Channel: Fortinet GURU

NSX security group importing (403975)

A feature has been added to allow the importation of security group information from VMware’s NSX firewall.

CLI changes

nsx group list

This is used to list NSX security groups.

Syntax:

    execute nsx group list <name of the filter>

nsx group import

This is used to import NSX security groups.

Syntax:

    execute nsx group import <vdom> <name of the filter>

nsx group delete

This is used to delete NSX security groups.

Syntax:

    execute nsx group delete <vdom> <name of the filter>

nsx setting update-period

This is used to set the update period for the NSX security group.

Syntax:

    config nsx setting
        set update-period <0 - 3600 in seconds>
    end

0 means disabled.

Default value: 0


Non-vdom VM models FGVM1V/FGVM2V/FGVM4V (405549)

New models of the FortiGate-VM have been introduced. These match up with the existing FortiGate-VM models of FG-VM01, FG-VM02 and FG-VM04. The difference being that the new models don’t support VDOMs.

Original FortiGate-VM    New FortiGate-VM without VDOM support
FG-VM01                  FG-VM01v
FG-VM02                  FG-VM02v
FG-VM04                  FG-VM04v

Hardware acceleration (5.6.1)

New hardware acceleration features added to FortiOS 5.6.1.

IPsec session ESP padding and NP6 acceleration (416950)

In some situations when ESP packets in IPsec sessions have large amounts of layer 2 padding the NP6 IPsec engine may not be able to process them and the session may be blocked.

The following CLI option has been added to cause the NP6 processor to strip the ESP padding before sending the packets to the IPsec engine. With the padding stripped, the session can be processed normally by the IPsec engine.

Use the following command to strip ESP padding:

    config system npu
        set strip-esp-padding enable
    end

Stripping ESP padding is disabled by default. If you notice that offloaded IPsec sessions are failing, you can enable this option and see if the problem is resolved.

Hardware acceleration (5.6)

New hardware acceleration features added to FortiOS 5.6.

Improved visibility of SPU and nTurbo hardware acceleration (389711)

All hardware acceleration hardware has been renamed Security Processing Units (SPUs). This includes NPx and CPx processors.

SPU and nTurbo data is now visible in a number of places on the GUI. For example, the Active Sessions column pop-up in the firewall policy list and the Sessions dashboard widget:


You can also add SPU filters to many FortiView pages.

NP4Lite option to disable offloading ICMP traffic in IPsec tunnels (383939)

In some cases ICMP traffic in IPsec VPN tunnels may be dropped by the NP4Lite processor due to a bug with the NP4Lite firmware. You can use the following command to avoid this problem by preventing the NP4Lite processor from offloading ICMP sessions in IPsec VPN tunnels. This command is only available on FortiGate models with NP4Lite processors, such as the FortiGate/FortiWiFi-60D.

    config system npu
        set process-icmp-by-host {disable | enable}
    end

The option is disabled by default and all ICMP traffic in IPsec VPN tunnels is offloaded where possible. If you are noticing that ICMP packets in IPsec VPN tunnels are being dropped, you can enable this option and have all ICMP traffic processed by the CPU and not offloaded to the NP4Lite.

NP6 IPv4 invalid checksum anomaly checking (387675)

The following new options have been added to NP6 processors to check for IPv4 checksum errors in IPv4, TCP, UDP, and ICMP packets:

    config system np6
        edit {np6_0 | np6_1 | ...}
            config fp-anomaly-v4
                set ipv4-csum-err {drop | trap-to-host}
                set tcp-csum-err {drop | trap-to-host}
                set udp-csum-err {drop | trap-to-host}
                set icmp-csum-err {drop | trap-to-host}
            end
        end

You can use the new options to either drop packets with checksum errors (the default) or send them to the CPU for processing. Normally you would want to drop these packets.
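The four fp-anomaly-v4 checks above each verify one Internet checksum: the IPv4 header checksum, the TCP and UDP checksums (which also cover a pseudo-header taken from the IP layer), and the ICMP checksum. The following is an added example, not FortiOS code and not a description of the NP6 implementation: it verifies those checksums on constructed IPv4 packets the way the options are described, and maps the anomaly found to the configured action (drop by default, or trap-to-host). The packet builders, the sample addresses 10.0.0.1 and 10.0.0.2 and the packets themselves are constructed here for the demonstration.

```python
import struct
from typing import Dict, Optional

# Actions the fp-anomaly-v4 options can take; drop is the documented default for all four.
DEFAULT_ANOMALY_ACTIONS: Dict[str, str] = {
    "ipv4-csum-err": "drop",
    "tcp-csum-err": "drop",
    "udp-csum-err": "drop",
    "icmp-csum-err": "drop",
}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum. Over data that already carries a correct checksum this returns 0."""
    return (~ones_complement_sum(data)) & 0xFFFF


def inspect(pkt: bytes) -> Optional[str]:
    """Return the fp-anomaly-v4 error this packet would trigger, or None if every checksum verifies."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("truncated or malformed IPv4 header")
    header, l4 = pkt[:ihl], pkt[ihl:total_len]
    if checksum(header) != 0:
        return "ipv4-csum-err"
    proto = header[9]
    # TCP and UDP checksums cover a pseudo-header built from the IP layer (RFC 793 / RFC 768).
    pseudo = header[12:16] + header[16:20] + struct.pack("!BBH", 0, proto, len(l4))
    if proto == 6:
        return None if checksum(pseudo + l4) == 0 else "tcp-csum-err"
    if proto == 17:
        if l4[6:8] == b"\x00\x00":
            return None  # RFC 768: an all-zero UDP checksum means the sender computed none
        return None if checksum(pseudo + l4) == 0 else "udp-csum-err"
    if proto == 1:
        return None if checksum(l4) == 0 else "icmp-csum-err"
    return None  # other protocols carry no checksum these options inspect


def np6_verdict(pkt: bytes, config: Optional[Dict[str, str]] = None) -> str:
    """'offload' when the packet is clean, otherwise the configured action for its anomaly."""
    actions = {**DEFAULT_ANOMALY_ACTIONS, **(config or {})}
    anomaly = inspect(pkt)
    return "offload" if anomaly is None else actions[anomaly]


# --- constructed sample packets (10.0.0.1 -> 10.0.0.2), not captured traffic ------------------
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def build_ipv4(proto: int, payload: bytes, src: bytes = SRC, dst: bytes = DST) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes, src: bytes = SRC, dst: bytes = DST) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    csum = checksum(pseudo + udp) or 0xFFFF  # a computed 0 is transmitted as 0xFFFF (RFC 768)
    return udp[:6] + struct.pack("!H", csum) + udp[8:]


def build_icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]


GOOD_UDP = build_ipv4(17, build_udp(5353, 53, b"hello"))
BAD_UDP = GOOD_UDP[:-1] + bytes([GOOD_UDP[-1] ^ 0x01])            # one payload bit flipped in transit
BAD_IP = GOOD_UDP[:8] + bytes([GOOD_UDP[8] - 1]) + GOOD_UDP[9:]   # TTL decremented, checksum not updated
GOOD_ICMP = build_ipv4(1, build_icmp_echo(0x1234, 1, b"ping"))
BAD_ICMP = GOOD_ICMP[:-1] + bytes([GOOD_ICMP[-1] ^ 0x80])

if __name__ == "__main__":
    samples = [("GOOD_UDP", GOOD_UDP), ("BAD_UDP", BAD_UDP), ("BAD_IP", BAD_IP),
               ("GOOD_ICMP", GOOD_ICMP), ("BAD_ICMP", BAD_ICMP)]
    for name, pkt in samples:
        print(f"{name:10s} {inspect(pkt)!s:15s} -> {np6_verdict(pkt, {'udp-csum-err': 'trap-to-host'})}")
```

The IPv4 check runs first, so a corrupted header is reported as ipv4-csum-err even when the transport checksum would also fail; that matches the order in which a forwarding engine can parse the packet. The UDP zero-checksum case is the one edge worth remembering when reading trap-to-host output: it is not an error, it is the sender declaring it computed no checksum.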

 

High Availability (5.6.1)

New High Availability features added to FortiOS 5.6.1.

HA cluster Uptime on HA Status dashboard widget (412089)

The HA Cluster dashboard widget now displays how long the cluster has been operating (Uptime) and the time since the last failover occurred (State Changed). You can hover over the State Changed time to see the event that caused the state change.

You can also click on the HA Status dashboard widget to configure HA settings or to get a listing of the most recent HA events recorded by the cluster.

FGSP with static (non-dialup) IPsec VPN tunnels and controlling IKE routing advertisement (402295)

Until FortiOS 5.6.1, the FortiGate Session Life Support Protocol (FGSP) only supported IPsec tunnel synchronization for dialup (or dynamic) IPsec VPN tunnels. FortiOS 5.6.1 now also supports IPsec tunnel synchronization for static IPsec VPN tunnels. No special FGSP or IPsec VPN configuration is required. You can configure static IPsec VPN tunnels normally and create a normal FGSP configuration.

An additional feature has been added to support some FGSP configurations that include IPsec VPNs. A new CLI option allows you to control whether IKE routes are added to the FGSP backup unit.

    config system cluster-sync
        edit 0
            set slave-add-ike-routes {enable | disable}
    end

Enable to add IKE routes to the backup unit, disable if the IKE routes should not be added to the backup unit.


VRRP support for synchronizing firewall VIPs and IP Pools (0397824)

FortiOS VRRP HA now supports failover of firewall VIPs and IP Pools when the status of a virtual router (VR) changes. This feature introduces a new proxy ARP setting to map VIP and IP Pool address ranges to each VR's Virtual MAC (VMAC). After failover, the IP ranges added to the new primary VR will be routed to the new primary VR's VMAC.

Use the following command to add a proxy ARP address range and a single IP address to a VR added to a FortiGate's port5 interface. The address range and single IP address should match the address range or single IP for VIPs or IP Pools added to the port5 interface:

    config system interface
        edit port5
            config vrrp
                edit 1
                    config proxy-arp
                        edit 1
                            set ip 192.168.62.100-192.168.62.200
                        next
                        edit 2
                            set ip 192.168.62.225
                        end
                end
    end

High Availability (5.6)

New High Availability features added to FortiOS 5.6.

Multicast session failover (293751)

FGCP HA multicast session synchronization supports multicast session failover. To configure multicast session failover, use the following command to change the multicast TTL timer to a smaller value than the default. The recommended setting to support multicast session failover is 120 seconds (2 minutes). The default setting is 600 seconds (10 minutes).

    config system ha
        set multicast-ttl 120
    end

The multicast TTL timer controls how long to keep synchronized multicast routes on the backup unit (so they are present on the backup unit when it becomes the new primary unit after a failover). If you set the multicast TTL lower the multicast routes on the backup unit are refreshed more often so are more likely to be accurate. Reducing this time causes route synchronization to happen more often and could affect performance.

Performance improvement when shutting down or rebooting the primary unit (380279)

In previous versions of FortiOS, if you entered the execute reboot or execute shutdown command on the primary unit, a split brain configuration could develop for a few seconds while the primary unit was shutting down. This would happen because the heartbeat packets would stop being sent by the primary unit, while it was still able to forward traffic. When the heartbeat packets stop the backup unit becomes the primary unit. The result was a split brain configuration with two primary units both capable of forwarding traffic.

This wouldn't happen all the time, but when it did, network traffic would be delayed until the primary unit shut down completely. To resolve this issue, in FortiOS 5.6 when you run the execute reboot or execute shutdown command on the primary unit, the primary unit first becomes the backup unit before shutting down, allowing the backup unit to become the new primary unit and avoiding the split brain scenario. This behavior only happens when you manually run the execute reboot or execute shutdown command from the primary unit.

VRRP failover process change (390938)

In a FortiOS 5.6 VRRP configuration, when the master cannot reach its next hop router (vrdst) it sends packets to the configured backup router(s). These packets set the priority of the master to be lower than the backup router(s), so a backup router becomes the new master and takes over processing traffic.

Use the vrdst-priority option to set the lower priority that the master sends to the backup routers. The following CLI syntax resets the master’s priority to 10 if it can no longer connect to its next hop router.

    config system interface
        edit port10
            config vrrp
                set vrip 10.31.101.200
                set priority 255
                set vrdst 10.10.10.1
                set vrdst-priority 10
    end

Display cluster up time and history (get system ha status command changes) (394745)

The get system ha status command now displays cluster uptime and history:

    get system ha status
    Version: FortiGate-5001D v5.6.0,build1413,170121 (interim)
    ...
    Current HA mode: a-p, master
    Cluster uptime: 3 days, 4 hours, 3 minutes, 46 seconds
    ...

In-band HA management Interface (401378)

You can use the following command to add a management interface to an individual cluster unit interface that is also connected to a network and processing traffic. The in-band management interface is an alternative to the reserved HA management interface feature and does not require reserving an interface just for management access.

    config system interface
        edit port1
            set management-ip 172.20.121.155/24
    end

The management IP address is accessible from the network that the cluster interface is connected to. This setting is not synchronized, so each cluster unit can have its own management IP addresses. You can add a management IP address to each cluster unit interface. You can use the execute ha manage command to connect to individual cluster units.

The management-ip can be on the same subnet as the interface you are adding it to but cannot be on the same subnet as other cluster unit interfaces.


Up to four dedicated HA management interfaces supported (378127)

You can now add up to four dedicated HA management interfaces. Just like all FortiGate interfaces, these management interfaces must be on a different subnet from any other FortiGate interface. You can also configure a separate default gateway for each interface.

Use the following command to add two dedicated HA management interfaces:

    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface port4
                set gateway 10.10.10.1
            next
            edit 2
                set interface port5
                set gateway 4.5.6.7
            end
    end

FGSP support for automatic session sync after peer reboot (365851)

New options allow you to configure your FGSP cluster to resume sessions more smoothly after a failed FortiGate rejoins the cluster. In some cases when a failed FortiGate in the cluster comes back up it may begin processing sessions before the session table has been synchronized to it from the other FortiGate in the cluster. When this happens, the FortiGate may drop packets until the session synchronization is complete.

Shutting down interfaces during session synchronization

This new feature allows you to shut some interfaces down on the failed FortiGate when it is starting up so that it will not accept packets until session synchronization is complete. Then the interfaces are brought up and traffic can flow. While the interfaces are down, the FortiGate that had not failed keeps processing traffic.

Use the following command to select the interfaces to shut down while waiting for session synchronization to complete:

    config system cluster-sync
        edit 1
            set down-intfs-before-sess-sync port1 port2
    end

Heartbeat monitoring

If the FortiGate that was running fails before session synchronization is complete, the FortiGate that is restarting would not be able to complete session synchronization and would not turn on its shutdown interfaces. To prevent this from happening, FGSP now includes heartbeat monitoring. Using heartbeat monitoring, the FortiGate that is waiting for session synchronization to finish can detect that the other FortiGate is down and turn on its interfaces even if session synchronization is not complete. You can use the following command to change the heartbeat interval (hb-interval) and lost heartbeat threshold (hb-lost-threshold) to change heartbeat monitoring timing.

    config system cluster-sync
        edit 1
            set hb-interval 2
            set hb-lost-threshold 3
    end

Change in cluster behavior when the primary unit is restarted (380279)

When testing HA failover or restarting the primary unit for other reasons, manually rebooting or shutting down the primary unit running previous versions of FortiOS can sometimes cause a failover delay. This happens because the backup unit may become the primary unit before the primary unit is fully shut down causing a temporary split brain scenario.

To resolve this issue, when you manually restart or shut down the primary unit running FortiOS 5.6.0, before the primary unit actually shuts down it becomes the backup unit and the previous backup unit becomes the primary unit. Traffic is then failed over to the new primary unit before the former primary unit shuts down or reboots.

 

IPsec VPN (5.6.1)

New IPsec VPN features added to FortiOS 5.6.1.

Support for Brainpool curves specified in RFC 6954 for IKE (412795)

Added support for Brainpool curves specified in RFC 6954 (originally RFC 5639) for IKE. Four new values are added for VPN phase1 and phase2 DH groups. The allocated transform IDs are 27, 28, 29, 30:

  • 27 – Brainpool 224-Bit Curve
  • 28 – Brainpool 256-Bit Curve
  • 29 – Brainpool 384-Bit Curve
  • 30 – Brainpool 512-Bit Curve

Syntax

    config vpn ipsec phase1/phase1-interface
        edit <name>
            set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30}
        next
    end

    config vpn ipsec phase2/phase2-interface
        edit <name>
            set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30}
        next
    end

Removed “exchange-interface-ip” option from “vpn ipsec phase1” (411981)

The command exchange-interface-ip only works for interface-based IPsec VPN (vpn ipsec phase1-interface), and so it has been removed from policy-based IPsec VPN (vpn ipsec phase1).

IKEv2 ancillary RADIUS group authentication (406497)

This feature provides for the IDi information to be extracted from the IKEv2 AUTH exchange and sent to a RADIUS server, along with a fixed password configurable via CLI, to perform an additional group authentication step prior to tunnel establishment. The RADIUS server may return framed-IP-address, framed-ip-netmask, and dns-server attributes, which are then applied to the tunnel.

It should be noted, unlike Xauth or EAP, this feature does not perform individual user authentication, but rather treats all users on the gateway as a single group, and authenticates that group with RADIUS using a fixed password. This feature also works with RADIUS accounting, including the phase1 acct-verify option.

Syntax

    config vpn ipsec phase1-interface
        edit <name>
            set mode-cfg enable
            set type dynamic
            set ike-version 2
            set group-authentication {enable | disable}
            set group-authentication-secret <password>
        next
    end

IPsec mode-cfg can assign IPs from firewall address and sharing IP pools (393331)

This feature adds the ability for users to configure assign-IPs from firewall addresses/groups.

Previously, different policies accessing the same network needed to ensure that non-overlapping IP-ranges were assigned to policies to avoid the same IP address being assigned to multiple clients. With this feature, the address name is used to identify an IP pool and different policies can refer to the same IP pool to check for available IPs, thus simplifying the task of avoiding IP conflicts.

Syntax

    config vpn ipsec phase1-interface
        edit <name>
            set mode-cfg enable
            set type dynamic
            set assign-ip-from {range | dhcp | name}
            set ipv4-name <name>
            set ipv6-name <name>
        next
    end
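The point of assign-ip-from name is that several phase1 definitions can reference one named address object and draw from a single lease table, where per-phase1 ranges had to be kept disjoint by hand. The following is an added example, not FortiOS code and not the mode-cfg implementation: a small address-pool model that shows the old failure (two phase1s accidentally given the same range hand out the same address twice) beside the shared-pool behaviour, plus the lifecycle edges a pool has to handle (exhaustion, a client re-requesting, release and reuse). The pool names, ranges, phase1 names and client identities are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class AddressPool:
    """Constructed model of a firewall address object referenced by name as a mode-cfg IP pool.

    Every phase1 that refers to the same pool shares one lease table, so two clients can never
    be handed the same address no matter which phase1 they came in through.
    """

    def __init__(self, name: str, first: str, last: str) -> None:
        self.name = name
        self.first, self.last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if self.last < self.first:
            raise ValueError("pool end precedes pool start")
        self.leases: Dict[ipaddress.IPv4Address, Tuple[str, str]] = {}  # ip -> (phase1, client)

    def assign(self, phase1: str, client: str) -> Optional[ipaddress.IPv4Address]:
        """Lowest free address, or the client's existing lease; None when the pool is exhausted."""
        for ip, (_, holder) in self.leases.items():
            if holder == client:
                return ip
        for n in range(int(self.first), int(self.last) + 1):
            ip = ipaddress.IPv4Address(n)
            if ip not in self.leases:
                self.leases[ip] = (phase1, client)
                return ip
        return None

    def release(self, client: str) -> bool:
        for ip, (_, holder) in list(self.leases.items()):
            if holder == client:
                del self.leases[ip]
                return True
        return False


Request = Tuple[str, str]  # (phase1 name, client identity)

# Constructed requests: three clients arriving through two different dialup phase1s.
CONSTRUCTED_REQUESTS: List[Request] = [
    ("dialup-sales", "client-a"),
    ("dialup-eng", "client-b"),
    ("dialup-sales", "client-c"),
]


def assign_with_per_phase1_ranges(requests: List[Request]) -> List[Tuple[str, str]]:
    """Old scheme: each phase1 owns its own range. Here both were given the same range by mistake."""
    pools = {
        "dialup-sales": AddressPool("sales-range", "10.10.10.1", "10.10.10.10"),
        "dialup-eng": AddressPool("eng-range", "10.10.10.1", "10.10.10.10"),
    }
    return [(client, str(pools[phase1].assign(phase1, client))) for phase1, client in requests]


def assign_with_shared_pool(requests: List[Request]) -> List[Tuple[str, str]]:
    """New scheme: both phase1s set assign-ip-from name and point ipv4-name at one address object."""
    shared = AddressPool("vpn-clients", "10.10.10.1", "10.10.10.10")
    return [(client, str(shared.assign(phase1, client))) for phase1, client in requests]


def has_duplicate_assignment(assignments: List[Tuple[str, str]]) -> bool:
    ips = [ip for _, ip in assignments]
    return len(ips) != len(set(ips))


def pool_lifecycle_demo() -> Tuple[str, str, Optional[ipaddress.IPv4Address], str, str]:
    """Two-address pool: fill it, hit exhaustion, re-request an existing lease, release and reuse."""
    pool = AddressPool("tiny", "192.0.2.1", "192.0.2.2")
    first = str(pool.assign("p1", "x"))
    second = str(pool.assign("p1", "y"))
    exhausted = pool.assign("p1", "z")      # None: nothing left to hand out
    again = str(pool.assign("p1", "x"))     # existing lease is returned, not a second address
    pool.release("x")
    reused = str(pool.assign("p1", "z"))    # the released address is reused
    return first, second, exhausted, again, reused


if __name__ == "__main__":
    print("per-phase1 ranges:", assign_with_per_phase1_ranges(CONSTRUCTED_REQUESTS))
    print("shared pool:      ", assign_with_shared_pool(CONSTRUCTED_REQUESTS))
    print("lifecycle:        ", pool_lifecycle_demo())
```

Returning an existing lease to a client that asks again is what keeps a reconnecting peer from consuming a second address; without it a flapping client can exhaust a shared pool for everyone else.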

Improve interface-based dynamic IPsec up/down time (379937)

This feature makes it possible to use a single interface for all instances that spawn via a given phase1. Instead of creating an interface per instance, all traffic will run over the single interface and any routes that need creating will be created on that single interface.

A new CLI option net-device is added in the phase1-interface command sets. The default is disable so that the new feature kicks in for all the new configurations. An upgrade feature will add a set net-device enable for all the existing configurations so that they will keep the old behavior.

Under the new single-interface scheme, instead of relying on routing to guide traffic to the specific instance, all traffic will flow to the specific device and IPsec will need to take care of locating the correct instance for outbound traffic. For this purpose, another new CLI option tunnel-search is created. The option is only available when the above net-device option is set to disable.

There are two options for tunnel-search, corresponding to the two ways to select the tunnel for outbound traffic. One is selectors, meaning selecting a peer using the IPsec selectors (proxy-ids). The other is nexthop, where all the peers use the same default selectors (0/0) while using some routing protocol such as BGP, OSPF, RIPng, etc. to resolve the routing. The default for tunnel-search is selectors.

Syntax

    config vpn ipsec phase1-interface
        edit <name>
            set net-device {enable | disable}
            set tunnel-search {selectors | nexthop}
        next
    end

Hide psksecret option when peertype is dialup (415480)

In aggressive mode and IKEv2, when peertype is dialup, the pre-shared key is per-user based. There is no need to configure the psksecret in the phase1 setup. Previously, if left unconfigured, the CLI would output a psksecret error and fail to create the phase1 profile.

To prevent the psksecret length check from running on the configuration end, the psksecret option is hidden. Prior to Mantis 397712, the length check passed because it was incorrectly checking the length of the encrypted password, which is always 204 characters long.

Peertype dialup option removed for main mode.

New enforce-ipsec option added to L2TP config (423988)

A new enforce-ipsec option is added in L2TP configuration to force the FortiGate L2TP server to accept only IPsec encrypted connections.

Syntax

    config vpn l2tp
        set eip 50.0.0.100
        set sip 50.0.0.1
        set status enable
        set enforce-ipsec-interface {disable | enable}    (default = disable)
        set usrgrp <group_name>
    end

IPsec VPN Wizard improvements (368069)

Previously, when using the wan-load-balance (WLB) feature and configuring an IPsec tunnel with the wizard, the 'incoming interface' list did not contain the wan-load-balance or the wan2 interface. Disabling WLB permitted the configuration. The solution in 5.6.1 is as follows:

  • (368069) The IPsec VPN wizard now allows users to select members of virtual-wan-link (VWL) as the IPsec phase1-interface. Before saving, if the phase1 interface is a VWL member, the wizard automatically sets the virtual-wan-link as the destination interface in the L2TP policy.
  • (246552) List VPN tunnels for VWL members if VWL is set as the destination interface in policy-based IPsec VPN.

IPsec manual key support removed from GUI (436041)

The majority of customers are not using policy-based IPsec today, and beyond that, very few are using manual key VPN. As a result, the IPsec manual key feature is removed from the GUI; the feature store option is removed as well.

Added GUI support for local-gw when configuring custom IPsec tunnels (423786)

Previously, the local-gw option was not available on the GUI when configuring a custom IPsec tunnel. This feature adds the local-gw setting to the IPsec VPN Edit dialog. The user is able to choose the primary or secondary IP address from the currently selected interface, or specify an IP address manually. Both local-gw and local-gw6 are supported.

Moved the dn-format CLI option from phase1 config to vdom settings (435542)

Previous fix for dn-format didn’t take into account that, at the time isakmp_set_peer_identifier is used, we don’t have a connection and haven’t matched our gateway yet, so we can’t use that to determine the dn-format configuration setting.

The solution was to move the dn-format CLI option from phase1 config to vdom settings. It is renamed to ike-dn-format.

FGT IKE incorrect NAT detection causes ADVPN hub behind VIP to not generate shortcuts (416786)

When ADVPN NAT support was added, only spokes behind NAT were considered. No thought was given to a hub behind a VIP, or to the problems that occurred due to the way that FortiOS clients behind NAT enable NAT-T even when it is not required.

The solution in 5.6.1 is as follows:

  • Moved shortcut determination out of the kernel and up to IKE. The shortcut message now contains the ID of both tunnels so that IKE can check the NAT condition of both.
  • Added IKE debug to cover sending the initial shortcut query. The lack of this previously meant it could be awkward to determine if the offer had been converted into a query correctly.
  • Added “nat:” output in diag vpn ike gateway list output to indicate whether this device or the peer is behind NAT.
  • Tweaked the diag vpn tunnel list output so that the auto-discovery information now includes symbolic as well as numeric values, which makes it easier to see what type of auto-discovery was enabled.

IPsec VPN (5.6)

New IPsec VPN features added to FortiOS 5.6.

Improvement to stats crypto command output (403995)

The CLI command get vpn ipsec stats crypto now has a better format for the information it shows, differentiating between NP6 lite and SOC3 (CP). To further avoid confusion, all engines' encryption (encrypted/decrypted) and integrity (generated/validated) information is shown under the same heading, not separate headings.

Improved certificate key size control commands (397883)

Proxy will choose the same SSL key size as the HTTPS server. If the key size from the server is 512, the proxy will choose 1024. If the key size is bigger than 1024, the proxy will choose 2048.

As a result, the firewall ssl-ssh-profile commands certname-rsa, certname-dsa, and certname-ecdsa have been replaced with more specific key size control commands under vpn certificate setting.


CLI syntax

    config vpn certificate setting
        set certname-rsa1024 <name>
        set certname-rsa2048 <name>
        set certname-dsa1024 <name>
        set certname-dsa2048 <name>
        set certname-ecdsa256 <name>
        set certname-ecdsa384 <name>
    end

Support bit-based keys in IKE (397712)

As per FIPS-CC required standards, as well as RFC 4306, IKE supports pre-shared secrets to be entered as both ASCII string values and as hexadecimal encoded values. This feature parses hex encoded input (indicated by the leading characters 0x) and converts the input into binary data for storage.

With this change, the psksecret and psksecret-remote entries under the IPsec VPN CLI command config vpn ipsec phase1-interface have been amended to differentiate user input as either an ASCII string or hex encoded values.
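The rule the text describes is simple (a leading 0x means hex, anything else is an ASCII string, and both are stored as binary), but the edge cases are where a key entry goes wrong: an odd number of hex digits, a non-hex character, a bare 0x, and the fact that two different spellings can denote the same key. The following is an added example, not FortiOS code and not its psksecret parser: a validating parser for that input format, a helper that reports the resulting key length in bits, and a constant-time byte comparison of two spellings. The function names are constructed for the demonstration.

```python
import hmac
import string


def parse_psksecret(value: str) -> bytes:
    """Convert a psksecret as typed on the CLI into the binary key that is stored.

    A leading 0x marks hex-encoded input (RFC 4306 permits both forms); anything else is taken
    as an ASCII string. Both forms end up as raw bytes, so the IKE-time comparison is byte-wise.
    """
    if value[:2].lower() == "0x":
        digits = value[2:]
        if not digits:
            raise ValueError("hex psksecret has no digits after 0x")
        if len(digits) % 2:
            raise ValueError("hex psksecret needs an even number of hex digits")
        if not all(c in string.hexdigits for c in digits):
            # bytes.fromhex() would tolerate embedded spaces; a key must not.
            raise ValueError("hex psksecret contains a non-hex character")
        return bytes.fromhex(digits)
    try:
        return value.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("ASCII psksecret contains a non-ASCII character") from None


def is_valid_psksecret(value: str) -> bool:
    """True when the CLI would accept the spelling under the rules above."""
    try:
        parse_psksecret(value)
        return True
    except ValueError:
        return False


def psk_bits(value: str) -> int:
    """Key length in bits; hex input is how a key of exactly N bits (e.g. 256) is entered."""
    return len(parse_psksecret(value)) * 8


def psk_matches(local: str, remote: str) -> bool:
    """True when both spellings denote the same binary key; compared in constant time."""
    return hmac.compare_digest(parse_psksecret(local), parse_psksecret(remote))


if __name__ == "__main__":
    for spelling in ("secret1", "0x73656372657431", "0x00ff", "0xabc", "0xzz", "0x"):
        print(f"{spelling!r:20s} valid={is_valid_psksecret(spelling)}")
    print("same key:", psk_matches("0x73656372657431", "secret1"))
```

One consequence of the 0x rule worth knowing when migrating keys: an ASCII secret that happens to begin with the two characters 0x is no longer expressible as ASCII, because the parser will read it as hex.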

IKEv2 asymmetric authentication (393073)

Support added for IKEv2 asymmetric authentication, allowing both sides of an authentication exchange to use different authentication methods, for example the initiator may be using a shared key, while the responder may have a public signature key and certificate.

A new command, authmethod-remote, has been added to config vpn ipsec phase1-interface.

For more detailed information on authentication of the IKE SA, see RFC 5996 Internet Key Exchange Protocol Version 2 (IKEv2).

Allow mode-cfg with childless IKEv2 (391567)

An issue that prevented childless-ike from being enabled at the same time as mode-cfg has been resolved. Both options can now be enabled at once under config vpn ipsec phase1-interface.

IKEv2 Digital Signature Authentication support (389001)

FortiOS supports the use of Digital Signature authentication, which changes the format of the Authentication Data payload in order to support different signature methods.

Instead of just containing a raw signature value calculated as defined in the original IKE RFCs, the Auth Data now includes an ASN.1 formatted object that provides details on how the signature was calculated, such as the signature type, hash algorithm, and signature padding method.

For more detailed information on IKEv2 Digital Signature authentication, see RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2).

Passive static IPsec VPN (387913)

New commands have been added to config vpn ipsec phase1-interface to prevent initiating a VPN connection. Static IPsec VPNs can be configured in tunnel mode without initiating tunnel negotiation or rekey.

To allow a finer configuration of the tunnel, the rekey option is removed from config system global and added to config vpn ipsec phase1-interface.

CLI syntax

    config vpn ipsec phase1-interface
        edit <example>
            set rekey {enable | disable}
            set passive-mode {enable | disable}
            set passive-tunnel-interface {enable | disable}
    end

Phase 2 wizard simplified (387725)

Previously, for a site-to-site VPN, phase 2 selectors had their static routes created in the IPsec VPN wizard by adding IP addresses in string format. Now, since addresses and address groups are already created for these addresses, the address group can be used in the route directly. This means that the route can be modified simply by modifying the address/groups that were created when the VPN was initially created.

With this change, the VPN wizard creates fewer objects internally, reducing complexity.

In addition, a blackhole route is created by default with a higher distance-weight than the default route. This prevents traffic from flowing out of another route if the VPN interface goes down; in these instances, the traffic is instead silently discarded.

Unique IKE ID enforcement (383296)

All IPsec VPN peers now connect with unique IKE identifiers. To implement this, a new phase1 CLI command has been added (enforce-unique-id) which, when enabled, requires all IPsec VPN clients to use a unique identifier when connecting.

CLI syntax

    config vpn ipsec phase1
        edit <name>
            set enforce-unique-id {keep-new | keep-old | disable}
        next
    end

The default is disable.

Use keep-new to replace the old connection if an ID collision is detected on the gateway. Use keep-old to reject the new connection if an ID collision is detected.

FortiView VPN tunnel map feature (382767)

A geospatial map has been added to FortiView to help visualize IPsec and SSL VPN connections to a FortiGate using Google Maps. Adds geographical-IP API service for resolving spatial locations from IP addresses.


This feature can be found under FortiView > VPN.

Childless IKEv2 initiation (381650)

As documented in RFC 6023, when both sides support the feature, no child IPsec SA is brought up during the initial AUTH of the IKEv2 negotiation. Support for this mode is not actually negotiated, but the responder indicates support for it by including a CHILDLESS_IKEV2_SUPPORTED Notify in the initial SA_INIT reply. The initiator is then free to send its AUTH without any SA or TS payloads if it also supports this extension.

CLI syntax

    config vpn ipsec phase1-interface
        edit ike
            set ike-version 2
            set childless-ike enable
        next
    end

Due to the way configuration payloads (IKEV2_PAYLOAD_CONFIG) are handled in the current code base, mode-cfg and childless-ike aren’t allowed to be enabled at the same time. Processing config payloads for mode-cfg requires a child ph2handle to be created, but with childless-ike we completely avoid creating the child ph2 in the first place which makes the two features incompatible. It may be possible to support both in the future, but a deeper rework of the config payload handling is required.

Allow peertype dialup for IKEv2 pre-shared key dynamic phase1 (378714)

Restored peertype dialup that was removed in a previous build (when IKEv2 PSK gateway re-validation was not yet supported).

If peertype is dialup, IKEv2 AUTH verify uses user password in the user group “usrgrp” of phase1. The “psksecret” in phase1 is ignored.

CLI syntax

    config vpn ipsec phase1-interface
        edit "name"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set peertype dialup
            set usrgrp "local-group"
        next
    end

IPsec default phase1/phase1-interface peertype changed from ‘any’ to ‘peer’ (376340)

Previously, when authmethod was changed to signature, peertype automatically changed to peer and required a peer to be set. This change was done to try to provide a more secure initial configuration, while allowing the admin to set peertype back to any if that’s what they really wanted. The default value was kept at any in the CLI. However, this caused problems with copy/pasting configurations and with FMG because if peertype any wasn’t explicitly provided, the CLI was switched to peertype peer.

This patch changes the default peertype to peer now; peertype any is considered non-default and will be printed out on any config listing. Upgrade code has been written to ensure that any older build that was implicitly using set peertype any has this setting preserved.

IPsec GUI bug fixes (374326)

Accept type “Any peer ID” is available when creating IPsec tunnel with authmethod, pre-shared key, ikev1 main mode/aggressive mode, and ikev2.

Support for IKEv2 Message Fragmentation (371241)

Added support for IKEv2 Message Fragmentation, as described in RFC 7383.

Previously, when sending IKE packets with IKEv1, the whole packet was sent once, and it was only fragmented if there was a retransmission. With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet, in case the original single packet was never answered and we wanted to retry with fragments. So with this implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.

CLI syntax

    config vpn ipsec phase1-interface
        edit ike
            set ike-version 2
            set fragmentation [enable|disable]
            set fragmentation-mtu [500-16000]
        next
    end
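The design point above, that each fragment is protected on its own so the sender never has to retain plaintext for a later retry, is easiest to see in code. The following is an added example, not FortiOS code and not its IKE daemon: it preemptively splits a message that exceeds a fragmentation-mtu threshold into RFC 7383-style fragments (16-bit Fragment Number and Total Fragments fields), protects each one independently, and reassembles on the receiving side while rejecting tampered fragments, inconsistent totals and out-of-range numbering, and tolerating reordering and duplicates. The per-fragment protection is an HMAC stand-in for the real SK_e/SK_a encrypt-and-authenticate step, and the key and payload bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import math
import struct
from typing import Dict, List, Optional

# RFC 7383 Encrypted Fragment payload: Fragment Number (from 1) and Total Fragments, 16 bits each.
FRAG_HDR = struct.Struct("!HH")
MAC_LEN = hashlib.sha256().digest_size  # 32


def _protect(key: bytes, num: int, total: int, chunk: bytes) -> bytes:
    # Stand-in for per-fragment encryption + integrity; real IKEv2 uses the SA's SK_e / SK_a keys.
    body = FRAG_HDR.pack(num, total) + chunk
    return body + hmac.new(key, body, hashlib.sha256).digest()


def fragment_is_authentic(key: bytes, frag: bytes) -> bool:
    """Integrity check over the fragment header and its chunk; a failure means discard."""
    if len(frag) < FRAG_HDR.size + MAC_LEN:
        return False
    body, tag = frag[:-MAC_LEN], frag[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


def fragment_message(key: bytes, payloads: bytes, fragmentation_mtu: int, enabled: bool = True) -> List[bytes]:
    """Preemptively split the IKE payloads when they exceed the fragmentation-mtu threshold.

    Every fragment is protected on its own, so a retransmission resends the same protected
    fragments and no unencrypted copy of the payloads needs to be kept around.
    """
    chunk_size = fragmentation_mtu - FRAG_HDR.size - MAC_LEN
    if chunk_size <= 0:
        raise ValueError("fragmentation-mtu too small to carry any payload")
    if not enabled or len(payloads) <= fragmentation_mtu:
        # Below the threshold the message goes out whole. The 1-of-1 header here only lets the
        # same reassembly path handle it; a real stack sends a plain Encrypted payload instead.
        return [_protect(key, 1, 1, payloads)]
    total = math.ceil(len(payloads) / chunk_size)
    if total > 0xFFFF:
        raise ValueError("message needs more fragments than the 16-bit field allows")
    return [_protect(key, i + 1, total, payloads[i * chunk_size:(i + 1) * chunk_size]) for i in range(total)]


def reassemble(key: bytes, fragments: List[bytes]) -> Optional[bytes]:
    """Rebuild the payloads. None while fragments are still missing; ValueError on bad input."""
    pieces: Dict[int, bytes] = {}
    expected_total: Optional[int] = None
    for frag in fragments:
        if not fragment_is_authentic(key, frag):
            raise ValueError("fragment failed integrity check")  # a receiver silently discards it
        num, total = FRAG_HDR.unpack_from(frag)
        if total == 0 or not 1 <= num <= total:
            raise ValueError("fragment numbering out of range")
        if expected_total is None:
            expected_total = total
        elif total != expected_total:
            raise ValueError("fragments disagree on Total Fragments")
        pieces.setdefault(num, frag[FRAG_HDR.size:-MAC_LEN])  # a duplicated number is ignored
    if expected_total is None or len(pieces) != expected_total:
        return None  # incomplete: wait for the remaining fragments or a retransmission
    return b"".join(pieces[i] for i in range(1, expected_total + 1))


# Constructed demo input: a stand-in key and 1536 bytes of payload (roughly a small cert chain).
DEMO_KEY = b"constructed-demo-key-not-a-real-sk_a"
DEMO_PAYLOADS = bytes(range(256)) * 6
DEMO_FRAGMENTS = fragment_message(DEMO_KEY, DEMO_PAYLOADS, 576)

if __name__ == "__main__":
    print(f"{len(DEMO_PAYLOADS)} bytes -> {len(DEMO_FRAGMENTS)} fragments at fragmentation-mtu 576")
    print("reassembled ok:", reassemble(DEMO_KEY, DEMO_FRAGMENTS) == DEMO_PAYLOADS)
    print("two of three:  ", reassemble(DEMO_KEY, DEMO_FRAGMENTS[:2]))
```

With a 576-byte threshold and 36 bytes of per-fragment overhead, 1536 bytes of payload become three fragments. The receiver accepts them in any order, ignores a repeated fragment, and returns None (rather than a partial message) until the set is complete.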

IPsec monitoring pages now based on phase 1 proposals not phase 2 (304246)

The IPsec monitor, found under Monitor > IPsec Monitor, was in some instances showing random uptimes even if the tunnel was in fact down.

Tunnels are considered "up" if at least one phase 2 selector is active. To avoid confusion, when a tunnel is down, IPsec Monitor keeps the Phase 2 Selectors column but hides it by default, showing a Phase 1 Status column in its place.

 

IPv6 (5.6)

New IPv6 features added to FortiOS 5.6.

FortiGate can reply to an anycast probe from the interface’s unicast address (308872)

A new setting has been added within the CLI that can enable the FortiGate to reply to an anycast probe from the FortiGate's unicast IP address.

    config system global
        set ipv6-allow-anycast-probe [enable|disable]
    end

enable: Enable probing of IPv6 address space through anycast, by responding from the unicast IP address.
disable: Disable probing of IPv6 address space through anycast.

Secure Neighbor Discovery (355946)

Additional settings have been added to the configuration of interfaces with IPv6 so that they comply more closely with RFC 3971.

The context of the new settings is:

config system interface
    edit <interface>
        config ipv6

The new IPv6 options are:

ndmode
Neighbor discovery mode.
    set ndmode [basic | SEND]
  • basic: Does not support SEND.
  • SEND-compatible: Supports SEND.

nd-cert
Neighbor discovery certificate.
    set nd-cert <string: name of the certificate to be used>
  • Example string: “Fortinet_Factory local”

nd-security-level
Neighbor discovery security level.
    set nd-security-level <integer>
  • Integer values from 0 to 7
  • 0 = least secure
  • 7 = most secure
  • default = 0

nd-timestamp-delta
Neighbor discovery timestamp delta value.
    set nd-timestamp-delta <integer of time in seconds>
  • Range: 1 – 3600 sec
  • default = 300

nd-timestamp-fuzz
Neighbor discovery timestamp fuzz factor.
    set nd-timestamp-fuzz <integer of time in seconds>
  • Range: 1 – 60 sec
  • default = 1

Additional related technical information

Kernel
  • Redirects ICMPv6 packets to user space if they require SEND options verification or construction.

Radvd
  • Verifies NS/RS SEND options including CGA, RSA, Timestamp, NONCE, etc. The daemon also keeps a neighbor cache for future timestamp checking; any entry is flushed after 4 hours.
  • Helps the kernel build NA/RA SEND options including CGA, RSA, Timestamp, NONCE, etc. CGA parameters are kept in cache for each interface. The CGA modifier is kept in the CMDB.

Diagnose command for radvd:

diag test application radvd
  • Shows statistics
  • Toggles message dump

Add multicast-PMTU to allow FGT to send ICMPv6 Too Big Message (373396)

New multicast-PMTU feature added to better comply with RFC 4443.

Normally, a “Packet Too Big” ICMPv6 message is sent by a routing device in response to a packet that it cannot forward because the packet is larger than the MTU of the outgoing link. For security reasons these messages may be disabled, because an attacker can use a victim’s IP address as the source address of such packets for IP address spoofing.

In FortiOS’s implementation of this function, a CLI setting has been added to make this behavior optional on the FortiGate.

The syntax for the option is:

config router multicast6
    set multicast-PMTU [enable|disable]
end

 

Logging and Reporting (5.6.1)



New logging and reporting features added to FortiOS 5.6.1.

Usability Updates to Reports Page (383684)

The Reports page has been updated in 5.6.1 to include both FortiCloud and Local Reports in a single location. Configuring report schedules is also available on this page. The page displays whichever format is enabled, or allows switching between both if both Local and FortiCloud reports are in use.

Interface Categories (srcintfrole, etc) added to log data (434188)

In 5.6, logs and FortiView both sort log traffic into two interface categories: “Traffic from LAN/DMZ” and “Traffic from WAN.” For greater compatibility and easier troubleshooting of FortiAnalyzer and FortiCloud setups, interface category fields that expose this information, srcintfrole and dstintfrole, have been added to general log data in 5.6.1 for better backend control and monitoring.

Individual FAZ log settings for SLBC Cluster Blades (382942/424076)

Individual SLBC cluster blades can now be enabled to have their own specific FortiAnalyzer log settings, rather than auto-syncing with all other blades in the cluster. This allows for multi-FAZ setups and collector-analyzer architectures to deal with high logging volume. Entries in the command config system objectnsync determine which settings are not synced from the blade. Settings are available to specify VDOMs that will or will not sync.

Logging and Reporting (5.6)


New logging and reporting features added to FortiOS 5.6.

Client and server certificates included in Application control log messages (406203)

When SSL/TLS traffic triggers an application control signature, the application control log messages now include information about the signatures used by the session. This includes the client certificate issuer, the name in the server certificate, and the server certificate issuer.

DNS Logging (401757)

FortiOS logging now includes the Detailed DNS log message type. DNS events were previously recorded as event logs. In FortiOS 5.6, DNS log messages are a new category that also includes more DNS log messages to provide additional detail about DNS activity through the FortiGate. You can enable DNS logging from the CLI using the following command (shown in this example for memory logging):

config log memory filter
    set dns enable
end


DNS log messages include details of each DNS query and response. DNS log messages are recorded for all DNS traffic passing through the FortiGate and for DNS traffic originated by the FortiGate.

The detailed DNS logs can be used for low-impact security investigation. Most network activity involves DNS activity of some kind, so analyzing DNS logs can reveal a lot about the activity on your network without using resource-intensive flow-based or proxy-based techniques.

Added Policy Comment logging option (387865)

As an alternative to custom log fields, the functionality has been added to log a policy’s comment field in all traffic logs that use that policy, in order to sort and isolate logs effectively in larger deployments and across VDOMs. The feature is disabled by default.

config log setting
    set log-policy-comment [enable|disable]
end

FortiAnalyzer encryption option name change (399191)

For clarity, and because the default options for config log fortianalyzer setting have changed, the default for the enc-algorithm option is now high-medium in the following CLI commands:

config log fortianalyzer setting
    set enc-algorithm [high|high-medium|low]
end

config log fortianalyzer override-setting
    set enc-algorithm [high|high-medium|low]
end

config log fortiguard setting
    set enc-algorithm [high|high-medium|low]
end

config log fortiguard override-setting
    set enc-algorithm [high|high-medium|low]
end

Maximum values changes


Maximum values changes in FortiOS 5.6.1:

  • The maximum number of SSIDs (CLI command config wireless-controller vap) for FortiGate models 600C, 600D, 800C, 800D, and 900D increased from 356 to 512 (414202).
  • The maximum number of DLP sensors (CLI command config dlp sensor / config filter) for models 1000C, 1000D, 1200D, 1500D, 1500DT, 3240C, and 3600C decreased from 10,000 to 3,000 (371270).
  • The maximum number of DLP sensors (CLI command config dlp sensor / config filter) for models 3000D, 3100D, 3200D, 3700D, 3700DX, 3800D, 3810D, 3815D, 5001C, and 5001D decreased from 50,000 to 4,000 (371270).

Maximum values changes in FortiOS 5.6:

  • The maximum number of wireless controller QoS Profiles is now per VDOM (388070).

Modem (5.6.1)


New modem features added to FortiOS 5.6.1.

New modem features (422266)

New FortiOS 5.6.1 modem features include:

  • The ability to edit wireless profiles stored on EM7x modems from FortiOS.
  • GPS support.
  • MIB for internal LTE modems.
  • Syslog messages for internal LTE modems.
  • More status information displayed by the diagnose sys lte-modem command.
  • New modem-related MIB entities.

config system lte-modem command changes

The mode, interface, and holddown-timer options of the config system lte-modem command have been removed. These options are no longer needed; instead, use SD-WAN for redundant interfaces. The config system lte-modem command includes the following options:

status: Enable/disable USB LTE/WIMAX device.

extra-init: Extra initialization string to USB LTE/WIMAX device.

manual-handover: Enable/disable manual handover from 3G to LTE network. If enabled, the FortiGate switches the modem firmware to LTE mode if the modem itself fails to do so after 5 loops.

force-wireless-profile: Force the modem to use the configured wireless profile index (1 – 16); 0 means do not force. If your FortiGate includes an LTE modem, or an LTE modem is connected to it, you can use the execute lte-modem command to list the LTE modem profiles. Use this option to select one of those wireless profiles.


Wireless profiles contain detailed LTE modem data session settings. Each modem can store a maximum of 16 wireless profiles, and every data connection is initiated using settings from one of the stored wireless profiles. To make a data connection, at least one profile must be defined. Here is a sample wireless profile table stored in one of the internal modems:

FG30EN3U15000025 # execute lte-modem wireless-profile list
ID    Type Name                 APN                   PDP_Type Authen Username
*1   0     profile1            vzwims                3 0
2    0     profile2            vzwadmin              3 0
3    0     profile3            VZWINTERNET           3 0
4    0     profile4            vzwapp                3 0
5    0     profile5            vzw800                3 0
9    0     profile9            vzwims                2 0
10 0        profile10            vzwadmin              0 0
11 0        profile11            VZWINTERNET           0 0
12 0        profile12           vzwapp                3 0
13 0        profile13                                 0

Profile Type:
0 ==> QMI_WDS_PROFILE_TYPE_3GPP
1 ==> QMI_WDS_PROFILE_TYPE_3GPP2
* ==> Default 3GPP Profile, # ==> Default 3GPP2 Profile

Profile PDP Type:
0 ==> QMI_WDS_PDP_TYPE_IPV4
1 ==> QMI_WDS_PDP_TYPE_PPP
2 ==> QMI_WDS_PDP_TYPE_IPV6
3 ==> QMI_WDS_PDP_TYPE_IPV4_OR_IPV6

Authentication:
0 ==> QMI_WDS_AUTHENTICATION_NONE
1 ==> QMI_WDS_AUTHENTICATION_PAP
2 ==> QMI_WDS_AUTHENTICATION_CHAP
3 ==> QMI_WDS_AUTHENTICATION_PAP|QMI_WDS_AUTHENTICATION_CHAP

authtype: Authentication type for PDP-IP packet data calls.

apn: Log in APN string for PDP-IP packet data calls.

modem-port: Modem port index (0 – 20).

network-type: Set wireless network.

auto-connect: Enable/disable modem auto connect.

gpsd-enabled: Enable/disable GPS daemon.

data-usage-tracking: Enable/disable data usage tracking.

gps-port: Modem port index (0 – 20). Specify the index of the GPS port; by default it is set to 255, which means use the system default.

execute lte-modem command changes

The following options are available for the execute lte-modem command:


cold-reboot: Cold reboot the LTE modem, which means power off the internal modem and power it on again after 1 second.

get-modem-firmware: Get modem firmware.

get-pri-firmware: Get PRI firmware.

power-off: Power off the LTE modem.

power-on: Power on the LTE modem.

purge-billing-data: Purge all existing LTE modem billing data.

reboot: Warm reboot the LTE modem.

set-operation-mode: Set the LTE modem operation mode to online or offline.

wireless-profile: Wireless profile commands (see below).

cold-reboot, power-off, power-on, set-operation-mode, and wireless-profile are new in FortiOS 5.6.1.

New execute lte-modem wireless-profile command

The following options are available for the execute lte-modem wireless-profile command:

create: Create a wireless profile. You use the create command to create an LTE modem profile by providing a name and supplying settings for the profile. The command syntax is:

execute lte-modem wireless-profile create <name> <type> <pdp-type> <apn-name> <auth-type> [<user> <password>]

<name> Wireless profile name of 1 to 16 characters.

<type> Wireless profile type:
  • 0 for 3GPP profiles.
  • 1 for 3GPP2 profiles.

<pdp-type> Wireless profile PDP type:
  • 0 for IPv4
  • 1 for PPP
  • 2 for IPv6
  • 3 for IPv4v6

<apn-name> Wireless profile APN name, 0 to 32 characters.

<auth-type> Wireless profile authentication type:
  • 0 for no authentication.
  • 1 for PAP
  • 2 for CHAP
  • 3 for PAP and CHAP

[<user> <password>] Wireless profile user name and password (1 to 32 characters each). Not required if <auth-type> is 0.

For example, use the following command to create an LTE modem 3GPP IPv4 profile named myprofile6. This profile uses the APN profile named p6apn that uses PAP and CHAP authentication.


execute lte-modem wireless-profile create myprofile 0 0 myapn 3 myname mypasswd

delete <profile-number>: Delete a wireless profile from the modem. Specify the profile ID of the profile to delete.

list: List all the wireless profiles stored in the modem. If the modem is busy the list may not display. If this happens, just repeat the command; it may take a few attempts.

modify: Modify a wireless profile using the same settings as the create command, except that the first option is the profile ID. You can find the profile ID for each profile by listing the profiles with the execute lte-modem wireless-profile list command. For example, to modify the profile created above to change it to an IPv4v6 profile, change the APN profile to yourapn, and set the authentication type to PAP, enter the following command (assuming the profile ID is 6):

execute lte-modem wireless-profile modify 6 myprofile 0 3 yourapn 1 myname mypasswd

test: Test wireless profiles.

Static mode for wwan interface removed (440865)

When configuring the wireless modem wwan interface from the CLI the mode can only be set to DHCP. Static addressing for the wwan interface is not supported so the static option has been removed.

Networking (5.6.1)


New networking features added to FortiOS 5.6.1.

IPv6 Router Advertisement options for DNS enhanced with recursive DNS server option (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

FortiOS 5.6 supported the following:

To get the information from the upstream ISP server:

config system interface
    edit wan1
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    next
end

To use Routing Advertisement to send the DNS search list:

config system interface
    edit port1
        config ipv6
            set ip6-address 2001:10::/64
            set ip6-mode static
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface WAN
                    set subnet 0:0:0:11::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

To use DHCPv6 server to send DNS search list:

config system dhcp6 server
    edit 1
        set interface port2
        set upstream-interface WAN
        set ip-mode delegated
        set dns-service delegated
        set dns-search-list delegated    // this is a new command
        set subnet 0:0:0:12::/64
    next
end

 


In FortiOS 5.6.1 this feature has been enhanced to include the recursive DNS server option that sends the IPv6 recursive DNS server option to downstream clients with static prefix RA.

The new options include rdnss and dnssl in the following syntax:

config system interface
    edit port1
        config ipv6
            config ip6-prefix-list
                edit 2001:db8::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set rdnss 2001:1470:8000::66 2001:1470:8000::72
                    set dnssl fortinet.com fortinet.ca
                next
            end
        end
    next
end
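The RFC 6106 options that the rdnss and dnssl settings above (and the DNS search list feature described earlier in this section) place in Router Advertisements, as an added example that is not FortiOS code: an encoder and a length-checking parser for the RDNSS and DNSSL options, plus an audit function that flags advertised resolvers or search suffixes not expected on the segment. The addresses, domain names and lifetimes are constructed sample values.

```python
"""Added example, not FortiOS code: build and parse the RFC 6106 RDNSS (type 25)
and DNSSL (type 31) Router Advertisement options, and flag values that do not
match what a segment is expected to advertise. Sample data is constructed."""
import ipaddress
import struct

RDNSS = 25
DNSSL = 31
OPT_HDR = struct.Struct("!BBHI")   # type, length (8-octet units), reserved, lifetime


def _encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_rdnss(servers, lifetime):
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return OPT_HDR.pack(RDNSS, 1 + 2 * len(servers), 0, lifetime) + addrs


def build_dnssl(domains, lifetime):
    names = b"".join(_encode_name(d) for d in domains)
    names += b"\x00" * (-len(names) % 8)        # pad to an 8-octet boundary
    return OPT_HDR.pack(DNSSL, 1 + len(names) // 8, 0, lifetime) + names


def _decode_names(data):
    names, j = [], 0
    while j < len(data) and data[j] != 0:      # a leading zero here is padding, not a name
        labels = []
        while True:
            if j >= len(data):
                raise ValueError("unterminated DNSSL name")
            n = data[j]
            j += 1
            if n == 0:
                break
            if n > 63 or j + n > len(data):
                raise ValueError("malformed DNSSL label")
            labels.append(data[j:j + n].decode("ascii"))
            j += n
        names.append(".".join(labels))
    return names


def parse_ra_options(blob):
    """Walk an RA option chain; return [(type, lifetime, values)] for the two DNS
    options and skip other types. Length rules follow RFC 4861 and RFC 6106."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        t, length = blob[i], blob[i + 1]
        if length == 0:
            raise ValueError("zero-length option")   # RFC 4861: must be discarded
        opt = blob[i:i + length * 8]
        if len(opt) != length * 8:
            raise ValueError("option runs past end of packet")
        if t == RDNSS:
            if length < 3 or (length - 1) % 2:
                raise ValueError("RDNSS length must be odd and at least 3")
            lifetime = OPT_HDR.unpack(opt[:8])[3]
            out.append((t, lifetime, [str(ipaddress.IPv6Address(opt[j:j + 16]))
                                      for j in range(8, len(opt), 16)]))
        elif t == DNSSL:
            if length < 2:
                raise ValueError("DNSSL length must be at least 2")
            lifetime = OPT_HDR.unpack(opt[:8])[3]
            out.append((t, lifetime, _decode_names(opt[8:])))
        i += length * 8
    return out


def audit_ra(blob, expected_servers, expected_domains):
    """Report RDNSS servers or DNSSL suffixes in an RA that are not expected on
    this segment; a rogue RA pushing its own resolver shows up here."""
    findings = []
    for t, _, values in parse_ra_options(blob):
        expected = expected_servers if t == RDNSS else expected_domains
        findings.extend((t, v) for v in values if v not in expected)
    return findings
```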

Temporarily mask interface failure (435426)

In some situations during normal operation, attached network equipment may cause a FortiGate interface to appear to have disconnected from the network, and in some cases you may not want the FortiGate interface to detect and respond to the apparent interruption. For example, when Lawful Intercept (LI) devices are inserted into or removed from the network path using a switch mechanism, the signal is entirely interrupted. That interruption is seen by the FortiGate as an interface failure.

When the network path is interrupted, the FortiGate normally declares that the interface is down. All services using the interface are notified and act accordingly.

This new feature allows the FortiGate interface to temporarily delay detecting that the interface is down. If the connection is restored during the delay period, the FortiGate ignores the interface down condition and services using the interface resume without apparent interruption.

Use the following command to enable and configure the down time for a FortiGate interface:

config system interface
    edit port1
        set disconnect-threshold <delay>
    next
end

<delay> is the time to wait before sending a notification that this interface is down or disconnected (0 – 1000 ms, default = 0).

Policy Routes now appear on the routing monitor (411841)

You can go to Monitor > Routing Monitor and select Policy to view the active policy routes on your FortiGate.

Control how the system behaves during a routing change (408971)

FortiOS allows you to dynamically make routing changes while the FortiGate unit is processing traffic. Routing changes that affect the routing used for current sessions may affect how the FortiGate continues to process the session after the routing change has been made.

Using the following command you can control whether FortiOS keeps (preserves) the routing for the sessions that are using the route, or applies the changed routing table to active sessions, possibly causing their destinations to change.

config system interface
    edit port2
        set preserve-session-route {enable | disable}
    next
end

If enabled (the default), all sessions passing through port2 are allowed to finish without being affected by the routing changes. If disabled, when a route changes the new routing table is applied to the active sessions through port2, which may cause their destinations to change.

Networking (5.6)


New networking features added to FortiOS 5.6.

New command to get transceiver signal strength (205138)

On most FortiGate models with SFP/SFP+ interfaces you can use the following command to display information about the status of the transceivers installed in the SFP/SFP+ interfaces of the FortiGate.

The command output lists all SFP/SFP+ interfaces and, for each one that includes a transceiver, displays information about it. The output also includes details about transceiver operation that can be used to diagnose transmission problems.

get system interface transceiver
…
Interface port14 - Transceiver is not detected.

Interface port15 - SFP/SFP+
  Vendor Name :   FIBERXON INC.
  Part No.    :   FTM-8012C-SLG
  Serial No.  :   101680071708917

Interface port16 - SFP/SFP+
  Vendor Name :   FINISAR CORP.
  Part No.    :   FCLF-8521-3
  Serial No.  :   PS62ENQ

                                           Optical      Optical      Optical
SFP/SFP+      Temperature   Voltage       Tx Bias      Tx Power     Rx Power
Interface     (Celsius)     (Volts)       (mA)         (dBm)        (dBm)
------------  ------------  ------------  -----------  -----------  -----------
port15        N/A           N/A           N/A          N/A          N/A
port16        N/A           N/A           N/A          N/A          N/A

++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.

New BGP local-AS support (307530)

Use the following command to configure BGP local-AS support:

config router bgp
    config neighbor
        edit "neighbor"
            …
            set local-as 300
            set local-as-no-prepend disable|enable
            set local-as-replace-as disable|enable
        next
    end
end

Enable local-as-no-prepend if you do not want to prepend local-as to incoming updates.

Enable local-as-replace-as to replace a real AS with local AS in outgoing updates.

Interface setting removed from SNMP community (310665)

The SNMP GUI has been cleaned up by removing the Interface setting.

RPF checks can be removed from the state evaluation process (311005)

You can remove stateful firewall RPF state checks without fully enabling asymmetric routing. State checks can be disabled on specific interfaces. The following command shows how to disable state checks for traffic received by the wan1 interface:

config system interface
    edit wan1
        set src-check disable
    next
end

BGP graceful-restart-end-on-timer, stale-route, and linkdown-failover options (374140)

If graceful-end-on-timer is enabled, the BGP graceful restart process will be stopped upon expiration of the restart timer only.

If linkdown-failover is enabled for a BGP neighbor, the neighbor will be down when the outgoing interface is down.

If stale-route is enabled for a BGP neighbor, the route learned from the neighbor will be kept for the graceful-stalepath-time after the neighbor is down due to hold timer expiration or TCP connection failure.

config router bgp
    set graceful-end-on-timer disable|enable
    config neighbor
        edit 192.168.1.1
            set linkdown-failover disable|enable
            set stale-route disable|enable
        next
    end
end

graceful-end-on-timer stops BGP graceful restart process on timer only.

linkdown-failover and stale-route are options to bring down BGP neighbors upon link down and to keep routes for a period after the neighbor is down.

FQDNs can be destination addresses in static routes (376200)

FQDN firewall addresses can now be used as destination addresses in a static route.

From the GUI, to be able to add an FQDN firewall address (or any other supported type of firewall address) to a static route, you must enable the Static Route Configuration option in the firewall address configuration. Then, when configuring the static route, set Destination to Named Address.

From the CLI, first configure the firewall FQDN address:

config firewall address
    edit "Fortinet-Documentation-Website"
        set type fqdn
        set fqdn docs.fortinet.com
        set allow-routing enable
    next
end

Then add the FQDN address to a static route:

config router static
    edit 0
        set dstaddr Fortinet-Documentation-Website
        …
    next
end

Priority for Blackhole routes (378232)

You can now add a priority to a blackhole route to change its position relative to kernel routes in the routing table. Use the following command to add a blackhole route with a priority:

config router static
    edit 23
        set blackhole enable
        set priority 200
    next
end

New DDNS refresh interval (383994)

A new DDNS option has been added to configure the FortiGate to refresh DDNS IP addresses by periodically checking the configured DDNS server.

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set use-public-ip enable
        set update-interval <seconds>
    next
end

The default update-interval is 300 seconds and the range is 60 to 2592000 seconds.

Support IPv6 blackhole routes on GUI (388599)

IPv6 blackhole routes are now supported from the GUI: go to Network > Static Routes and select Create New > IPv6 Route.

Choose Blackhole for the Device field.

SSL-VPN can use a WAN link load balancing interface (396236)

The virtual-wan-link interface can now be set as the destination interface in an SSL-VPN policy.

Also, the SSL-VPN interface can now be set as a source interface for WAN LLB.

DDNS support for noip.com (399126)

Noip.com, a Dynamic DNS provider, has been added as a supported option for ddns-server.

CLI

config system ddns
    edit <ddns_ip>
        set ddns-server [dyndns.org|dyns.net|ods.org|tzo.com|vavic.com|dipdns.net|now.net.cn|dhs.org|easydns.com|genericDDNS|FortiGuardDDNS|noip.com]
    next
end

IPv6 Router Advertisement options for DNS (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

Configuration example:

To get the information from the upstream ISP server:

config system interface
    edit wan1
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    next
end

To use Routing Advertisement to send the DNS search list:

config system interface
    edit port1
        config ipv6
            set ip6-address 2001:10::/64
            set ip6-mode static
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface WAN
                    set subnet 0:0:0:11::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

To use DHCPv6 server to send DNS search list:

config system dhcp6 server
    edit 1
        set interface port2
        set upstream-interface WAN
        set ip-mode delegated
        set dns-service delegated
        set dns-search-list delegated    // this is a new command
        set subnet 0:0:0:12::/64
    next
end

WAN LLB to SD-WAN on GUI (403102)

To be more consistent with current terminology, the term WAN LLB has been changed in the GUI to the more recognizable SD-WAN.

 

New RFCs


The following RFCs are now supported by FortiOS 5.6.1 or the support for these RFCs has been enhanced in FortiOS 5.6.1:

  • RFC 6954 Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2) (412795)
  • RFC 6106 IPv6 Router Advertisement Options for DNS Configuration (399406)
  • RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP (408875)

The following RFCs are now supported by FortiOS 5.6 or the support for these RFCs has been enhanced in FortiOS 5.6:

  • RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) (389001)
  • RFC 7348 Virtual eXtensible Local Area Network (VXLAN) or VTEP (289354)
  • RFC 5996 (section 15) IKEv2 asymmetric authentication (393073)
  • RFC 6106 IPv6 Router Advertisement Options for DNS (399406)
  • RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation (371241)
  • RFC 3971 IPv6 Secure Neighbor Discovery (SEND) (355946)
  • RFC 6023 Childless IKEv2 Initiation (381650)

Sandbox Integration (5.6.1)


New sandbox integration features added to FortiOS 5.6.1.

New file extension lists for determining which file types to send to FortiSandbox (379326)

This feature introduces two new file extension lists:

  • File extensions to submit to FortiSandbox even though the AV engine says they are unsupported.
  • File extensions to exclude from submitting to FortiSandbox even though the AV engine says they are supported.

These lists are configured on the FortiSandbox, not the FortiGate, and are dynamically loaded on the FortiGate via quarantine.

Syntax:

diag sys scanunit reload-fsa-ext

Security Profiles (5.6.1)


New security profile features added to FortiOS 5.6.1.

FortiGuard WAN IP blacklist service is now online (404859)

The FortiGuard WAN IP blacklist service was not online in FortiOS 5.6.0. In FortiOS 5.6.1, a notification appears on the Dashboard when the WAN IP is blacklisted. Clicking on the notification brings up the blacklist details.

Application Control GUI improvements (279956)

An All Categories button on the Security Profiles > Application Control page makes it easier to apply an action (Monitor, Allow, Block, Quarantine) to all categories at once.

Note that the All Categories selector goes blank when the action for any individual category is manually changed to something different from what was selected for all the categories. The Unknown Application action matches the All Categories action unless that action is Quarantine, which is unsupported for unknown applications.

Industrial Application Control signatures (0434592)

The application control category Industrial is now controlled by a FortiGuard license and the default disable mask is no longer needed. The special category is also no longer used.

GUI updates to reflect package and license changes for IPS, Application Control and Industrial signatures (397010)

The following changes have been made to the GUI to reflect changes in the signature databases:

  • Application Control signature database information is displayed on the System > FortiGuard page in the FortiCare section.
  • The IPS package version and license status are shown in a separate section in System > FortiGuard. A link to manually upload the IPS database signatures has been added.
  • The Industrial package version and license status are shown in a separate section in System > FortiGuard. A link to manually upload the Industrial database signatures is available. Access to the Industrial database is provided with the purchase of the FortiGuard Industrial Security Service. The row item for this license will not appear if you are not subscribed.
  • The Botnet category is no longer available when searching the Application Signatures list.

Improved FortiClient monitor display (378288)

The GUI for the Monitor > FortiClient Monitor page has been revised.

  • New dropdown option: Online Only or Include Offline. The default is Online Only.
  • New dropdown option:
    • Sending FortiTelemetry Only (default)
    • Include All FortiTelemetry States
    • Not Sending FortiTelemetry Only
  • Update: compliance status for an offline device is N/A.
  • Update: offline status indicator is grey.
  • New compliance status text after the icon in the Compliance column.
  • Moved the Compliance column after the Status column.
  • Combined unregistered endpoint devices with not registered devices.

FortiSandbox integration with AntiVirus in quick mode (436380)

FortiSandbox options in an AntiVirus Security Profile in quick scanning mode can now be enabled with CLI commands.

CLI syntax

config antivirus profile
    edit default
        set ftgd-analytics disable/everything
        set analytics-max-upload 10
        set analytics-wl-filetype 0
        set analytics-bl-filetype 0
        set analytics-db enable/disable
        set scan-mode quick
    next
end

Pre-configured parental controls for web filtering (399715)

Pre-configured filters based on the Motion Picture Association of America (MPAA) ratings can now be added to the Web Filter Security Profile. This feature is already available on FortiCloud and uses the same ratings categories.

Anti-Spam GUI updates (300423)

Changes made to the Anti-Spam profile update the GUI to reflect FortiOS 5.6 style.

 


Security Profiles (5.6)


New security profile features added to FortiOS 5.6.

New FortiGuard Web Filter categories (407574)

New categories added to FortiGuard Web Filter sub-categories:

  • Under Security Risk:
    • Newly Observed Domain (5.90)
    • Newly Registered Domain (5.91)
  • Under General Interest – Business:
    • Charitable Organizations (7.92)
    • Remote Access (7.93)
    • Web Analytics (7.94)
    • Online Meeting (7.95)

Newly observed domain (NOD) applies to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes.

Newly registered domain (NRD) applies to URLs whose domain name was registered in the previous 10 days.

Overall improvement to SSL inspection performance (405224)

Enabling or disabling proxy cipher/kxp hardware acceleration on CP8/CP9 previously required restarting the WAD daemon for the change to take effect; this bug has been fixed.

New CLI commands

The FortiGate uses the ssl-queue-threshold command to determine the maximum size of the CP SSL queue. In other words, if the SSL encryption/decryption task queue is larger than the threshold, the FortiGate switches to using the CPU rather than the CP; if it is smaller, it uses the CP.

config firewall ssl setting
    set ssl-queue-threshold <integer>
end

The integer represents the maximum length of the CP SSL queue. Once the queue is full, the proxy switches cipher functions to the main CPU. The range is 0 – 512 and the default is 32.

FortiClient Endpoint license updates (401721)

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Model(s)                                  Maximum Client Limit
VM00                                      200
FGT/FWF 30 to 90 series                   200
FGT 100 to 400 series                     600
FGT 500 to 900 series, VM01, VM02         2,000
FGT 1000 to 2900 series, VM04             50,000
FGT 3700D and above, VM08 and above       100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.

FortiClient Vulnerability Exemption Setting (407230)


A new CLI command provides a manual override for client computers with vulnerabilities that cannot be fixed.

CLI Syntax

New command to enable/disable compliance exemption for vulnerabilities that cannot be auto patched. Default is disable.

config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-setting
            set forticlient-vuln-scan enable
            set forticlient-vuln-scan-exempt [enable|disable]
        end
    next
end

DNS profile supports safe search (403275)

Users can take advantage of pre-defined DNS doctor rules to edit DNS profiles and provide safe search for Google, Bing, and YouTube.

To add safe search to a DNS profile – GUI

  1. Go to Security Profiles > DNS Filter.
  2. Edit the default filter or create a new one.
  3. Enable Enforce ‘Safe Search’ on Google, Bing, YouTube.
  4. Select Strict or Moderate level of restriction for YouTube Access.

To add safe search to a DNS profile – CLI

config dnsfilter profile
    edit "default"
        set safe-search enable
        set youtube-restrict {strict | moderate}   (only available if safe-search is enabled)
    next
end
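The mechanism behind a DNS-level safe search enforcement, shown as an added example (not FortiOS or Fortinet GURU code): a DNS filter answers a query for a search engine's normal hostname with a CNAME pointing at the engine's published restricted front-end, so the client connects to the restricted site without any change on the endpoint. The restricted hostnames below are the providers' documented Safe Search endpoints; that the FortiGate DNS doctor rules perform the rewrite exactly this way, and the query bytes built inline, are assumptions of this example.

```python
"""Added example: DNS safe-search enforcement by CNAME rewriting.

Not FortiOS code. It assumes the DNS doctor rules behave like the
standard provider-documented Safe Search DNS redirection.
"""
import struct

# Assumed rule table: normal hostname -> provider's restricted hostname.
SAFE_SEARCH_RULES = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
}
# YouTube has two restriction levels, matching set youtube-restrict {strict | moderate}.
YOUTUBE_RULES = {
    "strict": "restrict.youtube.com",
    "moderate": "restrictmoderate.youtube.com",
}
# Hostnames Google documents for YouTube restricted-mode DNS enforcement.
YOUTUBE_HOSTS = {
    "www.youtube.com", "m.youtube.com", "youtubei.googleapis.com",
    "youtube.googleapis.com", "www.youtube-nocookie.com",
}

DNS_TYPE_A = 1
DNS_TYPE_CNAME = 5
DNS_CLASS_IN = 1


def safe_search_target(qname, safe_search=True, youtube_restrict=None):
    """Return the restricted hostname a query should be redirected to, or None.

    youtube_restrict is None (no YouTube rewrite), "strict" or "moderate".
    """
    if not safe_search:
        return None
    name = qname.lower().rstrip(".")
    if name in YOUTUBE_HOSTS:
        return YOUTUBE_RULES.get(youtube_restrict)
    return SAFE_SEARCH_RULES.get(name)


def encode_name(name):
    """Encode a hostname in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed DNS name; return (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not needed for this example
            raise ValueError("compressed names are not supported here")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(qname, txid=0x1234):
    """Build a constructed A/IN query packet for qname (sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    return header + encode_name(qname) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def rewrite_response(query, safe_search=True, youtube_restrict=None):
    """Apply the safe-search rule to a raw query.

    Returns (target, response_bytes); (None, None) when no rule matches and
    the query should be forwarded unchanged.
    """
    txid = struct.unpack("!H", query[:2])[0]
    qname, end = decode_name(query, 12)
    target = safe_search_target(qname, safe_search, youtube_restrict)
    if target is None:
        return None, None
    # Standard response: QR, RD, RA set; one question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:end + 4]            # original name + qtype + qclass
    rdata = encode_name(target)
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_CNAME, DNS_CLASS_IN,
                                       300, len(rdata)) + rdata
    return target, header + question + answer


def parse_cname_answer(resp):
    """Extract the CNAME target from a response built by rewrite_response."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    if ancount == 0:
        return None
    _, off = decode_name(resp, 12)
    off += 4 + 2                          # skip qtype/qclass, then the name pointer
    rtype, _, _, _ = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    if rtype != DNS_TYPE_CNAME:
        return None
    return decode_name(resp, off)[0]


if __name__ == "__main__":
    for host, mode in [("www.google.com", None), ("www.youtube.com", "moderate"),
                       ("example.com", None)]:
        target, resp = rewrite_response(build_query(host), youtube_restrict=mode)
        print(host, "->", target if target else "forwarded unchanged")
```

The YouTube entries are only rewritten when a restriction level is set, mirroring the CLI where youtube-restrict is a separate, optional setting under safe-search.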

Application control and Industrial signatures separate from IPS signatures (382053)

IPS, Application control and industrial signatures have been separated. The get system status command shows the versions of each signature database:

get system status

Version: FortiGate-5001D v5.6.0,build1413,170121 (interim)

Virus-DB: 42.00330(2017-01-23 01:16)

Extended DB: 1.00000(2012-10-17 15:46)

Extreme DB: 1.00000(2012-10-17 15:47)

IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 0.00000(2001-01-01 00:00)

APP-DB: 6.00741(2015-12-01 02:30)

Changes to default SSL inspection configuration (380736)

SSL inspection is mandatory in the CLI and GUI and is enabled by default.

GUI Changes

  • Updated edit dialogues for IPv4/IPv6 Policy and Explicit Proxy Policy:
      • SSL/SSH inspection data is displayed in a muted palette
      • the toggle button for this option is disabled
      • the default profile is set to “certificate-inspection”
  • Updated list pages for IPv4/IPv6 Policy and Explicit Proxy Policy:
      • added validation for “ssl-ssh-profile” when configuring UTM profiles
  • Updated SSL/SSH Inspection list page:
      • disabled the delete menu in the GUI for default SSL profiles
      • changed the “Edit” menu to a “View” menu for default SSL profiles
      • added an implicit (grayed) class to the default SSL profile entries
  • Updated SSL/SSH Inspection edit dialog:
      • disabled all inputs for default SSL profiles except the download/view trusted certificate links
      • changed the button to “Return” for default SSL profiles, which returns to the list page
  • Updated Profile Group edit dialog:
      • removed the checkbox for the “ssl-ssh-profile” option; it is now always required.

CLI changes

  1. The ssl-ssh-profile default value is certificate-inspection, where applicable, in the tables firewall.profile-group, firewall.policy, firewall.policy6 and explicit-proxy-policy.
  2. The default profiles “certificate-inspection” and “deep-ssl-inspection” are read-only in the table firewall.ssl-ssh-profile.