Security Profiles (5.6)

New security profile features added to FortiOS 5.6.

New FortiGuard Web Filter categories (407574)

New categories added to FortiGuard Web Filter sub-categories:

  • Under Security Risk:
    • Newly Observed Domain (5.90)
    • Newly Registered Domain (5.91)
  • Under General Interest – Business:
    • Charitable Organizations (7.92)
    • Remote Access (7.93)
    • Web Analytics (7.94)
    • Online Meeting (7.95)

Newly observed domain (NOD) applies to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes.

Newly registered domain (NRD) applies to URLs whose domain name was registered in the previous 10 days.

Overall improvement to SSL inspection performance (405224)

Enabling or disabling proxy cipher / kxp hardware acceleration on CP8/CP9 previously required a restart of the WAD daemon for the change to take effect; this bug has been repaired.

New CLI commands

The FortiGate uses the ssl-queue-threshold setting to determine the maximum size of the CP SSL queue. In other words, if the SSL encryption/decryption task queue grows larger than the threshold, the FortiGate switches to using the CPU rather than the CP; if it is smaller, the CP is used.

config firewall ssl setting
    set ssl-queue-threshold <integer>
end

The integer represents the maximum length of the CP SSL queue. Once the queue is full, the proxy switches cipher functions to the main CPU. The range is 0 – 512 and the default is 32.

FortiClient Endpoint license updates (401721)

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Model(s)                                   Maximum Client Limit
VM00                                       200
FGT/FWF 30 to 90 series                    200
FGT 100 to 400 series                      600
FGT 500 to 900 series, VM01, VM02          2,000
FGT 1000 to 2900 series, VM04              50,000
FGT 3700D and above, VM08 and above        100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Security Profiles (5.6.1)

New security profile features added to FortiOS 5.6.1.

FortiGuard WAN IP blacklist service is now online (404859)

The FortiGuard WAN IP blacklist service was not online in FortiOS 5.6.0. In FortiOS 5.6.1, a notification appears on the Dashboard when the WAN IP is blacklisted. Clicking the notification brings up the blacklist details.

Application Control GUI improvements (279956)

An All Categories button on the Security Profiles > Application Control page makes it easier to apply an action (Monitor, Allow, Block, Quarantine) to all categories at once.

Note that the All Categories selector goes blank when the action applied to any individual category is manually changed to something different from what was selected for all the categories. The Unknown Application action matches the All Categories action unless that action is Quarantine, which is unsupported for unknown applications.

Industrial Application Control signatures (0434592)

The application control category Industrial is now controlled by a FortiGuard license and the default disable mask is no longer needed. The special category is also no longer used.

GUI updates to reflect package and license changes for IPS, Application Control and Industrial signatures (397010)

The following changes have been made to the GUI to reflect changes in the signature databases:

  • Application Control signature database information is displayed on the System > FortiGuard page in the FortiCare section.
  • The IPS package version and license status are shown in a separate section in System > FortiGuard. A link to manually upload the IPS database signatures has been added.
  • The Industrial package version and license status are shown in a separate section in System > FortiGuard. A link to manually upload the Industrial database signatures is available. Access to the Industrial database is provided with the purchase of the FortiGuard Industrial Security Service. The row item for this license will not appear if you are not subscribed.
  • The Botnet category is no longer available when searching the Application Signatures list.

Improved FortiClient monitor display (378288)

The GUI for the Monitor > FortiClient Monitor page has been revised.

  • New dropdown option: Online Only or Include Offline. The default is Online Only.
  • New dropdown option:
    • Sending FortiTelemetry Only (default)
    • Include All FortiTelemetry States
    • Not Sending FortiTelemetry Only
  • Update: the compliance status for an offline device is N/A.
  • Update: the offline status indicator is now grey.
  • New compliance status text after the icon in the Compliance column.
  • The Compliance column has been moved after the Status column.
  • Unregistered endpoint devices have been combined with not registered devices.

FortiSandbox integration with AntiVirus in quick mode (436380)

FortiSandbox options in an AntiVirus Security Profile in quick scanning mode can now be enabled with CLI commands.

CLI syntax

config antivirus profile
    edit default
        set ftgd-analytics disable/everything
        set analytics-max-upload 10
        set analytics-wl-filetype 0
        set analytics-bl-filetype 0
        set analytics-db enable/disable
        set scan-mode quick
    next
end

Pre-configured parental controls for web filtering (399715)

Pre-configured filters based on the Motion Picture Association of America (MPAA) ratings can now be added to the Web Filter Security Profile. This feature is already available on FortiCloud and uses the same ratings categories.

Anti-Spam GUI updates (300423)

Changes made to the Anti-Spam profile update the GUI to reflect FortiOS 5.6 style.

Sandbox Integration (5.6.1)

New sandbox integration features added to FortiOS 5.6.1.

New file extension lists for determining which file types to send to FortiSandbox (379326)

This feature introduces two new file extension lists:

  • File extensions to submit to FortiSandbox even though the AV engine says they are unsupported.
  • File extensions to exclude from submitting to FortiSandbox even though the AV engine says they are supported.

These lists are configured on the FortiSandbox, not the FortiGate, and are dynamically loaded on the FortiGate via quarantine.

Syntax

diag sys scanunit reload-fsa-ext

Networking (5.6)

New networking features added to FortiOS 5.6.

New command to get transceiver signal strength (205138)

On most FortiGate models with SFP/SFP+ interfaces you can use the following command to display information about the status of the transceivers installed in the SFP/SFP+ interfaces of the FortiGate.

The command output lists all SFP/SFP+ interfaces and, for each interface that contains a transceiver, displays information about it. The output also includes details about transceiver operation that can be used to diagnose transmission problems.

get system interface transceiver
…
Interface port14 - Transceiver is not detected.

Interface port15 - SFP/SFP+
  Vendor Name : FIBERXON INC.
  Part No.    : FTM-8012C-SLG
  Serial No.  : 101680071708917

Interface port16 - SFP/SFP+
  Vendor Name : FINISAR CORP.
  Part No.    : FCLF-8521-3
  Serial No.  : PS62ENQ

                                       Optical   Optical   Optical
SFP/SFP+     Temperature  Voltage      Tx Bias   Tx Power  Rx Power
Interface    (Celsius)    (Volts)      (mA)      (dBm)     (dBm)
------------ ------------ ------------ --------- --------- ---------
port15       N/A          N/A          N/A       N/A       N/A
port16       N/A          N/A          N/A       N/A       N/A

++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.

New BGP local-AS support (307530)

Use the following command to configure BGP local-AS support:

config router bgp
    config neighbor
        edit "neighbor"
            …
            set local-as 300
            set local-as-no-prepend disable|enable
            set local-as-replace-as disable|enable
        next
    end
end

Enable local-as-no-prepend if you do not want to prepend local-as to incoming updates.

Enable local-as-replace-as to replace a real AS with local AS in outgoing updates.

Interface setting removed from SNMP community (310665)

The SNMP GUI has been cleaned up by removing the Interface setting.

RPF checks can be removed from the state evaluation process (311005)

You can remove stateful firewall RPF (reverse path forwarding) state checks without fully enabling asymmetric routing. State checks can be disabled on specific interfaces. The following command shows how to disable state checks for traffic received by the wan1 interface.

config system interface
    edit wan1
        set src-check disable
    next
end

BGP graceful-restart-end-on-timer, stale-route, and linkdown-failover options (374140)

If graceful-end-on-timer is enabled, the BGP graceful restart process will be stopped upon expiration of the restart timer only.

If linkdown-failover is enabled for a BGP neighbor, the neighbor will be down when the outgoing interface is down.

If stale-route is enabled for a BGP neighbor, the route learned from the neighbor will be kept for the graceful-stalepath-time after the neighbor is down due to hold timer expiration or TCP connection failure.

config router bgp
    set graceful-end-on-timer disable|enable
    config neighbor
        edit 192.168.1.1
            set linkdown-failover disable|enable
            set stale-route disable|enable
        next
    end
end

graceful-end-on-timer stops BGP graceful restart process on timer only.

linkdown-failover and stale-route are options to bring down BGP neighbors upon link down and to keep routes for a period after the neighbor is down.

FQDNs can be destination addresses in static routes (376200)

FQDN firewall addresses can now be used as destination addresses in a static route.

From the GUI, to use an FQDN firewall address (or any other supported type of firewall address) as the destination of a static route, you must first enable the Static Route Configuration option in the firewall address configuration. Then, when configuring the static route, set Destination to Named Address.

From the CLI, first configure the firewall FQDN address:

config firewall address
    edit "Fortinet-Documentation-Website"
        set type fqdn
        set fqdn docs.fortinet.com
        set allow-routing enable
    next
end

Then add the FQDN address to a static route.

config router static
    edit 0
        set dstaddr Fortinet-Documentation-Website
        …
    next
end

Priority for Blackhole routes (378232)

You can now add a priority to a blackhole route to change its position relative to kernel routes in the routing table. Use the following command to add a blackhole route with a priority:

config router static
    edit 23
        set blackhole enable
        set priority 200
    next
end

New DDNS refresh interval (383994)

A new DDNS option has been added to configure the FortiGate to refresh DDNS IP addresses by periodically checking the configured DDNS server.

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set use-public-ip enable
        set update-interval <seconds>
    next
end

The default update-interval is 300 seconds and the range is 60 to 2592000 seconds.

Support IPv6 blackhole routes on GUI (388599)

IPv6 blackhole routes are now supported in the GUI. Go to Network > Static Routes and select Create New > IPv6 Route.

Choose Blackhole for the Device field.

SSL-VPN can use a WAN link load balancing interface (396236)

The virtual-wan-link interface can now be set as the destination interface in an SSL-VPN policy.

Also, the SSL-VPN interface can now be set as a source interface for WAN LLB.

DDNS support for noip.com (399126)

noip.com, a Dynamic DNS provider, has been added as a supported option for ddns-server.

CLI

config system ddns
    edit <ddns_ip>
        set ddns-server [dyndns.org|dyns.net|ods.org|tzo.com|vavic.com|dipdns.net|now.net.cn|dhs.org|easydns.com|genericDDNS|FortiGuardDDNS|noip.com]
    next
end

IPv6 Router Advertisement options for DNS (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

Configuration example:

To get the information from the upstream ISP server:

config system interface
    edit wan1
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    next
end

To use Router Advertisement to send the DNS search list:

config system interface
    edit port1
        config ipv6
            set ip6-address 2001:10::/64
            set ip6-mode static
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface WAN
                    set subnet 0:0:0:11::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

To use the DHCPv6 server to send the DNS search list:

config system dhcp6 server
    edit 1
        set interface port2
        set upstream-interface WAN
        set ip-mode delegated
        set dns-service delegated
        set dns-search-list delegated   // this is a new command
        set subnet 0:0:0:12::/64
    next
end

WAN LLB to SD-WAN on GUI (403102)

To be more consistent with current terminology, the term WAN LLB has been changed in the GUI to the more recognizable SD-WAN.

New RFCs

The following RFCs are now supported by FortiOS 5.6.1 or the support for these RFCs has been enhanced in FortiOS 5.6.1:

  • RFC 6954 Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2) (412795)
  • RFC 6106 IPv6 Router Advertisement Options for DNS Configuration (399406)
  • RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP (408875)

The following RFCs are now supported by FortiOS 5.6 or the support for these RFCs has been enhanced in FortiOS 5.6:

  • RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) (389001)
  • RFC 7348 Virtual eXtensible Local Area Network (VXLAN) or VTEP (289354)
  • RFC 5996 (section 15) IKEv2 asymmetric authentication (393073)
  • RFC 6106 IPv6 Router Advertisement Options for DNS (399406)
  • RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation (371241)
  • RFC 3971 IPv6 Secure Neighbor Discovery (SEND) (355946)
  • RFC 6023 Childless IKEv2 Initiation (381650)

Networking (5.6.1)

New networking features added to FortiOS 5.6.1.

IPv6 Router Advertisement options for DNS enhanced with recursive DNS server option (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

FortiOS 5.6 supported obtaining the DNS search list from the upstream DHCPv6 server and sending it out through Router Advertisement or the FortiGate's DHCPv6 server, using the configuration shown in the Networking (5.6) section above.

In FortiOS 5.6.1 this feature has been enhanced to include the recursive DNS server option that sends the IPv6 recursive DNS server option to downstream clients with static prefix RA.

The new options include rdnss and dnssl in the following syntax:

config system interface
    edit port1
        config ipv6
            config ip6-prefix-list
                edit 2001:db8::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set rdnss 2001:1470:8000::66 2001:1470:8000::72
                    set dnssl fortinet.com fortinet.ca
                next
            end
        end
    next
end

Temporarily mask interface failure (435426)

In some situations during normal operation, attached network equipment may cause a FortiGate interface to appear to have disconnected from the network, and in some cases you may not want the FortiGate interface to detect and respond to the apparent interruption. For example, when Lawful Intercept (LI) devices are inserted into or removed from the network path using a switch mechanism, the signal is entirely interrupted. That interruption is seen by the FortiGate as an interface failure.

When the network path is interrupted, the FortiGate normally declares that the interface is down. All services using the interface are notified and act accordingly.

This new feature allows the FortiGate interface to temporarily delay detecting that the interface is down. If the connection is restored during the delay period, the FortiGate ignores the interface down condition and services using the interface resume without apparent interruption.

Use the following command to enable and configure the down time for a FortiGate interface:

config system interface
    edit port1
        set disconnect-threshold <delay>
    next
end

<delay> is the time to wait before sending a notification that this interface is down or disconnected (0 – 1000 ms, default = 0).

Policy Routes now appear on the routing monitor (411841)

You can go to Monitor > Routing Monitor and select Policy to view the active policy routes on your FortiGate.

Control how the system behaves during a routing change (408971)

FortiOS allows you to dynamically make routing changes while the FortiGate unit is processing traffic. Routing changes that affect the routing used for current sessions may affect how the FortiGate continues to process the session after the routing change has been made.

Using the following command you can control whether FortiOS keeps (preserves) the routing for the sessions that are using the route, or applies the changed routing table to active sessions, possibly causing their destinations to change.

config system interface
    edit port2
        set preserve-session-route {enable | disable}
    next
end

If enabled (the default), all sessions passing through port2 are allowed to finish without being affected by the routing changes. If disabled, when a route changes the new routing table is applied to the active sessions through port2 which may cause their destinations to change.

Modem (5.6.1)

New modem features added to FortiOS 5.6.1.

New modem features (422266)

New FortiOS 5.6.1 modem features include:

  • The ability to edit wireless profiles stored on EM7x modems from FortiOS.
  • GPS support.
  • MIB for internal LTE modems.
  • Syslog messages for internal LTE modems.
  • More status information displayed by the diagnose sys lte-modem command.
  • New modem-related MIB entities.

config system lte-modem command changes

The mode, interface, and holddown-timer options of the config system lte-modem command have been removed. These options are no longer needed. Instead, use SD-WAN for redundant interfaces. The config system lte-modem command includes the following options:

status  Enable/disable USB LTE/WIMAX device.

extra-init  Extra initialization string for the USB LTE/WIMAX device.

manual-handover  Enable/disable manual handover from 3G to LTE network. If enabled, the FortiGate switches the modem firmware to LTE mode if the modem itself fails to do so after 5 loops.

force-wireless-profile  Force the modem to use the configured wireless profile index (1 – 16); 0 means do not force. If your FortiGate includes an LTE modem or if an LTE modem is connected to it, you can use the execute lte-modem command to list the LTE modem profiles. Use this option to select one of those wireless profiles.

Wireless profiles contain detailed LTE modem data session settings. Each modem can store a maximum of 16 wireless profiles, and any data connection is initiated using settings from one of the stored wireless profiles. To make a data connection, at least one profile must be defined. Here is a sample wireless profile table stored in one of the internal modems:

FG30EN3U15000025 # execute lte-modem wireless-profile list
ID    Type  Name        APN           PDP_Type  Authen  Username
*1    0     profile1    vzwims        3         0
2     0     profile2    vzwadmin      3         0
3     0     profile3    VZWINTERNET   3         0
4     0     profile4    vzwapp        3         0
5     0     profile5    vzw800        3         0
9     0     profile9    vzwims        2         0
10    0     profile10   vzwadmin      0         0
11    0     profile11   VZWINTERNET   0         0
12    0     profile12   vzwapp        3         0
13    0     profile13                 0

Profile Type:
  0 ==> QMI_WDS_PROFILE_TYPE_3GPP
  1 ==> QMI_WDS_PROFILE_TYPE_3GPP2
  * ==> Default 3GPP Profile, # ==> Default 3GPP2 Profile

Profile PDP Type:
  0 ==> QMI_WDS_PDP_TYPE_IPV4
  1 ==> QMI_WDS_PDP_TYPE_PPP
  2 ==> QMI_WDS_PDP_TYPE_IPV6
  3 ==> QMI_WDS_PDP_TYPE_IPV4_OR_IPV6

Authentication:
  0 ==> QMI_WDS_AUTHENTICATION_NONE
  1 ==> QMI_WDS_AUTHENTICATION_PAP
  2 ==> QMI_WDS_AUTHENTICATION_CHAP
  3 ==> QMI_WDS_AUTHENTICATION_PAP|QMI_WDS_AUTHENTICATION_CHAP

authtype  Authentication type for PDP-IP packet data calls.

apn  Log in APN string for PDP-IP packet data calls.

modem-port  Modem port index (0 – 20).

network-type  Set wireless network.

auto-connect  Enable/disable modem auto connect.

gpsd-enabled  Enable/disable GPS daemon.

data-usage-tracking  Enable/disable data usage tracking.

gps-port  Modem port index (0 – 20) to use for the GPS port. By default it is set to 255, which means use the system default.

execute lte-modem command changes

The following options are available for the execute lte-modem command:

cold-reboot  Cold reboot the LTE modem, which means power off the internal modem and power it on again after 1 second.

get-modem-firmware  Get the modem firmware.

get-pri-firmware  Get the PRI firmware.

power-off  Power off the LTE modem.

power-on  Power on the LTE modem.

purge-billing-data  Purge all existing LTE modem billing data.

reboot  Warm reboot the LTE modem.

set-operation-mode  Set the LTE modem operation mode to online or offline.

wireless-profile  Manage the wireless profiles stored in the modem (see below).

cold-reboot, power-off, power-on, set-operation-mode, and wireless-profile are new in FortiOS 5.6.1.

New execute lte-modem wireless-profile command

The following options are available for the execute lte-modem wireless-profile command:

create Create a wireless profile. You use the create command to create an LTE modem profile by providing a name and supplying settings for the profile. The command syntax is:

execute lte-modem wireless-profile create <name> <type> <pdp-type> <apn-name> <auth-type> [<user> <password>]

<name> Wireless profile name of 1 to 16 characters.

<type> Wireless profile type.

  • 0 for 3GPP profiles
  • 1 for 3GPP2 profiles

<pdp-type> Wireless profile PDP type.

  • 0 for IPv4
  • 1 for PPP
  • 2 for IPv6
  • 3 for IPv4v6

<apn-name> Wireless profile APN name, 0 to 32 characters.

<auth-type> Wireless profile authentication type.

  • 0 for no authentication
  • 1 for PAP
  • 2 for CHAP
  • 3 for PAP and CHAP

[<user> <password>] Wireless profile user name and password (1 to 32 characters each). Not required if <auth-type> is 0.

For example, use the following command to create an LTE modem 3GPP IPv4 profile named myprofile6. This profile uses the APN profile named p6apn that uses PAP and CHAP authentication.

execute lte-modem wireless-profile create myprofile 0 0 myapn 3 myname mypasswd

delete <profile-number>  Delete a wireless profile from the modem. Specify the profile ID of the profile to delete.

list List all the wireless profiles stored in the Modem. If the modem is busy the list may not display. If this happens just repeat the command. It may take a few attempts.

modify  Modify a wireless profile using the same settings as the create command, except that the first option is the profile ID. You can find the profile ID for each profile by listing the profiles with the execute lte-modem wireless-profile list command. For example, to modify the profile created above to change it to an IPv4v6 profile, change the APN to yourapn, and set the authentication type to PAP, enter the following command (assuming the profile ID is 6):

execute lte-modem wireless-profile modify 6 myprofile 0 3 yourapn 1 myname mypasswd

test Test wireless profiles.

Static mode for wwan interface removed (440865)

When configuring the wireless modem wwan interface from the CLI the mode can only be set to DHCP. Static addressing for the wwan interface is not supported so the static option has been removed.

Logging and Reporting (5.6)

New logging and reporting features added to FortiOS 5.6.

Client and server certificates included in Application control log messages (406203)

When SSL/TLS traffic triggers an application control signature, the application control log messages now include information about the certificates used by the session: the client certificate issuer, the name in the server certificate, and the server certificate issuer.

DNS Logging (401757)

FortiOS logging now includes the Detailed DNS log message type. DNS events were previously recorded as event logs. In FortiOS 5.6 DNS log messages are a new category that also includes more DNS log messages to provide additional detail about DNS activity through the FortiGate. You can enable DNS logging from the CLI using the following command (shown in this example for memory logging):

config log memory filter
    set dns enable
end

DNS log messages include details of each DNS query and response. DNS log messages are recorded for all DNS traffic passing through the FortiGate and for DNS traffic originated by the FortiGate itself.

The detailed DNS logs can be used for low-impact security investigation. Most network activity involves DNS activity of some kind, so analyzing DNS logs can reveal a lot about the activity on your network without the resource-intensive flow-based or proxy-based techniques.
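As an added example (not Fortinet's code), the following Python triages FortiOS-style DNS query log lines for the kind of low-impact investigation described above: it parses the key=value log format and flags one client resolving many distinct names under a single parent domain, and query names carrying unusually long labels. The field names (type, subtype, srcip, qname, qtype, srcintfrole) are assumed from the FortiOS log format, and every log line is constructed sample data, not output captured from a device.

```python
"""Triage constructed FortiOS-style DNS query logs (added example, not Fortinet code)."""
import re
from collections import defaultdict

# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line: str) -> dict:
    """Split one FortiOS-style log line into a dict of field -> string value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def _query(ts: str, srcip: str, xid: int, qname: str, qtype: str = "A") -> str:
    """Build a constructed dns-query log line in the assumed FortiOS layout."""
    return (f'date=2017-06-01 time={ts} logid="1501054600" type="dns" '
            f'subtype="dns-query" level="information" vd="root" srcip={srcip} '
            f'srcport=51000 srcintf="port10" srcintfrole="lan" dstip=8.8.8.8 '
            f'dstport=53 dstintf="wan1" dstintfrole="wan" xid={xid} '
            f'qname="{qname}" qtype="{qtype}"')


LONG_LABEL = "c0ffee" * 8  # 48-character label, the shape of data encoded into a query

# Constructed sample: 10.1.100.23 behaves normally; 10.1.100.22 walks a parent domain.
SAMPLE_LOG_LINES = [
    _query("10:00:01", "10.1.100.23", 1, "docs.fortinet.com"),
    _query("10:00:02", "10.1.100.23", 2, "forum.fortinet.com"),
    _query("10:00:03", "10.1.100.22", 3, "s1.exfil-test.example", "TXT"),
    _query("10:00:03", "10.1.100.22", 4, "s2.exfil-test.example", "TXT"),
    _query("10:00:04", "10.1.100.22", 5, "s3.exfil-test.example", "TXT"),
    _query("10:00:04", "10.1.100.22", 6, "s4.exfil-test.example", "TXT"),
    _query("10:00:05", "10.1.100.22", 7, f"{LONG_LABEL}.exfil-test.example", "TXT"),
    # A dns-response line; the query-only logic below must skip it.
    'date=2017-06-01 time=10:00:05 type="dns" subtype="dns-response" '
    'srcip=10.1.100.22 xid=7 qname="s4.exfil-test.example" ipaddr="192.0.2.10"',
]


def dns_findings(lines, min_subdomains: int = 4, max_label: int = 40) -> list:
    """Return findings as tuples:
       ("long-label", srcip, qname)               a label longer than max_label
       ("many-subdomains", srcip, parent, count)  one client resolving many distinct
                                                  names under one parent domain
    The parent domain is approximated as the last two labels (no public-suffix list).
    """
    names_per_parent = defaultdict(set)
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("type") != "dns" or rec.get("subtype") != "dns-query":
            continue
        qname = rec.get("qname", "").rstrip(".").lower()
        labels = qname.split(".")
        parent = ".".join(labels[-2:])
        names_per_parent[(rec["srcip"], parent)].add(qname)
        if any(len(label) > max_label for label in labels):
            findings.append(("long-label", rec["srcip"], qname))
    for (srcip, parent), names in names_per_parent.items():
        if len(names) >= min_subdomains:
            findings.append(("many-subdomains", srcip, parent, len(names)))
    return findings


if __name__ == "__main__":
    for finding in dns_findings(SAMPLE_LOG_LINES):
        print(finding)
```

On real FortiGate logs, feed the dns-query lines from a log export into dns_findings and tune min_subdomains and max_label to your environment.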

Added Policy Comment logging option (387865)

As an alternative to custom log fields, you can now log a policy's comment field in all traffic log messages generated by that policy, which makes it easier to sort and isolate logs in larger deployments with multiple VDOMs. The feature is disabled by default.

config log setting
    set log-policy-comment [enable/disable]
end

FortiAnalyzer encryption option name change (399191)

For clarity, and because the default options for config log fortianalyzer setting have now changed, the enc-algorithm value previously called default has been renamed to high-medium in the following CLI commands:

config log fortianalyzer setting
    set enc-algorithm [high/high-medium/low]
end

config log fortianalyzer override-setting
    set enc-algorithm [high/high-medium/low]
end

config log fortiguard setting
    set enc-algorithm [high/high-medium/low]
end

config log fortiguard override-setting
    set enc-algorithm [high/high-medium/low]
end
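The following Python (an added example, not Fortinet code) parses a FortiOS configuration dump and reports the settings from this page that weaken filtering or visibility: interfaces with src-check (RPF) disabled or preserve-session-route disabled (the Networking sections), a non-zero disconnect-threshold, enc-algorithm low on FortiAnalyzer/FortiGuard log transport, and DNS logging or policy-comment logging left off. The parser follows the config / edit / set / next / end layout used throughout this page; the sample configuration is constructed, not taken from a device.

```python
"""Audit a FortiOS 5.6 config dump for the settings covered on this page (added example)."""
import shlex

# Constructed sample of a FortiOS config dump; not a real device's configuration.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set src-check disable
        config ipv6
            set ip6-mode static
        end
    next
    edit "port2"
        set preserve-session-route disable
        set disconnect-threshold 500
    next
end
config log fortianalyzer setting
    set status enable
    set enc-algorithm low
end
config log memory filter
    set dns enable
end
config log setting
    set log-policy-comment disable
end
"""

LOG_TABLES = (
    "config log fortianalyzer setting", "config log fortianalyzer override-setting",
    "config log fortiguard setting", "config log fortiguard override-setting",
)


def parse_fortios_config(text: str) -> dict:
    """Return a nested dict: 'config <table>' -> entry name -> setting -> value list.

    Settings made directly inside a table (no 'edit') live under the table key, and a
    sub-table opened inside an entry lives under that entry as 'config <name>'.
    """
    root: dict = {}
    stack = [("root", root)]          # (frame kind, node) pairs
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)      # honours the double quotes around entry names
        keyword, args = words[0], words[1:]
        if keyword == "config":
            stack.append(("config", stack[-1][1].setdefault("config " + " ".join(args), {})))
        elif keyword == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif keyword == "set":
            stack[-1][1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1][1].pop(args[0], None)
        elif keyword == "next":
            stack.pop()
        elif keyword == "end":
            # 'end' closes the table even when typed inside an entry without 'next'.
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root


def audit(cfg: dict) -> list:
    """Return (scope, setting, note) tuples for settings worth a second look."""
    findings = []
    for name, iface in cfg.get("config system interface", {}).items():
        if iface.get("src-check") == ["disable"]:
            findings.append((name, "src-check", "RPF check disabled; spoofed-source packets are not dropped here"))
        if iface.get("preserve-session-route") == ["disable"]:
            findings.append((name, "preserve-session-route", "active sessions are re-routed on routing changes"))
        delay = iface.get("disconnect-threshold", ["0"])[0]
        if delay.isdigit() and int(delay) > 0:
            findings.append((name, "disconnect-threshold", f"link-down detection delayed by {delay} ms"))
    for table in LOG_TABLES:
        if cfg.get(table, {}).get("enc-algorithm") == ["low"]:
            findings.append((table, "enc-algorithm", "low cipher strength for log transport"))
    if cfg.get("config log memory filter", {}).get("dns") != ["enable"]:
        findings.append(("config log memory filter", "dns", "DNS logging not enabled"))
    if cfg.get("config log setting", {}).get("log-policy-comment") != ["enable"]:
        findings.append(("config log setting", "log-policy-comment", "policy comments not written to traffic logs"))
    return findings


if __name__ == "__main__":
    for scope, setting, note in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"{scope}: {setting}: {note}")
```

Run it against the output of show full-configuration saved to a file; settings at their defaults are absent from a plain show, so the DNS and policy-comment checks treat a missing line as disabled.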

Maximum values changes

Maximum values changes in FortiOS 5.6.1:

  • The maximum number of SSIDs (CLI command config wireless-controller vap) for FortiGate models 600C, 600D, 800C, 800D, and 900D increased from 356 to 512 (414202).
  • The maximum number of DLP sensors (CLI command config dlp sensor / config filter) for models 1000C, 1000D, 1200D, 1500D, 1500DT, 3240C, and 3600C decreased from 10,000 to 3,000 (371270).
  • The maximum number of DLP sensors (CLI command config dlp sensor / config filter) for models 3000D, 3100D, 3200D, 3700D, 3700DX, 3800D, 3810D, 3815D, 5001C, and 5001D decreased from 50,000 to 4,000 (371270).

Maximum values changes in FortiOS 5.6:

  • The maximum number of wireless controller QoS Profiles is per VDOM (388070).

Logging and Reporting (5.6.1)

New logging and reporting features added to FortiOS 5.6.1.

Usability Updates to Reports Page (383684)

The Reports page has been updated in 5.6.1 to include both FortiCloud and Local Reports in a single location. Configuration of report schedules is also available on this page. The page displays whichever format is enabled, or allows switching between both if both Local and FortiCloud reports are in use.

Interface Categories (srcintfrole, etc) added to log data (434188)

In 5.6, logs and FortiView both sort log traffic into two interface categories: “Traffic from LAN/DMZ”, and “Traffic from WAN.” For greater compatibility and troubleshooting of FortiAnalyzer and FortiCloud setups, interface category fields that expose this information have been added to general log data in 5.6.1: srcintfrole and dstintfrole for better backend control and monitoring.

Individual FAZ log settings for SLBC Cluster Blades (382942/424076)

Individual SLBC cluster blades can now be configured with their own FortiAnalyzer log settings, rather than auto-syncing with all other blades in the cluster. This allows multi-FAZ setups and collector-analyzer architectures to deal with high logging volume. Entries in the config system objectnsync command determine which settings are not synced from the blade. Settings are available to specify VDOMs that will or will not sync.