What's new for the Firewall in 5.4

Learning mode for Firewall policies (310544 365727)

Learning mode is a quick way to set a policy that allows all traffic but logs all of it, so the logs can later be used to decide which restrictions and protections the policy should apply. The objective while in Learning mode is to monitor the traffic, not to act on it.

Once the Learn action is selected, FortiOS attaches a fixed set of built-in profiles to the policy. The following profiles are set up:

  • AntiVirus (av-profile)
  • Web Filter (webfilter-profile)
  • Anti Spam (spamfilter-profile)
  • Data Leak Prevention (dlp-sensor)
  • Intrusion Protection (ips-sensor)
  • Application Control (application-list)
  • Proxy Options (profile-protocol-options)

Note:
  • These UTM profiles all use Flow mode.
  • SSL inspection is always disabled for the Learn option, so the report only reflects what flow-mode profiles can see without decrypting TLS.
  • These profiles are static and cannot be edited.

Profiles that are not used are:

  • DNS Filter (does not have a Flow mode)
  • Web Application Firewall (does not have a Flow mode)
  • CASI (almost all CASI signatures require SSL deep inspection; without SSL inspection, turning on CASI serves little purpose)

The ability to set policies to learning mode is enabled per VDOM:

config system settings
    set gui-policy-learning [enable | disable]
end

Once the feature is enabled in the VDOM, Learn is available as an Action option when editing a policy.

Caution: Because this feature requires a minimum level of logging capability, it is only available on FortiGate models with a hard disk. Smaller models may not be able to use it.

Once the Learning policy has run long enough to collect the needed information, the report can be viewed under Log & Report > Learning Report.

The report can be either a Full Report or a Report Summary.

The time frame of the report can be the last 5 minutes, 1 hour, or 24 hours.

The Learning Report includes:

Deployment Methodology

  • Test Details
  • Start time
  • End time
  • Model
  • Firmware
  • Policy List

Executive Summary

  • Total Attacks Detected
  • Top Application Category
  • Top Web Category
  • Top Web Domain
  • Top Host by Bandwidth
  • Host with Highest Session Count

Security and Threat Prevention

  • High Risk Applications
  • Application Vulnerability Exploits
  • Malware, botnets and Spyware/Adware
  • At-Risk Devices and Hosts

User Productivity

  • Application Usage
  • Top Application Categories
  • Top Social Media Applications
  • Top Video/Audio Streaming Applications
  • Top Peer to Peer Applications
  • Top Gaming Applications
  • Web Usage
  • Top Web Categories
  • Top Web Applications
  • Top Web Domains

 

New Features in 5.4.1

Multiple interfaces or ANY interface can be added to a firewall policy (288984)

This feature can be enabled or disabled in the GUI under System > Feature Select by toggling Multiple Interface Policies.

When selecting the Incoming or Outgoing interface of a policy, there are a few choices:

  • The ANY interface (choosing it removes all other interfaces from the field; the policy then matches traffic on every interface, so place it carefully in the policy order)
  • A single specific interface
  • Multiple specific interfaces (added at the same time or one at a time)

In the GUI, click the "+" symbol in the interface field and select the desired interfaces from the side menu. In the CLI there are two ways to do it (edit 0 creates a new policy with the next free ID):

  1. Set the interfaces all at once:

config firewall policy
    edit 0
        set srcintf wan1 wan2
    end

  2. Set the first interface and append additional ones:

config firewall policy
    edit 0
        set srcintf wan1
        append srcintf wan2
    end

Multicast policy page changes (293709 305114 )

The multicast policy GUI page has been updated to the new GUI look and feel, and some functionality has changed.

  • The DNAT option has been removed from the GUI but is still available in the CLI. The action can be set to IPsec, and if Log Allowed Traffic is selected a few logging options can be chosen.
  • The Multicast policy page loads faster.

 

Policy objects dialogs updated to new GUI style (354505)

To avoid confusion, the default value for "day" is no longer Sunday. In the GUI, none of the day options are selected.

New Features in 5.4.0

Display change in Policy listing (284027)

Alias names for interfaces, if used, now appear in the headings of the Interface Pair View (formerly called the Section View).

RPC over HTTP traffic separate (288526)

How protocol options profiles and SSL inspection profiles handle RPC (Remote Procedure Call) over HTTP traffic can now be configured separately from normal HTTP traffic.

CLI syntax changes

config firewall profile-protocol-options
    edit <profile name>
        set rpc-over-http {disable | enable}
    end

config firewall ssl-ssh-profile
    edit deep-inspection
        set rpc-over-http {disable | enable}
    end

Disable Server Response Inspection supported (274458)

The Disable Server Response Inspection (DSRI) option has been added to firewall policies (CLI only). It improves performance when a policy is used only for URL filtering, because the system then ignores HTTP server responses. Because the responses are no longer inspected, do not enable it on a policy whose antivirus or IPS protection depends on scanning downloaded content.

CLI syntax for changing the DSRI setting:

config firewall {policy | policy6}
    edit <policy ID>
        set dsri {enable | disable}
    end

config firewall {interface-policy | interface-policy6}
    edit <policy ID>
        set dsri {enable | disable}
    end

config firewall sniffer
    edit <sniffer ID>
        set dsri {enable | disable}
    end

Policy counter improvements (277555 260743 172125)

  • An implicit deny policy counter has been added
  • The first-hit time is tracked for each policy
  • A hit count is tracked for each policy (the total number of new sessions since the last reset)
  • Most counters now persist across reboots

Bidirectional Forwarding Detection (BFD) (247622)

Bidirectional Forwarding Detection (BFD) protocol support has been added to Protocol Independent Multicast (PIM), to detect failures between forwarding engines.

TCP sessions can be created without TCP syn flag checking (236078)

A per-VDOM option is available to enable or disable the creation of TCP sessions without TCP SYN flag checking. Allowing sessions to form from non-SYN packets lets the FortiGate pick up flows whose handshake it never saw (the asymmetric routing case) at the cost of the handshake check, so enable it only where routing is known to be asymmetric.

Mirroring of traffic decrypted by SSL inspection (275458)

This feature sends a copy of traffic decrypted by SSL inspection to one or more FortiGate interfaces so that it can be collected by a raw packet capture tool for archiving and analysis.

The feature is available when the inspection mode is flow-based. Use the following commands to enable it in a policy; this example sends all traffic decrypted by policy 1 to the port1 and port2 interfaces. The mirrored copy is cleartext, so connect the mirror interfaces only to the capture host.

config firewall policy
    edit 1
        set ssl-mirror enable
        set ssl-mirror-intf port1 port2
    next
end

 

Support for full cone NAT (269939)

Full cone NAT maps a public IP address and port to a LAN IP address and port. Any device on the Internet can then send data to the internal LAN IP address and port by directing it at the external IP address and port, not only the host the internal device first contacted. Sending to the correct IP address but a different port causes the communication to fail. This type of NAT is sometimes also described as port forwarding.

Full cone NAT is configured only in the CLI, by setting up an IP pool for the NAT of an external IP address. The two important settings are:

  • set type - must be set to port-block-allocation to use full cone
  • set permit-any-host - enabling it is what enables full cone NAT

Because any Internet host can use a mapping while it exists, enable permit-any-host only for applications that need it, such as peer-to-peer or VoIP hole punching.

An example of the IP pool configuration:

config firewall ippool
    edit "full_cone-pool1"
        set type port-block-allocation
        set startip 10.1.1.1
        set endip 10.1.1.1
        set permit-any-host enable
    end
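The behaviour difference that permit-any-host controls, as an added in-memory model (this is not FortiOS code and does not reproduce the port-block-allocation pool; the addresses and ports, and the 10.1.1.1 external address taken from the pool example above, are assumed). With full cone semantics any external host can reach the internal endpoint through an open mapping; with address-restricted semantics only a peer the internal host already contacted can:

```python
"""Full cone versus address-restricted NAT, as a small in-memory model.
Added, constructed example: not FortiOS code. Addresses and ports are assumed.
"""

EXTERNAL_IP = "10.1.1.1"   # the pool address used in the ippool example above (assumed)


class ConeNat:
    def __init__(self, permit_any_host, first_port=40000):
        self.permit_any_host = permit_any_host    # True = full cone, False = restricted
        self.next_port = first_port
        self.outbound = {}    # (internal ip, internal port) -> external port
        self.inbound = {}     # external port -> (internal ip, internal port, peers contacted)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map an internal endpoint to an external port, reusing an existing mapping."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (src_ip, src_port, set())
        port = self.outbound[key]
        self.inbound[port][2].add(dst_ip)      # remember which external peers were contacted
        return (EXTERNAL_IP, port, dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the internal (ip, port) an Internet packet is delivered to, or None if dropped."""
        if dst_ip != EXTERNAL_IP or dst_port not in self.inbound:
            return None                         # wrong port or no mapping: dropped
        int_ip, int_port, peers = self.inbound[dst_port]
        if not self.permit_any_host and src_ip not in peers:
            return None                         # restricted cone: unknown peer dropped
        return (int_ip, int_port)               # full cone: any host may use the mapping


def demo(permit_any_host):
    """Open one mapping from an internal host, then attempt delivery from a known peer,
    from a third party that was never contacted, and to a port with no mapping."""
    nat = ConeNat(permit_any_host)
    ext_ip, ext_port, _, _ = nat.translate_outbound("192.168.1.10", 5000, "203.0.113.5", 3478)
    return {
        "known_peer": nat.translate_inbound("203.0.113.5", 3478, ext_ip, ext_port),
        "third_party": nat.translate_inbound("198.51.100.7", 9999, ext_ip, ext_port),
        "wrong_port": nat.translate_inbound("198.51.100.7", 9999, ext_ip, ext_port + 1),
    }


if __name__ == "__main__":
    print("full cone:  ", demo(True))
    print("restricted: ", demo(False))
```

The "third_party" entry is the one that changes between the two modes: with permit-any-host the unknown host is delivered to the internal endpoint, without it the packet is dropped, and in both modes a packet to an unmapped port is dropped.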

Enable or disable inspecting IPv4 and IPv6 ICMP traffic (258734)

There is now a system setting that determines whether ICMP reply traffic can pass through a FortiGate even when there is no existing session.

config system settings
    set asymroute-icmp enable
    set asymroute6-icmp enable
end

When the feature is enabled:

  • ICMP or ICMPv6 reply traffic can pass through the firewall when no session exists (the asymmetric routing case).
  • TCP ACK packets are still prevented from passing through the firewall when no session exists.

When the feature is disabled:

  • ICMP or ICMPv6 replies are prevented from passing through the firewall when no session exists.
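How a session table treats reply packets that arrive with no matching session, as an added model covering both the asymroute-icmp setting above and the per-VDOM option to create TCP sessions without SYN checking (this is a constructed illustration, not FortiOS code; the packet contents and the option names used as constructor arguments are assumed):

```python
"""Session-table handling of reply packets with no matching session.
Added, constructed example, not FortiOS code: it models the behaviour the page
describes for asymroute-icmp (ICMP replies with no session) and for creating TCP
sessions without SYN checking. Packet contents are assumed.
"""
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    flags: frozenset = frozenset()

    def key(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst, self.src, self.dport, self.sport)


class SessionTable:
    def __init__(self, asymroute_icmp=False, tcp_session_without_syn=False):
        self.sessions = set()
        self.asymroute_icmp = asymroute_icmp
        self.tcp_session_without_syn = tcp_session_without_syn

    def handle(self, pkt):
        """Return 'allow' or 'drop'. Policy matching is out of scope: a new session is
        assumed to be permitted by a policy; the question is only whether one may form."""
        if pkt.key() in self.sessions or pkt.reverse_key() in self.sessions:
            return "allow"                     # existing session, either direction
        if pkt.proto == "tcp":
            if "SYN" in pkt.flags or self.tcp_session_without_syn:
                self.sessions.add(pkt.key())   # handshake seen, or SYN check disabled
                return "allow"
            return "drop"                      # bare ACK with no session
        if pkt.proto == "udp":
            self.sessions.add(pkt.key())
            return "allow"
        if pkt.proto == "icmp":
            if pkt.icmp_type == ECHO_REQUEST:
                self.sessions.add(pkt.key())
                return "allow"
            if pkt.icmp_type == ECHO_REPLY:
                # asymmetric routing: the request left by another path, so no session here
                return "allow" if self.asymroute_icmp else "drop"
        return "drop"


def scenario(asymroute_icmp=False, tcp_session_without_syn=False):
    """Orphan replies first, then a normal request so the same reply matches a session."""
    table = SessionTable(asymroute_icmp, tcp_session_without_syn)
    reply = Packet("icmp", "203.0.113.5", "10.0.0.8", icmp_type=ECHO_REPLY)
    ack = Packet("tcp", "203.0.113.5", "10.0.0.8", 443, 51000, flags=frozenset({"ACK"}))
    request = Packet("icmp", "10.0.0.8", "203.0.113.5", icmp_type=ECHO_REQUEST)
    return {
        "orphan_icmp_reply": table.handle(reply),
        "orphan_tcp_ack": table.handle(ack),
        "request": table.handle(request),
        "matched_reply": table.handle(reply),
    }


if __name__ == "__main__":
    print("defaults:       ", scenario())
    print("asymroute-icmp: ", scenario(asymroute_icmp=True))
    print("no SYN check:   ", scenario(tcp_session_without_syn=True))
```

With the defaults both orphan packets are dropped; asymroute-icmp lets only the ICMP reply through, while disabling SYN checking lets the bare ACK create a session, which is why the two options are worth keeping separate.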

Policy names (246575 269948 293048)

In addition to the policy ID, there is now a policy name field in the policy settings. On upgrading to 5.4, names are not assigned to existing policies, but a new policy must be given a unique name. Every policy name must be unique within the current VDOM, regardless of policy type.

In the GUI, the policy name is the first field on the editing page.

In the CLI, the syntax for assigning the policy name is:

config firewall {policy | policy6}
    edit <policy ID>
        set name <policy_name>
    end

The requirement can be turned on or off.

To turn it off in the CLI:

config system settings
    set gui-advance-policy [enable | disable]
end

To turn it off in the GUI, the option to do so must first be enabled in the CLI; it is disabled by default. The syntax is:

config system settings
    set gui-allow-unnamed-policy [enable | disable]
end

Once this has been enabled, the requirement for named policies can be relaxed under System > Feature Select; Allow Unnamed Policies is listed under Additional Features.

This setting is per VDOM, so if you are running VDOMs you must enter the correct VDOM before entering the CLI commands or toggling the feature in the GUI.

Policy and route lookup (266996 222827)

The Policy Lookup button in the menu bar at the top of the IPv4 and IPv6 Policy pages determines which policy traffic with a given set of parameters will match. Once the parameters are entered, the matching policy is displayed.

The parameters are:

  • Source Interface - select from a drop-down menu of available interfaces
  • Protocol - select from a drop-down menu of:
      • IP
      • TCP
      • UDP
      • SCTP
      • [ICMP|ICMPv6]
      • [ICMP|ICMPv6] ping request
      • [ICMP|ICMPv6] ping reply
  • Source - source IP address
  • Destination - destination IP address
  • Protocol Number - if Protocol = IP
  • Source Port - if Protocol = TCP|UDP|SCTP
  • Destination Port - if Protocol = TCP|UDP|SCTP
  • ICMP Type - if Protocol = ICMP|ICMPv6
  • ICMP Code - if Protocol = ICMP|ICMPv6
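What a policy lookup does with those parameters, as an added model that also covers the multi-interface and ANY-interface policies, unique policy names, and the hit-count, first-hit and implicit-deny counters described earlier on this page (a constructed illustration, not FortiOS code; the interface names, addresses and the three policies are assumed):

```python
"""First-match firewall policy lookup with multi-interface / ANY matching and
per-policy counters. Added, constructed example: this is not FortiOS code, and
the interface names, addresses and policies are assumed for illustration.
"""
import ipaddress
import time

ANY = "any"   # stands for the ANY interface; matches every interface


class Policy:
    def __init__(self, policyid, name, srcintf, dstintf, srcaddr, dstaddr, services, action):
        self.policyid = policyid
        self.name = name                       # must be unique within the table (VDOM)
        self.srcintf = set(srcintf)            # e.g. {"wan1", "wan2"} or {ANY}
        self.dstintf = set(dstintf)
        self.srcaddr = [ipaddress.ip_network(a) for a in srcaddr]
        self.dstaddr = [ipaddress.ip_network(a) for a in dstaddr]
        self.services = services               # list of (proto, set of dst ports or None)
        self.action = action                   # "accept" or "deny"
        self.hit_count = 0                     # new sessions matched since last reset
        self.first_hit = None                  # time of the first match, None until hit

    @staticmethod
    def _intf_ok(allowed, intf):
        return ANY in allowed or intf in allowed

    def _service_ok(self, proto, dport):
        for svc_proto, ports in self.services:
            if svc_proto == "all":
                return True
            if svc_proto == proto and (ports is None or dport in ports):
                return True
        return False

    def matches(self, pkt):
        """pkt carries the lookup parameters: srcintf, dstintf, proto, src, dst, dport."""
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        return (self._intf_ok(self.srcintf, pkt["srcintf"])
                and self._intf_ok(self.dstintf, pkt["dstintf"])
                and any(src in net for net in self.srcaddr)
                and any(dst in net for net in self.dstaddr)
                and self._service_ok(pkt["proto"], pkt.get("dport")))


class PolicyTable:
    def __init__(self, policies):
        names = [p.name for p in policies]
        if len(names) != len(set(names)):
            raise ValueError("policy names must be unique within the VDOM")
        self.policies = policies               # evaluated top to bottom, first match wins
        self.implicit_deny_count = 0           # counter for the implicit deny policy

    def lookup(self, pkt, now=None):
        """Return (policy, action) for the first matching policy, or (None, 'deny')."""
        now = time.time() if now is None else now
        for p in self.policies:
            if p.matches(pkt):
                p.hit_count += 1
                if p.first_hit is None:
                    p.first_hit = now
                return p, p.action
        self.implicit_deny_count += 1
        return None, "deny"


def build_table():
    """Constructed policy set: a deny on every interface, a two-WAN policy, and a LAN policy."""
    return PolicyTable([
        Policy(1, "block-telnet-anywhere", [ANY], [ANY],
               ["0.0.0.0/0"], ["0.0.0.0/0"], [("tcp", {23})], "deny"),
        Policy(2, "inet-to-dmz-https", ["wan1", "wan2"], ["dmz"],
               ["0.0.0.0/0"], ["192.0.2.0/24"], [("tcp", {443})], "accept"),
        Policy(3, "lan-out", ["lan"], [ANY],
               ["10.0.0.0/8"], ["0.0.0.0/0"], [("all", None)], "accept"),
    ])


if __name__ == "__main__":
    table = build_table()
    https_in = {"srcintf": "wan2", "dstintf": "dmz", "proto": "tcp",
                "src": "198.51.100.9", "dst": "192.0.2.10", "dport": 443}
    policy, action = table.lookup(https_in)
    print(policy.policyid, policy.name, action)      # the wan2 interface matches policy 2
```

The destination interface is assumed to come from a route lookup before the policy lookup runs, which is why it is a field of the packet rather than a parameter the user enters. Note how the ANY policy at the top catches Telnet from the LAN before the permissive "lan-out" policy can accept it; the same traffic with the policies reordered would be accepted, which is the ordering caveat that ANY-interface policies introduce.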

 

Support NAT 64 CLAT (244986)

NAT64 CLAT traffic is now supported by the FortiGate. CLAT traffic comes from customer-side translators (the CLAT of 464XLAT, RFC 6877), which use stateless IP/ICMP translation (SIIT) to carry a device's IPv4 traffic across an IPv6-only network to a provider-side NAT64 translator.

VIPs can contain FQDNs (268876)

Instead of mapping to an IP address, a VIP can map to a Fully Qualified Domain Name. This must be configured in the CLI, and the FQDN must already exist as an address object in the address list.

The syntax for using an FQDN is as follows:

config firewall vip
    edit <VIP id>
        set type fqdn
        set mapped-addr <FQDN address object>
    end

Access Control Lists (ACLs) (293399)

The access control list (ACL) feature lets you drop IPv4 or IPv6 packets received on an NP6-accelerated interface based on source address, destination address and service. When an ACL is attached to an interface, ACL checking is one of the first things that happens to a packet, and it is done by the NP6 processor, so the protection is very efficient and uses no CPU or memory resources. An ACL only denies: packets it does not match continue to normal policy processing, so it complements firewall policies rather than replacing them.

In the GUI, the feature is found at Policy & Objects > IPv4 Access Control List and Policy & Objects > IPv6 Access Control List.

To add an IPv4 ACL through the CLI, use the following syntax:

config firewall acl
    edit <ACL policy ID>
        set status enable
        set interface <interface>
        set srcaddr <address object>
        set dstaddr <address object>
        set service <service object>
    next
end

To add an IPv6 ACL through the CLI, use the following syntax:

config firewall acl6
    edit <ACL policy ID>
        set status enable
        set interface <interface>
        set srcaddr <address object>
        set dstaddr <address object>
        set service <service object>
    next
end

GUI improvement for DoS Policy configuration (286905)

When configuring a DoS policy, the Action (Pass or Block) can now be set for all of the anomalies in a list at once by choosing the desired option in the heading at the top of the column.

Expired Policy Object warnings (259338)

The Policy window indicates when a policy has become invalid due to its schedule parameters referring only to times in the past.