Firewall (5.6)
New firewall features added to FortiOS 5.6.
Optimization of the firewall Service cache (355819)
In order to improve the efficiency and performance of the firewall Service cache, the following improvements have been made:
- The logic behind the structure of the cache has been simplified. Instead of storing ranges of port numbers, each individual port number is stored in the cache.
- Separate caches are created for each VDOM so that cache searches are faster.
- The performance of the more frequently used cases has been increased.
- Hash tables are used to improve the performance of complex cases. These could include such instances as:
  - service names tied to specific IP ranges
  - redefinition (one port number with multiple service names)
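The following is an added illustration of the cache design described above, not FortiOS code: port ranges are expanded into one hash entry per port, each VDOM gets its own table, and the hash entries carry both redefined service names and services bound to an IP range. The VDOM names, service names and subnets are constructed samples.

```python
"""Per-VDOM firewall service cache keyed by individual port.

Added illustration, not FortiOS code: it models the design described
above (one entry per port instead of port ranges, a separate cache per
VDOM, hash tables for services bound to IP ranges and for ports that
several services redefine). All service definitions are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class ServiceCache:
    def __init__(self):
        # vdom -> (proto, port) -> [(service_name, ip_network or None), ...]
        self._vdoms = defaultdict(lambda: defaultdict(list))

    def add_service(self, vdom, name, proto, port_ranges, iprange=None):
        net = ip_network(iprange) if iprange else None
        table = self._vdoms[vdom]
        # Expand each range into per-port entries: a lookup is then one
        # hash hit on (proto, port) instead of a scan over all ranges.
        for lo, hi in port_ranges:
            for port in range(lo, hi + 1):
                table[(proto, port)].append((name, net))

    def lookup(self, vdom, proto, port, dst_ip=None):
        """Return every service name matching the packet in this VDOM."""
        entries = self._vdoms.get(vdom, {}).get((proto, port), [])
        names = []
        for name, net in entries:
            # IP-range-bound services only match when dst_ip lies inside the range.
            if net is None or (dst_ip is not None and ip_address(dst_ip) in net):
                names.append(name)
        return names


def build_sample_cache():
    """Constructed sample: two VDOMs, one redefined port, one IP-bound service."""
    cache = ServiceCache()
    cache.add_service("root", "HTTP", "tcp", [(80, 80)])
    cache.add_service("root", "HTTPS", "tcp", [(443, 443)])
    cache.add_service("root", "WEB-ALT", "tcp", [(8000, 8010)])
    # Same port 443 under a second name, restricted to a management subnet.
    cache.add_service("root", "MGMT-HTTPS", "tcp", [(443, 443)], "10.0.0.0/24")
    cache.add_service("dmz", "HTTPS", "tcp", [(443, 443)])
    return cache
```

A lookup for tcp/443 to a 10.0.0.0/24 destination in the root VDOM returns both HTTPS and MGMT-HTTPS, while the same port in the dmz VDOM returns only HTTPS.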
New CLI option to prevent packet order problems for sessions offloaded to NP4 or NP6 (365497)
To prevent packets from being processed out of order on a FortiGate handling a heavy traffic load, a new setting has been added to better control the timing of pushing packets to the NP units.
The new option, delay-tcp-npc-session, has been added in the context of config firewall policy within the CLI:
    config firewall policy
        edit <Integer for policy ID>
            set delay-tcp-npc-session
        end
This option may not be available on units that do not use NP units.
GUI changes to Central NAT (371516)
The Central NAT configuration interface now prevents accidentally selecting both “all” and “none” as objects for the same field. It only allows a single IP pool to be selected, though it is still possible to select multiple IP pools within the CLI.
Max value for Firewall User authentication changed (378085)
Previously, the maximum time that a member of a firewall user group could remain authenticated without any activity was 24 hours (1440 minutes). The maximum value for this setting has been changed to 72 hours (4320 minutes). This allows someone to log in and not be kicked off the system due to inactivity over the course of a weekend.
The CLI syntax for configuring this setting is:
    config user group
        edit <name of user group>
            set authtimeout 4320
        end
Changes to default SSL inspection configuration (380736)
SSL is such a big part of normal traffic that SSL certificate inspection is no longer disabled by default. SSL inspection is now mandatory in both the CLI and GUI wherever it is applicable, and the default setting is the Certificate Inspection level. As a result there have been a few changes within the CLI and the GUI.
CLI
The setting SSL-SSH-Profile is a required option, with the default value being “certificate-inspection”, when it is applicable in the following tables:
- profile-group
- firewall.policy
- firewall.policy6
- firewall.explicit-proxy-policy
The following default profiles are read-only:
- certificate-inspection
- deep-ssl-inspection
GUI
IPv4/IPv6 Policy and Explicit Proxy Policy edit window
- The configuration and display setup for SSL/SSH Inspection is now similar to the “profile-protocol-option” option
- The disable/enable toggle button is no longer available for the Profile Protocol Option
- The default profile is set to “certificate-inspection”
IPv4/IPv6 Policy, Explicit Proxy Policy list page
- There is validation for SSL-SSH-Profile when configuring UTM profiles
SSL/SSH Inspection list page
- There is no delete menu in the GUI for default SSL profiles
- The “Edit” menu has been changed to “View” for default SSL profiles
- The default SSL profile entries are considered an implicit class and are grayed out
SSL/SSH Inspection edit window
- The only input for default SSL profiles is now the download/view trusted certificate links
- To return to the list page from default SSL profiles, the button is now named “Return”
Profile Group edit window
- There is no check box for SSL-SSH-Profile. It is always required.
Add firewall policy comment field content to log messages (387865)
Some customers need their logs to carry specific information about the traffic that produced each log message. The solution is simple: when the log-policy-comment option is enabled, the comment field from the matching policy is included in the log. To make the logs more useful for a given kind of traffic, add a customized comment to the policy and enable this setting.
Syntax
    config system settings
        set log-policy-comment [enable | disable]
    end
- This setting applies to all traffic and security logs.
- It can be selected on a per-VDOM basis.
Learning mode changes profile type to single (387999)
The Learning mode does not function properly when it is applied to a policy that has a UTM profile group applied to it. The logging that should be taking place from the Learning Mode profiles does not occur as intended, and the
Automatically switching the profile type to single on a policy with Learning mode enabled prevents it from being affected by the UTM policy groups.
MAC address authentication in firewall policies and captive portals (391739)
When enabled, a MAC authentication request will be sent to fnbamd on any traffic. If the authentication receives a positive response, login becomes available. If the response is negative the normal authentication process takes over.
CLI
New option in the firewall policy setting:
    config firewall policy
        edit <policy ID>
            set radius-mac-auth-bypass [enable | disable]
        end
New option in the interface setting:
    config system interface
        edit <interface>
            set security-mode captive-portal
            set security-mac-auth-bypass
        end
Display resolved IP addresses for FQDN in policy list (393927)
If an FQDN address object is used in a policy, hovering the cursor over the icon for that object shows a tool tip listing the parameters of the address object. This tool tip now includes the IP address that the FQDN resolves to.
Added comment for acl-policy, interface-policy and DoS-policy (396569)
A comment field has been added to the following policy types:
- acl-policy
- interface-policy
- DoS-policy
Comments of up to 1023 characters can be added through the CLI.
Examples:
DoS policy
    config firewall DoS-policy
        edit 1
            set comment "you can put a comment here(Max 1023)."
            set interface "internal"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            config anomaly
                edit "tcp_syn_flood"
                    set threshold 2000
                next
            end
        end
    end
Interface policy
    config firewall interface-policy
        edit 1
            set comment "you can put a comment here(max 1023)."
            set interface "dmz2"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
        end
    end
Firewall ACL
    config firewall acl
        edit 1
            set status disable
            set comment "you can put a comment here(max 1023)."
            set interface "port5"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
        end
    end
Internet service settings moved to more logical place in CLI (397029)
The following settings have moved from the application context of the CLI to the firewall context:
- internet-service
- internet-service-custom
Example of internet-service
    config firewall internet-service
        edit 1245324
            set name "Fortinet-FortiGuard"
            set reputation 5
            set icon-id 140
            set offset 1602565
            config entry
                edit 1
                    set protocol 6
                    set port 443
                    set ip-range-number 27
                    set ip-number 80
                next
                edit 2
                    set protocol 6
                    set port 8890
                    set ip-range-number 27
                    set ip-number 80
                next
                edit 3
                    set protocol 17
                    set port 53
                    set ip-range-number 18
                    set ip-number 31
                next
                edit 4
                    set protocol 17
                    set port 8888
                    set ip-range-number 18
                    set ip-number 31
                next
            end
        next
    end
Example of internet-service-custom
    config firewall internet-service-custom
        edit "custom1"
            set comment "custom1"
            config entry
                edit 1
                    set protocol 6
                    config port-range
                        edit 1
                            set start-port 30
                            set end-port 33
                        next
                    end
                    set dst "google-drive" "icloud"
                next
            end
        next
    end
Example of get command:
    get firewall internet-service-summary
    Version: 00004.00002
    Timestamp: 201611291203
    Number of Entries: 1349
Certificate key size selection (397883)
FortiOS now supports different SSL certificate key lengths from the HTTPS server. FortiOS selects a key size from the two options of 1024 and 2048 to match the key size on the HTTPS server as closely as possible, rounding up. If the size of the key from the server is 512 or 1024, the proxy selects a 1024-bit key size. If the key size from the server is over 1024, the proxy selects a key size of 2048.
CLI changes:
In ssl-ssh-profile, the following options are removed:
- certname-rsa
- certname-dsa
- certname-ecdsa
In vpn certificate setting, the following options are added:
- certname-rsa1024
- certname-rsa2048
- certname-dsa1024
- certname-dsa2048
- certname-ecdsa256
- certname-ecdsa384