Logging and Reporting

 

New Features

A new error log message is recorded when the Antispam engine request does not get a response from FortiGuard (265255)

Error code is ‘sp_ftgd_error‘.

 

New Report database construction (280398 267019)

This will improve performance with reports and FortiView without requiring any configuration changes.

 

Communication between FortiGate and FortiAnalyzer supports IPv6 addresses (245620)

When configuring your FortiGate to send logs to a FortiAnalyzer you can specify an IPv4 or an IPv6 address.

 

Context menu on Log & Report > Forward Traffic has been updated (293188)

Now includes Policy Table and Device Quarantine controls.

 

Filtering allows control of the log messages sent to each log device (262061)

This includes disk log, memory log, FortiAnalyzer and syslog servers and allows inclusion/exclusion based on type, severity, and log ID.

 

Use the following CLI command:

 

config log <device> filter

set filter <new-filter-settings>

set filter-type <include | exclude>

end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Load balancing

ChaCha20 and Poly1305 cipher suites added for SSL load balancing (264785)

FortiOS 5.4 adds support for ChaCha20 and Poly1305 for SSL load balancing (see RFC 7539 for information about ChaCha20 and Poly1305). You can use the following command to view the complete list of supported cipher suites:

 

config firewall vip edit <vip-name>

set type server-load-balance set server-type https

set ssl-algorithm custom config ssl-cipher-suites

edit 0

set cipher ?

In most configurations the matching cipher suite is automatically selected.

All of these cipher suites are available to all of FortiOS’s implementations of SSL but the complete list of supported cipher suites is only viewable using the above command.

You can also use the above command to limit the set of cipher suites that are available for a given SSL offloading configuration. For example, use the following command to limit an SSL load balancing configuration to use the three cipher suites that support ChaCha20 and Poly1305:

config firewall vip edit <vip-name>

set type server-load-balance set server-type https

set ssl-algorithm custom config ssl-cipher-suites

edit 1

set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 next

edit 2

set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 next

edit 3

set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 end

end

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6

 

DHCPv6 server is configurable in delegated mode (295007)

Downstream IPv6 interfaces can receive address assignments on delegated subnets from a DHCP server that serves an upstream interface.

 

DHCPv6-PD configuration

Enable DHCPv6 Prefix Delegation on upstream interface (port10):

config system interface edit “port10”

config ipv6

set dhcp6-prefix-delegation enable end

end

 

Assign delegated prefix on downstream interface (port1). Optionally, specific delegated prefixes can be specified:

 

config system interface edit “port1”

config ipv6

set ip6-mode delegated

set ip6-upstream-interface “port10” set ip6-subnet ::1:0:0:0:1/64

set ip6-send-adv enable

config ipv6-delegated-prefix-list edit 1

set upstream-interface “port10” set autonomous-flag enable

set onlink-flag enable

set subnet 0:0:0:100::/64 end

end end

 

 

DHCPv6 Server configuration

Configuring a server that uses delegated prefix and DNS from upstream:

 

config system dhcp6 server edit 1

set dns-service delegated set interface “wan2”

set upstream-interface “wan1” set ip-mode delegated

set subnet 0:0:0:102::/64 end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPsec VPN

 

IKE/IPsec Extended Sequence Number (ESN) support (255144)

This feature implements negotiation of 64-bit Extended Sequence numbers as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2.

 

Updates and enhancements to the IPsec VPN wizard (222339 290377 287021 289251)

The IPsec VPN wizard has been simplified to more clearly identify tunnel template types, remote device types, and NAT configuration requirements. Example topological diagrams are now also included.

New Dialup – FortiGate and Dialup – Windows (Native L2TP/IPsec) tunnel template options.

 

Cisco compatible keep-alive support for GRE (261595)

The FortiGate can now send a GRE keep-alive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.

 

Syntax

config system gre-tunnel edit <id>

set keepalive-interval <value: 0-32767>

set keepalive-failtimes <value: 1-255>

next end

 

Repeated Authentication in Internet Key Exchange (IKEv2) Protocol (282025)

This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key).

This solution is in response to RFC 4478. As described by the IETF, “the purpose of this is to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer”.

 

Syntax

config vpn ipsec phase1-interface edit p1

set reauth [enable | disable]

next end

 

Improvements to IPsec VPN in ADVPN hub-and-spoke (275322)

IPsec VPN traffic is now allowed through a tunnel between an ADVPN hub-and-spoke config vpn ipsec phase1-interface edit “int-fgtb”

…

set auto-discovery-sender [enable | disable] set auto-discovery-receiver [enable | disable] set auto-discovery-forwarder [enable | disable]

… next

end

config vpn ipsec phase2-interface edit “int-fgtb”

…

set auto-discovery-sender phase1 [enable | disable]

… next

end

 

 

ADVPN support for NAT device (299798)

The ADVPN feature has been extended so that it allows ADVPN shortcuts to be negotiated as long as one of the devices is not behind NAT.

