What's New in FortiOS 5.4
This chapter describes new security profile features added to FortiOS 5.4.0 andFortiOS 5.4.1.
FortiOS 5.4.1
These features first appeared in FortiOS 5.4.1.
FortiClient Profile changes (356205)
Features involving general settings have been removed from the FortiClient profile GUI in 5.4.1. Features emphasizing compliance of the endpoint devices have been added. These enhancements facilitate integration with the Cooperative Security Fabric.
When FortiClient endpoint compliance is enabled and FortiClient endpoints are registered to FortiGate, you must upgrade registered FortiClient endpoints. Be sure to upgrade registered endpoints to FortiClient 5.4.1 before upgrading your FortiGate to FortiOS 5.4.1. |
FortiClient endpoint compliance enforcement has three actions. When the action is set to Block or Warning, it is up to you to provision endpoints either via the Enterprise Management Server (EMS) or manually. When the action is set to Auto-update, the FortiGate will provision the endpoint.
Action | Meaning |
---|---|
Block | If the endpoint does not match compliance rules in the FortiClient Security Profile, then it will be blocked. |
Warning | If the endpoint does not match compliance rules in the FortiClient Security Profile, then it will show on the Monitor > FortiClient Monitor as not-compliant. Traffic will not be blocked. |
Auto-update | If the endpoint is not-compliant, the FortiGate will push a limited profile to the endpoint and attempt to get it to be compliant. |
CLI syntax
A third value called compliant and new attributes have been added to existing CLI.
config endpoint-control profile
edit <profile name>
config forticlient-winmac-settings
set compliance-action {block | warning | auto-update}
set os-av-software-installed {enable | disable}
set forticlient-log-upload-level {traffic | vulnerability | event}
set forticlient-system-compliance {enable | disable}
set forticlient-minimum-software-version {enable | disable}
set forticlient-vuln-scan-enforce {enable | disable}
set forticlient-vuln-scan-enforce-grace {0 - 30 days, default = 1}
set sandbox-analysis {enable | disable}
end
end
FortiClient Monitor page updates (304254)
Updates to the Monitor page allow the user to view FortiClient endpoint devices grouped by interface and then sub-grouped by compliance status. Compliance status can be compliant, non-compliant, exempt, or quarantined.
FortiClient Enforcement | ||
---|---|---|
Status | Enabled | Disabled |
Compliant | List only active FortiClientEndpoints. | No devices listed |
Not-compliant | List devices not-compliant with FortiClient profile, so long as they are not exempt. | No devices listed |
Exempt | List FortiClient endpoints exempt from FortiClient compliance. |
List of all user devices except those quarantined by the administrator.
|
Quarantined | List devices quarantined by the administrator. | List devices quarantined by the administrator. |
You can see the reasons for non-compliance by right-clicking on an endpoint in the list.
FortiClient Endpoint Control Profile Attributes (306833)
Certain attributes have been removed from, added to, or changed in the FortiClient endpoint control profile configuration.
Attributes Removed
You can no longer configure these attributes in the FortiClient endpoint control profile:
view-profile-details
scan-download-file
wait-sandbox-result
use-sandbox-signature
block-malicious-website
block-attack-channel
av-scheduled-scan
av-scan-type
av-scan-schedule
av-scan-time
av-scan-exclusions
monitor-unknown-application
install-ca-certificate
disable-wf-when-protected
forticlient-vuln-scan-schedule
forticlient-vuln-scan-on-registration
forticlient-vpn-provisioning
forticlient-advanced-vpn
forticlient-advanced-vpn-buffer
disable-unregister-option
forticlient-log-ssl-upload
forticlient-log-upload-schedule
forticlient-update-from-fmg
forticlient-update-server
forticlient-update-failover-to-fdn
forticlient-settings-lock
forticlient-settings-lock-passwd
auto-vpn-when-off-net
auto-vpn-name
client-log-when-on-net
forticlient-ad
fsso-ma
fsso-ma-server
fsso-ma-psk
allow-personal-vpn
disable-user-disconnect
vpn-before-logon
vpn-captive-portal
forticlient-ui-options
forticlient-advanced-cfg
forticlient-advanced-cfg-buffer
Attributes Added
The following attributes have been added to the FortiClient endpoint control profile configuration.
config endpoint-control profile
edit <profile_name>
config forticlient-winmac-settings
set sandbox-analysis {enable | disable}
set compliance-action {block | warning | auto-update}
set os-av-software-installed {enable | disable}
set forticlient-minimum-software-version {enable | disable}
set forticlient av {enable | disable}
set forticlient-system-compliance {enable | disable}
set forticlient-log-upload
set forticlient-log-upload-level {traffic |vulnerability | event}
set forticlient-vuln-scan-enforce {enable | disable}
set forticlient-vuln-scan-enforce-grace {number}
end
end
Attributes Changed
There is a change to the CLI commands to enable or disable the sending of files to FortiSandbox for analysis.
