Block Google QUIC protocol in default Application Control configuration (385190)

September 3, 2017, 2:13 am

≫ Next: Botnet database changes (390756)

≪ Previous: Changes to default SSL inspection configuration (380736)

$

0

0

Block Google QUIC protocol in default Application Control configuration (385190)

QUIC is an experimental protocol from Google. With recent Google Chrome versions (52 and above), and updated Google services, more than half of connections to Google servers are now in QUIC. This affects the accuracy of Application Control. The default configuration for Application control blocks QUIC.

Users may enable QUIC with CLI commands.

CLI Syntax

config application list edit <profile-name> set options allow-quic

end

---

Botnet database changes (390756)

September 3, 2017, 10:14 am

≫ Next: Security Fabric audit check for endpoint vulnerability and unauthorized FAP and FSW (401462)

≪ Previous: Block Google QUIC protocol in default Application Control configuration (385190)

$

0

0

Botnet database changes (390756)

Starting in FortiOS 5.6, FortiGate units and FortiGuard Distribution Servers (FDS0 will use object IDs IBDB and DBDB to download and update the Botnet database. Botnet protection will be part of the AntiVirus contract.

FortiOS 5.4 uses object IDs IRDB and BDDB.

Security Fabric audit check for endpoint vulnerability and unauthorized FAP and FSW (401462)

September 3, 2017, 6:13 pm

≫ Next: Change to CLI commands for configuring custom Internet services (397029)

≪ Previous: Botnet database changes (390756)

$

0

0

Security Fabric audit check for endpoint vulnerability and unauthorized FAP and FSW (401462)

The new Security Fabric Audit feature allows for the display of endpoint vulnerability status in real-time. Users can see:

l FortiClient devices that have critical vulnerabilities detected. l Discovered FortiSwitches that have not yet been authorized. l Discovered FortiAPs that have not yet been authorized.

Change to CLI commands for configuring custom Internet services (397029)

September 4, 2017, 2:15 am

≫ Next: Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

≪ Previous: Security Fabric audit check for endpoint vulnerability and unauthorized FAP and FSW (401462)

$

0

0

Change to CLI commands for configuring custom Internet services (397029)

Custom internet services are no longer configured through use of the commands config application internet-service and config application internet-service-custom in the CLI.

These commands are replaced by config firewall internet-service and config firewall internet-service-custom.

CLI Syntax – examples

config firewall internet-service 1245324 set name “Fortinet-FortiGuard”

set reputation 5 set icon-id 140 set offset 1602565 config entry edit 1 set protocol 6 set port 443 set ip-range-number 27

set ip-number 80

next edit 2 set protocol 6 set port 8890 set ip-range-number 27 set ip-number 80

next edit 3 set protocol 17 set port 53 set ip-range-number 18 set ip-number 31

next edit 4 set protocol 17 set port 8888 set ip-range-number 18 set ip-number 31

next

end

end

config firewall internet-service-custom edit “custom1” set comment “custom1” config entry edit 1 set protocol 6 config port-range edit 1 set start-port 30 set end-port 33

next

end

set dst “google-drive” “icloud”

next

end

next

end

Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

September 4, 2017, 10:13 am

≫ Next: CASI functionality moved into application control (385183 372103)

≪ Previous: Change to CLI commands for configuring custom Internet services (397029)

$

0

0

Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

sync-session-ttl is now set to enable by default in order to:

l enhance detection of P2P traffic. Efficient detection of P2P is important on hardware accelerated platforms l ensure that IPS and the kernel use the same ttl l ensure that IPS sessions time out sooner

CASI functionality moved into application control (385183 372103)

September 4, 2017, 6:13 pm

≫ Next: New diagnose command to delete avatars (388634)

≪ Previous: Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

$

0

0

CASI functionality moved into application control (385183 372103)

Cloud Access Security Inspection (CASI) is merged with Application Control resulting in changes to the GUI and the CLI.

GUI Changes

• Toggle option added to quickly filter CASI signatures in the Application Signatures list.
• Application Overrides table now shows any parent-child hierarchy using the –parent metadata on signatures. Deleting a parent app also deletes its child apps. And conversely, adding a child app will add all its parent apps but with implicit filter action.
• A policy breakdown is shown on existing application control profiles for policies using the profile. The breakdown indicates which policies are using a deep inspection.
• A breakdown is shown for application categories and filter overrides to indicate the number of CASI and non-CASI signatures. A lock icon is shown for applications requiring deep inspection.

