WiFi

Automatic all-SSID selection in FortiAP Profile (219347)

The SSID field in FortiAP Profiles now includes the option Automatically assign Tunnel-mode SSIDs. This eliminates the need to re-edit the profile when new SSIDs are created. You can still select SSIDs individually using the Select SSIDs option.

Automatic assignment of SSIDs is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP.

 

Improved override of FortiAP settings (219347 264010 264897)

The configuration settings of a FortiAP in WiFi Controller > Managed FortiAPs can override selected settings in the FortiAP Profile:

• Band and/or Channel
• Transmitter Power
• SSIDs
• LAN Port mode

 

Note that a Band override also overrides Channel selections.

In the CLI, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, and split tunneling settings.

 

Spectrum Analysis removed from FortiAP Profile GUI

Spectrum Analysis is no longer available in FortiAP Profiles in the GUI. It can be enabled in the CLI if needed.

 

Disable low data rates in 802.11a, g, n ac (297821)

To reduce air-time usage on your WiFi network, you can disable the use of low data rates which cause communications to consume more air time.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6,9,12, 18, 24, 36, 48, and 54

Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9,12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix “basic”, “12-basic” for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by MSC (Modulation and Coding Scheme) Index and the number of spatial streams.

• 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
• 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
• 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
• 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4

 

Here are some examples of setting basic and supported rates.

config wireless-controller vap edit <vap_name>

set rates-11a 12-basic 18 24 36 48 54 set rates-11bg 12-basic 18 24 36 48 54

set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4 set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3

end

 

WiFi and Switch controllers are enabled separately (275860)

In the Feature Store (System > Features), the WiFi Controller and Switch Controller are now separate. However, the Switch Controller must be enabled in order for the WiFi Controller to be visible.

In the CLI, the settings that enable the WiFi and Switch controllers have been separated:

config system global

set wireless-controller enable set switch-controller enable

end

 

The settings that enable the GUI display for those controllers have also been separated:

config system settings

set gui-wireless-controller enable set gui-switch-controller enable

end

 

Add Support of LLDP protocol on FortiAP to send switch and port information (283107)

You can enable LLDP protocol in the FortiAP Profile. Each FortiAP using that profile can then send back information about the switch and port that it is connected to. This information is visible in the optional LLDP column of the Managed FortiAP list. To enable LLDP:

config wireless-controller wtp-profile edit <profile-name>

set lldp enable end

 

WTP groups (278462)

You can define FortiAP Groups. Each group can contain FortiAPs of a single platform (model). These groups can be used in VLAN-pooling to assign APs to particular VLANs. Create a FortiAP Group in the CLI like this:

 

config wireless-controller wtp-group edit 1

set platform-type 320C

config wtp-list

edit FP320C3X14010828 next

edit FP320C3X14010830 end

end

The platform-type field is optional. If it is left empty, the group can contain FortiAPs of any model.

 

VLAN–pooling (278462)

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN

pool can

• assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or
• assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

WAN Optimization

Toggle Disk Usage for logging or wan-opt (290892)

Both logging and WAN Optimization use hard disk space to save data. For FortiOS 5.4 you cannot use the same hard disk for WAN Optimization and logging.

• If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
• If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

You can also change disk usage from the CLI using the following command:

configure system global

set disk-usage {log | wanopt}

end

 

The Toggle Disk Usage feature is supported on all new “E” Series models, while sup- port for “D” Series models may vary.

Please refer to the Feature Platform Matrix for more information.

Changing the disk setting formats the disk, erases current data stored on the disk and disables either disk logging or WAN Optimization.

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must go to System > Feature Select and turn on WAN Optimization.

Remote logging (including logging to FortiAnalyzer and remote Syslog servers) is not affected by using the single local hard disk for WAN Optimization.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

VDOMs

Stackable VDOM licenses (269153)

Using this feature you can purchase VDOM licenses for your FortiGate in multiples of 5 and increase the number of VDOM licenses that your FortiGate has incrementally over time. For example, you could add a 5 VDOM license to a 25 VDOM license and your FortiGate would now support up to 30 VDOMs. In the future you could add another 5 (or 10 or more).

For previous versions of FortiOS if you had a 25 VDOM license and wanted to increase the number of VDOMs you would have to purchase a 50 VDOM license, resulting in a total of 50 VDOMs.

This stackable VDOM licenses feature is backwards compatible with VDOM licenses purchased for older versions of FortiOS. For example, if you purchased a 25-VDOM license for your FortiGate running FortiOS 5.2.x, when you upgrade to FortiOS 5.4.x you can purchase 5 more VDOM licenses so that your FortiGate running FortiOS 5.4.x now supports up to 30 VDOMs.

 

Support execution of global CLI commands from within VDOMs (262848)

A new CLI command, sudo, allows the running of global commands from within the vdom context of the

CLI.This means that the user no longer has to:

1. exit from the VDOM

2. enter global

3. run the command

4. return to the previous VDOM The syntax for the command is:

sudo {global | vdom-name} {diagnose | execute | show | get}

These commands will only work if the user already has permissions to run the command. Unlike the the sudo command in some other operating systems like Linux, this command does not allow the user to run programs with the privileges of another user.

 

GUI features can now be enabled and disabled per VDOM (263708 273799 266028)

When VDOMs are enabled, most of the items in the Features section of the menu are moved to a similar menu section within the VDOM menu and are now customizable on a per VDOM basis. Some items such as IPv6 and Certificates are still configured on a global basis.

From the GUI, you can enable or disable GUI features from System > Feature Select.

From the CLI, GUI items that are enabled or disabled per-VDOM are configured from the config system settings command. GUI items that are enabled globally are enabled or disabled from the config system global command.

