Category Archives: FortiOS 6.2

Fabric View – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Fabric View

Fabric Connectors

You can use FortiAnalyzer to create the following types of fabric connectors:

ITSM

You can use the Fabric Connectors tab to create the following types of ITSM connectors:

l ServiceNow l Webhook, a generic connector

Creating or editing ITSM connectors

You can create ITSM connectors for ServiceNow and Webhook.

To create or edit ITSM connectors:

Go to Fabric View > Fabric Connectors.
To create an ITSM connector, click Create New. In the Create New Fabric Connector wizard, select ServiceNow or Webhook, and click Next.

To edit an ITSM connector, click the ITSM connector. The connector options are displayed.

Configure the following options, and then click OK:

Property		Description
Name		Type a name for the fabric connector.
Description		(Optional) Type a description for the fabric connector.
Protocol		Select HTTPS.
Property		Description
Port		Specify the port FortiAnalyzer uses to communicate with the external platform.
Method		Select POST.
Title		Type a title for the fabric connector.
URL		Type the URL of the external platform. Using ServiceNow as an example, copy and paste the URL from ServiceNow API URL in the Connection to ServiceNow API section in ServiceNow > FortiAnalyzerSystem Properties.
Enable HTTP Authentication		Set HTTP authentication to ON or OFF. Using ServiceNow as an example, enter the username and password from the Connection to ServiceNow API section in ServiceNow > FortiAnalyzer System Properties.
Status		Toggle ON to enable the fabric connector. Toggle OFF to disable the fabric connector.

Storage

You can use the Fabric Connectors tab to create the following types of storage connectors: l Amazon S3

l Microsoft Azure l Google Cloud

Creating or editing storage connectors

You can create storage connectors for Amazon S3, Microsoft Azure, and Google Cloud. Once you have created a storage connector, you can upload FortiAnalyzer logs to cloud storage. See Upload logs to cloud storage on page 219

To create a storage connector:

Go to Fabric View > Fabric Connectors.
Select Create New. In the Create New Fabric Connector wizard, choose Amazon S3, Azure Blob, or Google and select Next.
Configure the following options and select OK.

Property		Description
Name		Type a name for the fabric connector.
Comments		(Optional) Add comments about the connector.
Title		Type a title for the fabric connector.
Status		Toggle On to enable the fabric connector. Toggle Off to disable the fabric connector.
Amazon S3 Azure Blob Google	Provider	Type AWS.
	Region	Select a region.
	Access Key ID	Paste the access key from the IAM user account.
	Secret Access Key	Paste the secret access key from the IAM user account. Click the eye icon to Show or Hide the key.
	Storage Account Name	Paste the storage account name from the Microsoft Azure account.
	Account Key	Paste the account key from the Microsoft Azure account.
	Cloud Project Number	Paste the project number from the Google account.
	Service Account Credentials	Paste the entire Google account JSON key into the field. Click the eye icon to Show or Hide the key.
	Cloud Location	Select a Google Cloud location. For information about Google locations, visit the product help.

Advanced options will differ between the various types of storage connectors.

To edit a storage connector:

Go to Fabric View > Fabric Connectors.
Select an existing storage connector to edit.
In the dropdown menu that appears below the connector name, modify the connector settings.
Select OK.

Identity Center

The Fabric View > Identity Center pane displays a list of users and endpoints in the network from relevant logs, and correlates them with FortiAnalyzer modules.

The Identity Center is useful for user and endpoint mapping. Some users might use multiple endpoints in the network, endpoints might use multiple different interfaces to connect, network interfaces might have multiple IP addresses, and so on. A map of users and their endpoints gives you better visibility when you analyze logs, events, and incidents. This also helps with your reporting.

To view relevant identity logs directly from the SOC, Log View, and Incidents & Events panes, click the user or endpoint log, then click the Topography link in the pop-up that appears.

This Identity pane lists all endpoints and users from relevant logs and correlates them with FortiAnalyzer modules.

Column	Description
User Name	The name of the user.
User Group	The group of user identities. An identity can be a: l Local user account (username/password stored on the FortiGate unit) l Remote user account (password stored on a RADIUS, LDAP, or TACACS+ server) l PKI user account with digital client authentication certificate stored on the FortiGate unit l RADIUS, LDAP, or TACACS+ server, optionally specifying particular user groups on that server l User group defined on an FSSO server.
Endpoints	Endpoint host name, IP address, or MAC address. A user may be connected to multiple endpoints. Click the endpoint to display the corresponding user information in the Assets pane.
Social	The user’s Name, Picture, Email, Phone Number, and Social if it is available.
Source	The name of device that created the log.
Last Update	The date and time the log was updated.

Use the toolbar to select a Security Fabric, time period, and columns.

End user information is limited if there is no FortiClient in your installation.

Endpoints are detected based on MAC address and displayed by IP address instead of host name.
User related information might not be available.
Detailed information such as OS version, avatar, and social ID information are not available.

To provide a unified experience, you can customize how identity information is displayed, including which fields are displayed, the order, and the priority.

To configure the display settings in the Social column:

Go to Log View >Tools > UserDisplay Preferences.
Select the order preference tab you want to configure.

Tabs include Name, Picture, Email, Phone Number, and Social.

Rearrange the order preference as per your needs by drag-and-dropping an entry. For names, pictures, emails, and phone numbers, only the top entry will appear in the identity pop-up window.
User information can be disabled by moving the Show toggle to the Off position in the respective tabs.

Assets

The Fabric View > Assets pane is the central location for security analysts to view endpoint and user information to make sure they are compliant. Endpoints are important assets in a network as they are the main entry points in a cybersecurity breach.

The Assets pane is useful for the following:

Incident response. Check assets that are infected or vulnerable as part of your SOC analysis and incident response process. l Identify unknown and non-compliant users and endpoints.

To view relevant asset logs directly from the SOC, Log View, and Incidents & Events panes, click the user or endpoint log, then click the Topography link in the pop-up that appears.

The Assets pane lists all endpoints and users from relevant logs and correlates them with FortiAnalyzer modules. Sort by the Vulnerabilities column to see which endpoints and users have the highest vulnerabilities.

Column	Description
Endpoint	Endpoint host name or IP address.
User	The name of the user. Click the name to view the corresponding user information in the Identity Center pane.
MAC Address	Endpoint MAC address.
IP Address	IP address the endpoint is connected to. A user might be connected to multiple endpoints.
FortiClient UUID	Unique ID of the FortiClient.
Hardware / OS	OS name and version.
Vulnerabilities	The number of vulnerabilities for critical, high, medium, and low vulnerabilities. Click the vulnerability to view the name and category.
Network Location	The location of the FortiAnalyzer device.
Last Update	The date and time the log was updated.

Use the toolbar to select a Security Fabric, time period, and columns.

If there is no FortiClient in your installation, then endpoint and end user information is limited.

Endpoints are detected based on MAC address and displayed by IP address instead of host name.
User related information might not be available.
Detailed information such as OS version, avatar, and social ID information are not available.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiAnalyzer – Device Manager – FortiOS 6.2.3

1 Reply

Device Manager

Use the Device Manager pane to add, configure, and manage devices and VDOMs.

After you add and authorize a device or VDOM, the FortiAnalyzer unit starts collecting logs from that device or VDOM. You can configure the FortiAnalyzer unit to forward logs to another device. See Log Forwarding on page 190.

ADOMs

You can organize connected devices into ADOMs to better manage the devices. ADOMs can be organized by:

Firmware version: group all 6.0 devices into one ADOM, and all 6.2 devices into another.
Geographic regions: group all devices for a specific geographic region into an ADOM, and devices for a separate region into another ADOM.
Administrator users: group devices into separate ADOMs based for specific administrators responsible for the group of devices.
Customers: group all devices for one customer into an ADOM, and devices for another customer into another ADOM.

FortiAnalyzer, FortiCache, FortiClient, FortiDDos, FortiMail, FortiManager, FortiSandbox, FortiWeb, Chassis, and FortiCarrier devices are automatically placed in their own ADOMs. l Security Fabric: group all devices that are within the Security Fabric.

Each administrator profile can be customized to provide read-only, read/write, or restrict access to various ADOM settings. When creating new administrator accounts, you can restrict which ADOMs the administrator can access, for enhanced control of your administrator users. For more information on ADOM configuration and settings, see Administrative Domains on page 176.

FortiClient EMS devices

You can add FortiClient EMS servers to FortiAnalyzer. Authorized FortiClient EMS servers are added to the default

FortiClient ADOM. You must enable ADOMs to work with FortiClient EMS servers in FortiAnalyzer. When you select the FortiClient ADOM and go to the Device Manager pane, the FortiClient EMS servers are displayed. See also FortiClient support and ADOMs on page 178.

Unauthorized devices

When a device is configured to send logs to FortiAnalyzer, the unauthorized device is displayed in the Device Manager > Devices Unauthorized pane. You can then add devices to specific ADOMs or delete devices by using the toolbar buttons or the right-click menu.

Using FortiManager to manage FortiAnalyzer devices

You can add FortiAnalyzer devices to FortiManager and manage them. When you add a FortiAnalyzer device to FortiManager, FortiManager automatically enables FortiAnalyzer features. FortiAnalyzer and FortiManager must be running the same OS version, at least 5.6 or later.

In the Device Manager pane, a message informs you the device is managed by FortiManager and all changes should be performed on FortiManager to avoid conflict. The top right of this pane displays a lock icon. If ADOMs are enabled, the System Settings > All ADOMs pane displays a lock icon beside the ADOM managed by FortiManager.

Logs are stored on the FortiAnalyzer device, not the FortiManager device. You configure log storage settings on the FortiAnalyzer device; you cannot change log storage settings using FortiManager.

For more information, see Adding FortiAnalyzer devices in the FortiManagerAdministration Guide.

Adding devices

You must add and authorize devices and VDOMs to FortiAnalyzer to enable the device or VDOM to send logs to FortiAnalyzer. Authorized devices are also known as devices that have been promoted to the DVM table.

You must configure devices to send logs to FortiAnalyzer. For example, after you add and authorize a FortiGate device with FortiAnalyzer, you must also configure the FortiGate device to send logs to FortiAnalyzer. In the FortiGate GUI, go to Log & Report > Log Settings, and enable Send Logs to FortiAnalyzer/FortiManager.

Adding devices using the wizard

You can add devices and VDOMs to FortiAnalyzer using the Add Device wizard. When the wizard finishes, the device is added to the FortiAnalyzer unit, authorized, and is ready to start sending logs.

To add devices using the wizard:

If using ADOMs, ensure that you are in the correct ADOM.
Go to Device Manager and click Add Device.
Configure the following settings:

IP Address	Type the IP address for the device.
SN	Type the serial number for the device.
Device Name	Type a name for the device.
Device Model	Select the model of the device.
Firmware Version	Select the firmware version of the device.
Description	Type a description of the device (optional).

Click Next.

The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit.

Click Finish to finish adding the device and close the wizard.

Authorizing devices

You can configure supported devices to send logs to the FortiAnalyzer device. These devices are displayed in the root ADOM as unauthorized devices. You can quickly view unauthorized devices by clicking Unauthorized Devices in the quick status bar. You must authorize the devices before FortiAnalyzer can start receiving logs from the devices.

When ADOMs are enabled, you can assign the device to an ADOM. When authorizing multiple devices at one time, they are all added to the same ADOM.

When you delete a device or VDOM from the FortiAnalyzer unit, its raw log files are also deleted. SQL database logs are not deleted.

To authorize devices:

In the root ADOM, go to Device Manager and click Unauthorized Devices in the quick status bar. The content pane displays the unauthorized devices.
If necessary, select the Display Hidden Devices check box to display hidden unauthorized devices.
Select the unauthorized device or devices, then click Authorize. The Authorize Device dialog box opens.
If ADOMs are enabled, select the ADOM in the Add the following device(s)to ADOM If ADOMs are disabled, select root.
Click OK to authorize the device or devices.

