Yearly Archives: 2017

FortiOS 5.4.4 Release Notes

Leave a reply

What’s new in FortiOS 5.4.4

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.4, see the What’s New forFortiOS 5.4.4 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

 

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units running 5.4.4 and managed by FortiManager 5.0 or 5.2

FortiGate units running 5.4.4 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading. Full featured FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment needs, FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010.

 

Pages: 1 2 3 4 5 6 7

Web caching and memory usage

Leave a reply

Web caching and memory usage

To accelerate and optimize disk access and to provide better throughput and less latency, web caching uses provisioned memory to reduce disk I/O and increase disk I/O efficiency. In addition, web caching requires a small amount of additional memory per session for comprehensive flow control logic and efficient traffic forwarding.

When web caching is enabled you will see a reduction in available memory. The reduction increases when more web caching sessions are being processed. If you are thinking of enabling web caching on an operating FortiGate unit, make sure its memory usage is not maxed out during high traffic periods.

In addition to using the system dashboard to see the current memory usage you can use the get test wad 2 command to see how much memory is currently being used by web caching. See get test {wad | wccpd} <test_ level> on page 2956 for more information.

Web caching and HA

Leave a reply

Web caching and HA

You can configure web caching on a FortiGate HA cluster. The recommended best practice HA configuration for web caching is active-passive mode. When the cluster is operating, all web caching sessions are processed by the primary unit only. Even if the cluster is operating in active-active mode, HA does not load-balance web caching sessions.

In a cluster, only the primary unit stores the web cache database. The databases is not synchronized to the subordinate units. So, after a failover, the new primary unit must build its web cache.

Turning on web caching for HTTPS traffic

Leave a reply

Turning on web caching for HTTPS traffic

Web caching can also cache the content of HTTPS traffic on TCP port 443. With HTTPS web caching, the FortiGate unit receives the HTTPS traffic on behalf of the client, opens up the encrypted traffic and extracts content to be cached. Then FortiGate unit re-encrypts the traffic and sends it on to its intended recipient. It is very similar to a man-in-the-middle attack.

You enable HTTPS web caching from the CLI in a security policy or an explicit proxy policy that accepts the traffic to be cached using webcache-https. For a firewall policy:

config firewall policy edit 0

 

set webcache enable

set webcache-https any

end

For an explicit web proxy policy:

config firewall policy edit 0

set proxy web

 

set webcache enable

set webcache-https any

end

 

Web caching for HTTPS traffic is not supported if WAN optimization is enabled.

The any setting causes the FortiGate unit to re-encrypt the traffic with the FortiGate unit’s certificate rather than the original certificate. This configuration can cause errors for HTTPS clients because the name on the certificate does not match the name on the web site.

You can stop these errors from happening by configuring HTTPS web caching to use the web server’s certificate by setting webcache-https to ssl-server. This option is available for both firewall policies and explicit web proxy policies.

config firewall policy edit 0

 

set webcache enable

set webcache-https ssl-server

end

The ssl-server option causes the FortiGate unit to re-encrypt the traffic with a certificate that you imported into the FortiGate unit. You can add certificates using the following command:

In full mode the FortiGate unit is acting as a man in the middle, decrypting and encrypting the traffic. So both the client and the web server see encrypted packets.

Usually the port of the encrypted HTTPS traffic is always 443. However, in the SSL server configuration you can set the port used for HTTPS traffic. This port is not altered by the SSL Server. So for example, if the SSL Server receives HTTPS traffic on port 443, the re-encrypted traffic forwarded to the FortiGate unit to the server or client will still use port 443.

 

Half mode SSL server configuration

In half mode, the FortiGate unit only performs one encryption or decryption action. If HTTP packets are received, the half mode SSL server encrypts them and converts them to HTTPS packets. If HTTPS packets are received, the SSL server decrypts them and converts them to HTTP packets.

