This chapter introduces the following top features of FortiOS 5.2:
- Unified Policy Management
- FortiView Dashboards
- SSL Inspection
- Web Filtering
- Application Control
- IPsec VPN Creation Wizard
- Captive Portal
- FortiAP Management
- Flow-based Antivirus
- FortiExtender Support
- Using a Virtual WAN Link for Redundant Internet Connections
- Internet Key Exchange (IKE)
- SSL VPN Creation
- On-Net Status for FortiClient Devices
The different creation pages in the web-based manager for policy types and subtypes (user-identity, device identity, and VPN) have been merged into a single main policy creation page. New fields have been added for Source User(s) and Source Device Type that remove the need for multiple authentication rules in a single policy. This allows for greater control and customization of policies, as a combination of these source types can be used in a single policy rather than having to pick one type.
For more information, see Unified Policy Management.
The FortiView dashboards integrate real-time and historical dashboards into a single view that displays the top 100 sessions on a FortiGate unit. The different dashboards show information on the following:
- Cloud applications
- Web sites
- All sessions
For more information, see FortiView Dashboards.
Several changes have been made to how a FortiGate unit handles SSL inspection: a new mode allows HTTPS traffic to be scanned without enabling deep inspection, and the handling of certificates and the configuration of exemptions for SSL inspection have changed.
For more information, see SSL Inspection.
Several new options have been added for web filtering:
- Restricting Google access to specific domains
- New protocols for warnings and authentication
- Modifying HTTP request headers
- Adding a referer to URL filters
- Additional replacement message variables
For more information, see Web Filtering.
Several new options have been added for application control:
- Deep inspection for cloud applications
- Traffic shaping settings
- 5-Point-Risk Ratings
- Replacement messages
- Support for SPDY protocol
For more information, see Application Control.
The IPsec VPN wizard is the only web-based manager tool for creating interface- or route-based IPsec VPNs. It takes only a few steps with the wizard to create a wide variety of interface-based IPsec VPN configurations. In addition to the IPsec settings, the wizard creates all required routes and policies.
In FortiOS 5.2, expanded options have been added to the wizard, allowing it to be used for more types of VPN configurations. Tunnel templates have been created for popular configurations.
For more information, see VPN Creation Wizard.
Several new options have been added for captive portals:
- External captive portals
- Using groups from the security policy
- Exempting a policy
- Replacement messages
- New configuration options for wireless
- WPA personal security + captive portal for wireless
Several new options have been added for managing FortiAP units:
- Manually selecting AP profiles
- AP scanning
- Radio settings summary
- CLI console access
- Split tunneling for wireless traffic
For more information, see FortiAP Management.
In FortiOS 5.2, flow-based antivirus has been improved to have the same enhanced performance as flow-based antivirus scanning in FortiOS 5.0 while providing the same accuracy and many of the extended features of proxy-based antivirus.
For more information, see Flow-based Antivirus.
FortiOS 5.2 supports FortiExtender, which allows you to remotely connect 4G/LTE USB modems to a FortiGate unit. The FortiGate unit can remain installed in a secure location while the FortiExtender is installed on a roof or near a window, providing enhanced 4G/LTE modem reception.
For more information, see FortiExtender Support.
A virtual WAN link consists of two or more interfaces that are connected to multiple ISPs. The FortiGate unit sees the virtual WAN link as a single interface, so the FortiGate's security policy configuration no longer has to be redundant to support dual Internet links. In addition, the virtual WAN link includes load balancing and new link health checking and settings.
For more information, see Using a Virtual WAN Link for Redundant Internet Connections.
Several new options have been added for how IKE is supported on a FortiGate:
- Multiple interfaces
- Certificates groups
- Authentication methods
- Inheriting groups from the security policy
- Assigning client IP addresses using the DHCP proxy
- Transform matching
- Cookie notification
- Message ID sync for High Availability
For more information, see Internet Key Exchange (IKE).
SSL VPN configuration has been simplified with new settings and portal creation pages. Most SSL VPN settings can be configured on one web-based manager page, with additional settings handled as part of the security policy.
For more information, see SSL VPN Configuration.
A new status option, On-Net, has been added for FortiClient devices. It shows whether a device has been registered with the FortiGate unit.
For more information, see On-Net Status for FortiClient Devices.