CLI Changes

Commands removed:

l config application casi profile l casi profile in config firewall policy l casi profile in config firewall policy6 l casi-profile-status and casi-profile under config firewall sniffer l casi-profile-status and casi-profile under config firewall interface-policy

New diagnose command to delete avatars (388634)

September 5, 2017, 2:13 am

≫ Next: Fortinet bar option disabled in profile protocol options when VDOM is in flow-based inspection mode (384953)

≪ Previous: CASI functionality moved into application control (385183 372103)

$

0

0

New diagnose command to delete avatars (388634)

Commands to delete avatars by FortiClient UID or avatar name have been added to the CLI.

the two following commands has been added to diagnose endpoint avatar: l diagnose endpoint avatar delete <ftcl_uid> l diagnose endpoint avatar delete <ftcl_uid> <username>

The attribute delete did not exist before. The values <fctl_uid> and <user_name> describe a set of avatars. If only <fctl_uid> is defined, all avatars belonging to this FortiClient UID that are not being used will be removed. If both values are defined, the avatar belonging to them will be removed unless they are being used in which case this call will cause an error to user.

Fortinet bar option disabled in profile protocol options when VDOM is in flow-based inspection mode (384953)

September 5, 2017, 10:13 am

≫ Next: SSL/SSH profile certificate handling changes (373835)

≪ Previous: New diagnose command to delete avatars (388634)

$

0

0

Fortinet bar option disabled in profile protocol options when VDOM is in flow-based inspection mode (384953)

In order to prevent the Fortinet Bar from being enabled and redirecting traffic to proxy (WAD) when a VDOM is in flow-based mode, the Fortinet Bar option is disabled in profile protocol options.

---

SSL/SSH profile certificate handling changes (373835)

September 5, 2017, 6:13 pm

≫ Next: Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

≪ Previous: Fortinet bar option disabled in profile protocol options when VDOM is in flow-based inspection mode (384953)

$

0

0

SSL/SSH profile certificate handling changes (373835)

In order to support DSA and ECDSA key exchange (in addition to RSA) in SSL resign and replace mode, CLI commands for deep-inspection have changed. The certname command in ssl-ssh-profile has been removed.

To select from the list of available certificates in the system, use the CLI below.

edit deep-inspection set server-cert-mode re-sign set certname-{rsa | dsa | ecdsa}

Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

September 6, 2017, 2:13 am

≫ Next: Enhancements to IPS Signatures page (285543)

≪ Previous: SSL/SSH profile certificate handling changes (373835)

$

0

0

Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

Previous versions of FortiOS supported YouTube for Schools (YTfS). As of July 1, 2016 this feature is no longer supported by YouTube. Instead you can use the information in the YouTube support article Restrict YouTube content on your network or managed devices to achieve the same result. FortiOS supports applying Strict or Moderate restrictions using HTTP headers as described in this article.

In FortiOS 5.6 with inspection mode set to proxy-based, in a Web Filter profile under Search Engines you can select Restrict YouTube Access and select either Strict or Moderate.

Enhancements to IPS Signatures page (285543)

September 6, 2017, 10:13 am

≫ Next: DLP sensor GUI changes (307225)

≪ Previous: Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

$

0

0

Enhancements to IPS Signatures page (285543)

The IPS signatures list page now shows which IPS package is currently deployed. Users can also change their IPS package by linking directly to the FortiGate’s System > FortiGuard page from the IPS Signatures list page.

DLP sensor GUI changes (307225)

September 6, 2017, 6:14 pm

≫ Next: Web Filter profile page GUI updates (309012)

≪ Previous: Enhancements to IPS Signatures page (285543)

$

0

0

DLP sensor GUI changes (307225)

The DLP sensor for file size has been corrected to indicate that the file size has to be greater than the number of KB entered. Previously, the GUI incorrectly showed that the files size could be greater than or equal to the number of KB entered.

Web Filter profile page GUI updates (309012)

September 7, 2017, 2:13 am

≫ Next: Web Filter Quota traffic can no longer be set to 0 (374380)

≪ Previous: DLP sensor GUI changes (307225)

$

0

0

Web Filter profile page GUI updates (309012)

The GUI for the Web Filter security profile and Web Profile Overrides pages are changed.

Web Filter profile page

• removed multilist for override user group and profile l replaced FortiGuard categories actions icons with font icons
• added tooltip for Allow users to override blocked categories to explain the policy group dependency Web Profile Overrides page
• removed multilist of user, user group, original profile, new profile l duplicate profile for new profile (for bug #284239)

Web Filter Quota traffic can no longer be set to 0 (374380)

September 7, 2017, 10:12 am

≫ Next: Webcache-https and SSL deep inspection profile configuration changes (381101)

≪ Previous: Web Filter profile page GUI updates (309012)

$

0

0

Web Filter Quota traffic can no longer be set to 0 (374380)

To fix a bug in older major release, the CLI has been changed so that minimum traffic quota does not allow 0 as an entry. The value entered must be in the range of 1 – 4,294,967,295; if 0 is entered, then an error message will be returned.