The on-the-wire format of the ADVPN messages was changed so that they use TLV encoding. Since the on-the- wire format has changed this is not compatible with any previous ADVPN builds.

 

 

AES–GCM support (281822)

AES-GCM (128 | 256) AEAD has been added, as specified in RFC 4106:

config vpn ipsec phase1-interface edit “tofgta”

…

set suite-b disable | suite-b-gcm-128 | suite-b-gcm-256

… next

end

config vpn ipsec phase2-interface

edit “tofgta”

set phase1name “tofgta”

set proposal aes128gcm aes256gcm

… next

end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

High Availability

FGCP supports BFD enabled BGP graceful restart after an HA failover (255574)

If an HA cluster is part of a Border Gateway Protocol (BGP) bidirectional forwarding detection (BFD) configuration where both the cluster and the BGP static neighbor are configured for graceful restart, after an HA failover BGP enters graceful restart mode and both the cluster and the BGP neighbor keep their BGP routes.

To support HA and BFD enabled BGP graceful:

l  From the cluster, configure the BFD enabled BGP neighbor as a static BFD neighbor using the config router bfd command.Set the BGP auto-start timer to 5 seconds so that after an HA failover BGP on the new primary unit waits for 5 seconds before connect to its BFD neighbors, and then registers BFD requests after establishing the connections. With static BFD neighbors, BFD requests and sessions can be created as soon as possible after the failover.The command get router info bfd requests shows the BFD peer requests.

l  The BFD session created for a static BFD neighbor/peer request initializes its state as INIT instead of DOWN and its detection time as bfd-required-min-rx * bfd-detect-mult msecs.

l  When a BFD control packet with a nonzero Your Discriminator (your_discr) value is received, if no session can be found to match the your_discr, instead of discarding the packet, other fields in the packet, such as addressing information, are used to choose one session that was just initialized, with zero as its remote discriminator.

l  When a BFD session in the UP state receives a control packet with zero as Your Discriminator and DOWN as State, the session changes its state to DOWN but will not notify this DOWN event to BGP and/or other registered clients.

 

FRUP is not supported by FortiOS 5.4 (295198)

With the changes to switch mode, FRUP is no longer available on the FortiGate-100D.

 

VOIP application control sessions are no longer blocked after an HA failover (273544)

After an HA failover, VoIP sessions that are being scanned by application control will now continue with only a minor interruption, if any. To support this feature, IPS UDP expectation tables are now synchronized between cluster units.

 

Firewall local-in policies are supported for the dedicated HA management interface (276779

246574)

To add local in polices for the dedicated management interface, enable ha-mgmt-inft-only and set intf to any. Enabling ha-mgmt-intf-only means the local-in policy applies only to the VDOM that contains the dedicated HA management interface.

 

config firewall local-in-policy edit 0

set ha-mgmt-intf-only enable set intf any

etc… end

 

 

 

 

HA heartbeat traffic set to the same priority level as data traffic (276665)

Local out traffic, including HA heartbeat traffic, is now set to high priority to make sure it is processed at the same priority level as data traffic. This change has been made because HA heartbeat traffic can be processed by NP6 processors that are also processing data traffic. When HA heartbeat traffic was set to a lower priority it may have be delayed or dropped by very busy NP6 processors resulting in HA failovers.

 

FGSP CLI command name changed (262340)

The FortiOS 5.2 command config system session-sync has been changed in FortiOS 5.4 to config system cluster-sync. Otherwise the command syntax is the same and the config system ha commands used for FGSP settings have not changed.

 

FGSP now supports synchronizing IPsec sessions (262340)

The FGSP now synchronizes IPsec tunnels between FortiGates in an FGSP configuration. IPsec tunnel synchronization synchronizes keys and other run time data between the FortiGates in an FGSP configuration. No additional configuration is required to synchronize IPsec sessions. Also you cannot disable IPsec tunnel synchronization.

 

The FGSP synchronizes IPsec keys and other runtime data but not actual tunnel sessions. This means that if one of the cluster units goes down the cluster unit that is still operating can quickly get IPsec tunnels re-established without re-negotiating them but all existing tunnel sessions on the failed FortiGate have to be restarted on the still operating FortiGate.

IPsec tunnel sync only supports dialup IPsec. The interfaces on both FortiGates that are tunnel endpoints must have the same IP addresses and external routers must be configured to load balance IPsec tunnel sessions to the FortiGates in the cluster.

 

Monitoring VLAN interfaces (220773)

When operating in HA mode and if you have added VLAN interfaces to the FortiGates in the cluster, you can use the following command to monitor all VLAN interfaces and send a message if one of the VLAN interfaces is found to be down.

