New features in FortiOS 5.2.1
This chapter provides a brief introduction to the following features that were added to FortiOS 5.2.1. See the release notes for a complete list of new features/resolved issues in this release.
- Include bandwidth and setup rate statistics in the event log
- Allow export of collected emails
- Ssl-ssh-profile is no longer mandatory when utm profiles are enabled
- Disallow multiple destination interfaces on an IPsec firewall policy
- Add a new diag test command for fnbamd
- Add deregister all option in diagnose endpoint control registration
- Redirect kernel messages to non-console terminals
- Add FortiExtender supported 3G/4G modem list
- Add a new option for STP forwarding
- Suppress probe response based on threshold in wireless controller vap
- Move global antivirus service settings into profile-protocol-options
- Add Ekahau Blink Protocol support and reorganization for station-locate
- Implement diagnose command to test flash SSD
- Online help improvements
- Add iprope check trace in flow trace
- Log id-fields reference improvements
- Add diagnose debug admin error-log command
- Improve hasync debug
- Improve interface list and switch mode
- Wizard improvement
- Allow VIP with port forwarding to permit ICMP
- Support captive portal for block notification page
- Add diagnose log clear-kernel-state command
- Apply new LDAP Tree Browser design to the User Wizard and User Group page
- New Join and try requests to FortiCloud for low-end models
Include bandwidth and setup rate statistics in the event log
Bandwidth and setup rate statistics are vital for health reports on customer units.
The advantages of logging these statistics are:
- Improves performance on FortiAnalyzer (FAZ): querying fewer, smaller logs lets FAZ build reports faster and leaves more idle time for other reports.
- Reduces the amount of logs sent to FAZ.
- Uses less disk space on FAZ for the same report type.
Allow export of collected emails
This feature adds a new monitor page, Collected Email Addresses, under the User & Device > Monitor menu. It is essentially a filter on the device list for devices that have an email address associated with them.
The feature allows the administrator to export the list to a CSV file which can then be used for marketing or analysis purposes.
Ssl-ssh-profile is no longer mandatory when utm profiles are enabled
When UTM profiles are enabled in a security policy, you can set or unset the ssl-ssh-profile.
Syntax
config firewall policy
  edit 1
    set ssl-ssh-profile <profile_name>
  next
end
Disallow multiple destination interfaces on an IPsec firewall policy
When a firewall policy is set to action IPsec, multiple outgoing interfaces are not allowed.
Since multiple destination interfaces on an IPsec policy are not necessary, the CLI and GUI were updated to explicitly disallow them.
Add a new diag test command for fnbamd
The following command was added to show authentication session statistics:
Syntax
diagnose test application fnbamd 1
Sample output
diagnose test application fnbamd 1
Pending sessions: 0
Max session reached: 0
Auth:
  requests: 5000
  sessions: 5000
  released: 5000
Acct:
  requests: 74
  sessions: 0
  released: 0
Cert:
  requests: 0
  sessions: 0
  released: 0
Add deregister all option in diagnose endpoint control registration
When a long list of registered endpoints needs to be deregistered, the following command deregisters all of them at once:
diagnose endpoint registration deregister all
Redirect kernel messages to non-console terminals
To see kernel messages from an SSH or Telnet session, which is needed when the unit is only accessible remotely, the following command has been added:
diagnose debug application kmiglogd <Integer>
<Integer> is the debug level; for example, 1 is the maximum kernel log level to be shown.
Add FortiExtender supported 3G/4G modem list
A new 3G/4G modem list has been introduced that contains the supported modems for both FortiGate and FortiExtender.
GUI changes
On the System > Network > Modem page, click the Configure Modem link under the External Modem section to see the list for FortiGate and FortiExtender.
On the System > Network > FortiExtender page, click Configure Settings, then click the Supported Modems link under the Modem Settings section to show the supported FortiExtender modem list. This jumps back to the list reached from the Configure Modem link on the System > Network > Modem page.
Syntax
The following new diagnose command was added to show the list of supported FortiExtender modems:
diagnose extender modem-list
Add a new option for STP forwarding
Due to an STP forwarding problem on firewalls in one-arm transparent mode, a new option, replace nothing (rpl-nothing), has been added to stpforward-mode.
