What's New in FortiOS 5.4.2
Most development work in FortiOS 5.4.2 involved resolving issues. However, there were a few new features as well.
Bootstrapping enabled for FortiGate VM platforms (391527)
All FortiOS 5.4.2 VM platforms support bootstrapping, allowing you to set up an ISO file package that simplifies deploying FortiOS VMs. Using bootstrapping you can create a package that includes the VM firmware, a network configuration customized for your network, VM licensing, and other configuration elements such as basic firewall policies. You can then use the ISO file to deploy FortiOS VM firmware into your VM environment.
To set up bootstrapping you need a VM license file and a default FortiOS VM configuration file. The configuration file sets up default FortiOS VM settings such as adding a hostname, configuring interfaces and so on.
Components of the config file should be similar to the following:
#---------configfirewall.conf-----------
root@KVM-Hypervisor:~/vz-wip# cat FGT_CONFIG_DRIVE/openstack/latest/user_data
#VM Config File
config system global
set hostname vFGTvm00
end
config system interface
edit port1
set alias "EXT"
set description "Management Network (DHCP) eth0br"
set allowaccess ping https ssh fgfm
set mode dhcp
next
edit port2
set alias "Internal"
set description "Liveliness Network (Static) gluebr0"
set allowaccess ping https ssh fgfm
set ip 192.168.1.10/24
next
end
config firewall policy
# edit 0 lets FortiOS assign the next free policy ID
edit 0
# permissive example policy (any port2 -> port1 traffic, NATed); tighten it for production
set name "Allow any any"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
config sys dns
set primary 8.8.8.8
unset secondary
end
# this later block overrides the hostname set at the top of the file
config sys global
set hostname fgt-vm-workshop
end
Then create a configuration file used to build the ISO file, for example:
{
"bucket" : "confftnt",
"region" : "us-west-2",
"license" : "/FGVM080000066848.lic",
"config" : "/configfirewall.conf"
}
ISO Structure
It is also important that the ISO has a structure and permissions similar to the following:
The user account of the installer has been replaced with <user_account>.
<user_account>:iso <user_account>$ ll -R
total 8
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 15:14 .
drwxr-xr-x@ 8 root wheel 272 Jan 23 10:07 ..
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 openstack
.
.
.
./openstack:
total 16
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 .
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 15:14 ..
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 content
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:54 latest
.
.
.
./openstack/content:
total 12
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 .
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 ..
-rwxr-xr-x 1 <user_account> staff 287 Jan 19 16:02 0000
.
.
.
./openstack/latest:
total 12
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:54 .
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 ..
-rwxr-xr-x 1 <user_account> staff 813 Jan 19 16:02 user_data
.
.
.
Where “0000” has the following content:
<user_account>:iso <user_account>$ cat openstack/content/0000
-----BEGIN FGT VM LICENSE-----
QAAAAFS1V9CLl8h69qtDbikc4yW8hSi0kyFBlFi1LqQlqXG59uCLSlJiGfHt6ddbweM0d3guoeu
uzPLA/AjPJ3/4bdgAAAAQe5bBXvK4/UTEHyCP1VFL7OUHn/84246+gFHw75lYi5Pae3PmSmlR3E
AB7kRpLJFa+A5GpCKBu2sXKWwgQGZFmHbLOT7c5HO7BbPNo8Og0oR1b/YUtnCB22mXCXp1yY
-----END FGT VM LICENSE-----
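As an added example that is not part of these release notes or of Fortinet's tooling, the following Python script checks the user_data configuration for unclosed config/edit blocks before staging, writes the openstack/content/0000 and openstack/latest/user_data tree shown in the listing with the same 755 permissions, and builds the ISO with genisoimage or mkisofs if one is installed. The config-2 volume label and the placeholder license text are assumptions, not values from this page.

```python
# Added example (not Fortinet's tooling): check a FortiOS CLI user_data file is
# balanced, stage the config-drive tree from the listing above, and build the
# ISO with genisoimage/mkisofs if installed ("config-2" label is an assumption).
import shutil
import subprocess
import tempfile
from pathlib import Path

OPEN = {"config": "end", "edit": "next"}  # FortiOS CLI block openers -> closers

def check_cli_nesting(text):
    """Return a list of problems; an empty list means every block is closed."""
    stack, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if word in OPEN:
            stack.append((OPEN[word], n))
        elif word in ("end", "next") and stack and stack[-1][0] == word:
            stack.pop()
        elif word in ("end", "next"):
            problems.append("line %d: unexpected '%s'" % (n, word))
    problems += ["line %d: block never closed with '%s'" % (n, c) for c, n in stack]
    return problems

def stage_config_drive(license_text, config_text, stage=None):
    """Stage both files (mode 755) under `stage` or a temp dir; returns {rel path: mode}."""
    problems = check_cli_nesting(config_text)
    if problems:
        raise ValueError("unbalanced config: " + "; ".join(problems))
    stage = Path(stage or tempfile.mkdtemp(prefix="fgt-iso-"))
    files = {"openstack/content/0000": license_text,
             "openstack/latest/user_data": config_text}
    for rel, body in files.items():
        path = stage / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        path.chmod(0o755)  # -rwxr-xr-x, as in the listing
    return {rel: (stage / rel).stat().st_mode & 0o777 for rel in files}

def build_iso(stage, iso_path):
    """Build the ISO from the staged tree; returns False if no ISO tool is found."""
    tool = shutil.which("genisoimage") or shutil.which("mkisofs")
    if tool is None:
        return False
    subprocess.run([tool, "-quiet", "-R", "-J", "-V", "config-2",
                    "-o", str(iso_path), str(stage)], check=True)
    return True
```

Run it with the real license file contents and your configfirewall.conf as the two text arguments, then pass the returned staging directory to build_iso.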
FortiAP-421E and 423E and wave 2 WiFi support (371374)
FortiOS 5.4.2 includes FortiAP profiles for the FortiAP-421E and FortiAP-423E and these profiles include support for Wave 2 WiFi.
Dynamic Frequency Selection (DFS) support added (369052)
DFS support has been added for FortiAP models that support it. FortiAP models that support this feature include the 321C, 323C, 421E, S421E, 423E, S423E, and S422E.
BGP local-AS support (307530)
Use the following command to configure BGP local-AS support:
config router bgp
config neighbor
edit "neighbor"
...
set local-as 300
set local-as-no-prepend disable|enable
set local-as-replace-as disable|enable
next
end
end
Enable local-as-no-prepend if you do not want to prepend the local AS to incoming updates. Enable local-as-replace-as to replace the real AS with the local AS in outgoing updates.
Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)
Previous versions of FortiOS supported YouTube for Schools (YTfS). As of July 1, 2016 this feature is no longer supported by YouTube. Instead you can use the information in the YouTube support article Restrict YouTube content on your network or managed devices to achieve the same result. FortiOS supports applying Strict or Moderate restrictions using HTTP headers as described in this article.
In FortiOS 5.4.2 with inspection mode set to proxy-based, in a Web Filter profile under Search Engines you can select Restrict YouTube Access and select either Strict or Moderate.
High Availability hello-holddown CLI option typo fix (382364)
The config system ha option helo-holddown has been renamed hello-holddown.
DNS filter available in flow mode (390957)
DNS filter security profiles can now be edited and added to security policies if the FortiGate or the current VDOM Inspection Mode is set to Flow-based.
Patch apache server vulnerabilities (379870)
The following CLI commands have been added as part of an update to protect SSL VPN connections to the FortiGate from Slowloris (CVE-2007-6750) and R-U-Dead-Yet attacks.
config vpn ssl settings
set http-request-header-timeout 20
set http-request-body-timeout 30
end
http-request-header-timeout protects against Slowloris by controlling the maximum time allowed to read the HTTP request header. If the HTTP header does not complete within this time, SSL VPN disconnects the connection with response code 408 (Request Timeout). The default is 20 seconds and the range is 1 to 60 seconds.
http-request-body-timeout protects against R-U-Dead-Yet attacks by controlling the maximum time allowed to read an HTTP request body. If the HTTP body does not complete within this time, SSL VPN disconnects the connection with response code 408 (Request Timeout). The default is 30 seconds and the range is 1 to 60 seconds.
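To make the two deadlines concrete, here is an added example (not FortiOS code) of a minimal HTTP request reader that applies the same header and body timeouts and answers 408 when either expires; the socketpair-based simulate helper and its constructed client bytes are assumptions for offline testing only.

```python
# Added example (not FortiOS code): the two deadlines the SSL VPN settings above
# impose, applied by a minimal HTTP request reader. A client that never finishes
# its headers (Slowloris) or its body (R-U-Dead-Yet) is answered 408 and dropped.
import socket
import time

def _read_until(conn, done, deadline, buf=b""):
    """Read until done(buf) holds or the deadline passes; returns (buf, ok)."""
    while not done(buf):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return buf, False
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            chunk = b""
        if not chunk:  # deadline hit, or peer closed before finishing
            return buf, False
        buf += chunk
    return buf, True

def serve_request(conn, header_timeout=20.0, body_timeout=30.0):
    """Handle one request; defaults match the two FortiOS settings above."""
    raw, ok = _read_until(conn, lambda b: b"\r\n\r\n" in b, time.monotonic() + header_timeout)
    if not ok:
        conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        return "header-timeout"
    head, _, body = raw.partition(b"\r\n\r\n")
    length = 0  # Content-Length decides how much body must arrive in time
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    body, ok = _read_until(conn, lambda b: len(b) >= length, time.monotonic() + body_timeout, body)
    if not ok:
        conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        return "body-timeout"
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    return "ok"

def simulate(client_bytes, header_timeout, body_timeout):
    """Send constructed client bytes over a socketpair, then stay silent."""
    server, client = socket.socketpair()
    client.sendall(client_bytes)
    outcome = serve_request(server, header_timeout, body_timeout)
    reply = client.recv(4096).split(b"\r\n")[0].decode()
    server.close(); client.close()
    return outcome, reply
```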
Diagnose hardware test added to select FortiGate models (388646 302021 381208)
Most current FortiGate models include the diagnose hardware test command, which you can use to test all aspects of a FortiGate's hardware and report on any problems found.
Antispam log message improvements (284055)
When Antispam protection finds a phishing URL in an email message, the log message recorded for this event now includes the phishing URL found in the email message. The phishing URL is included in the fortiguardresp log message field.
Last session information saved in a crash log when an IPS engine crash occurs (378252)
Changes to FortiOS IPS and to the IPS engine version 3.170 now cause FortiOS to save a crash log with the last session information when an IPS crash occurs. This information can be used by Fortinet support to diagnose the cause of the crash.