What's New in FortiOS 5.4.2

Most development work in FortiOS 5.4.2 involved resolving issues. However, there were a few new features as well.

Bootstrapping enabled for FortiGate VM platforms (391527)

All FortiOS 5.4.2 VM platforms support bootstrapping, allowing you to set up an ISO file package that simplifies deploying FortiOS VMs. Using bootstrapping you can create a package that includes the VM firmware, a network configuration customized for your network, VM licensing, and other configuration elements such as basic firewall policies. You can then use the ISO file to deploy FortiOS VM firmware into your VM environment.

To set up bootstrapping you need a VM license file and a default FortiOS VM configuration file. The configuration file sets up default FortiOS VM settings such as adding a hostname, configuring interfaces and so on.

Components of the config file should be similar to the following:

#---------configfirewall.conf-----------
root@KVM-Hypervisor:~/vz-wip# cat FGT_CONFIG_DRIVE/openstack/latest/user_data
#VM Config File
config system global
    set hostname vFGTvm00
end
config system interface
    edit port1
        set alias "EXT"
        set description "Management Network (DHCP) eth0br"
        set allowaccess ping https ssh fgfm
        set mode dhcp
    next
    edit port2
        set alias "Internal"
        set description "Liveliness Network (Static) gluebr0"
        set allowaccess ping https ssh fgfm
        set ip 192.168.1.10/24
    next
end
config firewall policy
    edit 0
        set name "Allow any any"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config sys dns
    set primary 8.8.8.8
    unset secondary
end
config sys global
    set hostname fgt-vm-workshop
end

Then create the configuration file that is used to build the ISO file, for example:

{
    "bucket" : "confftnt",
    "region" : "us-west-2",
    "license" : "/FGVM080000066848.lic",
    "config" : "/configfirewall.conf"
}

ISO Structure

The ISO must also have a structure and permissions similar to the following (the installer's user account has been replaced with <user_account>):

<user_account>:iso <user_account>$ ll -R
total 8
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 15:14 .
drwxr-xr-x@ 8 root wheel 272 Jan 23 10:07 ..
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 openstack
...

./openstack:
total 16
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 .
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 15:14 ..
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 content
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:54 latest
...

./openstack/content:
total 12
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 .
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 ..
-rwxr-xr-x 1 <user_account> staff 287 Jan 19 16:02 0000
...

./openstack/latest:
total 12
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:54 .
drwxr-xr-x 1 <user_account> staff 2048 Jan 20 14:53 ..
-rwxr-xr-x 1 <user_account> staff 813 Jan 19 16:02 user_data
...

Where “0000” has the following content:

<user_account>:iso <user_account>$ cat openstack/content/0000
-----BEGIN FGT VM LICENSE-----
QAAAAFS1V9CLl8h69qtDbikc4yW8hSi0kyFBlFi1LqQlqXG59uCLSlJiGfHt6ddbweM0d3guoeu
uzPLA/AjPJ3/4bdgAAAAQe5bBXvK4/UTEHyCP1VFL7OUHn/84246+gFHw75lYi5Pae3PmSmlR3E
AB7kRpLJFa+A5GpCKBu2sXKWwgQGZFmHbLOT7c5HO7BbPNo8Og0oR1b/YUtnCB22mXCXp1yY
-----END FGT VM LICENSE-----
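The bootstrap package above has three pieces that are easy to get subtly wrong: a FortiOS config file whose config/end and edit/next blocks must balance, a JSON build descriptor, and the config-drive directory layout. The following script, added here as an example and not Fortinet's own tooling, checks the config nesting, validates the descriptor and stages the openstack/content/0000 and openstack/latest/user_data files in the layout the listing shows. It assumes the FortiOS CLI nesting rules (a config block closes with end, an edit entry with next) and uses a placeholder license body; producing the ISO image from the staged directory is left to an external tool.

```python
"""Added example, not Fortinet's code: checks a bootstrap config file for
balanced config/end and edit/next blocks, validates the ISO build
descriptor, and stages the config-drive tree from the listing above.
Assumptions: FortiOS CLI nesting (config closes with end, edit with next);
the layout openstack/content/0000 for the license and
openstack/latest/user_data for the config, as the listing shows. Turning
the staged directory into an ISO image is left to an external tool.
"""
import json
import os
import tempfile

# Constructed sample: the page's config, trimmed, with the interface
# block's closing `end` in place.
SAMPLE_CONFIG = """\
#VM Config File
config system global
    set hostname vFGTvm00
end
config system interface
    edit port1
        set allowaccess ping https ssh fgfm
        set mode dhcp
    next
    edit port2
        set ip 192.168.1.10/24
    next
end
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
end
"""
# Constructed build descriptor: the page's example without the trailing
# comma, which is not valid JSON.
SAMPLE_DESCRIPTOR = ('{"bucket": "confftnt", "region": "us-west-2", '
                     '"license": "/FGVM080000066848.lic", '
                     '"config": "/configfirewall.conf"}')
# Placeholder license body, not a real license.
PLACEHOLDER_LICENSE = ("-----BEGIN FGT VM LICENSE-----\n<license body>\n"
                       "-----END FGT VM LICENSE-----\n")


def validate_fortios_config(text):
    """Return (ok, errors, tree): sections and edit entries nest as dicts,
    `set` becomes key -> value and `unset` maps the key to None."""
    errors, stack, root = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        cmd, rest = words[0], " ".join(words[1:])
        current = stack[-1][2] if stack else root
        if cmd == "config":
            current[rest] = {}
            stack.append(("config", rest, current[rest]))
        elif cmd == "edit" and stack and stack[-1][0] == "config":
            current[rest] = {}
            stack.append(("edit", rest, current[rest]))
        elif cmd in ("set", "unset") and len(words) > 1 and stack:
            current[words[1]] = " ".join(words[2:]) if cmd == "set" else None
        elif cmd == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end" and stack and stack[-1][0] == "config":
            stack.pop()
        else:
            errors.append(f"line {lineno}: unexpected {raw.strip()!r}")
    for kind, name, _ in stack:
        errors.append(f"unterminated {kind} block {name!r}")
    return not errors, errors, root


def descriptor_is_valid(text):
    """True when the descriptor is valid JSON and names both input files."""
    try:
        data = json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False
    return all(k in data for k in ("license", "config"))


def stage_config_drive(root_dir, license_text, config_text):
    """Write the config-drive layout; return the relative file paths."""
    content = os.path.join(root_dir, "openstack", "content")
    latest = os.path.join(root_dir, "openstack", "latest")
    os.makedirs(content, exist_ok=True)
    os.makedirs(latest, exist_ok=True)
    with open(os.path.join(content, "0000"), "w") as f:
        f.write(license_text)
    with open(os.path.join(latest, "user_data"), "w") as f:
        f.write(config_text)
    return sorted(os.path.relpath(os.path.join(d, n), root_dir)
                  for d, _, names in os.walk(root_dir) for n in names)


def stage_demo():
    """Validate the sample, then stage it under a temporary directory."""
    ok, errors, _ = validate_fortios_config(SAMPLE_CONFIG)
    if not ok:
        raise ValueError("\n".join(errors))
    return stage_config_drive(tempfile.mkdtemp(), PLACEHOLDER_LICENSE,
                              SAMPLE_CONFIG)
```

Running the validator over the page's own config text reports the interface block that is never closed with end, and the descriptor check rejects the trailing comma in the page's JSON; both are the kind of defect that otherwise only surfaces when the VM boots with a partial configuration.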

 

FortiAP-421E and 423E and wave 2 WiFi support (371374)

FortiOS 5.4.2 includes FortiAP profiles for the FortiAP-421E and FortiAP-423E and these profiles include support for Wave 2 WiFi.

Dynamic Frequency Selection (DFS) support added (369052)

DFS support has been added for FortiAP models that support it. FortiAP models that support this feature include the 321C, 323C, 421E, S421E, 423E, S423E, and S422E.

BGP local-AS support (307530)

Use the following command to configure BGP local-AS support:

config router bgp
    config neighbor
        edit "neighbor"
            ...
            set local-as 300
            set local-as-no-prepend disable|enable
            set local-as-replace-as disable|enable
        next
    end
end

Enable local-as-no-prepend if you do not want to prepend local-as to incoming updates.

Enable local-as-replace-as to replace a real AS with local AS in outgoing updates.
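To make the effect of the two options concrete, here is a small model of the AS_PATH each side of the session sees under every combination of local-as-no-prepend and local-as-replace-as. It is an added example, not Fortinet's code, and it assumes standard BGP local-AS behaviour: outbound updates carry the local AS in front of the real AS (replace-as drops the real AS), and inbound updates get the local AS prepended unless no-prepend is set. Apart from the page's local-as value of 300, the AS numbers are constructed.

```python
"""Added example, not Fortinet's code: a model of how the local-as options
change the AS_PATH on each side of a BGP session. Assumption: standard
BGP local-AS semantics as described in the lead-in; AS numbers other than
the page's local-as 300 are constructed.
"""
from dataclasses import dataclass


@dataclass
class LocalAsNeighbor:
    real_as: int                # the FortiGate's configured AS
    local_as: int               # set local-as
    no_prepend: bool = False    # set local-as-no-prepend enable
    replace_as: bool = False    # set local-as-replace-as enable

    def outbound_as_path(self, as_path):
        """AS_PATH the neighbor receives for a route whose path is as_path.
        The neighbor must see local_as as the adjacent AS; without
        replace-as the real AS is kept behind it."""
        if self.replace_as:
            return [self.local_as, *as_path]
        return [self.local_as, self.real_as, *as_path]

    def inbound_as_path(self, as_path):
        """AS_PATH installed locally for an update the neighbor sent:
        local_as is prepended so the route looks as though it passed
        through local_as, unless no-prepend is set."""
        if self.no_prepend:
            return list(as_path)
        return [self.local_as, *as_path]


def option_matrix(real_as, local_as, outbound_path, inbound_path):
    """Return (outbound, inbound) AS_PATHs for every option combination,
    keyed by (no_prepend, replace_as); useful when planning an AS
    migration to see what each side will observe."""
    result = {}
    for no_prepend in (False, True):
        for replace_as in (False, True):
            n = LocalAsNeighbor(real_as, local_as, no_prepend, replace_as)
            result[(no_prepend, replace_as)] = (
                n.outbound_as_path(outbound_path),
                n.inbound_as_path(inbound_path),
            )
    return result
```

With real AS 65001 and local-as 300, a locally originated route is advertised with AS_PATH 300 65001 by default and just 300 once replace-as is enabled; a route learned from the neighbor in AS 65002 is installed with 300 65002 by default and 65002 once no-prepend is enabled.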

Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

Previous versions of FortiOS supported YouTube for Schools (YTfS). As of July 1, 2016 this feature is no longer supported by YouTube. Instead you can use the information in the YouTube support article Restrict YouTube content on your network or managed devices to achieve the same result. FortiOS supports applying Strict or Moderate restrictions using HTTP headers as described in this article.

In FortiOS 5.4.2 with inspection mode set to proxy-based, in a Web Filter profile under Search Engines you can select Restrict YouTube Access and select either Strict or Moderate.

High Availability hello-holddown CLI option typo fix (382364)

The config system ha option helo-holddown has been renamed hello-holddown.

DNS filter available in flow mode (390957)

DNS filter security profiles can now be edited and added to security policies if the FortiGate or the current VDOM Inspection Mode is set to Flow-based.

Patch apache server vulnerabilities (379870)

The following CLI commands have been added as part of an update to protect SSL VPN connections to the FortiGate from Slowloris (CVE-2007-6750) and R-U-Dead-Yet attacks.

config vpn ssl settings
    set http-request-header-timeout 20
    set http-request-body-timeout 30
end

http-request-header-timeout protects against Slowloris by limiting the time allowed to read the HTTP request header. If the header is not complete within this time, SSL VPN disconnects the connection with response code 408 (Request Timeout). The default is 20 seconds and the range is 1 to 60 seconds.

http-request-body-timeout protects against R-U-Dead-Yet attacks by limiting the time allowed to read an HTTP request body. If the body is not complete within this time, SSL VPN disconnects the connection with response code 408 (Request Timeout). The default is 30 seconds and the range is 1 to 60 seconds.
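The important property of both settings is that the limit is an absolute deadline on completing the header or body, not an idle timeout that every received byte resets. The following reader, added here as an example and not Fortinet's SSL VPN code, enforces deadlines of that kind and answers 408 when they pass. The peers are constructed in-process stand-ins connected over a socketpair, one that completes its request and one that stalls; the sub-second deadlines are constructed so the demonstration runs quickly, whereas the FortiOS defaults are 20 seconds for the header and 30 seconds for the body.

```python
"""Added example, not Fortinet's code: a request reader enforcing absolute
deadlines of the kind http-request-header-timeout and
http-request-body-timeout describe. The deadline runs from the first byte
and is not reset per byte, so a peer trickling data cannot hold the read
open. Peers are constructed in-process stand-ins over a socketpair; the
sub-second deadlines are constructed for a quick run.
"""
import socket
import threading
import time

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8192
STATUS_FOR = {"timeout": 408, "too-large": 431, "closed": 400}


def recv_until(conn, is_complete, deadline_seconds, limit, initial=b""):
    """Read until is_complete(buf) holds or the deadline passes; returns
    ("complete" | "timeout" | "closed" | "too-large", buf)."""
    deadline = time.monotonic() + deadline_seconds
    buf = initial
    while not is_complete(buf):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "timeout", buf
        conn.settimeout(remaining)  # never wait past the absolute deadline
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return "timeout", buf
        if not chunk:
            return "closed", buf
        buf += chunk
        if len(buf) > limit:
            return "too-large", buf
    return "complete", buf


def read_request_header(conn, deadline_seconds=20.0):
    """(status, buf): status is None if the header completed in time,
    otherwise the HTTP status to send back (408 on timeout)."""
    result, buf = recv_until(conn, lambda b: HEADER_END in b,
                             deadline_seconds, MAX_HEADER_BYTES)
    return (None if result == "complete" else STATUS_FOR[result]), buf


def read_request_body(conn, length, initial, deadline_seconds=30.0):
    """Same contract for a Content-Length body; `initial` holds body bytes
    that arrived together with the header."""
    result, buf = recv_until(conn, lambda b: len(b) >= length,
                             deadline_seconds, float("inf"), initial)
    return (None if result == "complete" else STATUS_FOR[result]), buf[:length]


def content_length(header_bytes):
    """Content-Length from a raw header block, 0 when absent."""
    for line in header_bytes.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def stalled_peer(prefix):
    """Constructed stalled peer: sends prefix, then one byte every 50 ms,
    never completing the request."""
    def behaviour(sock):
        sock.sendall(prefix)
        try:
            for _ in range(40):
                time.sleep(0.05)
                sock.sendall(b"x")
        except OSError:
            pass  # the reader gave up and closed its end
        sock.close()
    return behaviour


def prompt_peer(sock):
    """Constructed well-behaved peer: full header, body in two parts."""
    sock.sendall(b"POST / HTTP/1.1\r\nHost: vpn.example\r\n"
                 b"Content-Length: 5\r\n\r\nab")
    time.sleep(0.05)
    sock.sendall(b"cde")
    sock.close()


def serve_once(peer, deadline_seconds):
    """Run peer on one end of a socketpair and read on the other. Returns
    the HTTP status on failure, otherwise the body bytes read."""
    server, client = socket.socketpair()
    worker = threading.Thread(target=peer, args=(client,))
    worker.start()
    try:
        status, buf = read_request_header(server, deadline_seconds)
        if status is not None:
            return status
        head, _, rest = buf.partition(HEADER_END)
        status, body = read_request_body(server, content_length(head), rest,
                                         deadline_seconds)
        return body if status is None else status
    finally:
        server.close()
        worker.join()


def demo_header_timeout():
    return serve_once(stalled_peer(b"GET / HTTP/1.1\r\n"), 0.3)


def demo_body_timeout():
    return serve_once(stalled_peer(b"POST / HTTP/1.1\r\n"
                                   b"Content-Length: 100\r\n\r\n"), 0.3)


def demo_complete_request():
    return serve_once(prompt_peer, 0.3)
```

The two stalled cases map onto the two settings: the first never finishes its header and is cut off by the header deadline, the second sends a complete header announcing a 100-byte body and then trickles the body, so it is cut off by the body deadline instead. A well-behaved peer that finishes within the deadline is unaffected, which is why the 1 to 60 second range can be set close to the time a legitimate client actually needs.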

Diagnose hardware test added to select FortiGate models (388646 302021 381208)

Most current FortiGate models include the diagnose hardware test command that you can use to test all aspects of a FortiGate's hardware and report on problems that are found.

Antispam log message improvements (284055)

When Antispam protection finds a phishing URL in an email message, the log message recorded for this event now includes the phishing URL found in the email message. The phishing URL is included in the fortiguardresp log message field.

Last session information saved in a crash log when an IPS engine crash occurs (378252)

Changes to FortiOS IPS and to the IPS engine version 3.170 now cause FortiOS to save a crash log with the last session information when an IPS crash occurs. This information can be used by Fortinet support to diagnose the cause of the crash.