Networking (5.6.1)
New networking features added to FortiOS 5.6.1.
IPv6 Router Advertisement options for DNS enhanced with recursive DNS server option (399406)
This feature is based on RFC 6106. It adds the ability to obtain DNS search list options from upstream DHCPv6 servers and to send them to downstream clients through either Router Advertisements or the FortiGate's DHCP server.
FortiOS 5.6 supported the following:
To get the information from the upstream ISP server:
config system interface
    edit wan1
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    next
end
To use Router Advertisements to send the DNS search list:
config system interface
    edit port1
        config ipv6
            set ip6-address 2001:10::/64
            set ip6-mode static
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface WAN
                    set subnet 0:0:0:11::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
To use the DHCPv6 server to send the DNS search list:
config system dhcp6 server
    edit 1
        set interface port2
        set upstream-interface WAN
        set ip-mode delegated
        set dns-service delegated
        set dns-search-list delegated    // this is a new command
        set subnet 0:0:0:12::/64
    next
end
In FortiOS 5.6.1 this feature has been enhanced with the recursive DNS server option: the FortiGate can now send the IPv6 Recursive DNS Server (RDNSS) option to downstream clients in Router Advertisements that carry a static prefix.
The new rdnss and dnssl options are configured per prefix, using the following syntax:
config system interface
    edit port1
        config ipv6
            config ip6-prefix-list
                edit 2001:db8::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set rdnss 2001:1470:8000::66 2001:1470:8000::72
                    set dnssl fortinet.com fortinet.ca
                next
            end
        end
    next
end
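As an added example that is not part of the Fortinet documentation, the following Python builds the RFC 6106 RDNSS and DNSSL options that the rdnss and dnssl settings above cause the FortiGate to advertise, and decodes a run of Router Advertisement options so a captured RA can be checked against the configuration (an unknown option type is skipped, and a zero-length option is rejected as RFC 4861 requires). The 1800-second lifetime is an assumed value for the example, not a FortiGate default.

```python
import ipaddress
import struct

RDNSS_TYPE = 25  # RFC 6106 Recursive DNS Server option
DNSSL_TYPE = 31  # RFC 6106 DNS Search List option

def encode_rdnss(servers, lifetime=1800):  # lifetime is an assumed value, not a FortiGate default
    """RDNSS option: type, length (8-octet units), reserved, lifetime, 16-octet addresses."""
    body = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    length = 1 + 2 * len(servers)  # 8-octet header plus two units per address
    return struct.pack("!BBHI", RDNSS_TYPE, length, 0, lifetime) + body

def encode_dnssl(domains, lifetime=1800):
    """DNSSL option: search names in DNS wire format, zero-padded to an 8-octet boundary."""
    names = b""
    for name in domains:
        for label in name.rstrip(".").split("."):
            names += bytes([len(label)]) + label.encode("ascii")
        names += b"\x00"  # root label terminates each name
    padded = names + b"\x00" * (-len(names) % 8)
    return struct.pack("!BBHI", DNSSL_TYPE, (8 + len(padded)) // 8, 0, lifetime) + padded

def decode_options(data):
    """Walk the option run that follows the RA header; collect RDNSS addresses and DNSSL names."""
    found = {"rdnss": [], "dnssl": []}
    off = 0
    while off + 2 <= len(data):
        opt_type, length = data[off], data[off + 1]
        if length == 0:
            raise ValueError("option length 0 at offset %d" % off)  # RFC 4861: discard the packet
        end = off + length * 8
        if end > len(data):
            raise ValueError("option at offset %d runs past the end of the packet" % off)
        payload = data[off + 8:end]  # skip type, length, reserved and lifetime
        if opt_type == RDNSS_TYPE:  # iter_unpack rejects a payload that is not whole addresses
            found["rdnss"] += [str(ipaddress.IPv6Address(a)) for (a,) in struct.iter_unpack("!16s", payload)]
        elif opt_type == DNSSL_TYPE:
            pos = 0
            while pos < len(payload) and payload[pos] != 0:  # a leading 0 is trailing padding
                labels = []
                while pos < len(payload) and payload[pos] != 0:
                    n = payload[pos]
                    labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
                    pos += 1 + n
                if pos >= len(payload):
                    raise ValueError("DNSSL name is not terminated")
                pos += 1  # step over the root label
                found["dnssl"].append(".".join(labels))
        off = end  # unknown option types are skipped by their length
    return found
```

Feeding the option bytes of a captured RA (everything after the 16-byte ICMPv6 RA header) to decode_options shows whether the advertised servers and search list match the rdnss and dnssl values configured on the prefix.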
Temporarily mask interface failure (435426)
In some situations during normal operation, attached network equipment may cause a FortiGate interface to appear to have disconnected from the network, and in some cases you may not want the FortiGate interface to detect and respond to the apparent interruption. For example, when Lawful Intercept (LI) devices are inserted into or removed from the network path using a switch mechanism, the signal is entirely interrupted, and that interruption is seen by the FortiGate as an interface failure.
When the network path is interrupted, the FortiGate normally declares that the interface is down. All services using the interface are notified and act accordingly.
This new feature allows the FortiGate interface to temporarily delay detecting that the interface is down. If the connection is restored during the delay period, the FortiGate ignores the interface down condition and services using the interface resume without apparent interruption.
Use the following command to enable and configure the down time for a FortiGate interface:
config system interface
    edit port1
        set disconnect-threshold <delay>
    next
end
<delay> is the time to wait before sending a notification that this interface is down or disconnected (0 – 1000 ms, default = 0).
Policy Routes now appear on the routing monitor (411841)
You can go to Monitor > Routing Monitor and select Policy to view the active policy routes on your FortiGate.
Control how the system behaves during a routing change (408971)
FortiOS allows you to dynamically make routing changes while the FortiGate unit is processing traffic. Routing changes that affect the routing used for current sessions may affect how the FortiGate continues to process the session after the routing change has been made.
Using the following command you can control whether FortiOS preserves the routing for the sessions that are using a changed route, or applies the changed routing table to active sessions, possibly causing their destinations to change.
config system interface
    edit port2
        set preserve-session-route {enable | disable}
    next
end
If enabled (the default), all sessions passing through port2 are allowed to finish without being affected by the routing changes. If disabled, when a route changes the new routing table is applied to the active sessions through port2, which may cause their destinations to change.