CLI Commands:

config webfilter profile edit default config ftgd-wf config quota edit 1 set type traffic set value {a number in the range of 1 – 4,294,967,295}

Webcache-https and SSL deep inspection profile configuration changes (381101)

September 7, 2017, 6:13 pm

≫ Next: FortiGate conserve mode changes (242562, 386503)

≪ Previous: Web Filter Quota traffic can no longer be set to 0 (374380)

$

0

0

Webcache-https and SSL deep inspection profile configuration changes (381101)

In older releases, the CLI blocked the configuration of the SSL deep inspection profile when webcache-https was enabled. This bug is fixed in FortiOS 5.6.0.

---

FortiGate conserve mode changes (242562, 386503)

September 8, 2017, 2:14 am

≫ Next: New custom IPS and Application Control Signatures list (280954)

≪ Previous: Webcache-https and SSL deep inspection profile configuration changes (381101)

$

0

0

FortiGate conserve mode changes (242562, 386503)

The following changes were made to rework conserve mode and facilitate its implementation:

• Implemented CLI commands to configure extreme, red, and green memory usage thresholds in percentages of total RAM. Memory used is the criteria for these thresholds, and set at 95% (extreme), 88% (red) and 82% (green).
• Removed structure av_conserve_mode, other changes in kernel to obtain and set memory usage thresholds from the kernel
• Added conserve mode diagnostic command diag hardware sysinfo conserve, which displays information about memory conserve mode.
• Fixed conserve mode logs in the kernel
• Added conserve mode stats to the proxy daemon through command diag sys proxy stats all | grep conserve_mode

New custom IPS and Application Control Signatures list (280954)

September 8, 2017, 10:13 am

≫ Next: Server Load balancing (5.6.1)

≪ Previous: FortiGate conserve mode changes (242562, 386503)

$

0

0

New custom IPS and Application Control Signatures list (280954)

You can now create IPS and Application control custom signatures by going to Security Profiles > Custom Signatures. From here you can create and edit all custom IPS and Application Control signatures.

 

Server Load balancing (5.6.1)

September 8, 2017, 6:13 pm

≫ Next: Server Load balancing (5.6)

≪ Previous: New custom IPS and Application Control Signatures list (280954)

$

0

0

Server Load balancing (5.6.1)

New load balancing features added to FortiOS 5.6.1.

Add server load balancing real servers on the Virtual Server GUI page (416709)

In previous versions of the FortiOS GUI, after adding a Virtual Server you would go to Policy & Objects > Real Servers to add real servers and associate each real server with a virtual server.

In FortiOS 5.6.1 you now go to Policy & Objects > Virtual Servers, configure a virtual server and then from the same GUI page add real servers to the virtual server. In addition, on the Virtual Server GUI page the option Outgoing Interface is renamed Interface and the load balancing method Source IP Hash has been renamed

Static.

Server Load balancing

Server Load balancing (5.6)

September 9, 2017, 2:16 am

≫ Next: Session-aware Load Balancing (SLBC) (5.6.1)

≪ Previous: Server Load balancing (5.6.1)

$

0

0

Server Load balancing (5.6)

New load balancing features added to FortiOS 5.6.

IPv6, 6to4, and 4to6 server load balancing (280073)

Sever load balancing is supported for:

Server Load balancing (5.6)

l IPv6 VIPs (config firewall vip6) l IPv6 to IPv4 (6to4) VIPs (config firewall vip64) l IPv4 to IPv6 (4to6) VIPs (config firewall vip46)

Configuration is the same as IPv4 VIPs, except support for advanced HTTP and SSL related features is not available. IPv6 server load balancing supports all the same server types as IPv4 server load balancing (HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, and IP). IPv4 to IPv6 and IPv6 to IPv4 server load balancing supports fewer server types (HTTP, TCP, UDP, and IP).

Improved Server load balancing GUI pages (404169)

Server load balancing GUI pages have been updated and now include more functionality and input verification.

 

Session-aware Load Balancing (SLBC) (5.6.1)

September 9, 2017, 10:13 am

≫ Next: SSL VPN (5.6.1)

≪ Previous: Server Load balancing (5.6)

$

0

0

Session-aware Load Balancing (SLBC) (5.6.1)

New SLBC features added to FortiOS 5.6.1.

FortiController-5000 series independent port splitting (42333)

FortiOS 5.6.1 supports splitting some 40G FortiController front panel fiber channel front panel interfaces in to 10G ports. In previous versions of FortiOS this configuration was not supported and all FortiController fiber channel front panel interfaces had to operate at the same speed.

(5.6.1)