
Sandbox Integration (5.6.1)

New sandbox integration features added to FortiOS 5.6.1.

New file extension lists for determining which file types to send to FortiSandbox (379326)

This feature introduces two new file extension lists:

  • File extensions to submit to FortiSandbox even though the AV engine says they are unsupported.
  • File extensions to exclude from submitting to FortiSandbox even though the AV engine says they are supported.

These lists are configured on the FortiSandbox, not the FortiGate, and are dynamically loaded on the FortiGate via quarantine.

Syntax:

    diag sys scanunit reload-fsa-ext

Networking (5.6)

New networking features added to FortiOS 5.6.

New command to get transceiver signal strength (205138)

On most FortiGate models with SFP/SFP+ interfaces you can use the following command to display information about the status of the transceivers installed in the SFP/SFP+ interfaces of the FortiGate.

The command output lists all SFP/SFP+ interfaces and, for each one that contains a transceiver, displays information about it. The output also includes details about transceiver operation that can be used to diagnose transmission problems.

    get system interface transceiver
    ...
    Interface port14 - Transceiver is not detected.

    Interface port15 - SFP/SFP+
      Vendor Name :    FIBERXON INC.
      Part No.    :    FTM-8012C-SLG
      Serial No.  :    101680071708917

    Interface port16 - SFP/SFP+
      Vendor Name :    FINISAR CORP.
      Part No.    :    FCLF-8521-3
      Serial No.  :    PS62ENQ

                                           Optical      Optical      Optical
    SFP/SFP+     Temperature  Voltage      Tx Bias      Tx Power     Rx Power
    Interface    (Celsius)    (Volts)      (mA)         (dBm)        (dBm)
    ------------ ------------ ------------ ------------ ------------ ------------
    port15       N/A          N/A          N/A          N/A          N/A
    port16       N/A          N/A          N/A          N/A          N/A

    ++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.

New BGP local-AS support (307530)

Use the following command to configure BGP local-AS support:

    config router bgp
        config neighbor
            edit "neighbor"
                ...
                set local-as 300
                set local-as-no-prepend disable|enable
                set local-as-replace-as disable|enable
            next
        end
    end

Enable local-as-no-prepend if you do not want to prepend local-as to incoming updates.

Enable local-as-replace-as to replace a real AS with local AS in outgoing updates.

Interface setting removed from SNMP community (310665)

The SNMP GUI has been cleaned up by removing the Interface setting.

RPF checks can be removed from the state evaluation process (311005)

You can remove stateful firewall RPF state checks without fully enabling asymmetric routing. State checks can be disabled on specific interfaces. The following command shows how to disable state checks for traffic received by the wan1 interface.

    config system interface
        edit wan1
            set src-check disable
        next
    end

BGP graceful-restart-end-on-timer, stale-route, and linkdown-failover options (374140)

If graceful-end-on-timer is enabled, the BGP graceful restart process is stopped only upon expiration of the restart timer.

If linkdown-failover is enabled for a BGP neighbor, the neighbor is brought down when the outgoing interface is down.

If stale-route is enabled for a BGP neighbor, the routes learned from the neighbor are kept for the graceful-stalepath-time after the neighbor goes down due to hold timer expiration or TCP connection failure.

    config router bgp
        set graceful-end-on-timer disable|enable
        config neighbor
            edit 192.168.1.1
                set linkdown-failover disable|enable
                set stale-route disable|enable
            next
        end
    end

graceful-end-on-timer stops the BGP graceful restart process on timer expiry only. linkdown-failover and stale-route are options to bring down BGP neighbors upon link down and to keep routes for a period after the neighbor is down, respectively.

FQDNs can be destination addresses in static routes (376200)

FQDN firewall addresses can now be used as destination addresses in a static route.

From the GUI, to use an FQDN firewall address (or any other supported type of firewall address) as the destination of a static route, you must first enable the Static Route Configuration option in the firewall address configuration. Then, when configuring the static route, set Destination to Named Address.

From the CLI, first configure the firewall FQDN address:

    config firewall address
        edit 'Fortinet-Documentation-Website'
            set type fqdn
            set fqdn docs.fortinet.com
            set allow-routing enable
        next
    end

Then add the FQDN address to a static route:

    config router static
        edit 0
            set dstaddr Fortinet-Documentation-Website
            ...
        next
    end

Priority for Blackhole routes (378232)

You can now add a priority to a blackhole route to change its position relative to kernel routes in the routing table. Use the following command to add a blackhole route with a priority:

    config router static
        edit 23
            set blackhole enable
            set priority 200
        next
    end

New DDNS refresh interval (383994)

A new DDNS option has been added to configure the FortiGate to refresh DDNS IP addresses by periodically checking the configured DDNS server.

    config system ddns
        edit 1
            set ddns-server FortiGuardDDNS
            set use-public-ip enable
            set update-interval <seconds>
        next
    end

The default update-interval is 300 seconds and the range is 60 to 2592000 seconds.

Support IPv6 blackhole routes on GUI (388599)

IPv6 blackhole routes are now supported in the GUI: go to Network > Static Routes, select Create New > IPv6 Route, and choose Blackhole for the Device field.

SSL-VPN can use a WAN link load balancing interface (396236)

The virtual-wan-link interface can now be set as the destination interface in an SSL VPN policy. The SSL VPN interface can also now be set as a source interface for WAN LLB.

DDNS support for noip.com (399126)

Noip.com, a Dynamic DNS provider, has been added as a supported option for ddns-server.

CLI

    config system ddns
        edit <ddns_ip>
            set ddns-server [dyndns.org|dyns.net|ods.org|tzo.com|vavic.com|dipdns.net|now.net.cn|dhs.org|easydns.com|genericDDNS|FortiGuardDDNS|noip.com]
        next
    end

IPv6 Router Advertisement options for DNS (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

Configuration example:

To get the information from the upstream ISP server:

    config system interface
        edit wan1
            config ipv6
                set dhcp6-prefix-delegation enable
            end
        next
    end

To use Router Advertisement to send the DNS search list:

    config system interface
        edit port1
            config ipv6
                set ip6-address 2001:10::/64
                set ip6-mode static
                set ip6-send-adv enable
                config ip6-delegated-prefix-list
                    edit 1
                        set upstream-interface WAN
                        set subnet 0:0:0:11::/64
                        set autonomous-flag enable
                        set onlink-flag enable
                    next
                end
            end
        next
    end

To use the DHCPv6 server to send the DNS search list:

    config system dhcp6 server
        edit 1
            set interface port2
            set upstream-interface WAN
            set ip-mode delegated
            set dns-service delegated
            set dns-search-list delegated    // this is a new command
            set subnet 0:0:0:12::/64
        next
    end

WAN LLB to SD-WAN on GUI (403102)

To be more consistent with current terminology, the term WAN LLB has been changed in the GUI to the more recognizable SD-WAN.

New RFCs

The following RFCs are now supported by FortiOS 5.6.1 or the support for these RFCs has been enhanced in FortiOS 5.6.1:

  • RFC 6954 Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2) (412795)
  • RFC 6106 IPv6 Router Advertisement Options for DNS Configuration (399406)
  • RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP (408875)

The following RFCs are now supported by FortiOS 5.6 or the support for these RFCs has been enhanced in FortiOS 5.6:

  • RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) (389001)
  • RFC 7348 Virtual eXtensible Local Area Network (VXLAN) or VTEP (289354)
  • RFC 5996 (section 15) IKEv2 asymmetric authentication (393073)
  • RFC 6106 IPv6 Router Advertisement Options for DNS (399406)
  • RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation (371241)
  • RFC 3971 IPv6 Secure Neighbor Discovery (SEND) (355946)
  • RFC 6023 Childless IKEv2 Initiation (381650)

Networking (5.6.1)

New networking features added to FortiOS 5.6.1.

IPv6 Router Advertisement options for DNS enhanced with recursive DNS server option (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

FortiOS 5.6 supported the following:

To get the information from the upstream ISP server:

    config system interface
        edit wan1
            config ipv6
                set dhcp6-prefix-delegation enable
            end
        next
    end

To use Router Advertisement to send the DNS search list:

    config system interface
        edit port1
            config ipv6
                set ip6-address 2001:10::/64
                set ip6-mode static
                set ip6-send-adv enable
                config ip6-delegated-prefix-list
                    edit 1
                        set upstream-interface WAN
                        set subnet 0:0:0:11::/64
                        set autonomous-flag enable
                        set onlink-flag enable
                    next
                end
            end
        next
    end

To use the DHCPv6 server to send the DNS search list:

    config system dhcp6 server
        edit 1
            set interface port2
            set upstream-interface WAN
            set ip-mode delegated
            set dns-service delegated
            set dns-search-list delegated    // this is a new command
            set subnet 0:0:0:12::/64
        next
    end

In FortiOS 5.6.1 this feature has been enhanced to include the recursive DNS server option, which sends the IPv6 recursive DNS server option to downstream clients with a static prefix RA.

The new options are rdnss and dnssl, with the following syntax:

    config system interface
        edit port1
            config ipv6
                config ip6-prefix-list
                    edit 2001:db8::/64
                        set autonomous-flag enable
                        set onlink-flag enable
                        set rdnss 2001:1470:8000::66 2001:1470:8000::72
                        set dnssl fortinet.com fortinet.ca
                    next
                end
            end
        next
    end
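The rdnss and dnssl settings above populate the RDNSS (type 25) and DNSSL (type 31) options defined by RFC 6106 inside the Router Advertisement. The following Python is an added example, not FortiOS code, that builds both options for the values in the CLI example and parses them back the way a receiving host would, rejecting the malformed encodings (zero-length options, compression pointers, truncated names) that a client must discard; the 1800-second lifetime is a constructed value.

```python
import ipaddress
import struct

ND_OPT_RDNSS = 25  # RFC 6106 section 5.1: Recursive DNS Server option
ND_OPT_DNSSL = 31  # RFC 6106 section 5.2: DNS Search List option


def build_rdnss(servers, lifetime):
    """Encode an RDNSS option: Type, Length (8-octet units), Reserved, Lifetime, addresses."""
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    body = struct.pack("!HI", 0, lifetime) + addrs
    # 2 header octets + 6 fixed octets + 16 per address is always a multiple of 8
    return struct.pack("!BB", ND_OPT_RDNSS, (2 + len(body)) // 8) + body


def _encode_name(name):
    """DNS wire-format labels without compression (RFC 6106 forbids pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dnssl(domains, lifetime):
    """Encode a DNSSL option; the name list is zero-padded to an 8-octet boundary."""
    body = struct.pack("!HI", 0, lifetime) + b"".join(_encode_name(d) for d in domains)
    body += b"\x00" * ((-(2 + len(body))) % 8)
    return struct.pack("!BB", ND_OPT_DNSSL, (2 + len(body)) // 8) + body


def _decode_names(blob):
    names, labels, off = [], [], 0
    while off < len(blob):
        n = blob[off]
        off += 1
        if n == 0:                          # end of a name, or the trailing padding
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        if n > 63 or off + n > len(blob):   # pointer byte (>= 0xC0) or truncated label
            raise ValueError("invalid label at offset %d" % (off - 1))
        labels.append(blob[off:off + n].decode("ascii"))
        off += n
    if labels:
        raise ValueError("unterminated domain name")
    return names


def parse_nd_options(data):
    """Walk the option TLVs that follow the RA header; return (kind, lifetime, values) tuples."""
    opts, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        typ, length = data[off], data[off + 1]
        if length == 0:                      # RFC 4861: receivers MUST discard such packets
            raise ValueError("zero-length option")
        end = off + length * 8
        if end > len(data):
            raise ValueError("option overruns buffer")
        payload = data[off + 2:end]
        if typ in (ND_OPT_RDNSS, ND_OPT_DNSSL):
            lifetime = struct.unpack("!I", payload[2:6])[0]
            rest = payload[6:]
            if typ == ND_OPT_RDNSS:
                if not rest or len(rest) % 16:
                    raise ValueError("RDNSS address field is not a multiple of 16 octets")
                values = [str(ipaddress.IPv6Address(rest[i:i + 16]))
                          for i in range(0, len(rest), 16)]
                opts.append(("rdnss", lifetime, values))
            else:
                opts.append(("dnssl", lifetime, _decode_names(rest)))
        else:
            opts.append(("other", typ, payload))  # e.g. Prefix Information (type 3)
        off = end
    return opts


# Constructed sample: the servers and search domains from the CLI example, 1800 s lifetime.
RA_OPTIONS = (build_rdnss(["2001:1470:8000::66", "2001:1470:8000::72"], 1800)
              + build_dnssl(["fortinet.com", "fortinet.ca"], 1800))

if __name__ == "__main__":
    for opt in parse_nd_options(RA_OPTIONS):
        print(opt)
```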

Temporarily mask interface failure (435426)

In some situations during normal operation, attached network equipment may cause a FortiGate interface to appear to have disconnected from the network, and in some cases you may not want the FortiGate interface to detect and respond to the apparent interruption. For example, when Lawful Intercept (LI) devices are inserted into or removed from the network path using a switch mechanism, the signal is entirely interrupted. That interruption is seen by the FortiGate as an interface failure.

When the network path is interrupted, the FortiGate normally declares that the interface is down. All services using the interface are notified and act accordingly.

This new feature allows the FortiGate interface to temporarily delay detecting that the interface is down. If the connection is restored during the delay period, the FortiGate ignores the interface down condition and services using the interface resume without apparent interruption.

Use the following command to enable and configure the down time for a FortiGate interface:

    config system interface
        edit port1
            set disconnect-threshold <delay>
        next
    end

<delay> is the time to wait before sending a notification that this interface is down or disconnected (0 – 1000 ms, default = 0).
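Seen from a monitoring system, disconnect-threshold is a debounce: a link-down is reported only if the link is still down when the delay expires, so any flap shorter than the delay never produces a notification, which is also why an operator may want to know which outages were masked. The following Python is an added example, not FortiOS code, that replays a constructed sequence of link events through that rule and returns both the notifications that would fire and the flaps that were suppressed; the event timestamps and observation horizon are constructed values.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LinkEvent:
    t_ms: int   # time of the link state change, in milliseconds
    up: bool    # True = carrier restored, False = carrier lost


def down_notifications(events: List[LinkEvent], threshold_ms: int,
                       now_ms: int) -> Tuple[List[int], List[int]]:
    """Model the interface-down debounce set by `set disconnect-threshold <delay>`.

    Returns (notified, suppressed): `notified` holds the times at which an
    interface-down notification is sent (link-down time + threshold); `suppressed`
    holds link-down times whose outage ended inside the window and was never
    reported. `now_ms` is the end of the observation window, so a still-pending
    outage whose delay has already expired by then is reported as well.
    """
    if not 0 <= threshold_ms <= 1000:
        raise ValueError("disconnect-threshold is 0 - 1000 ms")
    notified, suppressed = [], []
    state, down_at = "up", None        # state: "up" | "pending" | "reported"
    for ev in sorted(events, key=lambda e: e.t_ms):
        # The delay expired while the link was still down: the notification went out.
        if state == "pending" and ev.t_ms - down_at >= threshold_ms:
            notified.append(down_at + threshold_ms)
            state = "reported"
        if ev.up:
            if state == "pending":         # carrier came back inside the window
                suppressed.append(down_at)
            state = "up"
        elif state == "up":                # first loss of carrier starts the timer
            state, down_at = "pending", ev.t_ms
    if state == "pending" and now_ms - down_at >= threshold_ms:
        notified.append(down_at + threshold_ms)
    return notified, suppressed


# Constructed sample: a 300 ms flap (such as the LI switch-over described above),
# then a 1.5 s outage, observed until t = 4000 ms.
SAMPLE_EVENTS = [
    LinkEvent(100, False), LinkEvent(400, True),
    LinkEvent(2000, False), LinkEvent(3500, True),
]

if __name__ == "__main__":
    print("threshold 500 ms:", down_notifications(SAMPLE_EVENTS, 500, 4000))
    print("threshold 0 ms:  ", down_notifications(SAMPLE_EVENTS, 0, 4000))
```

With the default delay of 0 every loss of carrier is reported; with 500 ms the short flap disappears from the notification stream and only shows up in the suppressed list.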

Policy Routes now appear on the routing monitor (411841)

You can go to Monitor > Routing Monitor and select Policy to view the active policy routes on your FortiGate.

Control how the system behaves during a routing change (408971)

FortiOS allows you to dynamically make routing changes while the FortiGate unit is processing traffic. Routing changes that affect the routing used for current sessions may affect how the FortiGate continues to process the session after the routing change has been made.

Using the following command you can control whether FortiOS keeps (preserves) the routing for the sessions that are using the route, or applies the changed routing table to active sessions, possibly causing their destinations to change.

    config system interface
        edit port2
            set preserve-session-route {enable | disable}
        next
    end

If enabled (the default), all sessions passing through port2 are allowed to finish without being affected by the routing changes. If disabled, when a route changes the new routing table is applied to the active sessions through port2 which may cause their destinations to change.

Modem (5.6.1)

New modem features added to FortiOS 5.6.1.

New modem features (422266)

New FortiOS 5.6.1 modem features include:

  • The ability to edit wireless profiles stored on EM7x modems from FortiOS.
  • GPS support.
  • MIB for internal LTE modems.
  • Syslog messages for internal LTE modems.
  • More status information displayed by the diagnose sys lte-modem command.
  • New modem-related MIB entities.

config system lte-modem command changes

The mode, interface, and holddown-timer options of the config system lte-modem command have been removed. These options are no longer needed; instead, use SD-WAN for redundant interfaces. The config system lte-modem command includes the following options:

  • status: Enable/disable USB LTE/WIMAX device.
  • extra-init: Extra initialization string to USB LTE/WIMAX device.
  • manual-handover: Enable/disable manual handover from 3G to LTE network. If enabled, the FortiGate switches the modem firmware to LTE mode if the modem itself fails to do so after 5 loops.
  • force-wireless-profile: Force the modem to use the configured wireless profile index (1 - 16), 0 if don't force. If your FortiGate includes an LTE modem or if an LTE modem is connected to it, you can use the execute lte-modem command to list the LTE modem profiles. Use this command to select one of these wireless profiles.

Wireless profiles contain detailed LTE modem data session settings. Each modem can store a maximum of 16 wireless profiles, and any data connection is initiated using settings from one of the stored profiles. To make a data connection, at least one profile must be defined. Here is a sample wireless profile table stored in one of the internal modems:

    FG30EN3U15000025 # execute lte-modem wireless-profile list
    ID   Type  Name        APN          PDP_Type  Authen  Username
    *1   0     profile1    vzwims       3         0
    2    0     profile2    vzwadmin     3         0
    3    0     profile3    VZWINTERNET  3         0
    4    0     profile4    vzwapp       3         0
    5    0     profile5    vzw800       3         0
    9    0     profile9    vzwims       2         0
    10   0     profile10   vzwadmin     0         0
    11   0     profile11   VZWINTERNET  0         0
    12   0     profile12   vzwapp       3         0
    13   0     profile13                          0

    Profile Type:
      0 ==> QMI_WDS_PROFILE_TYPE_3GPP
      1 ==> QMI_WDS_PROFILE_TYPE_3GPP2
      * ==> Default 3GPP Profile, # ==> Default 3GPP2 Profile

    Profile PDP Type:
      0 ==> QMI_WDS_PDP_TYPE_IPV4
      1 ==> QMI_WDS_PDP_TYPE_PPP
      2 ==> QMI_WDS_PDP_TYPE_IPV6
      3 ==> QMI_WDS_PDP_TYPE_IPV4_OR_IPV6

    Authentication:
      0 ==> QMI_WDS_AUTHENTICATION_NONE
      1 ==> QMI_WDS_AUTHENTICATION_PAP
      2 ==> QMI_WDS_AUTHENTICATION_CHAP
      3 ==> QMI_WDS_AUTHENTICATION_PAP|QMI_WDS_AUTHENTICATION_CHAP

  • authtype: Authentication type for PDP-IP packet data calls.
  • apn: Log in APN string for PDP-IP packet data calls.
  • modem-port: Modem port index (0 - 20).
  • network-type: Set wireless network.
  • auto-connect: Enable/disable modem auto connect.
  • gpsd-enabled: Enable/disable GPS daemon.
  • data-usage-tracking: Enable/disable data usage tracking.
  • gps-port: Modem port index (0 - 20). Specify the index for the GPS port; by default it is set to 255, which means to use the system default.

execute lte-modem command changes

The following options are available for the execute lte-modem command:

  • cold-reboot: Cold reboot LTE Modem, which means power off the internal modem and power it on again after 1 second.
  • get-modem-firmware
  • get-pri-firmware
  • power-off: Power off LTE Modem.
  • power-on: Power on LTE Modem.
  • purge-billing-data: Purge all existing LTE Modem billing data.
  • reboot: Warm reboot LTE Modem.
  • set-operation-mode: Set LTE Modem operation mode to online or offline.
  • wireless-profile

cold-reboot, power-off, power-on, set-operation-mode, and wireless-profile are new in FortiOS 5.6.1.

New execute lte-modem wireless-profile command

The following options are available for the execute lte-modem wireless-profile command:

create: Create a wireless profile. You use the create command to create an LTE modem profile by providing a name and supplying settings for the profile. The command syntax is:

    execute lte-modem wireless-profile create <name> <type> <pdp-type> <apn-name> <auth-type> [<user> <password>]

<name> Wireless profile name of 1 to 16 characters.

<type> Wireless profile type:
  • 0 for 3GPP profiles.
  • 1 for 3GPP2 profiles.

<pdp-type> Wireless profile PDP type:
  • 0 for IPv4
  • 1 for PPP
  • 2 for IPv6
  • 3 for IPv4v6

<apn-name> Wireless profile APN name, 0 to 32 characters.

<auth-type> Wireless profile authentication type:
  • 0 for no authentication.
  • 1 for PAP
  • 2 for CHAP
  • 3 for PAP and CHAP

[<user> <password>] Wireless profile user name and password (1 to 32 characters each). Not required if <auth-type> is 0.

For example, use the following command to create an LTE modem 3GPP IPv4 profile named myprofile6. This profile uses the APN profile named p6apn that uses PAP and CHAP authentication.

    execute lte-modem wireless-profile create myprofile 0 0 myapn 3 myname mypasswd

delete <profile-number>: Delete a wireless profile from the modem. Specify the profile ID of the profile to delete.

list: List all the wireless profiles stored in the modem. If the modem is busy the list may not display. If this happens just repeat the command. It may take a few attempts.

modify: Modify a wireless profile using the same settings as the create command, except that the first option is the profile ID. You can find the profile ID for each profile by listing the profiles using the execute lte-modem wireless-profile list command. For example, to modify the profile created above to change it to an IPv4v6 profile, change the APN profile to yourapn, and set the authentication type to PAP, enter the following command (assuming the profile ID is 6):

    execute lte-modem wireless-profile modify 6 myprofile 0 3 yourapn 1 myname mypasswd

test: Test wireless profiles.

Static mode for wwan interface removed (440865)

When configuring the wireless modem wwan interface from the CLI the mode can only be set to DHCP. Static addressing for the wwan interface is not supported so the static option has been removed.

Logging and Reporting (5.6)

New logging and reporting features added to FortiOS 5.6.

Client and server certificates included in Application control log messages (406203)

When SSL/TLS traffic triggers an application control signature, the application control log messages now include information about the signatures used by the session. This includes the client certificate issuer, the name in the server certificate, and the server certificate issuer.

DNS Logging (401757)

FortiOS logging now includes the Detailed DNS log message type. DNS events were previously recorded as event logs. In FortiOS 5.6 DNS log messages are a new category that also includes more DNS log messages to provide additional detail about DNS activity through the FortiGate. You can enable DNS logging from the CLI using the following command (shown in this example for memory logging):

    config log memory filter
        set dns enable
    end

DNS log messages include details of each DNS query and response. DNS log messages are recorded for all DNS traffic through the FortiGate and originated by the FortiGate.

The detailed DNS logs can be used for low-impact security investigation. Most network activity involves DNS activity of some kind. Analyzing DNS logs can provide a lot of detail about the activity on your network without using resource-intensive flow- or proxy-based techniques.

Added Policy Comment logging option (387865)

As an alternative to custom log fields, you can now log a policy's comment field in all traffic log messages that use that policy, in order to sort and isolate logs effectively in larger deployments and VDOMs. The feature is disabled by default.

    config log setting
        set log-policy-comment [enable/disable]
    end

FortiAnalyzer encryption option name change (399191)

For clarity, and because the default options for config log fortianalyzer setting have now changed, the default of the enc-algorithm option has been changed to high-medium in the following CLI commands:

    config log fortianalyzer setting
        set enc-algorithm [high/high-medium/low]

    config log fortianalyzer override-setting
        set enc-algorithm [high/high-medium/low]

    config log fortiguard setting
        set enc-algorithm [high/high-medium/low]

    config log fortiguard override-setting
        set enc-algorithm [high/high-medium/low]

Maximum values changes

Maximum values changes in FortiOS 5.6.1:

  • The maximum number of SSIDs (CLI command config wireless-controller vap) for FortiGate models 600C, 600D, 800C, 800D, and 900D increased from 356 to 512 (414202).
  • The maximum number of DLP sensors (CLI command config dlp sensor / config filter) for models 1000C, 1000D, 1200D, 1500D, 1500DT, 3240C, and 3600C decreased from 10,000 to 3,000 (371270).
  • The maximum number of DLP sensors (CLI command config dlp sensor / config filter) for models 3000D, 3100D, 3200D, 3700D, 3700DX, 3800D, 3810D, 3815D, 5001C, and 5001D decreased from 50,000 to 4,000 (371270).

Maximum values changes in FortiOS 5.6:

  • The maximum number of wireless controller QoS Profiles is per VDOM (388070).

Logging and Reporting (5.6.1)

New logging and reporting features added to FortiOS 5.6.1.

Usability Updates to Reports Page (383684)

The Reports page has been updated in 5.6.1, to include both FortiCloud and Local Reports in a single location. Configuring of report schedules is also available on this page. The page will display whichever format is enabled, or allow switching between both if both Local and FortiCloud are in use.

Interface Categories (srcintfrole, etc) added to log data (434188)

In 5.6, logs and FortiView both sort log traffic into two interface categories: “Traffic from LAN/DMZ”, and “Traffic from WAN.” For greater compatibility and troubleshooting of FortiAnalyzer and FortiCloud setups, interface category fields that expose this information have been added to general log data in 5.6.1: srcintfrole and dstintfrole for better backend control and monitoring.

Individual FAZ log settings for SLBC Cluster Blades (382942/424076)

Individual SLBC cluster blades can now be enabled to have their own specific FortiAnalyzer log settings, rather than auto-syncing with all other blades in the cluster. This allows for multi-FAZ setups and collector-analyzer architectures to deal with high logging volume. Entries in the command config system objectnsync determine which settings are not synced from the blade. Settings are available to specify VDOMs that will or will not sync.

IPv6 (5.6)

New IPv6 features added to FortiOS 5.6.

FortiGate can reply to an anycast probe from the interface’s unicast address (308872)

A new setting has been added within the CLI that can enable the FortiGate to reply to an anycast probe from the FortiGate's unicast IP address.

    config system global
        set ipv6-allow-anycast-probe [enable|disable]
    end

enable: Enable probing of IPv6 address space through Anycast, by responding from the unicast IP address.
disable: Disable probing of IPv6 address space through Anycast.

Secure Neighbor Discovery (355946)

Additional settings have been added to the configuration for interfaces with IPv6 so that they comply more closely with the parameters of RFC 3971.

The context of the new settings is:

    config system interface
        edit <interface>
            config ipv6

The new options with IPv6 are:

nd-mode: Neighbor discovery mode.
    set nd-mode [basic | SEND-compatible]
  • basic: Does not support SEND.
  • SEND-compatible: Supports SEND.

nd-cert: Neighbor discovery certificate.
    set nd-cert <string of Name of certificate to be used>
  Example string: "Fortinet_Factory local"

nd-security-level: Neighbor discovery security level.
    set nd-security-level <integer>
  • Integer values from 0 - 7
  • 0 = least secure
  • 7 = most secure
  • default = 0

nd-timestamp-delta: Neighbor discovery timestamp delta value.
    set nd-timestamp-delta <integer of time in seconds>
  • Range: 1 - 3600 sec
  • default = 300

nd-timestamp-fuzz: Neighbor discovery timestamp fuzz factor.
    set nd-timestamp-fuzz <integer of time in seconds>
  • Range: 1 - 60 sec
  • default = 1

Additional related technical information

Kernel
  • Redirects ICMPv6 packets to user space if they require SEND options verification or build.

Radvd
  • Verifies NS/RS SEND options including CGA, RSA, Timestamp, NONCE, etc. The daemon also creates a neighbor cache for future timestamp checking; any entry gets flushed in 4 hours.
  • Helps the kernel build NA/RA SEND options including CGA, RSA, Timestamp, NONCE, etc. CGA parameters are kept in cache for each interface. The CGA modifier is kept in the CMDB.

Diagnose command for radvd:

    diag test application radvd

  • Shows statistics
  • Toggles message dump

Add multicast-PMTU to allow FGT to send ICMPv6 Too Big Message (373396)

New multicast-PMTU feature added to better comply with RFC 4443.

Normally, a "Packet Too Big" ICMPv6 message is sent by a routing device in response to a packet that it cannot forward because the packet is larger than the MTU of the outgoing link. For security reasons, these messages may be disabled, because attackers can use a victim's IP address as the source address to perform IP address spoofing.

In FortiOS's implementation of this function, a setting has been added to the CLI to make this behavior optional on the FortiGate.

The syntax for the option is:

    config router multicast6
        set multicast-PMTU [enable|disable]
    end

 

IPsec VPN (5.6)

New IPsec VPN features added to FortiOS 5.6.

Improvement to stats crypto command output (403995)

The CLI command get vpn ipsec stats crypto now has a better format for the information it shows, differentiating between NP6 lite and SOC3 (CP). To further avoid confusion, all engines' encryption (encrypted/decrypted) and integrity (generated/validated) information is shown under the same heading rather than under separate headings.

Improved certificate key size control commands (397883)

The proxy chooses the same SSL key size as the HTTPS server, with two exceptions: if the server's key size is 512, the proxy chooses 1024, and if the key size is bigger than 1024, the proxy chooses 2048.

As a result, the firewall ssl-ssh-profile commands certname-rsa, certname-dsa, and certname-ecdsa have been replaced with more specific key size control commands under vpn certificate setting.

CLI syntax

    config vpn certificate setting
        set certname-rsa1024 <name>
        set certname-rsa2048 <name>
        set certname-dsa1024 <name>
        set certname-dsa2048 <name>
        set certname-ecdsa256 <name>
        set certname-ecdsa384 <name>
    end

Support bit-based keys in IKE (397712)

As per FIPS-CC required standards, as well as RFC 4306, IKE supports pre-shared secrets to be entered as both ASCII string values and as hexadecimal encoded values. This feature parses hex encoded input (indicated by the leading characters 0x) and converts the input into binary data for storage.

With this change, the psksecret and psksecret-remote entries under the IPsec VPN CLI command config vpn ipsec phase1-interface have been amended to differentiate user input as either an ASCII string or a hex encoded value.

IKEv2 asymmetric authentication (393073)

Support added for IKEv2 asymmetric authentication, allowing both sides of an authentication exchange to use different authentication methods, for example the initiator may be using a shared key, while the responder may have a public signature key and certificate.

A new command, authmethod-remote, has been added to config vpn ipsec phase1-interface.

For more detailed information on authentication of the IKE SA, see RFC 5996 Internet Key Exchange Protocol Version 2 (IKEv2).

Allow mode-cfg with childless IKEv2 (391567)

An issue that prevented childless-ike from being enabled at the same time as mode-cfg has been resolved. Both options can now be enabled at once under config vpn ipsec phase1-interface.

IKEv2 Digital Signature Authentication support (389001)

FortiOS supports the use of Digital Signature authentication, which changes the format of the Authentication Data payload in order to support different signature methods.

Instead of just containing a raw signature value calculated as defined in the original IKE RFCs, the Auth Data now includes an ASN.1 formatted object that provides details on how the signature was calculated, such as the signature type, hash algorithm, and signature padding method.

For more detailed information on IKEv2 Digital Signature authentication, see RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2).

Passive static IPsec VPN (387913)

New commands have been added to config vpn ipsec phase1-interface to prevent initiating a VPN connection. Static IPsec VPNs can be configured in tunnel mode, without initiating tunnel negotiation or rekey.

To allow a finer configuration of the tunnel, the rekey option is removed from config system global and added to config vpn ipsec phase1-interface.

CLI syntax

    config vpn ipsec phase1-interface
        edit <example>
            set rekey {enable | disable}
            set passive-mode {enable | disable}
            set passive-tunnel-interface {enable | disable}
        next
    end

Phase 2 wizard simplified (387725)

Previously, for a site-to-site VPN, phase 2 selectors had their static routes created in the IPsec VPN wizard by adding IP addresses in string format. Now, since addresses and address groups are already created for these addresses, the address group can be used in the route directly. This means that the route can be modified simply by modifying the address/groups that were created when the VPN was initially created.

With this change, the VPN wizard creates fewer objects internally, reducing complexity.

In addition, a blackhole route is created by default with a higher distance-weight than the default route. This prevents traffic from flowing out through another route if the VPN interface goes down; in these instances, the traffic is instead silently discarded.

Unique IKE ID enforcement (383296)

All IPsec VPN peers now connect with unique IKE identifiers. To implement this, a new phase1 CLI command has been added (enforce-unique-id) which, when enabled, requires all IPsec VPN clients to use a unique identifier when connecting.

CLI syntax

    config vpn ipsec phase1
        edit <name>
            set enforce-unique-id {keep-new | keep-old | disable}    // Default is disable.
        next
    end

Use keep-new to replace the old connection if an ID collision is detected on the gateway. Use keep-old to reject the new connection if an ID collision is detected.

FortiView VPN tunnel map feature (382767)

A geospatial map has been added to FortiView to help visualize IPsec and SSL VPN connections to a FortiGate using Google Maps. Adds geographical-IP API service for resolving spatial locations from IP addresses.


This feature can be found under FortiView > VPN.

Childless IKEv2 initiation (381650)

As documented in RFC 6023, when both sides support the feature, no child IPsec SA is brought up during the initial AUTH of the IKEv2 negotiation. Support for this mode is not actually negotiated, but the responder indicates support for it by including a CHILDLESS_IKEV2_SUPPORTED Notify in the initial SA_INIT reply. The initiator is then free to send its AUTH without any SA or TS payloads if it also supports this extension.

CLI syntax

    config vpn ipsec phase1-interface
        edit ike
            set ike-version 2
            set childless-ike enable
        next
    end

Due to the way configuration payloads (IKEV2_PAYLOAD_CONFIG) are handled in the current code base, mode-cfg and childless-ike aren’t allowed to be enabled at the same time. Processing config payloads for mode-cfg requires a child ph2handle to be created, but with childless-ike we completely avoid creating the child ph2 in the first place which makes the two features incompatible. It may be possible to support both in the future, but a deeper rework of the config payload handling is required.

Allow peertype dialup for IKEv2 pre-shared key dynamic phase1 (378714)

Restored peertype dialup that was removed in a previous build (when IKEv2 PSK gateway re-validation was not yet supported).

If peertype is dialup, IKEv2 AUTH verify uses user password in the user group “usrgrp” of phase1. The “psksecret” in phase1 is ignored.

CLI syntax

    config vpn ipsec phase1-interface
        edit "name"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set peertype dialup
            set usrgrp "local-group"
        next
    end

IPsec default phase1/phase1-interface peertype changed from ‘any’ to ‘peer’ (376340)

Previously, when authmethod was changed to signature, peertype automatically changed to peer and required a peer to be set. This change was done to try to provide a more secure initial configuration, while allowing the admin to set peertype back to any if that’s what they really wanted. The default value was kept at any in the CLI. However, this caused problems with copy/pasting configurations and with FMG because if peertype any wasn’t explicitly provided, the CLI was switched to peertype peer.

This patch changes the default peertype to peer now; peertype any is considered non-default and will be printed out on any config listing. Upgrade code has been written to ensure that any older build that was implicitly using set peertype any has this setting preserved.

IPsec GUI bug fixes (374326)

Accept type “Any peer ID” is available when creating IPsec tunnel with authmethod, pre-shared key, ikev1 main mode/aggressive mode, and ikev2.

Support for IKEv2 Message Fragmentation (371241)

Added support for IKEv2 Message Fragmentation, as described in RFC 7383.

Previously, when sending IKE packets with IKEv1, the whole packet was sent once, and it was only fragmented if there was a retransmission. With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet in case the original single packet was never answered and we wanted to retry with fragments. So with this implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.

CLI syntax

    config vpn ipsec phase1-interface
        edit ike
            set ike-version 2
            set fragmentation [enable|disable]
            set fragmentation-mtu [500-16000]
        next
    end

IPsec monitoring pages now based on phase 1 proposals not phase 2 (304246)

The IPsec monitor, found under Monitor > IPsec Monitor, was in some instances showing random uptimes even if the tunnel was in fact down.

Tunnels are considered "up" if at least one phase 2 selector is active. To avoid confusion, when a tunnel is down, IPsec Monitor keeps the Phase 2 Selectors column but hides it by default, replacing it with a Phase 1 status column.

 