Syntax
config system interface
  edit wan1
    set stpforward enable
    set stpforward-mode rpl-nothing
  next
end
Suppress probe response based on threshold in wireless controller vap
The wireless controller vap supports probe response suppression (probe-resp-suppression) and probe response threshold (probe-resp-threshold).
Syntax
config wireless-controller vap
  edit "SSID"
    set probe-resp-suppression {enable | disable}
    set probe-resp-threshold <value>
  next
end
The probe-resp-threshold range is -95 to -20 dBm; the default is -80 dBm when suppression is enabled.
Move global antivirus service settings into profile-protocol-options
The global antivirus service settings have moved into profile-protocol-options (the options moved are uncompsizelimit, uncompnestlimit, scan-bzip2, and block-page-status-code). HTTP and HTTPS are combined into HTTP, uncompsizelimit is renamed uncompressed-oversize-limit, and uncompnestlimit is renamed uncompressed-nest-limit. scan-bzip2 is now enabled by default, and appropriate help text has been added.
On upgrade, the options from antivirus service are moved into the corresponding entries in each profile-protocol-options.
CLI changes
The following options are moved from global antivirus service to firewall profile-protocol-options: uncompsizelimit, uncompnestlimit, scan-bzip2, and block-page-status-code.
The following options are removed: ftp, ftps, http, https, imap, imaps, nntp, pop3, pop3s, smtp, and smtps.
The following help text was added:
- uncompressed-oversize-limit: Maximum in-memory uncompressed size that can be scanned.
- uncompressed-nest-limit: Maximum uncompress nest level that can be scanned.
- scan-bzip2: Enable/disable scanning of BZip2 compressed files.
- block-page-status-code: Return code of blocked HTTP pages (non-FortiGuard only).
Add Ekahau Blink Protocol support and reorganization for station-locate
Previously, a config command reported station position to a retail analytics server under config wireless-controller wtp-profile > radio > station-locate. A new feature, ekahau-blink-mode, has been added.
These features are all location-based service (LBS) related; they have moved to an lbs sub-config under wtp-profile and are configured per wtp-profile.
Syntax
config wireless-controller wtp-profile
  edit <wtp-profile-name>
    config lbs
      set ekahau-blink-mode {enable | disable}
      set ekahau-tag <xx:xx:xx:xx:xx:xx>
      set erc-server-ip <any_ip>
      set erc-server-port <integer>
    end
  end
- <xx:xx:xx:xx:xx:xx>: MAC address of the Ekahau tag.
- <any_ip>: Any IP address in the form xxx.xxx.xxx.xxx.
- <integer>: An integer value.
Implement diagnose command to test flash SSD
A new diagnose command has been implemented to test the disk.
Syntax
diagnose disktest <option>
Option can be one of the following:
- device: Specify which device to test.
- block: The block size of each read/write operation.
- time: The time limit for each cycle. Default is no limit.
- size: The size limit for each cycle. Default is no limit.
- run: Run the test for the specified number of cycles. Default is infinite cycles.
Online help improvements
Video links to some help topics have been added in the FortiOS GUI header bar.
Add iprope check trace in flow trace
Previously, flow trace showed only the accepted or denied policy. Policy tracking is sometimes also important: knowing which policies were checked, and the result of each check, can be helpful.
Syntax
diagnose debug flow show iprope {enable | disable}
- enable: trace iprope matching.
- disable: do not trace iprope matching.
Log id-fields reference improvements
This improvement is to make a complete reference for each log id with its corresponding fields in FortiOS.
CLI changes
New endpoint and ha subcategories have been added to config log eventfilter.
Syntax
config log eventfilter
  set endpoint {enable | disable}
  set ha {enable | disable}
end
GUI changes
Subtype log filter options named Endpoint and HA have been added under Event Log.
Add diagnose debug admin error-log command
The last failed admin login is recorded, and this new command shows the details of that failed login attempt.