The CLI command:
config endpoint-control profile
edit <name_str>
config forticlient-winmac-settings
edit <name_str>
set sandbox-scan {enable | disable}
end
end
has been replaced by:
config endpoint-control profile
edit <name_str>
config forticlient-winmac-settings
edit <name_str>
set sandbox-analysis {enable | disable}
end
end
Optionally include FortiGuard spam responses in email log messages (284055)
The field FortiGuard Spam Response has been added as an option to the anti-spam log to aid in identifying misclassified email.
Virus scanning of MS Outlook email (308797)
FortiOS 5.4.1 allows users to enable or disable inspection of MAPI-over-HTTP (MAPI/HTTP) protocol. This protocol was first delivered with Outlook 2013 SP1 and Exchange 2013 SP1. Enabling inspection ensures that the FortiGate can scan Outlook email for viruses.
CLI commands
config firewall ssl-ssh-profile
edit deep-inspection
set mapi-over-https {enable|disable}
Improved Visibility of Botnet and Command & Control (C&C) protection (308104)
Mobile & Botnet C&C license information is now displayed in the License Information widget in the Dashboard. Additionally, you can view the list of Botnet C&C packages in the IP Reputation Database (IRDB) and the Botnet Domain Database (BDDB) from the License Information widget.
A button has been added to the GUI on the DNS filter page allowing you to block DNS requests known to FortiGuard. When you enable this feature, you can open a definitions window by clicking on "botnet package."
Access to the IRDB is available to users through FortiCare support contracts purchased or renewed before October 1, 2016. After that date, users will have to subscribe to the IRDB either through the FortiGuard Mobility Security Service (FMSS) or the FortiGuard Enterprise Bundle.
What's New in FortiOS 5.4.0
These features first appeared in FortiOS 5.4.0.
Proxy and flow-based inspection per VDOM
You can select Flow or Proxy Inspection Mode from the System Information dashboard widget to control your FortiGate's security profile inspection mode. Having control over flow and proxy mode is helpful if you want to be sure that only flow inspection mode is used (and that proxy inspection mode is not used).
Switching to Flow Inspection Mode also turns off WAN Optimization, Web Caching, the Explicit Web Proxy, and the Explicit FTP Proxy making sure that no proxying can occur.
In most cases proxy mode is preferred because more security profile features are available and more configuration options for these individual features are available. Some implementations; however, may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.
If you select flow-based to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or Anti-Spam profile to a firewall policy.
Changing between proxy and flow mode
Proxy mode is enabled by default and you change to flow mode by changing the Inspection Mode on the System Information dashboard widget.
When you select Flow-based you are reminded that all proxy mode profiles are converted to flow mode, removing any proxy settings. As well proxy-mode only features (for example, Web Application Profile) are removed from the GUI.
In addition, selecting Flow-based inspection will cause the Explicit Web Proxy and Explicit FTP Proxy features to be removed from the GUI and the CLI. This includes Explicit Proxy firewall policies.
When you select Flow-based you can only configure Virtual Servers (under Policy & Objects > Virtual Servers) with Type set to HTTP, TCP, UDP, or IP.
If required, you can change back to proxy mode through the System Information dashboard widget.
If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Use the top left dropdown menu to go to Global > System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode.
Security profile features mapped to inspection mode
The table below lists FortiOS security profile features and shows whether they are available in flow-based or proxy-based inspection modes.
