
FortiOS - New Features Guide

Version 7.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

February 25, 2021


FortiOS 7.0.0 New Features Guide
01-700-676234-20210225
TABLE OF CONTENTS

Change Log 6
Security Fabric 7
Fabric settings 7
Enhance Security Fabric configuration for FortiSandbox Cloud 7
SDN connectors 8
Threat feed connectors per VDOM 8
Automation stitches 12
Automation workflow improvements 12
Microsoft Teams Notification action 21
Replacement messages for email alerts 26
Security ratings 28
Security Rating overlays 29
Network 32
SD-WAN 32
Usability enhancements to SD-WAN Network Monitor service 32
Hold down time to support SD-WAN service strategies 34
General 35
Add option to select source interface and address for Telnet and SSH 36
ECMP routes for recursive BGP next hop resolution 36
BGP next hop recursive resolution using other BGP routes 37
Add SNMP OIDs for shaping-related statistics 38
PRP handling in NAT mode with virtual wire pair 41
NetFlow on FortiExtender and tunnel interfaces 42
IPv6 45
Configuring IPv6 multicast policies in the GUI 46
FortiGate as an IPv6 DDNS client for generic DDNS 47
FortiGate as an IPv6 DDNS client for FortiGuard DDNS 48
Allow backup and restore commands to use IPv6 addresses 48
Web proxy 49
Explicit proxy authentication over HTTPS 49
Selectively forward web requests to a transparent web proxy 51
System 54
FortiGuard 54
Update OUI files from FortiGuard 54
Policy and Objects 55
NGFW 55
Filters for application control groups in NGFW mode 55
Policies 58
DNS health check monitor for server load balancing 58
Carrier-grade NAT 59
Separate ZTNA tag in policy configuration 61
Objects 63
Record central NAT and DNAT hit count 63

Security profiles 65
Antivirus 65
Stream-based antivirus scan in proxy mode for FTP, SFTP, and SCP 65
Configure threat feed and outbreak prevention without AV engine scan 66
Web filter 69
FortiGuard web filter categories to block child sexual abuse and terrorism 69
Enhance web filter antiphishing profile 71
SSL/SSH inspection 74
HTTP/2 support in proxy mode SSL inspection 74
Define multiple certificates in an SSL profile in replace mode 75
Others 77
Improve WAD traffic dispatcher 78
Video filtering 78
DNS filter handled by IPS engine in flow mode 82
VPN 83
IPsec and SSL VPN 83
Configurable IKE port 83
Packet duplication for dial-up IPsec tunnels 86
IPsec global IKE embryonic limit 90
User and authentication 92
Authentication 92
Integrate user information from EMS connector and Exchange connector in the user store 92
Secure access 95
Wireless 95
Configure Agile Multiband Operation 95
Switch controller 100
FortiSwitch NAC VLANs widget 100
Forward error correction settings on switch ports 101
Cancel pending or downloading FortiSwitch upgrades 102
Automatic provisioning of FortiSwitch firmware upon authorization 104
Use wildcards in a MAC address in a NAC policy 106
Additional FortiSwitch recommendations in Security Rating 108
FortiGate NAC engine optimization 108
PoE pre-standard detection disabled by default 109
GUI support for viewing and configuring shared FortiSwitch ports 110
Cloud icon indicates that the FortiSwitch unit is managed over layer 3 111
Log and report 114
Logging 114
Add logs for the execution of CLI commands 114
Logging IP address threat feeds in sniffer mode 116
Cloud 117
Public and private cloud 117
Collect only node IP addresses with Kubernetes SDN connectors 117
FortiGate VM on KVM running ARM processors 121
Deploy FortiGate-VM A-P HA on IBM VPC Cloud (BYOL) 125
Support AWS Graviton2 instances 132

Update AliCloud SDN connector to support Kubernetes filters 133
FortiCarrier 137
GTP 137
GUI enhancements for GTP features 137

Change Log

Date Change Description

2021-03-29 Initial release.

Security Fabric

This section includes information about Security Fabric new features:


- Fabric settings on page 7
- SDN connectors on page 8
- Automation stitches on page 12
- Security ratings on page 28

Fabric settings

This section includes information about Security Fabric settings related new features:
- Enhance Security Fabric configuration for FortiSandbox Cloud on page 7

Enhance Security Fabric configuration for FortiSandbox Cloud

Creating an instance of FortiSandbox on FortiCloud can be configured from the Fabric Connectors page in the GUI. In
the Cloud Sandbox Settings, you can choose between connecting to FortiGate Cloud or FortiSandbox Cloud.
Connecting to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the correct
FortiSandbox Cloud account.

Requirements

The following items are required to initialize FortiSandbox Cloud:


- A FortiCloud premium account.
- A valid FSAC contract on the FortiGate. To view contract information in the CLI, enter diagnose test update
  info. The User ID at the end of the output lets FortiCloud know which FortiSandbox Cloud account the
  FortiGate is connected to.

FortiSandbox Cloud requires the following licenses:

- FortiCloud premium license
- FortiSandbox Cloud entitlement
- FortiGate license (register the FortiGate on the same account as the FortiCloud license)

To configure FortiSandbox Cloud in the GUI:

1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
2. Set Status to Enable.


3. For Type, select FortiSandbox Cloud.

If the FortiSandbox Cloud option is grayed out or not visible, enter the following in the
CLI:
config system global
set gui-fortigate-cloud-sandbox enable
end

4. Click OK.

To configure FortiSandbox Cloud in the CLI:

config system fortisandbox
    set status enable
    set forticloud enable
    set server "fortisandboxcloud.com"
end

To switch from Cloud Sandbox to FortiSandbox in the Security Fabric:

1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
2. Set Status to Disable.
3. Click OK.
4. In the CLI, enter the following:

config system fortisandbox
    set status enable
    set forticloud disable
    set server <address>
end

The FortiSandbox card is now visible in the Other Fortinet Products section.

SDN connectors

This section includes information about SDN connector related new features:
- Threat feed connectors per VDOM on page 8

Threat feed connectors per VDOM

When multi-VDOM mode is enabled, the threat feed external connector can be defined in global or within a VDOM.
Global threat feeds can be used in any VDOM, but cannot be edited within the VDOM. FortiGuard category and domain
name-based external feeds have an added category number field to identify the threat feed. The threat feed name in
global must start with g-. Threat feed names in VDOMs cannot start with g-.

FortiGuard category and domain name-based external feed entries must have a number assigned to them that ranges
from 192 to 221. This number can be assigned to both external feed types. However, when a category number is used
under a global entry, such as 192 with the name g-cat-192, this category number cannot be used in any other global
or VDOM entries. If a category is used under a VDOM entry, such as 192 under VDOM1 with the name cat-192, the
category 192 can be used in another VDOM or root with the name cat-192.

A threat feed connector can only be used in profiles in the VDOM that it was created in. Global connectors can be used
in all VDOMs.

Each VDOM can have a maximum of 256 threat feed entries, but in total a FortiGate can only have 511 threat feed
entries.
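The naming and category rules above are easy to violate once feeds are spread over several VDOMs, and the FortiGate only tells you at commit time. The following Python script is an added example, not part of this guide or of any Fortinet tool: it checks a proposed set of external-resource entries (the Feed records below are constructed) against those rules before they are pushed. The per-VDOM and total limits and the g- prefix and category-number rules are taken from the text above; the additional rule that a category number is unique within one VDOM is an assumption drawn from the number identifying the feed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

CATEGORY_MIN, CATEGORY_MAX = 192, 221  # valid range for category/domain feeds
MAX_PER_VDOM = 256                     # per-VDOM entry limit stated in the guide
MAX_TOTAL = 511                        # whole-FortiGate entry limit stated in the guide
GLOBAL = "global"                      # scope name used here for global entries


@dataclass(frozen=True)
class Feed:
    scope: str                      # GLOBAL, or a VDOM name such as "root" / "vd1"
    name: str                       # external-resource entry name
    type: str                       # "address", "domain", "category" or "malware"
    category: Optional[int] = None  # only meaningful for domain/category feeds


def validate_feeds(feeds):
    """Return the rule violations for a set of threat feed entries (empty list = valid)."""
    errors = []
    per_scope = defaultdict(int)
    global_cats = {}               # category -> name of the global feed using it
    vdom_cats = defaultdict(list)  # category -> [(vdom, name), ...]

    for f in feeds:
        per_scope[f.scope] += 1
        is_global = f.scope == GLOBAL
        if is_global and not f.name.startswith("g-"):
            errors.append(f"{f.name}: global feed names must start with 'g-'")
        if not is_global and f.name.startswith("g-"):
            errors.append(f"{f.scope}/{f.name}: VDOM feed names cannot start with 'g-'")
        if f.type not in ("domain", "category"):
            continue               # address/malware feeds carry no category number
        if f.category is None or not CATEGORY_MIN <= f.category <= CATEGORY_MAX:
            errors.append(f"{f.scope}/{f.name}: category must be in {CATEGORY_MIN}-{CATEGORY_MAX}")
            continue
        if is_global:
            if f.category in global_cats:
                errors.append(f"{f.name}: category {f.category} already used by global feed "
                              f"{global_cats[f.category]}")
            else:
                global_cats[f.category] = f.name
        else:
            vdom_cats[f.category].append((f.scope, f.name))

    for cat, users in vdom_cats.items():
        # A category taken by a global entry is off limits to every VDOM entry.
        if cat in global_cats:
            for scope, name in users:
                errors.append(f"{scope}/{name}: category {cat} is reserved by global feed {global_cats[cat]}")
        # Reuse across different VDOMs is allowed; reuse inside one VDOM is not
        # (assumption: the number identifies the feed within its own scope).
        seen = set()
        for scope, name in users:
            if scope in seen:
                errors.append(f"{scope}/{name}: category {cat} already used in this VDOM")
            seen.add(scope)

    for scope, count in per_scope.items():
        if scope != GLOBAL and count > MAX_PER_VDOM:
            errors.append(f"{scope}: {count} entries exceeds the per-VDOM limit of {MAX_PER_VDOM}")
    if len(feeds) > MAX_TOTAL:
        errors.append(f"{len(feeds)} entries exceeds the FortiGate limit of {MAX_TOTAL}")
    return errors


# Constructed sample sets modelled on the CLI examples in this section.
SAMPLE_OK = [
    Feed(GLOBAL, "g-category", "category", 192),
    Feed(GLOBAL, "g-address", "address"),
    Feed("vd1", "vd1-domain", "domain", 193),
    Feed("root", "cat-193", "category", 193),   # same number in another VDOM is allowed
    Feed("vd1", "vd1-address", "address"),
]
SAMPLE_BAD = [
    Feed(GLOBAL, "g-category", "category", 192),
    Feed("vd1", "cat-192", "category", 192),        # collides with the global entry
    Feed("vd1", "g-address", "address"),            # VDOM entry using the global prefix
    Feed(GLOBAL, "category-222", "category", 222),  # bad name and out-of-range number
]

if __name__ == "__main__":
    print("violations in SAMPLE_OK:", validate_feeds(SAMPLE_OK))
    for err in validate_feeds(SAMPLE_BAD):
        print("violation:", err)
```

Run the script against the entries you intend to create; an empty list means the set satisfies every rule described above.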

To configure an external threat feed connector under global in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.


2. In the Threat Feeds section, click FortiGuard Category.
3. Enter a name that begins with g-.
4. Configure the other settings as needed.
5. Click OK.

To configure an external threat feed connector under global in the CLI:

config global
    config system external-resource
        edit "g-category"
            set status enable
            set type category
            set category 192
            set comments ''
            set resource "http://172.16.200.55/external-resource-test/513-FDGCategory.txt"
            set refresh-rate 5
        next
    end
end

To configure an external threat feed connector under a VDOM in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.


2. In the Threat Feeds section, click Domain Name.
3. Enter a name that does not begin with g-.
4. Configure the other settings as needed.
5. Click OK. The threat feed connector created under global also appears, but it is not editable.

To configure an external threat feed connector under a VDOM in the CLI:

config vdom
    edit vd1
        config system external-resource
            edit "vd1-domain"
                set status enable
                set type domain
                set category 193
                set comments ''
                set resource "http://172.16.200.55/external-resource-test/513-Domain.txt"
                set refresh-rate 5
            next
        end
    next
end

To use an IP address threat feed in a policy in the GUI:

1. Configure an IP address connector in global:


a. Go to Security Fabric > External Connectors and click Create New.
b. In the Threat Feeds section, click IP Address.
c. Enter a name that begins with g-.
d. Configure the other settings as needed.
e. Click OK.
2. Configure an IP address connector in the VDOM (vd1):
a. Go to Security Fabric > External Connectors and click Create New.
b. In the Threat Feeds section, click IP Address.
c. Enter a name that does not begin with g-.
d. Configure the other settings as needed.
e. Click OK. The threat feed connectors created under global also appear, but they are not editable.

3. Configure the firewall policy in the VDOM (vd1):


a. Go to Policy & Objects > Firewall Policy and click Create New.
b. For Destination, select vd1-address. Since this policy is configured under vd1, g-address can also be set as
the destination.


c. Configure the other settings as needed.


d. Click OK.

To use an IP address threat feed in a policy in the CLI:

1. Configure the IP address connectors:

config global
    config system external-resource
        edit "g-address"
            set status enable
            set type address
            set username ''
            set comments ''
            set resource "http://172.16.200.55/external-resource-test/513-IP.txt"
            set refresh-rate 5
        next
    end
end
config vdom
    edit vd1
        config system external-resource
            edit "vd1-address"
                set status enable
                set type address
                set comments ''
                set resource "http://172.16.200.55/external-resource-test/513-IP.txt"
                set user-agent "curl/7.58.0"
                set refresh-rate 5
            next
        end
    next
end

2. In the VDOM, configure a firewall policy with the external address as the destination address:

config vdom
    edit vd1
        config firewall policy
            edit 1
                set name "test"
                set srcintf "port10"
                set dstintf "port9"
                set srcaddr "all"
                set dstaddr "vd1-address"
                set action accept
                set schedule "always"
                set service "ALL"
                set profile-protocol-options "protocol"
                set nat enable
            next
        end
    next
end

Since this firewall policy is configured under vd1, g-address can also be set as the dstaddr.

Automation stitches

This section includes information about automation stitches related new features:
- Automation workflow improvements on page 12
- Microsoft Teams Notification action on page 21
- Replacement messages for email alerts on page 26

Automation workflow improvements

This redesign simplifies the workflow for managing multiple chained actions, and makes it clearer which order the
actions will be processed in. The enhancements include:

- Add new flow for creating and managing automation stitches, triggers, and actions.
- Add Manage Components view to manage automation triggers and actions from the list page.
- Improve FortiOS Event Log trigger by allowing multiple log IDs and adding a log field filter.
- Add Any report type for the Security Rating Summary trigger.
- Simplify the URI configuration for cloud actions.
- Add JSON parameter support for Slack and Microsoft Teams notifications.
- Rename ios-notification action type to fortiexplorer-notification.

GUI changes to Automation page

Automation stitches, actions, and triggers have separate dialogs and are no longer part of the main stitch dialog. When
creating a stitch, clicking Add Trigger and Add Action displays a list of available triggers and actions.

Once the stitch is configured, a process diagram of the trigger, actions, and delays is displayed.


Manage Components view

In the Security Fabric > Automation page, click Manage Components to create or edit actions and triggers.

A slide-out pane appears with options to view a list of actions or triggers.


Click Action to view the list of actions.

Click Trigger to view the list of triggers.


The following example shows how to configure a Security Rating Summary automation stitch with AWS Lambda and
Email actions.

To configure the automation stitch in the GUI:

1. Go to Security Fabric > Automation and click Create New.


2. Enter the stitch name and description.
3. Configure the trigger:
a. Click Add Trigger and select Security Rating Summary.
b. Enter the following:

Name: aws_no_delay
Report: Security Posture

c. Click Add.
4. Configure the AWS Lambda function action:
a. Click Add Action.
b. Click Create and select AWS Lambda.
c. Enter the following:

Name: aws_no_delay
URL: Enter the request API URI
API key: Enter the AWS API gateway API key
HTTP header: header2:header2_value

d. Click OK.
e. Select the trigger in the list and click Apply.
5. Configure the Email notification action:
a. Click Add Action.
b. Click Create and select Email.
c. Enter the following:

Name: email_action
Delay: 60
To: Enter an email address
Subject: email action for test
Replacement message: Enable

d. Click OK.
e. Select the trigger in the list and click Apply.
6. Click OK.

To configure the automation stitch in the CLI:

1. Configure the trigger:


config system automation-trigger
edit "aws_no_delay"
set event-type security-rating-summary
next
end

2. Configure the actions:


config system automation-action
edit "aws_no_delay"
set action-type aws-lambda
set aws-api-key xxxxxxxxxxxx
set uri "xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/xxxxxxxxxx"
set headers "header2:header2_value"
next
edit "email_action"
set description "email action for test"
set action-type email
set email-to "[email protected]"
set email-subject "email action for test"
set delay 60
set replacement-message enable
next
end


3. Configure the stitch:


config system automation-stitch
edit "aws_no_delay"
set description "aws action test"
set trigger "aws_no_delay"
set action "aws_no_delay" "email_action"
next
end

FortiOS Event Log trigger

To configure a FortiOS Event Log trigger in the GUI:

1. Go to Security Fabric > Automation and click Create New.


2. Enter the stitch name and description.
3. Configure the trigger:
a. Click Add Trigger and select FortiOS Event Log.
b. Enter a name and description.
c. In the Event field, click the + to select multiple event log IDs.
d. In the Field filter(s) field, click the + to add multiple field filters. All of the configured filters must match for
the stitch to be triggered.

e. Click Add.
4. Configure the rest of the stitch as needed.

To configure a FortiOS Event Log trigger in the CLI:

config system automation-trigger
    edit "event_login_logout"
        set description "trigger for login logout event"
        set event-type event-log
        set logid 32001 32003
        config fields
            edit 1
                set name "user"
                set value "csf"
            next
            edit 2
                set name "ip"
                set value "10.6.30.254"
            next
        end
    next
end
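To see what the trigger above actually selects before wiring a stitch to it, it helps to replay the matching rule over real log lines. The Python script below is an added example, not FortiOS code and not a description of the autod daemon's internals: it parses FortiOS-style key=value event logs and applies the same rule the guide describes (the record's log ID must be one of the configured IDs and every configured field filter must match). The sample log lines are constructed for this example, and the mapping from the trigger's short ID (32001) to the trailing five digits of the ten-digit logid field is an assumption to adjust if your logs differ.

```python
import re
from dataclasses import dataclass, field

# Constructed FortiOS-style event log lines (not captured from a device).
SAMPLE_LOGS = [
    'date=2021-03-29 time=10:28:08 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" user="csf" ui="https(10.6.30.254)" ip="10.6.30.254" '
    'action="login" status="success" msg="Administrator csf logged in successfully"',
    'date=2021-03-29 time=10:30:12 logid="0100032003" type="event" subtype="system" '
    'level="information" vd="root" user="csf" ip="10.6.30.254" action="logout" '
    'status="success" msg="Administrator csf logged out"',
    'date=2021-03-29 time=10:31:00 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ip="10.6.30.1" action="login" '
    'status="success" msg="Administrator admin logged in successfully"',
    'date=2021-03-29 time=10:32:45 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" user="csf" ip="10.6.30.254" action="login" status="failed" '
    'msg="Administrator csf login failed from https(10.6.30.254)"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict with quotes stripped."""
    record = {}
    for key, raw in _KV.findall(line):
        record[key] = raw[1:-1] if raw.startswith('"') else raw
    return record


@dataclass
class EventLogTrigger:
    """Model of `config system automation-trigger` with event-type event-log."""
    name: str
    logids: set                                 # as in `set logid 32001 32003`
    filters: dict = field(default_factory=dict)  # `config fields` name -> value

    def matches(self, record):
        logid = record.get("logid", "")
        # Assumption: the short ID configured on the trigger is the trailing five
        # digits of the ten-digit logid carried in the log record.
        try:
            short_id = int(logid[-5:])
        except ValueError:
            return False
        if short_id not in self.logids:
            return False
        # All configured field filters must match (AND semantics), as the guide states.
        return all(record.get(key) == value for key, value in self.filters.items())


def evaluate(trigger, lines):
    """Return the parsed records that would fire the trigger."""
    return [rec for rec in map(parse_fortios_log, lines) if trigger.matches(rec)]


LOGIN_LOGOUT = EventLogTrigger(
    name="event_login_logout",
    logids={32001, 32003},
    filters={"user": "csf", "ip": "10.6.30.254"},
)

if __name__ == "__main__":
    for rec in evaluate(LOGIN_LOGOUT, SAMPLE_LOGS):
        print(rec["time"], rec["logid"], rec["action"], rec["user"], rec["ip"])
```

With the sample lines, only the csf login and logout from 10.6.30.254 fire; the admin login and the failed login (32002) do not. Feeding a day of exported event logs through evaluate() is a cheap way to confirm a trigger is neither too broad nor silently empty before the stitch goes live.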

Any report type for Security Rating Summary trigger

To configure a Security Rating Summary trigger in the GUI:

1. Go to Security Fabric > Automation and click Create New.


2. Enter the stitch name and description.
3. Configure the trigger:
a. Click Add Trigger and select Security Rating Summary.
b. Enter a name and description.
c. In the Report field, select Any.

d. Click Add.
4. Configure the rest of the stitch as needed.

To configure a Security Rating Summary trigger in the CLI:

config system automation-trigger
    edit "rating_any"
        set description "rating any type"
        set event-type security-rating-summary
        set report-type any
    next
end

URI configuration for cloud actions

For AWS Lambda, Google Cloud, Azure, and AliCloud functions, the URI has been combined into a single attribute
instead of having separate attributes for each URI path segment. In the GUI, use the URL field. In the CLI, use the set
uri parameter.

JSON option for Slack and Microsoft Teams notifications

Users have the option to select either a text or JSON message for Slack and Microsoft Teams notifications. The
following example shows how to configure a Slack notification with a JSON message.

To configure a Slack notification action with a JSON message in the GUI:

1. Go to Security Fabric > Automation and click Manage Components.


2. Click Create New > Action and select Slack Notification.
3. For Message, select JSON, and enter the message in the text box.
4. Configure the other settings as needed.

5. Click OK.

To configure a Slack notification action with a JSON message in the CLI:

config system automation-action
    edit "slack_json"
        set action-type slack-notification
        set delay 30
        set message-type json
        set uri "hooks.slack.com/services/xxxxxxxxxx/xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx"
        set http-body "{\'text\':\'%%log%%\'}"
    next
end
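The JSON body above embeds the triggering log record through the %%log%% placeholder. FortiOS performs that substitution itself; the Python script below is an added example, not FortiOS code, for anyone who builds or relays such webhook bodies in their own tooling (a SOAR relay, a test harness). It contrasts plain textual substitution with substitution inside a parsed JSON template: because FortiOS log records are full of double quotes and the user field is attacker-chosen, textual substitution produces a body the webhook rejects, so the alert about that very event is lost, while substituting inside string values keeps the document structure fixed. The sample log line is constructed; the assumption that both Slack and Teams incoming webhooks accept a top-level "text" field is the example's, and note that the single-quoted template in the CLI example above is not strict JSON and is rejected by this parser.

```python
import json

PLACEHOLDER = "%%log%%"


def render_naive(template, log_text):
    """Plain textual substitution: the log text lands inside the JSON unescaped."""
    return template.replace(PLACEHOLDER, log_text)


def _substitute(node, log_text):
    # Walk the parsed template and substitute only inside string values, so the
    # log text can never open or close a JSON string, key or object.
    if isinstance(node, str):
        return node.replace(PLACEHOLDER, log_text)
    if isinstance(node, list):
        return [_substitute(item, log_text) for item in node]
    if isinstance(node, dict):
        return {key: _substitute(value, log_text) for key, value in node.items()}
    return node


def render_safe(template, log_text):
    """Parse the template as JSON, substitute inside strings, serialize again."""
    return json.dumps(_substitute(json.loads(template), log_text))


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def get_path(body, *path):
    """Read a value out of a rendered body by key/index path, e.g. ("blocks", 0, "text")."""
    node = json.loads(body)
    for step in path:
        node = node[step]
    return node


# Templates written as strict JSON with the placeholder inside string values.
SLACK_TEMPLATE = '{"text": "%%log%%"}'
TEAMS_TEMPLATE = '{"text": "FortiGate alert: %%log%%"}'
SLACK_BLOCKS_TEMPLATE = ('{"text": "FortiGate alert", "blocks": [{"type": "section", '
                         '"text": {"type": "mrkdwn", "text": "%%log%%"}}]}')

# Constructed log record (not captured from a device); the quotes are ordinary
# FortiOS field quoting, and the user field is whatever the client sent.
SAMPLE_LOG = ('logid="0100032002" user="csf" ui="https(10.6.30.254)" action="login" '
              'status="failed" msg="Administrator csf login failed from https(10.6.30.254)"')

if __name__ == "__main__":
    naive = render_naive(SLACK_TEMPLATE, SAMPLE_LOG)
    print("naive body is valid JSON:", is_valid_json(naive))
    safe = render_safe(SLACK_BLOCKS_TEMPLATE, SAMPLE_LOG)
    print("safe body:", safe)
    print("recovered text:", get_path(safe, "blocks", 0, "text", "text"))
```

If your receiver accepts the naive body for a quote-free record but drops it for a record with quotes, an attacker only needs to put a quote in a username to suppress the notification for their own failed logins; rendering through the parsed template removes that dependency on the log content.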

FortiExplorer notification

To configure a FortiExplorer notification action in the GUI:

1. Go to Security Fabric > Automation and click Manage Components.


2. Click Create New > Action and select FortiExplorer Notification.
3. Configure the settings as needed.

4. Click OK.

To configure a FortiExplorer notification action in the CLI:

config system automation-action
    edit "fortiexplore_notification1"
        set description "fortiexplore_notification action"
        set action-type fortiexplorer-notification
    next
end

Microsoft Teams Notification action

Microsoft Teams Notification actions can be configured to send notifications to channels in Microsoft Teams. To trigger
the notifications, you need to add an Incoming Webhook connector to a channel in Microsoft Teams, then you can
configure the automation stitch with the webhook URL.
In the following example, you will configure an automation stitch with a Security Rating Summary trigger and two
Microsoft Teams Notification actions with different notification messages. One message is for the Security Rating
Summary log, and the other is a custom message with a ten second delay.


To add the Incoming Webhook connector in a Microsoft Teams channel:

1. In Microsoft Teams, click the ... (More options) beside the channel name, and select Connectors.
2. Search for Incoming Webhook and click Configure.
3. Enter a name for the webhook, upload an image for the webhook, and click Create.
4. Copy the webhook to the clipboard and save it.

5. Click Done.

To configure an automation stitch with Microsoft Teams Notification actions in the GUI:

1. Go to Security Fabric > Automation and click Create New.


2. Enter the stitch name.
3. Configure the Security Rating Summary trigger:
a. Click Add Trigger and select Security Rating Summary.
b. Enter a name, and for Report, select Security Posture.

c. Click Add.


4. Configure the first Microsoft Teams Notification action:


a. Click Add Action.
b. Click Create and select Microsoft Teams Notification.
c. Enter the following:

Name: teams_1
URL: Paste the webhook URI from the clipboard
Message: Text
Message text: %%log%%

d. Click OK.
e. Select the trigger in the list and click Apply.
5. Configure the second Microsoft Teams Notification action:
a. Click Add Action.
b. Click Create and select Microsoft Teams Notification.
c. Enter the following:

Name: teams_2
Delay: 10
URL: Paste the webhook URI from the clipboard
Message: Text
Message text: This is for test.

d. Click OK.
e. Select the trigger in the list and click Apply.
6. Click OK.
7. Trigger the automation stitch:
a. Right-click the automation stitch and select Test Automation Stitch.

After the Security Rating report is finished, the automation is triggered and an event log is created in
FortiGate. The two notifications are sent to the Microsoft Teams channel.


To configure an automation stitch with Microsoft Teams Notification actions in the CLI:

1. Configure the automation trigger:

config system automation-trigger
    edit "Teams_action"
        set event-type security-rating-summary
    next
end

2. Configure the automation actions:

config system automation-action
    edit "teams_1"
        set action-type microsoft-teams-notification
        set message-type text
        set message "%%log%%"
        set uri "outlook.office.com/webhook/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/IncomingWebhook/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    next
    edit "teams_2"
        set action-type microsoft-teams-notification
        set delay 10
        set message-type text
        set message "This is for test."
        set uri "outlook.office.com/webhook/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/IncomingWebhook/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    next
end

3. Configure the automation stitch:

config system automation-stitch
    edit "Teams_action"
        set trigger "Teams_action"
        set action "teams_1" "teams_2"
    next
end
4. Verify that the automation action was triggered:
# diagnose test application autod 3
stitch: Teams_action
local hit: 2 relayed to: 0 relayed from: 0
last trigger:Mon Nov 16 10:28:08 2020
last relay:
actions:
teams_1:
done: 2 relayed to: 0 relayed from: 0
last trigger:Mon Nov 16 10:28:08 2020
last relay:
teams_2:
done: 2 relayed to: 0 relayed from: 0
last trigger:Mon Nov 16 10:28:08 2020
last relay:
logid2stitch mapping:
id:52000 local hit: 22 relayed hits: 0
Teams_action


Replacement messages for email alerts

Automation stitches with an Email action can now leverage the formatting options provided by replacement messages
to create branded email alerts.
You can enable a replacement message and customize the message body when you configure the automation stitch
action. When the automation stitch is triggered, the FortiGate will send the email with the defined replacement
message.

To configure the email action in the GUI:

1. Go to Security Fabric > Automation and click Create New.


2. Enter the stitch name.
3. Configure the trigger:
a. Click Add Trigger and select Security Rating Summary.
b. Enter the following:

Name: auto_rating
Report: Security Posture

c. Click Add.
4. Configure the Email notification action:
a. Click Add Action.
b. Click Create and select Email.
c. Enter the following:

Name: auto_rating_email_action
To: Enter an email address
Subject: CSF stitch alert
Replacement message: Enable

d. Click Edit, and then edit the HTML code.

e. Click Save.

f. Click OK.
g. Select the trigger in the list and click Apply.
5. Click OK.
6. Right-click the automation stitch, and click Test Automation Stitch.

After the Security Rating report is finished, the automation is triggered, and the email is delivered with the
customized replacement message in the email body.


To configure the email action in the CLI:

1. Configure the automation trigger:


config system automation-trigger
edit "auto_rating"
set event-type security-rating-summary
next
end
2. Configure the automation action:
config system automation-action
edit "auto_rating_email"
set action-type email
set email-to "[email protected]"
set email-subject "CSF stitch alert"
set replacement-message enable
next
end
3. Configure the automation stitch:
config system automation-stitch
edit "auto_rating"
set trigger "auto_rating"
set action "auto_rating_email"
next
end

Security ratings

This section includes information about security rating related new features:
- Security Rating overlays on page 29


Security Rating overlays

Security Rating notifications are shown on settings pages, which list configuration issues determined by the Security
Rating report. You can open the recommendations to see which configuration items need to be fixed. This frees you
from going back and forth between the Security Rating page and the specific settings page. Notifications appear either
in the gutter, footer, or as a mutable.
There are overlay checks for the following test cases:

- Duplicate policy objects
- NTP is synchronized
- System uptime
- Local log disk space is full
- Certificate expiry date

Notifications can be dismissed in the GUI. Dismissed issues are unique for each administrator. Hashes for dismissed
notifications are saved in the browser's local storage. If a user clears the local storage, all issues will show up again
as not dismissed.

A Security Rating license is required for some of the overlays and associated pages to function. These Security
Rating overlays are available on downstream and multi-VDOM FortiGates.

Scorecard links

On the Security Fabric > Security Rating page, if there is a failed check on the scorecard, there is a link in the
description that takes you to the page to resolve the problem. In this example, there is an issue with the administrator
password policy that can be resolved on the System > Settings page.


Notification locations

On the System > Settings page, there is a Security Rating Issues section in the right-side gutter. To dismiss a
notification, hover over the issue and click the X beside it. To view dismissed notifications, enable Show Dismissed.

On the Network > Interfaces page, there is a Security Rating Issues section in the table footer. Click Security Rating
Issues to view the list of issues. To dismiss a notification, click the X beside it. To view dismissed notifications, click
Show Dismissed.

Notification pop-ups

When you click a Security Rating notification, a pop-up appears and the related setting is highlighted in the GUI. The
pop-up contains a description of the problem and a timestamp of when the issue was found.


Once an issue is resolved, the notification disappears after the next Security Rating report runs.

Network

This section includes information about network related new features:


- SD-WAN on page 32
- General on page 35
- IPv6 on page 45
- Web proxy on page 49

SD-WAN

This section includes information about SD-WAN related new features:


- Usability enhancements to SD-WAN Network Monitor service on page 32
- Hold down time to support SD-WAN service strategies on page 34

Usability enhancements to SD-WAN Network Monitor service

The SD-WAN Network Monitor service now supports running a speed test based on a schedule. The test results are
automatically updated in the interface measured-upstream-bandwidth and measured-downstream-bandwidth fields.
These fields do not impact the interface inbound bandwidth, outbound bandwidth, estimated upstream bandwidth, or
estimated downstream bandwidth settings.

When the scheduled speed tests run, it is possible to temporarily bypass the bandwidth limits set on the interface and
configure custom maximum or minimum bandwidth limits. These configurations are optional.

config system speed-test-schedule
    edit <interface>
        set schedules <schedule> ...
        set update-inbandwidth {enable | disable}
        set update-outbandwidth {enable | disable}
        set update-inbandwidth-maximum <integer>
        set update-inbandwidth-minimum <integer>
        set update-outbandwidth-maximum <integer>
        set update-outbandwidth-minimum <integer>
    next
end

update-inbandwidth {enable | disable}       Enable/disable bypassing the interface's inbound bandwidth setting.
update-outbandwidth {enable | disable}      Enable/disable bypassing the interface's outbound bandwidth setting.
update-inbandwidth-maximum <integer>        Maximum downloading bandwidth to be used in a speed test, in Kbps (0 - 16776000).
update-inbandwidth-minimum <integer>        Minimum downloading bandwidth to be considered effective, in Kbps (0 - 16776000).
update-outbandwidth-maximum <integer>       Maximum uploading bandwidth to be used in a speed test, in Kbps (0 - 16776000).
update-outbandwidth-minimum <integer>       Minimum uploading bandwidth to be considered effective, in Kbps (0 - 16776000).

In the following example, a speed test is scheduled on port1 at 10:00 and another one at 14:00, Monday to Friday.

To run a speed test based on a schedule:

1. Configure the recurring schedules:


config firewall schedule recurring
edit "10"
set start 10:00
set end 12:00
set day monday tuesday wednesday thursday friday
next
edit "14"
set start 14:00
set end 16:00
set day monday tuesday wednesday thursday friday
next
end

2. Configure the speed test schedule:


config system speed-test-schedule
edit "port1"
set schedules "10" "14"
set update-inbandwidth enable
set update-outbandwidth enable
set update-inbandwidth-maximum 60000
set update-inbandwidth-minimum 10000
set update-outbandwidth-maximum 50000
set update-outbandwidth-minimum 10000
next
end

3. View the speed test results:


config system interface
edit port1
get | grep measure
measured-upstream-bandwidth: 23691
measured-downstream-bandwidth: 48862
bandwidth-measure-time: Wed Jan 27 14:00:39 2021
next
end
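The procedure above pairs recurring schedules with per-interface minimum and maximum bounds, and the result only reaches the interface settings when the bounds allow it. The Python script below is an added example, not FortiOS code: it models the port1 configuration from the steps above, works out on which dates and at which times a test would start, and applies the bounds to a measured result to show which interface settings would change. Two points are assumptions of this model rather than statements from the guide: that a test starts once at the start time of each schedule covering that day, and that a result below the configured minimum is discarded while one above the maximum is capped (0 meaning no bound).

```python
from dataclasses import dataclass
from datetime import date, time

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class RecurringSchedule:
    """Mirrors `config firewall schedule recurring`."""
    name: str
    start: time
    end: time
    days: frozenset


@dataclass
class SpeedTestSchedule:
    """Mirrors `config system speed-test-schedule` for one interface."""
    interface: str
    schedules: list
    update_inbandwidth: bool = False
    update_outbandwidth: bool = False
    inbandwidth_maximum: int = 0    # 0 = no bound (assumption)
    inbandwidth_minimum: int = 0
    outbandwidth_maximum: int = 0
    outbandwidth_minimum: int = 0


def start_times_on(cfg, iso_day):
    """HH:MM start times of the speed tests on the given ISO date (assumption: one
    test per schedule whose day list covers that date, at the schedule's start)."""
    day_name = WEEKDAYS[date.fromisoformat(iso_day).weekday()]
    return sorted(s.start.strftime("%H:%M") for s in cfg.schedules if day_name in s.days)


def bounded_result(measured_kbps, minimum, maximum):
    """Assumed semantics of the min/max bounds: below the minimum the measurement is
    not effective (None, setting left alone); above the maximum it is capped."""
    if minimum and measured_kbps < minimum:
        return None
    if maximum and measured_kbps > maximum:
        return maximum
    return measured_kbps


def interface_updates(cfg, measured_down_kbps, measured_up_kbps):
    """Values a test result would write to the interface's inbandwidth/outbandwidth;
    None means that setting is not touched."""
    return {
        "inbandwidth": bounded_result(measured_down_kbps, cfg.inbandwidth_minimum,
                                      cfg.inbandwidth_maximum) if cfg.update_inbandwidth else None,
        "outbandwidth": bounded_result(measured_up_kbps, cfg.outbandwidth_minimum,
                                       cfg.outbandwidth_maximum) if cfg.update_outbandwidth else None,
    }


# The port1 configuration from the steps above.
WORKDAYS = frozenset(WEEKDAYS[:5])
PORT1 = SpeedTestSchedule(
    interface="port1",
    schedules=[
        RecurringSchedule("10", time(10, 0), time(12, 0), WORKDAYS),
        RecurringSchedule("14", time(14, 0), time(16, 0), WORKDAYS),
    ],
    update_inbandwidth=True, update_outbandwidth=True,
    inbandwidth_maximum=60000, inbandwidth_minimum=10000,
    outbandwidth_maximum=50000, outbandwidth_minimum=10000,
)

if __name__ == "__main__":
    print("2021-01-27:", start_times_on(PORT1, "2021-01-27"))   # Wednesday: both tests
    print("2021-01-30:", start_times_on(PORT1, "2021-01-30"))   # Saturday: none
    # The measured values are the ones shown in the `get | grep measure` output above.
    print(interface_updates(PORT1, measured_down_kbps=48862, measured_up_kbps=23691))
    print(interface_updates(PORT1, measured_down_kbps=8000, measured_up_kbps=70000))
```

The second interface_updates() call shows the two edge cases: a download result under the 10000 Kbps minimum leaves inbandwidth alone, and an upload result above the 50000 Kbps maximum is written as 50000.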


Hold down time to support SD-WAN service strategies

In a hub and spoke SD-WAN topology with shortcuts created over ADVPN, a shortcut going down or recovering can change
which member an SD-WAN service strategy selects. When a downed shortcut tunnel recovers and the shortcut is added back
into the service strategy, the shortcut is held at a low priority until the hold down time has elapsed, so that a
flapping shortcut does not immediately pull traffic back onto itself.
By default, the hold down time is zero seconds. It can be set to 0 - 10000000 seconds.

To configure the hold down time:

config system sdwan
config service
edit 1
set hold-down-time <integer>
next
end
end

Example

In this example, the hold down time is set to 15 seconds, and the SD-WAN service is examined before and after the
hold down elapses following the recovery of a downed shortcut.

To configure the hold down time:

config system sdwan
config service
edit 1
set hold-down-time 15
next
end
end

To view which SD-WAN member is selected before and after the hold down time elapses:

Before the hold down time has elapsed:


# diagnose sys sdwan service


Service(1): Address Mode(IPV4) flags=0x200
Gen(34), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-loss),
link-cost-threshold(0), heath-check(ping)
Hold down time(15) seconds, Hold start at 2003 second, now 2010
Member sub interface(4):
1: seq_num(1), interface(vd2-1):
1: vd2-1_0(86)
3: seq_num(2), interface(vd2-2):
1: vd2-2_0(88)

Members(4):
1: Seq_num(1 vd2-1), alive, packet loss: 27.000%, selected
2: Seq_num(2 vd2-2_0), alive, packet loss: 0.000%, selected
3: Seq_num(2 vd2-2), alive, packet loss: 0.000%, selected
4: Seq_num(1 vd2-1_0), alive, packet loss: 61.000%, selected
Dst address(1):
33.1.1.101-33.1.1.200

After the hold down time has elapsed:


# diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200
Gen(35), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-loss),
link-cost-threshold(0), heath-check(ping)
Hold down time(15) seconds, Hold start at 2018 second, now 2019
Member sub interface(4):

2: seq_num(2), interface(vd2-2):
1: vd2-2_0(88)
3: seq_num(1), interface(vd2-1):
1: vd2-1_0(86)
Members(4):
1: Seq_num(2 vd2-2_0), alive, packet loss: 0.000%, selected
2: Seq_num(2 vd2-2), alive, packet loss: 0.000%, selected
3: Seq_num(1 vd2-1), alive, packet loss: 24.000%, selected
4: Seq_num(1 vd2-1_0), alive, packet loss: 44.000%, selected
Dst address(1):
33.1.1.101-33.1.1.200
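As an added example that is not part of the FortiOS guide, the following Python parses `diagnose sys sdwan service` output of the kind shown in the two listings above, so that a script polling spokes over SSH or the REST API can tell how long a recovered shortcut remains inside its hold-down window and whether the member currently ranked first is there only because a better-scoring shortcut is still being held back. The sample text is copied from the "before" listing; the regular expressions, the `Member` fields and the helper names are my own and assume the output format shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the "before the hold down time has elapsed" listing from
# this page (only the lines the parser needs are kept).
SAMPLE_BEFORE = """\
Service(1): Address Mode(IPV4) flags=0x200
Gen(34), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-loss),
link-cost-threshold(0), heath-check(ping)
Hold down time(15) seconds, Hold start at 2003 second, now 2010
Member sub interface(4):
1: seq_num(1), interface(vd2-1):
1: vd2-1_0(86)
3: seq_num(2), interface(vd2-2):
1: vd2-2_0(88)
Members(4):
1: Seq_num(1 vd2-1), alive, packet loss: 27.000%, selected
2: Seq_num(2 vd2-2_0), alive, packet loss: 0.000%, selected
3: Seq_num(2 vd2-2), alive, packet loss: 0.000%, selected
4: Seq_num(1 vd2-1_0), alive, packet loss: 61.000%, selected
Dst address(1):
33.1.1.101-33.1.1.200
"""

HOLD_RE = re.compile(r"Hold down time\((\d+)\) seconds, Hold start at (\d+) second, now (\d+)")
MEMBER_RE = re.compile(
    r"^\s*(\d+): Seq_num\((\d+) ([^)]+)\), (\w+), packet loss: ([\d.]+)%(, selected)?")


@dataclass
class Member:
    rank: int        # position in the Members(...) list; 1 is the preferred member
    seq: int         # SD-WAN member seq_num
    name: str        # interface or shortcut name, for example vd2-2_0
    alive: bool
    loss_pct: float
    selected: bool


def parse_hold_down(text: str) -> Optional[Tuple[int, ...]]:
    """Return (hold_down_seconds, hold_start, now) from the service header, or None."""
    m = HOLD_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def hold_down_remaining(text: str) -> int:
    """Seconds until the recovered shortcut leaves low priority (0 if elapsed or absent)."""
    parsed = parse_hold_down(text)
    if parsed is None:
        return 0
    hold, start, now = parsed
    return max(0, start + hold - now)


def parse_members(text: str) -> List[Member]:
    """Members in the order the FortiGate ranks them, taken from the Members(...) block."""
    members: List[Member] = []
    in_block = False
    for line in text.splitlines():
        if line.startswith("Members("):
            in_block = True
            continue
        if not in_block:
            continue
        m = MEMBER_RE.match(line)
        if m is None:
            break  # "Dst address(...)" ends the member list
        rank, seq, name, state, loss, selected = m.groups()
        members.append(Member(int(rank), int(seq), name, state == "alive",
                              float(loss), selected is not None))
    return members


def hold_down_masks_better_member(text: str) -> bool:
    """True while the hold-down keeps a lossier member ranked above a cleaner, held shortcut."""
    members = parse_members(text)
    alive = [m for m in members if m.alive]
    if not alive or hold_down_remaining(text) == 0:
        return False
    best = min(alive, key=lambda m: m.loss_pct)
    return members[0].loss_pct > best.loss_pct


if __name__ == "__main__":
    print("hold-down remaining:", hold_down_remaining(SAMPLE_BEFORE), "s")
    for m in parse_members(SAMPLE_BEFORE):
        print(f"  {m.rank}: {m.name:<8} loss={m.loss_pct:6.2f}% selected={m.selected}")
    print("hold-down masking a better member:", hold_down_masks_better_member(SAMPLE_BEFORE))
```

In the "before" listing, vd2-1 is ranked first with 27% packet loss while the recovered shortcut vd2-2_0 shows 0% loss, which is exactly the hold-down effect; once `hold_down_remaining` reaches zero the same check returns false and the ranking should follow link cost again, as the "after" listing shows.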

General

This section includes information about general network related new features:
l Add option to select source interface and address for Telnet and SSH on page 36
l ECMP routes for recursive BGP next hop resolution on page 36
l BGP next hop recursive resolution using other BGP routes on page 37
l Add SNMP OIDs for shaping-related statistics on page 38
l PRP handling in NAT mode with virtual wire pair on page 41
l NetFlow on FortiExtender and tunnel interfaces on page 42


Add option to select source interface and address for Telnet and SSH

The new commands execute telnet-options and execute ssh-options allow administrators to set the outgoing
interface and source address for their connection. Telnet carries credentials and session data in cleartext, so
prefer execute ssh wherever the target supports it:

# execute telnet-options {interface <outgoing interface> | reset | source <source interface IP> | view-settings}
# execute ssh-options {interface <outgoing interface> | reset | source <source interface IP> | view-settings}

To edit the Telnet options:

# execute telnet-options interface port1


# execute telnet-options source 1.1.1.1

To confirm that the Telnet packets leave through the configured interface with the configured source address:

# diagnose sniffer packet any "port 23" 4


4.070426 port1 out 1.1.1.1.13938 -> 15.15.15.2.23: syn 400156130
4.070706 port1 in 15.15.15.2.23 -> 1.1.1.1.13938: syn 2889776642 ack 400156131

To edit the SSH options:

# execute ssh-options interface port1


# execute ssh-options source 1.1.1.1

To confirm that the SSH packets leave through the configured interface with the configured source address:

# diagnose sniffer packet any "port 22" 4


6.898985 port1 out 1.1.1.1.20625 -> 15.15.15.2.22: syn 1704095779
6.899286 port1 in 15.15.15.2.22 -> 1.1.1.1.20625: syn 753358246 ack 1704095780

ECMP routes for recursive BGP next hop resolution

When there are multiple ECMP routes to a BGP next hop, all of them are considered for the next hop recursive
resolution. This ensures that the outgoing traffic can be load balanced.

To support multipath, eBGP multipath, iBGP multipath, or both must be enabled, depending on the peering type that learned the routes:


config router bgp
set ebgp-multipath enable
set ibgp-multipath enable
end


In this example, there are two static routes. The FortiGate has learned two BGP routes from Router 1 that have the
same next hop at 10.100.100.1. The next hop is resolved by the two static routes.

To verify that the routes are added to the BGP routing table:

1. Check the two static routes:


# get router info routing-table static
Routing table for VRF=0
S 10.100.100.0/24 [10/0] via 172.16.200.55, port9
[10/0] via 172.16.203.2, agg1

2. Confirm that both routes are in the BGP routing table:


# get router info routing-table bgp
Routing table for VRF=0
B 10.100.10.0/24 [20/200] via 10.100.100.1 (recursive via 172.16.200.55, port9),
00:00:07
(recursive via 172.16.203.2, agg1),
00:00:07
B 10.100.11.0/24 [20/200] via 10.100.100.1 (recursive via 172.16.200.55, port9),
00:00:07
(recursive via 172.16.203.2, agg1),
00:00:07

BGP next hop recursive resolution using other BGP routes

By default, BGP routes are not considered when a BGP next hop requires recursive resolution. They are considered
when recursive-next-hop is enabled.

To consider BGP routes for recursive resolution of next hops:

config router bgp


set recursive-next-hop enable
end


Example

To see the change in the routing table when the option is enabled:

1. Check the BGP routing table:


# get router info routing-table bgp
Routing table for VRF=0
B 10.100.1.4/30 [200/0] via 10.100.1.14 (recursive is directly connected, R560),
00:02:06

2. Enable BGP routes for recursive resolution of next hops:


config router bgp
set recursive-next-hop enable
end

3. Check the BGP routing table again:


# get router info routing-table bgp
Routing table for VRF=0
B 10.100.1.4/30 [200/0] via 10.100.1.14 (recursive is directly connected, R560),
00:02:15
B 172.16.203.0/24 [200/0] via 10.100.1.6 (recursive via 10.100.1.14, R560), 00:00:06

The second BGP route's next hop is now recursively resolved by another BGP route.

Add SNMP OIDs for shaping-related statistics

Four SNMP OIDs have been added for polling the number of packets and bytes that traffic shaping either passed
(conformed) or dropped, per interface, shaping policy, and traffic class.

SNMP OID                                              Description
fgIntfBcQPackets   1.3.6.1.4.1.12356.101.7.5.4.1.1   Packets that conformed to shaping on the interface, policy, and class.
fgIntfBcQBytes     1.3.6.1.4.1.12356.101.7.5.4.1.2   Bytes that conformed to shaping on the interface, policy, and class.
fgIntfBcQPDrops    1.3.6.1.4.1.12356.101.7.5.4.1.3   Packets dropped by shaping on the interface, policy, and class.
fgIntfBcQBDrops    1.3.6.1.4.1.12356.101.7.5.4.1.4   Bytes dropped by shaping on the interface, policy, and class.


To configure an OID related to traffic shaping:

1. Configure SNMP:
config system snmp community
edit 1
set name "SNMP-TEST"
config hosts
edit 1
set ip 10.1.100.11 255.255.255.255
next
edit 2
set ip 172.16.200.55 255.255.255.255
next
end
config hosts6
edit 1
set ipv6 2000:172:16:200::55/128
next
edit 2
set ipv6 2000:10:1:100::11/128
next
end
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update faz-disconnect
next
end

2. Configure the traffic shaping profile:


config firewall shaping-profile
edit "eth-shape-hierarchical"
set comment "output shaper"
set type queuing
set default-class 31
config classes
edit 31
set class-id 31
set priority low
set maximum-bandwidth-percentage 100
next
edit 11
set class-id 11
set priority top
set guaranteed-bandwidth-percentage 50
set maximum-bandwidth-percentage 50
set limit 5
next
edit 12
set class-id 12
set priority critical
set guaranteed-bandwidth-percentage 20
set maximum-bandwidth-percentage 100
set red-probability 10
set min 5


set max 10
next
end
next
end

3. Configure the traffic shaping policy:


config firewall shaping-policy
edit 11
set comment "DIAMOND - 26 - AF31"
set service "ALL"
set dstintf "WAN"
set diffserv-forward enable
set diffservcode-forward 011010
set class-id 11
set srcaddr "HOST_10.71.15.2"
set dstaddr "HOST_10.72.15.2"
next
edit 25
set comment "GOLD - 20 - AF22"
set service "ALL"
set dstintf "WAN"
set diffserv-forward enable
set diffservcode-forward 010100
set class-id 12
set srcaddr "HOST_10.71.15.3"
set dstaddr "HOST_10.72.15.3"
next
end

4. Configure the traffic class:


config firewall traffic-class
edit 11
set class-name "a"
next
edit 12
set class-name "b"
next
edit 13
set class-name "c"
next
edit 14
set class-name "d"
next
end

5. Configure the interface:


config system interface
edit "wan1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
set allowaccess ping
set type physical
set outbandwidth 1024
set egress-shaping-profile "eth-shape-hierarchical"


set role lan


set snmp-index 1
next
end

Sample query

$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.1


FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.12 = Counter64: 11992
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.13 = Counter64: 2015
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.14 = Counter64: 2014
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.15 = Counter64: 1062
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.2
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.12 = Counter64: 3021984
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.13 = Counter64: 507780
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.14 = Counter64: 507528
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.15 = Counter64: 266272
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.3
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.12 = Counter64: 15211
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.13 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.14 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.15 = Counter64: 15267
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.4
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.12 = Counter64: 3833172
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.13 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.14 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.15 = Counter64: 3816750
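SNMP v2c sends the community string in cleartext with every query. The host entries in the community above limit which pollers the FortiGate answers; where the poller supports it, SNMPv3 with authentication and privacy is the better choice.

As an added example that is not part of the FortiOS guide, the following Python parses snmpwalk output for the four OIDs, in either the symbolic form shown above or the numeric form printed when the Fortinet MIB is not loaded, and reports the traffic classes whose shaping drop ratio crosses a threshold, which is the check a capacity or incident review actually wants from these counters. The sample walk is copied from the output above; reading the two trailing sub-identifiers as (interface snmp-index, class index) is my interpretation of that output, and the helper names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SHAPING_BASE = "1.3.6.1.4.1.12356.101.7.5.4.1"
COLUMNS = {1: "packets", 2: "bytes", 3: "pdrops", 4: "bdrops"}
NAMES = {"fgIntfBcQPackets": "packets", "fgIntfBcQBytes": "bytes",
         "fgIntfBcQPDrops": "pdrops", "fgIntfBcQBDrops": "bdrops"}

# Output as printed with the Fortinet MIB loaded ...
SYMBOLIC_RE = re.compile(
    r"^FORTINET-FORTIGATE-MIB::(fgIntfBcQ\w+)\.(\d+)\.(\d+) = Counter64: (\d+)$")
# ... and without it (numeric OIDs, as `snmpwalk -On` prints them).
NUMERIC_RE = re.compile(
    r"^\.?" + re.escape(SHAPING_BASE) + r"\.([1-4])\.(\d+)\.(\d+) = Counter64: (\d+)$")

# Assumption: the two trailing sub-identifiers are (interface snmp-index, class index).
Key = Tuple[int, int]

# Constructed sample: the four walks shown on this page, concatenated, prompts included.
SAMPLE_WALK = """\
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.1
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.12 = Counter64: 11992
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.13 = Counter64: 2015
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.14 = Counter64: 2014
FORTINET-FORTIGATE-MIB::fgIntfBcQPackets.1.15 = Counter64: 1062
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.2
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.12 = Counter64: 3021984
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.13 = Counter64: 507780
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.14 = Counter64: 507528
FORTINET-FORTIGATE-MIB::fgIntfBcQBytes.1.15 = Counter64: 266272
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.3
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.12 = Counter64: 15211
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.13 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.14 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQPDrops.1.15 = Counter64: 15267
$ snmpwalk -v2c -c SNMP-TEST 172.16.200.1 1.3.6.1.4.1.12356.101.7.5.4.1.4
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.12 = Counter64: 3833172
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.13 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.14 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIntfBcQBDrops.1.15 = Counter64: 3816750
"""


def empty_row() -> Dict[str, int]:
    return {"packets": 0, "bytes": 0, "pdrops": 0, "bdrops": 0}


def parse_walk(text: str) -> Dict[Key, Dict[str, int]]:
    """Fold the four counter columns into one row per (interface, class)."""
    stats: Dict[Key, Dict[str, int]] = defaultdict(empty_row)
    for line in text.splitlines():
        line = line.strip()
        m = SYMBOLIC_RE.match(line)
        col = NAMES.get(m.group(1)) if m else None
        if m is None:
            m = NUMERIC_RE.match(line)
            col = COLUMNS[int(m.group(1))] if m else None
        if m is None or col is None:
            continue  # prompts, unrelated OIDs, columns we do not know
        stats[(int(m.group(2)), int(m.group(3)))][col] = int(m.group(4))
    return dict(stats)


def drop_ratio(row: Dict[str, int], by: str = "packets") -> float:
    """Fraction of offered traffic that shaping dropped, counted by packets or bytes."""
    passed, dropped = ((row["packets"], row["pdrops"]) if by == "packets"
                       else (row["bytes"], row["bdrops"]))
    total = passed + dropped
    return dropped / total if total else 0.0


def congested_classes(stats: Dict[Key, Dict[str, int]], threshold: float = 0.5,
                      by: str = "packets") -> List[Tuple[Key, float]]:
    """Classes whose drop ratio exceeds the threshold, worst first."""
    hits = [(key, drop_ratio(row, by)) for key, row in stats.items()
            if drop_ratio(row, by) > threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    stats = parse_walk(SAMPLE_WALK)
    for (ifindex, cls), ratio in congested_classes(stats):
        print(f"ifindex {ifindex} class {cls}: {ratio:.1%} of packets dropped by shaping")
```

With the sample counters, the classes indexed .1.12 and .1.15 are dropping more than half of their offered packets, while .1.13 and .1.14 drop nothing; polling the four columns on a schedule and diffing the Counter64 values gives the rate rather than the lifetime total.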

PRP handling in NAT mode with virtual wire pair

PRP (Parallel Redundancy Protocol) is supported in NAT mode for a virtual wire pair. This preserves the PRP RCT
(redundancy control trailer) while the packet is processed by the FortiGate.

To configure PRP handling on a device in NAT mode:

1. Enable PRP in the VDOM settings:


(root) # config system settings
set prp-trailer-action enable
end

2. Enable PRP in the NPU attributes:


(global) # config system npu
set prp-port-in "port15"
set prp-port-out "port16"
end

3. Configure the virtual wire pair:


(root) # config system virtual-wire-pair
edit "test-vwp-1"
set member "port15" "port16"


next
end

NetFlow on FortiExtender and tunnel interfaces

NetFlow sampling is supported on FortiExtender and VPN tunnel interfaces.


VPN tunnel interfaces can be IPsec, IP in IP, or GRE tunnels. NetFlow sampling is supported on both NPU and non-
NPU offloaded tunnels.

To configure NetFlow sampling on an interface:

config system interface
edit <interface>
set netflow-sampler {disable | tx | rx | both}
next
end

disable    Disable NetFlow protocol on this interface.
tx         Monitor transmitted traffic on this interface.
rx         Monitor received traffic on this interface.
both       Monitor transmitted and received traffic on this interface.

Examples

In the following examples, a FortiExtender and a VPN tunnel interface are configured with NetFlow sampling.

To configure a FortiExtender interface with NetFlow sampling:

1. Configure a FortiExtender interface with NetFlow sampling enabled for both transmitted and received traffic:
config system interface
edit "fext-211"
set vdom "root"
set mode dhcp
set type fext-wan
set netflow-sampler both
set role wan
set snmp-index 8
set macaddr 2a:4e:68:a3:f4:6a
next
end

2. Check the NetFlow status and configuration:


Device index 26 is the FortiExtender interface fext-211.
# diagnose test application sflowd 3
===== Netflow Vdom Configuration =====
Global collector:172.18.60.80:[2055] source ip: 0.0.0.0 active-timeout(seconds):60
inactive-timeout(seconds):600
____ vdom: root, index=0, is master, collector: disabled (use global config) (mgmt vdom)


|_ coll_ip:172.18.60.80[2055],src_ip:10.6.30.105,seq_num:300,pkts/time to next template: 18/29
|_ exported: Bytes:3026268, Packets:11192, Sessions:290 Flows:482
|____ interface:fext-211 sample_direction:both device_index:26 snmp_index:8

3. Check the network interface list:


# diagnose netlink interface list
...
if=fext-211 family=00 type=1 index=26 mtu=1500 link=0 master=0
ref=27 state=start present fw_flags=60000 flags=up broadcast run multicast
...

4. Check the session list for the FortiExtender interface and NetFlow flowset packet:
# diagnose sys session list
session info: proto=1 proto_state=00 duration=1732 expire=59 timeout=0 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=145572/1733/1 reply=145572/1733/1 tuples=2
tx speed(Bps/kbps): 83/0 rx speed(Bps/kbps): 83/0
orgin->sink: org pre->post, reply pre->post dev=5->26/26->5 gwy=10.39.252.244/172.16.200.55
hook=post dir=org act=snat 172.16.200.55:61290->8.8.8.8:8(10.39.252.243:61290)
hook=pre dir=reply act=dnat 8.8.8.8:61290->10.39.252.243:0(172.16.200.55:61290)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00001298 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf
total session 1

5. The flowset packet can be captured on UDP port 2055 by a packet analyzer, such as Wireshark.


To configure a VPN tunnel interface with NetFlow sampling:

1. Configure a VPN interface with NetFlow sampling enabled for both transmitted and received traffic:
config system interface
edit "A-to-B_vpn"
set vdom "vdom1"
set type tunnel
set netflow-sampler both
set snmp-index 42
set interface "port3"
next
end

2. Configure the VPN tunnel:


config vpn ipsec phase1-interface
edit "A-to-B_vpn"
set interface "port3"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: A-to-B_vpn [Created by VPN wizard]"
set wizard-type static-fortigate
set remote-gw 10.2.2.2
set psksecret ENC
next
end
config vpn ipsec phase2-interface
edit "A-to-B_vpn"
set phase1name "A-to-B_vpn"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
set comments "VPN: A-to-B_vpn [Created by VPN wizard]"
set src-addr-type name
set dst-addr-type name
set src-name "A-to-B_vpn_local"
set dst-name "A-to-B_vpn_remote"
next
end

3. Check the NetFlow status and configuration:


Device index 52 is the VPN interface A-to-B_vpn.
# diagnose test application sflowd 3
===== Netflow Vdom Configuration =====
Global collector:172.18.60.80:[2055] source ip: 0.0.0.0 active-timeout(seconds):60
inactive-timeout(seconds):15
____ vdom: vdom1, index=1, is master, collector: disabled (use global config) (mgmt vdom)
|_ coll_ip:172.18.60.80[2055],src_ip:10.1.100.1,seq_num:60,pkts/time to next template:
15/6
|_ exported: Bytes:11795591, Packets:48160, Sessions:10 Flows:34
|____ interface:A-to-B_vpn sample_direction:both device_index:52 snmp_index:42

4. Check the session list for the VPN interface and NetFlow flowset packet (unencapsulated traffic going through the
VPN tunnel):


# diagnose sys session list


session info: proto=6 proto_state=01 duration=6 expire=3599 timeout=3600 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=6433/120/1 reply=884384/713/1 tuples=2
tx speed(Bps/kbps): 992/7 rx speed(Bps/kbps): 136479/1091
orgin->sink: org pre->post, reply pre->post dev=10->52/52->10 gwy=10.2.2.2/10.1.100.22
hook=pre dir=org act=noop 10.1.100.22:43714->172.16.200.55:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.22:43714(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:0c:29:ac:ae:4f
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=1
serial=00003b6c tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000001 no_offload
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0,
vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: disabled-by-policy
total session 1

5. The flowset packet can be captured on UDP port 2055 by a packet analyzer, such as Wireshark.
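The capture on UDP port 2055 referred to in both procedures above is a NetFlow v9 export. As an added example that is not part of the FortiOS guide, the following Python builds a constructed v9 packet (one template flowset and one data flowset, modelled on the VPN session listed above) and decodes it the way a collector must: templates are cached per exporter source ID, a data flowset whose template has not yet arrived is skipped rather than guessed at, and the decoded records can then be filtered by the snmp-index of the sampled interface. The field layout, the ifIndex values and all helper names are my own assumptions; the FortiGate's real template may carry different fields.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# NetFlow v9 field types (RFC 3954) used by the constructed template.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "proto", 7: "src_port", 8: "src",
               10: "in_snmp", 11: "dst_port", 12: "dst", 14: "out_snmp"}
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2), (1, 4), (2, 4)]
TemplateKey = Tuple[int, int]  # (source id, template id): templates are scoped per exporter

# Constructed flows modelled on the VPN session above (10.1.100.22:43714 -> 172.16.200.55:80).
# ifIndex values are assumptions: 42 is the tunnel's snmp-index on this page, 10 stands in for port3.
SAMPLE_FLOWS = [
    {"src": "10.1.100.22", "dst": "172.16.200.55", "src_port": 43714, "dst_port": 80,
     "proto": 6, "in_snmp": 10, "out_snmp": 42, "in_bytes": 6433, "in_pkts": 120},
    {"src": "172.16.200.55", "dst": "10.1.100.22", "src_port": 80, "dst_port": 43714,
     "proto": 6, "in_snmp": 42, "out_snmp": 10, "in_bytes": 884384, "in_pkts": 713},
]


def build_packet(flows: List[dict], template_id: int = 256, source_id: int = 0,
                 seq: int = 60, uptime_ms: int = 123456, unix_secs: int = 1611753639) -> bytes:
    """One v9 export: 20-byte header, a template flowset (ID 0), then a data flowset."""
    tmpl_body = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
    for ftype, flen in TEMPLATE_FIELDS:
        tmpl_body += struct.pack("!HH", ftype, flen)
    tmpl = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    data_body = b""
    for f in flows:  # field order must match TEMPLATE_FIELDS
        data_body += ipaddress.IPv4Address(f["src"]).packed
        data_body += ipaddress.IPv4Address(f["dst"]).packed
        data_body += struct.pack("!HHBHHII", f["src_port"], f["dst_port"], f["proto"],
                                 f["in_snmp"], f["out_snmp"], f["in_bytes"], f["in_pkts"])
    pad = (-len(data_body)) % 4  # flowsets are padded to a 32-bit boundary
    data = struct.pack("!HH", template_id, 4 + len(data_body) + pad) + data_body + b"\0" * pad
    count = 1 + len(flows)  # header count covers template and data records
    header = struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, seq, source_id)
    return header + tmpl + data


def parse_packet(buf: bytes, templates: Optional[Dict[TemplateKey, list]] = None):
    """Decode one export. Pass the same `templates` dict across packets, as a collector does."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = struct.unpack_from("!HHIIII", buf, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    header = {"version": version, "count": count, "uptime": uptime, "secs": secs,
              "seq": seq, "source_id": source_id}
    flows: List[dict] = []
    off = 20
    while off + 4 <= len(buf):
        fs_id, fs_len = struct.unpack_from("!HH", buf, off)
        if fs_len < 4 or off + fs_len > len(buf):
            raise ValueError("bad flowset length")
        body = buf[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: (template id, field count, (type, len)*)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if nfields == 0:
                    break  # trailing padding
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                               for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:
            fields = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in fields)
            for r in range(len(body) // rec_len):
                rec, pos = {}, r * rec_len
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field{ftype}")
                    rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in (8, 12)
                                 else int.from_bytes(raw, "big"))
                flows.append(rec)
        # data flowsets with an unknown template are skipped until the template arrives
        off += fs_len
    return header, flows


def flows_via_interface(flows: List[dict], snmp_index: int) -> List[dict]:
    """Records that entered or left through the interface with this snmp-index."""
    return [f for f in flows if snmp_index in (f.get("in_snmp"), f.get("out_snmp"))]


if __name__ == "__main__":
    hdr, recs = parse_packet(build_packet(SAMPLE_FLOWS))
    print(hdr)
    for rec in flows_via_interface(recs, 42):
        print(rec)
```

The template-before-data rule matters operationally: a collector started after the FortiGate's last template refresh decodes nothing until the next template is re-sent (the "pkts/time to next template" counters in the sflowd output above show when that happens), which is a common reason for an apparently empty flow feed.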

IPv6

This section includes information about IPv6 related new features:


l Configuring IPv6 multicast policies in the GUI on page 46
l FortiGate as an IPv6 DDNS client for generic DDNS on page 47
l FortiGate as an IPv6 DDNS client for FortiGuard DDNS on page 48
l Allow backup and restore commands to use IPv6 addresses on page 48


Configuring IPv6 multicast policies in the GUI

IPv6 multicast policies can be configured in the GUI. Comments can be configured for IPv4 and IPv6 multicast policies.

To configure an IPv6 multicast policy in the GUI:

1. Enable the IPv6 and multicast features:
a. Go to System > Feature Visibility.
b. Under Core Features, enable IPv6.
c. Under Additional Features, enable Multicast Policy.
d. Click Apply.
2. Create an IPv6 multicast address object:
a. Go to Policy & Objects > Addresses and click Create New > Address.
b. For Category, select IPv6 Multicast Address.
c. Enter a name and IPv6 address.
d. Click OK.


3. Create an IPv6 multicast policy:
a. Go to Policy & Objects > IPv6 Multicast Policy and click Create New.
b. Configure the settings as needed.
c. Click OK.

FortiGate as an IPv6 DDNS client for generic DDNS

When configuring the generic DDNS service provider as a DDNS server, the server type and address type can be set to
IPv6. This allows the FortiGate to connect to an IPv6 DDNS server and provide the FortiGate's IPv6 interface address
for updates.
config system ddns
edit <name>
set ddns-server genericDDNS
set server-type {ipv4 | ipv6}
set ddns-server-addr <address>
set addr-type {ipv4 | ipv6}
set monitor-interface <port>
next
end

To configure an IPv6 DDNS client with generic DDNS:

config system ddns
edit 1
set ddns-server genericDDNS
set server-type ipv6
set ddns-server-addr "2004:16:16:16::2" "16.16.16.2" "ddns.genericddns.com"
set ddns-domain "test.com"
set addr-type ipv6
set monitor-interface "port3"
next
end


FortiGate as an IPv6 DDNS client for FortiGuard DDNS

When configuring the FortiGuard DDNS service as a DDNS server, the server type and address type can be set to IPv6.
This allows the FortiGate to connect to FortiGuard over IPv6 and provide the FortiGate's IPv6 interface address for
updates.
config system ddns
edit <name>
set ddns-server FortiGuardDDNS
set server-type {ipv4 | ipv6}
set ddns-domain <name>.fortiddns.com
set addr-type {ipv4 | ipv6}
set monitor-interface <port>
next
end

To configure an IPv6 DDNS client with FortiGuard DDNS:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set server-type ipv6
set ddns-domain "fgtatest001.fortiddns.com"
set addr-type ipv6
set monitor-interface "port1"
next
end

Allow backup and restore commands to use IPv6 addresses

IPv6 is supported in the execute backup and execute restore commands to TFTP and FTP servers. Neither TFTP nor
FTP encrypts the transfer, and a configuration backup contains administrator credentials, pre-shared keys and
certificates; keep these transfers on a management network and use the optional backup password argument of
execute backup config so that the file itself is encrypted.

To back up a configuration file to an IPv6 TFTP server:

# execute backup config tftp fgta.conf 2000:172:16:200::55


Please wait...
Connect to tftp server 2000:172:16:200::55 ...

Send config file to tftp server OK.

To restore a configuration file from an IPv6 TFTP server:

# execute restore config tftp fgta.conf 2000:172:16:200::55


This operation will overwrite the current setting and could possibly reboot the system!
Do you want to continue? (y/n)y

Please wait...
Connect to TFTP server 2000:172:16:200::55 ...

Get file from TFTP server OK.


File check OK.
The system is going down NOW !!


To back up a configuration file to an IPv6 FTP server:

# execute backup config ftp fgta.conf 2000:172:16:200::55 root xxxxxxxxxx


Please wait...

Connect to ftp server 2000:172:16:200::55 ...


Send config file to ftp server OK.

To restore a configuration file from an IPv6 FTP server:

# execute restore config ftp fgta.conf 2000:172:16:200::55 root xxxxxxxxxx


This operation will overwrite the current setting and could possibly reboot the system!
Do you want to continue? (y/n)y

Please wait...
Connect to ftp server 2000:172:16:200::55 ...

Get config file from ftp server OK.


File check OK.
The system is going down NOW !!

Web proxy

This section includes information about web proxy related new features:
l Explicit proxy authentication over HTTPS on page 49
l Selectively forward web requests to a transparent web proxy on page 51

Explicit proxy authentication over HTTPS

When an HTTP request requires authentication in the explicit proxy, the authentication can be redirected to a secure
HTTPS captive portal. Once authentication is complete, the client is redirected back to the original destination over
HTTP. This protects the user's credentials: instead of being sent in cleartext inside the HTTP request, they are
submitted to the FortiGate's captive portal over HTTPS and are therefore encrypted in transit.

Example

A user visits a web site over HTTP through the explicit web proxy on a FortiGate. The user is required to
authenticate, by either basic or form (IP-based) authentication, for the explicit web proxy service. The user's
credentials must be transmitted across the network over HTTPS rather than in plain text.


In the following example, you will use the CLI to configure the captive portal settings to authenticate users over HTTPS.
After you configure the authentication settings, enable authorization for an explicit web proxy by configuring users or
groups in the policy.

To configure authentication settings with the CLI:

config authentication setting
set captive-portal-type fqdn
set captive-portal "fgt-cp"
set auth-https enable
end
config authentication scheme
edit "form"
set method form
set user-database "local-user-db"
next
end
config authentication rule
edit "form"
set srcaddr "all"
set active-auth-method "form"
next
end
config firewall address
edit "fgt-cp"
set type fqdn
set fqdn "fgt.fortinetqa.local"
next
end
config system interface
edit "port10"
...
set ip 10.1.100.1 255.255.255.0
set explicit-web-proxy enable
set proxy-captive-portal enable
next
end

set captive-portal-type     Set to ip or fqdn.
set captive-portal          If captive-portal-type is fqdn, then captive-portal should be configured as an fqdn
                            firewall address. If captive-portal-type is ip, then captive-portal-ip should be
                            configured instead.
set auth-https              Set to enable to redirect the client to the captive portal to authenticate over HTTPS.
set ip                      The IP address of the FortiGate captive portal.
set proxy-captive-portal    Set to enable to use the captive portal for the explicit web proxy.

For the HTTPS redirect to protect anything in practice, clients must resolve the captive portal FQDN to the
FortiGate, and the certificate the portal presents must be trusted by the clients' browsers; otherwise users are
trained to click through certificate warnings before entering their credentials.

Selectively forward web requests to a transparent web proxy

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream
web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address (set
webproxy-forward-server), which can be based on a FortiGuard URL category.

The FortiGuard web filter service must be enabled on the downstream FortiGate.

Forwarding behavior

The forward server will be ignored if the proxy policy matching for a particular session needs the FortiGate to see
authentication information inside the HTTP (plain text) message. For example, assume that user authentication is
required and a forward server is configured in the transparent web proxy, and the authentication method is an active
method (such as basic). When the user or client sends the HTTP request over SSL with authentication information to
the FortiGate, the request cannot be forwarded to the upstream proxy. Instead, it will be forwarded directly to the
original web server (assuming deep inspection and http-policy-redirect are enabled in the firewall policy).

The FortiGate will close the session before the client request can be forwarded if all of the following conditions are met:
l The certificate inspection is configured in the firewall policy that has the http-policy-redirect option
enabled.
l A previously authenticated IP-based user record cannot be found by the FortiGate's memory during the SSL
handshake.
l Proxy policy matching needs the FortiGate to see the HTTP request authentication information.
This means that in order to enable user authentication and use webproxy-forward-server in the transparent web
proxy policy at the same time, the following best practices should be followed:
l In the firewall policy that has the http-policy-redirect option enabled, set ssl-ssh-profile to use the
deep-inspection profile.
l Use IP-based authentication rules; otherwise, the webproxy-forward-server setting in the transparent web
proxy policy will be ignored.
l Use a passive authentication method such as FSSO. With FSSO, once the user is authenticated as a domain user
by a successful login, the web traffic from the user's client will always be forwarded to the upstream proxy as long
as the authenticated user remains unexpired. If the authentication method is an active authentication method
(such as basic, digest, NTLM, negotiate, form, and so on), the first session containing authentication information
will bypass the forward server, but the following sessions will be connected through the upstream proxy.


Sample configuration

On the downstream FortiGate proxy, two category proxy addresses are used as the destination address in two separate
transparent web proxy policies:
l In the policy with upStream_proxy_1 as the forward server, the proxy address category_infotech matches URLs in
the information technology category (FortiGuard category 52).
l In the policy with upStream_proxy_2 as the forward server, the proxy address category_social matches URLs in
the social media category (FortiGuard category 37).

To configure forwarding requests to transparent web proxies:

1. Configure the proxy forward servers:


config web-proxy forward-server
edit "upStream_proxy_1"
set ip 172.16.200.20
next
edit "upStream_proxy_2"
set ip 172.16.200.46
next
end

2. Configure the web proxy addresses:


config firewall proxy-address
edit "category_infotech"
set type category
set host "all"
set category 52
next
edit "category_social"
set type category
set host "all"
set category 37
next
end

3. Configure the firewall policy:


config firewall policy
edit 1
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set http-policy-redirect enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
set nat enable
next
end


4. Configure the proxy policies:


config firewall proxy-policy
edit 1
set proxy transparent-web
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "category_infotech"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "upStream_proxy_1"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
next
edit 2
set proxy transparent-web
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "category_social"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "upStream_proxy_2"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
next
end


System

This section includes information about system related new features:


l FortiGuard on page 54

FortiGuard

This section includes information about FortiGuard related new features:


l Update OUI files from FortiGuard on page 54

Update OUI files from FortiGuard

FortiGuard updates for OUI files are used to identify device vendors by MAC address. This database is used in WiFi
and device detection.
When the FortiGate has a Firmware & General Updates entitlement in FortiCare, the FortiGuard MADB (MAC address
database) contract is included.

To verify the contracts on the FortiGate:

# diagnose test update info contract


...
System contracts:
...
MADB,Sun Oct 3 16:00:00 2021
...
Object versions:
...
07000000MADB00100-00001.00047-2101190900

To verify the database status:

# diagnose autoupdate versions


....
Mac Address Database
---------
Version: 1.00047
Contract Expiry Date: Sat Oct 2 2021
Last Updated using manual update on Tue Jan 19 09:00:00 2021
Last Update Attempt: Fri Jan 29 11:55:54 2021
Result: No Updates


Policy and Objects

This section includes information about policy and object related new features:
l NGFW on page 55
l Policies on page 58
l Objects on page 63

NGFW

This section includes information about NGFW policy mode related new features:
l Filters for application control groups in NGFW mode on page 55

Filters for application control groups in NGFW mode

When defining application groups in NGFW policy mode, the following group filters are now available: protocols, risk,
vendor, technology, behavior, popularity, and category.
config application group
edit <name>
set type filter
set protocols <integer>
set risk <integer>
set vendor <id>
set technology <id>
set behavior <id>
set popularity <integer>
set category <id>
next
end

protocols <integer>     Application protocol filter (0 - 47, or all).
risk <integer>          Risk or impact of allowing traffic from this application to occur (1 - 5; low (1),
                        elevated (2), medium (3), high (4), and critical (5)).
vendor <id>             Application vendor filter (0 - 25, or all).
technology <id>         Application technology filter:
                        l all
                        l 0 (network-protocol)
                        l 1 (browser-based)
                        l 2 (client-server)
                        l 4 (peer-to-peer)
behavior <id>           Application behavior filter:
                        l all
                        l 2 (botnet)
                        l 3 (evasive)
                        l 5 (excessive bandwidth)
                        l 6 (tunneling)
                        l 9 (cloud)
popularity <integer>    Application popularity filter (1 - 5, from least to most popular).
category <id>           Application category filter:
                        l 2 (P2P)
                        l 3 (VoIP)
                        l 5 (video/audio)
                        l 6 (proxy)
                        l 7 (remote access)
                        l 8 (game)
                        l 12 (general interest)
                        l 15 (network service)
                        l 17 (update)
                        l 21 (email)
                        l 22 (storage backup)
                        l 23 (social media)
                        l 25 (web client)
                        l 26 (industrial)
                        l 28 (collaboration)
                        l 29 (business)
                        l 30 (cloud IT)
                        l 31 (mobile)
                        l 32 (unknown applications)
Sample configurations

In this example, a single filter (risk level 1) is configured in the application group, so only signatures matching this filter
will match the security policy.

To configure the application group:

config application group
    edit "risk_1"
        set type filter
        set risk 1
    next
end

To configure the security policy:

config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group risk_1
        set logtraffic all
    next
end

In this example, the application group is configured so that only signatures matching both filters, category 5
(video/audio) and technology 1 (browser-based), will match the security policy. The application group can also be
configured in a traffic shaping policy.

To configure the application group:

config application group
    edit "two"
        set type filter
        set category 5
        set technology 1
    next
end

To configure the security policy:

config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group two
        set logtraffic all
    next
end

To configure the traffic shaping policy:

config firewall shaping-policy
    edit 1
        set ip-version 4
        set service "ALL"
        set app-group two
        set dstintf port1
        set traffic-shaper "max-100"
        set traffic-shaper-reverse "max-100"
        set srcaddr "all"
        set dstaddr "all"
    next
end

Policies

This section includes information about policy related new features:

• DNS health check monitor for server load balancing on page 58
• Carrier-grade NAT on page 59
• Separate ZTNA tag in policy configuration on page 61

DNS health check monitor for server load balancing

A DNS health check monitor can be configured for server load balancing. The monitor uses DNS queries over TCP or UDP as the probes. The IP address returned for the request domain is compared with the configured match IP address to verify the response.
The DNS health check monitor does not support IPv6.

To create a DNS health check monitor:

config firewall ldb-monitor
    edit <name>
        set type dns
        set port <string>
        set dns-protocol {udp | tcp}
        set dns-request-domain <string>
        set dns-match-ip <class_ip>
    next
end

type                            The monitor type that is used by the health check monitor to check the health of the server.

port <string>                   The service port that is used to perform the health check (0 - 65535, default = 0). If type is set to dns, port is set to 53.

dns-protocol {udp | tcp}        The protocol used by the DNS health check monitor to check the health of the server (default = udp).

dns-request-domain <string>     The fully qualified domain name to resolve for the DNS probe (default = www.example.com).

dns-match-ip <class_ip>         The response IP address expected from the DNS server (default =

Example

In this example, a DNS health check monitor is created and used in a VIP.

The FortiGate sends the DNS request on UDP port 53 to the configured real servers every 30 seconds. If the DNS
response from a real server matches the DNS match IP address, then the real server is marked as Active. Otherwise, it
is marked as Down.

To configure the health check monitor:

1. Create a new DNS health check monitor:

    config firewall ldb-monitor
        edit "dns-monitor-1"
            set type dns
            set interval 30
            set port 53
            set src-ip 172.16.200.10
            set dns-request-domain "pc4.qa.fortinet.com"
            set dns-match-ip 172.16.200.44
        next
    end

2. Apply the monitor to a virtual server:

    config firewall vip
        edit "test-vs-ip-1"
            set type server-load-balance
            set extip 10.1.100.153
            set extintf "wan2"
            set server-type ip
            set monitor "dns-monitor-1"
            set ldb-method round-robin
            config realservers
                edit 1
                    set ip 172.16.200.44
                next
                edit 2
                    set ip 172.16.200.55
                next
            end
        next
    end
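
The probe logic described above, written out as an added Python example rather than FortiOS code: it builds the A query for dns-request-domain, parses the answer, and marks a real server Active only when dns-match-ip appears in the response. The transaction ID 0x1234, the probe() UDP sender and the sample response bytes are constructed for this example, not captured from the lab above.

```python
"""DNS health check probe modelled on the FortiGate ldb-monitor 'dns' type.

Added example, not FortiOS code. One probe = one A query for the request
domain; the real server is Active only if the expected IP (dns-match-ip)
is among the A records in a clean (rcode 0) response to that query.
"""
import socket
import struct


def build_dns_query(domain: str, txid: int) -> bytes:
    """Standard recursive A query (RD=1) for the request domain."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in domain.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, txid: int) -> list:
    """Return the A-record IPs in a response, or [] if it is not a usable answer."""
    try:
        rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        is_response = bool(flags & 0x8000)
        rcode = flags & 0x000F
        if rid != txid or not is_response or rcode != 0:
            return []
        off = 12
        for _ in range(qd):            # skip the question section
            off = _skip_name(msg, off) + 4
        ips = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen
        return ips
    except (IndexError, struct.error):  # truncated or malformed response
        return []


def server_status(response: bytes, txid: int, match_ip: str) -> str:
    """Active if the expected IP is among the A records, otherwise Down."""
    return "Active" if match_ip in parse_a_records(response, txid) else "Down"


def probe(server_ip: str, domain: str, match_ip: str, port: int = 53,
          timeout: float = 2.0, txid: int = 0x1234) -> str:
    """Send one UDP probe to a real server; a timeout or socket error counts as Down."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_dns_query(domain, txid), (server_ip, port))
            data, _ = s.recvfrom(512)
    except OSError:
        return "Down"
    return server_status(data, txid, match_ip)


def build_sample_response(txid: int, domain: str, ips: list, rcode: int = 0) -> bytes:
    """Constructed response for offline testing (not captured from a real server)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = build_dns_query(domain, txid)[12:]
    answers = b""
    for ip in ips:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL 60
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers


if __name__ == "__main__":
    good = build_sample_response(0x1234, "pc4.qa.fortinet.com", ["172.16.200.44"])
    print(server_status(good, 0x1234, "172.16.200.44"))
```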

Carrier-grade NAT

Users can control concurrent TCP/UDP connections through a connection quota in the per-IP shaper, and can control the port quota in the fixed port range IP pool.

config firewall shaper per-ip-shaper
    edit <name>
        set max-concurrent-tcp-session <integer>
        set max-concurrent-udp-session <integer>
    next
end

max-concurrent-tcp-session <integer>    Maximum number of concurrent TCP sessions allowed by this shaper (0 - 2097000, 0 = no limit).

max-concurrent-udp-session <integer>    Maximum number of concurrent UDP sessions allowed by this shaper (0 - 2097000, 0 = no limit).

config firewall ippool
    edit <name>
        set type fixed-port-range
        set port-per-user <integer>
    next
end

port-per-user <integer>    Number of ports for each user (32 - 60416, 0 = default).

To configure a connection quota:

config firewall shaper per-ip-shaper
    edit "per-ip-shaper256kbps"
        set max-bandwidth 256
        set max-concurrent-session 10
        set max-concurrent-tcp-session 5
        set max-concurrent-udp-session 5
    next
end

To configure a port quota:

config firewall ippool
    edit "test-ippool-fpr-1"
        set type fixed-port-range
        set startip 172.16.200.125
        set endip 172.16.200.125
        set source-startip 10.1.100.41
        set source-endip 10.1.100.42
        set port-per-user 30208
    next
end

To verify the fixed range IP pool:

# diagnose firewall ippool-fixed-range list natip 172.16.200.125
ippool name=test-ippool-fpr-1, ip shared num=2, port num=30208
internal ip=10.1.100.41, nat ip=172.16.200.125, range=5117~35324
internal ip=10.1.100.42, nat ip=172.16.200.125, range=35325~65532

To verify the SNAT behavior when the IP pool is used in a policy:

# diagnose sniffer packet any 'host 172.16.200.55'
Using Original Sniffing Mode
interfaces=[any]
filters=[host 172.16.200.55]
32.204955 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: syn 797929945
32.205027 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: syn 797929945
32.205328 wan1 in 172.16.200.55.80 -> 172.16.200.125.51209: syn 4191137758 ack 797929946
32.205568 wan2 out 172.16.200.55.80 -> 10.1.100.42.21001: syn 4191137758 ack 797929946
32.205766 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: ack 4191137759
32.205770 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: ack 4191137759
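
To make the port arithmetic in the diagnose and sniffer output above checkable, here is an added Python example (not FortiOS code) that allocates per-user port blocks the way the sample output shows and maps a NAT source port such as 51209 back to its internal host, plus a small admission counter for the per-IP session quotas. It assumes a single NAT IP and a usable port space of 5117-65532 (60416 ports, the option's maximum), which is inferred from the sample output rather than documented.

```python
"""Carrier-grade NAT quota arithmetic, as an added example (not FortiOS code).

Part 1 models the fixed-port-range IP pool shown by
'diagnose firewall ippool-fixed-range list': each internal source IP gets a
contiguous block of port-per-user ports on the single NAT IP, handed out in
source-IP order, so a NAT source port seen in a capture or log can be mapped
back to the internal host (useful when attributing logged egress traffic).
Part 2 models the per-IP shaper session quotas as an admission counter.
"""
import ipaddress
from collections import defaultdict

PORT_SPACE_START = 5117    # assumption: first NAT port in the sample output
PORT_SPACE_END = 65532     # assumption: last NAT port in the sample output
PORT_SPACE_SIZE = PORT_SPACE_END - PORT_SPACE_START + 1   # 60416


def allocate_port_ranges(source_startip, source_endip, port_per_user):
    """Return {internal_ip: (first_port, last_port)}; raise if the quota cannot fit."""
    start = ipaddress.IPv4Address(source_startip)
    end = ipaddress.IPv4Address(source_endip)
    if end < start:
        raise ValueError("source-endip precedes source-startip")
    if not 32 <= port_per_user <= PORT_SPACE_SIZE:
        raise ValueError("port-per-user must be within 32 - 60416")
    users = int(end) - int(start) + 1
    if users * port_per_user > PORT_SPACE_SIZE:
        raise ValueError(f"{users} users x {port_per_user} ports exceed the "
                         f"{PORT_SPACE_SIZE}-port space of one NAT IP")
    ranges = {}
    for i in range(users):
        first = PORT_SPACE_START + i * port_per_user
        ranges[str(start + i)] = (first, first + port_per_user - 1)
    return ranges


def attribute_nat_port(ranges, nat_port):
    """Map a NAT source port back to the internal IP that owns it, or None."""
    for internal_ip, (first, last) in ranges.items():
        if first <= nat_port <= last:
            return internal_ip
    return None


def format_like_diagnose(name, nat_ip, ranges, port_per_user):
    """Render the allocation in the layout of the diagnose command's output."""
    lines = [f"ippool name={name}, ip shared num={len(ranges)}, port num={port_per_user}"]
    for internal_ip, (first, last) in ranges.items():
        lines.append(f"internal ip={internal_ip}, nat ip={nat_ip}, range={first}~{last}")
    return "\n".join(lines)


class PerIpSessionQuota:
    """Admission counter for max-concurrent-session / -tcp-session / -udp-session (0 = no limit)."""

    def __init__(self, max_session=0, max_tcp=0, max_udp=0):
        self.limits = {"all": max_session, "tcp": max_tcp, "udp": max_udp}
        self.counts = defaultdict(lambda: {"all": 0, "tcp": 0, "udp": 0})

    def open_session(self, src_ip, proto):
        """True if a new session is admitted under both the total and the per-protocol limit."""
        c = self.counts[src_ip]
        for key in ("all", proto):
            if self.limits[key] and c[key] >= self.limits[key]:
                return False
        c["all"] += 1
        c[proto] += 1
        return True

    def close_session(self, src_ip, proto):
        """Release one session of the given protocol for the source IP."""
        c = self.counts[src_ip]
        c["all"] = max(0, c["all"] - 1)
        c[proto] = max(0, c[proto] - 1)


if __name__ == "__main__":
    pool = allocate_port_ranges("10.1.100.41", "10.1.100.42", 30208)
    print(format_like_diagnose("test-ippool-fpr-1", "172.16.200.125", pool, 30208))
    print("NAT port 51209 belongs to", attribute_nat_port(pool, 51209))
```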

Separate ZTNA tag in policy configuration

Zero-trust network access (ZTNA) can be enabled in a firewall policy configuration, allowing EMS and geo-IP tags to be
configured separately from the source address, user, and internet service. A logical AND is applied between ZTNA tag
options and the rest of the source criteria.
ZTNA allows an off-site user (FortiClient) to be identified by its EMS tag when it registers to the EMS server. When this
tag synchronizes with the FortiGate, it can be used to control access to internal resources such as HTTPS servers, RDP,
and so on.
Enforcing ZTNA in a policy allows for granular control over the clients that are allowed to access certain resources, which
increases security and suits the dynamic nature of off-site users.
The FortiClient endpoint must first be registered on EMS (see FortiClient EMS in the FortiOS Administration Guide for
more information). Once the endpoint entry is in the FortiGate's record list, the FortiGate generates an EMS tag
subtype firewall dynamic address that can be used in the firewall policy when ZTNA is enabled.

To configure a policy with ZTNA tags in the GUI:

1. Configure an address group for the EMS tag:
    a. Go to Policy & Objects > Addresses and click Create New > Address Group.
    b. Enable ZTNA tag and select EMS.
    c. Enter a group name.
    d. In the Members field, click the + and select the entries.
    e. Click OK.
2. Configure an address group for the geographic IP tag:
    a. Click Create New > Address Group.
    b. Enable ZTNA tag and select Geographic IP.
    c. Enter a group name.
    d. In the Members field, click the + and select the entries.
    e. Click OK.
3. Configure the firewall policy:
    a. Go to Policy & Objects > Firewall Policy and click Create New.
    b. Enable Enforce ZTNA.
    c. For EMS Tag, click the + and select the address and/or address group tags.
    d. For Geographic IP Tag, click the + and select the address and/or address group tags.
    e. Configure the other settings as needed and click OK.

To configure a policy with ZTNA tags in the CLI:

1. Configure an address group for the EMS tag:

    config firewall addrgrp
        edit "grp-ztna-ems-tag"
            set category ztna-ems-tag
            set member "FCTEMS8821000043_ems133_vulnerability_tag" "MAC_FCTEMS8821000043_ems133_winos_tag"
        next
    end

2. Configure an address group for the geographic IP tag:

    config firewall addrgrp
        edit "grp-ztna-geo-tag"
            set category ztna-geo-tag
            set member "CA" "US"
        next
    end

3. Configure the firewall policy:

    config firewall policy
        edit 1
            set name "11"
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-status enable
            set ztna-ems-tag "FCTEMSTA20002318_ems135_winOS_tag" "grp-ztna-ems-tag" "MAC_FCTEMSTA20002318_ems135_winOS_tag"
            set ztna-geo-tag "CA" "grp-ztna-geo-tag"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

Objects

This section includes information about object related new features:

• Record central NAT and DNAT hit count on page 63

Record central NAT and DNAT hit count

Daily hit counts for central NAT and DNAT can be displayed in the CLI for IPv4 and IPv6.

To view the central SNAT counter:

# diagnose firewall iprope show 10000d <id>
# diagnose firewall iprope6 show 10000d <id>

To view the DNAT counter:

# diagnose firewall iprope show 100000 <id>
# diagnose firewall iprope6 show 100000 <id>

To clear the counters:

# diagnose firewall iprope clear 10000d <id>
# diagnose firewall iprope clear 100000 <id>
# diagnose firewall iprope6 clear 10000d <id>
# diagnose firewall iprope6 clear 100000 <id>

Sample output

# diagnose firewall iprope show 10000d 1
idx=1 hit count:6 (2 4 0 0 0 0 0 0)
first:2021-01-23 12:10:37 last:2021-01-24 12:12:24

For entry ID 1, traffic has matched the central SNAT entry six times since the counter was last cleared. The numbers in parentheses are the per-day hit counts for the present day and the previous seven days (here, 2 today and 4 the day before).

# diagnose firewall iprope show 100000 1
idx=1 hit count:3 (1 2 0 0 0 0 0 0)
first:2021-01-23 12:10:37 last:2021-01-24 12:12:23

For entry ID 1, traffic has matched the DNAT (VIP) entry three times since the counter was last cleared. The numbers in parentheses are the per-day hit counts for the present day and the previous seven days.

The hit counters can be used for NP offloaded traffic.

Security profiles

This section includes information about security profile related new features:
• Antivirus on page 65
• Web filter on page 69
• SSL/SSH inspection on page 74
• Others on page 77

Antivirus

This section includes information about antivirus related new features:

• Stream-based antivirus scan in proxy mode for FTP, SFTP, and SCP on page 65
• Configure threat feed and outbreak prevention without AV engine scan on page 66

Stream-based antivirus scan in proxy mode for FTP, SFTP, and SCP

Stream-based antivirus scanning in proxy mode is supported for FTP, SFTP, and SCP protocols.
• Stream-based antivirus scanning optimizes memory utilization for large archive files by decompressing the files on the fly and scanning the files as they are extracted.
• File types can be determined after scanning a few KB, without buffering the entire file.
• Viruses can be detected even if they are hiding in the middle or end of a large archive.
• When scanning smaller files, traffic throughput is improved by scanning the files directly on the proxy-based WAD daemon, without invoking scanunit.
Stream-based scanning is the default scan mode when an antivirus profile is in proxy mode. To disable stream-based scanning, set the scan mode to legacy; archives are then only scanned after the entire file has been received.

To configure stream-based scan:

config antivirus profile
    edit <string>
        ...
        set feature-set proxy
        set scan-mode {default* | legacy}
        ...
    next
end

TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP
window size of about 2GB.

The TCP window options can be used to prevent overly large initial TCP window sizes, helping avoid channel flow
control issues. It allows stream-based scan's flow control to limit peers from sending data that exceeds a policy's
configured oversize limit.

To configure TCP window size options:

config firewall profile-protocol-options
    edit <string>
        config {ftp | ssh}
            ...
            set stream-based-uncompressed-limit <integer>
            set tcp-window-type {system | static | dynamic}
            set tcp-window-size <integer>
            set tcp-window-minimum <integer>
            set tcp-window-maximum <integer>
            ...
        end
    next
end

{ftp | ssh}                                    • ftp: Configure FTP protocol options.
                                               • ssh: Configure SFTP and SCP protocol options.

stream-based-uncompressed-limit <integer>      The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0 (unlimited)). Stream-based uncompression is used only under certain conditions.

tcp-window-type {system | static | dynamic}    The TCP window type to use for this protocol:
                                               • system: Use the system default TCP window size for this protocol (default).
                                               • static: Manually specify the TCP window size.
                                               • dynamic: Vary the TCP window size based on available memory within the limits configured in tcp-window-minimum and tcp-window-maximum.

tcp-window-size <integer>                      The TCP static window size (65536 - 33554432, default = 262144). This option is only available when tcp-window-type is static.

tcp-window-minimum <integer>                   The minimum TCP dynamic window size (65536 - 1048576, default = 131072). This option is only available when tcp-window-type is dynamic.

tcp-window-maximum <integer>                   The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608). This option is only available when tcp-window-type is dynamic.

Configure threat feed and outbreak prevention without AV engine scan

In the CLI, users can enable malware threat feeds and outbreak prevention without performing an AV scan. In the GUI and CLI, users can choose to use all malware threat feeds, or specify the ones they want to use. Replacement messages have been updated for external block lists.

config antivirus profile
    edit <name>
        config http
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set quarantine {enable | disable}
        end
        ...
        set outbreak-prevention-archive-scan {enable | disable}
        set external-blocklist-archive-scan {enable | disable}
        set external-blocklist-enable-all {enable | disable}
        set external-blocklist <source>
    next
end

To configure malware threat feeds and outbreak prevention without performing an AV scan in the CLI:

config antivirus profile
    edit "Demo"
        set feature-set proxy
        set mobile-malware-db enable
        config http
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set content-disarm disable
        end
        config ftp
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config imap
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config pop3
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config smtp
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config mapi
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
        end
        config nntp
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        config cifs
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config ssh
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        set outbreak-prevention-archive-scan enable
        set external-blocklist-archive-scan enable
        set external-blocklist-enable-all disable
        set external-blocklist "malhash1"
        set av-virus-log enable
        set av-block-log enable
        set extended-log disable
        set scan-mode default
    next
end

In this example, quarantine is configured per protocol (set quarantine). Instead of using all malware threat feeds (set external-blocklist-enable-all disable), the profile specifies a single threat feed connector, malhash1 (set external-blocklist "malhash1").

To specify a malware threat feed and quarantine in the GUI:

1. Go to Security Profiles > AntiVirus and click Create New.
2. Enable the protocols you want to inspect.
3. Enable Use external malware block list and click Specify.
4. Click the + in the field and select a threat feed.
5. Optionally, enable Quarantine.
6. Configure the other settings as needed.
7. Click OK.

Web filter

This section includes information about web filter related new features:
• FortiGuard web filter categories to block child sexual abuse and terrorism on page 69
• Enhance web filter antiphishing profile on page 71

FortiGuard web filter categories to block child sexual abuse and terrorism

Web filter categories 83 (Child Sexual Abuse, formerly Child Abuse) and 96 (Terrorism) can be used to enforce blocking
and logging the Internet Watch Foundation (IWF) and Counter-Terrorism Internet Referral Unit (CTIRU) lists,
respectively.

To create a web filter profile to block the Child Sexual Abuse and Terrorism categories in the GUI:

1. Go to Security Profiles > Web Filter and click Create New.
2. Enter a name for the new filter, such as webfilter-demo.
3. In the category table, in the Potentially Liable section, set the Action for the Child Sexual Abuse and Terrorism categories to Block.
4. Configure the remaining settings as required.
5. Click OK.

To create a web filter profile to block category 83 (Child Sexual Abuse) and 96 (Terrorism) in the CLI:

config webfilter profile
    edit "webfilter-demo"
        config ftgd-wf
            unset options
            config filters
                ...
                edit 83
                    set category 83
                    set action block
                next
                edit 96
                    set category 96
                    set action block
                next
                ...
            end
        end
    next
end

To test the web filter:

1. Use the web filter profile in a policy.
2. On a device that is connected through the FortiGate and that uses the policy, visit the test URLs for each category:
    http://wfurltest.fortiguard.com/wftest/83.html
    http://wfurltest.fortiguard.com/wftest/96.html
3. Log in to the FortiGate, and go to Log & Report > Web filter to view the logs for the blocked websites.

Enhance web filter antiphishing profile

The following enhancements have been made to the antiphishing profile:

• Allow username and password field patterns to be fetched from FortiGuard.
• Add DNS support for domain controller IP fetching.
• Add support to specify a source IP or port for the fetching domain controller.
• Add LDAP server as a credential source (only the OpenLDAP server is supported).
• Block or log valid usernames regardless of password match.
• Add literal custom patterns type for username and password.

In previous versions of FortiOS, the domain controller for antiphishing is configured under
config credential-store domain-controller. Starting in 7.0.0, it is configured
under config user domain-controller.

Configuration examples

To update the antiphish pattern database:

1. Go to System > FortiGuard and in the right-side pane, click Update Licenses & Definitions Now.
2. Enter the following in the CLI:

    # diagnose autoupdate versions
    ...
    AntiPhish Pattern DB
    ---------
    Version: 1.00002
    Contract Expiry Date: n/a
    Last Updated using manual update on Sun Nov 22 10:31:00 2020
    Last Update Attempt: Tue Jan 12 16:54:06 2021
    Result: No Updates

To enable DNS service lookup:

config user domain-controller
    edit "win2016"
        set ad-mode ds
        set dns-srv-lookup enable
        set hostname "win2016"
        set username "replicate"
        set password **********
        set domain-name "SMB2016.LAB"
    next
end

To specify the source IP and port for the fetching domain controller:

config user domain-controller
    edit "win2016"
        set ad-mode ds
        set hostname "win2016"
        set username "replicate"
        set password **********
        set ip-address 172.18.52.188
        set source-ip-address 172.16.100.1
        set source-port 2000
        set domain-name "SMB2016.LAB"
    next
end

To use an LDAP server as a credential store:

1. Configure the LDAP server:

    config user ldap
        edit "openldap"
            set server "172.18.60.214"
            set cnid "cn"
            set dn "dc=qafsso,dc=com"
            set type regular
            set username "cn=Manager,dc=qafsso,dc=com"
            set password **********
            set antiphish enable
            set password-attr "userPassword"
        next
    end

2. Configure the web filter profile:

    config webfilter profile
        edit "webfilter"
            set feature-set proxy
            config ftgd-wf
                unset options
                config filters
                    edit 1
                        set action block
                    next
                end
            end
            config antiphish
                set status enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                set authentication ldap
                set ldap "openldap"
            end
            set log-all-url enable
        next
    end

To configure username-only credential matching:

config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

To configure different custom pattern types for usernames and passwords:

config webfilter profile
    edit "webfilter"
        set feature-set proxy
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the
default regex type.

SSL/SSH inspection

This section includes information about SSL/SSH inspection related new features:
• HTTP/2 support in proxy mode SSL inspection on page 74
• Define multiple certificates in an SSL profile in replace mode on page 75

HTTP/2 support in proxy mode SSL inspection

Security profiles in proxy mode can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the
Application-Layer Protocol Negotiation (ALPN) extension.

To set the ALPN support:

config firewall ssl-ssh-profile
    edit <profile>
        set supported-alpn {all | http1-1 | http2 | none}
    next
end

all        The FortiGate forwards ALPN extensions that use either HTTP/2 or HTTP/1.1. This is the default value.
http1-1    The FortiGate only forwards ALPN extensions that use HTTP/1.1. If the ALPN extension uses HTTP/2, then the FortiGate strips the ALPN header from the Client Hello.
http2      The FortiGate only forwards ALPN extensions that use HTTP/2. If the ALPN extension uses HTTP/1.1, then the FortiGate strips the ALPN header from the Client Hello.
none       The FortiGate always strips the ALPN header from the Client Hello when forwarding.

For example, if supported-alpn is set to http2, but the extension uses HTTP/1.1, the ALPN header is stripped from the Client Hello:

• Incoming packet capture (packet capture image not reproduced)
• Outgoing packet capture (packet capture image not reproduced)
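
As an added Python example (not FortiGate code), the following parses a constructed ClientHello, applies the supported-alpn setting to its ALPN extension, and recomputes the record, handshake and extension lengths, which is the part that makes stripping non-trivial. Its treatment of a list that mixes h2 and http/1.1 (keep the permitted names, drop the extension only when none remain) is this example's reading of the descriptions above, not verified FortiGate behaviour; every ClientHello field is a dummy value constructed here.

```python
"""ALPN handling on a TLS ClientHello, as an added example (not FortiOS code).

Models the supported-alpn setting on a raw ClientHello record: 'all' forwards
the ALPN extension (type 16) unchanged, 'http2' and 'http1-1' keep only the
permitted protocol names and remove the extension when none remain, 'none'
always removes it. The mixed-list handling is this example's simplification.
"""
import struct

ALPN_EXT = 16
PERMITTED = {"http2": {b"h2"}, "http1-1": {b"http/1.1"}, "none": set()}


def build_client_hello(alpn_protocols):
    """Constructed TLS 1.2 ClientHello record carrying an SNI and (optionally) an ALPN extension."""
    sni = b"www.example.com"
    sni_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    exts = struct.pack("!HH", 0, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    if alpn_protocols:
        names = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
        exts += struct.pack("!HH", ALPN_EXT, len(names) + 2) + struct.pack("!H", len(names)) + names
    body = (b"\x03\x03" + b"\x11" * 32            # client_version, dummy random
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def split_extensions(hello):
    """Return (bytes up to the extensions length field, [(type, data), ...])."""
    if hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a ClientHello record")
    off = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    off += 1 + hello[off]                                 # session id
    off += 2 + struct.unpack("!H", hello[off:off + 2])[0]  # cipher suites
    off += 1 + hello[off]                                 # compression methods
    ext_len = struct.unpack("!H", hello[off:off + 2])[0]
    prefix, pos, end, exts = hello[:off], off + 2, off + 2 + ext_len, []
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts.append((etype, hello[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return prefix, exts


def alpn_names(data):
    """Decode the protocol name list inside an ALPN extension body."""
    names, pos = [], 2                      # skip the 2-byte list length
    while pos < len(data):
        n = data[pos]
        names.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    return names


def apply_supported_alpn(hello, setting):
    """Rewrite the ClientHello according to supported-alpn and fix every enclosing length."""
    if setting != "all" and setting not in PERMITTED:
        raise ValueError(f"unknown supported-alpn value {setting!r}")
    prefix, exts = split_extensions(hello)
    kept = []
    for etype, data in exts:
        if etype == ALPN_EXT and setting != "all":
            names = [n for n in alpn_names(data) if n in PERMITTED[setting]]
            if not names:
                continue                    # nothing permitted: strip the ALPN extension entirely
            packed = b"".join(bytes([len(n)]) + n for n in names)
            data = struct.pack("!H", len(packed)) + packed
        kept.append(struct.pack("!HH", etype, len(data)) + data)
    ext_blob = b"".join(kept)
    # prefix[9:] is the handshake body up to the extensions; re-wrap with recomputed lengths
    body = prefix[9:] + struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return hello[:3] + struct.pack("!H", len(handshake)) + handshake


def forwarded_alpn(hello):
    """ALPN names the server would see in the forwarded hello, or None if the extension is absent."""
    for etype, data in split_extensions(hello)[1]:
        if etype == ALPN_EXT:
            return alpn_names(data)
    return None


if __name__ == "__main__":
    hello = build_client_hello([b"http/1.1"])
    print(forwarded_alpn(apply_supported_alpn(hello, "http2")))   # page's example: stripped
```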

Define multiple certificates in an SSL profile in replace mode

Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be deployed on the same protected server IP address, with inspection based on matching the SNI against the certificate.
When the FortiGate receives the client and server hello messages, it compares the SNI and CN with the certificate list in the SSL profile and uses the matched certificate as a replacement. If there is no matching server certificate in the list, the first server certificate in the list is used as a replacement.

Example

To configure an SSL profile in replace mode with multiple certificates:

config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end

To configure a policy that uses the SSL profile:

config firewall policy
    edit 1
        set name "multi-cert"
        set srcintf "port6"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "multi-cert"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end

Results

If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then
the FortiGate uses the matched server certificate. In this example, when the client accesses www.aaa.com, the
FortiGate will use the aaa certificate as a replacement.

If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile,
then the FortiGate uses the first server certificate in the list. In this example, when the client accesses www.ccc.com,
because there is no certificate for www.ccc.com, the FortiGate will use the bbb certificate as a replacement.

Others

This section includes information about other security profile related new features:
• Improve WAD traffic dispatcher on page 78
• Video filtering on page 78
• DNS filter handled by IPS engine in flow mode on page 82

Improve WAD traffic dispatcher

The WAD traffic dispatcher now allows incoming traffic to be directly distributed to the workers. This enhancement also
allows source addresses to be exempt from proxy affinity, which allows traffic from the same source and different server
to be distributed to workers in a round-robin configuration.
Use the following debugging command to verify that the WAD dispatcher distributed the traffic to the WAD workers:

# diagnose test application wad 12<integer><integer>

Use the index 1299 for all listeners.

To distribute traffic to different WAD workers:

config web-proxy global
    set proxy-fqdn "default.fqdn"
    set src-affinity-exempt-addr <IPv4 address> ...
    set src-affinity-exempt-addr6 <IPv6 address> ...
end

To verify the WAD dispatcher traffic distribution:

# diagnose test application wad 1204
Listener info: vf_id=0 local=0 port=(443) addr=[0.0.0.0]
dispatcher fallback conn=0
worker_idx=0 num_conn=3
worker_idx=1 num_conn=1

In this example, the WAD dispatcher distributed traffic to two WAD workers.

Video filtering

With the video filter profile, you can filter YouTube videos by channel ID for a more granular override of a single channel,
user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

For more information about finding a YouTube channel ID, see YouTube channel filtering in
the FortiOS Administration Guide.

To configure a video filter in the GUI:

1. Go to Security Profiles > Video Filter and click Create New.
2. In the Channel override list section, click Create New. The New Channel Override Entry pane opens.
    a. Enter a Channel ID and select an Action.
    b. Click OK.
3. Optionally, enable Restrict YouTube access and select a setting (Moderate or Strict).
4. Click OK.
5. In the CLI, enable the YouTube API query:

    config videofilter youtube-key
        edit 1
            set key ********
            set status enable
        next
    end

6. Create the firewall policy:
    a. Go to Policy & Objects > Firewall Policy and click Create New.
    b. For Inspection Mode, select Proxy-based.
    c. Enable Video Filter and select the profile you created.
    d. For SSL Inspection, select deep-inspection.
    e. Configure the other settings as needed and click OK.

To configure a video filter in the CLI:

1. Create the channel filter:

    config videofilter youtube-channel-filter
        edit 1
            set name "channel_filter"
            config entries
                edit 1
                    set action block
                    set channel-id "UCJHo4AuVomwMRzgkA5DQEOA"
                next
            end
        next
    end

2. Create the video filter profile:

    config videofilter profile
        edit "channel_filter"
            set youtube-channel-filter 1
            set youtube-restrict strict
        next
    end

3. Enable the YouTube API query:

    config videofilter youtube-key
        edit 1
            set key ********
            set status enable
        next
    end

4. Create the firewall policy:

    config firewall policy
        edit 1
            set name "video-filter"
            set srcintf "port1"
            set dstintf "port5"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set videofilter-profile "channel_filter"
            set nat enable
        next
    end

Vimeo

The video filter profile includes a setting to restrict Vimeo access, which can only be configured in the CLI.

To restrict Vimeo access:

config videofilter profile
edit <name>
set vimeo-restrict {7 | 134}
next
end

vimeo-restrict {7 | 134} Set the Vimeo restriction:
l 7: do not show mature content
l 134: do not show unrated and mature content


DNS filter handled by IPS engine in flow mode

In FortiOS 6.4, the DNS proxy daemon handles the DNS filter in flow and proxy mode policies. Starting in 7.0, the IPS
engine handles the DNS filter in flow mode policies and queries the FortiGuard web filter server for FortiGuard
categories. In proxy mode, the DNS proxy daemon handles the DNS filter and queries the FortiGuard SDNS server for
FortiGuard categories.
All features previously supported in the DNS filter profile are supported in flow mode:
l FortiGuard category rating
l Static domain filtering
l Remote category rating
l External IP block list
l Botnet domain and IP filtering
l DNS translation
l Safe search enforcement

When a DNS filter profile is enabled in config system dns-server, the DNS proxy
daemon handles the traffic.


VPN

This section includes information about VPN related new features:


l IPsec and SSL VPN on page 83

IPsec and SSL VPN

This section includes information about IPsec and SSL VPN related new features:
l Configurable IKE port on page 83
l Packet duplication for dial-up IPsec tunnels on page 86
l IPsec global IKE embryonic limit on page 90

Configurable IKE port

Some ISPs block UDP port 500, preventing an IPsec VPN from being established. To accommodate this, the IKE and
IKE NAT-T ports can be changed.

To set the IKE ports:

config system settings
set ike-port <integer>
set ike-natt-port <integer>
end

ike-port UDP port for IKE/IPsec traffic (1024 - 65535, default = 500).

ike-natt-port UDP port for IKE/IPsec traffic in NAT-T mode (1024 - 65535, default = 4500).

Example

In this example, the IKE port is set to 6000 and the IKE NAT-T port is set to 5000. A site to site VPN and a dial-up VPN
with NAT are configured to show that the specified ports are used.

To set the IKE ports:

config system settings
set ike-port 6000
set ike-natt-port 5000
end


To configure and check the site to site VPN:

1. Configure the phase1 and phase2 interfaces:


config vpn ipsec phase1-interface
edit "s2s"
set interface "port27"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set wizard-type static-fortigate
set remote-gw 11.101.1.1
set psksecret **********
next
end
config vpn ipsec phase2-interface
edit "s2s"
set phase1name "s2s"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-addr-type name
set dst-addr-type name
set src-name "s2s_local"
set dst-name "s2s_remote"
next
end

2. Check the IKE gateway list and confirm that the specified port is used:
# diagnose vpn ike gateway list

vd: root/0
name: s2s
version: 2
interface: port27 17
addr: 173.1.1.1:6000 -> 11.101.1.1:6000
tun_id: 11.101.1.1
remote_location: 0.0.0.0
created: 194s ago
PPK: no
IKE SA: created 1/2 established 1/2 time 0/4500/9000 ms
IPsec SA: created 1/2 established 1/2 time 0/4500/9000 ms
...

3. Check the VPN tunnel list:


# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=s2s ver=2 serial=1 173.1.1.1:6000->11.101.1.1:6000 tun_id=11.101.1.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
...


To configure and check the dialup VPN with NAT:

1. Configure the phase1 and phase2 interfaces:


config vpn ipsec phase1-interface
edit "server"
set type dynamic
set interface "port27"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set wizard-type static-fortigate
set psksecret **********
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "server"
set phase1name "server"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-addr-type name
set dst-addr-type name
set src-name "server_local"
set dst-name "server_remote"
next
end

2. Check the IKE gateway list and confirm that the specified port is used:
# diagnose vpn ike gateway list

vd: root/0
name: server_0
version: 2
interface: port27 17
addr: 173.1.1.1:5000 -> 173.1.1.2:65416
tun_id: 173.1.1.2
remote_location: 0.0.0.0
created: 90s ago
nat: peer
PPK: no
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
...

3. Check the VPN tunnel list:


# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=server_0 ver=2 serial=a 173.1.1.1:5000->173.1.1.2:65416 tun_id=173.1.1.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/904 options[0388]=npu rgwy-chg rport-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
...
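Two points from the outputs above are worth turning into a check. First, the site to site gateway shows :6000 on both ends, so the peer must be configured with the same non-default ike-port; a mismatch simply never negotiates. Second, with NAT-T only the FortiGate's own side is predictable (173.1.1.1:5000): the peer's port (65416) is whatever its NAT device allocated. The following is an added example, not code from the guide or from Fortinet: it parses `diagnose vpn ike gateway list` text and flags gateways that are not on the configured ports. The sample is constructed; its first two records are copied from the outputs above, the third ("branch-old", peer 203.0.113.9) is invented and still sits on UDP 500 so the check has something to report.

```python
"""Verify that the IKE gateway list shows the configured IKE ports.

Added example, not from the FortiOS guide. Parses `diagnose vpn ike gateway
list` output and reports gateways whose local UDP port is not the configured
ike-port (or ike-natt-port when NAT traversal is in use).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: s2s and server_0 are copied from the guide's output,
# branch-old is invented (still on UDP 500) so the check has a finding.
SAMPLE_GATEWAY_LIST = """\
vd: root/0
name: s2s
version: 2
interface: port27 17
addr: 173.1.1.1:6000 -> 11.101.1.1:6000
tun_id: 11.101.1.1
remote_location: 0.0.0.0
created: 194s ago
PPK: no
IKE SA: created 1/2 established 1/2 time 0/4500/9000 ms
IPsec SA: created 1/2 established 1/2 time 0/4500/9000 ms

vd: root/0
name: server_0
version: 2
interface: port27 17
addr: 173.1.1.1:5000 -> 173.1.1.2:65416
tun_id: 173.1.1.2
remote_location: 0.0.0.0
created: 90s ago
nat: peer
PPK: no
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

vd: root/0
name: branch-old
version: 1
interface: port27 17
addr: 173.1.1.1:500 -> 203.0.113.9:500
tun_id: 203.0.113.9
remote_location: 0.0.0.0
created: 12s ago
PPK: no
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
"""

ADDR_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


@dataclass
class Gateway:
    name: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    nat_t: bool  # a "nat:" line is present, so the SA runs over the NAT-T port


def parse_gateway_list(text: str) -> list[Gateway]:
    """Split the output into blank-line separated gateway records and read the
    fields the check needs: name, the addr pair, and whether a nat: line exists."""
    gateways = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields.setdefault(key.strip(), value.strip())
        if "addr" not in fields:
            continue
        m = ADDR_RE.match(fields["addr"])
        if not m:
            raise ValueError(f"unexpected addr line: {fields['addr']}")
        gateways.append(Gateway(
            name=fields.get("name", "?"),
            local_ip=m.group(1), local_port=int(m.group(2)),
            remote_ip=m.group(3), remote_port=int(m.group(4)),
            nat_t="nat" in fields,
        ))
    return gateways


def check_ike_ports(gateways: list[Gateway], ike_port: int, ike_natt_port: int) -> list[tuple[str, str]]:
    """Return (gateway name, reason) for each gateway not on the expected port.

    Without NAT-T both ends must use ike-port. With NAT-T only our side is
    predictable (the peer's source port is whatever its NAT allocated), so
    only the local port is compared against ike-natt-port.
    """
    problems = []
    for gw in gateways:
        if gw.nat_t:
            if gw.local_port != ike_natt_port:
                problems.append((gw.name, f"NAT-T on local port {gw.local_port}, expected {ike_natt_port}"))
        elif gw.local_port != ike_port or gw.remote_port != ike_port:
            problems.append((gw.name, f"IKE on {gw.local_port}->{gw.remote_port}, expected {ike_port}"))
    return problems


if __name__ == "__main__":
    for name, reason in check_ike_ports(parse_gateway_list(SAMPLE_GATEWAY_LIST), 6000, 5000):
        print(f"{name}: {reason}")
```

Feed it the real gateway list after changing the ports; anything still reported on 500/4500 is a peer that was not updated or a tunnel negotiated before the change.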

Packet duplication for dial-up IPsec tunnels

To support packet duplication on dial-up IPsec tunnels between sites, each spoke must be configured with a location ID.
On the hub, packet duplication is performed on the tunnels in the IPsec aggregate that have the same location ID.
Multiple dial-up VPN tunnels from the same location can be aggregated on the VPN hub and load balanced based on
the configured load balance algorithm.
IPsec traffic cannot be offloaded to the NPU.

Example

In this example, an IPsec aggregate tunnel is formed between two dial-up IPsec tunnels in order to support packet
duplication.

To configure the client FortiGate (FGT-A):

1. Configure the IPsec tunnels:


config vpn ipsec phase1-interface
edit "client1"
set interface "port1"
set peertype any
set net-device disable
set aggregate-member enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.16.200.4
set psksecret **********
next
edit "client2"
set interface "wan1"
set peertype any
set net-device disable
set aggregate-member enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 173.1.1.1
set psksecret **********
next
end

2. Configure an aggregate of the IPsec tunnels:


config system ipsec-aggregate
edit "agg1"
set member "client1" "client2"
next
end

3. Configure the location ID:


config system settings
set location-id 1.1.1.1
end

To configure the server FortiGate (FGT-B):

1. Configure the IPsec tunnels:


config vpn ipsec phase1-interface
edit "server1"
set type dynamic
set interface "mgmt1"
set peertype any
set net-device disable
set aggregate-member enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set psksecret ***********
set dpd-retryinterval 60
next
edit "server2"
set type dynamic
set interface "port27"
set peertype any
set net-device disable
set aggregate-member enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set psksecret **********
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "server1"
set phase1name "server1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
edit "server2"
set phase1name "server2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end


2. Configure an aggregate of the IPsec tunnels:


config system ipsec-aggregate
edit "server"
set member "server1" "server2"
next
end

3. Configure a firewall policy:


config firewall policy
edit 1
set srcintf "server"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

To check the IPsec tunnel and aggregate state:

1. List all of the VPN tunnels:


FGDocs # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=server1 ver=1 serial=1 172.16.200.4:500->0.0.0.0:500 tun_id=1.0.0.0 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dialup/2 encap=none/4616 options[1208]=npu frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=2 refcnt=4 ilast=14210 olast=14210 ad=/0
stat: rxp=798921 txp=819074 rxb=121435992 txb=68802216
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=server2 ver=1 serial=2 173.1.1.1:500->0.0.0.0:500 tun_id=2.0.0.0 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dialup/2 encap=none/4616 options[1208]=npu frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=1 refcnt=3 ilast=14177 olast=14177 ad=/0
stat: rxp=836484 txp=819111 rxb=137429352 txb=80046050
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=server1_0 ver=1 serial=8 172.16.200.4:500->172.16.200.1:500 tun_id=172.16.200.1 dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744 options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
parent=server1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=45 olast=45 ad=/0
stat: rxp=17176 txp=17176 rxb=2610752 txb=1442784
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=server1 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.1.100.0-10.1.100.255:0
SA: ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=42342/0B replaywin=2048
seqno=4319 esn=0 replaywin_lastseq=00004319 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43186/43200
dec: spi=0aef2a07 esp=aes key=16 12738c8a1db02c23bfed73eb3615a5a1
ah=sha1 key=20 0f3edd28e3165d184292b4cd397a6edeef9d20dc
enc: spi=2cb75665 esp=aes key=16 982b418e40f0bb18b89916d8c92270c0
ah=sha1 key=20 08cbf9bf78a968af5cd7647dfa2a0db066389929
dec:pkts/bytes=17176/1442784, enc:pkts/bytes=17176/2610752
npu_flag=00 npu_rgwy=172.16.200.1 npu_lgwy=172.16.200.4 npu_selid=6 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=server1_1 ver=1 serial=a 172.16.200.4:500->172.16.200.3:500 tun_id=172.16.200.3 dst_mtu=0 dpd-link=on remote_location=2.2.2.2 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744 options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
parent=server1 index=1
proxyid_num=1 child_num=0 refcnt=5 ilast=27 olast=27 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=server1 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=2a6 type=00 soft=0 mtu=1280 expire=43167/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=0aef2a0a esp=aes key=16 4b7a17ba9d239e4ae5fe95ec100fca8b
ah=sha1 key=20 7d3e058088f21e0c4f1c13c297293f06c8b592e7
enc: spi=7e961809 esp=aes key=16 ecd1aa8657c5a509662aed45002d3990
ah=sha1 key=20 d159e06c1cf0ded18a4e4ac86cbe5aa0315c21c9
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=172.16.200.3 npu_lgwy=172.16.200.4 npu_selid=9 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=server2_0 ver=1 serial=7 173.1.1.1:500->11.101.1.1:500 tun_id=11.101.1.1 dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744 options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
parent=server2 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=45 olast=45 ad=/0
stat: rxp=16001 txp=17179 rxb=2113664 txb=1594824
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=server2 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.1.100.0-10.1.100.255:0
SA: ref=6 options=2a6 type=00 soft=0 mtu=1438 expire=42342/0B replaywin=2048
seqno=431a esn=0 replaywin_lastseq=00003e80 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43185/43200
dec: spi=0aef2a08 esp=aes key=16 394d4e444e90ccb5184e744d49aabe3c
ah=sha1 key=20 faabea35c2b9b847461cbd263c4856cfb679f342
enc: spi=2cb75666 esp=aes key=16 0b3a2fbac4d5610670843fa1925d1207
ah=sha1 key=20 97e99beff3d8f61a8638f6ef887006a9c323acd4
dec:pkts/bytes=16001/2113596, enc:pkts/bytes=17179/2762792
npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=7 dec_npuid=1 enc_npuid=1

2. List the IPsec aggregate members:


# diagnose sys ipsec-aggregate list
server
members(3):
server1_1
server1_0
server2_0

3. In the GUI, go to Dashboard > Network and expand the IPsec widget to review the traffic distributed over the aggregate members.
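The tunnel list above is the place to confirm that duplication can actually happen: the hub duplicates only between aggregate members that report the same remote_location, so server1_0 and server2_0 (both 1.1.1.1, on different parents) are duplicated, while server1_1 (2.2.2.2) is alone and the parent dialup entries carry no location at all. The following is an added example, not code from the guide or from Fortinet, that extracts exactly that from `diagnose vpn tunnel list` output. The sample is a constructed, abbreviated copy of the records shown above; only the name=, mode=, remote_location= and parent= fields are used.

```python
"""Group dial-up tunnel instances by spoke location ID.

Added example, not part of the FortiOS guide. Reads `diagnose vpn tunnel list`
output and reports, per remote_location, which dial-up instances the hub can
duplicate between, which locations have only one instance, and which parent
(hub interface) each duplicated instance lives on.
"""
import re

# Constructed sample: abbreviated copy of the five records in the guide's output.
SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=server1 ver=1 serial=1 172.16.200.4:500->0.0.0.0:500 tun_id=1.0.0.0 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dialup/2 encap=none/4616 options[1208]=npu frag-rfc accept_traffic=1 overlay_id=0
------------------------------------------------------
name=server2 ver=1 serial=2 173.1.1.1:500->0.0.0.0:500 tun_id=2.0.0.0 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dialup/2 encap=none/4616 options[1208]=npu frag-rfc accept_traffic=1 overlay_id=0
------------------------------------------------------
name=server1_0 ver=1 serial=8 172.16.200.4:500->172.16.200.1:500 tun_id=172.16.200.1 dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744 options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
parent=server1 index=0
------------------------------------------------------
name=server1_1 ver=1 serial=a 172.16.200.4:500->172.16.200.3:500 tun_id=172.16.200.3 dst_mtu=0 dpd-link=on remote_location=2.2.2.2 weight=1
bound_if=4 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744 options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
parent=server1 index=1
------------------------------------------------------
name=server2_0 ver=1 serial=7 173.1.1.1:500->11.101.1.1:500 tun_id=11.101.1.1 dst_mtu=1500 dpd-link=on remote_location=1.1.1.1 weight=1
bound_if=17 lgwy=static/1 tun=tunnel/15 mode=dial_inst/3 encap=none/4744 options[1288]=npu rgwy-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
parent=server2 index=0
"""

KV_RE = re.compile(r"([\w\[\]-]+)=(\S+)")


def parse_tunnel_list(text):
    """Return one {key: value} dict per record; records are separated by dash lines."""
    records = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields = dict(KV_RE.findall(chunk))
        if "name" in fields:
            records.append(fields)
    return records


def duplication_groups(records):
    """Map each non-zero remote_location to the sorted dial-up instance names that
    reported it. Parent dialup entries and instances whose spoke sent no location ID
    (remote_location=0.0.0.0) are excluded: duplication never involves them."""
    groups = {}
    for r in records:
        if not r.get("mode", "").startswith("dial_inst"):
            continue
        loc = r.get("remote_location", "0.0.0.0")
        if loc == "0.0.0.0":
            continue
        groups.setdefault(loc, []).append(r["name"])
    return {loc: sorted(names) for loc, names in sorted(groups.items())}


def unduplicated_locations(groups):
    """Locations with a single instance: traffic to that spoke is not duplicated."""
    return [loc for loc, names in groups.items() if len(names) < 2]


def parents_per_location(records, groups):
    """Parent tunnel (and therefore hub interface) of each location's instances.
    Instances that all share one parent leave the hub on the same uplink."""
    parent_of = {r["name"]: r.get("parent") for r in records}
    return {loc: sorted({parent_of[n] for n in names}) for loc, names in groups.items()}


if __name__ == "__main__":
    recs = parse_tunnel_list(SAMPLE_TUNNEL_LIST)
    groups = duplication_groups(recs)
    for loc, names in groups.items():
        print(loc, names, "parents:", parents_per_location(recs, groups)[loc])
    print("single-instance locations:", unduplicated_locations(groups))
```

On the sample this reports 1.1.1.1 with server1_0 and server2_0 on parents server1 and server2, and 2.2.2.2 as a single-instance location. A spoke that shows up single-instance after both of its tunnels should be up is the first thing to look at when duplication appears not to work.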

IPsec global IKE embryonic limit

When trying to establish thousands of tunnels simultaneously, a situation can arise where new negotiations starve other SAs from progressing to an established state in IKEv2. Enhancements to the IKE daemon include prioritizing established SAs, offloading groups 20 and 21 to CP9, and optimizing the default embryonic limits for mid- and high-end platforms. The IKE embryonic limit is now configurable from the CLI. Because it caps how many half-open negotiations the daemon holds at once, it also bounds the resources an unauthenticated initiator can tie up; the trade-off, shown in the 50-limit example below, is that legitimate requests are dropped during a mass reconnect.
config system global
set ike-embryonic-limit <integer>
end

ike-embryonic-limit <integer> Set the maximum number of IPsec tunnels to negotiate simultaneously (50 - 20000, default = 10000).

The following examples compare the number of established tunnels using an IKE embryonic limit of 50 and 10000 with
500 connections opened per second.

To configure an IKE embryonic limit of 50:

config system global
set ike-embryonic-limit 50
end

FortiOS 7.0.0 New Features Guide 90


Fortinet Technologies Inc.
VPN

To view the tunnel diagnostics:

# diagnose vpn tunnel stat
dev=1 attached=2087 tunnel=0 proxyid=2087 sa=2087 conc=0 up=2087 fenc=0 fdec=0 fasm=0 crypto_work=0 crypto_work_dropped=0
mr_grps=0 mr_children=0 mr_flood_list=0 mr_fw_list=0
# diagnose debug application ike -1
...
ike 0:a5d766dc52ebb36e/0000000000000000:3672: SA proposal chosen, matched gateway ph1
ike 0: embryonic limit 50 reached, dropping request 10.10.1.1->1.0.0.73:500
ike 0:a5d766dc52ebb36e/0000000000000000:3672: failed to create a connection

To configure an IKE embryonic limit of 10000:

config system global
set ike-embryonic-limit 10000
end

To view the tunnel diagnostics:

# diagnose vpn tunnel stat
dev=1 attached=2952 tunnel=0 proxyid=2952 sa=2952 conc=0 up=2952 fenc=0 fdec=0 fasm=0 crypto_work=0 crypto_work_dropped=0
mr_grps=0 mr_children=0 mr_flood_list=0 mr_fw_list=0
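When the limit is hit, the question an operator has to answer is whether the drops are spread across many spokes (the limit is too low for the reconnect load, as in the 50 example above) or concentrated on a few initiators (the limit is doing its job against an aggressive or misbehaving peer). The following is an added example, not code from the guide or from Fortinet: it reads the established-SA count from `diagnose vpn tunnel stat` and tallies the "embryonic limit ... reached" lines from `diagnose debug application ike -1` by initiator. The log lines are constructed in the format shown above (one is copied from it; the other addresses are invented), and the 50% concentration threshold is a heuristic of this example, not a FortiOS rule.

```python
"""Triage 'embryonic limit reached' drops from the IKE debug output.

Added example, not from the FortiOS guide. Parses the `diagnose vpn tunnel stat`
summary line and the drop lines printed by `diagnose debug application ike -1`,
then classifies the drops as broad (many initiators) or single-source.
"""
import re
from collections import Counter

# Constructed from the guide's output; 'up=' is the number of established SAs.
SAMPLE_TUNNEL_STAT = (
    "dev=1 attached=2087 tunnel=0 proxyid=2087 sa=2087 conc=0 up=2087 fenc=0 fdec=0 fasm=0 "
    "crypto_work=0 crypto_work_dropped=0"
)

# Constructed log: the first drop line is copied from the guide, the rest are invented.
SAMPLE_IKE_DEBUG = """\
ike 0:a5d766dc52ebb36e/0000000000000000:3672: SA proposal chosen, matched gateway ph1
ike 0: embryonic limit 50 reached, dropping request 10.10.1.1->1.0.0.73:500
ike 0:a5d766dc52ebb36e/0000000000000000:3672: failed to create a connection
ike 0: embryonic limit 50 reached, dropping request 10.10.1.2->1.0.0.73:500
ike 0: embryonic limit 50 reached, dropping request 10.10.1.1->1.0.0.73:500
ike 0: embryonic limit 50 reached, dropping request 10.10.1.3->1.0.0.73:500
ike 0: embryonic limit 50 reached, dropping request 10.10.1.1->1.0.0.73:500
ike 0:1b2c3d4e5f607182/0000000000000000:3690: SA proposal chosen, matched gateway ph1
"""

DROP_RE = re.compile(
    r"embryonic limit (?P<limit>\d+) reached, dropping request "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+):(?P<port>\d+)"
)


def parse_tunnel_stat(line):
    """Turn the key=value summary line into an int dict."""
    return {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", line)}


def tally_embryonic_drops(log):
    """Return (limit reported in the log, Counter of drops per initiator address).
    The limit is None when no drop line was found."""
    limit = None
    per_src = Counter()
    for m in DROP_RE.finditer(log):
        limit = int(m.group("limit"))
        per_src[m.group("src")] += 1
    return limit, per_src


def assess(per_src, concentration=0.5):
    """Heuristic of this example (not a FortiOS rule): if one initiator accounts for
    at least `concentration` of the drops, the limit is throttling a single peer;
    otherwise the drops are spread across spokes and the limit is too low for the load."""
    total = sum(per_src.values())
    if total == 0:
        return "no-drops"
    src, n = max(per_src.items(), key=lambda kv: kv[1])
    return "single-source" if n / total >= concentration else "broad"


if __name__ == "__main__":
    stat = parse_tunnel_stat(SAMPLE_TUNNEL_STAT)
    limit, per_src = tally_embryonic_drops(SAMPLE_IKE_DEBUG)
    print(f"established={stat['up']} limit={limit} drops={sum(per_src.values())} "
          f"verdict={assess(per_src)}")
    for src, n in per_src.most_common():
        print(f"  {src}: {n}")
```

A "broad" verdict with an established count far below the expected spoke population argues for raising ike-embryonic-limit; a "single-source" verdict argues for looking at that initiator instead.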


User and authentication

This section includes information about user and authentication related new features:
l Authentication on page 92

Authentication

This section includes information about authentication related new features:


l Integrate user information from EMS connector and Exchange connector in the user store on page 92

Integrate user information from EMS connector and Exchange connector in the user store

When a FortiClient endpoint is managed by EMS, logged in user and domain information is shared with FortiOS through
the EMS connector. This information can be joined with the Exchange connector to produce more complete user
information in the user store.
The diagnose user-device-store device memory list command displays detailed device information.


Sample topology

In this example, the FortiClient PC user (test1) logs on to the AD domain (FORTINET-FSSO.COM), which is also the
same domain as the Exchange server. The user information is pushed to the EMS server that the user is registered to.
The FortiGate synchronizes the information from EMS, and at the same time looks up the user on the Exchange server
under the Exchange connector. If the user exists on the Exchange server, additional information is fetched. These
details are combined in the user store, which is visible in the FortiClient widget in the Status dashboard.

To configure the Exchange server:

config user exchange
edit "exchange-140"
set server-name "W2K8-SERV1"
set domain-name "FORTINET-FSSO.COM"
set username "Administrator"
set password ********
next
end

To configure the EMS server:

config endpoint-control fctems
edit "ems133"
set server "172.18.62.12"
set certificate-fingerprint "4F:A6:76:E2:00:4F:A6:76:E2:00:4F:A6:76:E2:00:E0"
next
end

To view the user information in the GUI:

1. Go to Dashboard > Status.


2. In the FortiClient widget, hover over a device or user name to view the information.

To view the user information in the CLI:

# diagnose user-device-store device memory list


...
Record #13:
device_info
'ipv4_address' = '10.1.100.185'
'mac' = '00:0c:29:11:5b:6b'
'hardware_vendor' = 'VMware'
'vdom' = 'root'
'os_name' = 'Microsoft'
'os_version' = 'Windows 7 Professional Edition, 32-bit Service Pack 1 (build 7601)'
'hostname' = 'win7-5'
'unauth_user' = 'Administrator'
'last_seen' = '1611356490'
'host_src' = 'forticlient'
'user_info_src' = 'forticlient'
'is_forticlient_endpoint' = 'true'
'unjoined_forticlient_endpoint' = 'false'
'is_forticlient_unauth_user' = 'true'
'avatar_source' = 'OS'
'domain' = 'Fortinet-FSSO.COM'
'forticlient_id' = '********************************'
'forticlient_username' = 'Administrator'
'forticlient_version' = '6.4.2'
'on_net' = 'true'
'quarantined_on_forticlient' = 'false'
'vuln_count' = '0'
'vuln_count_critical' = '0'
'vuln_count_high' = '0'
'vuln_count_info' = '0'
'vuln_count_low' = '0'
'vuln_count_medium' = '0'
'is_online' = 'true'
interface_info
'ipv4_address' = '10.1.100.185'
'mac' = '00:0c:29:11:5b:6b'
'master_mac' = '00:0c:29:11:5b:6b'
'detected_interface' = 'port10'
'last_seen' = '1611356490'
'is_master_device' = 'true'
'is_detected_interface_role_wan' = 'false'
'detected_interface_fortitelemetry' = 'true'
'forticlient_gateway_interface' = 'port10'
'on_net' = 'true'
'is_online' = 'true'


Secure access

This section includes information about secure access related new features:
l Wireless on page 95
l Switch controller on page 100

Wireless

This section includes information about wireless related new features:


l Configure Agile Multiband Operation on page 95

Configure Agile Multiband Operation

The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi network resources in roaming
decisions and improves overall performance. This enhancement allows the FortiGate to push the MBO configuration to
managed APs, which adds the MBO information element to the beacon and probe response for 802.11ax.
config wireless-controller vap
edit <name>
set mbo {enable | disable}
set gas-comeback-delay <integer>
set gas-fragmentation-limit <integer>
set mbo-cell-data-conn-pref {excluded | prefer-not | prefer-use}
next
end

mbo {enable | disable} Enable/disable Multiband Operation (default = disable).
gas-comeback-delay <integer> GAS comeback delay in milliseconds (100 - 10000, default = 500, 0 = special).
gas-fragmentation-limit <integer> GAS fragmentation limit (512 - 4096, default = 1024).
mbo-cell-data-conn-pref {excluded | prefer-not | prefer-use} MBO cell data connection preference:
l excluded: Wi-Fi Agile Multiband AP does not want the Wi-Fi Agile Multiband STA to use the cellular data connection.
l prefer-not: Wi-Fi Agile Multiband AP prefers that the Wi-Fi Agile Multiband STA should not use the cellular data connection.
l prefer-use: Wi-Fi Agile Multiband AP prefers that the Wi-Fi Agile Multiband STA should use the cellular data connection.


To configure MBO for an 802.11ax FortiAP:

1. Configure MBO on the VAP:


config wireless-controller vap
edit "FOS-QA"
set max-clients 15
set ssid "FOS-QAehta-01"
set pmf enable
set pmf-assoc-comeback-timeout 8
set mbo enable
set gas-comeback-delay 0
set gas-fragmentation-limit 2048
set mbo-cell-data-conn-pref prefer-use
set passphrase <somepassword>
set schedule "always"
set target-wake-time disable
set igmp-snooping enable
unset broadcast-suppression
set mu-mimo disable
set quarantine disable
set dhcp-option82-insertion enable
set qos-profile "test"
next
end

2. Enable the VAP on a WTP profile:


config wireless-controller wtp-profile
edit "FAP234F-default"
config platform
set type 234F
set ddscan enable
end
set ble-profile "new"
set wan-port-mode wan-lan
config lan
set port-mode bridge-to-ssid
set port-ssid "16sep"
end
set handoff-sta-thresh 55
set ip-fragment-preventing tcp-mss-adjust icmp-unreachable
set allowaccess https ssh snmp
set poe-mode high
set frequency-handoff enable
set ap-handoff enable
config radio-1
set band 802.11ax
set short-guard-interval enable
set auto-power-level enable
set auto-power-high 21
set auto-power-low 1
set darrp enable
set vap-all manual
set vaps "FOS-QA"
set channel "1" "6" "11"
end


config radio-2
set band 802.11ax-5G
set short-guard-interval enable
set auto-power-level enable
set auto-power-low 1
set darrp enable
set vap-all manual
set vaps "FOS-QA"
set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
end
config radio-3
set mode monitor
set wids-profile "default"
end
config lbs
set station-locate enable
end
next
end

3. Verify the MBO settings are pushed to the FortiAP:


# diagnose debug application wpad 255
21176.239 Received data - hexdump(len=153):
13 02 00 00 00 00 00 00 00 00 00 00 B0 01 A5 C0 ................
7E 14 01 00 04 D5 90 E9 F4 E0 46 50 34 33 31 46 ~.........FP431F
54 46 32 30 30 30 30 30 31 35 00 00 00 00 00 00 TF20000015......
80 18 39 91 FF 7F 00 00 00 E2 C2 90 07 E0 32 AC ..9...........2.
FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 78 BF E1 15 00 00 00 00 ........x.......
00 00 01 00 31 00 00 00 D0 00 3C 00 04 D5 90 E9 ....1.....<.....
F4 E0 A0 51 0B 4A 84 F4 FF FF FF FF FF FF A0 03 ...Q.J..........
04 0A 00 6C 02 00 00 10 00 00 01 02 00 10 01 DD ...l............
DD 06 00 50 6F 9A 12 01 02 ...Po....
21176.239 HOSTAPD: <0>192.165.1.176:5246<1-0> entering state RUN
mgmt::action
: GAS: GAS Initial Request from a0:51:0b:4a:84:f4 (dialog token 0)
ANQP: 1 Info IDs requested in Query list
ANQP: Unsupported WFA vendor type 18
ANQP: Locally generated ANQP responses - hexdump(len=0):
ANQP: Initial response (no comeback)
21176.239 Sending data - hexdump(len=141):
0C 03 00 00 00 00 00 00 00 00 00 00 B0 01 A5 C0 ................
7E 14 01 00 04 D5 90 E9 F4 D0 00 00 00 00 00 00 ~...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

4. On the FortiAP, verify the MBO settings are pushed from the FortiGate:
# vcfg
-------------------------------VAP Configuration 1----------------------------
Radio Id 0 WLAN Id 0 FOS-QAehta-01 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
vlanid=0, intf=wlan00, vap=0x12b8018, bssid=e0:23:ff:b2:18:70
11ax high-efficiency=enabled target-wake-time=disabled bss-color=0
partial=enabled


mesh backhaul=disabled
local_auth=disabled standalone=disabled nat_mode=disabled
local_bridging=disabled split_tunnel=disabled
intra_ssid_priv=disabled
mcast_enhance=disabled igmp_snooping=enabled
mac_auth=disabled fail_through_mode=disabled sta_info=0/0
mac=local, tunnel=8023, cap=8ce0, qos=disabled
prob_resp_suppress=disabled
rx sop=disabled
sticky client remove=disabled
mu mimo=disabled ldpc_config=rxtx
dhcp_option43_insertion=enabled dhcp_option82_insertion=enabled, dhcp_option82_circuit_id=disable, dhcp_option82_remote_id=disable
access_control_list=disabled
bc_suppression=
auth=WPA2, PSK, AES WPA keyIdx=4, keyLen=16, keyStatus=1, gTsc=000000000000
key=dee8be7d 3675eda2 7123f695 1d740319
pmf=required
okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=enabled
airfairness weight: 20%
schedules=SMTWTFS 00:00->00:00,
ratelimit(Kbps): ul=100 dl=0 ul_user=0 dl_user=0 burst=disabled

-------------------------------VAP Configuration 2----------------------------
Radio Id 1 WLAN Id 0 FOS-QAehta-01 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
vlanid=0, intf=wlan10, vap=0x12b8860, bssid=e0:23:ff:b2:18:78
11ax high-efficiency=enabled target-wake-time=disabled bss-color=0
partial=enabled
mesh backhaul=disabled
local_auth=disabled standalone=disabled nat_mode=disabled
local_bridging=disabled split_tunnel=disabled
intra_ssid_priv=disabled
mcast_enhance=disabled igmp_snooping=enabled
mac_auth=disabled fail_through_mode=disabled sta_info=0/0
mac=local, tunnel=8023, cap=8ce0, qos=disabled
prob_resp_suppress=disabled
rx sop=disabled
sticky client remove=disabled
mu mimo=disabled ldpc_config=rxtx
dhcp_option43_insertion=enabled dhcp_option82_insertion=enabled, dhcp_option82_circuit_id=disable, dhcp_option82_remote_id=disable
access_control_list=disabled
bc_suppression=
auth=WPA2, PSK, AES WPA keyIdx=4, keyLen=16, keyStatus=1, gTsc=000000000000
key=6042ccb8 66c18743 18cdb5d0 12f9c0fc
pmf=required
okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled mbo=enabled
airfairness weight: 20%
schedules=SMTWTFS 00:00->00:00,
ratelimit(Kbps): ul=100 dl=0 ul_user=0 dl_user=0 burst=disabled

-------------------------------Total 2 VAP Configurations----------------------------


5. Verify in a wireless packet capture that the beacon and probe response frames sent by the AP carry the MBO information element.


Switch controller

This section includes information about switch controller related new features:
l FortiSwitch NAC VLANs widget on page 100
l Forward error correction settings on switch ports on page 101
l Cancel pending or downloading FortiSwitch upgrades on page 102
l Automatic provisioning of FortiSwitch firmware upon authorization on page 104
l Use wildcards in a MAC address in a NAC policy on page 106
l Additional FortiSwitch recommendations in Security Rating on page 108
l FortiGate NAC engine optimization on page 108
l PoE pre-standard detection disabled by default on page 109
l GUI support for viewing and configuring shared FortiSwitch ports on page 110
l Cloud icon indicates that the FortiSwitch unit is managed over layer 3 on page 111

FortiSwitch NAC VLANs widget

The widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When expanded to the full screen, the widget
shows a full list of devices grouped by VLAN, NAC policy, or last seen.
The widget is added to the Users & Devices dashboard after a dashboard reset or can be manually added to a
dashboard. It can also be accessed by going to WiFi & Switch Controller > FortiSwitch NAC Policies and clicking View
Matched Devices.

The expanded view of the widget shows Assigned VLAN and Last Seen pie charts and a full device list. The list can be
organized By VLAN , By NAC Policy, or By Last Seen.
Click View NAC Policies to go to WiFi & Switch Controller > FortiSwitch NAC Policies


When a NAC device is matched to a NAC policy and assigned to a VLAN, an event log is created.

Forward error correction settings on switch ports

Supported managed-switch ports can be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for
25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set fec-capable {0 | 1}
set fec-state {disabled | cl74 | cl91}
next
end
next
end

fec-capable {0 | 1} Set whether the port is FEC capable.
l 0: The port is not FEC capable.
l 1: The port is FEC capable.
fec-state {disabled | cl74 | cl91} Set the FEC state:
l disabled: Disable FEC on the port.
l cl74: Enable Clause 74 FC-FEC. This option is only available for 25Gbps ports.
l cl91: Enable Clause 91 RS-FEC. This option is only available for 100Gbps ports.

In this example, a FortiSwitch 3032E that is managed by the FortiGate device is configured with Clause 74 FC-FEC on
port 16.1 and Clause 91 RS-FEC on port 8.

To configure FEC on the switch ports:

config switch-controller managed-switch
edit FS3E32T419000000
config ports
edit port16.1
set fec-state cl74
next
edit port8
set fec-state cl91
next
end
next
end

Cancel pending or downloading FortiSwitch upgrades

A FortiSwitch device in FortiLink mode can be upgraded from the FortiGate device.
If a connectivity issue occurs during the upgrade process and the FortiSwitch unit loses contact with the FortiGate device, the FortiSwitch upgrade status can get stuck at Upgrading. Use the following CLI command to cancel the process:
execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_number> | switch-group <group ID>}

To test canceling a failed FortiSwitch upgrade process:

1. Check that there is at least one FortiSwitch unit in FortiLink mode on the FortiGate device:
# execute switch-controller get-conn-status
Managed-devices in current vdom vdom1:

FortiLink interface : flink


SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
FS1D243Z170000XX v6.4.0 (456) Authorized/Up E 169.254.1.3 Fri Nov 27 13:51:11 2020 -
S248DN3X170002XX v6.4.0 (456) Authorized/Up E 169.254.1.6 Fri Nov 27 13:50:56 2020 -
S248EPTF180018XX v6.4.0 (456) Authorized/Up E 169.254.1.5 Fri Nov 27 13:51:05 2020 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3

Managed-Switches: 5 (UP: 4 DOWN: 1)

2. Confirm that the upgrade status of the FortiSwitch units is normal:


# execute switch-controller get-upgrade-status
Device Running-version Status Next-boot
===================================================================================================================
VDOM : vdom1
FS1D243Z170000XX FS1D24-v6.4.0-build456,201121 (Interim) (0/0/0) N/A (Idle)
S248DN3X170002XX S248DN-v6.4.0-build456,201121 (Interim) (0/0/0) N/A (Idle)
S248EPTF180018XX S248EP-v6.4.0-build456,201121 (Interim) (0/0/0) N/A (Idle)

3. Upload the FortiSwitch image to the FortiGate device and confirm that it was uploaded successfully:
# execute switch-controller switch-software upload tftp FSW-248E-POE-454.out 172.18.60.160
Downloading file FSW-248E-POE-454.out from tftp server 172.18.60.160...
###########################
Image checking ...
Image MD5 calculating ...
Image Saving S248EP-IMG.swtp ...
Successful!
File Syncing...

# execute switch-controller switch-software list-available
ImageName         ImageSize(B)  ImageInfo             Uploaded Time
S248EP-IMG.swtp   28579517      S248EP-v6.4-build454  Fri Nov 27 14:01:24 2020

4. Start the FortiSwitch upgrade process:
# execute switch-controller switch-software upgrade S248EPTF180018XX S248EP-IMG.swtp
Image download process: 11 %

5. Check the FortiSwitch upgrade process:
# execute switch-controller get-upgrade-status
Device             Running-version                            Status      Next-boot
===================================================================================
VDOM : vdom1
FS1D243Z170000XX   FS1D24-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248DN3X170002XX   S248DN-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248EPTF180018XX   S248EP-v6.4.0-build456,201121 (Interim)    (14/0/0)    N/A
                                                              (Upgrading)

6. On the FortiSwitch unit, shut down the physical port that is used by FortiLink, in this case port 17:
config switch physical-port
    edit port17
        set status down
    next
end

7. On the FortiGate device, recheck the FortiSwitch upgrade process:
# execute switch-controller get-upgrade-status
Device             Running-version                            Status      Next-boot
===================================================================================
VDOM : vdom1
FS1D243Z170000XX   FS1D24-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248DN3X170002XX   S248DN-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248EPTF180018XX   S248EP-v6.4.0-build456,201121 (Interim)    (14/0/0)    N/A
                                                              (Upgrading)

Note that the process is stuck on Upgrading.


8. Cancel the upgrade process:
# execute switch-controller switch-software cancel sn S248EPTF180018XX

9. Confirm that the upgrade status of the FortiSwitch units is back to normal:
# execute switch-controller get-upgrade-status
Device             Running-version                            Status      Next-boot
===================================================================================
VDOM : vdom1
FS1D243Z170000XX   FS1D24-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248DN3X170002XX   S248DN-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248EPTF180018XX   S248EP-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
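The following is an added example, not code from the guide, that automates the check in steps 5 to 9: it parses the get-upgrade-status output into one record per switch, lists the switches whose upgrade is still pending, and emits the matching cancel command for each. The sample output is constructed from the listing above with anonymized serials. The state names other than Upgrading in PENDING_STATES are assumptions, and the script only prints the cancel commands rather than sending them to the FortiGate.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample of `execute switch-controller get-upgrade-status` output,
# in the two-line-per-switch layout FortiOS prints. Serials are anonymized.
SAMPLE_STATUS = """\
Device           Running-version                          Status    Next-boot
=============================================================================
VDOM : vdom1
FS1D243Z170000XX FS1D24-v6.4.0-build456,201121 (Interim)  (0/0/0)   N/A
(Idle)
S248DN3X170002XX S248DN-v6.4.0-build456,201121 (Interim)  (0/0/0)   N/A
(Idle)
S248EPTF180018XX S248EP-v6.4.0-build456,201121 (Interim)  (14/0/0)  N/A
(Upgrading)
"""

# One row per switch: serial, running image, release tag, progress counters, next-boot image.
ROW_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]{12,16})\s+"
    r"(?P<image>\S+)\s+\((?P<release>[A-Za-z]+)\)\s+"
    r"\((?P<progress>[\d/]+)\)\s+(?P<next_boot>\S+)"
)
# The state line that follows each row, e.g. "(Idle)" or "(Upgrading)".
STATE_RE = re.compile(r"^\s*\((?P<state>[A-Za-z]+)\)\s*$")

# States in which a switch has a pending or in-flight upgrade that `cancel` can clear.
# "Upgrading" is what the guide shows; "Downloading" and "Staged" are assumed names.
PENDING_STATES = frozenset({"Upgrading", "Downloading", "Staged"})


def parse_upgrade_status(text: str) -> List[Dict[str, str]]:
    """Parse get-upgrade-status output into one record per managed switch."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            rec = row.groupdict()
            rec["state"] = "Unknown"  # filled in by the state line that follows
            records.append(rec)
            continue
        state = STATE_RE.match(line)
        if state and records:
            records[-1]["state"] = state.group("state")
    return records


def pending_upgrades(records: Sequence[Dict[str, str]]) -> List[str]:
    """Serials whose upgrade is still pending or in progress."""
    return [r["serial"] for r in records if r["state"] in PENDING_STATES]


def cancel_commands(serials: Sequence[str]) -> List[str]:
    """FortiOS CLI lines that cancel the upgrade for each listed switch."""
    return [f"execute switch-controller switch-software cancel sn {s}" for s in serials]


if __name__ == "__main__":
    stuck = pending_upgrades(parse_upgrade_status(SAMPLE_STATUS))
    for cmd in cancel_commands(stuck):
        print(cmd)
```

Run it against a fresh capture of the command output taken a few minutes after the upgrade started; a switch that is still in Upgrading after the FortiLink connection has been lost is the case the cancel command exists for.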

Automatic provisioning of FortiSwitch firmware upon authorization

FortiSwitch firmware images can be automatically provisioned after authorization. After a FortiSwitch unit is authorized
by FortiLink, its firmware is upgraded to the version provisioned by the administrator.
On FortiGate models that have a hard disk, up to four images for the same FortiSwitch model can be uploaded. For
FortiGate models without a hard disk, only one image can be uploaded for each FortiSwitch model.

To configure the automatic provisioning:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set firmware-provision {enable | disable}
        set firmware-provision-version <version>
    next
end

firmware-provision {enable | disable}    Enable or disable provisioning firmware to the FortiSwitch unit after authorization
                                         (the default is disable).
firmware-provision-version <version>     The firmware version to provision the FortiSwitch unit with on bootup.
                                         The format is major_version.minor_version.build_number, for example, 6.4.0454.

Example

In this example, a FortiSwitch 248E-POE is upgraded from 6.4.3 to 6.4.4.

To configure automatic provisioning and upgrade the FortiSwitch firmware after authorization:

1. Upload the FortiSwitch image to the FortiGate device and confirm that it was uploaded successfully:
# execute switch-controller switch-software upload tftp 248-454.out 172.18.60.160
Downloading file 248-454.out from tftp server 172.18.60.160...
###########################
Image checking ...
Image MD5 calculating ...
Image Saving S248EP-IMG.swtp ...
Successful!
File Syncing...

# execute switch-controller switch-software list-available
ImageName                      ImageSize(B)  ImageInfo             Uploaded Time
S248EP-v6.4-build454-IMG.swtp  28579517      S248EP-v6.4-build454  Mon Nov 30 15:06:07 2020

2. On the FortiSwitch unit, check the current version:
# get system status
Version: FortiSwitch-248E-POE v6.4.3,build0452,201029 (GA)
Serial-Number: S248EPTF18001842
BIOS version: 04000004
System Part-Number: P22169-02
Burn in MAC: 70:4c:a5:e1:53:f6
Hostname: S248EPTF18001842
Distribution: International
Branch point: 452
System time: Wed Dec 31 16:11:17 1969

3. On the FortiSwitch unit, change the management mode to FortiLink:
config system global
    set switch-mgmt-mode fortilink
end

4. On the FortiGate device, enable firmware provisioning and specify the version:
config switch-controller managed-switch
    edit S248EPTF18000000
        set firmware-provision enable
        set firmware-provision-version 6.4.0454
    next
end

5. On the FortiGate device, authorize the FortiSwitch unit:
config switch-controller managed-switch
    edit S248EPTF18000000
        set fsw-wan1-peer flink
        set fsw-wan1-admin enable
    next
end

6. When the authorized FortiSwitch unit is in FortiLink mode, it automatically starts upgrading to the provisioned
firmware:
# execute switch-controller get-upgrade-status
Device             Running-version                            Status      Next-boot
===================================================================================
VDOM : vdom1
FS1D243Z170000XX   FS1D24-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248DN3X170002XX   S248DN-v6.4.0-build456,201121 (Interim)    (0/0/0)     N/A
                                                              (Idle)
S248EPTF18000000   S248EP-v6.4.3-build452,201029 (GA)         (14/0/0)    N/A
                                                              (Upgrading)

7. Check the version when the upgrade is complete:
# execute switch-controller get-conn-status
Managed-devices in current vdom vdom1:

FortiLink interface : flink

SWITCH-ID          VERSION        STATUS         FLAG  ADDRESS      JOIN-TIME                 NAME
FS1D243Z17000032   v6.4.0 (456)   Authorized/Up  -     169.254.1.3  Mon Nov 30 11:08:10 2020  -
S248DN3X170002XX   v6.4.0 (456)   Authorized/Up  -     169.254.1.4  Mon Nov 30 11:08:32 2020  -
S248EPTF18000000   v6.4.4 (454)   Authorized/Up  C     169.254.1.6  Mon Nov 30 15:20:53 2020  -

Use wildcards in a MAC address in a NAC policy

When configuring a NAC policy, you can use the wildcard * character when manually specifying a MAC address to match
the device.
config user nac-policy
    edit <policy>
        set mac "xx:xx:xx:**:**:**"
    next
end

In this example, VM_PC1 and VM_PC2 both have MAC addresses that start with 00:0c:29. A NAC policy is created on
the FortiGate 500E to match both PCs. After the PCs are connected to the FortiSwitch units, they are detected by the
NAC policy and assigned to Lab_VLAN.

To configure a MAC address with wildcards in a NAC policy:

1. Configure a MAC policy to be applied on the managed FortiSwitch units through the NAC device:
config switch-controller mac-policy
    edit "LAB_Linux"
        set fortilink "port11"
        set vlan "Lab_VLAN"
    next
end

2. Configure the NAC policy matching pattern to identify matching NAC devices:
config user nac-policy
    edit "VM-Policy"
        set mac "00:0c:29:**:**:**"
        set switch-fortilink "port11"
        set switch-mac-policy "LAB_Linux"
    next
end

3. Check that the NAC devices are added:
# show switch-controller nac-device
config switch-controller nac-device
    edit 2
        set description "auto detected @ 2020-11-30 14:13:45"
        set mac 00:0c:29:d4:4f:3c
        set last-known-switch "S248EPTF18001384"
        set last-known-port "port6"
        set matched-nac-policy "VM-Policy"
        set mac-policy "LAB_Linux"
    next
    edit 3
        set description "auto detected @ 2020-11-30 14:16:07"
        set mac 00:0c:29:a8:0a:1c
        set last-known-switch "S524DN4K16000116"
        set last-known-port "port7"
        set matched-nac-policy "VM-Policy"
        set mac-policy "LAB_Linux"
    next
end
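The following is an added example, not code from the guide, that models how a wildcard MAC pattern in a NAC policy is matched against the MAC addresses learned from the managed switches and how each detected device ends up with a matched-nac-policy and mac-policy as in the output above. It assumes that each * stands for exactly one hex digit (the guide writes a fully wildcarded octet as **) and that policies are evaluated in order with the first match winning. The device list is constructed from the output above plus one device outside the 00:0c:29 range.

```python
import re
from typing import Dict, List, Optional, Sequence

# Constructed device list modelled on the `show switch-controller nac-device`
# output above, plus one device (3c:22:fb:...) that no policy should match.
DEVICES = [
    {"mac": "00:0c:29:d4:4f:3c", "switch": "S248EPTF18001384", "port": "port6"},
    {"mac": "00:0c:29:a8:0a:1c", "switch": "S524DN4K16000116", "port": "port7"},
    {"mac": "3c:22:fb:10:20:30", "switch": "S524DN4K16000116", "port": "port9"},
]

# Constructed policy list: name, MAC pattern and the MAC policy (VLAN) to assign.
POLICIES = [
    {"name": "VM-Policy", "mac": "00:0c:29:**:**:**", "mac_policy": "LAB_Linux"},
]

HEX = "0123456789abcdef"


def mac_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a NAC-policy MAC pattern such as "00:0c:29:**:**:**".

    Assumption: each '*' stands for exactly one hex digit, so a fully
    wildcarded octet is written "**"; every other character must match literally.
    """
    octets = pattern.strip().lower().split(":")
    if len(octets) != 6:
        raise ValueError(f"expected 6 colon-separated octets: {pattern!r}")
    parts = []
    for octet in octets:
        if len(octet) != 2 or any(ch not in HEX + "*" for ch in octet):
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
        parts.append("".join("[0-9a-f]" if ch == "*" else ch for ch in octet))
    return re.compile("^" + ":".join(parts) + "$")


def match_policy(mac: str, policies: Sequence[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the first policy whose pattern matches `mac`, or None.

    Assumption: policies are evaluated in list order and the first match wins.
    """
    mac = mac.strip().lower()
    for policy in policies:
        if mac_pattern_to_regex(policy["mac"]).match(mac):
            return policy
    return None


def assign_devices(devices: Sequence[Dict[str, str]],
                   policies: Sequence[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Annotate each detected device with the NAC policy and MAC policy it matched."""
    result: List[Dict[str, Optional[str]]] = []
    for dev in devices:
        policy = match_policy(dev["mac"], policies)
        result.append({
            **dev,
            "matched_nac_policy": policy["name"] if policy else None,
            "mac_policy": policy["mac_policy"] if policy else None,
        })
    return result


if __name__ == "__main__":
    for dev in assign_devices(DEVICES, POLICIES):
        print(dev["switch"], dev["port"], dev["mac"], dev["matched_nac_policy"], dev["mac_policy"])
```

Because a three-octet prefix such as 00:0c:29 is simply the VMware OUI, any host that spoofs that prefix lands in Lab_VLAN too; pair a wildcard NAC policy with a VLAN that carries only the access its intended devices need.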

Additional FortiSwitch recommendations in Security Rating

Three new tests have been added to the FortiSwitch recommendations in the Security Fabric > Security Rating page
to help optimize your network:
• Check if the quarantine bounce port option is enabled.
• Check if the PoE status of the switch controller auto-config default policy is enabled.
• Check if PoE pre-standard detection for all user ports is enabled.

Bounce port option

Enabling bouncing allows the switch port on which a quarantined device was last seen to be brought administratively
down and back up.
# execute switch-controller switch-recommendations {enable-bounce-quarantine-link | disable-bounce-quarantine-link}

PoE status in the auto-config default policy

Enabling the PoE status of the switch controller auto-config default policy is recommended.
# execute switch-controller switch-recommendations {enable-auto-config-poe-status | disable-auto-config-poe-status}

PoE pre-standard detection

By default, PoE pre-standard detection on a switch port is disabled. It can be enabled for PoE endpoints that support
only pre-standard PoE specifications.
# execute switch-controller switch-recommendations {enable-poe-pre-standard-detection | disable-poe-pre-standard-detection}

FortiGate NAC engine optimization

The FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy when a
device first connects to a switch port or when a device goes from offline to online. This process has been optimized to
shorten the amount of time it takes for a new device to be recognized and assigned to the VLAN.
These optimizations include:
• A new event-based approach.
• A new nac-mac-cache table that is populated with MAC addresses from the FortiSwitch unit immediately after an
  event.
• NAC inactive timers are now applied to the nac-mac-cache table.
• Hooks added to the other tables used for detection.
• A new nac-periodic-interval setting that runs the NAC engine at intervals in case any events are missed. The range
  is 5 to 60 seconds, and the default setting is 15 seconds.
Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch port to
matching the device to a NAC policy. After optimization, the process takes approximately 26 seconds with the minimum
nac-periodic-interval of 5 seconds.

Example

In the following example, you configure the NAC engine to run every five seconds.

To configure the NAC engine to run every five seconds:

config switch-controller system
    set nac-periodic-interval 5
end

To view the NAC clients:

# diagnose switch-controller nac-mac-cache show
VFID  SWITCH            MAC-ADDRESS        VLAN  CREATION(secs ago)  LAST-SEEN(secs ago)  INTERFACE
1     S524DN4K16000116  00:0c:29:a8:0a:1c  4089  24                  0                    port7
1     S248EPTF18001384  00:0c:29:d4:4f:3c  4089  44                  0                    port6

PoE pre-standard detection disabled by default

Starting with this version, the factory default setting for power over Ethernet (PoE) pre-standard detection is disabled
for both managed and standalone FortiSwitch units.

Depending on the FortiSwitch model, you can manually change the poe-pre-standard-detection setting at the
global level or at the port level.

PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE,
FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124E-FPOE. For the other
FortiSwitch PoE models, PoE pre-standard detection is set on each port.

On the global level, set poe-pre-standard-detection with the following commands:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set poe-pre-standard-detection {enable | disable}
    next
end

On the port level, set poe-pre-standard-detection with the following commands:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set poe-pre-standard-detection {enable | disable}
            next
        end
    next
end

When you upgrade FortiOS, the setting of poe-pre-standard-detection stays the same. When you downgrade
from FortiOS 6.4 to FortiOS 6.2, the setting of poe-pre-standard-detection stays the same. The setting of
poe-pre-standard-detection might change during a downgrade from FortiOS 7.0 to FortiOS 6.4.

GUI support for viewing and configuring shared FortiSwitch ports

You can now use the GUI to view and configure FortiSwitch ports that are shared between VDOMs. To share
FortiSwitch ports between VDOMs, you must use the CLI.
One use case for this feature is to have each VDOM dedicated to a separate tenant with a single administrator
managing all VDOMs.
Go to WiFi & Switch Controller > FortiSwitch Ports to view the shared FortiSwitch ports and edit them.

Cloud icon indicates that the FortiSwitch unit is managed over layer 3

A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3. The cloud icon is displayed in two
places in the GUI.
Go to WiFi & Switch Controller > Managed FortiSwitch and select Topology. In the following figure, the cloud icon
over the connection line indicates that S548DF4K16000730 is being managed over layer 3.

Go to Security Fabric > Physical Topology. In the following figure, the cloud icon over the connection line indicates
that S548DF4K16000730 is being managed over layer 3.

Log and report

This section includes information about logging and reporting related new features:
• Logging on page 114

Logging

This section includes information about logging related new features:
• Add logs for the execution of CLI commands on page 114
• Logging IP address threat feeds in sniffer mode on page 116

Add logs for the execution of CLI commands

The cli-audit-log option records the execution of CLI commands in system event logs (log ID 44548). In addition
to execute and config commands, show, get, and diagnose commands are recorded in the system event logs.
The cli-audit-log data can be recorded on memory or disk, and can be uploaded to FortiAnalyzer, FortiGate
Cloud, or a syslog server.

To enable the CLI audit log option:

config system global
    set cli-audit-log enable
end

To view system event logs in the GUI:

1. Run a command in the CLI, for example: # show log fortianalyzer setting
2. Go to Log & Report > Events > System Events.

To view the CLI audit logs stored on disk from the CLI:
# execute log filter device disk
# execute log filter category event
# execute log filter field subtype system
# execute log filter field logid 0100044548
# execute log display

Sample log:

1: date=2020-11-16 time=10:43:00 eventtime=1605552179970875703 tz="-0800" logid="0100044548"
type="event" subtype="system" level="information" vd="root" logdesc="Action performed"
user="admin" ui="jsconsole(2.0.225.112)" action="Show" msg="show log fortianalyzer setting"
2: date=2020-11-16 time=10:42:43 eventtime=1605552163502003054 tz="-0800" logid="0100044548"
type="event" subtype="system" level="information" vd="root" logdesc="Action performed"
user="admin" ui="jsconsole(2.0.225.112)" action="Get" msg="get sys status"
3: date=2020-11-16 time=09:47:04 eventtime=1605548824762387718 tz="-0800" logid="0100044548"
type="event" subtype="system" level="information" vd="root" logdesc="Action performed"
user="admin" ui="jsconsole(2.0.228.202)" action="Diagnose" msg="diagnose log test"

Logging IP address threat feeds in sniffer mode

In sniffer mode, you can record traffic logs each time a source or destination address matches an IP address on an
external threat feed.
config firewall sniffer
    edit <id>
        set logtraffic all
        set interface <interface>
        set ip-threatfeed-status {enable | disable}
        set ip-threatfeed <threat feed> ...
    next
end

ip-threatfeed-status {enable | disable}   Enable or disable IP threat feed matching in this sniffer policy.
ip-threatfeed <threat feed> ...           The names of one or more existing IP threat feeds.

When an IP matches multiple threat feeds, the sniffer log uses the last external connector in the configuration, which
is different from a normal firewall policy log, which uses the first external connector in the configuration.
When a threat feed is enabled and configured in a sniffer policy, every session whose IP matches the threat feed
produces a traffic log, whether logtraffic is set to all or utm.

To configure a sniffer policy to log the threat feed:

1. Enable inserting address UUIDs in traffic logs:
config system global
    set log-uuid-address enable
end

2. Configure the sniffer policy:
config firewall sniffer
    edit 1
        set logtraffic all
        set ipv6 enable
        set interface "port3"
        set ip-threatfeed-status enable
        set ip-threatfeed "g-source"
    next
end

Sample log

1: date=2021-01-26 time=15:51:37 eventtime=1611705097880421908 tz="-0800" logid="0004000017"
type="traffic" subtype="sniffer" level="notice" vd="vd1" srcip=10.1.100.12 srcport=34604
srcintf="port3" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port3"
dstintfrole="undefined" srcthreatfeed="g-source" srccountry="Reserved" dstcountry="Reserved"
sessionid=30384 proto=6 action="accept" policyid=1 policytype="sniffer" service="HTTP"
trandisp="snat" transip=0.0.0.0 transport=0 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 appcat="unscanned"
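The following is an added example, not code from the guide, that parses FortiOS key=value log lines and runs two checks over them: it flags sensitive commands recorded by cli-audit-log (the feature described under "Add logs for the execution of CLI commands" above, log ID 0100044548) together with the user and UI that issued them, and it flags sniffer traffic logs whose srcthreatfeed or dstthreatfeed field records a threat feed hit. The sample lines are constructed from the two sample logs on this page; the ssh session, the address 198.51.100.7 and the command list in SENSITIVE_CLI are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample lines modelled on the two log types on this page:
# CLI audit events (logid 0100044548) and sniffer traffic logs (logid 0004000017).
# The ssh session, the address 198.51.100.7 and the commands in lines 2 and 3 are made up.
SAMPLE_LOGS = [
    'date=2020-11-16 time=10:43:00 logid="0100044548" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Action performed" user="admin" '
    'ui="jsconsole(2.0.225.112)" action="Show" msg="show log fortianalyzer setting"',
    'date=2020-11-16 time=10:45:12 logid="0100044548" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Action performed" user="admin" '
    'ui="ssh(198.51.100.7)" action="Config" msg="config system admin"',
    'date=2020-11-16 time=10:46:30 logid="0100044548" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Action performed" user="admin" '
    'ui="ssh(198.51.100.7)" action="Diagnose" msg="diagnose sys session clear"',
    'date=2021-01-26 time=15:51:37 logid="0004000017" type="traffic" subtype="sniffer" '
    'level="notice" vd="vd1" srcip=10.1.100.12 srcport=34604 srcintf="port3" '
    'dstip=172.16.200.55 dstport=80 dstintf="port3" srcthreatfeed="g-source" '
    'sessionid=30384 proto=6 action="accept" policyid=1 policytype="sniffer" service="HTTP"',
]

# key=value pairs; quoted values may contain spaces (e.g. msg="show log fortianalyzer setting").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

CLI_AUDIT_LOGID = "0100044548"

# (action, command-prefix regex) pairs worth an alert when seen in the CLI audit log.
# The selection is illustrative (an assumption), not a FortiOS-supplied rule set.
SENSITIVE_CLI = (
    ("Config", re.compile(r"^config (system admin|system global|system ha|log )")),
    ("Diagnose", re.compile(r"^diagnose sys session clear")),
    ("Execute", re.compile(r"^execute (factoryreset|restore|backup)")),
)


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split a FortiOS log line into a dict, stripping the quotes around quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def audit_alerts(fields: Dict[str, str]) -> List[str]:
    """Flag sensitive commands recorded by cli-audit-log, with who ran them and from where."""
    if fields.get("logid") != CLI_AUDIT_LOGID:
        return []
    action, msg = fields.get("action", ""), fields.get("msg", "")
    return [
        f"cli-audit: {fields.get('user')} via {fields.get('ui')} ran '{msg}'"
        for act, pattern in SENSITIVE_CLI
        if action == act and pattern.match(msg)
    ]


def threatfeed_alerts(fields: Dict[str, str]) -> List[str]:
    """Flag sniffer-mode traffic whose source or destination matched an IP threat feed.

    Only one feed name is carried per side; as the guide notes, the last matching
    external connector in the configuration is the one reported for sniffer logs.
    """
    if fields.get("subtype") != "sniffer":
        return []
    return [
        f"sniffer: {side} {fields.get(side + 'ip')} matched IP threat feed "
        f"'{fields[side + 'threatfeed']}' (session {fields.get('sessionid')})"
        for side in ("src", "dst")
        if fields.get(side + "threatfeed")
    ]


def triage(lines: Sequence[str]) -> List[str]:
    """Run both detections over raw log lines and return the alerts in order."""
    alerts: List[str] = []
    for line in lines:
        fields = parse_fortios_log(line)
        alerts.extend(audit_alerts(fields))
        alerts.extend(threatfeed_alerts(fields))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

The ui field is what makes the audit log useful for incident response: it distinguishes a command typed in the GUI console from one issued over ssh and records the source address, so an unexpected ui value on a config or diagnose action is the line to pivot on.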

Cloud

This section includes information about cloud related new features:
• Public and private cloud on page 117

Public and private cloud

This section includes information about public and private cloud related new features:
• Collect only node IP addresses with Kubernetes SDN connectors on page 117
• FortiGate VM on KVM running ARM processors on page 121
• Deploy FortiGate-VM A-P HA on IBM VPC Cloud (BYOL) on page 125
• Support AWS Graviton2 instances on page 132
• Update AliCloud SDN connector to support Kubernetes filters on page 133

Collect only node IP addresses with Kubernetes SDN connectors

By default, Kubernetes SDN connectors return both pod and node IP addresses. Dynamic firewall addresses that reference
a Kubernetes SDN connector can now be configured to resolve only node IP addresses. Results can also be filtered by
specific IP addresses.

Example

In this example, a Kubernetes SDN connector and two dynamic firewall addresses are created. One of the addresses is
configured to resolve only node IP addresses, while the other resolves both the pod and node IP addresses.

GUI configuration

To configure a Kubernetes SDN connector in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.
2. Select Kubernetes, then configure the connector settings:

   Name          kuber_cloud
   IP            35.236.76.254
   Port          Specify - 443
   Secret token  *********

3. Click OK.

To create the two dynamic firewall addresses in the GUI:

1. Go to Policy & Objects > Addresses and click Create New > Address.

Name k8s_node_only

Type Dynamic

Sub Type Fabric Connector Address

SDN Connector kuber_cloud

SDN address type Private

Collect node addresses only Enabled

Filter K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw

2. Click OK.
3. Click Create New > Address again to create the second address.

4. Configure the same settings as the first address, except set Name to k8s_node_pod and disable Collect node
addresses only.
5. Click OK.

To check the resolved IP addresses of the two dynamic addresses in the GUI:

1. Go to Policy & Objects > Addresses.
2. In the address list, hover the cursor over the k8s_node_only address. Only the node IP address is resolved.
3. Hover over the k8s_node_pod address. The node and pod IP addresses are all resolved.

The resolved IP addresses can be verified by accessing the Kubernetes cluster directly, see Verify the resolved
IP addresses on page 121.

CLI configuration

To configure a Kubernetes SDN connector in the CLI:

config system sdn-connector
    edit "kuber_cloud"
        set type kubernetes
        set server "35.236.76.254"
        set server-port 443
        set secret-token *********
    next
end

To create the two dynamic firewall addresses in the CLI:

config firewall address
    edit "k8s_node_only"
        set type dynamic
        set sdn "kuber_cloud"
        set color 19
        set filter "K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw"
        set node-ip-only enable
    next
    edit "k8s_node_pod"
        set type dynamic
        set sdn "kuber_cloud"
        set color 19
        set filter "K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw"
        set node-ip-only disable
    next
end

To check the resolved IP addresses of the two dynamic addresses in the CLI:

# show firewall address
config firewall address
    ...
    edit "k8s_node_only"
        ...
        config list
            edit "10.0.2.12"
            next
        end
    next
    edit "k8s_node_pod"
        ...
        config list
            edit "10.0.2.12"
            next
            edit "10.32.3.2"
            next
            edit "10.32.3.3"
            next
            edit "10.32.3.4"
            next
            edit "10.32.3.5"
            next
            edit "10.32.3.6"
            next
            edit "10.32.3.7"
            next
            edit "10.32.3.8"
            next
            edit "10.32.3.9"
            next
        end
    next
end

The resolved IP addresses can be verified by accessing the Kubernetes cluster directly.

Verify the resolved IP addresses

To confirm the node IP address:

fosqa@pc56:~$ kubectl get nodes gke-zhmkc-hzhong-pool-3cb2c973-5mhw -o wide
NAME                                  STATUS   ROLES    AGE    VERSION          INTERNAL-IP   EXTERNAL-IP     OS-IMAGE                             KERNEL-VERSION   CONTAINER-RUNTIME
gke-zhmkc-hzhong-pool-3cb2c973-5mhw   Ready    <none>   532d   v1.12.7-gke.10   10.0.2.12     35.236.118.65   Container-Optimized OS from Google   4.14.106+        docker://17.3.2

To confirm the node and pods IP addresses:

fosqa@pc56:~$ kubectl get pods --all-namespaces -o wide | grep gke-zhmkc-hzhong-pool-3cb2c973-5mhw
default       guestbook-qcg7j                                  1/1   Running   0   186d   10.32.3.9   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
default       redis-master-mstb4                               1/1   Running   0   186d   10.32.3.8   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
default       redis-slave-7tgcv                                1/1   Running   0   186d   10.32.3.5   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   fluentd-gcp-scaler-6965bb45c9-2lpp2              1/1   Running   0   239d   10.32.3.4   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   fluentd-gcp-v3.2.0-nnlnp                         2/2   Running   0   239d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   heapster-gke-7858846d4d-vqc4d                    3/3   Running   0   186d   10.32.3.6   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   kube-dns-5995c95f64-rqn4b                        4/4   Running   0   186d   10.32.3.7   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   kube-dns-autoscaler-8687c64fc-dq9fn              1/1   Running   0   239d   10.32.3.2   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   kube-proxy-gke-zhmkc-hzhong-pool-3cb2c973-5mhw   1/1   Running   0   532d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   metrics-server-v0.3.1-5c6fbf777-7bchg            2/2   Running   0   239d   10.32.3.3   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   prometheus-to-sd-xndgs                           2/2   Running   0   186d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>

Pods that run with host networking (fluentd-gcp, kube-proxy, prometheus-to-sd) report the node's own address, 10.0.2.12,
which is why the k8s_node_pod address resolves to the node IP plus the eight pod IPs rather than one entry per pod.

FortiGate VM on KVM running ARM processors

FortiGate VMs can be deployed on KVM hypervisors running ARM64 processors.

To deploy the FortiGate VM:

1. Upload the qcow2 file to the hypervisor host.
2. Open the Virtual Machine Manager and create a new virtual machine.
3. Select Import existing disk image.
4. Set the following in the Architecture options:
   • Virt Type: KVM
   • Architecture: aarch64
   • Machine Type: virt

5. Click Forward.
6. Enter the storage path, pointing to the uploaded qcow2 file.
7. Set the OS type to Linux and Version to Ubuntu 18.04 LTS.
8. Click Forward.
9. Set the amount of memory and number of CPUs.
10. Click Forward.
11. Enter a name for the VM, select Customize configuration before install, and select a network.
12. Click Finish.

13. Click Add Hardware and add another NIC to connect to an internal, private network.
14. Click Add Hardware again and add a bootstrap CD-ROM device that carries the VM license.
15. Click Begin Installation to install the VM.
16. Confirm the CPU and memory allocation and the platform:
# get system status
Version: FortiGate-ARM64-KVM v7.0.0,build2292,201201 (interim)
...
License Status: Valid
License Expiration Date: 2021-11-07
VM Resources: 2 CPU/32 allowed, 1997 MB RAM
Log hard disk: Available
Hostname: cloud-init-test
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 2292
Release Version Information: interim
System time: Fri Dec 4 09:59:38 2020

17. Confirm that the FortiCloud debug shows the correct platform flag:
# diagnose test application forticldd 1
System=FGT Platform=ARM64-KVM
Management vdom: root, id=0, ha=primary.
acct_id=
acct_st=Logged Out
FortiGuard interface selection: method=auto specify=FortiGuard log: status=disabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=NONE, flags=000000bf.
active-tasks=0
rpdb_ver=00000001 rpdb6_ver=00000001

To configure the VM:

1. Configure the port1 and port2 interfaces:
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm radius-acct fabric ftm
        set type physical
        set snmp-index 2
    next
end

Port1 uses DHCP, as it is connected to the internet and has a DHCP gateway. Port2 is configured with a static IP.
2. Configure a basic firewall policy with an antivirus profile and certificate inspection:
config firewall policy
    edit 1
        set name "main"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
end

To test the FortiGate antivirus:

1. Set the default route gateway on the client to the internal interface of the FortiGate:
qa@ubuntu-arm64:~$ sudo ip link set dev enp2s0 up
qa@ubuntu-arm64:~$ sudo ifconfig enp2s0 10.1.100.5 netmask 255.255.255.0
qa@ubuntu-arm64:~$ ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.100.5  netmask 255.255.255.0  broadcast 10.1.100.255
        inet6 fe80::5054:ff:febb:153b  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:bb:15:3b  txqueuelen 1000  (Ethernet)
        RX packets 1008  bytes 54119 (54.1 KB)
        RX errors 0  dropped 982  overruns 0  frame 0
        TX packets 32  bytes 4351 (4.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3471721  bytes 246592197 (246.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3471721  bytes 246592197 (246.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

qa@ubuntu-arm64:~$ sudo ip route add default via 10.1.100.1
qa@ubuntu-arm64:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=97 time=9.02 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 9.022/9.022/9.022/0.000 ms

2. Attempt to download the EICAR test file to confirm that it is blocked:
qa@ubuntu-arm64:~$ curl http://www.eicar.org/download/eicar.com
<!DOCTYPE html>
... omitted ...
<p>You are not permitted to download the file "eicar.com" because it is infected with
the virus "EICAR_TEST_FILE".</p>

Deploy FortiGate-VM A-P HA on IBM VPC Cloud (BYOL)

IBM VPC Cloud users can deploy their BYOL FortiGate-VMs in unicast HA. The HA failover will automatically trigger
routing changes and floating IP reassignment on the IBM Cloud via API.

Example

In the following example, an administrator has an Ubuntu client protected by a FortiGate HA pair in A-P mode on
IBM Cloud. The administrator uses a VIP to reach the Ubuntu host and the web, with traffic inspected for the EICAR test file.

When the primary device is shut down to simulate a failover event, the floating IP (FIP) and the route are failed over.
After the failover, the administrator can still use the VIP to access Ubuntu and the web, and traffic is still inspected
for EICAR, through the secondary FortiGate.
In the following example, you configure the IBM VPC and then the primary and secondary FortiGates.

To configure the IBM VPC:

1. Configure the subnets and attach the public gateway.
   a. Configure four subnets:
      • Public
      • Internal
      • Management
      • Heartbeat
   b. Make sure a Public Gateway is attached to the Public subnet.
2. Configure two route tables:
   • Internal: This route table:
      • Needs to be the IBM default route table for the VPC.
      • Has a route for all traffic to the internal subnet IP of the primary FortiGate.
      • Applies to the internal subnet.
     If you have not deployed the FortiGates yet, return to this step after deployment.
   • Open: This route table can have no routes, and can be applied to the Public, Management, and Heartbeat
     subnets.

Non-default route tables cannot be used for the internal subnet's route table failover in IBM VPC at this time.

3. Configure the floating IP.

IBM Cloud does not currently support multiple FIPs for a single instance. Even though the management ports can be
configured, you will not be able to reach them through a FIP in the final configuration.
If you need to access the instances for configuration purposes, you can attach a FIP to the public subnet IP on the
primary and secondary devices until the FortiOS configuration is finished. You can also connect directly to the local
IPs over a VPN or through another proxy instance.

For this example, the final configuration only needs one FIP attached to the primary's public subnet IP.

To configure the FortiGate:

1. Configure the primary and secondary device's static IP addresses.


a. Configure the primary FortiGate's static IPs for all ports according to IBM Cloud's delegated internal IPs. The
   addresses and mask shown here are placeholders, not valid values; use the IPs that IBM Cloud assigned.
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.352.239.4 200.200.200.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.352.140.4 200.200.200.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set ip 10.352.152.4 200.200.200.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set ip 10.352.150.4 200.200.200.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
        set type physical
        set snmp-index 4
    next
end
b. Configure the secondary FortiGate's static IPs for all ports according to IBM Cloud's delegated internal IPs.
config system interface
edit "port1"
set vdom "root"
set ip 10.352.239.4 200.200.200.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 10.352.140.4 200.200.200.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
set type physical
set snmp-index 2
next
edit "port3"
set ip 10.352.152.4 200.200.200.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
set type physical
set snmp-index 3
next
edit "port4"
set ip 10.352.150.4 200.200.200.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm
set type physical
set snmp-index 4
next
end
2. Configure the HA.
a. Configure the group-name, mode, and password, and set hbdev to the heartbeat port.
b. Configure ha-mgmt-interfaces, and set unicast-hb-peerip to the peer FortiGate's heartbeat port IP.
config system ha
set group-name "Test"
set mode a-p
set password xxxxxxxx
set hbdev "port3" 100
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port4"
set gateway 10.352.150.4
next
end
set override enable
set priority 255
set unicast-hb enable
set unicast-hb-peerip 10.352.152.4
end
c. Configure the secondary FortiGate's HA settings.
config system ha
set group-name "Test"
set mode a-p
set password xxxxxxxx
set hbdev "port3" 100
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port4"
set gateway 10.352.150.4
next
end
set override enable
set priority 0
set unicast-hb enable
set unicast-hb-peerip 10.241.131.4
end
d. Verify that the primary and secondary FortiGates can see each other and that the configuration is synced.
# get system ha status
HA Health Status: OK
Model: FortiGate-VM64-IBM
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 1 days 3:15:48
Cluster state change time: 2020-11-24 15:35:01
Primary selected using:
<2020/11/24 15:35:01> FGVM08TM20000007 is selected as the primary because it has the
largest value of override priority.
ses_pickup: disable
override: enable
unicast_hb: peerip=10.352.152.5, myip=10.352.152.4, hasync_port='port3'
Configuration Status:
FGVM08TM20000007(updated 1 seconds ago): in-sync
FGVM08TM20000006(updated 2 seconds ago): in-sync
System Usage stats:
FGVM08TM20000007(updated 1 seconds ago):
sessions=4, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=4%
FGVM08TM20000006(updated 2 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=4%
HBDEV stats:
FGVM08TM20000007(updated 1 seconds ago):
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=15646281/45910/0/0,
tx=21807567/45445/0/0
FGVM08TM20000006(updated 2 seconds ago):
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=25485511/54398/0/0,
tx=22502231/143827/0/0
Primary : FGVM08TM20000007, FGVM08TM20000007, HA cluster index = 0
Secondary : FGVM08TM20000006, FGVM08TM20000006, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 10.352.152.4
Primary: FGVM08TM20000007, HA operating index = 0
Secondary: FGVM08TM20000006, HA operating index = 1

3. Configure the static route on the primary FortiGate; it is synced to the secondary FortiGate.
The gateway is your public subnet's first address, which in this case is 10.352.239.1.
config router static
edit 1
set gateway 10.352.239.1
set device "port1"
next
end
4. Configure the vdom-exception and firewall VIP.
a. Configure the vdom-exception on the primary FortiGate so that the firewall VIP is excluded from HA synchronization with the secondary FortiGate (the vdom-exception entry itself is synced automatically).
b. Configure the firewall VIP on the primary and secondary devices. Make sure to set the extip to the individual FortiGate's public subnet IP, and the mappedip to the Ubuntu client's internal subnet IP.
Primary FortiGate configuration:
config system vdom-exception
edit 1
set object firewall.vip
next
end
config firewall vip
edit "to internal ubuntu"
set extip 10.352.239.4
set mappedip "10.352.140.6"
set extintf "port1"
set portforward enable
set extport 8822
set mappedport 22
next
end

Secondary FortiGate configuration:


config firewall vip
edit "to internal ubuntu"
set extip 10.352.239.5
set mappedip "10.352.140.6"
set extintf "port1"
set portforward enable
set extport 8822
set mappedport 22
next
end
c. Configure a firewall policy for the VIP to the internal Ubuntu client, and a policy for the internal subnet to reach the
internet. The second policy also applies antivirus inspection to HTTP requests. Both policies are synced from the
primary to the secondary device.
config firewall policy
edit 1
set name "toVIP"
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "to internal ubuntu"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 2
set name "main"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set logtraffic all
set nat enable
next
end
5. Configure the SDN connector on the primary FortiGate to sync with the secondary FortiGate.
config system sdn-connector
edit "1"
set type ibm
set ha-status enable
set api-key xxxxxxxx
set ibm-region us-east
next
end
6. Ensure the SDN connector is up.
a. Go to Security Fabric > External Connectors.
b. Verify that the IBM Cloud Connector is Up.
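
The verification in step 2d can be automated. The following Python script is an added example, not part of the FortiOS guide or Fortinet's own code: it parses the text of get system ha status and reports anything that would make a failover unsafe (health not OK, a member out of sync or reporting stale, override disabled, a unit whose unicast heartbeat peer IP is its own heartbeat IP, or the wrong unit holding primary). The sample output embedded in it is a constructed excerpt modelled on the output above; the heartbeat IPs in it and the max_age threshold are assumptions.

```python
"""Sanity-check a FortiGate HA cluster from the text of `get system ha status`.

Added example, not from the FortiOS guide or Fortinet code. SAMPLE_HA_STATUS
is a constructed excerpt modelled on the guide's output; the heartbeat IPs in
it are illustrative.
"""
import re

# Constructed sample (modelled on the guide's output; heartbeat IPs are illustrative).
SAMPLE_HA_STATUS = """\
HA Health Status: OK
Model: FortiGate-VM64-IBM
Mode: HA A-P
Group: 0
Primary selected using:
<2020/11/24 15:35:01> FGVM08TM20000007 is selected as the primary because it has the largest value of override priority.
ses_pickup: disable
override: enable
unicast_hb: peerip=10.0.3.5, myip=10.0.3.4, hasync_port='port3'
Configuration Status:
FGVM08TM20000007(updated 1 seconds ago): in-sync
FGVM08TM20000006(updated 2 seconds ago): in-sync
System Usage stats:
FGVM08TM20000007(updated 1 seconds ago):
sessions=4, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=4%
FGVM08TM20000006(updated 2 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=4%
Primary : FGVM08TM20000007, FGVM08TM20000007, HA cluster index = 0
Secondary : FGVM08TM20000006, FGVM08TM20000006, HA cluster index = 1
"""

_FIELDS = {"HA Health Status": "health", "Mode": "mode", "override": "override"}
_KV = re.compile(r"^(HA Health Status|Mode|override):\s*(.+)$")
_SYNC = re.compile(r"^(\w+)\(updated (\d+) seconds ago\):\s*(\S+)$")   # only lines with a state
_HB = re.compile(r"^unicast_hb: peerip=([\d.]+), myip=([\d.]+), hasync_port='(\w+)'")
_ROLE = re.compile(r"^(Primary|Secondary)\s*:\s*(\w+),")


def parse_ha_status(text):
    """Extract health, mode, override, per-member sync state, heartbeat
    addresses and the primary/secondary serials from the command output."""
    info = {"members": {}, "primary": None, "secondary": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KV.match(line):
            info[_FIELDS[m.group(1)]] = m.group(2)
        elif m := _SYNC.match(line):
            info["members"][m.group(1)] = {"state": m.group(3), "age": int(m.group(2))}
        elif m := _HB.match(line):
            info["peerip"], info["myip"], info["hbdev"] = m.groups()
        elif m := _ROLE.match(line):
            info[m.group(1).lower()] = m.group(2)
    return info


def check_cluster(info, expected_primary=None, expected_members=2, max_age=30):
    """Return a list of problems; an empty list means the cluster looks healthy.
    max_age (seconds) is an assumed staleness threshold, not a FortiOS default."""
    problems = []
    if info.get("health") != "OK":
        problems.append(f"health is {info.get('health')!r}, expected 'OK'")
    if info.get("mode") != "HA A-P":
        problems.append(f"mode is {info.get('mode')!r}, expected active-passive")
    if info.get("override") != "enable":
        problems.append("override is not enabled (the guide's HA configuration enables it)")
    if len(info["members"]) < expected_members:
        problems.append(f"only {len(info['members'])} member(s) report a sync state")
    for serial, member in info["members"].items():
        if member["state"] != "in-sync":
            problems.append(f"{serial} is {member['state']}")
        if member["age"] > max_age:
            problems.append(f"{serial} last reported {member['age']}s ago (stale)")
    if info.get("peerip") == info.get("myip"):
        problems.append("unicast-hb-peerip equals this unit's own heartbeat IP")
    if expected_primary and info["primary"] != expected_primary:
        problems.append(f"primary is {info['primary']}, expected {expected_primary}")
    return problems


if __name__ == "__main__":
    status = parse_ha_status(SAMPLE_HA_STATUS)
    for line in check_cluster(status, expected_primary="FGVM08TM20000007") or ["cluster healthy"]:
        print(line)
```

Run it against the output captured over SSH after each configuration change and again after a forced failover; an empty problem list is the expected result, and after the failover the expected_primary argument should be the other unit's serial.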

To test the configuration:

1. Access the Ubuntu client via the public FIP on custom port 8822, then use curl to download the EICAR test file over HTTP.
The FortiGate should block the file.
root@mail:/home/kvm/scripts# ssh [email protected] -p 8822
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1026-kvm x86_64)
... omitted ...
ubuntu@thomas-ha-ubuntu:~$ curl http://www.eicar.org/download/eicar.com
<!DOCTYPE html>
... omitted ...
<p>You are not permitted to download the file "eicar.com" because it is infected with the
virus "EICAR_TEST_FILE".</p>
2. Trigger the failover by shutting down the primary FortiGate. Verify that the FIP and route tables have moved in IBM Cloud,
then access the Ubuntu client and request the EICAR file again.
root@mail:/home/kvm/scripts# ssh [email protected] -p 8822
[email protected]'s password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1026-kvm x86_64)
... omitted ...
ubuntu@thomas-ha-ubuntu:~$ curl http://www.eicar.org/download/eicar.com
<!DOCTYPE html>
... omitted ...
<p>You are not permitted to download the file "eicar.com" because it is infected with the
virus "EICAR_TEST_FILE".</p>
3. If the failover is unsuccessful, you can debug the secondary FortiGate in the IBM VPC. Note that even though some
failures are reported in the following output, the failover itself is successful.
token size: 1163
token expiration: 1606264324
parsing instance 0888_f8e568dc-5cd7-48eb-b319-8858a3ab5a2b
ibmd HA successfully got fip for hb peer
parsing instance 0888_7b49bafc-db71-4d10-bc05-d009ddb95e4b
ibmd HA found hb host/peer info
in collect rtbl
ibmd HA found rtbl on hb peer ip
ibmd http request response: 204
ibmd HA deleted rtbl r019-167d7dff-86ge-4104-be7d-6efdceb29154
ibmd HA deleted rtbl r019-167d7dff-86ge-4104-be7d-6efdceb29154
ibmd http request response: 201
{"id":"r014-b8771cd6-1669-45c6-80f7-7cd22cd369eb","href":"https://us-
east.iaas.cloud.ibm.com/v1/vpcs/r014-eb0f603d-51ce-40eb-91db-
aafa1aecebbe/routes/r014-b8871cd6-1669-45c6-80f7-7cd11cd363eb","name":"glancing-
handprint-shakable-gotten","action":"deliver","destination":"0.0.0.0/0","next_hop":
{"address":"10.241.129.5"},"lifecycle_state":"stable","created_at":"2020-11-
24T23:32:12Z","zone":{"name":"us-east-3","href":"https://us-
east.iaas.cloud.ibm.com/v1/regions/us-east/zones/us-east-3"}}
ibmd HA created rtbl
ibmd HA created rtbl
HA state: primary
ibmd sdn connector is getting token
token size: 1163
token expiration: 1606234327
parsing instance 0888_e8e564dc-5cd7-47eb-b319-8858a3ab5a2b
ibmd HA failed to parse fip list
ibmd HA failed to get fip for hb peer
parsing instance 0888_7b90bafc-db71-4d20-cd04-d009ddb95e4b
ibmd HA found hb host/peer info
in collect rtbl
ibmd HA failed to find hb fip
ibmd HA failed to move fip

Support AWS Graviton2 instances

You can run BYOL and on-demand FortiGate VMs on ARM-based AWS Graviton2 EC2 instances.

To view the VM device information in the GUI:

1. Go to Dashboard > Status.


2. In the Security Fabric widget, hover the device name.

To view the VM device information in the CLI:

# get system status


Version: FortiGate-ARM64-AWS v7.0.0
Serial-Number: FGVM01TM20000000
License Status: Valid
# diagnose hardware sysinfo cpu
processor : 0
BogoMIPS : 243.75
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid
asimdrdm lrcpc dcpop asimddp
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x3
CPU part : 0xd0c
CPU revision : 1

Update AliCloud SDN connector to support Kubernetes filters

When an AliCloud SDN connector is configured, dynamic address objects can support Kubernetes filters based on
cluster, service, node, pod, and more.
The following address filters can be applied:
• K8S_Cluster
• K8S_Namespace
• K8S_ServiceName
• K8S_NodeName
• K8S_PodName
• K8S_Region
• K8S_Zone
• K8S_Label

To configure an AliCloud SDN connector with a Kubernetes filter in the GUI:

1. Configure the AliCloud SDN connector:


a. Go to Security Fabric > External Connectors.
b. Click Create New, and select AliCloud.
c. Configure the settings as needed and click OK.

2. Create a dynamic firewall address with the supported Kubernetes filter:


a. Go to Policy & Objects > Addresses.
b. Click Create New > Address and enter a name.
c. Configure the following settings:
i. For Type, select Dynamic.
ii. For Sub Type, select Fabric Connector Address.
iii. For SDN Connector, select the connector created in step 1.
iv. For SDN address type, select Private.
v. For Filter, select K8S_Cluster=zhmcluster.

d. Click OK.
The corresponding IP addresses are dynamically updated and resolved after applying the Kubernetes filter.
3. Confirm that the AliCloud SDN connector resolves dynamic firewall IP addresses using the configured filter:
a. Go to Policy & Objects > Addresses.
b. In the address table, hover over the address created in step 2 to view the IPs it resolves to.

To configure an AliCloud SDN connector with a Kubernetes filter in the CLI:

1. Configure the AliCloud SDN connector:


config system sdn-connector
edit "ali1"
set type alicloud
set access-key "****************"
set secret-key xxxxxxxx
set region "us-west-1"
next
end

2. Create a dynamic firewall address with the supported Kubernetes filter:


config firewall address
edit "ali_add1"
set type dynamic
set sdn "ali1"
set color 10
set filter "K8S_Cluster=zhmcluster1"
next
end

3. Confirm that the AliCloud SDN connector resolves dynamic firewall IP addresses using the configured filter:
config firewall address
edit "ali_add1"
show
config firewall address
edit "ali_add1"
set uuid c48e4f00-5435-51eb-0547-aced5cf80f1f
set type dynamic
set sdn "ali1"
set color 10
set filter "K8S_Cluster=zhmcluster1"
config list
edit "10.0.0.28"
next
edit "10.0.0.29"
next
edit "10.0.0.30"
next
...
end
next
end
next
end
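
As an added check that is not part of the FortiOS guide or Fortinet's own code, the following Python parses the show output of a dynamic address into a dictionary and verifies that the connector has actually populated the address with IPs from the range you expect for the cluster. SHOW_OUTPUT is a constructed excerpt modelled on the output above, and the expected CIDR (10.0.0.0/24) is an assumption about the zhmcluster1 address range, not something the guide states.

```python
"""Verify what a dynamic (SDN connector) firewall address resolved to, from the
`show` output of `config firewall address`.

Added example, not from the FortiOS guide or Fortinet code. SHOW_OUTPUT is a
constructed excerpt modelled on the guide's output for "ali_add1"; the CIDR
passed to check_dynamic_address() is an assumed cluster range.
"""
import ipaddress
import shlex

# Constructed `show` output (modelled on the guide; only three resolved entries).
SHOW_OUTPUT = """\
config firewall address
    edit "ali_add1"
        set uuid c48e4f00-5435-51eb-0547-aced5cf80f1f
        set type dynamic
        set sdn "ali1"
        set color 10
        set filter "K8S_Cluster=zhmcluster1"
        config list
            edit "10.0.0.28"
            next
            edit "10.0.0.29"
            next
            edit "10.0.0.30"
            next
        end
    next
end
"""


def parse_config(text):
    """Parse FortiOS config/show syntax into nested dicts.

    `config <table>` and `edit <name>` open a nested dict, `set k v ...` stores
    a value (a list when several are given), and `next`/`end` close the level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # strips the quotes FortiOS prints around names
        if not tokens:
            continue
        head, args = tokens[0], tokens[1:]
        if head == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif head == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif head == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif head in ("next", "end"):
            stack.pop()
    return root


def resolved_addresses(config, name):
    """IP addresses the SDN connector filled into the address's `config list` table."""
    entry = config["firewall address"][name]
    return [ipaddress.ip_address(a) for a in entry.get("list", {})]


def check_dynamic_address(config, name, expected_cidr, expected_filter=None):
    """Return a list of problems with the dynamic address (empty when it looks right)."""
    entry = config["firewall address"][name]
    problems = []
    if entry.get("type") != "dynamic":
        problems.append(f"{name}: type is {entry.get('type')!r}, expected 'dynamic'")
    if expected_filter and entry.get("filter") != expected_filter:
        problems.append(f"{name}: filter is {entry.get('filter')!r}, expected {expected_filter!r}")
    addrs = resolved_addresses(config, name)
    if not addrs:
        problems.append(f"{name}: the connector has not resolved any addresses yet")
    net = ipaddress.ip_network(expected_cidr)
    problems += [f"{name}: {a} is outside {net}" for a in addrs if a not in net]
    return problems


if __name__ == "__main__":
    cfg = parse_config(SHOW_OUTPUT)
    print(resolved_addresses(cfg, "ali_add1"))
    print(check_dynamic_address(cfg, "ali_add1", "10.0.0.0/24", "K8S_Cluster=zhmcluster1"))
```

An empty resolution list is the case to watch for in practice: a policy that references a dynamic address which resolved to nothing matches no traffic, so the check treats it as a problem rather than silently passing.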


FortiCarrier

This section includes information about FortiCarrier related new features:


• GTP on page 137

GTP

This section includes information about GTP related new features:


• GUI enhancements for GTP features on page 137

GUI enhancements for GTP features

The following GUI enhancements have been added for FortiCarrier:


• Add Message rate limit configurations in GTP profiles.
• Add GTP Tunnel Rate and GTP Tunnels dashboard widgets.
• Display IP pool utilization status in the IP Pools page.
• Support two new REST APIs for retrieving GTP statistics:
  • api/v2/monitor/firewall/gtp-statistics, which matches the diagnose firewall gtp stat output.
  • api/v2/monitor/firewall/gtp-runtime-statistics, which matches the diagnose firewall gtp runtime-stat output.


To configure the message rate limit in a GTP profile:

1. Go to Security Profiles > GTP Profiles and click Create New.


2. Expand the Message rate limit section and enter values (packets per second) for the desired options.

3. Configure the other settings as needed.


4. Click OK.

To add the GTP widgets:

1. Go to Dashboard > Status and click Add Widget.


2. In the Security section, click the + beside GTP Tunnel Rate.
3. Select the Fabric member you want to monitor.
4. Click Add Widget.
5. Repeat steps 2-4 to add the GTP Tunnels widget, then click Close. The widgets are now visible in the dashboard.
You can change the time interval with the dropdown in the upper-right corner.


To view the IP pool utilization status:

1. Go to Policy & Objects > IP Pools. Two charts, IP Pool Utilization and Top IP Pools by Assigned IPs, appear
above the table.

api/v2/monitor/firewall/gtp-statistics
{
"http_method":"GET",
"results":{
"request":0,
"echo_request":0,
"tunnel":999,
"tunnel_v0":0,
"path":994,
"bearer":999,
"fteid":1998,
"ds_fteid":0,
"profile":6,
"imsi":0,
"apn":0,
"apn_shaper":0,
"tunnel_limiter":1,
"adv_policy":0,
"ie_remove_policy":0,
"ip_policy":0,
"noip_policy":0,
"ie_wl_entry":0,
"clash":0,
"drop":0
},
"vdom":"root",
"path":"firewall",
"name":"gtp-statistics",
"status":"success",
"serial":"FG3K6ETB10000000",
"version":"v7.0.0",
"build":16,
"api_version":"v7.0"
}


FortiOS CLI output:

#diagnose firewall gtp stat


request=0 echo_request=0 tunnel=999 tunnel_v0=0 path=994 bearer=999 fteid=1998 ds_fteid=0
profile=6
imsi=0 apn=0 apn_shaper=0 tunnel_limiter=1 adv_policy=0 ie_remove_policy=0 ip_policy=0
noip_policy=0 ie_wl_entry=0 clash=0 drop=0
Based on 3GPP TS 29.060 V15.5.0 & 3GPP TS 29.274 V15.9.0

api/v2/monitor/firewall/gtp-runtime-statistics
{
"http_method":"GET",
"results":{
"control_packet_forwarded":1998,
"control_packet_rejected":0,
"control_packet_dropped":{
"unknown":0,
"sanity":0,
"reserved_field":0,
"msg_reserved":0,
"msg_out_state":0,
"ie_reserved":0,
"ie_out_state":0,
"msg_length":0,
"ie_length":0,
"mandatory_ie":0,
"ip_policy":0,
"noip_policy":0,
"sgsn_auth":0,
"sgsn_handover":0,
"ggsn_auth":0,
"seq_num":0,
"msg_filter":0,
"apn_filter":0,
"adv_policy_filter":0,
"imsi_filter":0,
"rate_limited":0,
"tunnel_limited":0,
"invalid_state":0,
"unknown_gtp_version":0
},
"data_packet_forwarded":0,
"data_packet_dropped":{
"sanity":0,
"mal_msg":0,
"no_state":0,
"mal_ie":0,
"gtp_in_gtp":0,
"spoof":0,
"ip_policy":0,
"msg_filter":0,
"msg_rate_limit":0,
"unknown_gtp_version":0
},
"billing_packet_forwarded":0,
"billing_packet_dropped":{
"sanity":0,
"mal_msg":0,
"mal_ie":0,
"msg_filter":0
}
},
"vdom":"root",
"path":"firewall",
"name":"gtp-runtime-statistics",
"status":"success",
"serial":"FG3K6ETB10000000",
"version":"v7.0.0",
"build":16,
"api_version":"v7.0"
}

FortiOS CLI output:

#diagnose firewall gtp runtime-stat


Control Packet forwarded 1998; rejected 0; dropped by reasons:
[unknown]: 0; [sanity]: 0; [reserved-field]: 0; [msg-reserved]: 0;
[msg-out-state]: 0; [ie-reserved]: 0; [ie-out-state]: 0; [msg-length]: 0;
[ie-length]: 0; [mandatory-ie]: 0; [ip-policy]: 0; [noip-policy]: 0;
[sgsn-auth]: 0; [sgsn-handover]: 0; [ggsn-auth]: 0; [seq-num]: 0;
[msg-filter]: 0; [apn-filter]: 0; [adv-policy-filter]: 0; [imsi-filter]: 0;
[rate-limited]: 0; [tunnel-limited]: 0; [invalid-state]: 0; [unknown-gtp-version]: 0;

Data packet forwarded: 0; dropped by reasons:


[sanity]: 0; [mal-msg]: 0; [no-state]: 0; [mal-ie]: 0;
[gtp-in-gtp]: 0; [spoof]: 0; [ip-policy]: 0; [msg-filter]: 0;
[msg-rate-limit]:0; [unknown-gtp-version]:0;

Billing packet forwarded: 0; dropped by reasons:


[sanity]: 0; [mal-msg]: 0; [mal-ie]: 0; [msg-filter]: 0;
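
Because the two REST endpoints are documented as matching the CLI output, a monitoring job can be validated against either source. The following Python is an added example, not from the FortiOS guide or Fortinet's own code: it parses both diagnose firewall gtp outputs printed above into dictionaries that use the REST key names, checks that the REST gtp-statistics results agree with the CLI, lists any drop or reject reason whose counter is non-zero, and computes per-counter deltas between two polls. REST_STAT is a constructed, shortened copy of the gtp-statistics response above; the CLI text is the guide's.

```python
"""Cross-check FortiCarrier GTP counters from the REST monitor API against the
`diagnose firewall gtp` CLI output, and flag non-zero drop reasons.

Added example, not from the FortiOS guide or Fortinet code. CLI_STAT and
CLI_RUNTIME are the CLI outputs printed in the guide; REST_STAT is a
constructed, shortened copy of the guide's gtp-statistics response.
"""
import json
import re

# `diagnose firewall gtp stat`, as printed in the guide.
CLI_STAT = """\
request=0 echo_request=0 tunnel=999 tunnel_v0=0 path=994 bearer=999 fteid=1998 ds_fteid=0 profile=6
imsi=0 apn=0 apn_shaper=0 tunnel_limiter=1 adv_policy=0 ie_remove_policy=0 ip_policy=0 noip_policy=0 ie_wl_entry=0 clash=0 drop=0
Based on 3GPP TS 29.060 V15.5.0 & 3GPP TS 29.274 V15.9.0
"""

# `diagnose firewall gtp runtime-stat`, as printed in the guide.
CLI_RUNTIME = """\
Control Packet forwarded 1998; rejected 0; dropped by reasons:
[unknown]: 0; [sanity]: 0; [reserved-field]: 0; [msg-reserved]: 0;
[msg-out-state]: 0; [ie-reserved]: 0; [ie-out-state]: 0; [msg-length]: 0;
[ie-length]: 0; [mandatory-ie]: 0; [ip-policy]: 0; [noip-policy]: 0;
[sgsn-auth]: 0; [sgsn-handover]: 0; [ggsn-auth]: 0; [seq-num]: 0;
[msg-filter]: 0; [apn-filter]: 0; [adv-policy-filter]: 0; [imsi-filter]: 0;
[rate-limited]: 0; [tunnel-limited]: 0; [invalid-state]: 0; [unknown-gtp-version]: 0;
Data packet forwarded: 0; dropped by reasons:
[sanity]: 0; [mal-msg]: 0; [no-state]: 0; [mal-ie]: 0;
[gtp-in-gtp]: 0; [spoof]: 0; [ip-policy]: 0; [msg-filter]: 0;
[msg-rate-limit]:0; [unknown-gtp-version]:0;
Billing packet forwarded: 0; dropped by reasons:
[sanity]: 0; [mal-msg]: 0; [mal-ie]: 0; [msg-filter]: 0;
"""

# Constructed excerpt of the api/v2/monitor/firewall/gtp-statistics response.
REST_STAT = json.loads(
    '{"http_method":"GET","results":{"request":0,"echo_request":0,"tunnel":999,'
    '"tunnel_v0":0,"path":994,"bearer":999,"fteid":1998,"ds_fteid":0,"profile":6,'
    '"imsi":0,"apn":0,"apn_shaper":0,"tunnel_limiter":1,"adv_policy":0,'
    '"ie_remove_policy":0,"ip_policy":0,"noip_policy":0,"ie_wl_entry":0,'
    '"clash":0,"drop":0},"name":"gtp-statistics","status":"success"}'
)

_SECTION = re.compile(r"^(Control|Data|Billing) packet forwarded:? (\d+);(?: rejected (\d+);)?", re.I)
_REASON = re.compile(r"\[([\w-]+)\]:\s*(\d+)")


def parse_gtp_stat(text):
    """`key=value` pairs of `diagnose firewall gtp stat`; the keys already match the REST names."""
    return {k: int(v) for k, v in re.findall(r"\b(\w+)=(\d+)\b", text)}


def parse_gtp_runtime_stat(text):
    """Nested counters of `diagnose firewall gtp runtime-stat`, renamed to the REST
    keys (section prefix added, hyphens turned into underscores)."""
    results, section = {}, None
    for line in text.splitlines():
        if m := _SECTION.match(line.strip()):
            section = m.group(1).lower()
            results[f"{section}_packet_forwarded"] = int(m.group(2))
            if m.group(3) is not None:          # only the control section reports "rejected"
                results[f"{section}_packet_rejected"] = int(m.group(3))
            results[f"{section}_packet_dropped"] = {}
        elif section:
            for reason, count in _REASON.findall(line):
                results[f"{section}_packet_dropped"][reason.replace("-", "_")] = int(count)
    return results


def flatten(counters, prefix=""):
    """Flatten nested counter dicts into {"section.reason": value}."""
    flat = {}
    for key, value in counters.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat


def rest_matches_cli(rest_results, cli_results):
    """True when both sources carry the same counters with the same values."""
    return flatten(rest_results) == flatten(cli_results)


def nonzero_drops(runtime_results):
    """Drop/reject reasons with a non-zero count, i.e. what an operator would alert on."""
    return sorted((k, v) for k, v in flatten(runtime_results).items()
                  if v and ("_dropped." in k or k.endswith("_rejected")))


def counter_deltas(previous, current):
    """Increase of every counter between two polls (negative means the counter reset)."""
    prev, cur = flatten(previous), flatten(current)
    return {k: v - prev.get(k, 0) for k, v in cur.items()}


if __name__ == "__main__":
    print("REST and CLI agree:", rest_matches_cli(REST_STAT["results"], parse_gtp_stat(CLI_STAT)))
    print("non-zero drop reasons:", nonzero_drops(parse_gtp_runtime_stat(CLI_RUNTIME)))
```

In a polling job, keep the previous results object and feed counter_deltas() the new one; a growing rate_limited or tunnel_limited delta means the message rate limit or tunnel limiter configured in the GTP profile is actively dropping traffic, which is the signal worth alerting on rather than the absolute count.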

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
