Channel: Fortinet GURU

Finding Words in show Command Output


To quickly locate a word in the output of any show command, use the following command:

show argument | grep "string"

For this feature to work, only one show command can be the input to grep, and that show command cannot have arguments (for example, a form such as show ap 54 is not accepted). The "string" is a literal, case-sensitive word to search for (such as AP-54), and must be enclosed in double quotation marks. Only one string search can be performed per command line.

As an example, to search for and display the entry for AP-54 in the output of the show ap command, use the command:

controller# show ap | grep "AP-54"

AP ID AP Name     Serial Number      Op State  Availability   Runtime   Connectivity AP Model AP Type
54    AP-54       00:0c:e6:00:3e:a8  Disabled  Offline        3.1.4-25  None         AP332    Local
        AP Table(1 entry)


FortiWLC Customizing the CLI Prompt


Customizing the CLI Prompt

Default CLI Prompt

By default, the CLI prompt consists of the system name followed by an angle bracket (>) for user EXEC mode or a pound sign (#) for privileged EXEC mode.

Commands to Customize CLI Prompt

To customize the CLI prompt for your system, use one of the following commands in Global Configuration mode:

TABLE 2: Commands to Customize the CLI Prompt

| Command | Purpose |
| --- | --- |
| prompt string | Customizes the CLI prompt. |
| no prompt | Disables the display of the CLI prompt. |
| default prompt | Sets the prompt to the default, which is the hostname. |

FortiWLC Manipulating Terminal Characteristics


Manipulating Terminal Characteristics

Displaying Terminal Settings

To display the current terminal settings, including the screen length and width, type:

controller> show terminal

Terminal Length:         0

Terminal Width:          80

History Buffer Size:     10


Setting Terminal Screen Length and Width

By default, the terminal length is set to 0 rows, and the width is set to 80 columns. To override this default setting, and set the number of lines or character columns on the current terminal screen for the current session, use the following commands in user EXEC mode:

controller> terminal length screen-length
controller> terminal width characters

To reset the terminal length and width to the default values, use the default command:

controller> default terminal length
controller> default terminal width

Setting the terminal length to a non-zero value turns on paging. When the output length exceeds the terminal length, the output is paused and a —More— is displayed:

  1. If the space bar is pressed at the —More— prompt, another page of output is displayed.
  2. If the ENTER key is pressed at the —More— prompt, a single line of output is displayed.
  3. If any other character is pressed at the —More— prompt, this signifies the end of output and the command prompt is displayed.

FortiWLC Ending a Session


Ending a Session

To end a session, use the following command in either User or privileged EXEC mode:

controller> exit

FortiWLC Web UI Concepts


Web UI Concepts

Access FortiWLC (SD) by entering the IP address of the controller in a browser (see "Browsers" below). The Web UI that displays operates from four menus: Monitor, Maintenance, Configuration, and Wizards. Clicking any entry from the list expands it to display the options contained therein.

Figure 1: Menu Options in the WebUI

How Does the GUI Relate to CLI Commands?

Most FortiWLC (SD) tasks can be accomplished using either the CLI or the GUI. Some commands can only be done with one or the other. The chart below gives some examples of this. You can refer to the illustration on the previous page or click the indicated links on the UI Interface.

| I need to know… | With the CLI | With the GUI |
| --- | --- | --- |
| Stations that are associated | show station, show phones | Station table (Monitor > Devices > All Stations) |
| Stations and APs that are detectable | show ap-discovered | Station table (Monitor > Devices > All Stations) |
| Controller setup | show controller | System Summary (Monitor > Dashboard > System) |
| APs that are connected | show ap | Station table (click Monitor > Devices > All Stations) |
| How are APs connected | show ap-connectivity ap-id | Station table (click Monitor > Devices > All Stations) |
| How many stations are connected | show station or show topostation | Station table (Monitor > Devices > All Stations) |
| Stations connections to certain AP | show ap-assigned mac-address | Station table (Monitor > Devices > All Stations) |
| Add a new operating system version to a controller using FTP | copy ftp://ftpuser:ftppasswd@offbox-ip-address/ meru-x.x-xxxMODEL-rpm.tar. upgrade system x.x | NA |
| See aggregate throughput for all APs | NA | System Dashboard (Monitor > Dashboard > System) |
| Syslog message summary | show syslog-table shows the entire log | SysLog Files Table (Maintenance > View Syslog) shows a segment of the log based on time |
| Alarms | show alarm | Alarms (Monitor > Fault Management > Alarms) |
| Rogues detected | show rogue-ap-list | Rogue AP Table (Monitor > Rogue Devices) |
| AP400 model | show ap | |
| Throughput bottlenecks | show statistics top10-ap-problem (shows loss %), analyze-capture start, analyze-capture stop, analyze-capture capture | System Dashboard (Monitor > Dashboard > System) |
| High-volume users | show statistics top10-station-talker | Stations Dashboard (click Monitor > Dashboard > Station) |
| Why a user's connection failed | station-log/station add analyze-capture | Station Diagnostics (click Monitor > Diagnostics > Station) |
| Dead spots | show topoap | Station Diagnostics (Monitor > Diagnostics > All Station > Signal Strength Chart) |
| Station retries | show station | Monitor > Dashboard > Station > Retries chart |
| User's location | show station or show topostation | NA |
| Overloaded radios | show station, show statistics top10-ap-problem | Monitor > Dashboard > Radio > Retries chart; Radio Dashboard (Monitor > Dashboard > Radio > Throughput Chart) |
| High-loss radios | show station, analyze-capture start, analyze-capture stop, analyze-capture snapshot | Monitor > Dashboard > Radio > Loss % chart; Controller Dashboard (Monitor > Controller > High-Loss Radio chart) |
| Noisy radios | NA | Monitor > Diagnostics > Radio; Controller Dashboard (Monitor > Controller > Noise Level chart) |
| Radio Management Overhead | show interfaces Dot11Radio statistics | Monitor > Dashboard > Radio > Management Overhead Distribution chart |
| Average Station data rates | show station 802.11 \| "802.11a", show station 802.11 \| "802.11b", show station 802.11 \| "802.11g", show station 802.11 \| "802.11g", show station 802.11 \| "802.11ab", show station 802.11 \| "802.11bg", show station 802.11 \| "802.11bgn" | Monitor > Dashboard > Station > Average Rate charts |

Browsers

WebUI

  • Internet Explorer 9,10 (Vista and Win XP)
  • Mozilla Firefox 25+ (Vista and Win XP)
  • Google Chrome 31+

Captive Portal

  • Internet Explorer 6, 7, 8,9, and 10
  • Apple Safari
  • Google Chrome
  • Mozilla Firefox 4.x and earlier
  • Mobile devices (such as Apple iPhone and BlackBerry)

Internet Explorer Caching Settings

Be sure to turn off caching on any computer using Internet Explorer, because dashboard updates are frequently ignored with caching on. To configure Windows Internet Explorer, follow these steps:

  1. Access Internet Options by opening an Internet Explorer window and then clicking Tools > Internet Options. A window like this one displays:

Figure 2: Internet Options for Microsoft Windows

  2. Under Browsing history, click Settings. A window like this one displays:

Figure 3: Website Data Settings

  3. Select the option Every time I visit the web page.
  4. Click OK.

The dashboard will now be updated every time the statistics change.

Note that no configuration is needed for Mozilla Firefox.

FortiWLC What is Network Manager?


What is Network Manager?

Network Manager is a Fortinet product that manages multiple controllers.

ESS, Security, VLAN, GRE and RADIUS profiles can all be configured either from Network Manager or from the controller. You can tell where a profile was configured by checking the read-only field Owner; the Owner is either NMS or controller. If a profile belongs to Network Manager, you cannot alter or delete it from a controller.

If a profile belongs to Network Manager, the recommendation is to alter/delete it from the Network Manager interface. If for some reason Network Manager is not reachable from the controller, then the recommendation is to unregister the Network Manager server from the controller using the nms-server unregister CLI command.

FortiWLC About the CFS


About the CFS

The CFS allows you to manage the controller operating system (FortiWLC (SD)) and its configuration files.

Files used to operate the controller are located in directories on the controller flash card. Initially, the flash contains the shipped operating system, referred to as the image, which of course is set with default settings. During the course of normal operation, you probably will want to perform some or all of the following tasks:

  • Configure custom settings and save the settings to a configuration file.
  • Save the configuration file to a backup directory on the controller.
  • Save the configuration file to a remote location to provide a more secure backup or as input for configuring other controllers.
  • Restore the settings from a known, reliable backup file.
  • Restore the system to its default settings.
  • Upgrade the system to a new version of the operating system.
  • Downgrade the system to a previous operating system version.
  • Execute scripts to automate configuration.

To accomplish these tasks you need to use the CFS to manipulate files. The CFS allows you to perform the following tasks:

  • Display information about files within a directory. The display information includes the file name, size, and date of modification.
  • Navigate to different directories. You can navigate to different directories and list the files in a directory.
  • Copy files. The CFS allows you to copy files on the controller via a pathname or to manipulate remote files. Use Uniform Resource Locators (URLs) to specify the location of a remote file. URLs are commonly used to specify files or locations on the World Wide Web. You can use the URL format to copy files to or retrieve files from a location on a remote file server.
  • Delete files

Working with Local Directories

The controller flash card uses the following directories to organize its system files. You can access the following local directories:

| Directory Name | Directory Contents |
| --- | --- |
| images | Directory where the current image resides and where you can place upgrade images that you have obtained remotely. |
| backup | Directory containing backup configuration files and databases. |
| ATS/scripts | Directory containing AP bootup scripts. |
| capture | Directory containing the packet capture files. |

Viewing Directory and File Information

Use the pwd command to view the current directory. By default, the current working directory is images, as shown with the pwd command:

controller# pwd
images

To view a detailed listing about the contents of a directory, use the dir command, which accepts an optional directory or filename argument:

dir [[directory/]filename]

For example, to display the contents of the images directory:

controller# dir
total 10
total 70
drwxr-xr-x    8 root     root         1024 Jan 30 11:00 meru-3.6-45
drwxrwxr-x    8 522      522          1024 Feb 21  2008 meru-3.6-46
-rw-r--r--    1 root     root         2233 Feb 19 02:07 meru.user-diagnostics.Dickens.2008-02-19.02-07-17.tar.gz
-rw-r--r--    1 root     root         3195 Feb 19 02:17 meru.user-diagnostics.Dickens.2008-02-19.02-17-17.tar.gz
-rw-r--r--    1 root     root         3064 Feb 21 00:50 meru.user-diagnostics.Dickens.2008-02-21.00-50-50.tar.gz
lrwxrwxrwx    1 root     root           28 Feb 21 00:50 mibs.tar.gz -> meru-3.6-46/mibs/mibs.tar.gz
-rw-r--r--    1 root     root        16778 Feb 21 00:50 pre-upgrade-config
-rw-r--r--    1 root     root        18549 Feb 21 00:53 script.log
-rw-r--r--    1 root     root        16427 Feb 21 00:53 startup-config
-rw-------    1 root     root         1915 Feb 21 00:50 upgrade.log

To view information about a file in a different directory, use the directory argument:

controller# dir ATS/scripts
total 4
-rwxr-xr-x    1 root     root           67 Feb 21  2008 dense-.scr
-rwxr-xr-x    1 root     root           25 Feb 21  2008 guard.scr
-rwxr-xr-x    1 root     root           82 Feb 21  2008 non-guard.scr
-rwxr-xr-x    1 root     root          126 Feb 21  2008 svp.scr

Changing to Another Directory

Use the cd command to navigate to another directory on the controller:

controller# cd backup

Use the pwd command to view the name of the current directory:

controller# pwd
backup

FortiWLC Managing Files Via the WebUI


Managing Files Via the WebUI

While local files can be managed via the CLI as well, the FortiWLC (SD) WebUI provides a convenient management interface from the Maintenance > File Management button. The File Management page contains separate tabs for the following types of files:

  • AP Init Script—Manages AP bootup scripts
  • Diagnostics—Contains diagnostic files
  • SD Versions—All software image files stored on the controller
  • Syslog—Stored Syslog data for the various components of the system

Refer to the sections below for additional details relating to each tab.

AP Init Script

The default tab selected when the user first navigates to the File Management system shows any scripts installed on the system designed to make small tweaks to APs upon bootup. See Figure 4 below.

Figure 4: AP Init Script Table

Users can perform various tasks for a given boot script by clicking the radio button alongside the desired script and clicking the necessary button from the bottom of the screen, as described in Table 3.

TABLE 3:

| Button | Action |
| --- | --- |
| Refresh | Refreshes the list of scripts shown. |
| New | Opens the Add/Edit window, which allows a user to create a new bootscript. |
| View | Opens a new window that shows the content of the boot script. |
| Edit | Allows the user to modify the selected script, including its commands as well as the name of the script itself. |
| Delete | Deletes the selected script. |
| Import | Opens up a window from which the user can browse for a local boot script file and upload it to the controller. Note: Only files with a ".txt" extension are permitted to be uploaded. |
| Export | Exports the selected script to the local machine. |

Diagnostics

The Diagnostics tab displays any diagnostic files that have been generated by the controller. These files are in compressed format, so once they are downloaded to the local machine, the user can decompress them and view the logs contained within.

Figure 5: Diagnostics Tab

Once decompressed, the diagnostic logs can be viewed using a standard text editor. To download a log file, simply click the radio button next to the desired file and click Export. The table below describes the functions performed by the buttons on the screen.

 

TABLE 4:

| Button | Action |
| --- | --- |
| Refresh | Refreshes the list of files shown. |
| Export | Exports the selected file to the local machine. |
| Delete | Deletes the selected file. |

Image

The Image tab allows the user to manage the FortiWLC (SD) image files stored on the controller. Since these files can be quite large, users may occasionally need to delete older images in order to perform system upgrades.

Figure 6: Image Tab

The following table details the buttons provided for managing system files.

TABLE 5:

| Button | Action |
| --- | --- |
| Refresh | Refreshes the list of files shown. |
| Import | Allows the user to upload an image file from the local machine onto the controller. Note: Controller image files must be in ".tar" format. |
| Delete | Deletes the selected file. |

Syslog

The Syslog tab provides an interface to easily view and manage Syslog files that have been generated and stored on the controller.

Figure 7: Syslog Tab

Syslog files are stored in “.log” format and can be viewed using a standard text editor. To download and view one, simply click the radio button alongside the desired file and click Export.

TABLE 6:

| Button | Action |
| --- | --- |
| Refresh | Refreshes the list of files shown. |
| Export | Allows the user to download and view the selected file. |

FortiWLC Working with Configuration Files


Working with Configuration Files

Configuration files direct the functions of the controller. Commands in the configuration file are parsed by the CLI and executed when the system is booted from the database, or when you enter commands at the CLI in a configuration mode. There are two types of configuration files used by the CLI:

  • The startup database file (startup-config) is executed at system startup.
  • The running configuration file (running-config) contains the current (running) configuration of the software.

The startup configuration file may be different from the running configuration file. For example, you might want to change the configuration, and then for a time period evaluate your changes before saving them to the startup configuration.

In this case, you would make the configuration changes using the configure terminal commands, but not save the configuration. When you were sure you wanted to permanently incorporate the changes, you would use the copy running-config startup-config EXEC command.

Changing the Running Configuration

The configure terminal EXEC command allows you to make changes to the running configuration. Commands are executed immediately, but are not saved. To save the changes, see “Changing the Startup Configuration.”

TABLE 7: Steps to Modify the Running Configuration

| Command | Purpose |
| --- | --- |
| controller# configure terminal | Enters global configuration mode. |
| controller(config)# ….. | Enter the commands you want to put in your running configuration. The CLI executes these commands immediately and also inserts them to the running configuration file. |
| controller# copy running-config startup-config | Saves the running configuration file as the startup configuration file. You must save the running configuration to the startup configuration file for your configuration changes to persist during a reboot. |
| controller(config)# end or controller(config)# Ctrl-Z | Ends the configuration session and exits EXEC mode. NOTE: You need to press the Ctrl and Z keys simultaneously. |
| controller(config)# Ctrl-C | Cancels any changes and reverts to the previous mode. |

Changing the Startup Configuration

To make your configuration changes persistent across reboots, use the copy running-config startup-config EXEC command to copy the running configuration to a startup configuration.

FortiWLC Manipulating System Files


Manipulating System Files

To manage the system files, you might want to transfer a configuration file to a remote system to back up the file, or obtain from a remote system an update or backup file. To access the remote system, you probably need a username and password. This section provides some example commands for performing these tasks.

Manipulating Files on a Network Server

To specify a file on a network server, use one of the following forms:

  • ftp://<username>:<password>@server/filename
  • scp://<username>:<password>@server/filename
  • sftp://<username>:<password>@server/filename
  • tftp://server/filename

The server can either be an IP address or host name. The username, if specified, overrides a username specified by the global configuration command ip ftp username. A password also overrides a password specified by the global configuration command ip ftp password.

The specified directory and filename are relative to the directory used for file transfers, or in absolute format.

The following example uses secure FTP to access the file named meru-3.7-config on a server named ftp.fortinet.com. This example uses the username admin and the password secret to access this server:

controller# copy sftp://admin:secret@ftp.fortinet.com/meru-3.7-config<space>.

For SCP (secure copy), replace the prefix sftp with scp.

Remote File Transfer Tasks

On a remote file system located on an FTP, SFTP, TFTP or SSH server, you can perform the following tasks:

  • Copy files to or from the controller using the copy command.
  • List the files in a given directory using the dir command.

Copying Files to a Remote Server

For example, to copy a backup image jun01.backup.mbu from the local directory images to a remote directory /home/backup on server server1, with user user1 using FTP, with the same remote filename, type:

controller# cd images
controller# dir
total 48
-rw-r--r-- 1 root root        15317 Jan  9 15:46 jun01.backup.mbu
controller# copy jun01.backup.mbu ftp://user1@server1/home/backup/.
FTP Password:
controller#

Type the password for user user1 at the FTP Password prompt. To use SCP instead of FTP:

controller# copy jun01.backup.mbu scp://user1@server1/home/backup/.

SCP Password:

Displaying a Remote Server’s Directory Contents

To display the contents of the remote directory /home/backup on the server server1, for the username user1 and password userpass, you can type:

controller# dir ftp://user1:userpass@server1/home/backup

If you only specify the user name but not the password, the CLI prompts you to enter the password:

controller# dir ftp://user1@server1/home/backup
FTP Password:

Setting a Remote Username and Password

The secure remote file transfer commands require a remote username and password on each request to a server. The CLI uses the user name and password specified in the dir or copy command to authenticate with the remote file servers.

If you do not want to type the user name and password for each secure remote file transfer command, you can set these values for the duration of your session using the ip ftp, ip sftp, or ip scp commands.

For example, to set the FTP user name to user1 and the FTP password to userpass, type:

controller# configure terminal
controller(config)# ip ftp username user1
controller(config)# ip ftp password userpass
controller(config)# ^Z
controller#

Likewise, to set the SCP user name to user1 and the SCP password to userpass, type:

controller# configure terminal
controller(config)# ip scp username user1
controller(config)# ip scp password userpass
controller(config)# ^Z
controller#

If you have set the FTP username and password as in the previous example, you can now type the following:

controller# dir ftp://server1/home/backup
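The URL forms in this section allow the password to be typed inline, where it ends up in terminal scrollback, session recordings and tickets, and FTP and TFTP carry traffic unencrypted. The Python below is an added example, not part of the FortiWLC documentation: it scans copy, dir and ip ... password command lines, reports inline passwords and unencrypted schemes, and returns a redacted line. The sample lines are constructed from the placeholder names used on this page (user1, userpass, server1); the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Remote-file URL schemes listed on this page; ftp and tftp are unencrypted.
TRANSFER_URL = re.compile(r"\b(?:ftp|sftp|scp|tftp)://\S+")
CLEARTEXT = {"ftp", "tftp"}
# Session-wide credentials, e.g. "ip ftp password userpass".
SESSION_PASSWORD = re.compile(r"\b(ip\s+(?:ftp|sftp|scp)\s+password)\s+(\S+)")


def audit_line(line):
    """Return (redacted_line, findings) for one CLI command line."""
    findings = []

    def redact_url(match):
        url = match.group(0)
        try:
            parts = urlsplit(url)
        except ValueError:
            findings.append("unparseable transfer URL")
            return url
        if parts.scheme in CLEARTEXT:
            findings.append(f"{parts.scheme} is unencrypted")
        if parts.password is None:
            return url
        findings.append("password embedded in URL")
        # Keep user and host[:port]; drop only the password.
        hostport = parts.netloc.rpartition("@")[2]
        netloc = f"{parts.username}@{hostport}"
        return urlunsplit(
            (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
        )

    def redact_session(match):
        findings.append("password given on the command line")
        return f"{match.group(1)} <redacted>"

    redacted = TRANSFER_URL.sub(redact_url, line)
    redacted = SESSION_PASSWORD.sub(redact_session, redacted)
    return redacted, findings


def audit_session(lines):
    """Return (line_number, redacted_line, findings) for every flagged line."""
    report = []
    for number, line in enumerate(lines, start=1):
        redacted, findings = audit_line(line)
        if findings:
            report.append((number, redacted, findings))
    return report


# Constructed sample session, modeled on the commands shown on this page.
SAMPLE_SESSION = [
    "controller# copy running-config ftp://user1:userpass@server1/jan01config",
    "controller# copy jun01.backup.mbu scp://user1@server1/home/backup/.",
    "controller# dir ftp://user1@server1/home/backup",
    "controller(config)# ip scp password userpass",
    "controller# dir tftp://server1/images",
]

if __name__ == "__main__":
    for number, redacted, findings in audit_session(SAMPLE_SESSION):
        print(f"line {number}: {redacted}")
        for finding in findings:
            print(f"    - {finding}")
```

The scp line with only a user name passes clean, because the CLI prompts for the password instead of taking it on the command line.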

All Time High Achieved!


We hit a total of 2942 visits yesterday! That is a record all time high for Fortinet GURU. The site is growing steadily and I am very excited about the new comments and interactions we have had as a result. Keep up the great community! I would love to help everyone that has questions!

FortiWLC Upgrading System Images


Upgrading System Images

The controller is shipped with a pre-installed system image, containing the complete FortiWLC (SD) software. This image is loaded when the controller boots. As new software releases become available, you may decide to upgrade the system image.

Each release is accompanied by a Release Notes file on the documentation CD, which includes procedures for upgrading different types of system configurations to the current release. Be sure to use the procedure included in the Release Notes when you choose to upgrade your system, as the Release Notes provide the most up-to-date procedures.

FortiWLC Summary of File System Commands


Summary of File System Commands

The following lists the available file system commands in privileged EXEC mode.

Command: controller> cd [filesystem]
Purpose: Sets the default directory on the Flash memory device. If no directory name is specified, this sets the default directory to images. Permitted directories are:
  • images: The directory containing upgrade images
  • ATS/scripts: The directory containing AP boot scripts
  • backup: The directory containing database backup images

Command: controller> pwd
Purpose: Displays the current working directory.

Command: controller> dir [filesystem:][filename]
Purpose: Displays a list of files on a file system. This can be one of the permitted directories given in the cd command or a remote directory referenced by an FTP URL.

Command: controller# delete filename
         controller# delete directory:filename
         controller# delete flash: image
Purpose: Deletes a file from the file system or deletes an upgrade image file from flash memory. The directory parameter can be used to delete a file from a different folder.

Command: controller# show flash
Purpose: Displays the versions of the image files contained in the controller's flash memory.

Command: controller# rename old new
Purpose: Renames a file from old to new.

Command: controller# show running-config
Purpose: Displays the contents of the running configuration file.

Command: controller# more running-config
Purpose: Displays the contents of the running configuration file. Alias for show running-config, but in contrast to that command, this one prompts the user to press a key to scroll the screen once it is filled. This allows the configuration to be shown a screen at a time, instead of scrolling all the way through instantly.

Command: controller# copy running-config ftp|sftp|scp:[[[//username:password]@location/directory]/filename]
Purpose: Copies the running configuration file to an FTP, SFTP, or SCP server, for example:
  controller# copy running-config ftp://user1:userpass@server1/jan01config
  controller# copy running-config scp://user1:userpass@server1/jan01-config

Command: controller# copy running-config startup-config
Purpose: Saves the running-configuration to the startup configuration to make it persistent. You should always do this after a set of configuration commands if you want your changes to persist across reboots.

Command: controller# reload ap [id] | all | controller | default
Purpose: Reboots the controller and/or the specified AP:
  • If the ap keyword is specified, all APs are rebooted, or if id is included, the AP with the identifier id is rebooted.
  • If the keyword all is specified, the Fortinet controller and all the APs are rebooted, using the current startup configuration.
  • If the keyword controller is specified, the controller is rebooted, using the current startup configuration.
  • If the keyword default is specified, the controller and all the APs are rebooted at the factory default startup configuration.

Command: controller# upgrade feature version
Purpose: Upgrades the system with the specified feature.

Command: controller# upgrade system version
Purpose: Upgrades the system image on the controller and all APs to the specified version.

Command: controller# upgrade ap version | same [id | range | all]
Purpose: Upgrades the access point image to the same version of system software that the controller is running.
  • id: Upgrades the access point with the specified ID to the same version of system software that the controller is running.
  • range: Upgrades a range of APs, specified as a list using commas and dashes, without spaces or wildcards. AP IDs must be listed in ascending order.
  • all: Upgrades all access point images to the same version of system software that the controller is running.

Command: controller# downgrade system version
Purpose: Downgrades the system image on the controller and all APs to the specified version. Note that when this command is executed, the user will be prompted to remove all local users and groups from the system.

Command: controller# run script
Purpose: Executes the named script. If the script is in the current directory, the relative path name is specified. Otherwise, the full path name must be specified. The script must be either in images, ATS/scripts, or backup.

FortiWLC Upgrading Patches


Upgrading Patches

In addition to providing options to install and un-install patches, you can now easily view more details about the contents of a patch and also get a history of the patches installed in the controller.

These new options are available via the controller WebUI and the CLI.

Using the WebUI

Patch management options are available in the Maintenance > File Management > Patches tab. If patch build files have been copied to the controller, they are listed on this page. For a specific option, select a patch file and click the option at the bottom of the page.

  1. List of Patches
  2. Patch History
  3. Patch Install

Using CLI

  1. show patches

Displays the list of patch builds copied to the controller.

#show patches
8.0-0dev-51-patch-bug1234 [installed]
8.0-0dev-50-patch-bug1234_bug1236
8.0-0dev-50-patch-bug1234
8.0-0dev-50-patch-2015.07.22-17h.12m.09s
8.0-0dev-50-patch-bug1234_bug1235
8.0-0dev-51-patch-bug1234_bug1235
8.0-0dev-51-patch-bug1234

  2. show patch installed

Displays the patch currently installed in the controller.

controller(15)# show patch installed
8.0-0dev-51-patch-bug1234

  3. show patch history

Displays the history of all the patches installed and uninstalled in the controller.

controller(15)# show patch history
2015:07:24 01:51:13: uninstalled 8.0-0dev-50-patch-bug1234 on build 8.0-0dev-51
2015:07:24 01:54:13: installed 8.0-0dev-51-patch-bug1234_bug1235 on build 8.0-0dev-51
2015:07:24 01:56:39: uninstalled 8.0-0dev-51-patch-bug1234_bug1235 on build 8.0-0dev-51
….<snipped>….
2015:07:24 14:54:50: uninstalled 8.0-0dev-51-patch-bug1234 on build 8.0-0dev-51

  4. show patch details <patch-name>

Displays the list of bug fixes available in this patch.

controller(15)# show patch details 8.0-0dev-50-patch-bug1234
8.0-0dev-50-patch-bug1234
patch is revertable
bugs:
  37405: summary of bug 37405
controller(15)#

  5. show patch contents <patch-name>

Displays the md5 sum of the patch build.

controller(15)# show patch contents 8.0-0dev-50-patch-bug1234
8.0-0dev-50-patch-bug1234
files:
  /opt/meru/etc/coord.config: 3d4c720265e21a53dfafe2a484e8bf11

  6. patch uninstall <patch-name>

Use this command to un-install the patch build from the controller.

controller(15)# patch uninstall 7.
Reverting from backup.
cp -f /data/.patch-backup//meru-8.0-0dev-51-patch-bug1234/coord.config /opt/meru/etc/coord.config
Reverting from backup done.
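The history and installed views can be checked against each other when auditing what is actually applied to a controller. The Python below is an added example, not FortiWLC code: it parses show patch history output in the format shown on this page, rejoins records wrapped across two lines, replays the install and uninstall events, and compares the result with show patch installed output. The sample text is constructed, the function names are hypothetical, and modelling the installed patches as a set is an assumption.

```python
import re
from datetime import datetime

# One record: "YYYY:MM:DD HH:MM:SS: installed|uninstalled <patch> on build <build>"
EVENT = re.compile(
    r"^(\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}): "
    r"(installed|uninstalled) (\S+) on build (\S+)$"
)


def normalise(text):
    """Map typographic hyphens left by PDF/HTML extraction to ASCII '-'."""
    return text.replace("\u2010", "-").replace("\u2011", "-")


def parse_history(text):
    """Return (events, unparsed) from 'show patch history' output."""
    logical = []
    for raw in normalise(text).splitlines():
        line = raw.strip()
        if not line or "#" in line:  # skip blanks and the echoed prompt line
            continue
        # Rejoin a record that was wrapped onto a second line.
        if logical and not EVENT.match(logical[-1]) and not EVENT.match(line):
            candidate = logical[-1] + " " + line
            if EVENT.match(candidate):
                logical[-1] = candidate
                continue
        logical.append(line)

    events, unparsed = [], []
    for line in logical:
        match = EVENT.match(line)
        if match:
            when = datetime.strptime(match.group(1), "%Y:%m:%d %H:%M:%S")
            events.append((when, match.group(2), match.group(3), match.group(4)))
        else:
            unparsed.append(line)  # e.g. a "<snipped>" marker: history is incomplete
    return events, unparsed


def replay(events):
    """Replay events in time order; return (installed_set, anomalies)."""
    installed, anomalies = set(), []
    for when, action, patch, _build in sorted(events, key=lambda e: e[0]):
        if action == "installed":
            installed.add(patch)
        elif patch in installed:
            installed.remove(patch)
        else:
            anomalies.append(
                f"{when:%Y-%m-%d %H:%M:%S} uninstall of {patch} "
                "without a recorded install"
            )
    return installed, anomalies


def reconcile(history_text, installed_text):
    """Compare replayed history with 'show patch installed' output."""
    events, unparsed = parse_history(history_text)
    expected, anomalies = replay(events)
    reported = {
        line.strip()
        for line in normalise(installed_text).splitlines()
        if line.strip() and "#" not in line
    }
    return {
        "history_only": sorted(expected - reported),
        "reported_only": sorted(reported - expected),
        "anomalies": anomalies,
        "unparsed": unparsed,
    }


# Constructed sample output (not captured from a controller). The last record
# is wrapped and uses U+2011 hyphens, as extracted documentation often does.
SAMPLE_HISTORY = """controller(15)# show patch history
2015:07:24 01:40:02: installed 8.0-0dev-51-patch-bug1234 on build 8.0-0dev-51
2015:07:24 01:51:13: uninstalled 8.0-0dev-51-patch-bug1234 on build 8.0-0dev-51
2015:07:24 01:52:40: uninstalled 8.0-0dev-50-patch-bug1234 on build 8.0-0dev-51
....<snipped>....
2015:07:24 01:54:13: installed 8.0\u20110dev\u201151\u2011patch\u2011bug1234_bug1235 on build
8.0\u20110dev\u201151
"""
SAMPLE_INSTALLED = """controller(15)# show patch installed
8.0-0dev-51-patch-bug1234
"""

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_HISTORY, SAMPLE_INSTALLED).items():
        print(f"{key}: {value}")
```

Any entry under history_only, reported_only or unparsed means the two views disagree or the history is incomplete, and the difference should be explained before the patch state is trusted.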

 

Happy Easter Weekend


I hope you all enjoy the weekend with your families. May your firewalls stay up and your backups be complete and functional if restore is necessary!


FortiWLC Configure Basic Controller Parameters During Setup


Configure Basic Controller Parameters During Setup

These basic controller parameters are configured by someone with Level 15 permission, using the interactive setup script that sets up every new controller:

  • Country setting
  • Controller location
  • Hostname
  • Passwords for admins and guests
  • Dynamic IP address or a static IP address and netmask
  • Time zone
  • DNS server names
  • Gateway server name
  • Network Time Protocol server

To start the setup script, at the Privileged EXEC prompt, type setup. Refer to the “Initial Setup” chapter of the FortiWLC (SD) Getting Started Guide for an example session using the setup command.

FortiWLC Configure Controller Parameters From the Web UI


Configure Controller Parameters From the Web UI

To reconfigure an existing controller, click Configuration > Devices > Controller > [select a controller] > Settings. The following parameters can be configured from the Web UI with Level 10 permission:

  • Information for recognizing and tracking controllers such as the Description, Location, and Contact person
  • Whether or not APs should be Automatically Upgraded by a controller
  • DHCP Server address and DHCP Relay Passthrough (whether or not packets are actually passed to the DHCP server)
  • Statistics Polling Period and Audit Polling Period, which affect how often a controller refreshes data
  • Default AP Initialization Script (bootscript) that runs on APs with no other script specified
  • Controller Index number used for identification (Note that changing this initiates a controller reboot.)
  • Whether or not the controller will interact with the AeroScout Location Engine and associated APs will interact with AeroScout Tags to provide real-time asset tracking
  • Whether or not Fastpath Mode is used. Fastpath Mode accelerates the rate that packets move through the Ethernet interface based on identification of an IP packet stream. When FastPath is enabled, the beginning of the IP packet stream is processed by the controller, and all subsequent packets of the same stream are forwarded according to the disposition of the initial packets, without being processed by the controller. This offloads a significant amount of processing from the controller.
  • Bonding Mode affects MC4200, MC5000, and MC6000 models. Single Bonding combines all Ethernet ports into one port for accelerated throughput. Dual Bonding configures two ports for the controller.

  • Virtual Cell for AP400, or AP1000 is not determined by any controller setting.
  • Whether or not Dynamic Frequency Selection (DFS) is enforced. For installations within the United States, enforcing DFS means that channels 52-64 (5.25-5.35 GHz), 100-116 (5.47-5.725 GHz), and 136-140 (5.68-5.70 GHz) conform to DFS regulations, protecting radar from interference on these channels.
  • The number of minutes of station inactivity that causes a client to time out is set by the Station Aging Out Period.

Configure UDP Broadcast with Web UI

You can enable all UDP ports at once with the Web UI commands for upstream and downstream traffic. Fortinet does not recommend that you enable this feature on a production network because it could cause broadcast storms that lead to network outages. This feature is provided for testing purposes only.

You need to assign each ESS (see the chapter “Configuring an ESS.”) to a specific VLAN (see the chapter “Configuring VLANs.”) before enabling all UDP broadcast ports. Having multiple ESSs in the default VLAN and enabling all UDP broadcast ports does not work.

To configure UDP broadcast upstream/downstream for all ports, follow these steps:

  1. Click Configuration > Devices > System Settings.
  2. Click the tab UDP Broadcast Ports.
  3. Determine the type of UDP Broadcast mode you wish to configure (Tunnel Mode or Bridge Mode) and click that Tab.
  4. Click Add.
  5. Check the type of UDP Broadcast rule you wish to configure, Upstream or Downstream.
  6. Enter a UDP Port Number in the range 1-65355 and then click Save. The port number now appears in the UDP Broadcast Port list.

Perform the above steps for as many ports as desired.

What’s New In FortiOS 6

Security Fabric

This section introduces new Security Fabric features in FortiOS 6.0.

Security Fabric Automation

User-defined Automations allow you to improve response times to security events by automating the activities between devices in the Security Fabric. You can monitor events from any source in the Security Fabric and set up action responses to any destination. To create an Automation, you can set up a Trigger event and response Actions that cause the Security Fabric to respond in a predetermined way. From the root FortiGate, you can set up event triggers for the following event types: compromised host, event log, reboot, conserve mode, high CPU, license expiry, High Availability (HA) failover, and configuration changes. The workflows have the means to launch the following actions in response: email, FortiExplorer notification, AWS Lambda and webhook. Additional actions are available for compromised hosts, such as: access layer quarantine, quarantine FortiClient via EMS, and IP ban.

For more information, see the Security Fabric Handbook.

Security Rating

The Security Rating feature (previously called the Security Fabric Audit) includes new security checks that can help you make improvements to your organization’s network, such as enforce password security, apply recommended login attempt thresholds, encourage two factor authentication, and more.

For more information, see the Fortinet Recommended Security Best Practices document.

Security Rating FortiGuard service

Security Rating is now a subscription service that FortiGuard offers when you purchase a Security Rating license. This service allows you to:

  • Dynamically receive updates from FortiGuard.
  • Run Security Rating checks for each licensed device in a Security Fabric.
  • Run Security Rating checks in the background or on demand.
  • Submit rating scores to FortiGuard and receive rating scores from FortiGuard, for ranking customers by percentile.

For more information, see the Security Fabric Handbook.

Solution and service integration

In FortiOS 6.0, the Security Fabric extends to include more Fortinet products.

 

Wireless user quarantine

When you create or edit an SSID, you can enable the Quarantine Host option to quarantine devices that are connected in Tunnel-mode. The option to quarantine a device is available from the Topology and FortiView WiFi pages.

When a host is put into quarantine VLAN, it will get its IP from the quarantine VLAN’s DHCP server, and become part of the quarantined network.

For more information, see the FortiWiFi and FortiAP Configuration Guide.

Fortinet products can join the Security Fabric by serial number

Fortinet products can now easily and securely join the Security Fabric using an authorized device serial number.

To learn how to allow a Fortinet product to join your Security Fabric, see the Security Fabric Handbook.

FortiMail integration

You can now add a FortiMail stats widget to the FortiGate Dashboard page to show mail detection stats from FortiMail. Other FortiMail integrations include the following:

  • A FortiMail section that displays the FortiMail name, IP address, login and password is now available in the Security Fabric Settings page.
  • FortiMail is now shown as a node in the topology tree view in the Fabric Settings page and in the Physical Topology and Logical Topology views.
  • The topology views now show the number of FortiMail devices in the Security Fabric in the device summary.

For more information, see the Security Fabric Handbook.

Synchronize the FortiManager IP address among all Security Fabric members

When you add a FortiManager to the Root FortiGate of the Security Fabric, its configuration is now automatically synchronized with all devices in the Security Fabric. Central management features are now configured from the Security Fabric Settings page.

For more information, see the Security Fabric Handbook.

Improve FortiAP and FortiSwitch support in Security Fabric views

The Security Fabric widget on the dashboard and the Security Fabric Settings page now show the FortiAP and FortiSwitch devices in the Security Fabric.

  • You can now use new shortcuts to easily authorize any newly discovered devices and manage them.
  • Switch stacking is now supported in the Physical and Logical topology views, and Inter-switch Link (ISL-LAG) is now identified by a thicker single line.

For more information, see the Security Fabric Handbook.

 

EMS server support in Security Fabric topology

The FortiClient Endpoint Management System (EMS) can be enabled in FortiClient Endpoint profiles. This feature allows you to maintain FortiClient endpoint protection from FortiClient EMS and dynamically push configuration changes from the EMS to FortiClient endpoints. EMS server support is also integrated with Security Fabric Automation.

For more information, see the Security Fabric Handbook.

Multi-cloud support (Security Fabric connectors)

Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration. Security Fabric connectors allow you to integrate Application Centric Infrastructure (ACI), Amazon Web Services (AWS), Microsoft Azure, VMware NSX, and Nuage Virtualized Services Platform configurations into the Security Fabric.

Additionally, Cloud init support for Azure is now native to the cloud. FortiGate VM for Azure also supports bootstrapping.

For more information, see the Security Fabric Handbook and the Virtual FortiOS Handbook.

 

Manageability

This section introduces new manageability features in FortiOS 6.0.

Asset tagging

You can use the new Asset Tagging system to create tags to separate and categorize network objects, interfaces, and devices. Tags are flexible, easy to configure, and useful for comprehensive monitoring, audit reporting, and more.

For more information, see the System Administration Handbook.

FortiSwitch network assisted device detection and destination name resolution

Device detection now extends to managed FortiSwitches since some devices may not be visible to the FortiGate that manages them. Devices that are connected to a FortiSwitch are more visible to the FortiGate that manages them and to the Security Fabric.

FortiSwitch destination name resolution clearly presents destination objects and the aggregation of related IP addresses with domains. It also applies Internet service data base (ISDB) mapping for destination data.

For more information, see the Managing Devices Handbook and the FortiSwitch Devices Managed by FortiOS 6.0 Handbook.

Global security profiles

Global Security Profiles can be used by multiple VDOMs instead of creating identical profiles for each VDOM. You can create global security profiles for the following security features:

  • Antivirus
  • Application control
  • Data leak prevention
  • Intrusion protection
  • Web filtering

For more information, see the Virtual Domains handbook.

 

Networking

This section introduces new Networking features in FortiOS 6.0.

SD-WAN improvements

FortiOS 6.0 introduces the following SD-WAN features:

  • Multiple server support for health checks
  • Internet service groups
  • Bandwidth options in SD-WAN rules
  • Custom profiles in SD-WAN rules
  • DSCP tagging of forwarded packets in SD-WAN rules

For more information, see the Networking Handbook.

Multipath intelligence and performance SLAs

SD-WAN performance Service-Level Agreements (SLAs) incorporate multilayer SLA monitoring of link selection. To help handle emergency load or outages you can select links based on weight and SLA priority and then return to defaults once the network stabilizes. Also, traffic shaping and application intelligence have been added to the SD-WAN configuration, which gives you more control of SD-WAN traffic.

For more information, see the Networking Handbook.

Application awareness

You can now use application control and application control group options in SD-WAN rules.

Internet Service support is also increased from a single Internet Service to Internet Service groups.

For more information, see the Networking Handbook.

BGP dynamic routing and IPv6 support for SD-WAN

FortiOS 6.0 introduces support for dynamic routing in an SD-WAN configuration. You can set up a route map and add a route tag to the route map. Then, you can create an SD-WAN configuration, a health check, and a service for it. When you create the service, you add the route tag that you created in the route map to the service.

For more information, see the Networking Handbook.

Interface-based traffic shaping

In FortiOS 6.0, you can now enable traffic shaping on an interface. Interface-based traffic shaping allows you to enforce bandwidth limits by traffic type for individual interfaces.

For more information, see the Traffic Shaping Handbook.

 

Cloud-assisted One-Click VPN

One-Click VPN (OCVPN) is a cloud-based solution that greatly simplifies the provisioning and configuration of IPsec VPN. The administrator enables OCVPN with a single click, adds the required subnets, and then the configuration is complete. The OCVPN updates each FortiGate automatically as devices join and leave the VPN, as subnets are added and removed, when dynamic external IP addresses change (for example, DHCP or PPPoE), and when WAN interface bindings change (as in the case of dual WAN redundancy).

For more information, see the IPsec VPN Handbook.

IPv6 enhancements

The following new IPv6 features have been added.

  • IPv6 captive portal
  • IPv6 FQDN and wildcard firewall addresses
  • IPv6 ISIS dynamic routing
  • DHCPv6 server prefix delegation
  • IPv6 DFD and VRRP

For more information, see the Firewall Handbook.

NAT enhancements

The following new NAT features have been added.

  • Central source NAT (SNAT) policies now include a comment field
  • Port block allocation timeout is configurable
  • NAT 46 IP Pools
  • VRRP HA supports firewall virtual IPs (VIPs) and IP pools

For more information, see the Firewall Handbook.

EMAC-VLAN support

The media access control (MAC) virtual local area network (VLAN) feature in Linux allows you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.

For more information, see the Networking Handbook.

 

Security

This section introduces new security features in FortiOS 6.0.

FortiGuard virus outbreak prevention

FortiGuard virus outbreak prevention is an additional layer of protection that keeps your network safe from newly emerging malware. Quick virus outbreaks can infect a network before signatures can be developed to stop them. Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard.

For more information, see the Security Profiles Handbook.

FortiGuard content disarm and reconstruction

Content Disarm and Reconstruction (CDR) removes exploitable content and replaces it with content that’s known to be safe. As files are processed through an enabled AntiVirus profile, content that’s found to be malicious or unsafe is replaced with content that allows the traffic to continue, but doesn’t put the recipient at risk.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (such as, HTTP web download, SMTP email send, IMAP and POP3 email retrieval—MAPI isn’t supported).

This feature works even if FortiSandbox is not configured, but only if you want to discard the original file. If FortiSandbox is configured and it responds that the file is clean, it passes the content unmodified.

For more information, see the Security Profiles Handbook.

Application groups for NGFW policies

When a FortiGate operates in NGFW policy mode, you can create application groups when you add NGFW policies. Then, when you add IPv4 or IPv6 policies you can create application groups to simplify policy creation.

For more information, see the Firewall Handbook.

Application control rule sequencing

To have more control over application control outcomes, you can control the order that application signatures appear in application control sensors. Signatures for applications that are more sensitive can appear higher in the list so they get matched first.

For more information, see the Security Profiles Handbook.

 

External dynamic block lists

This feature introduces the ability to dynamically import external block lists from an HTTP server. You can use the block lists to enforce special security requirements that your organization has. This can include long term policies to always block access to some websites or short time requirements to block access to known compromised locations. Since the lists are dynamically imported any changes made to the list are instantly imported by FortiOS. Dynamic block lists can be added to:

  • Web Filter profiles and SSL inspection exemptions.
  • DNS Filter profiles and “Source/Destination” addresses in proxy policies.

In each profile, the administrator can configure multiple external block lists.

For more information, see the Security Profiles Handbook.

FortiWLC Configure Controller Parameters From the CLI

Configure Controller Parameters From the CLI

Reset System and System Passwords from the CLI

The passwords for the system users “admin” and “guest” can be reset to their default values during a system boot. When the controller prompt “accepting reset request” displays, type pass to reset the passwords.

To reset the settings for the entire system to their default values, type reset at the reset system values prompt.

Limit Wireless Client Access to the Controller From the CLI

Administrators wishing to block access to the controller management utilities for wireless clients can do so with the no management wireless command. When wireless management access is blocked, all packets sent to the controller by wireless clients are dropped except for those used for Captive Portal.

To remove wireless access to the controller, enter the command:

controller(config)# no management wireless

To check the management status, use the show controller command. The line near the bottom of the output, Management by wireless stations: will show either an on or off value.

mc3200# show controller

Global Controller Parameters

Controller ID : 1

Description : controller

Host Name : MC3200

Uptime : 05d:17h:10m:59s

Location :

Contact :

Operational State : Enabled

Availability Status : Online

Alarm State : Major

Automatic AP Upgrade : on

Virtual IP Address : 172.29.0.137

Virtual Netmask : 255.255.192.0

Default Gateway : 172.29.0.1

DHCP Server : 10.0.0.240

Statistics Polling Period (seconds)/0 disable Polling : 60

Audit Polling Period (seconds)/0 disable Polling : 60

Software Version : 6.0.SR1‐4

Network Device Id : 00:90:0b:23:2e:d3

System Id : 08659559054A

Default AP Init Script :

DHCP Relay Passthrough : on

Controller Model : MC3200

Region Setting : Unknown

Country Setting : United States Of America

Manufacturing Serial # : 4911MC32009025

Management by wireless stations : on

Controller Index : 0

FastPath Mode : on

Bonding Mode : single

Station Aging Out Period(minutes) : 2

Roaming Domain State : disable

Layer3 Routing Mode : off

To re-enable access to wireless clients, use the management wireless command:

controller(config)# management wireless

Limit Wired Client Access to the Controller With QoS Rules

To control access to the controller from wired network devices, you can configure rule-based IP ACL lists using the qosrules command. This section provides qosrule examples for several types of configurations.

The following is an example that blocks management access (on TCP and UDP) to the controller (at 192.168.1.2) for all devices except the host at 192.168.1.7. Notice that match tags are enabled when srcip, dstip, srcport, dstport, netprotocol, or packet min-length is configured for a rule.

Allow the host 192.168.1.7 to access the controller with TCP/UDP:

controller(config)# qosrule 20 netprotocol 6 qosprotocol none

controller(config-qosrule)# netprotocol-match

controller(config-qosrule)# srcip 192.168.1.7

controller(config-qosrule)# srcip-match

controller(config-qosrule)# srcmask 255.255.255.255

controller(config-qosrule)# dstip 192.168.1.2

controller(config-qosrule)# dstip-match

controller(config-qosrule)# dstmask 255.255.255.255

controller(config-qosrule)# action forward

controller(config-qosrule)# end

controller(config)# qosrule 21 netprotocol 17 qosprotocol none

controller(config-qosrule)# netprotocol-match

controller(config-qosrule)# srcip 192.168.1.7

controller(config-qosrule)# srcip-match

controller(config-qosrule)# srcmask 255.255.255.255

controller(config-qosrule)# dstip 192.168.1.2

controller(config-qosrule)# dstip-match

controller(config-qosrule)# dstmask 255.255.255.255

controller(config-qosrule)# action forward

controller(config-qosrule)# end

The following qosrules allow wireless clients to access the controller on TCP ports 8080/8081 if using the Captive Portal feature.

controller(config)# qosrule 22 netprotocol 6 qosprotocol none

controller(config-qosrule)# netprotocol-match

controller(config-qosrule)# srcip <subnet of wireless clients>

controller(config-qosrule)# srcip-match

controller(config-qosrule)# srcmask <netmask of wireless clients>

controller(config-qosrule)# dstport-match on

controller(config-qosrule)# dstip 192.168.1.2

controller(config-qosrule)# dstip-match

controller(config-qosrule)# dstmask 255.255.255.255

controller(config-qosrule)# dstport 8080

controller(config-qosrule)# action forward

controller(config-qosrule)# end

controller(config)# qosrule 23 netprotocol 6 qosprotocol none

controller(config-qosrule)# netprotocol-match

controller(config-qosrule)# srcip <subnet of wireless clients>

controller(config-qosrule)# srcmask <netmask of wireless clients>

controller(config-qosrule)# dstport-match on

controller(config-qosrule)# dstip 192.168.1.2

controller(config-qosrule)# dstip-match

controller(config-qosrule)# dstmask 255.255.255.255

controller(config-qosrule)# dstport 8081

controller(config-qosrule)# action forward

controller(config-qosrule)# end

The following qosrules block all hosts from accessing the Controller using TCP/UDP.

controller(config)# qosrule 24 netprotocol 6 qosprotocol none

controller(config-qosrule)# netprotocol-match

controller(config-qosrule)# dstip 192.168.1.2

controller(config-qosrule)# dstip-match

controller(config-qosrule)# dstmask 255.255.255.255

controller(config-qosrule)# action drop

controller(config-qosrule)# end

controller(config)# qosrule 25 netprotocol 17 qosprotocol none

controller(config-qosrule)# dstip 192.168.1.2

controller(config-qosrule)# dstip-match

controller(config-qosrule)# dstmask 255.255.255.255

controller(config-qosrule)# action drop

controller(config-qosrule)# end
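The rule set above, modelled as an added Python example (not Fortinet code or controller output) so its effect on sample packets can be checked offline before it is applied. It assumes rules are evaluated in ascending rule ID with the first match deciding, and uses a constructed 10.10.0.0/255.255.0.0 network in place of <subnet of wireless clients>; QosRule, decide and misordered are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1                 # IP protocol numbers (netprotocol values)
CONTROLLER = "192.168.1.2"                # controller address from the page's example
ADMIN = "192.168.1.7/255.255.255.255"     # permitted management host from the page
WLAN = "10.10.0.0/255.255.0.0"            # constructed stand-in for the wireless subnet


@dataclass(frozen=True)
class QosRule:                            # hypothetical model, not a FortiWLC API
    rule_id: int
    netprotocol: int
    action: str                           # "forward" or "drop"
    src: Optional[str] = None             # "ip/mask"; None means srcip is not matched
    dst: Optional[str] = None             # "ip/mask"; None means dstip is not matched
    dstport: Optional[int] = None         # None means dstport is not matched

    def matches(self, proto, src_ip, dst_ip, dst_port):
        if proto != self.netprotocol:
            return False
        for net, addr in ((self.src, src_ip), (self.dst, dst_ip)):
            if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return self.dstport is None or self.dstport == dst_port


DST = CONTROLLER + "/255.255.255.255"
RULES = [                                 # qosrules 20-25 as listed on the page
    QosRule(20, TCP, "forward", src=ADMIN, dst=DST),
    QosRule(21, UDP, "forward", src=ADMIN, dst=DST),
    QosRule(22, TCP, "forward", src=WLAN, dst=DST, dstport=8080),
    QosRule(23, TCP, "forward", src=WLAN, dst=DST, dstport=8081),
    QosRule(24, TCP, "drop", dst=DST),
    QosRule(25, UDP, "drop", dst=DST),
]


def decide(rules, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, rule_id) of the first matching rule in ascending ID order
    (the assumed evaluation order), or ("no-match", None) if no rule applies."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.action, rule.rule_id
    return "no-match", None


def misordered(rules):
    """Same rules, but with the drop rules renumbered below the forward rules."""
    return [QosRule(r.rule_id - 20, r.netprotocol, r.action, r.src, r.dst, r.dstport)
            if r.action == "drop" else r for r in rules]


if __name__ == "__main__":
    probes = [                            # constructed test packets
        ("admin host, TCP 443", TCP, "192.168.1.7", 443),
        ("other wired host, TCP 443", TCP, "192.168.1.50", 443),
        ("wireless client, TCP 8080", TCP, "10.10.3.4", 8080),
        ("wireless client, TCP 22", TCP, "10.10.3.4", 22),
        ("other wired host, ICMP", ICMP, "192.168.1.50", None),
    ]
    for label, proto, src, port in probes:
        print(f"{label:28} -> {decide(RULES, proto, src, CONTROLLER, port)}")
    print("admin host with drops first  ->",
          decide(misordered(RULES), TCP, "192.168.1.7", CONTROLLER, 443))
```

The ICMP probe returns no-match: rules 20 to 25 constrain only TCP and UDP, so the handling of other protocols depends on the controller's behaviour for unmatched traffic, which the page does not state.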

Configuring UDP Broadcast From the CLI

You can enable all UDP ports at once with the CLI commands for upstream and downstream traffic. Fortinet does not recommend that you enable this feature on a production network because it could cause broadcast storms that lead to network outages. This feature is provided for testing purposes only.

You need to assign each ESS (see the chapter “Configuring an ESS.”) to a specific VLAN (see the chapter “Configuring VLANs.”) before enabling all UDP broadcast ports. Having multiple ESSs in the default VLAN and enabling all UDP broadcast ports does not work.

To configure UDP broadcast upstream/downstream for all ports, use these two CLI commands:

default# configure terminal

default(config)# ip udp-broadcast upstream all-ports selected

default(config)# ip udp-broadcast downstream all-ports on

default(config)# end

To display configured UDP broadcast upstream/downstream for all ports, use these two CLI commands:

default# show ip udp‐broadcast upstream all‐ports

Upstream UDP Broadcast All Ports

UDP All Ports : on

default#

default# show ip udp‐broadcast downstream all‐ports

Downstream UDP Broadcast All Ports

UDP All Ports : selected

default#

To view the currently configured broadcast ports for either upstream or downstream, use show ip udp-broadcast [downstream/downstream-bridged/upstream/upstream-bridged].
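A configuration check covering the two settings discussed above (management by wireless stations, and UDP broadcast on all ports), as an added Python example rather than Fortinet tooling. The sample outputs are constructed from fields shown on this page, and reading "selected" as "only the configured ports" is an assumption; parse_fields and audit are hypothetical names.

```python
import re

# Constructed sample: fields copied from the `show controller` output on this page.
SHOW_CONTROLLER = """\
mc3200# show controller
Global Controller Parameters
Controller ID : 1
Host Name : MC3200
Uptime : 05d:17h:10m:59s
Location :
Network Device Id : 00:90:0b:23:2e:d3
Statistics Polling Period (seconds)/0 disable Polling : 60
Management by wireless stations : on
FastPath Mode : on
"""

# Constructed samples of `show ip udp-broadcast <direction> all-ports`.
SHOW_UDP_UP = "Upstream UDP Broadcast All Ports\nUDP All Ports : on\n"
SHOW_UDP_DOWN = "Downstream UDP Broadcast All Ports\nUDP All Ports : selected\n"

# Split on the FIRST colon only: values such as the MAC address and the uptime
# contain colons themselves, and some fields (Location) have an empty value.
FIELD = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_fields(text):
    """Turn 'Name : value' lines into a dict; titles and prompts are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit(show_controller, udp_outputs):
    """Return a list of (check, state) findings.

    state is "on" when the risky setting is enabled and "unknown" when the field
    is missing from the output, so an unparsed setting is never reported as safe.
    udp_outputs maps a direction name to the matching show command output.
    """
    findings = []
    mgmt = parse_fields(show_controller).get("Management by wireless stations")
    if mgmt is None:
        findings.append(("management-wireless", "unknown"))
    elif mgmt.lower() == "on":
        findings.append(("management-wireless", "on"))

    for direction, text in udp_outputs.items():
        state = parse_fields(text).get("UDP All Ports")
        if state is None:
            findings.append((f"udp-broadcast-{direction}", "unknown"))
        elif state.lower() == "on":          # assumption: "selected" = listed ports only
            findings.append((f"udp-broadcast-{direction}", "on"))
    return findings


if __name__ == "__main__":
    results = audit(SHOW_CONTROLLER,
                    {"upstream": SHOW_UDP_UP, "downstream": SHOW_UDP_DOWN})
    for check, state in results:
        print(f"{check}: {state}")
```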

Configure Time Services From the CLI

We recommend that you configure controllers to synchronize their system clock with a Network Time Protocol (NTP) server. This ensures the system time is accurate and standardized with other systems. Accurate and standardized system time is important for alarms, traces, syslog, and applications such as cryptography that use timestamps as a parameter for key management and lifetime control. An accurate clock is also necessary for intrusion detection, isolation and logging, as well as network monitoring, measurement, and control.

During the initial system configuration, the setup script prompts for an IP address of an NTP server. If you do not supply an IP address of an NTP server at that time, or if you wish to change an assigned server at a later time, you can use the ntp server followed by the ntp sync commands.

  • To set up automatic periodic synchronizing with the configured NTP server, use the command start-ntp.

There are several NTP servers that can be designated as the time server. The site www.ntp.org provides a list of servers that can be used.

To set a server as an NTP server, use the command:

ntp server ip-address

where ip-address is the IP address of the NTP server providing clock synchronization.

Configure a Controller Index with the CLI

To configure a controller index from the CLI, use the following commands:

ramecntrl(0)# configure terminal

ramecntrl(0)(config)# controller-index 22

ramecntrl(0)(config)# exit

Note that changing the index causes a controller to reboot.

FortiWLC Configuring FortiWLM Location Manager

Configuring FortiWLM Location Manager

Location Manager is supported by release 3.7 and later.

Configuring with the CLI

This example creates a packet-capture-profile named Location on a controller and then forwards the captured packets directly from AP 16 to Location Manager on port #9177. Port 9177 is the port where Location Manager is listening for incoming packets in L3 mode.

MC3K‐1#

MC3K‐1# configure terminal

MC3K‐1(config)# packet‐capture‐profile Location

MC3K‐1(config‐pcap)# mode l3 destination‐ip 1.1.1.1 port 9177

MC3K‐1(config‐pcap)# ap‐list 16

MC3K‐1(config‐pcap)# exit

MC3K‐1(config)# exit

MC3K-1# show packet-capture-profile Location

AP Packet Capture profiles

Packet Capture Profile Name             : Location

Packet Capture profile Enable/Disable   : off

Modes Allowed L2/L3                     : l3

Destination IP Address                  : 1.1.1.1

UDP Destination Port                    : 9177

Destination MAC for L2 mode             : 00:00:00:00:00:00

Rx only/Tx only/Both                    : rx

Rate Limiting per station or cumulative : station

Token Bucket Rate                       : 10

Token Bucket Size                       : 10

AP Selection                            : 16

Extended Filter String                  :

Interface List                          :

Packet Truncation Length                : 82

Rate Limiting                           : off

Capture frames sent by other APs in the network : on

MC3K-1#

For a detailed explanation of the packet capture profile commands, see the Troubleshooting chapter of the FortiWLC (SD) Configuration Guide.
