IPv6 (5.6)

New IPv6 features added to FortiOS 5.6.

FortiGate can reply to an anycast probe from the interface’s unicast address (308872)

A new setting has been added within the CLI that can enable the FortiGate to reply to an anycast probe from the FortiGate’s unicast IP address. config system global set ipv6-allow-anycast-probe [enable|disable] end

Enable: Enable probing of IPv6 address space through Anycast, by responding from the unicast IP address Disable: Disable probing of IPv6 address space through Anycast

Secure Neighbor Discovery (355946)

Additional settings have been added to the configuration for interfaces with IPv6 so that they comply more closely to the parameters of RFC 3971

The context of the new settings is

config system interface edit <interface> config ipv6 The new options with IPv6 are:

ndmode

Neighbor discovery mode set ndmode [basic | SEND]

Basic: Does not support SEND. SEND-compatible: Supports SEND.

nd-cert

Neighbor discovery certificate

set nd-cert <string of Name of certificate to be used> Example string: “Fortinet_Factory local” n-security-level

Neighbor discovery security level set nd-security-level <integer> IPv6

• Integer values from 0 – 7 l 0 = least secure l 7 = most secure l default = 0 nd-timestamp-delta –

Neighbor discovery timestamp delta value set nd-timestamp-delta <integer of time in seconds>

• Range: 1 – 3600 sec l default = 300 nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor set nd-timestamp-fuzz <integer of time in seconds>

• Range: 1 – 60 sec l default = 1

Additional related technical information Kerenl l Redirects ICMPv6 packets to user space if they require SEND options verification or build.

Radvd

• Verifies NS/RS SEND options including CGA, RSA, Timestamp, NONCE, etc. Daemon also creates neighbor cache for future timestamp checking, any entry gets flushed in 4 hours.
• Helps kernel build NA/RA SEND options including CGA, RSA, Timestamp, NONCE, etc. CGA parameters are kept in cache for each interface. CGA modifier is kept in CMDB.

Diagnose command for radvd diag test application radvd

• Shows statistics l Toggles message dump

Add multicast-PMTU to allow FGT to send ICMPv6 Too Big Message (373396)

New multicast-PMTU feature added to better comply with RFC 4443.

Normally, a “Packet Too Big” icmp6 message is sent by a routing device in response to a packet that it cannot forward because the packet is larger than the MTU of the outgoing link. For security reasons, these message may be disabled because attackers can use the information about a victim’s ip address as the source address to do IP address spoofing.

IPv6 (5.6)

In FortiOS’s implementation of this function, a setting in the CLI, has been added to make this behavior optional on the FortiGate.

The syntax for the option is:

config router multicast6 set multicast-PMTU [enable|disable] end

Logging and Reporting (5.6.1)

IPsec VPN (5.6)

New IPsec VPN features added to FortiOS 5.6.

Improvement to stats crypto command output (403995)

The CLI command get vpn ipsec stats crypto now has a better format for the information it shows in differentiating between NP6 lite and SOC3 (CP). To further avoid confusion, all engine’s encryption (encrypted/decrypted) and integrity (generated/validated) information is shown under the same heading, not separate headings.

Improved certificate key size control commands (397883)

Proxy will choose the same SSL key size as the HTTPS server. If the key size from the server is 512, the proxy will choose 1024. If the key size is bigger than 1024, the proxy will choose 2048.

As a result, the firewall ssl-ssh-profile commands certname-rsa, certname-dsa, and certname-ecdsa have been replaced with more specific key size control commands under vpn certificate setting.

(5.6)

CLI syntax

config vpn certificate setting set certname-rsa1024 <name> set certname-rsa2048 <name> set certname-dsa1024 <name> set certname-dsa2048 <name> set certname-ecdsa256 <name> set certname-ecdsa384 <name>

end

Support bit-based keys in IKE (397712)

As per FIPS-CC required standards, as well as RFC 4306, IKE supports pre-shared secrets to be entered as both ASCII string values and as hexadecimal encoded values. This feature parses hex encoded input (indicated by the leading characters 0x) and converts the input into binary data for storage.

With this change, the psksecret and psksecret-remote entries under the IPsec VPN CLI command config vpn ipsec-phase1-interface have been amended to differentiate user input as either ASCII string or hex encoded values.

