Yearly Archives: 2017

Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

Previous versions of FortiOS supported YouTube for Schools (YTfS). As of July 1, 2016, YouTube no longer supports this feature. Instead, follow the YouTube support article Restrict YouTube content on your network or managed devices to achieve the same result. FortiOS supports applying the Strict or Moderate restriction level by inserting the HTTP header described in that article.

In FortiOS 5.6, with the inspection mode set to proxy-based, open a Web Filter profile and, under Search Engines, select Restrict YouTube Access, then choose either Strict or Moderate. Because YouTube is served over HTTPS, the header can only be inserted into traffic that the policy's SSL/SSH inspection profile deep-inspects; with certificate inspection alone, the request is never visible to the web filter and the restriction does not take effect.
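
The following is an added example, not FortiOS code, that models what the proxy-mode web filter does once it can see a YouTube request in plaintext: it sets the YouTube-Restrict header to the configured level. The header name and values are those given in the YouTube support article; the list of YouTube hosts is an assumption taken from that article and should be checked against its current version. The sample requests are constructed, not captured traffic. Note the security-relevant detail that a header already supplied by the client is removed before the policy's value is added, so an endpoint cannot send its own Moderate to weaken a Strict policy.

```python
"""Model of the YouTube-Restrict header insertion done by a proxy-mode web filter.

Added example, not FortiOS code. It mimics what the filter does to a request it
can see after deep inspection has terminated TLS: add YouTube-Restrict with the
configured level. Header name and values follow the YouTube support article;
the host list is an assumption taken from that article.
"""
from __future__ import annotations

from typing import List, Optional, Tuple

RESTRICT_HEADER = "YouTube-Restrict"
LEVELS = {"strict": "Strict", "moderate": "Moderate"}
# Assumed host list (from the YouTube support article at the time of writing).
YOUTUBE_HOSTS = {
    "www.youtube.com",
    "m.youtube.com",
    "youtubei.googleapis.com",
    "youtube.googleapis.com",
    "www.youtube-nocookie.com",
}

# Constructed sample requests; not captured traffic.
SAMPLE_REQUEST = (
    b"GET /watch?v=dQw4w9WgXcQ HTTP/1.1\r\n"
    b"Host: www.youtube.com\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
)
# A client trying to pick a weaker level than the policy enforces.
WEAKENED_REQUEST = (
    b"GET /watch?v=dQw4w9WgXcQ HTTP/1.1\r\n"
    b"Host: www.youtube.com\r\n"
    b"YouTube-Restrict: Moderate\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into request line, header pairs and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def apply_restriction(raw: bytes, level: str) -> bytes:
    """Return the request with YouTube-Restrict set to the configured level.

    Requests to hosts outside YOUTUBE_HOSTS pass through unchanged. Any
    YouTube-Restrict header supplied by the client is dropped first, so the
    policy's value is the only one the server sees.
    """
    if level.lower() not in LEVELS:
        raise ValueError(f"unknown restriction level: {level!r}")
    request_line, headers, body = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    host = host.split(":", 1)[0].lower()
    if host not in YOUTUBE_HOSTS:
        return raw
    headers = [(n, v) for n, v in headers if n.lower() != RESTRICT_HEADER.lower()]
    headers.append((RESTRICT_HEADER, LEVELS[level.lower()]))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def restrict_level(raw: bytes) -> Optional[str]:
    """Return the single YouTube-Restrict value in a request, or None if absent or duplicated."""
    _, headers, _ = parse_request(raw)
    values = [v for n, v in headers if n.lower() == RESTRICT_HEADER.lower()]
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    print(apply_restriction(SAMPLE_REQUEST, "strict").decode("iso-8859-1"))
    print(apply_restriction(WEAKENED_REQUEST, "strict").decode("iso-8859-1"))
```

The same logic applied on a FortiGate only works for traffic that has been deep-inspected; for a request still wrapped in TLS there is no header to rewrite, which is why certificate inspection alone is not enough for this feature.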

SSL/SSH profile certificate handling changes (373835)

To support DSA and ECDSA server certificates (in addition to RSA) when re-signing certificates in SSL deep inspection, the deep-inspection CLI has changed. The single certname attribute in ssl-ssh-profile has been removed and replaced by one attribute per key type.

To select a certificate of each key type from those available on the system, use the following CLI:

config firewall ssl-ssh-profile
    edit deep-inspection
        set server-cert-mode re-sign
        set certname-{rsa | dsa | ecdsa} <certificate-name>
    next
end

New diagnose command to delete avatars (388634)

Commands to delete avatars by FortiClient UID or avatar name have been added to the CLI.

The following two commands have been added under diagnose endpoint avatar:

  • diagnose endpoint avatar delete <fctl_uid>
  • diagnose endpoint avatar delete <fctl_uid> <username>

The delete attribute did not exist before. The values <fctl_uid> and <username> identify a set of avatars. If only <fctl_uid> is given, all avatars belonging to that FortiClient UID that are not currently in use are removed. If both values are given, the single avatar matching them is removed, unless it is currently in use, in which case the command returns an error.

CASI functionality moved into application control (385183 372103)

Cloud Access Security Inspection (CASI) is merged with Application Control resulting in changes to the GUI and the CLI.

GUI Changes

  • A toggle option has been added to quickly filter CASI signatures in the Application Signatures list.
  • The Application Overrides table now shows any parent-child hierarchy using the parent metadata on signatures. Deleting a parent app also deletes its child apps; conversely, adding a child app adds all of its parent apps with an implicit filter action.
  • A policy breakdown is shown on existing application control profiles for the policies using the profile. The breakdown indicates which policies are using deep inspection.
  • A breakdown is shown for application categories and filter overrides to indicate the number of CASI and non-CASI signatures. A lock icon is shown for applications that require deep inspection.

CLI Changes

Commands removed:

  • config application casi profile
  • casi-profile in config firewall policy
  • casi-profile in config firewall policy6
  • casi-profile-status and casi-profile under config firewall sniffer
  • casi-profile-status and casi-profile under config firewall interface-policy

Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

sync-session-ttl is now enabled by default in order to:

  • enhance detection of P2P traffic; efficient P2P detection is important on hardware-accelerated platforms
  • ensure that IPS and the kernel use the same session TTL
  • ensure that IPS sessions time out sooner

Change to CLI commands for configuring custom Internet services (397029)

Custom Internet services are no longer configured with the CLI commands config application internet-service and config application internet-service-custom.

These commands are replaced by config firewall internet-service and config firewall internet-service-custom.

CLI Syntax – examples

config firewall internet-service
    edit 1245324
        set name "Fortinet-FortiGuard"
        set reputation 5
        set icon-id 140
        set offset 1602565
        config entry
            edit 1
                set protocol 6
                set port 443
                set ip-range-number 27
                set ip-number 80
            next
            edit 2
                set protocol 6
                set port 8890
                set ip-range-number 27
                set ip-number 80
            next
            edit 3
                set protocol 17
                set port 53
                set ip-range-number 18
                set ip-number 31
            next
            edit 4
                set protocol 17
                set port 8888
                set ip-range-number 18
                set ip-number 31
            next
        end
    next
end

config firewall internet-service-custom
    edit "custom1"
        set comment "custom1"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 30
                        set end-port 33
                    next
                end
                set dst "google-drive" "icloud"
            next
        end
    next
end

Security Fabric audit check for endpoint vulnerability and unauthorized FAP and FSW (401462)

The new Security Fabric Audit feature displays endpoint vulnerability status in real time. Users can see:

  • FortiClient devices on which critical vulnerabilities have been detected.
  • Discovered FortiSwitches that have not yet been authorized.
  • Discovered FortiAPs that have not yet been authorized.