Router > Static > Settings GUI options available from the CLI only

As part of the new WAN Load Balancing feature, the FortiOS 5.2 Router > Static > Settings GUI page has been removed. WAN Load Balancing should be used instead of the 5.2 ECMP Load Balancing Method settings. The 5.2 Link Health Monitor definitions are now only available from the CLI.

 

Ports preassigned as sniffer ports by default (261921)

Some models of FortiGate, by default have ports preconfigured as sniffer ports. The models and ports preconfigered in sniffer mode are as follows:

• FortiGate 300D
• Port4
• Port8
• FortiGate 500D
• Port5
• Port6
• Port13
• Port14

 

Enable or disable inspecting IPv4 and IPv6 ICMP traffic (258734)

In order for the inspection of assymetric ICMP traffic to not affect TCP and UDP traffic, a pair of settings have been added that can enable/disable the inspection of ICMP traffic being routed assymetricly for both IPv4 and IPv6.

The syntax in the CLI for configuring the setting is:

• IPv4

config system settings set asymroute-icmp end

• IPv6

config system settings set asymroute6-icmp end

 

Send GARP on aggregate MAC change (273363)

FortiGates will send out GARP (Generic Attribute Registration Protocol) if the MAC address of a link aggregated interface has changed to a new IP pool address due to a link failure or change in ports. This is needed when using networking devices, such as some switches, that don’t perform this function when they receive LACP (Link Aggregation Control Protocol) information about changes in the MAC information.

 

Support split ports (252444)

The 5001D 40 GB can be split into 4 10 GB ports.This is done through a combination of hardware and software configureation. A specific 40 GB connector is used to connect to the 40 GB port and normally, the other end of the fibre optic cable would connect to another 40 GB port but a special cable can be used that is a single 40 GB connector at one end and 4 10 GB connections at the other. To use this set up the port also has to be configured to be a split port.

The configureation option can be found in the CLI:

config system global

set port-split port1 port2 end

The ports will be checked to make sure that they are not in use or referenced by other policy configurations. If in use the command will be aborted. Changing the port to be a split port will require a system reboot.

 

Add FortiClient enforcement to interfaces (253933)

The use of FortiClient can be enforced on individual interfaces. Go to Network > Interfaces and pick the interface of your choice. Under the heading Admission Control, you can enable the setting Allow FortiClient Connections.Once this setting is enabled, two more options become visiable, Discover Clients (Broadcast) and FortiClienet Enforcement. By enabling FortiClient Enforcement you enforce that in order for incoming traffic to pass through that interface it must be initiated by a device running FortiClient.

Once the use of FortiClient is enforced on the interface, FortiClient profiles should also be configured for the incoming connections. You can also set up any exemptions that are needed. Just below the FortiClient Enforcement option are fields for Exempt Sources and Exempt Destinations/Services. These can be selected from address or services object already configured on the FortiGate.

In the CLI the enforcement can be set up as follows:

config system interface edit port1

set listen-forticlient-connection [enable|disable]

set endpoint-compliance [enable|disable]

end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!