IKEv2 asymmetric authentication (393073)

Support added for IKEv2 asymmetric authentication, allowing both sides of an authentication exchange to use different authentication methods, for example the initiator may be using a shared key, while the responder may have a public signature key and certificate.

A new command, authmethod-remote, has been added to config vpn ipsec phase1-interface.

For more detailed information on authentication of the IKE SA, see RFC 5996 – Internet Key Exchange Protocol Version 2 (IKEv2).

Allow mode-cfg with childless IKEv2 (391567)

An issue that prevented childless-ike from being enabled at the same time as mode-cfg has been resolved. Both options can now be enabled at once under config vpn ipsec phase1-interface.

IKEv2 Digital Signature Authentication support (389001)

FortiOS supports the use of Digital Signature authentication, which changes the format of the Authentication Data payload in order to support different signature methods.

Instead of just containing a raw signature value calculated as defined in the original IKE RFCs, the Auth Data now includes an ASN.1 formatted object that provides details on how the signature was calculated, such as the signature type, hash algorithm, and signature padding method.

For more detailed information on IKEv2 Digital Signature authentication, see RFC 7427 – Signature Authentication in the Internet Key Exchange Version 2 (IKEv2).

Passive static IPsec VPN (387913)

New commands have been added to config vpn ipsec phase1-interface to prevent initiating

VPN connection. Static IPsec VPNs can be configured in tunnel mode, without initiating tunnel negotiation or rekey.

To allow a finer configuration of the tunnel, the rekey option is removed from config system global and added to config vpn ipsec phase1-interface.

CLI syntax

config vpn ipsec phase1-interface edit <example> set rekey {enable | disable} set passive-mode {enable | disable} set passive-tunnel-interface {enable | disable}

end

Phase 2 wizard simplified (387725)

Previously, for a site-to-site VPN, phase 2 selectors had their static routes created in the IPsec VPN wizard by adding IP addresses in string format. Now, since addresses and address groups are already created for these addresses, the address group can be used in the route directly. This means that the route can be modified simply by modifying the address/groups that were created when the VPN was initially created.

With this change, the VPN wizard will create less objects internally, and reduce complexity.

In addition, a blackhole route route will be created by default with a higher distance-weight set than the default route. This is to prevent traffic from flowing out of another route if the VPN interface goes down. In these instances, the traffic will instead be silently discarded.

Unique IKE ID enforcement (383296)

All IPsec VPN peers now connect with unique IKE identifiers. To implement this, a new phase1 CLI command has been added (enforce-unique-id) which, when enabled, requires all IPsec VPN clients to use a unique identifier when connecting.

CLI syntax

config vpn ipsec phase1 edit <name> set enforce-unique-id {keep-new | keep-old | disable} Default is disable. next

end

Use keep-new to replace the old connection if an ID collision is detected on the gateway. Use keep-old to reject the new connection if an ID collision is detected.

FortiView VPN tunnel map feature (382767)

A geospatial map has been added to FortiView to help visualize IPsec and SSL VPN connections to a FortiGate using Google Maps. Adds geographical-IP API service for resolving spatial locations from IP addresses.

(5.6)

This feature can be found under FortiView > VPN.

Childless IKEv2 initiation (381650)

As documented in RFC 6023, when both sides support the feature, no child IPsec SA is brought up during the initial AUTH of the IKEv2 negotiation. Support for this mode is not actually negotiated, but the responder indicates support for it by including a CHILDLESS_IKEV2_SUPPORTED Notify in the initial SA_INIT reply. The initiator is then free to send its AUTH without any SA or TS payloads if it also supports this extension.

CLI syntax

config vpn ipsec phase1-interface edit ike set ike-version 2 set childless-ike enable

next end

Due to the way configuration payloads (IKEV2_PAYLOAD_CONFIG) are handled in the current code base, mode-cfg and childless-ike aren’t allowed to be enabled at the same time. Processing config payloads for mode-cfg requires a child ph2handle to be created, but with childless-ike we completely avoid creating the child ph2 in the first place which makes the two features incompatible. It may be possible to support both in the future, but a deeper rework of the config payload handling is required.

Allow peertype dialup for IKEv2 pre-shared key dynamic phase1 (378714)

Restored peertype dialup that was removed in a previous build (when IKEv2 PSK gateway re-validation was not yet supported).