The device or devices are authorized and FortiAnalyzer can start receiving logs from the device or devices.

Hiding unauthorized devices

You can hide unauthorized devices from view, and choose when to view hidden devices. You can authorize or delete hidden devices.

To hide and display unauthorized devices:

In the root ADOM, go to Device Manager and click Unauthorized Devices in the quick status bar. The content pane displays the unauthorized devices.
Select the unauthorized device or devices, then click Hide. The unauthorized devices are hidden from view.

You can view hidden devices by selecting the Display Hidden Devices check box.

Adding an HA cluster

You can use a HA cluster to synchronize logs and data securely among multiple FortiGate devices.

An HA cluster can have a maximum of four devices: one primary or master device with up to three backup or slave devices. All the devices in the cluster must be of the same FortiGate series and must be visible on the network.

You can use auto-grouping in FortiAnalyzer to group devices in a cluster based on the group name specified in Fortigate’s HA cluster configuration. For auto-grouping to work properly, each FortiGate cluster requires a unique group name.

If a unique group name is not used, auto-grouping should be disabled.

FAZ # config system global

(global)# set ha-member-auto-grouping disable

To create a HA cluster:

If using ADOMs, ensure that you are in the correct ADOM.
Add the devices to the Device Manager.
Choose a master device, and click Edit.
In the Edit Device pane, select HA Cluster.
From the Add Existing Device list, select a device, and click Add.
Optionally, you can use the Add OtherDevice field to add a new device.
Add more devices as necessary, and click OK. The maximum is three slave devices.

To view the HA in the Device Manager, click Column Settings > HA Status.

Managing devices

Use the tools and commands in the Device Manager pane to manage devices and VDOMs.

Using the quick status bar

You can see the quick status bar at the top of the Device Manager pane. The quick status bar contains the following tabs:

Devices Total: Displays the authorized devices. l Devices Unauthorized: Displays the unauthorized devices.
Devices Log Status Down: Displays the authorized devices with a log status of down. l Storage Used: Displays the Log View > Storage Statistics

The Devices Total, Devices Unauthorized, and the Devices Log Status Down tabs include the following default columns:

Column	Description
Device Name	Displays the name of the device.
Column	Description
IP Address	Displays the IP address for the device.
Platform	Displays the platform for the device.
Logs	Identifies whether the device is successfully sending logs to the FortiAnalyzer unit. A green circle indicates that logs are being sent. A red circle indicates that logs are not being sent. A lock icon displays when a secure tunnel is being used to transfer logs from the device to the FortiAnalyzer unit.
Average Log Rate (Logs/Sec)	Displays the average rate at which the device is sending logs to the FortiAnalyzer unit in log rate per second. Click the number to display a graph of historical average log rates.
Device Storage	Displays how much of the allotted disk space has been consumed by logs.
Description	Displays a description of the device (not displayed in Devices Unauthorized tab).

Using the toolbar

The following buttons and menus are available for selection on the toolbar:

Button	Description
Add Device	Opens the Add Device Wizard to add a device to the FortiAnalyzer unit. The device is added, but not authorized. Unauthorized devices are displayed in the Unauthorized Devices tree menu.
Edit	Edits the selected device.
Delete	Deletes the selected devices or VDOMs from the FortiAnalyzer unit. When you delete a device, its raw log files are also deleted. SQL database logs are not deleted.
Column Settings	Click to select which columns to display or select Reset to Default to display the default columns.
More	Displays more menu items including Import Device List and Export Device List.
Search	Type the name of a device. The content pane displays the results. Clear the search box to display all devices in the content pane.

Editing device information

Use the Edit Device page to edit information about a device. The information and options available on the Edit Device page depend on the device type, firmware version, and which features are enabled.

To edit information for a device or model device:

Go to Device Manager and click the Devices Total tab in the quick status bar.
In the content pane, select the device or model device and click Edit, or right-click on the device and select Edit. The Edit Device pane displays.
Edit the device settings and click OK.

Name	The name of the device.
Description	Descriptive information about the device.
IP Address	Enter the IP address of the device.
Serial Number	The serial number of the device.
Firmware Version	The firmware version.
Admin User	Enter the administrator user name.
Password	Enter the administrator user password.
HA Cluster	Select to identify the device as part of an HA cluster, and to identify the other device in the cluster by selecting them from the drop-down list, or by inputting their serial numbers.
Geographic Coordinates	Identifies the latitude and longitude of the device location to support the interactive maps. Click Show Map to open a map showing the location of the device based on the coordinates. Click and drag the map marker to adjust the device’s location.
Company/Organization	Optionally, enter the company or organization information.
Country		Optionally, enter the country where the device is located.
Province/State		Optionally, enter the province or state.
City		Optionally, enter the city.
Contact		Optionally, enter the contact information.

Displaying historical average log rates

You can display a graph of the historical, average log rates for each device.

To display historical average logs rates:

If using ADOMs, ensure that you are in the correct ADOM.
Go to Device Manager and click the Devices Total tab in the quick status bar.
In the Average Log Rate (Logs/Sec) column, click the number to display the graph.
Hover the cursor over the graph to display more details.

Connecting to an authorized device GUI

You can connect to the GUI of an authorized device from Device Manager.

To connect to an authorized device GUI:

If using ADOMs, ensure that you are in the correct ADOM.
Go to Device Manager and click the Devices Total tab in the quick status bar.
Right-click the device that you want to access, and select Connect to Device.
If necessary, change the port number and click OK.

You are directed to the Login page of the device GUI.

FortiAnalyzer Key Concepts – FortiOS 6.2.3

Leave a reply

FortiAnalyzer Key Concepts

Two operation modes

FortiAnalyzer can run in two operation modes: Analyzer and Collector. Choose the operation mode for your FortiAnalyzer units based on your network topology and requirements.

Analyzer mode

Analyzer mode is the default mode that supports all FortiAnalyzer features. Use this mode to aggregate logs from one or more Collectors.

The following diagram shows an example of deploying FortiAnalyzer in Analyzer mode.

Collector mode

When FortiAnalyzer is in Collector mode, its primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs. Instead of writing logs to the database, the Collector retains logs in their original binary format for uploading. In this mode, most features are disabled.

Analyzer and Collector feature comparison

Feature	Analyzer Mode			Collector Mode
Device Manager	Yes			Yes
FortiView	Yes			No
Feature		Analyzer Mode	Collector Mode
Log View		Yes	Raw archive logs only
Incidents & Events		Yes	No
Monitoring devices		Yes	No
Reporting		Yes	No
System Settings		Yes	Yes
Log Forwarding		Yes	Yes

Analyzer–Collector collaboration

You can deploy Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. The Analyzer offloads the log receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This maximizes the Collector’s log receiving performance.

For an example of setting up Analyzer–Collector collaboration, see Collectors and Analyzers on page 256.

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain the access privileges of other FortiAnalyzer unit administrators to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific VDOM for a device.

Enabling ADOMs alters the available functions in the GUI and CLI. Access to the functions depends on whether you are logged in as the admin administrator. If you are logged in as the admin administrator, you can access all ADOMs. If you are not logged in as the admin administrator, the settings in your administrator account determines access to ADOMs.

For information on enabling and disabling ADOMs, see Enabling and disabling the ADOM feature on page 179. For information on working with ADOMs, see Administrative Domains on page 176. For information on configuring administrator accounts, see Managing administrator accounts on page 223.

Log storage

Logs and files are stored on the FortiAnalyzer disks. Logs are also temporarily stored in the SQL database.

You can configure data policy and disk utilization settings for devices. These are collectively called log storage settings.

You can configure global log and file storage settings. These apply to all logs and files in the FortiAnalyzer system regardless of log storage settings.

SQL database

FortiAnalyzer supports Structured Query Language (SQL) for logging and reporting. The log data is inserted into the SQL database to support data analysis in SOC > FortiView, Log View, and Reports. Remote SQL databases are not supported.

For more information, see FortiView on page 98, Types of logs collected for each device on page 42, and Reports on page 111.

The log storage settings define how much FortiAnalyzer disk space to use for the SQL database.

When FortiAnalyzer is in Collector mode, the SQL database is disabled by default. If you want to use logs that require SQL when FortiAnalyzer is in Collector mode, you must enable the SQL database. See Two operation modes on page 19.

Analytics and Archive logs

Logs in FortiAnalyzer are in one of the following phases. Use a data policy to control how long to retain Analytics and Archive logs.

l Real-time log: Log entries that have just arrived and have not been added to the SQL database, i.e., have not been rolled. l Analytics logs or historical logs: Indexed in the SQL database and online. l Archive logs: Compressed on hard disks and offline.

In the indexed phase, logs are indexed in the SQL database for a specified length of time for the purpose of analysis.

Logs in the indexed phase in the SQL database are considered online and you can view details about these logs in SOC > FortiView, Log View, and Incidents & Events panes. You can also generate reports about the logs in the Reports pane.

In the compressed phase, logs are compressed and archived in FortiAnalyzer disks for a specified length of time for the purpose of retention. Logs in the compressed phase are considered offline and you cannot immediately view details about these logs in the SOC > FortiView, Log View, and Incidents & Events panes. You also cannot generate reports about the logs in the Reports pane.

Data policy and automatic deletion

Use a data policy to control how long to keep compressed and indexed logs. When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices.

A data policy specifies:

How long to keep Analytics logs indexed in the database

When the specified length of time in the data policy expires, logs are automatically purged from the database but remain compressed in a log file on the FortiAnalyzer disks.

How long to keep Archive logs on the FortiAnalyzer disks

When the specified length of time in the data policy expires, Archive logs are deleted from the FortiAnalyzer disks.

See also Log storage information on page 57.

Disk utilization for Archive and Analytic logs

You can specify how much of the total available FortiAnalyzer disk space to use for log storage. You can specify what ratio of the allotted storage space to use for logs that are indexed in the SQL database and for logs that are stored in a compressed format on the FortiAnalyzer disks. Then you can monitor how quickly device logs are filling up the allotted disk space.

Analytic logs indexed in the SQL database require more disk space than Archive logs (purged from the SQL database but remain compressed on the FortiAnalyzer disks). An average indexed log is 400 bytes and an average compressed log is 50 bytes. Keep this difference in mind when specifying the storage ratio for Analytics and Archive logs.

When ADOMs are enabled, you can specify settings for each ADOM and the settings apply to all devices in that ADOM. When ADOMs are disabled, settings apply to all managed devices. See Log storage information on page 57.

SOC dashboard

FortiAnalyzer provides dashboard for Security Operations Center (SOC) administrators. SOC includes monitors which enhance visualization for real-time activities and historical trends for analysts to effectively monitor network activities and security alerts. See SOC Monitoring on page 87.

In high capacity environments, the SOC module can be disabled to improve performance. See Enabling and disabling SOC on page 109.

Setting up FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Setting up FortiAnalyzer

Connecting to the GUI

The FortiAnalyzer unit can be configured and managed using the GUI or the CLI. This section will step you through connecting to the unit via the GUI.

To connect to the GUI:

Connect the FortiAnalyzer unit to a management computer using an Ethernet cable.
Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:

l IP address: 192.168.1.X l Netmask: 255.255.255.0

On the management computer, start a supported web browser and browse to https://192.168.1.99.
Type admin in the Name field, leave the Password field blank, and click Login. The Change Password dialog box is displayed.
Change the default password now, or click Later to change the password later:
1. In the New Password box, type a new password.
2. In the Confirm Password box, type the new password again, and click OK.
If ADOMs are enabled, the Select an ADOM pane is displayed. Click an ADOM to select it. The FortiAnalyzer home page is displayed.
Click a tile to go to that pane. For example, click the Device Manager tile to go to the Device Manager See also GUI overview on page 12.

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.

For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces on page 167.

After logging in for the first time, you should create an administrator account for yourself and assign the Super_User profile to it. Then you should log into the FortiAnalyzer unit by using the new administrator account. See Managing administrator accounts on page 223 for information.

