FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

> Chapter 1 - What's New for FortiOS 5.4 > System

System

This chapter describes new system administration features added to FortiOS 5.4.

Maintainer password recovery enhancements (356944)

For information about recovering a lost password and enhancements to the process, see: Resetting a lost Admin password on the Fortinet Cookbook site.

SSH support updated to 7.1p1 (290889)

The OpenSSH daemon has been upgraded from version 3.7.1p2 to version 7.1p1 to support new security algorithms.

The central management FortiGuard server list can include FQDNs (354449)

This new feature implements support of FQDN, to make it an option for central-management server-list. This feature can be set through the GUI and the CLI.

GUI Changes

On System > FortiGuard > Override FortiGuard Servers > Create New / Edit, a new option, FQDN is added for Address Type.

CLI Changes

config server-list

edit 1

set server-type {update|rating}

set addr-type {ipv4|ipv6|fqdn} <== added fqdn

set server-address ipv4

set server-address6 ipv6

set fqdn FQDN <== added

end

Features removed from the FortiGate 80C (356154)

Features have been changed on the FortiGate / FortiWifi 80C so as to increase available memory and decrease the image size on flash.

Changes made include:

  • removal of web application firewall (WAF)
  • removal of WAN optimization
  • removal of network vulnerability scan (netscan)
  • compression of the Intrusion Prevention System and AntiVirus library files and storing them in a gzip file
  • compression of certain WiFi data files
  • addition of virtual switch function for 80c (applicable to 5.4 only)

New role property on interfaces (294385)

Interfaces now have a property called 'role' which affects visibility and suggests different default options depending on it's value.

  • WAN - this interface is used to connect to the internet.
  • LAN - this interface is used to connect to local network of endpoints.
  • DMZ - this interface is used to connect to servers.
  • Undefined - This interface has a custom role which isn't one of the above.

Interface roles affect visibility of properties and features (295736)

Depending on an interfaces role, some properties may set to a default value and the visibility of others may be set to show or hide in the GUI.

Toggle automatic authorization of extension devices (294966)

When an interface is configured to be dedicated to an extension device, a new option appears to auto-authorize extension devices.

Support for new modem added (293598)

Support for the Linktop LW273 modem has been added.

IPS packet capture files can be backed up (276489)

Use the command execute backup disk ipsarchives and the option of tftp, ftp, or usb.

Change between NAT and Transparent modes removed from the GUI (278289)

The feature in the GUI initiating the change between NAT and Transparent modes has been removed. It can still be done, but only through the CLI. The configuration setting that is used is:

config system settings

set opmode [nat | transparent]

end

Switch mode changes (286447)

Hub mode is no longer available. The old switch mode, usually called 'LAN' will no longer be available. The interface mode is still available and on all models, and instead of the old switch mode, most of the lower end units will come configured, by default, with a hardware switch called 'LAN', which has the function of the old switch mode but is more flexible. Most models with 40 ports or more will come by default in vlan switch mode.

New start attribute as been added to scheduled scripts (285206)

The start attribute has the options manual and auto. Manual means a schedule script needs to be manually started after a reboot. Auto automatically restarts the script after a reboot.

Use the following command to set a script to automatically run after the FortiGate starts up:

config system auto-script

edit <script-name>

set start auto

end

Toggle displaying the hostname on the GUI login page (272572)

Use the following command:

config sys settings

set gui-display-hostname {disable | enable}

end

PPTP and L2TP address pool ranges expanded (275709 )

PPTP and L2TP address pool ranges are allowed to use a subnet mask of up to 255.255.0.0 (B-class), increasing the maximum range size from 254 to 65,534

Pop up notification of impending timeout of Administrator GUI sessions (266413)

A convenience feature to let administrators know that their session is about to expire. This is especially convenient for units that have a timeout setting of just a few minutes.

SNMP can generate traps based on detecting a device's online/offline status (273107)

This setting is related to the device detection feature. It allows SNMP traps to detect when a new device comes online. Within SNMP configurations there is a configurable timeout setting that periodically checks for the device. When a check determines that the device is present a trap is sent.

In the GUI, when configuring an SNMP object, one of the settings is a checkbox, under SNMP Events for Device detected.

To configure the SNMP object in the CLI use the following syntax:

config system snmp community

edit <community ID number>

set name <string>

set events device-new

end

 

In order to configure the idle timeout for the device, use the following syntax in the CLI:

config system global

set device-idel-timeout <integer of time in seconds>

end

The time value for the field can be set from 30 to 31536000.

SNMP improvements for dynamic routing (168927)

SNMP improvements for dynamic routing include support for RFC 4750 OSPF Version 2 Management Information Base and RFC 5643 Management Information Base for OSPFv3. These changes add the capability of logging dynamic routing activity. Examples include sending OSPF routing events or changes to a syslog server or FortiAnalyzer or changes in neighborhood status.

Network Mobility Extensions for Mobile IPv4 (NEMO)

This is an implementation of RFC 5177 that includes the following CLI command.

config system mobile-tunnel

set status enable/disable //Enable/disable this mobile tunnel.

set roaming-interface port1 //Roaming interface name.

set home-agent xxx.xxx.xxx.xxx //IP address of the NEMO HA.

set home-address xxx.xxx.xxx.xxx // Home IP address.

set n-mhae-spi 256 //NEMO authentication spi.

set n-mhae-key-type ascii/base64 //NEMO authentication key type.

set n-mhae-key vWZZxx //NEMO authentication key.

set hash-algorithm hmac-md5 //Hash Algorithm.

set tunnel-mode gre //NEMO tunnnel mode.

set renew-interval 60 //Time before lifetime expiraton to send NMMO HA re-registration.

set lifetime 180 //NEMO HA registration request lifetime.

set reg-interval 5 //NEMO HA registration interval.

set reg-retry 3 //NEMO HA registration maximal retries.

end

 

Restoring configuration file without rebooting the FortiGate (237786)

A setting has been added in the CLI that when set to enable, will allow the FortiGate to start using the newly uploaded configuration file without going through a full reboot process.