If peertype is dialup, IKEv2 AUTH verify uses user password in the user group “usrgrp” of phase1. The “psksecret” in phase1 is ignored.

CLI syntax

config vpn ipsec phase1-interface edit “name” set type dynamic set interface “wan1” set ike-version 2 set peertype dialup set usrgrp “local-group”

next

end

IPsec default phase1/phase1-interface peertype changed from ‘any’ to ‘peer’ (376340)

Previously, when authmethod was changed to signature, peertype automatically changed to peer and required a peer to be set. This change was done to try to provide a more secure initial configuration, while allowing the admin to set peertype back to any if that’s what they really wanted. The default value was kept at any in the CLI. However, this caused problems with copy/pasting configurations and with FMG because if peertype any wasn’t explicitly provided, the CLI was switched to peertype peer.

This patch changes the default peertype to peer now; peertype any is considered non-default and will be printed out on any config listing. Upgrade code has been written to ensure that any older build that was implicitly using set peertype any has this setting preserved.

IPsec GUI bug fixes (374326)

Accept type “Any peer ID” is available when creating IPsec tunnel with authmethod, pre-shared key, ikev1 main mode/aggressive mode, and ikev2.

Support for IKEv2 Message Fragmentation (371241)

Added support for IKEv2 Message Fragmentation, as described in RFC 7383.

Previously, when sending and IKE packets with IKEv1, the whole packet is sent once, and it is only fragmented if there is a retransmission. With IKEv2, because RFC 7383 requires each fragment to be individually encrypted and authenticated, we would have to keep a copy of the unencrypted payloads around for each outgoing packet, in case the original single packet was never answered and we wanted to retry with fragments. So with this implementation, if the IKE payloads are greater than a configured threshold, the IKE packets are preemptively fragmented and encrypted.

CLI syntax

config vpn ipsec phase1-interface edit ike set ike-version 2 set fragmentation [enable|disable] set fragmentation-mtu [500-16000]

next

end

IPsec monitoring pages now based on phase 1 proposals not phase 2 (304246)

The IPsec monitor, found under Monitor > IPsec Monitor, was in some instances showing random uptimes even if the tunnel was in fact down.

Tunnels are considered as “up” if at least one phase 2 selector is active. To avoid confusion, when a tunnel is down, IPsec Monitor will keep the Phase 2 Selectors column, but hide it by default and be replaced with Phase 1 status column.

IPv6 (5.6)

IPsec VPN (5.6.1)

New IPsec VPN features added to FortiOS 5.6.1.

Support for Brainpool curves specified in RFC 6954 for IKE (412795)

Added support for Brainpool curves specified in RFC 6954 (originally RFC 5639) for IKE. Four new values are added for VPN phase1 and phase2 DH groups. The allocated transform IDs are 27, 28, 29, 30:

l 27 – Brainpool 224-Bit Curve l 28 – Brainpool 256-Bit Curve l 29 – Brainpool 384-Bit Curve l 30 – Brainpool 512-Bit Curve

Syntax

config vpn ipsec phase1/phase1-interface edit <name>

set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30} next

end

config vpn ipsec phase2/phase2-interface edit <name>

set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 27 | 28 | 29 | 30} next

end

Removed “exchange-interface-ip” option from “vpn ipsec phase1” (411981)

The command exchange-interface-ip only works for interface-based IPsec VPN (vpn ipsec phase1interface), and so it has been removed from policy-based IPsec VPN (vpn ipsec phase1).

IKEv2 ancillary RADIUS group authentication (406497)

This feature provides for the IDi information to be extracted from the IKEv2 AUTH exchange and sent to a RADIUS server, along with a fixed password configurable via CLI, to perform an additional group authentication step prior to tunnel establishment. The RADIUS server may return framed-IP-address, framed-ip-netmask, and dns-server attributes, which are then applied to the tunnel.

It should be noted, unlike Xauth or EAP, this feature does not perform individual user authentication, but rather treats all users on the gateway as a single group, and authenticates that group with RADIUS using a fixed password. This feature also works with RADIUS accounting, including the phase1 acct-verify option.

