FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 1 - What's New for FortiOS 5.2 > Firewall

Firewall

New firewall features include:

Menu Simplification

Security policies and firewall objects are now found in the same menu, called Policy & Objects.

Policies

The menu option for policies, found at Policy & Objects > Policy, has been expanded to include the following policy types:

  • IPv4
  • IPv6
  • NAT64
  • NAT46
  • DoS
  • IPv6 DoS
  • Multicast
  • Local In
  • Central NAT Table
  • Proxy Options
  • SSL Inspection (SSL/SSH Inspection on some FortiGate models)

Objects

The following firewall objects have been grouped together under a single menu, found at Policy & Objects > Objects:

  • Addresses
  • Services
  • Schedules
  • Traffic Shapers
  • Virtual IPs
  • IP Pools

Other changes have been made for specific features.

Groups

Object groups can now be made by expanding the arrow beside Create New and selecting Group.

Traffic Shapers

Shared and Per-IP shapers have been combined into a single page, with a Type field added to the creation page.

Traffic shapers creation screen

An additional column, Type, has also been added to the traffic shapers table.

Unified Policy Management

The different creation pages in the web-based manager for policy types and subtypes (user-identity, device identity, and VPN) have been merged into a single main policy creation page. New fields have been added for Source User(s) and Source Device Type that remove the need for multiple authentication rules in a single policy. This allows for greater control and customization of policies, as a combination of these source types can be used in a single policy rather than having to pick one type.

The policy creation page

If both Source User(s) and Source Device Type are set, then traffic must match both fields in order to be accepted by the policy. Both these fields are optional; only Source Address must be set.

For policies that require user or device authentication, there is an implicit fall-through to allow traffic to be checked against other policies if it does not match the authentication requirements. This option cannot be disabled and the CLI command set fall-through-unauthenticated has been removed.

For more information about security policies in FortiOS 5.2, please see the FortiGate Cookbook recipe Creating security policies.

To create a policy for SSL VPNs, an SSL VPN interface is created and used as the source interface. For more information about this interface creation, see SSL VPN Configuration.

Importing LDAP Users for a Security Policy

The LDAP user importing wizard can now be launched during the creation of a new security policy, by selecting Import LDAP users in the dropdown menu when you are adding users to the policy.

The LDAP user importing wizard

Dynamic VIP According to DNS Translation

Dynamic virtual IPs according to DNS translation can now be configured.

When a dynamic virtual IP is used in a policy, the dynamic DNS translation table is installed along with the dynamic NAT translation table into the kernel. All matched DNS responses will be translated and recorded regardless if they hit the policy. When a client request hits the policy, dynamic NAT translation will occur if it matches a record, otherwise the traffic will be blocked.

Syntax

config firewall vip

edit 1

set type dns-translation

set extip 192.168.0.1-192.168.0.100

set extintf dmz

set dns-mapping-ttl 604800

set mappedip 3.3.3.0/24 4.0.0.0/24

end

end

GTP Rate Limiting

New methods of GPRS Tunneling Protocol (GTP) rate limiting are available in FortiOS 5.2.

Per-Stream Rate Limiting

FortiOS 5.2 supports per-stream rate limiting of GTP and the ability to apply rate limiting separately for GTPv0 and GTPv1, as well as for GTPv2.

This feature required the addition of the following CLI commands: message-rate-limit-v0, message-rate-limit-v1, and message-rate-limit-v2. The commands message-rate-limit-v0 and message-rate-limit-v1 are only visible when rate-limit-mode is set to per-stream, while message-rate-limit is visible when rate-limit-mode is set to per-profile. The command message-rate-limit-v2 is always visible, since GTPv2 message numbering and naming are different from GTPv0/v1.

The following features have also been added:

  • Warning limit support.
  • Per-version message rate limiting.
  • A log for rate limiting warning called rate-limited-warning.

In addition, FortiOS Carrier now indicates the GTP version in rate limiting log messages and writes a rate limiting warning log message when a packet exceeds the rate limiting threshold.

Syntax

config firewall gtp

edit <name>

set rate-limit-mode {per-profile | per-stream}

set warning-threshold {0-99}

config {message-rate-limit-v0 | message-rate-limit-v1 | message-rate-limit-v2}

set create-pdp-request <rate-limit>

set delete-pdp-request <rate-limit>

set echo-request <rate-limit>

end

end

Per-APN Rate Limiting Profiles

In FortiOS 5.2, GTP rate limiting profiles can be based per-APN, as well as per-IP. To use this feature, the rate limit for each specific APN needs to be configured in the CLI, as there is no default rate limit.

Syntax

config firewall gtp profile

set rate-limit-mode per-apn

config per-apn-shaper

edit <ID>

set apn <string>

set version <version>

set rate-limit <rate-limit>

end

end

Object UUID Support

UUID is only supported on large-partition platforms (>=128M).

A Universally Unique Identified (UUID) attribute has been added to some firewall objects, including virtual IPs and virtual IP groups for IPv4, IPv6, NAT46, and NAT64, so that the logs can record these UUID to be used by a FortiManager or FortiAnalyzer unit.

The UUID of an object can either be generated automatically or assigned through the CLI. To view the UUID for these objects in a FortiGate unit's logs, log-uuid must be set to extended mode, rather than policy-only, which only shows the policy UUID in a traffic log.

Syntax

config sys global

set log-uuid {disable | policy-only | extended}

end

 

config firewall {policy | policy6 | policy46 | policy64 | address| addres6 | addgrp | addgrp6}

edit <1>

set uuid <8289ef80-f879-51e2-20dd-fa62c5c51f44>

end

end

Configuring the Class of Service Bit

FortiGate units can now configure the value of the Class of Service (CoS) bit, also called Priority Code Point (PCP).

The value of CoS in forward direction (fwd) and reverse direction (rev) is set in the policy/policy6 table using the CLI. The value can be set either as 255, to allow passthrough, or given a priority between 0 and 7.

Syntax

config firewall {policy | policy6}

set vlan-cos-fwd <int>

set vlan-cos-rev <int>

end

Hairpinning for NAT64 and NAT46

In FortiOS 5.2, NAT64 and NAT46 support hairpinning between hosts that are located in the same network behind a single external IP address. Hairpinning allows endpoints on the internal network to communicate using external IP addresses and ports.

In order to allow hairpinning, set permit-any-host must be enabled in the NAT64 or NAT46 firewall policy.

Maximum Number of Available Virtual IPs Increased

The maximum limit of available virtual IPs has been increased on 1U FortiGate models (FortiGate-100 to 800 series) to 16,000 and on 2U FortiGate models (FortiGate-1000 to 3810 series) to 32,000.