Category Archives: FortiOS 6

FortiOS 6 – Web Filtering

Web filter

This section describes FortiGate web filtering for HTTP traffic. The three main parts of the web filtering function, the Web Content Filter, the URL Filter, and the FortiGuard Web Filtering Service interact with each other to provide maximum control over what users on your network can view as well as protection to your network from many Internet content threats. Web Content Filter blocks web pages containing words or patterns that you specify. URL filtering uses URLs and URL patterns to block or exempt web pages from specific sources. FortiGuard Web Filtering provides many additional categories you can use to filter web traffic.
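As an added illustration (not FortiOS code and not from the page's author), the following Python models how a static URL filter and a web content filter of the kind described above combine: URL entries are checked first, in order, an exempt match ends inspection, a block match denies, and otherwise banned-word scores are summed against a threshold. The pattern types, the first-match rule, the score-once-per-page counting and the threshold comparison are assumptions of this example, and the sample profile and requests are constructed.

```python
"""Toy model (added example, not FortiOS code) of a static URL filter combined
with a web content filter.

Assumptions made here, not taken from the page:
  * URL filter entries are evaluated top to bottom; the first match wins.
  * Entry types: "simple" (exact host, or host+path prefix when the pattern
    contains a "/"), "wildcard" (shell-style * and ?), "regex" (Python re).
  * Actions: "exempt" ends all further filtering, "block" denies the request,
    "allow" and "monitor" let the request continue into content filtering.
  * Content filter: each banned word carries a score, counted once per page;
    the page is blocked when the summed score reaches the threshold.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    pattern: str
    kind: str    # "simple" | "wildcard" | "regex"
    action: str  # "exempt" | "block" | "allow" | "monitor"

    def matches(self, url: str) -> bool:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.netloc.lower()
        target = (parts.netloc + parts.path).lower()
        if self.kind == "simple":
            pat = self.pattern.lower()
            if "/" not in pat:
                return host == pat
            return target == pat or target.startswith(pat.rstrip("/") + "/")
        if self.kind == "wildcard":
            subject = host if "/" not in self.pattern else target
            return fnmatch.fnmatchcase(subject, self.pattern.lower())
        if self.kind == "regex":
            return re.search(self.pattern, target) is not None
        raise ValueError(f"unknown URL entry type: {self.kind}")


@dataclass
class BannedWord:
    pattern: str
    score: int
    regex: bool = False  # plain words match on word boundaries, case-insensitively

    def found_in(self, body: str) -> bool:
        pat = self.pattern if self.regex else r"\b" + re.escape(self.pattern) + r"\b"
        return re.search(pat, body, re.IGNORECASE) is not None


@dataclass
class WebFilterProfile:
    url_entries: list = field(default_factory=list)
    banned_words: list = field(default_factory=list)
    content_threshold: int = 10


def evaluate(profile: WebFilterProfile, url: str, body: str) -> tuple:
    """Return (verdict, reason) where verdict is "pass" or "block"."""
    for entry in profile.url_entries:
        if entry.matches(url):
            if entry.action == "exempt":
                return "pass", f"URL exempt by {entry.kind} entry {entry.pattern!r}"
            if entry.action == "block":
                return "block", f"URL blocked by {entry.kind} entry {entry.pattern!r}"
            break  # allow / monitor: continue to the content filter
    hits = [w for w in profile.banned_words if w.found_in(body)]
    score = sum(w.score for w in hits)
    if score >= profile.content_threshold:
        words = ", ".join(w.pattern for w in hits)
        return "block", f"content score {score} >= {profile.content_threshold} ({words})"
    return "pass", f"content score {score} below threshold"


# Constructed sample profile and requests (not from any real deployment).
SAMPLE_PROFILE = WebFilterProfile(
    url_entries=[
        UrlEntry("updates.example.com", "simple", "exempt"),
        UrlEntry("*.badsite.example", "wildcard", "block"),
        UrlEntry(r"^[^/]+/download/.*\.exe$", "regex", "block"),
        UrlEntry("intranet.example.com/hr", "simple", "allow"),
    ],
    banned_words=[BannedWord("casino", 6), BannedWord("poker", 5),
                  BannedWord(r"gambl\w+", 4, regex=True)],
)

if __name__ == "__main__":
    for url, body in [
        ("http://updates.example.com/download/patch.exe", ""),
        ("http://www.badsite.example/index.html", "welcome"),
        ("http://files.example.org/download/tool.exe", ""),
        ("http://news.example.org/", "casino poker night"),
        ("http://news.example.org/", "online gambling"),
    ]:
        print(url, "->", evaluate(SAMPLE_PROFILE, url, body))
```

Note how the exempt entry for updates.example.com wins over the later regex entry that would otherwise block the .exe download: entry order, not specificity, decides.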

This Handbook chapter includes Inside FortiOS: Web Filtering and provides readers an overview of the features and benefits of key FortiOS 5.6 components.

For further detail than the Inside FortiOS document, we provide the following topics:

Web filter concepts

Inspection modes

FortiGuard Web Filtering Service

Configuring web filter profiles

Overriding FortiGuard website categorization

Using cookies to authenticate users in a Web Filter override

Web Profile Overrides

SafeSearch

YouTube Education Filter

Static URL filter

Web content filter

Web filtering example

Advanced web filter configurations

Web filter concepts

Web filtering is a means of controlling the content that an Internet user is able to view. With the popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security. Important reasons for controlling web content include:

  • lost productivity because employees are accessing the web for non-business reasons
  • network congestion: when valuable bandwidth is used for non-business purposes, legitimate business applications suffer
  • loss or exposure of confidential information through chat sites, non-approved email systems, instant messaging, and peer-to-peer file sharing
  • increased exposure to web-based threats as employees surf non-business-related web sites
  • legal liability when employees access/download inappropriate and offensive material
  • copyright infringement caused by employees downloading and/or distributing copyrighted material.

As the number and severity of threats increase on the World Wide Web, the risk potential increases within a company’s network as well. Casual non-business related web surfing has caused many businesses countless hours of legal litigation as hostile environments have been created by employees who download and view offensive content. Web-based attacks and threats are also becoming increasingly sophisticated. Threats and web-based applications that cause additional problems for corporations include:

  • spyware/grayware
  • phishing
  • pharming
  • instant messaging
  • peer-to-peer file sharing
  • streaming media
  • blended network attacks.

Spyware, also known as grayware, is a type of computer program that attaches itself to a user’s operating system. It does this without the user’s consent or knowledge. It usually ends up on a computer because of something the user does such as clicking on a button in a pop-up window. Spyware can track the user’s Internet usage, cause unwanted pop-up windows, and even direct the user to a host web site. For further information, visit the FortiGuard Center.

Some of the most common types of grayware infection occur when:

  • downloading shareware, freeware, or other forms of file-sharing services
  • clicking on pop-up advertising
  • visiting legitimate web sites infected with grayware.

Phishing is the term used to describe attacks that use web technology to trick users into revealing personal or financial information. Phishing attacks use web sites and email that claim to be from legitimate financial institutions to trick the viewer into believing that they are legitimate. Although phishing is initiated by spam email, getting the user to access the attacker’s web site is always the next step.

Pharming is a next generation threat that is designed to identify and extract financial and other key pieces of information for identity theft. Pharming is much more dangerous than phishing because it is designed to be completely hidden from the end user. Unlike phishing attacks that send out spam email requiring the user to click to a fraudulent URL, pharming attacks require no action from the user outside of their regular web surfing activities. Pharming attacks succeed by redirecting users from legitimate web sites to similar fraudulent web sites that have been created to look and feel like the authentic web site.

Instant messaging presents a number of problems. Instant messaging can be used to infect computers with spyware and viruses. Phishing attacks can be made using instant messaging. There is also a danger that employees may use instant messaging to release sensitive information to an outsider.

Peer-to-peer (P2P) networks are used for file sharing, and the shared files may contain viruses. Peer-to-peer applications not only take up valuable network resources and may lower employee productivity, but also carry legal implications when copyrighted or sensitive company material is downloaded.

Streaming media is a method of delivering multimedia, usually in the form of audio or video to Internet users. Viewing streaming media impacts legitimate business by using valuable bandwidth.

Blended network threats are rising and the sophistication of network threats is increasing with each new attack. Attackers learn from each successful attack and enhance and update their attack code to become more dangerous and to spread faster. Blended attacks use a combination of methods to spread and cause damage. Using virus or network worm techniques combined with known system vulnerabilities, blended threats can quickly spread through email, web sites, and Trojan applications. Examples of blended threats include Nimda, Code Red, Slammer, and Blaster. Blended attacks can be designed to perform different types of attacks, which include disrupting network services, destroying or stealing information, and installing stealthy backdoor applications to grant remote access.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiOS 6 – Inspection Modes

Inspection modes

You can select one of two inspection modes from the System > Settings page to control the security profile inspection mode for your FortiGate or VDOM.

  • Proxy-based inspection, that reconstructs content passing through the FortiGate unit and inspects the content for security threats, or
  • Flow-based inspection, that takes a snapshot of content packets and uses pattern matching to identify security threats in the content.

Each inspection component plays a role in the processing of traffic en route to its destination. Having control over flow and proxy mode is helpful if you want to be sure that only flow inspection mode is used (and that proxy inspection mode is not used). In most cases proxy mode is preferred because more security profile features are available, with more configuration options for each of those features. Yet, some implementations may require all security profile scanning to use only flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used. While both modes offer significant security, proxy-based inspection provides more features and flow-based inspection is designed to optimize performance.

This section addresses the following topics:

Proxy-based inspection

Flow-based inspection

Changing between proxy and flow mode

Comparison of inspection types

Proxy-based inspection

If a FortiGate or VDOM is configured for proxy-based inspection, then a mixture of flow-based and proxy-based inspection occurs. Traffic initially encounters the IPS engine, which applies single-pass IPS, Application Control, and CASI, if configured in the firewall policy accepting the traffic.

The traffic is then sent for proxy-based inspection. Proxy-based inspection extracts and caches content, such as files and web pages, from a content session and inspects the cached content for threats. Content inspection takes place in the following order: VoIP inspection, DLP, AntiSpam, Web Filtering, AntiVirus, and ICAP.

If no threat is found, the proxy relays the content to its destination. If a threat is found, the proxy can block the threat and send a replacement message in its stead. The proxy can also block VoIP traffic that contains threats.

Transparent web proxy mode

In proxy mode, FortiOS 5.6 functions just like FortiOS 5.4 with the addition of the new Transparent Web Proxy mode. See New Operating mode for Transparent web proxy in What’s New in FortiOS 5.6.

Flow-based inspection

Flow-based inspection identifies and blocks security threats in real time, using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats.

If a FortiGate or a VDOM is configured for flow-based inspection, depending on the options selected in the firewall policy that accepted the session, flow-based inspection can apply IPS, Application Control, Web Filtering, DLP, and AntiVirus. Flow-based inspection is all done by the IPS engine and, as you would expect, no proxying is involved.

All of the applicable flow-based security modules are applied simultaneously in one single pass, and pattern matching is offloaded and accelerated by CP8 or CP9 processors. IPS, Application Control, flow-based Web Filtering, and flow-based DLP filtering happen together. Flow-based AntiVirus scanning caches files during protocol decoding and submits cached files for virus scanning while the other matching is carried out.

Flow-based inspection typically requires fewer processing resources than proxy-based inspection and does not change packets, unless a threat is found and packets are blocked. Flow-based inspection cannot apply as many features as proxy inspection. For example, flow-based inspection does not support client comforting and some aspects of replacement messages.

In FortiOS 5.6, flow-based inspection requires the new NGFW mode.

Changing between proxy and flow mode

You can see which inspection mode your FortiGate is using by looking at the System Information widget on your Dashboard.

To change inspection modes, go to System > Settings and scroll down to Inspection Mode. You can select Flow-based to operate in Flow mode or Proxy to operate in Proxy mode.

When you select Flow-based, all proxy mode profiles are converted to flow mode, removing any proxy settings. As well proxy mode only features (for example, Web Application Profile) are removed from the GUI.

In addition, selecting Flow-based inspection will cause the Explicit Web Proxy and Explicit FTP Proxy features to be removed from the GUI and the CLI. This includes Explicit Proxy firewall policies.

When you select Flow-based you can only configure Virtual Servers (under Policy & Objects > Virtual Servers) with Type set to HTTP, TCP, UDP, or IP.

If required, you can change back to proxy mode through the System > Settings page.

If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Use the top left drop-down menu to go to Global > System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode.

From the GUI, you can only configure antivirus and web filter security profiles in proxy mode. From the CLI you can configure flow-based antivirus profiles, web filter profiles and DLP profiles and they will appear on the GUI and include their inspection mode setting. Also, flow-based profiles created when in flow mode are still available when you switch to proxy mode.

NGFW profile-based and NGFW policy-based modes

When you select Flow-based as the Inspection Mode, you have the option in FortiOS 5.6 to select an NGFW Mode. NGFW Profile-based mode works the same as flow-based mode did in FortiOS 5.4.

When selecting NGFW policy-based mode you can also select the SSL/SSH Inspection mode that is applied to all policies.

In the new NGFW Policy-based mode, you add applications and web filtering profiles directly to a policy without having to first create and configure Application Control or Web Filtering profiles. See NGFW Policy Mode.

When you change to flow-based inspection, all proxy mode profiles are converted to flow mode, removing any proxy settings. Proxy-mode only features (for example, Web Application Profile) are also removed from the GUI.

If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Go to System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode.

CLI syntax

The following CLI commands can be used to configure inspection and NGFW (called “policy” in the CLI) modes:

    config system settings
        set inspection-mode {proxy | flow}
        set policy-mode {standard | ngfw}
    end

Comparison of inspection types

The tables in this section show how different security features map to different inspection types and present the strengths and weaknesses of proxy- vs. flow-based inspection.

Security profile features mapped to inspection mode

The table below lists FortiOS security profile features and shows whether they are available in flow-based or proxy-based inspection modes.

Security Profile Feature        Flow-based inspection   Proxy-based inspection
AntiVirus                       x                       x
Web Filter                      x                       x
DNS Filter                      x                       x
Application Control             x                       x
Intrusion Protection            x                       x
Anti-Spam                                               x
Data Leak Protection                                    x
VoIP                                                    x
ICAP                                                    x
Web Application Firewall                                x
FortiClient Profiles            x                       x
Proxy Options                   x                       x
SSL Inspection                  x                       x
SSH Inspection                                          x
Web Rating Overrides            x                       x
Web Profile Overrides                                   x

Individual security profile considerations

In flow mode, AntiVirus and Web Filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

Application control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply time out rather than display the warning, or replacement, message. However, Application Control will still function.

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

Setting flow or proxy mode doesn’t change the settings available from the CLI. However, when in flow mode you can’t save security profiles that are set to proxy mode.

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn’t recommended because the setting will not be visible from the GUI.

If, in flow-based mode, you want to use external FortiWeb or FortiMail servers, you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add that Web Application Firewall or Anti-Spam profile to a firewall policy.

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

Antivirus features in proxy and flow mode

Feature                                                     Proxy   Flow
Scan Mode (Quick or Full)                                   no      yes
Detect viruses (Block or Monitor)                           yes     yes
Inspected protocols                                         yes     no (all relevant protocols are inspected)
Inspection Options                                          yes     yes (not available for quick scan mode)
Treat Windows Executables in Email Attachments as Viruses   yes     yes
Send Files to FortiSandbox Appliance for Inspection         yes     yes
Use FortiSandbox Database                                   yes     yes
Include Mobile Malware Protection                           yes     yes

Web filter features in proxy and flow mode

Feature                                                        Proxy   Flow
FortiGuard category based filter                               yes     yes (show, allow, monitor, block)
Category Usage Quota                                           yes     no
Allow users to override blocked categories (on some models)    yes     no
Search Engines                                                 yes     no
  Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex        yes     no
  Restrict YouTube Access                                      yes     no
  Log all search keywords                                      yes     no
Static URL Filter                                              yes     yes
  Block invalid URLs                                           yes     no
  URL Filter                                                   yes     yes
  Block malicious URLs discovered by FortiSandbox              yes     yes
  Web Content Filter                                           yes     yes
Rating Options                                                 yes     yes
  Allow websites when a rating error occurs                    yes     yes
  Rate URLs by domain and IP Address                           yes     yes
  Block HTTP redirects by rating                               yes     no
  Rate images by URL                                           yes     no
Proxy Options                                                  yes     no
  Restrict Google account usage to specific domains            yes     no
  Provide details for blocked HTTP 4xx and 5xx errors          yes     no
  HTTP POST Action                                             yes     no
  Remove Java Applets                                          yes     no
  Remove ActiveX                                               yes     no
  Remove Cookies                                               yes     no
  Filter Per-User Black/White List                             yes     no

AntiVirus scanning differences between versions of FortiOS 5.x

In FortiOS 5.0, 5.2, 5.4, 5.6 and 6.0, there are several AntiVirus (AV) scanning inspection modes available. FortiOS 5.0 includes proxy and flow-based virus scanning. FortiOS 5.2 also uses proxy-based and flow-based scanning, but the flow-based mode in FortiOS 5.2 uses a new approach to flow-based scanning (sometimes called deepflow or deep flow scanning). FortiOS 5.4 and onward offer another flow-based mode, quick mode, to inspect traffic efficiently.

The databases used for AV scanning do not change from proxy to flow mode unless quick mode is enabled. In flow-based quick mode, a compact antivirus database is used.

AntiVirus scanning examines files in HTTP, HTTPS, email, and FTP traffic for threats as they pass through your FortiGate. If the traffic contains compressed files, they are also examined. Go to the SysAdmin Note on the Fortinet Cookbook site for detailed information on supported compression formats in antivirus scanning.

If the AV scanner finds a threat such as a virus or some other malware, FortiOS protects your network by blocking the file.

FortiOS includes a number of AntiVirus features that make virus scanning more user-friendly. One of these features, called replacement messages, sends a customizable message to anyone whose file is blocked by AV scanning, to explain what happened and why. Other features make communication between the client and the server more seamless. The availability of these features depends on the inspection mode.

Proxy-based AV scanning

Proxy-based AV scanning is the most feature-rich AV scanning mode. This mode uses a proxy to manage the communication between client and server. The proxy extracts content packets from the data stream as they arrive and buffers the content until the complete file is assembled. Once the file is whole, the AV scanner examines the file for threats. If no threats are found, the file is sent to its destination. If a threat is found, the file is blocked.

Because proxy-based scanning is applied to complete files, including compressed files, it provides very effective threat detection. Proxy-based scanning also supports a full range of features, including replacement messages and client comforting, making proxy-based scanning the most user friendly inspection mode. In addition, the proxy manages the communication between the client and the server, improving the user experience. For example, in flow mode if a virus is found, the last part of the file is not downloaded and the connection just times out, so the user cannot tell what is going on. In proxy mode, the user gets a message about the file being blocked.

Proxy-based scanning inspects all files under the oversized threshold. Since the FortiGate unit has a limited amount of memory, files larger than a certain size do not fit within the memory buffer. The default buffer size is 10 MB. You can use the uncompsizelimit CLI command to adjust the size of this memory buffer. Files larger than the threshold are passed to the destination without scanning. You can use the Oversized File/Email setting in Security Profiles > Proxy Options to block files larger than the antivirus buffer if allowing files that are too large to be scanned is an unacceptable security risk.

During the buffering and scanning procedure, the client must wait. With a default configuration, the file is released to the client only after it is scanned. You can enable client comforting in the Proxy Options security profile to feed the client a trickle of data to prevent them from possibly thinking the transfer is stalled and consequently canceling the download.

Flow-based AV scanning

Although the name “flow-based scanning” is used in FortiOS 5.0, 5.2, 5.4, and 5.6, the different versions handle this mode in very different ways.

Flow AV in FortiOS 5.4 and 5.6

In FortiOS 5.4 and 5.6, there are two modes available for flow-based virus scanning: Quick and Full scan mode. Full mode is the same as flow-based scanning in FortiOS 5.2 (see below). Quick mode uses a compact antivirus database and advanced techniques to improve performance. You can designate quick or full scan mode when configuring the antivirus profile in the GUI. Alternatively, use the following CLI command to enable quick or full mode:

    config antivirus profile
        edit <profile>
            set scan-mode {quick | full}
        next
    end

Flow AV in FortiOS 5.2 (deepflow or deep flow)

FortiOS 5.2 introduced a new type of flow-based AV scanning, sometimes called deepflow or deep flow, that takes a hybrid approach where content packets are buffered while simultaneously being sent to their destination. When all of the file's packets have been collected and buffered, but before the final packet is delivered, the buffered file is scanned. If a threat is found, the last packet is blocked and the client application has to deal with not getting the completed file. If no threat is found, the final packet is sent and the user gets their file.

Deepflow AV scanning is as good as proxy-based AV scanning at detecting threats. There may be a small performance advantage over proxy-based AV as files get larger based on the difference between sending the whole file after analysis and just sending the last packet. Deepflow’s most notable limitation is that, just like the flow-based AV in 5.0, it does not support many of the user-friendly features provided by proxy-based AV.

Flow AV in FortiOS 5.0

In FortiOS 5.0, flow-based AV scanning examines the content of individual data packets as they pass through the FortiGate. There is no proxy involved so packets are not changed by the proxy and files are not buffered for analysis. Potentially less memory and CPU resources are used, resulting in a potential performance increase compared to using proxy-based mode. FortiOS 5.0 flow-based AV scanning is also not limited by file size.

Flow AV uses the IPS engine and the AV database and is effective at many kinds of threat detection; however, because it can only analyze what is in an individual packet rather than a complete file, flow-based scanning cannot detect some types of malware, including polymorphic code. Malware in documents, compressed files, and some archives are also less likely to be detected.

Flow AV does not actually block files; it stops delivering a file's packets once a threat has been detected. This means that parts of the file may already have been delivered when the threat is detected, and the recipient application is responsible for dealing with the partially complete content.

In addition, flow AV can be less user friendly. Replacement messages are not supported and clients may have to wait for sessions to time out without knowing why content has been blocked.


FortiOS 6 – Security profiles overview

Security profiles overview

The FortiGate line combines a number of security features to protect your network from threats. As a whole, these features, when included in a single Fortinet security appliance, are referred to as Security Profiles.

This overview addresses the following topics:

  • Traffic inspection
  • Content inspection and filtering
  • Security profile components
  • Security profiles/lists/sensors

Firewall policies limit access, and while this and similar features are a vital part of securing your network, they are not covered in this discussion of Security Profiles.

FortiOS 5.4 no longer supports FortiClient 5.0.

FortiOS 5.4.1 supports only FortiClient 5.4.1. Be sure to upgrade managed FortiClients before upgrading the FortiGate to 5.4.1.

FortiOS 5.2 can support FortiClient 5.0, but only if the FortiGate upgraded to FortiOS 5.2. Customers need to purchase a FortiClient 5.4 subscription-based FortiClient license.

Traffic inspection

When the FortiGate unit examines network traffic one packet at a time for IPS signatures, it is performing traffic analysis. This is unlike content analysis where the traffic is buffered until files, email messages, web pages, and other files are assembled and examined as a whole.

DoS policies use traffic analysis by keeping track of the type and quantity of packets, as well as their source and destination addresses.

Application control uses traffic analysis to determine which application generated the packet.

Although traffic inspection doesn’t involve taking packets and assembling the files they carry, the packets themselves can be split into fragments as they pass from network to network. These fragments are reassembled by the FortiGate unit before examination.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against content threats.

IPS signatures

IPS signatures can detect malicious network traffic. For example, the Code Red worm attacked a vulnerability in the Microsoft IIS web server. Your FortiGate’s IPS system can detect traffic attempting to exploit this vulnerability. IPS may also detect when infected systems communicate with servers to receive instructions.

IPS recommendations

  • Enable IPS scanning at the network edge for all services.
  • Use FortiClient endpoint IPS scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard IPS Updates and configure your FortiGate unit to receive push updates. This will ensure you receive new IPS signatures as soon as they are available.
  • Your FortiGate unit includes IPS signatures written to protect specific software titles from DoS attacks. Enable the signatures for the software you have installed and set the signature action to Block.
  • You can view these signatures by going to Security Profiles > Intrusion Prevention and selecting the [View IPS Signatures] link in the right-hand corner of the window.
  • Because it is critical to guard against attacks on services that you make available to the public, configure IPS signatures to block matching signatures. For example, if you have a web server, configure the action of web server signatures to Block.

Suspicious traffic attributes

Network traffic itself can be used as an attack vector or a means to probe a network before an attack. For example, SYN and FIN flags should never appear together in the same TCP packet. The SYN flag is used to initiate a TCP session while the FIN flag indicates the end of data transmission at the end of a TCP session.

The FortiGate unit has IPS signatures that recognize abnormal and suspicious traffic attributes. The SYN/FIN combination is one of the suspicious flag combinations detected in TCP traffic by the TCP.BAD.FLAGS signature.

The signatures that are created specifically to examine traffic options and settings, begin with the name of the traffic type they are associated with. For example, signatures created to examine TCP traffic have signature names starting with TCP.
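An added example (not FortiGate or Fortinet code) implementing the kind of check the page attributes to the TCP.BAD.FLAGS signature: it parses the flags byte of a raw TCP header and reports abnormal combinations. Only the SYN/FIN rule comes from the page; the other entries in BAD_FLAG_RULES are this example's own additions, and the sample headers are constructed inline.

```python
"""Added example (not FortiGate code): report abnormal TCP flag combinations,
as the page says the TCP.BAD.FLAGS signature does for SYN+FIN.

Only the SYN+FIN rule is taken from the page; the other rules below are this
example's additions, chosen because those combinations never occur in a
normal TCP exchange.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HEADER_LEN = 20  # fixed part of the header; options, if any, follow it

# (label, predicate over the six classic flag bits)
BAD_FLAG_RULES = [
    ("SYN+FIN", lambda f: f & TCP_SYN and f & TCP_FIN),
    ("SYN+RST", lambda f: f & TCP_SYN and f & TCP_RST),
    ("no flags set", lambda f: f == 0),
    ("FIN+PSH+URG without ACK", lambda f: f == TCP_FIN | TCP_PSH | TCP_URG),
]


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits (URG ACK PSH RST SYN FIN) of a TCP header."""
    if len(header) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    # !HHIIBBHHH: src port, dst port, seq, ack, data offset/reserved, flags,
    # window, checksum, urgent pointer
    _, _, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", header[:TCP_HEADER_LEN])
    return flags & 0x3F  # mask off ECE/CWR, which are legitimate in ECN-capable traffic


def check_tcp_header(header: bytes) -> list:
    """Return the labels of every BAD_FLAG_RULES entry the header's flags trigger."""
    flags = tcp_flags(header)
    return [label for label, hit in BAD_FLAG_RULES if hit(flags)]


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header for the sample traffic below."""
    data_offset = (TCP_HEADER_LEN // 4) << 4  # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 65535, 0, 0)


def scan_headers(headers) -> list:
    """Return (index, labels) for each header that trips at least one rule."""
    alerts = []
    for i, h in enumerate(headers):
        labels = check_tcp_header(h)
        if labels:
            alerts.append((i, labels))
    return alerts


# Constructed sample: a normal handshake opener, a SYN+FIN probe,
# an empty-flags probe, and an ordinary data segment.
SAMPLE_HEADERS = [
    build_tcp_header(40000, 80, TCP_SYN),
    build_tcp_header(40001, 80, TCP_SYN | TCP_FIN),
    build_tcp_header(40002, 443, 0),
    build_tcp_header(40003, 443, TCP_PSH | TCP_ACK),
]

if __name__ == "__main__":
    for idx, labels in scan_headers(SAMPLE_HEADERS):
        print(f"header {idx}: {', '.join(labels)}")
```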

Application control

While applications can often be blocked by the ports they use, application control allows convenient management of all supported applications, including those that do not use set ports.

Application control recommendations

  • Some applications behave in an unusual manner in regards to application control. For more information, see Application considerations.
  • By default, application control allows the applications not specified in the application control list. For high security networks, you may want to change this behavior so that only the explicitly allowed applications are permitted.

SSL/SSH inspection

Regular web filtering can be circumvented by using https:// instead of http://. By enabling this feature, the FortiGate can filter traffic that is using the HTTPS protocol. This sort of analysis is sometimes referred to as deep scanning.

Deep Inspection works along the following lines: if your FortiGate unit has the correct chipset, it will be able to scan SSL encrypted traffic in the same way that regular traffic can be scanned. The FortiGate firewall essentially receives the traffic on behalf of the client and opens up the encrypted traffic. Once it is finished, it re-encrypts the traffic and sends it on to its intended recipient. It is very similar to a man-in-the-middle attack. Enabling this feature allows the FortiGate firewall to filter traffic that is using the SSL encrypted protocol.

The encrypted protocols that can be inspected are:

  • HTTPS
  • SMTPS
  • POP3S
  • IMAPS
  • FTPS

Before SSL inspection existed, scanning of regular web traffic could be circumvented by using the prefix https:// instead of http:// in the URL. SSL inspection prevents this circumvention. However, because the decrypted traffic has to be re-encrypted with the FortiGate’s certificate rather than the original certificate, it can cause errors because the name on the certificate does not match the name on the web site.

At one point deep inspection was something that was either turned on or off. Now individual deep inspection profiles can be created depending on the requirements of the policy. Depending on the Inspection Profile, you can:

  • Configure which CA certificate will be used to decrypt the SSL encrypted traffic.
  • Configure which SSL protocols will be inspected.
  • Configure which ports will be associated with which SSL protocols for the purpose of inspection.
  • Configure which websites will be exempt from SSL inspection.
  • Configure whether or not to allow invalid SSL certificates.
  • Configure whether or not SSH traffic will be inspected.

Web rating overrides

This feature allows you to override the FortiGuard Web Filtering. This option allows users to change the rating for a website and control access to the site without affecting the rest of the sites in the original category. More information can be found in Overriding FortiGuard website categorization.

Web profile overrides

This feature allows administrators to grant temporary access to sites that are otherwise blocked by a web filter profile. The temporary access can be granted to a user, user group, or source IP address. The time limit can be set in days, hours, or minutes. See the section on Web Profile Overrides for more information.

Content inspection and filtering

When the FortiGate unit buffers the packets containing files, email messages, web pages, and other similar files for reassembly before examining them, it is performing content inspection. Traffic inspection, on the other hand, is accomplished by the FortiGate unit examining individual packets of network traffic as they are received.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against threats to content. Be sure to understand the effects of the changes before using the suggestions.

AntiVirus

The FortiGate antivirus scanner can detect viruses and other malicious payloads used to infect machines. The FortiGate unit performs deep content inspection. To prevent attempts to disguise viruses, the antivirus scanner will reassemble fragmented files and uncompress content that has been compressed. Patented Compact Pattern Recognition Language (CPRL) allows further inspection for common patterns, increasing detection rates of virus variations in the future.

AntiVirus recommendations

  • Enable antivirus scanning at the network edge for all services.
  • Use FortiClient endpoint antivirus scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard AntiVirus Updates and configure your FortiGate unit to receive push updates. This will ensure that new antivirus signatures are loaded onto your FortiGate as soon as they are available.
  • Enable the Extended Virus Database if your FortiGate unit supports it.
  • Examine antivirus logs periodically. Take particular notice of repeated detections. For example, repeated virus detection in SMTP traffic could indicate a system on your network is infected and is attempting to contact other systems to spread the infection using a mass mailer.
  • To conserve system resources, avoid scanning email messages twice. Scan messages as they enter and leave your network or when clients send and retrieve them, rather than both.
  • Enable Treat Windows Executables in Email Attachments as Viruses if you are concerned about incoming ‘.exe’ files.

FortiGuard web filtering

The web is the most popular part of the Internet and, as a consequence, virtually every computer connected to the Internet is able to communicate using port 80, HTTP. Botnet communications take advantage of this open port and use it to communicate with infected computers. FortiGuard Web Filtering can help stop infections from malware sites and help prevent communication if an infection occurs.

FortiGuard web filtering recommendations

  • Enable FortiGuard Web Filtering at the network edge.
  • Install the FortiClient application and use FortiGuard Web Filtering on any systems that bypass your FortiGate unit.
  • Block categories such as Pornography, Malware, Spyware, and Phishing. These categories are more likely to be dangerous.
  • In the Anti-Spam profile, enable Spam Detection and Filtering and then enable IP Address Check. Many IP addresses used in spam messages lead to malicious sites; checking them will protect your users and your network.

DNS filter

DNS-based web filtering

This feature is similar to the FortiGuard DNS web filtering available in FortiOS 5.2. You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.

You can also allow access or monitor access based on FortiGuard category.

The following filtering options can be configured in a DNS Filter security profile:

Blocking DNS requests to known Botnet C&C addresses

A new FortiGuard database contains a list of known Botnet C&C addresses. This database is updated dynamically and stored on the FortiGate. This database is covered by FortiGuard web filter licensing; you must have an active FortiGuard web filtering license to use this feature. You can view the botnet lists by going to System > FortiGuard > Botnet IPs and System > FortiGuard > Botnet Domains.

When you block DNS requests to known Botnet C&C addresses, using IPS, DNS lookups are checked against the Botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all subdomains are also blocked.

To enable blocking of DNS requests to known Botnet C&C addresses, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C. When you do this in FortiOS 5.4.1, you can open a definitions window by clicking on “botnet package.”

Static URL filter

The DNS static URL filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up with the domains on the static URL filter list. If there is a match the DNS request can be blocked, exempted, monitored, or allowed.

If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site.

If exempted, access to the site is allowed even if another method is used to block it.
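As an added example (not FortiOS code), the following Python models the DNS filter decisions described in this section: static URL filter entries (with exempt winning over other block methods), the botnet C&C reverse prefix match that also catches subdomains, and per-category allow/monitor/block/redirect actions. The sample ratings, the redirect address, and the order in which the three checks are evaluated are assumptions made for illustration.

```python
"""Simplified model of the FortiGate DNS filter decisions described above.
Added example, not FortiOS code. Assumed: a rating lookup returning
(ip, category) per FQDN, a profile mapping categories to actions, a static
domain list, a botnet C&C list, and the evaluation order used below."""
from dataclasses import dataclass, field

# Constructed placeholder for the address of the FortiGuard redirect page.
REDIRECT_IP = "198.51.100.10"


@dataclass
class DnsFilterProfile:
    # FortiGuard category -> "allow" | "monitor" | "block" | "redirect"
    category_actions: dict
    # domain -> "block" | "exempt" | "monitor" (static URL filter list)
    static_filter: dict = field(default_factory=dict)
    botnet_cc: set = field(default_factory=set)  # known C&C domains
    block_botnet: bool = True
    default_action: str = "allow"


def domain_suffixes(fqdn):
    """Yield the name and each parent domain (reverse prefix match):
    a.b.example.com -> a.b.example.com, b.example.com, example.com."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def filter_dns_response(fqdn, rating, profile):
    """Return (answer_ip, verdict, log_lines) for one DNS lookup.
    rating is the (ip, category) pair the FortiGuard DNS service is assumed
    to return. Verdict "block" returns no answer to the requester; "redirect"
    answers with the block-page address instead of the real one."""
    ip, category = rating
    logs = []
    # 1. Static URL filter. An exempt entry allows the site even when
    #    another method (botnet list, category) would block it.
    static = next((profile.static_filter[n] for n in domain_suffixes(fqdn)
                   if n in profile.static_filter), None)
    if static == "exempt":
        logs.append(f"{fqdn}: allowed, exempt in static filter")
        return ip, "allow", logs
    if static == "block":
        logs.append(f"{fqdn}: blocked by static filter")
        return None, "block", logs
    if static == "monitor":
        logs.append(f"{fqdn}: monitored by static filter")
    # 2. Botnet C&C list, matched on every suffix so subdomains are caught.
    if profile.block_botnet:
        hit = next((n for n in domain_suffixes(fqdn) if n in profile.botnet_cc), None)
        if hit:
            logs.append(f"{fqdn}: blocked, botnet C&C match on {hit}")
            return None, "block", logs
    # 3. Action configured for the FortiGuard category in the profile.
    action = profile.category_actions.get(category, profile.default_action)
    if action == "block":
        logs.append(f"{fqdn}: blocked, category {category}")
        return None, "block", logs
    if action == "redirect":
        logs.append(f"{fqdn}: redirected, category {category}")
        return REDIRECT_IP, "redirect", logs
    if action == "monitor":
        logs.append(f"{fqdn}: allowed and logged, category {category}")
    return ip, "allow", logs


# Constructed sample ratings (not real FortiGuard data).
SAMPLE_RATINGS = {
    "www.example.com": ("93.184.216.34", "Information Technology"),
    "cdn.bad-example.test": ("203.0.113.5", "Malicious Websites"),
    "news.example.org": ("198.51.100.7", "News and Media"),
    "update.cc.example.net": ("203.0.113.9", "Information Technology"),
    "intranet.example.com": ("10.0.0.5", "Business"),
}


def demo_profile():
    return DnsFilterProfile(
        category_actions={"Malicious Websites": "redirect",
                          "News and Media": "monitor",
                          "Business": "block"},
        static_filter={"intranet.example.com": "exempt", "example.org": "monitor"},
        botnet_cc={"cc.example.net"},
    )


def run_demo():
    """Filter every sample lookup; returns {fqdn: (answer_ip, verdict)}."""
    profile = demo_profile()
    results = {}
    for fqdn, rating in SAMPLE_RATINGS.items():
        ip, verdict, logs = filter_dns_response(fqdn, rating, profile)
        results[fqdn] = (ip, verdict)
        print("\n".join(logs))
    return results


if __name__ == "__main__":
    run_demo()
```

Note that intranet.example.com is allowed even though its category is set to block, because the static exempt entry takes precedence, while update.cc.example.net is blocked through the suffix match on the C&C domain.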

Anti-Spam

Spam is a common means by which attacks are delivered. Users often open email attachments they should not, and infect their own machine. The FortiGate email filter can detect harmful spam and mark it, alerting the user to the potential danger.

Anti-Spam filter recommendations

  • Subscribe to the FortiGuard Anti-Spam Filtering service.
  • Enable email filtering at the network edge for all types of email traffic.
  • Use FortiClient endpoint scanning for protection against threats that get into your network.

Data Leak Prevention

Most security features on the FortiGate unit are designed to keep unwanted traffic out of your network while Data Leak Prevention (DLP) can help you keep sensitive information from leaving your network. For example, credit card numbers and social security numbers can be detected by DLP sensors.

DLP recommendations

  • Rules related to HTTP posts can be created, but if the requirement is to block all HTTP posts, a better solution is to use application control or the HTTP POST Action option in the web filter profile.
  • While DLP can detect sensitive data, it is more efficient to block unnecessary communication channels than to use DLP to examine it. If you don’t use instant messaging or peer-to-peer communication in your organization, for example, use application control to block them entirely.

Security profile components

Below is a brief description of the security profiles and their features.

AntiVirus

Your FortiGate unit stores a virus signature database that can identify more than 15,000 individual viruses.

FortiGate models that support additional virus databases are able to identify hundreds of thousands of viruses. With a FortiGuard AntiVirus subscription, the signature databases are updated whenever a new threat is discovered.

AntiVirus also includes file filtering. When you specify files by type or by file name, the FortiGate unit will block the matching files from reaching your users.

FortiGate units with a hard drive or configured to use a FortiAnalyzer unit can store infected and blocked files so that you can examine them later.

Web filter

Web filtering includes a number of features you can use to protect or limit your users’ activity on the web.

FortiGuard Web Filtering is a subscription service that allows you to limit access to web sites. More than 60 million web sites and two billion web pages are rated by category. You can choose to allow or block each of the 77 categories.

URL filtering can block your network users from access to URLs that you specify.

Web content filtering can restrict access to web pages based on words and phrases appearing on the web page itself. You can build lists of words and phrases, each with a score. When a web content list is selected in a web filter profile, you can specify a threshold. If a user attempts to load a web page and the score of the words on the page exceeds the threshold, the web page is blocked.

DNS filter

The FortiGate will inspect DNS traffic to any DNS server, so long as the policy has DNS inspection enabled. The FortiGate will intercept DNS requests, regardless of the destination IP, and redirect them to the FortiGuard Secure DNS server, which is separate from the FortiGuard DNS server.

The Secure DNS server will resolve and rate the FQDN and send a DNS response which includes both IP and rating of the FQDN back to the FortiGate, where it will handle the DNS response according to the DNS filter profile.

Application control

Although you can block the use of some applications by blocking the ports they use for communications, many applications do not use standard ports to communicate. Application control can detect the network traffic of more than 1,000 applications, improving your control over application communication.

Cloud Access Security Inspection (CASI)

This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied to a policy much like any other security profile.

Unfortunately CASI does not work when using Proxy-based profiles for AV or Web filtering for example.

Make sure to only use Flow-based profiles in combination with CASI on a specific policy.

Intrusion protection

The FortiGate Intrusion Protection System (IPS) protects your network against hacking and other attempts to exploit vulnerabilities of your systems. More than 3,000 signatures are able to detect exploits against various operating systems, host types, protocols, and applications. These exploits can be stopped before they reach your internal network.

You can also write custom signatures tailored to your network.

Anti-spam

FortiGuard Anti-Spam is a subscription service that includes an IP address black list, a URL black list, and an email checksum database. These resources are updated whenever new spam messages are received, so you do not need to maintain any lists or databases to ensure accurate spam detection.

You can use your own IP address lists and email address lists to allow or deny addresses, based on your own needs and circumstances.

Data Leak Prevention

Data Leak Prevention (DLP) allows you to define the format of sensitive data. The FortiGate unit can then monitor network traffic and stop sensitive information from leaving your network. Rules for U.S. social security numbers, Canadian social insurance numbers, as well as Visa, Mastercard, and American Express card numbers are included.

VoIP

The Session Initiation Protocol (SIP) is an IETF application layer signaling protocol used for establishing, conducting, and terminating multi-user multimedia sessions over TCP/IP networks using any media. SIP is often used for Voice over IP (VoIP) calls but can be used for establishing streaming communication between end points.

For more information, see VoIP Solutions: SIP.

ICAP

This module allows for the offloading of certain processes to a separate server so that your FortiGate firewall can optimize its resources and maintain the best level of performance possible.

FortiClient profiles

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security combines strong prevention with detection and mitigation is critical.

The FortiGate provides network security by defining compliance rules for FortiClient endpoints.

For more information, see the FortiClient 5.4.1 Administration Guide.

Proxy options

Proxy Options includes features you can configure for when your FortiGate is operating in proxy mode, including protocol port mapping, block oversized files/emails, and other web and email options.

SSL/SSH inspection

SSL/SSH Inspection (otherwise known as Deep Inspection) is used to scan HTTPS traffic in the same way that HTTP traffic can be scanned. This allows the FortiGate to receive and open up the encrypted traffic on behalf of the client, then the traffic is re-encrypted and sent on to its intended destination.

Individual Deep Inspection profiles can be created, depending on the requirements of the policy. Depending on the profile, you can:

  • Configure which CA certificate will be used to decrypt the SSL encrypted traffic
  • Configure which SSL protocols will be inspected
  • Configure which ports will be associated with which SSL protocols for inspection
  • Configure whether or not to allow invalid SSL certificates
  • Configure whether or not SSH traffic will be inspected

Security profiles/lists/sensors

A profile is a group of settings that you can apply to one or more firewall policies. Each Security Profile feature is enabled and configured in a profile, list, or sensor. These are then selected in a security policy and the settings apply to all traffic matching the policy. For example, if you create an antivirus profile that enables antivirus scanning of HTTP traffic, and select the antivirus profile in the security policy that allows your users to access the World Wide Web, all of their web browsing traffic will be scanned for viruses.

Because you can use profiles in more than one security policy, you can configure one profile for the traffic types handled by a set of firewall policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate sets of profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Inside FortiOS: Web Filtering

A Web Filtering solution is designed to restrict or control the content a reader is authorized to access, delivered over the Internet via the Web browser. It may be used to improve security, prevent objectionable activities, and increase productivity within an organization.

Intelligent and effective content control

Web-based threats such as phishing, drive-by malware sites, and botnets are more sophisticated than ever, and the rise of mobility in the workplace makes them even more difficult for you to control. The Web has become the preferred medium of choice for hackers and thieves looking for new ways to disrupt services, steal information, and perform malicious activities for financial gain. In addition, employees who visit websites containing objectionable content can expose your organization to civil or criminal liability.

FortiOS Web Filtering solution utilizes three main components of the web filtering function: the Web Content Filter, the URL Filter, and the FortiGuard Web Filtering Service. These functions integrate with each other to provide maximum control over what the Internet user can view as well as protection to the network from many Internet content threats. Web Content Filtering blocks web pages containing words or patterns that you specify. URL filtering uses URLs and URL patterns to block or exempt web pages from specific sources. FortiGuard Web Filtering provides many additional categories you can use to filter web traffic by independent real-world tests.

Highlights

  • Comprehensive and advanced Web Filtering features such as Safe Search and user override options.
  • FortiGuard Web Filtering Services with superior coverage of over 250 million rated websites.
  • Integration with other FortiOS components, such as User Identification, for flexible and secured implementation.
  • Supports detection for traffic using the HTTP protocol (versions 1.0, 1.1, and 2.0).
  • Ability to configure web filtering by adding URL categories to security policies when operating in flow-based inspection and NGFW policy-based mode. You can set the action to accept or deny to allow or block the applications.

Key features & benefits

Cloud-based Rating Database: Real-time website category rating provides accurate content control.
Wide choice of web filtering technologies: Various web filtering technology options are available to provide each organization the most suitable implementation.
Integrated with other security and networking functions: Allows organizations to simplify networks and reduce TCO.

 

Features

Cloud-based rating system

Fortinet is a pioneer in cloud-based rating systems for web filtering. FortiOS provides an innovative approach to HTTP and HTTPS web filtering technology by combining the advantages of a cloud-based service offering with layered response caching. The multiple FortiGuard data centers around the world hold the entire categorized URL database and receive rating requests from FortiGate units triggered by browser-based URL requests.

FortiGuard responds to these rating requests with the categories stored for specific URLs; the requesting FortiGate unit then uses its own local profile configuration to determine what action is appropriate to the category, such as blocking, monitoring, allowing the page, displaying a warning, or requiring authentication to view the page.

Rating responses are also cached directly in FortiGate unit memory so that ratings for frequently used sites can be retrieved directly from the cache, reducing the number of requests to the FortiGuard network. Caching URLs in memory makes URL lookups almost instantaneous while only using a very small amount of system memory.

An appropriately licensed FortiManager appliance can be synchronized to the FortiGuard network and can then be used in the same way as the FortiGuard network for managed FortiGate devices. This can further reduce the latency associated with the round trip time for individual rating requests while at the same time ensuring complete database coverage. Consider a LAN-attached FortiGate cluster combined with a FortiManager, with the potential to handle tens of thousands of requests per second.

Superior coverage

FortiGuard Web Filter ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. This service currently rates more than 250 million sites covering billions of URLs with each site able to be rated in multiple categories. The FortiGuard database provides a truly international service with support for 70 languages.

Extensive and flexible categorization

Rated URLs are assigned into one of the 98 categories (including 20 user defined ones) which administrators can then easily manage and control. Administrators can configure and populate local categories or place specific URLs in existing categories should the FortiGuard rating not be in agreement with an organization’s policies and practices.

Rating override

At times, administrators may have to allow approved people to access what they need during periods when an exception to the normal rules is required, while still having enough control that the organization’s web usage policies are not compromised. FortiOS can provide such a setup by using alternate profiles.

Protection against malicious URLs

The malicious URL database contains all malicious URLs active in the last month and is organized as one of the categories. With Fortinet Security Fabric, customers can further their protection by having the FortiSandbox add newly discovered URLs to a dynamic URL filter, thus blocking files from being downloaded again from that URL.

Inspection modes

FortiOS web filtering can operate in different modes: proxy-based and flow-based inspection modes and DNS filtering. Each mode has strengths and weaknesses and all three can be active at the same time on different traffic streams.

Proxy-based web filtering uses a proxy to assemble and analyze web content as it passes through the FortiGate unit. If a page is blocked the proxy can replace the blocked page with a customizable web page informing users that the page is blocked. Proxy-based web filtering is the most feature-rich mode, supporting many advanced filters including web content filtering that analyzes web page content according to your custom requirements, Java applet filtering, and blocking invalid URLs.

Flow-based web filtering uses the FortiOS IPS engine to filter web content packets as they pass through the FortiGate unit without any buffering. Flow-based inspection does not use a proxy, so inspected packets are not proxied and altered by the FortiGate unit. Flow-based inspection does not support as many advanced features as proxy-based web filtering.

To control your FortiGate’s security profile inspection mode in FortiOS 5.6, you can select Flow or Proxy Inspection Mode from System > Settings. Having control over flow and proxy mode is helpful if you want to ensure that only flow inspection mode is used.

In most cases proxy mode is preferred because more security profile features are available and more configuration options for these individual features are available. Some implementations, however, may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used. Two new policy modes are available in FortiOS 5.6.

  • NGFW mode simplifies applying application control and web filtering to traffic by allowing you to add applications and web filtering profiles directly to policies. This is used in conjunction with flow-based inspection.
  • Transparent proxy allows you to apply web authentication to HTTP traffic without using the explicit proxy.

DNS web filtering employs DNS lookups to the FortiGuard DNS service to get web page ratings. Filtering is done as part of the DNS lookup and web pages can be blocked or redirected to a web filter block page before the HTTP session starts. As a result, it is lightweight in terms of resource usage although it only supports a limited number of advanced features.

Usage quota

Administrators can set a daily timed access quota by category or category group. Quotas allow access for a specified length of time or traffic volume, calculated separately for each user.

SafeSearch

SafeSearch is a feature of popular search sites that prevents explicit web sites and images from appearing in search results. Although SafeSearch is a useful tool, especially in educational environments, the resourceful user may be able to simply turn it off. Enabling SafeSearch on the FortiGate for the supported search sites can better enforce its use by rewriting the search URL to include the code to indicate the use of the SafeSearch feature.
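The URL rewrite described above, as an added Python example that is not FortiOS code: the search engine's own SafeSearch query parameter is forced on, and any value the user set to turn it off is discarded. The host-to-parameter table is an assumption for illustration (which engines FortiOS supports is not stated here), and for HTTPS search sites such a rewrite is only possible when the traffic is decrypted by SSL inspection.

```python
"""SafeSearch enforcement by URL rewriting. Added example, not FortiOS code.
The engine table below is an assumption: each entry is the search engine's
public SafeSearch query parameter and the value that switches it on."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# host suffix -> (query parameter, value that enables SafeSearch); assumed list
SAFESEARCH_PARAMS = {
    "google.com": ("safe", "active"),
    "bing.com": ("adlt", "strict"),
    "duckduckgo.com": ("kp", "1"),
}


def engine_for(host):
    """Return the (param, value) pair for a supported search host, else None.
    Matches the bare domain and any subdomain (www., images., ...)."""
    host = (host or "").lower()
    for suffix, param in SAFESEARCH_PARAMS.items():
        if host == suffix or host.endswith("." + suffix):
            return param
    return None


def enforce_safesearch(url):
    """Return url with SafeSearch forced on for supported engines; other URLs
    are returned unchanged."""
    parts = urlsplit(url)
    engine = engine_for(parts.hostname)
    if engine is None:
        return url
    key, value = engine
    # Drop any user-supplied value for the parameter (e.g. safe=off) so the
    # enforced value is the only one the search site sees, then append ours.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != key]
    query.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample requests: one with SafeSearch explicitly disabled.
    for u in ("https://www.google.com/search?q=test&safe=off",
              "https://www.bing.com/search?q=test",
              "https://example.com/search?q=test"):
        print(u, "->", enforce_safesearch(u))
```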

 

Restrict YouTube access

In FortiOS 5.6 with inspection mode set to proxy-based, you can set Strict or Moderate access to YouTube in a Web Filter profile.

Manual URL and content filter

FortiOS web filtering offers specific URL filtering by standard, wildcard, and regular expression definition, as well as content filtering by pattern type and language.

Advanced web filter configurations

The rich FortiOS feature set includes the ability to implement a number of enterprise features such as:

  • Block HTTP redirects by rating, invalid URLs, HTTP POST actions, and Web resume download
  • Cookie, Java applet, and ActiveX filter
  • Rate Images by URL and URLs by domain and IP address

Proxy avoidance preventions

FortiGate is able to improve the effectiveness of the web filtering by preventing users from evading the security implementation. Organizations can use its multiple integrated technologies including proxy site URL, proxy application control, and IPS proxy behavior blocking.

User and device awareness

Most networks in today’s organizations are connected with both corporate and personal mobile devices. User and device awareness provides the option to configure intelligent policies that can effectively enforce security.

To tackle the prevalence of BYOD environments, administrators are able to configure web content access policies with sources defined by IPs, users, and devices, either combined or selectively.

External URL filtering support

In instances where customers have large, existing, deployed implementations of a specific URL filtering solution but replace their legacy firewalls with a FortiGate family, they can still retain their web filtering infrastructure since FortiOS supports both ICAP and WISP.

Monitoring, logging, and reporting

FortiOS empowers an organization to implement security best practices that require continuous monitoring of threats, allowing the organization to adapt to new requirements.

The FortiView dashboards display useful analysis data with detailed and contextual session information, which can be filtered and ranked, with drilldown options also available. This information, including system events activities and administration audit trails, can also be archived via logs.

FortiOS logs all the types of traffic that can connect to or terminate at the FortiGate unit. In turn, these logs can generate useful trending and overview reports.

 


Inside FortiOS: AntiVirus

AntiVirus uses a suite of integrated security technologies to provide protection against a variety of threats, including both known and unknown malicious code (malware), plus Advanced Targeted Attacks (ATA), also known as Advanced Persistent Threats (APT).

Advanced protection against malware and APTs

Malware and Advanced Persistent Threats can cause significant damage to today’s organizations. This malicious code is commonly designed to steal valuable data, gain unauthorized access, or cause products to degrade. FortiOS’s AntiVirus is an industry-proven anti-malware security solution with robust features and deployment options.

FortiOS offers the unique ability to implement both Flow- and Proxy-based AV concurrently, depending on traffic type, users, and locations. Flow-based AV offers higher throughput performance while proxy-based solutions are useful in mitigating stealthy malicious codes. The AV detection capabilities are further enhanced with complementary security features and external sandbox integration.

By utilizing the unique Content Pattern Recognition Language (CPRL) built into the FortiASIC Content Processor, FortiOS is able to deliver high performance and low latency anti-malware capabilities. This real-time protection is backed by a team of worldwide researchers.

Highlights

  • Certification from multiple industries for best-in-class security and capacity with proven coverage and high performance.
  • Multi-layered protection with extended AV components and external file analysis integration.
  • Comprehensive remediation actions such as file quarantine and knowledge tools.

Key Features & Benefits

Robust feature set: Allows the flexibility to deploy appropriate protection according to security needs and infrastructure designs.
High performance utilizing FortiASIC and patented CPRL AV signatures: Low latency and high capacity ensure that business applications are not affected while security is enforced.
Backed by FortiGuard Labs that deliver real-time protection: Critical digital assets are covered by continuous protection against the latest threats.

 

Features

Industry’s validated protection

FortiOS anti-malware components and FortiGuard AV signatures periodically undergo numerous authoritative certifications. These independent certifications demonstrate that the solution offered is of the highest standard in performance and accuracy, ensuring organizations are truly protected.

Fortinet has been consistently ranked among the top vendors for Virus Bulletin’s RAP (Reactive And Proactive) bimonthly tests. This test measures a product’s detection rates over the freshest samples available, as well as samples not seen until after product databases are frozen, thus reflecting both the vendor’s ability to handle the huge quantity of newly emerging malware and accurately detect previously unknown malware.

Real time protection

The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content-level threats via the experienced FortiGuard global network, which is backed by over 200 researchers. With the release of FortiOS 5.6, botnet protection is part of the FortiGuard AntiVirus contract.

FortiGuard AV service quick facts

  • 95,000 malware programs neutralized per minute
  • 1.8 million new and updated AV definitions per week
  • Hourly updates of the AV signature database
  • 190 TB of threat samples to date

Organizations can also engage the FortiGuard Premier Signature Service, which provides enhanced virus detection and threat analysis support. This service offers submissions for custom AntiVirus signatures on a daily basis, offering prioritized support with guaranteed response times.

Unique proxy- and flow-based AV

FortiOS offers organizations the flexibility to select the most appropriate inspection method for different network sessions. This can be implemented by defining policies that match specific source objects (IP, IP ranges, users, and devices), destination objects, applications, and schedules with different AV profiles.

 

Flow-based AV relies on IPS technology where packets are inspected in real-time and matched against the AV signature database. It offers lower latency and higher throughput than Proxy-based AV. Flow-based AV is recommended for inspecting traffic that requires a responsive user experience or when serving as an additional AV protection layer.

FortiOS’s Proxy-based AV offers the most secure AV protection as it is able to inspect more protocols and provides replacement messages on a wider range of applications.

AV acceleration with Content Processor

The FortiASIC Content Processor (CP) accelerates content processing traditionally performed completely by the CPU. The CP reduces the resources required by the CPU when matching an incoming file against the signature database, thus improving system performance and stability.

Proactive protection using patented CPRL

Compact Pattern Recognition Language (CPRL) is a patented and proprietary programming language that allows for further inspection of common patterns to not only protect against threats and their variants but also to predict tomorrow’s zero-day malware. It allows FortiGuard analysts to describe entire families of malware with a single program, instead of the traditional signature-based “one signature, one variant” model used by other vendors. With fewer signatures to match, throughput performance and latency naturally improve.

Intelligent behavioral evaluation

Signature-based security alone is no longer sufficient; it is now critical to understand how devices on your network are behaving. Threat Weight scoring provides a cumulative security ranking of each client device on your network based on a range of behaviors. It provides specific, actionable information that helps identify compromised systems and potential zero-day attacks in real-time.

This unique system attaches predefined scores to various malicious network activities discovered by IPS, application control, URL filtering, etc., to determine the top suspicious users. Administrators can then further inspect these users via FortiView to uncover unknown threats or APTs.

External file analysis integration

FortiOS offers organizations the ability to adopt a robust ATP (Advanced Threat Protection) framework that reaches mobile users and branch offices, detecting and preventing advanced attacks that may bypass traditional defenses by examining files from various vectors, including encrypted files. To detect unknown threats, zero-day, and targeted attacks, the FortiGate can engage external resources to perform additional file analysis. Files can be submitted to an on-premise appliance (FortiSandbox) or cloud-based service (FortiSandbox Cloud) after both proxy-based and flow-based AV processing.

It is also possible to configure the FortiGate to automatically receive dynamic signature updates from FortiSandbox and add the originating URL of any malicious file to a blocked URL list. In addition, if the organization deploys integrated endpoint control with FortiClient, an administrator can instruct an infected terminal to self-quarantine.

 

File filtering

File filtering using data leak prevention (DLP) on the FortiGate offers an effective way to stop unwanted file transmission instantly. Administrators may implement granular file controls by defining protection profiles using filenames or nearly 50 different file types over mail, web, and file download protocols.

File quarantine

FortiOS offers sophisticated file quarantine capabilities that allow organizations to archive suspicious or blocked files for further examination or to release false positives.

Anti-bot

Organizations may prevent, uncover, and block botnet activities using FortiOS Anti-Bot traffic pattern detection and domain and IP reputation services supplied in real-time by FortiGuard threat experts.

User notification

User notifications are helpful in reducing administration and support burdens, as well as providing user education. FortiOS is able to automatically replace blocked attachments and downloads with detailed information sent to Email, FTP, or web users.

Monitoring, logging, and reporting

FortiOS empowers organizations to implement security best practices that require continuous examination of their threat status and adaptation to new requirements. The FortiView widgets provide useful analysis data with detailed and contextual session information, which can be filtered, ranked, and further inspected. System events can also be archived via logs, which in turn can generate useful trending and overview reports.

FortiOS also offers robust in-built E-mail and SMS alert systems, as well as integration with external threat management systems using SNMP and standard-based Syslogs.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Inside FortiOS: Application Control

Application control technologies detect and take action against network traffic based on the application that generated the traffic. Application control uses protocol decoders with signatures that analyze network traffic to detect application traffic, even if the traffic uses nonstandard ports or protocols.

Enhance control and network visibility

Controlling and monitoring applications on a network can seem like a daunting task due to the wide range of available applications. It is no longer an option to simply block or allow TCP and/or UDP ports since most applications do not map to individual ports. For example, controlling traffic on an HTTP or HTTPS port is futile against complex social networking sites and cloud applications.

FortiOS leverages its massive application database to identify applications and their activities while still providing a suitable and sufficient user experience, thanks to FortiASIC Content Processors (CPs), which boost CPU performance. Organizations can adopt more granular control, such as allowing logins but not chatting over selected sites. Traffic shaping may also be applied to the application traffic that is allowed. After applying control measures, continuous monitoring ensures that the measures are effective and allow for changes in application traffic patterns to be managed.

Highlights

  • Superior performance using the unique FortiASIC Content Processor that offloads heavy computation from the CPU.
  • Flexible implementation with robust deployment modes and granular controls.
  • Excellent visibility and management tools that help administrators improve security.
  • Application control is a standard part of any FortiCare support contract and the database for Application Control signatures is separate from the IPS database. Access to the database no longer requires a FortiGuard IPS subscription.
  • Supports detection for traffic using HTTP protocol (versions 1.0, 1.1, and 2.0).
  • Ability to configure application control by adding individual applications or application categories to security policies when operating in flow-based inspection and NGFW policy-based mode.

Key features & benefits

  • Identifies and controls application traffic: allows organizations to strengthen security policies by controlling evasive application communications.
  • Leverages FortiGate’s hardware acceleration and software optimization: offers more security without compromising performance.
  • Granular control and integration with other FortiOS capabilities: provides administrators the ability to implement the most appropriate configuration for any given organization.

Features

NSS Labs “Recommend” rating for Next Generation Firewall

Fortinet’s entry into the NSS Labs Next Generation Firewall Group Test in 2013, 2014 and 2016 received the “Recommend” rating, placing it as one of the top performing systems. NSS Labs uses respectable real-world testing methodologies to measure Next Generation Firewall protection and performance, including application control.

Superior performance with unique hardware architecture

Unlike a traditional security gateway, which relies heavily on CPUs for packet inspection, the FortiGate’s unique hardware architecture allows FortiOS to automatically utilize appropriate hardware components to achieve optimal performance. This prevents the CPU from becoming a bottleneck as it performs various functions concurrently.

In support of application control, the Content Processor (CP) is a specialized ASIC chip that handles demanding cryptographic computation for SSL inspection and intensive signature matching. By offloading these processes from the CPU, the FortiGate is able to minimize performance degradation when administrators opt for greater security.

Robust deployment modes

FortiOS supports a wide array of network protocols and operating modes, allowing administrators to deploy the most appropriate security for their unique IT infrastructure. FortiOS also supports a variety of routing and switching protocols.

The FortiGate is able to operate in inline route and transparent mode. It can also operate in offline sniffer mode for passive monitoring of user activities. These different operating modes run concurrently by using virtual systems.

 

Protection at the edge

With today’s BYOD and mobile workforce environment, it is no longer wise to deploy control just at the Internet gateway. Through Fortinet Security Fabric, FortiOS unique wireless and switch controller feature allows organizations to implement better visibility and protection closer to internal devices. Moreover, with FortiClient, administrators can also apply similar policies when mobile users are outside of the protected networks.

Advanced application detection and control

By relying on the FortiOS 3rd Generation IPS engine, the FortiGate is able to inspect many of today’s encrypted and evasive traffic, as well as traffic running on new technologies, such as SPDY protocol. The inspection can be applied to both network and IPsec/SSL VPN traffic.

An application and its specific activity are identified using FortiGuard’s Application Control database of over 2,500 distinct signatures. These signatures are crafted by researchers across the globe to include applications that may be unique to platforms, regions, and/or languages. It also offers specific application activity identification, such as a Facebook posting or Dropbox file sync. The database is kept up to date via scheduled or manual downloads.

The application database is classified into 20 intuitive categories for ease of use. Administrators may also create specific application overrides that differ from the category settings. These specific applications can be filtered and selected by type of behavior, risk levels, technology type, application vendor and popularity.

Administrators may also apply advanced controls, such as setting up session TTLs for specific applications using CLI commands.

Traffic shaping

Organizations may better utilize bandwidth and protect critical applications by enforcing granular application usage with traffic shaping. Administrators can create various traffic shaping profiles by defining traffic priority and maximum or guaranteed bandwidth. These profiles can then be assigned to targeted applications.

User notification

User education is central to an effective security implementation. In response to this, FortiOS lets you provide user notification when blocking an unauthorized application. The notification appears as an HTML block page for web-based applications.

Advanced notification is possible by implementing Fortinet’s browser-embedded frame. And when “off-net” users are denied access, notifications appear via FortiClient’s notification pop-ups.

Deep inspection for cloud applications

The prevalence of cloud applications like Dropbox poses a security challenge to today’s organizations. Using FortiOS’s deep inspection for popular cloud applications, administrators gain deep and useful insights, via FortiView and logs, into activities associated with these applications, such as user IDs, cloud actions, file names, and file sizes. For popular video sites, FortiOS will also be able to track video files viewed.

SSL inspection for encrypted traffic

SSL (Secure Sockets Layer) is a popular encryption standard used to protect Internet traffic but may also be used to evade traditional inspection. FortiOS enables organizations to adopt effective application control even when traffic is encrypted.

Unique hardware components and software optimizations can decrypt traffic with minimal performance impact. The inspection can easily omit sensitive communications, such as financial transaction (thereby complying with privacy policies), or bypass applications that forbid SSL inspection by using granular policy settings.

Monitoring, logging, and reporting

FortiOS empowers organizations to implement security best practices that require continuous examination of threat statuses and the ability to adapt to new requirements.

The FortiView widgets provide useful analyses with detailed and contextual session information that can be filtered, ranked, and further inspected. For example, an administrator can instantly query the top applications that are currently consuming bandwidth and drill down to identify their users and help decide if such activities should be blocked.

Network, threat, and system events activities can be archived via syslogs. In turn, these logs can generate useful trending and overview reports.

Lastly, the FortiOS offers robust in-built email and SMS alert systems. Meanwhile, integration with external threat management systems can be achieved with SNMP and standard-based syslogs.

 

Recipes

Visit cookbook.fortinet.com for these and other recipes:

  • NGFW policy-based mode


Inside FortiOS: Intrusion Prevention System (IPS)

Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.

World class next generation IPS capabilities

Today, sophisticated and high volume attacks are the challenges that every organization must recognize. These attacks are evolving, infiltrating ever-increasing vectors and complex network environments. The result is an urgent need for network protection while maintaining the ability to efficiently provide demanding services and applications.

FortiOS’s IPS functionality is an industry-proven network security solution that scales up to over 200 Gbps of inline protection. Powered by purpose-built hardware and FortiASICs, FortiOS is able to achieve attractive TCO while meeting performance requirements. IPS is easy to set up, yet offers feature-rich capabilities, with contextual visibility and coverage. It is kept up-to-date by research teams that work 24 hours a day worldwide, in order to detect and deter the latest known threats as well as zero-day attacks.

Highlights

  • Validated best-in-class security and capacity with proven coverage and high performance.
  • Comprehensive protection provided by a signature-based IPS engine, protocol anomaly scanning, and DDoS mitigation.
  • Flexible deployment options and actionable implementations for a wide array of network integration and operation requirements.

Key features & benefits

  • High Performance IPS, powered by FortiASIC: low latency and high capacity ensure business applications are not affected while security is enforced.
  • Best-in-class security with superior coverage: protects critical digital resources from both internal exploits and external cybercriminals, even if sophisticated attacks are crafted.
  • Backed by FortiGuard Labs that deliver real-time protection: maintains up-to-date and proactive protection against the latest known threats and newly discovered hacking techniques while allowing time for organizations to patch vulnerable systems.

Features

Tested and proven protection

Not only have FortiGates been deployed in some of the largest enterprises in the world since 2002, FortiOS IPS components and FortiGuard IPS signatures are periodically tested and certified by well-known external labs. For example, Fortinet’s FortiGate 3000D earned the highest ratings for Security Effectiveness, blocking 99.9 percent of exploits in the recent NSS Labs DCIPS test. These independent certifications ensure that solutions delivered to customers are of the highest standards in performance, coverage, and accuracy.

Real-time & zero-day protection

The FortiGuard Intrusion Prevention Service (IPS) provides customers with the latest defenses against stealthy network-level threats through a constantly updated database of known threats and behavior-based signatures.

FortiGuard IPS service quick facts

  • Over 10,000 signatures consisting of 18,000 rules
  • Approximately 470,000 network intrusion attempts resisted per minute
  • About 1,000 rules are updated or added per week
  • Over 300 zero-day vulnerabilities discovered to date

This update service is backed by a team of threat experts and a close relationship with major application vendors. The best-in-class team also uncovers significant zero-day vulnerabilities continuously, providing FortiGate units with advanced protection ahead of vendor patches.

Uncompromised performance

The FortiASICS Content Processor (CP) accelerates content processing, which is traditionally done completely by the CPU. The CP reduces the resources required by the CPU when matching an incoming file against the signature database, thus improving system performance and stability.

Protocol decoders and anomaly detection

Protocol decoders are required to assemble the packets and detect suspicious, nonconforming sessions that resemble known attacks or are non-compliant to RFC or standard implementation.

FortiOS offers one of the most comprehensive arrays of protocol decoders in the industry, providing customers with significantly wide coverage in all kinds of environments.

Pattern & rate-based signatures

The pattern signature matching technique is essential in IPS implementation due to its high level of precision and accuracy. FortiOS offers administrators robust pattern signature selection using filters based on severity, target, operating system, application, and protocol. Each of the 10,000+ signatures has a direct link to its detailed entry on the threat encyclopedia and CVE-ID references. After selection, administrators are able to assign associated actions such as monitoring, blocking, or resetting the session.

Rate-based IPS signatures protect networks against application based DoS and brute force attacks.

Administrators can configure nearly 30 rate-based IPS signatures and tune them to their needs. Threshold (incidents per minute) and an action to take when the threshold is reached can be assigned to each signature. If the action is set to block, then a timeout period can be set so that the block is removed after a specified duration.

DoS and DDoS mitigation

DoS policies can help protect against DDoS attacks that aim to overwhelm server resources. In FortiOS, the DoS scans precede the policy engine at the incoming interfaces, thus eliminating unnecessary sessions from the firewall process and state table entry during a surge of attack traffic. This helps to safeguard the firewall from overloading and allows it to perform optimally.

FortiOS DoS policies can be configured to detect and block floodings, port scans, and sweeps. Administrators can set baselines for the amount of concurrent sessions from sources or to destinations. The settings utilize thresholds and can be applied to UDP, TCP, ICMP, IP, and SCTP.

Network interfaces associated with a port attached to a Network Processor (NP) can be configured to offload anomaly checking, further offloading the CPU for greater performance. Some of the anomaly traffic dropped includes LAND attacks, IP protocol with malformed options, and WinNukes.

Quarantine attacks

FortiOS offers sophisticated automatic attack quarantine capabilities which allow organizations to proactively prevent further attacks from known attackers over a predefined duration. Quarantining by duration can be used to protect potentially vulnerable servers until more permanent defenses are in place.

Packet logging

Administrators may choose to automatically perform IPS packet logging, which saves packets for detailed analysis when an IPS signature is matched. Saved packets can be viewed and analyzed on the FortiGate unit or by using third-party analysis tools. Packet logging is also useful in determining false positives.

Custom signatures

Custom IPS signatures can be created to further extend protection. For example, you can use custom IPS signatures to protect unusual or specialized applications, or even custom platforms from known and unknown attacks.

Organizations may use FortiConverter to easily convert Snort signatures for FortiOS use.

Resistant against evasions

Evasion techniques attempt to fool the protocol decoders in IPS products by crafting exotic network streams that would not be handled or reconstructed by the decoders, yet still be valid enough for the target recipient to process. The robust IPS engine is capable of handling both common evasions and sophisticated AETs (Advanced Evasion Techniques) deployed by hackers, such as IP packet fragmentation, TCP stream segmentation, RPC fragmentation, URL and HTML obfuscation, and other protocol-specific evasion techniques.

Intrusion detection mode

In out-of-band sniffer mode (or one-arm IPS mode), IPS operates as an Intrusion Detection System (IDS), detecting attacks and reporting them but not taking any action against them. In sniffer mode, the FortiGate unit does not process network traffic and instead is connected to a spanning or mirrored switch port, or a network tap. If an attack is detected, log messages can be recorded and alerts sent to system administrators.

Traffic bypass

Since most IPS deployments are in transparent inline mode, active traffic bypass is often desired until normal operation of the device resumes. Some FortiGates offer inbuilt active bypass interfaces while others may use external bypass devices such as the FortiBridge. Administrators are also offered a software fail-open option to handle instances where the IPS engine fails.

Monitoring, logging, and reporting

FortiOS empowers organizations to implement security best practices that require continuous examination of their threat status and adaptation to new requirements. The FortiView query widgets provide useful analysis data with detailed and contextual session information, which can be filtered, ranked, and further inspected. System events can also be archived via logs, which in turn can generate useful trending and overview reports.


FortiOS 6.0.2 Release Notes

Introduction

This document provides the following information for FortiOS 6.0.2 build 0163:

Supported models

FortiOS 6.0.2 supports the following models.

FortiGate: FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi: FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-30D, FGR-35D, FGR-60D, FGR-90D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN, FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND

Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN

FortiOS Carrier: FortiOS Carrier 6.0.2 images are delivered upon request and are not available on the customer support firmware download page.

Special Notices

WAN optimization and web caching functions

WAN optimization and web caching functions are removed from 60D and 90D series platforms, starting from 6.0.0, due to their limited disk size. Platforms affected are:

  • FGT-60D
  • FGT-60D-POE
  • FWF-60D
  • FWF-60D-POE
  • FGT-90D
  • FGT-90D-POE
  • FWF-90D
  • FWF-90D-POE
  • FGT-94D-POE

Upon upgrading from 5.6 patches to 6.0.0, diagnose debug config-error-log read will show command parse error about wanopt and webcache settings.

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service only when added to an existing Fortinet Security Fabric managed by a supported FortiGate model:

  • FGR-30D-A, FGR-30D, FGR-35D, FGR-60D, FGR-90D
  • FGT-200D, FGT-200D-POE, FGT-240D, FGT-240D-POE, FGT-280D-POE
  • FGT-30D, FGT-30D-POE, FGT-30E, FGT-30E-MI, FGT-30E-MN
  • FGT-50E, FGT-51E, FGT-52E
  • FGT-60D, FGT-60D-POE, FGT-70D, FGT-70D-POE
  • FGT-90D, FGT-90D-POE, FGT-94D-POE, FGT-98D-POE
  • FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E-MI, FWF-30E-MN
  • FWF-50E-2R, FWF-50E, FWF-51E
  • FWF-60D, FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D

Built-in certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit key with DH group 14.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form.
  • IPv6 packets being dropped.
  • FortiSwitch devices failing to be discovered.
  • Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global
    set hw-switch-ether-filter <enable | disable>
end


When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
  • BPDUs are dropped and therefore no STP loop results.
  • PPPoE packets are dropped.
  • IPv6 packets are dropped.
  • FortiSwitch devices are not discovered.
  • HA may fail to form depending on the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiClient profile changes

With the introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn.

FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 6.0.2

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:
     • Current Product
     • Current FortiOS Version
     • Upgrade To FortiOS Version
  5. Click Go.

Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

If you are upgrading from version 5.6.2 or 5.6.3, this caution does not apply.

Physical interface inclusion in zones

Upgrading from 5.6.3 or later removes all of the members of a zone if the zone contains a physical interface and at least one of that physical interface’s VLAN interfaces is removed. For example:

Before Upgrade:

config system zone
    edit "Trust"
        set interface "port1" "Vlan01" "Vlan02" "Vlan03"
    next
end

After Upgrade:

config system zone
    edit "Trust"
    next
end

Remove “port1” from the list and the upgrade will retain the VLANs.

Conditions when physical zone members are removed:

  • If the physical interface has a VLAN associated (regardless of whether they are in the same zone or any zone)

Conditions when VLAN zone members are removed:

  • If the parent physical interface is also set on a zone

You can use the following options to prepare for the upgrade:

  • Use only physical interfaces that have no VLAN associations, or:
  • Create new VLANs in place of current physical interface zone members, and remove all physical zone members from zones, using only the associated new VLAN entries.
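The two pre-upgrade checks above (port 4433 in use, and zone members that the upgrade would drop) can be run against a configuration backup before touching the device. The following script is an added example, not part of the release notes or Fortinet's tooling; it assumes the plain `config … / edit … / set … / next / end` layout of a FortiOS CLI backup and uses a constructed sample configuration.

```python
import shlex

# Constructed sample of a FortiOS CLI backup (not from any real device);
# it contains both problems the release notes warn about.
SAMPLE_CONFIG = """\
config system global
    set admin-port 443
    set admin-sport 4433
end
config system interface
    edit "port1"
    next
    edit "Vlan01"
        set interface "port1"
        set vlanid 10
    next
end
config vpn ssl settings
    set port 10443
end
config system zone
    edit "Trust"
        set interface "port1" "Vlan01"
    next
    edit "DMZ"
        set interface "port2"
    next
end
"""


def parse_config(text):
    """Parse a backup into {section: {entry: {attribute: [values]}}}.
    'set' lines directly under a section go under entry key "".
    Nested config blocks inside an entry are skipped."""
    sections, section, entry, depth = {}, None, "", 0
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if depth:  # inside a nested block: only track its own end
            if kw == "config":
                depth += 1
            elif kw == "end":
                depth -= 1
        elif kw == "config":
            if section is None:
                section = " ".join(args)
                sections.setdefault(section, {})
            else:
                depth = 1
        elif kw == "edit" and section is not None:
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif kw == "set" and section is not None:
            sections[section].setdefault(entry, {})[args[0]] = args[1:]
        elif kw == "next":
            entry = ""
        elif kw == "end":
            section, entry = None, ""
    return sections


def zone_members_at_risk(cfg):
    """Members the upgrade note says will be dropped: a physical interface
    that has VLANs, or a VLAN whose parent is itself in some zone."""
    ifaces = cfg.get("system interface", {})
    parent_of = {n: a["interface"][0] for n, a in ifaces.items()
                 if n and "vlanid" in a and "interface" in a}
    has_vlans = set(parent_of.values())
    zones = {z: a.get("interface", [])
             for z, a in cfg.get("system zone", {}).items() if z}
    zoned = {m for members in zones.values() for m in members}
    at_risk = []
    for zone, members in zones.items():
        for m in members:
            if m in has_vlans:
                at_risk.append((zone, m, "physical interface with VLANs"))
            elif m in parent_of and parent_of[m] in zoned:
                at_risk.append((zone, m, f"VLAN of zoned parent {parent_of[m]}"))
    return at_risk


def port_4433_conflicts(cfg):
    """Settings occupying port 4433, which must be moved before upgrading."""
    hits = []
    glob = cfg.get("system global", {}).get("", {})
    for key in ("admin-port", "admin-sport"):
        if glob.get(key, [""])[0] == "4433":
            hits.append(f"system global {key}")
    if cfg.get("vpn ssl settings", {}).get("", {}).get("port", [""])[0] == "4433":
        hits.append("vpn ssl settings port")
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for zone, member, why in zone_members_at_risk(cfg):
        print(f"zone {zone}: {member} would be removed ({why})")
    for hit in port_4433_conflicts(cfg):
        print(f"port 4433 is used by {hit}; change it before upgrading")
```

Point `parse_config` at a real backup (`execute backup config` output) instead of `SAMPLE_CONFIG` to audit a production unit.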

Fortinet Security Fabric upgrade

FortiOS 6.0.2 greatly increases the interoperability between other Fortinet products. This includes:

  • FortiAnalyzer 6.0.0
  • FortiClient 6.0.0
  • FortiClient EMS 6.0.0
  • FortiAP 5.4.4 and later
  • FortiSwitch 3.6.4 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.0.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.0.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

  • Email server (config system email-server)
  • Certificate (config vpn certificate setting)
  • FortiSandbox (config system fortisandbox)
  • FortiGuard (config log fortiguard setting)
  • FortiAnalyzer (config log fortianalyzer setting)
  • LDAP server (config user ldap)
  • POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with their corresponding short VDOM names. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.0.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.0.2 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard
    set update-server-location [usa|any]
end

Product Integration and Support

FortiOS 6.0.2 support

The following table lists 6.0.2 product integration and support information:

Web Browsers:
  • Microsoft Edge 41
  • Mozilla Firefox version 59
  • Google Chrome version 65
  • Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser:
  • Microsoft Edge 41
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 59
  • Google Chrome version 65
  • Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager: See important compatibility information in Fortinet Security Fabric upgrade on page 10. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer: See important compatibility information in Fortinet Security Fabric upgrade on page 10. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient (Microsoft Windows, Mac OS X, Linux): 6.0.0

See important compatibility information in Fortinet Security Fabric upgrade on page 10.

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS: 5.6.0 and later

FortiClient Android and FortiClient VPN Android: 5.4.2 and later

FortiAP: 5.4.2 and later; 5.6.0 and later

FortiAP-S: 5.4.3 and later; 5.6.0 and later

FortiSwitch OS (FortiLink support): 3.6.4 and later

FortiController: 5.2.5 and later. Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox: 2.3.3 and later

Fortinet Single Sign-On (FSSO): 5.0 build 0268 and later (needed for FSSO agent support of OU in group filters)
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Standard
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008 R2 64-bit
  • Windows Server 2012 Standard
  • Windows Server 2012 R2 Standard
  • Novell eDirectory 8.8

FortiExtender: 3.2.1

AV Engine: 6.00012

IPS Engine: 4.00021

Virtualization Environments:
  • Citrix: XenServer version 5.6 Service Pack 2; XenServer version 6.0 and later
  • Linux KVM: RHEL 7.1/Ubuntu 12.04 and later; CentOS 6.4 (qemu 0.12.1) and later
  • Microsoft: Hyper-V Server 2008 R2, 2012, and 2012 R2
  • Open Source: XenServer version 3.4.3; XenServer version 4.1 and later
  • VMware: ESX versions 4.0 and 4.1; ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV: The following NIC chipset cards are supported:
  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language support

The following table lists language support information.

GUI languages:
  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer for the supported operating systems.

Operating system and installers

Operating systems:
  • Linux CentOS 6.5 / 7 (32-bit & 64-bit)
  • Linux Ubuntu 16.04

Installer: 2336. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Microsoft Windows 7 SP1 (32-bit & 64-bit) and Microsoft Windows 8 / 8.1 (32-bit & 64-bit):
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59

Microsoft Windows 10 (64-bit):
  • Microsoft Edge
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit):
  • Mozilla Firefox version 54

OS X El Capitan 10.11.1:
  • Apple Safari version 9
  • Mozilla Firefox version 54
  • Google Chrome version 59

iOS:
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome

Android:
  • Mozilla Firefox
  • Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software:
  • Symantec Endpoint Protection 11
  • Kaspersky Antivirus 2009
  • McAfee Security Center 8.1
  • Trend Micro Internet Security Pro
  • F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software:
  • CA Internet Security Suite Plus Software
  • AVG Internet Security 2011
  • F-Secure Internet Security 2011
  • Kaspersky Internet Security 2011
  • McAfee Internet Security 2011
  • Norton 360™ Version 4.0
  • Norton™ Internet Security 2011
  • Panda Internet Security 2011
  • Sophos Security Suite
  • Trend Micro Titanium Internet Security
  • ZoneAlarm Security Suite
  • Symantec Endpoint Protection Small Business Edition 12.0

Resolved Issues

The following issues have been fixed in version 6.0.2. For inquiries about a particular bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
487946 MSS value increases when AV or WEB filter in use resulting in Packet too big message.
489308 scanunit process frequently crashes.
497371 Flow-AV blocks Windows updates (.cab files).

Application Control

Bug ID Description
423140 All IPS sessions lost when new custom signature added.

Authentication & User

Bug ID Description
477392 Cannot use FAC username password and FortiToken two-factor authenticate login HA slave unit.
481469 Failed to resolve hostname for configured CRL URL on a non-management VDOM.
488566 Renaming guest user group name doesn’t reflect under Guest administrator account assigned leads to black page.
491175 diag test application fnbamd 1 causes fnbamd to enter an idle state and causes authentication failure.
491235 New diag command diag test app wad 13.
491241 Enhance diag command diag test app fnbamd 1.
493470 Authenticated user receives Oops “Authentication requested” referencing a proxy policy which does not have authentication.
493930 Admins who use dedicated HA mgmt interfaces are not visible in the CLI.
495210 Guest user accounts do not show expiration time, but time until expiration only.
496524 After successful wired portal auth, the wired PC still gets many http redirection and fails to access the internet.

Connectivity

Bug ID Description
463982 FortiManager IP is unset in FortiGate CM.
479607 Scheduled auto-update happens twice in 10 seconds but a log entry for the first try is not logged.
481058 Configuration revision control list can’t be retrieved from FortiCloud.

DLP

Bug ID Description
478524 Diskless model missing full-archive-proto in config DLP sensor when only FortiCloud logging enabled.
486958 Scanunit signal 14 alarm clock caused by DLP scanning bz2 file.
492624 DLP blocking web sites in FortiOS v6.0 GA.
496255 Some XML-based MS Office files are recognized as ZIP files.

Firewall

Bug ID Description
474612 SNAT is using low ports below 1023.
475539 Inaccurate netflow export. Traffic measurements do not match with SNMP readings.
478681 Should be able to disable SNAT when a VIP exists and central-NAT is enabled.
492961 Set utm-status disable did not hide profile-group. Unset profile-group will make profile-protocol-options empty.
498188 Dirty_session_check in FortiGate drops all established VIP64 sessions.
502579 Local-In-Policies with FQDN address is not working after upgrade from 5.6 to 6.0.1.

FortiView

Bug ID Description
414172 HTTPsd / DNSproxy/ high CPU/memory with high rate UDP 1Byte spoofing traffic.

GUI

Bug ID Description
402457 Suggest to improve IPsec VPN monitor page Proxy ID Source and Proxy ID Destination fields.
413881 VDOM link tooltip displays Failed to retrieve info.
444104 Accept/Decline buttons cannot be seen in GUI with a long login disclaimer and screen under certain resolutions.
449598 Remote LDAP User Definition wizard does not pull users.
457627 Want the ability to change the date/time format displayed in the GUI of the FortiGate.
457721 FortiLink Switch-controller GUI – allow user to edit Port Description for FortiLink/ISL.
457966 Virtual wire pair > Add VLAN range filter on GUI.
460617 GUI FortiGuard Check Again button doesn’t work as expected due to FortiGuard service 8888/53 incorrectly routed.
462011 GUI is blank when accessed with RADIUS user with read-access profile and the FortiGate is managed by FortiManager.
462072 GUI should show full FQDN name in reputation search result.
468465 Some filters do not return logs when source is FortiCloud.
468797 Cannot filter by date or timestamp when viewing logs from FortiCloud.
469082 prof_admin profile admins are not able to display GUI IPv4 source address.
470241 Raw logs are downloaded from the default location even if you select another log device in GUI.
472023 Outbreak prevention detection makes “clean” counter increment in Advanced Threat Protection Stats widget.
472558 DHCP Server GUI – GUI populates wrong information when switching from DHCP Relay to DHCP Server.

473808 Column filter is not persistent and is removed after refreshing the page.
474807 Cannot restore default page in replacement message group.
475036 Virtual Server Duplicate Entry found error in GUI.
477393 Negative values in Load Balance monitor logs.
477870 Alias for modem interface present in GUI but not in CLI.
479468 The link status is lost after SD-WAN GUI changes to List Edit.
479937 GUI should hide options that don’t apply to certificate inspection.
481902 When accessing FortiView > Websites page, gets error Failed to get FortiView data and httpsd keeps crashing.
482628 CPU.Speculative.Execution.Timing.Information.Disclosure signature can’t be filtered if Application is selected.
489674 When scrolling to the end of a muTable, the GUI should show 100% of the entries.
489675 The Firefox web browser sometimes cannot delete performance SLA rules.
489715 Destination address should not be mandatory in GUI in SD-WAN Rules.
492898 Cannot delete FSSO AD group entries in GUI anymore.
493351 Object tooltip of last page should not always display on current page.
493773 SD-WAN rule in GUI unable to select (whether as source or destination) the address group grp_ citrixfarm.
494724 When creating trunk interface on managed FSW, FSW ports in right-side list show down, even when some are up.
496613 Editing web filter profile in GUI deletes web-proxy profile and URL filter entries.
497667 FortiSwitch Ports page loads very slowly.
502785 Remove # of interfaces from device list.

HA

Bug ID Description
408886 Uninterrupted upgrade from B718 to tag 9702 failed with 1.5M BGP routes and 6M sessions load.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is synced.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
474622 IPsec itn=0 after a unit joins an FGSP cluster.
482548 Conserve mode caused by hasync consuming most of memory.
485340 Cluster Uptime: -141 days -20:-31:-50.
486552 vcluster HA failover fails with large site-to-site IPsec VPN configuration on 3800D.
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA failover in 80/81E.
491311 Management port has sync’ed when creating a new NAT VDOM.
493759 When vcluster2 is removed from HA config, all active sessions are killed once session-ttl is reached.
494029 After failover, sometimes cannot connect to management-ip of backup device.
501147 Moving VDOM to virtual cluster from GUI causes cluster to go out of sync.

IPS

Bug ID Description
478185 Improve detection of fragmented intrusion attacks.
489557 Strange traceroute issues when IPS is enabled.

IPsec VPN

Bug ID Description
486756 Traffic is not fragmented for IPsec VPN when Proxy-based UTM is enabled.
489990 Make PKI validation of IDi & Certificate Identity optional.
490066 FortiClient with IPsec with Proxy / Webfilter – Fragmentation is needed.
491305 Packet from FortiClient cannot go through VXLAN over IPsec depending on packet size.
492046 FortiGate does not respond to INFORMATIONAL exchange message as requested by RFC.
493918 Memory leak with IKED.

Log & Report

Bug ID Description
459306 Suggest to lower Threat Level for oversized file.
493140 Need to see application signature names instead of LDS under Logs & Report > System event logs.
494040 Creating or modifying security profiles generate multiple logs with misleading action.
497357 FortiGate logs show the action as block when we use DNS filter and if a DNS query timeout happens.
498519 Web filter authentication failed to set status field in the event log message.

Proxy

Bug ID Description
479678 IPpool does not work properly in explicit Proxy-policy.
482916 WAD crashes with signal 6.
486821 Web application Symphony fails with AV profile enabled in policy.
487096 SSL handshake fails when activate ESET application.
491417 FortiGate is dropping server hello packets when URLFILTER is enabled.
491424 Adjust the proxy-auth-timeout default value and unit.
491630 With UTM enabled, client failed to get response from server, gets 500 Internal error.
494081 WAD process crashes with signal 11 after upgrading the firmware to v5.6.4.

Router

Bug ID Description
443948 High memory usage for zebos_launcher and isisd.
482631 OSPF adjacencies lost, FGFMD high CPU while pushing policies from FortiManager.
491423 BGP shutdown neighbor capability-default-originate parameter always in use.
491679 FortiGate chooses higher metric OSPF E2 route for traffic under some circumstance.
492063 Route map not able to set attribute with BGP conditional advertisement.
493454 Large PIM SM bootstrap packets are not forwarded with kernel 3.2.
494393 Router access list should not default to prefix any and exact match disable.
500673 SD-WAN rules with application do not work after HA switchover.

SSL VPN

Bug ID Description
466438 High CPU usage by sslvpnd.
483712 sslvpnd consumes high memory causing FortiGate to enter conserve mode.
486918 SSL VPN web mode unable to load the page correctly.
489827 In SSL VPN web mode, Visteon.service-now.com/vss URL is not loading.
491895 Web mode SSL VPN HTTP bookmark not working.
494948 Confluence software is not rendered correctly in web mode.
494960 SSL VPN web mode has trouble loading internal web application.
494978 authd registers SSL VPN user with wrong user/group information and breaking SSL VPN after upgrade to 5.6.4.
498249 Need update SCEP over SSL host name/certificate check.
501769 SSL VPN: Bookmark to internal web site not loading correctly – JavaScript errors.

Switch

Bug ID Description
493685 Hardware switch flooding traffic.

System

Bug ID Description
370953 SLBC worker blade failed to re-synchronize with the config master blade due to the frozen confsync daemon.
394509 No log entry for failed admin PKI authentication.
414081 SMB1 support is disabled by default on some models.
441483 Confused by set enable-shaper disable to enable HPE protection.
459273 Slave worker blade loses local administrator accounts.
462178 Front panel SPEED LED is flashing green when transmitting and receiving data.
466317 [api] is in Z state.
468938 Kernel panic on 3700D – slave.
472267 DNS filter performance improvement.
472270 SNMP feature for DNS filter counts.
473354 Suggest enable per-session-accounting on NP6Lite by default.
477886 PRP support.
479142 SLBC 5001D slave blade going out of sync.
481783 DHCP address assignment sometimes fails – DHCPD crashing multiple times.
485781 Deleting EMAC VLAN interface on a different VDOM causing connectivity loss to the EMAC VLAN for 5-7 pings.
493219 Softirq and nice are taking high CPU resources when sending and receiving packets with a virtual wire pair.
494603 FortiGate in transparent mode is not accessible over https/ssh (administrative access) once trusted host is configured.
494707 FortiGate trusthost settings not respected.
499332 No error message when configuring address .067 and address converted with .55.
499435 Allow packet sniffer to use RAM disk.
499793 FortiGate set wrong timezone for Paraguay.

Upgrade

Bug ID Description
495994 After upgrade to 5.4.9, observing a lot of IPS syntax errors on the console screen.

VM

Bug ID Description
493225 FTG-VM01 is missing diag sys mpstat command option.
499154 FortiGate Azure rejects static route configure pushing from FortiManager.
501911 In FOS-AWS prompt, user password = instance ID, and force user to change password upon initial log in.
471638 FortiGate disconnects all clients when they roam from AP to AP.
479415 Incorrect auth-success-page Authentication Success Page Replacement message.

VoIP

Bug ID Description
478634 Debug commands for SIP filter are not applied.

Web Filter

Bug ID Description
454634 Web filter set warning-prompt per-domain is warning per-category instead of per-domain.
476806 FortiOS incorrectly sends ICMP “Destination Unreachable” with WF/certificate inspection.
486171 The Web Rating Overrides option doesn’t work with flow-mode.
490377 The Web Rating Overrides option doesn’t work properly on proxy-based.
498231 Web sites such as FedEx.com are incorrectly categorized as malicious.

Web Proxy

Bug ID Description
500182 UDP over SOCKS proxy.

WiFi

Bug ID Description
491248 VAP RADIUS-based MAC authentication should support CoA.
491769 Support for third-party external portal with RADIUS MAC authentication.
495995 Custom categories override doesn’t work.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references

450553 FortiOS 6.0.2 is no longer vulnerable to the following CVE references:
  • CVE-2017-12150
  • CVE-2017-12151
  • CVE-2017-12163

487421 FortiOS 6.0.2 is no longer vulnerable to the following CVE reference:
  • CVE-2018-13365

495090 FortiOS 6.0.2 is no longer vulnerable to the following CVE reference:
  • CVE-2018-13366

496431 FortiOS 6.0.2 is no longer vulnerable to the following CVE reference:
  • CVE-2018-9192

499552 FortiOS 6.0.2 is no longer vulnerable to the following CVE reference:
  • CVE-2016-7431

Known Issues

The following issues have been identified in version 6.0.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
256264 Realtime session list cannot show IPv6 session and related issues.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.

FortiView

Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
453610 Fortiview->Policies(or Sources)->Now, it shows nothing when filtered by physical interface at PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
482045 FortiView – no data shown on Traffic from WAN.
494731 Incorrect reporting in Fortiview.

GUI

Bug ID Description
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
470589 The Forward Traffic Log Details panel Security tab does not display security log details when multiple log devices are enabled.
487350 FortiGuard Filtering Services Availability showing Unavailable on GUI when no valid Anti-spam license is present.
493839 Cannot change quota type (time-based, traffic-based).

HA

Bug ID Description
451470 Unexpected performance reduction in case of Inter-Chassis HA fail-back with enabling HA override.
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).
503433 hasync daemon crashes when admin session times out and cluster could be out of sync for a short period.

IPS

Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.

IPsec VPN

Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
466048 Huawei USB LTE E3276 cannot be detected.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
482497 Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.

Upgrade

Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and webfilter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name.

Web Filter

Bug ID Description
480003 FortiGuard category does not work in NGFW mode policy.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
      • XVA (recommended)
      • VHD
      • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, import problems may arise when using the QCOW2 format, and existing HDA issues may also occur.