Syntax

config vpn ipsec phase1-interface edit <name> set mode-cfg enable

IPsec VPN (5.6.1)

set type dynamic set ike-version 2 set group-authentication {enable | disable} set group-authentication-secret <password>

next

end

IPsec mode-cfg can assign IPs from firewall address and sharing IP pools (393331)

This feature adds the ability for users to configure assign-IPs from firewall addresses/groups.

Previously, different policies accessing the same network needed to ensure that non-overlapping IP-ranges were assigned to policies to avoid the same IP address being assigned to multiple clients. With this feature, the address name is used to identify an IP pool and different policies can refer to the same IP pool to check for available IPs, thus simplifying the task of avoiding IP conflicts.

Syntax

config vpn ipsec phase1-interface edit <name> set mode-cfg enable set type dynamic

set assign-ip-from {range | dhcp | name} set ipv4-name <name> set ipv6-name <name>

next

end

Improve interface-based dynamic IPsec up/down time (379937)

This feature makes it possible to use a single interface for all instances that spawn via a given phase1. Instead of creating an interface per instance, all traffic will run over the single interface and any routes that need creating will be created on that single interface.

A new CLI option net-device is added in the phase1-interface command sets. The default is disable so that the new feature kicks in for all the new configurations. An upgrade feature will add a set net-device enable for all the existing configurations so that they will keep the old behavior.

Under the new single-interface scheme, instead of relying on routing to guide traffic to the specific instance, all traffic will flow to the specific device and IPsec will need to take care of locating the correct instance for outbound traffic. For this purpose, another new CLI option tunnel-search is created. The option is only available when the above net-device option is set to disable.

There are two options for tunnel-search, corrensponding to the two ways to select the tunnel for outbound traffic. One is selectors, meaning selecting a peer using the IPsec selectors (proxy-ids). The other is nexthop where all the peers use the same default selectors (0/0) while using some routing protocols such as BGP, OSPF, RIPng, etc. to resolve the routing. The default for tunnel-search is selectors.

Syntax

config vpn ipsec phase1-interface edit <name> set net-device {enable | disable} set tunnel-search {selectors | nexthop} next

(5.6.1)

end

Hide psksecret option when peertype is dialup (415480)

In aggressive mode and IKEv2, when peertype is dialup, pre-shared key is per-user based. There is no need to configure the psksecret in the phase1 setup. Previously, if left unconfigured, CLI would output psksecret error and fail to create the phase1 profile.

To prevent psksecret length check running on the configuration end, the psksecret option will be hidden. Prior to Mantis 397712, the length check passed because it was incorrectly checking the legnth of encrypted password which is always 204 length long.

Peertype dialup option removed for main mode.

New enforce-ipsec option added to L2TP config (423988)

A new enforce-ipsec option is added in L2TP configuration to force the FortiGate L2TP server to accept only IPsec encrypted connections.

Syntax

config vpn l2tp set eip 50.0.0.100 set sip 50.0.0.1 set status enable

set enforce-ipsec-interface {disable | enable}    (default = disable) set usrgrp <group_name>

end

IPsec VPN Wizard improvements (368069)

Previously, when using wan-load-balance (WLB) feature, and when configuring an IPsec tunnel with the wizard, the setting ‘incoming interface’ list does not contain the wan-load-balance nor the wan2 interface. Disabling the WLB permits the configuration. The solution in 5.6.1 is as follows:

l (368069) The IPsec VPN wizard now allows users to select members of virtual-wan-link (VWL) as IPsec phase1interface. Before saving, if the phase1 interface is a VWL member, then the Wizard automatically sets the virtualwan-link as the destination interface in the L2TP policy. l (246552) List VPN tunnels for VWL members if VWL is set as the destination interface in policy-based IPsec VPN.

IPsec manual key support removed from GUI (436041)

The majority of customers are not using policy-based IPsec today, and beyond that, very few are using manual key VPN. As a result, the IPsec manual key feature is removed from the GUI; the feature store option is removed as well.

Added GUI support for local-gw when configuring custom IPsec tunnels (423786)

Previously, the local-gw option was not available on the GUI when configuring a custom IPsec tunnel. This feature adds the local-gw setting to the IPsec VPN Edit dialog. The user is able to choose the primary or

secondary IP address from the currently selected interface, or specify an ip address manually. Both local-gw and local-gw6 are supported.

