More exemptions to SSL deep inspection (267241)

Some common sense exemptions have been added to the default SSL deep inspection profile, such as Fortinet, Android, Apple, Skype, and many more.

Exempting URLs for flow-based web filtering (252010)

You can once again exempt URLs for flow-based web filtering.

Filter overrides in Application Sensors (246546)

In the Application Sensor page, a new section named Filter Overrides has been introduced. From this section, clicking Add Filter/Edit Filter will launch a dialog to pick/edit the advanced filter and save it back to the list.

New keyword byte_extract for custom IPS and Application Control signatures (179116)

The new byte_extract custom IPS signature key has been added that supports snort-like byte extraction actions. It is used for writing rules against length-encoded protocols. The keyword reads some of the bytes from the packet payload and saves it to a variable. You can use the -quiet option to suppress the reporting of signatures.

IPS logging changes (254954)

IPS operations severely affected by disk logging are moved out of the quick scanning path, including logging, SNMP trap generation, quarantine, etc.

Scanning processes are dedicated to nothing but scanning, which results in more evenly distributed CPU usage. Slow (IPS) operations are taken care of in a dedicated process, which usually stays idle.

New FortiGuard web filtering category: Dynamic DNS (265680)

A new FortiGuard web filtering category has been added forDynamic DNSunder theSecurity Riskheading, to account for nearly half a million URLs of “Information Technology” rated by BlueCoat as “Dynamic DNS Host”.

Syntax

config webfilter profile edit <profile>

config ftgd-wf config filters

edit <id>

set category 88<— New category, Dynamic DNS; number 88

end end

end