
SSL VPN (5.6)

New SSL VPN features added to FortiOS 5.6.

Remote desktop configuration changes (410648)

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However, there may be instances where the user wants to use a blank password, even though this is strongly discouraged. If a username is provided but the password is empty, the CLI displays a warning. See the example CLI below, where the warning appears as a caution before the command finishes:

config vpn ssl web user-group-bookmark
    edit <group-name>
        config bookmarks
            edit <bookmark-name>
                set apptype rdp
                set host 172.16.200.121
                set security nla
                set port 3389
                set logon-user <username>
            next
        end
Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.
    next
end

If no username (logon-user) is specified, the following warning message appears:

Please enter user name for RDP security method NLA.
object set operator error, -2010 discard the setting
Command fail. Return code -2010

SSL VPN supports WAN link load balancing interface (396236)

A new CLI command sets virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows users to log into a FortiGate via SSL VPN for traffic inspection and then have their outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy
    edit <example>
        set dstintf virtual-wan-link
    next
end

SSL VPN login timeout to support high latency (394583)

With long network latency, the FortiGate can time out the client before it finishes negotiation processes such as DNS lookup and entering a token. Two new CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard-coded timeout value. The second command sets the SSL VPN maximum DTLS hello timeout.

CLI syntax

config vpn ssl settings
    set login-timeout [10-180]        Default is 30 seconds.
    set dtls-hello-timeout [10-60]    Default is 10 seconds.
end

SSL VPN supports Windows 10 OS check (387276)

A new CLI field has been added to the os-check-list under config vpn ssl web portal to allow OS checking for Windows 10.

CLI syntax

config vpn ssl web portal
    edit <example>
        set os-check enable
        config os-check-list
            edit windows-10
                set action {deny | allow | check-up-to-date}
            next
        end
    next
end

SSL VPN DNS suffix per portal and number of portals (383754)

A new CLI command under config vpn ssl web portal implements a DNS suffix per SSL VPN portal. The suffix set for a specific portal overrides the dns-suffix setting under config vpn ssl settings.

This feature also raises bookmark limits and the number of portals that can be supported, depending on what FortiGate series model is used:

  • 650 portals on 1000D series
  • 1300 portals on 2000E series
  • 2600 portals on 3000D series

The previous limit for 1000D series models, for example, was 256 portals.

CLI syntax

config vpn ssl web portal
    edit <example>
        set dns-suffix <string>
    next
end

New SSL VPN timeout settings (379870)

New SSL VPN timeout settings have been introduced to counter the ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities, which allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution adds two attributes (http-request-header-timeout and http-request-body-timeout).

CLI syntax

config vpn ssl settings
    set http-request-header-timeout [1-60]    (seconds)
    set http-request-body-timeout [1-60]      (seconds)
end

Personal bookmark improvements (377500)

You can now move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark
    edit 'name'
        config bookmarks
            move bookmark1 after/before
            clone bookmark1 to
        end
    next
end

New controls for SSL VPN client login limits (376983)

The limit on SSL VPN user login failures has been reworked by linking the SSL VPN user setting with config user settings, and a new option removes the SSL VPN login attempt limitation altogether. New CLI commands allow the administrator to configure how many times wrong credentials are accepted before the SSL VPN server blocks an IP address, and how long the block lasts.

CLI syntax

config vpn ssl settings
    set login-attempt-limit [0-10]        Default is 2.
    set login-block-time [0-86400]        Default is 60 seconds.
end
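The RDP NLA empty-password warning, the Slowloris/R-U-Dead-Yet timeouts and the login-attempt limit above are all things a reviewer would want to check in a saved configuration. The following is an added example, not Fortinet code: it parses the config/edit/set/next/end block format shown on this page into nested dicts and flags those three settings. The attribute name logon-password and the sample configuration are assumptions of this example.

```python
# Added example, not Fortinet code; the 'logon-password' attribute name is an assumption.
import shlex

def parse_fortios(text):
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words: continue
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):      # open a nested table keyed by its name
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif cmd == "set":                 # store the attribute's values as a list
            cur[args[0]] = args[1:]
        elif cmd in ("next", "end"):       # close the current table
            cur = stack.pop()
    return root

def audit_ssl_vpn(cfg):
    """One finding per weak setting; absent keys fall back to the page's defaults."""
    findings, s = [], cfg.get("vpn ssl settings", {})
    if s.get("login-attempt-limit", ["2"]) == ["0"]:  # default 2; 0 disables the limit
        findings.append("login-attempt-limit 0: failed logins never block the source IP")
    for attr in ("http-request-header-timeout", "http-request-body-timeout"):
        if attr not in s:  # the Slowloris / R-U-Dead-Yet mitigations from this page
            findings.append(f"{attr} unset: partial HTTP requests are not timed out")
    for group, entry in cfg.get("vpn ssl web user-group-bookmark", {}).items():
        for name, bm in entry.get("bookmarks", {}).items():
            if bm.get("security") == ["nla"] and not bm.get("logon-password"):
                findings.append(f"bookmark {name} ({group}): NLA with an empty password")
    return findings

# Constructed sample config: lockout limit 0, no HTTP timeouts, NLA bookmark without password
SAMPLE = """\
config vpn ssl settings
    set login-attempt-limit 0
end
config vpn ssl web user-group-bookmark
    edit "rdp-users"
        config bookmarks
            edit "jump-host"
                set apptype rdp
                set security nla
                set logon-user "svc-rdp"
            next
        end
    next
end
"""
```

Running `audit_ssl_vpn(parse_fortios(SAMPLE))` yields four findings for the sample: the disabled login limit, both missing timeouts, and the NLA bookmark.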

Unrated category removed from ssl-exempt (356428)

The “Unrated” category has been removed from the SSL Exempt/Web Category list.

Clipboard support for SSL VPN remote desktop connections (307465)

A remote desktop clipboard viewer pane has been added which allows users to copy, interact with, and overwrite remote desktop clipboard contents.

SSL VPN (5.6.1)

New SSL VPN features added to FortiOS 5.6.1.

Added a button to send Ctrl-Alt-Delete to the remote host for VNC and RDP desktop connections (401807)

Previously, users were unable to send Ctrl-Alt-Delete to the host machine in an SSL VPN remote desktop connection.

FortiOS 5.6.1 adds a new button that allows users to send Ctrl-Alt-Delete in remote desktop tools (this also fixes 412456: the SSL VPN realm is now preserved after a session timeout prompts a logout).

Improved SSL VPN Realms page (0392184)

Implemented minor functional changes to the dialog on the SSL VPN > Realms page:

  • URL preview uses an info message similar to that seen on the SSL VPN settings dialog.
  • Virtual-Host input is now visible when set in the CLI.
  • Added a help tooltip describing what the virtual-host property does.

Customizable FortiClient Download URL in SSL VPN Web Portal (437883)

A new attribute, customize-forticlient-download-url, is added to vpn.ssl.web.portal.

The added attribute indicates whether to support a customizable download URI for FortiClient. It is disabled by default. If enabled, two other attributes, windows-forticlient-download-url and macos-forticlient-download-url, appear, through which the user can customize the download URI for FortiClient.

Syntax

config vpn ssl web portal
    edit <portal>
        set customize-forticlient-download-url {enable | disable}
        set windows-forticlient-download-url <custom URL for Windows>
        set macos-forticlient-download-url <custom URL for Mac OS>
    next
end

Added split DNS support for SSL VPN (434512)

Split DNS is now supported for SSL VPN. This feature allows you to specify which domains will be resolved by the DNS server specified by the VPN while all other domains will be resolved by the locally specified DNS.

This feature is useful in both Enterprise and MSP scenarios (when hosting multiple SSL VPN portals).

Syntax

config vpn ssl web portal
    edit <name>
        config split-dns-domains
            edit 1
                set domains "abc.com, cde.com"
                set dns-server1 192.168.1.1
                set dns-server2 192.168.1.2
                set ipv6-dns-server1 2000:2:3:4::5
                set ipv6-dns-server2 2000:2:3:4::6
            next
            …
        end
    next
end

Support SSL VPN function in browsers without plugins: Citrix/RDPNative/Port forward (437886)

Syntax

config vpn ssl web user-bookmark
    edit <name>
        config bookmarks
            edit "rdpnative"
                set apptype rdpnative
                set description "rdpnative"
                set host "172.16.68.188"
                set additional-params ''
                unset full-screen-mode
                set screen-height 768
                set screen-width 1024
            next
        end
    next
end

SSL VPN SSO Support for HTML5 RDP (417248)

This feature adds support for SSO from the SSL VPN portal to an RDP bookmark. If SSO is used, the credentials used to log in to SSL VPN are automatically used when connecting to a remote RDP server.

Syntax

config vpn ssl web user-bookmark
    edit <name>
        config bookmarks
            edit <name>
                set apptype rdp
                set host "x.x.x.x"
                set port <value>
                set sso [disable | auto]
            next
        end
    next
end

Session-aware Load Balancing (SLBC) (5.6.1)

New SLBC features added to FortiOS 5.6.1.

FortiController-5000 series independent port splitting (42333)

FortiOS 5.6.1 supports splitting some 40G FortiController front panel fiber channel interfaces into 10G ports. In previous versions of FortiOS this configuration was not supported and all FortiController fiber channel front panel interfaces had to operate at the same speed.

Server Load balancing (5.6)

New load balancing features added to FortiOS 5.6.

IPv6, 6to4, and 4to6 server load balancing (280073)

Server load balancing is supported for:

  • IPv6 VIPs (config firewall vip6)
  • IPv6 to IPv4 (6to4) VIPs (config firewall vip64)
  • IPv4 to IPv6 (4to6) VIPs (config firewall vip46)

Configuration is the same as IPv4 VIPs, except support for advanced HTTP and SSL related features is not available. IPv6 server load balancing supports all the same server types as IPv4 server load balancing (HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, and IP). IPv4 to IPv6 and IPv6 to IPv4 server load balancing supports fewer server types (HTTP, TCP, UDP, and IP).

Improved Server load balancing GUI pages (404169)

Server load balancing GUI pages have been updated and now include more functionality and input verification.

Server Load balancing (5.6.1)

New load balancing features added to FortiOS 5.6.1.

Add server load balancing real servers on the Virtual Server GUI page (416709)

In previous versions of the FortiOS GUI, after adding a Virtual Server you would go to Policy & Objects > Real Servers to add real servers and associate each real server with a virtual server.

In FortiOS 5.6.1 you now go to Policy & Objects > Virtual Servers, configure a virtual server, and then from the same GUI page add real servers to the virtual server. In addition, on the Virtual Server GUI page the option Outgoing Interface is renamed Interface and the load balancing method Source IP Hash has been renamed Static.

FortiGate conserve mode changes (242562, 386503)

The following changes were made to rework conserve mode and facilitate its implementation:

  • Implemented CLI commands to configure extreme, red, and green memory usage thresholds as percentages of total RAM. Memory used is the criterion for these thresholds, set at 95% (extreme), 88% (red) and 82% (green).
  • Removed the av_conserve_mode structure and made other kernel changes to obtain and set memory usage thresholds from the kernel.
  • Added the conserve mode diagnostic command diag hardware sysinfo conserve, which displays information about memory conserve mode.
  • Fixed conserve mode logs in the kernel.
  • Added conserve mode stats to the proxy daemon, shown by the command diag sys proxy stats all | grep conserve_mode.