Moved the dn-format CLI option from phase1 config to vdom settings (435542)

Previous fix for dn-format didn’t take into account that, at the time isakmp_set_peer_identifier is used, we don’t have a connection and haven’t matched our gateway yet, so we can’t use that to determine the dn-format configuration setting.

The solution was to move the dn-format CLI option from phase1 config to vdom settings. It is renamed to ike-dn-format.

FGT IKE incorrect NAT detection causes ADVPN hub behind VIP to not generate shorcuts (416786)

When ADVPN NAT support was added, only spokes behind NAT was considered. No thought was given to a hub behind a VIP or the problems that occurred due to the way that FortiOS clients behind NAT enable NAT-T even when it is not required.

The solution in 5.6.1 is as follows:

• Moved shortcut determination out of the kernel and up to IKE. The shortcut message now contains the ID of both tunnels so that IKE can check the NAT condition of both.
• Added IKE debug to cover sending the initial shortcut query. The lack of this previously meant it could be awkard to determine if the offer had been converted into a query correctly.
• Added “nat:” output in diag vpn ike gateway list output to indicate whether this device or the peer is behind NAT.
• Tweaked the diag vpn tunnel list output so that the auto-discovery information now includes symbolic as well as numeric values, which makes it easier to see what type of auto-discovery was enabled.

High Availability (5.6)

New High Availability features added to FortiOS 5.6.

Multicast session failover (293751)

FGCP HA multicast session synchronization supports multicast session failover. To configure multicast session failover, use the following command to change the multicast TTL timer to a smaller value than the default. The recommended setting to support multicast session failover is 120 seconds (2 minutes). The default setting is 600 seconds (10 minutes).

config system ha set multicast-ttl 120

end

The multicast TTL timer controls how long to keep synchronized multicast routes on the backup unit (so they are present on the backup unit when it becomes the new primary unit after a failover). If you set the multicast TTL lower the multicast routes on the backup unit are refreshed more often so are more likely to be accurate. Reducing this time causes route synchronization to happen more often and could affect performance.

Performance improvement when shutting down or rebooting the primary unit (380279)

In previous versions of FortiOS, if you entered the execute reboot or execute shutdown command on the primary unit, a split brain configuration could develop for a few seconds while the primary unit was shutting down. This would happen because the heartbeat packets would stop being sent by the primary unit, while it was still able to forward traffic. When the heartbeat packets stop the backup unit becomes the primary unit. The result was a split brain configuration with two primary units both capable of forwarding traffic.

High Availability (5.6)

This wouldn’t happen all the time, but when it did network traffic would be delayed until the primary unit shut down completely. To resolve this issue, in FortiOS 5.6 when you run the execute reboot or execute shutdown command on the primary unit, the primary unit first becomes the backup unit before shutting down

allowing the backup unit to become the new primary unit and avoiding the split brain scenario. This behavior only happens when you manually run the execute reboot or execute shutdown command from the primary unit.

VRRP failover process change (390938)

In a FortiOS 5.6 VRRP configuration, when the master cannot reach its next hop router (vrdst) it sends packets to the configured backup router(s). These packets set the priority of the master to be lower than the backup router (s). So a backup router now becomes the new master and takes over processing traffic.

Use the vrdst-priority option to set the lower priority that the master sends to the backup routers. The following CLI syntax resets the master’s priority to 10 if it can no longer connect to its next hop router.

config system interface edit port10 config vrrp set vrip 10.31.101.200 set priority 255 set vrdst 10.10.10.1 set vrdst-priority 10

end

Display cluster up time and history (get system ha status command changes)(394745)

The get system HA status command now displays cluster uptime and history: get system status

Version: FortiGate-5001D v5.6.0,build1413,170121 (interim) …

Current HA mode: a-p, master

Cluster uptime: 3 days, 4 hours, 3 minutes, 46 seconds …

In-band HA management Interface (401378)

You can use the following command to add a management interface to an individual cluster unit interface that is also connected to a network and processing traffic. The in-band management interface is an alternative to the reserved HA management interface feature and does not require reserving an interface just for management access.

config system interface edit port1 set management-ip 172.20.121.155/24

end

The management IP address is accessible from the network that the cluster interface is connected to. This setting is not synchronized so each cluster unit can have their own management IP addresses. You can add a management IP address to each cluster unit interface. You can use the execute ha manage command to connect to individual cluster units.

