System Advancements

System

New role property on interfaces (294385)

Interfaces now have a property called ‘role’ which affects visibility and suggests different default options depending on its value.

  • WAN – this interface is used to connect to the internet.
  • LAN – this interface is used to connect to a local network of endpoints.
  • DMZ – this interface is used to connect to servers.
  • Undefined – this interface has a custom role which isn’t one of the above.

Interface roles affect visibility of properties and features (295736)

Depending on an interface's role, some properties may be set to a default value and others may be shown or hidden in the GUI.

Toggle automatic authorization of extension devices (294966)

When an interface is configured to be dedicated to an extension device, a new option appears to auto-authorize extension devices.

Support for new modem added (293598)

Support for the Linktop LW273 modem has been added.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SSL VPN

Significant SSL VPN web portal improvements (287328, 292726, 299319)

Significant updates and improvements have been made to the SSL VPN web portal in preparation for future browser updates, and in order to support all browsers:

  • SSL VPN web portal redesigned.
  • The SSL VPN tunnel mode widget no longer works in the web portal. The tunnel mode widget used a deprecated NPAPI plugin mechanism to send the tunnel client to the browser for local system execution, which is a popular exploitation vector. FortiClient is now required for tunnel mode SSL VPN.
  • SSL VPN Web mode RDP Native java applet removed.
  • Removed unnecessary options from RDP bookmark and changed to HTML5 RDP.
  • Cache cleaning function has been removed.

Implement post-authentication CSRF protection in SSL VPN web mode (287180)

This setting enables or disables verification of the Referer field in the HTTP request header in order to prevent Cross-Site Request Forgery (CSRF) attacks against an authenticated web-mode session.

Syntax:

config vpn ssl settings
    set check-referer [enable|disable]
end
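To make the effect of the check concrete, the following is an added example (not FortiOS code, and not from this page's author) of a post-authentication Referer check as a CSRF mitigation. The portal hostnames, the request samples and the attacker hostname are constructed; the point it shows is which requests pass and which are rejected, and the client-side trade-off that makes the setting a toggle.

```python
from urllib.parse import urlsplit

# Added example, not FortiOS code: a Referer-based CSRF check of the kind the
# check-referer setting enables. The portal hostnames below are assumptions.
PORTAL_HOSTS = {"vpn.example.com", "vpn.example.com:10443"}

# Only state-changing methods are checked; GET/HEAD on the portal are read-only.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_allowed(method, headers, check_referer=True):
    """Decide whether an authenticated portal request may proceed.

    check_referer=False reproduces 'set check-referer disable': every request passes.
    With the check enabled, a state-changing request must carry an https Referer
    whose host is the portal itself. A missing or foreign Referer is rejected,
    which is exactly what a cross-site form post from a third-party page looks like.
    """
    if not check_referer or method.upper() not in STATE_CHANGING:
        return True
    referer = _header(headers, "Referer")
    if not referer:
        # Some privacy tools strip Referer entirely; with the check enabled those
        # clients lose write access, which is the trade-off behind the toggle.
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc.lower() in PORTAL_HOSTS


def evaluate_samples():
    """Run a few constructed requests through the check and return the verdicts."""
    same_site = {"Referer": "https://vpn.example.com/sslvpn/portal.html"}
    cross_site = {"referer": "https://attacker.example/csrf.html"}  # constructed
    return {
        "same-site POST": referer_allowed("POST", same_site),
        "cross-site POST": referer_allowed("POST", cross_site),
        "POST without Referer": referer_allowed("POST", {}),
        "GET without Referer": referer_allowed("GET", {}),
        "cross-site POST, check disabled": referer_allowed("POST", cross_site, check_referer=False),
    }


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:35s} -> {'allow' if verdict else 'reject'}")
```

The "POST without Referer" case is the one to watch in production: a browser extension or proxy that strips Referer will have its form submissions rejected once the check is enabled, so a sudden rise in rejected portal requests after turning it on is more likely a client-side header policy than an attack.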


Session-aware Load Balancing (SLBC)

GUI support for SSL VPN and WiFi controller in SLBC mode (246481)

SSL VPN and WiFi controller GUI pages now appear on the worker GUI when operating in SLBC mode.

Add an option to force IPsec to use NAT Traversal (275010)

A new value, forced, has been added to the IPsec NAT option. If NAT is set to forced, the worker uses a port value of zero when constructing the NAT discovery hash for the peer. The hash the peer recomputes from the address and port it actually sees then no longer matches, so the peer concludes that the worker is behind a NAT device and uses UDP encapsulation for IPsec even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.
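The following is an added example (not FortiOS code) that models the NAT discovery mechanism the paragraph relies on. It computes the NAT-D payload of RFC 3947 section 3.2, HASH(CKY-I | CKY-R | IP | Port), with SHA-1 assumed as the negotiated hash (IKEv2's NAT_DETECTION payloads, RFC 7296 section 2.23, use the same idea over the SPIs), and shows why hashing port 0 makes the peer decide that NAT is present. Cookies and addresses are constructed values.

```python
import hashlib
import ipaddress
import struct

# Added example, not FortiOS code. NAT-D hash per RFC 3947 section 3.2 with
# SHA-1 assumed as the negotiated hash. Cookies and addresses are constructed.


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: hash over both cookies, the packed IP address and
    the 16-bit port in network byte order (the encoding RFC 3947 specifies)."""
    return hashlib.sha1(
        cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def peer_detects_nat(received: bytes, cky_i: bytes, cky_r: bytes,
                     seen_ip: str, seen_port: int) -> bool:
    """The receiving peer recomputes the hash from the source address and port
    it observed on the wire; any mismatch means 'the sender is behind a NAT'."""
    return received != nat_d_hash(cky_i, cky_r, seen_ip, seen_port)


def simulate(forced: bool, nat_in_path: bool) -> bool:
    """Return True if the peer will select UDP encapsulation (NAT-T).

    forced=True is the page's 'NAT forced' behaviour: the worker hashes port 0
    instead of its real source port. nat_in_path=True models a real NAT that
    rewrites the source address before the packet reaches the peer."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    real_ip, real_port = "198.51.100.10", 500   # worker's own address (constructed)
    sent = nat_d_hash(cky_i, cky_r, real_ip, 0 if forced else real_port)
    seen_ip = "203.0.113.77" if nat_in_path else real_ip  # what the peer sees
    return peer_detects_nat(sent, cky_i, cky_r, seen_ip, real_port)


if __name__ == "__main__":
    for forced in (False, True):
        for nat in (False, True):
            print(f"forced={forced!s:5} nat_in_path={nat!s:5} -> "
                  f"{'UDP encapsulation' if simulate(forced, nat) else 'plain ESP'}")
```

Only the forced=False, nat_in_path=False combination yields plain ESP; every other combination ends in UDP encapsulation, which is why forcing the option is safe against peers that merely implement the RFC: they never see anything other than an ordinary hash mismatch.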


Security Profiles

FortiClient Endpoint Profile improvements and new features (285443 275781 287137)

  • 275781: New options available in FortiClient Profiles.
  • 285446: VPN can be configured on the GUI either on IPsec VPN or SSLVPN and changes can be preserved.
  • 287137: In the Mobile tab, .mobileconfig files can be configured and Client VPN Provisioning can be enabled.

FortiClient Enforcement added to Interfaces (253933)

FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.

To enforce FortiClient endpoint registration – web-based manager:

1. Go to System > Feature Select and enable Endpoint Control.

2. Go to Network > Interfaces and select the internal interface.

3. Under Restrict Access, enable FortiHeartBeat.

4. Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients.

FortiClient exempt list improvements (268357 293191)

  • 268357: Previously, captive portal policy addresses could only be configured in the CLI; they can now also be configured in the GUI.
  • 293191: Exempt List has been replaced by Exempt Sources, and Exempt Destinations/Services has been added (once an interface has been set to captive portal). Previously, a FortiGate interface port could only be set to captive portal through the CLI; this can now also be done in the GUI.


Networking

Internet-Service database (288672 281333 291858)

Go to Policy & Objects > Internet Service Database to view the Internet Service Database. The database contains detailed information about services available on the Internet such as DNS servers provided by Adobe, Google, Fortinet, Apple and so on and a wide range of other services. For each service the database includes the IP addresses of the servers that host the service as well as the port and protocol number used by each IP address.

Interfaces assigned to Virtual Wire Pairs don’t have “roles” (296519)

Assigning an interface to be part of a virtual wire pairing will remove the “role” value from the interface.

FortiHeartBeat replaces FortiClient Access and other FortiClient interface settings (299371)

To configure an interface to listen for connections from devices with FortiClient installed, enable FortiHeartBeat under Administrative Access. FortiHeartBeat was called FCT-Access or FortiClient Access in FortiOS 5.2.

After enabling FortiHeartBeat, under Admission Control you can select Enforce FortiHeartBeat for all FortiClients to require clients to have FortiClient installed to be able to get access through the FortiGate. If you enable this feature you should also go to Security Profiles > FortiClient Profiles and configure FortiClient Profiles. Then you should add the configured FortiClient Profiles to firewall policies with device detection.

Use the following CLI command to enable FortiHeartBeat on an interface and enable enforcing FortiHeartBeat for all FortiClients:

config system interface
    edit port1
        set listen-forticlient-connection enable
        set endpoint-compliance enable
end

After enabling FortiHeartBeat, you can also enable DHCP server and turn on FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (go to Monitor > FortiClient Monitor).

Use the following CLI command to enable FortiClient on-net status for a DHCP server added to the port1 interface:

config system dhcp server
    edit 1
        set interface port1
        set forticlient-on-net-status enable
end

STP (Spanning Tree Protocol) support for models with hardware switches (214901 291953)

STP used to be only available on the old style switch mode for the internal ports. It is now possible to activate STP on the hardware switches found in the newer models. These models use a virtual switch to simulate the old Switch Mode for the Internal ports.

The syntax for enabling STP is as follows:

config system interface
    edit lan
        set stp [enable | disable]
end

Command to determine interface transceiver optical signal strength (205138 282307)

The new get system interface transceiver command can be used to determine optical signal strength when using SFP/SFP+ modules. The command can be used for troubleshooting fiber optic connections to service providers. This command is hardware dependent and is currently supported by FortiGate models that include SFP/SFP+ interfaces, including the FortiGate-100D/200D-POE/400D/500D/900D/1000D/1200D/1500D/3700D/3700DX models.


Managing a FortiSwitch with FortiGate

Unless otherwise stated, these features require FortiSwitchOS 3.3.0 or later release on the FortiSwitch. The following FortiGate models can be used to manage FortiSwitches:

FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE, FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE, FGT-100D, FGT-140D, FGT-140D_POE, FGT-140D_POE_T1, FGT-200D, FGT-240D, FGT-280D, FGT-280D_POE, FGT-600C, FGT-800C, FGT-1000C, FGT-1200D, FGT-1500D, FGT-3700D

New FortiLink topology diagram (289005 271675 277441)

For managed FortiSwitches (WIFI & Switch Controller > Managed FortiSwitch), the system now displays the overall topology of the managed FortiSwitches that are connected to this FortiGate.

The topology lists the FortiLink ports on the FortiGate, and displays a full faceplate for each connected FortiSwitch (also showing the FortiLink ports on each FortiSwitch). You can right-click to authorize a managed FortiSwitch or left-click to edit the managed FortiSwitch information.

The topology can display multiple FortiLinks to each FortiSwitch, as FortiOS 5.4 supports FortiLink as a LAG.

New interface option to auto-authorize extension devices (294966)

If you enable the auto-authorize option on a FortiGate FortiLink port, the FortiGate will automatically authorize the managed FortiSwitch connected to this FortiLink. The new option is only visible when the interface type is set to Dedicate to Extension Device.

New CLI setting to enable pre-standard PoE detection on managed FortiSwitch ports (293512)

This feature is available in FortiSwitchOS 3.3.2 and later releases.

Use the following commands to enable this setting on a managed FortiSwitch port:

config switch-controller managed-switch
    edit $FSW
        config ports
            edit "port1"
                set poe-pre-standard-detection {enable | disable}
            next
        end
end

The default is disable.

Reset any PoE port (by toggling the power off and then on):

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status:

get switch-controller <fortiswitch-id> <port>


Logging and Reporting


New Features

A new error log message is recorded when the Antispam engine request does not get a response from FortiGuard (265255)

The error code is ‘sp_ftgd_error’.

New Report database construction (280398 267019)

This will improve performance with reports and FortiView without requiring any configuration changes.

Communication between FortiGate and FortiAnalyzer supports IPv6 addresses (245620)

When configuring your FortiGate to send logs to a FortiAnalyzer you can specify an IPv4 or an IPv6 address.

Context menu on Log & Report > Forward Traffic has been updated (293188)

The context menu now includes Policy Table and Device Quarantine controls.

Filtering allows control of the log messages sent to each log device (262061)

Filtering applies to the disk log, memory log, FortiAnalyzer and syslog servers, and allows inclusion or exclusion of messages based on type, severity, and log ID.

Use the following CLI command:

config log <device> filter
    set filter <new-filter-settings>
    set filter-type <include | exclude>
end
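To show what an include or exclude filter on type, severity and log ID actually does to a log stream, the following is an added example (not FortiOS code, and not this page's own) that runs such a filter over a few constructed FortiOS-style key=value log lines. The log IDs, addresses and user names in the samples are made up, and the filter specification is a small dict standing in for the device's own filter syntax, which the page does not detail.

```python
import re

# Added example, not FortiOS code: a per-device log filter of the kind
# 'config log <device> filter' configures, run over constructed log lines.

# FortiOS severity names, most severe first.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notice", "information", "debug"]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> dict:
    """Split a key=value log line into a dict; quoted and bare values both handled."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def matches(rec: dict, spec: dict) -> bool:
    """True if the record satisfies every criterion in spec.

    spec keys (all optional): 'type' (set of log types), 'severity' (least
    severe level that still matches, e.g. 'warning' matches warning..emergency),
    'logid' (set of log IDs)."""
    if "type" in spec and rec.get("type") not in spec["type"]:
        return False
    if "severity" in spec:
        level = rec.get("level")
        if level not in SEVERITY or SEVERITY.index(level) > SEVERITY.index(spec["severity"]):
            return False
    if "logid" in spec and rec.get("logid") not in spec["logid"]:
        return False
    return True


def forward(lines, spec: dict, filter_type: str = "include"):
    """Return the parsed records a log device would receive.

    filter_type 'include' keeps only matching records; 'exclude' drops them."""
    if filter_type not in ("include", "exclude"):
        raise ValueError("filter_type must be include or exclude")
    keep_matching = filter_type == "include"
    return [rec for rec in map(parse_log, lines) if matches(rec, spec) == keep_matching]


# Constructed sample lines in FortiOS key=value style (IDs and addresses made up).
SAMPLE_LOGS = [
    'date=2016-01-05 time=09:15:01 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 dstip=198.51.100.7 dstport=443 action="accept"',
    'date=2016-01-05 time=09:15:02 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" srcip=10.0.0.9',
    'date=2016-01-05 time=09:15:03 logid="0100032002" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.44',
    'date=2016-01-05 time=09:15:04 logid="0419016384" type="utm" subtype="ips" '
    'level="warning" action="dropped" srcip=203.0.113.44 dstip=10.0.0.5',
]


if __name__ == "__main__":
    # Syslog: only event and utm records of warning severity or worse.
    for rec in forward(SAMPLE_LOGS, {"type": {"event", "utm"}, "severity": "warning"}):
        print("syslog  <-", rec["logid"], rec["type"], rec["level"])
    # Disk: everything except the high-volume forward-traffic log ID.
    for rec in forward(SAMPLE_LOGS, {"logid": {"0000000013"}}, "exclude"):
        print("disk    <-", rec["logid"], rec["type"], rec["level"])
```

An exclude filter on a single busy log ID is the usual way to keep forward-traffic volume off a remote syslog server while still shipping every admin-login and IPS event, which is what the two calls at the bottom demonstrate.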


Load Balancing

ChaCha20 and Poly1305 cipher suites added for SSL load balancing (264785)

FortiOS 5.4 adds support for ChaCha20 and Poly1305 for SSL load balancing (see RFC 7539 for information about ChaCha20 and Poly1305). You can use the following command to view the complete list of supported cipher suites:

config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 0
                set cipher ?

In most configurations the matching cipher suite is automatically selected.

All of these cipher suites are available to all of FortiOS’s implementations of SSL but the complete list of supported cipher suites is only viewable using the above command.

You can also use the above command to limit the set of cipher suites that are available for a given SSL offloading configuration. For example, use the following command to limit an SSL load balancing configuration to use the three cipher suites that support ChaCha20 and Poly1305:

config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 2
                set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
        end
end
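Before narrowing a VIP to a custom cipher list it helps to see what each suite name encodes. The following is an added example (not FortiOS code) that decomposes suite names in the dashed form FortiOS displays, TLS-<key exchange>-<authentication>-WITH-<cipher>-<hash>, and selects the suites with a given property. The candidate list is a constructed subset, not the real output of "set cipher ?"; the three ChaCha20-Poly1305 names are the ones from the page.

```python
# Added example, not FortiOS code: parse FortiOS-style cipher suite names and
# pick the suites that satisfy a given set of properties.

AEAD_MARKERS = ("POLY1305", "GCM", "CCM")   # AEAD bulk ciphers carry their own MAC
FORWARD_SECRET_KX = {"ECDHE", "DHE"}        # ephemeral key exchange => forward secrecy


def parse_suite(name: str) -> dict:
    """Split 'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256' into its parts."""
    if not name.startswith("TLS-") or "-WITH-" not in name:
        raise ValueError(f"not a TLS cipher suite name: {name}")
    left, right = name[len("TLS-"):].split("-WITH-", 1)
    kx_parts = left.split("-")
    # 'TLS-RSA-WITH-...' is plain RSA key transport: key exchange and auth coincide.
    kx, auth = kx_parts[0], kx_parts[-1]
    cipher, _, prf = right.rpartition("-")  # last token is the hash/PRF
    return {
        "name": name,
        "kx": kx,
        "auth": auth,
        "cipher": cipher,
        "hash": prf,
        "aead": any(marker in cipher for marker in AEAD_MARKERS),
        "forward_secret": kx in FORWARD_SECRET_KX,
    }


def select_suites(candidates, cipher=None, require_forward_secrecy=True, require_aead=True):
    """Return the candidates meeting the requested properties, preserving order."""
    chosen = []
    for name in candidates:
        suite = parse_suite(name)
        if cipher and suite["cipher"] != cipher:
            continue
        if require_forward_secrecy and not suite["forward_secret"]:
            continue
        if require_aead and not suite["aead"]:
            continue
        chosen.append(name)
    return chosen


def render_cli(vip_name: str, suites) -> str:
    """Render the ssl-cipher-suites entries for a server-load-balance VIP."""
    lines = ["config firewall vip", f"    edit {vip_name}",
             "        set type server-load-balance", "        set server-type https",
             "        set ssl-algorithm custom", "        config ssl-cipher-suites"]
    for index, name in enumerate(suites, start=1):
        lines += [f"            edit {index}", f"                set cipher {name}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Constructed candidate list (a subset of standard suite names, not the real
# output of 'set cipher ?').
CANDIDATES = [
    "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
    "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
    "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-RSA-WITH-AES-128-CBC-SHA",
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
]


if __name__ == "__main__":
    chacha_only = select_suites(CANDIDATES, cipher="CHACHA20-POLY1305")
    print(render_cli("web-vip", chacha_only))  # 'web-vip' is a placeholder VIP name
```

With the default arguments select_suites also drops the CBC suites: TLS-RSA-WITH-AES-128-CBC-SHA fails both the forward-secrecy and AEAD requirements, and the DHE CBC suite fails the AEAD one, which is a quick sanity check to run on any custom list before applying it.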