The DNS Filter security profile feature is only available for proxy-based inspection in FortiOS versions 5.4.0 and 5.4.1. It is available for both proxy-based and flow-based inspection in FortiOS versions 5.4.2 and above. |
Security Profile Feature | Flow-based inspection | Proxy-based inspection |
---|---|---|
AntiVirus | x |
x |
Web Filter | x | x |
DNS Filter | x | x |
Application Control | x | x |
Cloud Access Security Inspection | x | x |
Intrusion Protection | x | x |
Anti-Spam | x | |
Data Leak Protection | x | |
VoIP | x | |
ICAP | x | |
Web Application Firewall | x | |
FortiClient Profiles | x | x |
Proxy Options | x | |
SSL/SSH Inspection | x | x |
Web Rating Overrides | x | x |
Web Profile Overrides | x |
From the GUI, you can only configure antivirus and web filter security profiles in proxy mode. From the CLI you can configure flow-based antivirus profiles, web filter profiles and DLP profiles and they will appear on the GUI and include their inspection mode setting. Also, flow-based profiles created when in flow mode are still available when you switch to proxy mode.
In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning is still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.
CASI does not work when using proxy-based profiles for AV or Web filtering. Make sure to only use flow-based profiles in combination with CASI on a specific policy. |
Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).
Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you can't save security profiles that are set to proxy mode.
You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will not be visible from the GUI.
Proxy mode and flow mode antivirus and web filter profile options
The following tables list the antivirus and web filter profile options available in proxy and flow modes.
Antivirus features in proxy and flow mode
Feature | Proxy | Flow |
---|---|---|
Scan Mode (Quick or Full) | no | yes |
Detect viruses (Block or Monitor) | yes | yes |
Inspected protocols | yes | no (all relevant protocols are inspected) |
Inspection Options | yes | yes (not available for quick scan mode) |
Treat Windows Executables in Email Attachments as Viruses | yes | yes |
Send Files to FortiSandbox Appliance for Inspection | yes | yes |
Use FortiSandbox Database | yes | yes |
Include Mobile Malware Protection | yes | yes |
Web Filter features in proxy and flow mode
Feature | Proxy | Flow | |
---|---|---|---|
FortiGuard category based filter | yes | yes (show, allow, monitor, block) | |
Category Usage Quota | yes | no | |
Allow users to override blocked categories (on some models) | yes | no | |
Search Engines
|
yes | no | |
Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex | yes | no | |
Restrict YouTube Access | yes | no | |
Log all search keywords | yes | no | |
Static URL Filter | yes | yes | |
Block invalid URLs | yes | no | |
URL Filter | yes | yes | |
Block malicious URLs discovered by FortiSandbox | yes | yes | |
Web Content Filter | yes | yes | |
Rating Options | yes | yes | |
Allow websites when a rating error occurs | yes | yes | |
Rate URLs by domain and IP Address | yes | yes | |
Block HTTP redirects by rating | yes | no | |
Rate images by URL | yes | no | |
Proxy Options | yes | no | |
Restrict Google account usage to specific domains | yes | no | |
Provide details for blocked HTTP 4xx and 5xx errors | yes | no | |
HTTP POST Action | yes | no | |
Remove Java Applets | yes | no | |
Remove ActiveX | yes | no | |
Remove Cookies | yes | no | |
Filter Per-User Black/White List | yes | no |
Cloud Access Security Inspection (CASI)
This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied to a policy much like any other security profile.
Unfortunately CASI does not work when using Proxy-based profiles for AV or Web filtering for example. Make sure to only use Flow-based profiles in combination with CASI on a specific policy. |
For this feature, Deep Inspection of Cloud Applications (set deep-app-inspection [enable| disable]
) has been moved out of the Application Control security profile options.
You will find the Cloud Access Security Inspection feature under Security Profiles > Cloud Access Security Inspection, but you must first enable it in the Feature store under System > Feature Select > CASI.
Editing CASI profiles
The CASI profile application list consists of the Name, Category, and Action. A default CASI profile exists, with the option to create custom profiles.
There is an improvement to the CASI GUI (303760) under release 5.4.1. When you search for a profile application to edit, you can hit enter after typing your search terms to see the results. Under release 5.4.0, hitting enter causes the screen to refresh and the profile to be applied.
For each CASI profile application, the user has the option to Allow, Block, or Monitor the selected cloud application. The following image demonstrates the ability to Allow, Block, or Monitor YouTube using CASI:
When the user drills down into a selected cloud application, the following options are available (depending on the type of service):
- For business services, such as Salesforce and Zoho: Option to allow, block, or monitor file download/upload and login.
- For collaboration services, such as Google.Docs and Webex: Option to allow, block, or monitor file access/download/upload and login.
- For web email services, such as Gmail and Outlook: Option to allow, block, or monitor attachment download/upload, chat, read/send message.