The management-ip can be on the same subnet as the interface you are adding it to but cannot be on the same subnet as other cluster unit interfaces.

High Availability (5.6)

Up to four dedicated HA management interfaces supported (378127)

You can now add up to four dedicated HA management interfaces. Just like all FortiGate interfaces, these management interfaces must be on a different subnet from any other FortiGate interface. You can also configure a separate default gateway for each interface.

Use the following command to add two dedicated HA management interfaces:

config system ha set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 set interface port4 set gateway 10.10.10.1

next edit 2 set interface port5 set gateway 4.5.6.7 end

FGSP support for automatic session sync after peer reboot (365851)

New options allow you to configure your FGSP cluster to resume sessions more smoothly after a failed FortiGate rejoins the cluster. In some cases when a failed FortiGate in the cluster comes back up it may begin processing sessions before the session table has been synchronized to it from the other FortiGate in the cluster. When this happens, the FortiGate may drop packets until the session synchronization is complete.

Shutting down interfaces during session synchronization

This new feature allows you to shut some interfaces down on the failed FortiGate when it is starting up so that it will not accept packets until session synchronization is complete. Then the interfaces are brought up and traffic can flow. While the interfaces are down, the FortiGate that had not failed keeps processing traffic.

Use the following command to select the interfaces to shutdown while waiting for session synchronization to complete:

config system cluster-sync edit 1 set down-intfs-before-sess-sync port1 port2

end

Heartbeat monitoring

If the FortiGate that was running fails before session synchronization is complete, the FortiGate that is restarting would not be able to complete session synchronization and would not turn on its shutdown interfaces. To prevent this from happening FGSP now includes heartbeat monitoring. Using heartbeat monitoring the FortiGate that is waiting for session synchronization to finish can detect that the other FortiGate is down and turn on its interfaces even if session synchronization is not complete. You can use the following command to change the heartbeat interval (hb-interval) and lost heartbeat threshold (hp-lost-threshold) to change heartbeat monitoring timing.

config system cluster-sync edit 1 set hb-interval 2 set hb-lost-threshold 3

High Availability (5.6)

end

Change in cluster behavior when the primary unit is restarted (380279)

When testing HA failover or restarting the primary unit for other reasons, manually rebooting or shutting down the primary unit running previous versions of FortiOS can sometimes cause a failover delay. This happens because the backup unit may become the primary unit before the primary unit is fully shut down causing a temporary split brain scenario.

To resolve this issue, when you manually restart or shut down the primary unit running FortiOS 5.6.0 before the primary unit actually shuts down it becomes the backup unit and the previous backup unit becomes the primary unit. Traffic is then failed over to the new primary unit before the former primary unit shuts down or reboots.

(5.6.1)

High Availability (5.6.1)

New High Availability features added to FortiOS 5.6.1.

HA cluster Uptime on HA Status dashboard widget (412089)

The HA Cluster dashboard widget now displays how long the cluster has been operating (Uptime) and the time since the last failover occurred (State Changed). You can hover over the State Changed time to see the event that caused the state change.

You can also click on the HA Status dashboard widget to configure HA settings or to get a listing of the most recent HA events recorded by the cluster.

FGSP with static (non-dialup) IPsec VPN tunnels and controlling IKE routing advertisement (402295)

Until FortiOS 5.6.1, the FortiGate Session Life Support Protocol (FGSP) only supported IPsec tunnel synchronization for dialup (or dynamic) IPsec VPN tunnels. FortiOS 5.6.1 now also supports IPsec tunnel synchronization for static IPsec VPN tunnels. No special FGSP or IPsec VPN configuration is required. You can configure static IPsec VPN tunnels normally and create a normal FGSP configuration.

An additional feature has been added to support some FGSP configurations that include IPsec VPNs. A new CLI option allows you to control whether IKE routes are added to the FGSP backup unit.

config system cluster-sync edit 0 set slave-add-ike-routes {enable | disable}

end

Enable to add IKE routes to the backup unit, disable if the IKE routes should not be added to the backup unit.

