VoIP/SIP (5.6)

This chapter describes new VoIP and SIP features added to FortiOS 5.6.

SIP strict-register enabled by default in VoIP Profiles (380830)

If strict-register is disabled, when a FortiGate receives a REGISTER, the source address (usually the IP address of the PBX) and port (usually 5060) are translated by NAT to the external address of the FortiGate and port 65476. Pinholes are then opened for SIP and RTP. This tells the SIP provider to send incoming SIP traffic to the external address of the FortiGate on port 65476.

This creates a security hole, since the port is open regardless of the source IP address: an attacker who scans all the ports by sending REGISTER messages to the external IP of the FortiGate will eventually have one REGISTER go through.

When strict-register is enabled (the new default), the pinhole is narrower because it only accepts packets from the SIP server.

Enabling strict-register can cause problems when the SIP registrar and SIP proxy server are separate entities with separate IP addresses.
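To make the difference concrete, here is an added example (not Fortinet's code) that models the pinhole as a source-address check and shows the separate-registrar/proxy caveat; the addresses, the external port and the deployment layout are constructed assumptions:

```python
# Added example (not Fortinet code): a small model of the SIP pinhole opened on
# the FortiGate's external interface after REGISTER, compared with
# strict-register disabled and enabled. All addresses and ports are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pinhole:
    """One pinhole: an external port, plus the only source allowed through it.
    allowed_src is None when strict-register is disabled (open to any source)."""
    ext_ip: str
    ext_port: int
    allowed_src: Optional[str]

    def accepts(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if (dst_ip, dst_port) != (self.ext_ip, self.ext_port):
            return False                      # not aimed at this pinhole
        if self.allowed_src is None:
            return True                       # strict-register disable: any source
        return src_ip == self.allowed_src     # strict-register enable: SIP server only


def open_pinhole(sip_server_ip: str, strict_register: bool,
                 ext_ip: str = "203.0.113.10", ext_port: int = 65476) -> Pinhole:
    """What the FortiGate opens after NAT-ing the PBX's REGISTER out to sip_server_ip."""
    return Pinhole(ext_ip, ext_port, sip_server_ip if strict_register else None)


def evaluate(strict_register: bool, registrar_ip: str, proxy_ip: str,
             other_ip: str) -> dict:
    """Which sources get packets through the pinhole under the given setting."""
    hole = open_pinhole(registrar_ip, strict_register)

    def reaches(src_ip: str) -> bool:
        return hole.accepts(src_ip, hole.ext_ip, hole.ext_port)

    return {
        "registrar": reaches(registrar_ip),
        "proxy": reaches(proxy_ip),   # separate proxy IP: the caveat above
        "other": reaches(other_ip),   # any unrelated Internet host
    }


if __name__ == "__main__":
    # Constructed deployment: registrar and proxy on different addresses.
    for strict in (False, True):
        print("strict-register", "enable" if strict else "disable",
              evaluate(strict, "198.51.100.5", "198.51.100.6", "192.0.2.77"))
```

With strict-register enabled the unrelated host is dropped, but so is the proxy when it sits on a different address from the registrar, which is the case to check before relying on the new default.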

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs the VDOM data held by the voipd daemon.

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom
VDOM list by id:
vdom 0 root (Kernel: root)
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 6 vdomc2 (Kernel: vdomc2)
vdom 7 vdoma (Kernel: vdoma)
vdom 8 vdomb (Kernel: vdomb)
vdom 9 vdomc (Kernel: vdomc)
VDOM list by name:
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 0 root (Kernel: root)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 7 vdoma (Kernel: vdoma)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 8 vdomb (Kernel: vdomb)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 9 vdomc (Kernel: vdomc)
vdom 6 vdomc2 (Kernel: vdomc2)

 

VDOMs (5.6.1)

This section describes new VDOM features added to FortiOS 5.6.1.

Create a virtual switch that allows multiple VDOMs to use the same physical interface or VLAN (436206)

This feature allows multiple VDOMs to access the same network or the Internet using the same physical interface rather than requiring each VDOM to have its own Internet-facing interface.

To create this configuration, consider a FortiGate with three VDOMs:

config vdom
    edit root
    next
    edit vdom1
    next
    edit vdom2
end

Create inter-VDOM links for vdom1 and vdom2. The inter-VDOM links should have their type set to ethernet.

config system vdom-link
    edit "vlnk1"
        set type ethernet
    next
    edit "vlnk2"
        set type ethernet
end

These commands create the following four interfaces:

  • vlnk1 creates the interfaces vlnk10 and vlnk11
  • vlnk2 creates the interfaces vlnk20 and vlnk21

Then create a virtual switch, add it to the root VDOM, and add the first interface created for each inter-VDOM link to it along with the physical interface or VLAN that the VDOMs will use to connect to the external network. In this example, the VDOMs will all connect to the Internet through the wan1 interface.

config system switch-interface
    edit "vs1"
        set vdom "root"
        set member "wan1" "vlnk10" "vlnk20"
end

Then distribute the interfaces in the virtual switch to the respective VDOMs and configure the required IP settings. In this example:

  • wan1, vlnk10, and vlnk20 are added to the root VDOM
  • vlnk11 is added to vdom1
  • vlnk21 is added to vdom2
  • wan1, vlnk11 and vlnk21 are configured with IP addresses on the same subnet. The example uses internal IP addresses that may not be appropriate for your network.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.1.1.101 255.255.255.0
    next
    edit "vlnk10"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk20"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk11"
        set vdom "vdom1"
        set ip 10.1.1.102 255.255.255.0
        set type vdom-link
    next
    edit "vlnk21"
        set vdom "vdom2"
        set ip 10.1.1.103 255.255.255.0
        set type vdom-link
end

System (5.6)

New system administration features added to FortiOS 5.6.

Remove CLI commands from 1-CPU platforms (405321)

Two CLI commands that set CPU affinity have been removed from 1-CPU platforms since they do not have any impact on these platforms. The commands are config system global > set miglog-affinity and config system global > set av-affinity <string>.

New SNMP trap for bypass events (307329)

When bypass mode is enabled or disabled on FortiGate units that have bypass interfaces and support AMC modules, a new SNMP trap is generated and the bypass event is logged.

Implement SNMP support for NAT Session monitoring which includes new SNMP OIDs (383661)

FortiOS 5.6 adds SNMP support for NAT session monitoring. The resulting new SNMP object identifier (OID) is:

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwIppools.fgFwIppTables.fgFwIppStatsTable.fgFwIppStatsEntry 1.3.6.1.4.1.12356.101.5.3.2.1.1

Additionally, there are eight new items (columns of fgFwIppStatsEntry):

.fgFwIppStatsName          .1
.fgFwIppStatsType          .2
.fgFwIppStatsStartIp       .3
.fgFwIppStatsEndIp         .4
.fgFwIppStatsTotalSessions .5
.fgFwIppStatsTcpSessions   .6
.fgFwIppStatsUdpSessions   .7
.fgFwIppStatsOtherSessions .8
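As an added example (not Fortinet code), the following Python groups a walk of this table into one record per IP pool using the entry OID and the eight column numbers above, and flags pools whose NAT session count crosses a threshold; the snmpwalk-style sample output and the threshold are constructed:

```python
# Added example (not Fortinet code): parse an snmpwalk of fgFwIppStatsTable.
import re

ENTRY_OID = "1.3.6.1.4.1.12356.101.5.3.2.1.1"   # fgFwIppStatsEntry
COLUMNS = {                                       # .1 - .8 from the list above
    1: "name", 2: "type", 3: "start_ip", 4: "end_ip", 5: "total_sessions",
    6: "tcp_sessions", 7: "udp_sessions", 8: "other_sessions",
}
LINE_RE = re.compile(r"^\.?(\S+) = (\w+): (.*)$")

# Constructed snmpwalk-style output for two IP pools (row indexes 1 and 2).
SAMPLE_WALK = """\
.1.3.6.1.4.1.12356.101.5.3.2.1.1.1.1 = STRING: "ippool-wan"
.1.3.6.1.4.1.12356.101.5.3.2.1.1.1.2 = STRING: "ippool-dmz"
.1.3.6.1.4.1.12356.101.5.3.2.1.1.2.1 = INTEGER: 1
.1.3.6.1.4.1.12356.101.5.3.2.1.1.2.2 = INTEGER: 1
.1.3.6.1.4.1.12356.101.5.3.2.1.1.3.1 = IpAddress: 203.0.113.10
.1.3.6.1.4.1.12356.101.5.3.2.1.1.3.2 = IpAddress: 203.0.113.20
.1.3.6.1.4.1.12356.101.5.3.2.1.1.4.1 = IpAddress: 203.0.113.19
.1.3.6.1.4.1.12356.101.5.3.2.1.1.4.2 = IpAddress: 203.0.113.20
.1.3.6.1.4.1.12356.101.5.3.2.1.1.5.1 = Gauge32: 48213
.1.3.6.1.4.1.12356.101.5.3.2.1.1.5.2 = Gauge32: 310
.1.3.6.1.4.1.12356.101.5.3.2.1.1.6.1 = Gauge32: 40100
.1.3.6.1.4.1.12356.101.5.3.2.1.1.6.2 = Gauge32: 290
.1.3.6.1.4.1.12356.101.5.3.2.1.1.7.1 = Gauge32: 8000
.1.3.6.1.4.1.12356.101.5.3.2.1.1.7.2 = Gauge32: 20
.1.3.6.1.4.1.12356.101.5.3.2.1.1.8.1 = Gauge32: 113
.1.3.6.1.4.1.12356.101.5.3.2.1.1.8.2 = Gauge32: 0
"""

def parse_walk(text):
    """Return {row_index: {column_name: value}} for rows of fgFwIppStatsTable."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, value = m.groups()
        if not oid.startswith(ENTRY_OID + "."):
            continue                      # not part of this table
        col, idx = oid[len(ENTRY_OID) + 1:].split(".", 1)
        name = COLUMNS.get(int(col))
        if name is None:
            continue                      # unknown column: ignore
        if typ in ("INTEGER", "Gauge32", "Counter32"):
            value = int(value)
        else:
            value = value.strip('"')      # STRING / IpAddress
        rows.setdefault(int(idx), {})[name] = value
    return rows

def pools_over_limit(rows, limit):
    """Names of pools whose total NAT sessions exceed limit (constructed threshold)."""
    return sorted(r["name"] for r in rows.values()
                  if r.get("total_sessions", 0) > limit)

if __name__ == "__main__":
    stats = parse_walk(SAMPLE_WALK)
    for idx, r in sorted(stats.items()):
        print(idx, r["name"], r["start_ip"], "-", r["end_ip"], r["total_sessions"])
    print("over limit:", pools_over_limit(stats, 10000))
```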

New extended database version OIDs for AV and IPS (402162)

New extended database version OIDs ensure accurate display of the AntiVirus and IPS databases in use when you go to System > FortiGuard.

Administrator password encryption hash upgraded from SHA1 to SHA256 (391576)

The encryption hash for administrator passwords is upgraded from SHA1 to SHA256.

Downgrades from FortiOS 5.6->5.4->5.2->5.0 keep the administrator password usable. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then log in after the downgrade and reset the password.

Allow multiple FortiManager addresses when configuring central management (388083)

Central management configuration can now support multiple FortiManager addresses. This feature is mainly intended for the case where the FortiGate unit is behind NAT.

FortiGuard can determine a FortiGate’s location from its public IP address (393972)

A new CLI command, diagnose system waninfo, lets users determine a FortiGate's location from its public IP address through FortiGuard.

Deletion of multiple saved configurations supported (308936)

The FortiGate saves multiple configurations and images when revision-backup-on-logout and revision-image-auto-backup are enabled in config system global.

Multiple saved configurations can now be deleted at once with the CLI command execute revision delete config <revision ID>. Where the command previously accepted only one revision ID at a time, it now accepts almost ten.

New CLI option to limit script output size (388221)

The new CLI command set output-size limits the size of an auto script's output in megabytes and prevents memory from being used up by the script's output.

CLI Syntax

config system auto-script
    edit <script name>
        set output-size <integer>
    next
end

Enter an integer value from 10 to 1024. Default is 10.

Enable / disable logging of SSL connection events (375582)

New CLI commands are added to give the user the option to enable or disable logging of SSL connection events.

CLI Syntax

config system global
    set log-ssl-connection {enable | disable}
end

Default is disable.

Enabling or disabling static key ciphers (379616)

There is a new option in system global to enable or disable static key ciphers (for example AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256) in SSL/TLS connections. These suites use static RSA key exchange and therefore provide no forward secrecy. The default is enable.

CLI Syntax

config system global
    set ssl-static-key-ciphers {enable | disable}
end

Enhancements to IPS Signatures page (285543)

The IPS signatures list page now shows which IPS package is currently deployed. You can also change the IPS package by hovering over the information icon next to the IPS package name; the text that appears links directly to the FortiGate's System > FortiGuard page from the IPS Signatures list page.

Combine multiple commands into a CLI alias (308921)

You can add one or more CLI commands to a CLI alias, then use the alias command to run the stored commands. For example, create the following alias to run the get system status command:

config system alias
    edit "version"
        set command "get system status"
end

Then you can use the following command to run the alias:

alias version

You can use command abbreviations (for example: g sys stat instead of get system status). Use quotes around the syntax if there are spaces (there usually are).

You can enter alias followed by a ? to view the aliases that you have added.

You can add multiple commands to an alias by pressing Ctrl-Enter after the first line. Press Enter at the end of subsequent lines. At the end of the last line, add the closing quote and press Enter to end the command.

config system alias
    edit "debug_flow"
        set command "diag debug enable
diag debug flow show console enable"
end

You can include config commands in an alias as well, for example, create the following alias to bring the port1 and port2 interfaces down:

config system alias
    edit port12down
        set command "config system interface
edit port1
set status down
next
edit port2
set status down
end"
end

You can combine config, execute, get, and diagnose commands in the same alias, for example:

config system alias
    edit "show-info"
        set command "show full-configuration alertemail setting
get sys status
dia sys top"
end

 

System (5.6.1)

New system administration features added to FortiOS 5.6.1.

Use self-sign as default GUI certificate if BIOS cert is using SHA-1 (403152)

For increased security, a self-signed certificate replaces the SHA-1 certificate as the default GUI certificate if the BIOS certificate uses SHA-1.

Administrator timeout override per access profile (413543)

The GUI is often used for central monitoring, which requires a longer inactivity timeout so that an admin does not have to log in again constantly. This new feature allows the admintimeout value to be overridden per access profile under config system accprofile.

Because the override is applied per profile, the longer timeout is not unintentionally set globally.

CLI Syntax – Configure admin timeout

config system accprofile
    edit <name>
        set admintimeout-override {enable | disable}
        set admintimeout <0-480>    (default = 10, 0 = unlimited)
    next
end

New execute script command (423159)

A new execute command merges arbitrary configlets from a script into the running configuration. Authentication to the server can use either a username and password or a certificate. The command supports FTP/TFTP and SCP.

An important benefit of this feature is that if the configuration in the script fails (for example, on a syntax error), the system reverts to the running configuration without interrupting the network.

CLI Syntax – Load script from FTP/TFTP/SCP server to firewall

execute restore scripts <ftp | tftp | scp> <dir / filename in server> <server ip> <username> <password>

FortiCache as an external cache service for FortiOS (435830)

A CLI configuration was added to allow the FortiGate to use FortiCache as an external cache service.

Global configuration

config wanopt forticache-service
    set status enable
    set local-cache-id "100d-bhan"
    set remote-forticache-id "3kc-bhan"
    set remote-forticache-ip 192.99.1.99
end

Help text:

status                Enable/disable using FortiCache as web-cache storage.
local-cache-id        ID that this device uses to connect to the remote FortiCache.
remote-forticache-id  ID of the FortiCache to which the device connects.
remote-forticache-ip  IP address of the FortiCache to which the device connects.

(status) # set status
disable    Use local disks as web-cache storage.
enable     Use a remote FortiCache as web-cache storage.

(local-cache-id) # set local-cache-id
<string>    please input string value

(remote-forticache-id) # set remote-forticache-id
<string>    please input string value

(remote-forticache-ip) # set remote-forticache-ip
<any_ip>    Any ip xxx.xxx.xxx.xxx

SSL VPN (5.6)

New SSL VPN features added to FortiOS 5.6.

Remote desktop configuration changes (410648)

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However, there may be cases where a user wants a blank password, although this is strongly discouraged. If a username is provided but the password is empty, the CLI displays a warning. See the example CLI below, where the warning appears as a caution before the command completes:

config vpn ssl web user-group-bookmark
    edit <group-name>
        config bookmarks
            edit <bookmark-name>
                set apptype rdp
                set host 172.16.200.121
                set security nla
                set port 3389
                set logon-user <username>
            next
        end
Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.
end

If no username (logon-user) is specified, the following warning message appears:

Please enter user name for RDP security method NLA.
object set operator error, -2010 discard the setting
Command fail. Return code -2010

SSL VPN supports WAN link load balancing interface (396236)

A new CLI command sets virtual-wan-link as the destination interface in a firewall policy (with SSL VPN as the source interface) for WAN link load balancing. This allows users to log in to a FortiGate via SSL VPN for traffic inspection and then have their outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy
    edit <example>
        set dstintf virtual-wan-link
end

SSL VPN login timeout to support high latency (394583)

With long network latency, the FortiGate can time out the client before it finishes negotiation steps such as DNS lookup and entering a token. Two new CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard-coded timeout value. The second command sets the maximum SSL VPN DTLS hello timeout.

CLI syntax

config vpn ssl settings
    set login-timeout [10-180]        Default is 30 seconds.
    set dtls-hello-timeout [10-60]    Default is 10 seconds.
end

SSL VPN supports Windows 10 OS check (387276)

A new CLI field has been added to the os-check-list under config vpn ssl web portal to allow OS checking for Windows 10.

CLI syntax

config vpn ssl web portal
    edit <example>
        set os-check enable
        config os-check-list windows-10
            set action {deny | allow | check-up-to-date}
        end
    end

SSL VPN DNS suffix per portal and number of portals (383754)

A new CLI command under config vpn ssl web portal sets a DNS suffix per SSL VPN portal. The suffix setting for a specific portal overrides the dns-suffix setting under config vpn ssl settings.

This feature also raises bookmark limits and the number of portals that can be supported, depending on what FortiGate series model is used:

  • 650 portals on 1000D series
  • 1300 portals on 2000E series
  • 2600 portals on 3000D series

The previous limit for 1000D series models, for example, was 256 portals.

CLI syntax

config vpn ssl web portal
    edit <example>
        set dns-suffix <string>
end

New SSL VPN timeout settings (379870)

New SSL VPN timeout settings have been introduced to counter the 'Slowloris' and 'R-U-Dead-Yet' vulnerabilities, which allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution is to add two attributes (http-request-header-timeout and http-request-body-timeout).

CLI syntax

config vpn ssl settings
    set http-request-header-timeout [1-60]    (seconds)
    set http-request-body-timeout [1-60]      (seconds)
end
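As an added example (not FortiOS code), the following asyncio snippet shows the mechanism these two settings implement: one deadline for the header phase and a separate one for the body phase, after which a request that has stopped arriving is dropped instead of holding its connection open; the timeouts, paths and request bytes are constructed:

```python
# Added example (not Fortinet code): how a header deadline and a body deadline,
# like http-request-header-timeout / http-request-body-timeout, drop stalled requests.
import asyncio

HEADER_END = b"\r\n\r\n"


async def read_request(reader, header_timeout, body_timeout):
    """Read one HTTP/1.x request from reader. Returns ("ok", headers, body),
    or ("timeout:header"/"timeout:body", ...) when a deadline expires."""
    try:
        raw = await asyncio.wait_for(reader.readuntil(HEADER_END),
                                     timeout=header_timeout)
    except asyncio.TimeoutError:
        return ("timeout:header", None, None)   # headers never completed (Slowloris)
    except (asyncio.LimitOverrunError, asyncio.IncompleteReadError):
        return ("error:bad-headers", None, None)
    lines = raw[:-len(HEADER_END)].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:                     # lines[0] is the request line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    try:
        body = await asyncio.wait_for(reader.readexactly(length),
                                      timeout=body_timeout)
    except asyncio.TimeoutError:
        return ("timeout:body", headers, None)  # body never completed (R-U-Dead-Yet)
    except asyncio.IncompleteReadError:
        return ("error:connection-closed", headers, None)
    return ("ok", headers, body)


def run_case(chunks, header_timeout=0.2, body_timeout=0.2):
    """Feed constructed request bytes into a StreamReader with nothing further
    ever arriving, and return (status, body) as classified by read_request."""
    async def _go():
        reader = asyncio.StreamReader()
        for chunk in chunks:
            reader.feed_data(chunk)
        status, _headers, body = await read_request(reader, header_timeout,
                                                    body_timeout)
        return status, body
    return asyncio.run(_go())


# Constructed requests: complete; headers that stop mid-way; body that stops mid-way.
COMPLETE = [b"POST /remote/login HTTP/1.1\r\nHost: vpn.example\r\n",
            b"Content-Length: 7\r\n\r\nuser=ab"]
STALLED_HEADERS = [b"POST /remote/login HTTP/1.1\r\nHost: vpn.example\r\n"]
STALLED_BODY = [b"POST /remote/login HTTP/1.1\r\nHost: vpn.example\r\n",
                b"Content-Length: 500\r\n\r\nuser="]

if __name__ == "__main__":
    for name, req in (("complete", COMPLETE), ("stalled-headers", STALLED_HEADERS),
                      ("stalled-body", STALLED_BODY)):
        print(name, run_case(req))
```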

Personal bookmark improvements (377500)

You can now move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark
    edit 'name'
        config bookmarks
            move bookmark1 after/before
            clone bookmark1 to
    next
end

New controls for SSL VPN client login limits (376983)

The limit on SSL VPN user login failures has been removed by linking the SSL VPN user setting with config user settings, and a new option lets you remove the SSL VPN login-attempt limitation altogether. New CLI commands let the administrator configure how many wrong-credential attempts are allowed before the SSL VPN server blocks an IP address, and how long the block lasts.

CLI syntax

config vpn ssl settings
    set login-attempt-limit [0-10]     Default is 2.
    set login-block-time [0-86400]     Default is 60 seconds.
end

Unrated category removed from ssl-exempt (356428)

The “Unrated” category has been removed from the SSL Exempt/Web Category list.

Clipboard support for SSL VPN remote desktop connections (307465)

A remote desktop clipboard viewer pane has been added which allows users to copy, interact with, and overwrite remote desktop clipboard contents.

SSL VPN (5.6.1)

New SSL VPN features added to FortiOS 5.6.1.

Added a button to send Ctrl-Alt-Delete to the remote host for VNC and RDP desktop connections (401807)

Previously, users were unable to send Ctrl-Alt-Delete to the host machine in an SSL VPN remote desktop connection.

FortiOS 5.6.1 adds a new button that allows users to send Ctrl-Alt-Delete in remote desktop tools (also fixes 412456, preserving the SSL VPN realm after session timeout prompts a logout).

Improved SSL VPN Realms page (0392184)

Implemented minor functional changes to the dialog on the SSL VPN > Realms page:

  • URL preview uses an info message similar to that seen on the SSL VPN settings dialog.
  • Virtual-Host input is now visible when set in the CLI.
  • Added a help tooltip describing what the virtual-host property does.

Customizable FortiClient Download URL in SSL VPN Web Portal (437883)

A new attribute, customize-forticlient-download-url, is added to vpn.ssl.web.portal.

The added attribute indicates whether a customizable download URI for FortiClient is supported. It is disabled by default. If enabled, two other attributes, windows-forticlient-download-url and macos-forticlient-download-url, appear, through which the user can customize the FortiClient download URI.

Syntax

config vpn ssl web portal
    edit <portal>
        set customize-forticlient-download-url {enable | disable}
        set windows-forticlient-download-url <custom URL for Windows>
        set macos-forticlient-download-url <custom URL for Mac OS>
    next
end

Added split DNS support for SSL VPN (434512)

Split DNS is now supported for SSL VPN. This feature allows you to specify which domains will be resolved by the DNS server specified by the VPN while all other domains will be resolved by the locally specified DNS.

This feature is useful in both Enterprise and MSP scenarios (when hosting multiple SSL VPN portals).

Syntax

config vpn ssl web portal
    edit <name>
        config split-dns-domains
            edit 1
                set domains "abc.com, cde.com"
                set dns-server1 192.168.1.1
                set dns-server2 192.168.1.2
                set ipv6-dns-server1 2000:2:3:4::5
                set ipv6-dns-server2 2000:2:3:4::6
            next
            …
        end
    end

Support SSL VPN function in browsers without plugins: Citrix/RDPNative/Port forward (437886)

Syntax

config vpn ssl web user-bookmark
    edit <name>
        config bookmarks
            edit "rdpnative"
                set apptype rdpnative
                set description "rdpnative"
                set host "172.16.68.188"
                set additional-params ''
                unset full-screen-mode
                set screen-height 768
                set screen-width 1024
            next
        end
    next
end

SSL VPN SSO Support for HTML5 RDP (417248)

This feature adds support for SSO from the SSL VPN portal to an RDP bookmark. If SSO is used, the credentials used to log in to SSL VPN are automatically used when connecting to the remote RDP server.

Syntax

config vpn ssl web user-bookmark
    edit <name>
        config bookmarks
            edit <name>
                set apptype rdp
                set host "x.x.x.x"
                set port <value>
                set sso [disable | auto]
            next
        end
    next
end

Session-aware Load Balancing (SLBC) (5.6.1)

New SLBC features added to FortiOS 5.6.1.

FortiController-5000 series independent port splitting (42333)

FortiOS 5.6.1 supports splitting some 40G FortiController front panel fiber channel interfaces into 10G ports. In previous versions of FortiOS this configuration was not supported and all FortiController fiber channel front panel interfaces had to operate at the same speed.

Server Load balancing (5.6)

New load balancing features added to FortiOS 5.6.

IPv6, 6to4, and 4to6 server load balancing (280073)

Server load balancing is supported for:

  • IPv6 VIPs (config firewall vip6)
  • IPv6 to IPv4 (6to4) VIPs (config firewall vip64)
  • IPv4 to IPv6 (4to6) VIPs (config firewall vip46)

Configuration is the same as for IPv4 VIPs, except that the advanced HTTP and SSL related features are not available. IPv6 server load balancing supports all the same server types as IPv4 server load balancing (HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, and IP). IPv4 to IPv6 and IPv6 to IPv4 server load balancing support fewer server types (HTTP, TCP, UDP, and IP).

Improved Server load balancing GUI pages (404169)

Server load balancing GUI pages have been updated and now include more functionality and input verification.