 

Half mode SSL server configuration

Where:

config wanopt ssl-server edit corporate-server

set ip <Web-Server-IP>

set port 443

set ssl-mode { full | half}

set ssl-cert <Web-Server-Cert>

end

 

Web-Server-IP is the web server’s IP address.

Web-Server-Cert is a web server certificate imported into the FortiGate unit.

The SSL server configuration also determines whether the SSL server is operating in half or full mode and the port used for the HTTPS traffic.

You can add multiple SSL server certificates in this way. When web caching processing an SSL stream if it can find a certificate that matches the web server IP address and port of one of the added SSL servers; that certificate is used to encrypt the SSL traffic before sending it to the client. As a result the client does not generate SSL certificate errors.

Web caching uses the FortiGate unit’s FortiASIC to accelerate SSL decryption/encryption performance.

 

Full mode SSL server configuration

The ssl-mode option determines whether the SSL server operates in half or full mode. In full mode the FortiGate unit performs both decryption and encryption of the HTTPS traffic. The full mode sequence is shown below.

Full mode SSL server configuration

In half mode, the FortiGate unit is acting like an SSL accelerator, offloading HTTPS decryption from the web server to the FortiGate unit. Since FortiGate units can accelerate SSL processing, the end result could be improved web site performance.

Usually the port of the encrypted traffic is always 443. However, in the SSL server configuration you can set the port used for HTTPS traffic. No matter what port is used for the HTTPS traffic, the decrypted HTTP traffic uses port 80.

 

Changing the ports on which to look for HTTP and HTTPS traffic to cache

By default FortiOS assumes HTTP traffic uses TCP port 80 and HTTPS traffic uses port 443. So web caching caches all HTTP traffic accepted by a policy on TCP port 80 and all HTTPS traffic on TCP port 443. If you want to cache HTTP or HTTPS traffic on other ports, you can enable security profiles for the security policy and configure a proxy options profile to that looks for HTTP and HTTPS traffic on other TCP ports. To configure a proxy options profile go to Network > Explicit Proxy.

Setting the HTTP port to Any in a proxy options profile is not compatible with web caching. If you set the HTTP port to any, web caching only caches HTTP traffic on port 80.

Turning on web caching for HTTP and HTTPS traffic

Leave a reply

Turning on web caching for HTTP and HTTPS traffic

Web caching can be applied to any HTTP or HTTPS traffic by enabling web caching in a security policy that accepts the traffic. This includes IPv4, IPv6, WAN optimization and explicit web proxy traffic. Web caching caches all HTTP traffic accepted by a policy on TCP port 80.

 

You can add web caching to a policy to:

  • Cache Internet HTTP traffic for users on an internal network to reduce Internet bandwidth use. Do this by selecting the web cache option for security policies that allow users on the internal network to browse web sites on the Internet.
  • Reduce the load on a public facing web server by caching objects on the FortiGate unit. This is a reverse proxy with web caching configuration. Do this by selecting the web cache option for a security policy that allows users on the Internet to connect to the web server.
  • Cache outgoing explicit web proxy traffic when the explicit proxy is used to proxy users in an internal network who are connecting to the web servers on the Internet. Do this by selecting the web cache option for explicit web proxy security policies that allow users on the internal network to browse web sites on the Internet.
  • Combine web caching with WAN optimization. You can enable web caching in any WAN optimization security policy. This includes manual, active, and passive WAN optimization policies and WAN optimization tunnel policies. You can enable web caching on both the client-side and the server-side FortiGate units or on just one or the other.

For optimum performance you can enable web caching on both the client-side and server-side FortiGate units. In this way only uncached content is transmitted through the WAN optimization tunnel. All cached content is access locally by clients from the client side FortiGate unit.

One important use for web caching is to cache software updates (for example, Win- dows Updates or iOS updates. When updates occur a large number of users may all be trying to download these updates at the same time. Caching these updates will be a major performance improvement and also have a potentially large impact on redu- cing Internet bandwidth use. You may want to adjust the maximum cache object size to make sure these updates are cached. See Max cache object size on page 2891.