High Availability (5.6)

VRRP support for synchronizing firewall VIPs and IP Pools (0397824)

FortiOS VRRP HA now supports failover of firewall VIPs and IP Pools when the status of a virtual router (VR) changes. This feature introduces a new proxy ARP setting to map VIP and IP Pool address ranges to each VR’s Virtual MAC (VMAC). After failover, the IP Ranges added to the new primary VR will be routed to the new primary VR`s VMAC.

Use the following command to add a proxy ARP address range and a single IP address to a VR added to a FortiGate`s port5 interface. The address range and single IP address should match the address range or single IP for VIPs or IP Pools added to the port5 interface:

config system interface edit port5 config vrrp edit 1 config proxy-arp edit 1 set ip 192.168.62.100-192.168.62.200

next edit 2 set ip 192.168.62.225 end

Hardware acceleration (5.6)

New hardware acceleration features added to FortiOS 5.6.1.

IPsec session ESP padding and NP6 acceleration (416950)

In some situations when ESP packets in IPsec sessions have large amounts of layer 2 padding the NP6 IPsec engine may not be able to process them and the session may be blocked.

The following CLI option has been added to cause the NP6 processor to strip the ESP padding before send the packets to the IPsec engine. With padding stripped, the session can be processed normally by the IPsec engine.

Use the following command to strip ESP padding:

config system npu set strip-esp-padding enable

end

This stripping ESP padding is disabled by default. If you notice that offloaded IPsec sessions are failing you can enable this option and see if the problem is resolved.

Hardware acceleration (5.6)

New hardware acceleration features added to FortiOS 5.6.

Improved visibility of SPU and nTurbo hardware acceleration (389711)

All hardware acceleration hardware has been renamed Security Professing Units (SPUs). This includes NPx and CPx processors.

SPU and nTurbo data is now visible in a number of places on the GUI. For example, the Active Sessions column pop-up in the firewall policy list and the Sessions dashboard widget:

Hardware acceleration (5.6)

You can also add SPU filters to many FortiView pages.

NP4Lite option to disable offloading ICMP traffic in IPsec tunnels (383939)

In some cases ICMP traffic in IPsec VPN tunnels may be dropped by the NP4Lite processor due to a bug with the NP4Lite firmware. You can use the following command to avoid this problem by preventing the NP4Lite processor from offloading ICMP sessions in IPsec VPN tunnels. This command is only available on FortiGate models with NP4Lite processors, such as the FortiGate/FortiWiFi-60D.

config system npu set process-icmp-by-host {disable | enable}

end

The option is disabled by default an all ICMP traffic in IPsec VPN tunnels is offloaded where possible. If you are noticing that ICMP packets in IPsec VPN tunnels are being dropped you can disable this option and have all ICMP traffic processed by the CPU and not offloaded to the NP4Lite.

NP6 IPv4 invalid checksum anomaly checking (387675)

The following new options have been added to NP6 processors to check for IPv4 checksum errors in IPv4, TCP, UDP, and ICMP packets:

config system np6 edit {np6_0 | np6_1| …} config fp-anomaly-v4 set ipv4-csum-err {drop | trap-to-host} set tcp-csum-err {drop | trap-to-host} set udp-csum-err {drop | trap-to-host} set icmp-csum-err {drop | trap-to-host}

end

You can use the new options to either drop packets with checksum errors (the default) or send them to the CPU for processing. Normally you would want to drop these packets.

High Availability (5.6.1)

Non-vdom VM models FGVM1V/FGVM2V/FGVM4V (405549)

New models of the FortiGate-VM have been introduced. These match up with the existing FortiGate-VM models of FG-VM01, FG-VM02 and FG-VM04. The difference being that the new models don’t support VDOMs.

FortiGate VM (5.6)

FG-VM01v

FG-VM04                                                                      FG-VM04v

Hardware acceleration

NSX security group importing (403975)

A feature has been added to allow the importation of security group information from VMware’s NSX firewall.

CLI Changes: nsx group list

This is used to list NSX security Groups

Syntax:

execute nsx group list <name of the filter>

nsx group import

This is used to import NSX security groups.

Syntax:

execute nsx group import <vdom> <name of the filter>

nsx group delete

This is used to delete NSX security Groups

Syntax:

execute nsx group delete <vdom> <name of the filter>

nsx.setting.update-period

This is used to set the update period for the NSX security group

Syntax:

config.nsx.setting.update-period <0 – 3600 in seconds>

0 means disabled

Default value: 0