- For general interest services, such as Amazon, Google, and Bing: Option to allow, block, or monitor login, search phase, and file download/upload.
- For social media services, such as Facebook, Twitter, and Instagram: Option to allow, block, or monitor chat, file download/upload, post, login.
- For storage backup services, such as Dropbox, iCloud, and Amazon Cloud Drive: Option to allow, block, or monitor file access/download/upload and login.
- For video/audio services, such as YouTube, Netflix, and Hulu:
Option to allow, block, or monitor channel access, video access/play/upload, and login.
CLI Syntax
configure application casi profile
edit "profile name"
set comment "comment"
set replacemsg-group "xxxx"
set app-replacemsg [enable|disable]
configure entries
edit
set application "app name"
set action [block|pass]
set log [enable|disable]
next
edit 2
next
end
configure firewall policy
edit "1"
set casi-profile "profile name"
next
end
config firewall sniffer
edit 1
set casi-profile-status [enable|disable]
set casi-profile "sniffer-profile"
next
end
config firewall interface-policy
edit 1
set casi-profile-status [enable|disable]
set casi-profile "2"
next
end
External Security Devices
External Security Devices can be configured as means to offload processes to other devices, such as a FortiWeb, FortiCache, or FortiMail. Example processes could include HTTP inspection, web caching, and anti- spam.
Offloading HTTP traffic to FortiWeb
Use the following steps to offload HTTP traffic to FortiWeb to apply Web Application Firewall features to the traffic. Using these steps you can select the HTTP traffic to offload by adding a web application firewall profile configured for external inspection to selected firewall policies. Only the HTTP traffic accepted by those firewall policies is offloaded.
If you offload HTTP traffic to FortiWeb you can also apply other HTTP inspection to it from your FortiGate including virus scanning and web filtering.
A single FortiGate cannot offload HTTP traffic to both FortiCache and FortiWeb.
To offload HTTP traffic to FortiWeb:
- Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
- Go to System > Feature Select and turn on Web Application Firewall.
- Go to System > Cooperative Security Fabric, enable HTTP Service, select FortiWeb and add the IP addresses of your FortiWeb devices. You can also select Authentication add a password if required.
- Go to Security Profiles > Web Application Firewall and add or edit a Web Application Firewall profile and set Inspection Device to External.
- Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy, select Web Application Firewall, and select the profile that you set to use the external inspection device.
These steps add the following configuration to the CLI:
config system wccp
set service-id 51
set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiWeb)
set group address 0.0.0.0
set server-list 5.5.5.25 255.255.255.255 (the IP address of the FortiWeb)
set authentication enable
set forward-method GRE
set return-method GRE
set assignment-method HASH
set password *
end
Offloading HTTP traffic to FortiCache
To offload Web Caching to FortiCache a FortiGate must support WAN Optimization and WAN Optimization must be enabled. For some FortiGate models you need to turn off disk logging to support WAN Optimization. See WAN Optimization in What's New for details.
Use the following steps to offload web caching to FortiCache. Using these steps you can select the web traffic to offload by selecting web caching in firewall policies. Only the web traffic accepted by those firewall policies will be offloaded.
A single FortiGate cannot offload HTTP traffic to both FortiCache and FortiWeb.
- Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
- Go to System > Advanced > Disk Settings and assign at least one disk to WAN Optimization.
- Go to System > Feature Select and turn on WAN Opt. & Cache.
- Go to System > Cooperative Security Fabric, enable HTTP Service, select FortiCache and add the IP addresses of your FortiCache devices. You can also select Authentication add a password if required.
- Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.
These steps add the following configuration to the CLI:
config system wccp
set service-id 51
set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiCache)
set group address 0.0.0.0
set server-list 5.5.5.45 255.255.255.255 (the IP address of the FortiCache)
set authentication enable
set forward-method GRE
set return-method GRE
set assignment-method HASH
set password *
end
Offloading SMTP traffic to FortiMail
Use the following steps to offload SMTP traffic to FortiMail to apply FortiMail features to the traffic. Using these steps you can select the SMTP traffic to offload by adding an AntiSpam profile configured for external inspection to selected firewall policies. Only the SMTP traffic accepted by those firewall policies is offloaded.
If you offload HTTP traffic to FortiWeb you can also apply other HTTP inspection to it from your FortiGate including virus scanning and web filtering.
To be able to offload Anti-Spam processing to a FortiMail device you should:
- Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
- Go to System > Feature Select and turn on Anti-Spam Filter.