Security considerations

You can take steps to prevent unauthorized access and restrict access to the GUI. This section includes the following information:

l Restricting GUI access by trusted host on page 11 l Other security considerations on page 11

Restricting GUI access by trusted host

To prevent unauthorized access to the GUI you can configure administrator accounts with trusted hosts. With trusted hosts configured, the administrator user can only log into the GUI when working on a computer with the trusted host as defined in the administrator account. You can configure up to ten trusted hosts per administrator account. See Administrators on page 222 for more details.

Other security considerations

Other security consideration for restricting access to the FortiAnalyzer GUI include the following:

l Configure administrator accounts using a complex passphrase for local accounts l Configure administrator accounts using RADIUS, LDAP, TACACS+, or PKI l Configure the administrator profile to only allow read/write permission as required and restrict access using readonly or no permission to settings which are not applicable to that administrator l Configure the administrator account to only allow access to specific ADOMs as required

When setting up FortiAnalyzer for the first time or after a factory reset, the password cannot be left blank. You are required to set a password when the admin user tries to log in to FortiManager from GUI or CLI for the first time. This is applicable to a hardware device as well as a VM. This is to ensure that administrators do not forget to set a password when setting up FortiAnalyzer for the first time.

After the initial setup, you can set a blank password from System Settings > Administrators.

GUI overview

When you log into the FortiAnalyzer GUI, the following home page of tiles is displayed:

Select one of the following tiles to display the respective pane. The available tiles vary depending on the privileges of the current user.

Device Manager	Add and manage devices and VDOMs. See Device Manager on page 24.
Fabric View	Configure fabric connectors. See Fabric View on page 32.
SOC	Summarizes SOC information in FortiView and Monitors dashboards, which include widgets displaying log data in graphical formats, network security, WiFi security, and system performance in real-time. This pane is not available when the unit is in Collector mode.
Log View	View logs for managed devices. You can display, download, import, and delete logs on this page. You can also define custom views and create log groups. See Log View and Log Quota Management on page 42.
Incidents & Events	Configure and view events for logging devices. See Incident and Event Management on page 61. This pane is not available when the unit is in Collector mode.
Reports	Generate reports. You can also configure report templates, schedules, and output profiles, and manage charts and datasets. See Reports on page 111. This pane is not available when the unit is in Collector mode.
FortiRecorder		Manage FortiCamera devices and view camera streams and recordings through the Monitors dashboard. This pane is only available in physical appliances and is disabled by default. See FortiRecorder on page 143 This pane is not available when the unit is in Collector mode.
System Settings		Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. See System Settings on page 154.

The top-right corner of the home page includes a variety of possible selections:

ADOM	If ADOMs are enabled, the required ADOM can be selected from the dropdown list. The ADOMs available from the ADOM menu will vary depending on the privileges of the current user.
Full Screen	Click to view only the content pane in the browser window. See Full-screen mode on page 15.
Help	Click to open the FortiAnalyzer online help, or view the About information for your device (Product, Version, and Build Number). You can also open the FortiAnalyzer basic setup video (https://video.fortinet.com/video/208/fortianalyzer-basic-setup).
CLI Console	Click the CLI Console icon on the right side of the banner on any page. The CLI console is a terminal window that enables you to configure the FortiAnalyzer unit using CLI commands directly from the GUI, without making a separate SSH, or local console connection to access the CLI. When using the CLI console, you are logged in with the same administrator account that you used to access the GUI. You can enter commands by typing them, or you can copy and paste commands into or out of the console. Click Detach in the CLI Console toolbar to open the console in a separate window. Note: The CLI Console requires that your web browser support JavaScript.
Notification	Click to display a list of notifications. Select a notification from the list to take action on the issue.
admin	Click to change the password or log out of the GUI.

Panes

In general, panes have four primary parts: the banner, toolbar, tree menu, and content pane.

Banner	Along the top of the page; includes the home button (Fortinet logo), tile menu, ADOM menu (when enabled), admin menu, notifications, help button, and CLI console button.
Tree menu	On the left side of the screen; includes the menus for the selected pane. Not available in Device Manager.
Content pane		Contains widgets, lists, configuration options, or other information, depending on the pane, menu, or options that are selected. Most management tasks are handled in the content pane.
Toolbar		Directly above the content pane; includes options for managing content in the content pane, such as Create New and Delete.

To switch between panes, either select the home button to return to the home page, or select the tile menu then select a new tile.

Color themes

You can choose a color theme for the FortiAnalyzer GUI. For example, you can choose a color, such as blue or plum, or you can choose an image, such as summer or autumn. See Global administration settings on page 243.

Full-screen mode

You can view several panes in full-screen mode. When a pane is in full-screen mode, the tree menu on the left side of the screen is hidden.

Click the Full Screen button in the toolbar to enter full-screen mode, and press the Esc key on your keyboard to exit fullscreen mode.

Switching between ADOMs

When ADOMs are enabled, you can move between ADOMs by selecting an ADOM from the ADOM menu in the banner.

ADOM access is controlled by administrator accounts and the profile assigned to the administrator account. Depending on your account privileges, you might not have access to all ADOMs. See Managing administrator accounts on page 223 for more information.

Using the right-click menu

Options are sometimes available using the right-click menu. Right-click an item in the content pane, or within some of the tree menus, to display the menu that includes various options similar to those available in the toolbar.

In the following example on the Reports pane, you can right-click a template, and select Create New, View, Clone, or Create Report.

Avatars

When FortiClient sends logs to FortiAnalyzer, an avatar for each user can be displayed in the Source column in the

SOC > FortiView and Log View panes. FortiAnalyzer can display an avatar when the following requirements are met:

l FortiClient is managed by FortiGate or FortiClient EMS with logging to FortiAnalyzer enabled. l FortiClient sends logs and a picture of each user to FortiAnalyzer.

If FortiAnalyzer cannot find the defined picture, a generic, gray avatar is displayed.

Showing and hiding passwords

In some cases you can show and hide passwords by using the toggle icon. When you can view the password, the Toggle show password icon is displayed:

When you can hide the password, the Toggle hide password icon is displayed:

Target audience and access level

This guide is intended for administrators with full privileges, who can access all panes in the FortiAnalyzer GUI, including the System Settings pane.

In FortiAnalyzer, administrator privileges are controlled by administrator profiles. Administrators who are assigned profiles with limited privileges might be unable to view some panes in the GUI and might be unable to perform some tasks described in this guide. For more information about administrator profiles, see Administrator profiles on page 228.

If you logged in by using the admin administrator account, you have the Super_User administrator profile, which is assigned to the admin account by default and gives the admin administrator full privileges.

Initial setup

This topic provides an overview of the tasks that you need to do to get your FortiAnalyzer unit up and running.

To set up FortiAnalyzer:

Connect to the GUI. See Connecting to the GUI on page 10.
Configure the RAID level, if the FortiAnalyzer unit supports RAID. See Configuring the RAID level on page 174.
Configure network settings. See Configuring network interfaces on page 167.

Once the IP address of the administrative port of FortiAnalyzer is changed, you will lose connection to FortiAnalyzer. You will have to reconfigure the IP address of the management computer to connect again to FortiAnalyzer and continue.

(Optional) Configure administrative domains. See Managing ADOMs on page 180.
Configure administrator accounts. See Managing administrator accounts on page 223.
Add devices to the FortiAnalyzer unit so that the devices can send logs to the FortiAnalyzer unit. See Adding devices on page 25.
Configure the operation mode. See Configuring the operation mode on page 161 and Two operation modes on page 19.

FortiManager features

FortiManager features are not available in FortiAnalyzer 6.2.0 and up.

For information about FortiManager, see the FortiManagerAdministration Guide.

If FortiManager features are enabled in FortiAnalyzer before upgrading to 6.2.0 and later, the existing feature configurations will continue to be available after the upgrade. FortiManager features carried over during an upgrade can be disabled through the CLI console.

Next steps

Now that you have set up your FortiAnalyzer units and they have started receiving logs from the devices, you can start monitoring and interpreting data. You can:

View log messages collected by the FortiAnalyzer unit in Log View. See Types of logs collected for each device on page 42.
View multiple panes of network activity in SOC (Security Operations Center). See SOC Monitoring on page 87.
View summaries of threats, traffic, and more in SOC > FortiView. See FortiView on page 98 l Generate and view events in Incidents & Events. See Incident and Event Management on page 61. l Generate and view reports in Reports. See Reports on page 111.

Restarting and shutting down

Always use the operation options in the GUI or the CLI commands to reboot and shut down the FortiAnalyzer system to avoid potential configuration problems.

To restart the FortiAnalyzer unit from the GUI:

Go to System Settings > Dashboard.
In the Unit Operation widget, click the Restart
Enter a message for the event log, then click OK to restart the system.

To restart the FortiAnalyzer unit from the CLI:

From the CLI, or in the CLI Console menu, enter the following command:

execute reboot The system will be rebooted.

Do you want to continue? (y/n)

Enter y to continue. The FortiAnalyzer system will restart.

To shutdown the FortiAnalyzer unit from the GUI:

Go to System Settings > Dashboard.
In the Unit Operation widget, click the Shutdown
Enter a message for the event log, then click OK to shutdown the system.

To shutdown the FortiAnalyzer unit from the CLI:

From the CLI, or in the CLI Console menu, enter the following command:

execute shutdown The system will be halted.

Do you want to continue? (y/n)

Enter y to continue. The FortiAnalyzer system will shutdown.

To reset the FortiAnalyzer unit:

From the CLI, or in the CLI Console menu, enter the following command: execute reset all-settings

This operation will reset all settings to factory defaults

Do you want to continue? (y/n)

Enter y to continue. The device will reset to factory default settings and restart.

To reset logs and re-transfer all SQL logs to the database:

From the CLI, or in the CLI Console menu, enter the following command: execute reset-sqllog-transfer

WARNING: This operation will re-transfer all logs into database. Do you want to continue? (y/n)

Enter y to continue. All SQL logs will be resent to the database.

FortiOS 6.2.3 Release Notes

Leave a reply

Change Log

Date	Change Description
2019-12-19	Initial release.
2019-12-19	Updated Resolved issues and Known issues.
2019-12-20	Updated Changes in CLI defaults.
2019-12-30	Added 585122 to Resolved issues.
2020-01-02	Updated Product integration and support > FortiExtender.
2020-01-03	Updated Known issues.
2020-01-06	Updated Introduction and supported models > Special branch supported models. Removed image download note from Introduction and supported models.
2020-01-07	Added 581663 to Resolved issues.
2020-01-09	Added FG-60F, FG-61F, FG-100F, and FG-101F to Introduction and supported models > Special branch supported models.
2020-01-17	Updated Resolved issues and Known issues. Added Special notices > System Advanced menu removal (combined with System Settings).
2020-01-20	Updated Resolved issues and Known issues.
2020-01-22	Updated New features orenhancements and Known issues.
2020-01-27	Updated Special notices > New Fortinet cloud services.
2020-02-04	Added Special notices > L2TP overIPsec on certain mobile devices (459996). Updated Resolved issues and Known issues.
2020-02-13	Added Special branch support forFortiAP-W2 231E section in Introduction and supported models.
2020-02-21	Added FG-2200E, FG-2201E, FG-3300E, and FG-3301E to Introduction and supported models > Special branch supported models.
2020-02-24	Updated Special notices, New features orenhancements, Known issues, and Resolved issues.
2020-02-25	Updated Known issues and Resolved issues.

Introduction and supported models

This guide provides release information for FortiOS 6.2.3 build 1066.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FG-30E-MG	is released on build 8255.
FG-60E-DSL	is released on build 6164.

FortiOS 6.2.3 supports the following models.

FortiGate	FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG3000D, FG-3100D, FG-3200D, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1
FortiWiFi	FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E
FortiGate Rugged	FGR-30D, FGR-35D, FGR-90D
FortiGate VM	FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN
Pay-as-you-go images	FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier	FortiOS Carrier 6.2.3 images are delivered on request and are not available on the Beta portal.