 

config system ha-monitor

set monitor-vlan enable/disable

set vlan-hb-interval <interval_seconds>

set vlan-hb-lost-threshold <vlan-lost-heartbeat-threshold>

end

Once configured, this feature works by verifying that the primary unit can connect to the subordinate unit over each VLAN. This verifies that the switch that the VLAN interfaces are connected to is configured correctly for each VLAN. If the primary unit cannot connect to the subordinate unit over one of the configured VLANs the primary unit writes a link monitor log message indicating that the named VLAN went down (log message id 20099).

 

FortiGate HA cluster support for managed switches (276488 266084)

Added the capability to support managed switches from a FortiGate HA cluster. If a standby FortiGate becomes active, it automatically establishes connectivity with the managed switches. See Managing a FortiGate with a FortiSwitch for details.

 

HA cluster health displayed on the Unit Operation dashboard widget (260547)

The Unit Operation dashboard widget now includes the serial number and hostname of all of the FortiGate units in the cluster as well as an indication of the sync status of each cluster member.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Hardware acceleration

NP6 diagnose commands and get command changes (288738)

You can use the get hardware npu np6 command to display information about the NP6 processors in your FortiGate and the sessions they are processing. This command contains a subset of the options available from the diagnose npu np6 command. The command syntax is:

get hardware npu np6 {dce <np6-id> | ipsec-stats | port-list | session-stats <np6-id> |

sse-stats <np6-id> | synproxy-stats}

<np6-id> identifies the NP6 processor. 0 is np6_0, 1 is np6_1 and so on. dce show NP6 non-zero sub-engine drop counters for the selected NP6. ipsec-stats show overall NP6 IPsec offloading statistics.

port-list show the mapping between the FortiGate’s physical ports and its NP6 processors.

session-stats show NP6 session offloading statistics counters for the selected NP6.

sse-stats show hardware session statistics counters.

synproxy-stats show overall NP6 synproxy statistics for TCP connections identified as being syn proxy DoS attacks.

 

NP6 session accounting enabled when traffic logging is enabled in a firewall policy (268426)

By default, on a FortiGate unit with NP6 processors, when you enable traffic logging in a firewall policy this also enables NP6 per-session accounting. If you disable traffic logging this also disables NP6 per-session accounting. This behavior can be changed using the following command:

config system np6 edit np6_0

set per-session-accounting {disable | all-enable | enable-by-log}

end

By default, per-session-accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or set all- enable to enable per-session accounting whether or not traffic logging is enabled. Note that this configuration is set separately for each NP6 processor.

When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as

NP sessions:

You can hover over the NP icon to see some information about the offloaded sessions.

 

Determining why a session is not offloaded (245447)

You can use the diagnose sys session list command to get information about why a session has not been offloaded to an NP4 or NP6 processor.

If a session has not been offloaded the session information displayed by the command includes no_ofld_ reason followed by information to help you determine the cause. To take a simple example, an HTTPS session connecting to the GUI could have a field similar to no_ofld_reason: local. This means the session is a local session that is not offloaded.

The no_ofld_reason field only appears if the session is not offloaded and includes information to help determine why the session is not offloaded. For example,

no_ofld_reason: redir-to-av redir-to-ips non-npu-intf

Indicates that the session is not offloaded because it was redirected to virus scanning (redir-to-av), IPS (redir-to-ips), and so on.

IPsec pass-through traffic is now offloaded to NP6 processors (253221)

IPsec traffic that passes through a FortiGate without being unencrypted is now be offloaded to NP6 processors.

 

Disabling offloading IPsec Diffie-Hellman key exchange (269555)

You can use the following command to disable using ASIC offloading to accelerate IPsec Diffie-Hellman key exchange for IPsec ESP traffic. By default hardware offloading is used. For debugging purposes or other reasons you may want this function to be processed by software.

Use the following command to disable using ASIC offloading for IPsec Diffie Hellman key exchange:

config system global

set ipsec-asic-offload disable end

 

FortiGate–3700DX TP2 processors support GTP offloading (294212)

The FortiGate-3700DX contains two TP2 processors that provide GTP offloading. GTPu traffic is forwarded from NP6 processors to TP2 processors. The TP2 processors filter the encapsulated traffic and send the approved GTPu traffic back to the NP6.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate VM

You can reset FortiGate VMs to factory defaults without deleting the VM license (280471)

New command , execute factoryreset keepvmlicense, resets FortiGate VMs to factory defaults without deleting the VM license.

FortiGate VM Single Root I/O Virtualization (SR-IOV) support (275432)

SR-IOV is a specification that allows a PCIe device to be treated as multiple separate PCIe devices.This feature will enable better performance with Intel based servers across multiple VM platforms, including Citrix and AWS. In fact, AWS has optimized some instance types to take advantage of this feature.

 

VM License Check Time Extension (262494)

VM license check time has been extended from 24 hours to 5 days.

 

Integrate VMtools Into FortiGate-VM for VMware (248842)

The following VMtools sub set of features has been integrated into the FortiGate-VM for VMWare images:

• Start
• Stop
• Reboot
• IP state in vCenter

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!