What's new in FortiOS 5.4

Toggle Disk Usage for logging or wan-opt (290892)

Both logging and WAN Optimization use hard disk space to save data. For FortiOS 5.4 you cannot use the same hard disk for WAN Optimization and logging.

  • If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
  • If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.
Note: WAN Optimization is not supported while the FortiGate is in Flow-based inspection.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

You can also change disk usage from the CLI using the following command:

config system global

set disk-usage {log | wanopt}

end


Note: The Toggle Disk Usage feature is supported on all new "E" Series models, while support for "D" Series models may vary. Please refer to the Feature Platform Matrix for more information.

Caution: Changing the disk setting formats the disk, erases current data stored on the disk and disables either disk logging or WAN Optimization.

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must go to System > Feature Select and turn on WAN Optimization.

Note: Remote logging (including logging to FortiAnalyzer and remote Syslog servers) is not affected by using the single local hard disk for WAN Optimization.

Enabling WAN Optimization affects more than just disk logging

In addition to affecting WAN Optimization, the following table shows other features affected by the FortiGate disk configuration.

Features affected by Disk Usage as per the number of internal hard disks on the FortiGate

| Feature | Logging Only (1 hard disk) | WAN Opt. Only (1 hard disk) | Logging & WAN Opt. (2 hard disks) |
|---|---|---|---|
| Logging | Supported | Not supported | Supported |
| Report/Historical FortiView | Supported | Not supported | Supported |
| Firewall Packet Capture (Policy Capture and Interface Capture) | Supported | Not supported | Supported |
| AV Quarantine | Supported | Not supported | Supported |
| IPS Packet Capture | Supported | Not supported | Supported |
| DLP Archive | Supported | Not supported | Supported |

Sandbox DB & Results: FortiSandbox database and results are also stored on disk, but will not be affected by this feature.

MAPI AV scanning is supported over WAN Optimization (267975)

AV works on MAPI when WAN Optimization is used.

New explicit proxy features

The following section describes new explicit web proxy features added to FortiOS 5.4.0 and FortiOS 5.4.1.

FortiOS 5.4.1

These features first appeared in FortiOS 5.4.1.

Support Kerberos and NTLM authentication (370489)

FortiGate now recognizes the client's authentication method from the token and selects the correct authentication scheme to authenticate successfully.

CLI syntax

config firewall explicit-proxy-policy

edit <example>

set active-auth-method [ntlm | basic | digest | negotiate | none]


Explicit Web Proxy WISP support improvements (309388 309236)

The following Explicit Web Proxy WISP CLI syntax has been changed and added:

  • Changed web-proxy wisp to table object and added outgoing-ip.
CLI syntax

config web-proxy wisp

edit <example>

set server-ip // WISP server IP address

set server-port // WISP server port (1 - 65535)


  • In the web filter profile, added WISP servers and WISP algorithm.
CLI syntax

config webfilter profile

edit <example>

set wisp-servers // WISP servers

set wisp-algorithm // WISP server selection algorithm

Improvements to explicit web proxy policy page (305817)

Explicit proxy URL categories now show a description next to their numerical values in the CLI. Also, all categories for URL Category are available in the GUI.

Explicit web proxy Kerberos authentication support (297503)

The following web proxy Kerberos authentication CLI syntax has been added:

CLI syntax

config user krb-keytab

edit <example>

set principal // Kerberos service principal

set ldap-server // LDAP server name

set keytab // base64 coded keytab

Explicit proxy, Web Caching, and WAN Optimization are not supported for Flow-based VDOMs (274748)

Explicit proxy, web caching, and WAN optimization have been removed from the GUI in a Flow-based VDOM.

Explicit proxy support for base64 encoded X-Authenticated-Groups and X-Authenticated-User HTTP headers (356979)

Base64-encoded data in the X-Authenticated-Groups and X-Authenticated-User HTTP headers is decoded before further processing.

FortiOS 5.4.0

These features first appeared in FortiOS 5.4.0.

New explicit proxy firewall address types (284753)

New explicit proxy firewall address types improve granularity over header matching for explicit web proxy policies. You can enable this option using the Show in Address List button on the Address and Address Group New/Edit forms under Policy & Objects > Addresses.

The following new address types have been added:

  • URL Pattern - destination address
  • Host Regex Match - destination address
  • URL Category - destination address (URL filtering)
  • HTTP Method - source address
  • User Agent - source address
  • HTTP Header - source address
  • Advanced (Source) - source address (combines User Agent, HTTP Method, and HTTP Header)
  • Advanced (Destination) - destination address (combines Host Regex Match and URL Category)

Disclaimer messages can be added to explicit proxy policies (273208)

Disclaimer options are now available for each explicit proxy policy or split policy of an ID-based policy. This feature allows you to create user exceptions for specific URL categories (including warning messages) based on user groups.

The Disclaimer Options are configured under Policy & Objects > Explicit Proxy Policy. You can also configure a disclaimer for each Authentication Rule by setting Action to Authenticate.

Disclaimer explanations
  • Disable: No disclaimer (default setting).
  • By Domain: The disclaimer will be displayed on different domains. The explicit web proxy checks the Referer header to account for the JavaScript, CSS, images, video and other resources that a page loads.
  • By Policy: The disclaimer will be displayed if the HTTP request matches a different explicit firewall policy.
  • By User: The disclaimer will be displayed when a new user logs on.

Firewall virtual IPs (VIPs) can be used with Explicit Proxy policies (234974)

The explicit web proxy now accepts VIP addresses as the destination address. If an external IP matches a VIP policy, the IP is changed to the mapped IP of the VIP.

Implement Botnet features for explicit policy (259580)

The option scan-botnet-connections has been added to the firewall explicit proxy policy.


config firewall explicit-proxy-policy

edit <policyid>

set scan-botnet-connections {disable | block | monitor}



disable means do not scan connections to botnet servers.

block means block connections to botnet servers.

monitor means log connections to botnet servers.

Add HTTP.REFERRER URL to web filter logs (260538)

Web filter logs now include the referrer field from the HTTP header. This field, along with others in the HTTP header, is very useful in heuristic analysis and in searching for malware-infected hosts.
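As an added example (not Fortinet code), the following Python shows one such heuristic: it parses key=value web filter log lines and flags clients whose requests almost never carry a referrer, which is typical of automated rather than browser-driven traffic. The log lines are constructed, and the field names `subtype`, `srcip`, `hostname` and `referralurl` as well as the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in FortiOS key=value log style. The field names
# (subtype, srcip, hostname, referralurl) are assumptions for this example.
SAMPLE_LOGS = [
    'date=2016-05-10 time=10:00:01 subtype=webfilter srcip=10.0.0.5 hostname="news.example.com" url="/" referralurl="http://search.example.net/?q=news"',
    'date=2016-05-10 time=10:00:02 subtype=webfilter srcip=10.0.0.5 hostname="static.example.com" url="/site.css" referralurl="http://news.example.com/"',
    'date=2016-05-10 time=10:00:09 subtype=webfilter srcip=10.0.0.5 hostname="mail.example.com" url="/inbox"',
    'date=2016-05-10 time=10:00:15 subtype=webfilter srcip=10.0.0.5 hostname="img.example.com" url="/a.png" referralurl="http://news.example.com/"',
    'date=2016-05-10 time=10:01:00 subtype=webfilter srcip=10.0.0.23 hostname="cdn-update.example.org" url="/check?id=7"',
    'date=2016-05-10 time=10:02:00 subtype=webfilter srcip=10.0.0.23 hostname="cdn-update.example.org" url="/check?id=7"',
    'date=2016-05-10 time=10:03:00 subtype=webfilter srcip=10.0.0.23 hostname="cdn-update.example.org" url="/check?id=7"',
    'date=2016-05-10 time=10:04:00 subtype=webfilter srcip=10.0.0.23 hostname="cdn-update.example.org" url="/check?id=7"',
    'date=2016-05-10 time=10:04:01 subtype=virus srcip=10.0.0.23 hostname="cdn-update.example.org"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict, dropping the quotes."""
    return {key: bare if bare else quoted for key, quoted, bare in PAIR.findall(line)}

def referrerless_clients(lines, min_hits=3, min_ratio=0.8):
    """Return clients whose web filter requests mostly carry no referrer."""
    stats = defaultdict(lambda: {"no_referrer": 0, "total": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec.get("subtype") != "webfilter" or "srcip" not in rec:
            continue  # only web filter events that name a client address
        entry = stats[rec["srcip"]]
        entry["total"] += 1
        if not rec.get("referralurl"):  # field absent or empty
            entry["no_referrer"] += 1
            entry["hosts"].add(rec.get("hostname", "?"))
    flagged = {}
    for ip, e in stats.items():
        if e["no_referrer"] >= min_hits and e["no_referrer"] / e["total"] >= min_ratio:
            flagged[ip] = {**e, "hosts": sorted(e["hosts"])}
    return flagged

if __name__ == "__main__":
    for ip, summary in referrerless_clients(SAMPLE_LOGS).items():
        print(ip, summary)
```

A missing referrer is a triage signal only: software updaters, API clients and bookmarked pages also send none, so the destination hostnames of flagged clients need to be reviewed before drawing conclusions.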

Adding guest management to explicit web proxy (247566)

User groups of type Guest can now be referenced in explicit-proxy-policy.