Special branch supported models

The following models are released on a special branch of FortiOS 6.2.3. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1066.

Introduction and supported models

FG-60E-DSLJ	is released on build 6164.
FG-60F	is released on build 6188.
FG-61F	is released on build 6188.
FG-100F	is released on build 6188.
FG-101F	is released on build 6188.
FG-1100E	is released on build 5401.
FG-1101E	is released on build 5401.
FG-2200E	is released on build 8329.
FG-2201E	is released on build 8329.
FG-3300E	is released on build 8329.
FG-3301E	is released on build 8329.
FWF-60E-DSL	is released on build 6164.
FWF-60E-DSLJ	is released on build 6164.

Special branch support for FortiAP-W2 231

A special branch for FortiOS 6.2.3 to support the FortiAP-W2 231E has been released. You may download the FortiOS images on the Fortinet Customer Service & Support site under the following directory:

/FortiGate/v6.00/Feature_Support/6.2.3/

Supplemental Release Notes are available.

The FortiAP-W2 231E is supported in FortiAP-W2 6.2.3.

Special notices

New Fortinet cloud services l FortiGuard Security Rating Service
Using FortiManager as a FortiGuard server on page 10 l FortiGate hardware limitation l CAPWAP traffic offloading
FortiClient (Mac OS X) SSL VPN requirements l Use of dedicated management interfaces (mgmt1 and mgmt2) l NP4lite platforms l Tags option removed from GUI
System Advanced menu removal (combined with System Settings) on page 11 l L2TP over IPsec on certain mobile devices on page 12 l Application group improvements on page 12 l NGFW mode on page 12

New Fortinet cloud services

FortiOS 6.2.0 introduced several new cloud-based services listed below. The new services require updates to FortiCare and Fortinet’s FortiCloud single sign-on (SSO) service.

Overlay Controller VPN
FortiGuard Cloud-Assist SD-WAN Interface Bandwidth Monitoring l FortiManager Cloud l FortiAnalyzer Cloud

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model: l FGR-30D l FGR-35D l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E

FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E l FWF-50E-2R l FWF-51E

Using FortiManager as a FortiGuard server

If you use FortiManager as a FortiGuard server, and you configure the FortiGate to use a secure connection to FortiManager, you must use HTTPS with port 8888. HTTPS with port 53 is not supported.

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

All packet types are allowed, but depending on the network topology, an STP loop may result.

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected: l FG-900D l FG-1000D l FG-2000E l FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

Bug ID	Description
584254	l Removed System > Advanced menu (moved most features to System > Settings page).

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

NP4lite platforms

FortiOS 6.2 and later does not support NP4lite platforms.

Tags option removed from GUI

The Tags option is removed from the GUI. This includes the following:

l The System > Tags page is removed. l The Tags section is removed from all pages that had a Tags section. l The Tags column is removed from all column selections.

System Advanced menu removal (combined with System Settings)

Bug ID	Description
	l Moved configuration script upload feature to top menu > Configuration > Scripts page. l Removed GUI support for auto-script configuration (the feature is still supported in the CLI). l Converted all compliance tests to security rating tests.

L2TP over IPsec on certain mobile devices

Bug ID	Description
459996	Samsung Galaxy Tab A 8 and Android 9.0 crash after L2TP over IPsec is connected.

Application group improvements

Bug ID	Description
565309	Application Group improvements.

NGFW mode

Bug ID	Description
584314	NGFW mode should have a link to show list of all applications.

Changes in default behavior

CLI

Removed dependency between gui-per-policy-disclaimer in the system setting and per-policydisclaimer in the user setting.
There is a new default any-to-any-all-to-all policy after changing from NGFW mode to policy-based mode.

GUI

l In the Feature Visibility page, the Per-policy Disclaimer option name was changed to Policy Disclaimer. l Firewall Policy was renamed to SSL Inspection & Authentication after changing from NGFW mode to policybased mode.

WiFi Controller

The default extension information setting in wtp-profile has changed from disable to enable.

Previous releases

6.2.3 release

config wireless-controller wtp-profile edit <FAP-Profile> set ext-info-enable disable

end

config wireless-controller wtp-profile edit <FAP-Profile> set ext-info-enable enable <== changed

end

The default platform type in wtp-profile has changed from 220B to 221E.

Previous releases

6.2.3 release

config wireless-controller wtp-profile edit <New profile> config platform set type 220B

end

config wireless-controller wtp-profile edit <New profile> config platform set type 221E <== changed

end

Changes in CLI defaults

Routing l auxiliary-session {enable | disable} option added at the VDOM level.

System

Previous releases	6.2.3 release
config webfilter profile edit “encrypted-web” set comment ” set replacemsg-group ” unset options config file-filter set status enable set log enable set scan-archive-contents enable config entries edit “1” set comment ”	config webfilter profile edit “encrypted-web” set comment ” set replacemsg-group ” unset options config file-filter set status enable set log enable set scan-archive-contents enable config entries edit “1” set comment ”

Consolidate FortiTelemetry and capwap into fabric to allow Security Fabric access in system interface.

Previous releases

6.2.3 release

config system interface edit <Port number> set allowaccess capwap <== Removed set fortiheartbeat <== Removed

end

config system interface edit <Port number> set allowaccess fabric <== New

end

Add execute factoryreset-shutdown to combine the functionality of the factory-reset and shutdown l Add more functions for SMC NTP and the ability to get information from SMC NTP:

config system smc-ntp <== New set ntpsync disable <== New set syncinterval 60 <== New

set channel 5 <== New end

Web Filter l Enable file-filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

Changes in CLI defaults

Previous releases

6.2.3 release

set protocol http ftp set action log set direction any set password-protected

yes set file-type “zip” <==

only zip can be selected next

end

set protocol http ftp set action log set direction any set password-protected

yes set file-type “zip” “7z” “msoffice” “msofficex” “pdf” “rar” <==changed next

end

WiFi Controller l FAP-U431F and FAP-U433F can support 802.11ax on 2.4 GHz radio-2 when the platform mode is single-5G.

Previous releases

6.2.3 release

config wireless-controller wtp-profile edit “FAPU431F-default” config platform set type U431F set mode single-5G

end config radio-1 set band 802.11ax-5G

end config radio-2 set band ?

802.11b 802.11b.

802.11g 802.11g/b.

802.11n 802.11n/g/b at 2.4GHz.

802.11n,g-only 802.11n/g at 2.4GHz.

802.11g-only 802.11g.

802.11n-only 802.11n at

2.4GHz. end config radio-3 set mode monitor

end

config edit

2.4GHz.

2.4GHz.

2.4GHz.

2.4GHz.

802.11a

wireless-controller wtp-profile

“FAPU431F-default” config platform set type U431F set mode single-5G

end config radio-1 set band 802.11ax-5G

end config radio-2 set band ?

802.11b 802.11b.

802.11g 802.11g/b.

802.11n 802.11n/g/b at

802.11ax 802.11ax/n/g/b at

<==added

802.11n,g-only 802.11n/g at

802.11g-only 802.11g.

802.11n-only 802.11n at

802.11ax,n-only 802.11ax/n at

<==added

802.11ax,n,g-only

x/n/g at 2.4GHz. <==added

802.11ax-only 802.11ax at

Changes in CLI defaults

Previous releases

6.2.3 release

2.4GHz.<==added end config radio-3 set mode monitor

end

Resolved Issues

Bug ID

Description

574882

FAP-U431F and FAP-U433F can support 802.11ax on 2.4 GHz radio-2 when the platform mode is single-5G.

config wireless-controller wtp-profile edit “FAPU431F-default” config platform set type U431F set mode single-5G

end config radio-1 set band 802.11ax-5G

end config radio-2 set band 802.11ax

end config radio-3 set mode monitor

end

Changes in default values

Bug ID

Description

548906

Change default extension information setting in wtp-profile from disable to enable.

config wireless-controller wtp-profile edit <FAP-Profile> set ext-info-enable enable <== changed

end

585889

Change default platform type setting in wtp-profile from 220B to 221E.

config wireless-controller wtp-profile edit <New profile> config platform set type 221E <== changed

end

Changes in table size

Bug ID

Description

599271

Except for desktop models, all other platforms’ table size of VIP real servers are increased as follows:

l 1U platforms increased from 8 to 16 l 2U platforms increased from 32 to 64 l High-end platforms increased from 32 to 256

New features or enhancements

Bug ID	Description
529445	In wids-profile, add the new ap-scan-threshold setting, which is the minimum signal level of rogue APs detected and required by the managed FortiAP devices. Only the rogue APs with a signal level higher than the threshold will be reported to the FortiGate WiFi Controller. config wireless-controller wids-profile edit <WIDS-profile-name> set ap-scan enable set ap-scan-threshold “-80” next end The range of ap-scan-threshold, in dBm, is -95 to -20 (default = -90).
553372	Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labelled Fabric Connection. If either CAPWAP or FortiTelemetry were enabled on a particular interface, the new fabric option will be enabled after upgrading.
557614	FortiGate support for NSX-T v2.4: East/West traffic.
562394	Add support for EMS cloud: l Added CMDB attribute fortinet-one-cloud-authentication to FortiClient EMS table. l Added curl verbose diagnosis debugs to FortiClient NAC daemon for debug images. l Added fortiems-cloud option to type attribute in user.fsso table.
571639	Add support for tracking number of hits to a policy route: l Policy route hit counter and last used tag added to each policy displayed in diagnose firewall proute list command. l New CLI command diagnose firewall proute show, displays policy route hit counter and last used for a given proute id, (if 0, dumps all). l New CLI command diagnose firewall proute clear, clears policy route hit counter and last used for a given proute id, (if 0, clears all).
573568	Change public IP and routing table entries allocated in different resource groups in Azure HA. In an Azure HA scenario, the EIP and route table to fail over is specified in the SDN connector configuration. A new attribute, resource-group, is added to allow customers to specify the resource group that a EIP or route table is from. This new attribute can be empty so upgrade code is not needed. If the resource-group of the EIP or route table is not provided, it is assumed the resource comes from the same resource group as the SDN connector setting (if it is not set there, assume the same resource group as the FortiGate itself by getting it from the instance metadata).
579484	Limit OCVPN spoke to only join existing overlay.
580889	DPDK support on FortiOS VM platform.

New features or enhancements

Bug ID

Description

591567

Add support for additional SHA-2 algorithms with SNMPv3.

593148

Update interface-related pages to use AngularJS and muTable.

Interfaces list:

l Radio buttons in the top-right corner let users switch between grouping by type, role, and sort lists alphabetically have been removed. There is a dropdown instead with the following options:

l Group by type l Group by zone l Group by status, l Group by role l No grouping

l Zones do not support parent-child relationships anymore.

l The DHCP Server column has been divided into two separate columns, DHCP Clients and DHCP Ranges.

l CSF support has been added. When switching to a downstream device, both the list and the faceplate should update.

l For VDOMs, administrators can only view complete information about interfaces for the VDOM they are in. This applies even to administrators who have access to more than one VDOM.

l On devices that support VLAN switching, the VLAN Switch Mode toggle has been removed from the list page. It now shows up under System> Settings.

l Faceplates do not auto-refresh on page load anymore. For auto-refresh, users need to enable the muTable refresh feature from the button in the bottom-right corner.

Interfaces dialog:

l Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labelled Fabric Connection.

l The secondary IP address toggle has been moved from the Miscellaneous section to the Address section.

l A gutter has been added that displays the device hostname,the interface it belongs to, and relevant help links.

CLI changes:

l Consolidate fortitelemetry and capwap into fabric for allowaccess in system.interface.

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

Go to https://support.fortinet.com.
From the Download menu, select Firmware Images.
Check that Select Product is FortiGate.
Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version

Click Go.

Device detection changes

In FortiOS 6.0.x, the device detection feature contains multiple sub-components, which are independent:

Visibility – Detected information is available for topology visibility and logging.
FortiClient endpoint compliance – Information learned from FortiClient can be used to enforce compliance of those endpoints.
Device-based policies – Device type/category and detected devices/device groups can be defined as custom devices, and then used in device-based policies.

