What's New in FortiOS 5.4

This chapter describes new security profile features added to FortiOS 5.4.0 and FortiOS 5.4.1.

FortiOS 5.4.1

These features first appeared in FortiOS 5.4.1.

FortiClient Profile changes (356205)

Features involving general settings have been removed from the FortiClient profile GUI in 5.4.1. Features emphasizing compliance of the endpoint devices have been added. These enhancements facilitate integration with the Cooperative Security Fabric.

Note: When FortiClient endpoint compliance is enabled and FortiClient endpoints are registered to FortiGate, you must upgrade registered FortiClient endpoints. Be sure to upgrade registered endpoints to FortiClient 5.4.1 before upgrading your FortiGate to FortiOS 5.4.1.

FortiClient endpoint compliance enforcement has three actions. When the action is set to Block or Warning, it is up to you to provision endpoints either via the Enterprise Management Server (EMS) or manually. When the action is set to Auto-update, the FortiGate will provision the endpoint.

Action       Meaning
Block        If the endpoint does not match the compliance rules in the FortiClient Security Profile, it is blocked.
Warning      If the endpoint does not match the compliance rules in the FortiClient Security Profile, it is shown on Monitor > FortiClient Monitor as not-compliant. Traffic is not blocked.
Auto-update  If the endpoint is not compliant, the FortiGate pushes a limited profile to the endpoint and attempts to bring it into compliance.

CLI syntax

A third value, compliant, and new attributes have been added to the existing CLI.

 

config endpoint-control profile
    edit <profile name>
        config forticlient-winmac-settings
            set compliance-action {block | warning | auto-update}
            set os-av-software-installed {enable | disable}
            set forticlient-log-upload-level {traffic | vulnerability | event}
            set forticlient-system-compliance {enable | disable}
            set forticlient-minimum-software-version {enable | disable}
            set forticlient-vuln-scan-enforce {enable | disable}
            set forticlient-vuln-scan-enforce-grace {0 - 30 days, default = 1}
            set sandbox-analysis {enable | disable}
        end
    next
end
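The following model shows how the compliance attributes above combine with the three compliance actions to produce a per-endpoint verdict. It is an added example, not FortiOS code: the policy fields mirror the forticlient-winmac-settings attributes, but the endpoint record, the way the grace period is counted (days since the oldest open vulnerability was first seen), the sample endpoints and dates are constructed assumptions, and minimum_software_version is modelled as a version string even though the CLI attribute itself is only enable/disable.

```python
"""Model of how a FortiClient compliance profile maps to an enforcement action.

Added example, not FortiOS code. Policy fields mirror the
`config forticlient-winmac-settings` attributes; the endpoint record, grace
period counting and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class CompliancePolicy:
    compliance_action: str = "warning"               # compliance-action: block | warning | auto-update
    os_av_software_installed: bool = False           # os-av-software-installed
    minimum_software_version: Optional[str] = None   # forticlient-minimum-software-version (assumed version string)
    vuln_scan_enforce: bool = False                  # forticlient-vuln-scan-enforce
    vuln_scan_enforce_grace: int = 1                 # forticlient-vuln-scan-enforce-grace: 0-30 days


@dataclass
class Endpoint:
    name: str
    forticlient_version: str
    av_installed: bool
    open_vulnerabilities: int
    vuln_first_seen: Optional[date]   # constructed: when the oldest open vulnerability was first reported
    exempt: bool = False


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.4.1' -> (5, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def compliance_failures(policy: CompliancePolicy, ep: Endpoint, today: date) -> List[str]:
    """Return the reasons an endpoint fails the profile (empty list = compliant)."""
    reasons = []
    if policy.os_av_software_installed and not ep.av_installed:
        reasons.append("no antivirus software installed")
    if policy.minimum_software_version and \
            version_tuple(ep.forticlient_version) < version_tuple(policy.minimum_software_version):
        reasons.append(f"FortiClient {ep.forticlient_version} is older than required "
                       f"{policy.minimum_software_version}")
    if policy.vuln_scan_enforce and ep.open_vulnerabilities and ep.vuln_first_seen:
        # Assumption: the grace period counts days since the vulnerability was first seen.
        days_open = (today - ep.vuln_first_seen).days
        if days_open > policy.vuln_scan_enforce_grace:
            reasons.append(f"{ep.open_vulnerabilities} unpatched vulnerabilities open for "
                           f"{days_open} days (grace {policy.vuln_scan_enforce_grace})")
    return reasons


def evaluate(policy: CompliancePolicy, ep: Endpoint, today: date) -> Tuple[str, str, List[str]]:
    """Return (status, action, reasons); status uses the Monitor page values."""
    if ep.exempt:
        return ("exempt", "allow", [])
    reasons = compliance_failures(policy, ep, today)
    if not reasons:
        return ("compliant", "allow", [])
    # Block drops traffic; warning only flags the device; auto-update provisions it.
    actions = {"block": "block", "warning": "allow", "auto-update": "push-limited-profile"}
    return ("non-compliant", actions[policy.compliance_action], reasons)


# Constructed sample policy and endpoints.
POLICY = CompliancePolicy(compliance_action="block", os_av_software_installed=True,
                          minimum_software_version="5.4.1", vuln_scan_enforce=True,
                          vuln_scan_enforce_grace=1)
TODAY = date(2016, 9, 30)
ENDPOINTS = [
    Endpoint("laptop-01", "5.4.1", True, 0, None),
    Endpoint("laptop-02", "5.4.0", True, 0, None),
    Endpoint("laptop-03", "5.4.1", False, 2, date(2016, 9, 27)),
    Endpoint("kiosk-01", "5.2.3", False, 5, date(2016, 8, 1), exempt=True),
]

if __name__ == "__main__":
    for endpoint in ENDPOINTS:
        print(endpoint.name, evaluate(POLICY, endpoint, TODAY))
```

The verdict strings match the four statuses the Monitor page groups endpoints by, so the same function can drive a compliance report; a real deployment would take the endpoint facts from FortiClient telemetry rather than a hand-built list.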

 

FortiClient Monitor page updates (304254)

Updates to the Monitor page allow the user to view FortiClient endpoint devices grouped by interface and then sub-grouped by compliance status. Compliance status can be compliant, non-compliant, exempt, or quarantined.

 

The devices listed under each status depend on whether FortiClient Enforcement is enabled on the interface:

Compliant
  Enforcement enabled: lists only active FortiClient endpoints.
  Enforcement disabled: no devices listed.
Not-compliant
  Enforcement enabled: lists devices not compliant with the FortiClient profile, so long as they are not exempt.
  Enforcement disabled: no devices listed.
Exempt
  Enforcement enabled: lists FortiClient endpoints exempt from FortiClient compliance.
  Enforcement disabled: lists all user devices except those quarantined by the administrator.
Quarantined
  Enforcement enabled: lists devices quarantined by the administrator.
  Enforcement disabled: lists devices quarantined by the administrator.

You can see the reasons for non-compliance by right-clicking on an endpoint in the list.

FortiClient Endpoint Control Profile Attributes (306833)

Certain attributes have been removed from, added to, or changed in the FortiClient endpoint control profile configuration.

Attributes Removed

You can no longer configure these attributes in the FortiClient endpoint control profile:

  • view-profile-details
  • scan-download-file
  • wait-sandbox-result
  • use-sandbox-signature
  • block-malicious-website
  • block-attack-channel
  • av-scheduled-scan
  • av-scan-type
  • av-scan-schedule
  • av-scan-time
  • av-scan-exclusions
  • monitor-unknown-application
  • install-ca-certificate
  • disable-wf-when-protected
  • forticlient-vuln-scan-schedule
  • forticlient-vuln-scan-on-registration
  • forticlient-vpn-provisioning
  • forticlient-advanced-vpn
  • forticlient-advanced-vpn-buffer
  • disable-unregister-option
  • forticlient-log-ssl-upload
  • forticlient-log-upload-schedule
  • forticlient-update-from-fmg
  • forticlient-update-server
  • forticlient-update-failover-to-fdn
  • forticlient-settings-lock
  • forticlient-settings-lock-passwd
  • auto-vpn-when-off-net
  • auto-vpn-name
  • client-log-when-on-net
  • forticlient-ad
  • fsso-ma
  • fsso-ma-server
  • fsso-ma-psk
  • allow-personal-vpn
  • disable-user-disconnect
  • vpn-before-logon
  • vpn-captive-portal
  • forticlient-ui-options
  • forticlient-advanced-cfg
  • forticlient-advanced-cfg-buffer

 

Attributes Added

The following attributes have been added to the FortiClient endpoint control profile configuration.

config endpoint-control profile
    edit <profile_name>
        config forticlient-winmac-settings
            set sandbox-analysis {enable | disable}
            set compliance-action {block | warning | auto-update}
            set os-av-software-installed {enable | disable}
            set forticlient-minimum-software-version {enable | disable}
            set forticlient-av {enable | disable}
            set forticlient-system-compliance {enable | disable}
            set forticlient-log-upload
            set forticlient-log-upload-level {traffic | vulnerability | event}
            set forticlient-vuln-scan-enforce {enable | disable}
            set forticlient-vuln-scan-enforce-grace {number}
        end
    next
end

 

Attributes Changed

There is a change to the CLI commands to enable or disable the sending of files to FortiSandbox for analysis.

The CLI command:

config endpoint-control profile
    edit <name_str>
        config forticlient-winmac-settings
            edit <name_str>
                set sandbox-scan {enable | disable}
            end
        end

 

has been replaced by:

config endpoint-control profile
    edit <name_str>
        config forticlient-winmac-settings
            edit <name_str>
                set sandbox-analysis {enable | disable}
            end
        end

Optionally include FortiGuard spam responses in email log messages (284055)

The field FortiGuard Spam Response has been added as an option to the anti-spam log to aid in identifying misclassified email.

Virus scanning of MS Outlook email (308797)

FortiOS 5.4.1 allows users to enable or disable inspection of the MAPI-over-HTTP (MAPI/HTTP) protocol. This protocol was first delivered with Outlook 2013 SP1 and Exchange 2013 SP1. Enabling inspection ensures that the FortiGate can scan Outlook email for viruses.

CLI commands

config firewall ssl-ssh-profile
    edit deep-inspection
        set mapi-over-https {enable | disable}
    next
end

Improved Visibility of Botnet and Command & Control (C&C) protection (308104)

Mobile & Botnet C&C license information is now displayed in the License Information widget in the Dashboard. Additionally, you can view the list of Botnet C&C packages in the IP Reputation Database (IRDB) and the Botnet Domain Database (BDDB) from the License Information widget.

A button has been added to the GUI on the DNS filter page allowing you to block DNS requests to botnet C&C domains known to FortiGuard. When you enable this feature, you can open a definitions window by clicking on "botnet package."

Access to the IRDB is available to users through FortiCare support contracts purchased or renewed before October 1, 2016. After that date, users will have to subscribe to the IRDB either through the FortiGuard Mobility Security Service (FMSS) or the FortiGuard Enterprise Bundle.

What's New in FortiOS 5.4.0

These features first appeared in FortiOS 5.4.0.

Proxy and flow-based inspection per VDOM

You can select Flow or Proxy Inspection Mode from the System Information dashboard widget to control your FortiGate's security profile inspection mode. Having control over flow and proxy mode is helpful if you want to be sure that only flow inspection mode is used (and that proxy inspection mode is not used).

Switching to Flow Inspection Mode also turns off WAN Optimization, Web Caching, the Explicit Web Proxy, and the Explicit FTP Proxy making sure that no proxying can occur.

In most cases proxy mode is preferred because more security profile features, and more configuration options for those features, are available. Some implementations, however, may require that all security profile scanning use only flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.

If you select flow-based inspection and want to use external FortiWeb or FortiMail servers, you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and then add that profile to a firewall policy.

Changing between proxy and flow mode

Proxy mode is enabled by default and you change to flow mode by changing the Inspection Mode on the System Information dashboard widget.

When you select Flow-based you are reminded that all proxy mode profiles are converted to flow mode, removing any proxy settings. Proxy-mode-only features (for example, Web Application Profile) are also removed from the GUI.

In addition, selecting Flow-based inspection will cause the Explicit Web Proxy and Explicit FTP Proxy features to be removed from the GUI and the CLI. This includes Explicit Proxy firewall policies.

When you select Flow-based you can only configure Virtual Servers (under Policy & Objects > Virtual Servers) with Type set to HTTP, TCP, UDP, or IP.

If required, you can change back to proxy mode through the System Information dashboard widget.

If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Use the top left dropdown menu to go to Global > System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode.

Security profile features mapped to inspection mode

The table below lists FortiOS security profile features and shows whether they are available in flow-based or proxy-based inspection modes.

Note: The DNS Filter security profile feature is only available for proxy-based inspection in FortiOS versions 5.4.0 and 5.4.1. It is available for both proxy-based and flow-based inspection in FortiOS versions 5.4.2 and above.

 

Security Profile Feature           Flow-based inspection   Proxy-based inspection
AntiVirus                          x                       x
Web Filter                         x                       x
DNS Filter                         x                       x
Application Control                x                       x
Cloud Access Security Inspection   x                       x
Intrusion Protection               x                       x
Anti-Spam                                                  x
Data Leak Protection                                       x
VoIP                                                       x
ICAP                                                       x
Web Application Firewall                                   x
FortiClient Profiles               x                       x
Proxy Options                                              x
SSL/SSH Inspection                 x                       x
Web Rating Overrides               x                       x
Web Profile Overrides                                      x

From the GUI, you can only configure antivirus and web filter security profiles in proxy mode. From the CLI you can configure flow-based antivirus profiles, web filter profiles and DLP profiles and they will appear on the GUI and include their inspection mode setting. Also, flow-based profiles created when in flow mode are still available when you switch to proxy mode.

In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

Note: CASI does not work when using proxy-based profiles for AV or Web filtering. Make sure to only use flow-based profiles in combination with CASI on a specific policy.

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

Setting flow or proxy mode doesn't change the settings available from the CLI. However, when in flow mode you can't save security profiles that are set to proxy mode.

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn't recommended because the setting will not be visible from the GUI.

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

Antivirus features in proxy and flow mode

Feature                                                      Proxy   Flow
Scan Mode (Quick or Full)                                    no      yes
Detect viruses (Block or Monitor)                            yes     yes
Inspected protocols                                          yes     no (all relevant protocols are inspected)
Inspection Options                                           yes     yes (not available for quick scan mode)
Treat Windows Executables in Email Attachments as Viruses    yes     yes
Send Files to FortiSandbox Appliance for Inspection          yes     yes
Use FortiSandbox Database                                    yes     yes
Include Mobile Malware Protection                            yes     yes

Web Filter features in proxy and flow mode

Feature                                                        Proxy   Flow
FortiGuard category based filter                               yes     yes (show, allow, monitor, block)
Category Usage Quota                                           yes     no
Allow users to override blocked categories (on some models)    yes     no
Search Engines                                                 yes     no
  Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex        yes     no
  Restrict YouTube Access                                      yes     no
  Log all search keywords                                      yes     no
Static URL Filter                                              yes     yes
  Block invalid URLs                                           yes     no
  URL Filter                                                   yes     yes
  Block malicious URLs discovered by FortiSandbox              yes     yes
  Web Content Filter                                           yes     yes
Rating Options                                                 yes     yes
  Allow websites when a rating error occurs                    yes     yes
  Rate URLs by domain and IP Address                           yes     yes
  Block HTTP redirects by rating                               yes     no
  Rate images by URL                                           yes     no
Proxy Options                                                  yes     no
  Restrict Google account usage to specific domains            yes     no
  Provide details for blocked HTTP 4xx and 5xx errors          yes     no
  HTTP POST Action                                             yes     no
  Remove Java Applets                                          yes     no
  Remove ActiveX                                               yes     no
  Remove Cookies                                               yes     no
  Filter Per-User Black/White List                             yes     no

 

Cloud Access Security Inspection (CASI)

This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied to a policy much like any other security profile.

Note: CASI does not work when using proxy-based profiles for AV or Web filtering. Make sure to only use flow-based profiles in combination with CASI on a specific policy.

For this feature, Deep Inspection of Cloud Applications (set deep-app-inspection [enable| disable]) has been moved out of the Application Control security profile options.

You will find the Cloud Access Security Inspection feature under Security Profiles > Cloud Access Security Inspection, but you must first enable it in the Feature store under System > Feature Select > CASI.

Editing CASI profiles

The CASI profile application list consists of the Name, Category, and Action. A default CASI profile exists, with the option to create custom profiles.

There is an improvement to the CASI GUI (303760) under release 5.4.1. When you search for a profile application to edit, you can hit enter after typing your search terms to see the results. Under release 5.4.0, hitting enter causes the screen to refresh and the profile to be applied.

For each CASI profile application, the user has the option to Allow, Block, or Monitor the selected cloud application. The following image demonstrates the ability to Allow, Block, or Monitor YouTube using CASI:

When the user drills down into a selected cloud application, the following options are available (depending on the type of service):

  • For business services, such as Salesforce and Zoho: Option to allow, block, or monitor file download/upload and login.
  • For collaboration services, such as Google.Docs and Webex: Option to allow, block, or monitor file access/download/upload and login.
  • For web email services, such as Gmail and Outlook: Option to allow, block, or monitor attachment download/upload, chat, read/send message.
  • For general interest services, such as Amazon, Google, and Bing: Option to allow, block, or monitor login, search phase, and file download/upload.
  • For social media services, such as Facebook, Twitter, and Instagram: Option to allow, block, or monitor chat, file download/upload, post, login.
  • For storage backup services, such as Dropbox, iCloud, and Amazon Cloud Drive: Option to allow, block, or monitor file access/download/upload and login.
  • For video/audio services, such as YouTube, Netflix, and Hulu: Option to allow, block, or monitor channel access, video access/play/upload, and login.
CLI Syntax

config application casi profile
    edit "profile name"
        set comment "comment"
        set replacemsg-group "xxxx"
        set app-replacemsg [enable|disable]
        config entries
            edit 1
                set application "app name"
                set action [block|pass]
                set log [enable|disable]
            next
            edit 2
            next
        end
    next
end

config firewall policy
    edit "1"
        set casi-profile "profile name"
    next
end

config firewall sniffer
    edit 1
        set casi-profile-status [enable|disable]
        set casi-profile "sniffer-profile"
    next
end

config firewall interface-policy
    edit 1
        set casi-profile-status [enable|disable]
        set casi-profile "2"
    next
end

External Security Devices

External Security Devices can be configured as a means to offload processing to other devices, such as a FortiWeb, FortiCache, or FortiMail. Example processes include HTTP inspection, web caching, and anti-spam.

Offloading HTTP traffic to FortiWeb

Use the following steps to offload HTTP traffic to FortiWeb to apply Web Application Firewall features to the traffic. Using these steps you can select the HTTP traffic to offload by adding a web application firewall profile configured for external inspection to selected firewall policies. Only the HTTP traffic accepted by those firewall policies is offloaded.

If you offload HTTP traffic to FortiWeb you can also apply other HTTP inspection to it from your FortiGate including virus scanning and web filtering.

A single FortiGate cannot offload HTTP traffic to both FortiCache and FortiWeb.

To offload HTTP traffic to FortiWeb:

  1. Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
  2. Go to System > Feature Select and turn on Web Application Firewall.
  3. Go to System > Cooperative Security Fabric, enable HTTP Service, select FortiWeb and add the IP addresses of your FortiWeb devices. You can also select Authentication and add a password if required.
  4. Go to Security Profiles > Web Application Firewall and add or edit a Web Application Firewall profile and set Inspection Device to External.
  5. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy, select Web Application Firewall, and select the profile that you set to use the external inspection device.

These steps add the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5    (the IP address of the FortiGate interface that communicates with the FortiWeb)
    set group-address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255    (the IP address of the FortiWeb)
    set authentication enable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
    set password *
end
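Because the three offload procedures on this page all end in a generated config system wccp block, it is worth being able to read such a block back and check it before trusting the offload. The following parser and linter are an added example, not Fortinet code: the parser handles the config / edit / set / next / end nesting used by every CLI block on this page, the lint rules (authentication on, GRE in both directions, a server list present, a password that is not the "*" placeholder) are this author's own checks, and the sample text is constructed from the FortiWeb example with the parenthetical annotations removed.

```python
"""Parse FortiOS-style CLI configuration text and lint the WCCP offload block.

Added example, not Fortinet code. The lint rules are the author's own;
the sample configuration is constructed from the FortiWeb example above.
"""
import shlex
from typing import Dict, List


def parse_fortios_config(text: str) -> Dict:
    """Return nested dicts keyed by 'config <table>' names and 'edit' ids.

    'set' lines become string attributes on the innermost open block;
    'next' and 'end' both close the current block.
    """
    root: Dict = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)          # handles quoted values such as "any"
        if cmd in ("config", "edit"):
            key = " ".join(args)
            stack.append(stack[-1].setdefault(key, {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])   # multi-word values keep their spaces
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '{cmd}' without an open block")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown command {cmd!r}")
    if len(stack) != 1:
        raise ValueError("configuration ends inside an open block")
    return root


def lint_wccp(cfg: Dict) -> List[str]:
    """Flag WCCP settings that weaken or break the offload described on this page."""
    wccp = cfg.get("system wccp")
    if wccp is None:
        return ["no 'config system wccp' block found"]
    findings = []
    if wccp.get("authentication") != "enable":
        findings.append("authentication is not enabled: the offload device is not authenticated")
    elif wccp.get("password", "") in ("", "*"):
        findings.append("password is unset or still the '*' placeholder")
    for key in ("forward-method", "return-method"):
        if wccp.get(key) != "GRE":
            findings.append(f"{key} is {wccp.get(key)!r}, expected GRE")
    if "server-list" not in wccp:
        findings.append("server-list is missing: no offload device address configured")
    return findings


# Constructed from the FortiWeb offload example above (annotations removed).
SAMPLE_WCCP = """
config system wccp
    set service-id 51
    set router-id 5.5.5.5
    set group-address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255
    set authentication enable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
    set password *
end
"""

# Constructed nested block to exercise edit/next handling.
SAMPLE_POLICY = """
config firewall policy
    edit 1
        set srcintf "any"
        set schedule "always"
        set utm-status enable
    next
end
"""

if __name__ == "__main__":
    for finding in lint_wccp(parse_fortios_config(SAMPLE_WCCP)):
        print("WARN:", finding)
```

Run against the page's example, the only finding is the placeholder password, which is exactly what an operator should replace before the FortiWeb or FortiCache is allowed to join the WCCP service group.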

Offloading HTTP traffic to FortiCache

To offload Web Caching to FortiCache a FortiGate must support WAN Optimization and WAN Optimization must be enabled. For some FortiGate models you need to turn off disk logging to support WAN Optimization. See WAN Optimization in What's New for details.

Use the following steps to offload web caching to FortiCache. Using these steps you can select the web traffic to offload by selecting web caching in firewall policies. Only the web traffic accepted by those firewall policies will be offloaded.

A single FortiGate cannot offload HTTP traffic to both FortiCache and FortiWeb.

  1. Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
  2. Go to System > Advanced > Disk Settings and assign at least one disk to WAN Optimization.
  3. Go to System > Feature Select and turn on WAN Opt. & Cache.
  4. Go to System > Cooperative Security Fabric, enable HTTP Service, select FortiCache and add the IP addresses of your FortiCache devices. You can also select Authentication and add a password if required.
  5. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.

These steps add the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5    (the IP address of the FortiGate interface that communicates with the FortiCache)
    set group-address 0.0.0.0
    set server-list 5.5.5.45 255.255.255.255    (the IP address of the FortiCache)
    set authentication enable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
    set password *
end

Offloading SMTP traffic to FortiMail

Use the following steps to offload SMTP traffic to FortiMail to apply FortiMail features to the traffic. Using these steps you can select the SMTP traffic to offload by adding an AntiSpam profile configured for external inspection to selected firewall policies. Only the SMTP traffic accepted by those firewall policies is offloaded.


To be able to offload Anti-Spam processing to a FortiMail device you should:

  1. Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
  2. Go to System > Feature Select and turn on Anti-Spam Filter.
  3. Go to System > Cooperative Security Fabric, enable SMTP Service - FortiMail and add the IP address of your FortiMail devices. You can also select Authentication and add a password if required.
  4. Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.
  5. Go to Policy & Objects > IPv4 Policy, add or edit a Firewall policy, enable Anti-Spam and select the profile for which you set Inspection Device to External.

These steps add the following configuration to the CLI:

config system wccp
    set service-id 52
    set router-id 5.5.5.5    (the IP address of the FortiGate interface that communicates with the FortiMail)
    set group-address 0.0.0.0
    set server-list 5.5.5.65 255.255.255.255    (the IP address of the FortiMail)
    set authentication enable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
    set password *
end

Blocking DNS requests to known Botnet C&C addresses

A new FortiGuard database contains a list of known Botnet C&C addresses. This database is updated dynamically and stored on the FortiGate. This database is covered by FortiGuard web filter licensing, so you must have a FortiGuard web filtering license to use this feature.

When you block DNS requests to known botnet C&C addresses, the IPS engine checks DNS lookups against the botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all sub-domains of a listed domain are also blocked.

To enable blocking of DNS requests to known Botnet C&C addresses, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.

Static URL filter

The DNS inspection profile static URL filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up with the domains on the static URL filter list. If there is a match the DNS request can be blocked, exempted, monitored, or allowed.

If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site.

If exempted, access to the site is allowed even if another method is used to block it.

DNS-based web filtering

This feature is similar to the FortiGuard DNS web filtering available in FortiOS 5.2. You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.

You can also allow access or monitor access based on FortiGuard category.

CLI commands

The webfilter-sdns-server-ip and webfilter-sdns-server-port settings have been renamed to sdns-server-ip and sdns-server-port:

config system fortiguard
    set sdns-server-ip x.x.x.x
    set sdns-server-port 53
end

Configure DNS URL filter:

config dnsfilter urlfilter
    edit 1
        set name "url1"
        set comment ''
        config entries
            edit 1
                set url "www.google.com"
                set type simple
                set action block
                set status enable
            next
            edit 2
                set url "www.yahoo.com"
                set type simple
                set action monitor
                set status enable
            next
            edit 3
                set url "www.fortinet.com"
                set type simple
                set action allow
                set status enable
            next
        end
    next
end

Configure DNS filter profile:

config dnsfilter profile
    edit "dns_profile1"
        set comment ''
        config urlfilter
            set urlfilter-table 1
        end
        config ftgd-dns
            config filters
                edit 1
                    set category 49
                    set action block
                    set log enable
                next
                edit 2
                    set category 71
                    set action monitor
                    set log enable
                next
            end
        end
        set log-all-url disable
        set block-action redirect
        set redirect-portal 0.0.0.0
        set block-botnet enable
    next
end

Configure DNS profile in a firewall policy:

config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP"
        set utm-status enable
        set dnsfilter-profile "dns_profile1"
        set profile-protocol-options "default"
        set nat enable
    next
end

Configure DNS profile in profile group:

config firewall profile-group
    edit "pgrp1"
        set dnsfilter-profile "dns_profile1"
        set profile-protocol-options "default"
    next
end
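To make the DNS filter behaviour described in the preceding sections concrete (reverse prefix matching of sub-domains, exempt overriding other blocks, redirect versus block as the block action, and the FortiGuard category actions), the following simulation applies the dns_profile1 configuration above to a handful of lookups. It is an added example, not FortiOS code: the URL filter entries, category actions, block-action and redirect portal mirror the CLI on this page, while the botnet C&C list, the per-domain category ratings, and the order in which the three checks run (static URL filter, then botnet list, then category) are constructed assumptions.

```python
"""Simulate the DNS filter decision for the dns_profile1 configuration above.

Added example, not FortiOS code. The botnet list, the category ratings and
the check order are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Verdict = Tuple[str, Optional[str], List[str]]   # (verdict, IP returned to the client, log lines)


def domain_matches(name: str, pattern: str) -> bool:
    """Reverse prefix match on DNS labels: 'google.com' matches 'google.com'
    and 'www.google.com' but not 'notgoogle.com'."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)


@dataclass
class UrlFilterEntry:
    url: str
    action: str            # block | exempt | monitor | allow
    status: str = "enable"


@dataclass
class DnsFilterProfile:
    urlfilter: List[UrlFilterEntry]
    category_actions: Dict[int, str]    # ftgd-dns filters: category -> block | monitor | allow
    block_botnet: bool = True           # block-botnet
    block_action: str = "redirect"      # block-action: redirect | block
    redirect_portal: str = "0.0.0.0"    # redirect-portal


def _block(profile: DnsFilterProfile, qname: str, why: str) -> Verdict:
    """Apply block-action: hand back the redirect portal, or no answer at all."""
    log = [f"block {qname} ({why})"]
    if profile.block_action == "redirect":
        return ("redirect", profile.redirect_portal, log)
    return ("block", None, log)


def resolve(profile: DnsFilterProfile, qname: str, answer_ip: str,
            rating: Dict[str, int], botnet_domains: Set[str]) -> Verdict:
    """Assumed order: static URL filter (exempt/allow/block decide outright,
    monitor only logs), then the botnet C&C list, then the category action."""
    logs: List[str] = []
    for entry in profile.urlfilter:
        if entry.status != "enable" or not domain_matches(qname, entry.url):
            continue
        if entry.action == "exempt":
            return ("exempt", answer_ip, logs)       # exempt wins over every later check
        if entry.action == "block":
            return _block(profile, qname, "static URL filter")
        if entry.action == "allow":
            return ("allow", answer_ip, logs)
        logs.append(f"monitor {qname} (static URL filter)")
        break                                         # first matching entry decides (assumption)
    if profile.block_botnet and any(domain_matches(qname, d) for d in botnet_domains):
        return _block(profile, qname, "botnet C&C")
    category = rating.get(qname)
    action = profile.category_actions.get(category, "allow") if category is not None else "allow"
    if action == "block":
        return _block(profile, qname, f"category {category}")
    if action == "monitor":
        logs.append(f"monitor {qname} (category {category})")
    return ("allow", answer_ip, logs)


# Mirrors the dns_profile1 / urlfilter table 1 configuration above.
DNS_PROFILE1 = DnsFilterProfile(
    urlfilter=[UrlFilterEntry("www.google.com", "block"),
               UrlFilterEntry("www.yahoo.com", "monitor"),
               UrlFilterEntry("www.fortinet.com", "allow")],
    category_actions={49: "block", 71: "monitor"},
)

# Constructed stand-ins for FortiGuard data (not real ratings or C&C hosts).
BOTNET_CC = {"cc.botnet-example.test"}
RATINGS = {"www.yahoo.com": 71, "news.example.test": 49, "www.fortinet.com": 49}

if __name__ == "__main__":
    for q in ("www.google.com", "docs.www.google.com", "mail.google.com", "www.yahoo.com",
              "www.fortinet.com", "news.example.test", "bot.cc.botnet-example.test"):
        print(q, resolve(DNS_PROFILE1, q, "203.0.113.10", RATINGS, BOTNET_CC))
```

Two behaviours are worth noticing when reading the output: docs.www.google.com is blocked only because the static entry is matched as a label suffix, and www.fortinet.com is returned unchanged despite its (constructed) category 49 rating because the static allow entry decides before the category lookup runs.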

 

Other new Security Profile features

DLP changes (297960)

Some DLP features have been removed, and DLP fingerprinting has been removed from the GUI.

FortiClient Endpoint Profile improvements and new features (285443 275781 287137)

  • 275781: New options available in FortiClient Profiles.
  • 285446: VPN can be configured on the GUI either on IPsec VPN or SSL-VPN and changes can be preserved.
  • 287137: In the Mobile tab, .mobileconfig files can be configured and Client VPN Provisioning can be enabled.
Note: Features involving general settings have been removed from the FortiClient profile GUI in 5.4.1. Features emphasizing compliance of the endpoint devices have been added. Read FortiClient Profile changes for more information.

FortiClient Enforcement added to Interfaces (253933)

FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.

To enforce FortiClient endpoint registration - GUI:
  1. Go to System > Feature Select and enable Endpoint Control.
  2. Go to Network > Interfaces and select the internal interface.
  3. Under Restrict Access, enable FortiTelemetry.
  4. Under Admission Control, enable Enforce FortiTelemetry for all FortiClients.

FortiClient exempt list improvements (268357 293191)

  • 268357: Captive portal policy addresses, which previously could only be configured in the CLI, can now be configured in the GUI.
  • 293191: Exempt List has been replaced with Exempt Sources, and Exempt Destinations/Services has been added (once an interface has been set to captive portal). Before it was only possible to configure the FortiGate interface port to captive portal through the CLI, but it can now also be performed in the GUI.

FortiClient endpoint profile page updates (283968)

The Security Profiles > FortiClient Profiles page has been redesigned to better present the information available, and so the user can easily locate particular settings of interest.

Pre-existing GUI options under User & Device > FortiClient Profiles have been moved to the Security Profiles menu, and have been reorganized into separate tabs: Security, VPN, Advanced, and Mobile. Profiles can be created and options can be enabled within these tabs.

Note: The VPN, Advanced, and Mobile tabs do not appear in the GUI in FortiOS 5.4.1. See FortiClient Profile changes (356205).

Note that Client-based Logging when On-Net has been renamed to Allow Access to Logs from FortiClient Console.

In addition, the following features were added:

  • Support for FortiSandbox integration
  • Option for C&C destination scanning and blocking
  • Certificate deployment as part of endpoint profile
  • FortiClientRTP Option updates
  • Option to monitor all unknown applications

Configure the ability to store FortiClient configuration files (171380)

  1. Enable the advanced FortiClient configuration option in the endpoint profile:

config endpoint-control profile
    edit "default"
        set forticlient-config-deployment enable
        set fct-advanced-cfg enable
        set fct-advanced-cfg-buffer "hello"
        set forticlient-license-timeout 1
        set netscan-discover-hosts enable
    next
end

  2. Export the configuration from FortiClient (XML format).
  3. Copy the contents of the configuration file and paste it into the advanced FortiClient configuration box.

 

If the configuration file is greater than 32k, you need to use the following CLI:

config endpoint-control profile
    edit <profile>
        config forticlient-winmac-settings
            config extra-buffer-entries
                edit <entry_id>
                    set buffer xxxxxx
                next
            end
        end
    next
end

FortiOS 5.4 no longer supports FortiClient 5.0 or earlier (289455)

FortiOS 5.2 supported FortiClient 5.0 (only if the FortiGate had been upgraded to FortiOS 5.2); FortiOS 5.4 no longer supports FortiClient 5.0. Customers need to purchase a FortiClient 5.4 subscription-based FortiClient license.

Session timers for IPS sessions (174696 163930)

The standard FortiOS session time-to-live (session TTL) timer has been introduced for IPS sessions to reduce synchronization problems between the FortiOS kernel and IPS. This was added so that the FortiGate's hard-coded timeout values can be customized, and because IPS was using too much memory overall.

Botnet protection with DNS Filter (293259)

The new botnet list from FortiGuard can be used to block DNS requests to known botnet C&C IP addresses within a new DNS filter profile.

You can view the botnet list by going to System > FortiGuard > Botnet Definitions.

Secure white list database (288365)

A secure white list exemption has been added for SSL deep inspection. To enable it, go to Security Profiles > SSL/SSH Inspection, enable Exempt from SSL Inspection, and enable Reputable Websites.

Mobile Malware protection update (288022)

Mobile Malware protection requires a separate license and can be downloaded as a separate object. The mobile malware signatures are no longer part of the AntiVirus Database but these signatures can be enabled by going to Security Profiles > AntiVirus and enabling Include Mobile Malware Protection.

Options not supported by the new quick mode flow-based virus scanning (288317)

Files cannot be sent to FortiSandbox for inspection while in quick mode flow-based virus scanning, so the GUI option for it has been removed. There is no option to switch between quick mode and full mode, because the choice between proxy-based and flow-based inspection has been removed.

Add mobile malware to FortiGuard licenses page and include more version information (290049)

An entry and version information for Mobile Malware Definitions has been added in the License Information table under System > FortiGuard. Also, main items have been bolded and sub-items have been indented for clarification.

Secure white-list DB for flow based UTM features (287343)

This feature gathers a list of reputable domain names that can be excluded from SSL deep inspection. The list is periodically updated and downloaded to FortiGate units through FortiGuard.

Syntax:

config firewall ssl-ssh-profile
    edit deep-inspection
        set whitelist enable
    next
end

New customizable replacement message that appears when an IPS sensor blocks traffic (240081)

A new replacement message will appear specifically for IPS sensor blocked Internet access, to differentiate between IPS sensor blocking and application control blocking.

Low-end models don't support flow AV quick mode and don't support the IPS block-malicious-url option (288318)

AV quick mode and the IPS block-malicious-url option have been disabled on low-end FortiGate models; however, these features can be enabled if the FortiGate unit has a hard disk. Low-end models only support Full scan mode (the option is left in the GUI to show the user which mode is active).

New quick mode flow-based virus scanning (281291)

When configuring flow-based virus scanning you can now choose between quick and full mode. Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance. Use the following command to enable quick mode in an antivirus profile:

config antivirus profile
    edit <profile-name>
        set scan-mode {quick | full}
    end

CVE-IDs now appear in the FortiOS IPS signature list (272251)

The signature list can be found at Security Profiles > Intrusion Protection > View IPS Signatures.

Botnet protection added (254959)

The latest Botnet database is available from FortiGuard. You can see the version of the database and display its contents from the System > FortiGuard GUI page. You can also block, monitor or allow outgoing connections to Botnet sites for each FortiGate interface.

FortiSandbox URL database added

You can see the version of the database and display its contents from the System > FortiSandbox GUI page.

New Web Filter profile whitelist setting and changes to blacklist setting (283855, 285216)

Domain reputation can now be determined by "common sense", for sites such as Google, Apple, and even sites that may contain sensitive material but would otherwise be trusted (i.e. there is no risk of receiving botnets or malicious attacks from them). You can tag URL groups with flags that exempt them from further sandboxing or AV analysis.

You can identify reputable sites and enable certain bypasses under Security Profiles > Web Filter.

Similarly, you can exempt the identified reputable sites from SSL inspection.

CLI Syntax

config firewall ssl-ssh-profile
    edit <profile-name>
        set whitelist [enable | disable]
    end

config webfilter profile
    edit <profile-name>
        config web
            set whitelist exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others
        end
    end


Support security profile scanning of RPC over HTTP traffic (287508)

This protocol is used by Microsoft Exchange Server, so this feature supports security profile features such as virus scanning of Microsoft Exchange Server email that uses RPC over HTTP.

Users now allowed to override blocked categories using simple, wildcard, and regex expressions to identify the URLs that are blocked (270165)

This feature is also called per-user BWL. To make this feature configurable from the GUI, enter the following command:

config system global
    set per-user-bwl enable
end

Then go to Security Profiles > Web Filtering, edit a web filtering profile and select Allow users to override blocked categories.

Use the following command to configure this feature from the CLI:

config webfilter profile
    edit <profile-name>
        set options per-user-bwl
    end

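The following Python example is added here to illustrate how a per-user override list of this kind can be evaluated against a URL whose FortiGuard category is blocked. It is not FortiOS code: the matching semantics (simple = host/path prefix, wildcard = shell-style glob, regex = regular expression, first matching entry wins, otherwise the category verdict applies), the sample entries and the sample URLs are all assumptions made for the illustration.

```python
import fnmatch
import re


def normalize(url: str) -> str:
    """Reduce a URL to lower-case host plus path, dropping scheme, userinfo and
    port, so that pattern and URL are compared in the same form."""
    u = url.strip().lower()
    if "://" in u:
        u = u.split("://", 1)[1]
    host, _, path = u.partition("/")
    host = host.split("@")[-1].split(":")[0]
    return host + "/" + path


def make_matcher(pattern: str, kind: str):
    """Build a predicate for one override entry. The three kinds mirror the
    simple / wildcard / regex expression types named in the text; the exact
    semantics used here are assumed for the illustration."""
    if kind == "simple":
        target = normalize(pattern)
        prefix = target.rstrip("/") + "/"
        # exact host/path, or anything beneath that path
        return lambda url: normalize(url) == target or normalize(url).startswith(prefix)
    if kind == "wildcard":
        target = normalize(pattern)
        return lambda url: fnmatch.fnmatchcase(normalize(url), target)
    if kind == "regex":
        rx = re.compile(pattern, re.IGNORECASE)
        return lambda url: rx.search(normalize(url)) is not None
    raise ValueError(f"unknown expression type: {kind}")


def decide(url: str, category_blocked: bool, overrides) -> str:
    """Evaluate a user's override entries (pattern, kind, action) in order; the
    first match decides, otherwise fall back to the category verdict."""
    for pattern, kind, action in overrides:
        if make_matcher(pattern, kind)(url):
            return action
    return "block" if category_blocked else "allow"


# Constructed sample override list for one user (order matters: the more
# specific block entry is listed before the broader allow entry).
SAMPLE_OVERRIDES = [
    ("docs.example.com/private", "simple", "block"),
    ("docs.example.com", "simple", "allow"),
    ("*.cdn.example.net/*", "wildcard", "allow"),
    (r"^files\.example\.org/share/\d+", "regex", "allow"),
]

if __name__ == "__main__":
    for u in ("https://docs.example.com/page",
              "https://docs.example.com.evil.test/",
              "http://img1.cdn.example.net/a.png"):
        print(u, "->", decide(u, True, SAMPLE_OVERRIDES))
```

Note that normalizing both sides before comparing is what keeps a simple entry for docs.example.com from also matching docs.example.com.evil.test: the comparison is on host plus path, not on a raw substring of the URL.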
Set flow or proxy mode for your FortiGate (or per VDOM) (266028)

You can configure your FortiGate or a VDOM to apply security profile features in proxy or flow mode. Change between modes from the System Information dashboard widget. Proxy mode offers the most accurate results and the greatest depth of functionality. Flow mode provides enhanced performance. IPS and application control always operate in flow mode and so are not affected by changing this mode.

Security Profiles > Web Application Firewall

Signatures can now be filtered based on risk level.

The options to reset the action and to apply traffic shaping are now only available in the CLI.

The All Other Known Applications option has been removed, while the option for All Other Unknown Applications has been renamed Unknown Applications.

Block all Windows executable files (.exe) in email attachments (269781)

A new option has been added to AntiVirus profiles to block all Windows executable files (.exe) in email attachments.

CLI Syntax

config antivirus profile
    edit "default"
        config imap
            set executables {default | virus}
        end
        config pop3
            set executables {default | virus}
        end
        config smtp
            set executables {default | virus}
        end
        config mapi
            set executables {default | virus}
        end
    end

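The Python example below is added here to show the kind of check such an option performs on mail attachments; it is not FortiOS code. It walks a constructed MIME message and flags attachments that are either named .exe or start with the MZ header that every Windows executable carries, so an executable renamed to a harmless-looking extension is caught as well. The sample message, addresses and attachment bytes are constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

MZ_MAGIC = b"MZ"  # DOS/PE stub header at offset 0 of every Windows executable


def is_windows_executable(part) -> bool:
    """True if a MIME part looks like a Windows executable, judged by file name
    or by content (so renaming setup.exe to notes.txt does not evade the check)."""
    filename = (part.get_filename() or "").lower()
    if filename.endswith(".exe"):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(MZ_MAGIC)


def scan_message(raw: bytes) -> list:
    """Return the names of attachments that would be treated as a virus."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() or "<unnamed>"
            for part in msg.iter_attachments()
            if is_windows_executable(part)]


def build_sample(with_executables: bool = True) -> bytes:
    """Constructed test message (addresses and contents are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    if with_executables:
        # constructed header bytes only, not a real program
        fake_pe = MZ_MAGIC + b"\x90\x00" + b"\x00" * 60
        msg.add_attachment(fake_pe, maintype="application",
                           subtype="octet-stream", filename="setup.exe")
        msg.add_attachment(fake_pe, maintype="application",
                           subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))  # ['setup.exe', 'notes.txt']
```

Checking the content as well as the name is the important design choice: an extension-only check is trivially defeated by renaming the file, whereas the MZ header must be present for Windows to run it.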

Cookies can now be used to authenticate users when a web filter override is used (275273)

Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI only.

CLI Syntax

config webfilter cookie-ovrd
    set redir-host <name or IP>
    set redir-port <port>
end

config webfilter profile
    edit <name>
        config override
            set ovrd-cookie {allow | deny}
            set ovrd-scope {user | user-group | ip | ask}
            set profile-type {list | radius}
            set ovrd-dur-mode {constant | ask}
            set ovrd-dur <duration>
            set ovrd-user-group <name>
            set profile <name>
        end
    end



Blocking malicious URLs (277363)

A local malicious URL database downloaded from FortiGuard has been added to assist IPS detection of live exploits, such as drive-by attacks. You enable blocking of malicious URLs in an IPS sensor from the CLI using the following command:

CLI Syntax

config ips sensor
    edit default
        set block-malicious-url {enable | disable}
    next
end

The FortiGuard IPS/AV update schedule can be set by time intervals (278772)

This feature allows updates to occur more frequently (the syntax below schedules updates randomly every 2-3 hours).

CLI Syntax

config system autoupdate schedule
    set frequency every
    set time 02:60
end

Application Control signatures belonging to industrial category/group are excluded by default (277668)

Use the following command to be able to add industrial signatures to an application control sensor:

config ips global
    set exclude-signatures {none | industrial}
end


The Industrial category now appears on the Application Control sensor GUI.

An SSL server table can now be used for SSL offloading (275273)

CLI Syntax

config firewall ssl-ssh-profile
    edit <name>
        set use-ssl-server {enable | disable}
    next
end


MAPI RPC over HTTP/HTTPS traffic is now supported for security scanning (278012)

CLI Syntax

config firewall profile-protocol-options
    edit "default"
        set comment "All default services."
        config http
            set ports 80 3128
            set options rpc-over-http
        end
    end

New Dynamic DNS FortiGuard web filtering sub-category (276495)

A new FortiGuard web filtering sub-category, Dynamic DNS, has been added and can be found in the Security Risk Category. Also, the sub-category Shopping and Auction has been separated into two sub-categories: Auction and Shopping.

New Filter Overrides in the Application Sensor GUI (260901)

The overrides allow you to select groups of applications and override the application signature settings for them.

FortiGate CA certificates installed on managed FortiClients (260902)

This feature allows you to enable or disable CA certificate installation on managed FortiClients in a FortiClient Profile.

Syntax

config endpoint-control profile
    edit <profile>
        config forticlient-winmac-settings
            set install-ca-certificate [enable | disable]
        end
    next
end

More exemptions to SSL deep inspection (267241)

Some common-sense exemptions have been added to the default SSL deep inspection profile, such as Fortinet, Android, Apple, Skype, and many more.

Exempting URLs for flow-based web filtering (252010)

You can once again exempt URLs for flow-based web filtering.

Filter overrides in Application Sensors (246546)

In the Application Sensor page, a new section named Filter Overrides has been introduced. From this section, clicking Add Filter or Edit Filter launches a dialog to pick or edit the advanced filter and save it back to the list.

New keyword byte_extract for custom IPS and Application Control signatures (179116)

A new byte_extract custom IPS signature keyword has been added that supports Snort-like byte extraction. It is used for writing rules against length-encoded protocols: the keyword reads some of the bytes from the packet payload and saves them to a variable for use later in the rule. You can use the -quiet option to suppress the reporting of signatures.

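As an added illustration of what a byte-extraction rule makes possible (Python written for this page, not FortiOS or Snort code, and using a constructed protocol rather than any real one), the following reads a declared length field out of a payload and compares it with the bytes actually present and with an upper bound. That length-sanity check is the typical use of byte_extract against length-encoded protocols. The protocol layout, MAX_BODY and the sample messages are assumptions.

```python
import struct

# Constructed sample protocol (not a real one): 4-byte magic "DEMO",
# 2-byte big-endian body length, then the body.
MAGIC = b"DEMO"
MAX_BODY = 1024  # hypothetical limit a rule author might enforce


def byte_extract(payload: bytes, nbytes: int, offset: int, big_endian: bool = True) -> int:
    """Read nbytes at offset and return them as an unsigned integer: the
    Snort-style byte_extract operation that the FortiOS keyword mirrors."""
    if offset < 0 or offset + nbytes > len(payload):
        raise ValueError("extract window lies outside the payload")
    chunk = payload[offset:offset + nbytes]
    return int.from_bytes(chunk, "big" if big_endian else "little")


def check_message(payload: bytes) -> dict:
    """Apply a length-sanity rule: extract the declared body length and compare
    it with the bytes actually present and with MAX_BODY."""
    result = {"matched": False, "reason": None, "declared_len": None}
    if not payload.startswith(MAGIC) or len(payload) < len(MAGIC) + 2:
        return result  # rule does not apply to traffic that is not this protocol
    declared = byte_extract(payload, 2, len(MAGIC))
    result["declared_len"] = declared
    actual = len(payload) - len(MAGIC) - 2
    if declared > MAX_BODY:
        result.update(matched=True, reason="declared length exceeds limit")
    elif declared != actual:
        result.update(matched=True, reason="declared length does not match payload")
    return result


def build_message(body: bytes, declared_len=None) -> bytes:
    """Build a sample message; declared_len lets a test lie about the length."""
    if declared_len is None:
        declared_len = len(body)
    return MAGIC + struct.pack(">H", declared_len) + body


# Constructed samples: a well-formed message, one whose header claims more
# bytes than were sent, and one whose declared length is far over the limit.
GOOD = build_message(b"hello")
TRUNCATED = build_message(b"hi", declared_len=200)
OVERSIZED = build_message(b"x" * 10, declared_len=65535)

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("truncated", TRUNCATED), ("oversized", OVERSIZED)):
        print(name, check_message(msg))
```

The two mismatch cases are the ones worth alerting on: a declared length larger than the bytes present is what a parser would read past its buffer for, and a length above any sane limit is the usual signature of an attempt to trigger exactly that.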
IPS logging changes (254954)

IPS operations that are severely affected by disk logging (logging, SNMP trap generation, quarantine, and so on) have been moved out of the quick scanning path.

Scanning processes are dedicated to nothing but scanning, which results in more evenly distributed CPU usage. Slow (IPS) operations are taken care of in a dedicated process, which usually stays idle.

New FortiGuard web filtering category: Dynamic DNS (265680)

A new FortiGuard web filtering category has been added for Dynamic DNS under the Security Risk heading, to account for nearly half a million URLs of "Information Technology" rated by BlueCoat as "Dynamic DNS Host".

Syntax

config webfilter profile
    edit <profile>
        config ftgd-wf
            config filters
                edit <id>
                    set category 88    <--- new category, Dynamic DNS (number 88)
                end
            end
        end

Access Control Lists in DoS Policies (293399)

Go to Policy & Objects > IPv4 Access Control List or Policy & Objects > IPv6 Access Control List, select an incoming interface, and add a list of firewall source and destination addresses and services; traffic that matches the list is dropped.

You can use the following CLI command to add an ACL:

config firewall acl
    edit 1
        set interface "port1"
        set srcaddr "google-drive"
        set dstaddr "all"
        set service "ALL"
    next
end

Websense web filtering through WISP (287757)

WISP is a Websense protocol similar in functionality to ICAP: it allows URLs to be extracted by a firewall and submitted to Websense systems for rating and approval checking.

This feature provides a solution for customers who have large, existing, deployed implementations of Websense security products and want to replace their legacy firewalls with the FortiGate family without being forced to change their web filtering infrastructure at the same time.

In order to use Websense's web filtering service, a WISP server per VDOM needs to be defined and enabled first. A web filtering profile is then defined that enables WISP, and that profile is applied to a firewall policy.

When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.

Syntax

config web-proxy wisp
    set status enable
    set server-ip 72.214.27.138
    set max-connection 128
end

config webfilter profile
    edit "wisp_only"
        set wisp enable
    next
end

Other new Security Profiles features:

  • CPU allocation & tuning commands now remain after a system reboot (276190)
  • The GUI notifies an administrator when the FortiGate is in conserve mode (266937)
  • A new custom IPS signature option, "--ip_dscp", has been added to be compatible with engine 1.x. (269063)
  • The RTP/RTSP decoder can now detect slave sessions (273910)
  • ISNIFF can now dump all HTML files if the dump-all-html CLI command is used (277793)
  • Sender and recipient fields have been added to flow-based SMTP spam logs (269063)
  • Browser Signature Detection added to Application Control profiles (279934)