- Go to System > Cooperative Security Fabric, enable SMTP Service - FortiMail and add the IP address of your FortiMail devices. You can also select Authentication add a password if required.
- Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.
- Go to Policy & Objects > IPv4 Policy, add or edit a Firewall policy, enable Anti-Spam and select the profile for which you set Inspection Device to External.
These steps add the following configuration to the CLI:
config system wccp
set service-id 52
set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiMail)
set group address 0.0.0.0
set server-list 5.5.5.65 255.255.255.255 (the IP address of the FortiMail)
set authentication enable
set forward-method GRE
set return-method GRE
set assignment-method HASH
set password *
end
Blocking DNS requests to known Botnet C&C addresses
A new FortiGuard database contains a list of known Botnet C&C addresses. This database is updated dynamically and stored on the FortiGate. This database is covered by FortiGuard web filter licensing, so you must have a FortiGuard web filtering license to use this feature.
When you block DNS requests to known Botnet C&C addresses, using IPS, DNS lookups are checked against the Botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all sub-domains are also blocked.
To enable blocking of DNS requests to known Botnet C&C addresses, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.
Static URL filter
The DNS inspection profile static URL filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up with the domains on the static URL filter list. If there is a match the DNS request can be blocked, exempted, monitored, or allowed.
If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site.
If exempted, access to the site is allowed even if another method is used to block it.
DNS-based web filtering
This feature is similar to the FortiGuard DNS web filtering available in FortiOS 5.2. You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.
If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.
You can also allow access or monitor access based on FortiGuard category.
CLI commands
Rename webfilter-sdns-server-ip and webfilter-sdns-server-port:
config system fortiguard
set sdns-server-ip x.x.x.x
set sdns-server-port 53
end
Configure DNS URL filter:
config dnsfilter urlfilter
edit 1
set name "url1"
set comment ''
config entries
edit 1
set url "www.google.com"
set type simple
set action block
set status enable
next
edit 2
set url "www.yahoo.com"
set type simple
set action monitor
set status enable
next
edit 3
set url "www.foritnet.com"
set type simple
set action allow
set status enable
next
end
next
end
Configure DNS filter profile:
config dnsfilter profile
edit "dns_profile1"
set comment ''
config urlfilter
set urlfilter-table 1
end
config ftgd-dns
config filters
edit 1
set category 49
set action block
set log enable
next
edit 2
set category 71
set action monitor
set log enable
next
end
end
set log-all-url disable
set block-action redirect
set redirect-portal 0.0.0.0
set block-botnet enable
next
end
Configure DNS profile in a firewall policy:
config firewall policy
edit 1
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "FTP"
set utm-status enable
set dnsfilter-profile "dns_profile1"
set profile-protocol-options "default"
set nat enable
next
end
Configure DNS profile in profile group:
config firewall profile-group
edit "pgrp1"
set dnsfilter-profile "dns_profile1"
set profile-protocol-options "default"
next
end
Other new Security Profile features
DLP changes (297960)
Some DLP features removed. DLP fingerprinting removed from the GUI.
FortiClient Endpoint Profile improvements and new features (285443 275781 287137)
- 275781: New options available in FortiClient Profiles.
- 285446: VPN can be configured on the GUI either on IPsec VPN or SSL-VPN and changes can be preserved.
- 287137: In the Mobile tab, .mobileconfig files can be configured and Client VPN Provisioning can be enabled.
Features involving general settings have been removed from the FortiClient profile GUI in 5.4.1. Features emphasizing compliance of the endpoint devices have been added. Read |
FortiClient Enforcement added to Interfaces (253933)
FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.
To enforce FortiClient endpoint registration - GUI:
- Go to System > Feature Select and enable Endpoint Control.
- Go to Network > Interfaces and select the internal interface.
- Under Restrict Access, enable FortiTelemetry.
- Under Admission Control, enable Enforce FortiTelemetry for all FortiClients.
FortiClient exempt list improvements (268357 293191)
- 268357: Before you could only configure captive portal policy addresses in the CLI, but it can now be performed in the GUI.
- 293191: Exempt List has been replaced with Exempt Sources, and Exempt Destinations/Services has been added (once an interface has been set to captive portal). Before it was only possible to configure the FortiGate interface port to captive portal through the CLI, but it can now also be performed in the GUI.
FortiClient endpoint profile page updates (283968)
The Security Profiles > FortiClient Profiles page has been redesigned to better present the information available, and so the user can easily locate particular settings of interest.