In 6.2, these functionalities have changed:

Visibility – Configuration of the feature remains the same as FortiOS 6.0, including FortiClient information. l FortiClient endpoint compliance – A new fabric connector replaces this, and aligns it with all other endpoint connectors for dynamic policies. For more information, see Dynamic Policy – FortiClient EMS (Connector) in the FortiOS 6.2.0 New Features Guide.
Mac-address-based policies – A new address type is introduced (Mac Address Range), which can be used in regular policies. The previous device policy feature can be achieved by manually defining MAC addresses, and then adding them to regular policy table in 6.2. For more information, see MAC Addressed-Based Policies in the FortiOS 6.2.0 New Features Guide.

If you were using device policies in 6.0.x, you will need to migrate these policies to the regular policy table manually after upgrade. After upgrading to 6.2.0:

Create MAC-based firewall addresses for each device.
Apply the addresses to regular IPv4 policy table.

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated. The FortiClient Compliance profile under the Security Profiles menu has been removed as has the Enforce FortiClient Compliance Check option under each interface configuration page. Endpoints running FortiClient 6.2.0 now register only with FortiClient EMS 6.2.0 and compliance is accomplished through the use of Compliance Verification Rules configured on FortiClient EMS 6.2.0 and enforced through the use of firewall policies. As a result, there are two upgrade scenarios:

Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License for their FortiClient EMS installation.
Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement, must upgrade the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

The FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language transforms and the FortiClient 6.2.0 for macOS standard installer are included with FortiClient EMS 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.3 greatly increases the interoperability between other Fortinet products. This includes:

FortiAnalyzer 6.2.3 l FortiClient EMS 6.2.0 l FortiClient 6.2.2 l FortiAP 5.4.4 and later l FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

If the Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.2.3. When the Security Fabric is enabled in FortiOS 6.2.3, all FortiGate devices must be running FortiOS 6.2.3.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.3 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.3 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox)

FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting) l LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

operation mode l interface IP/management IP l static route table l DNS settings l admin user account l session helpers l system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with 5.6.2 and older AWS VM versions. After downgrading a 6.2.3 image to a 5.6.2 or older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.3 to 5.6.2 or older versions, running the enhanced NIC driver is not allowed. The following AWS instances are affected:

C5d

C5n

I3en

Inf1 m4.16xlarge

M5a

M5ad M5d

M5dn

M5n

R5a

R5ad R5d

R5dn

R5n

T3a

u-6tb1.metal u-9tb1.metal u-12tb1.metal u-18tb1.metal u-24tb1.metal

X1 X1e z1d

A workaround is to stop the instance, change the type to a non-ENA driver NIC type, and continue with downgrading.

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.3, the interface allowaccess configuration on all managed FortiSwitches are overwritten by the default FortiGate local-access profile. You must manually add your protocols to the localaccess profile after upgrading to 6.2.3.

To configure local-access profile:

config switch-controller security-policy local-access edit [Policy Name] set mgmt-allowaccess https ping ssh set internal-allowaccess https ping ssh

end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch edit [FortiSwitch Serial Number] set switch-profile [Policy Name] set access-profile [Policy Name]

end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global set vdom-mode [no-vdom | split vdom]

end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
.out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

.out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any] end

FortiView widgets

FortiView widgets have been rewritten in 6.2.3. FortiView widgets created in previous versions are deleted in the upgrade.

Product integration and support

The following table lists FortiOS 6.2.3 product integration and support information:

Web Browsers	l Microsoft Edge 44 l Mozilla Firefox version 71 l Google Chrome version 78 Other web browsers may function correctly, but are not supported by Fortinet.
Explicit Web Proxy Browser	l Microsoft Edge 42 l Mozilla Firefox version 71 l Google Chrome version 78 l Microsoft Internet Explorer version 11 Other web browsers may function correctly, but are not supported by Fortinet.
FortiManager	See important compatibility information in Fortinet Security Fabric upgrade on page 22. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiManager before upgrading FortiGate.
FortiAnalyzer	See important compatibility information in Fortinet Security Fabric upgrade on page 22. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiAnalyzer before upgrading FortiGate.
FortiClient: l Microsoft Windows l Mac OS X l Linux	l 6.2.0 See important compatibility information in FortiClient Endpoint Telemetry license on page 22 and Fortinet Security Fabric upgrade on page 22. FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later. If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.
FortiClient iOS	l 6.2.0 and later
FortiClient Android and FortiClient VPN Android	l 6.2.0 and later
FortiAP	l 5.4.2 and later l 5.6.0 and later
FortiAP-S	l 5.4.3 and later l 5.6.0 and later
FortiAP-U	l 5.4.5 and later

FortiAP-W2	l 5.6.0 and later
FortiSwitch OS (FortiLink support)	l 3.6.9 and later
FortiController	l 5.2.5 and later Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
FortiSandbox	l 2.3.3 and later
Fortinet Single Sign-On (FSSO)	l 5.0 build 0287 and later (needed for FSSO agent support OU in group filters) l Windows Server 2019 Standard l Windows Server 2019 Datacenter l Windows Server 2019 Core l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2016 Core l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Windows Server 2012 Core l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2008 Core l Novell eDirectory 8.8
FortiExtender	l 4.1.2
AV Engine	l 6.00132
IPS Engine	l 5.00043
Virtualization Environments
Citrix	l XenServer version 7.1
Linux KVM	l Ubuntu 18.04.3 LTS l QEMU emulator version 2.11.1 (Debian 1:2.11+dfsg-1ubuntu7.21) l libvirtd (libvirt) 4.0.0
Microsoft	l Hyper-V Server 2012 R2, and 2016
Open Source	l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware	l ESX versions 4.0 and 4.1 l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7
VM Series – SR-IOV	The following NIC chipset cards are supported: l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language	GUI
English	✔
Chinese (Simplified)	✔
Chinese (Traditional)	✔
French	✔
Japanese	✔
Korean	✔
Portuguese (Brazil)	✔
Spanish	✔

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System

Installer

Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04 / 18.04 (32-bit & 64-bit)

2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System	Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)	Mozilla Firefox version 61 Google Chrome version 68
Microsoft Windows 10 (64-bit)	Microsoft Edge Mozilla Firefox version 61 Google Chrome version 68
Linux CentOS 6.5 / 7 (32-bit & 64-bit)	Mozilla Firefox version 54
OS X El Capitan 10.11.1	Apple Safari version 11 Mozilla Firefox version 61 Google Chrome version 68
iOS	Apple Safari Mozilla Firefox Google Chrome
Android	Mozilla Firefox Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product	Antivirus	Firewall
Symantec Endpoint Protection 11	✔	✔
Kaspersky Antivirus 2009	✔
McAfee Security Center 8.1	✔	✔
Trend Micro Internet Security Pro	✔	✔
F-Secure Internet Security 2009	✔	✔

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product	Antivirus	Firewall
CA Internet Security Suite Plus Software	✔	✔
AVG Internet Security 2011
F-Secure Internet Security 2011	✔	✔
Kaspersky Internet Security 2011	✔	✔
McAfee Internet Security 2011	✔	✔
Norton 360™ Version 4.0	✔	✔
Norton™ Internet Security 2011	✔	✔
Panda Internet Security 2011	✔	✔
Sophos Security Suite	✔	✔
Trend Micro Titanium Internet Security	✔	✔
ZoneAlarm Security Suite	✔	✔
Symantec Endpoint Protection Small Business Edition 12.0	✔	✔

Resolved issues

The following issues have been fixed in version 6.2.3. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID	Description
590092	Cannot clear scanunit vdom-stats to reset the statistics on ATP widget.
590170	Policy in flow mode blocking .JAR archive files.

Data Leak Prevention

Bug ID	Description
586689	Downloading a file with FTP client in EPSV mode will hang.
591676	Enable file filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

DNS Filter

Bug ID	Description
561297	DNS filtering does not perform well on the zone transfer when a large DNS zone’s AXFR response consists of one or more messages.
563441	7K DNS filter breaking DNS zone transfer.
574980	DNS translation is not working when request is checked against the local FortiGate.
583449	DNS filter explicit block all (wildcard FQDN) not working in 6.2 firmware.
586526	Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

Explicit Proxy

Bug ID	Description
504011	FortiGate does not generate traffic logs for SOCKS proxy.
588211	WAD cannot learn policy if multiple policies use the same FQDN address.
589065	FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.
589811	urfilter process does not started when adding a category as dstaddr in a proxy policy with the deny action.
590942	AV does not forward reply when GET for FTP over HTTP is used.

Firewall

Bug ID	Description
508015	Editing a policy in the GUI changes the FSSO setting to disable.
558996	FortiGate sends type-3 code-1 IP unreachable for VIP.
584451	NGFW default block page partially loads.
585073	Adding too many address objects to a local-in policy causes all blocking to fail.
585122	Should not be allowed to rename VIP or address with the same name as an existing VIP group or address group object.
590039	Samsung OEM internet browser cannot connect to FortiGate VS/VIP.
597110	When creating a firewall address with the associated-interface setting, CMD gets stuck if there is a large nested address group.

FortiView

Bug ID	Description
582341	On Policies page, consolidated policies are without names and tooltips; tooltips not working for security policies.

GUI

Bug ID	Description
282160	GUI does not show byte information for aggregate and VLAN interface.
303651	Should hide Override internal DNS option if vdom-dns is set to disable.
438298	When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.
451306	Add a tooltip for IPS Rate Based Signatures.
460698	There is no uptime information in the HA Status widget for the slave unit’s GUI.
467495	A wrong warning message appears that the source interface has no members after enabling an inserted proxy policy.
478472	Options 150, 15, and 51 for the DHCP server should not be shown after removing them and having no related configuration in the backend.
480731	Interface filter gets incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.
482437	SD-WAN member number is not correct in Interfaces page.
493527	Compliance events GUI page does not load when redirected from the advanced compliance page.
498892	GUI shows wrong relationship between VLAN and physical interface after adding them to a zone.
502962	Get “Fail to retrieve info” for default VDOM link on Network > Interfaces page.
505066	Not possible to select value for DN field in LDAP GUI browser.
510685	Hardware Switch row is shown indicating a number of interfaces but without any interfaces below.
514027	Cannot disable CORS setting on GUI.
531376	Get “Internal Server Error” when editing an aggregate link that has a name with a space in it.
534853	Suggest GUI Interfaces list includes SIT tunnels.
536718	Cannot change MAC address settting when configuring a reserved DHCP client.
536843	LACP aggregate interface flaps when adding/removing a member interface (first position in member list).
537307	“Failed to retrieve info” message appears for ha-mgmt-interface in Network > Interfaces.
538125	Hovering mouse over FortiExtender virtual interface shows incorrect information.
587673	On Proxy Policy page, the default view method (Interface PairView) is not clickable.
540098	GUI does not display the status for VLAN and loopback in the Network > Interfaces > Status column.
542544	In Log & Report, filtering for blank values (None) always shows no results.
544442	Virtual IPs page should not show port range dialog box when the protocol is ICMP.

