This section introduces new Security Fabric features in FortiOS 6.0.
Security Fabric Automation
User-defined Automations allow you to improve response times to security events by automating the activities between devices in the Security Fabric. You can monitor events from any source in the Security Fabric and set up action responses to any destination. To create an Automation, you can set up a Trigger event and response Actions that cause the Security Fabric to respond in a predetermined way. From the root FortiGate, you can set up event triggers for the following event types: compromised host, event log, reboot, conserve mode, high CPU, license expiry, High Availability (HA) failover, and configuration changes. The workflows have the means to launch the following actions in response: email, FortiExplorer notification, AWS Lambda and webhook. Additional actions are available for compromised hosts, such as: access layer quarantine, quarantine FortiClient via EMS, and IP ban.
The Security Rating feature (previously called the Security Fabric Audit) includes new security checks that can help you make improvements to your organization's network, such as enforcing password security, applying recommended login attempt thresholds, encouraging two-factor authentication, and more.
Security Rating FortiGuard service
Security Rating is now a subscription service that FortiGuard offers when you purchase a Security Rating license. This service allows you to:
- Dynamically receive updates from FortiGuard.
- Run Security Rating checks for each licensed device in a Security Fabric.
- Run Security Rating checks in the background or on demand.
- Submit rating scores to FortiGuard and receive rating scores from FortiGuard, for ranking customers by percentile.
Solution and service integration
In FortiOS 6.0, the Security Fabric extends to include more Fortinet products.
Wireless user quarantine
When you create or edit an SSID, you can enable the Quarantine Host option to quarantine devices that are connected in Tunnel-mode. The option to quarantine a device is available from the Topology and FortiView WiFi pages.
When a host is put into the quarantine VLAN, it gets its IP address from the quarantine VLAN's DHCP server and becomes part of the quarantined network.
Fortinet products can join the Security Fabric by serial number
Fortinet products can now easily and securely join the Security Fabric using an authorized device serial number.
You can now add a FortiMail stats widget to the FortiGate Dashboard page to show mail detection stats from FortiMail. Other FortiMail integrations include the following:
- A FortiMail section that displays the FortiMail name, IP address, login and password is now available in the Security Fabric Settings page.
- FortiMail is now shown as a node in the topology tree view in the Fabric Settings page and in the Physical Topology and Logical Topology views.
- The topology views now show the number of FortiMail devices in the Security Fabric in the device summary.
Synchronize the FortiManager IP address among all Security Fabric members
When you add a FortiManager to the Root FortiGate of the Security Fabric, its configuration is now automatically synchronized with all devices in the Security Fabric. Central management features are now configured from the Security Fabric Settings page.
Improve FortiAP and FortiSwitch support in Security Fabric views
The Security Fabric widget on the dashboard and the Security Fabric Settings page now show the FortiAP and FortiSwitch devices in the Security Fabric.
- You can now use new shortcuts to easily authorize any newly discovered devices and manage them.
- Switch stacking is now supported in the Physical and Logical topology views, and Inter-switch Link (ISL-LAG) is now identified by a thicker single line.
EMS server support in Security Fabric topology
The FortiClient Endpoint Management System (EMS) can be enabled in FortiClient Endpoint profiles. This feature allows you to maintain FortiClient endpoint protection from FortiClient EMS and dynamically push configuration changes from the EMS to FortiClient endpoints. EMS server support is also integrated with Security Fabric Automation.
Multi-cloud support (Security Fabric connectors)
Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration. Security Fabric connectors allow you to integrate Application Centric Infrastructure (ACI), Amazon Web Services (AWS), Microsoft Azure, VMware NSX, and Nuage Virtualized Services Platform configurations into the Security Fabric.
Additionally, cloud-init support for Azure is now native to the cloud. FortiGate VM for Azure also supports bootstrapping.
This section introduces new manageability features in FortiOS 6.0.
You can use the new Asset Tagging system to create tags to separate and categorize network objects, interfaces, and devices. Tags are flexible, easy to configure, and useful for comprehensive monitoring, audit reporting, and more.
FortiSwitch network assisted device detection and destination name resolution
Device detection now extends to managed FortiSwitches, since some devices connected behind a FortiSwitch may not otherwise be visible to the FortiGate that manages it. Devices that are connected to a FortiSwitch are therefore more visible to the managing FortiGate and to the Security Fabric.
FortiSwitch destination name resolution clearly presents destination objects and the aggregation of related IP addresses with domains. It also applies Internet Service Database (ISDB) mapping to destination data.
Global security profiles
Global Security Profiles can be used by multiple VDOMs instead of creating identical profiles for each VDOM. You can create global security profiles for the following security features:
- Antivirus
- Application control
- Data leak prevention
- Intrusion protection
- Web filtering
This section introduces new Networking features in FortiOS 6.0.
FortiOS 6.0 introduces the following SD-WAN features:
- Multiple server support for health checks
- Internet service groups
- Bandwidth options in SD-WAN rules
- Custom profiles in SD-WAN rules
- DSCP tagging of forwarded packets in SD-WAN rules
For more information, see the Networking Handbook.
Multipath intelligence and performance SLAs
SD-WAN performance Service-Level Agreements (SLAs) incorporate multilayer SLA monitoring of link selection. To help handle emergency load or outages you can select links based on weight and SLA priority and then return to defaults once the network stabilizes. Also, traffic shaping and application intelligence have been added to the SD-WAN configuration, which gives you more control of SD-WAN traffic.
You can now use application control and application control group options in SD-WAN rules.
Internet Service support is also increased from a single Internet Service to Internet Service groups.
BGP dynamic routing and IPv6 support for SD-WAN
FortiOS 6.0 introduces support for dynamic routing in an SD-WAN configuration. You set up a route map and add a route tag to it. Then, you create an SD-WAN configuration, a health check, and a service for it. When you create the service, you add the route tag that you configured in the route map to the service.
Interface-based traffic shaping
In FortiOS 6.0, you can now enable traffic shaping on an interface. Interface-based traffic shaping allows you to enforce bandwidth limits by traffic type for individual interfaces.
Cloud-assisted One-Click VPN
One-Click VPN (OCVPN) is a cloud-based solution that greatly simplifies the provisioning and configuration of IPsec VPN. The administrator enables OCVPN with a single click, adds the required subnets, and then the configuration is complete. The OCVPN updates each FortiGate automatically as devices join and leave the VPN, as subnets are added and removed, when dynamic external IP addresses change (for example, DHCP or PPPoE), and when WAN interface bindings change (as in the case of dual WAN redundancy).
The following new IPv6 features have been added.
- IPv6 captive portal
- IPv6 FQDN and wildcard firewall addresses
- IPv6 IS-IS dynamic routing
- DHCPv6 server prefix delegation
- IPv6 BFD and VRRP
The following new NAT features have been added.
- Central source NAT (SNAT) policies now include a comment field
- Port block allocation timeout is configurable
- NAT46 IP pools
- VRRP HA supports firewall virtual IPs (VIPs) and IP pools
For more information, see the Firewall Handbook.
The media access control (MAC) virtual local area network (VLAN) feature in Linux allows you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
This section introduces new security features in FortiOS 6.0.
FortiGuard virus outbreak prevention
FortiGuard virus outbreak prevention is an additional layer of protection that keeps your network safe from newly emerging malware. Quick virus outbreaks can infect a network before signatures can be developed to stop them. Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard.
FortiGuard content disarm and reconstruction
Content Disarm and Reconstruction (CDR) removes exploitable content and replaces it with content that’s known to be safe. As files are processed through an enabled AntiVirus profile, content that’s found to be malicious or unsafe is replaced with content that allows the traffic to continue, but doesn’t put the recipient at risk.
Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (such as HTTP web download, SMTP email send, and IMAP and POP3 email retrieval; MAPI isn't supported).
This feature works even if FortiSandbox is not configured, but only if you want to discard the original file. If FortiSandbox is configured and it responds that the file is clean, the original content is passed unmodified.
Application groups for NGFW policies
When a FortiGate operates in NGFW policy mode, you can create application groups as you add NGFW policies. Then, when you add IPv4 or IPv6 policies, you can use application groups to simplify policy creation.
Application control rule sequencing
To have more control over application control outcomes, you can control the order that application signatures appear in application control sensors. Signatures for applications that are more sensitive can appear higher in the list so they get matched first.
External dynamic block lists
This feature introduces the ability to dynamically import external block lists from an HTTP server. You can use the block lists to enforce special security requirements that your organization has. This can include long-term policies to always block access to some websites, or short-term requirements to block access to known compromised locations. Since the lists are dynamically imported, any changes made to the list are picked up by FortiOS on the next refresh. Dynamic block lists can be added to:
- Web Filter profiles and SSL inspection exemptions.
- DNS Filter profiles and "Source/Destination" addresses in proxy policies.
In each profile, the administrator can configure multiple external block lists.
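Because FortiOS fetches the list from an HTTP server you operate, the practical risk is publishing a malformed or mistyped entry that silently drops out of enforcement, or a feed that mixes entry types. The following validator is an added example, not code from FortiOS or Fortinet; it assumes the one-entry-per-line, `#`-comment feed format and assumes each published feed should contain a single entry type (address, domain, or URL). The sample feed is constructed and contains no real indicators.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed, as an operator might publish it on an internal HTTP server.
# Deliberately contains two malformed lines (line 7 and line 8) to exercise the checks.
SAMPLE_FEED = """\
# constructed example block list (not real indicators)
198.51.100.0/24
203.0.113.7
bad-example.test
sub.bad-example.test
http://bad-example.test/login
not a valid entry
300.1.1.1
"""

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I
)


def classify(entry):
    """Return 'address', 'domain', 'url' for a single feed entry, or None if malformed."""
    try:
        # Accepts single IPs and CIDR prefixes; strict=False tolerates host bits set.
        ipaddress.ip_network(entry, strict=False)
        return "address"
    except ValueError:
        pass
    if DOMAIN_RE.match(entry):
        return "domain"
    parts = urlsplit(entry)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    return None


def validate_feed(text):
    """Parse a feed body.

    Returns (entries_by_type, errors): entries_by_type maps each type to the
    entries found, and errors lists (line_number, line) pairs that were rejected.
    Blank lines and '#' comments are skipped (assumed feed format).
    """
    by_type = {"address": [], "domain": [], "url": []}
    errors = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind is None:
            errors.append((line_no, line))
        else:
            by_type[kind].append(line)
    return by_type, errors


def render_feed(entries_by_type, kind):
    """Emit a feed body containing only entries of one type, ready to publish
    for a resource of that type (single-type-per-feed is an assumption)."""
    return "\n".join(entries_by_type[kind]) + "\n"


if __name__ == "__main__":
    found, bad = validate_feed(SAMPLE_FEED)
    for kind, items in found.items():
        print(f"{kind}: {len(items)} entries")
    for line_no, line in bad:
        print(f"rejected line {line_no}: {line!r}")
    print(render_feed(found, "domain"), end="")
```

Run the validator in the pipeline that writes the feed file to the HTTP server, and refuse to publish when `errors` is non-empty; that way a typo is caught before FortiOS refreshes the list rather than discovered later as a gap in coverage.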