Web caching and SSL offloading

Leave a reply

Web caching and SSL offloading

FortiGate web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency. Web caching supports caching of HTTP 1.0 and HTTP 1.1 web sites. See RFC 2616 for information about web caching for HTTP 1.1.

Web caching supports caching of Flash content over HTTP but does not cache audio and video streams including Flash videos and streaming content that use native streaming protocols such as RTMP.

The first time a file is received by web caching it is cached in the format it is received in, whether it be compressed or uncompressed. When the same file is requested by a client but in a different compression format, the cached file is converted to the new compressed format before being sent to the client.

 

There are three significant advantages to using web caching to improve HTTP and WAN performance:

  • reduced bandwidth consumption because fewer requests and responses go over the WAN or Internet.
  • reduced web server load because there are fewer requests for web servers to handle.
  • reduced latency because responses for cached requests are available from a local FortiGate unit instead of from across the WAN or Internet.

You can use web caching to cache any web traffic that passes through the FortiGate unit, including web pages from web servers on a LAN, WAN or on the Internet. You apply web caching by enabling the web caching option in any security policy. When enabled in a security policy, web caching is applied to all HTTP sessions accepted by the security policy. If the security policy is an explicit web proxy security policy, the FortiGate unit caches explicit web proxy sessions.

Example Adding secure tunneling to an active-passive WAN optimization configuration

Leave a reply

Example Adding secure tunneling to an active-passive WAN optimization configuration

This example shows how to configure two FortiGate units for active-passive WAN optimization with secure tunneling. The same authentication group is added to both FortiGate units. The authentication group includes a password (or pre-shared key) and has Peer Acceptance set to Accept any Peer. An active policy is added to the client-side FortiGate unit and a passive policy to the server-side FortiGate unit. The active policy includes a profile that performs secure tunneling, optimizes HTTP traffic, and uses Transparent Mode and byte caching.

The authentication group is named AuthSecure-Tunnel and the password for the pre-shared key is 2345678. The topology for this example is shown below. This example includes web-based manager configuration steps followed by equivalent CLI configuration steps. For information about secure tunneling, see Secure tunneling on page 2864.

 

Network topology and assumptions

This example configuration includes a client-side FortiGate unit called Client-net with a WAN IP address of 172.30.120.1.This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Web-servers and has a WAN IP address of 192.168.20.1. This unit is in front of a web server network with IP address 192.168.10.0.

 

Example active-passive WAN optimization and secure tunneling topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Configure the client-side FortiGate unit:

  • Add peers.
  • Add an authentication group.
  • Add an active WAN optimization policy.

2. Configure the server-side FortiGate unit.

  • Add peers.
  • Add the same authentication group
  • Add a passive WAN optimization policy that applies application control.
  • Add a WAN optimization tunnel policy.

Also note that if you perform any additional actions between procedures, your configuration may have different results.

 

Configuring WAN optimization with secure tunneling – web-based manager

Use the following steps to configure the example WAN optimization configuration from the client-side and server- side FortiGate unit web-based manager. (CLI steps follow.)

 

To configure the client-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the client-side FortiGate unit:

 

Local Host ID                            Client-Fgt

2. Select Apply to save your setting.

3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:

 

Peer Host ID                               Server-Fgt

IP Address                                 192.168.20.1

4. Select OK.

5. Go to WAN Opt. & Cache > Authentication Groups and select Create New to add the authentication group to be used for secure tunneling:

 

Name                                           Auth-Secure-Tunnel

Authentication Method            Pre-shared key

Password                                   2345678

Peer Acceptance                       Accept Any Peer

6. Select OK.

7. Go to WAN Opt. & Cache > Profiles and select Create New to add a WAN optimization profile that enables secure tunneling and includes the authentication group:

 

Name                                           Secure-wan-op-pro

Transparent Mode                    Select

Authentication Group              Auth-Secure-tunnel

8. Select the HTTP protocol, select Secure Tunneling and Byte Caching and set the Port to 80.

9. Select OK.

10. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the client network.

