Botnet database changes (390756)

Starting in FortiOS 5.6, FortiGate units and FortiGuard Distribution Servers (FDS0 will use object IDs IBDB and DBDB to download and update the Botnet database. Botnet protection will be part of the AntiVirus contract.

FortiOS 5.4 uses object IDs IRDB and BDDB.

Block Google QUIC protocol in default Application Control configuration (385190)

QUIC is an experimental protocol from Google. With recent Google Chrome versions (52 and above), and updated Google services, more than half of connections to Google servers are now in QUIC. This affects the accuracy of Application Control. The default configuration for Application control blocks QUIC.

Users may enable QUIC with CLI commands.

CLI Syntax

config application list edit <profile-name> set options allow-quic

end

Changes to default SSL inspection configuration (380736)

SSL inspection is mandatory in the CLI and GUI and is enabled by default.

GUI Changes

• Updated edit dialogues for IPv4/IPv6 Policy and Explicit Proxy Policy l SSL/SSH inspection data displayed in muted palette l disabled the toggle button for this option l set the default profile as “certificate-inspection”
• Updated list pages for IPv4/IPv6 Policy and Explicit Proxy Policy l Add validation for “ssl-ssh-profile” when configuring UTM profiles
• Updated SSL/SSH Inspection list page l disabled delete menu on GUI for default ssl profiles l changed “Edit” menu to “View” menu for default ssl profiles l added implicit class (grayed) the default ssl profile entries
• Updated SSL/SSH Inspection edit dialog l disabled all the inputs for default ssl profiles except download/view trusted certificate links l changed button to “Return” for default ssl profiles to return the list page
• Updated Profile Group edit dialog l removed checkbox for “ssl-ssh-profile” option, make it always required.

CLI changes

1. ssl-ssh-profile default value is certificate-inspection when applicable in table firewall.profile-group, firewall.policy, firewall.policy6, explicit-proxy-policy
2. make default profiles “certificate-inspection”, “deep-ssl-inspection’ read only in table firewall.ssl-ssh-profile

Application control and Industrial signatures separate from IPS signatures (382053)

IPS, Application control and industrial signatures have been separated. The get system status command shows the versions of each signature database:

get system status

Version: FortiGate-5001D v5.6.0,build1413,170121 (interim)

Virus-DB: 42.00330(2017-01-23 01:16)

Extended DB: 1.00000(2012-10-17 15:46)

Extreme DB: 1.00000(2012-10-17 15:47) IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 0.00000(2001-01-01 00:00)

APP-DB: 6.00741(2015-12-01 02:30)

DNS profile supports safe search (403275)

Users can take advantage of pre-defined DNS doctor rules to edit DNS profiles and provide safe search for Google, Bing, and YouTube.

To add safe search to a DNS profile – GUI

1. Go to Security Profiles > DNS Filter.
2. Edit the default filter or create a new one.
3. Enable Enforce ‘Safe Search on Google, Bing, YouTube.
4. Select Strict or Moderate level of restriction for YouTube Access.

To add safe search to a DNS profile – CLI

config dnsfilter profile edit “default” set safe-search enable

set youtube-restrict {strict | moderate} (only available is safe-search enabled)

next

end

FortiClient Vulnerability Exemption Setting (407230)

A new CLI command provides a manual override for client computers with vulnerabilities that cannot be fixed.

CLI Syntax

New command to enable/disable compliance exemption for vulnerabilities that cannot be auto patched. Default is disable.

config endpoint-control profile edit <profile-name> config forticlient-winmac-setting set forticlient-vuln-scan enable

set forticlient-vuln-scan-exempt [enable|disable]

end

next

end

Security Profiles (5.6)

New security profile features added to FortiOS 5.6.

New FortiGuard Web Filter categories (407574)

New categories added to FortiGuard Web Filter sub-categories:

• Under Security Risk:
• Newly Observed Domain (5.90) l Newly Registered Domain (5.91)
• Under General Interest – Business l Charitable Organizations (7.92) l Remote Access (7.93) l Web Analytics (7.94) l Online Meeting (7.95)

Newly observed domain (NOD) applies to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes.