Pre-existing GUI options under User & Device > FortiClient Profiles have been moved to the Security Profiles menu, and have been reorganized into separate tabs: Security, VPN, Advanced, and Mobile. Profiles can be created and options can be enabled within these tabs.
The VPN, Advanced, and Mobile tabs do not appear in the GUI in FortiOS5.4.1. See FortiClient Profile changes (356205). |
Note that Client-based Logging when On-Net has been renamed to Allow Access to Logs from FortiClient Console.
In addition, the following features were added:
- Support for FortiSandbox integration
- Option for C&C destination scanning and blocking
- Certificate deployment as part of endpoint profile
- FortiClientRTP Option updates
- Option to monitor all unknown applications
Configure the ability to store FortiClient configuration files (171380)
- Enable the advanced FortiClient configuration option in the endpoint profile:
config endpoint-control profile
edit "default"
set forticlient-config-deployment enable
set fct-advanced-cfg enable
set fct-advanced-cfg-buffer "hello"
set forticlient-license-timeout 1
set netscan-discover-hosts enable
next
end
- Export the configuration from FortiClient (xml format).
- Copy the contents of the configuration file and try to paste in the advanced FortiClient configuration box.
If the configuration file is greater than 32k, you need to use the following CLI:
config endpoint-control profile
edit <profile>
config forticlient-winmac-settings
config extra-buffer-entries
edit <entry_id>
set buffer xxxxxx
next
end
end
end
FortiOS 5.4 no longer supports FortiClient 5.0 or earlier (289455)
FortiOS 5.2 would support FortiClient 5.0 (only if the FortiGate upgraded to FortiOS 5.2), however FortiOS 5.4 will no longer support FortiClient 5.0. Customers need to purchase a FortiClient 5.4 subscription-based FortiClient license.
Session timers for IPS sessions (174696 163930)
The standard FortiOS session time-to-live (session TTL) timer for IPS sessions has been introduced to reduce synchronization problems between the FortiOS Kernel and IPS. This has been added so that FortiGate hard-coded timeout values can be customized, and IPS was using too much overall memory.
Botnet protection with DNS Filter (293259)
The new botnet list from FortiGuard can be used to block DNS requests to known botnet C&C IP addresses within a new DNS filter profile.
You can view the botnet list by going to System > FortiGuard > Botnet Definitions.
Secure white list database (288365)
Secure white list exemption for SSL deep inspection. To enable, go to Security Profiles > SSL/SSH Inspection and enable Exempt from SSL Inspection and enable Reputable Websites.
Mobile Malware protection update (288022)
Mobile Malware protection requires a separate license and can be downloaded as a separate object. The mobile malware signatures are no longer part of the AntiVirus Database but these signatures can be enabled by going to Security Profiles > AntiVirus and enabling Include Mobile Malware Protection.
Options not supported by the new quick mode flow-based virus scanning (288317)
Files cannot be sent to FortiSandbox for inspection while in quick mode flow-based virus scanning, and so the GUI option for it has been removed. No option to switch between quick mode and full mode, as choice between Proxy and Flow based inspection has been removed.
Add mobile malware to FortiGuard licenses page and include more version information (290049)
An entry and version information for Mobile Malware Definitions has been added in the License Information table under System > FortiGuard. Also, main items have been bolded and sub-items have been indented for clarification.
Secure white-list DB for flow based UTM features (287343)
A new feature that gathers a list of reputable domain names that can be excluded from SSL deep inspection. This list is periodically updated and downloaded to FortiGate units through FortiGuard.
Syntax:
config firewall ssl-ssh-profile
edit deep-inspection
set whitelist enable
end
New customizable replacement message that appears when an IPS sensor blocks traffic (240081)
A new replacement message will appear specifically for IPS sensor blocked Internet access, to differentiate between IPS sensor blocking and application control blocking.
Low-end models don't support flow AV quick mode and don't support the IPS block-malicious-url option (288318)
AV quick mode and the IPS block-malicious-url option have been disabled on low-end FortiGate models, however these features can be enabled if the FortiGate unit has a hard disk. Low-end models will only supportFullscan mode (the option is left in the GUI to show which mode is active for the user).