Syntax
diagnose debug admin error-log
Sample output
The recent admin user failed login details:
error code : -100
method : ssh
login name : test
cmdb name : null
login vdom : root
current vdom : root
override vdom : null
login profile : null
override profile : null
login time : 2014-08-29 11:01:57
Improve hasync debug
The diag test application hasync command has been added to control hasync debugging at a fine-grained level.
Syntax
diag test application hasync [1-19,50-53]
| Value | Description |
|---|---|
| 1 | Dump all states of debug switches. |
| 2 | Turn off all debug switches. |
| 3 | Toggle debug switch of hsync core. |
| 4 | Toggle debug switch of ha-diff. |
| 5 | Toggle debug switch of FIB. |
| 6 | Toggle debug switch of route6. |
| 7 | Toggle debug switch of BYOD. |
| 8 | Toggle debug switch of endpoint_compliance. |
| 9 | Toggle debug switch of NEB. |
| 10 | Toggle debug switch of zebos. |
| 11 | Toggle debug switch of haconf. |
| 12 | Toggle debug switch of proxy. |
| 13 | Toggle debug switch of time. |
| 14 | Toggle debug switch of snmp. |
| 15 | Toggle debug switch of gtp. |
| 16 | Toggle debug switch of auth. |
| 17 | Toggle debug switch of IPsec. |
| 18 | Toggle debug switch of fdb. |
| 19 | Toggle debug switch of arp. |
| 50 | Dump ha sync statistics. |
| 51 | Dump FIB information. |
| 52 | Dump extfile's signature. |
| 53 | Recalculate external files signature. |
Improve interface list and switch mode
This feature introduces grouping of interfaces by interface type and adds a switch to toggle between VLAN Switch Mode and regular Hardware Switch Mode.
GUI changes
- A Group By Type toggle switch has been added in the interfaces page under System > Network > Interfaces.
- A VLAN Switch Mode toggle switch has been added in the interfaces page under System > Network > Interfaces. This VLAN Switch Mode toggle switch shows a confirmation dialog when clicked before toggling the system setting.
- A mini faceplate for Hardware Switch Mode and VLAN Switch Mode has been added in the member column under System > Network > Interfaces.
Wizard improvement
The Wizard has been improved to provide an instruction page explaining how to set up FortiClient for IPsec and SSL VPN, and to allow setting up a FortiCloud connection from the Wizard so that logs are sent to FortiCloud.
GUI changes
- An instruction module generates a page explaining how to set up FortiClient for IPsec or SSL VPN, depending on which VPN is configured.
- A Wizard Summary Page has been added.
- The FortiOS Setup wizard can now set up FortiCloud.
Allow VIP with port forwarding to permit ICMP
When a VIP is defined with port forwarding enabled, ICMP (PING) to the mapped IP can be allowed.
Syntax
config firewall vip
  edit "VIP"
    set extip xxx.xxx.xxx.xxx
    set extintf "wan1"
    set portforward enable
    set mappedip xxx.xxx.xxx.xxx
    set protocol icmp
  next
end
The set protocol command now has an icmp option, which makes the firewall forward ICMP to the host specified by mappedip; the mappedport and extport attributes are ignored for ICMP.
Support captive portal for block notification page
The main requirement of this feature is to present a block notification page if the web access is denied by a firewall policy.
Add diagnose log clear-kernel-state command
This command has been added to clear the log statistics in the kernel in order to improve the disk log session setup rate.
Syntax
diagnose log clear-kernel-stats
Apply new LDAP Tree Browser design to the User Wizard and User Group page
Previously, the LDAP browser showed LDAP containers and LDAP entries within the same tree. With many LDAP entries available, it became harder for users to select, filter, and search different types of LDAP objects.
This new feature divides the LDAP Browser into two major parts:
- A tree to show the containers.
- Tables to show the different types of LDAP object entries.
New Join and try requests to FortiCloud for low-end models
These new join and try requests are for low-end models only, such as FG-30D, FWF-30D, FG-60D, FWF-60D, FG-70D, FG-80D, FG-90D, and FWF-90D.
Syntax
exec fortiguard-log join
exec fortiguard-log try <FortiCloud_id> <Password>