New features in FortiOS 5.2.5
The default Diffie-Hellman setting is 2048 (286801)
This change improves the security of Diffie-Hellman key generation. The default was 1024.
Simple, Wildcard & Regex options now available for per-user BWL (270165)
The Allow users to override blocked categories web filter profile feature (available on some FortiGate models) now allows users to use simple, wildcard and regex expressions to identify the URLs that are blocked.
This feature is also called per-user BWL. To be able to configure this feature from the GUI enter the following command:
config system global
set per-user-bwl enable
end
Then go to Security Profiles > Web Filtering, edit a web filtering profile and select Allow users to override blocked categories. You can select a web filter profile that users can switch to. If the URLs in the web filter profile contain wildcards or regex expressions they will now work when selected for user overrides.
Use the following command to configure this feature from the CLI:
config webfilter profile
edit <profile-name>
set options per-user-bwl
config override
set profile
...
end
end
New diagnose traffictest command (280801)
diagnose traffictest {show | run -h arg | server-intf | client-intf | port | proto}
Where -h arg can be
-f, --format [kmgKMG] format to report: Kbits, Mbits, KBytes, MBytes
-i, --interval # seconds between periodic bandwidth reports
-F, --file name xmit/recv the specified file
-A, --affinity n/n,m set CPU affinity
-V, --verbose more detailed output
-J, --json output in JSON format
-d, --debug emit debugging output
-v, --version show version information and quit
-h, --help show this message and quit
-b, --bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited) (default %d Mbit/sec for UDP, unlimited for TCP) (optional slash and packet count for burst mode)
-t, --time # time in seconds to transmit for (default %d secs)
-n, --bytes #[KMG] number of bytes to transmit (instead of -t)
-k, --blockcount #[KMG] number of blocks (packets) to transmit (instead of -t or -n)
-l, --len #[KMG] length of buffer to read or write (default %d KB for TCP, %d KB for UDP)
-P, --parallel # number of parallel client streams to run
-R, --reverse run in reverse mode (server sends, client receives)
-w, --window #[KMG] TCP window size (socket buffer size)
-C, --linux-congestion <algo> set TCP congestion control algorithm (Linux only)
-M, --set-mss # set TCP maximum segment size (MTU - 40 bytes)
-N, --nodelay set TCP no delay, disabling Nagle's Algorithm
-4, --version4 only use IPv4
-6, --version6 only use IPv6
-S, --tos N set the IP 'type of service'
-L, --flowlabel N set the IPv6 flow label (only supported on Linux)
-Z, --zerocopy use a 'zero copy' method of sending data
-O, --omit N omit the first n seconds
-T, --title str prefix every output line with this string
--get-server-output get results from server
[KMG] indicates options that support a K/M/G suffix for kilo-, mega-, or giga-
Improve device identification (289921)
FortiFone devices are now identified by FortiOS as Fortinet FON. As Apple device detection have also been improved. FortiOS can now more reliably detect Mac OS, iPhone 6, Apple Watch, Microsoft tables and so on.
NP6 SynProxy Monitoring (218425)
New support for monitoring SynProxy and other DoS anomalies. The DoS policy list for both IPv4 and IPv6 displays active IPS meters, as shown by IP and by anomaly. With SynProxy activated, each destination IP will show results.
Maximum number of VLANs per interface increased for the FortiGate-30 Series (300032)
On the FortiGate-30 series products you can add up to 20 VLANs to a physical interface.