Bug ID	Description
552811	Scripts pushed from FortiCloud do not show up in System > Advanced Settings when FortiCloud remote access is used.
553290	The tooltip for VLAN interfaces displays as “Failed to retrieve info”.
555687	Network mask of a VPN interface is changed to 255.255.255.255 without an actual configuration change.
559866	When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via the management tunnel.
560206	Change/remove FortiCloud standalone reference.
563053	Warning messages for third-party transceivers were removed in 6.2.1 to prevent excessive RMA or support tickets. In 6.2.2, warnings were re-added for third-party transceivers.
565748	New interface pair consolidated policy added via CLI is not displayed on GUI policy page.
566414	Application Name field shows vuln_id for custom signature, not its application name in logs.
567369	Cannot save DHCP Relay configuration when the Relay IP address list is separated by a comma.
571909	SSL VPN Settings page shows undefined error.
573456	FortiGate without disk email alert settings page should remove Disk usage exceeds option.
574101	Empty firmware version in managed FortiSwitch from FortiGate GUI.
582658	Email filter page keeps loading and cannot create a new profile when the VDOM admin only has emailfilter permission.
583049	Internal server error while trying to create a new interface.
584419	Issue with application and filter overrides.
584426	Add Selected button does not show up under FSSO Fabric Connector with custom admin profile.
584560	GUI does not have the option to disable the interface when creating a VLAN interface.
586604	No matching IPS signatures are found when Severity or Target filter is applied.
586749	Enable/disable Disarm and Reconstruction in the GUI only affects the SMTP protocol in AV profiles.
587091	When logged in as administrator with web filter read/write only privilege, the Web Rating Overrides GUI page cannot load.
588028	If the Endpoint Control feature is disabled, the exempt options for captive portal are not shown in the GUI.
588222	WAN Opt. Monitor displays Total Savings as negative integers during file transfers.
588665	Option to reset statistics from Monitor> WAN Opt. Monitor in GUI does not clear the counters.
589085	Web filter profile warning message when logged in with read/write admin on VDOM environment.
Bug ID	Description
592244	VIPs dialog page should be able to create VIP with the same extip/extport but different source IP address.
593433	DHCP offset option 2 has to be removed before changing the address range for the DHCP server in the GUI.
594162	Interface hierarchy is not respected in the GUI when a LAG interface belongs to SD-WAN and its VLANs belong to a zone.
594565	Wrong Sub-Category appears in the Edit Web Rating Override page.

Bug ID	Description
540718	Signal 14 alarm crashes were observed on DFA rebuild.
579018	IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.
586608	The CPU consumption of ipsengine gets high with customer configuration file.

Bug ID	Description
479780	Slave fails to send and receive HA heartbeat when configuring cfg-revert setting on FG-2500E.
540632	In HA, management-ip that is set on a hardware switch interface does not respond to ping after executing reboot.
575020	HA failing config sync on VM01 with error (slave and master have different hdisk status) when master is pre-configured.
581906	HA slave sending out GARP packets in 16-20 seconds after HA monitored interface failed.
585348	default-gateway injected by dynamic-gateway on PPP interface deleted by other interface down.
585675	exe backup disk alllogs ftp command causes FortiGate to enter conserve mode.
586004	Moving VDOM via GUI between virtual clusters causes cluster to go out of sync and VDOM state work/standby does not change.
586835	HA slave unable to get checksum from master. HA sync in Z state.
590931	Multiple PPPoE connections on a single interface does not sync PPPoE dynamic assigned IP and cannot start re-negotiation.

Intrusion Prevention IPsec VPN

Bug ID	Description
577502	OCVPN cannot register—status “Undefined”.
582251	IKEv2 with EAP peer ID authentication validation does not work.
582876	ADVPN connections from the hub disconnects one-by-one and IKE gets stuck.
584982	The customer is unable to log in to VPN with RADIUS intermittently.

Bug ID	Description
525328	External resource does not support no content length.
549660	WAD crash with signal 11.
573028	WAD crash causing traffic interruption.

Log & Report

Bug ID	Description
578057	Action field in traffic log cannot record security policy action—it shows the consolidated policy action.
580887	No traffic log after reducing miglogd child to 1.
586038	FortiOS 6.0.6 reports too long VPN tunnel durations in local report.
590598	Log viewer application control cannot show any logs (page is stuck loading).
590852	Log filter can return empty result when there are too many logs, but the filter result is small.
591152	IPS logs set srcintf(role)/dstinf(role) reversely at the time of IPS signature reverse pattern.
591523	When refreshing logs in GUI, some log_se processes are running extremely long and consuming CPU.
593907	Miglogd still uses the daylight savings time after the daylight savings end.
596278	sentdelta and rcvddelta showing 0 if syslog format is set to CSV.
599860	When logtraffic is set to all, existing sessions cannot change the egress interfaces when the routing table is updated with a new outgoing interface.

Proxy

Bug ID	Description
579400	High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC broken between wad and authd.
580592	Policy in proxy-based mode with AV and WAF profile denies access to Nginx with enabled gzip compression.
584719	WAD reads ftp over-limit multi-line response incorrectly.
587214	WAD crash for wad_ssl_port_on_ocsp_notify.
587987	In case of TLS 1.3 with certificate inspection and a certificate with an empty CN name, WAD workers would locate a random size for CN name and then cause unexpected high memory usage in WAD workers.
592153	Potential memory leak that will be triggered by certificate inspection CIC connection in WAD.
593365	WAD crash due to user learned from proxy not purged from the kernel when user is deleted from proxy or zone with empty interface member.
594237	Slow download speed in proxy-based mode compared to flow-based mode.
594725	WAD memory leak detected on cert_hash in wad_ssl_cert.
596012	Receive SSL fatal alert with source IP 0.0.0.0.

REST API

Bug ID	Description
587470	REST API to support revision flag.

Routing

Bug ID	Description
371453	OSPF translated type 5 LSA not flushed according to RFC-3101.
524229	SD-WAN health-check keep records useless logs under some circumstances.
570686	FortiOS 6.2.1 introduces asymmetric return path on the hub in SD-WAN after the link change due to SLA on the spoke.
582078	ISDB ID is changed after restoring the configuration under the situation where the FortiGate has a previous ISDB version.
584095	SD-WAN option of set gateway enable/set default enable override available on connected routes.
Bug ID	Description
584477	In transparent mode with asymmetric routing, packet in the reply direction does not use asymmetric route.
585027	There is no indication in proute if the SD-WAN service is default or not.
585325	IPv6 route cannot be inactive after link-monitor is down when link-monitor are set with ipv4 and ipv6.
587198	After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next hope.
587700	Routing monitor policy view cannot show source and destination data for SD-WAN route and wildcard destination.
587970	SD-WAN rules route-tag still used in service rule but not in diagnose sys virtual-wanlink route-tag-list.
589620	Link monitor with tunnel as srcintf cannot recover after remote server down/up.
592599	FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k.
593375	OSPF NSSA with multiple ASBRs losing valid external OSPF routes in upsteam neighbors as different ASBRs are power cycled.
593864	Routing table is not always updated when BGP gets an update with changed next hop.
594685	Unable to create the IPsec VPN directly in Network > SD-WAN.
595937	PPPoE interface bandwidth is mistakenly calculated as 0 in SD-WAN.

Security Fabric

Bug ID	Description
575495	FGCP dynamic objects are not populated in the slave unit.
586587	Security Fabric widget keeps loading when FortiSwitches are in a loop, or the FortiSwitch is in MCLAG mode.
587758	Invalid CIDR format shows as valid by the Security Fabric threat feed.
589503	Threat Feeds show the URL is invalid if there is a special character in the URL.
592344	CSF automation configuration cannot be synced to downstream from root.

SSL VPN

Bug ID	Description
525342	In some special cases, SSL VPN main state machine reads function pointer is empty that will cause SSL VPN daemon crash.
557806	Cannot fully load a website through SSL VPN bookmark.
570171	When accessing ACT application through SSL VPN web mode, the embedded calendar request gets wrong response and redirects to login page.
573787	SSL VPN web mode not displaying custom web application’s JavaScript parts.
576288	FSSO groups set in rule with SSL VPN interface.
578908	Fails to load bookmark site over SSL VPN portal.
580377	Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode.
583339	Support HSTS include SubDomains and preload option under SSL VPN settings.
584780	When the SSL VPN portal theme is set to red, the style is lost in the SSL VPN portal.
585754	A VPN SSL bookmark failed to load the Proxmox GUI interface.
586032	Unable to download report from an internal server via SSL VPN web mode connection.
586035	The policy “script-src ‘self'” will block the SSL VPN proxy URL.
587075	SAML login is not stable for SSL VPN, it requires restarting sslvpnd to enable the function.
588119	There is no OS support for the latest macOS Catalina version (10.15) when using SSL VPN tunnel mode.
588720	SSL VPN web portal bookmarks cannot resolve hostname.
589015	SSO does not correctly URL-encode POST-ed credentials.
590643	href rewrite has some issues with the customer’s JS file.
591613	https://outlook.office365.com cannot be accessed in SSLVPN web portal.
592318	After sslvpn proxy, some Kurim JS files run with an error.
592935	sslvpnd crashed on FortiGate.
593082	SSL VPN bookmark does not load Google Maps on internal server.
593641	Cannot access HTTPS bookmark, get a blank page.
593850	SSL VPN logs out after some users click through the remote application.
594160	Screen shot feature is not working though SSL VPN portal.
594247	Cannot access https://cdn.i-ready.com through SSL VPN web portal.
595920	SSL VPN web mode goes to 99% on a specific bookmark.
596273	sslvpnd worker process crashes, causing a zombie tunnel session.
Bug ID	Description
596843	Internal website not working in SSL VPN web mode.
597282	The latest FortiOS GUI does not render when accessing it by the SSL VPN portal.

Switch Controller

Bug ID	Description
581370	FortiSwitch managed by FortiGate not updating the RADIUS settings and user group in the FortiSwitch.
586299	Adding factory-reset device to HA fails with switch-controller.qos settings in root.
592111	FortiSwitch shows offline CAPWAP response packet getting dropped/failed after upgrading from 6.2.2.

System

Bug ID	Description
484749	TCP traffic with tcp_ecn tag cannot go through ipip ipv6 tunnel with NP6 offload enabled.
502387	X.509 certificate support required for FGFM portocol.
511790	Router info does not update after plugging out/plugging in USB modem.
528052	FortiGuard filtering services show as unavailable for read-only admin.
547712	HPE does not protect against DDoS attacks like flood on IKE and BGP destination ports.
556408	Aggregate link does not work for LACP mode active for FG-60E internal ports but works for wan1 and wan2 combination.
570759	RX/TX counters for VLAN interfaces based on LACP interface are 0.
572003	There was a hardware defect in an earlier revision of SSD used for FG-61E. When powering off then powering on in a very short time, the SSD may jump into ROM mode and cannot recover until a power circle.
573090	Making a change to a policy through inline editing is very slow with large table sizes.
573238	Session TTL expiry timer is not reset for VLAN traffic when offloading is enabled.
573973	ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.
577423	FG-80D and FG-92D kernel error in CLI during FortiGate boot up.
578259	FG-3980E VLANs over LAG interface show no TX/RX statistics.

Bug ID	Description
578608	High CPU usage due to dnsproxy process as high at 99%.
580038	Problems with cmdbsvr while handling a large number of FSSO address groups and security policies.
581496	FG-201E stops sending out packets and NP6lite is stuck.
581528	SSH/RDP sessions are terminated unexpectedly.
581998	Session clash event log found on FG-6500F when passing a lot of the same source IP ICMP traffic over load-balance VIP.
582520	Enabling offloading drops fragmented packets.
583199	fgfmsd crashed with signal 11 when some code accesses a VDOM that has been deleted, but does not check the return value from CMDB query.
583602	Script to purge and re-create a local-in-policy ran against the remote FortiGate directly (in the CLI) is causing auto-update issues.
586301	GUI cannot show default Fortinet logo for replacement messages.
586551	When an SD-WAN member is disabled or VWL is disabled, snmpwalk shows “No Such Object available on this agent at this OID” message.
587498	FortiGate sends ICMP type 3 code 3 (port unreachable) for UDP 500 and UDP 520 against vulnerability scan.
587540	Netflow traffic records sent with wrong interface index 0 (inputint = 0 and outputint = 0).
588035	Kernel crashes when sniffing packets on interfaces that are related to EMAC VLAN.
588202	FortiGate returns invalid configuration during FortiManager retrieving configuration.
589027	EMAC VLAN drops traffic when asymmetric roue enabled on internet VDOM.
589234	Local system DNS setting instead of DNS setting acquired from upstream DHCP server was assigned to client under management VDOM.
589517	Dedicated management CPU running on high CPU (soft IRQ).
589978	alertemail username length cannot go beyond 35 characters.
590295	OID for the IPsec VPN phase 2 selector only displays the first one on the list.
591466	Cannot change the mask for an existing secondary IP on interfaces.
592787	FortiGate got rebooted automatically due to kernel crash.
593606	diagnose hardware test suite all fails due to FortiLink loopback test.
594157	FortiGate accepts invalid configuration from FortiManager.
594499	Communication over PPPoE fails after installing PPPoE configuration from FortiManager.
595598	SOC4 devices may reboot by watchdog after upgrading to FortiOS 6.2.2 (build 6083). Affected platforms: FG-60F, FG-61F, FG-100F, and FG-101F.
596180	Constant DHCPD crashes.