New quick mode flow-based virus scanning (281291)
When configuring flow-based virus scanning you can now choose between quick and full mode. Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance. Use the following command to enable quick mode in an antivirus profile:
config antivirus profile
edit <profile-name>
set scan-mode {quick | full}
end
CVE-IDs now appear in the FortiOS IPS signature list (272251)
The signature list can be found at Security Profiles > Intrusion Protection > View IPS Signatures.
Botnet protection added (254959)
The latest Botnet database is available from FortiGuard. You can see the version of the database and display its contents from the System > FortiGuard GUI page. You can also block, monitor or allow outgoing connections to Botnet sites for each FortiGate interface.
FortiSandbox URL database added
You can see the version of the database and display its contents from the System > FortiSandbox GUI page.
New Web Filter profile whitelist setting and changes to blacklist setting (283855, 285216)
Domain reputation can now be determined by "common sense", for sites such as Google, Apple, and even sites that may contain sensitive material that would otherwise be trusted (i.e. there is no risk of receiving botnets or malicious attacks). You can tag URL groups with flags that exempt them from further sandboxing or AV analyzing.
You can identify reputable sites and enable certain bypasses under Security Profiles > Web Filter.
Similarly, you can exempt the identified reputable sites from SSL inspection.
CLI Syntax
config firewall ssl-ssh-profile
edit <profile-name>
set whitelist [enable | disable]
end
config webfilter profile
edit <profile-name>
config web
set whitelist exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others
end
end
Support security profile scanning of RPC over HTTP traffic (287508)
This protocol is used by Microsoft Exchange Server so this feature supports security profile features such as virus scanning of Microsoft Exchange Server email that uses RPC over HTTP.
Users now allowed to override blocked categories using simple, wildcard, and regex expressions to identify the URLs that are blocked (270165)
This feature is also called per-user BWL. To be able to configure this feature from the GUI enter the following command:
config system global
set per-user-bwl enable
end
Then go to Security Profiles > Web Filtering, edit a web filtering profile and select Allow users to override blocked categories.
Use the following command to configure this feature from the CLI:
config webfilter profile
edit <profile-name>
set options per-user-bwl
end
Set flow or proxy mode for your FortiGate (or per VDOM) (266028)
You can configure your FortiGate or a VDOM to apply security profile features in proxy or flow mode. Change between modes from the System Information dashboard widget. Proxy mode offers the most accurate results and the greatest depth of functionality. Flow mode provides enhanced performance. IPS and application control always operates in flow mode and so is not affected by changing this mode.
Security Profiles > Web Application Firewall
Signatures can now be filtered based on risk level.
The options to reset action and apply traffic shaping is now only available in the CLI.
The All Other Known Applications option has been removed, while the option for All Other Unknown Applications has been renamed Unknown Applications.
Block all Windows executable files (.exe) in email attachments (269781)
A new option has been added to AntiVirus profiles to block all Windows executable files (.exe) in email attachments.
CLI Syntax
config antivirus profile
edit "default"
config imap
set executables {default | virus}
end
config pop3
set executables {default | virus}
end
config smtp
set executables {default | virus}
end
config mapi
set executables {default | virus}
end
end
Cookies can now be used to authenticate users when a web filter override is used (275273)
Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI only.
CLI Syntax
config webfilter cookie-ovrd
set redir-host <name or IP>
set redir-port <port>
end
config webfilter profile
edit <name>
config override
set ovrd-cookie {allow | deny}
set ovrd-scope {user | user-group | ip | ask}
set profile-type {list | radius}
set ovrd-dur-mode {constant | ask}
set ovrd-dur <duration>
set ovrd-user-group <name>
set profile <name>
end
end
Blocking malicious URLs (277363)
A local malicious URL database dowloaded from FortiGuard has been added to assist IPS detection for live exploits, such as drive-by attacks. You enable blocking malicious URLs in an IPS profile from the CLI using the following command:
CLI Syntax
config ips sensor
edit default
set block-malicious-url {enable | disable}
next
end
The FortiGuard IPS/AV update schedule can be set by time intervals (278772)
This feature allows updates to occur more frequently (syntax below shown for updates randomly every 2-3 hours).
CLI Syntax
config system autoupdate schedule
set frequency every
set time 02:60
end
Application Control signatures belonging to industrial category/group are excluded by default (277668)
Use the following command to be able to add industrial signatures to an application control sensor:
config ips global
set exclude-signatures {none | industrial}
end
The Industrial category now appears on the Application Control sensor GUI.