Turning these features on or off does not enable or disable the feature but determines whether or not that option is

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

System

 

New role property on interfaces (294385)

Interfaces now have a property called ‘role’ which affects visibility and suggests different default options depending on it’s value.

• WAN – this interface is used to connect to the internet.
• LAN – this interface is used to connect to local network of endpoints.
• DMZ – this interface is used to connect to servers.
• Undefined – This interface has a custom role which isn’t one of the above.

 

Interface roles affect visibility of properties and features (295736)

Depending on an interfaces role, some properties may set to a default value and the visibility of others may be set to show or hide in the GUI.

 

Toggle automatic authorization of extension devices (294966)

When an interface is configured to be dedicated to an extension device, a new option appears to auto-authorize extension devices.

 

Support for new modem added (293598)

Support for the Linktop LW273 modem has been added.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SSL VPN

Significant SSL VPN web portal improvements (287328, 292726, 299319)

Significant updates and improvements have been made to the SSL VPN web portal in preparation for future browser updates, and in order to support all browsers:

• SSL VPN web portal redesigned.
• SSL VPN tunnel mode widget no longer works in the web portal.The tunnel mode widget used a deprecated NPAPI plugin mechanism to send the tunnel client to the browser for local system execution—this is a popular exploitation vector. FortiClient is now required for tunnel mode SSL VPN.
• SSL VPN Web mode RDP Native java applet removed.
• Removed unnecessary options from RDP bookmark and changed to HTML5 RDP.
• Cache cleaning function has been removed.

Implement post-authentication CSRF protection in SSL VPN web mode (287180)

This attribute can enable/disable verification of a referer in the HTTP request header in order to prevent a Cross- Site Request Forgery attack.

Syntax:

config vpn ssl settings

set check-referer [enable|disable]

end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Session–aware Load Balancing (SLBC)

 

GUI support for SSL VPN and WiFi controller in SLBC mode (246481)

SSL VPN and WiFi controller GUI pages now appear on the worker GUI when operating in SLBC mode.

 

Add an option to force IPsec to use NAT Traversal (275010)

Add a new option for NAT. If NAT is set to forced, then the worker will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Security Profiles

FortiClient Endpoint Profile improvements and new features (285443 275781 287137)

• 275781: New options available in FortiClient Profiles.
• 285446: VPN can be configured on the GUI either on IPsec VPN or SSL–VPN and changes can be preserved.
• 287137: In the Mobile tab, .mobileconfig files can be configured and Client VPN Provisioning can be enabled.

 

FortiClient Enforcement added to Interfaces (253933)

FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.

 

To enforce FortiClient endpoint registration – web-based manager:

1. Go to System > Feature Select and enable Endpoint Control.

2. Go to Network > Interfaces and select the internal interface.

3. Under Restrict Access, enable FortiHeartBeat.

4. Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients.

 

FortiClient exempt list improvements (268357 293191)

• 268357: Before you could only configure captive portal policy addresses in the CLI, but it can now be performed in the GUI.
• 293191: Exempt List has been replaced with Exempt Sources, and Exempt Destinations/Services has been added (once an interface has been set to captive portal). Before it was only possible to configure the FortiGate interface port to captive portal through the CLI, but it can now also be performed in the GUI.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Networking

Internet-Service database (288672 281333 291858)

Go to Policy & Objects > Internet Service Database to view the Internet Service Database. The database contains detailed information about services available on the Internet such as DNS servers provided by Adobe, Google, Fortinet, Apple and so on and a wide range of other services. For each service the database includes the IP addresses of the servers that host the service as well as the port and protocol number used by each IP address.

 

Interfaces assigned to Virtual Wired Pairs don’t have “roles” (296519 )

Assigning an interface to be part of a virtual wire pairing will remove the “role” value from the interface.

 

FortiHeartBeat replaces FortiClient Access and other FortiClient interface settings (299371)

To configure an interface to listen for connections from devices with FortiClient installed, enable FortiHeartBeat

Administrative Access. FortiHeartBeat was called FCT-Access or FortiClient Access in FortiOS 5.2.

After enabling FortiHeartBeat, under Admission Control you can select Enforce FortiHeartBeat for all FortiClients to require clients to have FortiClient installed to be able to get access through the FortiGate. If you enable this feature you should also go to Security Profiles > FortiClient Profiles and configure FortiClient Profiles. Then you should add the configured FortiClient Profiles to firewall policies with device detection.

Use the following CLI command to enable FortiHeartBeat on an interface and enable enforcing FortiHeartBeat for all FortiClients:

config system interface edit port1

set listen-forticlient-connection enable set endpoint-compliance enable

end

After enabling FortiHeartBeat, you can also enable DHCP server and turn on FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (go to Monitor > FortiClient Monitor).

 

Use the following CLI command to enable FortiClient on-net status for a DHCP server added to the port1 interface:

config system dhcp server edit 1

set interface port1

set forticlient-on-net-status enable end

 

STP (Spanning Tree Protocol) support for models with hardware switches (214901 291953)

STP used to be only available on the old style switch mode for the internal ports. It is now possible to activate STP on the hardware switches found in the newer models. These models use a virtual switch to simulate the old Switch Mode for the Internal ports.

The syntax for enabling STP is as follows:

config system interface edit lan

set stp [enable | disable]

end

 

Command to determine interface transceiver optical signal strength (205138 282307)

The ew get system interface transceiver command can be used to determine optical signal strength when using SFP/SFP+ modules. The command can be used for trouble shooting fiber optic connections to

service providers. This command is hardware dependent and currently supported by FortiGate models that include various SPF/SFP+ interfaces including the FortiGate-100D/200D- POE/400D/500D/900D/1000D/1200D/1500D/3700D/3700DX) models.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!