Upgrade

Bug ID	Description
586793	Address objects have reference to old firewall policy after upgrading from 6.0.6 > 6.2.x NGFW policies.

Bug ID	Description
571212	Only one CPU core in AWS is being used for traffic processing.
577653	vMotion tasks cause connections to be dropped as sessions related to vMotion VMs do not appear on the destination VMX.

User & Device

Bug ID	Description
567831	Local FSSO poller regularly missing logon events.
583745	Wrong categorization of OS from device detection.
586334	Brief connectivity loss on shared service when RDP session is logged in to from local device.
586394	Authentication list entry is not created/updated after changing the client PC with another user in FSSO polling mode.
587293	The session to the SQL database is closed as timeout when a new user logs in to terminal server.
587519	fnbamd takes high CPU usage and user not able to authenticate.
587666	Mobile token authentication does not work for SSL VPN on SOC3 platforms. Affected models include: FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG81E-POE, FG-100E, FG-100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.
592241	Gmail POP3 authentication fails with certificate error since version 6.0.5.
592253	RADIUS state attribute truncated in access request when using third-party MFA (ping ID).
593116	Client PC matching multiple authentication methods (firewall, FSSO, RSSO, WSSO) may not be matched to NGFW policies correctly.
597496	Guest user log in expires after first log in and no longer works; user is not removed from the firewall authentication list after the set time.

Bug ID	Description
579708	Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.
582123	EIP does not failover if the master FortiGate is rebooted or stopped from the Alibaba Cloud console.
586954	FGCP cluster member reboots in infinite loop and hatalk daemon dumps the core with segmentation fault.
588436	Azure SDN connector unable to connect to Azure Kubneretes integrated with AAD.
589445	VM deployed in ESX platform with VMXNET3 does not show the correct speed and duplex settings.
590140	FG-VM-LENC unable to validate new license.
590149	Azure FortiGate crashing frequently when MLX4 driver RX jumbo.
590253	VLAN not working on FortiGate in a Hyper-V deployment.
590555	Allow PAYG AWS VM to bootstrap the configuration first before acquiring FortiCare license.
590780	Azure FortiGate-VM (BYOL) unable to boot up when loading a lower vCPU license than the instance’s vCPU.
591563	Azure autoscale not syncing after upgrading to 6.2.2.
592000	In Alibaba Cloud, multiple VPC route entries fail to switch when HA fails over.
592611	HA not fully failing over when using OCI.
593797	FG-VM64-AWS not responding to ICMP6 request when destination IPv6 address is in the neighbor cache entry.

Bug ID	Description
560904	In NGFW mode, Security Profiles GUI is missing Web Rating Overrides page.
581523	Wrong web filter category when using flow-based inspection.
587120	Administrator logged in with web filter read/write privilege cannot create or edit web filter profiles in the GUI.

VoIP

Bug ID	Description
582271	Add support for Cisco IP Phone keepalive packet.

Web Filter WiFi Controller

Bug ID	Description
520677	When editing a FortiAP profile on the FortiGate web UI, the previously selected SSID group(s) cannot be displayed.
555659	When FortiAP is managed with cross VDOM links, the WiFi client cannot join to SSID when autoasic-offload is enabled.
566054	Errors pop up while creating or editing as SSID.
567011	WPA2-Enterprise SSID should support acct-all-servers setting in RADIUS to send accounting messages to all servers.
567933	FortiAP unable to connect to FortiGate via IPsec VPN tunnel with dtls-policy clear-text.
572350	FortiOS GUI cannot support FAP-U431F and FAP-U433F profiles.
580169	Captive portal (disclaimer) redirect not working for Android phones.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID	CVE references
568788	FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference: l CVE-2007-6750
576090	FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference: l CVE-2019-17655
576941	FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference: l CVE-2019-15703
581663	FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference: l CVE-2019-9496
582538	FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference: l CVE-2019-17656

Known issues

The following issues have been identified in version 6.2.3. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID	Description
563250	Shared memory does not empty out properly under /tmp.

Data Leak Prevention

Bug ID	Description
591178	WAD fails to determine the correct file name when downloading a file from Nextcloud.

DNS Filter

Bug ID	Description
582374	License shows expiry date of 0000-00-00.

Endpoint Control

Bug ID	Description
538095	Compliance cannot work correctly due to the same MAC address reported by all devices.

Explicit Proxy

Bug ID	Description
594580	FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.
594598	Enabling proxy policies (+400) increases memory by 30% and up to 80% total.
603707	The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.
605209	LDAP ignores source-ip with web proxy Kerberos authentication.

Firewall

Bug ID	Description
593103	When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable message references the mapped address, not the external.
595044	Get new CLI signal 11 crash log when performing execute internet-service refresh.
598559	ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.
599253	GUI traffic shaper Bandwidth Utilization should use KBps units.
600644	IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.
601331	Virtual load-balance VIP and intermittent HTTP health check failures.
604886	Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

FortiView

Bug ID	Description
592309	FortiGate with double loop FortiSwitches—FortiView physical topology page cannot load; get “Failed to get FortiView data” error message.
599124	Ban IP under FortiView frequently fails.

GUI

Bug ID	Description
354464	AntiVirus profile in GUI should not override quarantine archive value.
514632	Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.
517744	Widget for CPU memory and sessions does not show real time diagram in 12-hours and 24-hours mode.
535099	GUI should add support for new MAC address filter in SSID dialog page.
541042	Log viewer forward traffic cannot support double negate filter (client side issue).
557786	GUI response is very slow when accessing Monitor> IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
563549	Recurring httpsd crash at [0x01f17bc0] => /bin/httpsd lh_char_hash (+0x0000).
564849	HA warning messsage, This FortiGate has taken overforthe master, remains after master takes back control.
565309	Application sroups improvements.
579711	Cannot run Security Rating due to disk issue (diagnose security-rating clean fails).
584314	NGFW mode should have a link to show all applications in the list.
584915	OK button missing on all pages (policy, interface, system settings) on Android mobile.
584939	VPN event logs shows incorrectly when adding two action filters and if the filter action filter contains “-“.
585055	High CPU utilization by httpsd daemon if there are too many API connections.
585924	Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.
589709	Status icon in Tunnel column on IPsec Tunnels page should be removed.
593899	Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.
598725	Login page shows random characters when system language is not English.
599284	pyfcgid crashed with signal 11 (Segmentation fault) received.
599401	FortiGuard quota category details displays No matching entries found for local category.
601568	Interface status is not displayed on faceplate when viewing from the System > HA page.
601653	When deleting an AV profile in the GUI, there is no confirmation message prompt.
602637	Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.
607972	FortiGate enters conserve mode when accessing Amazon AWS ISDB object.
601653	When deleting an AV profile in the GUI, there is no confirmation message prompt.
Bug ID	Description
606074	Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.
611436	FortiGate displays a hacked webpage after selecting an IPS log.

Bug ID	Description
588908	FG-3400E hasync reports the “Network is unreachable”.
598937	Local user creation causes HA to be out of sync for several minutes.
601550	Application hasync crashes several times.
602247	IP pool used in cross-AZ should not sync between the cluster members.
602266	The configuration of the SD-WAN interface gateway IP should not sync.
602406	In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the slave unit.

Intrusion Prevention

Bug ID	Description
565747	IPS engine 5.00027 has signal 11 crash.
586544	IPS intelligent mode not working when reflect sessions are created on different physical interfaces.
587668	IPS engine 5.00035 has signal 11 crash.

IPsec VPN

Bug ID	Description
589096	In IPsec after HA failover, performance regression and IKESAs is lost.
592361	Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.
594962	IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a nonFortiGate in a remote peer gateway.
Bug ID	Description
595810	Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.
597748	L2TP/IPsec VPN disconnects frequently.
604334	L2TP disconnection when transferring large files.

Bug ID	Description
584631	REST API admin with token unable to configure HA setting (via login session works).
599516	When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

Log & Report

Bug ID	Description
589782	IPS sensor log-attack-context output truncated.
593557	Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.
595151	Log filter for user name in UPN format is not consistent when the log location is set to FortiAnalyzer and local disk.
597494	In FIPS-CC mode, API access check returns 401 causing FortiAnalyzer to repeat the login (should return 403).
602459	GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.
605174	Incorrect sentdelta/rcvddelta in traffic log statistics for RTSP sessions.
606533	User observes FGT internal error while trying to log in from the web UI.

Proxy

Bug ID	Description
575224	WAD high memory usage from worker process causing conserve mode and traffic issues.
582475	WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

REST API Routing

Bug ID	Description
537354	BFD/BGP dropping when outbandwidth is set on interface.
580207	Policy route does not apply to local-out traffic.
593951	Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.
597733	IPv6 ECMP routes cannot be synchronized correctly to HA slave unit.
600332	SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.
600995	Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

Security Fabric

Bug ID	Description
599195	Unable to get consistent results from the security rating.
599474	FortiGate SDN connector not seeing all available tag name-value pairs.
604670	Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system’s timezone configuration.

SSL VPN

Bug ID	Description
505986	On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.
563022	SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.
594416	Accessing FortiGate GUI through SSL VPN web mode causes Network > Interfaces page to return an error.
595627	Cannot access some specific sites through SSL VPN web mode.
598659	SSL VPN daemon crash.
599668	In SSL VPN web mode, page keeps loading after user authenticates into internal application.
599671	In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.
Bug ID	Description
599960	RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.
600103	Sslvpnd crashes when trying to query a DNS host name without a period (.).
602645	SSL VPN Synology NAS web bookmark log in page does not work after upgrading to 6.2.3.
603957	SSL VPN LDAPS authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.
605699	Internal HRIS website dropdown list box not loading in SSL VPN web mode.

Switch Controller

Bug ID	Description
517663	For a managed FortiSwitch already running the latest GA image, Upgrade Available tag shows unexpectedly.
588584	GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.
605864	If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface looses its CAPWAP setting.
608231	LLDP policy did not download completely to the managed FortiSwitch 108Es.

System

Bug ID	Description
464340	EHP drops for units with no NP service module.
527459	SDN address filter unable to handle space character.
555616	TCP packets send wrong interface and high CPU.
563276	High memory usage on FortiGate 30E after upgrading firmware to 6.0.5.
576337	SNMP polling stopped when FortiManager API script executed onto FortiGate.
578031	FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.
582498	Traffic can be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS.
589079	QSFP interface goes down when the get system interface transceiver command is interrupted.
Bug ID	Description
592570	VLAN switch does not work on FG-100E.
592827	FortiGate is not sending DHCP request after receiving offer.
594018	Update daemon is locked to one resolved update server.
594577	Out of order packets for an offloaded multicast stream.
594865	diagnose internet-service match does not return the IP value of the IP reputation database object.
594871	Potential memory leak triggered by FTP command in WAD.
595338	Unable to execute ping6 when configuring execute ping6-options tos, except for default.
595467	Invalid multicast policy created after transparent VDOM restored.
598527	ISDB may cause crashes after downgrading FortiGate firmware.
598928	FortiGate restarts fgfm tunnel every two minutes when FortiManager is defined as FQDN.
600032	SNMP does not provide routing table for non-management VDOM.
602523	DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard DDNS are used.
602548	Some of the clients are not getting their IP through DHCP intermittently.
603194	NP multicast session remains after the kernel session is deleted.
603551	DHCPv6 relay does not work on FG-2200E.
604550	Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.
604699	Five FG-30Es and one FG-100D enter in conserve mode in a transparent mode deployment.
607015	Too many DNS lookups with global NTP server as global NTP server often changes its IP.
610900	Low throughput on FG-2201E for traffic with ECN flag enabled.