An SSL server table can now be used for SSL offloading (275273)
CLI Syntax
config firewall ssl-ssh-profile
edit <name>
set use-ssl-server {enable | disable}
next
end
MAPI RPC over HTTP/HTTPS traffic is now supported for security scanning (278012)
CLI Syntax
config firewall profile-protocol-options
edit "default"
set comment "All default services."
config http
set ports 80 3128
set options rpc-over-http
end
end
New Dynamic DNS FortiGuard web filtering sub-category (276495)
A new FortiGuard web filtering sub-category, Dynamic DNS, has been added and can be found in the Security Risk Category. Also, the sub-category Shopping and Auction has been separated into two sub-categories: Auction and Shopping.
New Filter Overrides in the Application Sensor GUI (260901)
The overrides allow you to select groups of applications and override the application signature settings for them.
FortiGate CA certificates installed on managed FortiClients (260902)
This feature allows you to enable or disable CA certificate installation on managed FortiClients in a FortiClient Profile.
Syntax
config endpoint-control profile
edit <profile>
config forticlient-winmac-settings
set install-ca-certificate [enable | disable]
end
next
end
More exemptions to SSL deep inspection (267241)
Some common sense exemptions have been added to the default SSL deep inspection profile, such as Fortinet, Android, Apple, Skype, and many more.
Exempting URLs for flow-based web filtering (252010)
You can once again exempt URLs for flow-based web filtering.
Filter overrides in Application Sensors (246546)
In the Application Sensor page, a new section named Filter Overrides has been introduced. From this section, clicking Add Filter/Edit Filter will launch a dialog to pick/edit the advanced filter and save it back to the list.
New keyword byte_extract for custom IPS and Application Control signatures (179116)
The new byte_extract
custom IPS signature key has been added that supports snort-like byte extraction actions. It is used for writing rules against length-encoded protocols. The keyword reads some of the bytes from the packet payload and saves it to a variable. You can use the -quiet
option to suppress the reporting of signatures.
IPS logging changes (254954)
IPS operations severely affected by disk logging are moved out of the quick scanning path, including logging, SNMP trap generation, quarantine, etc.
Scanning processes are dedicated to nothing but scanning, which results in more evenly distributed CPU usage. Slow (IPS) operations are taken care of in a dedicated process, which usually stays idle.
New FortiGuard web filtering category: Dynamic DNS (265680)
A new FortiGuard web filtering category has been added for Dynamic DNS under the Security Risk heading, to account for nearly half a million URLs of "Information Technology" rated by BlueCoat as "Dynamic DNS Host".
Syntax
config webfilter profile
edit <profile>
config ftgd-wf
config filters
edit <id>
set category 88<--- New category, Dynamic DNS; number 88
end
end
end
Access Control Lists in DoS Policies (293399)
You can go to Policy & Objects > IPv4 Access Control List or Policy & Objects > IPv6 Access Control List and select an incoming interface and add a list of Firewall source and destination addresses and services and drop traffic that matches.
You can use the following CLI command to add an ACL:
config firewall acl
edit 1
set interface "port1"
set srcaddr "google-drive"
set dstaddr "all"
set service "ALL"
next
end
Websense web filtering through WISP (287757)
WISP is a Websense protocol that is similar in functionality to ICAP, it allows for URLs to be extracted by a firewall and submitted to Websense systems for rating and approval checking.
This feature provides a solution for customers who have large, existing, deployed implementations of Websense security products to replace their legacy firewalls with a Fortigate family, such that they are not forced to make a change to their web filtering infrastructure at the same time.
In order to use Websense's web filtering service, a WISP server per VDOM needs to be defined and enabled first. A Web filtering profile is then defined that enables WISP, which in turn is applied to a firewall policy.
When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.
Syntax
config web-proxy wisp
set status enable
set server-ip 72.214.27.138
set max-connection 128
end
config webfilter profile
edit "wisp_only"
set wisp enable
next
end
Other new Security Profiles features:
- CPU allocation & tuning commands now remain after a system reboot (276190)
- The GUI notifies an administrator when the FortiGate is in conserve mode (266937)
- A new custom IPS signature option, "--ip_dscp" has been added to be compatible with engine 1.x. (269063 )
- The RTP/RTSP decoder can now detect slave sessions (273910)
- ISNIFF can now dump all HTML files if the dump-all-html CLI command is used (277793)
- Sender and recipient fields have been added to flow-based SMTP spam logs (269063)
- Browser Signature Detection added to Application Control profiles (279934)