What's New in FortiOS 5.4.6

Most development work in FortiOS 5.4.6 involved resolving issues. However, the following new features were added as well.

User group authentication timeout range increased to 30 days (378085)

The user authentication timeout for users in a user group has been extended to 30 days.

config user group
    edit <group-name>
        set authtimeout 43200
end

Where authtimeout is the length of the timeout in minutes. An authtimeout of 43200 minutes is equivalent to 30 days. Set authtimeout to 0 to use the default authentication timeout.

FortiOS-VM supports 10 interfaces (397860)

New installations of FortiOS-VM for FortiOS 5.4.6 now include 10 interfaces.

Improved support for RFCs 5746 and 7627 (422133)

FortiOS includes improved support for RFC 5746: TLS Renegotiation Indication Extension and RFC 7627: TLS Session Hash and Extended Master Secret Extension.
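As an added illustration (not code from the FortiOS release or from Fortinet), the following Python parses a TLS 1.2 ServerHello and reports whether the server negotiated the two extensions these RFCs define: renegotiation_info (type 0xFF01, RFC 5746) and extended_master_secret (type 0x0017, RFC 7627). The sample ServerHello is constructed inline; running the parser over a real ServerHello captured from a FortiGate TLS endpoint is left to the reader.

```python
import struct

# TLS extension type codes from the IANA registry.
EXT_EXTENDED_MASTER_SECRET = 0x0017   # RFC 7627
EXT_RENEGOTIATION_INFO = 0xFF01       # RFC 5746


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a TLS 1.2 ServerHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                        # skip server_version and random
    pos += 1 + hello[pos]               # skip length-prefixed session_id
    pos += 2 + 1                        # skip cipher_suite and compression_method
    exts = {}
    if pos >= len(hello):               # a ServerHello may omit the extensions block
        return exts
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def check_rfc_support(record: bytes) -> dict:
    """Report whether the server negotiated RFC 5746 and RFC 7627 on an initial handshake."""
    exts = parse_server_hello_extensions(record)
    return {
        # RFC 5746: on the first handshake renegotiation_info carries an empty vector (one zero byte).
        "rfc5746_secure_renegotiation": exts.get(EXT_RENEGOTIATION_INFO) == b"\x00",
        # RFC 7627: extended_master_secret is present with empty data.
        "rfc7627_extended_master_secret": exts.get(EXT_EXTENDED_MASTER_SECRET) == b"",
    }


def build_server_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record for testing (constructed, not a capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32)        # version TLS 1.2, all-zero random
             + b"\x00"                      # empty session_id
             + b"\xc0\x2f" + b"\x00"        # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, null compression
             + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
```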

Stripping clear text padding and IPsec session ESP padding (416950)

In some situations, clear text or ESP packets in IPsec sessions may carry large amounts of layer 2 padding that the NP6 IPsec engine cannot process, and the session may be blocked.

If you notice dropped IPsec sessions, you can use the following CLI options to make the NP6 processor strip clear text padding and ESP padding before sending the packets to the IPsec engine. With the padding stripped, the IPsec engine can process the session normally.

Use the following commands to strip ESP padding and clear text padding:

config system npu
    set strip-esp-padding enable
    set strip-clear-text-padding enable
end

Stripping clear text and ESP padding are both disabled by default.

Optionally disable NP6 offloading of traffic passing between 10Gbps and 1Gbps interfaces (392436)

Due to NP6 internal packet buffer limitations, some offloaded packets received at a 10Gbps interface and destined for a 1Gbps interface can be dropped, reducing performance for TCP and IP tunnel traffic. If you experience this performance reduction, you can use the following command to disable offloading sessions passing from 10Gbps interfaces to 1Gbps interfaces:

config system npu
    set host-shortcut-mode host-shortcut
end

Select host-shortcut to stop offloading TCP and IP tunnel packets passing from 10Gbps interfaces to 1Gbps interfaces. TCP and IP tunnel packets passing from 1Gbps interfaces to 10Gbps interfaces are still offloaded as normal.

If host-shortcut-mode is left at the default bi-directional setting, packets in both directions are offloaded.

BFD echo mode support (enable/disable blocking land attacks) (441740)

A new option has been added to FortiOS 5.4.6 that allows you to enable or disable blocking land attacks:

config system settings
    set block-land-attack {disable | enable}
end

This option is disabled by default. Since it is a system settings option, you can enable or disable blocking land attacks for individual VDOMs if your FortiGate is operating with multiple VDOMs.

Another reason to enable this feature would be if your FortiGate is blocking BFD echo packets that should be allowed to pass through the FortiGate. For example, a FortiGate operating in Transparent mode between two routers with a policy that allows all traffic may block BFD echo communication between the routers if blocking land attacks is disabled.

Enabling blocking land attacks allows BFD echo packets to pass through the FortiGate. Use the following command to block land attacks and allow BFD echo packets.

config system settings
    set block-land-attack enable
end
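As an added illustration (not FortiOS's own logic), the following Python shows why these two features interact: a land-attack packet carries the same address as source and destination, and a BFD echo packet does too, because the sender addresses the packet to itself so that the neighbour routes it straight back (RFC 5881, UDP destination port 3785). The filter flags identical-address packets but, when asked to, exempts UDP traffic to the BFD echo port; the traffic log lines are constructed in a FortiGate-style key=value form and are not from a real device.

```python
import ipaddress

BFD_ECHO_PORT = 3785   # UDP destination port for BFD Echo packets (RFC 5881)
PROTO_UDP = 17

# Constructed FortiGate-style key=value traffic log lines (not captured from a real FortiGate).
SAMPLE_LOGS = [
    "srcip=192.0.2.10 dstip=192.0.2.10 srcport=49152 dstport=3785 proto=17",  # BFD echo from router A
    "srcip=203.0.113.5 dstip=203.0.113.5 srcport=80 dstport=80 proto=6",      # classic land packet
    "srcip=192.0.2.10 dstip=192.0.2.11 srcport=49153 dstport=3784 proto=17",  # BFD control, ordinary
    "srcip=10.1.1.1 dstip=10.1.1.1 srcport=1234 dstport=3785 proto=6",        # same address, but TCP
]


def parse_kv(line: str) -> dict:
    """Parse one key=value traffic log line into typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "src": ipaddress.ip_address(fields["srcip"]),
        "dst": ipaddress.ip_address(fields["dstip"]),
        "sport": int(fields["srcport"]),
        "dport": int(fields["dstport"]),
        "proto": int(fields["proto"]),
    }


def classify(pkt: dict, allow_bfd_echo: bool = True) -> str:
    """Return 'normal', 'bfd-echo' or 'land-attack' for one parsed packet."""
    if pkt["src"] != pkt["dst"]:
        return "normal"                      # only same-address packets are suspect
    if allow_bfd_echo and pkt["proto"] == PROTO_UDP and pkt["dport"] == BFD_ECHO_PORT:
        return "bfd-echo"                    # self-addressed UDP to 3785 is BFD echo, let it through
    return "land-attack"                     # any other self-addressed packet is treated as a land attack


def triage(lines, allow_bfd_echo: bool = True) -> list:
    """Classify every log line; with allow_bfd_echo=False the echo packets are dropped as land attacks."""
    return [classify(parse_kv(line), allow_bfd_echo) for line in lines]
```

Run with allow_bfd_echo=False to see that a filter without the exemption drops the router's echo packets along with genuine land packets, which is the symptom described above.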

Memory compatibility mode for HA between FortiGates of different hardware generations (436585)

Different hardware generations of some FortiGate models may have different amounts of system memory. In HA mode this means that if the primary unit has more memory than the backup unit, it may be able to handle more sessions than the backup unit, so after a failover some sessions could be lost if the backup unit doesn't have enough memory for all of the sessions. If you have a cluster of FortiGates from different hardware generations, you can use the following command to enable memory compatibility mode and prevent session loss after a failover. Memory compatibility mode is disabled by default.

config system ha
    set memory-compatible-mode {disable | enable}
end

Memory compatibility mode synchronizes the memory size among the units in the cluster. The amount of memory available on the FortiGate with the lowest amount of memory is set as the soft total memory for each FortiGate in the cluster. That way, after a failover the new primary unit will have the same amount of memory for processing sessions and will support the same number of sessions as the former primary unit. As a result, after a failover no sessions are lost.

WiFi split tunnel enhancement (413142)

In a WTP profile, you can use the following command to control whether packets that match the split tunneling access control list (ACL) use the CAPWAP tunnel or the local LAN between the FortiAP and the FortiGate.

config wireless-controller wtp-profile
    edit <profile-name>
        set split-tunneling-acl-path {tunnel | local}
end

where:

tunnel: packets from wireless clients that match the split tunneling ACL pass from the FortiAP through the CAPWAP tunnel to the FortiGate (tunnel mode) and then to their destination.

local (the default): packets from wireless clients that match the split tunneling ACL pass across the local LAN from the FortiAP to the FortiGate (source NAT applied) and then to their destination.