Newly registered domain (NRD) applies to URLs whose domain name was registered in the previous 10 days.

Overall improvement to SSL inspection performance (405224)

The enabling / disabling of proxy cipher / kxp hardware acceleration in CP8/CP9 required restarting of the WAD daemon for the change to take effect; this bug has been repaired.

New CLI commands

The FortiGate will use the ssl-queue-threshold command to determine the maximum queue size of the CP SSL queue. In other words, if the SSL encryption/decryption task queue size is larger than the threshold, the FortiGate will switch to use CPU rather than CP. If less, it will employ CP.

config firewall ssl setting set ssl-queue-threshold <integer>

end

The integer represents the maximum length of the CP SSL queue. Once the queue is full, the proxy switches cipher functions to the main CPU. The range is 0 – 512 and the default is 32.

FortiClient Endpoint license updates (401721)

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.

Security Profiles (5.6.1)

New security profile features added to FortiOS 5.6.1.

FortiGuard WAN IP blacklist service is now online (404859)

The Fortiguard WAN IP blacklist service was not online in FortiOS 5.6.0. In FortiOS 5.6.1, a notification appears on the Dashboard when WAN IP is blacklisted. Clicking on the notification brings up the blacklist details.

Application Control GUI improvements (279956)

An All Categories button on the Security Profiles > Application Control page makes it easier to apply an action (Monitor, Allow, Block, Quarantine) to all categories at once.

Note that the All Categories selector goes blank when any of theactions to be applied to individual categories is manually changed to something different than what was selected for all the categories. The Unknown Application action will match the All Categories action unless that action is Quarantine, which is unsupported for unknown applications.

Industrial Application Control signatures (0434592)

The application control category Industrial is now controlled by a FortiGuard license and the default disable mask is no longer needed. The special category is also no longer used.

GUI updates to reflect package and license changes for IPS, Application Control and Industrial signatures (397010)

The following changes have been made to the GUI to reflect changes in the signature databases:

• Application Control signature database information is displayed under on the System > FortiGuardpage in the FortiCare section.
• The IPS package version and license status are shown in a separate section in System > FortiGuard A link to manually upload the IPS database signatures has been added.

(5.6.1)

• The Industrial package version and license status are shown in a separate section in System > FortiGuard A link to manually upload the Industrial database signatures is available. Access to the Industrial database is provided with the purchase of the FortiGuard Industrial Security Service. The row item for this license will not appear if you are not subscribed. l Botnet category is no longer available when searching the Application Signatures list.

Improved FortiClient monitor display (378288)

The GUI for the Monitor > FortiClient Monitor page has been revised.

• new dropdown option: Online Only or Include Offline. The default is Online Only.

l new dropdown option l Sending FortiTelemetry Only (default) l Include All FortiTelemetry States l Not Sending FortiTelemetry Only

• update: Compliance status for offline device is N/A l update: offline status indicator to grey l new compliance status text after the icon in Compliance column l Moved Compliance column after Status column
• Combined unregistered endpoint devices with not registered devices

FortiSandbox integration with AntiVirus in quick mode (436380)

FortiSandbox options in an AntiVirus Security Profile in quick scanning mode can now be enabled with CLI commands.

CLI syntax

config antivirus profile edit default set ftgd-analytics disable/everything set analytics-max-upload 10 set analytics-wl-filetype 0 set analytics-bl-filetype 0 set analytics-db enable/disable set scan-mode quick

end

Pre-configured parental controls for web filtering (399715)

Pre-configured filters based on the Motion Picture Association of America (MPAA) ratings can now be added to the Web Filter Security Profile. This feature is already available on FortiCloud and uses the same ratings categories.

Anti-Spam GUI updates (300423)

Changes made to the Anti-Spam profile update the GUI to reflect FortiOS 5.6 style.