IPsec VPN (5.6.1)

New IPsec VPN features added to FortiOS 5.6.1.

Support for Brainpool curves specified in RFC 6954 for IKE (412795)

Added support for the Brainpool elliptic curves (defined in RFC 5639 and registered as IKE Diffie-Hellman groups in RFC 6954). Four new values are available for the VPN phase1 and phase2 DH groups, using the IANA-allocated transform IDs 27, 28, 29 and 30:

  • 27 – Brainpool 224-bit curve (brainpoolP224r1)
  • 28 – Brainpool 256-bit curve (brainpoolP256r1)
  • 29 – Brainpool 384-bit curve (brainpoolP384r1)
  • 30 – Brainpool 512-bit curve (brainpoolP512r1)

As with the existing groups, more than one group can be listed in dhgrp, and the peer must support the selected curve for the negotiation to succeed.

Syntax

    config vpn ipsec phase1/phase1-interface
        edit <name>
            set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30}
        next
    end

    config vpn ipsec phase2/phase2-interface
        edit <name>
            set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30}
        next
    end

Removed “exchange-interface-ip” option from “vpn ipsec phase1” (411981)

The exchange-interface-ip command only works for interface-based IPsec VPN (vpn ipsec phase1-interface), so it has been removed from policy-based IPsec VPN (vpn ipsec phase1), where it was accepted but had no effect.

IKEv2 ancillary RADIUS group authentication (406497)

This feature extracts the IDi (initiator identity) from the IKEv2 AUTH exchange and sends it to a RADIUS server, together with a fixed password configured in the CLI, to perform an additional group authentication step before the tunnel is established. The RADIUS server may return the Framed-IP-Address, Framed-IP-Netmask and DNS server attributes, which are then applied to the tunnel.

Note that, unlike XAuth or EAP, this feature does not authenticate individual users. All users on the gateway are treated as a single group, and that group is authenticated with RADIUS using one fixed password, so it is a coarse gate in front of the tunnel rather than a replacement for per-user credentials. The feature also works with RADIUS accounting, including the phase1 acct-verify option.

Syntax

    config vpn ipsec phase1-interface
        edit <name>
            set mode-cfg enable
            set type dynamic
            set ike-version 2
            set group-authentication {enable | disable}
            set group-authentication-secret <password>
        next
    end

IPsec mode-cfg can assign IPs from firewall address and sharing IP pools (393331)

This feature adds the ability to assign mode-cfg client IP addresses from firewall addresses or address groups.

Previously, different policies accessing the same network needed to ensure that non-overlapping IP-ranges were assigned to policies to avoid the same IP address being assigned to multiple clients. With this feature, the address name is used to identify an IP pool and different policies can refer to the same IP pool to check for available IPs, thus simplifying the task of avoiding IP conflicts.

Syntax

    config vpn ipsec phase1-interface
        edit <name>
            set mode-cfg enable
            set type dynamic
            set assign-ip-from {range | dhcp | name}
            set ipv4-name <name>
            set ipv6-name <name>
        next
    end

Improve interface-based dynamic IPsec up/down time (379937)

This feature makes it possible to use a single interface for all instances that spawn via a given phase1. Instead of creating an interface per instance, all traffic will run over the single interface and any routes that need creating will be created on that single interface.

A new CLI option, net-device, is added to the phase1-interface command set. The default is disable, so the single-interface behavior applies to all new configurations. On upgrade, set net-device enable is added to all existing configurations so that they keep the old per-instance behavior.

Under the single-interface scheme, instead of relying on routing to guide traffic to a specific instance, all traffic flows to the one device and IPsec must locate the correct instance for outbound traffic. For this purpose another new CLI option, tunnel-search, is created. This option is only available when net-device is set to disable.

tunnel-search has two values, corresponding to the two ways of selecting the tunnel for outbound traffic. selectors selects the peer using the IPsec selectors (proxy-ids). nexthop is for deployments where all peers use the same default selectors (0.0.0.0/0) and a routing protocol such as BGP, OSPF or RIPng resolves the route, so the next hop identifies the peer. The default for tunnel-search is selectors.

Syntax

    config vpn ipsec phase1-interface
        edit <name>
            set net-device {enable | disable}
            set tunnel-search {selectors | nexthop}
        next
    end

Hide psksecret option when peertype is dialup (415480)

In aggressive mode and IKEv2, when peertype is dialup, the pre-shared key is per user, so there is no need to configure psksecret in the phase1 setup. Previously, if psksecret was left unconfigured, the CLI reported a psksecret error and failed to create the phase1 profile.

To prevent the psksecret length check from running when the configuration is committed, the psksecret option is now hidden when peertype is dialup. Prior to Mantis 397712, the length check passed only because it was incorrectly checking the length of the encrypted password, which is always 204 characters long.

The dialup peertype option has been removed for main mode.

New enforce-ipsec option added to L2TP config (423988)

A new enforce-ipsec option is added in L2TP configuration to force the FortiGate L2TP server to accept only IPsec encrypted connections.

Syntax

    config vpn l2tp
        set eip 50.0.0.100
        set sip 50.0.0.1
        set status enable
        set enforce-ipsec-interface {disable | enable}    (default = disable)
        set usrgrp <group_name>
    end

IPsec VPN Wizard improvements (368069)

Previously, when the wan-load-balance (WLB) feature was in use and an IPsec tunnel was configured with the wizard, the ‘Incoming Interface’ list contained neither the wan-load-balance interface nor the wan2 interface; WLB had to be disabled to complete the configuration. The solution in 5.6.1 is as follows:

  • (368069) The IPsec VPN wizard now allows users to select members of the virtual-wan-link (VWL) as the IPsec phase1-interface. Before saving, if the phase1 interface is a VWL member, the wizard automatically sets the virtual-wan-link as the destination interface in the L2TP policy.
  • (246552) VPN tunnels are listed for VWL members if the VWL is set as the destination interface in policy-based IPsec VPN.

IPsec manual key support removed from GUI (436041)

The majority of customers are not using policy-based IPsec today, and beyond that, very few are using manual key VPN. As a result, the IPsec manual key feature is removed from the GUI; the feature store option is removed as well.

Added GUI support for local-gw when configuring custom IPsec tunnels (423786)

Previously, the local-gw option was not available in the GUI when configuring a custom IPsec tunnel. This feature adds the local-gw setting to the IPsec VPN Edit dialog. The user is able to choose the primary or secondary IP address of the currently selected interface, or specify an IP address manually. Both local-gw and local-gw6 are supported.

Moved the dn-format CLI option from phase1 config to vdom settings (435542)

The previous dn-format fix did not account for the fact that, at the time isakmp_set_peer_identifier is called, there is no connection yet and the gateway has not been matched, so the phase1 configuration cannot be used to determine the dn-format setting.

The solution was to move the dn-format CLI option from phase1 config to vdom settings. It is renamed to ike-dn-format.

FGT IKE incorrect NAT detection causes ADVPN hub behind VIP to not generate shortcuts (416786)

When ADVPN NAT support was added, only spokes behind NAT were considered. No thought was given to a hub behind a VIP, or to the problems caused by FortiOS clients behind NAT enabling NAT-T even when it is not required.

The solution in 5.6.1 is as follows:

  • Moved shortcut determination out of the kernel and up to IKE. The shortcut message now contains the IDs of both tunnels so that IKE can check the NAT condition of both.
  • Added IKE debug output covering the sending of the initial shortcut query. Without it, it could be awkward to determine whether the offer had been converted into a query correctly.
  • Added “nat:” output to diag vpn ike gateway list to indicate whether this device or the peer is behind NAT.
  • Tweaked the diag vpn tunnel list output so that the auto-discovery information now includes symbolic as well as numeric values, which makes it easier to see what type of auto-discovery was enabled.

High Availability (5.6)

New High Availability features added to FortiOS 5.6.

Multicast session failover (293751)

FGCP HA multicast session synchronization supports multicast session failover. To configure multicast session failover, use the following command to change the multicast TTL timer to a smaller value than the default. The recommended setting to support multicast session failover is 120 seconds (2 minutes). The default setting is 600 seconds (10 minutes).

    config system ha
        set multicast-ttl 120
    end

The multicast TTL timer controls how long synchronized multicast routes are kept on the backup unit (so that they are present on the backup unit when it becomes the new primary unit after a failover). If you set the multicast TTL lower, the multicast routes on the backup unit are refreshed more often and so are more likely to be accurate. Reducing this time causes route synchronization to happen more often and could affect performance.

Performance improvement when shutting down or rebooting the primary unit (380279)

In previous versions of FortiOS, if you entered the execute reboot or execute shutdown command on the primary unit, a split brain configuration could develop for a few seconds while the primary unit was shutting down. This would happen because the heartbeat packets would stop being sent by the primary unit, while it was still able to forward traffic. When the heartbeat packets stop the backup unit becomes the primary unit. The result was a split brain configuration with two primary units both capable of forwarding traffic.

This wouldn’t happen all the time, but when it did, network traffic would be delayed until the primary unit shut down completely. To resolve this issue, in FortiOS 5.6 when you run the execute reboot or execute shutdown command on the primary unit, the primary unit first becomes the backup unit before shutting down, allowing the backup unit to become the new primary unit and avoiding the split brain scenario. This behavior only happens when you manually run the execute reboot or execute shutdown command from the primary unit.

VRRP failover process change (390938)

In a FortiOS 5.6 VRRP configuration, when the master cannot reach its next hop router (vrdst) it sends packets to the configured backup router(s). These packets set the priority of the master lower than that of the backup router(s), so a backup router becomes the new master and takes over processing traffic.

Use the vrdst-priority option to set the lower priority that the master sends to the backup routers. The following CLI syntax resets the master’s priority to 10 if it can no longer connect to its next hop router.

    config system interface
        edit port10
            config vrrp
                set vrip 10.31.101.200
                set priority 255
                set vrdst 10.10.10.1
                set vrdst-priority 10
            end
        next
    end

Display cluster up time and history (get system ha status command changes)(394745)

The get system ha status command now displays cluster uptime and history:

    get system status
    Version: FortiGate-5001D v5.6.0,build1413,170121 (interim)
    …
    Current HA mode: a-p, master
    Cluster uptime: 3 days, 4 hours, 3 minutes, 46 seconds
    …

In-band HA management Interface (401378)

You can use the following command to add a management interface to an individual cluster unit interface that is also connected to a network and processing traffic. The in-band management interface is an alternative to the reserved HA management interface feature and does not require reserving an interface just for management access.

    config system interface
        edit port1
            set management-ip 172.20.121.155/24
        next
    end

The management IP address is accessible from the network that the cluster interface is connected to. This setting is not synchronized, so each cluster unit can have its own management IP addresses. You can add a management IP address to each cluster unit interface. You can use the execute ha manage command to connect to individual cluster units.

The management-ip can be on the same subnet as the interface you are adding it to but cannot be on the same subnet as other cluster unit interfaces.

Up to four dedicated HA management interfaces supported (378127)

You can now add up to four dedicated HA management interfaces. Just like all FortiGate interfaces, these management interfaces must be on a different subnet from any other FortiGate interface. You can also configure a separate default gateway for each interface.

Use the following command to add two dedicated HA management interfaces:

    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface port4
                set gateway 10.10.10.1
            next
            edit 2
                set interface port5
                set gateway 4.5.6.7
            next
        end
    end
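As an added example (not Fortinet code and not from this document), the following Python script parses FortiOS CLI configuration text of the kind shown throughout these notes and applies two checks a reviewer would want: it flags phase1/phase2 entries that still offer the weak MODP groups 1, 2 or 5 (and reports which of the new Brainpool groups from the “Support for Brainpool curves” section above an entry offers), and it flags an in-band management-ip, as described under “In-band HA management Interface” above, that falls inside the subnet of another interface, which that section says is not permitted. The configuration text, tunnel names, interface names and addresses are constructed for illustration, and the parser covers only the config/edit/set/next/end subset of the CLI grammar.

```python
import ipaddress
import shlex

# Constructed sample FortiOS configuration (not from a real device); the tunnel
# names, interfaces and addresses are illustrative assumptions.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set dhgrp 2 5 14
    next
    edit "hq-to-dc"
        set dhgrp 19 28
    next
end
config system interface
    edit "port1"
        set ip 172.20.121.10 255.255.255.0
        set management-ip 172.20.121.155/24
    next
    edit "port2"
        set ip 172.20.122.10 255.255.255.0
        set management-ip 10.0.0.5/24
    next
    edit "port3"
        set ip 10.0.0.1 255.255.255.0
    next
end
"""

# Groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP; a peer may pick any listed group.
WEAK_DH_GROUPS = {"1", "2", "5"}
# Transform IDs 27-30 are the Brainpool curves registered for IKE in RFC 6954.
BRAINPOOL_GROUPS = {"27": "brainpoolP224r1", "28": "brainpoolP256r1",
                    "29": "brainpoolP384r1", "30": "brainpoolP512r1"}


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    tables = {}
    stack = []  # ("config", name) or ("edit", name); nested configs join with "/"
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif keyword == "edit":
            stack.append(("edit", tokens[1]))
        elif keyword in ("next", "end"):
            stack.pop()
        elif keyword == "set":
            table = "/".join(name for kind, name in stack if kind == "config")
            # settings made outside any "edit" are stored under the entry name ""
            entry = stack[-1][1] if stack and stack[-1][0] == "edit" else ""
            tables.setdefault(table, {}).setdefault(entry, {})[tokens[1]] = tokens[2:]
    return tables


def audit_dh_groups(tables):
    """Return (table, entry, weak_groups) for each phase1/phase2 offering a weak group."""
    findings = []
    for table in ("vpn ipsec phase1", "vpn ipsec phase1-interface",
                  "vpn ipsec phase2", "vpn ipsec phase2-interface"):
        for entry, settings in tables.get(table, {}).items():
            weak = sorted(set(settings.get("dhgrp", [])) & WEAK_DH_GROUPS, key=int)
            if weak:
                findings.append((table, entry, weak))
    return findings


def brainpool_curves(tables, table="vpn ipsec phase1-interface"):
    """Return {entry: [curve names]} for entries whose dhgrp includes a Brainpool group."""
    result = {}
    for entry, settings in tables.get(table, {}).items():
        curves = [BRAINPOOL_GROUPS[g] for g in settings.get("dhgrp", []) if g in BRAINPOOL_GROUPS]
        if curves:
            result[entry] = curves
    return result


def audit_management_ips(tables):
    """Return (interface, management-ip, other) where a management IP lies in another interface's subnet."""
    interfaces = tables.get("system interface", {})
    subnets = {}
    for name, settings in interfaces.items():
        ip = settings.get("ip")
        if ip and len(ip) == 2:  # "set ip <address> <netmask>"
            subnets[name] = ipaddress.ip_interface(f"{ip[0]}/{ip[1]}").network
    findings = []
    for name, settings in interfaces.items():
        mgmt = settings.get("management-ip")
        if not mgmt:
            continue
        mgmt_net = ipaddress.ip_interface(mgmt[0]).network
        for other, net in subnets.items():
            if other != name and net.overlaps(mgmt_net):
                findings.append((name, mgmt[0], other))
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("weak DH groups:", audit_dh_groups(cfg))
    print("Brainpool curves:", brainpool_curves(cfg))
    print("management-ip conflicts:", audit_management_ips(cfg))
```

Run against a backup taken with execute backup config, the DH check reports hq-to-branch for offering groups 2 and 5 even though it also lists group 14, because the peer chooses from everything the proposal contains; the management-ip check reports port2, whose 10.0.0.5/24 management address sits inside port3's subnet, while port1's management address on its own subnet is accepted.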

FGSP support for automatic session sync after peer reboot (365851)

New options allow you to configure your FGSP cluster to resume sessions more smoothly after a failed FortiGate rejoins the cluster. In some cases when a failed FortiGate in the cluster comes back up it may begin processing sessions before the session table has been synchronized to it from the other FortiGate in the cluster. When this happens, the FortiGate may drop packets until the session synchronization is complete.

Shutting down interfaces during session synchronization

This new feature allows you to shut some interfaces down on the failed FortiGate when it is starting up so that it will not accept packets until session synchronization is complete. Then the interfaces are brought up and traffic can flow. While the interfaces are down, the FortiGate that had not failed keeps processing traffic.

Use the following command to select the interfaces to shut down while waiting for session synchronization to complete:

    config system cluster-sync
        edit 1
            set down-intfs-before-sess-sync port1 port2
        next
    end

Heartbeat monitoring

If the FortiGate that was running fails before session synchronization is complete, the FortiGate that is restarting would not be able to complete session synchronization and would not bring up its shut-down interfaces. To prevent this, FGSP now includes heartbeat monitoring. Using heartbeat monitoring, the FortiGate that is waiting for session synchronization to finish can detect that the other FortiGate is down and bring up its interfaces even if session synchronization is not complete. You can use the following command to change the heartbeat interval (hb-interval) and lost heartbeat threshold (hb-lost-threshold) to adjust heartbeat monitoring timing.

    config system cluster-sync
        edit 1
            set hb-interval 2
            set hb-lost-threshold 3
        next
    end

Change in cluster behavior when the primary unit is restarted (380279)

When testing HA failover or restarting the primary unit for other reasons, manually rebooting or shutting down the primary unit running previous versions of FortiOS can sometimes cause a failover delay. This happens because the backup unit may become the primary unit before the primary unit is fully shut down causing a temporary split brain scenario.

To resolve this issue, when you manually restart or shut down the primary unit running FortiOS 5.6.0, the primary unit becomes the backup unit before it actually shuts down, and the previous backup unit becomes the primary unit. Traffic is then failed over to the new primary unit before the former primary unit shuts down or reboots.

 

High Availability (5.6.1)

New High Availability features added to FortiOS 5.6.1.

HA cluster Uptime on HA Status dashboard widget (412089)

The HA Cluster dashboard widget now displays how long the cluster has been operating (Uptime) and the time since the last failover occurred (State Changed). You can hover over the State Changed time to see the event that caused the state change.

You can also click on the HA Status dashboard widget to configure HA settings or to get a listing of the most recent HA events recorded by the cluster.

FGSP with static (non-dialup) IPsec VPN tunnels and controlling IKE routing advertisement (402295)

Until FortiOS 5.6.1, the FortiGate Session Life Support Protocol (FGSP) only supported IPsec tunnel synchronization for dialup (or dynamic) IPsec VPN tunnels. FortiOS 5.6.1 now also supports IPsec tunnel synchronization for static IPsec VPN tunnels. No special FGSP or IPsec VPN configuration is required. You can configure static IPsec VPN tunnels normally and create a normal FGSP configuration.

An additional feature has been added to support some FGSP configurations that include IPsec VPNs. A new CLI option allows you to control whether IKE routes are added to the FGSP backup unit.

    config system cluster-sync
        edit 0
            set slave-add-ike-routes {enable | disable}
        next
    end

Enable to add IKE routes to the backup unit, disable if the IKE routes should not be added to the backup unit.

VRRP support for synchronizing firewall VIPs and IP Pools (0397824)

FortiOS VRRP HA now supports failover of firewall VIPs and IP Pools when the status of a virtual router (VR) changes. This feature introduces a new proxy ARP setting to map VIP and IP Pool address ranges to each VR’s virtual MAC (VMAC). After failover, the IP ranges added to the new primary VR are routed to the new primary VR’s VMAC.

Use the following command to add a proxy ARP address range and a single IP address to a VR added to a FortiGate’s port5 interface. The address range and single IP address should match the address range or single IP of the VIPs or IP Pools added to the port5 interface:

    config system interface
        edit port5
            config vrrp
                edit 1
                    config proxy-arp
                        edit 1
                            set ip 192.168.62.100-192.168.62.200
                        next
                        edit 2
                            set ip 192.168.62.225
                        next
                    end
                next
            end
        next
    end

Hardware acceleration (5.6.1)

New hardware acceleration features added to FortiOS 5.6.1.

IPsec session ESP padding and NP6 acceleration (416950)

In some situations, when ESP packets in IPsec sessions carry large amounts of layer 2 padding, the NP6 IPsec engine may not be able to process them and the session may be blocked.

The following CLI option has been added to make the NP6 processor strip the ESP padding before sending the packets to the IPsec engine. With the padding stripped, the session can be processed normally by the IPsec engine.

Use the following command to strip ESP padding:

    config system npu
        set strip-esp-padding enable
    end

ESP padding stripping is disabled by default. If you notice that offloaded IPsec sessions are failing, enable this option and check whether the problem is resolved.

Hardware acceleration (5.6)

New hardware acceleration features added to FortiOS 5.6.

Improved visibility of SPU and nTurbo hardware acceleration (389711)

All hardware acceleration hardware has been renamed Security Processing Units (SPUs). This includes NPx and CPx processors.

SPU and nTurbo data is now visible in a number of places on the GUI, for example in the Active Sessions column pop-up of the firewall policy list and in the Sessions dashboard widget.

You can also add SPU filters to many FortiView pages.

NP4Lite option to disable offloading ICMP traffic in IPsec tunnels (383939)

In some cases ICMP traffic in IPsec VPN tunnels may be dropped by the NP4Lite processor due to a bug with the NP4Lite firmware. You can use the following command to avoid this problem by preventing the NP4Lite processor from offloading ICMP sessions in IPsec VPN tunnels. This command is only available on FortiGate models with NP4Lite processors, such as the FortiGate/FortiWiFi-60D.

    config system npu
        set process-icmp-by-host {disable | enable}
    end

The option is disabled by default, and all ICMP traffic in IPsec VPN tunnels is offloaded where possible. If you notice that ICMP packets in IPsec VPN tunnels are being dropped, enable this option to have all ICMP traffic in IPsec VPN tunnels processed by the CPU instead of offloaded to the NP4Lite.

NP6 IPv4 invalid checksum anomaly checking (387675)

The following new options have been added to NP6 processors to check for IPv4 checksum errors in IPv4, TCP, UDP, and ICMP packets:

    config system np6
        edit {np6_0 | np6_1 | …}
            config fp-anomaly-v4
                set ipv4-csum-err {drop | trap-to-host}
                set tcp-csum-err {drop | trap-to-host}
                set udp-csum-err {drop | trap-to-host}
                set icmp-csum-err {drop | trap-to-host}
            end
        next
    end

You can use the new options to either drop packets with checksum errors (drop, the default) or send them to the CPU for processing (trap-to-host). Normally you would want to drop these packets.

 

Non-vdom VM models FGVM1V/FGVM2V/FGVM4V (405549)

New models of the FortiGate-VM have been introduced. These match up with the existing FortiGate-VM models of FG-VM01, FG-VM02 and FG-VM04. The difference being that the new models don’t support VDOMs.

    New FortiGate-VM without VDOM support    Original FortiGate-VM
    FG-VM01v                                 FG-VM01
    FG-VM02v                                 FG-VM02
    FG-VM04v                                 FG-VM04

NSX security group importing (403975)

A feature has been added to allow the importation of security group information from VMware’s NSX firewall.

CLI changes:

nsx group list

This is used to list NSX security groups.

Syntax:

execute nsx group list <name of the filter>

nsx group import

This is used to import NSX security groups.

Syntax:

execute nsx group import <vdom> <name of the filter>

nsx group delete

This is used to delete NSX security groups.

Syntax:

execute nsx group delete <vdom> <name of the filter>

nsx setting update-period

This is used to set the update period for NSX security group import.

Syntax:

    config nsx setting
        set update-period <0 – 3600 in seconds>
    end

0 means disabled.

Default value: 0

FortiGate VM (5.6)

New FortiGate VM features added to FortiOS 5.6.

FGT-VM VCPUs (308297)

Fortinet has now launched licensing for FortiGate VMs that support larger than 8 vCPUs. The new models/licenses include:

  • Support for up to 16 vCPU – FortiGate-VM16
  • Support for up to 32 vCPU – FortiGate-VM32
  • Support for unlimited vCPU – FortiGate-VMUL

Each of these models should be able to support up to 500 VDOMs.

Improvements to License page (382128)

The page has been rewritten with some minor improvements such as:

  • An indicator to show when a VM is waiting for authentication or starting up
  • Shows VM status when the license is valid
  • Shows the CLI console window when the VM is waiting too long for remote registration with the server

Citrix XenServer tools support for XenServer VMs (387984)

This support allows users with Citrix XenServer tools to read performance statistics from XenServer clients and to perform XenMotion with servers in the same cluster.

There are no changes to the GUI, but there are some changes to the CLI.

A setting has been added to control the debug level of the XenServer tools daemon:

    diag debug application xstoolsd <integer>

Integer = debug level.

An additional setting has been added to set the update frequency for XenServer tools:

    config system global
        set xstools-update-frequency <integer>
    end

Enter an integer value from 30 to 300 (default = 60).

FOS VM supports more interfaces (393068)

The number of virtual interfaces that the VM version of FortiOS supports has been raised from 3 to 10.

FortiView (5.6)

New FortiView features added to FortiOS 5.6.

Added Vulnerability score topology view (303786)

In the Physical Topology and Logical Topology pages, two new views have been added: Vulnerability and Threat. Drill-downs in these menus now include Vulnerability/Threat information. In the Vulnerability view, device bubbles are colored based on the maximum vulnerability level, and bubble size reflects the vulnerability score. In the Threat view, device bubbles are colored based on the maximum threat level, and bubble size reflects the threat score.

FortiView VPN tunnel map feature (382767)

The FortiView VPN page now displays VPN tunnel connections between devices, and offers more information about tunnels and devices on drill-down.

 

Updated FortiView CSF topology pages (384188)

The FortiView Physical Topology and Logical Topology pages have been updated in 5.6.0 to reorganize and clarify larger deployments with servers and multi-directional traffic.

Historical FortiView includes FortiAnalyzer (387423)

Data from associated FortiAnalyzer devices can now be selected as a log display option for Historical FortiView.

FortiView menu reorganization (399713)

The order of FortiView pages has been reorganized in 5.6.0 based on the source interface of data being displayed:

  • Topology
  • Traffic from LAN/DMZ
  • Traffic from WAN
  • All Segments

Data Exchange with FortiAnalyzer (393891)

Rather than sending all CSF information via log messages, FortiGate and FortiAnalyzer now pass CSF information (tree, interface roles, user devices, HA members) directly, provided the FortiAnalyzer responds to the notices that are sent when the data has changed.

Google Maps Integration

FortiView now uses Google Maps to display location-related information. In this release, the first view to use this component is the FortiView VPN page. All current VPNs can be viewed on a fully scalable Google world map.

FortiView usability and organization updates (306247)

Several organizational changes have been made to make the FortiView menu order less cluttered and more intuitive:

  • WiFi Client Monitor is now in FortiView, but is hidden when there is no managed FortiAP or WiFi radio.
  • Country view has been merged into Destinations view.
  • Failed Authentication and Admin Login views have been merged into System Events view.