User & Device

Bug ID	Description
573317	SSO admin with a user name over 35 characters cannot log in after the first login.
580391	Unable to create MAC address-based policies in NGFW mode.
591461	FortiGate does not send user IP to TACACS server during authentication.
592047	GUI RADIUS test fails with vdom-dns configuration.
Bug ID	Description
596844	Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.
593361	No source IP option available for OCSP certificate checking.
594863	UPN extraction does not work for particular PKI.
605206	FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020.
605404	FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.
605437	FortiOS does not understand CMPv2 grantedWithMods response.
605950	RDP and other applications affected (freezing, disconnecting) after upgrading to 6.2.3 due to no session match error.

Bug ID	Description
575346	gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.
587180	FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.
587757	FG-VM image unable to be deployed on AWS with additional HDD(st1) disk type.
596742	Azure SDN connector replicates configuration from master to slave during configuration restore.
597003	Unable to bypass self-signed certificates on Chrome in macOS Catalina.
598419	Static routes are not in sync on FortiGate Azure.
599430	FG-VM-AZURE fails to boot up due to rtnl_lock deadlock.
600077	Randomly getting the vmxnet3 tx:hang error, which shuts down port2.
600975	Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.
601357	FortiGate VM Azure in HA has unsuccessful failover.
601528	License validation failure log message missing when using FortiManager to validate a VM.
603599	VIP in autoscale on GCP not syncing to other nodes.
605435	API call to associate elastic IP is triggered only when the unit becomes the master.
605511	FG-VM-GCP reboots a couple of times due to kernel panic.
606527	GUI and CLI interface dropdown lists are inconsistent.
608881	IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

Web Filter

Bug ID	Description
593203	Cannot enter a name for a web rating override and save—error message appears when entering the name.

WiFi Controller

Bug ID	Description
563630	Kernel panic observed on FWF-60E.
599690	Unable to perform COA with device MAC address for 802.1x wireless connection when usemanagement-vdom is enabled.
601012	When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

XenTools installation is not supported.
FortiGate-VM can be imported or deployed in only the following three formats:
XVA (recommended)
VHD l OVF
The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

Recipes for Sandbox inspection

Leave a reply

Recipes for Sandbox inspection

AntiVirus

The following recipes provide information about Sandbox inspection with AntiVirus:

Use FortiSandbox Appliance with AntiVirus

Feature overview

AntiVirus can use FortiSandbox to supplement its detection capabilities. In real-world situations, networks are always under the threat of zero-day attacks.

AntiVirus can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox’s analysis, the FortiGate can supplement its own antivirus database with FortiSandbox’s database to detect files determined as malicious/risky by FortiSandbox. This helps FortiGate’s AntiVirus to detect zero-day virus and malware whose signatures are not found in the FortiGate’s antivirus Database.

Support and limitations

FortiSandbox can be used with AntiVirus in both proxy-based and flow-based inspection modes.
With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
Submit only suspicious files to FortiSandbox for inspection. l Submit every file to FortiSandbox for inspection.
Do not submit anything. l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
Submit every file to FortiSandbox for inspection. l Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with an external block list, the following steps are required:

Enable FortiSandbox on the FortiGate.
Authorize FortiGate on the FortiSandbox.
Enable FortiSandbox inspection.
Enable use of the FortiSandbox database.

To enable FortiSandbox on the FortiGate:

Go to Global > Security Fabric > Settings.
Set the Sandbox Inspection toggle to the On
Enter the IP address of the FortiSandbox.
Add an optional NotifierEmail if desired.
At this point, selecting Test connectivity will return an unreachable status.

This is expected behavior because the FortiGate is not yet authorized by the FortiSandbox.

Select Apply to save the settings.

To authorize FortiGate on the FortiSandbox:

In the FortiSandbox Appliance GUI, go to Scan Input > Device.
Use the FortiGate serial number to quickly locate the desired FortiGate and select the link icon to authorize the FortiGate.
Enable the desired VDOM in the same manner.
The link icon changes from an open to closed link. This indicates that the FortiSandbox has authorized this FortiGate.
In the FortiGate GUI, go to Global > Security Fabric > Settings.
Select Test connectivity. FortiGate is now authorized and the status now displays as Connected.
FortiSandbox options are now displayed in the AV Profile

To enable FortiSandbox inspection:

Go to Security Profiles > AntiVirus.
Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
Select Apply.

To enable use of the FortiSandbox database:

Go to Security Profiles > AntiVirus
Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On
Select Apply.

Diagnostics and Debugging

Debug on the FortiGate side l Update daemon:

FGT_PROXY (global) # diagnose debug application quarantined -1 FGT_PROXY (global) # diagnose debug enable

quar_req_fsa_file()-890: fsa ext list new_version (1547781904) quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0

__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=99

quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0

__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0

__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1 quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1 quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2). quar_put_job_req()-332: Job 337 deleted

quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0

__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name= __quar_send()-470: dev buffer — pos=0, len=98 …

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1

quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1 quar_store_analytics_report()-590: Analytics-report return

file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735

quar_store_analytics_report()-597: The request

’83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18′ score is 1 quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1). quar_put_job_req()-332: Job 2 deleted quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)

[193] __ssl_data_ctx_free: Done

[805] ssl_free: Done

[185] __ssl_cert_ctx_free: Done

[815] ssl_ctx_free: Done

[796] ssl_disconnect: Shutdown l Appliance FortiSandbox diagnostics:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose test application quarantined 1

Total remote&local devices: 8, any task full? 0 System have disk, vdom is enabled, mgmt=1, ha=2

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is disabled. fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled. l Checking FortiSandbox analysis statistics:

FGT_PROXY (global) # diagnose test application quarantine 7 Total: 0

Statistics: vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

FGT_PROXY (global) #

Debug on the FortiSandbox side l Appliance FortiSandbox OFTP debug:

> diagnose-debug device FG101E4Q17002429

[2019/01/31 00:48:21] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=2 detected=2 risk_low=0 risk_ med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 0

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 1795

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 595

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: root

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 4

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=0 detected=0 risk_low=0 risk_ med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: av, ENTRY_VERSION: 1795,

PACKAGE_PATH: /Storage/malpkg/pkg/avsig/avsigrel_1795.pkg

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: url, ENTRY_VERSION: 595,

PACKAGE_PATH: /Storage/malpkg/pkg/url/urlrel_595.pkg.gz

[2019/01/31 00:48:29] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:32] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:59] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:49:03] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

Use FortiSandbox Cloud with AntiVirus

Feature overview

FortiCloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance.

FortiCloud Sandbox works the same way as the physical FortiSandbox appliance.

Starting from FortiOS 6.2, the FortiCloud Sandbox allows users to control the region where their traffic is sent to for analysis. This allows users to meet their country’s compliances regarding data’s storage location.

Support and limitations

Starting from FortiOS 6.2, users no longer require a FortiCloud account to use FortiCloud Sandbox. l Without a valid AVDB license, FortiGate devices are limited to 100 FortiCloud submissions per day.
Unlimited FortiCloud submissions are allowed if the FortiGate has a valid AVDB license.
There is a limit on how many submissions are sent per minute.
Per minute submission rate is based on the FortiGate model.
FortiSandbox can be used with AntiVirus in both proxy-based and flow-based policy inspection modes.
With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
Submit only suspicious files to FortiSandbox for inspection. l Submit every file to FortiSandbox for inspection.
Do not submit anything. l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
Submit every file to FortiSandbox for inspection. l Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with an external block list, the following steps are required:

Through FortiCare/FortinetOne, registerthe FortiGate device and purchase a FortiGuard AntiVirus license.
Enable FortiCloud Sandbox on the FortiGate.
Enable FortiSandbox inspection.
Enable the use of the FortiSandbox database.

To obtain or renew an AVDB license:

Please see the video How to Purchase orRenew FortiGuard Services for FortiGuard AntiVirus license purchase instructions.
Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud license.
1. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.
2. Users can also view this indicator at Global > System > FortiGuard.

Enable FortiCloud Sandbox on the FortiGate:

Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On
Select FortiSandbox Cloud and choose a region from the dropdown list.
Select Apply to save the settings.
When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox’s current database version is displayed.

Enable FortiSandbox inspection:

Go to Security Profiles > AntiVirus.
Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
Select Apply.

Enable the use of the FortiSandbox database:

Go to Security Profiles > AntiVirus.
Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On
Select Apply.

Diagnostics and debugging

Debug on FortiGate side

l Checking FortiCloud controller status:

FGT_FL_FULL (global) # diagnose test application forticldd 2

Server: log-controller, task=0/10, watchdog is off

Domain name: logctrl1.fortinet.com

Address of log-controller: 1

172.16.95.168:443

Statistics: total=3, discarded=1, sent=2, last_updated=12163 secs ago http connection: is not in progress

Current address: 172.16.95.168:443

Calls: connect=9, rxtx=12

Current tasks number: 0

Account: name=empty, status=0, type=basic

Current volume: 0B

Current tasks number: 0

Update timer fires in 74240 secs l Checking Cloud APT server status:

FGT_FL_FULL (global) # diagnose test application forticldd 3 Debug zone info:

Domain:

Home log server: 0.0.0.0:0

Alt log server: 0.0.0.0:0

Active Server IP: 0.0.0.0

Active Server status: down

Log quota: 0MB

Log used: 0MB

Daily volume: 0MB

fams archive pause: 0

APTContract : 1 <====

APT server: 172.16.102.51:514 <====

APT Altserver: 172.16.102.52:514 <====

Active APTServer IP: 172.16.102.51 <====

Active APTServer status: up <==== l Cloud FortiSandbox diagnostics:

FGT_FL_FULL (global) # diagnose test application quarantine 1

Total remote&local devices: 4, any task full? 0 System have disk, vdom is enabled, mgmt=3, ha=1

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0 fortisandbox-fsb1 is disabled. fortisandbox-fsb2 is disabled. fortisandbox-fsb3 is disabled. fortisandbox-fsb4 is disabled.

fortisandbox-fsb5 is disabled. fortisandbox-fsb6 is disabled. global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled.

l Checking FortiSandbox Cloud submission statistics:

FGT_FL_FULL (global) # diagnose test application quarantined 2 Quarantine daemon state:

QUAR mem: mem_used=0, mem_limit=97269, threshold=72951

dropped(0 by quard, 0 by callers)

pending-jobs=0, tot-mem=0, last_ipc_run=12353, check_new_req=1 alloc_job_failed=0, job_wrong_type=0, job_wrong_req_len=0, job_invalid_qfd=0 tgz_create_failed=0, tgz_attach_failed=0, qfd_mmap_failed=0, buf_attached=0 xfer-fas:

ips: total=0, handled=0, accepted=0 quar: total=0, handled=0, accepted=0 archive: total=0, handled=0, accepted=0 analytics: total=0, handled=0, accepted=0, local_dups=0 analytics stats: total=0, handled=0, accepted=0 last_rx=0, last_tx=0, error_rx=0, error_tx=0

max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0

forticloud-fsb:

ips: total=0, handled=0, accepted=0 quar: total=0, handled=0, accepted=0 archive: total=0, handled=0, accepted=0

analytics: total=0, handled=0, accepted=0, local_dups=0

num_buffer=0(per-minute:10) last_min_count=0 last_vol_count=0 next_vol_reset_tm=’Sun Feb 17 00:00:00 2019

‘ analytics stats: total=24, handled=24, accepted=24 last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0 max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0

l Checking FortiSandbox analysis statistics:

FGT_FL_FULL (global) # diagnose test application quarantine 7 Total: 0

Statistics: vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

FGT_FL_FULL (global) # l Update Daemon debug:

FGT_FL_FULL (global) # diagnose debug application quarantined -1 FGT_FL_FULL (global) # diagnose debug enable