 

Category                                     Address

Name                                           Client-Net

Type                                            Subnet

Subnet / IP Range                     172.20.120.0/24

Interface                                     port1

11. Select Create New to add a firewall address for the web server network.

 

Category                                     Address

Address Name                           Web-Server-Net

Type                                            Subnet

Subnet / IP Range                     192.168.10.0/24

Interface                                     port2

12. Go to Policy & Objects > IPv4 Policy and select Create New to add an active WAN optimization security policy:

 

Incoming Interface                   port1

Source Address                        Client-Net

Outgoing Interface                   port2

Destination Address                 Web-Server-Net

Schedule                                    always

Service                                       HTTP

Action                                         ACCEPT

13. Turn on WAN Optimization and configure the following settings:

 

WAN Optimization                    active

Profile                                         Secure-wan-opt-pro

14. Select OK.

 

To configure the server-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the server-side FortiGate unit:

 

Local Host ID                            Server-Fgt

2. Select Apply to save your setting.

3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:

Peer Host ID                               Client-Fgt

IP Address                                 172.30.120.1

4. Select OK.

5. Go to WAN Opt. & Cache > Authentication Groups and select Create New and add an authentication group to be used for secure tunneling:

Name                                           Auth-Secure-Tunnel

Authentication Method            Pre-shared key

Password                                   2345678

Peer Acceptance                       Accept Any Peer

6. Select OK.

7. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the client network.

Category                                     Address

Name                                           Client-Net

Type                                            Subnet

Subnet / IP Range                     172.20.120.0/24

Interface                                     port1

8. Select Create New to add a firewall address for the web server network.

Category                                     Address

Address Name                           Web-Server-Net

Type                                            Subnet

Subnet / IP Range                     192.168.10.0/24

Interface                                     port2

9. Select OK.

10. Select Create New to add a passive WAN optimization policy that applies application control.

Incoming Interface                   port2

Source Address                        Client-Net

Outgoing Interface                   port1

Destination Address                 Web-Server-Net

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

11. Turn on WAN Optimization and configure the following settings:

WAN Optimization                    passive

Passive Option                          default

12. Select OK.

13. From the CLI enter the following command to add a WAN optimization tunnel explicit proxy policy.

configure firewall explicit-proxy-policy edit 0

set proxy wanopt set dstintf port1 set srcaddr all set dstaddr all set action accept

set schedule always set service ALL

next end

Pages: 1 2

Example Active-passive WAN optimization

Leave a reply

Example Active-passive WAN optimization

In active-passive WAN optimization you add an active WAN optimization policy to the client-side FortiGate unit and you add a WAN optimization tunnel policy and a passive WAN optimization policy to the server-side FortiGate unit.

The active policy accepts the traffic to be optimized and sends it down the WAN optimization tunnel to the server- side FortiGate unit. The active policy can also apply security profiles and other features to traffic before it exits the client-side FortiGate unit.

A tunnel explicit proxy policy on the sever-side FortiGate unit allows the server-side FortiGate unit to form a WAN optimization tunnel with the client-side FortiGate unit. The passive WAN optimization policy is required because of the active policy on the client-side FortiGate unit. You can also use the passive policy to apply WAN optimization transparent mode and features such as security profiles, logging, traffic shaping and web caching to the traffic before it exits the server-side FortiGate unit.

 

Network topology and assumptions

On the client-side FortiGate unit this example configuration includes a WAN optimization profile that optimizes CIFS, HTTP, and FTP traffic and an active WAN optimization policy. The active policy also applies virus scanning to the WAN optimization traffic.

On the server-side FortiGate unit, the passive policy applies application control to the WAN optimization traffic.

In this example, WAN optimization transparent mode is selected in the WAN optimization profile and the passive WAN optimization policy accepts this transparent mode setting. This means that the optimized packets maintain their original source and destination addresses. As a result, routing on the client network must be configured to route packets for the server network to the client-side FortiGate unit. Also the routing configuration on the server network must be able to route packets for the client network to the server-side FortiGate unit.