The syntax for the setting is:

config system global

set reboot-upon-config-restore {enable | disable}

end

Auto repeat of CLI commands(160023 259531)

Occasionally there is a need to repeatedly run a diagnose command over a long period of time (like checking CPU or memory usage, or checking proxy health), Previously, this could only be done with external console connections. Now this can be done in a script using the interval and repeat commands.

Scripts can be uploaded as a file from the CLI or GUI. To upload scripts from the GUI go to System > Advanced > Configuration Scripts and upload and run the script.

To configure the schedule and scripts, use the following syntax:

config system auto-script

edit <ScriptName>

set interval

set repeat

set script

end

end

interval the interval time in seconds between instances of the script running.

repeat the number of times to repeat the running of the script. The value 0 is used to set an infinite number of repetitions.

start select manual to start the script manually or auto to start the script automatically

script the contents of the script.

This feature may not be available on all models as a hard drive is necessary to make use of it.

Proxy-arp function extension (250651)

A new attribute end-ip is added to proxy-arp. If end-ip is not set, then the ip has the same meaning as before. If end-ip is set, then the ip becomes the start-ip, and the end-ip should be larger than ip and the ip range should less than 256.

config system proxy-arp

edit 1

set interface internal

set ip xxx.xxx.xxx.xxx

set end-ip xxx.xxx.xxx.xxx

next

end

Changes to the FortiGuard Distribution Network GUI page (219862)

The System > FortiGuard page has been updated to include new FortiGuard features including Mobile Malware Definitions, Botnet Definitions and so on. From this page you can also upload packages, and view the list of Botnet Definitions.

 

From this page you can also access new functionality for AntiVirus and IPS updates and Web Filtering and Spam filtering.

You can also use this page to override FortiGuard servers.

Changes to firmware upgrade GUI page (248866)

The following changes have been made to the GUI as it relates to the firmware upgrade process:

  • The interface now provides an upgrade recommendations that is based on FortiGuard's list of supported upgrade paths
  • Allows user to easily select and upgrade to one of the recommended versions
  • There is a graphic representation of the progress of downloading the image and the upgrade process.

GUI features can now be enabled and disabled per VDOM (263708 273799)

When VDOMs are enabled, most of the items in the Features section of the menu are moved to a similar menu section within the VDOM menu and are now customizable on a per VDOM basis. Some items such as IPv6 and Certificates are still configured on a global basis.

From the GUI, you can enable or disable GUI features from System > Feature Select.

From the CLI, GUI items that are enabled or disabled per-VDOM are configured from the config system settings command. GUI items that are enabled globally are enabled or disabled from the config system global command.

note icon Turning these features on or off does not enable or disable the feature but determines whether or not that option is displayed on the GUI.

Improvements to system admin GUI pages (205280)

Several items relating to system administration, and the configuration of the system administrator accounts and profiles in particular, have been updated so that the layout is clearer and more efficient. One of the things improve is that it is now easier to set up two factor authentication.

 

The TFTP session helper supports (263127)

The TFTP session helper supports TFTP for NAT66 and NAT46.

Support for IPv6 addressing when configuring central management (297144)

Previously, the configuration of an IP address for a server for ratings and updates, such as a FortiManager, could only use IPv4 addresses. Now, as shown below IPv6 addressing can be used as well.

config system central-management

set type fortimanager

set fmg "2000:172:16:200::207"

set vdom "vdom1"

config server-list

edit 1

set server-type rating update

set addr-type ipv6

set server-address6 2000:172:16:200::207

next

end

end

New execute traceroute command options (272169)

Different query options can be configured for the execute traceroute command. These settings can also be saved using the execute traceroute-options command as follows:

execute traceroute-options device [Auto | <interface name>]

execute traceroute-options queries <integer>

execute traceroute-options source [Auto | <source interface IP address>]

 

The queries setting is to determine the number of queries per hop. Use execute traceroute-options to view the traceroute settings:

execute traceroute-options view-settings 
Traceroute Options:
	Number of probes per hop: 3
	Source Address: auto
	Device: auto

Administrator password updates (292858)

To set a minimum level of security for the administrative accounts, minimum levels of complexity can be set on guest admin accounts.

config system password-policy-guest-admin

set status [enable | disable]

set min-lower-case-letter <integer>

set min-upper-case-letter <integer>

set min-non-alphanumeric <integer>

set min-number <integer>

end

If the required level of complexity is not met, an error message will appear explaining that the password must conform to the system password policy.

Certificate validation added to FortiGate email server configuration (299506)

When configuring the email server on a FortiGate to send out alert emails that use SMTPS, the FortiGate can validate the email chain, thus reducing the possibility of compromise.

In the CLI the configuration of the email is set up with the following syntax:

config system email-server

set type custom

set reply-to <email address>

set server <SMTP server IP address or hostname>

set port <integer for SMTP server port>

set source-ip <SMTP server source address - IPv4 format>

set source-ip6 <SMTP server source address - IPv6 format>

set authenticate [enable| disable]

set validate-server [enable| disable]

security Connection security.

set security [none | starttls |smtps|

end

The set validate-server option is the new setting that enables the verification.

Changes to backing up and restoring configuration files (298176)

When you insert a USB drive into a FortiGate USB port options to save the configuration to USB and restore configuration from a USB appear on the configureation save and restore pages.

You can also use the command execute backup usb command to backup the configuration to the USB drive.