 

Example active-passive WAN optimization topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Configure the client-side FortiGate unit:

  • Add peers.
  • Add a WAN optimization profile to optimize CIFS, FTP, and HTTP traffic.
  • Add firewall addresses for the client and web server networks.
  • Add an active WAN optimization policy.
  1. 2. Configure the server-side FortiGate unit by:
  • Add peers.
  • Add firewall addresses for the client and web server networks.
  • Add a passive WAN optimization policy.
  • Add a WAN optimization tunnel policy.

 

Configuring basic active-passive WAN optimization – web-based manager

Use the following steps to configure the example WAN optimization configuration from the client-side and server- side FortiGate unit web-based manager.

 

To configure the client-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the client-side FortiGate unit:

 

Local Host ID                            Client-Fgt

2. Select Apply.

3. Select Create New and add a Peer Host ID and the IP Address for the server-side FortiGate unit:

 

Peer Host ID                               Server-Fgt

IP Address                                 192.168.20.1

4. Select OK.

5. Go to WAN Opt. & Cache > Profiles and select Create New to add a WAN optimization profile to optimize CIFS, HTTP, and FTP traffic:

 

Name                                           Custom-wan-opt-pro

Transparent Mode                    Select

6. Select the CIFS protocol, select Byte Caching and set the Port to 445.

7. Select the FTP protocol, select Byte Caching and set the Port to 21.

8. Select the HTTP protocol, select Byte Caching and set the Port to 80.

9. Select OK.

10. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.

 

Category                                     Address

Address Name                           Client-Net

Type                                            IP Range

Subnet / IP Range                     172.20.120.100-172.20.120.200

Interface                                     port1

11. Select Create New to add an address for the web server network.

Category                                     Address

Address Name                           Web-Server-Net

Type                                            Subnet

Subnet / IP Range                     192.168.10.0/24

Interface                                     port2

12. Go to Policy & Objects > IPv4 Policy and select Create New to add an active WAN optimization security policy:

Incoming Interface                   port1

Source Address                        Client-Net

Outgoing Interface                   port2

Destination Address                 Web-Server-Net

Schedule                                    always

Service                                       HTTP FTP SMB

Action                                         ACCEPT

13. Turn on WAN Optimization and configure the following settings:

WAN Optimization                    active

Profile                                         Custom-wan-opt-pro

14. Turn on Antivirus and select the default antivirus profile.

15. Select OK.

 

To configure the server-side FortiGate unit

1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the server-side FortiGate unit:

 

Local Host ID                            Server-Fgt

2. Select Apply.

3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:

 

Peer Host ID                               Client-Fgt

IP Address                                 172.30.120.1

4. Select OK.

5. Go to Policy & Objects > Addresses and select Create New to add an address for the client network.

 

Category                                     Address

Address Name                           Client-Net

Type                                            IP Range

Subnet / IP Range                     172.20.120.100-172.20.120.200

Interface                                     port1

6. Select Create New to add a firewall address for the web server network.

 

Category                                     Address

Address Name                           Web-Server-Net

Type                                            Subnet

Subnet / IP Range                     192.168.10.0/24

Interface                                     port2

7. Select OK.

8. Select Policy & Objects > IPv4 Policy and select Create New to add a passive WAN optimization policy that applies application control.

 

Incoming Interface                   port2

Source Address                        Client-Net

Outgoing Interface                   port1

Destination Address                 Web-Server-Net

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

9. Turn on WAN Optimization and configure the following settings:

 

WAN Optimization                    passive

Passive Option                          default

10. Select OK.

11. From the CLI enter the following command to add a WAN optimization tunnel explicit proxy policy.

configure firewall explicit-proxy-policy edit 0

set proxy wanopt set dstintf port1 set srcaddr all set dstaddr all set action accept

set schedule always set service ALL

next end

Pages: 1 2