New Features Guide

FortiOS 7.6.0

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 24, 2025

FortiOS 7.6.0 New Features Guide
01-760-1015000-20250424
TABLE OF CONTENTS

Change Log 10
Overview 12
GUI 13
General usability enhancements 13
GUI support for local-in policies 13
GUI support for internet service groups 17
GUI displays logic between firewall policy objects 20
GUI support to create policies in FortiView Sources and traffic logs 23
GUI improvements to device upgrade 28
GUI support for enhanced logging for threat feeds 34
Expanded support for Advanced Threat Protection Statistics widget 38
GUI improvements to the IPsec VPN Wizard 40
GUI improvements to Security Rating 55
GUI support for web proxy forward server over IPv6 57
GUI support for security posture tags in dial-up IPsec VPN tunnels 7.6.1 59
CLI diagnostic shortcuts in the GUI 7.6.1 60
Asset Details pane 7.6.1 61
GUI access for global search 7.6.3 68
GUI warnings for IKE-TCP port conflicts 7.6.3 70
GUI improvements of PIM support for VRFs 7.6.3 72
Network 74
General 74
Configure the VRRP hello timer in milliseconds 74
FortiGate as a recursive DNS resolver 75
BGP network prefixes utilize firewall addresses and groups 81
Support UDP-Lite traffic 83
Custom LSA refresh rates and fast link-down detection on VLAN interfaces for OSPF 87
Filter NetFlow sampling 88
SOCKS proxy supports UTM scanning, authentication, and forward server 92
Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations 96
Include groups in PIM join/prune messages 99
Automatic LTE connection establishment 104
Netflow sampling 105
Support source-IP interface for system DNS database 107
Extended VRF ID range for enhanced network scalability 7.6.1 109
Enhanced PIM support for VRFs 7.6.1 109
Including denied multicast sessions in the session table 7.6.1 111
Support specific VRF ID for local-out traffic 7.6.1 112
Support source IP interface for system DNS 7.6.1 118
Improvements to IPsec monitoring 7.6.1 119
Connectivity Fault Management (CFM) now available for FG-80F-POE and FG-20xF models 7.6.3 123
Application and network performance monitoring with FortiTelemetry 7.6.3 123
Fortinet Support Tool for capturing incidents 145

FortiOS 7.6.0 New Features Guide 3


Fortinet Inc.
IPv6 151
DHCPv6 enhancements 151
Recursive resolution of BGP routes using IPv6 prefix with on-link flag from route aggregation 154
Enhancing SIP reliability in 464XLAT environments 7.6.1 156
Explicit and Transparent Proxy 162
Specifying outgoing interface and VRF for a web proxy forward server or isolator server 7.6.1 163
Isolator servers in proxy policies 7.6.1 165
GUI support of isolator servers for proxy policies 7.6.3 168
SD-WAN 170
Overlays and underlays 170
ADVPN 2.0 enhancements 170
ADVPN 2.0 overlay placeholders for shortcuts between spokes 7.6.1 177
SD-WAN Setup wizard for guided configuration 7.6.1 185
Fabric Overlay Orchestrator Topology dashboard widget for hub FortiGates 7.6.3 193
Performance SLA 196
Embed SLA priorities in ICMP probes 196
Embed SLA status in ICMP probes 208
Map SD-WAN member priorities to BGP MED attribute when spoke advertises routes using iBGP to hub 7.6.1 220
FortiGuard SLA database for SD-WAN performance SLA 7.6.1 226
Passive monitoring of TCP metrics 7.6.1 230
Enhanced passive monitoring of TCP metrics 7.6.3 234
Service rules 236
Allow SD-WAN rules to steer IPv6 multicast traffic 236
Specify SD-WAN zones in some policies 7.6.1 242
Policy and objects 246
NGFW 246
Seven-day policy hit counter 246
Policies 247
NPTv6 protocol for IPv6 address translation 248
MAP-E supports multiple VNE interfaces in the same VDOM 251
Full cone NAT for fixed port range IP pools 252
Custom port ranges for PBA and FPR IP pools 255
HTTP transaction logging 258
Support for NAT64 in FPR IP pools 263
Support for randomized port selection in IP pool mechanisms 7.6.1 266
Enhanced security with default local-in policy 7.6.1 268
DHCP-PD support for MAP-E 7.6.1 271
Objects 277
RSSO dynamic address subtype 7.6.1 277
New ISDB record for SOCaaS 7.6.1 280
Zero Trust Network Access 283
Security posture and EMS connector 283
Share ZTNA information through the EMS connector 283
Application gateway 283

ZTNA agentless web-based application access 7.6.1 283
General 293
ZTNA support for UDP traffic 293
ZTNA support for SaaS application access control in the GUI 306
Include EMS tag information in traffic logs 308
ZTNA single sign-on with Entra ID 7.6.3 308
ZTNA tags on 2 GB entry-level platforms in IP/MAC-based access control 7.6.3 317
Security profiles 319
Antivirus 319
Sanitize Microsoft OneNote files through content disarm and reconstruction 319
Stream-based antivirus scanning for HTML and Javascript files 321
Web filter 323
Introduce URL risk-scores in determining policy action 7.6.1 323
IPS 331
AI and ML-based IPS detection 7.6.3 331
Data loss prevention 334
FortiGuard managed DLP dictionaries 334
Application control 339
Introducing domain fronting protection 339
Virtual patching 341
Streamline IoT/OT device detection 7.6.1 341
Unified OT virtual patching and IPS signatures 7.6.1 344
Others 348
Support the Zstandard compression algorithm for web content 348
DNS filtering in proxy policies 351
DNS translation support for Service records over the DNS Filter profile 354
Control TLS connections that utilize Encrypted Client Hello 358
Selective forwarding to ICAP server 7.6.1 358
Control TLS connections that utilize Encrypted Client Hello in flow mode 7.6.3 361
Inline CASB security profile to support control factors in exchanged JSON data for custom SaaS applications 7.6.3 368
VPN 376
IPsec and SSL VPN or Agentless VPN 376
Automatic selection of IPsec tunneling protocol 376
Security posture tag match enforced before dial-up IPsec VPN connection 381
Enhancing security with Post-Quantum Cryptography for IPsec key exchange 7.6.1 385
Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3 392
Agentless VPN 7.6.3 413
Configure FortiClient SIA for IPsec VPN tunnels 7.6.3 413
Support Quantum Key Distribution and Digital Signature Algorithm Post-Quantum Cryptography 7.6.3 417
User and authentication 423
Authentication 423
Customizable password reuse thresholds 423
Trigger RADIUS authentication with DNS and ICMP queries 426
Authentication sessions preserved after a reboot 429
SCIM server support 431

GUI support for SCIM clients 7.6.1 435
Bearer token authentication for SCIM 7.6.1 439
LAN Edge 442
Wireless 442
Support the 802.11mc protocol in FortiAP 442
Support OpenRoaming Standards on FortiAP 445
Support segregating WLAN traffic on FortiAPs operating in WAN-LAN mode 447
Support isolating mDNS traffic on the Bonjour profile 450
Support RADIUS NAS-ID on FortiAPs in standalone mode 453
Improve packet detection on the FortiAP sniffer 454
Support RADSEC on WPA2/WPA3-Enterprise SSID 457
Add GUI support for configuring wireless data rates and sticky client thresholds 458
Support self-registration of MPSKs through FortiGuest 461
Support IKEv2 for FortiAP IPsec data channel management 463
Support WPA3-SAE and WPA3-SAE Transition security modes in MPSK profiles 466
Add Advanced WIDS Options 7.6.1 471
Support RADSEC on Local Bridge mode captive portals 7.6.1 476
Add a RADIUS Called Station ID setting 7.6.1 478
Support remote TACACS access to FortiAP 7.6.1 479
Support RADIUS Accounting messages over FortiGuest MPSK Authentication 7.6.1 481
Switch controller 482
Change the priority of MAB and EAP 802.1X authentication 483
Send SNMP traps for MAC address changes 488
Support QinQ with the switch controller 7.6.1 489
Enhance network performance with VLAN pruning 7.6.1 494
Provide an enhanced GUI for NAC policies 7.6.3 495
Support IPv6 addresses for managed FortiSwitch units 7.6.3 496
Prevent automatically created VLANs 7.6.3 497
FortiExtender 498
Support fast failover for FortiExtender 498
Support VLAN over FortiExtender LAN-extension mode 7.6.1 498
Support split tunneling in LAN extension mode 7.6.1 506
Support multiple APNs in WAN extension mode 7.6.1 511
Support FortiCare registration for FortiExtender 7.6.1 513
Add GUI support for split tunneling in LAN extension mode 7.6.3 514
Add GUI support for multiple APNs in WAN extension mode 7.6.3 516
Add GUI support for FortiCare registration for FortiExtender 7.6.3 518
System 521
General 521
Restrict local administrator logins through the console 521
Configure TCP NPU session delay globally 523
Object usage included in the print tablesize command output 525
Simplified device registration for Security Fabric devices 7.6.1 525
Firmware upgrade report 7.6.1 527
Optimizations for physical FortiGate devices with 2 GB RAM 7.6.3 531
FortiGuard 532
Streamline timezone updates with a downloadable database 532
Streamlined subscription and FortiGuard settings management 7.6.1 533

FortiGate StateRamp support 7.6.1 536
AMQP-powered subscription notifications for FortiGuard 7.6.3 539
High availability 543
Manual and automatic HA virtual MAC address assignment 543
Backup heartbeat interface mitigates split-brain scenarios 545
RSSO authenticated user logon information synchronized between FGSP peers 547
FGSP support for failover with asymmetric traffic and UTM 552
Monitor routing prefix for FGSP session failover 7.6.1 553
Single FortiGuard license for FortiGate A-P HA cluster 7.6.1 556
Certificates 557
ACME External Account Binding support 7.6.3 557
Security 560
Encrypt configuration files in the eCryptfs file system 560
Closed network VM license security enhancement 561
OpenSSL FIPS provider installed globally at startup 563
Enhance real-time file system integrity checking 564
Use per-FortiGate generated random password for private-data-encryption 7.6.1 564
Enhanced administrator password security 7.6.1 565
BIOS security Low and High level classification 7.6.1 568
SNMP 568
Ethernet Statistics Group 568
Non-management VDOMs perform queries using SNMP v3 569
SNMP support for BIOS security level 570
Security Fabric 573
Fabric settings and connectors 573
Apply threat feed connectors as source addresses in central SNAT 573
Automatic serial number retrieval from FortiManager 577
Support multi-tenant FortiClient Cloud fabric connectors in the GUI 7.6.1 577
Generic connector for importing addresses 7.6.1 579
Support mTLS client certification for threat feed connections 7.6.1 586
GUI support for mTLS of threat feed connections 7.6.3 587
Enhancing FortiSandbox TLS security with CA and CN controls 7.6.3 588
Security ratings 592
Enhanced security rating customization 7.6.1 593
Unified OT virtual patching and IPS signatures 7.6.1 596
General 600
Enhanced security visibility for IoT/OT vulnerabilities 7.6.1 600
Log and report 605
Logging 605
Logging MAC address flapping events 605
Non-management VDOMs send logs to both global and vdom-override syslog servers 606
Logging message IDs 610
Incorporating endpoint device data in the web filter UTM logs 612
Set the source interface for syslog and NetFlow settings 613
Logging detection of duplicate IPv4 addresses 616
Logging local traffic per local-in policy 621
Logs generated when starting and stopping packet capture and TCP dump operations 627
Cloud 631
Public and private cloud 631
Azure SDN connector relay through FortiManager support 631
IBM Cloud virtual network interface support 633
GCP SDN connector relay through FortiManager support 633
Support the AWS r8g instance family 633
Support the AWS c8g instance family 633
KVM Red Hat Enterprise Linux 9.4 support 633
Azure SDN connector moves private IP address on trusted NIC during A-P HA failover 7.6.1 633
Support the OCI E5.Flex instance type 7.6.1 634
Azure SDN connector GraphQL bulk query support 7.6.1 634
AWS NitroTPM support 7.6.1 634
AWS SDN connector IPv6 address object support 7.6.1 639
GCP C4 Intel instance support 7.6.1 639
FortiGate-VM GDC V support 7.6.1 639
OCI SDN connector IPv6 address object support 7.6.1 648
GCP SDN connector IPv6 address object support 7.6.1 648
Support for Azure upcoming MANA NIC 7.6.1 648
Azure SDN connector IPv6 address object support 7.6.1 648
FGT_VM64_KVM IPsec performance improvement through virtio and RPS 7.6.1 649
FGT_VM64_KVM IPsec performance through DPDK improvement 7.6.1 649
FortiGate-VM config system affinity-packet-redistribution optimization 7.6.1 649
OCI support for on-premise solutions 7.6.1 649
AliCloud GWLB support 7.6.1 649
AliCloud ecs.g8i instance type support 7.6.3 649
Operational Technology 650
System 650
CLI to configure FGR-70F/FGR-70F-3G4G GPIO/DIO module alarm functionality 7.6.1 650
SNMP traps and automation-stitch notifications for DIO module alarm functionality 7.6.1 652
Support Ethernet layer protocols in the IPS engine 7.6.3 654
Index 660
7.6.0 660
GUI 660
Network 660
SD-WAN 661
Policy and objects 661
Zero Trust Network Access 661
Security Profiles 662
VPN 662
User & Authentication 662
LAN Edge 662
System 663
Security Fabric 663
Log & Report 663

Cloud 664
7.6.1 664
GUI 664
Network 664
SD-WAN 665
Policy and objects 665
Zero Trust Network Access 665
Security Profiles 665
VPN 665
User & Authentication 666
LAN Edge 666
System 666
Security Fabric 666
Cloud 667
Operational Technology 667
7.6.3 668
GUI 668
Network 668
SD-WAN 668
Zero Trust Network Access 668
Security Profiles 668
VPN 669
LAN Edge 669
System 669
Security Fabric 669
Cloud 669
Operational Technology 670

Change Log

Date Change Description

2025-04-24 Added Support IPv6 addresses for managed FortiSwitch units 7.6.3 on page 496 and Prevent automatically created VLANs 7.6.3 on page 497.

2025-04-21 Added AliCloud ecs.g8i instance type support 7.6.3 on page 649.

2025-04-16 Initial release of FortiOS 7.6.3.

2025-03-20 Added Streamline timezone updates with a downloadable database on page 532.

2025-03-17 Updated Stream-based antivirus scanning for HTML and Javascript files on page 321.

2025-03-06 Added Isolator servers in proxy policies 7.6.1 on page 165.

2025-03-04 Added Support FortiCare registration for FortiExtender 7.6.1 on page 513.

2025-03-03 Added Support multiple APNs in WAN extension mode 7.6.1 on page 511.

2025-02-28 Added Support split tunneling in LAN extension mode 7.6.1 on page 506.

2025-02-24 Added Support mTLS client certification for threat feed connections 7.6.1 on page 586.

2025-02-14 Added:
• Single FortiGuard license for FortiGate A-P HA cluster 7.6.1 on page 556
• AliCloud GWLB support 7.6.1 on page 649

2025-02-06 Added FortiGate StateRamp support 7.6.1 on page 536.

2025-01-09 Added Bearer token authentication for SCIM 7.6.1 on page 439.

2024-12-20 Added GUI support for SCIM clients 7.6.1 on page 435.

2024-12-16 Updated Add Advanced WIDS Options 7.6.1 on page 471.

2024-12-13 Added Enhancing security with Post-Quantum Cryptography for IPsec key exchange 7.6.1 on page 385 and BIOS security Low and High level classification 7.6.1 on page 568.

2024-12-10 Added KVM Red Hat Enterprise Linux 9.4 support on page 633.

2024-12-09 Added Generic connector for importing addresses 7.6.1 on page 579.

2024-12-06 Updated Monitor routing prefix for FGSP session failover 7.6.1 on page 553.

2024-12-04 Added Use per-FortiGate generated random password for private-data-encryption 7.6.1 on page 564.

2024-12-03 Added CLI diagnostic shortcuts in the GUI 7.6.1 on page 60 and OCI support for on-premise solutions 7.6.1 on page 649.

2024-12-02 Updated Add a RADIUS Called Station ID setting 7.6.1 on page 478.

2024-11-29 Added DHCP-PD support for MAP-E 7.6.1 on page 271 and Monitor routing prefix for FGSP session failover 7.6.1 on page 553.

2024-11-28 Initial release of FortiOS 7.6.1.

2024-11-07 Updated SCIM server support on page 431.

2024-10-29 Added Control TLS connections that utilize Encrypted Client Hello on page 358.

2024-10-24 Added Share ZTNA information through the EMS connector on page 283.

2024-10-10 Added Support the AWS r8g instance family on page 633.

2024-08-27 Added GCP SDN connector relay through FortiManager support on page 633.

2024-08-20 Updated Enhance real-time file system integrity checking on page 564.
Added Support fast failover for FortiExtender on page 498.

2024-08-09 Added Enhance real-time file system integrity checking on page 564.

2024-08-01 Added Support IKEv2 for FortiAP IPsec data channel management on page 463.

2024-07-26 Added IBM Cloud virtual network interface support on page 633.

2024-07-25 Initial release.

Overview

This guide provides details of new features introduced in FortiOS 7.6. For each feature, the guide provides detailed
information on configuration, requirements, and limitations, as applicable. Features are organized into the following
sections:
• GUI
• Network
• SD-WAN
• Policy and objects
• Zero Trust Network Access
• Security profiles
• VPN
• User and authentication
• LAN Edge
• System
• Security Fabric
• Log and report
• Cloud
• Operational Technology
For features introduced in 7.6.1 and later versions, the version number is appended to the end of the topic heading. For
example, Extended VRF ID range for enhanced network scalability 7.6.1 on page 109 was introduced in 7.6.1. If a topic
heading has no version number at the end, the feature was introduced in 7.6.0.
For a list of features organized by version number, see Index on page 660.

GUI

This section includes information about FortiOS GUI related new features:
• General usability enhancements on page 13

General usability enhancements

This section includes new features related to general usability enhancements:

• GUI support for local-in policies on page 13
• GUI support for internet service groups on page 17
• GUI displays logic between firewall policy objects on page 20
• GUI support to create policies in FortiView Sources and traffic logs on page 23
• GUI improvements to device upgrade on page 28
• GUI support for enhanced logging for threat feeds on page 34
• Expanded support for Advanced Threat Protection Statistics widget on page 38
• GUI improvements to the IPsec VPN Wizard on page 40
• GUI improvements to Security Rating on page 55
• GUI support for web proxy forward server over IPv6 on page 57
• GUI support for security posture tags in dial-up IPsec VPN tunnels 7.6.1 on page 59
• CLI diagnostic shortcuts in the GUI 7.6.1 on page 60
• Asset Details pane 7.6.1 on page 61
• GUI access for global search 7.6.3 on page 68
• GUI warnings for IKE-TCP port conflicts 7.6.3 on page 70
• GUI improvements of PIM support for VRFs 7.6.3 on page 72

GUI support for local-in policies

This information is also available in the FortiOS 7.6 Administration Guide:

• Local-in policy

Custom local-in policies can now be created and configured in the GUI at Policy & Objects > Local-In Policy. Previously,
only the implicit read-only policies were displayed.
Tabs separate IPv4 and IPv6 policies: IPv4 and IPv6 local-in policies are created and edited in their respective
tabs.

To create an IPv4 local-in policy in the GUI:

1. Go to Policy & Objects > Local-In Policy.
2. Go to the Local-In Policy tab.
3. Click Create new. The Create New Local-In Policy pane is displayed.
4. Configure the policy parameters.
5. Click OK.

To create an IPv6 local-in policy in the GUI:

1. Go to Policy & Objects > Local-In Policy.
2. Go to the IPv6 Local-In Policy tab.
3. Click Create new. The Create New IPv6 Local-In Policy pane is displayed.
4. Configure the policy parameters.
5. Click OK.

Example 1

In this example, a local-in policy will be configured to prevent the source subnet 10.10.10.0/24 from pinging port1, but
allow administrative access for PING on port1.

To configure the local-in policy for admin access:

1. Configure the firewall address:
   a. Go to Policy & Objects > Addresses.
   b. Click Create new.
   c. Enter a name for the address.
   d. Set Type to Subnet.
   e. Set IP/Netmask to 10.10.10.0/24.
   f. Click OK.
2. Configure the local-in policy:
   a. Go to Policy & Objects > Local-In Policy.
   b. Click Create new.
   c. Configure the following:
      i. Set Interface to port1.
      ii. Set Source to the address created previously.
      iii. Set Destination to all.
      iv. Set Schedule to always.
      v. Set Service to PING.
      vi. Set Action to DENY.
   d. Click OK.

Example 2

The following example demonstrates how to enable virtual patching on the port2 interface using a local-in policy.

To enable virtual patching:

1. Go to Policy & Objects > Local-In Policy.
2. Click Create new.
3. Configure the following:
   a. Set Interface to port2.
   b. Set Source to all.
   c. Set Destination to all.
   d. Set Schedule to always.
   e. Set Service to ALL.
   f. Set Action to ACCEPT.
   g. Enable Virtual patching.
4. Click OK.
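Example 1 and Example 2 expressed in the FortiOS CLI, as an added illustration that is not text from the guide. The address name blocked-subnet and the policy IDs are constructed; the local-in-policy attributes intf, srcaddr, dstaddr, service, schedule and action are the standard ones, while virtual-patch is the attribute name as recalled and should be confirmed on the unit with the CLI's ? help. Lines starting with # are annotations, not CLI input.

```fortios
# Example 1: deny ICMP (PING) to port1 from 10.10.10.0/24 while port1 still
# answers PING from every other source.
config firewall address
    edit "blocked-subnet"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# PING must be an allowed administrative service on port1, otherwise the
# interface answers no ICMP at all. "append" adds PING to the existing
# allowaccess list instead of replacing it.
config system interface
    edit "port1"
        append allowaccess ping
    next
end

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "blocked-subnet"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
        set action deny
    next
end

# Example 2: accept local-in traffic on port2 but run it through virtual
# patching, so IPS signatures cover traffic destined to the FortiGate itself.
# "virtual-patch" is the attribute name as recalled; confirm it on the unit.
config firewall local-in-policy
    edit 2
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set virtual-patch enable
    next
end

# Check the resulting entries.
show firewall local-in-policy
```

The allowaccess step is the part the GUI procedure leaves implicit: a local-in policy accepts or denies traffic addressed to the FortiGate, but the interface only answers the services listed in allowaccess, so PING must remain an allowed administrative service on port1 for hosts outside 10.10.10.0/24 to get replies. Ordering matters too: local-in policies are matched top down, so a narrow deny belongs above any broad accept for the same interface.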

GUI support for internet service groups

This information is also available in the FortiOS 7.6 Administration Guide:

• Internet service groups in policies

Administrators can now create internet service groups using the GUI. Previously only the CLI was supported. See
Internet service groups in policies for more information.

To create an internet service group:

1. Go to Policy & Objects > Internet Service Database, and click the Internet Service Group tab.
2. Click Create New.
3. Configure the settings as needed, and click OK.

To clone an internet service group:

1. Go to Policy & Objects > Internet Service Database, and click the Internet Service Group tab.
2. Select an internet service group, and click Clone. The Edit Internet Service Group pane opens.
3. Edit the options.
4. Click OK. The clone is created.

To apply the internet service group to a firewall policy:

1. Go to Policy & Objects > Firewall Policy, and click Create New.
2. Select the internet service group:
   a. Click the Destination box. The Select Entries pane opens.
   b. Select Internet Service, and select one or more internet service groups, such as NS_Grp1.
   c. Click Close.
3. Set the remaining options as needed, and click OK.

GUI displays logic between firewall policy objects

This information is also available in the FortiOS 7.6 Administration Guide:

• Firewall policy

The FortiOS GUI can now display the logical AND relationship in firewall policies between source IP addresses, user
groups, and security posture tags to help you configure firewall policies.

To view the changes in the GUI:

1. Go to Policy & Objects > Firewall Policy, and click Create New to view the following changes under Source
   & Destination:
   • A Show Logic button is available.
   • The User/group option is moved out of Source.
   • A Security posture tag toggle is available.

2. Click Show Logic to view the following changes:
   • The labels Any of and And any of appear to clarify how the objects are used to match traffic. The And any of
     label indicates a logical AND relationship between the objects.

3. Enable Security posture tag to view the following changes:
   • The labels And any of appear, indicating a logical AND relationship between the two security posture tag
     objects.
   • The first security posture tag group is required when Security posture tag is enabled and is considered the
     primary tag group.
   • A second security posture tag group is optional when Security posture tag is enabled and is considered the
     secondary tag group.
   • Within each of the tag groups, there is a logical OR relationship between the tags when multiple tags are used.
4. In the Destination list, select one or more destinations to display And any of between the Destination and Service
   fields.

Example

Following is the logic of using the mandatory and optional fields in the Source & Destination section, based on the
following configurations:

Traffic must match all criteria below:

• Any Source: either Windows-Client OR Mac-Clients
• Any User/group: either LDAP-Administrator, LDAP-Finance, OR LDAP-Sales
• The primary Security posture tag: Non-Critical
• Any secondary security posture tag: either all_registered_clients OR Domain-Users
• Any Destination: either Webserver1 OR Webserver2
• Any Service: either DNS, HTTP, OR HTTPS
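The same policy written in the FortiOS CLI, as an added example that is not part of the guide. The object names are the ones used above; the interface names port2 and port1, the policy ID and the policy name are constructed. Each multi-value set line is an OR list and the separate attributes are ANDed together, which is exactly the Any of / And any of relationship the GUI draws. The security posture tag attribute names (ztna-ems-tag and ztna-ems-tag-secondary) and whether a ztna-status setting is needed to expose them are from memory, so confirm them on the unit with the CLI's ? help before relying on this. Lines starting with # are annotations, not CLI input.

```fortios
config firewall policy
    edit 10
        set name "clients-to-web"
        set srcintf "port2"
        set dstintf "port1"
        # Any of: a match on either source address object
        set srcaddr "Windows-Client" "Mac-Clients"
        # And any of: the user must also belong to one of these groups
        set groups "LDAP-Administrator" "LDAP-Finance" "LDAP-Sales"
        # And the primary posture tag (attribute name as recalled)
        set ztna-ems-tag "Non-Critical"
        # And any of the secondary posture tags (attribute name as recalled)
        set ztna-ems-tag-secondary "all_registered_clients" "Domain-Users"
        # And any of the destination objects
        set dstaddr "Webserver1" "Webserver2"
        # And any of the services
        set service "DNS" "HTTP" "HTTPS"
        set schedule "always"
        set action accept
    next
end

# Review the stored policy; every attribute shown is a separate AND term.
show firewall policy 10
```

When reviewing a configuration backup, this layout is the quickest way to see which conditions a policy actually requires: a policy with a single broad srcaddr and no groups or posture tags is only as selective as that address object.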

GUI support to create policies in FortiView Sources and traffic logs

This information is also available in the FortiOS 7.6 Administration Guide:

• For IP addresses: Firewall policy
• For MAC addresses: MAC address-based policies

Creating a policy using IP or MAC addresses can now be done directly in the Dashboard > FortiView pages and Log
Viewer. This feature streamlines the policy creation process, making it more efficient and user-friendly.
There are multiple ways to create a firewall policy using an IP or MAC address from the Dashboard > FortiView Sources
page:
• Hover over a device in the Device column of an entry and click Firewall Policy.
• Select an entry and click Create policy.
• Select an entry, right-click on that entry, and click Create policy.

• Double-click an entry. The source entry information is displayed. Click Actions > Create policy.
• Double-click an entry. The source entry information is displayed. Click Drill down. Click the Destination tab and
  choose a Destination entry. Right-click a Destination Address and click Create policy > Create firewall policy by IP
  address. Only IP addresses can be used to create a policy using this method.

Policies can also be created using an IP or MAC address from Log Viewer:
• Hover over any device in the Device column and click Firewall Policy in the tooltip window.

To create a policy by an IP address with new objects:

1. From the Dashboard > FortiView Sources page, choose any entry.
2. Click Create policy > Create firewall policy by IP address. The Create New Policy pane opens.
3. The Incoming interface field is auto-filled with the correct interface and the Source field is auto-filled with a new
staged object and a green icon.
4. Hover over the icon and a warning is shown: This entry does not exist yet. If selected, it will be automatically created
   when the form is submitted. Check that the staged object has the correct IP address.

Staged objects can be customized by clicking Customize.

The staged object will not be saved if you click Cancel on the Create New Policy pane.

5. Fill in all other fields with the necessary data and save the policy.
6. When the policy is successfully created, a green notification displays in the top right of the window. Click Show in list
to view the policy that was created.

To create a policy by a MAC address with new objects:

1. Choose another source entry and click Create policy > Create firewall policy by MAC address. The Create New
Policy pane opens.
2. The Incoming interface field is auto-filled with the correct interface and the Source field is auto-filled with a new
staged object and a green icon.
3. Hover over the icon and a warning is shown: This entry does not exist yet. If selected, it will be automatically created
   when the form is submitted. Check that the staged object has the correct MAC address.

4. Fill in the other fields with required data and save the policy. When the policy is successfully created, a green
notification displays in the top right of the window. Click Show in list to view the policy.
5. Choose another source entry and click Drill down. On the Drill down page, navigate to the Destination tab.
6. Choose any Destination entry and click Create policy > Create firewall policy by IP address. The Create New Policy
pane opens.
7. Observe that the Incoming interface and Outgoing interface fields are auto-filled with the correct interfaces. The
   Source and Destination fields are auto-filled with new staged objects and have green icons, which indicate that the
   objects have not been saved yet.

8. Fill in the other fields with required data and save the policy. When the policy is successfully created, a green
notification displays in the top right of the window.
9. Click Show in list to view the policy.

To create a policy with existing objects:

1. Navigate to the Dashboard > FortiView Sources page and choose any source entry that was saved as an address
   during policy creation in the previous section.
2. Click Create policy > Create firewall policy by IP address. The Create New Policy panel opens.
3. The Incoming interface field is auto-filled with the correct interface and the Source field is auto-filled with the correct
address object. No green icon is shown for the address object. The object can be found in the Address list by
clicking Show in list in the object tooltip.

4. Fill in the other fields with required data and save the policy. When the policy is successfully created, a green
notification displays in the top right of the window.
5. Click Show in list to view the policy.

GUI improvements to device upgrade

This information is also available in the FortiOS 7.6 Administration Guide:

• Upgrading individual devices
• Upgrading all devices
An updated GUI provides a consistent upgrade process for all supported devices, including FortiGate, FortiAP,
FortiSwitch, and FortiExtender devices. A tray on the bottom-right of the GUI provides progress information to help you
manage and monitor the upgrade.
From the System > Firmware & Registration page, you can:
• Select one or more devices to display the Upgrade button, and click Upgrade. Firmware images from FortiGuard or
file upload can be used for the upgrade.
• Click Upgrade all, and select whether to upgrade all Devices, Extension devices, FortiAPs, FortiSwitches, or
FortiExtenders. Available for Security Fabric and non-Security Fabric devices. Firmware images are downloaded
from FortiGuard.
• Monitor the upgrade progress using the tray on the bottom-right corner of the GUI.

The same consistent GUI experience is available for the following upgrade scenarios:

Upgrade option | Supported devices | Firmware image support
Select Upgrade all > Devices to upgrade all devices.* | FortiGate, FortiAP, FortiSwitch, and FortiExtender devices | FortiGuard
Select Upgrade all > Extension devices to upgrade all extension devices.* | FortiAP, FortiSwitch, and FortiExtender devices | FortiGuard or file upload
Select Upgrade all > FortiAPs to upgrade all FortiAP devices.* | FortiAP devices | FortiGuard or file upload
Select Upgrade all > FortiExtenders to upgrade all FortiExtender devices.* | FortiExtender devices | FortiGuard or file upload
Select Upgrade all > FortiSwitches to upgrade all FortiSwitch devices.* | FortiSwitch devices | FortiGuard or file upload
Select one or more FortiGate devices and click Upgrade. | FortiGate | FortiGuard or file upload
Select one or more FortiAP devices and click Upgrade. | FortiAP devices | FortiGuard or file upload
Select one or more FortiExtender devices and click Upgrade. | FortiExtender devices | FortiGuard or file upload
Select one or more FortiSwitch devices and click Upgrade. | FortiSwitch devices | FortiGuard or file upload
Select a mix of FortiAP, FortiExtender, or FortiSwitch devices and click Upgrade. | FortiAP, FortiSwitch, and FortiExtender devices | FortiGuard or file upload

*Available for Security Fabric and non-Security Fabric devices.


The following examples show the consistent GUI for upgrading a single FortiGate and for upgrading all devices in a
Security Fabric. See Example of upgrading a device on page 30 and Example of upgrading all devices in a Security
Fabric on page 32.

Example of upgrading a device

To demonstrate the functionality of this feature, this example uses FortiGates that are running
and upgrading to fictitious build numbers.

To upgrade a device:

1. Go to System > Firmware & Registration.


2. Select a device and click Upgrade. The FortiGate Upgrade pane opens to the Choose Upgrade Type step.

3. Select FortiGate only and click Next. The Select Firmware step is displayed.
The All Upgrades tab displays all firmware images available from FortiGuard for upgrade.

On the File Upload tab, you can upload a firmware image.

4. Select the firmware, and click Next. The wizard proceeds to the Choose Schedule step.
5. Choose a schedule, and click Next:

Immediate | Select to start the upgrade immediately after completing the FortiGate Upgrade wizard.
Specify | Select to specify a date and time to start the upgrade after completing the FortiGate Upgrade wizard.

Scheduling an upgrade using a manually uploaded file is only available for FortiGate devices that have physical disk
storage.
• If the FortiGate has a disk, File Upload upgrades can be scheduled for it and its extension units both in the GUI and
using the Security Fabric.
• If the FortiGate does not have a disk, File Upload upgrades cannot be scheduled for it or its extension units.

In this example, the schedule is set to Immediate.


The wizard proceeds to the Review step.
6. Review the upgrade details, and click Confirm and Backup Config. The Confirm dialog box is displayed.
7. Click Yes to start the upgrade. The Important dialog box is displayed.
8. Read the information, and click Close.
9. Use the Firmware Upgrade tray to monitor upgrade progress.

Example of upgrading all devices in a Security Fabric

All devices, including FortiGate, FortiSwitch, FortiAP, and FortiExtender devices, in a Security Fabric can be upgraded
using firmware images from FortiGuard. The firmware on the root FortiGate in the Security Fabric is used as the basis for
the firmware upgrade of the rest of the FortiGates. Firmware images are downloaded from FortiGuard.

To upgrade all devices in a Security Fabric:

1. On the root FortiGate in the Security Fabric, go to System > Firmware & Registration.
2. Click Upgrade all > Devices. The Choose Upgrade Type step is displayed.

3. With Full Fabric upgrade selected, click Next. The wizard proceeds to the Select Firmware step.
4. Select a firmware version, and click Next.
The All Upgrades tab displays all firmware images available from FortiGuard for upgrade.

The Choose Schedule step is displayed.


5. Choose a schedule, and click Next.

Scheduling an upgrade using a manually uploaded file is only available for FortiGate devices that have physical disk
storage.
• If the FortiGate has a disk, File Upload upgrades can be scheduled for it and its extension units both in the GUI and
using the Security Fabric.
• If the FortiGate does not have a disk, File Upload upgrades cannot be scheduled for it or its extension units.

6. Review the upgrade details, and click Confirm and Backup Config.

7. Complete the steps as needed.

GUI support for enhanced logging for threat feeds

Two new fields have been added to the Log Details pane of the threat feed system event log: Total External Resource
Entries and Invalid External Resource Entries. These fields display the total number of entries and the number of
invalid entries in the threat feed. The additional information from these fields can help detect configuration errors
and can be used to set up alerts that spot significant and potentially abnormal changes in the size of the threat feed.
These new fields are available on these threat feeds:
• MAC address
• IP address
• Category
• Malware hash
• Domain

When viewing threat feed logs in the CLI, the exttotal and extinvalid fields are included in the log output.
CLI threat feed examples:
• MAC address
1: date=2024-06-17 time=11:09:21 eventtime=1718647761458961985 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-mac' updated successfully" desc="threat-feed" exttotal=266 extinvalid=10
• IP address
1: date=2024-06-17 time=13:49:48 eventtime=1718657388125965730 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-ip-address' updated successfully" desc="threat-feed" exttotal=24 extinvalid=1
• Category
1: date=2024-06-17 time=13:37:52 eventtime=1718656671378406008 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-category' updated successfully" desc="threat-feed" exttotal=30 extinvalid=3
• Malware hash
1: date=2024-06-17 time=13:50:57 eventtime=1718657456529812599 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-mal' updated successfully" desc="threat-feed" exttotal=11 extinvalid=4
• Domain
1: date=2024-06-17 time=13:54:23 eventtime=1718657663324715674 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-domain' updated successfully" desc="threat-feed" exttotal=44 extinvalid=3

To view these new fields on threat feeds:

1. From the Log & Report > System Events page, click the Logs tab.
2. Enable these setting options in the window:
• General System Events
• Memory
3. Search for any threat feed and double-click a threat feed entry. The Log Details pane is displayed. The results for
valid and invalid entries are displayed at the bottom of the pane.
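The following is an added example (not FortiOS code) of the alerting the section above suggests: it parses the "Threat feed updated" records shown in the CLI examples, reads exttotal and extinvalid, and flags a feed whose invalid share is high or whose size moved sharply against a known-good baseline. The baseline sizes and the thresholds are assumptions chosen for illustration.

```python
"""Monitor FortiOS 'Threat feed updated' events using the exttotal/extinvalid fields.

Added example, not FortiOS code. Two checks a defender would alert on:
  1. a high share of invalid entries (usually a malformed or mis-typed feed), and
  2. an abrupt change in feed size against a known-good baseline.
"""
import re

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Feed name as it appears in the msg field: Threat feed 'ext-vd1.test-mac' updated ...
_FEED_RE = re.compile(r"Threat feed '([^']+)'")

# Sample records taken from the CLI output above (the leading "1:" is the CLI record index).
SAMPLE_LOGS = """\
1: date=2024-06-17 time=11:09:21 eventtime=1718647761458961985 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-mac' updated successfully" desc="threat-feed" exttotal=266 extinvalid=10
1: date=2024-06-17 time=13:49:48 eventtime=1718657388125965730 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-ip-address' updated successfully" desc="threat-feed" exttotal=24 extinvalid=1
1: date=2024-06-17 time=13:37:52 eventtime=1718656671378406008 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-category' updated successfully" desc="threat-feed" exttotal=30 extinvalid=3
1: date=2024-06-17 time=13:50:57 eventtime=1718657456529812599 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-mal' updated successfully" desc="threat-feed" exttotal=11 extinvalid=4
1: date=2024-06-17 time=13:54:23 eventtime=1718657663324715674 tz="-0700" logid="0100022220" type="event" subtype="system" level="information" vd="vd1" logdesc="Threat feed updated" status="success" msg="Threat feed 'ext-vd1.test-domain' updated successfully" desc="threat-feed" exttotal=44 extinvalid=3
""".splitlines()

# Assumed last known-good entry counts per feed (constructed for this example).
BASELINE = {
    "ext-vd1.test-mac": 250,
    "ext-vd1.test-ip-address": 120,
    "ext-vd1.test-category": 28,
    "ext-vd1.test-mal": 10,
}


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log record as a dict of strings."""
    line = re.sub(r"^\s*\d+:\s*", "", line)  # drop the CLI record index
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def feed_name(fields):
    """Extract the external resource name from the msg field, or None."""
    match = _FEED_RE.search(fields.get("msg", ""))
    return match.group(1) if match else None


def check_feed_update(fields, baseline, max_invalid_ratio=0.2, max_size_change=0.5):
    """Return alert strings for one 'Threat feed updated' event (empty list if healthy)."""
    if fields.get("logdesc") != "Threat feed updated":
        return []
    name = feed_name(fields) or "<unknown feed>"
    total = int(fields.get("exttotal", 0))
    invalid = int(fields.get("extinvalid", 0))
    if total == 0:
        return [f"{name}: feed is empty (exttotal=0)"]
    alerts = []
    ratio = invalid / total
    if ratio > max_invalid_ratio:
        alerts.append(f"{name}: {invalid} of {total} entries invalid ({ratio:.0%}); check the feed format")
    previous = baseline.get(name)
    if previous:
        change = abs(total - previous) / previous
        if change > max_size_change:
            alerts.append(f"{name}: size changed from {previous} to {total} ({change:.0%})")
    return alerts


def scan(lines, baseline):
    """Run check_feed_update over raw CLI lines; returns {feed name: [alerts]} for feeds with alerts."""
    result = {}
    for line in lines:
        fields = parse_fortios_log(line)
        alerts = check_feed_update(fields, baseline)
        if alerts:
            result.setdefault(feed_name(fields), []).extend(alerts)
    return result


if __name__ == "__main__":
    for name, alerts in scan(SAMPLE_LOGS, BASELINE).items():
        for alert in alerts:
            print("ALERT", alert)
```

With the sample records, the IP address feed is flagged for shrinking from the assumed baseline of 120 to 24 entries and the malware hash feed for having 4 of 11 entries invalid; the other feeds pass.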

Expanded support for Advanced Threat Protection Statistics widget

The Advanced Threat Protection Statistics (ATP) widget has been improved to provide per VDOM functionality, more
data source options, and enhanced user interactivity.
The ATP widget now uses FortiView stats for data, allows time frame selection, offers expanded views with antivirus logs
and supports log device settings. These improvements aim to provide users with more detailed and customizable threat
protection statistics.

Because the ATP widget was only available as a global setting before firmware version 7.6.0, after
upgrading from version 7.4.x to 7.6.0 users need to add this widget per VDOM, if desired.
FortiGate models without an HDD will not have the ATP widget available after upgrading to
7.6.0 firmware. Because the ATP widget used shared memory before, upgrading to 7.6.0 will first
attempt to use the HDD before FortiAnalyzer or FortiGate Cloud becomes available as a data
source.

To add the ATP widget to the Dashboard:

1. From the Dashboard > Status page, click Add Widget. The Add Dashboard Widget pane is displayed.
2. In the Security section, click Advanced Threat Protection Statistics.

3. On the Edit Dashboard Widget - Advanced Threat Protection Statistics pane, select a FortiGate as the Data source
and click OK.

The Advanced Threat Protection Statistics widget is added to the main dashboard.

The widget can be used in various ways:
• The ATP widget can be expanded to full screen size.
• It displays seven categories of threat information statistics in a pie chart.
• Each category in the pie chart can be clicked to filter on the log information for that category. For example, by
selecting the Malicious infection type, you can see the log entry associated with a file that was blocked.
• Logs can be downloaded for each category or all categories by clicking the Download button beside the Refresh
button.
• Tables can be customized to add or remove columns for each log.

GUI improvements to the IPsec VPN Wizard

The process of creating and editing IPsec tunnels is now more logical. The IPsec Wizard supports setting the IKE
version for both hub and spoke and site-to-site configurations, along with other transport-related fields for site-to-site
tunnels. Additionally, security posture tags can be added to FortiClient Remote Access tunnels. These updates aim to
make the process more intuitive and efficient.
Additional enhancements include:
• The VPN IPsec wizard has been renamed to VPN Wizard.
• The IPsec dialog and wizard GUI now utilize the Neutrino style.
• IPsec dialog pages are now accessible for editing to be inline with the CLI and other dialog pages.

Examples

To configure a site-to-site VPN with a FortiGate using the VPN Wizard:

1. Go to VPN > IPsec Wizard and configure the following settings for the VPN template:
a. Enter a name for the VPN, for example, site2site.
b. Select the Site to Site template.
c. Click Begin.

2. Configure the Remote site settings:


a. For the Remote site device type, select FortiGate.
b. For the Remote site device, select Accessible and static and enter the IP address 11.101.1.1.
c. For the Remote site subnets that can access VPN, enter 10.1.100.0/24.

d. Click Next.

3. Configure the VPN tunnel settings:


a. For the Authentication method, select Pre-shared key and enter a password in the Pre-shared key field.
b. For the IKE, select Version 2.
c. For the Transport, select UDP.
d. For the NAT traversal, select Enable.
e. Enter a value for the Keepalive frequency.
f. Click Next.

4. Configure the Local site settings:


a. For the Outgoing interface that binds to tunnel, select port5 from the dropdown menu.
b. Enable the Create and add interface zone option.
c. For the Local interface, click in the field and select port2 from the Select Entries pane.
d. For the Local subnets that can access VPN, enter 192.168.5.0/24.
e. Enable the Route all traffic through this device option.
f. For the Shared WAN, select port1 from the dropdown menu.

g. Click Next.

5. Review the information for the VPN tunnel.

6. Click Submit. The new site to site VPN tunnel is listed in the VPN > IPsec Tunnels table.

To configure a hub for a Hub and Spoke VPN using the VPN Wizard:

1. Go to VPN > IPsec Wizard and configure the following settings for the VPN template:
a. Enter a name for the VPN, for example, Hub-01.
b. Select the Hub and Spoke with ADVPN template.
c. Click Begin.

d. Select Hub.

e. Click Next.

2. Configure the Local site settings:


a. For the Outgoing interface that binds to tunnel, select port5 from the dropdown menu.
b. Enable the Create and add interface zone option.
c. For the Local interface, click in the field and select port2 from the Select Entries pane.
d. For the Local subnets that can access VPN, enter 192.168.5.0/24.
e. For the Local AS, enter 65400.
f. Click Next.

3. Configure the VPN tunnel settings:


a. For the Authentication method, select Pre-shared key and enter a password in the Pre-shared key field.
b. For the IKE, select Version 2.

c. Click Next.

4. Configure the Spokes settings:


a. For the Remote IP/netmask, enter 10.10.1.2/24.
b. For the Configure spoke IP addresses, select Individually.
c. For the Spoke IP addresses, enter these IP addresses by clicking the + icon in the field:
• 10.10.1.3
• 10.10.1.4
• 10.10.1.5
d. Click Next.

5. Review the information for the VPN tunnel.

6. Click Submit. The new VPN hub tunnel is listed in the VPN > IPsec Tunnels table.
7. Once the tunnel is created, click the Easy configuration key link in the notification in the top-right corner of the
window. The Edit VPN Tunnel pane opens.

8. In the Hub & spoke topology section, locate the IP address and copy the key from the Easy Config Key column.

To configure a spoke for a Hub and Spoke VPN using the VPN Wizard:

1. Go to VPN > IPsec Wizard. Configure the following settings for the VPN template:
a. Enter a name for the VPN, for example, Hub-01.
b. Select the Hub and Spoke with ADVPN template.

c. Click Begin.

d. Select Spoke and enter the Easy configuration key.


e. Click Next.

2. Configure the Local site settings:


a. For the Outgoing interface that binds to tunnel, select port1 from the dropdown menu.
b. Enable the Create and add interface zone option.
c. For the Tunnel IP, enter 10.10.0.3. This should match the value in the Easy configuration key copied in the
previous procedure.

d. For the Local interface, click in the field and select port2 from the Select Entries pane.
e. For the Local subnets that can access VPN, enter 192.168.5.0/24.
f. For the Local AS, enter 65400.
g. Click Next.

3. Configure the VPN tunnel settings:


a. For the Authentication method, select Pre-shared key and enter a password in the Pre-shared key field.
b. For the IKE, select Version 2.
c. Click Next.

4. Configure the Hub settings:


a. For the Remote IP/netmask, enter 10.10.1.1/24.
b. For the Hub public IP address, enter 173.2.1.1.

c. Click Next.

5. Review the information for the VPN tunnel.

6. Click Submit. The new VPN spoke tunnel is listed in the VPN > IPsec Tunnels table.

To configure a Remote Access VPN with security posture tags using the VPN Wizard:

1. Go to VPN > IPsec Wizard. Configure the following settings for the VPN template:
a. Enter a name for the VPN, for example, Forticlient.
b. Select the Remote Access template.

c. Click Begin.

2. Configure the Remote endpoint settings:


a. For the VPN client type, select the FortiClient logo.
b. For the IP range for connected endpoints, enter 10.10.10.1-10.10.10.100.
c. For the Subnet for connected endpoints, enter 255.255.255.255.
d. For the FortiClient settings, configure the following options:
i. For Security posture tags, click in the field and select FCTEMS_ALL_FORTICLOUD_SEVERES from the
Select Entries pane.
ii. Enable Save password.
iii. Enable Auto Connect.
iv. Enable Always up (keep alive).

e. Click Next.

3. Configure the VPN tunnel settings:


a. For the Authentication method, select Pre-shared key and enter a password in the Pre-shared key field.
b. For the User group, select local-group from the dropdown menu.
c. For the DNS Server, select Use System DNS.
d. Enable the following options:
i. Enable IPv4 Split Tunnel
ii. Allow Endpoint Registration
e. Click Next.

4. Configure the Local FortiGate settings:

a. For the Outgoing interface that binds to tunnel, select port1 from the dropdown menu.
b. Enable the Create and add interface zone option.
c. For the Local interface, click in the field and select port2 from the Select Entries pane.
d. For the Local Address, click in the field and select all from the Select Entries pane.
e. Click Next.

5. Review the information for the VPN tunnel.

6. Click Submit. The new remote access VPN tunnel is listed in the VPN > IPsec Tunnels table.

GUI improvements to Security Rating

This information is also available in the FortiOS 7.6 Administration Guide:

• Security rating

The security rating display and integrations have been enhanced for a more streamlined experience:
• The Security Rating page now showcases the Security Controls and Vulnerabilities tabs, with reorganized and
categorized controls for improved navigation. Details on PSIRT advisory/Outbreak detection are now presented in a
dedicated card.
• A new Security Rating Insights feature provides immediate access to crucial security information. Hover over any
tested object to reveal a tooltip with more information about any non-conformance to best practices or industry
standards.
• Additionally, security rating checks are now run on-demand when relevant configuration changes are made,
addressing previous performance issues. An overview of Security Rating Insights on each page offers a quick filter
for items failing certain criteria.

To view the Security Rating improvements in the GUI:

1. Go to Security Fabric > Security Rating.


• The Security Controls tab displays the results for all supported security rating checks and groups them by
category:

• The Vulnerabilities tab displays PSIRT advisory and Outbreak detection entries that are included in the
downloaded Security Rating package:

2. Go to Policy & Objects > Firewall Policy.


a. Objects, such as firewall policies, with security rating recommendations are highlighted. Hover over any
highlighted object to display a tooltip that shows Security Rating Insights:

b. On the bottom-left, click Security Rating Insights to display relevant issues. Select an issue, such as Unused
Policies, to display a banner and filter that you can use to filter down to the applicable entries.

GUI support for web proxy forward server over IPv6

You can now use the GUI to configure an IPv6 address or an FQDN that resolves to an IPv6 address for the forward
server. Previously only the CLI was supported. See Support web proxy forward server over IPv6 for information about
the CLI.

Example

In this example, an explicit web proxy with a forward server can be reached by an IPv6 address, and a client PC uses this
explicit web proxy forward server to access a website, such as www.google.com.
The IPv6 address is configured for the web proxy forward server, and then the configuration is added to a proxy policy.
The web proxy forward server configuration could also be added to a proxy mode policy or a transparent web proxy
policy.

To configure an IPv6 address in the GUI:

1. Go to Network > Explicit Proxy.


2. If disabled, enable Explicit Web Proxy.
3. Under Web Proxy Forwarding Servers, click Create New.

The New Forwarding Server pane opens.


4. Set the following options, and click OK to create the forwarding server.

Proxy Address Type | IPv6
Proxy Address | 2000:172:16:200::8
Port | 8080
Health Monitor | Enable
Health Check Monitor Site | www.google.com

5. Set the remaining options as needed, and click OK to save the explicit web proxy.

6. Add the web proxy forward server to a proxy policy.

GUI support for security posture tags in dial-up IPsec VPN tunnels - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

• Enforcing security posture tag match before dial-up IPsec VPN connection

Starting in FortiOS 7.6.1, you can use the GUI to configure a dial-up IPsec VPN tunnel with security posture tag
matching. Previously only the CLI was supported. See also Security posture tag match enforced before dial-up IPsec
VPN connection on page 381.

To configure a dial-up IPsec VPN tunnel with security posture tags in the GUI:

1. Go to VPN > VPN Wizard.


2. On the first page of the wizard, set the following options:
a. In Tunnel name, enter a name.
b. Beside Select a template, select the Remote Access template.
c. Click Begin. The VPN tunnel options are displayed.
3. Under VPN tunnel, set the following options:
a. Set IKE to Version 2.
b. Configure other settings as needed.
c. Click Next. The Remote Endpoint options are displayed.
4. Under Remote Endpoint, set the following options:
a. Under FortiClient settings, enable Security posture gateway matching.
b. Select the Security posture tags as desired.
c. Click Next. The Local FortiGate options are displayed.
5. Under Local FortiGate, configure the settings as needed, and click Next.
6. Review your settings, and click Submit.
7. Under VPN > VPN tunnels, open your newly created tunnel.
8. Scroll down to the Authentication section to find:
• Remote gateway matching is set to ZTNA.
• Security posture tags is set to your desired tag(s).

CLI diagnostic shortcuts in the GUI - 7.6.1

The command palette now includes a Diagnostics tab. It provides a list of troubleshooting commands, and allows you to
browse and search for debug commands directly in the GUI.

To use the Diagnostics command palette:

1. Press ctrl+p (or cmd+p for Mac) and then enter a /, or select the Diagnostics tab.

2. Browse the command list, or search for a specific command.


3. Click on a command to run it, such as get system status.
4. Enter a search string in the search field to search the command output.

5. Click Copy to clipboard to copy the output to the clipboard, or Download the file to download the output as a text file.
6. Click Run to run the command again.

Asset Details pane - 7.6.1

A new Asset Details pane is available and accessible from multiple GUI pages. The Asset Details pane provides
comprehensive endpoint information to streamline the diagnostic process and reduce reliance on CLI commands.
Access the Asset Details pane by clicking the Asset Details button from the following GUI locations:
• On the Dashboard > Assets & Identities page:
    • Click the Assets widget to expand it. On the Assets pane, hover over a device to display a tooltip that includes
    the Asset Details button, or select a row in the table to display a toolbar that includes the Asset Details button.
    • Click the Assets - Vulnerabilities widget to expand it. On the Assets - Vulnerabilities pane, hover over a device
    to display a tooltip that includes the Asset Details button, or select a row in the table to display a toolbar that
    includes the Asset Details button.
    • Click the Assets - FortiClient widget to expand it. On the Assets - FortiClient pane, hover over a device to
    display a tooltip that includes the Asset Details button, or select a row in the table to display a toolbar that
    includes the Asset Details button.
• On the Security Fabric page:
    • Go to Physical Topology, and hover over an endpoint to display a tooltip that includes the Asset Details button.
    • Go to the Asset Identity Center page. Hover over a device to display a tooltip that includes the Asset Details
    button, or select a row in the table to display a toolbar that includes the Asset Details button.
• In the WiFi & Switch Controller menu:
    • Go to WiFi Clients. Hover over a device to display a tooltip that includes the Asset Details button, or select a
    row in the table to display a toolbar that includes the Asset Details button.
    • Go to FortiSwitch Clients. Hover over a device to display a tooltip that includes the Asset Details button, or
    select a row in the table to display a toolbar that includes the Asset Details button.
• On the Log & Report > Forward Traffic page, hover over a device to display a tooltip that includes the Asset Details
button:

Click the Asset Details button to view the Asset Details pane:
• The following example of the Asset Details pane is for an endpoint named WinLap1 using a WiFi interface:

• The following example of the Asset Details pane is for an endpoint named PC75_WIN using a VLAN interface:

On the top-left of the Asset Details pane is information about the endpoint, such as MAC address, IP address, interface,
and so on. The following buttons are also available for the endpoint:
• Create > Firewall Address
• Create > Firewall Policy
• Quarantine > Quarantine Host
• Quarantine > Ban IP
• Disassociate (available for endpoints using a WiFi interface)
• Packet capture
On the top-right are details about the WiFi or FortiLink interface when used by the endpoint.
Along the bottom are tabs of information, depending on the endpoint and interface used:

Tab | Subtabs
FortiView | Applications, Destinations, Sources, Policies
Vulnerabilities/Vulnerabilities <number> KEVs | FortiClient, IoT/OT
Logs | Forward Traffic, ZTNA Traffic, WiFi Events
WiFi Performance | N/A
NAC Policies | N/A
Dynamic Port Policies | N/A

Following are examples of the Asset Details pane for an endpoint named WinLap1 using a WiFi interface:
• The FortiView > Destinations tab:

• The FortiView > Policies tab:

• The Logs > WiFi Events tab:

• The WiFi Performance tab:

Following are examples of the Asset Details pane for an endpoint named PC75_WIN using a VLAN interface:
• The FortiView > Policies tab:

• The Vulnerabilities > FortiClient tab:

• The Dynamic Port Policies tab:

GUI access for global search - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:

• Command palette

The enhanced global search in the top header menu provides quick command palette access from the GUI and
additional keyboard shortcuts. This menu allows fast navigation to GUI pages as well as running actions, such as
opening the CLI console, executing diagnostic commands, and searching configurations.

The following global search functions can be selected from the top header menu or by using keyboard shortcuts:

Search function | Keyboard shortcut | Definition
Jump to page | ctrl + p | Quickly navigate to a new GUI page.
Open | ctrl + shift + p | Open a monitor in a prompt without changing the current GUI page, such as packet capture and the CLI console.
CLI diagnostics | ctrl + p followed by / | Run a diagnostic CLI command without the CLI console. Recently used commands are listed first. Once a command has been selected, you can search within the output, copy the output, download an output file, and run the command again.
Search configuration | ctrl + / | Search for and open a specific configuration in the GUI.

To search for a specific configuration:

1. Select the global search menu.

2. Select Search configuration.

3. Enter the configuration you want and press Enter. Suggested results are displayed.

4. Enable categories to filter the results.

5. Select a configuration. The configuration GUI page is displayed.

6. Review and edit the configuration as needed.

GUI warnings for IKE-TCP port conflicts - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:

• GUI warnings for IKE-TCP port conflicts

For FortiOS 7.6.1 and above, TCP port 443 is used by default to encapsulate ESP packets within TCP headers using
Fortinet's proprietary solution. See Encapsulate ESP packets within TCP headers for more information.
Starting in FortiOS 7.6.3, if administrators assign port 443 for HTTPS administrative access on an interface that is also
bound to an IPsec tunnel, FortiOS will display a warning indicating that HTTPS access on that port will no longer be
available. This is because port 443 is also used for IKE over TCP, and in such cases, IKE takes precedence over
HTTPS, resulting in the loss of GUI access on that interface.

The default IKE-TCP value of port 443 is only applicable to new FortiGate configurations with
FortiOS 7.6.1 and above. If FortiOS is upgraded to 7.6.1 and above, the ike-tcp-port
value from before the upgrade is retained.

Warnings that may appear include the following:
- In System > Settings, a warning is displayed for the Administrator Settings > HTTPS port field when the entered HTTPS port conflicts with the IKE-TCP port.
- In VPN > VPN Tunnels, a warning is displayed for the Network > Interface field when the HTTPS port conflicts with the IKE-TCP port and the selected interface allows HTTPS access.
- In VPN > VPN Tunnels, a warning is displayed in the Local Site > Outgoing interface that binds to tunnel field when the HTTPS port conflicts with the IKE-TCP port and the selected interface allows HTTPS access.
- In Security Fabric > Security Rating, a Security Posture failure is flagged for the HTTPS Port Conflict with IKE Port check, indicating a configuration issue. Likewise, a Security Ratings Insights recommendation is listed. This occurs when the HTTPS port conflicts with the IKE port.
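The Security Rating check described above can be reproduced offline against a configuration backup. The following Python script is an added example, not FortiOS code: it parses a constructed FortiOS-style CLI dump and flags every interface on which the HTTPS administrative port equals the IKE-TCP port while the interface both allows HTTPS access and is bound to an IPsec tunnel. `admin-sport` under `config system global`, `allowaccess` under `config system interface` and `set interface` under `config vpn ipsec phase1-interface` are real FortiOS settings; the location of `ike-tcp-port` under `config system settings` is assumed here, and falling back to 443 when it is unset is only valid for configurations created on 7.6.1 or later, since the page notes that upgraded units keep their previous value.

```python
import shlex

# Constructed FortiOS-style configuration dump (sample data, not from a real device)
SAMPLE_CONFIG = """
config system global
    set admin-sport 443
end
config system settings
    set ike-tcp-port 443
end
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
    edit "port2"
        set allowaccess ping ssh
    next
    edit "port3"
        set allowaccess https
    next
end
config vpn ipsec phase1-interface
    edit "to_branch"
        set interface "port1"
    next
    edit "to_dc"
        set interface "port2"
    next
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts: table -> entry -> setting -> values."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def _port(cfg, table, key, default):
    """Integer value of a single setting, or `default` when the dump does not list it."""
    return int(cfg.get(table, {}).get(key, [str(default)])[0])


def ike_tcp_port_conflicts(cfg, default_ike_tcp_port=443):
    """Interfaces that lose HTTPS GUI access because IKE over TCP claims the same port.

    A conflict needs three things at once: HTTPS port == IKE-TCP port, the interface
    allows HTTPS administrative access, and an IPsec phase1-interface is bound to it.
    """
    https_port = _port(cfg, "system global", "admin-sport", 443)
    # Assumption: ike-tcp-port lives under 'config system settings'. An unset value is
    # read as `default_ike_tcp_port` (443 only for configurations created on 7.6.1+).
    ike_tcp_port = _port(cfg, "system settings", "ike-tcp-port", default_ike_tcp_port)
    if https_port != ike_tcp_port:
        return []
    bound = {t["interface"][0] for t in cfg.get("vpn ipsec phase1-interface", {}).values()
             if "interface" in t}
    return sorted(name for name, intf in cfg.get("system interface", {}).items()
                  if name in bound and "https" in intf.get("allowaccess", []))
```

On the sample the result is `['port1']`: port2 is bound to a tunnel but does not allow HTTPS, and port3 allows HTTPS but carries no tunnel. Moving `admin-sport` to any other value clears the finding, which is the remediation the GUI warning points at.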


GUI improvements of PIM support for VRFs - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
- Multicast routing and PIM support

Administrators can now configure VRF settings for multicast routing using the GUI. See Enhanced PIM support for VRFs
7.6.1 on page 109 for information on CLI support.

To configure VRF settings for multicast routing:

1. Go to Network > Multicast.
2. Enable Multicast routing if you are configuring multicast for the first time in the GUI.
3. Under VRF multicast routing, click Create new.
4. Configure the settings as needed.
5. Click OK.
6. Click Apply.


Network

This section includes information about network related new features:
- General on page 74
- IPv6 on page 151
- Explicit and Transparent Proxy on page 162

General

This section includes information about general network related new features:
- Configure the VRRP hello timer in milliseconds on page 74
- FortiGate as a recursive DNS resolver on page 75
- BGP network prefixes utilize firewall addresses and groups on page 81
- Support UDP-Lite traffic on page 83
- Custom LSA refresh rates and fast link-down detection on VLAN interfaces for OSPF on page 87
- Filter NetFlow sampling on page 88
- SOCKS proxy supports UTM scanning, authentication, and forward server on page 92
- Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations on page 96
- Include groups in PIM join/prune messages on page 99
- Automatic LTE connection establishment on page 104
- Netflow sampling on page 105
- Support source-IP interface for system DNS database on page 107
- Extended VRF ID range for enhanced network scalability 7.6.1 on page 109
- Enhanced PIM support for VRFs 7.6.1 on page 109
- Including denied multicast sessions in the session table 7.6.1 on page 111
- Support specific VRF ID for local-out traffic 7.6.1 on page 112
- Support source IP interface for system DNS 7.6.1 on page 118
- Improvements to IPsec monitoring 7.6.1 on page 119
- Connectivity Fault Management (CFM) now available for FG-80F-POE and FG-20xF models 7.6.3 on page 123
- Application and network performance monitoring with FortiTelemetry 7.6.3 on page 123
- Fortinet Support Tool for capturing incidents on page 145

Configure the VRRP hello timer in milliseconds

This information is also available in the FortiOS 7.6 Administration Guide:
- Adding IPv4 and IPv6 virtual routers to an interface

FortiOS allows the hello timer for the Virtual Router Redundancy Protocol (VRRP) to be configured in milliseconds. This
timer dictates the rate at which VRRP advertisements are sent. With this enhanced control, you can ensure quick failover
and high availability where necessary.

To configure the VRRP hello timer for IPv4:

config system interface
    edit port1
        config vrrp
            edit 1
                set vrip <IP address>
                set adv-interval <interval value, in milliseconds (250 - 255000)>
            next
        end
    next
end

To configure the VRRP hello timer for IPv6:

config system interface
    edit port1
        config ipv6
            set vrip6_link_local <Link-local IPv6 address of the virtual router>
            config vrrp6
                edit 1
                    set vrip6 <IPv6 address>
                    set adv-interval <interval value, in milliseconds (250 - 255000)>
                next
            end
        end
    next
end
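To see what a sub-second hello interval buys in failover time, the following Python helper (an added example, not FortiOS code) applies the VRRPv3 timer formulas from RFC 5798 section 6.1 to the `adv-interval` range the CLI accepts: a backup declares the master down after three missed advertisements plus a priority-dependent skew, and the skew is what lets the highest-priority backup take over first. The formulas are the protocol's; that FortiOS applies them exactly as written is an assumption of this example.

```python
ADV_INTERVAL_MIN_MS = 250      # lower bound of 'set adv-interval' shown above
ADV_INTERVAL_MAX_MS = 255000   # upper bound of 'set adv-interval' shown above


def vrrp_timers_ms(adv_interval_ms, priority=100):
    """Return (skew_time_ms, master_down_interval_ms) for a backup router.

    RFC 5798 section 6.1 (assumed to match FortiOS behaviour):
      Skew_Time            = ((256 - Priority) * Master_Adver_Interval) / 256
      Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time
    """
    if not ADV_INTERVAL_MIN_MS <= adv_interval_ms <= ADV_INTERVAL_MAX_MS:
        raise ValueError(f"adv-interval must be {ADV_INTERVAL_MIN_MS}-{ADV_INTERVAL_MAX_MS} ms")
    if not 1 <= priority <= 254:
        raise ValueError("backup priority must be 1-254")
    skew = (256 - priority) * adv_interval_ms / 256
    return skew, 3 * adv_interval_ms + skew


def takeover_order(adv_interval_ms, priorities):
    """Backups sorted by how soon each would claim master after the master falls silent.

    Because the skew shrinks as priority grows, the highest-priority backup times out
    first, so this is the election order without any extra signalling between backups.
    """
    return sorted(priorities, key=lambda p: vrrp_timers_ms(adv_interval_ms, p)[1])
```

With a 1000 ms interval and priority 100, a backup waits about 3.6 s before taking over; at the 250 ms minimum the same backup waits about 0.9 s, which is the "quick failover" the millisecond timer makes possible. All routers in a group should use the same `adv-interval`, since the master down timer is derived from the master's interval.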

FortiGate as a recursive DNS resolver

This information is also available in the FortiOS 7.6 Administration Guide:
- FortiGate as a recursive DNS resolver

FortiOS supports being configured as a recursive DNS resolver. As a resolver, the FortiGate interacts directly with the root name servers, the Top-Level Domain (TLD) name servers, and finally the authoritative name servers to resolve DNS queries. The FortiGate iterates through these DNS servers to obtain the final IP address for the FQDN, as opposed to, for example, forwarding the request to external resolvers in forwarder mode. This avoids running into limitations of external resolvers, which may cap the number of queries per second. Clients can then use the FortiGate as their DNS server to perform DNS resolution.
The recursive resolver mode has been added to the DNS server interface:
config system dns-server
    edit <DNS server name>
        set mode {recursive | non-recursive | forward-only | resolver}
    next
end

recursive: The system checks for the requested record in the shadow DNS database and then forwards the query to the system's DNS server.
non-recursive: The search is restricted to the Public DNS database only.
forward-only: All queries are forwarded directly to the system's DNS server.
resolver: The recursive resolver mode responds to a DNS query with locally cached data, or sends the request to the root name server, followed by the TLD name server and an authoritative name server.

To configure recursive resolver mode in the GUI:

1. Go to Network > DNS Servers.
2. Under DNS Service on Interface, click Create New.
3. Select the Interface to listen to DNS queries.
4. Set the Mode to Resolver.
5. Click OK.

Furthermore, FortiOS also adds support for prioritizing root name servers. By default, a list of 13 public root name servers is known to the FortiGate. These DNS servers can be viewed with diagnose test application dnsproxy 19.
Prioritized root name servers are highlighted in the full list of root servers. Prioritized (highlighted) root servers are queried in round robin fashion. Default (non-highlighted) root servers are only queried if there are no prioritized root servers.
You can prioritize root servers from the list of 13 default servers, or configure your own custom root name server. Any custom root name server you configure is defined with an auto-generated name.
The root name servers can be prioritized and configured with the following:
config system dns
    set primary <class IP address>
    set root-servers <DNS root name server IP address>
end

At most, two root-servers can be configured.
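The difference between resolver mode and the forwarding modes, and the root-server selection rule above (prioritized servers in round robin, default servers only when none is prioritized), can be seen in a small simulation. The following Python code is an added example, not the dnsproxy implementation: it walks a constructed, in-memory delegation tree from a root server through a TLD server to the authoritative server, chasing a CNAME into a second domain much as the `www.fortinet.com` lookup in Example 1 does, and caches what it learns. The 13 root addresses are the ones `diagnose test application dnsproxy 19` lists; every other name and address (`example.com.`, `cdn.net.`, the 192.0.2.x and 203.0.113.x servers, the `NameServer` and `Resolver` classes) is constructed for this example.

```python
import itertools


class NameServer:
    """Authoritative server in a constructed in-memory DNS (sample data, not real servers)."""

    def __init__(self, zone, records):
        self.zone = zone          # apex of the zone served, e.g. "." or "com."
        self.records = records    # {owner: {rrtype: [rdata, ...]}}

    @staticmethod
    def in_zone(qname, zone):
        return zone == "." or qname == zone or qname.endswith("." + zone)

    def query(self, qname, qtype):
        """Return (kind, data): an answer, a CNAME to chase, a referral (glue IPs) or NXDOMAIN."""
        owner = self.records.get(qname, {})
        if qtype in owner:
            return "answer", owner[qtype]
        if "CNAME" in owner:
            return "cname", owner["CNAME"][0]
        # Referral: the most specific child zone this server holds NS records for
        for child in sorted(self.records, key=len, reverse=True):
            if child != self.zone and "NS" in self.records[child] and self.in_zone(qname, child):
                return "referral", [self.records[ns]["A"][0] for ns in self.records[child]["NS"]]
        return "nxdomain", None


class Resolver:
    """Iterative resolver: starts at a root server and follows referrals itself."""

    def __init__(self, network, root_servers, prioritized=()):
        self.network = network                       # {server IP: NameServer}
        self.roots = list(root_servers)
        preferred = [ip for ip in prioritized if ip in self.roots]
        # Prioritized roots are used round robin; default roots only when none is prioritized
        self._roots_rr = itertools.cycle(preferred or self.roots)
        self.cache, self.trace = {}, []

    def pick_root(self):
        return next(self._roots_rr)

    def resolve(self, qname, qtype="A", _depth=0):
        if _depth > 8:
            raise RuntimeError("CNAME chain too long")
        if (qname, qtype) in self.cache:
            self.trace.append(f"cache hit {qname}")
            return self.cache[(qname, qtype)]
        servers = [self.pick_root()]
        for _ in range(16):                          # bound the referral chain
            kind, data = self.network[servers[0]].query(qname, qtype)
            self.trace.append(f"{servers[0]}: {kind} {qname}")
            if kind == "referral":
                servers = data
                continue
            if kind == "cname":                      # chase the target from a root again
                data = self.resolve(data, qtype, _depth + 1)
            result = data if kind != "nxdomain" else []
            self.cache[(qname, qtype)] = result
            return result
        raise RuntimeError("referral loop")


ROOT_IPS = ("198.41.0.4", "199.9.14.201", "192.33.4.12", "199.7.91.13", "192.203.230.10",
            "192.5.5.241", "192.112.36.4", "198.97.190.53", "192.36.148.17", "192.58.128.30",
            "193.0.14.129", "199.7.83.42", "202.12.27.33")   # as listed by dnsproxy 19


def build_resolver(prioritized=("199.7.83.42", "192.33.4.12")):
    """Constructed delegation tree; 192.0.2.x and 203.0.113.x are documentation addresses."""
    root = NameServer(".", {"com.": {"NS": ["a.gtld-servers.net."]}, "a.gtld-servers.net.": {"A": ["192.0.2.10"]},
                            "net.": {"NS": ["a.nic.net."]}, "a.nic.net.": {"A": ["192.0.2.20"]}})
    com = NameServer("com.", {"example.com.": {"NS": ["ns1.example.com."]}, "ns1.example.com.": {"A": ["192.0.2.53"]}})
    net = NameServer("net.", {"cdn.net.": {"NS": ["ns1.cdn.net."]}, "ns1.cdn.net.": {"A": ["192.0.2.54"]}})
    example = NameServer("example.com.", {"override.example.com.": {"A": ["10.88.0.30"]},
                                          "www.example.com.": {"CNAME": ["lb.cdn.net."]}})
    cdn = NameServer("cdn.net.", {"lb.cdn.net.": {"A": ["203.0.113.10"]}})
    network = {ip: root for ip in ROOT_IPS}          # every root address serves the same root zone
    network.update({"192.0.2.10": com, "192.0.2.20": net, "192.0.2.53": example, "192.0.2.54": cdn})
    return Resolver(network, ROOT_IPS, prioritized)
```

`build_resolver().trace` after a lookup of `www.example.com.` shows the shape of the dnsproxy debug output in Example 1: one referral chain for the original name, a second chain started from a root for the CNAME target, and a cache hit on the repeat query. In forward-only or recursive mode the same query would instead become a single request to the configured system DNS server.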

Example 1

In the following example, we will configure the FortiGate’s WAN interface (port3) in resolver mode and configure 1 DNS
entry to return results for override.fortinet.com in the fortinet.com domain.

To configure the FortiGate as DNS resolver in the GUI:

1. Go to Network > DNS Servers.
2. Under DNS Service on Interface, click Create New.
3. For Interface, select WAN (port3).
4. For Mode, select Resolver.
5. Click OK.
6. Under DNS Database, click Create New and configure the following:
   Type: Primary
   View: Shadow
   DNS Zone: fortinet
   Domain Name: fortinet.com
   Authoritative: Disable
   a. Under DNS Entries, click Create New and configure the following:
      Type: Address (A)
      Hostname: override
      IP Address: 10.88.0.30
   b. Click OK.
7. Click OK.

To configure the FortiGate as DNS resolver in the CLI:

config system dns-server
    edit "port3"
        set mode resolver
    next
end
config system dns-database
    edit "fortinet"
        set domain "fortinet.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "override"
                set ip 10.88.0.30
            next
        end
    next
end

To verify:

1. On the FortiGate, enable dnsproxy debugs:
# diagnose debug application dnsproxy -1
# diagnose debug enable

2. From a client, use dig to issue a lookup for override.fortinet.com.
>dig @10.0.3.254 override.fortinet.com

; <<>> DiG 9.16.23 <<>> @10.0.3.254 override.fortinet.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53910
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;override.fortinet.com. IN A

;; ANSWER SECTION:
override.fortinet.com. 86400 IN A 10.88.0.30

;; Query time: 73 msec
;; SERVER: 10.0.3.254#53(10.0.3.254)
;; WHEN: Tue Jul 23 17:19:47 Pacific Daylight Time 2024
;; MSG SIZE rcvd: 55

3. From the FortiGate debugs, observe the results are found locally.
FortiGate-VM64-KVM # [worker 0] batch_on_read()-3563
[worker 0] udp_receive_request()-3219: vfid=0, vrf=0, intf=5, len=62, alen=16,
10.0.3.2:51485=>10.0.3.254:53
[worker 0] handle_dns_request()-2497: vfid=0 real_vfid=0 id=0xd296 req_type=3
name=override.fortinet.com qtype=1
[worker 0] dns_nat64_ptr_lookup()-272
[worker 0] dns_nat64_update_request()-305
[worker 0] dns_local_lookup_common()-2578: vfid=0, real_vfid=0, view=2,
qname=override.fortinet.com, qtype=1, qclass=1, offset=39, map#=3 max_sz=512
[worker 0] dns_lookup_aa_zone()-627: vfid=0, fqdn=override.fortinet.com
[worker 0] dns_local_lookup_common()-2630: found zone=fortinet domain=fortinet.com
[worker 0] dnsentry_search()-507: domain=fortinet.com, name=override.fortinet.com,
type=1
[worker 0] dnsentry_lookup()-431: domain=fortinet.com, name=override.fortinet.com,
type=1
[worker 0] dnsentry_lookup()-441: found entry=override.fortinet.com

[worker 0] dns_send_response()-1626: domain=override.fortinet.com reslen=55

4. From the client, use dig to issue a lookup for www.fortinet.com.
C:\Users\tsmith.FORTIAD>dig @10.0.3.254 www.fortinet.com

; <<>> DiG 9.16.23 <<>> @10.0.3.254 www.fortinet.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24497
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.fortinet.com. IN A

;; ANSWER SECTION:
www.fortinet.com. 60 IN CNAME fortinet.96983.fortiwebcloud.net.
fortinet.96983.fortiwebcloud.net. 60 IN CNAME ipv6.lb-2.us-west-1.aws.waas-online.net.
ipv6.lb-2.us-west-1.aws.waas-online.net. 60 IN A 54.177.212.176

;; Query time: 226 msec
;; SERVER: 10.0.3.254#53(10.0.3.254)
;; WHEN: Tue Jul 23 17:11:04 Pacific Daylight Time 2024
;; MSG SIZE rcvd: 146

5. From the FortiGate debugs, observe that the FortiGate makes the resolver query to each DNS name server directly to resolve the address.
FortiGate-VM64-KVM # [worker 0] dns_query_check_timeout()-623: jiffies=60824828
[worker 0] batch_on_read()-3563
[worker 0] udp_receive_request()-3219: vfid=0, vrf=0, intf=5, len=57, alen=16, 10.0.3.2:52979=>10.0.3.254:53
[worker 0] handle_dns_request()-2497: vfid=0 real_vfid=0 id=0x5fb1 req_type=3 name=www.fortinet.com qtype=1
[worker 0] dns_nat64_ptr_lookup()-272
[worker 0] dns_nat64_update_request()-305
[worker 0] dns_local_lookup_common()-2578: vfid=0, real_vfid=0, view=2, qname=www.fortinet.com, qtype=1, qclass=1, offset=34, map#=3 max_sz=512
[worker 0] dns_lookup_aa_zone()-627: vfid=0, fqdn=www.fortinet.com
[worker 0] dns_local_lookup_common()-2630: found zone=fortinet domain=fortinet.com
[worker 0] dnsentry_search()-507: domain=fortinet.com, name=www.fortinet.com, type=1
[worker 0] dnsentry_lookup()-431: domain=fortinet.com, name=www.fortinet.com, type=1
[worker 0] dnsentry_lookup()-431: domain=fortinet.com, name=www.fortinet.com, type=5
[worker 0] dns_send_resol_request()-1322: orig id: 0x5fb1 local id: 0x5fb1 domain=www.fortinet.com
[worker 0] resolver_check_slist()-392: id=0x5fb1 domain=www.fortinet.com zone=fortinet.com ns=ns3.fortinet.com:208.91.113.63

[worker 0] dns_send_resol_request()-1322: orig id: 0xa2d9 local id: 0xa2d9 domain=fortinet.96983.fortiwebcloud.net
[worker 0] resolver_check_slist()-392: id=0xa2d9 domain=fortinet.96983.fortiwebcloud.net zone=fortiwebcloud.net ns=ns-111.awsdns-13.com:205.251.192.111

[worker 0] dns_send_res_request()-1322: orig id: 0x8850 local id: 0x8850 domain=ipv6.lb-2.us-west-1.aws.waas-online.net
[worker 0] resolver_check_slist()-392: id=0x8850 domain=ipv6.lb-2.us-west-1.aws.waas-online.net zone=waas-online.net ns=ns-131.awsdns-16.com:205.251.192.131

[worker 0] __udp_receive_response()-3419: vd-0: len=210, addr=205.251.192.131:53, rating=0
[worker 0] dns_query_handle_response()-2762: vfid=0 real_vfid=0 vrf=0 id=0x8850 domain=ipv6.lb-2.us-west-1.aws.waas-online.net pktlen=210

[worker 0] dns_send_response()-1626: domain=www.fortinet.com reslen=146

6. From the FortiGate, change the DNS server setting for WAN (port3) to recursive mode.
7. Restart the dnsproxy:
# diagnose test application dnsproxy 99

8. From the client, use dig to issue a lookup for www.fortinet.com again.
9. From the FortiGate debugs, observe the FortiGate now forwards the query to a resolver instead of resolving the
query itself.

FortiGate-VM64-KVM # [worker 0] batch_on_read()-3563
[worker 0] udp_receive_request()-3219: vfid=0, vrf=0, intf=5, len=57, alen=16,
10.0.3.2:64510=>10.0.3.254:53
[worker 0] handle_dns_request()-2497: vfid=0 real_vfid=0 id=0x1acc req_type=3
name=www.fortinet.com qtype=1
[worker 0] dns_nat64_ptr_lookup()-272
[worker 0] dns_nat64_update_request()-305
[worker 0] dns_local_lookup_common()-2578: vfid=0, real_vfid=0, view=2,
qname=www.fortinet.com, qtype=1, qclass=1, offset=34, map#=3 max_sz=512
[worker 0] dns_lookup_aa_zone()-627: vfid=0, fqdn=www.fortinet.com
[worker 0] dns_local_lookup_common()-2630: found zone=fortinet domain=fortinet.com
[worker 0] dnsentry_search()-507: domain=fortinet.com, name=www.fortinet.com, type=1
[worker 0] dnsentry_lookup()-431: domain=fortinet.com, name=www.fortinet.com, type=1
[worker 0] dnsentry_lookup()-431: domain=fortinet.com, name=www.fortinet.com, type=5
[worker 0] dns_send_resol_request()-1322: orig id: 0x1acc local id: 0x1acc
domain=www.fortinet.com
[worker 0] dns_find_best_server()-653: found server: 208.91.112.52 (vfid=0 vrf=0)
[worker 0] dns_udp_forward_request()-1064: vdom=root req_type=3 domain=www.fortinet.com
oif=0
[worker 0] dns_udp_forward_request()-1185: Send 57B to [208.91.112.52]:53 via fd=18
request:1
[worker 0] batch_on_read()-3563
[worker 0] __udp_receive_response()-3419: vd-0: len=157, addr=208.91.112.52:53, rating=0
[worker 0] dns_query_handle_response()-2762: vfid=0 real_vfid=0 vrf=0 id=0x1acc
domain=www.fortinet.com pktlen=157
[worker 0] dns_query_save_response()-2734: domain=www.fortinet.com pktlen=157

[worker 0] dns_send_response()-1626: domain=www.fortinet.com reslen=157

Example 2

In the following example, the root name servers to prioritize are defined, and the prioritized servers are then shown highlighted in the list of root name servers.

To define the root name servers:

1. Define the root name servers to prioritize:
config system dns
    set primary 8.8.8.8
    set root-servers "199.7.83.42" "192.33.4.12"
end

2. Display the DNS server for the root name servers:
# diagnose test application dnsproxy 19
worker idx: 0
name=. label_count=0 ns_count=13
ns=a.root-servers.net A=198.41.0.4 use=1
ns=b.root-servers.net A=199.9.14.201 use=1
*ns=c.root-servers.net A=192.33.4.12 use=1
ns=d.root-servers.net A=199.7.91.13 use=1
ns=e.root-servers.net A=192.203.230.10 use=1
ns=f.root-servers.net A=192.5.5.241 use=1
ns=g.root-servers.net A=192.112.36.4 use=1
ns=h.root-servers.net A=198.97.190.53 use=1
ns=i.root-servers.net A=192.36.148.17 use=1
ns=j.root-servers.net A=192.58.128.30 use=1
ns=k.root-servers.net A=193.0.14.129 use=1
*ns=l.root-servers.net A=199.7.83.42 use=1
ns=m.root-servers.net A=202.12.27.33 use=1

Example 3

In the following example, the user configures a custom root server which will be added to the root zone cache. The name
of the new user-defined root server will be auto-generated.

To configure a specific root name server:

1. Configure the user-defined root name server:
config system dns
    set primary 8.8.8.8
    set root-servers "172.16.200.55"
end

2. Display the DNS server for the user-defined root name server:
# diagnose test application dnsproxy 19
worker idx: 0
name=. label_count=0 ns_count=14
ns=a.root-servers.net A=198.41.0.4 use=1
ns=b.root-servers.net A=199.9.14.201 use=1
ns=c.root-servers.net A=192.33.4.12 use=1
ns=d.root-servers.net A=199.7.91.13 use=1
ns=e.root-servers.net A=192.203.230.10 use=1
ns=f.root-servers.net A=192.5.5.241 use=1
ns=g.root-servers.net A=192.112.36.4 use=1
ns=h.root-servers.net A=198.97.190.53 use=1
ns=i.root-servers.net A=192.36.148.17 use=1
ns=j.root-servers.net A=192.58.128.30 use=1
ns=k.root-servers.net A=193.0.14.129 use=1
ns=l.root-servers.net A=199.7.83.42 use=1
ns=m.root-servers.net A=202.12.27.33 use=1
*ns=a.user-root-servers.fgt A=172.16.200.55 use=1

BGP network prefixes utilize firewall addresses and groups

This information is also available in the FortiOS 7.6 Administration Guide:
- Using firewall addresses and groups for BGP network prefixes

BGP network prefixes can be configured using firewall addresses (ipmask and interface-subnet types) and address groups. This streamlines configuration by allowing users to leverage their existing firewall addresses and groups when configuring BGP network prefixes.

config firewall address
    edit <address>
        set allow-routing {enable | disable}
    next
end
config firewall addrgrp
    edit <group>
        set allow-routing {enable | disable}
    next
end
config router bgp
    config network
        edit <id>
            set prefix-name <address or group>
        next
    end
end

allow-routing {enable | disable} Enable/disable use of this address/group in routing configurations.

prefix-name <address or group> Name of firewall address or address group.

To configure various firewall addresses and groups and use them in BGP network prefixes:

1. Configure firewall addresses and groups with allow-routing enabled:
config firewall address
    edit "222"
        set allow-routing enable
        set subnet 22.2.3.0 255.255.255.0
    next
    edit "333"
        set allow-routing enable
        set subnet 33.1.1.0 255.255.255.0
    next
    edit "555"
        set type interface-subnet
        set allow-routing enable
        set subnet 66.6.2.0 255.255.255.0
        set interface "port6"
    next
    edit "vlan55 address"
        set type interface-subnet
        set allow-routing enable
        set subnet 55.2.2.0 255.255.255.0
        set interface "vlan55"
    next
end
config firewall addrgrp
    edit "group1"
        set allow-routing enable
        set member "222" "555"
    next
end

2. Configure BGP network prefixes:
config router bgp
    ...
    config network
        edit 2
            set prefix-name "333"
        next
        edit 20
            set network-import-check disable
            set prefix-name "group1"
        next
        edit 66
            set prefix-name "vlan55 address"
        next
    end
    ...
end
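To see which prefixes such a configuration ends up advertising, the following Python function (an added example, not FortiOS code) expands the `prefix-name` references through nested groups while applying the two constraints the page states: only ipmask and interface-subnet addresses are eligible, and `allow-routing` must be enabled on every object referenced. The object data mirrors the configuration above; the `no-routing` and `web-fqdn` entries are constructed negative cases, and treating a disabled `allow-routing` or an ineligible type as a hard error is this example's reading of how the CLI rejects such references.

```python
import ipaddress

ROUTABLE_TYPES = ("ipmask", "interface-subnet")   # address types the page says BGP accepts


def expand_prefix_names(prefix_names, addresses, groups):
    """Expand BGP network 'prefix-name' references into the prefixes that get advertised.

    addresses: name -> {"type", "subnet" ("ip mask" or "ip/len"), "allow-routing"}
    groups:    name -> {"member": [...], "allow-routing"}
    Raises ValueError for references FortiOS would reject at configuration time.
    """
    prefixes, seen = set(), set()

    def visit(name):
        if name in seen:                       # nested groups may reference an object twice
            return
        seen.add(name)
        if name in groups:
            grp = groups[name]
            if not grp.get("allow-routing"):
                raise ValueError(f"group {name!r}: allow-routing is disabled")
            for member in grp["member"]:
                visit(member)
            return
        addr = addresses[name]                 # KeyError: referenced object does not exist
        kind = addr.get("type", "ipmask")
        if kind not in ROUTABLE_TYPES:
            raise ValueError(f"address {name!r}: type {kind!r} cannot be used for routing")
        if not addr.get("allow-routing"):
            raise ValueError(f"address {name!r}: allow-routing is disabled")
        prefixes.add(ipaddress.ip_network(addr["subnet"].replace(" ", "/"), strict=False))

    for name in prefix_names:
        visit(name)
    return [str(p) for p in sorted(prefixes, key=lambda n: (n.version, n))]


# The objects from the configuration example above, plus two constructed negative cases
ADDRESSES = {
    "222": {"type": "ipmask", "subnet": "22.2.3.0 255.255.255.0", "allow-routing": True},
    "333": {"type": "ipmask", "subnet": "33.1.1.0 255.255.255.0", "allow-routing": True},
    "555": {"type": "interface-subnet", "subnet": "66.6.2.0 255.255.255.0", "allow-routing": True},
    "vlan55 address": {"type": "interface-subnet", "subnet": "55.2.2.0 255.255.255.0", "allow-routing": True},
    "no-routing": {"type": "ipmask", "subnet": "10.9.9.0/24", "allow-routing": False},   # constructed
    "web-fqdn": {"type": "fqdn", "allow-routing": True},                                   # constructed
}
GROUPS = {"group1": {"member": ["222", "555"], "allow-routing": True}}
```

For the three `prefix-name` entries in the example (`333`, `group1`, `vlan55 address`) the expansion is 22.2.3.0/24, 33.1.1.0/24, 55.2.2.0/24 and 66.6.2.0/24; note that `network-import-check disable` on entry 20 is a separate switch about whether a matching route must exist, which this expansion does not model.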

Support UDP-Lite traffic

UDP-Lite (RFC 3828) is a version of UDP that can deliver a partially damaged data payload to an application by defining partial checksums on the packet. FortiOS now provides full support for UDP-Lite (IP protocol 136), including, but not limited to:
- Parsing of UDP-Lite traffic (extracting src/dst port numbers for the session)
- Traffic logging
- HA session synchronization for connectionless sessions (when enabled)
- Strict header checking (when enabled) to silently drop UDP-Lite packets that have an invalid header format or a wrong checksum
- Defining a custom UDP-Lite service
- Defining session-ttl
- Applying UDP-Lite in policy routing

FortiOS does not currently support NP6/NP7 packet offloading of UDP-Lite traffic.
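The strict header check in the list above is easiest to reason about with the header in hand. The following Python code is an added example, not FortiOS code: it builds and verifies UDP-Lite datagrams as RFC 3828 defines them (UDP's Length field becomes a Checksum Coverage field; a coverage of 0 means the whole datagram, values 1 to 7 and values larger than the datagram are invalid) and shows why a packet damaged outside the covered range still passes while one damaged inside it, or carrying an invalid coverage, is rejected. Addresses and ports are taken from the session-table example later in this section; the payload and the function names are constructed.

```python
import struct

IPPROTO_UDPLITE = 136   # IP protocol number used in the session-ttl and policy-route examples
HEADER_LEN = 8          # src port, dst port, checksum coverage, checksum (RFC 3828)


def ones_complement_sum(data):
    """Internet checksum arithmetic (RFC 1071) with the RFC 768 virtual zero pad for odd lengths."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udplite_checksum(src_ip, dst_ip, datagram, coverage):
    """Checksum over the IPv4 pseudo-header plus the first `coverage` octets (0 = whole datagram).

    RFC 3828 section 3.1: the pseudo-header carries the full datagram length, because the
    header field that held the length in UDP now holds the coverage. The checksum field
    inside `datagram` must be zero when this is called.
    """
    covered = datagram if coverage == 0 else datagram[:coverage]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDPLITE, len(datagram))
    csum = 0xFFFF & ~ones_complement_sum(pseudo + covered)
    return csum or 0xFFFF     # a computed zero is transmitted as all ones


def build_udplite(src_ip, dst_ip, sport, dport, payload, coverage=0):
    """Assemble a UDP-Lite datagram whose first `coverage` octets are checksum-protected."""
    datagram = struct.pack("!HHHH", sport, dport, coverage, 0) + payload
    csum = udplite_checksum(src_ip, dst_ip, datagram, coverage)
    return datagram[:6] + struct.pack("!H", csum) + datagram[8:]


def check_udplite(src_ip, dst_ip, datagram):
    """Strict receiver check: (accepted, reason, sport, dport); a rejected packet would be dropped."""
    if len(datagram) < HEADER_LEN:
        return False, "truncated header", None, None
    sport, dport, coverage, csum = struct.unpack("!HHHH", datagram[:HEADER_LEN])
    if 0 < coverage < HEADER_LEN:
        return False, "coverage 1-7 is invalid", sport, dport
    if coverage > len(datagram):
        return False, "coverage exceeds datagram length", sport, dport
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    if udplite_checksum(src_ip, dst_ip, zeroed, coverage) != csum:
        return False, "bad checksum", sport, dport
    return True, "ok", sport, dport


# Addresses and ports from the session-table example in this section; the payload is constructed.
# Coverage 12 protects the 8-byte header plus the first 4 payload bytes and leaves the rest open.
SRC_IP, DST_IP = bytes([10, 1, 100, 41]), bytes([172, 16, 200, 155])
SAMPLE = build_udplite(SRC_IP, DST_IP, 60390, 8090, b"FRAME-HDR" + b"\x00" * 24, coverage=12)
```

The accepted-with-damage case is the whole point of UDP-Lite and also the reason a firewall cannot treat a passing checksum as evidence that the payload is intact: only the covered prefix is vouched for, so any payload inspection has to treat the uncovered tail as untrusted bytes.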

Usage

When configuring a custom firewall service, the protocol can be set to UDP-Lite and the UDP-Lite port range can be configured:
config firewall service custom
    edit "UDPLite_8090"
        set protocol TCP/UDP/UDP-Lite/SCTP
        set udplite-portrange 8090
    next
end

In the GUI, go to Policy & Objects > Services and click Create New:


When configuring session TTL, after setting the protocol to 136, the start and end ports can be configured:
config system session-ttl
    config port
        edit 1
            set protocol 136
            set start-port 8090
            set end-port 8090
        next
    end
end

When configuring a router policy, after setting the protocol to 136, the start, start source, end, and end source ports can be configured:
config router policy
    edit 1
        set protocol 136
        set start-port 8080
        set end-port 8090
        set start-source-port 1
        set end-source-port 65535
    next
end

Example 1: custom session-ttl

In this example, the UDP-Lite protocol is set in the system session TTL, and a firewall policy is created to handle the traffic. The traffic is parsed as a UDP-Lite session, and the custom session TTL is applied to the session.

To configure the FortiGate and check the results:

1. Configure a firewall policy:
config firewall policy
    edit 2
        set name "policy-2"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "10-1-100-0"
        set dstaddr "172-16-200-0"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "all"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

2. Configure the session TTL:
config system session-ttl
    config port
        edit 1
            set protocol 136
            set timeout 3800
            set start-port 8090
            set end-port 8090
        next
    end
end

3. Send UDP-Lite packets with destination port 8090 through the FortiGate so that they hit the configured policy, then check the session table. The UDP-Lite protocol number, source and destination ports, and session timeout are correctly identified by the FortiGate:
# diagnose sys session list
session info: proto=136 proto_state=01 duration=10 expire=3789 timeout=3800 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=45/1/1 reply=45/1/1 tuples=2
tx speed(Bps/kbps): 4/0 rx speed(Bps/kbps): 4/0
orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.41:60390->172.16.200.155:8090(172.16.200.6:60390)
hook=pre dir=reply act=dnat 172.16.200.155:8090->172.16.200.6:60390(10.1.100.41:60390)
misc=0 policy_id=2 pol_uuid_idx=8169 auth_info=0 chk_client_info=0 vd=0
serial=00007dcf tos=ff/ff app_list=0 app=0 url_cat=0
route_policy_id=1
rpdb_link_id=00000001 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0, ha_divert=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
total session: 1

4. Check the traffic log to ensure that the service of the packets is udp-lite/8090, meaning that the FortiGate correctly identified the protocol:
1: date=2024-04-12 time=14:37:07 eventtime=1712957827949666276 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.41 srcport=56284 srcintf="port2" srcintfrole="undefined"
dstip=172.16.200.155 dstport=8090 dstintf="port1" dstintfrole="undefined"
srcuuid="7fcec30c-f795-51ee-6b79-a787816736bf" dstuuid="8b1ab996-f795-51ee-7127-a688cca288f5"
srccountry="Reserved" dstcountry="Reserved" sessionid=32331 proto=136
action="accept" policyid=2 policytype="policy" poluuid="643284de-eb0c-51ee-6779-16a7d8e406f0"
policyname="policy-2" service="udp-lite/8090" trandisp="snat"
transip=172.16.200.6 transport=56284 duration=8 sentbyte=45 rcvdbyte=45 sentpkt=1
rcvdpkt=1 appcat="unscanned"

Example 2: Policy route

In this example, a policy route is defined to route UDP-Lite traffic (protocol 136) that meets the policy route criteria out to port5. Only the policy route configuration is shown. It is assumed that the interfaces, routes, and firewall policies have already been correctly configured.

To configure the policy route and check the results:

1. Configure a policy route that uses protocol 136:
config router policy
    edit 1
        set src "10.0.0.0/24"
        set dst "0.0.0.0/0"
        set protocol 136
        set start-port 54321
        set end-port 54321
        set start-source-port 12345
        set end-source-port 12345
        set output-device "port5"
    next
end

2. Sniff the traffic:
# diagnose sniffer packet any 'ip proto 136' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ip proto 136]
2.108055 port2 in 10.0.0.1 -> 192.2.0.4: ip-proto-136 24
2.108261 port5 out 203.0.113.10 -> 192.2.0.4: ip-proto-136 24
2.177513 port2 in 10.0.0.1 -> 192.2.0.4: ip-proto-136 24
2.177574 port5 out 203.0.113.10 -> 192.2.0.4: ip-proto-136 24

3. View the session:
# diagnose sys session list
session info: proto=136 proto_state=00 duration=8 expire=171 timeout=0 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty synced f00
statistic(bytes/packets/allow_err): org=440/10/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 49/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->7/7->4 gwy=203.0.113.254/0.0.0.0
hook=post dir=org act=snat 10.0.0.1:12345->192.2.0.4:54321(203.0.113.10:12345)
hook=pre dir=reply act=dnat 192.2.0.4:54321->203.0.113.10:12345(10.0.0.1:12345)
misc=0 policy_id=2 pol_uuid_idx=15851 auth_info=0 chk_client_info=0 vd=0
serial=00000a26 tos=ff/ff app_list=0 app=0 url_cat=0
route_policy_id=1
rpdb_link_id=00000001 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

Custom LSA refresh rates and fast link-down detection on VLAN interfaces for OSPF

This information is also available in the FortiOS 7.6 Administration Guide:
- OSPF

You can now customize the Link State Advertisement (LSA) refresh interval for the OSPF protocol to provide enhanced
flexibility and control over the timing parameters within the network. Furthermore, OSPF's capabilities have been
expanded to include fast link-down detection on VLAN interfaces, which markedly boosts the network's responsiveness
and dependability.
The config router ospf command includes new options:
config router ospf
    set lsa-refresh-interval <integer>
    config ospf-interface
        edit <name>
            set interface <string>
            set linkdown-fast-failover {enable | disable}
        next
    end
end

set lsa-refresh-interval <integer>: How often LSAs are refreshed for OSPF, in seconds (0 to 5, default = 5).
set linkdown-fast-failover {enable | disable}: Enable/disable fast link failover.
- enable: OSPF updates the link status from up to down and advertises the LSA update as soon as the underlying physical interface goes down.
- disable: Do not use OSPF fast failover; rely on kernel link detection and notification instead.
Used when the ospf-interface interface attribute is configured, and the type of the underlying interface is VLAN.

Filter NetFlow sampling

This information is also available in the FortiOS 7.6 Administration Guide:
- Filter NetFlow sampling

Exclusion filters can be applied to NetFlow sampling based on criteria including source and destination IP addresses, source and destination ports, and IP protocol. This enhances the relevance of collected data, streamlines data management processes, and reduces excess network traffic. Exclusion filters are defined globally, and up to 64 can be configured.
config system netflow
    config exclusion-filters
        edit <id>
            set source-ip <IP_address>
            set destination-ip <IP_address>
            set source-port <port>
            set destination-port <port>
            set protocol <protocol_ID>
        next
    end
end

source-ip <IP_address>: Session source address.
destination-ip <IP_address>: Session destination address.
source-port <port>: Session source port number or range.
destination-port <port>: Session destination port number or range.
protocol <protocol_ID>: Session IP protocol (0 - 255, default = 255, meaning any).

In this example, IPv4-IPv4 and IPv6-IPv4 exclusion filters are configured on a FortiGate that is connected to a NetFlow collector. Packets that hit the filters are sent, then the session lists are checked for the NetFlow flag and the sessions are checked on the collector.

To configure and test the NetFlow exclusion filters:

1. Create NetFlow exclusion filters:
config system netflow
    set active-flow-timeout 60
    set template-tx-timeout 60
    config exclusion-filters
        edit 44
            set source-ip 10.1.100.41
            set destination-ip 172.16.200.155
        next
        edit 66
            set source-ip 2000:10:1:100::41
            set destination-ip 2000:172:16:200::155
        next
        edit 64
            set source-ip 2000:10:1:100::41
            set destination-ip 65:ff9b::ac10:c837
        next
        edit 46
            set source-ip 10.1.100.41
            set destination-ip 10.1.100.101
        next
    end
    config collectors
        edit 1
            set collector-ip "10.1.100.59"
        next
    end
end

2. Send packets to generate sessions.
3. Check if the NetFlow flag is attached in the session/session6 list:
- If there are two IPv4-IPv4 sessions, and only the first one matches filter ID 44:
# diagnose sys session list
session info: proto=1 proto_state=00 duration=17 expire=59 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=1512/18/1 reply=1512/18/1 tuples=2
tx speed(Bps/kbps): 84/0 rx speed(Bps/kbps): 84/0
orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.41:11165->172.16.200.155:8(172.16.200.6:11165)
hook=pre dir=reply act=dnat 172.16.200.155:11165->172.16.200.6:0(10.1.100.41:11165)
misc=0 policy_id=2 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
serial=000032e9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy

session info: proto=1 proto_state=00 duration=16 expire=59 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=1428/17/1 reply=1428/17/1 tuples=2
tx speed(Bps/kbps): 86/0 rx speed(Bps/kbps): 86/0
orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.41:11166->172.16.200.55:8(172.16.200.6:11166)
hook=pre dir=reply act=dnat 172.16.200.55:11166->172.16.200.6:0(10.1.100.41:11166)
misc=0 policy_id=2 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
serial=000032ea tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy
total session: 2

l If there are two IPv6-IPv4 (NAT64) sessions, and only the first one matches filter ID 64:
# diagnose sys session6 list
session6 info: proto=58 proto_state=00 duration=23 expire=59 timeout=0 refresh_
dir=both flags=00000000 sockport=0 socktype=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=2392/23/0 reply=2392/23/0 tuples=2
tx speed(Bps/kbps): 102/0 rx speed(Bps/kbps): 102/0
orgin->sink: org pre->post, reply pre->post dev=8->43/43->8
hook=pre dir=org act=dnat 2000:10:1:100::41:11138->65:ff9b::ac10:c837:128
(65:ff9b::ac10:c837:11138)
hook=post dir=reply act=snat 65:ff9b::ac10:c837:11138->2000:10:1:100::41:129
(65:ff9b::ac10:c837:11138)
peer=172.16.201.8:1066->172.16.200.55:8 naf=1
hook=pre dir=org act=noop 172.16.201.8:1066->172.16.200.55:8(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:1066->172.16.201.8:0(0.0.0.0:0)
misc=0 policy_id=4 pol_uuid_idx=8176 auth_info=0 chk_client_info=0 vd=0
serial=0000067e tos=ff/ff ips_view=9572 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040001 no_offload
no_ofld_reason: disabled-by-policy non-npu-intf

session6 info: proto=58 proto_state=00 duration=25 expire=59 timeout=0 refresh_dir=both flags=00000000 sockport=0 socktype=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=2600/25/0 reply=2600/25/0 tuples=2
tx speed(Bps/kbps): 103/0 rx speed(Bps/kbps): 103/0
orgin->sink: org pre->post, reply pre->post dev=8->43/43->8
hook=pre dir=org act=dnat 2000:10:1:100::41:11137->65:ff9b::ac10:c89b:128(65:ff9b::ac10:c89b:11137)
hook=post dir=reply act=snat 65:ff9b::ac10:c89b:11137->2000:10:1:100::41:129(65:ff9b::ac10:c89b:11137)

FortiOS 7.6.0 New Features Guide 90
Fortinet Inc.
Network

peer=172.16.201.8:1065->172.16.200.155:8 naf=1
hook=pre dir=org act=noop 172.16.201.8:1065->172.16.200.155:8(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.155:1065->172.16.201.8:0(0.0.0.0:0)
misc=0 policy_id=4 pol_uuid_idx=8176 auth_info=0 chk_client_info=0 vd=0
serial=0000067d tos=ff/ff ips_view=9572 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040001 no_offload
no_ofld_reason: disabled-by-policy non-npu-intf
total session6: 2

4. Check on the collector server. FlowSets for a session or session6 entry are received on the collector only if the session does not match the filters. If the session matches a filter in the system NetFlow configuration, no FlowSets are received on the collector.
• IPv4-IPv4 FlowSets:
Do not receive FlowSets that match exclusion filter ID 44:

Receive FlowSets that do not match any exclusion filters:

• IPv6-IPv4 FlowSets:
Do not receive FlowSets that match exclusion filter ID 64:

Receive FlowSets that do not match any exclusion filters:

SOCKS proxy supports UTM scanning, authentication, and forward server

SOCKS proxy now supports UTM scanning, authentication, and forward server.

To enable the SOCKS proxy in the explicit web proxy:

config web-proxy explicit
set socks enable
end

Examples

To test that expired certificates are blocked through a SOCKS proxy:

1. Enable and configure the explicit proxy with SOCKS enabled.
2. Create an explicit proxy policy that uses deep inspection.
3. Browse to a website with an expired certificate, such as https://expired.badssl.com.

FortiGate can resign server certificates and block expired server certificates through the SOCKS proxy.

To test web filtering through a SOCKS proxy:

1. Enable and configure the explicit proxy with SOCKS enabled.
2. Create a web filter profile that blocks www.example.com.
3. Create an explicit proxy policy that uses deep inspection and assign the profile to it.
4. Attempt to browse to www.example.com.

The website is blocked.

To test blocking a virus through a SOCKS proxy:

1. Enable and configure the explicit proxy with SOCKS enabled.
2. Create an antivirus profile.
3. Create an explicit proxy policy that uses deep inspection and assign the profile to it.
4. Attempt to download a virus.

The file is blocked.

To test authentication through a SOCKS proxy:

1. Enable and configure the explicit proxy with SOCKS enabled.
2. Configure an authentication server and create user groups.
3. Create an authentication scheme and rules.
4. Create an explicit proxy policy and assign the user group to it.
5. Try transferring data with and without user credentials:

• If user credentials are not provided, the connection will fail:
root@client:~# curl --socks5 10.1.100.6:1080 https://172.16.200.99 -v -k
* Trying 10.1.100.6:1080...
* No authentication method was acceptable.
* Closing connection 0
curl: (97) No authentication method was acceptable.

• When user credentials are provided, the connection succeeds and traffic can be passed:
root@client:~# curl --socks5-host 10.1.100.6:1080 http://172.16.200.99 -v -k --proxy-user test1:123
* Trying 10.1.100.6:1080...
* SOCKS5 connect to 172.16.200.99:80 (remotely resolved)
* SOCKS5 request granted.
* Connected to 10.1.100.6 (10.1.100.6) port 1080 (#0)
> GET / HTTP/1.1
> Host: 172.16.200.99
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 14 Jun 2024 00:46:47 GMT
< Server: Apache/2.4.38 (Ubuntu)
< Upgrade: h2c
< Connection: Upgrade
< Last-Modified: Tue, 08 Nov 2022 23:15:16 GMT
< ETag: "2f-5ecfdb689edac"
< Accept-Ranges: bytes
< Content-Length: 47
< Content-Type: text/html
<

It works!
this is pc4.
this is a test file
* Connection #0 to host 10.1.100.6 left intact

6. Check the WAD user information:
# diagnose wad user list
ID: 3, VDOM: root, IPv4: 10.1.100.77
user name : test1
worker : 5
duration : 179
auth_type : IP
auth_method : socks-Basic
pol_id : 0
g_id : 0
user_based : 0
expire : 421
LAN:
bytes_in=217 bytes_out=648
WAN:
bytes_in=309 bytes_out=77
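The two curl results in step 5 come down to SOCKS5 method negotiation. The following is an added example, not FortiOS or curl code: a Python model of the proxy side of the RFC 1928 method selection and the RFC 1929 username/password sub-negotiation. The USERS table, the require_auth flag and the function names are assumptions standing in for the user group bound to the explicit proxy policy.

```python
"""SOCKS5 method negotiation (RFC 1928) and username/password sub-negotiation (RFC 1929).

Added example, not FortiOS or curl code. It models the proxy side of the exchange behind the
two curl runs above: a client that only offers "no authentication" is refused with method
0xFF (curl error 97), while a client that also offers username/password and presents valid
credentials has its CONNECT request granted.
"""
import hmac
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01

# Constructed credential store standing in for the user group bound to the proxy policy.
USERS = {"test1": "123"}


def select_method(greeting: bytes, require_auth: bool) -> bytes:
    """Proxy reply to the client greeting (VER NMETHODS METHODS...) -> VER METHOD."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    if require_auth:
        # A policy with a user group attached accepts username/password only.
        chosen = METHOD_USERPASS if METHOD_USERPASS in methods else METHOD_NONE_ACCEPTABLE
    elif METHOD_NO_AUTH in methods:
        chosen = METHOD_NO_AUTH
    elif METHOD_USERPASS in methods:
        chosen = METHOD_USERPASS
    else:
        chosen = METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def check_credentials(subneg: bytes) -> bytes:
    """RFC 1929: VER(0x01) ULEN UNAME PLEN PASSWD -> VER STATUS, where STATUS 0x00 means success."""
    failure = bytes([0x01, 0x01])
    if len(subneg) < 3 or subneg[0] != 0x01:
        return failure
    ulen = subneg[1]
    uname = subneg[2:2 + ulen]
    if len(subneg) < 3 + ulen:
        return failure
    plen = subneg[2 + ulen]
    passwd = subneg[3 + ulen:3 + ulen + plen]
    if len(passwd) != plen:
        return failure
    user = uname.decode(errors="replace")
    # Constant-time comparison so the password check does not leak through timing.
    ok = user in USERS and hmac.compare_digest(USERS[user].encode(), passwd)
    return bytes([0x01, 0x00]) if ok else failure


def build_connect(host: str, port: int) -> bytes:
    """Client CONNECT request. A hostname is sent as ATYP 0x03 so the proxy resolves it,
    which is what curl reports as "remotely resolved" for --socks5-hostname."""
    try:
        packed = ipaddress.ip_address(host).packed
        atyp, addr = (0x01 if len(packed) == 4 else 0x04), packed
    except ValueError:
        name = host.encode("idna")
        atyp, addr = 0x03, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def negotiate(client_methods, require_auth, creds=None, host="172.16.200.99", port=80):
    """Run the whole client/proxy exchange and return the outcome as a short string.

    curl offers only METHOD_NO_AUTH unless --proxy-user is given, in which case it also
    offers METHOD_USERPASS; creds is the (user, password) pair from --proxy-user."""
    greeting = bytes([SOCKS_VERSION, len(client_methods)]) + bytes(client_methods)
    reply = select_method(greeting, require_auth)
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        return "no acceptable auth method"  # curl: (97) No authentication method was acceptable.
    if reply[1] == METHOD_USERPASS:
        if creds is None:
            return "credentials required"
        user, password = creds
        subneg = (bytes([0x01, len(user)]) + user.encode()
                  + bytes([len(password)]) + password.encode())
        if check_credentials(subneg)[1] != 0x00:
            return "authentication failed"
    request = build_connect(host, port)
    if request[1] != CMD_CONNECT:
        return "command not supported"
    return "request granted"  # curl: SOCKS5 request granted.
```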

To use a web proxy forwarding server through a SOCKS proxy:

1. Enable and configure the explicit proxy with SOCKS enabled.
2. Configure a web proxy forwarding server.
3. Create an explicit proxy policy that uses deep inspection and apply the web proxy forwarding server to it.

Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations

This information is also available in the FortiOS 7.6 Administration Guide:
• Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations

To account for dynamic IP address changes, such as those governed by SD-WAN rules, interface names can be used to define the source IP addresses in RADIUS, LDAP, and DNS configurations using the source-ip-interface command. The interface's current IP address is used as the source IP address in the configuration, which enhances network flexibility and resolves potential connectivity issues.
The following examples demonstrate configuring the interface name as the source IP address in RADIUS and LDAP servers, and in local DNS databases, respectively. The server configuration on the FortiGate must include a source IP address. This source IP address can be that of any interface, including the IP address of a loopback interface.

Example 1: RADIUS server

In this example, the loopback interface is used as the source IP address and the interface method is set to specify.

To configure the interface name as the source IP address in a RADIUS server:

1. Configure the loopback interface:
config system interface
edit "loop1"
set vdom "vdom1"
set ip 10.1.10.9 255.255.255.0
set allowaccess ping
set type loopback
next
end

2. Configure the RADIUS user object:
config user radius
edit "radius-142"
set server "10.1.100.142"
set secret XXXXXX
set source-ip-interface "loop1"
set interface-select-method specify
set interface "testvlink1"
next
end

3. Test the basic communication:
a. Perform a local credential check with a known user and password:
# diagnose test authserver radius radius-142 pap test1 test1
authenticate 'test1' against 'pap' succeeded, server=primary assigned_rad_session_id=105510201667592 session_timeout=3600 secs idle_timeout=300 secs!
Group membership(s) - group1

b. Perform a sniffer check in a separate SSH session to verify that the source IP address is the expected IP address of the loopback interface (loop1):
# diagnose sniffer packet any 'host 10.1.100.142 and port 1812' 4
interfaces=[any]
filters=[host 10.1.100.142 and port 1812]
5.144791 testvlink1 out 10.1.10.9.17437 -> 10.1.100.142.1812: udp 110
5.144794 testvlink0 in 10.1.10.9.17437 -> 10.1.100.142.1812: udp 110
5.144812 port2 out 10.1.10.9.17437 -> 10.1.100.142.1812: udp 110
5.149570 port2 in 10.1.100.142.1812 -> 10.1.10.9.17437: udp 169
5.149581 testvlink0 out 10.1.100.142.1812 -> 10.1.10.9.17437: udp 169
5.149583 testvlink1 in 10.1.100.142.1812 -> 10.1.10.9.17437: udp 169

Example 2: LDAP server

In this example, a VDOM link is used as the source IP address and the interface method is set to sdwan.

To configure the interface name as the source IP address in an LDAP server:

1. Configure the VDOM link:
config system interface
edit "testvlink1"
set vdom "vdom1"
set ip 10.12.1.10 255.255.255.0
set allowaccess ping
set type vdom-link
next
end

2. Configure the LDAP user object:
config user ldap
edit "ldap-2"
set server "172.18.60.214"
set source-ip-interface "testvlink1"
set cnid "cn"
set dn "dc=qafsso,dc=com"
set type regular
set username "cn=Manager,dc=qafsso,dc=com"
set password ENC XXXXXXXXXXXXXXXXXXX
set interface-select-method sdwan
next
end

3. Confirm in a packet capture that the correct IP address is used in the outgoing and incoming packets:
# diagnose sniffer packet any 'port 389' 4
interfaces=[any]

filters=[port 389]
11.356977 testvlink1 out 10.12.1.10.11742 -> 172.18.60.214.389: syn 1099805903
11.356979 testvlink0 in 10.12.1.10.11742 -> 172.18.60.214.389: syn 1099805903
11.357001 port1 out 172.16.200.9.11742 -> 172.18.60.214.389: syn 1099805903
11.357548 port1 in 172.18.60.214.389 -> 172.16.200.9.11742: syn 2083328609 ack 1099805904
11.357556 testvlink0 out 172.18.60.214.389 -> 10.12.1.10.11742: syn 2083328609 ack 1099805904
11.357558 testvlink1 in 172.18.60.214.389 -> 10.12.1.10.11742: syn 2083328609 ack 1099805904
11.357566 testvlink1 out 10.12.1.10.11742 -> 172.18.60.214.389: ack 2083328610
11.357564 testvlink0 in 10.12.1.10.11742 -> 172.18.60.214.389: ack 2083328610
11.357571 port1 out 172.16.200.9.11742 -> 172.18.60.214.389: ack 2083328610

Example 3: DNS database

In this example, the system DNS database uses a customized DNS server and a loopback interface as the source IP
address.

To configure the interface name as the source IP address in a DNS database:

1. Configure the loopback interface:
config system interface
edit "loop"
set vdom "root"
set ip 10.3.10.9 255.255.255.0
set allowaccess ping
set type loopback
set role lan
set snmp-index 28
next
end

2. Configure the DNS database:
config system dns-database
edit "1"
set domain "fortinet-fsso.com"
set authoritative disable
set forwarder "10.1.100.150"
set source-ip-interface "loop"
next
end

3. Clear the DNS host cache and ping any FQDN in the DNS domain:
# execute ping login.fortinet-fsso.com
PING login.fortinet-fsso.com (10.1.100.5): 56 data bytes
64 bytes from 10.1.100.5: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 10.1.100.5: icmp_seq=1 ttl=255 time=0.0 ms
64 bytes from 10.1.100.5: icmp_seq=2 ttl=255 time=0.0 ms
64 bytes from 10.1.100.5: icmp_seq=3 ttl=255 time=0.0 ms
64 bytes from 10.1.100.5: icmp_seq=4 ttl=255 time=0.0 ms

--- login.fortinet-fsso.com ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms

4. Perform a sniffer check on the FortiGate to confirm that the loopback interface was used as the source IP address in
a DNS query:
# diagnose sniffer packet any 'host 10.1.100.150 and port 53' 4
interfaces=[any]
filters=[host 10.1.100.150 and port 53]
91.180362 port2 out 10.3.10.9.1328 -> 10.1.100.150.53: udp 41
91.180733 port2 in 10.1.100.150.53 -> 10.3.10.9.1328: udp 57
468.753163 port2 out 10.3.10.9.3990 -> 10.1.100.150.53: udp 41
468.753533 port2 in 10.1.100.150.53 -> 10.3.10.9.3990: udp 57
523.470007 port2 out 10.3.10.9.3990 -> 10.1.100.150.53: udp 44
523.470017 port2 out 10.3.10.9.3990 -> 10.1.100.150.53: udp 45
523.470025 port2 out 10.3.10.9.3990 -> 10.1.100.150.53: udp 47
523.470350 port2 in 10.1.100.150.53 -> 10.3.10.9.3990: udp 60
523.470380 port2 in 10.1.100.150.53 -> 10.3.10.9.3990: udp 85
523.470396 port2 in 10.1.100.150.53 -> 10.3.10.9.3990: udp 95
^C
10 packets received by filter
0 packets dropped by kernel
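Each of the three examples ends with a sniffer check of the source address. The following is an added example, not FortiOS code: a Python parser for the verbosity-4 sniffer lines shown above that reports, per interface, which source IP addresses outgoing packets to the server carried, and flags any that differ from the configured source-ip-interface address (it also accepts portless ICMP lines). CAPTURE_RADIUS and CAPTURE_LDAP are constructed from the captures in Examples 1 and 2; the function names are assumptions.

```python
"""Check which source IP address the FortiGate used in 'diagnose sniffer packet' output.

Added example, not FortiOS code. Verbosity-4 lines have the form
    <time> <interface> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <protocol info>
The parser collects, per interface, the source addresses of outgoing packets to the server
and reports any that differ from the expected source-ip-interface address.
"""
import re
from collections import defaultdict

_LINE = re.compile(r"^\s*(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
                   r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s*(?P<info>.*)$")

# Constructed from the captures shown in Example 1 (RADIUS) and Example 2 (LDAP) above.
CAPTURE_RADIUS = """\
interfaces=[any]
filters=[host 10.1.100.142 and port 1812]
5.144791 testvlink1 out 10.1.10.9.17437 -> 10.1.100.142.1812: udp 110
5.144794 testvlink0 in 10.1.10.9.17437 -> 10.1.100.142.1812: udp 110
5.144812 port2 out 10.1.10.9.17437 -> 10.1.100.142.1812: udp 110
5.149570 port2 in 10.1.100.142.1812 -> 10.1.10.9.17437: udp 169
5.149581 testvlink0 out 10.1.100.142.1812 -> 10.1.10.9.17437: udp 169
5.149583 testvlink1 in 10.1.100.142.1812 -> 10.1.10.9.17437: udp 169
"""

CAPTURE_LDAP = """\
interfaces=[any]
filters=[port 389]
11.356977 testvlink1 out 10.12.1.10.11742 -> 172.18.60.214.389: syn 1099805903
11.356979 testvlink0 in 10.12.1.10.11742 -> 172.18.60.214.389: syn 1099805903
11.357001 port1 out 172.16.200.9.11742 -> 172.18.60.214.389: syn 1099805903
11.357548 port1 in 172.18.60.214.389 -> 172.16.200.9.11742: syn 2083328609 ack 1099805904
11.357556 testvlink0 out 172.18.60.214.389 -> 10.12.1.10.11742: syn 2083328609 ack 1099805904
11.357558 testvlink1 in 172.18.60.214.389 -> 10.12.1.10.11742: syn 2083328609 ack 1099805904
"""


def split_endpoint(token):
    """'10.1.10.9.17437' -> ('10.1.10.9', 17437); a portless ICMP endpoint '22.1.1.22' -> ('22.1.1.22', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    if len(parts) == 4:
        return token, None
    raise ValueError(f"unrecognised endpoint: {token}")


def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        packets.append({"ifname": m["ifname"], "dir": m["dir"], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "info": m["info"]})
    return packets


def sources_to_server(packets, server_ip, server_port=None):
    """Map interface -> sorted source IPs seen on outgoing packets addressed to the server."""
    seen = defaultdict(set)
    for p in packets:
        if p["dir"] == "out" and p["dst"] == server_ip and server_port in (None, p["dport"]):
            seen[p["ifname"]].add(p["src"])
    return {ifname: sorted(v) for ifname, v in seen.items()}


def check_source_ip(text, server_ip, expected_src, server_port=None):
    """Return [(interface, source)] for outgoing packets to the server that do not carry
    expected_src; an empty list means every egress hop used the configured address."""
    by_ifname = sources_to_server(parse_sniffer(text), server_ip, server_port)
    return [(ifname, src) for ifname, srcs in by_ifname.items() for src in srcs if src != expected_src]
```

On the LDAP capture the check reports port1 with 172.16.200.9, the address the packets carry after crossing the VDOM link, while testvlink1 shows the configured 10.12.1.10.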

Include groups in PIM join/prune messages

This information is also available in the FortiOS 7.6 Administration Guide:
• Multicast routing and PIM support

FortiOS now includes groups in the Protocol Independent Multicast (PIM) join/prune messages sent to the router,
according to section 4.9.5 in RFC 4601. Previously, FortiOS could accept PIM join/prune messages with multiple groups;
however, FortiOS could only send one group in one PIM join/prune message to the router. This improvement reduces
the number of messages sent to the router, ensuring greater stability and efficiency in network operations, particularly in
extensive multicast environments.

Example

In this example, multicast routing is configured on FortiGate A. On FortiGate B, multicast routing is configured with a
static group consisting of 10 group addresses. The PIM join/prune messages sent from FortiGate B to the receiver
include the group addresses.

To view groups in PIM join/prune messages:

1. On FortiGate A, enable and configure multicast routing:
config router multicast
set multicast-routing enable
config pim-sm-global
config rp-address
edit 1
set ip-address 1.1.1.1
next
end
end
config interface
edit "port2"
set pim-mode sparse-mode
next
edit "agg1"
set pim-mode sparse-mode
next
edit "loopback1"
set pim-mode sparse-mode
next
end
end

2. On FortiGate B, enable and configure multicast routing with a static group:
config router multicast
set multicast-routing enable
config pim-sm-global
config rp-address
edit 1
set ip-address 1.1.1.1
next
end
end
config interface
edit "agg2"
set pim-mode sparse-mode
set static-group "test1"
next
end
end

3. On FortiGate B, edit the static group to add 10 group addresses:
config router multicast-flow
edit "test1"
config flows
edit 1
set group-addr 225.1.1.10
next
edit 2
set group-addr 225.1.1.11
next
edit 3
set group-addr 225.1.1.12
next
edit 4
set group-addr 225.1.1.13
next
edit 5

set group-addr 225.1.1.14
next
edit 6
set group-addr 225.1.1.15
next
edit 7
set group-addr 225.1.1.16
next
edit 8
set group-addr 225.1.1.17
next
edit 9
set group-addr 225.1.1.18
next
edit 10
set group-addr 225.1.1.19
next
end
next
end

4. On FortiGate B, after traffic flows, confirm the visibility of the multicast groups on FortiGate A. A successful
enumeration of these groups signifies the correct execution of the multicast join process. Conversely, during a
multicast prune operation, ensure that the multicast groups are appropriately retracted from FortiGate A:
# get router info multicast pim sparse-mode table
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 10
(S,G) Entries: 0
(S,G,rpt) Entries: 0
FCR Entries: 0
(*, 225.1.1.10) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.11) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339

Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.12) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.13) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.14) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:

Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.15) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.16) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.17) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1

Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.18) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
FCR:
(*, 225.1.1.19) - 2
RP: 1.1.1.1
RPF nbr: 0.0.0.0
RPF idx: None
RPF RP: 1.1.1.1, 0, 1, 1, 424238339
Upstream State: JOINED
Downstream Expired: 0
Local:
Total: 0
Joined:
agg1
Total: 1
Lost assert:
Total: 0
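The following is an added example, not FortiOS code: Python that encodes and decodes a PIMv2 Join/Prune message in the RFC 4601 section 4.9.5 format for the ten groups configured on FortiGate B, each with a (*,G) join toward RP 1.1.1.1, and contrasts one message carrying all ten groups with one message per group. The upstream neighbor address 10.1.1.2 and the function names are assumptions; the holdtime of 210 seconds is the RFC 4601 default of 3.5 times the 60-second Join/Prune period.

```python
"""Encode and decode a PIMv2 Join/Prune message in the RFC 4601 section 4.9.5 format.

Added example, not FortiOS code. It builds the (*,G) joins toward RP 1.1.1.1 for the ten
groups configured on FortiGate B above, first with all groups in one message and then with
one group per message, and parses the result back, verifying the header checksum.
"""
import ipaddress
import struct

PIM_VERSION = 2
PIM_TYPE_JOIN_PRUNE = 3
ADDR_FAMILY_IPV4 = 1
# Encoded-Source flag bits: Sparse (S), WildCard (W), RPT (R); a (*,G) join toward the RP sets all three.
FLAG_S, FLAG_W, FLAG_R = 0x04, 0x02, 0x01
HEADER_LEN = 14  # 4-byte PIM header + 6-byte upstream neighbour + reserved/num groups/holdtime


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words, as carried in the PIM header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def encode_join_prune(upstream, groups, rp, holdtime=210):
    """One message with a (*,G) join for every group; the format allows up to 255 groups."""
    if not 0 < len(groups) <= 255:
        raise ValueError("a Join/Prune message carries 1 to 255 groups")
    body = bytes([ADDR_FAMILY_IPV4, 0]) + _packed(upstream)          # Encoded-Unicast upstream neighbour
    body += struct.pack("!BBH", 0, len(groups), holdtime)            # reserved, num groups, holdtime
    for group in groups:
        body += bytes([ADDR_FAMILY_IPV4, 0, 0, 32]) + _packed(group)  # Encoded-Group, mask length 32
        body += struct.pack("!HH", 1, 0)                              # 1 joined source, 0 pruned
        body += bytes([ADDR_FAMILY_IPV4, 0, FLAG_S | FLAG_W | FLAG_R, 32]) + _packed(rp)
    header = bytes([(PIM_VERSION << 4) | PIM_TYPE_JOIN_PRUNE, 0, 0, 0])
    return header[:2] + struct.pack("!H", ip_checksum(header + body)) + body


def batch_join_prune(upstream, groups, rp, max_groups=255):
    """Split the groups across messages; max_groups=1 reproduces one group per message."""
    return [encode_join_prune(upstream, groups[i:i + max_groups], rp)
            for i in range(0, len(groups), max_groups)]


def decode_join_prune(data):
    """Parse a Join/Prune message into a dict; raises ValueError on a bad header or checksum."""
    if len(data) < HEADER_LEN or data[0] != (PIM_VERSION << 4) | PIM_TYPE_JOIN_PRUNE:
        raise ValueError("not a PIMv2 Join/Prune message")
    if ip_checksum(data) != 0:
        raise ValueError("checksum mismatch")
    if data[4] != ADDR_FAMILY_IPV4:
        raise ValueError("only IPv4 encoded addresses are handled here")
    upstream = str(ipaddress.IPv4Address(data[6:10]))
    num_groups, holdtime = struct.unpack("!BH", data[11:14])
    off, groups = HEADER_LEN, []
    for _ in range(num_groups):
        group = str(ipaddress.IPv4Address(data[off + 4:off + 8]))
        n_joined, n_pruned = struct.unpack("!HH", data[off + 8:off + 12])
        off += 12
        joined, pruned = [], []
        for sources, count in ((joined, n_joined), (pruned, n_pruned)):
            for _ in range(count):
                flags, source = data[off + 2], str(ipaddress.IPv4Address(data[off + 4:off + 8]))
                sources.append((source, flags))
                off += 8
        groups.append({"group": group, "joined": joined, "pruned": pruned})
    if off != len(data):
        raise ValueError("trailing bytes after the last group")
    return {"upstream": upstream, "holdtime": holdtime, "groups": groups}


if __name__ == "__main__":
    groups = ["225.1.1.%d" % i for i in range(10, 20)]
    print(len(batch_join_prune("10.1.1.2", groups, "1.1.1.1", max_groups=1)), "messages, one group each")
    print(len(batch_join_prune("10.1.1.2", groups, "1.1.1.1")), "message carrying all ten groups")
```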

Automatic LTE connection establishment

This information is also available in the FortiOS 7.6 Administration Guide:
• Automatic LTE connection establishment

Establishing an LTE connection is now automated. When you insert a SIM card into FortiGate, FortiOS can obtain the
Mobile Country Code (MCC) and Mobile Network Code (MNC) from the service provider's radio tower. FortiOS then
uses the codes to look up the appropriate APN for the SIM card in a predefined table and automatically creates a
wireless profile. Manual configuration is no longer needed, which simplifies the process of establishing an LTE
connection.

Netflow sampling

This information is also available in the FortiOS 7.6 Administration Guide:
• Netflow sampling

FortiOS supports NetFlow sampling, allowing it to maintain a count of the number of packets or bytes that have been
sampled for an interface. If the packet count for a session surpasses the configured threshold for transmitted or received
traffic on a NetFlow-enabled interface, a NetFlow report is exported. This helps reduce the load on the collector.
config system interface
edit <name>
set netflow-sampler {tx | rx | both}
set netflow-sample-rate <integer>
set netflow-sampler-id <integer>
next
end

netflow-sampler {tx | rx | both}    Enable/disable NetFlow on this interface and set the data that NetFlow collects.
netflow-sample-rate <integer>       NetFlow sample rate. Sample one packet every configured number of packets (1 - 65535, default = 1, which means standard NetFlow where all packets are sampled).
netflow-sampler-id <integer>        NetFlow sampler ID.

All sessions that hit an interface with NetFlow sampling configured are still reported to the exporter daemon (sflowd), which keeps a tally of the sampled packets and bytes. If the session has more ingress packets, egress packets, or both than the configured threshold (netflow-sample-rate), then a NetFlow report is exported. The NetFlow report includes rounded-up numbers of packets and bytes divided by the sampling rate.
In this example, the FortiGate is connected on port2 to a NetFlow collector, and NetFlow sampling is configured on port2 with a sampling rate of 100. It is assumed that policies are already configured. Packets are sent that hit the policy. If the number of packets is less than the sampling rate, then no flowset is sent to the collector. If the number of packets is more than the sampling rate, then a flowset is sent to the collector.

To configure the interface and test sending different numbers of packets:

1. Connect the FortiGate port2 interface to the NetFlow collector.
2. Configure the interface:
config system interface
edit "port2"
set vdom "root"
set ip 10.1.100.6 255.255.255.0
set allowaccess https ssh snmp http telnet
set type physical
set netflow-sampler both
set netflow-sample-rate 100
set netflow-sampler-id 99
set alias "To_vlan20"

set snmp-index 2
config ipv6
set ip6-address 2000:10:1:100::6/64
set ip6-allowaccess https ssh http telnet
end
set speed 1000auto
next
end

3. Send 80 ICMP packets to pass through port2.
Because this is less than the sample rate of 100, the FortiGate does not send any flowsets to the collector after the session timeout.
# diagnose sys session list

session info: proto=1 proto_state=00 duration=114 expire=26 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=6720/80/1 reply=6720/80/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.41:20043->172.16.200.155:8(172.16.200.6:20043)
hook=pre dir=reply act=dnat 172.16.200.155:20043->172.16.200.6:0(10.1.100.41:20043)
misc=0 policy_id=44 pol_uuid_idx=8183 auth_info=0 chk_client_info=0 vd=0
serial=0001e4be tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy
total session: 1

4. Send 105 ICMP packets to pass through port2.
Because this is more than the sample rate of 100, the FortiGate sends one flowset packet to the collector after the session timeout.
# diagnose sys session list

session info: proto=1 proto_state=00 duration=110 expire=55 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=8820/105/1 reply=8820/105/1 tuples=2
tx speed(Bps/kbps): 78/0 rx speed(Bps/kbps): 78/0
orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.41:20072->172.16.200.155:8(172.16.200.6:20072)
hook=pre dir=reply act=dnat 172.16.200.155:20072->172.16.200.6:0(10.1.100.41:20072)
misc=0 policy_id=44 pol_uuid_idx=8183 auth_info=0 chk_client_info=0 vd=0
serial=0001e56f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload

no_ofld_reason: disabled-by-policy
total session: 1

5. Check the flowset:
Octets: 88
Post Octets: 88
Packets: 1
Post Packets: 1
......
SamplerID: 99
Srcaddr: 10.1.100.41
Dstaddr: 172.16.200.155
......

Because the sample rate is 100, the flowset means:
• 88 * 100 = 8800 Bytes
• 1 * 100 = 100 Packets
This is close to the actual value of 8820 bytes / 105 packets. This shows that after configuring the NetFlow sampling rate, the number of received flowsets has been reduced, and the flowsets' values are consistent with the actual values, although not exactly the same.
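The following is an added example, not FortiOS code: a Python model of the export decision and value scaling described in this section, fed with the statistic and hook lines of the session entries from steps 3 and 4 (constructed excerpts). Treating tx as the originating direction and rx as the reply direction, and the function names, are assumptions.

```python
"""Model of the NetFlow sampling export decision described in this section.

Added example, not FortiOS code. It reads the statistic and dir=org hook lines of a
'diagnose sys session list' entry, applies the rule "export when a direction has more packets
than netflow-sample-rate" and scales the counts by the rate the way the flowset in step 5 shows.
Mapping tx to the originating direction and rx to the reply direction is an assumption.
"""
import re
from dataclasses import dataclass

_STATS = re.compile(r"org=(\d+)/(\d+)/\d+\s+reply=(\d+)/(\d+)/\d+")
_ORG = re.compile(r"dir=org act=\w+ (\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")

# Constructed excerpts of the session entries from steps 3 and 4.
SESSION_80 = """\
session info: proto=1 proto_state=00 duration=114 expire=26 timeout=0 refresh_dir=both
statistic(bytes/packets/allow_err): org=6720/80/1 reply=6720/80/1 tuples=2
hook=post dir=org act=snat 10.1.100.41:20043->172.16.200.155:8(172.16.200.6:20043)
hook=pre dir=reply act=dnat 172.16.200.155:20043->172.16.200.6:0(10.1.100.41:20043)
"""
SESSION_105 = """\
session info: proto=1 proto_state=00 duration=110 expire=55 timeout=0 refresh_dir=both
statistic(bytes/packets/allow_err): org=8820/105/1 reply=8820/105/1 tuples=2
hook=post dir=org act=snat 10.1.100.41:20072->172.16.200.155:8(172.16.200.6:20072)
hook=pre dir=reply act=dnat 172.16.200.155:20072->172.16.200.6:0(10.1.100.41:20072)
"""


@dataclass
class Session:
    src: str
    dst: str
    org_bytes: int
    org_pkts: int
    reply_bytes: int
    reply_pkts: int


@dataclass
class Sampler:
    mode: str        # netflow-sampler: tx | rx | both
    rate: int        # netflow-sample-rate: 1 - 65535
    sampler_id: int  # netflow-sampler-id, copied into the flowset as SamplerID

    def __post_init__(self):
        if self.mode not in ("tx", "rx", "both") or not 1 <= self.rate <= 65535:
            raise ValueError("invalid sampler configuration")


def parse_session(text):
    """Build a Session from one session-list entry (bytes/packets per direction, src/dst)."""
    stats, org = _STATS.search(text), _ORG.search(text)
    if stats is None or org is None:
        raise ValueError("entry lacks a statistic line or a dir=org hook line")
    ob, op, rb, rp = (int(x) for x in stats.groups())
    return Session(org.group(1), org.group(2), ob, op, rb, rp)


def sampled_directions(sess, sampler):
    """(bytes, packets) tuples the sampler evaluates; 'both' checks each direction on its own,
    which is why the 80/80-packet session in step 3 produced no flowset although 80 + 80 > 100."""
    org, reply = (sess.org_bytes, sess.org_pkts), (sess.reply_bytes, sess.reply_pkts)
    return {"tx": [org], "rx": [reply], "both": [org, reply]}[sampler.mode]


def export_flowset(sess, sampler):
    """Return the flowset fields for the session, or None when no direction exceeds the rate.

    Integer division reproduces the values in step 5: 8820 B / 105 packets at rate 100 give
    Octets 88 and Packets 1. Post Octets/Post Packets repeat the counts as seen after egress
    processing, which are the same here."""
    if not any(pkts > sampler.rate for _, pkts in sampled_directions(sess, sampler)):
        return None
    return {
        "Octets": sess.org_bytes // sampler.rate,
        "Post Octets": sess.org_bytes // sampler.rate,
        "Packets": sess.org_pkts // sampler.rate,
        "Post Packets": sess.org_pkts // sampler.rate,
        "SamplerID": sampler.sampler_id,
        "Srcaddr": sess.src,
        "Dstaddr": sess.dst,
    }


def collector_estimate(flowset, sampler):
    """What the collector reconstructs by scaling the sampled counts back up by the rate."""
    return {"bytes": flowset["Octets"] * sampler.rate, "packets": flowset["Packets"] * sampler.rate}


if __name__ == "__main__":
    cfg = Sampler("both", 100, 99)  # port2 configuration from step 2
    for name, entry in (("80 packets", SESSION_80), ("105 packets", SESSION_105)):
        fs = export_flowset(parse_session(entry), cfg)
        print(name, "->", "no flowset" if fs is None else collector_estimate(fs, cfg))
```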

Support source-IP interface for system DNS database

This information is also available in the FortiOS 7.6 Administration Guide:
• Important DNS CLI commands

You can now specify by name which interface to use for the system DNS database; the interface's IP address is used as the source IP address. Specifying the interface name rather than the IP address provides greater flexibility and control over network configurations, especially in SD-WAN deployments.
config system dns-database
set source-ip-interface <string>
end

set source-ip-interface <string>    IP address of the specified interface as the source IP address.

Example

In this example, a DNS server is enabled on FGT-A and on FGT-C with FGT-A configured to forward DNS queries to
FGT-C. On FGT-A, port1 is configured as the source-ip interface. When FGT-B pings a domain name, the request is
forwarded to the FGT-C DNS server to resolve.

To configure a source-IP interface for system DNS database:

1. On FGT-A, create a DNS server and enable forwarding to FGT-C:
In this example, the source-IP interface is set to port1.
config system dns-database
edit "1115381"
set domain "qa.fortinet.com"
set authoritative disable
set forwarder "172.16.200.3"
set forwarder6 2000:172:16:200::3
set source-ip-interface "port1"
config dns-entry
edit 1
set hostname "pc51"
set ip 172.16.200.51
next
end
next
end

2. On FGT-A, configure an IP address on port1:
config system interface
edit "port1"
set vdom "vdom1"
set ip 172.16.200.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set monitor-bandwidth enable
set snmp-index 3
config ipv6
set ip6-address 2000:172:16:200::1/64
set ip6-allowaccess ping https ssh snmp http telnet
end
next
end

3. On FGT-C, create a DNS server:
config system dns-database
edit "1115381"
set domain "qa.fortinet.com"
config dns-entry
edit 1
set hostname "pc5"
set ip 172.16.200.55
next
end
next
end

4. From FGT-B, ping domain name pc5.qa.fortinet.com.
The hostname is resolved by the FGT-C DNS server:
# execute ping pc5.qa.fortinet.com
PING pc5.qa.fortinet.com (172.16.200.55): 56 data bytes
64 bytes from 172.16.200.55: icmp_seq=0 ttl=64 time=0.1 ms

64 bytes from 172.16.200.55: icmp_seq=1 ttl=64 time=0.1 ms
64 bytes from 172.16.200.55: icmp_seq=2 ttl=64 time=0.1 ms
64 bytes from 172.16.200.55: icmp_seq=3 ttl=64 time=0.1 ms
64 bytes from 172.16.200.55: icmp_seq=4 ttl=64 time=0.1 ms

--- pc5.qa.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms

5. On FGT-A, check that DNS proxy (dnsproxy) finds the source-IP address from port1.
# diagnose test application dnsproxy 8
worker idx: 0
vfid=1 name=1115381 domain=qa.fortinet.com ttl=86400 authoritative=0 view=shadow type=primary serial=993041980 refresh=0
forwarder(s): 172.16.200.3 2000:172:16:200::3
source-ip-interface: port1
source-ip(s): 172.16.200.1 2000:172:16:200::1
A: pc51.qa.fortinet.com-->172.16.200.51(86400)
SOA: qa.fortinet.com (primary: dns.qa.fortinet.com, contact: [email protected],
serial: 993041980)(86400)

Extended VRF ID range for enhanced network scalability - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
• Virtual routing and forwarding

The range of Virtual Routing and Forwarding (VRF) IDs has been extended from 0 through 251 to 0 through 511,
allowing for a maximum of 512 unique VRF instances configured per VDOM.
This enhancement allows for greater scalability and flexibility in network configurations.

Enhanced PIM support for VRFs - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
• Multicast routing and PIM support

PIM now supports all VRFs (up to 511) and is aware of IPv4 multicast routing and forwarding over a single overlay,
enhancing network scalability and flexibility compared to the previous VRF 0-only support.
Per-VRF commands have been included for multicast routing, as follows:
config router multicast
config pim-sm-global-vrf
edit <vrf>
set bsr-candidate {enable | disable}
set bsr-interface <interface>
set bsr-priority <0-255, default = 0>

set bsr-hash <0-32, default = 10>
set bsr-allow-quick-refresh {enable | disable}
set cisco-crp-prefix {enable | disable}
config rp-address
edit <id>
set ip-address <RP router IP address>
set group <access list name>
next
end
next
end
end

VRF support has also been included in the following diagnose, get, and execute commands:
diagnose ip multicast mfc-add
diagnose ip multicast mfc-del
diagnose vpn mr|mr6 add
diagnose vpn mr|mr6 del
get router info multicast igmp groups
get router info multicast igmp groups-detail
get router info multicast table
get router info multicast table-count
get router info multicast pim sparse-mode bsr-info
get router info multicast pim sparse-mode rp-mapping
get router info multicast pim sparse-mode next-hop
get router info multicast pim sparse-mode table
execute mrouter clear multicast-routes
execute mrouter clear sparse-mode-bsr
execute mrouter clear sparse-routes
execute mrouter clear statistics

NPU offloading of VRF multicast traffic on a dynamic IPsec tunnel is not supported.

Example

This example uses the following topology:

In this example, the multicast server:
• Sends out multicast traffic 225.1.1.1 from 22.1.1.22 in VRF1.
• Sends out multicast traffic 225.1.1.2 from 22.1.1.55 in VRF2.

To verify VRF in IPv4 multicast routing:

1. Review the sniffer information:
• The VRF1 client can receive 225.1.1.1 and cannot receive 225.1.1.2:
24.872130 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request
25.872117 vd3-vlan33 out 22.1.1.22 -> 225.1.1.1: icmp: echo request
25.872123 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request
26.872131 vd3-vlan33 out 22.1.1.22 -> 225.1.1.1: icmp: echo request
26.872137 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request

• The VRF2 client can receive 225.1.1.2 and cannot receive 225.1.1.1:
4.320988 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
4.320996 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request
5.320703 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
5.320717 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request
6.320671 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
6.320678 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request

2. Review the group information:
# get router info multicast igmp groups
IGMP Connected Group Membership
VRF Group Address Interface Uptime Expires Last Reporter
1 225.1.1.1 vd3-vlan33 00:15:16 stopped(static) 0.0.0.0
2 225.1.1.2 vd3-vlan331 00:14:49 stopped(static) 0.0.0.0

Including denied multicast sessions in the session table - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
• Including denied multicast sessions in the session table

Sessions can be created for denied multicast traffic, enabling subsequent packets to be directly matched and dropped,
reducing CPU usage and improving performance.
For more information about this feature, see Including denied multicast sessions in the session table.

To configure denied multicast session inclusion:

config system setting
set ses-denied-multicast-traffic {disable | enable}
end

Value     Description
disable   Do not add denied multicast sessions to the session table (default).
enable    Include denied multicast sessions in the session table.

Support specific VRF ID for local-out traffic - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
• Support specific VRF ID for local-out traffic

Previously, you could not specify a Virtual Routing and Forwarding (VRF) instance for local-out traffic, but now you can.
This enhancement provides traffic segregation, optimized routing, and enhanced policy enforcement to improve network
organization, security, and performance.
The following configuration commands now include the option to set a VRF instance number:
config system interface
edit "port2"
set dhcp-relay-vrf-select <integer>
next
end

set dhcp-relay-vrf-select <integer>    VRF ID used for connection to server. Set VRF instance number (0 to 511, default = 0).

config system settings
set dhcp-proxy-vrf-select <integer>
end

set dhcp-proxy-vrf-select <integer>    VRF ID used for connection to server. Set VRF instance number (0 to 511, default = 0).

config system dns
set vrf-select <integer>
end

config system fortiguard
set vrf-select <integer>
end

config system snmp community
edit <id>
config hosts
edit <id>
set vrf-select <integer>
next
end
config hosts6
edit <id>
set vrf-select <integer>
next
end
next
end

config system snmp user
edit <name>
set vrf-select <integer>
next
end


config system email-server
    set vrf-select <integer>
end

config system vdom-dns
    set vrf-select <integer>
end

config system external-resource
    set vrf-select <integer>
end

config system fortindr
    set vrf-select <integer>
end

config system central-management
    set vrf-select <integer>
end

config system netflow|vdom-netflow
    config collectors
        edit <id>
            set vrf-select <integer>
        next
    end
end

config system ntp
    config ntpserver
        edit <id>
            set vrf-select <integer>
        next
    end
end

config system fortisandbox
    set vrf-select <integer>
end

config log syslogd setting
    set vrf-select <integer>
end

config log fortiguard setting
    set vrf-select <integer>
end

config log disk setting
    set vrf-select <integer>
end

config log tacacs+accounting setting
    set vrf-select <integer>
end


config log fortianalyzer|fortianalyzer2|fortianalyzer3|fortianalyzer-cloud setting
    set vrf-select <integer>
end

config system dns-database
    edit <name>
        set vrf-select <integer>
    next
end

config user external-identity-provider
    edit <name>
        set vrf-select <integer>
    next
end

config user fsso
    edit <name>
        set vrf-select <integer>
    next
end

config user ldap
    edit <name>
        set vrf-select <integer>
    next
end

config user radius
    edit <name>
        set vrf-select <integer>
        config accounting-server
            edit <id>
                set vrf-select <integer>
            next
        end
    next
end

config user tacacs+
    edit <name>
        set vrf-select <integer>
    next
end

config vpn certificate setting
    set vrf-select <integer>
end

config vpn kmip-server
    edit <name>
        set vrf-select <integer>
    next
end


set vrf-select <integer>    VRF ID used for the connection to the server. Set the VRF instance number (0 to 511, default = 0).

The following execute commands now include the option to specify a VRF instance number:
# execute ping-options vrf <integer>
# execute ping6-options vrf <integer>
# execute traceroute-options vrf <integer>

vrf <integer> VRF ID (0 to 511).

The following execute command now includes the option to specify a VRF instance number:
# execute tracert6 -v <integer>

-v <integer> VRF ID (0 to 511).

The following diagnose commands now include the option to specify a VRF instance number:
# diagnose ip proute match <dst> <src> <iif> <proto> <dport> <sport> <vrf>
# diagnose ipv6 proute match <dst> <src> <iif> <proto> <dport> <sport> <vrf>
# diagnose test authserver radius-direct <server_name or IP> <port number (0 default port)> <udp | tcp | tls> <secret> <pap | chap | mschap | mschap2> <vrf> <user> <password>

vrf <integer>    VRF ID (0 to 511).

Example 1: RADIUS server and VRF ID

In this example, the local-out traffic flows through the VRF interface to its destination. The RADIUS server can be reached
through port1 (VRF 22), but not through port2 (VRF 0).

To configure a VRF ID for a RADIUS server:

1. Specify a VRF ID for the RADIUS server:

config user radius
    edit "FAC"
        set server "192.168.100.129"
        set secret ftntxxxxxx
        set password-renewal disable
        set vrf-select 22
    next
end

2. Get the static routing table:

# get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.100.1.249, npu0_vlink0, [1/0]
S 192.168.100.0/24 [10/0] via 172.16.205.11, port2, [1/0]

Routing table for VRF=22
S* 0.0.0.0/0 [2/0] via 172.16.200.254, port1, [1/0]


Example 2: ping command and VRF ID

In this example, the local-out traffic flows through the VRF interface to its destination. IP address 3.3.3.3 can be reached
by port1 (VRF 22).

To use a VRF ID with ping:

1. Get the static routing table:

# get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.100.1.249, npu0_vlink0, [1/0]
S 3.3.3.0/24 [10/0] via 172.16.205.11, port2, [1/0]
S 192.168.100.0/24 [10/0] via 172.16.205.11, port2, [1/0]

Routing table for VRF=22
S* 0.0.0.0/0 [2/0] via 172.16.200.254, port1, [1/0]

2. Specify a VRF ID for the interface with ping access allowed:

config system interface
    edit "loop2"
        set vdom "root"
        set vrf 22
        set ip 1.1.1.2 255.255.255.255
        set allowaccess ping https http
        set type loopback
        set snmp-index 84
    next
end

3. Execute the ping command:

# execute ping-options vrf 22
# execute ping-options source 1.1.1.2
# execute ping 3.3.3.3
PING 3.3.3.3 (3.3.3.3): 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=0 ttl=255 time=0.1 ms
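To show why the selected VRF decides the egress interface in Example 1 (RADIUS server, vrf-select 22) and Example 2 (ping with vrf 22), the following Python script, an added example that is not part of the Fortinet guide, parses the static routing table output from Example 2 and performs a longest-prefix-match lookup against only the selected VRF's table. The route lines are a constructed copy of the output above; the function names and the assumption that the lookup never falls back to VRF 0 are this example's, not FortiOS documentation.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the static routing tables shown in Example 2 above,
# in the format printed by "get router info routing-table static".
ROUTING_TABLE_OUTPUT = """\
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.100.1.249, npu0_vlink0, [1/0]
S 3.3.3.0/24 [10/0] via 172.16.205.11, port2, [1/0]
S 192.168.100.0/24 [10/0] via 172.16.205.11, port2, [1/0]

Routing table for VRF=22
S* 0.0.0.0/0 [2/0] via 172.16.200.254, port1, [1/0]
"""

VRF_HEADER_RE = re.compile(r"^Routing table for VRF=(?P<vrf>\d+)")
# "S" or "S*" (default route), prefix, [distance/metric], gateway, device
STATIC_ROUTE_RE = re.compile(
    r"^S\*?\s+(?P<prefix>\S+)\s+\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<gw>[^,]+),\s+(?P<dev>[^,]+),"
)

# (prefix, gateway, outgoing device)
Route = Tuple[ipaddress.IPv4Network, str, str]


def parse_routing_tables(text: str) -> Dict[int, List[Route]]:
    """Split the FortiOS static route listing into one route list per VRF."""
    tables: Dict[int, List[Route]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        header = VRF_HEADER_RE.match(line)
        if header:
            current = int(header.group("vrf"))
            tables.setdefault(current, [])
            continue
        route = STATIC_ROUTE_RE.match(line)
        if route and current is not None:
            prefix = ipaddress.ip_network(route.group("prefix"), strict=False)
            tables[current].append((prefix, route.group("gw"), route.group("dev")))
    return tables


def lookup(tables: Dict[int, List[Route]], dst: str,
           vrf: int = 0) -> Optional[Tuple[str, str]]:
    """Longest-prefix match of dst, consulting only the selected VRF's table.

    Returns (outgoing device, gateway), or None when the selected VRF has no
    route covering dst. Assumption made here: as with vrf-select, the lookup
    does not fall back to VRF 0, so a service pointed at a VRF whose table
    lacks a matching route has no egress path at all.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, gw, dev in tables.get(vrf, []):
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, dev)
    return None if best is None else (best[2], best[1])


if __name__ == "__main__":
    tables = parse_routing_tables(ROUTING_TABLE_OUTPUT)
    # Example 1: the RADIUS server 192.168.100.129 with vrf-select 0 versus 22.
    for vrf in (0, 22):
        print(f"vrf-select {vrf}: 192.168.100.129 ->",
              lookup(tables, "192.168.100.129", vrf))
    # Example 2: "execute ping-options vrf 22" followed by "execute ping 3.3.3.3".
    print("vrf 22: 3.3.3.3 ->", lookup(tables, "3.3.3.3", 22))
    # A VRF that has no table at all yields no route.
    print("vrf 5: 3.3.3.3 ->", lookup(tables, "3.3.3.3", 5))
```

With vrf-select 0 the RADIUS server is reached through the /24 route on port2, while vrf-select 22 sends the same traffic through VRF 22's default route on port1, matching the behaviour described in the two examples.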

Example 3: traceroute command and VRF ID

The VRF ID can be used with the traceroute command.

To use a VRF ID with traceroute:

1. Get the routing table details for IP address 3.3.3.3:

# get router info routing-table details 3.3.3.3
Routing table for VRF=0
Routing entry for 3.3.3.3/32
Known via "ospf", distance 110, metric 10200, best
Last update 05:53:57 ago
* vrf 0 172.16.203.2, via agg1

Routing table for VRF=22
Routing entry for 3.3.3.3/32
Known via "ospf", distance 110, metric 11000, best
Last update 05:31:31 ago
* vrf 22 172.16.200.4, via port1
* vrf 22 172.16.200.40, via port1

2. Execute a traceroute for VRF 22:

# execute traceroute 3.3.3.3
VRF 22, traceroute to 3.3.3.3 (3.3.3.3), 32 hops max, 3 probe packets per hop, 84 byte packets
1 3.3.3.3 0.135 ms 0.090 ms 0.073 ms

Example 4: diagnose command and VRF ID

Like the other examples in this topic, port1 is in VRF 22, and port2 is in VRF 0. This example demonstrates how the
diagnose ip proute match command works with and without a specified VRF ID.

To use a VRF ID with a diagnose command:

1. Configure the router policy for port1 and port2:

config router policy
    edit 1
        set dst "23.23.23.23/255.255.255.255"
        set gateway 172.16.200.55
        set output-device "port1"
    next
    edit 2
        set dst "23.23.23.23/255.255.255.255"
        set gateway 172.16.205.11
        set output-device "port2"
    next
end

2. Run the diagnose firewall proute list command:

# diagnose firewall proute list
list route policy info(vf=root):
id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
path(1): oif=7(port1) gwy=172.16.200.55
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 23.23.23.23/255.255.255.255
hit_count=1 rule_last_used=2024-10-11 15:40:23

id=2(0x02) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
path(1): oif=8(port2) gwy=172.16.205.11
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 23.23.23.23/255.255.255.255
hit_count=2 rule_last_used=2024-10-11 15:40:39

3. Run the diagnose ip proute match command without a VRF ID:

When the VRF is not specified, VRF 0 is used, and the lookup matches the policy route that exits port2.
# diagnose ip proute match 23.23.23.23 2.2.2.22 port4 6 23 23
dst=23.23.23.23 src=2.2.2.22 smac=00:00:00:00:00:00 iif=10 protocol=6 sport=23 dport=23 vrf=-1
id=00000002 type=Policy Route
seq-num=2 oif=8(port2)flags=0x0

4. Run the diagnose ip proute match command with a VRF ID:

When VRF 22 is specified, the lookup matches the policy route that exits port1, which is in VRF 22:
# diagnose ip proute match 23.23.23.23 2.2.2.22 port4 6 23 23 22
dst=23.23.23.23 src=2.2.2.22 smac=00:00:00:00:00:00 iif=10 protocol=6 sport=23 dport=23 vrf=22
id=00000001 type=Policy Route
seq-num=1 oif=7(port1)flags=0x0

Support source IP interface for system DNS - 7.6.1

Previously, the local IP addresses could differ on each unit in a cluster, so the source-ip setting for DNS could not be
synchronized across the cluster. This feature introduces a new source-ip-interface configuration option for DNS,
ensuring consistent DNS configurations across the cluster and enhancing the overall network management experience.

config system vdom-dns
    set vdom-dns enable
    set source-ip-interface <string>
end

set source-ip-interface <string>    Specify an interface to use the IP address of the specified interface as the source IP address.
                                    Requires vdom-dns to be enabled.

config system dns
    set source-ip-interface <string>
end

set source-ip-interface <string>    Specify an interface to use the IP address of the specified interface as the source IP address.

Example

In this example, a private DNS is used. Port2 is configured with an IP address, and the private DNS is configured to use
the IP address for port2 as its source IP address.

To set the source IP interface for a private DNS:

1. Configure port2 with an IP address. You can either specify an IP address or configure the interface to receive an
IP address from a DHCP server.

Example fixed IP address configuration:

config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 4
        set secondary-IP enable
    next
end

Example DHCP configuration:

config system interface
    edit "port2"
        set mode dhcp
    next
end

2. Configure port2 as the source IP interface for DNS:

config system dns
    set primary 172.17.254.148
    set secondary 172.17.254.151
    set source-ip-interface "port2"
end

3. Sniff port2 to confirm that the DNS query is sourced from the port2 address (10.1.100.1):
# diagnose sniffer packet port2 ""
....
3.336987 10.1.100.1.2264 -> 172.17.254.148.53: udp 43

Improvements to IPsec monitoring - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

• IPsec monitor

The IPsec monitor now includes pie charts for tunnel status and uptime, filters, and quick access to several tools, which
all boost usability and visualization for better VPN management.

To access the IPsec monitor:

1. Access the IPsec monitor by using one of the following methods:
   • Go to VPN > VPN Tunnels and click View tunnel connections.
   • Go to Dashboard > Network. Hover over the IPsec widget and click Click to expand.

The IPsec Monitor is displayed, and it contains pie charts, a search bar, and a table of VPN tunnels:

2. Click each pie chart to filter its information.
For example, in the VPN tunnel pie chart, click the green pie or Hub-1. A filter icon displays beside VPN tunnel, the
filter text displays in the Search bar, and the table displays the filtered results too.
Clear the filter by clicking the filter icon beside VPN tunnel or clicking an X in the Search bar.

3. In the table, hover over the first column heading to display the Configure Table icon, and click it to choose which
columns to display.

4. In the table, hover over a column heading to display a filter icon, and click it.
For example, hover over the Name column heading, and click the filter icon to display filter options.

5. In the table, hover over an entry to display a tooltip of information.

6. In the table, select a tunnel to display a toolbar of options: Reset Statistics, Bring Up/Bring Down, and More.


To reset statistics:

1. In the table, select a tunnel.
2. In the toolbar, click Reset Statistics, or right-click the tunnel and click Reset Statistics. The Confirm dialog is
displayed.
3. Click OK.

To bring a tunnel up:

1. In the table, select a tunnel.
2. Click Bring Up, or right-click the tunnel and click Bring Up. The Confirm dialog is displayed.
3. Click OK.

To bring a tunnel down:

1. In the table, select a tunnel.
2. Click Bring Down, or right-click the tunnel and click Bring Down. The Confirm dialog is displayed.
3. Click OK.

To locate a tunnel on the VPN Map:

1. In the table, select a tunnel.
2. Click More > Locate on VPN Map, or right-click the tunnel and click Locate on VPN Map. The VPN Location Map is
displayed.
3. Click OK to close the map.

To view tunnel connection in FortiView:

1. In the table, select a tunnel.
2. Click More > Show in FortiView, or right-click the tunnel and click Show in FortiView. The FortiView VPN pane is
displayed.
3. Click X to close the pane.

To view matching logs for the tunnel:

1. In the table, select a tunnel.
2. Click More > Show matching Logs, or right-click the tunnel and click Show matching logs. The Logs pane is
displayed.
3. Click OK to close the pane.

Connectivity Fault Management (CFM) now available for FG-80F-POE and FG-20xF
models - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:

• Connectivity Fault Management

Connectivity Fault Management (CFM) has been extended to the following models: FG-80F-POE and FG-20xF. This
enhancement helps administrators efficiently diagnose and resolve issues in Ethernet networks.
See Connectivity Fault Management for more information.

Application and network performance monitoring with FortiTelemetry - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:

• FortiTelemetry

Rapid increase in cloud adoption and recent trends in remote work have shifted organizations' requirements. Critical
information about application-level availability and user experience is now needed. FortiTelemetry provides
information about the user experience based on application and network performance.
FortiTelemetry agents send raw application-level and network-level metrics to FortiTelemetry Cloud for data analysis.
Based on its analytics, FortiTelemetry Cloud returns two additional metrics to the FortiGate acting as a FortiTelemetry
Controller: application experience score and application failure rate. FortiTelemetry Controller presents the metrics on
FortiTelemetry monitor pages.
A FortiTelemetry deployment consists of one FortiGate hardware model acting as FortiTelemetry Controller and one or
more FortiTelemetry agents:
• The FortiTelemetry Controller manages the agents by onboarding them to the Security Fabric, managing telemetry
profiles and policies, and providing monitoring tools to give administrators a view of application metrics and
statistics.
• FortiTelemetry agents are on-premise FortiGate-integrated telemetry agents that continuously emulate, monitor,
and detect performance metrics across SaaS applications without any user intervention or involvement.
This topic lists the FortiTelemetry Requirements on page 124 and identifies the following FortiOS changes to support
FortiTelemetry:
• CLI changes on page 124
• GUI changes on page 128

This topic also includes an example deployment; see Example on page 135.

See the FortiTelemetry Administration Guide for more information about the product.

Requirements

• FortiGate acting as a FortiTelemetry controller:
  • On-premise FortiGate hardware model with a minimum of 4 GB of memory
  • FortiOS 7.6.3 or later
  • FortiTelemetry must be enabled
  • Network access to reach FortiTelemetry Cloud
• FortiTelemetry Windows software agent:
  • Windows machine with a minimum of 4 CPUs and 8 GB RAM
  • Windows 10 build 17134 or later
• FortiTelemetry-100G (FTL-100G) hardware agents

The IP address for each agent must be in the same subnet as the FortiTelemetry Controller
interface for incoming FortiTelemetry agent traffic.

CLI changes

New syntax to enable a FortiGate hardware model to act as a FortiTelemetry Controller:

config system global
    set telemetry-controller {enable|disable}
    set telemetry-data-port <integer>
end

telemetry-controller {enable|disable}    Enable/disable a FortiGate to act as a FortiTelemetry Controller to manage FortiTelemetry agents.
telemetry-data-port <integer>            Telemetry data channel port. Enter an integer value from 1024 to 49150 (default = 35246).
                                         Note: This setting is not yet used and is reserved for future use.

New syntax to configure the interface between FortiTelemetry Controller and FortiTelemetry agents:

config system interface
    edit <name>
        ...
        set telemetry-discover {enable|disable}
    next
end

telemetry-discover {enable|disable}    Enable/disable automatic registration of unknown FortiTelemetry agents to the FortiTelemetry Controller.

New syntax to create a telemetry firewall policy:

config firewall policy
    edit <policy ID>
        ...
        set srcaddr {agent ID 1 | agent ID 2 | ...}
        ...
        set telemetry-profile <string>
        ...
    next
end

srcaddr {agent ID 1 | agent ID 2 | ...}    Specify one or more FortiTelemetry agent IDs.
telemetry-profile <string>                 Name of an existing telemetry profile.

New syntax to select a telemetry profile in a profile group:

config firewall profile-group
    edit <id>
        set telemetry-profile <string>
    next
end

telemetry-profile <string>    Name of an existing telemetry profile.

New command to configure telemetry connectors for FortiTelemetry agents managed by a FortiTelemetry Controller:

config telemetry-controller agent
    edit <agent ID>
        set comment <string>
        set alias <string>
        set authz {rejected | authorized | unauthorized}
        set agent-profile <string>
    next
end

config telemetry-controller agent               Configure telemetry connectors for FortiTelemetry agents managed by a FortiTelemetry Controller.
edit <agent ID>                                 Enter the ID of the agent. The ID for FortiTelemetry Windows agents starts with FTLWIN, and the ID for FTL-100G agents starts with FT100G.
comment <string>                                Enter a comment about the agent (maximum length 255).
alias <string>                                  Enter an alias for the agent to help you distinguish between agents (maximum length 35).
authz {rejected | authorized | unauthorized}    Set the authorization status of the agent: rejected, authorized, or unauthorized.
agent-profile <string>                          Enter the name of an existing agent profile.

New command to configure agent profiles:

config telemetry-controller agent-profile
    edit <name>
        set model {FTL100G | WINDOWS}
        set comment <string>
    next
end

config telemetry-controller agent-profile    Configure FortiTelemetry agent profiles.
edit <name>                                  Name of the agent profile.
set model {FTL100G | WINDOWS}                Model of the FortiTelemetry agent:
                                             • FTL100G: FortiTelemetry-100G hardware agents.
                                             • WINDOWS: FortiTelemetry Windows software agents.
comment <string>                             Comment (maximum length 255).

New command to configure the FortiTelemetry Controller:

config telemetry-controller global
    set retry-interval <integer>
    set telemetry-ca-certificate <string>
    set region <global>
end

config telemetry-controller global    Configure FortiTelemetry global settings.
retry-interval <integer>              Configure the FortiTelemetry Cloud retry interval (1 - 999, default = 60).
telemetry-ca-certificate <string>     Name of the CA certificate used to verify the certificate for the FortiTelemetry Windows agent.
                                      Note: You must import this CA certificate to the FortiGate using the System > Certificates page.
set region <global>                   Configure the FortiTelemetry Cloud region. Currently only global is supported.

New command to view pre-defined applications available for FortiTelemetry agents to monitor:

config telemetry-controller application predefine
    edit <app-name>
    next
end

config telemetry-controller application predefine    View pre-defined applications available for FortiTelemetry agents to monitor.
edit <app-name>                                      Edit the pre-defined application.

New command to configure a telemetry profile:

config telemetry-controller profile
    edit <name>
        set comment <string>
        config application
            edit <id>
                set app-name <string>
                set monitor {enable | disable}
                set interval <integer>
            next
        end
    next
end

config telemetry-controller profile    Configure telemetry profiles.
edit <name>                            Edit the profile name.
set comment <string>                   Enter a comment about the telemetry profile.
config application                     Configure the applications for FortiTelemetry agents to monitor.
app-name <string>                      Name of the pre-defined application to monitor. Choose from:
                                       • Adobe
                                       • Atlassian Cloud
                                       • Dropbox
                                       • Elastic Search
                                       • Google Docs
                                       • Google Drive
                                       • Google Maps
                                       • Go To Meeting
                                       • Microsoft 365
                                       • Microsoft SharePoint
                                       • Microsoft Teams
                                       • Sales Force
                                       • Slack
                                       • Twilio
                                       • Webex
                                       • Yahoo
                                       • Zendesk
                                       • Zoom
monitor {enable | disable}             Enable/disable monitoring of the application.
interval <integer>                     Time in milliseconds to check the application (1000 - 86,400 * 1000, default = 300 * 1000 ms).

New get commands:

get telemetry-controller agent
get telemetry-controller agent-profile
get telemetry-controller agent-status
get telemetry-controller agent-task
get telemetry-controller application
get telemetry-controller cloud-status
get telemetry-controller global
get telemetry-controller profile

telemetry-controller agent            Configure FortiTelemetry agents managed by a FortiGate unit.
telemetry-controller agent-profile    Configure FortiTelemetry agent profiles.
telemetry-controller agent-status     FortiTelemetry controller agent status. [Take 0-1 arg(s)]
telemetry-controller agent-task       FortiTelemetry controller agent task. [Take 0-1 arg(s)]
telemetry-controller application      Configure FortiTelemetry applications.
telemetry-controller cloud-status     FortiTelemetry controller cloud status.
telemetry-controller global           Configure FortiTelemetry global settings.
telemetry-controller profile          Configure FortiTelemetry profiles.

GUI changes

On a FortiGate configured as a FortiTelemetry Controller, go to System > Feature Visibility to enable FortiTelemetry, and
then you can use the following GUI pages:
• Telemetry connector on page 128
• Telemetry profile on page 131
• Telemetry firewall policy on page 134
• FortiTelemetry monitors on page 135

Telemetry connector

Use the Telemetry connector to view, authorize, and edit FortiTelemetry agents. You can also configure pre-authorized
telemetry connectors to automatically authorize discovered agents.


To view the Telemetry connector and FortiTelemetry agents:

1. Go to Security Fabric > Fabric Connectors. The Telemetry connector is displayed.

Status             Status of FortiTelemetry: Enabled or Disabled.
Agents             The number of online, authorized FortiTelemetry agents discovered by the FortiTelemetry Controller.
Monitored Tasks    Number of tasks being monitored by authorized FortiTelemetry agents based on the configured
                   telemetry profile(s) selected in the firewall policy used by the FortiTelemetry Controller.

2. Click the Telemetry connector, and click Edit. The FortiTelemetry Settings pane opens.
In this example, all FortiTelemetry agents are unauthorized and listed under Uncategorized. Authorized
FortiTelemetry agents are grouped by interface.

Create           Click to create pre-authorized Telemetry connectors to automatically authorize discovered FortiTelemetry agents.
Name             Name of the FortiTelemetry agent.
Status           Status of the FortiTelemetry agent: Authorized, Unauthorized, or Rejected.
Agent Profile    Profile assigned to the agent when FortiTelemetry Controller discovers the agent.
                 FortiTelemetry Controller automatically creates and assigns the following profiles:
                 • The Auto-WINDOWS agent profile is assigned to software agents.
                 • The Auto-FTL100G agent profile is assigned to hardware agents.
                 Agent profile details can be viewed in the CLI using the config telemetry-controller agent-profile command.


Agent Model      Model of the agent: Windows for software agents and FTL100G for hardware agents.
Agent Version    Agent version.
IP               IP address of the FortiTelemetry agent.

3. Select an agent to access additional buttons, such as Edit, Delete, and More > Authorize/Unauthorize/Reject.
4. Select an agent, and click Edit. The Telemetry Agent pane opens.
5. Click OK to close the Telemetry Agent pane.
6. Click Cancel to close the FortiTelemetry Settings pane.

To authorize discovered FortiTelemetry agents in the GUI:

1. Go to Security Fabric > Fabric Connectors.
2. Click the Telemetry connector, and click Edit. The FortiTelemetry Settings pane opens.
3. Select an agent, and click More > Set Status > Authorize.

To create pre-authorized telemetry connectors in the GUI:

1. Go to Security Fabric > Fabric Connectors.
2. Click the Telemetry connector, and click Edit. The FortiTelemetry Settings pane opens.
3. Click Create New, and set the following options on the Telemetry Agent pane:

Name             Enter the agent name. The name starts with FTLWIN for Windows agents or FT100G for hardware agents.
Alias            (Optional) Enter an alias for the FortiTelemetry agent.
Authorization    Select Authorize.
Agent Profile    Select an agent profile. Ensure the model configured in the profile matches the type of agent.
Comments         (Optional) Enter optional comments to help identify the agent.

4. Click OK. The telemetry connector is displayed in the uncategorized list until the FortiTelemetry Controller discovers
the corresponding telemetry agent and uses the connector to automatically authorize the agent and assign a status
of Online.

Telemetry profile

Use telemetry profiles to communicate to FortiTelemetry agents which of the pre-defined SaaS applications to monitor. A
default telemetry profile is provided to monitor Google Docs, Microsoft 365, and Salesforce. You can edit or clone the
default profile to create custom profiles.
FortiOS 7.6.3 includes pre-defined SaaS applications that FortiTelemetry agents can monitor. On the FortiTelemetry
Controller, use the config telemetry-controller application predefine command to view the list.
For the monitored applications, the FortiTelemetry agent sends the following raw metrics to FortiTelemetry Cloud for
analysis:
• Application-level metrics:
  • Time to First Byte (TTFB)
  • Application Total Downloading Time (ATDT)
• Network-level metrics:
  • Latency
  • Jitter
  • Packet Loss
  • TCP Round Trip Time (RTT)
  • DNS resolving time
  • TLS handshake time
  • Application throughput
• Network path info:
  • Network path information
FortiTelemetry Cloud returns to the FortiTelemetry Controller two additional metrics: application experience score and
application failure rate, which you can view in the FortiTelemetry monitor.

To access telemetry profiles:

1. Go to Security Profiles > Telemetry Profile. The list of telemetry profiles is displayed, including a default telemetry
profile.
2. Select a profile to access additional buttons, such as Edit, Clone, Delete, and More.
3. Select the default profile, and click Edit. The Telemetry Profile pane opens.
The default profile monitors the following predefined applications: Google Docs, Microsoft 365, and Salesforce. No
SLA targets are defined.


4. Edit settings for a monitored application:
   a. Select an application, and click Edit. The Profile Application pane opens.
   b. Enable SLA Targets to view what information is gathered. Although you can enable SLA targets, the
      functionality does not work yet.

Application level metrics:

Experience score                   Overall application experience score threshold between 0 and 10.
                                   Experience scores are categorized as follows:
                                   • Good: 8 to 10
                                   • OK: 5 to 8
                                   • Poor: 3 to 5
                                   • Broken: 0 to 3
Failure rate                       Failure rate threshold for monitoring HTTP requests as a percentage (%).
Time to first byte                 Time to first byte threshold for monitoring requests in milliseconds (ms).
Application total download time    Application total download time threshold for monitoring HTTP requests in milliseconds (ms).
Application throughput             The throughput threshold for monitoring HTTP requests in megabytes per second (MBps).

Network level metrics:

Latency                   Average latency threshold for network probes in milliseconds (ms).
Jitter                    Jitter threshold for network probes in milliseconds (ms).
Packet loss               Packet-loss threshold for network probes as a percentage.
TCP round trip time       TCP round trip time threshold for monitoring HTTP requests in milliseconds (ms).
95% DNS resolving time    DNS resolving time threshold for monitoring HTTP requests in milliseconds.
95% TLS handshake time    TLS handshake time threshold in milliseconds.

   c. Click OK to save changes.
5. Add an application to the list:
   a. Click Create New. The Profile Application pane opens.
   b. Choose the Monitor status for the application:
      • Choose Enabled to monitor the application.
      • Choose Disabled to disable monitoring of the application.
   c. Select a predefined application to monitor from the Applications dropdown.
   d. Set the monitoring Interval in milliseconds.
   e. (Optional) Enable SLA Targets to view what application-level and network-level metrics are collected. Although
      you can enable SLA targets, the functionality does not work yet.
   f. Click OK to finish adding the application to the list.
   g. Add additional applications as desired.
6. Click OK to save telemetry profile settings.

To create a telemetry profile in the GUI:

1. Go to Security Profiles > Telemetry Profile, and click Create New. The Telemetry Profile pane opens.
2. Enter a name and optional comment for the profile.
3. In the Monitored Applications section, click Create New. The Profile Application pane opens.
4. Complete the options, and click OK to finish adding the application to the list.
5. Add additional applications as desired.
6. Click OK to save the telemetry profile.

Telemetry firewall policy

Create a firewall policy with type set to Telemetry, and select the telemetry profile. FortiTelemetry Controller uses the
following firewall policy configuration elements to automatically create a monitor task:
• FortiTelemetry agent from the policy source
• Applications to monitor from the telemetry profile
You must also allow the monitor traffic from FortiGate.

To configure a telemetry type of firewall policy in the GUI:

1. Go to Policy & Objects > Firewall Policy.
2. Click Create New to create a new firewall policy.
3. Configure the policy with the following settings:

Name                  Enter a name for the policy.
Action                Set the action to Accept to send monitoring tasks to the agents.
Type                  Select Telemetry as the policy type.
Incoming Interface    Choose the FortiGate port that is used to connect to the FortiTelemetry agent.
Outgoing Interface    Select the outgoing interface.
Source                Select the serial number of one or more FortiTelemetry agents.
Telemetry             Select a telemetry security profile configured on the FortiGate.

4. Click OK to save the policy. A message is displayed:

5. Click OK to continue. The policy is saved and displayed at the top of the policy table.
The Type column displays Telemetry.

FortiTelemetry monitors

Add FortiTelemetry monitors to view and monitor data collected by the agents and analyzed by FortiTelemetry Cloud.
After FortiTelemetry Cloud analyzes the data, it returns to the FortiTelemetry Controller an application experience score
and an application failure rate, which you can view in the FortiTelemetry monitor.

To add a FortiTelemetry monitor:

1. In the tree menu, under the monitors section, click + (Add Monitor). The Add Monitor window opens.
2. Under Security Fabric, click + (Add) next to FortiTelemetry. The Add FortiTelemetry as Standalone Dashboard pane
opens.
3. Set the following options, and click OK to add the monitor:

Name           Type a name for the monitor.
FortiGate      Select the FortiGate acting as the FortiTelemetry Controller.
Source         Select one of the following sources:
               • Application
               • Agent
               • Source interface
               • Destination interface
               • Profile
               • Policy
Time period    Select a time range for the data:
               • 1 hour
               • 24 hours
               • 7 days
Sort by        Select how to sort the monitored data.

Example

In this example, a FortiGate is configured as a FortiTelemetry Controller. Port1 connects to the Internet and
FortiTelemetry Cloud. Port2 connects to a FortiTelemetry Windows agent, and port3 connects to a FortiTelemetry-100G
agent.

This example covers the following tasks:


1. Prepare a certificate to use for authentication with FortiTelemetry Controller and FortiTelemetry Windows agent.
2. Configure a supported FortiGate hardware model as a FortiTelemetry Controller with automatic discovery of
FortiTelemetry agents enabled. See Configuring FortiTelemetry Controller on page 137.
3. Deploy a FortiTelemetry Windows agent and FortiTelemetry-100G hardware agent to the network. See Deploying
FortiTelemetry agents on page 137.
4. After FortiTelemetry Controller discovers the FortiTelemetry agents, manually authorize the agents for use. See
Authorizing discovered FortiTelemetry agents on page 139.
5. Configure a telemetry profile for each agent to define what SaaS applications to monitor. See Creating a Telemetry
profile on page 139.
6. Create a firewall policy for each agent, and select the appropriate telemetry profile. See Creating telemetry firewall
policies on page 140.
7. Use the FortiTelemetry monitor to view the collected and analyzed information. See Accessing FortiTelemetry
monitor views on page 143.

Preparing a certificate

When using a Windows FortiTelemetry agent, you must prepare a CA certificate that the FortiTelemetry Controller can
use to validate the identity of the FortiTelemetry Windows agent, and then add the certificate to the FortiTelemetry
Controller and FortiTelemetry Windows agent.
The FTL-100G agent uses a Fortinet built-in certificate.

To configure the certificate for FTL Windows agent:

1. Create a certificate authority (CA) certificate using your preferred certificate authority. The certificates used by
FortiTelemetry Windows agent are not included by default and must be supplied and maintained by the
administrator.
2. Upload the CA certificate on the FortiGate acting as FortiTelemetry Controller:

a. Go to System > Certificates.


b. Click Create/Import > CA Certificate.
c. Select Type as File, and then upload the CA certificate.
d. Click OK. Once uploaded, you will see the certificate under Remote CA Certificate.
3. Using your certificate authority tools, create a user certificate, so you can import the certificate file to the Windows
OS local machine that is hosting the FortiTelemetry Windows agent. The private key information is required, and the
user certificate should be of the PFX or p12 file type.

Configuring FortiTelemetry Controller

A FortiGate is configured to act as a FortiTelemetry Controller.

To configure the FortiTelemetry Controller:

1. Enable FortiTelemetry, and specify a data port. The data port is reserved for future use:
config system global
set telemetry-controller enable
set telemetry-data-port 35246
end

2. Configure the retry interval and the CA certificate used to validate the identity of the FortiTelemetry Windows agent:
config telemetry-controller global
set region global
set retry-interval 60
set telemetry-ca-certificate "CA_Cert_1"
end

3. Enable telemetry feature visibility in the GUI:


config system settings
set gui-fortitelemetry enable
end

4. Include fabric in the FortiGate interface allowaccess, and enable automatic discovery of FortiTelemetry
agents:
This example is for port2. Run these commands for any other ports with FortiTelemetry agents, such as port3 for
FTL-100G.
config system interface
edit "port2"
set allowaccess ping https ssh snmp http telnet fabric
set telemetry-discover enable
next
end

Deploying FortiTelemetry agents

Software and hardware FortiTelemetry agents can be deployed:


l FortiTelemetry Windows software agents
l FortiTelemetry-100G (FTL-100G) hardware agents

The IP address for each agent must be in the same subnet as the FortiTelemetry Controller interface for incoming
FortiTelemetry agent traffic.
For details on deploying FortiTelemetry agents, see the FortiTelemetry Administration Guide.
Summary of agents:

Agent: FortiTelemetry Windows agent
Notes: Use the provided installer to install the agent. Once installed, the agent has a GUI. Add to the agent GUI the CA certificate that you prepared. You must also add this CA certificate to the FortiGate Controller.

Agent: FortiTelemetry-100G agent
Notes: Use the FortiTelemetry console and CLI to configure the hardware agent. No GUI is available. The FTL-100G agent uses a Fortinet built-in certificate.

Example GUI for FortiTelemetry Windows agents:

Example Telemetry console output for FortiTelemetry-100G agents:


> status
System:
Version: v7.6.3-build0012 (Interim)
Serial number: FT100GTK24000007
System time: Thu Mar 13 17:31:39 2025 PDT
Disk Usage: 1% (1/115GB)
Disk Inode Usage: 0% (205/15630336)
Image status check: OK
CPU Temperature (C): 20

Authorizing discovered FortiTelemetry agents

The FortiTelemetry Controller automatically discovers FortiTelemetry agents and displays them in the GUI on the
Telemetry card. You must manually authorize agents for use.

To authorize discovered FortiTelemetry agents:

1. On the FortiTelemetry Controller, go to Security Fabric > Fabric Connectors. A Telemetry card is available.
The Telemetry card shows Telemetry is Enabled, but no agents are authorized and no tasks are being monitored.

2. Click the Telemetry card, and click Edit. The FortiTelemetry Settings pane opens and displays the discovered,
unauthorized FortiTelemetry agents.

3. For each agent, select the agent, and click More > Set Status > Authorize. The status changes to Online for each
agent.

When agents are online, a firewall address with type subnet is automatically created for each agent. You can view
the addresses on the Policy & Objects > Addresses pane.

Creating a Telemetry profile

A default telemetry profile is provided to monitor Google Docs, Microsoft.365, and Salesforce. By default, agents monitor
the applications every 5 minutes. The monitor interval can only be changed in the CLI with the config telemetry-controller profile command.
Create a profile for each agent.

To create a Telemetry profile:

1. Go to Security Profiles > Telemetry Profile, and click Create New.


2. Enter a name and optional comment for the profile.
3. In the Monitored Applications section, add the applications to monitor to the profile:
a. Click Create New.
b. Set Monitor to Enabled for the application.
c. From the Applications dropdown, select a predefined application to monitor.
d. Optionally, enable SLA Targets to view the application-level and network-level metrics being collected. SLA
targets can be set, but are not yet supported.

e. Click OK to save the monitored application.


f. Repeat the steps to include additional applications as needed in the profile.
4. Click OK to save the telemetry profile.

Creating telemetry firewall policies

Create the following firewall policies for the FortiTelemetry Controller to allow traffic from the FortiTelemetry Controller
interface to the FortiGate WAN interface used to send data to FortiTelemetry Cloud:
l One firewall policy for the traffic from port3 to port1 for the FTL-100G agent. The FTL-100G agent connects to port3,
and port1 connects to the Internet.
l Two firewall policies for traffic from port2 to port1, one for each Windows agent. The FortiTelemetry Windows
agents connect to port2.

To create a telemetry firewall policy:

1. Go to Policy & Objects > Firewall Policy.


2. Click Create New to create a new firewall policy.
3. Configure the policy with the following settings:

Name: Enter a name for the policy, such as Telemetry-Policy-1.
Action: Set the action to Accept to send monitoring tasks to the agents.
Type: Select Telemetry as the policy type.
Incoming Interface: Choose port3, which is the FortiGate port used to connect to the FTL-100G agent.
Outgoing Interface: Choose port1.
Source: Select the serial number of the FortiTelemetry agent.
Destination: Set to all.
Telemetry: Select a telemetry security profile configured on the FortiGate.

4. Click OK to save the policy. A message is displayed:

5. Click OK to continue. The policy is saved and displayed at the top of the policy table.
The Type column displays Telemetry.
6. Create two telemetry firewall policies for traffic from port2 to port1, one for each Windows agent.
As a result, three telemetry policies are created: Telemetry-Policy-1, Telemetry-Policy-2, and Telemetry-Policy-3.

After the FortiTelemetry Controller pushes the tasks to the FortiTelemetry agents, the Security Fabric > Fabric
Connectors > Telemetry card updates to show the number of Monitored Tasks.

Monitored tasks also display in the GUI for the FortiTelemetry Windows agent. There is no command to display the
monitored tasks on the FTL hardware agent.

Accessing FortiTelemetry monitor views

FortiTelemetry monitor includes the following views: Application, Agents, Source Interfaces, Destination Interfaces,
Profiles, and Policies.
From the different views, you can drill down to details of each application’s performance.

To add a FortiTelemetry monitor:

1. In the tree menu, under the monitors section, click + (Add Monitor). The Add Monitor window opens.
2. Under Security Fabric, click + (Add) next to FortiTelemetry. The Add FortiTelemetry as Standalone Dashboard pane
opens.
3. Set the following options, and click OK to add the monitor:

Name: Type a name for the monitor.
FortiGate: Select the FortiGate acting as the FortiTelemetry Controller.
Source: Select one of the following sources:
l Application
l Agent
l Source interface
l Destination interface
l Profile
l Policy
Time period: Select a time range for the data:
l 1 hour
l 24 hours
l 7 days
Sort by: Select how to sort the monitored data.

The monitor displays in the tree menu under the monitors section.
Following is an example of a FortiTelemetry monitor configured with Source set to Application and Sort by set to
Experience Score. On the monitor, you can drill down to details of each application's performance.

l Click the gear icon to customize what columns display:

l Hover over the Experience Score rating to view the experience score for each application:

l Select the application row in the table to display a Drill Down button, and click Drill Down to view details about the
agent on the Agent tab:

l You can continue drilling down to additional details. For example, select the agent to display a Drill Down button,
and click Drill Down to view details about the destination interface on the Destination Interface tab, and so on.

Fortinet Support Tool for capturing incidents

This information is also available in the FortiOS 7.6 Administration Guide:


l Fortinet Support Tool for capturing incidents

The Fortinet Support Tool application is used to capture real-time debugging information through a REST API key
generated directly on the FortiGate device. It can be installed on Windows from the Microsoft Store and on macOS from
the App Store.
The program can run in the background for up to 48 hours. This increases the likelihood that it is active during an
incident, allowing administrators to gather comprehensive logs and ensuring faster and more efficient troubleshooting.

To install the Fortinet Support Tool:

1. Open the Microsoft Store or the App Store.


2. Search for Fortinet Support Tool.
3. Install the tool.

To generate a support tool key:

1. In the FortiOS GUI, select Generate Support Tool Key.

2. Configure the Connect to (IP/FQDN), Protocol, and Port, and set when the key will expire.

The Fortinet Support Tool will attempt to connect to this device using the specified IP/FQDN, protocol, and port.
3. Optionally, configure trusted hosts.
4. Click Generate key.

5. Copy the generated key, then click Close.

To create a new capture:

1. Open the Fortinet Support Tool and go to the capture tab.

2. Paste the generated key into the field. The connection will start to be established immediately.
You can also select Recent devices to try to reconnect to a previously used device.
3. Select the scenario to analyze.

The user interface can only be captured using the Fortinet Support Tool Chrome extension.
4. Select the daemons to collect logs and apply filters as needed.

5. Specify the file name and length of the capture.

6. Click Start capture.


7. After the capture completes, or is manually stopped, save the capture file to the computer.

To view a capture:

1. Click Select capture file to get started.

You can also select Recently viewed to review a previously opened capture.
2. Select a capture file with the extension .fgtcapture, .ftntguicap, or .ftntcap for review.
When playing .fgtcapture or .ftntguicap files:
l Top-left section: Video frame
l Bottom-left section: Resource chart
l Right section: Tabs including:
    l Summary
    l Device Info (Config, Crash log, Licenses, Table size, Profiling)
    l Client Info
    l Logs

When playing .ftntcap files:
l Left section: Three resource charts
l Right section: Tabs including:
    l Summary
    l Device Info (General [Config, Crash log, Table size, Profiling], CLI diagnostics [System, Hardware, Filesystem, HA, Session, Update], REST API responses)
    l Logs

To configure the Fortinet Support Tool general settings:

1. Go to the Settings tab.

2. Adjust the Theme to Dark or Light (default).

3. Configure whether or not the application window is automatically maximized when viewing a capture file.
4. Click Clear all application data to clear all of the application data, such as recent devices or captures.

IPv6

This section includes information about IPv6 network related new features:
l Recursive resolution of BGP routes using IPv6 prefix with on-link flag from route aggregation on page 154
l DHCPv6 enhancements on page 151
l Enhancing SIP reliability in 464XLAT environments 7.6.1 on page 156

DHCPv6 enhancements

This information is also available in the FortiOS 7.6 Administration Guide:


l DHCPv6 stateful server

The DHCPv6 server/client can accommodate multiple (more than three) DHCP options. Support for Option 16, also
known as the Vendor Class Option, is added for DHCPv6. This allows IP pools and options assignment based on VCI
matching for DHCPv6 server and client.
Four DHCPv6 option types can be configured: fqdn, hex (default), ip6, and string.

To configure the options and IP range when the FortiGate is the DHCPv6 server:

config system dhcp6 server


edit 1
set dns-service default
set subnet 2000:11:1:1::/64
set interface "port3"
config options
edit 1
set code 16
set type string
set value "vendor class option"
next
edit 2
set code 15
set type string
set value "user class option"
next
edit 3
set code 72
set type fqdn
set value "www.test.com"
next
edit 4
set code 70
set type ip6
set ip6 2000:8:8:8::8
next
edit 5
set code 96
set type hex
set value "0000013700084d53465420352e30"
next
end
config ip-range
edit 1
set start-ip 2000:11:1:1::2
set end-ip 2000:11:1:1::10
next
end
next
edit 2
set subnet 2000:10:1:100::/64
set interface "port2"
config ip-range
edit 1
set start-ip 2000:10:1:100::11
set end-ip 2000:10:1:100::11
next
end
next
end

To configure the options and IP range when the FortiGate is a DHCPv6 client:

config system interface


edit "port3"
set vdom "vdom1"
set allowaccess ping https ssh snmp http telnet
set type physical
set snmp-index 5
config ipv6
set ip6-mode dhcp
config client-options
edit 1
set code 16
set type hex
set value "0000013700084d53465420352e30"
next
end
set ip6-allowaccess ping https ssh http telnet
end
set macaddr 00:09:0f:09:00:00
next
end

VCI matching in IP ranges

There are three cases:


1. If VCI matching is disabled in the IP range, then the DHCP client can get an IP address. This is the default.
2. If VCI matching is enabled and the VCI value matches the DHCP client, then the DHCP client can get an IP address.
3. If VCI matching is enabled and the VCI value does not match the DHCP client, then the DHCP client cannot get an
IP address.

To enable VCI matching in an IP range:

config system dhcp6 server


edit 2
set subnet 2000:10:1:100::/64
set interface "port2"
config ip-range
edit 1
set start-ip 2000:10:1:100::11
set end-ip 2000:10:1:100::11
set vci-match enable
set vci-string "PC1"
next
end
next
end

VCI matching in DHCPv6 options

There are three cases:


1. If VCI matching is disabled in the option, then all options are sent back to the client. This is the default.
2. If VCI matching is enabled and the VCI value matches the DHCP client, then all options are sent back to the client.
3. If VCI matching is enabled and the VCI value does not match the DHCP client, then the unmatched options are not
sent back to the client.

To enable VCI matching in an option:

config system dhcp6 server


edit 2
set subnet 2000:10:1:100::/64
set interface "port2"
config options
edit 1
set code 16
set type string
set value "vendor class option"
set vci-match enable
set vci-string "PC1"
next
end
config ip-range
edit 1
set start-ip 2000:10:1:100::11
set end-ip 2000:10:1:100::11
next
end
next
end
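The three VCI cases for IP ranges and for options, as an added Python illustration of the matching logic; this is not FortiOS code. It parses a DHCPv6 Option 16 (Vendor Class) as defined for DHCPv6, while the client requests, the VciRule/IpRange/ServerOption names and the enterprise number are constructed for the demo.

```python
"""DHCPv6 Vendor Class (Option 16) matching following the three-case
rules above, as an added illustration; not FortiOS code. The option
wire format is the one defined for DHCPv6; the client requests and the
enterprise number are constructed for the demo."""
import struct
from dataclasses import dataclass, field

OPTION_VENDOR_CLASS = 16   # DHCPv6 Option 16
DEMO_ENTERPRISE = 1        # placeholder enterprise number, not a real PEN


def parse_dhcpv6_options(buf):
    """Parse a flat DHCPv6 option list: repeated (code:2, length:2, data)."""
    opts, i = {}, 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError("truncated DHCPv6 option %d" % code)
        opts.setdefault(code, []).append(buf[i:i + length])
        i += length
    return opts


def vendor_class_strings(option_data):
    """Option 16 body: enterprise-number (4 bytes) followed by
    length-prefixed vendor-class-data items; returns the items as text."""
    if len(option_data) < 4:
        raise ValueError("vendor class option too short")
    items, i = [], 4
    while i + 2 <= len(option_data):
        (n,) = struct.unpack_from("!H", option_data, i)
        i += 2
        if i + n > len(option_data):
            raise ValueError("truncated vendor-class-data")
        items.append(option_data[i:i + n].decode("utf-8", "replace"))
        i += n
    return items


@dataclass
class VciRule:
    vci_match: bool = False   # set vci-match enable|disable
    vci_string: str = ""      # set vci-string "PC1"

    def applies_to(self, client_vci):
        if not self.vci_match:        # case 1: matching disabled (default)
            return True
        return self.vci_string in client_vci   # case 2 true, case 3 false


@dataclass
class IpRange:
    start_ip: str
    end_ip: str
    rule: VciRule = field(default_factory=VciRule)


@dataclass
class ServerOption:
    code: int
    value: str
    rule: VciRule = field(default_factory=VciRule)


def build_solicit(vci, enterprise=DEMO_ENTERPRISE):
    """Constructed client request carrying a single Option 16 item."""
    data = vci.encode()
    body = struct.pack("!IH", enterprise, len(data)) + data
    return struct.pack("!HH", OPTION_VENDOR_CLASS, len(body)) + body


def evaluate(request, ranges, options):
    """Return the IP ranges the client may lease from and the options that
    are sent back, applying the per-object VCI rules."""
    opts = parse_dhcpv6_options(request)
    client_vci = []
    for raw in opts.get(OPTION_VENDOR_CLASS, []):
        client_vci.extend(vendor_class_strings(raw))
    eligible = [r for r in ranges if r.rule.applies_to(client_vci)]
    sent = [o for o in options if o.rule.applies_to(client_vci)]
    return eligible, sent


if __name__ == "__main__":
    # mirrors the CLI above: ip-range and option 16 both restricted to "PC1"
    pc1_only = VciRule(vci_match=True, vci_string="PC1")
    ranges = [IpRange("2000:10:1:100::11", "2000:10:1:100::11", pc1_only)]
    options = [ServerOption(16, "vendor class option", pc1_only),
               ServerOption(15, "user class option")]
    for name in ("PC1", "PC2"):
        got_ranges, got_opts = evaluate(build_solicit(name), ranges, options)
        print(name, "lease:", bool(got_ranges), "options:", [o.code for o in got_opts])
```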

Recursive resolution of BGP routes using IPv6 prefix with on-link flag from route aggregation

This information is also available in the FortiOS 7.6 Administration Guide:


l Next hop recursive resolution using IPv6 prefix with on-link flag from route aggregation

When a FortiGate is acting as an IPv4 BGP neighbor and using stateful DHCPv6, it learns BGP routes with the IPv6 next
hop belonging to an on-link prefix that is advertised through route aggregation (RA).
By default, the administrative distance for routes learned from the kernel is 255, and the routes do not interfere with the
current route selection. To make the RA route usable by BGP, the distance must be set to less than 255 using the new
kernel-route-distance command.
config router setting
set kernel-route-distance <0-255>
end

If there are other user space routes with the same prefix, the best route is selected based on the distance.
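Route selection with a configurable kernel-route distance, as an added Python illustration of the behaviour described above; this is not FortiOS code. The Rib and Route names are hypothetical, and the prefixes and interfaces are a constructed subset of the FGT_A table shown in the procedure that follows.

```python
"""Route selection with a configurable kernel-route distance, as an added
illustration of the behaviour described above; not FortiOS code. The
prefixes and interfaces are a constructed subset of the FGT_A table."""
import ipaddress
from dataclasses import dataclass

UNUSABLE = 255   # default kernel-route-distance: route never selected


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str       # K kernel, C connected, S static, O OSPF, B BGP
    distance: int
    interface: str
    nexthop: str = "::"   # "::" means directly on-link


class Rib:
    def __init__(self, kernel_route_distance=UNUSABLE):
        self.kernel_route_distance = kernel_route_distance
        self.routes = []

    def add(self, route):
        self.routes.append(route)

    def effective_distance(self, route):
        # 'config router setting / set kernel-route-distance' overrides the
        # distance of every kernel-learned route
        if route.source == "K":
            return self.kernel_route_distance
        return route.distance

    def selected(self):
        """Best route per prefix: lowest distance wins (first inserted on a
        tie); a route at distance 255 is never installed."""
        best = {}
        for r in self.routes:
            d = self.effective_distance(r)
            if d >= UNUSABLE:
                continue
            cur = best.get(r.prefix)
            if cur is None or d < self.effective_distance(cur):
                best[r.prefix] = r
        return best

    def resolve(self, address):
        """Longest-prefix match of a (BGP next hop) address over the
        selected routes; None means the next hop is unreachable."""
        addr = ipaddress.ip_address(address)
        match, match_len = None, -1
        for prefix, r in self.selected().items():
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > match_len:
                match, match_len = r, net.prefixlen
        return match


def build_rib(kernel_route_distance=UNUSABLE):
    """Constructed subset of the FGT_A table: the on-link prefix advertised
    by FGT_B arrives as a kernel (K) route."""
    rib = Rib(kernel_route_distance)
    rib.add(Route("::/0", "K", UNUSABLE, "agg1", "fe80::96f3:92ff:fe15:f7b"))
    rib.add(Route("2001:4::/64", "K", UNUSABLE, "agg1"))
    rib.add(Route("2000:172:16:200::/64", "C", 0, "port1"))
    return rib


if __name__ == "__main__":
    # 2001:4::133 is FGT_B's address on agg2 (from the configuration below)
    for dist in (UNUSABLE, 254):
        r = build_rib(dist).resolve("2001:4::133")
        print("kernel-route-distance", dist, "->", r.interface if r else "unresolved")
```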

To check the effect of changing the administrative distance:

1. Configure FGT_A:
config system interface
edit "agg1"
set vdom "root"
set ip 172.16.203.1 255.255.255.0
set allowaccess ping https http
set type aggregate
set member "port4"
set alias "To_FGT_B_agg1"
set lldp-transmission enable
set snmp-index 40
config ipv6
set ip6-mode dhcp
set ip6-allowaccess ping
end
next
end

2. Configure FGT_B (RA):


config system interface
edit "agg2"
set vdom "root"
set ip 172.16.203.2 255.255.255.0
set allowaccess ping https http
set bfd disable
set type aggregate
set member "port4"
set alias "To_FGT_A_agg1"
set lldp-transmission enable
set snmp-index 28
config ipv6
set ip6-address 2001:4::133/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-max-interval 10
set ip6-min-interval 5
config ip6-prefix-list
edit 2001:4::/64
next
end
end
next
end
config system dhcp6 server
edit 1
set subnet 2001:4::/64
set interface "agg2"
config ip-range
edit 1
set start-ip 2001:4::11
set end-ip 2001:4::20
next
end
next
end

3. By default, the learned kernel route has a distance of 255 and does not interfere with the current route selection:
FGT_A (root)# get router info6 routing-table database
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, B - BGP, V - BGP VPNv6
> - selected route, * - FIB route, p - stale info
Timers: Uptime

Routing table for VRF=0


K * ::/0 via fe80::96f3:92ff:fe15:f7b, agg1, 00:00:20
C *> ::1/128 via ::, root, 00:03:33
O 2000::1:1:1:1/128 [110/0] via ::, loopback1 inactive, 00:03:32, [1024/0]
C *> 2000::1:1:1:1/128 via ::, loopback1, 00:03:33
O *> 2000::2:2:2:2/128 [110/100] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
O *> 2000::3:3:3:3/128 [110/100] via fe80::6d5:90ff:fedb:e538, port1, 00:02:35, [1024/0]
O IA *> 2000::4:4:4:4/128 [110/1100] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
C *> 2000:10:100:1::/126 via ::, R150, 00:03:33
O 2000:10:100:1::4/126 [110/10000] via ::, R160, 00:03:32, [1024/0]
C *> 2000:10:100:1::4/126 via ::, R160, 00:03:33
R *> 2000:10:101:1::/64 [120/2] via fe80::3cd3:7cff:fed5:39, R150, 00:03:31, [1024/0]
S *> 2000:10:101:2::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
S *> 2000:10:101:3::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
S *> 2000:10:102:1::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
S *> 2000:10:103:1::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
S *> 2000:10:104:1::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
O *> 2000:172:16::/48 [110/0] via ::, Null, 00:03:31, [1024/0]
O 2000:172:16:200::/64 [110/100] via ::, port1, 00:03:32, [1024/0]
C *> 2000:172:16:200::/64 via ::, port1, 00:03:33
O E2 *> 2000:172:16:201::/64 [110/10] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
O E2 2000:172:16:204::/64 [110/10] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
S *> 2000:172:16:204::/64 [10/0] via 2000:172:16:200::4, port1, 00:03:33, [1024/0]
> [10/0] via 2000:172:16:203::2, agg1 inactive, 00:03:33, [1024/0]
*> [10/0] via 2000:172:16:206::2, vlan100, 00:03:33, [1024/0]
C *> 2000:172:16:206::/64 via ::, vlan100, 00:03:33
O 2000:172:16:207::/64 [110/10000] via ::, GRE_1, 00:03:32, [1024/0]
C *> 2000:172:16:207::/64 via ::, GRE_1, 00:03:33
S *> 2000:172:16:209::/64 [5/0] via to_FG_B_root tunnel ::172.16.206.2, 00:03:33, [1/0]
C *> 2000:172:16:209::1/128 via ::, to_FG_B_root, 00:03:33
R *> 2000:172:16:209::2/128 [120/2] via fe80::96f3:92ff:fe15:f7b, vlan100, 00:03:10, [1024/0]
R *> 2000:172:16:210::/64 [120/2] via fe80::96f3:92ff:fe15:f7b, vlan100, 00:03:10, [1024/0]
C *> 2000:172:16:211::/64 via ::, sit_A_D, 00:03:33
B *> 2000:172:27:1::/64 [200/0] via 2000::2:2:2:2 (recursive via fe80::96f3:92ff:fe15:f7b, agg1), 00:01:25, [1024/0]
K * 2001:4::/64 via ::, agg1, 00:00:20
O *> 2001:4::/64 [110/100] via ::, agg1, 00:00:24, [1024/0]
FGT_A (root)# get router info6 routing-table kernel
No route available

4. Change the distance to 254:


FGT_A (root)# config router setting
set kernel-route-distance 254
end

5. Now there is a kernel route:


FGT_A (root)# get router info6 routing-table kernel
Routing table for VRF=0
K* ::/0 [254/1024] via fe80::96f3:92ff:fe15:f7b, agg1, 00:01:04
...

Enhancing SIP reliability in 464XLAT environments - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


l Enhancing SIP reliability in 464XLAT environments

FortiGate can now disable IP address translation within the SIP payload in 464XLAT environments as needed. This
ensures SIP packets with IPv4 information reach user equipment without translation, which addresses an issue where
the customer-side translator (CLAT) component does not revert the IPv6 address to IPv4 within the SIP header and
body, leading to RTP connection issues in 464XLAT environments. By preventing unnecessary translation,
FortiGate ensures seamless communication and robust connectivity to improve the reliability of SIP-based services in
complex network scenarios.

FortiGate only uses this feature as needed. A flag is added to each voip_session_stream, and FortiGate uses the flag
and other information to identify 464XLAT environments. When a client initiates SIP traffic to a server, such as a
REGISTER request, and the VoIP daemon detects an IPv6 address at the IP layer while the SIP payload header contains
an IPv4 address, the payload is identified as belonging to a 464XLAT environment, and FortiGate stops NAT46 on the
SIP payload.

Scope and limitations

Only one TCP connection is used between each SIP client and the SIP server, and the TCP connection remains up (in
other words, it is not torn down).
All SIP traffic between each SIP client and the SIP server must use the same TCP connection.
Because of the above requirements, a SIP pinhole is not created.
The SIP server must offer its own IP address. The twin case for hnt_464xlat is not supported.
Only SIP/TCP-5060 is supported, and the session helper must be configured:
config system session-helper
edit 13
set name sip
set protocol 6
set port 5060
next
end

Example

This example describes the behavior in FortiOS 7.6.0 and earlier, followed by a description of the behavior change in
FortiOS 7.6.1.
In FortiOS 7.6.0 and earlier, when NAT46 IP address translation is enabled within the SIP payload for return traffic and
the address is the server's IPv4 address in a 464XLAT environment, the RTP connection to the IPv6 destination fails to
establish. The example uses the following topology:

1. The CLAT component runs inside the user equipment (UE) and performs a one-to-one (IPv4 to IPv6) stateless
translation. The CLAT component translates traffic with an IPv4 destination to IPv6. While the IPv4 address is
converted to IPv6 in the IP header, the IP information within the payload, including the SIP header and body,
remains unchanged (IPv4).
2. FortiGate as PLAT performs many-to-one (IPv6 to IPv4) stateful translation to translate the IP address within the IP
header from IPv6 to IPv4. Furthermore, SIP-ALG modifies the IP address within the payload in the SIP header and
body by substituting the IPv4 address with a publicly NATed IP address.
3. When traffic is returned from the SIP server to FortiGate, the IPv4 address within the IP header is translated back to
IPv6. Concurrently, the IP address contained within the SIP header and body is also translated back to IPv6 by
FortiGate.
4. The packet reaches UE, and the CLAT component translates the IP address of the IP header from IPv6 to IPv4. The
CLAT component does not function as an ALG and does not modify the IP address within the SIP header and body.
5. The UE receives the packet but cannot establish RTP connection with the IPv6 destination.

Step 3 changes in FortiOS 7.6.1. For traffic returning from SIP server, FortiGate stops NAT46 on the SIP payload and
only translates the IPv4 addresses in the IP header into an IPv6 address. Thus, the IP address contained within the SIP
header and body remains IPv4, which the user equipment can recognize, and RTP connections can be successfully
established.
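The 464XLAT classification and the return-path decision described in the steps above, as an added Python illustration; this is not FortiOS code. It assumes the IPv4/IPv6 address pairs shown in the session output later in this section, uses constructed SIP messages, and the hypothetical SipStream flag stands in for the per-voip_session_stream flag.

```python
"""464XLAT detection and the SIP payload translation decision described
above, as an added illustration; this is not FortiOS code. The NAT46
address pairs come from the session output in this section; the SIP
messages are constructed samples."""
import ipaddress
import re
from dataclasses import dataclass

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# IPv4 <-> IPv6 pairs as shown by 'diagnose sys session6 list' in this section.
NAT46_MAP = {
    "172.16.200.6": "2000:1:1:1::1:6e0c",      # the UE's NATed IPv4 address
    "172.16.200.33": "2000:172:16:200::33",    # phone B
    "172.16.200.44": "2000:172:16:200::44",    # SIP server
}

# Constructed REGISTER as the PLAT sees it: IPv6 in the IP header (CLAT
# translated it), IPv4 literals left in the SIP header by the CLAT.
SAMPLE_REGISTER = (
    "REGISTER sip:172.16.200.44 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.1.100.11:5060;branch=z9hG4bK776\r\n"
    "From: <sip:[email protected]>;tag=1\r\n"
    "To: <sip:[email protected]>\r\n"
    "Contact: <sip:[email protected]:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed INVITE from the server towards the UE, carrying phone B's
# media address in SDP; 172.16.200.6 is the UE's public NATed address.
SAMPLE_INVITE = (
    "INVITE sip:[email protected]:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 172.16.200.44:5060;branch=z9hG4bK321\r\n"
    "Contact: <sip:[email protected]:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "c=IN IP4 172.16.200.33\r\n"
    "m=audio 4000 RTP/AVP 0\r\n"
)


@dataclass
class SipStream:
    l3_src: str            # source address in the IP header as received
    xlat464: bool = False  # stands in for the per-stream flag the text describes


def _is_v4(text):
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def classify_stream(stream, sip_message):
    """Set the 464XLAT flag on the client's first request: IPv6 at the IP
    layer but IPv4 literals in the SIP payload."""
    l3_is_v6 = ipaddress.ip_address(stream.l3_src).version == 6
    payload_has_v4 = any(_is_v4(m) for m in IPV4_RE.findall(sip_message))
    stream.xlat464 = l3_is_v6 and payload_has_v4
    return stream.xlat464


def nat46_payload(sip_message, v4_to_v6):
    """ALG behaviour on the return path before 7.6.1: map IPv4 literals in
    the SIP header and SDP body to IPv6 (URI bracketing is omitted here)."""
    out = IPV4_RE.sub(lambda m: v4_to_v6.get(m.group(0), m.group(0)), sip_message)
    # an SDP connection line that now holds an IPv6 literal changes family
    return re.sub(r"c=IN IP4 ([0-9a-fA-F:]+)(?=\r?\n)", r"c=IN IP6 \1", out)


def process_return_packet(stream, sip_message, v4_to_v6, fortios_761=True):
    """Server -> UE direction. The IP header is always translated back to
    IPv6 (not modelled); on 7.6.1 the payload is left alone when the stream
    was flagged as 464XLAT."""
    if fortios_761 and stream.xlat464:
        return sip_message
    return nat46_payload(sip_message, v4_to_v6)


def ue_can_start_rtp(sip_message):
    """The CLAT is not an ALG, so the IPv4-only UE can only use an IPv4
    media address from SDP."""
    m = re.search(r"c=IN (IP4|IP6) (\S+)", sip_message)
    return bool(m) and m.group(1) == "IP4"


if __name__ == "__main__":
    stream = SipStream("2000:1:1:1::1:6e0c")
    print("464XLAT stream:", classify_stream(stream, SAMPLE_REGISTER))
    for ver, flag in (("7.6.0", False), ("7.6.1", True)):
        pkt = process_return_packet(stream, SAMPLE_INVITE, NAT46_MAP, flag)
        print(ver, "RTP possible:", ue_can_start_rtp(pkt))
```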

To check the SIP calls when phone A (10.1.100.11) and phone B (172.16.200.33) are registering to the SIP
server (172.16.200.44):

1. View the SIP proxy SIP calls:


# diagnose sys sip-proxy calls

sip calls
vdom 1 (vdom1) vrf 0 call 7fc9eb265000
call-id: QFwxzc1FTIYZQJsQZW3-kKofMxJUcxaB
txn 7fc9eb250e00 (REGISTER)
cseq 49308 dir 0 state 5 status 200 expiry 903 HA 0
i_session: 7fc9eb250000 r_session: 7fc9eb250000
register: present
from: sip:[email protected]
to: sip:[email protected]
src: [2000:1:1:1::1:6e0c]:49555
dst: 172.16.200.44:5060
vdom 1 (vdom1) vrf 0 call 7fc9eb265000
call-id: QFwxzc1FTIYZQJsQZW3-kKofMxJUcxaB
txn 7fc9eb250700 (REGISTER)
cseq 49307 dir 0 state 7 status 401 expiry 23 HA 0
i_session: 7fc9eb250000 r_session: 7fc9eb250000
register: present
from: sip:[email protected]
to: sip:[email protected]
src: [2000:1:1:1::1:6e0c]:49555
dst: 172.16.200.44:5060

To check the SIP calls and session lists when phone A (10.1.100.1) is calling phone B (172.16.200.33):

1. View the SIP proxy SIP calls:


# diagnose sys sip-proxy calls

sip calls
vdom 1 (vdom1) vrf 0 call 7fc9eb265100
call-id: mNcOPU8ul76A1ihupFMNU78kePJYEfr3
txn 7fc9eb251c00 (INVITE)
cseq 102 dir 1 state 11 status 200 expiry 297 HA 0
i_session: 7fc9eb250000 r_session: 7fc9eb250000
register: not-present
from: sip:[email protected]
to: sip:[email protected]
src: 172.16.200.44:5060
dst: [2000:1:1:1::1:6e0c]:49555
vdom 1 (vdom1) vrf 0 call 7fc9eb265100
call-id: mNcOPU8ul76A1ihupFMNU78kePJYEfr3
txn 7fc9eb250700 (INVITE)
cseq 22155 dir 0 state 11 status 200 expiry 296 HA 0
i_session: 7fc9eb250000 r_session: 7fc9eb250000
register: not-present
from: sip:[email protected]
to: sip:[email protected]
src: [2000:1:1:1::1:6e0c]:49555
dst: 172.16.200.44:5060
vdom 1 (vdom1) vrf 0 call 7fc9eb265100
call-id: mNcOPU8ul76A1ihupFMNU78kePJYEfr3
txn 7fc9eb251500 (INVITE)
cseq 22154 dir 0 state 11 status 200 expiry 296 HA 0
i_session: 7fc9eb250000 r_session: 7fc9eb250000
register: not-present
from: sip:[email protected]
to: sip:[email protected]
src: [2000:1:1:1::1:6e0c]:49555
dst: 172.16.200.44:5060
vdom 1 (vdom1) vrf 0 call 7fc9eb265000
call-id: QFwxzc1FTIYZQJsQZW3-kKofMxJUcxaB
txn 7fc9eb250e00 (REGISTER)
cseq 49308 dir 0 state 5 status 200 expiry 871 HA 0
i_session: 7fc9eb250000 r_session: 7fc9eb250000
register: present
from: sip:[email protected]
to: sip:[email protected]
src: [2000:1:1:1::1:6e0c]:49555
dst: 172.16.200.44:5060

2. View the IPv6 session list:


# diagnose sys session6 list

...
orgin->sink: org pre->post, reply pre->post dev=34->43/43->34
hook=pre dir=org act=dnat 2000:1:1:1::1:6e0c:34143->2000:172:16:200::44:5060(2000:172:16:200::44:5060)
hook=post dir=reply act=snat 2000:172:16:200::44:5060->2000:1:1:1::1:6e0c:34143(2000:172:16:200::44:5060)
peer=172.16.200.6:34143->172.16.200.44:5060 naf=1
hook=pre dir=org act=noop 172.16.200.6:34143->172.16.200.44:5060(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.44:5060->172.16.200.6:34143(0.0.0.0:0)
...
orgin->sink: org pre->post, reply pre->post dev=34->43/43->0
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:9117->2000:172:16:200::44:64446(:::0)
hook=pre dir=reply act=noop 2000:172:16:200::44:64446->2000:1:1:1::1:6e0c:9117(:::0)
peer=172.16.200.6:64444->172.16.200.44:18764 naf=1
hook=pre dir=org act=noop 172.16.200.6:64444->172.16.200.44:18764(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.44:18764->172.16.200.6:64444(0.0.0.0:0)
...
orgin->sink: org pre->post, reply pre->post dev=34->43/43->34
hook=pre dir=org act=dnat 2000:1:1:1::1:6e0c:9117->2000:172:16:200::33:64448(2000:172:16:200::33:64448)
hook=post dir=reply act=snat 2000:172:16:200::33:64448->2000:1:1:1::1:6e0c:9117(2000:172:16:200::33:64448)
peer=172.16.200.6:9117->172.16.200.33:64448 naf=1
hook=pre dir=org act=noop 172.16.200.6:9117->172.16.200.33:64448(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.33:64448->172.16.200.6:9117(0.0.0.0:0)
...
orgin->sink: org pre->post, reply pre->post dev=34->43/43->34
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:9118->2000:172:16:200::44:64447(:::0)
hook=pre dir=reply act=noop 2000:172:16:200::44:64447->2000:1:1:1::1:6e0c:9118(:::0)
peer=172.16.200.6:64445->172.16.200.44:18765 naf=1
hook=pre dir=org act=noop 172.16.200.6:64445->172.16.200.44:18765(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.44:18765->172.16.200.6:64445(0.0.0.0:0)
...
orgin->sink: org pre->post, reply pre->post dev=34->43/43->34
hook=pre dir=org act=dnat 2000:1:1:1::1:6e0c:9118->2000:172:16:200::33:64449(2000:172:16:200::33:64449)
hook=post dir=reply act=snat 2000:172:16:200::33:64449->2000:1:1:1::1:6e0c:9118(2000:172:16:200::33:64449)
peer=172.16.200.6:9118->172.16.200.33:64449 naf=1
hook=pre dir=org act=noop 172.16.200.6:9118->172.16.200.33:64449(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.33:64449->172.16.200.6:9118(0.0.0.0:0)
...

3. View the IPv6 expectation session list:


# diagnose sys session6 list expectation

...
orgin->sink: org pre->post, reply pre->post dev=34->0/43->0
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:0->2000:172:16:200::44:64448(:::0)
peer=172.16.200.6:64444->172.16.200.33:4000 naf=1
...
orgin->sink: org pre->post, reply pre->post dev=34->0/43->0
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:0->2000:172:16:200::44:64448(:::0)
peer=172.16.200.6:64444->172.16.200.33:4000 naf=1
...
orgin->sink: org pre->post, reply pre->post dev=34->0/43->0
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:0->2000:172:16:200::44:64449(:::0)
peer=172.16.200.6:64445->172.16.200.33:4001 naf=1
...
orgin->sink: org pre->post, reply pre->post dev=34->0/43->0
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:0->2000:172:16:200::44:64449(:::0)
peer=172.16.200.6:64445->172.16.200.33:4001 naf=1
...

4. View the IPv4 session list:


# diagnose sys session list

...
orgin->sink: org pre->post, reply pre->post dev=43->23/23->43
gwy=172.16.200.33/172.16.200.6
hook=pre dir=org act=noop 172.16.200.6:9117->172.16.200.33:64448(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.33:64448->172.16.200.6:9117(0.0.0.0:0)
peer=2000:172:16:200::33:64448->2000:1:1:1::1:6e0c:9117 naf=2
hook=pre dir=org act=dnat 2000:1:1:1::1:6e0c:9117->2000:172:16:200::33:64448
(2000:172:16:200::33:64448)
hook=post dir=reply act=snat 2000:172:16:200::33:64448->2000:1:1:1::1:6e0c:9117
(2000:172:16:200::33:64448)
...
orgin->sink: org pre->post, reply pre->post dev=43->23/23->43
gwy=172.16.200.33/172.16.200.6
hook=pre dir=org act=noop 172.16.200.6:9118->172.16.200.33:64449(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.33:64449->172.16.200.6:9118(0.0.0.0:0)
peer=2000:172:16:200::33:64449->2000:1:1:1::1:6e0c:9118 naf=2
hook=pre dir=org act=dnat 2000:1:1:1::1:6e0c:9118->2000:172:16:200::33:64449
(2000:172:16:200::33:64449)
hook=post dir=reply act=snat 2000:172:16:200::33:64449->2000:1:1:1::1:6e0c:9118
(2000:172:16:200::33:64449)

...
orgin->sink: org pre->post, reply pre->post dev=43->23/23->43
gwy=172.16.200.44/172.16.200.6
hook=pre dir=org act=noop 172.16.200.6:34143->172.16.200.44:5060(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.44:5060->172.16.200.6:34143(0.0.0.0:0)
peer=2000:172:16:200::44:5060->2000:1:1:1::1:6e0c:34143 naf=2
hook=pre dir=org act=dnat 2000:1:1:1::1:6e0c:34143->2000:172:16:200::44:5060
(2000:172:16:200::44:5060)
hook=post dir=reply act=snat 2000:172:16:200::44:5060->2000:1:1:1::1:6e0c:34143
(2000:172:16:200::44:5060)
...
orgin->sink: org pre->post, reply pre->post dev=43->23/23->0 gwy=172.16.200.44/0.0.0.0
hook=pre dir=org act=noop 172.16.200.6:64444->172.16.200.44:18764(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.44:18764->172.16.200.6:64444(0.0.0.0:0)
peer=2000:172:16:200::44:64446->2000:1:1:1::1:6e0c:9117 naf=2
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:9117->2000:172:16:200::44:64446(:::0)
hook=pre dir=reply act=noop 2000:172:16:200::44:64446->2000:1:1:1::1:6e0c:9117(:::0)
...
orgin->sink: org pre->post, reply pre->post dev=43->23/23->43
gwy=172.16.200.44/172.16.200.6
hook=pre dir=org act=noop 172.16.200.6:64445->172.16.200.44:18765(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.44:18765->172.16.200.6:64445(0.0.0.0:0)
peer=2000:172:16:200::44:64447->2000:1:1:1::1:6e0c:9118 naf=2
hook=post dir=org act=noop 2000:1:1:1::1:6e0c:9118->2000:172:16:200::44:64447(:::0)
hook=pre dir=reply act=noop 2000:172:16:200::44:64447->2000:1:1:1::1:6e0c:9118(:::0)
...

5. View the IPv4 expectation session list:


# diagnose sys session list expectation

...
orgin->sink: org pre->post, reply pre->post dev=43->0/23->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.6:0->172.16.200.33:4001(0.0.0.0:0)
peer=:::0->:::0 naf=2
...
orgin->sink: org pre->post, reply pre->post dev=43->0/23->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.6:0->172.16.200.33:4001(0.0.0.0:0)
peer=:::0->:::0 naf=2
...
orgin->sink: org pre->post, reply pre->post dev=43->0/23->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.6:0->172.16.200.33:4000(0.0.0.0:0)
peer=:::0->:::0 naf=2
...
orgin->sink: org pre->post, reply pre->post dev=43->0/23->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.6:0->172.16.200.33:4000(0.0.0.0:0)
peer=:::0->:::0 naf=2
...

Explicit and Transparent Proxy

This section includes information about explicit and transparent proxy related new features:

• Specifying outgoing interface and VRF for a web proxy forward server or isolator server 7.6.1 on page 163
• Isolator servers in proxy policies 7.6.1 on page 165
• GUI support of isolator servers for proxy policies 7.6.3 on page 168

Specifying outgoing interface and VRF for a web proxy forward server or isolator server - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


• Specifying outgoing interface and VRF for a web proxy forward server or isolator server

You can specify the outgoing interface and VRF for a web proxy forward server or a web proxy isolator server, such as
FortiIsolator.
The following CLI command options have been added:
config web-proxy forward-server
edit <name>
set interface-select-method specify
set interface <port>
set vrf-select <vrf-id>
next
end

config web-proxy isolator-server
edit <name>
set interface-select-method specify
set interface <port>
set vrf-select <vrf-id>
next
end

Example

In the following example, a forward server is applied to the FortiGate in an explicit proxy policy. An interface that is not in
the policy, such as port3, can be specified to forward traffic.

Without this feature, the FortiGate would have to forward traffic through the management
interface which is the destination interface of the policy.

This example uses the following topology:

To specify an outgoing interface and VRF for a web proxy forward server:

1. Enable and configure the explicit web proxy:


config web-proxy explicit
set status enable
set ftp-over-http enable
set http-incoming-port 8080
set ipv6-status enable
set unknown-http-version best-effort
end

2. Configure the web proxy forward server with an interface that is not included in the policy:
config web-proxy forward-server
edit "FWD_SVR"
set ip 172.16.200.7
set port 8080
set interface-select-method specify
set interface "port3"
set vrf-select 10
next
end

3. Specify the destination interface and web proxy forward server in the proxy policy:
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "mgmt"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "FWD_SVR"
next
end

4. Access a website in the browser, such as www.fortinet.com.

5. Go to Log & Report > Forward Traffic and review the traffic log. The Destination Interface is port3 instead of the
management interface.

Isolator servers in proxy policies - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


• Isolator servers in proxy policies

Web proxy isolator servers, such as FortiIsolator, are supported in proxy policies. Isolators are fundamentally the same
as web proxy forward servers because both will redirect HTTP and HTTPS requests to an HTTP or HTTPS proxy server.
However, isolators have the specific function of isolating potentially unsafe traffic from a user environment.

The isolate action in proxy policies can be used to distinguish isolated traffic from normal traffic in logs. Isolator
servers can only be applied in explicit and transparent proxy policies.
The following CLI commands have been added to support isolator servers:
config web-proxy isolator-server
edit <name>
set addr-type {ip | ipv6 | fqdn}
set ip <any_ip>
set ipv6 <IPv6 address>
set fqdn <string>
set port <port>
next
end
config firewall proxy-policy
edit <id>
set action isolate
set isolator-server <name>
next
end

Example

The following example demonstrates how to apply an isolator server to a proxy policy. Two explicit proxy policies are
configured:
• A web proxy forward server is applied to one policy with the action set to accept.
• An isolator server is applied to the other policy with the action set to isolate.
Each proxy policy uses a different destination IP address to separate traffic. Once traffic passes, logs are generated for
the specific actions.

To configure an isolator server:

1. Configure the isolator server:


config web-proxy isolator-server
edit "isolator"
set ip 172.16.200.7
set port 8080
next
end

2. Configure the forward server:


config web-proxy forward-server
edit "fgt-b"
set ip 172.16.200.7
set port 8080
next
end

3. Apply each server to a proxy policy:


config firewall proxy-policy
edit 1

set proxy explicit-web
set dstintf "port3"
set srcaddr "all"
set dstaddr "IT"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "fgt-b"
set utm-status enable
set ssl-ssh-profile "deep-custom"
set av-profile "av"
next
edit 3
set proxy explicit-web
set dstintf "port3"
set srcaddr "all"
set dstaddr "Finance"
set service "webproxy"
set action isolate
set schedule "always"
set logtraffic all
set isolator-server "isolator"
set utm-status enable
set ssl-ssh-profile "deep-custom"
set av-profile "av"
next
end

4. Generate traffic for the proxy policies and go to Log & Report > Forward Traffic in the GUI to review the logs:
a. When accessing www.fortinet.com, the traffic hits proxy policy 1 and is accepted.
Since the traffic matches the destination address, it goes to the forward server and then to the internet. A traffic
log is generated with the action set to accept.

b. When accessing www.cibc.com, the traffic hits proxy policy 3 and is isolated.
Since the traffic matches the destination address, it goes to the isolator server and then to the internet. A traffic

log is generated with the action set to isolate.

GUI support of isolator servers for proxy policies - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


• Isolator servers in proxy policies

Isolator servers can be configured for explicit and transparent proxy policies in the GUI. For more information on isolator
servers, see Isolator servers in proxy policies 7.6.1 on page 165.

To configure an isolator server in the GUI:

1. Go to Network > Explicit Proxy.


2. Enable Explicit Web Proxy and scroll to FortiIsolator Servers.

3. Click Create New.

4. Configure the isolator server.


5. Click OK.
6. Configure the other explicit proxy fields, as needed, and click Apply.
7. Apply the isolator server to a proxy policy:
a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set the Type to Explicit Web or Transparent Web.
d. Set Action to Isolate.
e. Set FortiIsolator server to the new server you configured.
f. Configure other proxy policy fields, as needed.
g. Click OK.

SD-WAN

This section includes information about SD-WAN related new features:


• Overlays and underlays on page 170
• Performance SLA on page 196
• Service rules on page 236

Overlays and underlays

This section includes information about overlay and underlay related new features:
• ADVPN 2.0 enhancements on page 170
• ADVPN 2.0 overlay placeholders for shortcuts between spokes 7.6.1 on page 177
• SD-WAN Setup wizard for guided configuration 7.6.1 on page 185
• Fabric Overlay Orchestrator Topology dashboard widget for hub FortiGates 7.6.3 on page 193

ADVPN 2.0 enhancements

This information is also available in the FortiOS 7.6 Administration Guide:


• ADVPN 2.0 edge discovery and path management

ADVPN 2.0 operation has been enhanced for SD-WAN. ADVPN 2.0 edge discovery and path management was
introduced in FortiOS 7.4.2. See ADVPN 2.0 edge discovery and path management.
The following enhancements have been added:
• The local spoke directly sends a shortcut-query to a remote spoke to trigger a shortcut after ADVPN 2.0 path
management makes a path decision.
• ADVPN 2.0 path management can trigger multiple shortcuts for load balancing SD-WAN rules. Traffic can be load
balanced over these multiple shortcuts to use as much of the available WAN bandwidth as possible without wasting
idle links if they are healthy. The algorithm to calculate multiple shortcuts for the load balancing service will consider
transport group and in-SLA status for both local and remote parent overlays.
• Spokes can automatically deactivate all shortcuts connecting to the same spoke when user traffic is not observed
for a specified time interval. This is achieved by enabling a shared idle timeout setting in the IPsec VPN Phase 1
interface settings for associated overlays.

CLI

The following commands configure the shared idle timeout for overlays used by ADVPN. The only new command is set
shared-idle-timeout.

config vpn ipsec phase1-interface
edit <phase1-interface name>
set idle-timeout {enable | disable}
set shared-idle-timeout {enable | disable}
set idle-timeoutinterval <integer>
next
end

set idle-timeout {enable | disable}
    Enable/disable IPsec tunnel idle timeout (default = disable). Must be set to enable when
    shared-idle-timeout is enabled.
set shared-idle-timeout {enable | disable}
    Enable/disable shared-idle-timeout on involved overlays (default = disable).
set idle-timeoutinterval <integer>
    IPsec tunnel idle timeout, in minutes (5 - 43200, default = 5).

The previous SD-WAN CLI commands continue to be used for configuring ADVPN 2.0. See SD-WAN CLI configuration.
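The dependency stated in the table above (shared-idle-timeout requires idle-timeout enable, with idle-timeoutinterval between 5 and 43200) and the action isolate / isolator-server pairing from the proxy policy topics earlier in this section are easy to check mechanically before a config is pushed. The following Python lint is an added example, not Fortinet code: it parses a FortiOS-style config dump (constructed sample inline) with a minimal config/edit/set/next/end parser and reports the overlays and proxy policies that break those rules; the transparent-web proxy type name is assumed as the CLI counterpart of the Transparent Web policy type.

```python
"""Lint a FortiOS-style config dump for the dependencies this page describes (added example,
not Fortinet code): shared-idle-timeout enable needs idle-timeout enable and an
idle-timeoutinterval within 5-43200; action isolate should name an isolator-server, which
only applies to explicit-web or transparent-web proxy policies (transparent-web assumed)."""
import shlex
from typing import Any, Dict, List, Optional

# Constructed sample: H1_T11 is correct, H1_T22 breaks both phase1 rules, proxy-policy 1 is a
# normal forward-server policy, and proxy-policy 3 isolates without naming a server.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "H1_T11"
        set idle-timeout enable
        set shared-idle-timeout enable
        set idle-timeoutinterval 5
    next
    edit "H1_T22"
        set shared-idle-timeout enable
        set idle-timeoutinterval 3
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set action accept
        set webproxy-forward-server "fgt-b"
    next
    edit 3
        set proxy explicit-web
        set action isolate
    next
end
"""

ISOLATOR_PROXY_TYPES = {"explicit-web", "transparent-web"}  # transparent-web is assumed


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse config/edit/set/next/end blocks into {table: {entry: {attribute: [values]}}}."""
    tokens = [shlex.split(line) for line in text.splitlines() if line.strip()]
    pos = 0

    def parse_block(closer: Optional[str]) -> Dict[str, Any]:
        nonlocal pos
        items: Dict[str, Any] = {}
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok[0] == closer:
                return items
            if tok[0] == "edit":
                items[tok[1]] = parse_block("next")
            elif tok[0] == "config":  # nested table, e.g. 'config sla' inside an edit
                items[" ".join(tok[1:])] = parse_block("end")
            elif tok[0] == "set":  # table-level sets are stored beside the entries
                items[tok[1]] = tok[2:]
            else:
                raise ValueError(f"unexpected line: {' '.join(tok)}")
        if closer is not None:
            raise ValueError(f"missing '{closer}'")
        return items

    return parse_block(None)


def lint(tables: Dict[str, Any]) -> List[str]:
    """Return one finding string per violated rule."""
    findings: List[str] = []
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        if not isinstance(p1, dict):
            continue  # skip table-level settings
        shared = p1.get("shared-idle-timeout", ["disable"])[0]
        idle = p1.get("idle-timeout", ["disable"])[0]
        interval = int(p1.get("idle-timeoutinterval", ["5"])[0])  # page default = 5
        if shared == "enable" and idle != "enable":
            findings.append(f"phase1-interface {name}: shared-idle-timeout needs idle-timeout enable")
        if not 5 <= interval <= 43200:
            findings.append(f"phase1-interface {name}: idle-timeoutinterval {interval} outside 5-43200")
    for pid, pol in tables.get("firewall proxy-policy", {}).items():
        if not isinstance(pol, dict):
            continue
        action = pol.get("action", [""])[0]
        isolator = pol.get("isolator-server", [])
        proxy = pol.get("proxy", [""])[0]
        if action == "isolate" and not isolator:
            findings.append(f"proxy-policy {pid}: action isolate but no isolator-server set")
        if isolator and proxy not in ISOLATOR_PROXY_TYPES:
            findings.append(f"proxy-policy {pid}: isolator-server on proxy type {proxy!r}")
    return findings


def lint_text(config_text: str) -> List[str]:
    return lint(parse_fortios(config_text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print(finding)
```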

Example

This example relies on the same network topology used in the previous ADVPN 2.0 topic, except for Spoke 1 having a
single SD-WAN Rule/Service using the load balancing strategy with SLA targets. For details, see Network Topology and
Load balancing strategy with SLA targets.
Recall the network topology is as follows:
• Standard Hub-Spoke topology
• The topology has two spokes, and each spoke has three overlays to Hub. Two overlays are created on internet
links, and another overlay is created on the MPLS link.
• BGP neighbor per overlay is established between spoke and hub.

SD-WAN configuration, selected IPsec configuration, and health check status

This section shows the SD-WAN configuration, selected IPsec configuration, and health check status on Spoke 1 (page
171) and Spoke 2 (page 173).

Spoke 1:

config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "overlay"
set advpn-select enable
set advpn-health-check "HUB"
next
end
config members
edit 1
set interface "H1_T11"
set zone "overlay"
set transport-group 1

next
edit 2
set interface "H1_T22"
set zone "overlay"
set transport-group 1
next
edit 3
set interface "H1_T33"
set zone "overlay"
set transport-group 2
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set members 1 2 3
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
next
end
next
end
config service
edit 1
set name "1"
set load-balance enable
set mode sla
set dst "CORP_LAN"
set src "CORP_LAN"
config sla
edit "HUB"
set id 1
next
end
set priority-members 1 2 3
next
end
end
config vpn ipsec phase1-interface
edit "H1_T11"
...
set idle-timeout enable
set shared-idle-timeout enable
set idle-timeoutinterval 5
...
next
end

config vpn ipsec phase1-interface
edit "H1_T22"
...
set idle-timeout enable
set shared-idle-timeout enable
set idle-timeoutinterval 5

...
next
end

config vpn ipsec phase1-interface
edit "H1_T33"
...
set idle-timeout enable
set shared-idle-timeout enable
set idle-timeoutinterval 5
...
next
end

# diagnose system sdwan health-check
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(0.223), jitter(0.018), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1
Seq(2 H1_T22): state(alive), packet-loss(0.000%) latency(0.191), jitter(0.009), mos(4.404),
bandwidth-up(999993), bandwidth-dw(999998), bandwidth-bi(1999991) sla_map=0x1
Seq(3 H1_T33): state(alive), packet-loss(0.000%) latency(0.139), jitter(0.007), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1

Spoke 2:

config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "overlay"
set advpn-select enable
set advpn-health-check "HUB"
next
end
config members
edit 1
set interface "H1_T11"
set zone "overlay"
set transport-group 1
next
edit 2
set interface "H1_T22"
set zone "overlay"
set transport-group 1
next
edit 3
set interface "H1_T33"
set zone "overlay"
set transport-group 2
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set members 3 1 2

config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
next
end
next
end
end
config vpn ipsec phase1-interface
edit "H1_T11"
...
set idle-timeout enable
set shared-idle-timeout enable
set idle-timeoutinterval 5
...
next
end

config vpn ipsec phase1-interface
edit "H1_T22"
...
set idle-timeout enable
set shared-idle-timeout enable
set idle-timeoutinterval 5
...
next
end

config vpn ipsec phase1-interface
edit "H1_T33"
...
set idle-timeout enable
set shared-idle-timeout enable
set idle-timeoutinterval 5
...
next
end

# diagnose system sdwan health-check
Health Check(HUB):
Seq(3 H1_T33): state(alive), packet-loss(0.000%) latency(0.148), jitter(0.021), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(0.183), jitter(0.010), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1
Seq(2 H1_T22): state(alive), packet-loss(0.000%) latency(0.163), jitter(0.005), mos(4.404),
bandwidth-up(999994), bandwidth-dw(999998), bandwidth-bi(1999992) sla_map=0x1

Scenario: traffic matching SD-WAN rule 1

In this scenario, PC1 connected to Spoke 1 initiates an ICMP ping destined for PC1 connected to Spoke 2. Therefore,
this user traffic matches SD-WAN rule 1 and triggers shortcut path selection and establishment.
On Spoke 1, in the IKE debug (diagnose debug application ike -1), debug messages indicate that multiple
direct shortcut-query packets are being sent to Spoke 2:

ike :VWL_ADVPN_MSG_T_TRIGGER
ike V=root:0 looking up shortcut by addr 172.31.80.2, resp-name:H1_T11, name H1_T22, peer-
addr 172.31.3.101:0
ike V=root:0:H1_T22: send shortcut-query
...
ike :VWL_ADVPN_MSG_T_TRIGGER
ike V=root:0 looking up shortcut by addr 172.31.81.2, resp-name:H1_T22, name H1_T22, peer-
addr 172.31.3.105:0
ike V=root:0:H1_T22: send shortcut-query
...
ike :VWL_ADVPN_MSG_T_TRIGGER
ike V=root:0 looking up shortcut by addr 172.31.82.2, resp-name:H1_T33, name H1_T33, peer-
addr 172.31.4.101:0
ike V=root:0:H1_T33: send shortcut-query
...

From the diagnostic command on Spoke 1, observe that multiple shortcuts (the H1_T11_0, H1_T11_1, H1_T22_0, H1_T22_1,
and H1_T33_0 sub-interfaces listed below) are triggered based on the ADVPN 2.0 path management calculation, in which
in-SLA overlays within the same transport group were selected.
Branch1_FGT# diagnose system sdwan service4
Service(1): Address Mode(IPV4) flags=0x24200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 3
Gen(69), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla hash-
mode=round-robin)
Member sub interface(8):
1: seq_num(1), interface(H1_T11):
1: H1_T11_0(103)
2: H1_T11_1(104)
2: seq_num(2), interface(H1_T22):
1: H1_T22_0(105)
2: H1_T22_1(106)
3: seq_num(3), interface(H1_T33):
1: H1_T33_0(100)
Members(8):
1: Seq_num(1 H1_T11 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
2: Seq_num(2 H1_T22 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
3: Seq_num(3 H1_T33 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
4: Seq_num(3 H1_T33_0 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
5: Seq_num(1 H1_T11_0 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
6: Seq_num(1 H1_T11_1 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
7: Seq_num(2 H1_T22_0 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
8: Seq_num(2 H1_T22_1 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
Src address(1):
10.0.0.0-10.255.255.255
Dst address(1):
10.0.0.0-10.255.255.255

From the diagnostic command on Spoke 2, observe the shortcut sub-interfaces (H1_T33_0, H1_T11_0, H1_T11_1, H1_T22_0,
and H1_T22_1) listed alongside their parent overlays:

Branch2_FGT# diagnose system sdwan health-check
Health Check(HUB):
Seq(3 H1_T33): state(alive), packet-loss(0.000%) latency(0.137), jitter(0.021), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998) sla_map=0x1
Seq(3 H1_T33_0): state(alive), packet-loss(0.000%) latency(0.163), jitter(0.047), mos
(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000) sla_map=0x1
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(0.186), jitter(0.014), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998) sla_map=0x1
Seq(1 H1_T11_0): state(alive), packet-loss(0.000%) latency(0.262), jitter(0.032), mos(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000) sla_map=0x1
Seq(1 H1_T11_1): state(alive), packet-loss(0.000%) latency(0.255), jitter(0.037), mos
(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000) sla_map=0x1
Seq(2 H1_T22): state(alive), packet-loss(0.000%) latency(0.167), jitter(0.009), mos(4.404),
bandwidth-up(999995), bandwidth-dw(999999), bandwidth-bi(1999994) sla_map=0x1
Seq(2 H1_T22_0): state(alive), packet-loss(0.000%) latency(0.232), jitter(0.013), mos
(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000) sla_map=0x1
Seq(2 H1_T22_1): state(alive), packet-loss(0.000%) latency(0.257), jitter(0.021), mos
(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000) sla_map=0x1

At this point, PC1 connected to Spoke 1 initiated multiple ICMP pings destined for PC1 connected to Spoke 2. The
packet capture diagnostic command on Spoke 1 demonstrates that these ICMP pings have been load balanced over all
shortcuts:
Branch1_FGT# diagnose sniffer packet any 'host 10.0.4.2' 4
interfaces=[any]
filters=[host 10.0.4.2]
3.481994 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
3.482103 H1_T11_1 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
3.482799 H1_T11_1 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
3.482928 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
4.614480 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
4.614580 H1_T33_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
4.615122 H1_T33_0 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
4.615152 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
5.286394 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
5.286497 H1_T22_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
5.287129 H1_T22_0 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
5.287155 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
6.079759 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
6.079883 H1_T22_1 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
6.080496 H1_T22_1 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
6.080537 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
7.983357 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
7.983447 H1_T11_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
7.984078 H1_T11_0 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
7.984120 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
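For a repeatable check of what the two diagnostic outputs above show, the following Python helper (an added example, not part of this guide) parses the health-check and sniffer formats printed above: shortcuts are recognised as <parent>_<n> entries listed under the parent's Seq number, kept only when alive and in SLA (bit sla_id - 1 of sla_map), and matched against outbound echo requests per shortcut so that an eligible shortcut carrying no traffic stands out. The sample lines are constructed in the page's format and include one out-of-SLA shortcut and one dead overlay to show the exclusions.

```python
"""Check that ADVPN 2.0 shortcuts are alive, in SLA and carrying load-balanced traffic
(added example, not Fortinet code). Parses the text formats of 'diagnose system sdwan
health-check' and 'diagnose sniffer packet ... 4' shown on this page."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in the health-check format: three parent overlays, five shortcut
# sub-interfaces (H1_T22_1 out of SLA) and one dead overlay that has no shortcuts.
HEALTH_CHECK = """\
Health Check(HUB):
Seq(3 H1_T33): state(alive), packet-loss(0.000%) latency(0.137), jitter(0.021), mos(4.404), sla_map=0x1
Seq(3 H1_T33_0): state(alive), packet-loss(0.000%) latency(0.163), jitter(0.047), mos(4.404), sla_map=0x1
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(0.186), jitter(0.014), mos(4.404), sla_map=0x1
Seq(1 H1_T11_0): state(alive), packet-loss(0.000%) latency(0.262), jitter(0.032), mos(4.404), sla_map=0x1
Seq(1 H1_T11_1): state(alive), packet-loss(0.000%) latency(0.255), jitter(0.037), mos(4.404), sla_map=0x1
Seq(2 H1_T22): state(alive), packet-loss(0.000%) latency(0.167), jitter(0.009), mos(4.404), sla_map=0x1
Seq(2 H1_T22_0): state(alive), packet-loss(0.000%) latency(0.232), jitter(0.013), mos(4.404), sla_map=0x1
Seq(2 H1_T22_1): state(alive), packet-loss(0.000%) latency(0.257), jitter(0.021), mos(4.404), sla_map=0x0
Seq(13 Placeholder_MPLS_1): state(dead), packet-loss(100.000%), sla_map=0x0
"""
# Constructed sample in the sniffer format: one echo request per shortcut except H1_T22_1.
SNIFFER = """\
interfaces=[any]
filters=[host 10.0.4.2]
3.481994 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
3.482103 H1_T11_1 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
3.482799 H1_T11_1 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
3.482928 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
4.614580 H1_T33_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
5.286497 H1_T22_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
7.983447 H1_T11_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
"""

SEQ_RE = re.compile(r"Seq\((\d+) (\S+)\): state\((\w+)\)")
SNIFF_RE = re.compile(r"^\s*[\d.]+ (\S+) (in|out) (\S+) -> (\S+): (.+)$")


@dataclass
class Member:
    seq: int
    name: str
    state: str
    sla_map: int

    def in_sla(self, sla_id: int) -> bool:
        # sla_map is a bitmask; bit (sla_id - 1) is set when that SLA target is met, which is
        # why the page's output shows sla_map=0x1 for the single SLA with id 1.
        return self.state == "alive" and bool(self.sla_map & (1 << (sla_id - 1)))


def parse_health_check(text: str) -> Dict[str, Member]:
    """Return health-check members keyed by interface name."""
    members: Dict[str, Member] = {}
    for line in text.splitlines():
        m = SEQ_RE.search(line)
        if m:
            sla = re.search(r"sla_map=0x([0-9a-fA-F]+)", line)
            members[m[2]] = Member(int(m[1]), m[2], m[3], int(sla[1], 16) if sla else 0)
    return members


def parent_of(name: str, members: Dict[str, Member]) -> Optional[str]:
    """Shortcuts appear as <parent>_<n> under the parent's Seq number (H1_T11_0 under Seq 1)."""
    m = re.fullmatch(r"(.+)_(\d+)", name)
    if m and m[1] in members and members[m[1]].seq == members[name].seq:
        return m[1]
    return None


def count_egress_requests(sniffer_text: str) -> Counter:
    """Count outbound ICMP echo requests per egress interface in sniffer output."""
    counts: Counter = Counter()
    for line in sniffer_text.splitlines():
        m = SNIFF_RE.match(line)
        if m and m[2] == "out" and m[5].startswith("icmp: echo request"):
            counts[m[1]] += 1
    return counts


def shortcut_report(health_text: str, sniffer_text: str, sla_id: int = 1) -> dict:
    """Map shortcuts to parents and flag in-SLA shortcuts that carried no traffic."""
    members = parse_health_check(health_text)
    egress = count_egress_requests(sniffer_text)
    shortcuts = {n: p for n in members if (p := parent_of(n, members))}
    eligible = sorted(n for n in shortcuts if members[n].in_sla(sla_id))
    return {
        "shortcuts": shortcuts,
        "eligible": eligible,
        "out_of_sla": sorted(n for n in shortcuts if n not in eligible),
        "dead_overlays": sorted(n for n in members if n not in shortcuts and members[n].state != "alive"),
        "egress": {n: egress[n] for n in shortcuts},
        "idle_eligible": [n for n in eligible if egress[n] == 0],
    }


if __name__ == "__main__":
    for key, value in shortcut_report(HEALTH_CHECK, SNIFFER).items():
        print(f"{key}: {value}")
```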

When no user traffic traverses the shortcuts for the idle timeout interval, the diagnostic command on Spoke 1 shows
that all shortcuts have been removed:
Branch1_FGT# diagnose system sdwan service4
Service(1): Address Mode(IPV4) flags=0x24200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 3
Gen(16), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla hash-
mode=round-robin)
Members(3):
1: Seq_num(1 H1_T11 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
2: Seq_num(2 H1_T22 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
3: Seq_num(3 H1_T33 overlay), alive, sla(0x1), gid(2), num of pass(1), selected
Src address(1):
10.0.0.0-10.255.255.255
Dst address(1):
10.0.0.0-10.255.255.255

ADVPN 2.0 overlay placeholders for shortcuts between spokes - 7.6.1

Hubs are not necessarily connected to all the same underlay transports as spokes. ADVPN 2.0 can now use overlay
placeholders to trigger shortcuts between spokes over transports to which hubs are not connected. As long as the path is
in-SLA and is the best quality, ADVPN 2.0 uses the overlay placeholders to establish a shortcut tunnel.
Shortcut tunnels require each spoke to be configured with these CLI commands:
config vpn ipsec phase1-interface
edit <placeholder_phase1_interface_name>
set type dynamic
...
set net-device enable
...
set auto-discovery-dialup-placeholder {enable | disable}
next
end

set auto-discovery-dialup-placeholder {enable | disable}
    Enable/disable overlay placeholder tunnels (default = disable).

Example

In this SD-WAN example with ADVPN 2.0 enabled, Spoke-1 and Spoke-2 have regular parent tunnels (H1_T11) to the
Hub. Spoke-1 and Spoke-2 also have placeholder parent tunnels configured (Placeholder_MPLS_1), where
auto-discovery-dialup-placeholder is enabled and remote-gateway isn't statically specified.
Traffic is sent from PC-1 to PC-2. The first traffic goes through the Hub and triggers a SHORTCUT_QUERY/SHORTCUT_REPLY
exchange with the Hub. When Spoke-1 receives the SHORTCUT_REPLY message, which includes SD-WAN information about
Spoke-2, Spoke-1 calculates and creates the shortcut between the regular parent tunnels and also triggers a shortcut
between the placeholder parent tunnels.
Health-checks, which are automatically running on the regular shortcut and the placeholder shortcut, help decide which
interface to use for forwarding the remaining traffic.

Settings on the spoke relevant to the example:

config vpn ipsec phase1-interface
edit <placeholder_phase1_interface_name>
set type dynamic
...
set net-device enable
...
set auto-discovery-dialup-placeholder enable
next
end

To enable overlay placeholder tunnels on Spoke-1 and Spoke-2:

1. Configure key components on Spoke-1:


a. Configure a parent tunnel and a placeholder tunnel:
Tunnel H1_T11 is the parent tunnel, and tunnel Placeholder_MPLS_1 is the placeholder tunnel:
config vpn ipsec phase1-interface
edit "H1_T11"
set interface "port1"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set exchange-ip-addr4 172.31.0.65
set proposal aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set encapsulation vpn-id-ipip

set network-overlay enable
set network-id 11
set transport udp
set remote-gw 172.31.1.1
set psksecret ENC
fRkYaHGx3MoAASxMsHoJSObbOfphOmBntEpKhZAY8/9OjjqJxbmTehe4Z7LOGTvjFRXTULiPBkfPupnr0JtB
o0KJb0IoUfJ8zWU3mJttCyfHNaDBXG/t5d0D93iu3ZlRoSs1EBRD7KX5fO1QnSHm0maXTJZzrKLWVSaRztdO
F246z/RbEXFzlm4+64ccLHG/3X/Ha1lmMjY3dkVA
set dpd-retryinterval 5
next
edit "Placeholder_MPLS_1"
set type dynamic
set interface "port3"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set exchange-ip-addr4 172.31.0.65
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set auto-discovery-dialup-placeholder enable
set encapsulation vpn-id-ipip
set network-overlay enable
set network-id 250
set transport udp
set psksecret ENC
e3XlBFTNA+fk4Kn7NMLfzJLgU0Pk6ssX9oJ7VSA2Q371x+oqIRSomFhRyZiErb1j07FmGT/lPUFHAB2BJG7v
hNIh0SSjEqThai8rIKWqHsIpjHwUAM0/maBzH1iTXZAyjEX0vFiu65QSLAoQzfgXkfX16P82Q1gjIim/GX4p
hzA+cIYJnfegbqXylFg4fxkqCrYFGFlmMjY3dkVA
set dpd-retryinterval 60
next
end

b. Configure SD-WAN:
Enable ADVPN 2.0 and health-checks for the overlay. Configure the SD-WAN members and their transport
groups.
config system sdwan
set status enable
config zone
edit "overlay"
set advpn-select enable
set advpn-health-check "HUB"
next
end
config members
edit 4
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.65
set priority 10
set transport-group 1

next
edit 13
set interface "Placeholder_MPLS_1"
set zone "overlay"
set source 172.31.0.65
set priority 10
set transport-group 2
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set members 4 13
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
next
end
next
end
config service
edit 1
set name "1"
set mode sla
set dst "spoke-2_LAN-1"
set src "spoke-1_LAN-1"
config sla
edit "HUB"
set id 1
next
end
set priority-members 4 13
next
end
end

2. Configure key components on Spoke-2:


a. Configure a parent tunnel and a placeholder tunnel:
Tunnel H1_T11 is the parent tunnel, and tunnel Placeholder_MPLS_1 is the placeholder tunnel:
config vpn ipsec phase1-interface
edit "H1_T11"
set interface "port1"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set exchange-ip-addr4 172.31.0.66
set proposal aes256gcm-prfsha384
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set encapsulation vpn-id-ipip

set network-overlay enable
set network-id 11
set transport udp
set remote-gw 172.31.1.1
set psksecret ENC
7tP6FktH3z3nIpiGoANS/PbxfMOeLf0KCp65MbG2/yBmeAZz0XXcF9XMbnfBtaWhZhoTnGx086ST1aRmLDxC
fVu/BM6S+j1XOUSxSZb6xgwRoaQsFTFaXq/8PYjUzJK7SdPZiJDsCrGaslMR/mTLzFTasA4y9YGteJM+tELW
5K0C6Ntrwlq8UnAtrdFMGN/3BrLNyllmMjY3dkVA
set dpd-retryinterval 5
next
edit "Placeholder_MPLS_1"
set type dynamic
set interface "port3"
set ike-version 2
set keylife 28800
set peertype any
set net-device enable
set exchange-ip-addr4 172.31.0.66
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set auto-discovery-dialup-placeholder enable
set encapsulation vpn-id-ipip
set network-overlay enable
set network-id 250
set transport udp
set psksecret ENC
Un++iggqXo1wU8fAArjS9JY5rsAcd8+Xw3WR7MtRVLU0BpXT56bAwrP6wQ4gpMt32ABTQ/mAddlq1Mq5LxCV
0X+lYaxj2vVIulTb1n71Wn1WeTbDXjiTzDbrMnp4fM9+1uBKwy+RJ+u782IpI9WRhCWE/H4LNgZhYzUmyluT
CouNoBpJyzdJrekAXOtSvxLJfju/7FlmMjY3dkVA
set dpd-retryinterval 60
next
end

b. Configure SD-WAN:
Enable ADVPN 2.0 and health-checks for the overlay. Configure the SD-WAN members and their transport
groups. The internet overlay (H1_T11) is added to transport group 1, and the MPLS overlay (Placeholder_MPLS_1) is
added to transport group 2.
config system sdwan
set status enable
config zone
edit "overlay"
set advpn-select enable
set advpn-health-check "HUB"
next
end
config members
edit 4
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.66
set priority 10
set transport-group 1
next
edit 13
set interface "Placeholder_MPLS_1"
set zone "overlay"
set source 172.31.0.66
set priority 10
set transport-group 2
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set members 4 13
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
next
end
next
end
end

To check the health status and traffic:

1. Check the health status on Spoke-1 and Spoke-2, and check the SD-WAN status of Spoke-1:
a. Check the health of Spoke-1:
The placeholder tunnel (Placeholder_MPLS_1) is dead.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(0.235), jitter(0.011), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Seq(13 Placeholder_MPLS_1): state(dead), packet-loss(100.000%), sla_map=0x0

b. Check the health of Spoke-2:
The placeholder tunnel (Placeholder_MPLS_1) is dead.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(0.250), jitter(0.041), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Seq(13 Placeholder_MPLS_1): state(dead), packet-loss(100.000%), sla_map=0x0

c. Check the SD-WAN status of Spoke-1:
# diagnose sys sdwan service4
Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 3
Gen(21), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(4 H1_T11 overlay), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(13 Placeholder_MPLS_1 overlay), dead, sla(0x0), gid(0), cfg_order(1), local cost(0)
Src address(1):
10.0.3.0-10.0.3.255
Dst address(1):
10.0.4.0-10.0.4.255

2. Send traffic from PC-1 to PC-2:
When Spoke-1 receives the SHORTCUT_REPLY message, which includes SD-WAN information about Spoke-2, Spoke-1 calculates and creates the shortcut between the regular parent tunnels, and this also triggers a shortcut between the placeholder tunnels.
a. Check the health of Spoke-1:
The health-check is automatically running on the regular shortcut (H1_T11_0) and on the placeholder shortcut (Placeholder_MPLS_1_0).
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(0.239), jitter(0.017), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Seq(4 H1_T11_0): state(alive), packet-loss(0.000%), latency(0.260), jitter(0.010), mos(4.404), bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998), sla_map=0x1
Seq(13 Placeholder_MPLS_1): state(dead), packet-loss(100.000%), sla_map=0x0
Seq(13 Placeholder_MPLS_1_0): state(alive), packet-loss(0.000%), latency(0.139), jitter(0.006), mos(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000), sla_map=0x1

b. Check the health of Spoke-2:
The health-check is automatically running on the regular shortcut (H1_T11_0) and on the placeholder shortcut (Placeholder_MPLS_1_0).
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(0.214), jitter(0.012), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995), sla_map=0x1
Seq(4 H1_T11_0): state(alive), packet-loss(0.000%), latency(0.296), jitter(0.030), mos(4.404), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997), sla_map=0x1
Seq(13 Placeholder_MPLS_1): state(dead), packet-loss(100.000%), sla_map=0x0
Seq(13 Placeholder_MPLS_1_0): state(alive), packet-loss(0.000%), latency(0.159), jitter(0.023), mos(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000), sla_map=0x1

c. Check the SD-WAN status of Spoke-1:
The regular shortcut (H1_T11_0 overlay) is preferred.
# diagnose sys sdwan service4
Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 3
Gen(33), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Member sub interface(4):
3: seq_num(4), interface(H1_T11):
1: H1_T11_0(1152)
4: seq_num(13), interface(dummy_MPLS_1):
1: dummy_MPLS_1_0(1153)
Members(4):
1: Seq_num(4 H1_T11_0 overlay), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(13 Placeholder_MPLS_1_0 overlay), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
3: Seq_num(4 H1_T11 overlay), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
4: Seq_num(13 Placeholder_MPLS_1 overlay), dead, sla(0x0), gid(0), cfg_order(1), local cost(0)
Src address(1):
10.0.3.0-10.0.3.255
Dst address(1):
10.0.4.0-10.0.4.255

3. Diagnose the sniffer packet:
The first few packets travel over the regular parent tunnel (H1_T11), and then the packets switch to the regular shortcut tunnel (H1_T11_0).
# diagnose sniffer packet any 'host 10.0.4.2' 4
interfaces=[any]
filters=[host 10.0.4.2]
4.967575 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
4.967976 H1_T11 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
4.969587 H1_T11 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
4.969629 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
5.968744 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
5.968838 H1_T11 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
5.969785 H1_T11 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
5.969842 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
6.969970 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
6.970187 H1_T11 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
9.969251 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
9.969366 H1_T11_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
9.970229 H1_T11_0 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
9.970278 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
10.969982 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
10.970199 H1_T11_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request

4. When the regular shortcut tunnel (H1_T11_0) is out of SLA, traffic switches to the placeholder shortcut tunnel (Placeholder_MPLS_1_0).
a. Diagnose the SD-WAN service:
The placeholder shortcut tunnel (Placeholder_MPLS_1_0) is preferred, and the regular shortcut tunnel (H1_T11_0 overlay) is out of SLA.
# diagnose sys sdwan service4
Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
Tie break: cfg
Shortcut priority: 3
Gen(87), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(sla), sla-compare-order
Member sub interface(4):
2: seq_num(4), interface(H1_T11):
1: H1_T11_0(1167)
4: seq_num(13), interface(Placeholder_MPLS_1):
1: Placeholder_MPLS_1_0(1168)
Members(4):
1: Seq_num(13 Placeholder_MPLS_1_0 overlay), alive, sla(0x1), gid(0), cfg_order(1), local cost(0), selected
2: Seq_num(4 H1_T11 overlay), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
3: Seq_num(4 H1_T11_0 overlay), alive, sla(0x0), gid(0), cfg_order(0), local cost(0), selected
4: Seq_num(13 Placeholder_MPLS_1 overlay), dead, sla(0x0), gid(0), cfg_order(1), local cost(0)
Src address(1):
10.0.3.0-10.0.3.255
Dst address(1):
10.0.4.0-10.0.4.255

b. Sniff the packet to see the traffic switch to the placeholder shortcut tunnel (Placeholder_MPLS_1_0):
# diagnose sniffer packet any 'host 10.0.4.2' 4
interfaces=[any]
filters=[host 10.0.4.2]
17.356165 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
17.356261 Placeholder_MPLS_1_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
17.356857 Placeholder_MPLS_1_0 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
17.356913 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply
18.361038 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
18.361247 Placeholder_MPLS_1_0 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
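To make the member ordering in the service4 outputs above easier to reason about, the following is an added Python example; it is not code from this guide or from Fortinet. It parses diagnose sys sdwan health-check output in the format shown in this section and ranks the members with a simplified model inferred from those outputs: alive before dead, in-SLA before out-of-SLA, an ADVPN shortcut before its parent tunnel, then config order. That ordering is an assumption made for illustration, not the documented FortiOS selection algorithm, and both sample outputs are constructed (the second one forces the regular shortcut out of SLA, as in step 4).

```python
"""Rank SD-WAN members from "diagnose sys sdwan health-check" output.

Added example, not FortiOS code. The ranking rule is a simplified model inferred
from the service4 outputs in this section, not the documented algorithm.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Config order of the SD-WAN members in this example (member 4, then member 13).
CFG_ORDER: Dict[str, int] = {"H1_T11": 0, "Placeholder_MPLS_1": 1}

# Constructed sample: every tunnel healthy, both shortcuts up (mirrors Gen(33)).
HC_ALL_IN_SLA = """\
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(0.239), jitter(0.017), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Seq(4 H1_T11_0): state(alive), packet-loss(0.000%), latency(0.260), jitter(0.010), mos(4.404), bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998), sla_map=0x1
Seq(13 Placeholder_MPLS_1): state(dead), packet-loss(100.000%), sla_map=0x0
Seq(13 Placeholder_MPLS_1_0): state(alive), packet-loss(0.000%), latency(0.139), jitter(0.006), mos(4.404), bandwidth-up(1000000), bandwidth-dw(1000000), bandwidth-bi(2000000), sla_map=0x1
"""

# Constructed sample: the regular shortcut's latency exceeds the 100 ms SLA
# threshold, so its sla_map drops to 0x0 (mirrors Gen(87)).
HC_SHORTCUT_OUT_OF_SLA = HC_ALL_IN_SLA.replace(
    "latency(0.260)", "latency(180.260)").replace(
    "bandwidth-bi(1999998), sla_map=0x1", "bandwidth-bi(1999998), sla_map=0x0")


@dataclass
class Member:
    seq: int
    name: str
    alive: bool
    latency_ms: Optional[float]  # None for a dead member (no latency printed)
    sla_map: int

    @property
    def in_sla(self) -> bool:
        # SLA 1 is bit 0 of sla_map; a dead member never meets the SLA.
        return self.alive and bool(self.sla_map & 0x1)


LINE_RE = re.compile(
    r"^Seq\((?P<seq>\d+) (?P<name>[^)]+)\): state\((?P<state>alive|dead)\)"
    r".*sla_map=0x(?P<sla>[0-9a-fA-F]+)$")
LAT_RE = re.compile(r"latency\(([\d.]+)\)")


def parse_health_check(text: str) -> List[Member]:
    """One Member per "Seq(...)" line; the "Health Check(...)" header is skipped."""
    members = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lat = LAT_RE.search(line)
        members.append(Member(int(m["seq"]), m["name"], m["state"] == "alive",
                              float(lat.group(1)) if lat else None, int(m["sla"], 16)))
    return members


def parent_of(name: str, cfg_order: Dict[str, int]) -> str:
    """Shortcuts are named <parent>_<n>; a name present in the config is a parent."""
    return name if name in cfg_order else name.rsplit("_", 1)[0]


def rank_members(members: List[Member], cfg_order: Dict[str, int]) -> List[Member]:
    """Best member first: alive, then in SLA, then shortcut over parent, then config order."""
    def key(m: Member):
        is_shortcut = m.name not in cfg_order
        return (not m.alive, not m.in_sla, not is_shortcut, cfg_order[parent_of(m.name, cfg_order)])
    return sorted(members, key=key)


def preferred_member(text: str, cfg_order: Dict[str, int] = CFG_ORDER) -> str:
    return rank_members(parse_health_check(text), cfg_order)[0].name


def out_of_sla_members(text: str) -> List[str]:
    """Alive members that currently fail the SLA: the condition that triggers failover."""
    return [m.name for m in parse_health_check(text) if m.alive and not m.in_sla]


if __name__ == "__main__":
    for label, text in (("all in SLA", HC_ALL_IN_SLA), ("shortcut out of SLA", HC_SHORTCUT_OUT_OF_SLA)):
        order = [m.name for m in rank_members(parse_health_check(text), CFG_ORDER)]
        print(f"{label}: preferred={order[0]} order={order} out_of_sla={out_of_sla_members(text)}")
```

With the first sample the regular shortcut H1_T11_0 ranks first, as in Gen(33); with the second, Placeholder_MPLS_1_0 moves to the top and H1_T11_0 drops below the parent tunnel, as in Gen(87). The out_of_sla_members result is the condition an operator would alert on, because it is what moves traffic onto the placeholder shortcut.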

SD-WAN Setup wizard for guided configuration - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
• SD-WAN Setup wizard

An SD-WAN Setup wizard is now available on the SD-WAN > SD-WAN Zones page to provide guided configuration of the following settings for a simple SD-WAN setup:
• Interface (the wizard supports a maximum of two interfaces)
• Networking
• Performance SLA
• SD-WAN Rule
After completing the wizard, configure a default static route for the newly created SD-WAN interface.
FortiGate requires a valid SD-WAN Network Monitor (SWNM) entitlement before the SD-WAN Setup wizard is visible. See also FortiGuard SLA database for SD-WAN performance SLA 7.6.1 on page 226.

FortiOS 7.6.0 New Features Guide 185


Fortinet Inc.
SD-WAN

Example

This example describes how to use the SD-WAN Setup wizard to create an SD-WAN configuration with one SD-WAN zone (named Test) and two SD-WAN members (agg1 and vlan100). The wizard also guides you to complete the networking, performance SLA, and SD-WAN rule. After the wizard completes, configure a default static route for the SD-WAN interface.

To use the SD-WAN Setup wizard to configure SD-WAN:

1. Go to the Network > SD-WAN > SD-WAN Zones page to access the wizard:
• When no SD-WAN configuration exists, the following message is displayed. Click Begin SD-WAN setup wizard to access the wizard.
• When an SD-WAN configuration exists, click Create New > SD-WAN Wizard to access the wizard.

The SD-WAN Setup wizard opens on the Interface step.

2. For the Interface step, identify a zone, and select one or two interfaces for the underlay:
The selected interfaces become members of the SD-WAN zone. This example creates a zone named Test and uses two interfaces (agg1 and vlan100).
a. Set SD-WAN Zone to:
• Use Existing and select an existing SD-WAN zone.
Or:
• Create New and type a name for the new SD-WAN zone. In this example, a new zone named Test is created.
b. Click Add a new WAN underlay, select an interface, and click Apply.
c. Click Add a new WAN underlay again, select an interface, and click Apply.
You have added two interfaces to the SD-WAN zone.
d. Click Next to proceed to the Networking step.
3. For the Networking step, set the gateway and priority for each interface, and click Next:

Gateway: Select one of the following methods to assign a gateway IP address to the interface:
• Dynamic: Select to leave the gateway undefined and proceed to the next screen. Can be used with interfaces set to use DHCP as a client.
• Specify: Select to specify an IPv4 or IPv6 address for the gateway.

Cost: Used by the lowest-cost SLA strategy. The link with the lowest cost is chosen to pass traffic. The lowest possible cost is 0.

Fallback priority: Select one of the following methods to define the priority of SD-WAN members:
• Default: Select to use the default, which is the same priority for all SD-WAN members.
• Specify: Select to specify a priority for the SD-WAN member in the Priority box.

Priority: Available when Fallback priority is set to Specify. Specify a priority for the SD-WAN member. Lower values are higher priority. The priority value is used in the static route created for the SD-WAN member's interface.

The wizard moves to the Performance SLA step.

4. For the Performance SLA step, configure health-check for SD-WAN members, and click Next:
Only the fields that you must set before you can proceed are described.

Performance SLA: Select one of the following to choose how to define performance SLA:
• FortiGuard: Select to use the FortiGuard SLA database. Select a predefined server from the Server list, and specify the protocol to use.
• Manual: Select to manually define a server for the SLA.

The wizard moves to the Rule step.

5. For the Rule step, create a service rule, and click Next:

Skip creation of SD-WAN rule and use implicit rule: Enable to use the implicit rule instead of creating an SD-WAN rule.

Interface selection strategy: Available when Skip creation of SD-WAN rule and use implicit rule is disabled. Specify how SD-WAN should select an interface:
• Best quality: Select to use the interface with the best measured performance.
• Lowest cost (SLA): Select to use the interface that meets the defined performance SLA targets. When a tie occurs, the interface with the lowest assigned cost is selected.
• Maximize bandwidth: Traffic is load balanced among interfaces that meet SLA targets.

The wizard moves to the Review step.


6. For the Review step, review the entries, and click Apply to create them:

Zone: Displays the name of the SD-WAN zone that will be created.
Members: Displays the names of the interface members that will be added to the SD-WAN zone.
Performance SLA: Displays the name of the performance SLA configuration that will be used for the SD-WAN configuration.
Rule: Displays the name of the SD-WAN rule that will be used for the SD-WAN configuration.

The entries are created, and the wizard completes.

7. Create a static route for the SD-WAN interface (that is, the SD-WAN zone):
a. Go to Network > Static Routes, and click Create new.
b. Complete the options, and click OK.

8. Review the SD-WAN configuration:
a. Go to Network > SD-WAN > SD-WAN Zones, and view the zone and members that you created.
b. On the SD-WAN Rule tab, view the rule that you created.
c. On the Performance SLAs tab, view the SLA configuration that you created.

Fabric Overlay Orchestrator Topology dashboard widget for hub FortiGates - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
• Fabric Overlay Orchestrator Topology dashboard widget for hub FortiGates

The Fabric Overlay Orchestrator Topology dashboard widget provides an interactive view of hub and spoke devices
previously configured using the Fabric Overlay Orchestrator feature. It can display health-check status, multiple tunnels,
resource usage, shortcuts, and so on.

This dashboard widget is only available on the hub or root FortiGate device.

To enable the Fabric Overlay Orchestrator Topology widget:

1. Go to Dashboard > Status.
2. Click Add widget.
3. Select Fabric Overlay Orchestrator Topology under Security Fabric.
4. Enter the Auto-play speed.
5. Click OK.
6. Click Close.

To review hub and spoke details in the Fabric Overlay Orchestrator Topology widget:

1. Go to Dashboard > Status.
2. Click the Fabric Overlay Orchestrator Topology widget to expand it.
3. Review the topology:
• Select a hub or spoke in the topology to view Details, such as Latency, Jitter, and usage information.
• Hover over a hub or spoke in the topology to view device information, such as Serial Number, Model, and Version information.
• Toggle the display options to define what is displayed.
• Use the + and - to zoom in and out of the topology.

Performance SLA

This section includes information about performance SLA related new features:
• Embed SLA priorities in ICMP probes on page 196
• Embed SLA status in ICMP probes on page 208
• Map SD-WAN member priorities to BGP MED attribute when spoke advertises routes using iBGP to hub 7.6.1 on page 220
• FortiGuard SLA database for SD-WAN performance SLA 7.6.1 on page 226
• Passive monitoring of TCP metrics 7.6.1 on page 230
• Enhanced passive monitoring of TCP metrics 7.6.3 on page 234

Embed SLA priorities in ICMP probes

This information is also available in the FortiOS 7.6 Administration Guide:
• Embedded SD-WAN SLA priorities in ICMP probes

In SD-WAN hub-and-spoke topologies, each spoke can now embed an SLA priority (priority-in-sla and priority-out-sla) in ICMP probes and send them to the hub. The hub can use the SLA priorities received from each spoke to manage route priority for hub-to-spoke traffic.
SLA status can also be embedded in ICMP probes. See Embed SLA status in ICMP probes on page 208 for more information. Prior to FortiOS 7.6.0, only the measured SLA information was embedded in ICMP probes. See Embedded SD-WAN SLA information in ICMP probes for more information.
Spoke-initiated speed tests can also use the embedded information. When a spoke continually embeds an out-of-SLA priority into ICMP probes on the overlay, the hub can use the received out-of-SLA priority to manage route priorities and detour hub-to-spoke user traffic to other tunnels.
For configuration on a spoke, the config system sdwan command includes new options:
config system sdwan
config members
edit <entry>
set priority-in-sla <integer>
set priority-out-sla <integer>
next
end
end

set priority-in-sla <integer>: Preferred priority of routes to this member when this member is in SLA (0 - 65535, default = 0).
set priority-out-sla <integer>: Preferred priority of routes to this member when this member is out of SLA (0 - 65535, default = 0).

Example

The SD-WAN topology with ADVPN and BGP neighbor on loopback is used for the following two examples:
• Path selection based on embedded SLA priorities on page 198
• Speed test rerouting based on embedded SLA priorities on page 204

The examples use the following SD-WAN settings on the spoke and on the hub.

SD-WAN settings on the spoke relevant to the examples:

config system sdwan
set speedtest-bypass-routing enable
config members
edit <id>
set priority-in-sla <value>
set priority-out-sla <value>
next
end
config health-check
edit <name>
set embed-measured-health enable
set sla-id-redistribute <id>
config sla
edit 1
<desired SLA thresholds>
next
end
next
end
end

SD-WAN settings on the hub relevant to the examples:

config system sdwan
config health-check
edit <name>
set detect-mode remote
set sla-id-redistribute <id>
config sla
edit <id>
set link-cost-factor remote
next
end
next
end
end

Path selection based on embedded SLA priorities

In this example, spokes are configured to embed the SLA priority in ICMP probes, and the hub is configured to use the information. With this configuration:
• The spoke's overlay priority on each overlay is embedded in the ICMP probes and transported to the hub.
• The hub sets priorities on IKE routes over different overlays based on the received overlay priorities.
• On the hub, BGP routes, which are used to guide hub-to-spoke traffic, rely on IKE routes to be resolved to tunnels and inherit the priorities from the IKE routes.
• The hub can steer traffic to spokes by resolved BGP routes with different inherited priorities.

To embed SD-WAN SLA status and priorities in ICMP probes:

1. Configure SD-WAN and BGP on Spoke-1 (Branch1_A_FGT):
a. Configure SD-WAN:
config system sdwan
set status enable
set speedtest-bypass-routing enable
config zone
edit "overlay"
next
end
config members
edit 4
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.65
set priority 10
set priority-in-sla 10
set priority-out-sla 20
next
edit 5
set interface "H1_T22"
set zone "overlay"
set source 172.31.0.65
set priority 10
set priority-in-sla 15
set priority-out-sla 25
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set embed-measured-health enable
set sla-id-redistribute 1
set members 4 5
config sla
edit 1
set link-cost-factor latency
set latency-threshold 50
next
end
next
end
end

b. Configure BGP:
config router bgp
set as 65001
set router-id 172.31.0.65
......
config neighbor
edit "172.31.0.1"
......
set remote-as 65001
set update-source "Loopback0"
next
end
config network
edit 1
set prefix 10.0.3.0 255.255.255.0
next
end
......
end

c. View the health-check settings:
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(0.246), jitter(0.015), mos(4.404), bandwidth-up(999998), bandwidth-dw(999996), bandwidth-bi(1999994) sla_map=0x1
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.197), jitter(0.005), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995) sla_map=0x1

2. Configure SD-WAN and BGP on Spoke-2 (Branch2_FGT):
a. Configure SD-WAN:
config system sdwan
set status enable
set speedtest-bypass-routing enable
config zone
edit "overlay"
next
end
config members
edit 4
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.66
set priority 10
set priority-in-sla 30
set priority-out-sla 40
next
edit 5
set interface "H1_T22"
set zone "overlay"
set source 172.31.0.66
set priority 10
set priority-in-sla 35
set priority-out-sla 45
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set embed-measured-health enable
set sla-id-redistribute 1
set members 4 5
config sla
edit 1
set link-cost-factor latency
set latency-threshold 70
next
end
next
end
end

b. Configure BGP:
config router bgp
set as 65001
set router-id 172.31.0.66
......
config neighbor
edit "172.31.0.1"
......
set remote-as 65001
set update-source "Loopback0"
next
end
config network
edit 1
set prefix 10.0.4.0 255.255.255.0
next
end
......
end

c. View the health-check settings:
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(0.230), jitter(0.040), mos(4.404), bandwidth-up(999998), bandwidth-dw(999996), bandwidth-bi(1999994) sla_map=0x1
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.188), jitter(0.007), mos(4.404), bandwidth-up(999998), bandwidth-dw(999996), bandwidth-bi(1999994) sla_map=0x1

3. Configure SD-WAN and BGP on the Hub (DC1_A_FGT):
a. Configure SD-WAN:
config system sdwan
set status enable
config zone
edit "overlay"
next
end
config members
edit 1
set interface "EDGE_T1"
set zone "overlay"
next
edit 2
set interface "EDGE_T2"
set zone "overlay"
next
end
config health-check
edit "Remote_HC"
set detect-mode remote
set sla-id-redistribute 1
set members 1 2
config sla
edit 1
set link-cost-factor remote
next
end
next
end
end

b. Configure BGP:
config router bgp
set as 65001
set router-id 172.31.0.1
set recursive-inherit-priority enable
......
config neighbor-group
edit "EDGE"
set remote-as 65001
set update-source "Loopback0"
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 172.31.0.64 255.255.255.192
set neighbor-group "EDGE"
next
end
......
end

c. View the health-check settings:
The following example shows:
• rmt_ver=2 indicates that SLA information, SLA status, and overlay priority have been received.
• rmt_sla=out indicates that the received SLA status is out of SLA.
• rmt_sla=in indicates that the received SLA status is in SLA.
• rmt_prio indicates the received overlay priority value.
• EDGE_T1_0 is to H1_T11 on Spoke-1, and EDGE_T1_1 is to H1_T11 on Spoke-2.
• EDGE_T2_1 is to H1_T22 on Spoke-1, and EDGE_T2_0 is to H1_T22 on Spoke-2.
# diagnose sys sdwan health-check remote
Remote Health Check: Remote_HC(1)
Passive remote statistics of EDGE_T1(46):
EDGE_T1_0(10.0.0.20): timestamp=06-12 14:04:29, src=172.31.0.65, latency=0.247, jitter=0.028, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=10
EDGE_T1_1(172.31.0.66): timestamp=06-12 14:04:30, src=172.31.0.66, latency=0.246, jitter=0.031, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=30
Remote Health Check: Remote_HC(2)
Passive remote statistics of EDGE_T2(47):
EDGE_T2_0(10.0.0.15): timestamp=06-12 14:04:30, src=172.31.0.66, latency=0.191, jitter=0.008, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=35
EDGE_T2_1(172.31.0.65): timestamp=06-12 14:04:29, src=172.31.0.65, latency=0.201, jitter=0.008, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=15

4. After the spokes' overlay priorities are embedded in ICMP probes and transported to the hub, view the routing tables on the hub.
The hub sets overlay priorities on IKE routes over EDGE_T1 and EDGE_T2. Meanwhile, recursively resolved BGP routes inherit the priorities from those IKE routes.
a. On the hub, get the static routing table:
# get router info routing-table static
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T1 tunnel 10.0.0.20, [10/0]
                 [15/0] via EDGE_T2 tunnel 172.31.0.65, [15/0]
S 172.31.0.66/32 [15/0] via EDGE_T1 tunnel 172.31.0.66, [30/0]
                 [15/0] via EDGE_T2 tunnel 10.0.0.15, [35/0]

b. On the hub, get the BGP routing table:
# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T1 tunnel 10.0.0.20 [10]), 01:15:46
                                      (recursive via EDGE_T2 tunnel 172.31.0.65 [15]), 01:15:46, [1/0]
B 10.0.4.0/24 [200/0] via 172.31.0.66 (recursive via EDGE_T1 tunnel 172.31.0.66 [30]), 01:13:46
                                      (recursive via EDGE_T2 tunnel 10.0.0.15 [35]), 01:13:46, [1/0]

5. Change the latency on Spoke-1 and Spoke-2, and view the results.
a. On Spoke-1, increase H1_T11's latency to 60 to make it out of SLA.
b. On Spoke-2, increase H1_T11's latency to 80 to make it out of SLA.
c. On Spoke-1, run a health check:
Branch1_A_FGT (root) (Interim)# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(60.247), jitter(0.036), mos(4.373), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995) sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.218), jitter(0.016), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996) sla_map=0x

d. On Spoke-2, run a health check:
Branch2_FGT (root) (Interim)# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(80.217), jitter(0.022), mos(4.361), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996) sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.202), jitter(0.016), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995) sla_map=0x1

6. After the hub receives the updated overlay priorities, run a health check on the hub and view the routing tables.
The hub has updated the route priorities.
a. Run a health check:
# diagnose sys sdwan health-check remote
Remote Health Check: Remote_HC(1)
Passive remote statistics of EDGE_T1(46):
EDGE_T1_0(10.0.0.20): timestamp=06-12 14:19:26, src=172.31.0.65, latency=60.249, jitter=0.031, pktloss=0.000%, mos=4.373, SLA id=1(remote), rmt_ver=2, rmt_sla=out, rmt_prio=20
EDGE_T1_1(172.31.0.66): timestamp=06-12 14:19:26, src=172.31.0.66, latency=80.222, jitter=0.021, pktloss=0.000%, mos=4.361, SLA id=1(remote), rmt_ver=2, rmt_sla=out, rmt_prio=40
Remote Health Check: Remote_HC(2)
Passive remote statistics of EDGE_T2(47):
EDGE_T2_0(10.0.0.15): timestamp=06-12 14:19:26, src=172.31.0.66, latency=0.205, jitter=0.011, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=35
EDGE_T2_1(172.31.0.65): timestamp=06-12 14:19:26, src=172.31.0.65, latency=0.215, jitter=0.009, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=15

b. View the static routing table:
For EDGE_T1, the priority changed from 10 to 20 and from 30 to 40 because it is out of SLA.
DC1_A_FGT (root) (Interim)# get router info routing-table static
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T2 tunnel 172.31.0.65, [15/0]
                 [15/0] via EDGE_T1 tunnel 10.0.0.20, [20/0]
S 172.31.0.66/32 [15/0] via EDGE_T2 tunnel 10.0.0.15, [35/0]
                 [15/0] via EDGE_T1 tunnel 172.31.0.66, [40/0]

c. View the BGP routing table:
• For 10.0.3.0/24, EDGE_T2 is preferred. Priority for EDGE_T1 changed from 10 to 20.
• For 10.0.4.0/24, EDGE_T2 is preferred. Priority for EDGE_T1 changed from 30 to 40.
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T2 tunnel 172.31.0.65 [15]), 00:07:28
                                      (recursive via EDGE_T1 tunnel 10.0.0.20 [20]), 00:07:28, [1/0]
B 10.0.4.0/24 [200/0] via 172.31.0.66 (recursive via EDGE_T2 tunnel 10.0.0.15 [35]), 00:07:28
                                      (recursive via EDGE_T1 tunnel 172.31.0.66 [40]), 00:07:28, [1/0]
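The following Python script is an added example, not code from this guide or from Fortinet. It turns the behaviour described for set priority-in-sla and set priority-out-sla, and verified in steps 4 to 6 above, into an audit an operator can run on the hub's outputs: it parses diagnose sys sdwan health-check remote lines (rmt_sla, rmt_prio, the spoke loopback in src) and get router info routing-table static lines in the formats shown in this example, checks that each received rmt_prio is the in-SLA or out-of-SLA value the spoke should be sending for its reported state, and checks that the hub's IKE route for that spoke loopback already carries that priority. The spoke priority table and the H1_T11/EDGE_T1, H1_T22/EDGE_T2 tunnel mapping are taken from the example; the sample outputs are constructed from the values shown above.

```python
"""Audit hub route priorities against the SLA priorities spokes embed in ICMP probes.

Added example, not FortiOS code. Assumes the output formats this guide shows for
"diagnose sys sdwan health-check remote" and "get router info routing-table static".
"""
import re
from typing import Dict, List, Optional, Tuple

# Spoke member settings from the example: spoke loopback -> hub parent tunnel ->
# (priority-in-sla, priority-out-sla). The mapping H1_T11 -> EDGE_T1 and
# H1_T22 -> EDGE_T2 is taken from the text above.
SPOKE_PRIORITIES: Dict[str, Dict[str, Tuple[int, int]]] = {
    "172.31.0.65": {"EDGE_T1": (10, 20), "EDGE_T2": (15, 25)},  # Spoke-1
    "172.31.0.66": {"EDGE_T1": (30, 40), "EDGE_T2": (35, 45)},  # Spoke-2
}


def embedded_priority(in_sla: int, out_sla: int, sla_ok: bool) -> int:
    """Priority a spoke embeds in its probes: priority-in-sla while the member
    meets its SLA, priority-out-sla otherwise."""
    return in_sla if sla_ok else out_sla


REMOTE_RE = re.compile(
    r"^(?P<tunnel>[^\s(]+)\((?P<gw>[\d.]+)\): .*?src=(?P<src>[\d.]+),"
    r".*?rmt_sla=(?P<sla>in|out), rmt_prio=(?P<prio>\d+)$")


def parse_remote_health_check(text: str) -> List[dict]:
    """One dict per child-tunnel line; the header lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = REMOTE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["prio"] = int(entry["prio"])
            entries.append(entry)
    return entries


ROUTE_RE = re.compile(
    r"^(?:S\s+(?P<prefix>[\d.]+/\d+)\s+)?\[\d+/\d+\] via (?P<iface>\S+) tunnel "
    r"(?P<gw>[\d.]+), \[(?P<prio>\d+)/\d+\]$")


def parse_static_routes(text: str) -> Dict[Tuple[str, str, str], int]:
    """(prefix, parent tunnel, tunnel gateway) -> route priority."""
    routes: Dict[Tuple[str, str, str], int] = {}
    prefix: Optional[str] = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix = m.group("prefix") or prefix  # ECMP continuation lines inherit the prefix
        routes[(prefix, m.group("iface"), m.group("gw"))] = int(m.group("prio"))
    return routes


def audit(remote_hc: str, static_routes: str) -> List[Tuple[str, str, str, int, Optional[int]]]:
    """Return (finding, spoke, tunnel, expected, actual) tuples.

    spoke-config-drift:   rmt_prio is not the in/out value the spoke should send for its rmt_sla state.
    stale-route-priority: the hub IKE route to that spoke loopback does not carry rmt_prio yet.
    """
    findings = []
    routes = parse_static_routes(static_routes)
    for e in parse_remote_health_check(remote_hc):
        parent = e["tunnel"].rsplit("_", 1)[0]  # EDGE_T1_0 -> EDGE_T1
        in_sla, out_sla = SPOKE_PRIORITIES[e["src"]][parent]
        expected = embedded_priority(in_sla, out_sla, e["sla"] == "in")
        if e["prio"] != expected:
            findings.append(("spoke-config-drift", e["src"], e["tunnel"], expected, e["prio"]))
        actual = routes.get((e["src"] + "/32", parent, e["gw"]))
        if actual != e["prio"]:
            findings.append(("stale-route-priority", e["src"], e["tunnel"], e["prio"], actual))
    return findings


# Constructed sample: both H1_T11 overlays out of SLA, as in step 6a above.
REMOTE_HC_OUTPUT = """\
Remote Health Check: Remote_HC(1)
Passive remote statistics of EDGE_T1(46):
EDGE_T1_0(10.0.0.20): timestamp=06-12 14:19:26, src=172.31.0.65, latency=60.249, jitter=0.031, pktloss=0.000%, mos=4.373, SLA id=1(remote), rmt_ver=2, rmt_sla=out, rmt_prio=20
EDGE_T1_1(172.31.0.66): timestamp=06-12 14:19:26, src=172.31.0.66, latency=80.222, jitter=0.021, pktloss=0.000%, mos=4.361, SLA id=1(remote), rmt_ver=2, rmt_sla=out, rmt_prio=40
Remote Health Check: Remote_HC(2)
Passive remote statistics of EDGE_T2(47):
EDGE_T2_0(10.0.0.15): timestamp=06-12 14:19:26, src=172.31.0.66, latency=0.205, jitter=0.011, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=35
EDGE_T2_1(172.31.0.65): timestamp=06-12 14:19:26, src=172.31.0.65, latency=0.215, jitter=0.009, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=2, rmt_sla=in, rmt_prio=15
"""

# Constructed sample: the routing table after the hub applied the new priorities (step 6b).
STATIC_ROUTES_UPDATED = """\
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T2 tunnel 172.31.0.65, [15/0]
                 [15/0] via EDGE_T1 tunnel 10.0.0.20, [20/0]
S 172.31.0.66/32 [15/0] via EDGE_T2 tunnel 10.0.0.15, [35/0]
                 [15/0] via EDGE_T1 tunnel 172.31.0.66, [40/0]
"""

# Constructed sample: the routing table still showing the in-SLA priorities (step 4a).
STATIC_ROUTES_STALE = """\
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T1 tunnel 10.0.0.20, [10/0]
                 [15/0] via EDGE_T2 tunnel 172.31.0.65, [15/0]
S 172.31.0.66/32 [15/0] via EDGE_T1 tunnel 172.31.0.66, [30/0]
                 [15/0] via EDGE_T2 tunnel 10.0.0.15, [35/0]
"""

if __name__ == "__main__":
    print("updated routes:", audit(REMOTE_HC_OUTPUT, STATIC_ROUTES_UPDATED))
    print("stale routes:  ", audit(REMOTE_HC_OUTPUT, STATIC_ROUTES_STALE))
```

Against the updated routing table the audit returns no findings; against the stale one it reports the two EDGE_T1 routes that still carry 10 and 30 while the spokes are already advertising 20 and 40. A spoke-config-drift finding means the spoke's priority-in-sla/priority-out-sla values no longer match the table this script was built from, which is the case to investigate before trusting the hub's route priorities.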

Speed test rerouting based on embedded SLA priorities

When spoke-initiated speed tests are enabled for this configuration, the hub uses the out-of-SLA priority to choose other routes during the speed test.

To configure speed tests:

1. On the hub, enable speed tests and allow them on the underlays and overlays.
a. Enable speed tests:
config system global
set speedtest-server enable
set speedtestd-ctrl-port 6000
set speedtestd-server-port 7000
end

b. Allow speed tests on the underlay:
config system interface
edit "port1"
...
set allowaccess ping speed-test
...
next
end

c. Allow speed tests on the underlay:
config system interface
edit "port2"
...
set allowaccess ping speed-test
...
next
end

d. Allow speed tests on the overlay, and specify a shaping profile:
config system interface
edit "EDGE_T1"
...
set allowaccess ping speed-test
set type tunnel
set egress-shaping-profile "profile_1"
...
set interface "port1"
next
end

e. Allow speed tests on the overlay, and specify a shaping profile:
config system interface
edit "EDGE_T2"
...
set allowaccess ping speed-test
set type tunnel
set egress-shaping-profile "profile_1"
...
set interface "port2"
next
end

f. View the shaping profile:
config firewall shaping-profile
edit "profile_1"
set default-class-id 2
config shaping-entries
edit 1
set class-id 2
set priority low
set guaranteed-bandwidth-percentage 10
set maximum-bandwidth-percentage 10
next
edit 2
set class-id 3
set priority medium
set guaranteed-bandwidth-percentage 30
set maximum-bandwidth-percentage 40
next
edit 3
set class-id 4
set guaranteed-bandwidth-percentage 20
set maximum-bandwidth-percentage 50
next
end
next
end

2. On Spoke-1, schedule speed tests:

config system speed-test-schedule


edit "H1_T11"
set mode TCP
set schedules "speed-test"
set dynamic-server enable
set ctrl-port 6000
set server-port 7000
set update-shaper remote
next
edit "H1_T22"
set mode UDP
set schedules "speed-test"
set dynamic-server enable
set ctrl-port 6000
set server-port 7000
set update-shaper remote
next
end

Before starting the speed test on Spoke-1, route priorities are based on the received overlay priorities on both H1_T11
and H1_T22
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T1 tunnel 10.0.0.20 [10]),
00:11:56
(recursive via EDGE_T2 tunnel 172.31.0.65 [15]),
00:11:56, [1/0]

While the speed test is running on H1_T11 of Spoke-1, Spoke-1 constantly embeds an out-of-SLA overlay priority into the probes on H1_T11 and sends them to the hub. The hub then updates route priorities accordingly and detours hub-to-spoke traffic to H1_T22 to avoid affecting the speed test on H1_T11. EDGE_T2 is preferred, and the EDGE_T1 priority changed from 10 to 20.
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T2 tunnel 172.31.0.65 [15]), 00:03:49
(recursive via EDGE_T1 tunnel 10.0.0.20 [20]), 00:03:49, [1/0]

During the speed test on H1_T22 of Spoke-1, Spoke-1 constantly embeds an out-of-SLA overlay priority into the probes on H1_T22 and sends them to the hub. The hub then updates route priorities accordingly and detours hub-to-spoke traffic to H1_T11 to avoid affecting the speed test on H1_T22. EDGE_T1 is preferred, and the EDGE_T2 priority changed from 15 to 25.
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T1 tunnel 10.0.0.20 [10]), 00:04:06
(recursive via EDGE_T2 tunnel 172.31.0.65 [25]), 00:04:06, [1/0]

Once the speed test completes, the results are applied to the child tunnels as the egress-shaping-profile on the hub:
DC1_A_FGT (root) (Interim)# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=EDGE_T1_0 ver=2 serial=22 172.31.1.1:0->172.31.3.1:0 nexthop=172.31.1.2 tun_id=10.0.0.20 tun_id6=::10.0.0.31 status=up dst_mtu=1500 weight=1
.....
dec: spi=9932cb6a esp=aes-gcm key=36 0819373cc74d0eb2dae8ac559519b756010fb42d2453b1c046429f8aad4d7dcbb507b990
ah=null key=0
enc: spi=dea67361 esp=aes-gcm key=36 c2ac45b9c1144d6728b5a7a542d1a35c86d018af35f6f661888dc39f771dc4820e2a40ff
ah=null key=0
dec:pkts/bytes=0/0, enc:pkts/bytes=3789/517724
npu_flag=03 npu_rgwy=172.31.3.1 npu_lgwy=172.31.1.1 npu_selid=26 dec_npuid=1 enc_npuid=1
npu_isaidx=719 npu_osaidx=39
egress traffic control:
bandwidth=711495(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=71149(kbps) guaranteed-bandwidth=71149(kbps)
max-bandwidth=71149(kbps) current-bandwidth=1(kbps)
priority=low forwarded_bytes=82K
dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=284597(kbps) guaranteed-bandwidth=213448(kbps)
max-bandwidth=284597(kbps) current-bandwidth=0(kbps)
priority=medium forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=355747(kbps) guaranteed-bandwidth=142298(kbps)
max-bandwidth=355747(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
------------------------------------------------------
name=EDGE_T2_1 ver=2 serial=1c 172.31.1.5:0->172.31.3.5:0 nexthop=172.31.1.6 tun_id=172.31.0.65 tun_id6=::10.0.0.25 status=up dst_mtu=1500 weight=1
......
dec: spi=9932cb69 esp=aes-gcm key=36 01842dbbe1fe98fc6503b491c0768a844d815074950589b48db8a9a00c7505e73a96dc84
ah=null key=0
enc: spi=dea67360 esp=aes-gcm key=36 c2e4cb1065325de7970d6f8edb3cac8829a33420ff79acedd6dcf4012e4614dd92d7b16b
ah=null key=0
dec:pkts/bytes=0/0, enc:pkts/bytes=3518/499252
npu_flag=03 npu_rgwy=172.31.3.5 npu_lgwy=172.31.1.5 npu_selid=27 dec_npuid=1 enc_npuid=1
npu_isaidx=718 npu_osaidx=40
egress traffic control:
bandwidth=374876(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=37487(kbps) guaranteed-bandwidth=37487(kbps)
max-bandwidth=37487(kbps) current-bandwidth=2(kbps)
priority=low forwarded_bytes=78K
dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=149950(kbps) guaranteed-bandwidth=112462(kbps)
max-bandwidth=149950(kbps) current-bandwidth=0(kbps)
priority=medium forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=187438(kbps) guaranteed-bandwidth=74975(kbps)
max-bandwidth=187438(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0

Embed SLA status in ICMP probes

This information is also available in the FortiOS 7.6 Administration Guide:
• Embedded SD-WAN SLA status in ICMP probes

In SD-WAN hub-and-spoke topologies, each spoke can now embed the SLA status it has decided, either in SLA or out of SLA, in the ICMP probes it sends to the hub. The hub uses the SLA status received from each spoke to manage route priority for hub-to-spoke traffic.
SLA priority can also be embedded in ICMP probes. See Embed SLA priorities in ICMP probes on page 196 for more information. Prior to FortiOS 7.6.0, only the measured SLA information was embedded in ICMP probes. See Embedded SD-WAN SLA information in ICMP probes for more information.
Spoke-initiated speed tests can also use the embedded information. When a spoke continually embeds an out-of-SLA status into ICMP probes, regardless of the SLA calculation, the hub can use the received out-of-SLA status to manage route priorities and detour hub-to-spoke user traffic to other tunnels.
For configuration on a hub, the config system sdwan command includes new options:
config system sdwan
config health-check
edit <entry>
set sla-id-redistribute <ID>
config sla
edit <entry>
set link-cost-factor {latency | jitter | packet-loss | mos | remote}
next
end
next
end
end

set sla-id-redistribute <ID>: Select the ID from the SLA subtable. The selected SLA's priority value will be distributed into the routing table (0 - 32, default = 0).
set link-cost-factor {latency | jitter | packet-loss | mos | remote}: Criteria on which to base link selection.
• remote: Select link based on available remote SLA status.

The hub can also work in a hybrid mode. If set sla-id-redistribute is not configured on the spoke, the hub can
use its own SLA settings to determine the route priority.

Example

The SD-WAN topology with ADVPN and BGP neighbors on loopback interfaces is used for the following two examples:
• Path selection based on embedded SLA status on page 210
• Speed test rerouting based on embedded SLA status on page 216

SD-WAN settings on the spoke relevant to the examples:
config system sdwan
set speedtest-bypass-routing enable
config health-check
edit <name>
set embed-measured-health enable
set sla-id-redistribute <id>
config sla
edit 1
<desired SLA thresholds>
next
end
next
end
end

SD-WAN settings on the hub relevant to the examples:
config system sdwan
config health-check
edit <name>
set detect-mode remote
set sla-id-redistribute <num>
config sla
edit <num>
set link-cost-factor remote
set priority-in-sla <value>
set priority-out-sla <value>
next
end
next
end
end

Path selection based on embedded SLA status

In this example, spokes are configured to embed the SLA status in ICMP probes, and the hub is configured to use the information. With this configuration:
• The spoke's SLA information (packet-loss, latency, jitter, and mos) and SLA status (in SLA or out of SLA) on each overlay are embedded into ICMP probes and transported to the hub.
• The hub sets priorities on the IKE routes over the different overlays based on the SLA status received on each overlay.
• On the hub, the BGP routes that guide hub-to-spoke traffic are resolved to tunnels through the IKE routes and inherit the priorities of those IKE routes.
• The hub can therefore steer traffic to spokes by resolved BGP routes with different inherited priorities.

To embed SD-WAN SLA status and priorities in ICMP probes:

1. Configure SD-WAN and BGP on Spoke-1 (Branch1_A_FGT):
a. Configure SD-WAN:
config system sdwan
set status enable
set speedtest-bypass-routing enable
config zone
edit "overlay"
next
end
config members
edit 4
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.65
set priority 10
next
edit 5
set interface "H1_T22"
set zone "overlay"
set source 172.31.0.65
set priority 10
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set embed-measured-health enable
set sla-id-redistribute 1
set members 4 5
config sla
edit 1
set link-cost-factor latency
set latency-threshold 50
next
end
next
end
end

b. Configure BGP:
config router bgp
set as 65001
set router-id 172.31.0.65
......
config neighbor
edit "172.31.0.1"
......
set remote-as 65001
set update-source "Loopback0"
next
end
config network
edit 1
set prefix 10.0.3.0 255.255.255.0
next
end
......
end

c. View the health-check settings:
All overlays on Spoke-1 are in SLA.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(0.252), jitter(0.025), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996) sla_map=0x1
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.199), jitter(0.008), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995) sla_map=0x1

2. Configure SD-WAN and BGP on Spoke-2 (Branch2_FGT):
a. Configure SD-WAN:
config system sdwan
set status enable
set speedtest-bypass-routing enable
config zone
edit "overlay"
next
end
config members
edit 4
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.66
set priority 10
next
edit 5
set interface "H1_T22"
set zone "overlay"
set source 172.31.0.66
set priority 10
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set embed-measured-health enable
set sla-id-redistribute 1
set members 4 5
config sla
edit 1
set link-cost-factor latency
set latency-threshold 70
next
end
next
end
end

b. Configure BGP:
config router bgp
set as 65001
set router-id 172.31.0.66
......
config neighbor
edit "172.31.0.1"
......
set remote-as 65001
set update-source "Loopback0"
next
end
config network
edit 1
set prefix 10.0.4.0 255.255.255.0
next
end
......
end

c. View the health-check settings:
All overlays on Spoke-2 are in SLA.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(0.245), jitter(0.034), mos(4.404), bandwidth-up(999998), bandwidth-dw(999996), bandwidth-bi(1999994) sla_map=0x1
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.191), jitter(0.007), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995) sla_map=0x1

3. Configure SD-WAN and BGP on the Hub (DC1_A_FGT):
a. Configure SD-WAN:
config system sdwan
set status enable
config zone
edit "overlay"
next
end
config members
edit 1
set interface "EDGE_T1"
set zone "overlay"
next
edit 2
set interface "EDGE_T2"
set zone "overlay"
next
end
config health-check
edit "Remote_HC"
set detect-mode remote
set sla-id-redistribute 1
set members 1 2
config sla
edit 1
set link-cost-factor remote
set priority-in-sla 100
set priority-out-sla 200
next
end
next
end
end

b. Configure BGP:
config router bgp
set as 65001
set router-id 172.31.0.1
set recursive-inherit-priority enable
......
config neighbor-group
edit "EDGE"
set remote-as 65001
set update-source "Loopback0"
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 172.31.0.64 255.255.255.192
set neighbor-group "EDGE"
next
end
......
end

c. View the health-check settings:
The following example shows:
• rmt_ver=0 indicates that only SLA information has been received.
• rmt_ver=1 indicates that SLA information and SLA status have been received.
• rmt_sla=out indicates that the received SLA status is out of SLA.
• rmt_sla=in indicates that the received SLA status is in SLA.
• EDGE_T1_0 is to H1_T11 on Spoke-1, and EDGE_T1_1 is to H1_T11 on Spoke-2.
• EDGE_T2_1 is to H1_T22 on Spoke-1, and EDGE_T2_0 is to H1_T22 on Spoke-2.
# diagnose sys sdwan health-check remote
Remote Health Check: Remote_HC(1)
Passive remote statistics of EDGE_T1(46):
EDGE_T1_0(10.0.0.20): timestamp=06-11 14:50:33, src=172.31.0.65, latency=0.261, jitter=0.043, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0
EDGE_T1_1(172.31.0.66): timestamp=06-11 14:50:33, src=172.31.0.66, latency=0.285, jitter=0.038, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0

Remote Health Check: Remote_HC(2)
Passive remote statistics of EDGE_T2(47):
EDGE_T2_0(10.0.0.15): timestamp=06-11 14:50:33, src=172.31.0.66, latency=0.195, jitter=0.008, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0
EDGE_T2_1(172.31.0.65): timestamp=06-11 14:50:33, src=172.31.0.65, latency=0.202, jitter=0.009, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0

4. After the spokes' SLA status on each overlay is embedded in the ICMP probes and transported to the hub, view the routing tables on the hub.
Based on the received in-SLA status, the hub sets the predefined priority of 100 on the IKE routes over EDGE_T1 and EDGE_T2. Meanwhile, recursively resolved BGP routes inherit the priorities from those IKE routes.
a. On the hub, get the static routing table:
# get router info routing-table static
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T2 tunnel 172.31.0.65, [100/0]
[15/0] via EDGE_T1 tunnel 10.0.0.20, [100/0]
S 172.31.0.66/32 [15/0] via EDGE_T1 tunnel 172.31.0.66, [100/0]
[15/0] via EDGE_T2 tunnel 10.0.0.15, [100/0]

b. On the hub, get the BGP routing table:
# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T2 tunnel 172.31.0.65 [100]), 22:15:50
(recursive via EDGE_T1 tunnel 10.0.0.20 [100]), 22:15:50, [1/0]
B 10.0.4.0/24 [200/0] via 172.31.0.66 (recursive via EDGE_T1 tunnel 172.31.0.66 [100]), 00:01:50
(recursive via EDGE_T2 tunnel 10.0.0.15 [100]), 00:01:50, [1/0]

5. Change the latency on Spoke-1 and Spoke-2, and view the results.
a. On Spoke-1, increase H1_T11's latency to 60 to make it out of SLA.
b. On Spoke-2, increase H1_T11's latency to 80 to make it out of SLA.
c. On Spoke-1, run a health check:
Branch1_A_FGT (root) (Interim)# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(60.229), jitter(0.021), mos(4.373), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.210), jitter(0.012), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995) sla_map=0x1

d. On Spoke-2, run a health check:
Branch2_FGT (root) (Interim)# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%) latency(80.227), jitter(0.024), mos(4.361), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996) sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%) latency(0.202), jitter(0.012), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995) sla_map=0x1

6. After the hub receives the updated SLA status, run a health check on the hub and view the routing tables.
The hub has updated the route priorities based on predefined priority settings (set priority-in-sla 100 and
set priority-out-sla 200).
a. Run a health check:
# diagnose sys sdwan health-check remote
Remote Health Check: Remote_HC(1)
Passive remote statistics of EDGE_T1(46):
EDGE_T1_0(10.0.0.20): timestamp=06-11 15:35:29, src=172.31.0.65, latency=60.244, jitter=0.017, pktloss=0.000%, mos=4.373, SLA id=1(remote), rmt_ver=1, rmt_sla=out, rmt_prio=0
EDGE_T1_1(172.31.0.66): timestamp=06-11 15:35:29, src=172.31.0.66, latency=80.234, jitter=0.036, pktloss=0.000%, mos=4.361, SLA id=1(remote), rmt_ver=1, rmt_sla=out, rmt_prio=0

Remote Health Check: Remote_HC(2)
Passive remote statistics of EDGE_T2(47):
EDGE_T2_0(10.0.0.15): timestamp=06-11 15:35:29, src=172.31.0.66, latency=0.201, jitter=0.008, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0
EDGE_T2_1(172.31.0.65): timestamp=06-11 15:35:29, src=172.31.0.65, latency=0.215, jitter=0.010, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0

b. View the static routing table:
For EDGE_T1, the priority changed from 100 to 200 because it is out of SLA.
DC1_A_FGT (root) (Interim)# get router info routing-table static
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T2 tunnel 172.31.0.65, [100/0]
[15/0] via EDGE_T1 tunnel 10.0.0.20, [200/0]
S 172.31.0.66/32 [15/0] via EDGE_T2 tunnel 10.0.0.15, [100/0]
[15/0] via EDGE_T1 tunnel 172.31.0.66, [200/0]

c. View the BGP routing table:
• For 10.0.3.0/24, EDGE_T2 is preferred. Priority for EDGE_T1 changed from 100 to 200.
• For 10.0.4.0/24, EDGE_T2 is preferred. Priority for EDGE_T1 changed from 30 to 40.
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T2 tunnel 172.31.0.65 [100]), 22:31:22
(recursive via EDGE_T1 tunnel 10.0.0.20 [200]), 22:31:22, [1/0]
B 10.0.4.0/24 [200/0] via 172.31.0.66 (recursive via EDGE_T2 tunnel 10.0.0.15 [100]), 00:08:22
(recursive via EDGE_T1 tunnel 172.31.0.66 [200]), 00:08:22, [1/0]

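The following script is an added example; it is not part of this guide and not FortiOS code. It turns the manual checks in this example into an audit: it parses the hub's diagnose sys sdwan health-check remote and get router info routing-table static output (the sample text is constructed in the shape shown above) and flags any child tunnel whose IKE route priority does not follow the SLA information the spoke embedded. The decision rules are inferred from the outputs in this section rather than stated by the guide: an embedded priority (rmt_prio greater than 0) is used as-is, an embedded status (rmt_ver=1) selects priority-in-sla or priority-out-sla, and without an embedded status (rmt_ver=0, the hybrid mode) the hub's own latency threshold is assumed to decide. The same check applies while a spoke-initiated speed test forces an out-of-SLA status on the tunnel under test, as in the speed test rerouting example that follows. The defaults of 100, 200 and 50 ms mirror the hub and Spoke-1 settings of this example.

```python
"""Audit a hub's IKE route priorities against the SLA information received
from spokes (added example; not FortiOS code).

Assumptions, inferred from the guide's outputs rather than stated by it:
  - rmt_prio > 0: the spoke embedded a priority and the hub uses it directly.
  - rmt_ver == 1 and rmt_prio == 0: only the status was embedded, so the hub
    applies its own priority-in-sla / priority-out-sla.
  - rmt_ver == 0: hybrid mode, the hub judges the measured values with its
    own thresholds (only a latency threshold is modelled here).
"""
import re

# constructed samples in the shape of the guide's output (step 6 of the example)
REMOTE_HC = """
Remote Health Check: Remote_HC(1)
Passive remote statistics of EDGE_T1(46):
EDGE_T1_0(10.0.0.20): timestamp=06-11 15:35:29, src=172.31.0.65, latency=60.244, jitter=0.017, pktloss=0.000%, mos=4.373, SLA id=1(remote), rmt_ver=1, rmt_sla=out, rmt_prio=0
EDGE_T1_1(172.31.0.66): timestamp=06-11 15:35:29, src=172.31.0.66, latency=80.234, jitter=0.036, pktloss=0.000%, mos=4.361, SLA id=1(remote), rmt_ver=1, rmt_sla=out, rmt_prio=0
Remote Health Check: Remote_HC(2)
Passive remote statistics of EDGE_T2(47):
EDGE_T2_0(10.0.0.15): timestamp=06-11 15:35:29, src=172.31.0.66, latency=0.201, jitter=0.008, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0
EDGE_T2_1(172.31.0.65): timestamp=06-11 15:35:29, src=172.31.0.65, latency=0.215, jitter=0.010, pktloss=0.000%, mos=4.404, SLA id=1(pass), rmt_ver=1, rmt_sla=in, rmt_prio=0
"""

STATIC_RT = """
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T2 tunnel 172.31.0.65, [100/0]
[15/0] via EDGE_T1 tunnel 10.0.0.20, [200/0]
S 172.31.0.66/32 [15/0] via EDGE_T2 tunnel 10.0.0.15, [100/0]
[15/0] via EDGE_T1 tunnel 172.31.0.66, [200/0]
"""

HC_RE = re.compile(
    r"^(?P<child>\S+)\((?P<tun_id>[^)]+)\): .*?latency=(?P<latency>[\d.]+).*?"
    r"rmt_ver=(?P<ver>\d+), rmt_sla=(?P<sla>in|out), rmt_prio=(?P<prio>\d+)"
)
RT_RE = re.compile(r"via (?P<parent>\S+) tunnel (?P<tun_id>\S+), \[(?P<prio>\d+)/\d+\]")


def parse_remote_hc(text):
    """Map each child tunnel's tun_id to the SLA fields received from the spoke."""
    out = {}
    for line in text.splitlines():
        m = HC_RE.match(line.strip())
        if m:
            out[m["tun_id"]] = {
                "child": m["child"],
                "latency": float(m["latency"]),
                "ver": int(m["ver"]),
                "sla": m["sla"],
                "prio": int(m["prio"]),
            }
    return out


def parse_static_routes(text):
    """Map each tunnel id in the static routing table to its route priority."""
    return {m["tun_id"]: int(m["prio"]) for m in RT_RE.finditer(text)}


def expected_priority(hc, prio_in=100, prio_out=200, hub_latency_threshold=50.0):
    """Priority the hub should assign to this tunnel under the assumptions above."""
    if hc["prio"] > 0:
        return hc["prio"]                      # spoke embedded an explicit priority
    if hc["ver"] == 1:                         # spoke embedded its own SLA verdict
        return prio_in if hc["sla"] == "in" else prio_out
    # hybrid mode: no status received, hub applies its own (assumed) threshold
    return prio_in if hc["latency"] <= hub_latency_threshold else prio_out


def audit(remote_hc_text, static_rt_text, **hub_settings):
    """Return {tun_id: (expected, actual)} for every mismatch; empty means consistent."""
    received = parse_remote_hc(remote_hc_text)
    routes = parse_static_routes(static_rt_text)
    mismatches = {}
    for tun_id, hc in received.items():
        want = expected_priority(hc, **hub_settings)
        got = routes.get(tun_id)               # None if the tunnel has no IKE route
        if got != want:
            mismatches[tun_id] = (want, got)
    return mismatches


if __name__ == "__main__":
    print(audit(REMOTE_HC, STATIC_RT) or "hub priorities match the received SLA status")
```

Run it against live output by pasting the two command results into the constants, or feed them from an automation job; a non-empty result means the hub's IKE route priorities have drifted from what the received SLA status implies, which is the condition the rest of this example verifies by hand.
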
Speed test rerouting based on embedded SLA status

When spoke-initiated speed tests are enabled for this configuration, the hub uses the out-of-SLA status to choose other routes during the speed test.

To configure speed tests:

1. On the hub, enable speed tests and allow them on the underlays and overlays.
a. Enable speed tests:
config system global
set speedtest-server enable
set speedtestd-ctrl-port 6000
set speedtestd-server-port 7000
end

b. Allow speed tests on the underlay:
config system interface
edit "port1"
...
set allowaccess ping speed-test
...
next
end

c. Allow speed tests on the underlay:
config system interface
edit "port2"
...
set allowaccess ping speed-test
...
next
end

d. Allow speed tests on the overlay, and specify a shaping profile:
config system interface
edit "EDGE_T1"
...
set allowaccess ping speed-test
set type tunnel
set egress-shaping-profile "profile_1"
...
set interface "port1"
next
end

e. Allow speed tests on the overlay, and specify a shaping profile:
config system interface
edit "EDGE_T2"
...
set allowaccess ping speed-test
set type tunnel
set egress-shaping-profile "profile_1"
...
set interface "port2"
next
end

f. View the shaping profile:
config firewall shaping-profile
edit "profile_1"
set default-class-id 2
config shaping-entries
edit 1
set class-id 2
set priority low
set guaranteed-bandwidth-percentage 10
set maximum-bandwidth-percentage 10
next
edit 2
set class-id 3
set priority medium
set guaranteed-bandwidth-percentage 30
set maximum-bandwidth-percentage 40
next
edit 3
set class-id 4
set guaranteed-bandwidth-percentage 20
set maximum-bandwidth-percentage 50
next
end
next
end

2. On Spoke-1, schedule speed tests:

config system speed-test-schedule
edit "H1_T11"
set mode TCP
set schedules "speed-test"
set dynamic-server enable
set ctrl-port 6000
set server-port 7000
set update-shaper remote
next
edit "H1_T22"
set mode UDP
set schedules "speed-test"
set dynamic-server enable
set ctrl-port 6000
set server-port 7000
set update-shaper remote
next
end

Before starting the speed test on Spoke-1, route priorities are based on the in-SLA status received on both H1_T11 and H1_T22:
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T2 tunnel 172.31.0.65 [100]), 00:24:14
(recursive via EDGE_T1 tunnel 10.0.0.20 [100]), 00:24:14, [1/0]

While the speed test is running on H1_T11 of Spoke-1, Spoke-1 constantly embeds an NOK (out-of-SLA) status into the probes on H1_T11 and sends them to the hub. The hub then updates route priorities accordingly and detours hub-to-spoke traffic to H1_T22 to avoid affecting the speed test on H1_T11. EDGE_T2 is preferred, and the EDGE_T1 priority changed from 100 to 200.
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T2 tunnel 172.31.0.65 [100]), 00:04:42
(recursive via EDGE_T1 tunnel 10.0.0.20 [200]), 00:04:42, [1/0]

During the speed test on H1_T22 of Spoke-1, Spoke-1 constantly embeds an NOK (out-of-SLA) status into the probes on H1_T22 and sends them to the hub. The hub then updates route priorities accordingly and detours hub-to-spoke traffic to H1_T11 to avoid affecting the speed test on H1_T22. EDGE_T1 is preferred, and the EDGE_T2 priority changed from 100 to 200.
DC1_A_FGT (root) (Interim)# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T1 tunnel 10.0.0.20 [100]), 00:00:05
(recursive via EDGE_T2 tunnel 172.31.0.65 [200]), 00:00:05, [1/0]

Once the speed test completes, the results are applied to the child tunnels as the egress-shaping-profile on the hub:
DC1_A_FGT (root) (Interim)# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=EDGE_T1_0 ver=2 serial=22 172.31.1.1:0->172.31.3.1:0 nexthop=172.31.1.2 tun_id=10.0.0.20 tun_id6=::10.0.0.31 status=up dst_mtu=1500 weight=1
.......
dec: spi=9932cb0d esp=aes-gcm key=36 466db2b7ef257f0cf4b32ce79ef009485cbaececf0bad273b27c6a0a03d736557dfa15db
ah=null key=0
enc: spi=dea67332 esp=aes-gcm key=36 4f10635db3f4b52f156d98291e0b9af21529a12233cb77c8f94d5a58027d26efcfe7d1ac
ah=null key=0
dec:pkts/bytes=0/0, enc:pkts/bytes=1762/235516
npu_flag=03 npu_rgwy=172.31.3.1 npu_lgwy=172.31.1.1 npu_selid=26 dec_npuid=1 enc_npuid=1
npu_isaidx=626 npu_osaidx=39
egress traffic control:
bandwidth=673982(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=67398(kbps) guaranteed-bandwidth=67398(kbps)
max-bandwidth=67398(kbps) current-bandwidth=1(kbps)
priority=low forwarded_bytes=173K
dropped_packets=0 dropped_bytes=0
class-id=3 alloc­ated-bandwidth=269592(kbps) guaranteed-bandwidth=202194(kbps)
max-bandwidth=269592(kbps) current-bandwidth=0(kbps)
priority=medium forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=336990(kbps) guaranteed-bandwidth=134796(kbps)
max-bandwidth=336990(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
------------------------------------------------------
name=EDGE_T2_1 ver=2 serial=1c 172.31.1.5:0->172.31.3.5:0 nexthop=172.31.1.6 tun_id=172.31.0.65 tun_id6=::10.0.0.25 status=up dst_mtu=1500 weight=1
.......
dec: spi=9932cb0e esp=aes-gcm key=36 551bdf438cb62ba0bf2df131d5e7da4697dfbec5d4f1d60e876f049ef9ec29bae2deb3b1
ah=null key=0
enc: spi=dea67333 esp=aes-gcm key=36 1d94ae5e40f32d48f03555d1d76008b72f3662e6619c4fc16fc730b9bae8c7546b595acc
ah=null key=0
dec:pkts/bytes=0/0, enc:pkts/bytes=1560/215488
npu_flag=03 npu_rgwy=172.31.3.5 npu_lgwy=172.31.1.5 npu_selid=27 dec_npuid=1 enc_npuid=1
npu_isaidx=627 npu_osaidx=40
egress traffic control:
bandwidth=389154(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=38915(kbps) guaranteed-bandwidth=38915(kbps)
max-bandwidth=38915(kbps) current-bandwidth=1(kbps)
priority=low forwarded_bytes=166K
dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=155661(kbps) guaranteed-bandwidth=116746(kbps)
max-bandwidth=155661(kbps) current-bandwidth=0(kbps)
priority=medium forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=194576(kbps) guaranteed-bandwidth=77830(kbps)
max-bandwidth=194576(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0

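The following script is an added example, not part of this guide and not FortiOS code. It parses the egress traffic control section of diagnose vpn tunnel list (the sample is constructed from the EDGE_T1_0 output at the end of the previous section) and checks that the per-class guaranteed and maximum bandwidth the hub applied after the speed test match the percentages configured in profile_1; it serves the shaping-profile result shown in this example and the identical one in the Embed SLA priorities example. The measured tunnel bandwidth is taken as the 100% base, and a 1 kbps tolerance is assumed to cover the device's rounding of the measured value; any larger deviation, a missing class, or a different number of active classes is reported.

```python
"""Check the per-class shaper a hub shows under "egress traffic control"
against the configured shaping profile (added example; not FortiOS code).
The speed-test result (bandwidth=N(kbps)) is the 100% base; each class's
guaranteed/max bandwidth should be base * percentage. The 1 kbps tolerance
is an assumption about how the device rounds the measured bandwidth."""
import re

# class-id -> (guaranteed %, maximum %) for "profile_1" as configured in the guide
PROFILE_1 = {2: (10, 10), 3: (30, 40), 4: (20, 50)}

# constructed sample in the shape of the guide's output (one child tunnel)
TUNNEL_LIST = """\
name=EDGE_T1_0 ver=2 serial=22 172.31.1.1:0->172.31.3.1:0 nexthop=172.31.1.2 tun_id=10.0.0.20 status=up
egress traffic control:
bandwidth=711495(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=71149(kbps) guaranteed-bandwidth=71149(kbps)
max-bandwidth=71149(kbps) current-bandwidth=1(kbps)
priority=low forwarded_bytes=82K
dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=284597(kbps) guaranteed-bandwidth=213448(kbps)
max-bandwidth=284597(kbps) current-bandwidth=0(kbps)
priority=medium forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=355747(kbps) guaranteed-bandwidth=142298(kbps)
max-bandwidth=355747(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
"""

NAME_RE = re.compile(r"^name=(?P<name>\S+)")
BW_RE = re.compile(r"^bandwidth=(?P<bw>\d+)\(kbps\).*n_active_class=(?P<n>\d+)")
CLASS_RE = re.compile(r"^class-id=(?P<cid>\d+) .*guaranteed-bandwidth=(?P<gbw>\d+)\(kbps\)")
MAX_RE = re.compile(r"^max-bandwidth=(?P<mbw>\d+)\(kbps\)")


def parse_tunnel_shapers(text):
    """Return {tunnel name: {"bandwidth", "n_active", "classes": {id: [guaranteed, max]}}}."""
    tunnels, cur, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            cur = tunnels.setdefault(m["name"], {"bandwidth": 0, "n_active": 0, "classes": {}})
            cls = None
        elif cur is None:
            continue                          # header lines before the first tunnel
        elif m := BW_RE.match(line):
            cur["bandwidth"], cur["n_active"] = int(m["bw"]), int(m["n"])
        elif m := CLASS_RE.match(line):
            cls = int(m["cid"])
            cur["classes"][cls] = [int(m["gbw"]), None]
        elif (m := MAX_RE.match(line)) and cls is not None:
            cur["classes"][cls][1] = int(m["mbw"])
    return tunnels


def audit_shaper(tunnel, profile, tolerance_kbps=1):
    """Return findings for one parsed tunnel; an empty list means the shaper matches."""
    findings = []
    if tunnel["n_active"] != len(profile):
        findings.append(f"n_active_class={tunnel['n_active']}, profile has {len(profile)} entries")
    base = tunnel["bandwidth"]
    for cid, (g_pct, m_pct) in profile.items():
        if cid not in tunnel["classes"]:
            findings.append(f"class {cid} missing from shaper")
            continue
        got_g, got_m = tunnel["classes"][cid]
        for label, got, pct in (("guaranteed", got_g, g_pct), ("max", got_m, m_pct)):
            want = base * pct // 100          # integer kbps, as the device reports it
            if got is None or abs(got - want) > tolerance_kbps:
                findings.append(f"class {cid} {label}={got} kbps, expected ~{want} ({pct}% of {base})")
    return findings


def audit_all(text, profile):
    """{tunnel name: findings} for every child tunnel in the command output."""
    return {name: audit_shaper(t, profile) for name, t in parse_tunnel_shapers(text).items()}


if __name__ == "__main__":
    for name, findings in audit_all(TUNNEL_LIST, PROFILE_1).items():
        print(name, findings or "shaper matches profile_1")
```

Feeding the full diagnose vpn tunnel list output into audit_all checks every child tunnel at once, so a shaper that was never updated (for example because a speed test failed or the spoke's schedule did not run) shows up as a class whose bandwidth no longer corresponds to the measured base.
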
Map SD-WAN member priorities to BGP MED attribute when spoke advertises routes using iBGP to hub - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
• Map SD-WAN member priorities to BGP MED attribute when spoke advertises routes using iBGP to hub

When a spoke advertises routes using iBGP to a hub, SD-WAN member priorities are mapped into the BGP multiple exit
discriminator (MED) attribute using the following CLI commands:
config system sdwan
config neighbor
edit <bgp-peer-IP>
set member <num_1> ... <num_n>
set route-metric {preferable | priority}
set health-check <health-check-name>
next
end
end

Value: Description
preferable: Select neighbor based on its HC to match BGP preferable/unpreferable route_map.
priority: Select neighbor based on its members' priority-in-sla/priority-out-sla value.

Routes to prefixes behind spokes are advertised by the SD-WAN hub to eBGP peers on an external network. The
relative values of the BGP MED attribute for each hub are used to indicate to eBGP peers the more preferred paths, that
is, the preferred hub used to route to spoke prefixes.
This enhancement depends on the spoke SD-WAN configuration defined in Embed SLA priorities in ICMP probes on
page 196 and hub SD-WAN and BGP configuration defined in Embed SLA status in ICMP probes on page 208.
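
As an added example, not FortiOS code, the following script models how a spoke with set route-metric priority derives the MED it advertises to each hub neighbor. The rule it implements is inferred from the values reported in the example that follows, not stated by the guide: a member's effective priority is priority-in-sla while the health check's SLA is met and priority-out-sla otherwise, and the MED sent to a neighbor is the lowest effective priority among the members bound to that neighbor. Member priorities, neighbor bindings and the latency threshold are those of the spoke configuration in the example; the latency samples are constructed.

```python
"""Model of the BGP MED a spoke advertises to each hub under
"set route-metric priority" (added example; not FortiOS code).
Inferred rule, not stated by the guide: a member's effective priority is
priority-in-sla while it meets the health check's SLA and priority-out-sla
otherwise; the MED sent to a neighbor is the lowest effective priority
among the members bound to that neighbor."""

# spoke members from the example: seq -> (interface, priority-in-sla, priority-out-sla)
MEMBERS = {
    4: ("H1_T11", 50, 100),
    5: ("H1_T22", 70, 120),
    7: ("H2_T11", 60, 110),
    8: ("H2_T22", 80, 130),
}

# config neighbor: BGP peer -> member seqs bound to it (Hub-1, Hub-2)
NEIGHBORS = {"172.31.0.1": [4, 5], "172.31.0.2": [7, 8]}

LATENCY_THRESHOLD_MS = 100.0   # config sla: set latency-threshold 100

# constructed latencies (ms) reproducing the example's four scenarios
SCENARIOS = {
    "all in SLA":                 {4: 0.225, 5: 0.203, 7: 0.260, 8: 0.201},
    "H1_T11 out":                 {4: 120.2, 5: 0.203, 7: 0.249, 8: 0.205},
    "H1_T11, H2_T11 out":         {4: 120.2, 5: 0.191, 7: 120.2, 8: 0.215},
    "H1_T11, H2_T11, H1_T22 out": {4: 120.2, 5: 120.2, 7: 120.3, 8: 0.211},
}


def in_sla(latency_ms, threshold_ms=LATENCY_THRESHOLD_MS):
    """Single-criterion SLA check, matching 'set link-cost-factor latency'."""
    return latency_ms <= threshold_ms


def effective_priority(seq, latency_ms):
    """priority-in-sla while the member meets the SLA, priority-out-sla otherwise."""
    _, prio_in, prio_out = MEMBERS[seq]
    return prio_in if in_sla(latency_ms) else prio_out


def advertised_med(peer, latencies):
    """MED for one BGP neighbor given {member seq: measured latency ms}."""
    return min(effective_priority(seq, latencies[seq]) for seq in NEIGHBORS[peer])


def preferred_hub(latencies):
    """(peer with the lowest MED, {peer: MED}). An external eBGP router prefers
    the hub that advertised the lower MED; ties go to the first configured peer."""
    meds = {peer: advertised_med(peer, latencies) for peer in NEIGHBORS}
    return min(meds, key=meds.get), meds


if __name__ == "__main__":
    for name, latencies in SCENARIOS.items():
        hub, meds = preferred_hub(latencies)
        print(f"{name}: MEDs {meds} -> external router prefers {hub}")
```

The four scenarios reproduce the MED values 50/60, 70/60, 70/80 and 100/80 reported in the example, which is the check that makes the inferred rule plausible; if a deployment shows different MEDs for the same SLA states, the rule, not the device, is what needs revisiting.
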

Example

This example includes one spoke and two hubs:
• The spoke has two overlays to Hub-1 and Hub-2 respectively.
• BGP neighbors between the spoke and hubs are over loopback IP addresses.
• SD-WAN is configured on the spoke.

To configure and test the example:

1. Enable recursive inherit priority on the hubs:
config router bgp
set recursive-inherit-priority enable
end

See Embedded SD-WAN SLA information in ICMP probes for more information.
2. Configure SD-WAN on the spoke:
config system sdwan
set status enable
config zone
edit "overlay"
next
end
config members
edit 4
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.65
set priority-in-sla 50
set priority-out-sla 100
next
edit 5
set interface "H1_T22"
set zone "overlay"
set source 172.31.0.65
set priority-in-sla 70
set priority-out-sla 120
next
edit 7
set interface "H2_T11"
set zone "overlay"
set source 172.31.0.65
set priority-in-sla 60
set priority-out-sla 110
next
edit 8
set interface "H2_T22"
set zone "overlay"
set source 172.31.0.65
set priority-in-sla 80
set priority-out-sla 130
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set embed-measured-health enable
set sla-id-redistribute 1
set sla-fail-log-period 10
set sla-pass-log-period 10
set members 4 5 7 8
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
next
end
next
end
config neighbor
edit "172.31.0.1"
set member 4 5
set route-metric priority
set health-check "HUB"
next
edit "172.31.0.2"
set member 7 8
set route-metric priority
set health-check "HUB"
next
end
end

The routes with MEDs are advertised to a router on the external network that establishes a BGP neighbor
relationship with Hub-1 and Hub-2. When sending traffic destined for 10.0.3.0/24, the router on the external network
will prefer to send traffic to the hub with the lower MED.
3. All overlays are in SLA.
When sending traffic destined for 10.0.3.0/24, the router on the external network will prefer to send traffic to Hub-1
with lower MED 50 over Hub-2 with higher MED 60.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(0.225), jitter(0.035), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995), sla_map=0x1
Seq(5 H1_T22): state(alive), packet-loss(0.000%), latency(0.203), jitter(0.016), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Seq(7 H2_T11): state(alive), packet-loss(0.000%), latency(0.260), jitter(0.035), mos(4.404), bandwidth-up(999997), bandwidth-dw(999997), bandwidth-bi(1999994), sla_map=0x1
Seq(8 H2_T22): state(alive), packet-loss(0.000%), latency(0.201), jitter(0.018), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
# get router info bgp neighbors 172.31.0.1 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.0.3.0/24 172.31.0.65 50 100 32768 0 i <-/->

Total number of prefixes 1

# get router info bgp neighbors 172.31.0.2 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.0.3.0/24 172.31.0.65 60 100 32768 0 i <-/->

Total number of prefixes 1

4. H1_T11 is out of SLA.
When sending traffic destined for 10.0.3.0/24, the router on the external network will prefer to send traffic to Hub-2 with lower MED 60 over Hub-1 with higher MED 70.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(120.225), jitter(0.037), mos(4.338), bandwidth-up(999997), bandwidth-dw(999996), bandwidth-bi(1999993), sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%), latency(0.203), jitter(0.015), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995), sla_map=0x1
Seq(7 H2_T11): state(alive), packet-loss(0.000%), latency(0.249), jitter(0.026), mos(4.404), bandwidth-up(999998), bandwidth-dw(999996), bandwidth-bi(1999994), sla_map=0x1
Seq(8 H2_T22): state(alive), packet-loss(0.000%), latency(0.205), jitter(0.018), mos(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995), sla_map=0x1
# get router info bgp neighbors 172.31.0.1 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.0.3.0/24 172.31.0.65 70 100 32768 0 i <-/->

Total number of prefixes 1

# get router info bgp neighbors 172.31.0.2 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.0.3.0/24 172.31.0.65 60 100 32768 0 i <-/->

Total number of prefixes 1

5. H1_T11 and H2_T11 are out of SLA.
When sending traffic destined for 10.0.3.0/24, the router on the external network will prefer to send traffic to Hub-1 with lower MED 70 over Hub-2 with higher MED 80.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(120.194), jitter(0.011), mos(4.338), bandwidth-up(999997), bandwidth-dw(999997), bandwidth-bi(1999994), sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%), latency(0.191), jitter(0.008), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Seq(7 H2_T11): state(alive), packet-loss(0.000%), latency(120.235), jitter(0.029), mos(4.338), bandwidth-up(999997), bandwidth-dw(999997), bandwidth-bi(1999994), sla_map=0x0
Seq(8 H2_T22): state(alive), packet-loss(0.000%), latency(0.215), jitter(0.016), mos(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
# get router info bgp neighbors 172.31.0.1 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.0.3.0/24 172.31.0.65 70 100 32768 0 i <-/->

Total number of prefixes 1

# get router info bgp neighbors 172.31.0.2 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.0.3.0/24 172.31.0.65 80 100 32768 0 i <-/->

Total number of prefixes 1

6. H1_T11, H2_T11, and H1_T22 are out of SLA.


When sending traffic destined for 10.0.3.0/24, the router on the external network will prefer to send traffic to Hub-2
with lower MED 80 over Hub-1 with higher MED 100.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(120.199), jitter(0.016), mos
(4.338), bandwidth-up(999997), bandwidth-dw(999996), bandwidth-bi(1999993), sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%), latency(120.190), jitter(0.012), mos
(4.338), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995), sla_map=0x0
Seq(7 H2_T11): state(alive), packet-loss(0.000%), latency(120.251), jitter(0.022), mos
(4.338), bandwidth-up(999997), bandwidth-dw(999996), bandwidth-bi(1999993), sla_map=0x0
Seq(8 H2_T22): state(alive), packet-loss(0.000%), latency(0.211), jitter(0.014), mos
(4.404), bandwidth-up(999998), bandwidth-dw(999997), bandwidth-bi(1999995), sla_map=0x1
# get router info bgp neighbors 172.31.0.1 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


*>i10.0.3.0/24 172.31.0.65 100 100 32768 0 i <-/->

Total number of prefixes 1


# get router info bgp neighbors 172.31.0.2 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


*>i10.0.3.0/24 172.31.0.65 80 100 32768 0 i <-/->

Total number of prefixes 1

7. All of the overlays are out of SLA.


When sending traffic destined for 10.0.3.0/24, the router on the external network will prefer to send traffic to Hub-1
with lower MED 100 over Hub-2 with higher MED 110.
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(120.201), jitter(0.013), mos
(4.338), bandwidth-up(999997), bandwidth-dw(999997), bandwidth-bi(1999994), sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%), latency(120.187), jitter(0.008), mos
(4.338), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x0
Seq(7 H2_T11): state(alive), packet-loss(0.000%), latency(120.251), jitter(0.023), mos
(4.338), bandwidth-up(999997), bandwidth-dw(999997), bandwidth-bi(1999994), sla_map=0x0
Seq(8 H2_T22): state(alive), packet-loss(0.000%), latency(120.194), jitter(0.010), mos
(4.338), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x0
# get router info bgp neighbors 172.31.0.1 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


*>i10.0.3.0/24 172.31.0.65 100 100 32768 0 i <-/->

Total number of prefixes 1


# get router info bgp neighbors 172.31.0.2 advertised-routes
VRF 0 BGP table version is 31, local router ID is 172.31.0.65
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


*>i10.0.3.0/24 172.31.0.65 110 100 32768 0 i <-/->

Total number of prefixes 1

FortiGuard SLA database for SD-WAN performance SLA - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
- FortiGuard SLA database for SD-WAN performance SLA

A new FortiGuard SLA database is available, and it includes popular SaaS and internet destinations as well as
recommended settings that you can select as probe servers for SD-WAN Performance SLA configurations in the GUI or
CLI.
In the GUI, go to Network > SD-WAN > Performance SLA, and click Create New to access the new database.
In the CLI, use the following new options:
config system sdwan
config health-check
edit <health-check name>
set fortiguard {enable | disable}
set fortiguard-name <string>
next
end
end

set fortiguard {enable | disable}    Enable/disable use of the FortiGuard SLA database.
set fortiguard-name <string>         Name of the predefined health-check target from the FortiGuard SLA database.

The FortiGate requires a valid SD-WAN Network Monitor (SWNM) entitlement before the FortiGuard SLA Database can
be downloaded or updated.
See also SD-WAN Setup wizard for guided configuration 7.6.1 on page 185.

Example

In this example, an SD-WAN performance SLA is configured to use the FortiGuard SLA database and its Amazon target.

To configure a performance SLA in the GUI:

1. Go to Network > SD-WAN > Performance SLA, and click Create New. The New Performance SLA pane is
displayed.
2. Set Performance SLA to FortiGuard to select the database, and set SLA Target to the www.amazon.com target
from the database.

3. Complete the remaining options, and click OK. The configuration is displayed on the Performance SLAs pane.
4. On the Performance SLAs pane, select the configuration to view the health-check status.

To configure performance SLA in the CLI:

1. Configure an SD-WAN health-check to use the SLA database and its Amazon target:
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "agg1"
set gateway 172.16.203.2
next
edit 2
set interface "vlan100"
set gateway 172.16.206.2
next
end
config health-check
edit "test"
set fortiguard enable
set fortiguard-name "Amazon"
set server "www.amazon.com"
set members 0
config sla
edit 1
next
end
next
end
end

2. Check the health status:


In this example, the SLA database is enabled and Amazon is configured.
# diagnose sys sdwan health-check
Health Check(test):
Seq(1 agg1): state(alive), packet-loss(1.000%), latency(55.557), jitter(1.245), mos
(4.373), bandwidth-up(999993), bandwidth-dw(999982), bandwidth-bi(1999975), sla_map=0x0
Seq(2 vlan100): state(alive), packet-loss(4.000%), latency(55.534), jitter(1.211), mos
(4.372), bandwidth-up(697383), bandwidth-dw(437492), bandwidth-bi(1134875), sla_map=0x0
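In every health-check output on this page, sla_map is the field that drives the decision: it is a bitmask in which bit n-1 is set when SLA target n of that health check is currently met, so sla_map=0x0 means the member is alive but misses every target (H1_T11 and H2_T11 in step 5 of the MED walkthrough above, and both agg1 and vlan100 here). The following parser is an added example, not FortiOS code: it reads diagnose sys sdwan health-check output, including the wrapped form in which this guide prints it, decodes sla_map, and lists the members that are dead or out of SLA. The sample text is constructed from the HUB output of step 5 and the test output above.

```python
import re

# Constructed sample: the HUB health check from step 5 of the MED walkthrough and the
# "test" health check from this example, pasted with the line wrapping this guide uses.
SAMPLE = """Health Check(HUB):
Seq(4 H1_T11): state(alive), packet-loss(0.000%), latency(120.194), jitter(0.011), mos
(4.338), bandwidth-up(999997), bandwidth-dw(999997), bandwidth-bi(1999994), sla_map=0x0
Seq(5 H1_T22): state(alive), packet-loss(0.000%), latency(0.191), jitter(0.008), mos
(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Seq(7 H2_T11): state(alive), packet-loss(0.000%), latency(120.235), jitter(0.029), mos
(4.338), bandwidth-up(999997), bandwidth-dw(999997), bandwidth-bi(1999994), sla_map=0x0
Seq(8 H2_T22): state(alive), packet-loss(0.000%), latency(0.215), jitter(0.016), mos
(4.404), bandwidth-up(999998), bandwidth-dw(999998), bandwidth-bi(1999996), sla_map=0x1
Health Check(test):
Seq(1 agg1): state(alive), packet-loss(1.000%), latency(55.557), jitter(1.245), mos
(4.373), bandwidth-up(999993), bandwidth-dw(999982), bandwidth-bi(1999975), sla_map=0x0
Seq(2 vlan100): state(alive), packet-loss(4.000%), latency(55.534), jitter(1.211), mos
(4.372), bandwidth-up(697383), bandwidth-dw(437492), bandwidth-bi(1134875), sla_map=0x0
"""

_HC = re.compile(r"^Health Check\((.+)\):$")
_SEQ = re.compile(
    r"^Seq\((\d+) (\S+)\): state\((\w+)\), packet-loss\(([\d.]+)%\), "
    r"latency\(([\d.]+)\), jitter\(([\d.]+)\), mos\(([\d.]+)\).*sla_map=0x([0-9a-fA-F]+)"
)


def _unwrap(text):
    """Re-join Seq lines that were wrapped when the CLI output was pasted into a document."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Health Check(", "Seq(")) or not lines:
            lines.append(line)
        else:
            lines[-1] += line
    return lines


def parse_health_check(text):
    """{health check name: [member dicts]} from 'diagnose sys sdwan health-check' output."""
    result, current = {}, None
    for line in _unwrap(text):
        hc = _HC.match(line)
        if hc:
            current = hc.group(1)
            result[current] = []
            continue
        seq = _SEQ.match(line)
        if seq and current is not None:
            n, iface, state, loss, lat, jit, mos, sla_map = seq.groups()
            result[current].append({
                "seq": int(n), "interface": iface, "alive": state == "alive",
                "packet_loss": float(loss), "latency": float(lat), "jitter": float(jit),
                "mos": float(mos), "sla_map": int(sla_map, 16),
            })
    return result


def meets_sla(member, sla_id=1):
    """sla_map is a bitmask: bit (sla_id - 1) is set when SLA target <sla_id> is met."""
    return bool((member["sla_map"] >> (sla_id - 1)) & 1)


def out_of_sla(text, sla_id=1):
    """(health check, seq, interface) for each member that is dead or misses SLA <sla_id>."""
    return [
        (name, m["seq"], m["interface"])
        for name, members in parse_health_check(text).items()
        for m in members
        if not m["alive"] or not meets_sla(m, sla_id)
    ]


if __name__ == "__main__":
    for entry in out_of_sla(SAMPLE):
        print("out of SLA: %s seq %d (%s)" % entry)
```

Note that in the test health check above both members report sla_map=0x0 even though they are alive and show low loss; the SLA entry in the configuration has no thresholds shown, so the member status depends on whatever thresholds apply, and the parser reports what the FortiGate decided rather than re-deriving it.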

To view the performance SLA database in the CLI:

1. View the SLA database version:


# diagnose autoupdate version

...

SLA Database
---------
Version: 1.00003
Contract Expiry Date: Wed Apr 30 2025
Last Updated using scheduled update on Mon Nov 25 09:46:47 2024
Last Update Attempt: Wed Nov 27 14:36:01 2024
Result: No Updates

Timezone Database
---------
Version: 1.0006

...

2. List the targets predefined by FortiGuard in the SLA database:


# diagnose sladb target-list
target-name:8X8
deprecated:0
sz_domain:6

target-name:ADP
deprecated:0
sz_domain:5

target-name:AOL
deprecated:0
sz_domain:9

target-name:AWS dynamodb
deprecated:0
sz_domain:27

target-name:AWS ec2
deprecated:0
sz_domain:27

target-name:AWS ecs
deprecated:0
sz_domain:27

target-name:AWS es
deprecated:0
sz_domain:27

target-name:AWS lambda
deprecated:0
sz_domain:27
...

3. List the domains under a specific target predefined by FortiGuard in the SLA database:
# diagnose sladb domain-list ADP
domain-name:www.adp.com
desc:ADP (www.adp.com)
deprecated:0
sz_protocol:2

domain-name:ipay.adp.com
desc:Online payroll management and payment platform.
deprecated:0
sz_protocol:2

domain-name:workforcenow.adp.com
desc:Human resource management platform.
deprecated:0
sz_protocol:2

domain-name:globalview.adp.com
desc:Global HR management platform.
deprecated:0
sz_protocol:2

domain-name:mobile.adp.com
desc:Mobile app for ADP services.
deprecated:0
sz_protocol:2

4. List the protocols under a specific target and domain predefined by FortiGuard in the SLA database:
# diagnose sladb protocol-list ADP www.adp.com


target-name:ADP
domain-name:www.adp.com

protocol: ping
protocol: https

5. View the communication method between FortiGate and servers predefined by FortiGuard for SD-WAN health-checks.
# show system health-check-fortiguard
config system health-check-fortiguard
edit "8X8"
set server "www.8x8.com"
set protocol https
next
edit "ADP"
set server "www.adp.com"
next
edit "AOL"
set server "www.aol.com"
next
edit "AWS dynamodb"
set server "dynamodb.me-central-1.amazonaws.com"
next
edit "AWS ec2"
set server "ec2.us-east-1.amazonaws.com"
next
edit "AWS ecs"
set server "ecs.me-central-1.amazonaws.com"
next
edit "AWS es"
set server "es.us-east-1.amazonaws.com"
next
edit "AWS lambda"
set server "lambda.us-east-1.amazonaws.com"
next
...

Passive monitoring of TCP metrics - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
- Passive monitoring of TCP metrics

FortiGate can now perform passive monitoring of TCP metrics by measuring and logging the following for each TCP
session:
- Network response time
- Server response time
- Original retransmits
- Reply retransmits
- SYN retransmits
- SYN-ACK retransmits
- Original or reply resets
Passive monitoring of TCP sessions is configured in firewall policies with the SD-WAN zone as the destination interface
using the following CLI command:
config firewall policy
edit <entry>
set app-monitor {enable | disable}
next
end

When app-monitor is enabled in a firewall policy, NPU offloading for that policy is automatically disabled, so matching
sessions are inspected by the CPU (the session output later in this example shows no_ofld_reason: disabled-by-policy).
The following metrics for each TCP session are logged:

tcpnrt          TCP Network Response Time: the time between the SYN_ACK and the ACK, in milliseconds.
tcpsrt          TCP Server Response Time: the time between the SYN and the SYN_ACK, in milliseconds.
tcporgrtrs      TCP Original Retransmit: the number of retransmissions in the original direction.
tcprplrtrs      TCP Reply Retransmit: the number of retransmissions in the reply direction.
tcpsynrtrs      TCP SYN Retransmit: the number of SYN retransmissions.
tcpsynackrtrs   TCP SYN ACK Retransmit: the number of SYN_ACK retransmissions.
tcprst          TCP Reset: none, origin, or reply.

This feature helps monitor performance of TCP traffic and locate potential network issues. You can display TCP metrics
using the diagnose sys session list command, or you can view traffic logs in either the CLI or the GUI.
SD-WAN traffic steering remains independent from the measured TCP session metrics.

Example

In this example, SD-WAN is configured with a zone named virtual-wan-link, and it contains two members (vlan100 and
vd1-p1). A firewall policy is configured for the SD-WAN zone to passively monitor TCP metrics from the PC to a server.

To configure SD-WAN:

1. Configure SD-WAN:
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "vd1-p1"
next
edit 2
set interface "vlan100"
set gateway 172.16.206.2
next
end
config service
edit 1
set name "1"
set dst "all"
set src "172.16.205.0"
set priority-members 1 2
next
end
end

2. Identify the preferred interface:


In this example vd1-p1 is the preferred SD-WAN member.
# diagnose sys sdwan service4

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut


Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
Members(2):
1: Seq_num(1 vd1-p1 virtual-wan-link), alive, selected
2: Seq_num(2 vlan100 virtual-wan-link), alive, selected
Src address(1):
172.16.205.0-172.16.205.255
Dst address(1):
0.0.0.0-255.255.255.255

3. Configure a firewall policy for the SD-WAN zone to monitor traffic from the PC:
In this example, the dstintf option is set to the SD-WAN zone (virtual-wan-link), the srcaddr option
identifies the PC (172.16.205.0), and passive monitoring and logging of TCP metrics is enabled.
config firewall policy
edit 1
set name "TCP-Metrics"
set srcintf "any"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "172.16.205.0"
set dstaddr "all"
set schedule "always"
set service "ALL"
set app-monitor enable
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set application-list "g-default"
set logtraffic all
set auto-asic-offload disable
next
end

4. As traffic passes from the PC through FortiGate to the server, TCP traffic is measured and logged, and you can view
the results:
- View a session list:
# diagnose sys session list

session info: proto=6 proto_state=11 duration=172 expire=3577 timeout=3600 refresh_


dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=172.16.209.2/0.0.0.0 vlan_cos=0/255
state=log may_dirty f00 f02 app_valid
statistic(bytes/packets/allow_err): org=59961/864/1 reply=2663311/2103/1 tuples=2
tx speed(Bps/kbps): 2/0 rx speed(Bps/kbps): 3/0
orgin->sink: org pre->post, reply pre->post dev=15->115/115->15
gwy=172.16.209.2/172.16.205.100
hook=pre dir=org act=noop 172.16.205.100:51128->172.16.202.2:22(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.202.2:22->172.16.205.100:51128(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=843 auth_info=0 chk_client_info=0 vd=0
serial=00006eb8 tos=ff/ff app_list=6000 app=16060 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1
rpdb_link_id=ff000001 ngfwid=n/a
tcp_srt=240 tcp_nrt=0 tcp_org_rtrs=17 tcp_rpl_rtrs=273 tcp_syn_rtrs=0 tcp_syn_ack_rtrs=0 tcp_rst=00
npu_state=0x1041001 no_offload
no_ofld_reason: disabled-by-policy non-npu-intf
total session: 1

- View metrics for TCP sessions in the logs:


# execute log display

1: date=2024-11-27 time=09:16:16 eventtime=1732655776116103929 tz="+1200"


logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root"
srcip=172.16.205.100 srcport=51128 srcintf="port5" srcintfrole="undefined"
dstip=172.16.202.2 dstport=22 dstintf="vd1-p1" dstintfrole="wan"
srccountry="Reserved" dstcountry="Reserved" sessionid=28344 proto=6 action="accept"
policyid=1 policytype="policy" poluuid="ba9c4c14-85b8-51ef-6644-c7ff3d55c4ce"
policyname="TCP-Metrics" service="SSH" trandisp="noop" appid=16060 app="SSH"
appcat="Network.Service" apprisk="elevated" applist="g-default" duration=149
sentbyte=59857 rcvdbyte=2663123 sentpkt=863 rcvdpkt=2101 vpntype="ipsecvpn" vwlid=1
vwlquality="Seq_num(1 vd1-p1 virtual-wan-link), alive, selected" vwlname="1" tcpnrt=0
tcpsrt=240 tcporgrtrs=17 tcprplrtrs=273 tcpsynrtrs=0 tcpsynackrtrs=0 tcprst="none"
sentdelta=59857 rcvddelta=2663123 durationdelta=149 sentpktdelta=863
rcvdpktdelta=2101

Enhanced passive monitoring of TCP metrics - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
- Passive monitoring of TCP metrics

This enhancement adds passive monitoring of TCP metrics per application and expands the set of metrics that are
measured and logged. Previously, monitoring was per session and covered a smaller set of metrics. See Passive
monitoring of TCP metrics 7.6.1 on page 230 for more information.
The new metrics include:
- Server Response Time
- Network Transfer Time
- Latency
- RTT Sample
- Origin Jitter
- Reply Jitter
- Jitter
- Origin Packet Loss
- Reply Packet Loss
- Packet Loss
- Retransmission Sample
- Origin Retransmission
- Reply Retransmission
- SYN Retransmission
- SYN-ACK Retransmission
- Origin Reset
- Reply Reset

To enable passive monitoring of applications:

config firewall policy
edit <entry>
set app-monitor enable
set passive-wan-health-measurement enable
next
end

Example

In this example, SD-WAN is configured with a zone named virtual-wan-link that contains two members (vlan100 and
vd1-p1), and a firewall policy for the SD-WAN zone passively monitors TCP metrics from the PC to a server. See Passive
monitoring of TCP metrics 7.6.1 on page 230 for the complete configuration.
The only change from the 7.6.1 configuration is to also enable passive-wan-health-measurement in that firewall
policy, which turns on per-application monitoring.

As traffic passes from the PC through the FortiGate to the server, the TCP metrics are measured per application and
written to the SD-WAN event log. For example:
1: date=2025-03-06 time=09:40:33 eventtime=1741210833244790449 tz="+1200" logid="0113022941"
type="event" subtype="sdwan" level="information" vd="root" logdesc="SDWAN application
performance metrics via kernel" eventtype="Application Performance Metrics" appid=16091
interface="vd1-p1" serverresponsetime="162.0" networktransfertime="0.0" latency="162.0"
rttsample=5 originjitter="0" replyjitter="100" jitter="100.0" originpktloss="21.8"
replypktloss="2.6" packetloss="3.7" retransample=6 originretransmission=13
replyretransmission=17 synretransmission=0 synackretransmission=0 originreset=0 replyreset=0
msg="Application Performance Metrics via kernel"
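Both records above are standard FortiOS key=value log lines, so one parser serves the per-session tcp* fields from the 7.6.1 traffic log and the per-application metrics from the 7.6.3 SD-WAN event. The following is an added example, not FortiOS code, that parses such lines and applies simple thresholds to them. The thresholds (5% retransmit ratio, 2% packet loss, 150 ms server response time) are arbitrary values chosen for the example, not FortiOS defaults or recommendations, and the two sample lines are constructed from the log entries shown in these two sections, unwrapped and trimmed of fields the checks do not use.

```python
import re

# Constructed samples modelled on the two log records shown in these sections (the 7.6.1
# traffic log from "execute log display" and the 7.6.3 SD-WAN application performance
# event), unwrapped and trimmed to the fields the checks below use.
TRAFFIC_LOG = (
    '1: date=2024-11-27 time=09:16:16 eventtime=1732655776116103929 tz="+1200" '
    'logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=172.16.205.100 srcport=51128 srcintf="port5" dstip=172.16.202.2 dstport=22 '
    'dstintf="vd1-p1" sessionid=28344 proto=6 action="accept" policyid=1 '
    'policyname="TCP-Metrics" service="SSH" appid=16060 app="SSH" duration=149 '
    'sentbyte=59857 rcvdbyte=2663123 sentpkt=863 rcvdpkt=2101 vwlid=1 '
    'vwlquality="Seq_num(1 vd1-p1 virtual-wan-link), alive, selected" vwlname="1" '
    'tcpnrt=0 tcpsrt=240 tcporgrtrs=17 tcprplrtrs=273 tcpsynrtrs=0 tcpsynackrtrs=0 '
    'tcprst="none"'
)
APP_EVENT_LOG = (
    '1: date=2025-03-06 time=09:40:33 eventtime=1741210833244790449 tz="+1200" '
    'logid="0113022941" type="event" subtype="sdwan" level="information" vd="root" '
    'logdesc="SDWAN application performance metrics via kernel" '
    'eventtype="Application Performance Metrics" appid=16091 interface="vd1-p1" '
    'serverresponsetime="162.0" networktransfertime="0.0" latency="162.0" rttsample=5 '
    'originjitter="0" replyjitter="100" jitter="100.0" originpktloss="21.8" '
    'replypktloss="2.6" packetloss="3.7" retransample=6 originretransmission=13 '
    'replyretransmission=17 synretransmission=0 synackretransmission=0 originreset=0 '
    'replyreset=0 msg="Application Performance Metrics via kernel"'
)

# Thresholds are arbitrary values for this example, not FortiOS defaults.
RETRANS_RATIO_MAX = 0.05   # retransmitted / total packets in a session
PKT_LOSS_MAX = 2.0         # percent, per application
SRT_MAX_MS = 150.0         # server response time, per application

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """FortiOS key=value log line -> dict. Quoted values keep their spaces, quotes dropped."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in _KV.findall(line)}


def session_findings(rec):
    """Checks on the per-session tcp* fields of a 7.6.1 traffic log."""
    findings = []
    total = int(rec["sentpkt"]) + int(rec["rcvdpkt"])
    retrans = int(rec["tcporgrtrs"]) + int(rec["tcprplrtrs"])
    ratio = retrans / total if total else 0.0
    if ratio > RETRANS_RATIO_MAX:
        findings.append(f"retransmit ratio {ratio:.1%} exceeds {RETRANS_RATIO_MAX:.0%}")
    if int(rec["tcpsynrtrs"]) or int(rec["tcpsynackrtrs"]):
        findings.append("handshake retransmits present")
    if rec.get("tcprst", "none") != "none":
        findings.append(f"session reset by {rec['tcprst']}")
    return findings


def application_findings(rec):
    """Checks on the per-application metrics of a 7.6.3 sdwan event log."""
    findings = []
    loss, srt = float(rec["packetloss"]), float(rec["serverresponsetime"])
    if loss > PKT_LOSS_MAX:
        findings.append(f"packet loss {loss}% exceeds {PKT_LOSS_MAX}%")
    if srt > SRT_MAX_MS:
        findings.append(f"server response time {srt} ms exceeds {SRT_MAX_MS} ms")
    if int(rec["originreset"]) or int(rec["replyreset"]):
        findings.append("resets observed")
    return findings


def triage(line):
    """Dispatch on record type; returns (appid, SD-WAN member, findings)."""
    rec = parse_log(line)
    if rec.get("type") == "traffic" and "tcpsrt" in rec:
        return rec.get("appid"), rec.get("dstintf"), session_findings(rec)
    if rec.get("type") == "event" and rec.get("subtype") == "sdwan" and "packetloss" in rec:
        return rec.get("appid"), rec.get("interface"), application_findings(rec)
    return rec.get("appid"), None, []


if __name__ == "__main__":
    for line in (TRAFFIC_LOG, APP_EVENT_LOG):
        print(triage(line))
```

The session record above trips the retransmit check (290 retransmitted of 2964 packets), while the application record trips both the packet-loss and server-response-time checks; the ratio is computed from the log's own packet counters rather than from a fixed window, so it is comparable across sessions of different length.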


Service rules

This section includes information about service rule related new features:
- Allow SD-WAN rules to steer IPv6 multicast traffic on page 236
- Specify SD-WAN zones in some policies 7.6.1 on page 242

Allow SD-WAN rules to steer IPv6 multicast traffic

This information is also available in the FortiOS 7.6 Administration Guide:
- Use SD-WAN rules to steer multicast traffic

SD-WAN rules can now steer IPv6 multicast traffic. Previously, only IPv4 multicast traffic was supported. When an
SD-WAN member is out of SLA, multicast traffic can fail over to another SD-WAN member and switch back when the SLA
recovers.
The new pim-use-sdwan option enables or disables the use of SD-WAN for PIM (Protocol Independent Multicast)
when checking RP (Rendezvous Point) neighbors and sending PIM-SM join or register packets.
config router multicast6
config pim-sm-global
set pim-use-sdwan {enable | disable}
end
end

When SD-WAN steers multicast traffic, ADVPN is not supported. Use the set shortcut
option to disable shortcuts for the service:
config system sdwan
config service
edit <id>
set shortcut {enable | disable}
next
end
end

Example

In the following example, three PIM-SM enabled tunnels are configured between Spoke-1 and the Hub. The multicast
source is located at Hub, and the multicast receiver is attached to Spoke-1.

This example focuses on configuration related to the new feature. Following is an overview of the configuration steps:

1. On the hub FortiGate, configure multicast routing for the source and the multicast RP.
2. On the spoke FortiGate, configure multicast routing and enable SD-WAN for steering.
3. Verify traffic failover for the following scenarios:
- When the cost of an SD-WAN member changes
- When a link is in SLA
- When a link is out of SLA

To configure the Hub:

1. On Hub, configure multicast routing for the source and the multicast RP:
In this example, port5 is used for the multicast source, and 2000:172:16:205::1 is the IPv6 address of the RP.
config router multicast6
set multicast-routing enable
config interface
edit "hub-phase1"
next
edit "hub2-phase1"
next
edit "port5"
next
edit "hub3-phase1"
next
end
config pim-sm-global
config rp-address
edit 1
set ip6-address 2000:172:16:205::1
next
end
end
end

2. Configure the firewall policy:


config firewall multicast-policy6
edit 1
set srcintf "port5"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
next
end

3. Verify that all PIM-SM neighbors are established:


# get router info6 multicast pim sparse-mode neighbor
Neighbor Address      Interface     Uptime/Expires      Ver  DR Prio/Mode
fe80::1               hub-phase1    06:49:35/00:01:39   v2   1 /
fe80::2               hub2-phase1   06:49:34/00:01:42   v2   1 /
fe80::1               hub3-phase1   02:41:17/00:01:31   v2   1 /

To configure Spoke-1:

1. On Spoke-1, configure multicast routing and enable SD-WAN for steering:

In this example, port2 is used for the multicast receiver, the use of SD-WAN for steering is enabled, and
2000:172:16:205::1 is the IPv6 address of the RP.
config router multicast6
set multicast-routing enable
config interface
edit "spoke11-p1"
next
edit "spoke12-p1"
next
edit "port2"
next
edit "spoke13-p1"
next
end
config pim-sm-global
set pim-use-sdwan enable
config rp-address
edit 1
set ip6-address 2000:172:16:205::1
next
end
end
end

2. Configure the firewall policy:


config firewall multicast-policy6
edit 1
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
next
end

3. Configure SD-WAN:
In this example, the protocol is set to 103 to match PIM-SM join/register messages.
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "spoke11-p1"
next
edit 2
set interface "spoke12-p1"
next
edit 3
set interface "spoke13-p1"
next
end
config health-check
edit "1"
set addr-mode ipv6
set server "2000::9:0:0:1"
set update-static-route disable
set members 1
config sla
edit 1
next
end
next
edit "2"
set addr-mode ipv6
set server "2000::9:0:0:2"
set update-static-route disable
set members 2
config sla
edit 1
next
end
next
edit "3"
set addr-mode ipv6
set server "2000::9:0:0:3"
set update-static-route disable
set members 3
config sla
edit 1
next
end
next
end
config service
edit 1
set name "1"
set addr-mode ipv6
set mode sla
set protocol 103
config sla
edit "1"
set id 1
next
edit "2"
set id 1
next
edit "3"
set id 1
next
end
set priority-members 1 2 3
set sla-compare-method number
set dst6 "all"
next
end
end

4. Verify that all PIM-SM neighbors are established:


# get router info6 multicast pim sparse-mode neighbor
Neighbor Address      Interface     Uptime/Expires      Ver  DR Prio/Mode
fe80:10:10:15::253    spoke11-p1    06:49:50/00:01:16   v2   1 / DR
fe80:10:10:16::253    spoke12-p1    06:49:50/00:01:26   v2   1 / DR
fe80:10:10:17::253    spoke13-p1    02:41:32/00:01:43   v2   1 / DR

To verify traffic failover:

1. On Spoke-1, diagnose the SD-WAN service. The preferred member is spoke11-p1, which terminates on hub-phase1:
# diagnose sys sdwan service6

Service(1): Address Mode(IPV6) flags=0x4200 use-shortcut-sla use-shortcut


Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(103): src(1->65535):dst(1->65535), Mode(sla), sla-
compare-number
Members(3):
1: Seq_num(1 spoke11-p1 virtual-wan-link), alive, sla(0x1), gid(0), cfg_order(0),
local cost(0), selected >>>>>>> spoke11-p1 which is connected to hub-phase1 is
preferred
2: Seq_num(2 spoke12-p1 virtual-wan-link), alive, sla(0x2), gid(0), cfg_order(1),
local cost(0), selected
3: Seq_num(3 spoke13-p1 virtual-wan-link), alive, sla(0x4), gid(0), cfg_order(2),
local cost(0), selected
Dst6 address(1): ::/0

2. When the receiver joins group ff15::10 (with an MLD report, the IPv6 counterpart of IGMP), view the mroute on
Spoke-1 and the Hub:
- On Spoke-1:
The RPF idx is spoke11-p1, which terminates on hub-phase1. This shows that the PIM-SM join follows the SD-WAN
service rule and is sent over spoke11-p1; port2 is the interface toward the receiver.
FGT_B (root)# get router info6 multicast pim sparse-mode mroute ff15::10
IP Multicast Routing Table

......

(*, ff15::10)
RP: 2000:172:16:205::1
RPF nbr: fe80:10:10:15::253
RPF idx: spoke11-p1
Upstream State: JOINED
Local:
port2
Joined:
Asserted:
FCR:
Source: 2000:172:16:205::100
Outgoing:
port2
KAT timer running, 196 seconds remaining
Packet count 168


...

- On the Hub:
hub-phase1, the tunnel that terminates spoke11-p1 from Spoke-1, is in the Joined list.
FGT_A (root) (Interim)# get router info6 multicast pim sparse-mode mroute ff15::10
IP Multicast Routing Table

......

(*, ff15::10)
RP: 2000:172:16:205::1
RPF nbr: ::
RPF idx: None
Upstream State: JOINED
Local:
Joined:
hub-phase1
Asserted:
FCR:

...

3. The server starts to send multicast traffic to group ff15::10, and Hub forwards the traffic to Spoke-1 through hub-phase1.
FGT_A (root) (Interim)# diagnose sniffer packet any 'host ff15::10' 4
interfaces=[any]
filters=[host ff15::10]
0.637174 port5 in 2000:172:16:205::100.38823 -> ff15::10.12345: udp 46 [flowlabel
0x8ea58]
0.637228 hub-phase1 out 2000:172:16:205::100.38823 -> ff15::10.12345: udp 46 [flowlabel
0x8ea58]

4. When the cost of members spoke11-p1 and spoke12-p1 is increased, SD-WAN prefers spoke13-p1.
The PIM-SM join from Spoke-1 to the RP is now sent over spoke13-p1, and the multicast traffic on the Hub fails over
to hub3-phase1 accordingly.
- On Spoke-1:
spoke13-p1, which terminates on hub3-phase1, is now preferred:
FGT_B (root) (Interim)# diagnose sys sdwan service6

Service(1): Address Mode(IPV6) flags=0x4200 use-shortcut-sla use-shortcut


Tie break: cfg
Shortcut priority: 2
Gen(1), TOS(0x0/0x0), Protocol(103): src(1->65535):dst(1->65535), Mode(sla), sla-
compare-number
Members(3):
1: Seq_num(3 spoke13-p1 virtual-wan-link), alive, sla(0x4), gid(0), cfg_order(2),
local cost(0), selected
2: Seq_num(1 spoke11-p1 virtual-wan-link), alive, sla(0x1), gid(0), cfg_order(0),
local cost(20), selected
3: Seq_num(2 spoke12-p1 virtual-wan-link), alive, sla(0x2), gid(0), cfg_order(1),
local cost(20), selected
Dst6 address(1): ::/0

- On the Hub:
Once the cost of spoke11-p1 is increased, the multicast traffic fails over to hub2-phase1; once the cost of
spoke12-p1 is also increased, it fails over to hub3-phase1.
FGT_A (root) (Interim)# diagnose sniffer packet any 'host ff15::10' 4
interfaces=[any]
filters=[host ff15::10]

....
385.497887 port5 in 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46 [flowlabel
0xa5e3d]
385.497927 hub-phase1 out 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46
[flowlabel 0xa5e3d]
386.497967 port5 in 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46 [flowlabel
0xa5e3d]
386.498258 hub2-phase1 out 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46
[flowlabel 0xa5e3d]
387.498044 port5 in 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46 [flowlabel
0xa5e3d]
...
400.499075 port5 in 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46 [flowlabel
0xa5e3d]
400.499120 hub2-phase1 out 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46
[flowlabel 0xa5e3d]
401.499180 port5 in 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46 [flowlabel
0xa5e3d]
401.499515 hub3-phase1 out 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46
[flowlabel 0xa5e3d]
402.499254 port5 in 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46 [flowlabel
0xa5e3d]
402.499319 hub3-phase1 out 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46
[flowlabel 0xa5e3d]
403.499330 port5 in 2000:172:16:205::100.41944 -> ff15::10.12345: udp 46 [flowlabel
0xa5e3d]
...

5. When spoke13-p1 goes out of SLA, SD-WAN selects spoke11-p1 as the preferred member.
This redirects the PIM-SM join from Spoke-1 to the RP over spoke11-p1, so the multicast traffic on the Hub fails
over to hub-phase1.
6. Conversely, when spoke13-p1 is back in SLA, SD-WAN prefers it again.
This redirects the PIM-SM join from Spoke-1 to the RP over spoke13-p1, triggering a switch back
of the multicast traffic to hub3-phase1 on the Hub.
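Every transition in this walkthrough (step 1, the two stages of step 4, step 5 and step 6) follows from one ordering rule for a service in mode sla with sla-compare-method number: members that meet more of their SLA targets come first, then lower cost, then configuration order. The following is an added example, not FortiOS code, that models that rule and replays the example's transitions to show which hub tunnel ends up carrying the PIM-SM join and therefore the multicast stream. Assumptions: the ordering just stated, one SLA target per member, that dead members are simply skipped, and that hold-down timers, sla-stickiness, tie-break and the other service options are ignored; the spoke-to-hub tunnel mapping is the one described in this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Member:
    seq: int           # Seq_num shown by "diagnose sys sdwan service6"
    name: str          # SD-WAN member interface
    cfg_order: int     # position in "set priority-members"
    cost: int = 0      # member cost ("set cost" under config members), assumed 0 unless raised
    alive: bool = True
    sla_met: int = 1   # number of SLA targets currently met (one target per member here)


# Hub tunnel that terminates each spoke overlay, as laid out in the example above.
HUB_TUNNEL = {"spoke11-p1": "hub-phase1", "spoke12-p1": "hub2-phase1", "spoke13-p1": "hub3-phase1"}


def rank(members):
    """Modelled member order for mode sla with sla-compare-method number:
    more SLA targets met first, then lower cost, then configuration order.
    Dead members are dropped. Hold-down, sla-stickiness, tie-break and other
    service options are deliberately not modelled (assumption of this example)."""
    return sorted((m for m in members if m.alive),
                  key=lambda m: (-m.sla_met, m.cost, m.cfg_order))


def preferred(members):
    order = rank(members)
    return order[0].name if order else None


def pim_join_path(members):
    """Spoke member that carries the PIM-SM join to the RP, and the hub tunnel
    that therefore ends up in the Hub's Joined list and forwards the group."""
    spoke = preferred(members)
    return spoke, HUB_TUNNEL.get(spoke)


def walkthrough():
    """Replay the example: returns {step: (spoke member, hub tunnel)}."""
    base = [Member(1, "spoke11-p1", 0), Member(2, "spoke12-p1", 1), Member(3, "spoke13-p1", 2)]
    steps = {"step 1: all in SLA": pim_join_path(base)}

    s11_costly = [replace(m, cost=20) if m.name == "spoke11-p1" else m for m in base]
    steps["step 4a: spoke11-p1 cost raised"] = pim_join_path(s11_costly)

    both_costly = [replace(m, cost=20) if m.name == "spoke12-p1" else m for m in s11_costly]
    steps["step 4b: spoke12-p1 cost raised too"] = pim_join_path(both_costly)

    s13_out = [replace(m, sla_met=0) if m.name == "spoke13-p1" else m for m in both_costly]
    steps["step 5: spoke13-p1 out of SLA"] = pim_join_path(s13_out)

    steps["step 6: spoke13-p1 back in SLA"] = pim_join_path(both_costly)
    return steps


if __name__ == "__main__":
    for step, (spoke, hub) in walkthrough().items():
        print(f"{step}: join via {spoke}, Hub forwards on {hub}")
```

The intermediate result in step 4 (only spoke11-p1 made expensive) falls out of the same rule: spoke12-p1 and spoke13-p1 tie on SLA and cost, and configuration order picks spoke12-p1, which is why the Hub's sniffer shows hub2-phase1 before hub3-phase1. Step 5 shows the SLA term outranking cost: an out-of-SLA member with cost 0 loses to in-SLA members with cost 20.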

Specify SD-WAN zones in some policies - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
- Specify SD-WAN zones in some policies

SD-WAN zones can be specified as interfaces in local-in policies, DoS policies, interface policies, multicast policies,
TTL policies, and central SNAT maps. Because the policy references the zone rather than each member interface, adding
or replacing an SD-WAN member no longer requires editing every policy that should cover it.

config firewall local-in-policy
edit <id>
set intf <SD-WAN zone>
next
end
config firewall DoS-policy
edit <id>
set interface <SD-WAN zone>
next
end
config firewall interface-policy
edit <id>
set interface <SD-WAN zone>
next
end
config firewall multicast-policy
edit <id>
set srcintf <SD-WAN zone>
set dstintf <SD-WAN zone>
next
end
config firewall ttl-policy
edit <id>
set srcintf <SD-WAN zone>
next
end
config firewall central-snat-map
edit <id>
set srcintf <SD-WAN zone>
set dstintf <SD-WAN zone>
next
end

Example

To use an SD-WAN zone as an interface in these policies:

1. Configure an SD-WAN zone:


config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "test"
next
end
config members
edit 1
set interface "agg1"
set zone "test"
set gateway 172.16.203.2
next
edit 2
set interface "vlan100"
set zone "test"
set gateway 172.16.206.2
next
end
end

2. Use that SD-WAN zone as an interface in policies:


config firewall local-in-policy
edit 1
set intf "test"
set srcaddr "172.16.205.0"
set dstaddr "all"
set service "ALL"
set schedule "always"
next
end
config firewall DoS-policy
edit 1
set interface "test"
set srcaddr "172.16.205.0"
set dstaddr "all"
set service "ALL"
config anomaly
edit "tcp_syn_flood"
set threshold 2000
next
edit "tcp_port_scan"
set threshold 1000
next
edit "tcp_src_session"
set threshold 5000
next
...
end
next
end
config firewall interface-policy
edit 1
set interface "test"
set srcaddr "172.16.205.0"
set dstaddr "all"
set service "ALL"
next
end
config firewall multicast-policy
edit 1
set srcintf "test"
set dstintf "any"
set srcaddr "172.16.205.0"
set dstaddr "all"
next
end
config firewall ttl-policy
edit 1
set srcintf "test"
set srcaddr "172.16.205.0"
set service "ALL"
set schedule "always"
set ttl 5
next
end
config firewall central-snat-map
edit 1
set srcintf any
set dstintf "test"
set orig-addr "all"
set dst-addr "172.16.205.0"
next
end

Policy and objects

This section includes information about policy and object related new features:
l NGFW on page 246
l Policies on page 247
l Objects on page 277

NGFW

This section includes information about new features related to NGFW policy mode:
l Seven-day policy hit counter on page 246

Seven-day policy hit counter

This information is also available in the FortiOS 7.6 Administration Guide:
- NGFW policy

The hit count for the last seven days is now available for next-generation firewall (NGFW) policies. The hit count offers a
rolling tally of how many times over the previous seven days a policy has been triggered, providing comprehensive,
dynamic insight into policy usage patterns.

To view the hit count in the GUI:

1. Go to Policy & Objects > Security Policy.


2. Select a security policy, and click Edit. The Last 7 Days chart displays the hit count for policy ID 1.
The following example was taken on June 12 and displays the previous seven days of hit counts (June 5 to June 11).

To view the hit count in the CLI:

1. Check the hit counter for a policy. The following example checks the hit count for the security policy with ID 1:
# diagnose ips pme policy stats
[ 357] vdom:2 policy:1 ""
first hit: 2024-06-05 10:22:56
last hit: 2024-06-12 10:28:38
hit count: 6 (1 0 0 1 1 1 1 1)

...

Policies

This section includes information about policy related new features:
• NPTv6 protocol for IPv6 address translation on page 248
• MAP-E supports multiple VNE interfaces in the same VDOM on page 251
• Full cone NAT for fixed port range IP pools on page 252
• Custom port ranges for PBA and FPR IP pools on page 255
• HTTP transaction logging on page 258
• Support for NAT64 in FPR IP pools on page 263
• Support for randomized port selection in IP pool mechanisms 7.6.1 on page 266
• Enhanced security with default local-in policy 7.6.1 on page 268
• DHCP-PD support for MAP-E 7.6.1 on page 271


NPTv6 protocol for IPv6 address translation

This information is also available in the FortiOS 7.6 Administration Guide:
• NPTv6 protocol for IPv6 address translation example

FortiOS adds partial support of the Network Prefix Translation (NPTv6) protocol defined in RFC6296 for IPv6 address
translation, ensuring end-to-end connectivity, address independence, and 1:1 address mapping. It allows the use of
private IPv6 addresses internally while translating them to globally routable IPv6 addresses when communicating with
external networks. It operates at the prefix level by translating the network prefix portion of an IPv6 address while
leaving the host information unchanged. This enhances network scalability and facilitates efficient IPv6 network
management.
A new NPTv6 type of IP pool is introduced which allows the internal prefix of an IPv6 address to be translated to an external
prefix. This gives administrators the freedom to use any internal prefix while still translating it efficiently to the globally
routable prefix provided by their provider.

To configure NPTv6 in the CLI:

config firewall ippool6
    edit <IPv6 IP pool name>
        set type nptv6
        set internal-prefix <internal NPTv6 prefix length>
        set external-prefix <external NPTv6 prefix length>
    next
end

To configure NPTv6 in the GUI:

1. Go to Policy & Objects > IP Pools.
2. Go to the IPv6 IP Pool tab.
3. Click Create new.
4. Configure the IP pool:
   a. Enter a Name.
   b. Set the Type to NPTv6.
   c. Enter the Internal prefix and External prefix.
   d. Click OK.


How NPTv6 works

NPTv6 works on the principle that network translation is accomplished using a stateless approach, and that it is
checksum-neutral at the transport layer. For instance, at the TCP layer, TCP checksums should remain unchanged even
after the IP address has been translated.
In brief, the TCP checksum is calculated over a pseudo-header that includes the source and destination IP addresses.
When the source address is translated, it needs to be done in a way that offsets the change to keep the checksum
unchanged. This can be accomplished with the following rules:
• For an IPv6 prefix length of 48 bits or shorter, a 16-bit adjustment can be made on the 4th word (4th hextet) of the
IPv6 address, which is the subnet field.
• For an IPv6 prefix length greater than 48 bits, a 16-bit adjustment can be made on the 5th, 6th, 7th, or 8th word of
the IPv6 address.
For example, to translate from an internal prefix of fc00:1::/48 to an external prefix of 2003:db8:1::/48, an "adjustment" of
0xce45 has to be made in the 4th word, by adding 0xce45 to the 16-bit subnet field.
Therefore, the internal address fc00:1::1/48 becomes 2003:db8:1:ce45::1/48.
For more information, see RFC 6296 Section 3, NPTv6 Algorithmic Specification.
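The adjustment calculation just described, as an added example that is not part of the FortiOS documentation or its code: a small Python implementation of the RFC 6296 rules, checked against the two prefix pairs used on this page (fc00:1::/48 to 2003:db8:1::/48 gives 0xce45; 2000:10:1:100::/64 to 2000:172:16:200::/64 gives 0xfd88, the adjust value shown in the diagnose output of the example that follows). It handles any prefix length up to /64, so it goes slightly beyond the two cases in the text. Function names are the example's own; treating a 0xFFFF result as 0x0000 follows the one's complement convention of the RFC.

```python
import ipaddress

# Added example (not FortiOS code): RFC 6296 checksum-neutral prefix translation.


def _words(addr):
    """Split a 128-bit address into its eight 16-bit words (hextets)."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def ones_complement_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_complement_sum(words):
    total = 0
    for w in words:
        total = ones_complement_add(total, w)
    return total


def nptv6_adjustment(internal_prefix, external_prefix):
    """Adjustment = sum(internal prefix words) - sum(external prefix words), in one's
    complement. Adding it to one word of the rewritten address cancels the change the
    prefix swap made to the transport pseudo-header checksum."""
    inet = ipaddress.IPv6Network(internal_prefix)
    enet = ipaddress.IPv6Network(external_prefix)
    if inet.prefixlen != enet.prefixlen:
        raise ValueError("internal and external prefix must have the same length")
    if inet.prefixlen > 64:
        raise ValueError("prefixes longer than /64 leave no word for the adjustment")
    int_sum = ones_complement_sum(_words(inet.network_address))
    ext_sum = ones_complement_sum(_words(enet.network_address))
    adj = ones_complement_add(int_sum, (~ext_sum) & 0xFFFF)  # subtract = add the complement
    return 0 if adj == 0xFFFF else adj                        # 0xFFFF is "negative zero"


def _adjust_index(words, prefixlen):
    """/48 or shorter: the subnet field (4th word). Longer prefixes: the first word of
    the interface identifier (words 5-8) that is not 0xFFFF, as RFC 6296 specifies."""
    if prefixlen <= 48:
        return 3
    for i in range(4, 8):
        if words[i] != 0xFFFF:
            return i
    raise ValueError("address has no translatable word")


def nptv6_translate(address, internal_prefix, external_prefix, outbound=True):
    """Translate one address. outbound=True maps internal->external (the SNAT in the
    session table); outbound=False reverses it (the DNAT applied to the reply)."""
    inet = ipaddress.IPv6Network(internal_prefix)
    enet = ipaddress.IPv6Network(external_prefix)
    adj = nptv6_adjustment(internal_prefix, external_prefix)
    src_net, dst_net = (inet, enet) if outbound else (enet, inet)
    addr = ipaddress.IPv6Address(address)
    if addr not in src_net:
        raise ValueError(f"{address} is not inside {src_net}")
    if not outbound:
        adj = (~adj) & 0xFFFF  # the reverse direction subtracts the adjustment
    host_mask = (1 << (128 - inet.prefixlen)) - 1
    rewritten = (int(dst_net.network_address) & ~host_mask) | (int(addr) & host_mask)
    words = _words(ipaddress.IPv6Address(rewritten))
    i = _adjust_index(words, inet.prefixlen)
    words[i] = ones_complement_add(words[i], adj)
    if words[i] == 0xFFFF:
        words[i] = 0
    return str(_from_words(words))


def address_checksum_term(address):
    """One's complement sum of the address words, i.e. the address's contribution to
    the TCP/UDP/ICMPv6 pseudo-header checksum. It must be equal before and after
    translation for the translation to be checksum-neutral."""
    return ones_complement_sum(_words(ipaddress.IPv6Address(address)))


if __name__ == "__main__":
    internal, external = "2000:10:1:100::/64", "2000:172:16:200::/64"
    print(hex(nptv6_adjustment(internal, external)))            # 0xfd88
    print(nptv6_translate("2000:10:1:100::41", internal, external))  # 2000:172:16:200:fd88::41
```

Running the block with the page's /64 pool reproduces both the adjust=FD88 value and the translated source 2000:172:16:200:fd88::41 seen in the session table and sniffer output, and address_checksum_term confirms the pseudo-header contribution is unchanged.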

Example

In the following example, an NPTv6 pool will be created and applied to the firewall policy. The packet IPv6 address
translation will then be verified.

To configure the NPTv6 IP pool:

1. Configure the NPTv6 IP pool and prefix length:
   The internal and external prefix must be the same length.
config firewall ippool6
    edit "NPTv6-ippool6-1"
        set type nptv6
        set internal-prefix 2000:10:1:100::/64
        set external-prefix 2000:172:16:200::/64
    next
end

2. Apply the IP pool in the firewall policy:
config firewall policy
    edit 2
        set name "NPTv6_policy6-1"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname6 "NPTv6-ippool6-1"
    next
end

To verify the address translation:

1. Start an ICMP ping from 2000:10:1:100::41 to 2000:172:16:200::155.
2. Identify the 16-bit subnet field adjustment that is calculated according to the algorithm specified by RFC6296:
# diagnose firewall iprope6 list 100004
policy id: 2, group: 00100004, uuid_idx=8162
action: accept, schedule: always
cos_fwd=255 cos_rev=255
flag (08050109): log redir nat master use_src pol_stats
flag2(00004000): resolve_sso
flag3(00000080): best-route
shapers: / per_ip=
sub_groups: av 00004e20 auth 00000000 split 00000000 misc 00000000
app_list: 0 ips_view: 0
vdom_id: 0
zone_from(1): 8
zone_to(1): 7
address_src(1):
all uuid_idx=8045
address_dst(1):
all uuid_idx=8045
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
nat(0):
nat_64(0):
nptv6(1):
2000:10:1:100::/64->2000:172:16:200::/64 adjust=FD88

3. Verify the session table. The translated IP address shows 2000:172:16:200:fd88::41 after applying the external
prefix and the adjustment.
# diagnose sys session6 list
session6 info: proto=58 proto_state=00 duration=15 expire=45 timeout=0 refresh_dir=both
flags=00000000 sockport=0 socktype=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=1096/2/0 reply=1096/2/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=8->7/7->8
hook=post dir=org act=snat 2000:10:1:100::41:15308->2000:172:16:200::155:128(2000:172:16:200:fd88::41:15308)
hook=pre dir=reply act=dnat 2000:172:16:200::155:15308->2000:172:16:200:fd88::41:129(2000:10:1:100::41:15308)
misc=0 policy_id=2 pol_uuid_idx=8162 auth_info=0 chk_client_info=0 vd=0
serial=00000b86 tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=128/129, ipid=129/128, vlan=0x0000/0x0000
vlifid=129/128, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=4/7, ha_divert=0/0
total session6: 1

4. Take a sniffer trace. The IP address also shows 2000:172:16:200:fd88::41.
# diagnose sniffer packet any icmp6 4
interfaces=[any]
filters=[icmp6]
6.712522 port2 in 2000:10:1:100::41 -> 2000:172:16:200::155: icmp6: echo request seq 1 [flowlabel 0xc6f01]
6.712555 port1 out 2000:172:16:200:fd88::41 -> 2000:172:16:200::155: icmp6: echo request seq 1 [flowlabel 0xc6f01]
6.712706 port1 in 2000:172:16:200::155 -> 2000:172:16:200:fd88::41: icmp6: echo reply seq 1 [flowlabel 0xa0b59]
6.712718 port2 out 2000:172:16:200::155 -> 2000:10:1:100::41: icmp6: echo reply seq 1 [flowlabel 0xa0b59]
7.721168 port2 in 2000:10:1:100::41 -> 2000:172:16:200::155: icmp6: echo request seq 2 [flowlabel 0xc6f01]
7.721181 port1 out 2000:172:16:200:fd88::41 -> 2000:172:16:200::155: icmp6: echo request seq 2 [flowlabel 0xc6f01]
7.721347 port1 in 2000:172:16:200::155 -> 2000:172:16:200:fd88::41: icmp6: echo reply seq 2 [flowlabel 0xa0b59]
7.721355 port2 out 2000:172:16:200::155 -> 2000:10:1:100::41: icmp6: echo reply seq 2 [flowlabel 0xa0b59]
^C
8 packets received by filter
0 packets dropped by kernel

The IPv6 prefix and subnet fields have been translated but the host field remains unchanged.

MAP-E supports multiple VNE interfaces in the same VDOM

This information is also available in the FortiOS 7.6 Administration Guide:
• MAP-E support

Mapping of Address and Port with Encapsulation (MAP-E) now supports multiple Virtual Network Embedding (VNE)
interfaces within the same VDOM, allowing for a more versatile network setup. Previously only one VNE interface was
supported.
After upgrading to FortiOS 7.6.0, any existing VNE configurations are converted to a table and retain their previous
names.


In the config system vne-interface command, the set status option is no longer needed and has been
removed.

To configure two VNE tunnels for a FortiGate VDOM:

config system vne-interface
    edit "vne1"
        set interface "agg1"
        set ipv4-address 12.12.12.1 255.255.255.0
        set br "2000:11:11:11::2"
        set update-url "<URL>"
        set mode fixed-ip
    next
    edit "vne2"
        set interface "port1"
        set ipv4-address 13.13.13.1 255.255.255.0
        set br "2003:172:16:200::4"
        set update-url "<URL>"
        set mode fixed-ip
    next
end

Full cone NAT for fixed port range IP pools

This information is also available in the FortiOS 7.6 Administration Guide:
• Full cone NAT for fixed port range IP pools

Full cone Network Address Translation (NAT) support is added for Fixed Port Range (FPR) IP pools. It allows all external
hosts to send packets to internal hosts through a mapped external IP address and port, enhancing connectivity and
communication efficiency. Full cone NAT is also known as Endpoint Independent Filtering (EIF).
To enable full cone NAT, enable the permit-any-host option when configuring the FPR IP pool:
config firewall ippool
    edit <name>
        set type fixed-port-range
        set permit-any-host {enable | disable}
    next
end

Only UDP is supported for full cone NAT.


In this example, a NAT44 FPR IP pool with permit-any-host enabled is created and applied to a policy. A packet sent
from Client1 to Server1 hits the policy. The session list is checked for the NAT IP address and port, 172.16.201.3 and
1033. The expectation session list is then checked to confirm that the session can be used to allow access to the NAT IP
address and port from any other external host, such as Server2. Finally, a packet sent from Server2 to the NAT IP address
and port is forwarded to Client1.

To configure and check the full cone IP pool:

1. Create an IP pool with full cone NAT:
config firewall ippool
    edit "test-new-fpr-ippool-1"
        set type fixed-port-range
        set startip 172.16.201.3
        set endip 172.16.201.4
        set startport 1024
        set endport 1087
        set source-startip 10.1.100.41
        set source-endip 10.1.100.42
        set port-per-user 64
        set permit-any-host enable
        set comments "test"
    next
end

2. Use the IP pool with full cone NAT in a policy:
config firewall policy
    edit 7
        set name "policy-fpr-ippool"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
        set ippool enable
        set poolname "test-new-fpr-ippool-1"
    next
end

3. Check the session list:
# diagnose sys session list
session info: proto=17 proto_state=00 duration=65 expire=175 timeout=0 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=58/2/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.41:20041->172.16.200.155:2156(172.16.201.3:1033)
hook=pre dir=reply act=dnat 172.16.200.155:2156->172.16.201.3:1033(10.1.100.41:20041)
misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy
total session: 1

4. Check the expectation session list:
# diagnose sys session list expectation
session info: proto=17 proto_state=00 duration=74 expire=-44 timeout=0 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=new log f31
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=8->7/7->8 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.1.100.41:0->172.16.201.3:1033(10.1.100.41:0)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: new disabled-by-policy

session info: proto=17 proto_state=00 duration=74 expire=-44 timeout=0 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=1 tunnel=/ vlan_cos=255/255
state=new log f31
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->8/8->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 0.0.0.0:0->172.16.201.3:1033(10.1.100.41:20041)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: new disabled-by-policy

5. Check that the packet sent from Server2 to the NAT IP address and port number is forwarded to Client1:
# diagnose sniffer packet any 'udp and port 1033 or 20041' 4
interfaces=[any]
filters=[udp and port 1033 or 20041]
12.001145 port1 in 172.16.200.55.4155 -> 172.16.201.3.1033: udp 4
12.001180 port2 out 172.16.200.55.4155 -> 10.1.100.41.20041: udp 4

2 packets received by filter
0 packets dropped by kernel
# diagnose sys session list
session info: proto=17 proto_state=00 duration=234 expire=1734 timeout=0 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=1 tunnel=/ vlan_cos=255/255
state=log intree
statistic(bytes/packets/allow_err): org=32/1/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=7->8/8->7 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 172.16.200.55:4155->172.16.201.3:1033(10.1.100.41:20041)
hook=post dir=reply act=snat 10.1.100.41:20041->172.16.200.55:4155(172.16.201.3:1033)
misc=0 policy_id=7 pol_uuid_idx=8173 auth_info=0 chk_client_info=0 vd=0
serial=0001fb57 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy

Custom port ranges for PBA and FPR IP pools

This information is also available in the FortiOS 7.6 Administration Guide:
• Dynamic SNAT

Administrators can now configure custom port ranges from 1024 to 65535 for the port block allocation (PBA) and fixed
port range (FPR) types of IP pools, enhancing control and adaptability in network configuration.
The config firewall ippool command includes new options:
config firewall ippool
    edit <ID>
        set type {fixed-port-range | port-block-allocation}
        set startport <integer>
        set endport <integer>
    next
end

set type {fixed-port-range | port-block-allocation}
    Specify the type of IP pool:
    • fixed-port-range: Configure a fixed port range.
    • port-block-allocation: Configure a port block allocation.
set startport <integer>
    First port number (inclusive) in the range for the address pool (1024 - 65535, default = 5117).
    Available when type is set to fixed-port-range or port-block-allocation.
set endport <integer>
    Final port number (inclusive) in the range for the address pool (1024 - 65535, default = 65533).
    Available when type is set to fixed-port-range or port-block-allocation.

To configure custom port ranges for IP pools in the GUI:

1. Go to Policy & Objects > IP Pools and click Create New.
2. Perform one of the following actions:
   • Set Type to Port Block Allocation. The Start port and End port options are displayed.
   • Set Type to Fixed Port Range. The Start port and End port options are displayed.
3. Click OK.

To configure custom port ranges for IP pools in the CLI:

1. Configure a custom port range for PBA:
config firewall ippool
    edit "test-pba-ippool-1"
        set type port-block-allocation
        set startip 172.16.201.1
        set endip 172.16.201.2
        set startport 1024
        set endport 1087
        set block-size 64
        set num-blocks-per-user 1
    next
end

2. Select the port range configuration in a firewall policy:
config firewall policy
    edit 98
        set name "98"
        set uuid a1e18036-125e-51ef-0dac-1f158a17db1d
        set srcintf "port7"
        set dstintf "port1"
        set action accept
        set srcaddr "10-1-100-0"
        set dstaddr "172-16-200-0"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
        set ippool enable
        set poolname "test-pba-ippool-1"
    next
end
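To see how the port range, block size and address ranges of these pools combine, here is an added example (not FortiOS code) that computes how many port blocks a PBA or FPR pool can hand out and flags settings outside the 1024 - 65535 range given in the option table above. It is fed the FPR pool from the full cone NAT section and the PBA pool configured in this section. The IpPool fields mirror the CLI options on the page; the capacity rules (one fixed block per internal host for FPR, num-blocks-per-user blocks per active user for PBA) and the function names are this example's own reading of the page, not a FortiOS API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not FortiOS code): capacity and range checks for FPR / PBA IP pools.


@dataclass
class IpPool:
    """Mirrors the config firewall ippool options used on this page (example's own type)."""
    name: str
    type: str                              # "fixed-port-range" or "port-block-allocation"
    startip: str
    endip: str
    startport: int = 5117                  # FortiOS defaults from the option table above
    endport: int = 65533
    block_size: int = 64                   # PBA block-size, or FPR port-per-user
    num_blocks_per_user: int = 1           # PBA only
    source_startip: Optional[str] = None   # FPR only
    source_endip: Optional[str] = None


def _hosts(start, end):
    """Number of addresses in an inclusive IPv4 range."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def check_pool(pool):
    """Capacity figures for the pool plus a list of problems (empty when the settings are consistent)."""
    problems = []
    if pool.type not in ("fixed-port-range", "port-block-allocation"):
        problems.append("startport/endport apply only to FPR and PBA pools")
    for label, port in (("startport", pool.startport), ("endport", pool.endport)):
        if not 1024 <= port <= 65535:
            problems.append(f"{label}={port} is outside 1024-65535")
    if pool.endport < pool.startport:
        problems.append("endport is lower than startport")
    ports = max(0, pool.endport - pool.startport + 1)
    ext_ips = _hosts(pool.startip, pool.endip)
    result = {
        "external_ips": ext_ips,
        "ports_per_ip": ports,
        "blocks": ext_ips * (ports // pool.block_size),
        "unused_ports_per_ip": ports % pool.block_size,   # left over, not an error
        "problems": problems,
    }
    if pool.type == "fixed-port-range":
        # Every internal host in the source range owns one fixed block for its lifetime.
        if not (pool.source_startip and pool.source_endip):
            problems.append("FPR pools need source-startip and source-endip")
        else:
            hosts = _hosts(pool.source_startip, pool.source_endip)
            result["internal_hosts"] = hosts
            if hosts > result["blocks"]:
                problems.append(f"{hosts} internal hosts but only {result['blocks']} fixed port blocks")
    elif pool.type == "port-block-allocation":
        # Blocks are leased on demand; this is how many users can hold blocks at once.
        result["max_concurrent_users"] = result["blocks"] // pool.num_blocks_per_user
    return result


# The two pools configured on this page.
FPR_POOL = IpPool("test-new-fpr-ippool-1", "fixed-port-range", "172.16.201.3", "172.16.201.4",
                  startport=1024, endport=1087, block_size=64,
                  source_startip="10.1.100.41", source_endip="10.1.100.42")
PBA_POOL = IpPool("test-pba-ippool-1", "port-block-allocation", "172.16.201.1", "172.16.201.2",
                  startport=1024, endport=1087, block_size=64, num_blocks_per_user=1)

if __name__ == "__main__":
    for pool in (FPR_POOL, PBA_POOL):
        print(pool.name, check_pool(pool))
```

For both pools the 64-port range 1024 - 1087 on two external addresses yields two blocks, which matches the two source hosts of the FPR pool; widening the source range without widening the port range or address range is reported as a problem before it shows up as failed translations in the session table.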

HTTP transaction logging

This information is also available in the FortiOS 7.6 Administration Guide:
• Explicit proxy logging

HTTP transaction details are logged in a new type of traffic log when HTTP traffic is routed through a proxy. This ensures
comprehensive logging of HTTP interactions for improved monitoring and analysis.
After an HTTP transaction is proxied through the FortiGate, traffic logs of the http-transaction subtype are generated in
addition to the forward subtype log. HTTP transaction logs are based on each transaction, such as an HTTP request and
response pair. When there are multiple HTTP transactions completed over the TCP connection there will be multiple
http-transaction logs and only one forward traffic log.
HTTP transaction logging can be enabled in explicit-web proxy, transparent-web proxy, access-proxy, and proxy-mode
firewall policies.
config firewall proxy-policy
    edit 1
        set proxy {explicit-web | transparent-web | access-proxy}
        set logtraffic {utm | all}
        set log-http-transaction {enable | disable}
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set logtraffic {utm | all}
        set log-http-transaction {enable | disable}
    next
end

Log examples

One http-transaction log is generated for each HTTP transaction. A TCP connection can have multiple HTTP
transactions, so there can be multiple http-transaction logs for one forward traffic log.
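Because one TCP session can fan out into several http-transaction records, an analyst usually wants them re-joined. The following is an added example, not FortiOS code: a parser for the key=value log format shown in the listings below and a correlation step that groups http-transaction records under their forward log by sessionid and attaches UTM records to a transaction by sessionid and transid. The sample lines are abridged from the explicit-web proxy listing that follows (fields the example does not use were removed); function names are the example's own.

```python
import re

# Added example (not FortiOS code): parse FortiOS key=value logs and correlate
# http-transaction records with their forward log and their UTM logs.

_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
_PREFIX = re.compile(r'^\s*\d+:\s*')   # the "1: " numbering FortiOS prints in listings


def parse_fortios_log(line):
    """Return the key=value fields of one log line; quoted values lose their quotes."""
    fields = {}
    for key, value in _FIELD.findall(_PREFIX.sub("", line, count=1)):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def correlate(lines):
    """Group records by sessionid: {"forward": forward traffic log,
    "transactions": [http-transaction logs]}. UTM logs that carry a transid are
    attached to that transaction under the "utm" key."""
    sessions, utm_by_txn = {}, {}
    for line in lines:
        rec = parse_fortios_log(line)
        sid = rec.get("sessionid")
        if sid is None:
            continue
        if rec.get("type") == "utm":
            if "transid" in rec:
                utm_by_txn.setdefault((sid, rec["transid"]), []).append(rec)
            continue
        entry = sessions.setdefault(sid, {"forward": None, "transactions": []})
        if rec.get("subtype") == "http-transaction":
            entry["transactions"].append(rec)
        elif rec.get("type") == "traffic":
            entry["forward"] = rec
    for entry in sessions.values():
        for txn in entry["transactions"]:
            txn["utm"] = utm_by_txn.get((txn["sessionid"], txn.get("transid")), [])
    return sessions


def blocked_transactions(sessions):
    """(sessionid, transid, url, statuscode, [virus names]) for every transaction a UTM
    profile blocked, so a 403 served by the proxy is not mistaken for a server response."""
    hits = []
    for sid, entry in sessions.items():
        for txn in entry["transactions"]:
            if txn.get("utmaction") == "block":
                viruses = [u["virus"] for u in txn["utm"] if "virus" in u]
                hits.append((sid, txn.get("transid"), txn.get("url"), txn.get("statuscode"), viruses))
    return hits


# Sample lines abridged from the explicit-web proxy listing on this page.
SAMPLE_LOGS = [
    '1: date=2024-05-21 time=20:06:17 logid="0000000010" type="traffic" subtype="forward" '
    'vd="vdom1" srcip=10.1.100.11 srcport=42694 dstip=172.16.200.44 dstport=80 '
    'sessionid=316483733 service="HTTP" action="accept" policyid=1 policytype="proxy-policy" '
    'utmaction="block" countav=1 utmref=65515-14',
    '2: date=2024-05-21 time=20:06:17 logid="0006000026" type="traffic" subtype="http-transaction" '
    'vd="vdom1" srcip=10.1.100.11 srcport=42694 dstip=172.16.200.44 dstport=80 sessionid=316483733 '
    'transid=50331679 url="http://172.16.200.44/eicar.com" agent="curl/7.68.0" '
    'httpmethod="GET" statuscode="403" utmaction="block" countav=1 utmref=65515-0',
    '3: date=2024-05-21 time=20:06:06 logid="0006000026" type="traffic" subtype="http-transaction" '
    'vd="vdom1" srcip=10.1.100.11 srcport=42694 dstip=172.16.200.44 dstport=80 sessionid=316483733 '
    'transid=50331678 url="http://172.16.200.44/" agent="curl/7.68.0" '
    'httpmethod="GET" statuscode="200" appcat="unscanned"',
    '1: date=2024-05-21 time=20:06:17 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" vd="vdom1" policyid=1 msg="File is infected." action="blocked" '
    'service="HTTP" sessionid=316483733 transid=50331679 filename="eicar.com" '
    'virus="EICAR_TEST_FILE" url="http://172.16.200.44/eicar.com" httpmethod="GET"',
]

if __name__ == "__main__":
    sessions = correlate(SAMPLE_LOGS)
    for sid, entry in sessions.items():
        print(sid, "forward:", entry["forward"]["utmaction"], "transactions:", len(entry["transactions"]))
    print(blocked_transactions(sessions))
```

On the sample, session 316483733 carries one forward log and two transactions; only transaction 50331679 (the eicar.com request) is reported as blocked, with the EICAR_TEST_FILE virus log attached through the shared sessionid and transid. The utmref field remains the authoritative link FortiOS uses; the (sessionid, transid) join is what you would use on an export where the log index is not available.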

• Explicit-web proxy logs:
In the http-transaction logs (logs 2 and 3), transaction information such as httpmethod and statuscode is
recorded.
1: date=2024-05-21 time=20:06:17 eventtime=1716347177537010993 tz="-0700"
logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=42694 srcintf="port1" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.44 dstport=80
dstintf="port3" dstintfrole="undefined" sessionid=316483733 service="HTTP"
proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy"
poluuid="1e1e0b2e-14c1-51ef-7b4c-6b789be487f2" trandisp="snat" transip=172.16.200.8
transport=12204 duration=30 wanin=760 rcvdbyte=760 wanout=211 lanin=163 sentbyte=163
lanout=36194 appcat="unscanned" utmaction="block" countav=1 utmref=65515-14
2: date=2024-05-21 time=20:06:17 eventtime=1716347177536946272 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=42694 dstip=172.16.200.44 dstport=80 sessionid=316483733
transid=50331679 action="accept" policyid=1 policytype="proxy-policy" poluuid="1e1e0b2e-
14c1-51ef-7b4c-6b789be487f2" url="http://172.16.200.44/eicar.com" agent="curl/7.68.0"
duration=0 reqlength=86 resplength=392 rcvdbyte=760 sentbyte=163 scheme="http"
hostname="172.16.200.44" resptype="cached" httpmethod="GET" statuscode="403"
reqtime=1716347177 resptime=0 respfinishtime=1716347177 appcat="unscanned"
utmaction="block" countav=1 utmref=65515-0
3: date=2024-05-21 time=20:06:06 eventtime=1716347166400042072 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=42694 dstip=172.16.200.44 dstport=80 sessionid=316483733
transid=50331678 action="accept" policyid=1 policytype="proxy-policy" poluuid="1e1e0b2e-
14c1-51ef-7b4c-6b789be487f2" url="http://172.16.200.44/" agent="curl/7.68.0" duration=0
reqlength=77 resplength=368 rcvdbyte=368 sentbyte=77 scheme="http"
hostname="172.16.200.44" resptype="normal" httpmethod="GET" statuscode="200"
reqtime=1716347166 resptime=1716347166 respfinishtime=1716347166 appcat="unscanned"

When the EICAR test file in the response is blocked by utm-av, utmref information referring to the corresponding
utm-av log is included:
# execute log detail 2 "65515-0"
1 logs found.
1 logs returned.
1: date=2024-05-21 time=20:06:17 eventtime=1716347177536848145 tz="-0700"
logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning"
vd="vdom1" policyid=1 poluuid="1e1e0b2e-14c1-51ef-7b4c-6b789be487f2" policytype="proxy-
policy" msg="File is infected." action="blocked" service="HTTP" sessionid=316483733
transid=50331679 srcip=10.1.100.11 dstip=172.16.200.44 srcport=42694 dstport=80
srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined"
dstintf="port3" dstintfrole="undefined" proto=6 direction="incoming"
filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE"
viruscat="Virus" dtype="av-engine" itype="infected"
ref="https://fortiguard.com/encyclopedia/virus/2172" virusid=2172
url="http://172.16.200.44/eicar.com" profile="av" agent="curl/7.68.0" httpmethod="GET"
analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

• Forward traffic log and http-transaction logs for transparent-web proxy policy, access-proxy proxy policy, and proxy-mode
firewall policy:
  • Transparent-web proxy policy:
1: date=2024-05-23 time=23:22:36 eventtime=1716531756508124889 tz="-0700"
logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=34326 srcintf="port1" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.44 dstport=443
dstintf="port3" dstintfrole="undefined" sessionid=90954 service="HTTPS"
proxyapptype="web-proxy" proto=6 action="accept" policyid=2 policytype="proxy-policy"
poluuid="1f986ef4-14c1-51ef-7d4f-fd482cefde73" trandisp="snat" transip=172.16.200.8
transport=34326 duration=0 wanin=3051 rcvdbyte=3051 wanout=618 lanin=842 sentbyte=842
lanout=4551 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium"
utmaction="allow" countssl=2 utmref=65516-0
2: date=2024-05-23 time=23:22:36 eventtime=1716531756507534974 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice"
vd="vdom1" srcip=10.1.100.11 srcport=34326 dstip=172.16.200.44 dstport=443
sessionid=90954 transid=50331679 srcuuid="bdba900e-14c0-51ef-1328-c1b8329857ef"
dstuuid="bdba900e-14c0-51ef-1328-c1b8329857ef" action="accept" policyid=2
policytype="proxy-policy" poluuid="1f986ef4-14c1-51ef-7d4f-fd482cefde73"
url="https://172.16.200.44/" agent="curl/7.68.0" duration=0 reqlength=38
resplength=185 rcvdbyte=3051 sentbyte=787 scheme="https" hostname="172.16.200.44"
resptype="normal" httpmethod="GET" statuscode="200" reqtime=1716531756
resptime=1716531756 respfinishtime=1716531756 appcat="unscanned"

  • Access-proxy proxy policy:
1: date=2024-05-23 time=23:24:10 eventtime=1716531850437771247 tz="-0700"
logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=51076 srcintf="port1" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.44 dstport=443
dstintf="port3" dstintfrole="undefined" sessionid=91243 service="HTTPS"
proxyapptype="http" proto=6 action="accept" policyid=3 policytype="proxy-policy"
poluuid="2853b1ba-195e-51ef-2e7c-93b136b9505a" duration=0 gatewayid=1 realserverid=1
vip="vip-ztna" accessproxy="ztna" clientdevicemanageable="unknown" clientcert="no"
wanin=2981 rcvdbyte=2981 wanout=712 lanin=824 sentbyte=824 lanout=2000
appcat="unscanned"
2: date=2024-05-23 time=23:24:10 eventtime=1716531850436959338 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice"
vd="vdom1" srcip=10.1.100.11 srcport=51076 dstip=172.16.200.44 dstport=443
sessionid=91243 transid=50331680 srcuuid="bdba900e-14c0-51ef-1328-c1b8329857ef"
action="accept" policyid=3 policytype="proxy-policy" poluuid="2853b1ba-195e-51ef-
2e7c-93b136b9505a" url="https://a.ftnt.com/" agent="curl/7.68.0" duration=0
reqlength=36 resplength=185 rcvdbyte=2981 sentbyte=800 scheme="https"
hostname="a.ftnt.com" resptype="normal" httpmethod="GET" statuscode="200"
reqtime=1716531850 resptime=1716531850 respfinishtime=1716531850 appcat="unscanned"

  • Proxy-mode firewall policy:
1: date=2024-05-23 time=23:32:11 eventtime=1716532331148593220 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=49424 srcintf="port1" srcintfrole="undefined"
dstip=172.16.200.44 dstport=443 dstintf="port3" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=92757 proto=6 action="close"
policyid=1 policytype="policy" poluuid="1ab9cbbc-14c1-51ef-55cd-4b90ff9a117a"
service="HTTPS" trandisp="snat" transip=172.16.200.8 transport=49424 duration=1
sentbyte=1406 rcvdbyte=5235 sentpkt=15 rcvdpkt=13 appcat="unscanned" wanin=3051
wanout=618 lanin=842 lanout=4551 utmaction="allow" countssl=2 utmref=65511-0

2: date=2024-05-23 time=23:32:10 eventtime=1716532330081764186 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice"
vd="vdom1" srcip=10.1.100.11 srcport=49424 dstip=172.16.200.44 dstport=443
sessionid=92757 transid=50331681 srcuuid="bdba900e-14c0-51ef-1328-c1b8329857ef"
dstuuid="bdba900e-14c0-51ef-1328-c1b8329857ef" action="pending" policyid=1
policytype="policy" poluuid="1ab9cbbc-14c1-51ef-55cd-4b90ff9a117a"
url="https://172.16.200.44/" duration=0 reqlength=38 resplength=185 rcvdbyte=3051
sentbyte=787 scheme="https" hostname="172.16.200.44" resptype="normal"
reqtime=1716532330 resptime=1716532330 respfinishtime=1716532330 appcat="unscanned"

For HTTPS with explicit-web proxy, an additional http-transaction log is generated for each CONNECT request and
response pair:
3: date=2024-05-21 time=20:34:44 eventtime=1716348884524284243 tz="-0700" logid="0006000026"
type="traffic" subtype="http-transaction" level="notice" vd="vdom1" srcip=10.1.100.11
srcport=46030 dstip=172.16.200.44 dstport=443 sessionid=316483736 transid=50331683
action="accept" policyid=1 policytype="proxy-policy" poluuid="1e1e0b2e-14c1-51ef-7b4c-
6b789be487f2" url="https://172.16.200.44/" agent="curl/7.68.0" duration=0 reqlength=118
resplength=0 rcvdbyte=0 sentbyte=118 scheme="https" hostname="172.16.200.44"
resptype="generated" httpmethod="CONNECT" statuscode="200" reqtime=1716348884 resptime=0
respfinishtime=1716348884 appcat="unscanned"

For HTTPS with certificate-inspection or no inspection, there is only one http-transaction log for each TCP connection
because the encrypted HTTP messages are not decrypted:
• Firewall policy:
2: date=2024-05-23 time=21:38:56 eventtime=1716525535340969183 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=46462 dstip=172.16.200.44 dstport=443 sessionid=70593
transid=1 srcuuid="bdba900e-14c0-51ef-1328-c1b8329857ef" dstuuid="bdba900e-14c0-51ef-
1328-c1b8329857ef" policyid=1 policytype="policy" poluuid="1ab9cbbc-14c1-51ef-55cd-
4b90ff9a117a" url="172.16.200.44" duration=0 reqlength=842 resplength=3100 rcvdbyte=3100
sentbyte=842 scheme="https" hostname="172.16.200.44" resptype="N/A" reqtime=1716525535
resptime=1716525535 respfinishtime=1716525535 appcat="unscanned"

• Explicit-web proxy policy:
2: date=2024-05-23 time=21:36:18 eventtime=1716525378802239534 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=56986 dstip=172.16.200.44 dstport=443 sessionid=1369348242
transid=50331673 action="accept" policyid=1 policytype="proxy-policy" poluuid="1e1e0b2e-
14c1-51ef-7b4c-6b789be487f2" url="https://172.16.200.44/" agent="curl/7.68.0" duration=0
reqlength=118 resplength=0 rcvdbyte=0 sentbyte=118 scheme="https"
hostname="172.16.200.44" resptype="generated" httpmethod="CONNECT" statuscode="200"
reqtime=1716525378 resptime=0 respfinishtime=1716525378 appcat="unscanned"

For SOCKS proxy, there is one http-transaction log for each HTTP transaction per TCP connection:
1: date=2024-05-23 time=22:50:34 eventtime=1716529833463518327 tz="-0700" logid="0006000026"
type="traffic" subtype="http-transaction" level="notice" vd="vdom1" srcip=10.1.100.143
srcport=63744 dstip=34.107.221.82 dstport=80 sessionid=1369348358 transid=117441403
srcuuid="bdba900e-14c0-51ef-1328-c1b8329857ef" dstuuid="bdba900e-14c0-51ef-1328-
c1b8329857ef" action="pending" policyid=1 policytype="proxy-policy" poluuid="1e1e0b2e-14c1-
51ef-7b4c-6b789be487f2" url="http://detectportal.firefox.com/success.txt?ipv4"
agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
duration=0 reqlength=305 resplength=216 rcvdbyte=7128 sentbyte=20143 scheme="http"
hostname="detectportal.firefox.com" resptype="normal" httpmethod="GET" statuscode="200"
reqtime=1716529833 resptime=1716529833 respfinishtime=1716529833 appcat="unscanned"

2: date=2024-05-23 time=22:49:40 eventtime=1716529779381260298 tz="-0700" logid="0000000010"
type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.143 srcport=63842
srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved"
dstip=172.16.200.44 dstport=80 dstintf="port3" dstintfrole="undefined" sessionid=1369348430
service="webproxy" proxyapptype="web-proxy" proto=6 action="accept" policyid=1
policytype="proxy-policy" poluuid="1e1e0b2e-14c1-51ef-7b4c-6b789be487f2" trandisp="snat"
transip=172.16.200.8 transport=16135 duration=0 wanin=392 rcvdbyte=392 wanout=356 lanin=725
sentbyte=725 lanout=71832 appcat="unscanned" utmaction="block" countav=1 utmref=65517-14
3: date=2024-05-23 time=22:49:40 eventtime=1716529779381204800 tz="-0700" logid="0006000026"
type="traffic" subtype="http-transaction" level="notice" vd="vdom1" srcip=10.1.100.143
srcport=63842 dstip=172.16.200.44 dstport=80 sessionid=1369348430 transid=117441401
srcuuid="bdba900e-14c0-51ef-1328-c1b8329857ef" dstuuid="bdba900e-14c0-51ef-1328-
c1b8329857ef" action="pending" policyid=1 policytype="proxy-policy" poluuid="1e1e0b2e-14c1-
51ef-7b4c-6b789be487f2" url="http://172.16.200.44/eicar.com" agent="Mozilla/5.0 (Windows NT
10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" duration=0 reqlength=356
resplength=392 rcvdbyte=392 sentbyte=725 scheme="http" hostname="172.16.200.44"
resptype="cached" httpmethod="GET" statuscode="403" reqtime=1716529779 resptime=0
respfinishtime=1716529779 appcat="unscanned" utmaction="block" countav=1 utmref=65517-0

UTM logs that do not belong to an HTTP transaction are only associated with the forward traffic log, and not the http-transaction log. In the following logs, only the forward traffic log is associated with the utm-ssl log by the utmref:
l forward traffic log:
1: date=2024-05-23 time=22:01:43 eventtime=1716526903039789335 tz="-0700"
logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=57928 srcintf="port1" srcintfrole="undefined"
dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.44 dstport=443
dstintf="port3" dstintfrole="undefined" sessionid=1369348243 service="HTTPS"
proxyapptype="web-proxy" proto=6 action="accept" policyid=1 policytype="proxy-policy"
poluuid="1e1e0b2e-14c1-51ef-7b4c-6b789be487f2" trandisp="snat" transip=172.16.200.8
transport=1837 duration=0 wanin=3051 rcvdbyte=3051 wanout=618 lanin=960 sentbyte=960
lanout=4623 appcat="unscanned" utmaction="allow" countssl=2 utmref=65523-0

l http-transaction logs:
2: date=2024-05-23 time=22:01:43 eventtime=1716526903038941661 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=57928 dstip=172.16.200.44 dstport=443 sessionid=1369348243
transid=50331675 action="accept" policyid=1 policytype="proxy-policy"
poluuid="1e1e0b2e-14c1-51ef-7b4c-6b789be487f2" url="https://172.16.200.44/" agent="curl/7.68.0" duration=0
reqlength=38 resplength=185 rcvdbyte=3051 sentbyte=936 scheme="https"
hostname="172.16.200.44" resptype="normal" httpmethod="GET" statuscode="200"
reqtime=1716526903 resptime=1716526903 respfinishtime=1716526903 appcat="unscanned"
3: date=2024-05-23 time=22:01:43 eventtime=1716526903015933382 tz="-0700"
logid="0006000026" type="traffic" subtype="http-transaction" level="notice" vd="vdom1"
srcip=10.1.100.11 srcport=57928 dstip=172.16.200.44 dstport=443 sessionid=1369348243
transid=50331674 action="accept" policyid=1 policytype="proxy-policy"
poluuid="1e1e0b2e-14c1-51ef-7b4c-6b789be487f2" url="https://172.16.200.44/" agent="curl/7.68.0" duration=0
reqlength=118 resplength=0 rcvdbyte=0 sentbyte=118 scheme="https"
hostname="172.16.200.44" resptype="generated" httpmethod="CONNECT" statuscode="200"
reqtime=1716526903 resptime=0 respfinishtime=1716526903 appcat="unscanned"
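As an added example (not from the guide), the following Python groups these FortiOS traffic records by sessionid and reports where the utmref sits: only on the forward record (a session-level UTM event such as utm-ssl, as in the logs just above) or on an http-transaction record (the blocked eicar.com request). The sample lines are constructed, trimmed copies of the records shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the records shown above (fields removed,
# values unchanged).  One proxied HTTPS session (forward log + CONNECT and GET
# transactions) and one HTTP session whose GET was blocked by antivirus.
SAMPLE_LOGS = """\
date=2024-05-23 time=22:01:43 logid="0000000010" type="traffic" subtype="forward" vd="vdom1" srcip=10.1.100.11 srcport=57928 dstip=172.16.200.44 dstport=443 sessionid=1369348243 service="HTTPS" action="accept" utmaction="allow" countssl=2 utmref=65523-0
date=2024-05-23 time=22:01:43 logid="0006000026" type="traffic" subtype="http-transaction" vd="vdom1" srcip=10.1.100.11 srcport=57928 dstip=172.16.200.44 dstport=443 sessionid=1369348243 transid=50331675 action="accept" url="https://172.16.200.44/" agent="curl/7.68.0" httpmethod="GET" statuscode="200"
date=2024-05-23 time=22:01:43 logid="0006000026" type="traffic" subtype="http-transaction" vd="vdom1" srcip=10.1.100.11 srcport=57928 dstip=172.16.200.44 dstport=443 sessionid=1369348243 transid=50331674 action="accept" url="https://172.16.200.44/" agent="curl/7.68.0" httpmethod="CONNECT" statuscode="200"
date=2024-05-23 time=22:49:40 logid="0000000010" type="traffic" subtype="forward" vd="vdom1" srcip=10.1.100.143 srcport=63842 dstip=172.16.200.44 dstport=80 sessionid=1369348430 service="webproxy" action="accept" utmaction="block" countav=1 utmref=65517-14
date=2024-05-23 time=22:49:40 logid="0006000026" type="traffic" subtype="http-transaction" vd="vdom1" srcip=10.1.100.143 srcport=63842 dstip=172.16.200.44 dstport=80 sessionid=1369348430 transid=117441401 action="pending" url="http://172.16.200.44/eicar.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" httpmethod="GET" statuscode="403" utmaction="block" countav=1 utmref=65517-0
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, stripping the quotes."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def group_by_session(lines):
    """Group traffic records by sessionid: one forward record plus zero or more
    http-transaction records (the transaction records share the session's 5-tuple)."""
    sessions = defaultdict(lambda: {"forward": None, "transactions": []})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_fortios_log(line)
        if rec.get("type") != "traffic" or "sessionid" not in rec:
            continue
        bucket = sessions[rec["sessionid"]]
        if rec.get("subtype") == "forward":
            bucket["forward"] = rec
        elif rec.get("subtype") == "http-transaction":
            bucket["transactions"].append(rec)
    return dict(sessions)


def utm_references(session):
    """Where the utmref that links to a UTM log sits for one session.

    A utmref only on the forward record means the UTM event (utm-ssl here) belongs
    to the session, not to a single request; a utmref on an http-transaction record
    identifies the exact request (transid) that triggered the UTM verdict."""
    fwd = session["forward"]
    return {
        "forward": fwd.get("utmref") if fwd else None,
        "transactions": {t["transid"]: t["utmref"]
                         for t in session["transactions"] if "utmref" in t},
    }


def blocked_transactions(sessions):
    """(sessionid, transid, url, statuscode) for every request a UTM profile blocked."""
    hits = []
    for sid, sess in sessions.items():
        for t in sess["transactions"]:
            if t.get("utmaction") == "block":
                hits.append((sid, t["transid"], t.get("url"), t.get("statuscode")))
    return hits


if __name__ == "__main__":
    sessions = group_by_session(SAMPLE_LOGS.splitlines())
    for sid, sess in sessions.items():
        print(sid, utm_references(sess))
    print(blocked_transactions(sessions))
```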


Support for NAT64 in FPR IP pools

This information is also available in the FortiOS 7.6 Administration Guide:

l Dynamic SNAT

Support for NAT64 has been added to the fixed port range (FPR) type of IP pool, enabling the configuration of internal
IPv6 ranges in the NAT64 FPR IP pool. This addition is significant because it allows for prefix-based restrictions, which
provides greater control and security over network traffic management.
The config firewall ippool command includes new options when type is set to fixed-port-range and nat64 is enabled:
config firewall ippool
edit 1
set type fixed-port-range
set nat64 enable
set source-prefix6 <IPv6 network>
set client-prefix-length <integer>
...
next
end

set source-prefix6 <IPv6 network>     Source IPv6 network to be translated (format = xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx, default = ::/0).
set client-prefix-length <integer>    Subnet length of a single deterministic NAT64 client (1 - 128, default = 64).

To configure NAT64 FPR IP pools in the GUI:

1. Go to Policy & Objects > IP Pools.
2. Select the IP Pool tab and click Create New.
3. Set the following options:

Name Enter a name.

Type Select Fixed Port Range.

External IP Range Enter the IP address range.

NAT64 Enable.

IPv6 Source Prefix Enter the source IPv6 network to be translated.

Custom IPv6 Prefix Length Enter the subnet length of a single deterministic NAT64 client.


4. Set the remaining options as needed and click OK.

Example

In this example, an FPR type of IP pool is created with source-prefix6 set to 2000:10:1:100::/64 and client-prefix-length set to 68. The start and end NAT IPv4 range is 172.16.202.0-172.16.202.3. The IP pool is applied to a firewall policy. After traffic passes through the firewall policy, the IP translation is verified.

To configure NAT64 FPR IP pools in the CLI:

1. Create an IP pool:
config firewall ippool
edit "test-new-fpr64-ippool"
set type fixed-port-range
set startip 172.16.202.0
set endip 172.16.202.3
set startport 1024
set endport 65535
set nat64 enable
set source-prefix6 2000:10:1:100::/64
set client-prefix-length 68
set tcp-session-quota 20
set udp-session-quota 20
set icmp-session-quota 10
next
end

2. Add the IP pool to a firewall policy:
config firewall policy
edit 4
set name "nat64-policy"
set uuid c9b1860e-faf0-51ee-06af-d6dd3e02da3a
set srcintf "port2"
set dstintf "port1"
set action accept
set nat64 enable
set srcaddr "all"
set dstaddr "all"
set srcaddr6 "all"
set dstaddr6 "test-vip64-1"
set schedule "always"
set service "ALL"
set logtraffic all
set auto-asic-offload disable
set ippool enable
set poolname "test-new-fpr64-ippool"
next
end

3. View the table of addresses:


# diagnose firewall ippool-fixed-range list natip 172.16.202.0-172.16.202.3
ippool name=test-new-fpr64-ippool, ip shared num=4, port num=16128
internal ip=2000:10:1:100::/68, nat ip=172.16.202.0, range=1024~17151
internal ip=2000:10:1:100:1000::/68, nat ip=172.16.202.0, range=17152~33279
internal ip=2000:10:1:100:2000::/68, nat ip=172.16.202.0, range=33280~49407
internal ip=2000:10:1:100:3000::/68, nat ip=172.16.202.0, range=49408~65535
internal ip=2000:10:1:100:4000::/68, nat ip=172.16.202.1, range=1024~17151
internal ip=2000:10:1:100:5000::/68, nat ip=172.16.202.1, range=17152~33279
internal ip=2000:10:1:100:6000::/68, nat ip=172.16.202.1, range=33280~49407
internal ip=2000:10:1:100:7000::/68, nat ip=172.16.202.1, range=49408~65535
internal ip=2000:10:1:100:8000::/68, nat ip=172.16.202.2, range=1024~17151
internal ip=2000:10:1:100:9000::/68, nat ip=172.16.202.2, range=17152~33279
internal ip=2000:10:1:100:a000::/68, nat ip=172.16.202.2, range=33280~49407
internal ip=2000:10:1:100:b000::/68, nat ip=172.16.202.2, range=49408~65535
internal ip=2000:10:1:100:c000::/68, nat ip=172.16.202.3, range=1024~17151
internal ip=2000:10:1:100:d000::/68, nat ip=172.16.202.3, range=17152~33279
internal ip=2000:10:1:100:e000::/68, nat ip=172.16.202.3, range=33280~49407
internal ip=2000:10:1:100:f000::/68, nat ip=172.16.202.3, range=49408~65535

4. Verify the translation:


a. Send a packet from the last internal IPv6 segment (2000:10:1:100:f000::41/68) through the firewall policy.
b. Check the session list.
In this example, the NAT IP address is 172.16.202.3, and the NAT port falls within the range 49408-65535,
which matches the output of the diagnose command.
# diagnose sys session list
session info: proto=6 proto_state=11 duration=104 expire=3495 timeout=3600 refresh_
dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty ndr f00
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=43->7/7->43 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.202.3:60833->172.16.200.155:2156(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.155:2156->172.16.202.3:60833(0.0.0.0:0)
peer=65:ff9b::ac10:c89b:2156->2000:10:1:100:f000::41:20041 naf=2
hook=pre dir=org act=dnat 2000:10:1:100:f000::41:20041->65:ff9b::ac10:c89b:2156
(65:ff9b::ac10:c89b:2156)
hook=post dir=reply act=snat 65:ff9b::ac10:c89b:2156->2000:10:1:100:f000::41:20041
(65:ff9b::ac10:c89b:2156)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4 pol_uuid_idx=8175 auth_info=0 chk_client_info=0 vd=0
serial=000014dd tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x001001 no_offload
no_ofld_reason: disabled-by-policy redir-to-ips
total session: 1
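As an added example (not from the guide), the following Python reproduces the deterministic NAT64 FPR mapping printed by the diagnose command above and checks an observed session against it. The arithmetic (client blocks divided evenly across the NAT IPs, and each IP's port range divided evenly across the blocks that share it) is inferred from that output, not taken from Fortinet's implementation.

```python
import ipaddress


def fpr_pool_parameters(source_prefix6, client_prefix_length, startip, endip,
                        startport=1024, endport=65535):
    """Return (client_blocks, clients_per_nat_ip, ports_per_client) for a NAT64
    fixed-port-range pool.  clients_per_nat_ip is what the diagnose output calls
    "ip shared num" and ports_per_client is its "port num".  The even division
    used here is an assumption inferred from that output."""
    net6 = ipaddress.IPv6Network(source_prefix6)
    if not net6.prefixlen <= client_prefix_length <= 128:
        raise ValueError("client-prefix-length must lie within the source prefix")
    client_blocks = 1 << (client_prefix_length - net6.prefixlen)
    first, last = ipaddress.IPv4Address(startip), ipaddress.IPv4Address(endip)
    nat_ips = int(last) - int(first) + 1
    if nat_ips <= 0 or client_blocks % nat_ips:
        raise ValueError("client blocks must divide evenly across the NAT IP range")
    clients_per_ip = client_blocks // nat_ips
    ports_per_client = (endport - startport + 1) // clients_per_ip
    return client_blocks, clients_per_ip, ports_per_client


def nat64_fpr_table(source_prefix6, client_prefix_length, startip, endip,
                    startport=1024, endport=65535):
    """Deterministic mapping: each /client_prefix_length block carved out of
    source_prefix6 gets one NAT IPv4 address and a fixed slice of the port range,
    in the order 'diagnose firewall ippool-fixed-range list' prints them."""
    net6 = ipaddress.IPv6Network(source_prefix6)
    client_blocks, clients_per_ip, ports_per_client = fpr_pool_parameters(
        source_prefix6, client_prefix_length, startip, endip, startport, endport)
    first = ipaddress.IPv4Address(startip)
    rows = []
    for i in range(client_blocks):
        block = ipaddress.IPv6Network(
            (int(net6.network_address) + (i << (128 - client_prefix_length)),
             client_prefix_length))
        nat_ip = first + i // clients_per_ip          # consecutive blocks share an IP
        port_lo = startport + (i % clients_per_ip) * ports_per_client
        rows.append((block, nat_ip, port_lo, port_lo + ports_per_client - 1))
    return rows


def lookup_translation(rows, internal_ip6):
    """(NAT IP, port_lo, port_hi) the pool must use for an internal IPv6 host."""
    addr = ipaddress.IPv6Address(internal_ip6)
    for block, nat_ip, lo, hi in rows:
        if addr in block:
            return nat_ip, lo, hi
    return None


def session_matches_pool(rows, internal_ip6, nat_ip, nat_port):
    """Audit check: does an observed (NAT IP, NAT port) from 'diagnose sys session
    list' agree with the deterministic assignment for internal_ip6?"""
    hit = lookup_translation(rows, internal_ip6)
    return hit is not None and str(hit[0]) == nat_ip and hit[1] <= nat_port <= hit[2]


if __name__ == "__main__":
    table = nat64_fpr_table("2000:10:1:100::/64", 68, "172.16.202.0", "172.16.202.3")
    for block, nat_ip, lo, hi in table:
        print(f"internal ip={block}, nat ip={nat_ip}, range={lo}~{hi}")
    # the session above: 2000:10:1:100:f000::41 translated to 172.16.202.3:60833
    print(session_matches_pool(table, "2000:10:1:100:f000::41", "172.16.202.3", 60833))
```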

Support for randomized port selection in IP pool mechanisms - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

l Dynamic SNAT

The current port block allocation (PBA) and fixed port range (FPR) IP pool mechanisms use a sequential port selection
algorithm, which assigns the next available non-conflicting port within the specified range. This enhancement introduces
an option for a randomized port selection algorithm, making the allocation process less predictable, which enhances
security.
The config firewall central-snat-map command includes a new option:
config firewall central-snat-map
edit 1
set port-preserve disable
set port-random {enable | disable}
next
end

The config firewall policy command includes a new option:


config firewall policy
edit 1
set port-preserve disable
set port-random {enable | disable}
next
end

set port-random {enable | disable}    Enable/disable random source port selection for source NAT (default = disable). Available when port-preserve is disabled.

In addition, the port-preserve option now supports firewall policies with NAT64/NAT46/NAT66 enabled. Previously
only NAT44 was supported.


The port-preserve and port-random options are mutually exclusive, and both support
firewall policies with NAT44/NAT64/NAT46/NAT66 enabled.

Example

In this example, an FPR type of IP pool is created to use the port range 5245-5372 for SNAT port allocation. A firewall policy is created with port-preserve disabled, port-random enabled, and the IP pool selected.
Packets are sent from the client through the firewall policy on the FortiGate to server1.

To enable randomized port selection in IP pools:

1. Create an FPR IP pool:


config firewall ippool
edit "test-nat44-fpr-1"
set type fixed-port-range
set startip 172.16.210.1
set endip 172.16.210.2
set source-startip 10.1.100.41
set source-endip 10.1.100.42
set port-per-user 128
next
end

2. Configure the firewall policy with port-preserve disabled, port-random enabled, and the IP pool selected:
config firewall policy
edit 44
set status disable
set name "nat44_policy"
set uuid a8d52dfe-8e71-51ef-0bc7-bf5e922f55b5
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "10-1-100-0"
set dstaddr "172-16-200-0"
set schedule "always"
set service "ALL"
set logtraffic all
set auto-asic-offload disable
set nat enable
set port-preserve disable
set port-random enable
set ippool enable
set poolname "test-nat44-fpr-1"
next
end


3. View the port range for the IP pool:


# diagnose firewall ippool-fixed-range list natip 172.16.210.1-172.16.210.2
ippool name=test-nat44-fpr-1, ip shared num=472, port num=128
internal ip=10.1.100.41, nat ip=172.16.210.1, range=5117~5244
internal ip=10.1.100.42, nat ip=172.16.210.1, range=5245~5372

4. Send traffic from the client to server1.


5. Sniff the packet to see that the port number is randomly selected from the range of 5245-5372.
The NATed port number of the first session is 5337:
# diagnose sniffer packet any 'tcp and port 80' 4
interfaces=[any]
filters=[tcp and port 80]
11.267309 port2 in 10.1.100.42.20042 -> 172.16.200.155.80: syn 3904040962
11.267733 port1 out 172.16.210.1.5337 -> 172.16.200.155.80: syn 3904040962
11.267954 port1 in 172.16.200.155.80 -> 172.16.210.1.5337: syn 858083650 ack 3904040963
11.268217 port2 out 172.16.200.155.80 -> 10.1.100.42.20042: syn 858083650 ack 3904040963
11.268430 port2 in 10.1.100.42.20042 -> 172.16.200.155.80: ack 858083651
11.268436 port1 out 172.16.210.1.5337 -> 172.16.200.155.80: ack 858083651^C
20 packets received by filter
0 packets dropped by kernel

The NATed port number of the second session is 5359:


# diagnose sniffer packet any 'tcp and port 80' 4
interfaces=[any]
filters=[tcp and port 80]
88.519476 port2 in 10.1.100.42.20042 -> 172.16.200.155.80: syn 816122695
88.519510 port1 out 172.16.210.1.5359 -> 172.16.200.155.80: syn 816122695
88.519901 port1 in 172.16.200.155.80 -> 172.16.210.1.5359: syn 2938166003 ack 816122696
88.519913 port2 out 172.16.200.155.80 -> 10.1.100.42.20042: syn 2938166003 ack 816122696
88.520162 port2 in 10.1.100.42.20042 -> 172.16.200.155.80: ack 2938166004
88.520168 port1 out 172.16.210.1.5359 -> 172.16.200.155.80: ack 2938166004^C
20 packets received by filter
0 packets dropped by kernel

Enhanced security with default local-in policy - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

l Local-in policy

A default local-in policy has been added with internet service source enabled for Malicious-Malicious.Server, Tor-Exit.Node, and Tor-Relay.Node ISDB sources. This policy is designed to utilize these three sources to identify known malicious threat actors and prevent them from accessing any interface on the FortiGate on any service and port.
The new default local-in policy is automatically added when a FortiGate is in factory default setting, or a new VDOM is created. Resetting your device to factory default settings is not recommended, so you can manually add the policy on FortiOS versions that support ISDB as a local-in policy source (7.4.4 and higher). See Local-In policy for details.


To manually add the policy:

config firewall local-in-policy
edit 1
set intf "any"
set dstaddr "all"
set internet-service-src enable
set internet-service-src-name "Malicious-Malicious.Server" "Tor-Exit.Node" "Tor-Relay.Node"
set service "ALL"
set schedule "always"
next
end

To view the malicious sources that are blocked:

1. Go to Policy & Objects > Internet Service Database and select the Internet Service tab.
2. Search for Malicious-Malicious.Server, Tor-Exit.Node, or Tor-Relay.Node.
3. Hover over the entry and, in the pop-up, click View/Edit Entries.
The listed addresses are the sources that will be blocked.

Example

In this example, the default local-in policy is used to protect the FortiGate management interface (port1) from large-scale, brute force attacks originating from various malicious networks.
The following steps will be completed:
1. Enable VDOMs
2. Configure a new VDOM
3. View the default local-in policy
4. Move the management interface to the newly created VDOM

Enable VDOMs

To enable VDOMs in the GUI:

1. Go to System > Settings.
2. In the System Operation Settings section, enable Virtual Domains.
3. Click OK.
You will be logged out of the device when the VDOM mode is enabled. Not all devices support enabling VDOMs using the GUI.

To enable VDOMs in the CLI:

config system global
set vdom-mode multi-vdom
end

You will be logged out of the device when the VDOM mode is enabled.


Configure a new VDOM

Most FortiGate devices support 10 VDOMs by default. Many models also support purchasing a license key to increase the maximum number of VDOMs. Some exceptions may apply.

To configure a VDOM in the GUI:

1. Go to System > VDOM.
2. Click Create New.
3. Enter a Virtual Domain name, such as mgmt, and set the Type to Traffic.
4. Click OK.
A pop-up warning appears; click OK to confirm.

To configure a VDOM in the CLI:

config vdom
edit mgmt
config system settings
set vdom-type traffic
end
next
end

View the default local-in policy

To view the local-in policy in the GUI:

1. In the mgmt VDOM, go to Policy & Objects > Local-In Policy. If Local-In-Policy is not visible in the tree menu, go to
System > Feature Visibility to enable it.

To view the local-in policy in the CLI:

# show firewall local-in-policy 1
config firewall local-in-policy
edit 1
set uuid 2ab7****-****...
set intf "any"
set dstaddr "all"
set internet-service-src enable
set internet-service-src-name "Malicious-Malicious.Server" "Tor-Exit.Node" "Tor-Relay.Node"
set service "ALL"
set schedule "always"
next
end

Assign interfaces to a VDOM

An interface can only be assigned to one VDOM, and cannot be moved if it is referenced in an existing configuration.

In the GUI, the interface list Ref. column shows if the interface is referenced in an existing
configuration and allows you to quickly access and edit those references.

To assign an interface to a VDOM in the GUI:

1. In the Global VDOM, go to Network > Interfaces.
2. Select the interface that will be assigned to a VDOM, such as port1, and click Edit.
3. Select the VDOM that the interface will be assigned to from the Virtual Domain list, such as mgmt.
4. Click OK.

To assign an interface to a VDOM in the CLI:

config global
config system interface
edit port1
set vdom mgmt
next
end
end

DHCP-PD support for MAP-E - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

l DHCP-PD support for MAP-E

Mapping of address and port with encapsulation (MAP-E) can operate in DHCPv6 prefix delegation (DHCPv6-PD)
environments, providing greater flexibility, improved automation, and scalability in network configurations. Previously,
MAP-E utilized the RA IPv6 prefix for deployment; see MAP-E support.


MAP-E mode

To configure MAP-E mode:

1. Configure the border relay FortiGate:


config system interface
edit "core-br21"
set vdom "br2"
set type vdom-link
set snmp-index 27
config ipv6
set ip6-address 2001:db8:b2c::b/64
set ip6-allowaccess ping
end
next
end
config system ipv6-tunnel
edit "6"
set source 2001:db8:b2c::b
set destination 2400:4050:6:0:c0:2:2200:0
next
end

2. Configure the CPE FortiGate:


a. Configure port6 to get an IPv6 address through the delegate:
config system interface
edit "port6"
set vdom "root"
set type physical
set snmp-index 6
config ipv6
set ip6-mode delegated
set ip6-allowaccess ping
set dhcp6-prefix-delegation enable
set ip6-delegated-prefix-iaid 1
set ip6-upstream-interface "port6"
set ip6-subnet ::1/64
config dhcp6-iapd-list
edit 1
set prefix-hint ::/56
next
end
end
next
end
# diagnose ipv ad list | grep port6
dev=7 devname=port6 flag= scope=0 prefix=64 addr=2400:4050:6::1 preferred=22 valid=45
cstamp=9913 tstamp=6047755
dev=7 devname=port6 flag=P scope=253 prefix=64 addr=fe80::20c:29ff:fe7b:d83b
preferred=4294967295 valid=4294967295 cstamp=6263 tstamp=6263

b. Configure the virtual network enabler (VNE) tunnel:


config system vne-interface
edit "vne.port6"
set interface "port6"
next
end
# diagnose test application vned 1
----------------------------------------------------------------------------
vdom: root/0, is master, devname=port6 link=1 tun=vne.port6 mode=map-e ssl_cert=Fortinet_Factory
end user ipv6 perfix: 2400:4050:6::/56
interface ipv6 addr: 2400:4050:6::1
bmr rule ipv6 perfix: 2400:4050:6::/56
bmr rule ipv4 perfix: 192.0.2.34/32
bmr rule br: 2001:db8:b2c::b
bmr rule hostname: Testbed6_dhcpv6-pd-IP1
saved hostname: Testbed6_dhcpv6-pd-IP1
tunnel br: 2001:db8:b2c::b
tunnel ipv6 addr: 2400:4050:6:0:c0:2:2200:0
tunnel ipv4 addr: 192.0.2.34/255.255.255.255
update result: good

Map-e rule client: state=succeed retries=0 interval=60 expiry=23634 reply_code=200
fqdn=rule.map.ocn.ad.jp num=1 cur=0 ttl=86400 expiry=0
2001:db8:c::1
Map-e DDNS client: state=succeed retries=0 interval=120 expiry=61372 reply_code=200
fqdn=ipoe-static.ocn.ad.jp num=1 cur=0 ttl=86400 expiry=0
2001:db8:c::2

vne.port6 is automatically configured after the VNE tunnel is set up:


config system interface
edit "vne.port6"
set vdom "root"
set ip 192.0.2.34 255.255.255.255
set type tunnel
set snmp-index 16
set interface "port6"
next
end
# diagnose ipv ad li | grep port6
dev=7 devname=port6 flag=Pn scope=0 prefix=128 addr=2400:4050:6:0:c0:2:2200:0
preferred=4294967295 valid=4294967295 cstamp=10620 tstamp=10620
dev=7 devname=port6 flag= scope=0 prefix=64 addr=2400:4050:6::1 preferred=37 valid=60
cstamp=9913 tstamp=6108593
dev=7 devname=port6 flag=P scope=253 prefix=64 addr=fe80::20c:29ff:fe7b:d83b
preferred=4294967295 valid=4294967295 cstamp=6263 tstamp=6263

c. Traffic can now pass through the VNE tunnel:


config router static
edit 1
set device "vne.port6"
next
end
# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=5.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=4.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=3.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=4.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=4.0 ms

--- 8.8.8.8 ping statistics ---


5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.7/4.2/5.3 ms
# diagnose sniffer packet port6 'ip6'
Using Original Sniffing Mode
interfaces=[port6]
filters=[ip6]
pcap_lookupnet: port6: no IPv4 address assigned
3.091513 2400:4050:6:0:c0:2:2200:0 -> 2001:db8:b2c::b: 192.0.2.34 -> 8.8.8.8: icmp:
echo request
3.096651 2001:db8:b2c::b -> 2400:4050:6:0:c0:2:2200:0: 8.8.8.8 -> 192.0.2.34: icmp:
echo reply
4.091842 2400:4050:6:0:c0:2:2200:0 -> 2001:db8:b2c::b: 192.0.2.34 -> 8.8.8.8: icmp:
echo request
4.095918 2001:db8:b2c::b -> 2400:4050:6:0:c0:2:2200:0: 8.8.8.8 -> 192.0.2.34: icmp:
echo reply
5.092029 2400:4050:6:0:c0:2:2200:0 -> 2001:db8:b2c::b: 192.0.2.34 -> 8.8.8.8: icmp:
echo request
5.095576 2001:db8:b2c::b -> 2400:4050:6:0:c0:2:2200:0: 8.8.8.8 -> 192.0.2.34: icmp:
echo reply
6.092221 2400:4050:6:0:c0:2:2200:0 -> 2001:db8:b2c::b: 192.0.2.34 -> 8.8.8.8: icmp:
echo request
6.096358 2001:db8:b2c::b -> 2400:4050:6:0:c0:2:2200:0: 8.8.8.8 -> 192.0.2.34: icmp:
echo reply
7.092372 2400:4050:6:0:c0:2:2200:0 -> 2001:db8:b2c::b: 192.0.2.34 -> 8.8.8.8: icmp:
echo request
7.096299 2001:db8:b2c::b -> 2400:4050:6:0:c0:2:2200:0: 8.8.8.8 -> 192.0.2.34: icmp:
echo reply
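As an added illustration (not from the guide), the following Python derives the CE tunnel address that appears as "tunnel ipv6 addr" above, and as the destination in the border relay's ipv6-tunnel configuration, from the delegated /56 prefix and the BMR IPv4 address. The interface-ID layout it uses (a zero byte, the 32-bit IPv4 address, the 16-bit PSID, a zero byte) is an assumption inferred from that output; it is the legacy softwire-map draft layout rather than the RFC 7597 one, so verify it against your own BR.

```python
import ipaddress


def map_e_ce_address(end_user_prefix6, ipv4_address, psid=0):
    """Derive the MAP-E CE tunnel address from the DHCPv6-PD end-user prefix.

    Interface-ID layout (assumption inferred from the vned output above; this is
    the legacy draft format, not the RFC 7597 one):
        byte 8       0x00
        bytes 9-12   32-bit IPv4 address from the BMR
        bytes 13-14  16-bit PSID (0 when the CE owns the whole IPv4 address)
        byte 15      0x00
    The first 64 bits are the end-user prefix padded with zeros."""
    net = ipaddress.IPv6Network(end_user_prefix6)
    if net.prefixlen > 64:
        raise ValueError("end-user prefix must leave room for a 64-bit interface ID")
    if not 0 <= psid <= 0xFFFF:
        raise ValueError("PSID must fit in 16 bits")
    v4 = int(ipaddress.IPv4Address(ipv4_address))
    iid = (v4 << 24) | (psid << 8)
    high = (int(net.network_address) >> 64) << 64
    return ipaddress.IPv6Address(high | iid)


def decode_map_e_ce_address(address6):
    """Recover (IPv4 address, PSID) embedded in a CE tunnel address, rejecting
    addresses whose guard bytes are not zero (not the layout assumed here)."""
    iid = int(ipaddress.IPv6Address(address6)) & ((1 << 64) - 1)
    if iid & 0xFF00000000000000 or iid & 0xFF:
        raise ValueError("not a legacy-format MAP-E interface ID")
    v4 = ipaddress.IPv4Address((iid >> 24) & 0xFFFFFFFF)
    psid = (iid >> 8) & 0xFFFF
    return str(v4), psid


def br_tunnel_destination_matches(br_destination6, end_user_prefix6, ipv4_address, psid=0):
    """The border relay's 'config system ipv6-tunnel' destination must equal the
    address the CE derives, or encapsulated replies never reach the CE."""
    expected = map_e_ce_address(end_user_prefix6, ipv4_address, psid)
    return ipaddress.IPv6Address(br_destination6) == expected


if __name__ == "__main__":
    ce = map_e_ce_address("2400:4050:6::/56", "192.0.2.34")
    print(ce)                                # 2400:4050:6:0:c0:2:2200:0
    print(decode_map_e_ce_address(ce))       # ('192.0.2.34', 0)
    print(br_tunnel_destination_matches("2400:4050:6:0:c0:2:2200:0",
                                        "2400:4050:6::/56", "192.0.2.34"))
```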


Fixed IP mode

To configure fixed IP mode:

1. Configure the border relay FortiGate:


config system ipv6-tunnel
edit "VNE-IPV6-2"
set source 2606:f900:8102:302::2
set destination 2606:f900:8102:301:8000::
set interface "port3"
next
end
config system interface
edit "port3"
set vdom "root"
set type physical
set snmp-index 9
config ipv6
set ip6-address 2606:f900:8102:302::2/64
set ip6-allowaccess ping
end
next
end

2. Configure the CPE FortiGate:


a. Configure port3 to get an IPv6 address through the delegate:
config system interface
edit "port3"
set vdom "root"
set type physical
set snmp-index 9
config ipv6
set ip6-mode delegated
set ip6-allowaccess ping
set dhcp6-prefix-delegation enable
set ip6-delegated-prefix-iaid 1
set ip6-upstream-interface "port3"
set ip6-subnet ::8000:0:0:0/64
config dhcp6-iapd-list
edit 1
set prefix-hint 2606:f900:8102:301::/64
next
edit 2
set prefix-hint 2606:f900:8102:303::/64
next
end
end
next
end
# diagnose ipv ad list | grep port3
dev=13 devname=port3 flag=P scope=0 prefix=64 addr=2606:f900:8102:301:8000::
preferred=4294967295 valid=4294967295 cstamp=61106 tstamp=61106
dev=13 devname=port3 flag=P scope=253 prefix=64 addr=fe80::e223:ffff:fe67:8e6e
preferred=4294967295 valid=4294967295 cstamp=56882 tstamp=56882

b. Configure the VNE tunnel:


config system vne-interface
edit "VNE"
set interface "port3"
set ipv4-address 10.100.100.1 255.255.255.0
set br "2606:f900:8102:302::2"
set update-url "http://test.com"
set mode fixed-ip
next
end
# diagnose test application vned 1
----------------------------------------------------------------------------
vdom: root/0, is master, devname=port3 link=1 tun=VNE mode=fixed-ip ssl_cert=Fortinet_Factory
end user ipv6 perfix: 2606:f900:8102:301::/64
interface ipv6 addr: 2606:f900:8102:301:8000::
config ipv4 perfix: 10.100.100.1/255.255.255.0
config br: 2606:f900:8102:302::2
HTTP username:
update url: http://test.com
host: test.com path: / port:80 ssl: 0
tunnel br: 2606:f900:8102:302::2
tunnel ipv6 addr: 2606:f900:8102:301:8000::
tunnel ipv4 addr: 10.100.100.1/255.255.255.0
update result:
Fixed IP rule client: state=succeed retries=0 interval=0 expiry=0 reply_code=0
fqdn=2606:f900:8102:302::2 num=1 cur=0 ttl=4294967295 expiry=0
2606:f900:8102:302::2
Fixed IP DDNS client: state=init retries=0 interval=10 expiry=4 reply_code=0
fqdn=test.com num=0 cur=0 ttl=0 expiry=0

c. Traffic can now pass through the VNE tunnel:


# execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=52 time=5.0 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=6.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=52 time=4.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=52 time=4.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=52 time=4.6 ms

--- 8.8.8.8 ping statistics ---


5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.6/5.0/6.4 ms
# diagnose sniffer packet port3 'ip6'
interfaces=[port3]
filters=[ip6]
4.319283 2606:f900:8102:301:8000:: -> 2606:f900:8102:302::2: 10.100.100.1 -> 8.8.8.8:
icmp: echo request
4.324193 2606:f900:8102:302::2 -> 2606:f900:8102:301:8000::: 8.8.8.8 -> 10.100.100.1:
icmp: echo reply
5.331276 2606:f900:8102:301:8000:: -> 2606:f900:8102:302::2: 10.100.100.1 -> 8.8.8.8:
icmp: echo request
5.337550 2606:f900:8102:302::2 -> 2606:f900:8102:301:8000::: 8.8.8.8 -> 10.100.100.1:
icmp: echo reply
6.341289 2606:f900:8102:301:8000:: -> 2606:f900:8102:302::2: 10.100.100.1 -> 8.8.8.8:
icmp: echo request
6.345900 2606:f900:8102:302::2 -> 2606:f900:8102:301:8000::: 8.8.8.8 -> 10.100.100.1:
icmp: echo reply
7.351258 2606:f900:8102:301:8000:: -> 2606:f900:8102:302::2: 10.100.100.1 -> 8.8.8.8:
icmp: echo request
7.355743 2606:f900:8102:302::2 -> 2606:f900:8102:301:8000::: 8.8.8.8 -> 10.100.100.1:
icmp: echo reply
8.361257 2606:f900:8102:301:8000:: -> 2606:f900:8102:302::2: 10.100.100.1 -> 8.8.8.8:
icmp: echo request
8.365788 2606:f900:8102:302::2 -> 2606:f900:8102:301:8000::: 8.8.8.8 -> 10.100.100.1:
icmp: echo reply

Objects

This section includes information about object-related new features:

l RSSO dynamic address subtype 7.6.1 on page 277
l New ISDB record for SOCaaS 7.6.1 on page 280

RSSO dynamic address subtype - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

l RSSO dynamic address subtype

The new RSSO dynamic address object subtype can be used in a firewall policy's source and destination fields. It allows
for more granular and precise policies based on RSSO group membership, enhancing security and flexibility when
managing network traffic and enforcing policies.
When the sub-type is rsso, the sso-attribute-value must be set. The IP address of the RADIUS single sign-on
user matching the group value will be loaded to the address object.

To configure the RSSO dynamic address subtype:

config firewall address
edit "test-rsso-addr-1"
set type dynamic
set sub-type rsso
set sso-attribute-value <name(s)>
next
end

Variable                          Description
sub-type rsso                     RSSO address sub-type.
sso-attribute-value <name(s)>     Name(s) of the RADIUS user groups that this address includes.

To check the RADIUS dynamic address database information:

# diagnose test application radiusd {6 | 66}

Test level    Description
6             Show RADIUS dynamic address database summary information.
66            Show RADIUS dynamic address database information.

Example

To configure and use an RSSO dynamic address object:

1. Enable RADIUS account access on port 1.


When the RADIUS server sends an RSSO message to the FortiGate on port 1, which includes an IP address, the
FortiGate will add it to the RSSO dynamic address list.
config system interface
edit port1
append allowaccess radius-acct
next
end

2. Configure the RADIUS user and user group for the RSSO address:
config user radius
edit "rsso_server"
set rsso enable
set rsso-radius-response enable
set rsso-secret **************
set rsso-flush-ip-session enable
next
end
config user group
edit "rsso_g1"
set group-type rsso
set sso-attribute-value "rsso_group_1"
next
end


3. Configure a dynamic address with RSSO subtype:


config firewall address
edit "test-rsso-addr-1"
set type dynamic
set sub-type rsso
set sso-attribute-value "rsso_group_1"
next
end

4. Apply the RSSO dynamic address as a destination in the firewall policy:


config firewall policy
edit 44
set name "nat44_policy"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "10-1-100-0"
set dstaddr "test-rsso-addr-1"
set schedule "always"
set service "ALL"
set logtraffic all
set auto-asic-offload disable
set nat enable
next
end

5. Check the RSSO dynamic address. In this case, 172.16.200.155 is loaded into the RSSO dynamic address:
# diagnose test application radiusd 6
dynamic addresses total[vd:root]:0.
dynamic addresses total[vd:vdom1]:1.
name, ip_db-total
test-rsso-addr-1, 1
# diagnose test application radiusd 66
dynamic addresses total[vd:root]:0.
dynamic addresses total[vd:vdom1]:1.
name:test-rsso-addr-1, ip_db total:1.
ip, installed
172.16.200.155, 1.
# diagnose firewall dynamic list test-rsso-addr-1
CMDB name: test-rsso-addr-1
test-rsso-addr-1: ID(90)
ADDR(172.16.200.155)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.

6. Send a packet that hits the policy, then check the session to see that the RSSO dynamic address works as a
destination in the firewall policy:
# diagnose sys session list
session info: proto=6 proto_state=07 duration=6 expire=115 timeout=3600 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
dst_user=dynamic_user_1 dst_authsvr=vdom1 state=log may_dirty f00
statistic(bytes/packets/allow_err): org=269/5/1 reply=715/4/1 tuples=2
tx speed(Bps/kbps): 42/0 rx speed(Bps/kbps): 112/0
orgin->sink: org pre->post, reply pre->post dev=10->9/9->10
gwy=172.16.200.155/10.1.100.42
hook=post dir=org act=snat 10.1.100.42:20042->172.16.200.155:80(172.16.200.6:20042)
hook=pre dir=reply act=dnat 172.16.200.155:80->172.16.200.6:20042(10.1.100.42:20042)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=44 pol_uuid_idx=2522 auth_info=0 chk_client_info=0 vd=1
serial=0000254c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy
total session: 1

New ISDB record for SOCaaS - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

l ISDB record for SOCaaS

The Fortinet-FortiGuard.SOCaaS Internet service database (ISDB) entry for Fortinet SOCaaS enables policies to be configured for devices to forward data to SOCaaS collectors without relying on DNS. Eliminating the dependency on DNS reduces the risk of DNS mapping failures and helps ensure a more reliable and seamless data forwarding process.

To check that the new entry is added to the ISDB:

1. Update the object versions:


# diagnose autoupdate versions

Internet-service Full Database
---------
Version: 7.03917 signed
Contract Expiry Date: n/a
Last Updated using manual update on Wed Oct 30 10:33:22 2024
Last Update Attempt: Wed Oct 30 10:33:22 2024
Result: Updates Installed

2. Check the Internet service database for the entry:


# diagnose internet-service id 1245514

Internet Service: 1245514(Fortinet-FortiGuard.SOCaaS)
Version: 00007.03917
Timestamp: 202410291605
Number of Entries: 14
66.35.19.120-66.35.19.120 country(840) region(283) city(23352) blocklist(0x0) reputation
(5), popularity(5) domain(5225) botnet(0) proto(6) port(514)
149.5.234.172-149.5.234.172 country(250) region(1509) city(24955) blocklist(0x0)
reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(514)

FortiOS 7.6.0 New Features Guide 280


Fortinet Inc.
Policy and objects

154.52.2.164-154.52.2.164 country(276) region(697) city(7844) blocklist(0x0) reputation


(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.2.169-154.52.2.169 country(276) region(697) city(7844) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.2.182-154.52.2.182 country(276) region(697) city(7844) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.4.160-154.52.4.160 country(840) region(283) city(21092) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.4.192-154.52.4.192 country(840) region(283) city(21092) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.4.195-154.52.4.195 country(840) region(283) city(21092) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.4.197-154.52.4.197 country(840) region(283) city(21092) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.4.204-154.52.4.204 country(840) region(283) city(21092) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.4.224-154.52.4.224 country(840) region(283) city(21092) blocklist(0x0) reputation
(5), popularity(5) domain(5225) botnet(0) proto(6) port(514)
154.52.6.181-154.52.6.181 country(840) region(2039) city(1106) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.22.161-154.52.22.161 country(36) region(1287) city(23487) blocklist(0x0)
reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.29.66-154.52.29.66 country(840) region(482) city(25915) blocklist(0x0) reputation
(5), popularity(5) domain(0) botnet(0) proto(6) port(514)

3. Check the entry in the GUI:


a. Go to Policy & Objects > Internet Service Database and select the Internet Service tab.
b. Search for Fortinet-FortiGuard.SOCaaS.
c. Hover over the result, and click View/Edit Entries.

To use the new entry in a firewall policy:

1. Configure a firewall policy:

config firewall policy
edit 99
set name "ISDB_Policy"
set srcintf "wan2"
set dstintf "wan1"
set action accept
set srcaddr "all"
set internet-service enable
set internet-service-name "Fortinet-FortiGuard.SOCaaS"
set schedule "always"
set logtraffic all
set auto-asic-offload disable
set nat enable
next
end

2. Send traffic that matches the policy, then check the traffic log. Both dstinetsvc and service name the ISDB entry,
showing that the destination 66.35.19.120:514 was matched by the Internet service rather than by an address object:

1: date=2024-10-29 time=17:52:49 eventtime=1730249569310005321 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.1.100.42 srcport=38380 srcintf="wan2" srcintfrole="lan" dstip=66.35.19.120
dstport=514 dstintf="wan1" dstintfrole="undefined" srcuuid="70a3388c-dfec-51ea-f8dd-
88267a721f36" srccountry="Reserved" dstinetsvc="Fortinet-FortiGuard.SOCaaS"
dstcountry="United States" dstregion="California" dstcity="Sunnyvale" dstreputation=5
sessionid=474401 proto=6 action="close" policyid=99 policytype="policy"
poluuid="ac8e35a2-dffd-51ea-9df6-e3860c663d3b" policyname="ISDB_Policy"
service="Fortinet-FortiGuard.SOCaaS" trandisp="snat" transip=172.16.200.10
transport=38380 appcat="unscanned" duration=2 sentbyte=300 rcvdbyte=172 sentpkt=5
rcvdpkt=4 mastersrcmac="00:0c:29:6e:3a:47" srcmac="00:0c:29:6e:3a:47" srcserver=0
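As an added example (this is not code from the Fortinet guide), the following Python cross-checks a logged flow against the ISDB entry: it parses the `diagnose internet-service id` output into address ranges with protocol and port, parses the FortiOS key=value traffic log record, and confirms both that the logged destination falls inside an entry and that the FortiGate itself attributed the flow to the service (dstinetsvc). The three ISDB lines and the log record are copied from the output above (PDF line wraps removed, log fields trimmed); the function names and the check itself are illustrative.

```python
import ipaddress
import re

# Constructed sample: three of the 14 entries from `diagnose internet-service id 1245514`
# above, each on one line, followed by the step-2 traffic log record (fields trimmed).
ISDB_OUTPUT = """\
Internet Service: 1245514(Fortinet-FortiGuard.SOCaaS)
Version: 00007.03917
Number of Entries: 14
66.35.19.120-66.35.19.120 country(840) region(283) city(23352) blocklist(0x0) reputation(5), popularity(5) domain(5225) botnet(0) proto(6) port(514)
149.5.234.172-149.5.234.172 country(250) region(1509) city(24955) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
154.52.29.66-154.52.29.66 country(840) region(482) city(25915) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(514)
"""

TRAFFIC_LOG = (
    'date=2024-10-29 time=17:52:49 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.100.42 srcport=38380 dstip=66.35.19.120 dstport=514 '
    'dstinetsvc="Fortinet-FortiGuard.SOCaaS" proto=6 action="close" policyid=99 '
    'policyname="ISDB_Policy" service="Fortinet-FortiGuard.SOCaaS" trandisp="snat"'
)

# One ISDB entry line: "<first>-<last> ... proto(<n>) port(<p>)"; the port may be a range "lo-hi".
ENTRY_RE = re.compile(r"^(\S+)-(\S+)\s.*?proto\((\d+)\)\s+port\((\d+)(?:-(\d+))?\)", re.M)
# FortiOS log fields are key=value, with string values in double quotes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_isdb(text):
    """Return [(first_ip, last_ip, proto, port_lo, port_hi), ...] from the diagnose output."""
    entries = []
    for first, last, proto, plo, phi in ENTRY_RE.findall(text):
        entries.append((ipaddress.ip_address(first), ipaddress.ip_address(last),
                        int(proto), int(plo), int(phi or plo)))
    return entries


def parse_log(line):
    """Return the log record as a dict with the surrounding quotes removed."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def isdb_covers(entries, ip, proto, port):
    """True if ip/proto/port falls inside at least one ISDB entry."""
    ip = ipaddress.ip_address(ip)
    return any(lo <= ip <= hi and proto == p and plo <= port <= phi
               for lo, hi, p, plo, phi in entries)


def log_matches_isdb(isdb_text, log_line, service="Fortinet-FortiGuard.SOCaaS"):
    """True only when the logged destination is inside the ISDB entry set *and* the
    FortiGate attributed the flow to that service in dstinetsvc."""
    rec = parse_log(log_line)
    covered = isdb_covers(parse_isdb(isdb_text), rec["dstip"], int(rec["proto"]), int(rec["dstport"]))
    return covered and rec.get("dstinetsvc") == service


if __name__ == "__main__":
    entries = parse_isdb(ISDB_OUTPUT)
    print(f"{len(entries)} entries parsed")
    print("logged flow covered by ISDB:", log_matches_isdb(ISDB_OUTPUT, TRAFFIC_LOG))
    # The same collector on a port other than syslog/514 is not part of the service.
    print("66.35.19.120:443/tcp covered:", isdb_covers(entries, "66.35.19.120", 6, 443))
```

The port check matters: the entries above are all proto(6) port(514), so a policy built on this ISDB entry only admits TCP syslog to the collectors, and a flow to the same address on another port does not match the policy.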

Zero Trust Network Access

This section includes information about ZTNA related new features:

- Security posture and EMS connector on page 283
- Application gateway on page 283
- General on page 293

Security posture and EMS connector

This section includes information about security posture and EMS connector related new features:
- Share ZTNA information through the EMS connector on page 283

Share ZTNA information through the EMS connector

FortiClient EMS 7.2.5 or later, or 7.4.1 or later is required for this feature.

Previously, every TCP and SaaS application that required a ZTNA destination on FortiClient had to be configured
manually on FortiClient or FortiClient EMS. With this enhancement, the FortiGate shares its ZTNA information, such as
ZTNA VIP addresses and application addresses and ports, through the EMS connector. On FortiClient EMS, the configured
ZTNA TCP and SaaS applications are pulled into the ZTNA application catalog and can be added to ZTNA destinations
without any additional configuration. This streamlines the deployment of ZTNA applications and rules between FortiGate
and FortiClient, and reduces errors from manual configuration.
For more information about this feature, see Share ZTNA application configurations with FortiClient EMS.

Application gateway

This section includes information about application gateway related new features:
- ZTNA agentless web-based application access 7.6.1 on page 283

ZTNA agentless web-based application access - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

- ZTNA agentless web-based application access


A ZTNA web portal is now available to give end users access to applications without FortiClient or client certificate
checks. The ZTNA portal handles authentication and authorization of traffic destined for the protected resources, and it
is implemented entirely in WAD, the FortiGate proxy daemon.
When end users connect to the ZTNA web portal, they are directed to a login page. Once logged in, they can open the
bookmarks defined by the administrator.

For web applications, the client must resolve the application FQDN to the ZTNA portal VIP. When accessing the web
application, end users are presented with the certificate configured on the ZTNA portal VIP (or virtual host) instead of
the certificate of the backend web server. That certificate therefore needs the correct Subject Alternative Name(s) for
every application FQDN to avoid browser certificate errors.


CLI syntax

Configure an access-proxy type of VIP. Disable client-cert so that a client certificate is not checked when an agentless
client connects.
config firewall vip
edit <name>
set type access-proxy
set server-type https
set extip <ip address>
set extintf <interface>
set client-cert disable
set extport <port>
set ssl-certificate <certificate>
next
end

Configure an access-proxy virtual host. End users connect to this destination to access the ZTNA web portal. Disable
client-cert for this virtual host as well.
config firewall access-proxy-virtual-host
edit "ztna-web-portal-fqdn"
set host <web portal host name or IP>
set client-cert disable
next
end

Configure an authentication scheme. Then configure an authentication rule with the new protocol ztna-portal.
config authentication rule
edit <rule>
set protocol ztna-portal
set active-auth-method <auth scheme>
next
end

New syntax for configuring the ZTNA web portal:

config ztna web-portal
edit <name>
set vip <vip name>
set host <virtual host name>
set auth-portal {enable | disable}
set vip6 <virtual IPv6 name>
set auth-rule <rule>
next
end

set vip <vip name>                   The access-proxy VIP associated with this portal.
set host <virtual host name>         The access-proxy virtual host object and FQDN defined for accessing this portal.
                                     This virtual host object should not conflict with other virtual host objects used
                                     in TCP forwarding and HTTP web services, or with the SAML SP host.
set auth-portal {enable | disable}   Enable/disable the authentication portal.
set vip6 <virtual IPv6 name>         The access-proxy VIP6 associated with the ZTNA server and applications that this
                                     portal is allowing.
set auth-rule <rule>                 The authentication rule (with protocol ztna-portal) that authenticates users of
                                     this portal.


New syntax for creating the web portal bookmarks:

config ztna web-portal-bookmark
edit <name>
set users <users>
set groups <groups>
config bookmarks
edit <name>
set apptype {ftp | rdp | sftp | smb | ssh | telnet | vnc | web}
set url <string>
set host <name or IP>
set description <description>
set port <remote port>
set sso {enable | disable}
next
end
next
end

set users <users>                    The user(s) allowed to access the web portal.
set groups <groups>                  The group(s) allowed to access the web portal.
set apptype {ftp | rdp | sftp |      Supported types of bookmarks: ftp, rdp, sftp, smb, ssh, telnet, vnc, web.
  smb | ssh | telnet | vnc | web}
set url <string>                     For web applications, the URL that defines the destination.
set host <name or IP>                For other application types (ssh, rdp, and so on), the host name or IP that
                                     defines the destination.
set port <remote port>               Where applicable, the port of the service.
set sso {enable | disable}           Enable/disable single sign-on with the user's login credentials when connecting to
                                     the application, where applicable.

Not all options are listed. Some options are only available for certain types of applications.

Within the proxy-policy (full ZTNA policy), a new proxy type called ztna-proxy is added. Configure the proxy-policy to
map to the web portal:
config firewall proxy-policy
edit <id>
set proxy ztna-proxy
set active-auth-method <authentication rule>
set ztna-proxy <web-portal>
next
end


Example

This example demonstrates connecting to a ZTNA web portal to gain access to protected resources. Authentication is
performed with LDAP.

Prerequisites:

- The client can resolve:
  - The hostname web-portal.ztnademo.com to the VIP address 10.0.3.20
  - The server s1.ztnademo.com to the VIP address 10.0.3.20
  - The server s2.ztnademo.com to the VIP address 10.0.3.20
- The FortiGate resolves:
  - s1.ztnademo.com to the real server IP of 10.88.0.7
  - s2.ztnademo.com to the real server IP of 10.88.0.3
- The FortiGate has an LDAP connection and user group already created.

To configure from the CLI:

1. Configure a firewall VIP with external IP 10.0.3.20:

config firewall vip
edit "ZTNA-web-proxy"
set type access-proxy
set server-type https
set extip 10.0.3.20
set extintf "port3"
set client-cert disable
set extport 443
set ssl-certificate "ztna-wildcard"
next
end

2. Configure an access-proxy virtual host:

The configuration here defines the virtual host used to access the ZTNA web portal, as well as the server certificate
for the portal. It overrides the settings in the VIP. Ensure that client-cert is disabled.
config firewall access-proxy-virtual-host
edit "ztna-web-portal-fqdn"
set host "web-portal.ztnademo.com"
set client-cert disable
next
end

3. Configure the authentication scheme and rule:

config authentication scheme
edit "ztna-web-portal-ldap"
set method basic
set user-database "LDAP-fortiad"
next
end
config authentication rule
edit "ztna-web-portal-rule"
set protocol ztna-portal
set ip-based disable
set active-auth-method "ztna-web-portal-ldap"
set web-auth-cookie enable
next
end

4. Configure the ZTNA web portal:

Map the portal to the VIP, virtual host, and authentication rule that were previously created.
config ztna web-portal
edit "ztna-web-portal-ldap"
set vip "ZTNA-web-proxy"
set host "ztna-web-portal-fqdn"
set auth-rule "ztna-web-portal-rule"
next
end

5. Create web portal bookmarks that point to your internal resources:

The groups setting defines the user group allowed access to the portal. Web bookmarks are defined by url; the ssh and
rdp bookmarks use host (and port) instead.
config ztna web-portal-bookmark
edit "bookmark"
set groups "LDAP-Remote-Allowed-Group"
config bookmarks
edit "Webserver"
set url "https://s2.ztnademo.com:9043"
next
edit "Server-S1-Web"
set sso enable
set url "https://s1.ztnademo.com"
next
edit "Server-S1-SSh"
set apptype ssh
set sso enable
set host "10.88.0.7"
set logon-user "admin"
set logon-password <password>
next
edit "FortiGate-Internal-SSH"
set apptype ssh
set host "10.88.0.254"
next
edit "RDP"
set apptype rdp
set host "10.88.0.1"
set port 3389
next
end
next
end

6. Create a full ZTNA policy (proxy-policy) to allow access to the new VIP:

config firewall proxy-policy
edit 0
set name "ZTNA-web-portal"
set proxy ztna-proxy
set ztna-proxy "ztna-web-portal-ldap"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
next
end

Verification:

1. On the client 10.0.3.2, access the portal at https://web-portal.ztnademo.com.
2. When prompted, enter the LDAP user credentials.
3. Once logged into the ZTNA portal, choose the application bookmark to connect to.
4. Click Webserver to access s2.ztnademo.com. A new tab opens to the web page.
5. Check the certificate presented to the browser. It is the certificate configured on the VIP (signed by the CA used in
the VIP configuration), not the certificate of the backend server.


6. On the FortiGate, go to Log & Report > ZTNA Traffic to view the latest traffic log. Alternatively, use these commands
to view the logs from the CLI. In the record, clientcert="no" and proxyapptype="ztna-proxy" identify an agentless portal
session, and trandisp="dnat" with tranip/tranport shows the real server that the bookmark was mapped to:
# execute log filter field subtype ztna
# execute log display

32 logs found.
10 logs returned.

1: date=2024-12-03 time=13:04:33 eventtime=1733259873399494172 tz="-0800"
logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2
srcport=1629 srcintf="port3" srcintfrole="wan" dstcountry="Reserved"
srccountry="Reserved" dstip=10.0.3.20 dstport=443 dstintf="port2" dstintfrole="dmz"
sessionid=6761 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="HTTPS"
proxyapptype="ztna-proxy" proto=6 action="accept" policyid=2 policytype="proxy-policy"
poluuid="b93f2588-b125-51ef-47b1-85fc99ba0ab1" policyname="ZTNA-web-portal"
trandisp="dnat" tranip=10.88.0.3 tranport=9043 appcat="unscanned" duration=421
gatewayid=1 vip="ZTNA-web-proxy" clientdevicemanageable="unknown" clientcert="no"
wanin=303011 rcvdbyte=303011 wanout=5460 lanin=3202 sentbyte=3202 lanout=306669

7. On the ZTNA portal, connect to RDP. When prompted, enter the credentials.
8. Once successfully connected, users can press F8 for additional controls.
9. Review the logs:

# execute log filter field subtype ztna
# execute log display

35 logs found.
10 logs returned.

1: date=2024-12-03 time=16:24:50 eventtime=1733271890886450548 tz="-0800"
logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2
srcport=2540 srcintf="port3" srcintfrole="wan" dstcountry="Reserved"
srccountry="Reserved" dstip=10.0.3.20 dstport=443 dstintf="port2" dstintfrole="dmz"
sessionid=8146 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="HTTPS"
proxyapptype="ztna-proxy" proto=6 action="accept" policyid=2 policytype="proxy-policy"
poluuid="b93f2588-b125-51ef-47b1-85fc99ba0ab1" policyname="ZTNA-web-portal"
trandisp="dnat" tranip=10.88.0.1 tranport=3389 appcat="unscanned" duration=0 gatewayid=1
vip="ZTNA-web-proxy" clientdevicemanageable="unknown" clientcert="no" wanin=0 rcvdbyte=0
wanout=0 lanin=3242 sentbyte=3242 lanout=1726

Additional troubleshooting and debugs:

If an issue occurs, you can troubleshoot by running these commands:

# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable

A working connection outputs debugs indicating that the web portal matched the proper gateway. Accessing a bookmark
then outputs debugs for matching the bookmark. Note that the bookmark request arrives with Host: s2.ztnademo.com, which
matches no virtual host; WAD falls back to the portal cookie carried in the query string to select the gateway, then
matches the user's cached group before forwarding the portal's 303 redirect to the application:
GET /XX/YY/ZZ/webservice?bmgroup=bookmark&bmname=Webserver&cookie=9DC408DF3F32C8805385A1204DED7F81 HTTP/1.1
Host: s2.ztnademo.com
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-fetch-site: same-site
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
referer: https://web-portal.ztnademo.com/
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: ZTPORTAL-EP-w8ICkTaqA8_EMoSCNDe_gyTAXEUw=430AAAAAAIAAAAAAAAAKF1h1WrrQAbAnodk0tYbtu1vnZZ-qlaOhL_y-UZIXxPCwqIplM3ujQ==DAAAAFB0iNTviC6zS6nUx9VNZ3yWCbkG
priority: u=0, i

[V][p:3472][s:6905][r:815] wad_http_marker_uri :1533 path=/XX/YY/ZZ/webservice len=20
[V][p:3472][s:6905][r:815] wad_http_parse_host :1911 host_len=15
[I][p:3472][s:6905][r:815] wad_http_parse_host :1948 host=[15]s2.ztnademo.com
[I][p:3472][s:6905][r:815] wad_http_str_canonicalize :2468 enc=0 path=/XX/YY/ZZ/webservice len=20 changes=0
[I][p:3472][s:6905][r:815] wad_http_str_canonicalize :2470 end=5 path=bmgroup=bookmark&bmname=Webserver&cookie=9DC408DF3F32C8805385A1204DED7F81 len=73 changes=0
[V][p:3472][s:6905][r:815] wad_http_normalize_uri :2643 host_len=15 path_len=20 query_len=73
[I][p:3472][s:6905][r:815] wad_http_req_detect_special :14025 captive_portal detected: false, preflight=(null)
[I][p:3472][s:6905][r:815] wad_vs_proxy_match_gwy :4534 16059:ZTNA-web-proxy: matching gwy with vhost(_def_virtual_host_)
[V][p:3472][s:6905][r:815] wad_vs_proxy_match_vhost :4653 16059:ZTNA-web-proxy: matching vhost by: s2.ztnademo.com
[V][p:3472][s:6905][r:815] wad_vs_proxy_match_vhost :4656 16059:ZTNA-web-proxy: no host matched.
[V][p:3472][s:6905][r:815] wad_vs_web_portal_cookie_lookup :8784 decode cookie_str=9DC408DF3F32C8805385A1204DED7F81 as cookie_val=1870837449, vd_id=0, vs_id=16059, gwy_id=1
[I][p:3472][s:6905][r:815] wad_vs_proxy_match_gwy :4578 16059:ZTNA-web-proxy: Matched gwy(1) type(ztna-portal) via cookie in query 0x7fdeabcd2448
...
[I][p:3472][s:6905][r:815] wad_ztna_portal_match_user :79 matched cached grp:LDAP-Remote-Allowed-Group
[V][p:3472][s:6905][r:815] wad_http_req_exec_act :13264 response is ready!
[V][p:3472][s:6905][r:815] wad_http_msg_start_setup_proc :2280 msg(0x7fdeaa161048) proc-setup started from: req_resp_ready.
[V][p:3472][s:6905][r:815] wad_http_def_proc_msg_plan :2242 msg(0x7fdeaa161048) setting up processor(req_resp_ready)
[V][p:3472][s:6905][r:815] wad_http_msg_start_setup_proc :2280 msg(0x7fdeaa4f4cf0) proc-setup started from: resp_forward.
[V][p:3472][s:6905][r:815] wad_http_def_proc_msg_plan :2242 msg(0x7fdeaa4f4cf0) setting up processor(resp_forward)
[I][p:3472][s:6905][r:815] wad_dump_fwd_http_resp :3040 hreq=0x7fdeaa161048
Forward response from Internal:

HTTP/1.1 303 See Other
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Location: https://s2.ztnademo.com:443
Content-Length: 133
Set-Cookie: ZTNAWebPortal=9DC408DC3F32C8805385A1204DED7F81; Max-Age=3600; Path=/; HTTPOnly; Secure
Set-Cookie: ZTNAWEB=bmgroup=bookmark&bmname=Webserver; Path=/; HTTPOnly; Secure
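As an added example that is not part of the guide, the following Python audits the Set-Cookie and security headers of the forwarded 303 response shown above. The response text is reconstructed from the debug output (headers only, the 133-byte body is omitted). The checks are the ones a reviewer applies to a portal session cookie: Secure and HttpOnly present, the name/value pair split only at the first "=" (the ZTNAWEB value itself contains "="), attribute names compared case-insensitively (the portal writes HTTPOnly), and whether SameSite is set. On this response the only findings are the absent SameSite attribute on both cookies and the 'unsafe-inline' and 'unsafe-eval' script sources in the CSP; function names are illustrative.

```python
from email.parser import Parser

# Reconstructed from the WAD debug output above: the 303 the portal returns when the
# "Webserver" bookmark is opened. Headers only; the 133-byte body is omitted.
RESPONSE = """\
HTTP/1.1 303 See Other
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Location: https://s2.ztnademo.com:443
Content-Length: 133
Set-Cookie: ZTNAWebPortal=9DC408DC3F32C8805385A1204DED7F81; Max-Age=3600; Path=/; HTTPOnly; Secure
Set-Cookie: ZTNAWEB=bmgroup=bookmark&bmname=Webserver; Path=/; HTTPOnly; Secure
"""


def parse_response(raw):
    """Split an HTTP/1.1 response into (status line, headers). The email header parser
    is used because it keeps repeated Set-Cookie headers separate (get_all)."""
    status, _, rest = raw.partition("\n")
    return status.strip(), Parser().parsestr(rest, headersonly=True)


def parse_set_cookie(value):
    """Return (name, value, {attribute: value_or_True}) for one Set-Cookie header.
    Only the first '=' separates name from value, so 'ZTNAWEB=bmgroup=bookmark&...'
    keeps its whole value; attribute names are case-insensitive per RFC 6265."""
    pair, *attrs = [part.strip() for part in value.split(";")]
    name, _, val = pair.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, v = attr.partition("=")
        parsed[key.strip().lower()] = v.strip() or True
    return name, val, parsed


def audit_cookies(raw):
    """Return {cookie name: [findings]}; an empty list means the cookie passed."""
    _, headers = parse_response(raw)
    report = {}
    for header in headers.get_all("Set-Cookie", []):
        name, _, attrs = parse_set_cookie(header)
        findings = [f"missing {flag}" for flag in ("secure", "httponly") if flag not in attrs]
        if "samesite" not in attrs:
            findings.append("no SameSite attribute; relies on browser defaults")
        report[name] = findings
    return report


def audit_headers(raw):
    """Summarise the transport and content-security headers on the response."""
    _, headers = parse_response(raw)
    csp = headers.get("Content-Security-Policy", "")
    return {
        "hsts": "Strict-Transport-Security" in headers,
        "framing_restricted": "frame-ancestors" in csp or "X-Frame-Options" in headers,
        "csp_unsafe_sources": [src for src in ("'unsafe-inline'", "'unsafe-eval'") if src in csp],
        "redirect_to": headers.get("Location"),
    }


if __name__ == "__main__":
    for cookie, findings in audit_cookies(RESPONSE).items():
        print(cookie, findings or "ok")
    print(audit_headers(RESPONSE))
```

Run it against a captured response from your own portal (the Forward response block of the WAD debug is enough); the cookie parser is deliberately strict about the first "=" because a naive split on "=" would truncate the ZTNAWEB value and hide what the portal stores client-side.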

General

This section includes information about general ZTNA related new features:
- ZTNA support for UDP traffic on page 293
- ZTNA support for SaaS application access control in the GUI on page 306
- Include EMS tag information in traffic logs on page 308
- ZTNA single sign-on with Entra ID 7.6.3 on page 308
- ZTNA tags on 2 GB entry-level platforms in IP/MAC-based access control 7.6.3 on page 317

ZTNA support for UDP traffic

ZTNA now supports UDP traffic from FortiClient 7.4.1 and later endpoints. When UDP traffic to a destination is detected,
FortiClient forms a UDP connection over QUIC to the FortiGate ZTNA gateway. After authentication, security posture
check, and authorization, FortiGate forms a connection with the destination and the end-to-end UDP traffic passes
through.

Scope and limitations

- The FortiClient endpoint must be running 7.4.1 or later.
- FortiClient EMS 7.4.1 and later supports the option to enable UDP on a ZTNA application.


CLI syntax

In order to support UDP traffic forwarding, the FortiGate VIP associated with the ZTNA server configurations must have
h3-support enabled.
config firewall vip
edit <ZTNA VIP>
set type access-proxy
set h3-support {enable | disable}
next
end

The UDP applications themselves are configured as real servers under the firewall access-proxy, in the same
tcp-forwarding api-gateway used for TCP applications. The per-application UDP option is then enabled on FortiClient
EMS (see below):
config firewall access-proxy
edit <name>
set vip <ZTNA VIP>
config api-gateway
edit 1
set url-map "/tcp"
set service tcp-forwarding
config realservers
edit 1
set address <UDP application address>
set mappedport <UDP application port(s)>
next
end
next
end
next
end

FortiClient EMS configuration

From the FortiClient EMS server, you must edit the ZTNA applications to enable UDP.

To enable UDP:

1. From Fabric & Connectors > ZTNA Application Catalog, locate the applications retrieved from the FortiGate.
2. On the right side of the entry, click Edit.
3. In the Edit Application popup, select Enable UDP.
4. Click Finish to save.
5. If the application is used in a profile, confirm that the change will apply to the profile, and click Yes to proceed.

When applying the application to a ZTNA Destination Profile, confirm that the protocol displays both TCP & UDP.

Example

When an application on an endpoint initiates UDP traffic, FortiClient forms a UDP connection over QUIC to the FortiGate
ZTNA gateway (10.0.3.10:9043). After authentication, security posture check, and authorization, the FortiGate forms a
UDP connection with the destination (for example quic.nginx.org), and the end-to-end UDP traffic passes through. In this
example the endpoint reaches several UDP destinations through the same gateway: DNS on 8.8.8.8, QUIC on quic.nginx.org,
and the ports defined for the EMS servers. Note h3-support enable on the VIP, and that the UDP real servers sit under the
same tcp-forwarding api-gateway as TCP applications.

To configure FortiGate:

config firewall vip
edit "ZTNA-webserver"
set type access-proxy
set server-type https
set extip 10.0.3.10
set h3-support enable
set extintf "port3"
set extport 9043
set ssl-certificate "ztna-wildcard"
next
end
config firewall address
edit "EMS"
set color 21
set subnet 10.88.0.1 255.255.255.255
next
edit "EMS-HA"
set associated-interface "port2"
set subnet 10.88.0.31 255.255.255.255
next
edit "DNS_8.8.8.8"
set subnet 8.8.8.8 255.255.255.255
next
edit "quic.nginx.org"
set type fqdn
set fqdn "quic.nginx.org"
next
end
config firewall access-proxy
edit "ZTNA-webserver"
set vip "ZTNA-webserver"
config api-gateway
edit 2
set url-map "/tcp"
set service tcp-forwarding
config realservers
edit 4
set address "DNS_8.8.8.8"
set mappedport 53 52 176
next
edit 5
set address "quic.nginx.org"
next
edit 7
set address "EMS"
set mappedport 5001
next
edit 8
set address "EMS-HA"
set mappedport 5201
next
end
next
end
next
end
config firewall policy
edit 9
set name "ZTNA-Access"
set srcintf "port3"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "ZTNA-webserver"
set schedule "always"
set logtraffic all
set nat enable
next
end
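As an added example, not Fortinet code, the following Python parses FortiOS CLI text into nested dictionaries and lints the two requirements this chapter calls out. For the agentless ZTNA web portal (the "ZTNA agentless web-based application access" section above): the VIP and virtual host must have client-cert disabled, the authentication rule must use protocol ztna-portal, and the web-portal and the ztna-proxy policy must reference objects that exist. For UDP forwarding (this section): every VIP used by an access-proxy must have h3-support enabled. The sample configuration is a condensed copy of the two configurations above with non-essential settings removed; the parser only understands the config/edit/set/next/end shape these snippets use, and the function names are illustrative.

```python
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts, e.g.
    cfg["firewall vip"]["ZTNA-web-proxy"]["type"] == "access-proxy"."""
    root, stack = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cmd, *args = shlex.split(raw)
        cur = stack[-1] if stack else root
        if cmd in ("config", "edit"):  # open a table or an entry; sub-tables nest under the entry
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "set":  # several values (e.g. mappedport 53 52 176) become a list
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def lint_ztna_web_portal(cfg):
    """Agentless portal checks: no client cert on VIP or virtual host, auth rule with
    protocol ztna-portal, no dangling references from web-portal or proxy-policy."""
    out, vips = [], cfg.get("firewall vip", {})
    vhosts = cfg.get("firewall access-proxy-virtual-host", {})
    rules, portals = cfg.get("authentication rule", {}), cfg.get("ztna web-portal", {})
    for name, portal in portals.items():
        vip = vips.get(portal.get("vip"), {})
        if vip.get("type") != "access-proxy":
            out.append(f"{name}: vip must exist and have 'set type access-proxy'")
        if vip.get("client-cert") != "disable":
            out.append(f"{name}: vip needs 'set client-cert disable' (browser users have no cert)")
        if vhosts.get(portal.get("host"), {}).get("client-cert") != "disable":
            out.append(f"{name}: virtual host must exist with 'set client-cert disable'")
        if rules.get(portal.get("auth-rule"), {}).get("protocol") != "ztna-portal":
            out.append(f"{name}: auth rule must exist with 'set protocol ztna-portal'")
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("proxy") == "ztna-proxy" and pol.get("ztna-proxy") not in portals:
            out.append(f"proxy-policy {pid}: ztna-proxy points at an unknown web-portal")
    return out


def lint_udp_forwarding(cfg):
    """A VIP used by an access-proxy must have h3-support enabled, or UDP is not forwarded."""
    vips = cfg.get("firewall vip", {})
    return [f"access-proxy {name}: vip {ap.get('vip')} lacks 'set h3-support enable'"
            for name, ap in cfg.get("firewall access-proxy", {}).items()
            if vips.get(ap.get("vip"), {}).get("h3-support") != "enable"]


# Constructed sample: the web-portal and UDP configurations from this chapter, condensed
# to the settings the checks look at (extip, certificates, schedules, etc. omitted).
SAMPLE = """
config firewall vip
edit "ZTNA-web-proxy"
set type access-proxy
set client-cert disable
next
edit "ZTNA-webserver"
set type access-proxy
set h3-support enable
next
end
config firewall access-proxy-virtual-host
edit "ztna-web-portal-fqdn"
set client-cert disable
next
end
config authentication rule
edit "ztna-web-portal-rule"
set protocol ztna-portal
next
end
config ztna web-portal
edit "ztna-web-portal-ldap"
set vip "ZTNA-web-proxy"
set host "ztna-web-portal-fqdn"
set auth-rule "ztna-web-portal-rule"
next
end
config firewall proxy-policy
edit 2
set proxy ztna-proxy
set ztna-proxy "ztna-web-portal-ldap"
next
end
config firewall access-proxy
edit "ZTNA-webserver"
set vip "ZTNA-webserver"
next
end
"""
# The same text with the agentless and UDP settings flipped, to show the findings.
BROKEN = SAMPLE.replace("client-cert disable", "client-cert enable").replace("h3-support enable", "h3-support disable")

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE)
    print(lint_ztna_web_portal(cfg) + lint_udp_forwarding(cfg) or "no findings")
    bad = parse_fortios(BROKEN)
    print("\n".join(lint_ztna_web_portal(bad) + lint_udp_forwarding(bad)))
```

Feed it the output of `show firewall vip`, `show firewall access-proxy-virtual-host`, `show authentication rule`, `show ztna web-portal`, `show firewall proxy-policy` and `show firewall access-proxy` concatenated; a missing client-cert disable is reported rather than assumed, because the VIP default is not visible in the snippet.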

To configure FortiClient EMS:

1. From Fabric & Connectors > ZTNA Application Catalog, locate each application retrieved from the FortiGate.
2. Edit each application, and select Enable UDP.
3. Go to Endpoint Profiles > ZTNA Destinations, and edit the Default profile.
4. Under Rules, click +Add. Select the applications learned from the FortiGate, and then click Finish.
5. Click Save to save this profile, and push changes to managed FortiClients.

To verify:

1. Verify DNS traffic to 8.8.8.8:

a. From the Windows client, perform an nslookup with server 8.8.8.8.
b. In the FortiClient log C:\Program Files\Fortinet\FortiClient\logs\trace\fortitcs.log, verify that the DNS traffic to
8.8.8.8 is sent to the gateway. The tunnel request carries proto=udp, and the stream is opened on the existing QUIC
connection to 10.0.3.10:9043:
[2024-10-18 13:14:28.7631989] [fortitcs] dns-src: 10.0.3.2:62261
[2024-10-18 13:14:28.7632605] [fortitcs] dns-dst: 8.8.8.8:53
[2024-10-18 13:14:28.7634133] [fortitcs] dns-info: &{5 0 167772930 62261 134744072 53 5476 21269 0 0}
[2024-10-18 13:14:28.7635253] [fortitcs] Not found virtual IP for www.fortinet.com.fortiad.info.
[2024-10-18 13:14:28.7635697] [fortitcs] proxy-src: 10.0.3.2:62261
[2024-10-18 13:14:28.7635982] [fortitcs] proxy-dst: 8.8.8.8:53
[2024-10-18 13:14:28.7636256] [fortitcs] handleConnection: gatewayIP=10.0.3.10 gatewayPort=9043 encryption=0redirect=0 fqdn_name= path=tcp
[2024-10-18 13:14:28.7636570] [fortitcs] tunnKey: 8.8.8.8:53-10.0.3.2:62261-10.0.3.10:9043
[2024-10-18 13:14:28.7637298] [fortitcs] Establish: &{0 10.0.3.10:9043 tcp 8.8.8.8:53 udp }
[2024-10-18 13:14:28.7637620] [fortitcs] strPort: 53
[2024-10-18 13:14:28.7638829] [fortitcs] Request: GET /tcp?address=8.8.8.8&port=53&proto=udp HTTP/1.1
Host: 10.0.3.10:9043
Accept: */*
User-Agent: Forticlient

[2024-10-18 13:14:28.7639791] [fortitcs] Establish: ph2
[2024-10-18 13:14:28.7640038] [fortitcs] Establish: ph3
[2024-10-18 13:14:28.7640366] [fortitcs] Found existing connection for 10.0.3.10:9043
[2024-10-18 13:14:28.7651388] [fortitcs] Establish: RoundTripOpt end!
[2024-10-18 13:14:28.7652400] [fortitcs] Establish: ph4
[2024-10-18 13:14:28.7652696] [fortitcs] Establish: ph5
[2024-10-18 13:14:28.7652965] [fortitcs] Establish: ph6
[2024-10-18 13:14:28.7653259] [fortitcs] Establish: ph7
[2024-10-18 13:14:28.7653529] [fortitcs] Establish: ph8
[2024-10-18 13:14:28.7653799] [fortitcs] Establish: ph9
[2024-10-18 13:14:28.7654354] [fortitcs] Establish: ph10
[2024-10-18 13:14:28.7654806] [fortitcs] Stream ID: 1
[2024-10-18 13:14:28.7655300] [fortitcs] handleConnection: end
[2024-10-18 13:14:28.7655849] [fortitcs] dns-handleDnsRequest: end
[2024-10-18 13:14:28.7799524] [fortitcs] Write to stream id: 1len: 118

c. On the FortiGate, go to Log & Report > ZTNA Traffic and view the log details for ZTNA-webserver. proto=17 together
with service="DNS" and accessproxy="ZTNA-webserver" confirms that the UDP flow was forwarded through the access proxy:

FortiGate-VM64-KVM # exec log filter field subtype ztna
FortiGate-VM64-KVM # exec log display

582 logs found.
10 logs returned.
2.6% of logs has been searched.

1: date=2024-10-18 time=13:15:47 eventtime=1729282547041415918 tz="-0700"
logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root"
srcip=10.0.3.2 srcport=62260 srcintf="port3" srcintfrole="wan" dstcountry="United States"
srccountry="Reserved" dstip=8.8.8.8 dstport=53 dstintf="port3" dstintfrole="wan"
sessionid=2149672 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="DNS"
proxyapptype="http" proto=17 action="accept" policyid=9 policytype="policy"
poluuid="e45c01da-0344-51ef-b73c-91581a6f68d8" policyname="ZTNA-Access"
appcat="unscanned" duration=79 vip="ZTNA-webserver" accessproxy="ZTNA-webserver"
clientdevicemanageable="manageable" clientcert="yes" wanin=0 rcvdbyte=0
wanout=0 lanin=11813 sentbyte=11813 lanout=8526

2: date=2024-10-18 time=13:14:47 eventtime=1729282487027716661 tz="-0700"
logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root"
srcip=10.0.3.2 srcport=62260 srcintf="port3" srcintfrole="wan" dstcountry="United States"
srccountry="Reserved" dstip=8.8.8.8 dstport=53 dstintf="port3" dstintfrole="wan"
srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="DNS"
proxyapptype="http" proto=17 action="accept" policyid=9 policytype="policy"
poluuid="e45c01da-0344-51ef-b73c-91581a6f68d8" policyname="ZTNA-Access"
appcat="unscanned" duration=15 wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0
lanout=0
2. Verify traffic to quic.nginx.org:


a. From a browser, go to quic.nginx.org:

b. From FortiClient logs, verify traffic to quic.nginx.org:

FortiOS 7.6.0 New Features Guide 300


Fortinet Inc.
Zero Trust Network Access

[2024-10-18 13:25:51.1368546] [fortitcs] trace reinit -> pid: 13984


[2024-10-18 13:25:51.1445664] [fortitcs] handshake success!
[2024-10-18 13:25:51.1446311] [fortitcs] SAML address:
https://10.0.3.10:9043/tcp?address=quic.nginx.org&port=443&tls=0
[2024-10-18 13:25:51.1446788] [fortitcs] Cache address: https://10.0.3.10:9043
[2024-10-18 13:25:51.1452810] [fortitcs] Request: GET
/tcp?address=quic.nginx.org&port=443&tls=0 HTTP/1.1
Host: 10.0.3.10:9043
Accept: */*
Authorization: ******
Connection: Upgrade
Cookie:
Upgrade: tcp-forwarding/1.0
User-Agent: Forticlient

[2024-10-18 13:25:51.1461070] [fortitcs] Send tunnel cmd Success


[2024-10-18 13:25:51.2481341] [fortitcs] html Reply:
[2024-10-18 13:25:51.2481824] [fortitcs] Tunnel upgrade success
[2024-10-18 13:25:51.7557746] [fortitcs debug] 16 bytes data length=16
00000000 45 77 63 C3 85 55 50 61 48 75 34 49 37 34 57 6E Ewc..UPaHu4I74Wn
[2024-10-18 13:25:51.7559508] [fortitcs] Sent: 16 bytes to confirm tunnel created
[2024-10-18 13:25:51.7559964] [fortitcs] Forward quic.nginx.org:: local:
127.0.0.1:18458 -> remote: 127.0.0.1:23755proxy: 10.0.3.2:23756 -> remote:
10.0.3.10:9043
[2024-10-18 13:25:52.0570035] [fortitcs] FindFQDNFromDoh: IP=10.235.0.1 Port=443
FQDN=quic.nginx.org
[2024-10-18 13:25:52.0571533] [fortitcs] UpdateDnsRedirectEntry: Ip=183173121
Port=443 RealIp=0 Fqdn=quic.nginx.org Flag=0
[2024-10-18 13:25:52.0575230] [fortitcs] proxy-src: 10.0.3.2:60721
[2024-10-18 13:25:52.0576011] [fortitcs] proxy-dst: 10.235.0.1:443
[2024-10-18 13:25:52.0576672] [fortitcs] FindFQDNFromDoh: IP=10.235.0.1 Port=443
FQDN=quic.nginx.org
[2024-10-18 13:25:52.0576992] [fortitcs] UpdateDnsRedirectEntry: Ip=183173121
Port=443 RealIp=0 Fqdn=quic.nginx.org Flag=0
[2024-10-18 13:25:52.0607618] [fortitcs] proxy-src: 10.0.3.2:60721
[2024-10-18 13:25:52.0608304] [fortitcs] proxy-dst: 10.235.0.1:443
[2024-10-18 13:25:52.0609950] [fortitcs] handleConnection: gatewayIP=10.0.3.10
gatewayPort=9043 encryption=0redirect=0 fqdn_name=quic.nginx.org path=tcp
[2024-10-18 13:25:52.0610356] [fortitcs] tunnKey: 10.235.0.1:443-10.0.3.2:60721-
10.0.3.10:9043
[2024-10-18 13:25:52.0610893] [fortitcs] Establish: &{0 10.0.3.10:9043 tcp
10.235.0.1:443 udp quic.nginx.org}
[2024-10-18 13:25:52.0611259] [fortitcs] strPort: 443
[2024-10-18 13:25:52.0612787] [fortitcs] Request: GET
/tcp?address=quic.nginx.org&port=443&proto=udp HTTP/1.1
Host: 10.0.3.10:9043
Accept: */*
User-Agent: Forticlient

[2024-10-18 13:25:52.0613189] [fortitcs] Establish: ph2


[2024-10-18 13:25:52.0613495] [fortitcs] Establish: ph3
[2024-10-18 13:25:52.0614189] [fortitcs] Establishing new connection to
10.0.3.10:9043

FortiOS 7.6.0 New Features Guide 301


Fortinet Inc.
Zero Trust Network Access

[2024-10-18 13:25:52.0667583] [fortitcs] handleConnection: gatewayIP=10.0.3.10


gatewayPort=9043 encryption=0redirect=0 fqdn_name=quic.nginx.org path=tcp

[2024-10-18 13:25:52.1573963] [fortitcs] Handshake complete for 10.0.3.10:9043
[2024-10-18 13:25:52.1589209] [fortitcs] Establish: RoundTripOpt end!
[2024-10-18 13:25:52.1589932] [fortitcs] Establish: ph4
[2024-10-18 13:25:52.1590219] [fortitcs] Establish: ph5
[2024-10-18 13:25:52.1591793] [fortitcs] Establish: ph6
[2024-10-18 13:25:52.1592123] [fortitcs] Establish: ph7
[2024-10-18 13:25:52.1592400] [fortitcs] Establish: ph8
[2024-10-18 13:25:52.1592667] [fortitcs] Establish: ph9
[2024-10-18 13:25:52.1593069] [fortitcs] Establish: ph10
[2024-10-18 13:25:52.1593630] [fortitcs] Stream ID: 0
[2024-10-18 13:25:52.1593998] [fortitcs] handleConnection: end
[2024-10-18 13:25:52.1594631] [fortitcs] tunnKey: 10.235.0.1:443-10.0.3.2:60721-10.0.3.10:9043
[2024-10-18 13:25:52.1595045] [fortitcs] Found existing tunnel for [src: 10.0.3.2:60721 dst: 10.235.0.1:443 gw: 10.0.3.10:9043]
[2024-10-18 13:25:52.1595323] [fortitcs] Stream ID: 0
[2024-10-18 13:25:52.1595623] [fortitcs] handleConnection: end

c. From FortiGate logs, verify traffic to quic.nginx.org:

FortiGate-VM64-KVM # exec log filter field subtype ztna
FortiGate-VM64-KVM # exec log display

585 logs found.
10 logs returned.
2.6% of logs has been searched.

1: date=2024-10-18 time=13:27:12 eventtime=1729283232175082831 tz="-0700" logid="0005000024"
type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=60722 srcintf="port3"
srcintfrole="wan" dstcountry="Netherlands" srccountry="Reserved" dstip=35.214.218.230 dstport=443
dstintf="port3" dstintfrole="wan" sessionid=2159838 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1"
service="udp/443" proxyapptype="http" proto=17 action="accept" policyid=9 policytype="policy"
poluuid="e45c01da-0344-51ef-b73c-91581a6f68d8" policyname="ZTNA-Access" appcat="unscanned"
duration=80 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable"
clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=16382 sentbyte=16382 lanout=15613
2: date=2024-10-18 time=13:27:07 eventtime=1729283227642864634 tz="-0700" logid="0005000024"
type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=23756 srcintf="port3"
srcintfrole="wan" dstcountry="Netherlands" srccountry="Reserved" dstip=35.214.218.230 dstport=443
dstintf="port3" dstintfrole="wan" sessionid=2159796 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1"
service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=9 policytype="policy"
poluuid="e45c01da-0344-51ef-b73c-91581a6f68d8" policyname="ZTNA-Access" appcat="unscanned"
duration=76 gatewayid=2 vip="ZTNA-webserver" accessproxy="ZTNA-webserver"
clientdevicemanageable="manageable" clientcert="yes" wanin=113381 rcvdbyte=113381 wanout=3315
lanin=5197 sentbyte=5197 lanout=116510

3. Verify the iperf UDP stream to the server:

a. From the client, run:
# iperf3 --udp -c 10.88.0.1 -p 5001 -t 3 --length 500

b. From the server:
# iperf3 -s -V -p 5001

Many packets arrived out of order and are considered lost.

c. From FortiClient logs:

[2024-10-18 13:55:44.8971806] [fortitcs] trace reinit -> pid: 2812
[2024-10-18 13:55:44.8999376] [fortitcs] RevertImpersonateUser success!
[2024-10-18 13:55:44.9006103] [fortitcs] trace reinit -> pid: 2812
[2024-10-18 13:55:44.9075925] [fortitcs] handshake success!
[2024-10-18 13:55:44.9076768] [fortitcs] SAML address: https://10.0.3.10:9043/tcp?address=10.88.0.1&port=5001&tls=0
[2024-10-18 13:55:44.9077060] [fortitcs] Cache address: https://10.0.3.10:9043
[2024-10-18 13:55:44.9079779] [fortitcs] Request: GET
/tcp?address=10.88.0.1&port=5001&tls=0 HTTP/1.1
Host: 10.0.3.10:9043
Accept: */*
Authorization: ******
Connection: Upgrade
Cookie:
Upgrade: tcp-forwarding/1.0
User-Agent: Forticlient

[2024-10-18 13:55:44.9083164] [fortitcs] Send tunnel cmd Success
[2024-10-18 13:55:44.9102421] [fortitcs] html Reply:
[2024-10-18 13:55:44.9105980] [fortitcs] Tunnel upgrade success
[2024-10-18 13:55:45.4236064] [fortitcs debug] 16 bytes data length=16
00000000 C3 A5 C3 A5 54 32 56 32 75 52 68 4E 69 67 46 6A ....T2V2uRhNigFj
[2024-10-18 13:55:45.4238964] [fortitcs] Sent: 16 bytes to confirm tunnel created
[2024-10-18 13:55:45.4239691] [fortitcs] Forward :: local: 127.0.0.1:1909 -> remote: 127.0.0.1:2317proxy: 10.0.3.2:2318 -> remote: 10.0.3.10:9043
[2024-10-18 13:55:45.4383558] [fortitcs] proxy-src: 172.16.7.3:51211
[2024-10-18 13:55:45.4384322] [fortitcs] proxy-dst: 10.88.0.1:5001
[2024-10-18 13:55:45.4384682] [fortitcs] handleConnection: gatewayIP=10.0.3.10 gatewayPort=9043 encryption=0redirect=0 fqdn_name= path=tcp
[2024-10-18 13:55:45.4385013] [fortitcs] tunnKey: 10.88.0.1:5001-172.16.7.3:51211-10.0.3.10:9043
[2024-10-18 13:55:45.4385877] [fortitcs] Establish: &{0 10.0.3.10:9043 tcp 10.88.0.1:5001 udp }
[2024-10-18 13:55:45.4386639] [fortitcs] strPort: 5001
[2024-10-18 13:55:45.4388261] [fortitcs] Request: GET /tcp?address=10.88.0.1&port=5001&proto=udp HTTP/1.1
Host: 10.0.3.10:9043
Accept: */*
User-Agent: Forticlient


[2024-10-18 13:55:45.4413329] [fortitcs] handleConnection: end
[2024-10-18 13:55:45.4414211] [fortitcs] New stream established, cancel closing gateway 10.0.3.10:9043
[2024-10-18 13:55:45.4703313] [fortitcs] Write to stream id: 3len: 4
[2024-10-18 13:55:45.5103964] [fortitcs] proxy-src: 172.16.7.3:51211
[2024-10-18 13:55:45.5105414] [fortitcs] proxy-dst: 10.88.0.1:5001
[2024-10-18 13:55:45.5106482] [fortitcs] handleConnection: gatewayIP=10.0.3.10 gatewayPort=9043 encryption=0redirect=0 fqdn_name= path=tcp
[2024-10-18 13:55:45.5107198] [fortitcs] tunnKey: 10.88.0.1:5001-172.16.7.3:51211-10.0.3.10:9043
[2024-10-18 13:55:45.5107829] [fortitcs] Found existing tunnel for [src: 172.16.7.3:51211 dst: 10.88.0.1:5001 gw: 10.0.3.10:9043]
[2024-10-18 13:55:45.5108385] [fortitcs] Stream ID: 3
[2024-10-18 13:55:45.5108738] [fortitcs] handleConnection: end

With the default datagram length of 8000 bytes, the stream fails because the UDP payload exceeds the maximum QUIC DATAGRAM frame size, as seen in fortitcs_2.log:
[2024-10-18 13:53:59.8142919] [fortitcs] Stream ID: 0
[2024-10-18 13:53:59.8143302] [fortitcs error] Failed to send message: DATAGRAM frame too large
[2024-10-18 13:53:59.8143734] [fortitcs] handleConnection: end

A QUIC DATAGRAM frame must fit in a single QUIC packet and is never fragmented, so a UDP payload larger than the path MTU minus the QUIC and UDP overhead cannot be carried over the tunnel. A datagram size of 500 bytes (--length 500) was therefore used.

d. From FortiGate logs:

FortiGate-VM64-KVM # exec log filter field subtype ztna

FortiGate-VM64-KVM # exec log display


31 logs found.
10 logs returned.
2.0% of logs has been searched.

1: date=2024-10-18 time=13:57:01 eventtime=1729285021171869729 tz="-0700" logid="0005000024"
type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=64618 srcintf="port3"
srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=5001
dstintf="port2" dstintfrole="dmz" sessionid=2185087 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1"
service="udp/5001" proxyapptype="http" proto=17 action="accept" policyid=9 policytype="policy"
poluuid="e45c01da-0344-51ef-b73c-91581a6f68d8" policyname="ZTNA-Access" appcat="unscanned"
duration=181 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable"
clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=1941259 sentbyte=1941259 lanout=90556

2: date=2024-10-18 time=13:56:01 eventtime=1729284961171888217 tz="-0700" logid="0005000024"
type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=64618 srcintf="port3"
srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=5001
dstintf="port2" dstintfrole="dmz" srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="udp/5001"
proxyapptype="http" proto=17 action="accept" policyid=9 policytype="policy"
poluuid="e45c01da-0344-51ef-b73c-91581a6f68d8" policyname="ZTNA-Access" appcat="unscanned"
duration=15 wanin=0 rcvdbyte=0 wanout=0 lanin=0 sentbyte=0 lanout=0

ZTNA support for SaaS application access control in the GUI

This information is also available in the FortiOS 7.6 Administration Guide:
- ZTNA inline CASB for SaaS application access control

Added GUI support for specifying SaaS applications within the service/server mapping inside a ZTNA server object. This
enhanced feature allows users to create and manage the ZTNA server with a SaaS service type more intuitively and
efficiently, providing a more user-friendly experience.

If SaaS applications were previously configured on an earlier firmware version, upgrade to firmware version 7.6.0 or later. The pre-configured SaaS entries are then available to view in the GUI under Policy & Objects > ZTNA > ZTNA Server > Service/server mapping.

To configure ZTNA inline CASB for SaaS application access:

1. Go to Policy & Objects > ZTNA.
2. Under the ZTNA Server tab, click Create New.
3. In the Service/server mapping section, click Create New.
4. From the Service options, click SaaS (CASB).
5. In the Application field, click + and add the SaaS applications to the server mapping, as needed.
6. Click OK. The SaaS options are added to the ZTNA server.

Include EMS tag information in traffic logs

This information is also available in the FortiOS 7.6 Administration Guide:
- Synchronizing FortiClient ZTNA tags

By enabling ZTNA EMS tag checking in a firewall policy, you can include EMS tag information in the traffic log.
When primary and secondary ZTNA EMS tag checking is enabled using address groups, the Primary EMS tag and
Secondary EMS tag fields will be included in the GUI traffic logs.

Likewise, the emstag and emstag2 fields are included in the CLI traffic logs:

10: date=2024-05-23 time=21:22:41 eventtime=1716524560990015176 tz="-0700" logid="0000000013"
type="traffic" subtype="forward" level="notice" vd="root" srcip=21.21.21.120 srcport=56140
srcintf="port2" srcintfrole="undefined" dstip=172.16.200.139 dstport=8013 dstintf="port3"
dstintfrole="undefined" emstag="grp_ztna_tag" emstag2="grp_classification_tag"
srccountry="United States" dstcountry="Reserved" sessionid=33027 proto=6 action="client-rst"
policyid=4 policytype="policy" poluuid="1c129108-d6e1-51ec-b73c-aca3c493ce64" policyname="0000"
service="tcp/8013" trandisp="snat" transip=172.16.200.4 transport=56140 duration=5 sentbyte=1063
rcvdbyte=1255 sentpkt=7 rcvdpkt=7 fctuid="6CB4E52E85BE45E8A9ADDE54E89A6B38" unauthuser="frank"
unauthusersource="forticlient" srcremote=172.18.62.4 appcat="unscanned"
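The emstag record above and the ZTNA traffic records in the previous topic share the FortiOS key=value log format, in which quoted values may contain spaces or slashes. The following is an added example, not Fortinet code: it parses that format and checks the fields this page verifies by eye (emstag/emstag2 on a tag-checked policy, and proto=17 with a udp/ service on the ZTNA records carried over the QUIC datagram path). The record strings inside it are shortened copies of the records shown on this page, constructed for the example, and the function names are my own.

```python
"""Parse FortiOS key=value traffic logs and check the ZTNA and EMS tag fields.

Added example, not Fortinet code. SAMPLE_LOGS holds shortened copies of
records shown on this page, constructed for the example.
"""
import re

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, '/', or '=') or a bare token up to the next whitespace.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = [
    # Forward-policy record with EMS tag checking enabled.
    'date=2024-05-23 time=21:22:41 logid="0000000013" type="traffic" subtype="forward" '
    'vd="root" srcip=21.21.21.120 srcport=56140 dstip=172.16.200.139 dstport=8013 '
    'emstag="grp_ztna_tag" emstag2="grp_classification_tag" sessionid=33027 proto=6 '
    'action="client-rst" policyid=4 service="tcp/8013" sentbyte=1063 rcvdbyte=1255 '
    'fctuid="6CB4E52E85BE45E8A9ADDE54E89A6B38" unauthuser="frank" '
    'unauthusersource="forticlient" appcat="unscanned"',
    # ZTNA record for the UDP stream carried over the QUIC datagram path.
    'date=2024-10-18 time=13:27:12 logid="0005000024" type="traffic" subtype="ztna" '
    'vd="root" srcip=10.0.3.2 srcport=60722 dstip=35.214.218.230 dstport=443 '
    'sessionid=2159838 service="udp/443" proxyapptype="http" proto=17 action="accept" '
    'policyid=9 policyname="ZTNA-Access" vip="ZTNA-webserver" clientcert="yes" '
    'sentbyte=16382 rcvdbyte=0',
    # ZTNA record for the TCP (HTTPS) session to the same server.
    'date=2024-10-18 time=13:27:07 logid="0005000024" type="traffic" subtype="ztna" '
    'vd="root" srcip=10.0.3.2 srcport=23756 dstip=35.214.218.230 dstport=443 '
    'sessionid=2159796 service="HTTPS" proxyapptype="http" proto=6 action="accept" '
    'policyid=9 policyname="ZTNA-Access" vip="ZTNA-webserver" clientcert="yes" '
    'sentbyte=5197 rcvdbyte=113381',
]


def parse_fortios_log(line):
    """Return the fields of one record as a dict; quotes are stripped from values.

    A leading record number such as '10:' (as printed by 'execute log display')
    is ignored because it is not a key=value pair.
    """
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def ems_tags(fields):
    """(primary, secondary) EMS tag; None for a tag the policy did not log."""
    return fields.get("emstag"), fields.get("emstag2")


def is_udp_over_ztna(fields):
    """True for ZTNA records carrying UDP (proto 17), i.e. the QUIC datagram path."""
    return fields.get("subtype") == "ztna" and fields.get("proto") == "17"


def ztna_udp_sessions(lines):
    """Session IDs of UDP-over-ZTNA records in a batch of log lines."""
    return [f["sessionid"] for f in map(parse_fortios_log, lines) if is_udp_over_ztna(f)]


def tagged_sessions(lines):
    """(user, emstag, emstag2) for every record where an EMS tag was enforced."""
    out = []
    for f in map(parse_fortios_log, lines):
        tag, tag2 = ems_tags(f)
        if tag is not None:
            out.append((f.get("unauthuser"), tag, tag2))
    return out


if __name__ == "__main__":
    for rec in map(parse_fortios_log, SAMPLE_LOGS):
        print(rec["subtype"], rec.get("service"), ems_tags(rec))
    print("UDP over ZTNA:", ztna_udp_sessions(SAMPLE_LOGS))
    print("EMS-tagged:", tagged_sessions(SAMPLE_LOGS))
```

The regex tries the quoted alternative first, so a value such as msg="File was disarmed by Content Disarm engine." stays intact instead of being split at the spaces; feed the output of execute log display one record per line.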

ZTNA single sign-on with Entra ID - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
- ZTNA single sign-on with Entra ID

In this enhancement, Windows users who sign in to their workstations with a Microsoft Entra ID account are automatically allowed access to ZTNA-protected TCP resources using the same IdP login. The FortiGate queries Entra ID with the client's login token to look up and validate the user. This provides single sign-on (SSO) and removes the extra authentication step each user would otherwise face when accessing a TCP application.

Prerequisites:
- FortiClient 7.4.3 and later
- FortiOS 7.6.1 and later
- Domain configured on Microsoft Entra ID
- Enterprise application configured on Microsoft Entra ID
- The necessary permissions enabled in Microsoft Entra ID
- Windows clients that can join the Entra ID domain

Topology and communications

Entra ID configurations

Create an Azure enterprise application to obtain Entra ID values.

To create an Azure enterprise application:

1. Click Create your own application, and select the Register an application to integrate with Microsoft Entra ID (App you're developing) option.
2. Open the App registrations page and locate your app. On its Overview page, note the Application (client) ID and the Directory (tenant) ID.

In this example, the values from the ZTNA_entra_ID app are applied to the FortiClient EMS ZTNA Destinations profile in later steps:

Entra ID portal field      FortiClient XML profile element   Value
Application (client) ID    <client_id>                       45d0ae67-e3f3-xxxx-xxxx-xxxxxxxxxxxx
Directory (tenant) ID      <tenant_name>                     7c6bb73f-2328-xxxx-xxxx-xxxxxxxxxxxx

Users and groups can be assigned to the enterprise application. In this example, the user [email protected] belongs to a group assigned to the ZTNA_entra_ID app. The user belongs to the same Entra ID domain that the workstation is joined to.

FortiClient EMS configurations

In FortiClient EMS 7.4.3 and later, the client ID and tenant ID are specified in the azure_app element of the profile XML.

To configure FortiClient EMS:

1. Go to Endpoint Profiles > ZTNA Destinations.
2. Create a new profile or edit an existing one.
3. Click XML, and then click Edit.
4. Configure the profile as follows. Set <client_id> and <tenant_name> to the Application (client) ID and Directory (tenant) ID values of the enterprise application in the Entra ID portal. The azure_auto_login element and its azure_app children are the key fields for this feature:
<forticlient_configuration>
  <ztna>
    <azure_auto_login>
      <enabled>1</enabled>
      <azure_app>
        <client_id>45d0ae67-e3f3-xxxx-xxxx-xxxxxxxxxxxx</client_id>
        <tenant_name>7c6bb73f-2328-xxxx-xxxx-xxxxxxxxxxxx</tenant_name>
      </azure_app>
    </azure_auto_login>
  </ztna>
</forticlient_configuration>

TCP forwarding destinations, not shown here, are also defined in the ZTNA Destinations profile.

Windows endpoint configuration

The endpoint client should already be joined to the Entra ID domain.

Once logged in and FortiClient is registered to EMS, click the user avatar to display information about the user, including
the login domain name.

FortiGate configuration

FortiGate ZTNA server configurations remain the same. EMS connectivity and ZTNA server configurations are not
explained in this topic. The major difference in FortiGate configurations is in the authentication scheme, rule, and user
group. Therefore, the configuration process starts with authentication scheme and rule.

To configure the authentication scheme and rule:

1. Go to Policy & Objects > Authentication, and click the Authentication Schemes tab.
2. Click Create new.
3. Enter the name.
4. For method, click + and select the method Microsoft Entra Single Sign-On.
5. Create a new User External Identity Provider:
   a. Click the drop-down and click Create.
   b. Enter a name.
   c. Leave the default values (Microsoft Graph, v1.0).
   d. Click OK.
6. Select the newly created External Identity Provider.
7. Click OK to save.
8. Click the Authentication Rule tab, and click Create new.
   a. Configure the following:

Field                        Value
Name                         Name of the rule
Source Address               all, to apply this rule to all source traffic
Incoming Interface           any, to apply this rule on any interface
Protocol                     HTTP
Authentication Scheme        Disabled
IP-based Authentication      Enabled
SSO Authentication Scheme    Enabled; set to the name of the new authentication scheme
Enable this rule             Enabled

b. Click OK to save.

Next, you must configure the user group that is authorized to access the protected TCP application. The user group is
queried against Entra ID using Microsoft Graph v1.0.

To configure the user group:

1. Go to User & Authentication > User Groups, and click Create new.
2. Enter a name.
3. Keep the type as the default (Firewall).
4. Under Remote Groups, click Add.
   a. For Remote Server, select the User External Identity Provider created previously.
   b. Optionally, for Groups, specify the group name/ID corresponding to the user group object ID in Entra ID to filter by group.
   c. Click OK.
5. Click OK to save.

Finally, you must apply the user group to a ZTNA policy. In this example, a full ZTNA policy is configured.

To configure a full ZTNA policy:

1. Go to Policy & Objects > Proxy Policy, and click Create new.
2. Configure the following:

Field                  Value
Name                   Name of the policy
Type                   ZTNA
Incoming Interface     Interface on which the FortiGate listens for ZTNA connections
Source                 Address: specify the source, or select all to allow all traffic sources.
                       User: select the user group created in the previous step.
Security Posture Tag   Any tags that apply
Destination            Specify a destination server, or select all for all servers
ZTNA Server            The ZTNA server to allow access to
Schedule               always
Action                 ACCEPT

3. Configure other optional settings as needed.


4. Click OK to save.

Sample CLI configurations

config user external-identity-provider
    edit "entra_id"
        set type ms-graph
        set version v1.0
    next
end

config authentication scheme
    edit "entra_id"
        set method entra-sso
        set external-idp "entra_id"
    next
end

config authentication rule
    edit "entra_id"
        set srcaddr "all"
        set dstaddr "all"
        set ip-based disable
        set sso-auth-method "entra_id"
        set web-auth-cookie enable
    next
end

config user group
    edit "aad_group"
        set member "entra_id"
        config match
            edit 1
                set server-name "entra_id"
                set group-name "22e10685-49d3-4af8-b75b-57f22cb8aa32"
            next
        end
    next
end

config firewall proxy-policy
    edit 3
        set name "fzt"
        set proxy access-proxy
        set access-proxy "ztna_4"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS7_ZTNA_ZT_OS_LINUX" "EMS7_ZTNA_ZT_OS_MAC" "EMS7_ZTNA_ZT_OS_WIN"
        set action accept
        set schedule "always"
        set logtraffic all
        set srcaddr6 "all"
        set dstaddr6 "all"
        set groups "aad_group"
        set ssl-ssh-profile "custom-deep-inspection"
    next
end

Testing and verification

In this example, a user logged in to Windows as [email protected] in the Entra ID domain connects to host 172.16.200.209:22 over SSH. The user reaches the server through SSH without being prompted to log in again.

From the FortiGate, go to Log & Report > ZTNA Traffic to view corresponding traffic logs. Alternatively, use the CLI to
run:
# execute log filter field subtype ztna
# execute log display
1: date=2024-11-18 time=14:46:53 eventtime=1731970013042933838 tz="-0800" logid="0005000024"
type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.214 srcport=51765
srcintf="port2" srcintfrole="lan" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.62.66
dstport=4443 dstintf="port1" dstintfrole="lan" sessionid=100630 service="tcp/4443"
proxyapptype="ztna-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy"
poluuid="5a72570a-932a-51ef-4e9e-a2d01c654769" policyname="fzt" trandisp="dnat"
tranip=172.16.200.209 tranport=22 appcat="unscanned" duration=121 user="[email protected]"
group="aad_group" gatewayid=2 vip="ztna_4" accessproxy="ztna_4"
clientdeviceid="0D48C06390CA42D78158BE90C480A3F0" clientdevicemanageable="manageable"
clientdeviceems="FCTEMS8821001322"
clientdevicetags="ZT_PO_AV_ENABLED/ZT_OS_WIN/ZT_FILE_TESTFILE/ZT_EMS_MGMT/all_registered_clients"
clientcert="yes" emsconnection="online" wanin=1729 rcvdbyte=1729 wanout=1412 lanin=6820
sentbyte=6820 lanout=4279 fctuid="0D48C06390CA42D78158BE90C480A3F0" unauthuser="ZTNAuser"
unauthusersource="forticlient" srcdomain="fosdevqa.onmicrosoft.com" srcremote=204.101.161.19

ZTNA tags on 2 GB entry-level platforms in IP/MAC-based access control - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
- Proxy-related features not supported on FortiGate 2 GB RAM models

Entry-level platforms with 2 GB memory now support ZTNA tags in IP/MAC-based access control. Once registered with
the EMS server, they can synchronize posture tags and IP/MAC addresses for use in firewall policies.
The following settings can now be configured from CLI:
config firewall policy
    edit <id>
        set ztna-status {enable | disable}
        set ztna-ems-tag <tag>
        set ztna-ems-tag-secondary <tag>
        set ztna-geo-tag <tag>
        set ztna-ems-tag-negate {enable | disable}
    next
end

ZTNA options are not available in the GUI until the CLI has been configured. Once ZTNA has been enabled and the tags
configured for the policy in the CLI, the ZTNA Security posture tags are available in the GUI.

Likewise, client access will be filtered by the IP/MAC address resolved from the ZTNA EMS tag.

Security profiles

This section includes information about security profile related new features:
- Antivirus on page 319
- Web filter on page 323
- IPS on page 331
- Data loss prevention on page 334
- Application control on page 339
- Virtual patching on page 341
- Others on page 348

Antivirus

This section includes information about antivirus related new features:
- Sanitize Microsoft OneNote files through content disarm and reconstruction on page 319
- Stream-based antivirus scanning for HTML and JavaScript files on page 321

Sanitize Microsoft OneNote files through content disarm and reconstruction

This information is also available in the FortiOS 7.6 Administration Guide:
- Content disarm and reconstruction

FortiOS antivirus supports Microsoft OneNote files through the content disarm and reconstruction (CDR) feature. This
allows the FortiGate to sanitize these files by detecting and removing active content, such as hyperlinks and embedded
media, while preserving the text. This feature provides an additional tool for network administrators to protect users from
malicious documents.

To configure CDR for Microsoft OneNote files:

1. Go to Security Profiles > AntiVirus.
2. Select a proxy-based antivirus profile and click Edit.
3. Under APT Protection Options, enable Content Disarm and Reconstruction.
4. Enable Apply CDR to office files.
5. Click OK.
6. Review the logs:
   - In Log & Report > Security Events > Logs, the content disarm events for Microsoft OneNote files are listed.
   - In the CLI log output, the content disarm events for Microsoft OneNote files appear as follows:
1: date=2024-02-15 time=13:41:29 eventtime=1708033288658288261 tz="-0800" logid="0205009240"
type="utm" subtype="virus" eventtype="content-disarm" level="warning" vd="vdom1" policyid=1
poluuid="12703e08-bc4a-51ed-a0bd-185c7e368bef" policytype="policy" epoch=1499437875 eventid=2
msg="File was disarmed by Content Disarm engine." action="content-disarmed" service="HTTP"
sessionid=4321 srcip=10.1.100.18 dstip=172.16.200.44 srcport=47632 dstport=80 srccountry="Reserved"
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined"
srcuuid="dfcbd5b6-bc49-51ed-1617-cf3ea170cee5" dstuuid="dfcbd5b6-bc49-51ed-1617-cf3ea170cee5"
proto=6 direction="incoming" filename="with_multiple_insert_files.one" checksum="8d077b7"
url="http://172.16.200.44/content_disarm/OneNote/with_multiple_insert_files.one" profile="av"
analyticscksum="4fab69475ede27c359ba7f1b3eab2555a1faa471e2664a4d8e48e31e67333110"
contentdisarmed="disarmed" cdrcontent="office-embedded-object"
rawdata="[RESP] Content-Type=application/onenote" crscore=10 craction=2 crlevel="medium"

2: date=2024-02-15 time=13:40:48 eventtime=1708033248160303337 tz="-0800" logid="0205009240"
type="utm" subtype="virus" eventtype="content-disarm" level="warning" vd="vdom1" policyid=1
poluuid="12703e08-bc4a-51ed-a0bd-185c7e368bef" policytype="policy" epoch=1499437874 eventid=1
msg="File was disarmed by Content Disarm engine." action="content-disarmed" service="HTTP"
sessionid=4287 srcip=10.1.100.18 dstip=172.16.200.44 srcport=50110 dstport=80 srccountry="Reserved"
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined"
srcuuid="dfcbd5b6-bc49-51ed-1617-cf3ea170cee5" dstuuid="dfcbd5b6-bc49-51ed-1617-cf3ea170cee5"
proto=6 direction="incoming" filename="OneNote2016_hyperlink.one" checksum="2c986f08"
url="http://172.16.200.44/content_disarm/OneNote/OneNote2016_hyperlink.one" profile="av"
analyticscksum="400c3b0d1c608536906e589862c04fb574676752595d08617101003e06f7baf0"
contentdisarmed="disarmed" cdrcontent="office-hyperlink"
rawdata="[RESP] Content-Type=application/onenote" crscore=10 craction=2 crlevel="medium"

Stream-based antivirus scanning for HTML and JavaScript files

This information is also available in the FortiOS 7.6 Administration Guide:
- Flow mode stream-based scanning

FortiOS now offers stream-based antivirus scanning in flow mode for HTML and JavaScript files with AV engine 7.0. With this enhancement, the AV engine determines how much of the file payload to buffer and, in certain cases, scans the partial buffer, eliminating the need to cache the entire file and potentially reducing memory usage.

Prior to this enhancement, flow AV operated in a hybrid mode in which the IPS engine attempts an in-process AV scan by default. If the built-in AV engine in the IPS process indicates that a full scan is required, the file is sent to the scanunit process for a full scan. In that case, the whole file is cached before scanunit can begin scanning it.

With stream-based scanning, the built-in AV engine in the IPS process can scan HTML and JavaScript files as it buffers them. This gives better performance and potentially lower memory usage overall than a full scan.

The full antivirus scanning method is retained for file types and configurations that stream-based scanning does not support. The following summarizes the scan types and when each is used automatically:

Default antivirus scan:
- Automatically uses stream-based scanning in flow mode for HTML and JavaScript files.
- Automatically scans other supported files using the flow DB.
- Triggers a legacy scan for unsupported configurations and file types.

Full antivirus scan:
- Automatically used for file types unsupported by the default antivirus scan.
- Automatically used when any of the following antivirus scanning features are enabled:
  - Machine learning-based malware detection (set machine-learning-detection)
  - Extreme antivirus database (set use-extreme-db)
  - Antivirus PUP/PUA grayware checks
  - Mobile malware database (set mobile-malware-db)
  - External block list (set external-blocklist)
  - EMS threat feed
  - FortiGuard outbreak prevention
- Automatically used when any of the following scanning features are used:
  - Data loss prevention (DLP)
  - File filter

Example

When the default antivirus scan is used, the AV engine uses stream-based scanning to partially buffer the file and scan
it:

# diagnose debug application ipsengine 0x1000
# diagnose sys scanunit debug all
# diagnose debug enable
...
[flav-402] open file size: 68, ftype: 0
[flav-402] flowav config allows quickscan: yes
[flav-402] fsa_enabled=0 fsa_mode=2
[flav-402] heur=0 (0) bz2=1 fsa_ft=0 grayware=0 scantypes: 1
[flav-402] av_flow_write_0 flav_ctx=0x7f35a61a1000, buflen=68, rc = 2
[flav-402] file is infected or suspicious. Wait until file close due to av_exempt enabled
[flav-402] ips_avscan_file_close
[flav-402] [118]: quickscan_close() flav_ctx=0x7f35a61a1000, rc = 2
[flav-402] [118]: cached length 0, flow_bytes 68
[flav-402] [118]: virus EICAR_TEST_FILE detected!
[flav-402] quickscan_destroy(), flow_writes=1, flow_bytes=68, flav_ctx=0x7f35a61a1000
[flav-402] [118]: quickscan finalized with action 1
[flav-402] ips_avscan_file_close, action=1
[flav-402] ips_avscan_file_destroy

The above debug output was captured while a user attempted to download an EICAR test file. The file was partially buffered and scanned inside the IPS engine.
When the default antivirus scan (stream-based scanning) cannot be used for a file, the full antivirus scan is used, and the
IPS engine buffers the entire file before sending it to scanunit for scanning:
# diagnose debug application ipsengine 0x1000
# diagnose sys scanunit debug all
# diagnose debug enable
...
[flav-496] [41]: quickscan_close() flav_ctx=0x7fdfc41a1000, rc = -7
[flav-496] [41]: file requires fullscan
[flav-496] attempting switch to fullscan
[flav-496] succesfully switched to fullscan
[flav-496] got FlowAV fullscan request: query_id=41 view_id=3 file_size=12939
[flav-496] quickscan_destroy(), flow_writes=10, flow_bytes=12939, flav_ctx=0x7fdfc41a1000
su 2388 open

The Flow AV statistics monitor can be used to view whether the default or full (legacy) scan method was used:
# diagnose test app ipsmonitor 24

pid: 23498 from 20240404-09:23:05 to 20240404-09:23:59

av_failopen: enabled
FlowAV mmap : 0
FlowAV file open : 0
FlowAV timeout : 0
FlowAV req success : 0
FlowAV req fail : 0
FlowAV req retry success : 0
FlowAV req retry fail : 0
FlowAV bypassed scan : 0
FlowAV buffer scan : 0
FlowAV file scan : 0
FlowAV interface file open : 0
FlowAV interface file close : 0
FlowAV interface file destroy : 0
FlowAV ignored files : 0
FlowAV legacy scan : 1
FlowAV default scan : 1
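The difference the two debug traces above show is where the bytes sit while the verdict is reached: the stream path matches as chunks arrive and keeps only enough history to catch a signature that straddles a chunk boundary, while the full-scan path caches the whole file before scanunit looks at it. The following is an added illustration of that buffering difference, not the FortiOS AV engine and not a model of its heuristics or flow DB; the content types, the toy JavaScript pattern and the class and function names are my own assumptions. The EICAR test string is assembled from two literals so that the source file itself does not contain the contiguous 68-byte signature.

```python
"""Stream-based signature scanning with a full-scan fallback.

Added illustration, not the FortiOS AV engine. A streamable type (HTML,
JavaScript) is scanned chunk by chunk while only a signature-length overlap
is retained; any other type is cached whole and scanned at close, like the
scanunit full scan.
"""

# EICAR test string, assembled from two literals so this source file does not
# itself contain the contiguous 68-byte test signature.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-"
         b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Content types that stream scanning supports here (the page names HTML and
# JavaScript; the MIME strings are an assumption of this example).
STREAMABLE_TYPES = {"text/html", "application/javascript", "text/javascript"}

SIGNATURES = {
    "EICAR_TEST_FILE": EICAR,
    # Constructed toy pattern for the example only, not a real AV signature.
    "JS_EVAL_UNESCAPE": b"eval(unescape(",
}


class StreamScanner:
    """Scan a file as it arrives; retain the whole payload only on the full-scan path."""

    def __init__(self, content_type, signatures=SIGNATURES):
        self.signatures = signatures
        # Bytes carried between chunks so a match straddling a boundary is not missed.
        self.overlap = max(len(s) for s in signatures.values()) - 1
        self.streaming = content_type in STREAMABLE_TYPES
        self.tail = b""
        self.full_buffer = b""
        self.flow_writes = 0
        self.flow_bytes = 0
        self.max_buffered = 0   # largest amount of file data held at once
        self.verdict = None

    def _match(self, data):
        for name, sig in self.signatures.items():
            if sig in data:
                return name
        return None

    def write(self, chunk):
        """Feed one chunk; on the streaming path a verdict can come back immediately."""
        self.flow_writes += 1
        self.flow_bytes += len(chunk)
        if self.verdict is not None:
            return self.verdict
        if self.streaming:
            data = self.tail + chunk
            self.verdict = self._match(data)
            self.tail = data[-self.overlap:] if self.overlap else b""
            self.max_buffered = max(self.max_buffered, len(data))
        else:
            self.full_buffer += chunk          # cache everything until close
            self.max_buffered = len(self.full_buffer)
        return self.verdict

    def close(self):
        """Finalise: the full-scan path is only scanned once the whole file is cached."""
        if not self.streaming and self.verdict is None:
            self.verdict = self._match(self.full_buffer)
        return self.verdict


def scan_stream(chunks, content_type):
    """Return (verdict, max_buffered, flow_writes) for an iterable of chunks."""
    scanner = StreamScanner(content_type)
    for chunk in chunks:
        scanner.write(chunk)
    return scanner.close(), scanner.max_buffered, scanner.flow_writes


def chunked(data, size):
    """Split bytes into fixed-size chunks (the last one may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    page = b"<html>" + b"A" * 5100 + EICAR + b"B" * 5000 + b"</html>"
    print("stream:", scan_stream(chunked(page, 512), "text/html"))
    print("full:  ", scan_stream(chunked(page, 512), "application/pdf"))
```

With the 68-byte EICAR file delivered in one write, the result mirrors the first trace above (one flow write, 68 bytes buffered, verdict at once). For a larger HTML page delivered in 512-byte chunks the stream path never holds more than overlap plus one chunk, whereas the same page declared as a non-streamable type is held in full until close.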

Web filter

This section includes information about web filter related new features:
- Introduce URL risk-scores in determining policy action - 7.6.1 on page 323

Introduce URL risk-scores in determining policy action - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
- Using URL risk-scores in determining policy action

In this enhancement, risk level rating is added to the FortiGuard URL rating service. A FortiGate can query the rating
service to retrieve the risk score for a URL. This risk score rates the likelihood that a website has malicious intent. It
combines the results of machine learning models and human analysis together to predict how likely a given URL is
malicious.
The risk score returned from FortiGuard is a value from 0-100, where:

Risk Score   Risk Level    Description
91-100       High          Strong confidence of malicious intent.
71-90        Suspicious    Medium confidence of malicious intent.
51-70        Moderate      Generally benign with a potential risk of attack.
21-50        Low           Low predictive risk of attack.
1-20         Trustworthy   Very low predictive risk of attack.
0            Unrated       The URL does not exist in the FortiGuard database, or its risk score is unknown.

The FortiGate can use this risk score and risk level in two ways:
1. In a web filter profile, a risk level can be associated with the action Block or Monitor. When traffic hits a policy with the web filter profile applied, the URL is used to query the FortiGuard URL rating service. If the risk score matches a level defined in the profile, the action is taken on that website.

   The firewall policy must use proxy-based inspection. Either certificate or deep inspection will work with this feature.

2. In an explicit or transparent web proxy, a proxy-policy can be configured with a risk level. The risk level becomes a matching criterion for the policy.

The risk score range associated with each predefined level above cannot be modified on the FortiGate. However, new risk levels can be created with a custom range. These risk levels can be used within a web filter profile or within a proxy-policy.

Tie-breaker

In a web filter profile, when both risk level and web filter category are used, the action for the matched risk level will be
ranked against the action for the matched web category.
Actions have the following weight order:
1. Block
2. Warning (Authenticate)
3. Monitor
4. Allow

When the risk level query and the web filter category query return different actions, the action higher in the weight
order is performed. For example, a block and a warning action result in the page being blocked. When the actions
returned are the same, that action is applied, and the replacement message and UTM log indicate that the decision was
made by the web filter category check.
Finally, if multiple risk levels are matched within a web filter profile, the action with the higher weight is applied.

Risk score override

A risk score can be overridden by a local risk-score override value. This override applies to a single URL specified in the
object name.
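The decision logic described above (score to level lookup, the local risk-score override, the tie-breaker weight order and proxy-policy matching) as an added worked example in Python. This is an illustration written for this page, not FortiOS code: the level ranges, the weight order and the tie rule come from the text; the function names and data shapes are this example's own.

```python
"""Model of how a FortiGate combines FortiGuard URL risk levels, a local
risk-score override and the web filter category action.

Added illustration, not FortiOS code: the level table, the action weight
order and the tie-break rule come from the page; the function names and
data shapes are this example's own assumptions.
"""

# Built-in read-only risk levels (webfilter ftgd-risk-level); bounds are inclusive.
BUILTIN_RISK_LEVELS = {
    "high": (91, 100),
    "suspicious": (71, 90),
    "moderate": (51, 70),
    "low": (21, 50),
    "trustworthy": (1, 20),
    "unrated": (0, 0),
}

# Tie-breaker weight order from the page: a lower number wins.
ACTION_WEIGHT = {"block": 0, "warning": 1, "monitor": 2, "allow": 3}


def strongest(actions):
    """Return the action highest in the weight order."""
    return min(actions, key=ACTION_WEIGHT.__getitem__)


def effective_risk_score(url, fortiguard_score, local_overrides):
    """Apply a webfilter ftgd-local-risk override, which is keyed on a single URL."""
    return local_overrides.get(url, fortiguard_score)


def matched_levels(score, levels):
    """All level names (built-in or custom) whose range contains the score."""
    return [name for name, (low, high) in levels.items() if low <= score <= high]


def risk_level_action(score, risk_entries, levels):
    """Action from the profile's config risk entries ({level: action}), or None.

    Custom ranges may overlap built-in ones, so several configured levels can
    match; the page says the action with the higher weight is then applied.
    """
    actions = [risk_entries[name] for name in matched_levels(score, levels)
               if name in risk_entries]
    return strongest(actions) if actions else None


def web_filter_decision(score, risk_entries, category_action,
                        levels=BUILTIN_RISK_LEVELS):
    """Combine the risk-level and category results. Returns (action, decided_by)."""
    risk_action = risk_level_action(score, risk_entries, levels)
    if risk_action is None:
        return category_action, "category"
    if ACTION_WEIGHT[risk_action] < ACTION_WEIGHT[category_action]:
        return risk_action, "risk-level"
    # Equal actions are attributed to the category check (replacement message
    # and UTM log); a stronger category action simply wins.
    return category_action, "category"


def proxy_policy_matches(score, url_risk, levels=BUILTIN_RISK_LEVELS):
    """set url-risk <level> on a proxy-policy is a match criterion on the score."""
    return url_risk in matched_levels(score, levels)


if __name__ == "__main__":
    # Score 58 is "moderate"; with moderate set to block the page is blocked.
    print(web_filter_decision(58, {"moderate": "block"}, "allow"))
    # A local override to 30 moves the same URL into "low".
    score = effective_risk_score("www.example.com", 58, {"www.example.com": 30})
    print(web_filter_decision(score, {"moderate": "block", "low": "monitor"}, "allow"))
```

The second return value records which check made the decision, which is what the replacement message and UTM log report when both checks agree.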

CLI Syntax

The following CLI syntax is included for introducing URL risk scores to determine the policy action:
- Risk level configuration in a web filter profile:
config webfilter profile
edit <name>
set feature-set proxy
config ftgd-wf
unset options
config risk
edit <id>
set risk-level <pre-defined or custom level>
set action {block | monitor}
set log {enable | disable}
next
end
end
next
end

- Built-in read-only web filter local FortiGuard risk-level definition:
config webfilter ftgd-risk-level
edit "high"
set high 100
set low 91
next
edit "suspicious"
set high 90
set low 71
next
edit "moderate"
set high 70
set low 51
next
edit "low"
set high 50
set low 21
next
edit "trustworthy"
set high 20
set low 1
next
edit "unrated"
set high 0
set low 0
next
end

- Custom user-defined web filter local FortiGuard risk-level:
config webfilter ftgd-risk-level
edit <name>
set high <score>
set low <score>
next
end

- Web filter local FortiGuard risk-score override:
config webfilter ftgd-local-risk
edit <url>
set status {enable | disable}
set comment <string>
set risk-score <score>
next
end

- Applying risk-level to proxy-policy match:
config firewall proxy-policy
edit <id>
set url-risk <pre-defined or custom level>
next
end

Examples

The following examples demonstrate applying risk levels in different scenarios.


Two demo URLs are used for the examples:

Demo URL          Risk score   Default risk level
www.example.com   58           Moderate
www.httpbin.org   46           Low

In the web filter examples, the profile is applied to a firewall policy that utilizes proxy-based inspection and deep
inspection.

Example 1: Applying the action block to the moderate risk level

To apply the action block to the moderate risk level:

config webfilter profile
edit "webfilter"
set feature-set proxy
config ftgd-wf
unset options
config risk
edit 1
set risk-level "moderate"
set action block
next
end
end
next
end
config firewall policy
edit 1
set name "WF"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "protocol"
set ssl-ssh-profile "protocols"
set webfilter-profile "webfilter"
set logtraffic all
set nat enable
next
end

When a client accesses www.example.com, the URL is blocked.


The following UTM log can be observed from CLI:

# execute log filter category utm-webfilter
# execute log display
1: date=2024-11-20 time=09:45:19 eventtime=1732124719100876715 tz="-0800" logid="0316013058"
type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1
poluuid="717176ae-97e7-51ef-2203-1f0b21e90462" policytype="policy" sessionid=6273
srcip=10.1.100.123 srcport=61545 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="8770b128-97cd-51ef-63d8-082966d66657" dstip=93.184.215.14
dstport=443 dstcountry="Belgium" dstintf="port1" dstintfrole="undefined" dstuuid="8770b128-
97cd-51ef-63d8-082966d66657" proto=6 httpmethod="GET" service="HTTPS"
hostname="www.example.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KH" profile="webfilter" action="blocked" reqtype="direct"
url="https://www.example.com/" sentbyte=4559 rcvdbyte=6070 direction="outgoing" msg="URL
belongs to a denied risk-level in policy" ratemethod="domain" cat=255 urlrisk=58

Example 2: Overriding the URL's FortiGuard risk score with local risk score

To override the URL's FortiGuard risk score with local risk score:

config webfilter ftgd-local-risk
edit "www.example.com"
set risk-score 30
next
end
config webfilter profile
edit "webfilter"
set feature-set proxy
config ftgd-wf
unset options
config risk
edit 1
set risk-level "moderate"
set action block
next
edit 2
set risk-level "low"


next
end
end
set log-all-url enable
next
end

The low risk-level is added to the web filter profile, with the action monitor.
When a client accesses www.example.com, the URL is allowed.

The following UTM log can be observed from CLI:

1: date=2024-11-20 time=11:25:55 eventtime=1732130754321650374 tz="-0800" logid="0317013313"
type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vdom1" policyid=1
poluuid="717176ae-97e7-51ef-2203-1f0b21e90462" policytype="policy" sessionid=7648
srcip=10.1.100.123 srcport=61943 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="8770b128-97cd-51ef-63d8-082966d66657" dstip=93.184.215.14
dstport=443 dstcountry="Belgium" dstintf="port1" dstintfrole="undefined" dstuuid="8770b128-
97cd-51ef-63d8-082966d66657" proto=6 httpmethod="GET" service="HTTPS"
hostname="www.example.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KH" profile="webfilter" action="passthrough" reqtype="direct"
url="https://www.example.com/" sentbyte=3118 rcvdbyte=4927 direction="outgoing" msg="URL
belongs to an allowed risk-level in policy" ratemethod="domain" cat=255 urlrisk=30

Example 3: Applying a user-defined risk level to the web filter profile

To apply a user-defined risk level to the web filter profile:

config webfilter ftgd-risk-level
edit "medium-safety"
set high 60
set low 30
next
end
config webfilter profile
edit "webfilter"
set feature-set proxy
config ftgd-wf
unset options
config risk
edit 1
set risk-level "medium-safety"
set action block
next


end
end
set log-all-url enable
next
end

When a client accesses www.example.com, the URL is blocked.

The following UTM log can be observed from CLI:

1: date=2024-11-20 time=11:58:46 eventtime=1732132726031604734 tz="-0800" logid="0316013058"
type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1
poluuid="717176ae-97e7-51ef-2203-1f0b21e90462" policytype="policy" sessionid=8028
srcip=10.1.100.123 srcport=62051 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="8770b128-97cd-51ef-63d8-082966d66657" dstip=93.184.215.14
dstport=443 dstcountry="Belgium" dstintf="port1" dstintfrole="undefined" dstuuid="8770b128-
97cd-51ef-63d8-082966d66657" proto=6 httpmethod="GET" service="HTTPS"
hostname="www.example.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KH" profile="webfilter" action="blocked" reqtype="direct"
url="https://www.example.com/" sentbyte=2962 rcvdbyte=4927 direction="outgoing" msg="URL
belongs to a denied risk-level in policy" ratemethod="domain" cat=255 urlrisk=58

Example 4: Matching an explicit web proxy policy by the URL’s risk level

A proxy-policy is configured to allow URLs that have low risk level.

To match an explicit web proxy policy by the URL’s risk level:

config firewall proxy-policy
edit 1
set name "Test"
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set url-risk "low"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
set ssl-ssh-profile "protocols"
set log-http-transaction enable
next
end

When a client accesses www.httpbin.org, the URL is allowed.

Traffic log indicates the traffic matched proxy-policy 1:

# execute log filter category traffic
# execute log display
2: date=2024-11-20 time=14:14:43 eventtime=1732140883609560183 tz="-0800" logid="0006000026"
type="traffic" subtype="http-transaction" level="notice" vd="vdom1" srcip=10.1.100.123
srcport=64445 dstip=52.20.148.183 dstport=443 sessionid=1798921931 transid=150995356
action="accept" policyid=1 policytype="proxy-policy" poluuid="7b6afd8e-a78b-51ef-0ae5-
5ddbd0defd25" url="https://www.httpbin.org/" agent="Mozilla/5.0 (Windows NT 10.0; Win64;
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
appcat="unscanned" duration=1 reqlength=474 resplength=9751 rcvdbyte=15379 sentbyte=2809
scheme="https" hostname="www.httpbin.org" resptype="normal" httpmethod="GET"
statuscode="200" reqtime=1732140882 resptime=1732140883 respfinishtime=1732140883

When a client accesses www.example.com, no proxy policy is matched. The URL is blocked.

Traffic log indicates the traffic is denied:

2: date=2024-11-20 time=14:19:17 eventtime=1732141157742504064 tz="-0800" logid="0000000013"
type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.123 srcport=64593
srcintf="port2" srcintfrole="undefined" dstip=93.184.215.14 dstport=443 dstintf="port1"
dstintfrole="undefined" srccountry="Reserved" dstcountry="Belgium" sessionid=1798922057
proto=6 action="deny" policyid=0 policytype="proxy-policy" service="HTTPS" trandisp="noop"
url="https://www.example.com/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" appcat="unscanned"
duration=0 sentbyte=222 rcvdbyte=0 sentpkt=0 rcvdpkt=0 crscore=30 craction=131072
crlevel="high" msg="Traffic denied because of explicit proxy policy"
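The UTM and traffic logs in Examples 1 to 4 are FortiOS key=value records. The following added Python example (not a Fortinet tool) parses such records and summarizes the risk-level verdicts they carry. The field names are those in the logs above; the sample records embedded in the block are constructed, shortened versions of those logs.

```python
"""Parser for FortiOS key=value log records, with a small audit of the
web filter risk-level verdicts shown in Examples 1 to 4.

Added example, not a Fortinet tool. The field names (subtype, action,
urlrisk, msg, policyid, policytype) are those in the page's logs; the
sample records below are constructed, shortened versions of them.
"""
import re

# key=value where the value is a double-quoted string (backslash escapes
# allowed, so agent strings with spaces survive) or a bare token.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records, one per line as printed by execute log display.
SAMPLE_LOGS = [
    '1: date=2024-11-20 time=09:45:19 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'policyid=1 policytype="policy" hostname="www.example.com" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" profile="webfilter" action="blocked" '
    'url="https://www.example.com/" msg="URL belongs to a denied risk-level in policy" urlrisk=58',
    '1: date=2024-11-20 time=11:25:55 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'policyid=1 policytype="policy" hostname="www.example.com" profile="webfilter" '
    'action="passthrough" url="https://www.example.com/" '
    'msg="URL belongs to an allowed risk-level in policy" urlrisk=30',
    '2: date=2024-11-20 time=14:19:17 type="traffic" subtype="forward" action="deny" '
    'policyid=0 policytype="proxy-policy" url="https://www.example.com/" '
    'msg="Traffic denied because of explicit proxy policy"',
]


def parse_record(line):
    """Turn one record into a dict. The leading 'N: ' index that
    execute log display prints is dropped; quotes are stripped from values."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    fields = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def risk_verdicts(lines):
    """(target, urlrisk, action, msg) for every web filter record that carries
    a urlrisk, plus proxy-policy traffic records that matched no policy
    (policyid=0), which is how an unmatched url-risk shows up in Example 4."""
    verdicts = []
    for rec in map(parse_record, lines):
        if rec.get("subtype") == "webfilter" and "urlrisk" in rec:
            verdicts.append((rec["hostname"], int(rec["urlrisk"]),
                             rec["action"], rec["msg"]))
        elif rec.get("policytype") == "proxy-policy" and rec.get("policyid") == "0":
            verdicts.append((rec.get("hostname") or rec.get("url"), None,
                             rec["action"], rec["msg"]))
    return verdicts


def blocked_by_risk_level(lines):
    """Hostnames denied by the risk-level check, keyed on the msg text the page shows."""
    return sorted({host for host, _, action, msg in risk_verdicts(lines)
                   if action == "blocked" and "denied risk-level" in msg})


if __name__ == "__main__":
    for verdict in risk_verdicts(SAMPLE_LOGS):
        print(verdict)
```

Because the logged urlrisk is the score after any ftgd-local-risk override (30 in Example 2, 58 in Examples 1 and 3), comparing that field with the profile's risk entries is a quick way to confirm from the log alone why a URL was blocked or passed.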

IPS

This section includes information about IPS related new features:
- AI and ML-based IPS detection 7.6.3 on page 331

AI and ML-based IPS detection - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
- AI and ML-based IPS detection

As cyber threats become increasingly sophisticated, traditional signature-based detection is struggling to keep up. To
improve it, AI and machine learning-based models are trained on features extracted during protocol decoding, such as
HTTP traffic. These models act as classifiers, distinguishing exploits from clean traffic through supervised learning.
Instead of applying machine learning (ML) models blindly across all traffic, we will first use signatures for preliminary
filtering, allowing AI-based detection to be more targeted and efficient. This hybrid approach will reduce false positives
while maintaining high performance.

CLI syntax

The setting is enabled by default at the IPS global setting level:
config ips global
set machine-learning-detection {enable | disable}
end

The AI/Machine Learning IPS Definitions package is downloaded by FortiOS from FortiGuard through FortiGuard updates.
Devices with an active IPS subscription can download this package. The package can be viewed in the diagnose
autoupdate versions output.
# diagnose autoupdate versions | grep -A 7 AI

AI/Machine Learning IPS Definitions
---------
Version: 2503.00100 signed
Contract Expiry Date: Thu Jan 1 2032
Last Updated using manual update on Thu Mar 13 18:01:37 2025
Last Update Attempt: Thu Mar 13 18:01:37 2025
Result: Updates Installed

The IPS machine learning database version is displayed in the output of the get system status command.
# get system status

Version: FortiGate-1101E v7.6.3,build3495,250313 (interim)
First GA patch build date: 240724
Security Level: Low
...
IPS-MLDB: 2503.00100(2025-03-13 03:43)
...

The IPS machine learning rules can be displayed in the output of the get ips rule status command. For example,
looking up rule 57293 returns the following:
# get ips rule status | grep -B 2 -A 16 57293
rule-name: "Backdoor.Cobalt.Strike"
rule-id: 57293
rev: 0.000
date: 2025-03-12 09:00:00
action: pass
status: enable
log: disable
log-packet: disable
severity: 3.high
service: TCP, HTTP
location: client
os: All
application: All
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous

Example

In the following example, AI and ML-based IPS detection is implemented on a regular firewall policy. As the IPS machine
learning detection runs alongside traditional IPS signature detection, the configuration of the IPS sensor remains the
same.

To add AI and ML-based IPS detection:

1. Configure an IPS sensor with machine learning signature Backdoor.Cobalt.Strike set to block:
config ips sensor
edit "MI-test"
config entries
edit 1
set rule 57293
set status enable
set action block
next
end
next
end

2. Apply the IPS sensor to a firewall policy:
config firewall policy
edit 1
set name "test"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set ips-sensor "MI-test"
next
end

3. Generate traffic from the client.

4. Review the IPS event logs:
# execute log filter category 4

date=2025-03-14 time=11:46:12 eventtime=1741977972028174920 tz="-0700"
logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert"
vd="root" severity="high" srcip=10.1.100.240 srccountry="Reserved" dstip=172.16.200.240
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1"
dstintfrole="undefined" sessionid=4012 action="dropped" proto=6 service="HTTP"
policyid=1 poluuid="9d827014-00fa-51f0-e5af-640cfd149b4a" policytype="policy"
attack="Backdoor.Cobalt.Strike" srcport=52294 dstport=80 hostname="10.0.2.78"
url="/understand/CYBERDOCS31/S4IR30UL" agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
httpmethod="GET" direction="incoming" attackid=57293 profile="MI-test"
ref="http://www.fortinet.com/ids/VID57293" incidentserialno=181403686 msg="backdoor:
Backdoor.Cobalt.Strike" forwardedfor="IK_
Z9RMF9GQECAZ5RZZ5CMHSUZZD4YTH6K8=\x07\x10Z%at=Icr>Gav=Jas?Nav?Coy?Lb<B`u?Baz=Jas<Bb~>Ga
{2Laz<Maz2Oaz>Fcz>G`t<M`}>Ca{>Fcr>F`r" crscore=30 craction=8192 crlevel="high"

5. Review the IPS debug logs:
# diagnose ips debug enable all
# diagnose debug enable

...
[699@214]ips_process_event: ctx 14: 6 => 2
[699@214]ips_process_event: ctx 14: 2 => 4
[699@214]ips_ml_classify_internal: model=0 labels=[0.9960013, 0.0]@0=0.9960013
[699@214]ips_match_rule: pattern matched 57293,99455: Backdoor.Cobalt.Strike
[699@214]ips_match_rule: matched rule 57293 99455 Backdoor.Cobalt.Strike (weight:0)
[699@214]ips_match_candidates: set best rule 57293 99455 Backdoor.Cobalt.Strike
[699@214]ips_set_pkt_verdict: action=DROP
[699@214]ips_set_pkt_verdict: turn tcp drop to DROP_SESSION
[699@214]ips_report_alert_va_internal: v_id=57293, a_id=99455, log=1, log_pkt=1
[699@214]ips_log: id=57293 conf=0x44, action=1
[699@214]ips_log_packet: aid=99455 log=0xb
[699@214]match_ips: disarm ftgd queries when request is to be blocked.
[699@214]ips_process_event: ctx 14: 4 => 3
[699@214]ips_handle_pkt_verdict: drop a session, size=296
[699@214]ips_session_sched_release: serial=7429 close session 0x7f8a84751018, reason 0
[699@214]ips_process_event: ctx 14: 3 => 5
[699@-1]ips_dsct_http_prep_release_sess: sess 214: http release proxy layer

To filter the debug logs so that only the machine learning results are displayed, enter diagnose ips debug
enable ml instead.

Data loss prevention

This section includes information about data loss prevention (DLP) related new features:
- FortiGuard managed DLP dictionaries on page 334

FortiGuard managed DLP dictionaries

This information is also available in the FortiOS 7.6 Administration Guide:
- Assign confidence levels in FortiGuard managed DLP dictionaries

Three confidence levels are added to the DLP signature package retrieved from FortiGuard. Users can select a
FortiGuard dictionary with varying confidence levels based on their specific requirements.
- The high level provides maximum precision to minimize false positives.
- The medium level balances match quantity and precision.
- The low level captures the most matches, but may result in more false positives.
A valid DLP license is required to obtain the latest package.
To see the available confidence levels for a dictionary, go to Security Profiles > Data Loss Prevention, select the
Dictionary tab, and then edit the dictionary:


When applying a FortiGuard built-in dictionary to a custom sensor, the dictionary with the highest confidence level is
selected by default.

The confidence level of a dictionary applied to a custom sensor can be adjusted by editing the entry:

Use case examples

In these use case examples, various Canadian Social Insurance Number (SIN) formats are tested at different confidence
levels using different protocols.


Confidence level   Matching criteria                                                                815489034        193849270        sin# 193849270
Low                regular expression, data validation                                              match            match            match
Medium             regular expression, data validation, SIN format validation                       does not match   match            match
High               regular expression, data validation, SIN format validation, match-around data    does not match   does not match   match
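The three confidence levels in the table above, as an added worked example in Python. This is not the FortiGuard dictionary logic: the page names only the criteria each level adds (regular expression, data validation, SIN format validation, match-around data), so which concrete check stands in for each criterion is this example's assumption (data validation as the Luhn checksum used for Canadian SINs, SIN format validation as a permitted leading digit, match-around data as a nearby "sin" keyword). With those assumptions the three sample values land exactly as in the table; the 20-character context window is likewise an assumption.

```python
"""Model of the low / medium / high confidence levels for the Canadian SIN
dictionary shown in the table above.

Added illustration, not FortiGuard code. Assumptions (not stated on the
page): data validation = Luhn checksum, SIN format validation = the first
digit must be one that is issued (0 and 8 are not), match-around data = a
"sin" keyword within CONTEXT_WINDOW characters before the number.
"""
import re

# Nine digits, optionally grouped 3-3-3 with a space or hyphen.
SIN_RE = re.compile(r"\b(\d{3})[- ]?(\d{3})[- ]?(\d{3})\b")
# Match-around keyword, e.g. "sin# 193849270" or "SIN: 193-849-270".
CONTEXT_RE = re.compile(r"\bsin\b\s*[#:]?", re.IGNORECASE)
CONTEXT_WINDOW = 20  # assumed size of the preceding text searched for the keyword


def luhn_ok(digits):
    """Luhn checksum (data validation): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def leading_digit_ok(digits):
    """SIN format validation (assumption): leading digits 0 and 8 are not issued."""
    return digits[0] not in "08"


def find_sins(text, confidence):
    """Return the SINs in text that match at the given confidence level."""
    if confidence not in ("low", "medium", "high"):
        raise ValueError(f"unknown confidence level {confidence!r}")
    hits = []
    for m in SIN_RE.finditer(text):
        digits = "".join(m.groups())
        if not luhn_ok(digits):
            continue                      # low: regular expression + data validation
        if confidence in ("medium", "high") and not leading_digit_ok(digits):
            continue                      # medium adds SIN format validation
        if confidence == "high":
            before = text[max(0, m.start() - CONTEXT_WINDOW):m.start()]
            if not CONTEXT_RE.search(before):
                continue                  # high adds match-around data
        hits.append(digits)
    return hits


if __name__ == "__main__":
    for sample in ("815489034", "193849270", "sin# 193849270"):
        print(sample, {lvl: bool(find_sins(sample, lvl)) for lvl in ("low", "medium", "high")})
```

Reading the table through this model: 815489034 passes the checksum but starts with 8, so it only matches at low; 193849270 is a well-formed number that lacks surrounding context, so it stops at medium; "sin# 193849270" satisfies all three. The higher level trades recall for precision, which is the trade-off the three bullet points above describe.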

To verify that a FortiGuard dictionary with the low confidence level will block a matching message through
an HTTPS post:

1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict)
with the Confidence level set to Low, and then use the profile in a policy.

2. Test that an HTTPS message containing a SIN is blocked. DLP Test > HTTPS Post can be used to send a test
message:


The message is blocked:

3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-low
dictionary.
4. Check the raw logs:
1: date=2024-05-29 time=16:55:27 eventtime=1717026926501493215 tz="-0700"
logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1"
ruleid=1 rulename="sensor_can_sin_low" dlpextra="Sensor 'sensor_can_sin_low' matching
any: ('g-fg-can-natl_id-sin-dict-low'=1) >= 1; match." filtertype="sensor"
filtercat="message" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-
940d89557186" policytype="policy" sessionid=64304 epoch=2100732550 eventid=1
srcip=10.1.100.241 srcport=34184 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988"
dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1"
dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6
service="HTTPS" filetype="N/A" direction="outgoing" action="block"
hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (X11;
Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="customer_can_
sin"


To verify that a FortiGuard dictionary with the medium confidence level will block a matching message
through an FTPS post:

1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict)
with the Confidence level set to Medium, and then use the profile in a policy.
2. Test that posting a file that contains 193849270 is blocked.

3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-
med dictionary.

4. Check the raw logs:
1: date=2024-05-29 time=17:43:38 eventtime=1717029818309788622 tz="-0700"
logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1"
ruleid=2 rulename="sensor_can_sin_med" dlpextra="Sensor 'sensor_can_sin_mid' matching
any: ('g-fg-can-natl_id-sin-dict-med'=1) >= 1; match." filtertype="sensor"
filtercat="file" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-
940d89557186" policytype="policy" sessionid=65893 epoch=2100732638 eventid=0
srcip=10.1.100.241 srcport=37561 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988"
dstip=172.16.200.175 dstport=33065 dstcountry="Reserved" dstintf="port1"
dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6
service="FTPS" filetype="unknown" direction="outgoing" action="block" filename="can_sin_
med.txt" filesize=10 profile="customer_can_sin"

To verify that a FortiGuard dictionary with the high confidence level will block a matching message
through an SMTP post:

1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict)
with the Confidence level set to High, and then use the profile in a policy.
2. Test that sending email with an attached file that contains sin# 193849270 is blocked.
3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-
high dictionary.
4. Check the raw logs:
1: date=2024-05-30 time=11:37:18 eventtime=1717094238851929893 tz="-0700"
logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1"
ruleid=3 rulename="sensor_can_sin_high" dlpextra="Sensor 'sensor_can_sin_high' matching
any: ('g-fg-can-natl_id-sin-dict-high'=1) >= 1; match." filtertype="sensor"
filtercat="file" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-
940d89557186" policytype="policy" sessionid=96838 epoch=1455065196 eventid=2
srcip=10.1.100.171 srcport=51141 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988"
dstip=172.16.200.175 dstport=25 dstcountry="Reserved" dstintf="port1"
dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6
service="SMTP" filetype="unknown" direction="outgoing" action="block"
from="[email protected]" to="[email protected]"
sender="[email protected]" recipient="[email protected]"
subject="Canadian SIN" attachment="yes" filename="sin.txt" filesize=70
profile="customer_can_sin"

Application control

This section includes information about new features related to application control:
- Introducing domain fronting protection on page 339

Introducing domain fronting protection

This information is also available in the FortiOS 7.6 Administration Guide:
- Domain fronting protection

FortiOS now protects against domain fronting in both explicit proxy and proxy-based firewall policies. In both cases,
FortiGate checks whether the domain of the request matches the host domain in the HTTP header, and then allows,
blocks, or monitors the traffic. This feature enhances security by preventing unauthorized access that could result from
domain mismatches.
The config firewall profile-protocol-options command includes a new option:
config firewall profile-protocol-options
edit protocol
config http
set domain-fronting {allow | block | monitor}
next
end
end

set domain-fronting {allow | block | monitor}   Configure HTTP domain fronting (default = block).
                                                - allow: allow domain fronting.
                                                - block: block and log domain fronting.
                                                - monitor: allow and log domain fronting.

Domain fronting protection supports HTTP/1.1 but not HTTP/2.
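The check described above (does the request domain match the HTTP Host header, and what does each setting do with a mismatch) as an added reference implementation in Python. This is an illustration written for this page, not FortiOS code: the three modes, the "Domain fronting detected" outcome and the rawdata text come from the page's logs; the host normalization rules (case folding, stripping a :port suffix and a trailing dot) are this example's own assumptions about how equivalent names should compare.

```python
"""Reference check for domain fronting: compare the TLS SNI of a connection
with the HTTP Host header and apply the allow / block / monitor setting.

Added illustration, not FortiOS code. Modes and rawdata text come from the
page; normalize_host() encodes this example's assumptions about which
spellings of a host name should be treated as the same name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    forward: bool      # is the request passed on to the server?
    log: bool          # is a webfilter domain-fronting event logged?
    rawdata: str = ""  # explanation, empty when the names agree


def normalize_host(name):
    """Canonical form for comparing SNI and Host (assumption): lower-case,
    no surrounding whitespace, no trailing dot, no :port suffix. A bracketed
    IPv6 literal is kept whole."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("["):
        if "]" in name:
            name = name[:name.index("]") + 1]
    elif name.count(":") == 1:
        name = name.split(":", 1)[0]
    return name


def check_domain_fronting(sni, host_header, mode="block"):
    """mode mirrors set domain-fronting {allow | block | monitor}; block is the default."""
    if mode not in ("allow", "block", "monitor"):
        raise ValueError(f"unknown mode {mode!r}")
    if normalize_host(sni) == normalize_host(host_header):
        return Verdict(forward=True, log=False)
    # Mismatch: same wording as the rawdata field in the page's UTM logs.
    rawdata = f"HTTP Host <{host_header}> does not match SNI <{sni}>"
    if mode == "allow":
        return Verdict(forward=True, log=False, rawdata=rawdata)
    if mode == "monitor":
        return Verdict(forward=True, log=True, rawdata=rawdata)
    return Verdict(forward=False, log=True, rawdata=rawdata)


if __name__ == "__main__":
    # The page's example: SNI httpbin.org, Host header google.com.
    for mode in ("block", "monitor", "allow"):
        print(mode, check_domain_fronting("httpbin.org", "google.com", mode))
```

As the text notes, the check applies to HTTP/1.1 only; an HTTP/2 connection carrying a different :authority is not covered by this setting.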

Example

In this example, the server name indication (SNI) in the request is httpbin.org, and the host header in the request is
google.com.
When FortiGate has an explicit proxy policy configured with set domain-fronting block, traffic is blocked and
logged when the request domain does not match the HTTP header domain.
- Example traffic log:
1: date=2024-06-11 time=10:38:23 eventtime=1718127503650731465 tz="-0700"
logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.77 srcport=41548 srcintf="port2" srcintfrole="undefined"
dstip=3.211.196.247 dstport=443 dstintf="port3" dstintfrole="undefined"
srccountry="Reserved" dstcountry="United States" sessionid=1542161161 proto=6
action="deny" policyid=1 policytype="proxy-policy" poluuid="01352fb2-1370-51ef-8ac3-
c46f77827b80" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 appcat="unscanned" utmaction="block" countweb=1 msg="Traffic denied because of
domain fronting" utmref=65498-0

- Example Web filter UTM log:
1: date=2024-06-11 time=10:38:23 eventtime=1718127503650663438 tz="-0700"
logid="0320013318" type="utm" subtype="webfilter" eventtype="domain-fronting"
level="notice" vd="vdom1" policyid=1 poluuid="01352fb2-1370-51ef-8ac3-c46f77827b80"
policytype="proxy-policy" sessionid=1542161161 transid=1 srcip=10.1.100.77 srcport=41548
srccountry="Reserved" srcintf="port2" srcintfrole="undefined" dstip=3.211.196.247
dstport=443 dstcountry="United States" dstintf="port3" dstintfrole="undefined" proto=6
httpmethod="GET" service="HTTPS" hostname="google.com" agent="curl/7.83.1"
profile="protocol" action="blocked" reqtype="direct" url="https://google.com/"
sentbyte=860 rcvdbyte=5470 direction="outgoing" msg="Domain fronting detected"
rawdata="HTTP Host <google.com> does not match SNI <httpbin.org>"


When FortiGate has a transparent proxy policy configured with set domain-fronting monitor, traffic is passed
and logged when the request domain does not match the HTTP header domain.
- Example traffic log:
1: date=2024-06-11 time=11:14:22 eventtime=1718129661884640964 tz="-0700"
logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.77 srcport=44250 srcintf="port2" srcintfrole="undefined"
dstcountry="United States" srccountry="Reserved" dstip=3.211.196.247 dstport=443
dstintf="port3" dstintfrole="undefined" sessionid=2024 service="web" proxyapptype="web-
proxy" proto=6 action="accept" policyid=22 policytype="proxy-policy" poluuid="05d56dfc-
1370-51ef-5315-e0ee922dd3b5" trandisp="snat" transip=172.16.200.2 transport=44250
duration=0 wanin=15331 rcvdbyte=15331 wanout=578 lanin=777 sentbyte=777 lanout=12868
appcat="unscanned" utmaction="allow" countweb=1 utmref=65496-0

- Example Web filter UTM log:
1: date=2024-06-11 time=11:14:22 eventtime=1718129661808321505 tz="-0700"
logid="0320013318" type="utm" subtype="webfilter" eventtype="domain-fronting"
level="notice" vd="vdom1" policyid=22 poluuid="05d56dfc-1370-51ef-5315-e0ee922dd3b5"
policytype="proxy-policy" sessionid=2024 transid=1 srcip=10.1.100.77 srcport=44250
srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="e3659a44-136f-
51ef-2b98-b3a63e02baed" dstip=3.211.196.247 dstport=443 dstcountry="United States"
dstintf="port3" dstintfrole="undefined" dstuuid="e3659a44-136f-51ef-2b98-b3a63e02baed"
proto=6 httpmethod="GET" service="HTTPS" hostname="google.com" agent="curl/7.83.1"
profile="protocol" action="passthrough" reqtype="direct" url="https://google.com/"
sentbyte=746 rcvdbyte=5470 direction="outgoing" msg="Domain fronting detected"
rawdata="HTTP Host <google.com> does not match SNI <httpbin.org>"

Virtual patching

This section includes information about new features related to virtual patching:
- Streamline IoT/OT device detection 7.6.1 on page 341
- Unified OT virtual patching and IPS signatures 7.6.1 on page 596

Streamline IoT/OT device detection - 7.6.1

You can directly enable IoT and OT categories for device detection, without applying an Application Control profile. If the
IoT or OT signatures are not excluded in any of the policy interfaces, a built-in application list is automatically created
and applied, ensuring that relevant IoT and OT categories are active, optimizing IPS functionality, and reducing overall
configuration complexity. Database licenses are not changed for IoT and OT signatures.

To enable IoT and OT device detection:

config system interface
edit <name>
set device-identification enable
set exclude-signatures {iot ot}
next
end


Command                                    Description
device-identification {enable | disable}   Enable/disable passive gathering of device identity information about the
                                           devices on the network connected to this interface (default = disable).
exclude-signatures {iot ot}                Exclude IoT and/or OT application control signatures. This option is hidden
                                           when device-identification is disabled.

Example

To test IoT and OT device detection:

1. Create a firewall policy:
config firewall policy
edit 1
set name "1"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set logtraffic all
set nat enable
next
end

2. Configure the interface with device identification enabled and neither signature excluded:
config system interface
edit "port1"
set vdom "vd1"
set ip 172.16.200.101 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set device-identification enable
next
end

3. Simulate iPad device traffic on the server with the following command to generate an IoT app-category log:
# curl 10.1.100.11 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

4. Check the log on the FortiGate:


# execute log filter category 10
# execute log display
1 logs found.
1 logs returned.

1: date=2024-10-31 time=12:10:03 eventtime=1730333403392508511 tz="+1200"
logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature"
level="information" vd="vd1" appid=10000870 srcip=172.16.200.55 srccountry="Reserved"
dstip=10.1.100.11 dstcountry="Reserved" srcport=39420 dstport=80 srcintf="port1"
srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 service="HTTP"
direction="outgoing" policyid=2 poluuid="76847474-87f8-51ef-8d01-26c8aab89964"
policytype="policy" sessionid=1797 action="pass" appcat="IoT" app="Apple.iPad"
hostname="10.1.100.11" incidentserialno=2097193 url="/" agent="Mozilla/5.0 (iPad; CPU OS
12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2
Mobile/15E148 Safari/604.1" httpmethod="GET" msg="IoT: Apple.iPad"
clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

5. Simulate Advantech device traffic with the following command to generate an OT app-category log:
# curl -v http://172.16.200.55/ips/index.php

6. Check the log on the FortiGate:
# execute log filter category 10
# execute log display
1 logs found.
1 logs returned.

2: date=2024-10-31 time=11:14:02 eventtime=1730330041534145667 tz="+1200"
logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature"
level="information" vd="vd1" appid=10002847 srcip=10.1.100.11 srccountry="Reserved"
dstip=172.16.200.55 dstcountry="Reserved" srcport=46224 dstport=80 srcintf="port2"
srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP"
direction="incoming" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82"
policytype="policy" sessionid=1072 action="pass" appcat="OT" app="Advantech.R-SeeNet"
hostname="172.16.200.55" incidentserialno=2097190 url="/ips/index.php"
agent="curl/7.61.1" httpmethod="GET" msg="OT: Advantech.R-SeeNet"
clouddevice="Vendor=Advantech, Product=R-SeeNet, Version=2.4.15" apprisk="low"

7. Edit the interface to exclude OT signatures:

config system interface
edit "port1"
set exclude-signatures ot
next
end

8. Simulate iPad device traffic on the server with the following command to generate an IoT app-category log:
# curl 10.1.100.11 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

9. Check the log on the FortiGate:

# execute log filter category 10
# execute log display
1 logs found.
1 logs returned.

1: date=2024-10-31 time=12:21:52 eventtime=1730333511817900453 tz="+1200"
logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature"
level="information" vd="vd1" appid=10000870 srcip=172.16.200.55 srccountry="Reserved"
dstip=10.1.100.11 dstcountry="Reserved" srcport=56446 dstport=80 srcintf="port1"
srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 service="HTTP"
direction="outgoing" policyid=2 poluuid="76847474-87f8-51ef-8d01-26c8aab89964"
policytype="policy" sessionid=1804 action="pass" appcat="IoT" app="Apple.iPad"
hostname="10.1.100.11" incidentserialno=2097194 url="/" agent="Mozilla/5.0 (iPad; CPU OS
12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2
Mobile/15E148 Safari/604.1" httpmethod="GET" msg="IoT: Apple.iPad"
clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

10. Simulate Advantech device traffic with the following command to see that no OT app-category log is generated:
# curl -v http://172.16.200.55/ips/index.php

11. Check the log on the FortiGate:

# execute log filter category 10
# execute log display
0 logs found.
0 logs returned.

Unified OT virtual patching and IPS signatures - 7.6.1

Virtual patching now includes OT virtual patching and IPS signatures. This allows IPS signatures to be used in OT/IoT
vulnerability lookup and response, covering additional threats and vulnerabilities.
Virtual patching works by:
1. Collecting device information on connected devices.
2. Performing a vulnerability query through FortiGuard for device-specific vulnerabilities.
3. Retrieving and caching application signatures and mitigation rules for the device.
4. Applying the application rules on matched device traffic.

In the second step, FortiGuard now returns additional signature IDs based on the IPS database that can match
vulnerabilities on most IT devices, such as Windows and Mac hosts.

Examples

To demonstrate the flow of a virtual patching detection, an IPS signature (Eicar.Virus.Test.File (id=29844)) was added to
a demo FortiGuard Server. This can be observed in the following debug:
# diagnose ips share list otvp_cfgcache
10.1.100.11 f2:d7:39:5d:40:11 3 29844(ips) 10000673(n/a) 10000684

This cache output shows the cached response of an application rule that identifies the IPS signature 29844 matching the
source device 10.1.100.11.
Traffic originating from a device (10.1.100.11) that matches this signature (29844) will trigger either the virtual patching
profile, if enabled, or the IPS profile, if enabled. This use case demonstrates that an OT virtual profile can use an IPS
signature for matching, and will either drop or reset the connection.
Note that rule 29844 is not valid on the production server; it is only for testing and demonstration purposes.


To configure the profiles and firewall:

config virtual-patch profile
edit "g-default"
set comment ''
set severity info low medium high critical
set action block
set log enable
next
end
config ips sensor
edit "test"
config entries
edit 1
set rule 29844
set status enable
next
end
next
end
config firewall policy
edit 1
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set nat enable
next
end

Example 1

If only the virtual patch profile is enabled in the firewall policy, its configuration takes effect and a virtual patch log is
generated.

To configure the firewall:

config firewall policy
edit 1
set virtual-patch-profile "g-default"
next
end

To check the log:

# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:40:09 eventtime=1731721208854825766 tz="+1200" logid="2400064600"
type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1"
severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1"
dstintfrole="undefined" sessionid=266 action="dropped" proto=6 service="HTTP" policyid=1
poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy"
attack="Eicar.Virus.Test.File" srcport=48970 dstport=80 hostname="172.16.200.55"
url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844
profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"

Example 2

If both the IPS sensor's and virtual patch profile's actions are set to block, the IPS sensor configuration takes effect and
an IPS log is generated.

To configure the IPS sensor and firewall:

config ips sensor
edit "test"
config entries
edit 1
set action block
next
end
next
end
config firewall policy
edit 1
set ips-sensor "test"
set virtual-patch-profile "g-default"
next
end

To check the log:

# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:43:03 eventtime=1731721383128922224 tz="+1200" logid="0419016384"
type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info"
srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved"
srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined"
sessionid=304 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-
51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=32880
dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET"
direction="incoming" attackid=29844 profile="test"
ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237864 msg="file_transfer:
Eicar.Virus.Test.File"


Example 3

If the IPS sensor's action is pass and the virtual patch profile's action is block, the virtual patch profile configuration takes
effect and a virtual patch log is generated.

To configure the IPS sensor and firewall:

config ips sensor
edit "test"
config entries
edit 1
set action pass
next
end
next
end
config firewall policy
edit 1
set ips-sensor "test"
set virtual-patch-profile "g-default"
next
end

To check the log:

# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:50:24 eventtime=1731721824022513590 tz="+1200" logid="2400064600"
type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1"
severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1"
dstintfrole="undefined" sessionid=411 action="dropped" proto=6 service="HTTPS" policyid=1
poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy"
attack="Eicar.Virus.Test.File" srcport=37108 dstport=443 hostname="172.16.200.55"
url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844
profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"

Example 4

If only the IPS sensor is enabled, its configuration takes effect and an IPS log is generated.

To configure the IPS sensor and firewall:

config ips sensor
edit "test"
config entries
edit 1
set action reset
next
end
next
end
config firewall policy
edit 1
set ips-sensor "test"
next
end

To check the log:

# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:44:57 eventtime=1731721497986271293 tz="+1200" logid="0419016384"
type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info"
srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved"
srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined"
sessionid=345 action="reset" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-
3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=39416
dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET"
direction="incoming" attackid=29844 profile="test"
ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237865 msg="file_transfer:
Eicar.Virus.Test.File"
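As an added example that is not part of the guide, the Python below parses FortiOS key=value log lines of the kind shown for the app control exclusion test (steps 5 to 11) and for the virtual patching examples above, so that both checks can be scripted: that no app-ctrl log in an excluded category (OT) is produced after set exclude-signatures ot, and which profile (virtual-patch or ips) enforced a verdict and whether the virtual patch profile used a signature from the IPS database. The sample lines are constructed by abbreviating the guide's own entries; the meaning of the third field of the otvp_cfgcache line is an assumption.

```python
import re

# One key=value pair; quoted values may contain spaces and parentheses, for example
# agent="Mozilla/5.0 (iPad; ...)" or msg="..., (signature is from IPS DB)"
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample logs, abbreviated from the entries shown in the guide
SAMPLE_LOGS = [
    # app-ctrl log for the simulated iPad traffic (IoT category)
    'date=2024-10-31 time=12:10:03 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="signature" srcip=172.16.200.55 dstip=10.1.100.11 srcintf="port1" '
    'action="pass" appcat="IoT" app="Apple.iPad" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 '
    'like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)" msg="IoT: Apple.iPad"',
    # app-ctrl log for the simulated Advantech traffic (OT category)
    'date=2024-10-31 time=11:14:02 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="signature" srcip=10.1.100.11 dstip=172.16.200.55 srcintf="port2" '
    'action="pass" appcat="OT" app="Advantech.R-SeeNet" agent="curl/7.61.1" '
    'msg="OT: Advantech.R-SeeNet"',
    # virtual-patch log where the matched rule came from the IPS database (Example 1)
    'date=2024-11-16 time=13:40:09 logid="2400064600" type="utm" subtype="virtual-patch" '
    'eventtype="ot-vpatch" srcip=10.1.100.11 dstip=172.16.200.55 action="dropped" '
    'attack="Eicar.Virus.Test.File" attackid=29844 profile="g-default" '
    'msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"',
    # IPS log for the same signature when the IPS sensor takes effect (Example 4)
    'date=2024-11-16 time=13:44:57 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" srcip=10.1.100.11 dstip=172.16.200.55 action="reset" '
    'attack="Eicar.Virus.Test.File" attackid=29844 profile="test" '
    'msg="file_transfer: Eicar.Virus.Test.File"',
]

# Cache line from "diagnose ips share list otvp_cfgcache" as printed in the guide
OTVP_CACHE_LINE = "10.1.100.11 f2:d7:39:5d:40:11 3 29844(ips) 10000673(n/a) 10000684"


def parse_fortios_log(line):
    """Turn one FortiOS log line into a dict; quotes are stripped, values stay strings."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def appcat_counts(lines):
    """Count app-ctrl logs per application category (IoT, OT, ...)."""
    counts = {}
    for entry in map(parse_fortios_log, lines):
        if entry.get("subtype") == "app-ctrl" and "appcat" in entry:
            counts[entry["appcat"]] = counts.get(entry["appcat"], 0) + 1
    return counts


def excluded_category_hits(lines, excluded):
    """Return app-ctrl entries whose category should have been excluded on the interface
    (set exclude-signatures ot); an empty list means the exclusion holds."""
    excluded = {cat.lower() for cat in excluded}
    return [e for e in map(parse_fortios_log, lines)
            if e.get("subtype") == "app-ctrl" and e.get("appcat", "").lower() in excluded]


def classify_enforcement(line):
    """For a virtual-patch or IPS UTM log, report which profile enforced the verdict and
    whether a virtual patch profile used a signature taken from the IPS database."""
    entry = parse_fortios_log(line)
    if entry.get("type") != "utm" or entry.get("subtype") not in ("virtual-patch", "ips"):
        return None
    return {
        "enforced_by": entry["subtype"],
        "profile": entry.get("profile"),
        "attackid": int(entry["attackid"]),
        "action": entry.get("action"),
        "vpatch_used_ips_signature": (entry["subtype"] == "virtual-patch"
                                      and "signature is from IPS DB" in entry.get("msg", "")),
    }


def parse_otvp_cache(line):
    """Parse one otvp_cfgcache line: device IP, MAC, then the cached signature IDs, each
    with an optional source tag such as (ips). The third field is assumed to be the number
    of cached IDs; the guide does not state its meaning, and it equals 3 in the sample."""
    ip, mac, count, *sigs = line.split()
    signatures = []
    for sig in sigs:
        m = re.fullmatch(r"(\d+)(?:\((\w+|n/a)\))?", sig)
        signatures.append((int(m.group(1)), m.group(2)))
    return {"ip": ip, "mac": mac, "count": int(count), "signatures": signatures}
```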

Others

This section includes information about other security profile related new features:
• Support the Zstandard compression algorithm for web content on page 348
• DNS filtering in proxy policies on page 351
• DNS translation support for Service records over the DNS Filter profile on page 354
• Control TLS connections that utilize Encrypted Client Hello on page 358
• Selective forwarding to ICAP server 7.6.1 on page 358
• Control TLS connections that utilize Encrypted Client Hello in flow mode 7.6.3 on page 361
• Inline CASB security profile to support control factors in exchanged JSON data for custom SaaS applications 7.6.3 on page 368

Support the Zstandard compression algorithm for web content

FortiOS now supports the Zstandard (ZSTD) compression algorithm for web content. FortiOS can use proxy-based
policies to decode ZSTD-encoded web content, scan it, and forward the web content to a browser. Then the web content
can be passed to the user or blocked from the user based on UTM profile settings, ensuring a seamless and secure
browsing experience.


Example

In this example, FortiGate is configured with explicit web proxy, a proxy policy, and a UTM DLP profile.
The user visits the Facebook web site (www.facebook.com) through the FortiGate. The Facebook web site uses ZSTD to
encode web content. When the FortiGate receives the ZSTD-encoded web content from Facebook, it decodes and scans the
web content, and uses the settings in the UTM profile to pass or block the web content.

When the DLP profile passes the web content, the facebook login page is displayed for the user:

When the DLP profile is configured to block web sites if the web content contains the Connect with friends string,
then access to facebook is blocked, and a replacement message is displayed to the user:


Without this feature, FortiGate cannot display ZSTD-encoded content from facebook in the browser:

And when a UTM antivirus profile is applied, a log is generated that shows contentencoding="zstd"
msg="Unknown content-encoding detected and blocked.", for example:
1: date=2024-06-12 time=12:43:25 eventtime=1718221405781282450 tz="-0700" logid="0249009241"
type="utm" subtype="virus" eventtype="unknown" level="warning" vd="vdom1" policyid=1
sessionid=1123 srcip=10.1.100.11 dstip=157.240.249.35 srcport=52290 dstport=443
srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6
service="HTTPS" action="blocked" url="https://www.facebook.com/" contentencoding="zstd"
msg="Unknown content-encoding detected and blocked."

DNS filtering in proxy policies

This information is also available in the FortiOS 7.6 Administration Guide:
• Proxy policy security profiles

DNS filtering can be applied to proxy policies, providing an extra layer of protection for users that are behind a proxy.
This is particularly useful when client applications use DoH and DoT protocols and require the added security of DNS
filtering.

To configure and test a proxy policy with a DNS filter:

1. Configure a DNS filter. See DNS filter.
2. Go to Policy & Objects > Proxy Policy, create or edit an explicit or transparent web proxy policy, and apply the DNS
filter.

config firewall proxy-policy
edit 1
set proxy {explicit-web | transparent-web}
set dnsfilter-profile "dnsfilter_fgd"
next
end

3. Test the filter from a client that is configured to use the proxy:
• DoH client request through an explicit proxy policy with the action set to block:
curl -H 'accept: application/dns-message' -x 10.1.100.1:8080 -v -k
'https://1.1.1.1/dns-query?dns=q80BAAABAAAAAAAAA3d3dwN1YmMCY2EAAAEAAQ' | hexdump

* Trying 10.1.100.1:8080...
* TCP_NODELAY set
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0*
Connected to 10.1.100.1 (10.1.100.1) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to 1.1.1.1:443
> CONNECT 1.1.1.1:443 HTTP/1.1
> Host: 1.1.1.1:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Proxy-Agent: Fortinet-Proxy/1.0
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x555786e4bdb0)
} [5 bytes data]
> GET /dns-query?dns=q80BAAABAAAAAAAAA3d3dwN1YmMCY2EAAAEAAQ HTTP/2
> Host: 1.1.1.1
> user-agent: curl/7.68.0
> accept: application/dns-message
} [5 bytes data]
< HTTP/2 200
< content-type: application/dns-message
< content-length: 28
<
{ [28 bytes data]
100 28 100 28 0 0 430 0 --:--:-- --:--:-- --:--:-- 430
* Connection #0 to host 10.1.100.1 left intact
0000000 cdab 0381 0100 0000 0000 0000 7703 7777
0000010 7503 6362 6302 0061 0100 0100
000001c
connect svr orig 10.1.100.11:33270->10.1.100.1:8080 out 10.1.100.11:33270->1.1.1.1:8080
[I][p:386][s:1746142837][r:50331664] wad_http_upd_ses_ctx_by_req :1046 wad http
session 0x7f3842990b80 forward (nil) fwd_srv_ip=
[V][p:386][s:1746142837][r:50331664] wad_http_connect_srv :791
[0x7f384377a8e8] Connect to server: 1.1.1.1:443/1.1.1.1:443

HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0

HTTP/1.1 200
server: cloudflare

[V][p:386][s:1746142837] wad_http_doh_proc_payload :274 msg(0x7f384378ace8)
proc doh payload from 10.1.100.11 -> 1.1.1.1.
[V][p:386][s:1746142837] wad_http_doh_proc_payload :289 dnsproxy_local_id=0xabcd.
[I][p:386][s:1746142837] wad_dns_req_msg_send_hdr :172 send unreq to dnsproxy.
msg_len=135, type=wad_srv_res, dnxproxy_local_id=0xabcd, session_id=157, flags=0,
vfid=1, vrf=0, ifindex=7, policy_id=1, proto=6, src_addr=10.1.100.11, dst_addr=1.1.1.1

[worker 0] dns_profile_do_url_rating()-2036: vfid=1 profile=dnsfilter_fgd category=30
domain=www.ubc.ca
[worker 0] dns_profile_do_url_rating()-2128: response filter result for www.ubc.ca
(type=7 action=10)
[worker 0] dns_secure_apply_action()-2270: action=10 category=30 log=1 error_allow=0
profile=dnsfilter_fgd
[worker 0] dns_send_error_response()-1809: id: 0xabcd domain: www.ubc.ca qtype: 1 err: 3
[worker 0] dns_send_response()-1626: domain=www.ubc.ca reslen=28
[worker 0] dns_secure_log_response()-1254: id:0xcdab domain=www.ubc.ca
profile=dnsfilter_fgd action=10 log=1
[worker 0] dns_secure_log_response()-1276: cannot find IPv4 session
[worker 0] dns_unix_stream_packet_write()-287: vfid=1 real_vfid=1 vrf=0 id=0xabcd
domain=www.ubc.ca req_type=2 req=0
[worker 0] dns_unix_stream_packet_write()-309: type=7 len=31 session_id=147 flags=1
[worker 0] dns_query_delete()-560: orig id:0xabcd local id:0xabcd domain=www.ubc.ca
use=5 active

• DoT client request to a Cloudflare server at 1.1.1.1 through an explicit proxy policy with the action set to redirect:
kdig www.ubc.ca +tls @127.0.0.1:853
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 64291
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.ubc.ca. IN A

;; ANSWER SECTION:
www.ubc.ca. 60 IN A 208.91.112.55

;; Received 44 B
;; Time 2024-07-02 22:18:51 UTC
;; From 127.0.0.1@853(TCP) in 54.8 ms
[worker 0] dns_secure_forward_response()-1660: category=30 profile=dnsfilter_fgd
[worker 0] dns_visibility_log_hostname()-371: vd=1 pktlen=468
[worker 0] wildcard_fqdn_response_cb()-951: vd=1 pktlen=468
[worker 0] hostname_entry_insert()-292: af=2 domain=www.ubc.ca
[worker 0] hostname_entry_insert()-292: af=2 domain=www.ubc.ca
[worker 0] hostname_entry_insert()-292: af=2 domain=www.ubc.ca
[worker 0] hostname_entry_insert()-292: af=2 domain=www.ubc.ca
[worker 0] dns_profile_do_url_rating()-2036: vfid=1 profile=dnsfilter_fgd category=30
domain=www.ubc.ca
[worker 0] dns_profile_do_url_rating()-2128: response filter result for www.ubc.ca
(type=7 action=10)
[worker 0] dns_secure_apply_action()-2270: action=10 category=30 log=1 error_allow=0
profile=dnsfilter_fgd
[worker 0] dns_secure_answer_redir()-1605
[worker 0] dns_send_response()-1626: domain=www.ubc.ca reslen=44
[worker 0] dns_secure_log_response()-1254: id:0x23fb domain=www.ubc.ca
profile=dnsfilter_fgd action=10 log=1

• DoH client request through a transparent proxy policy with the action set to redirect:
curl -H 'accept: application/dns-message' -v -k 'https://1.1.1.1/dns-query?dns=q80BAAABAAAAAAAAA3d3dwN1YmMCY2EAAAEAAQ' | hexdump

* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x562b7267bdb0)
} [5 bytes data]
> GET /dns-query?dns=q80BAAABAAAAAAAAA3d3dwN1YmMCY2EAAAEAAQ HTTP/2
> Host: 1.1.1.1
> user-agent: curl/7.68.0
> accept: application/dns-message
< HTTP/2 200
< content-type: application/dns-message
< content-length: 28
<
{ [28 bytes data]
100 28 100 28 0 0 27 0 0:00:01 0:00:01 --:--:-- 27
* Connection #0 to host 1.1.1.1 left intact
0000000 cdab 0381 0100 0000 0000 0000 7703 7777
0000010 7503 6362 6302 0061 0100 0100
000001c
[worker 0] dns_profile_do_url_rating()-2036: vfid=1 profile=dnsfilter_fgd category=30
domain=www.ubc.ca
[worker 0] dns_profile_do_url_rating()-2128: response filter result for www.ubc.ca
(type=7 action=10)
[worker 0] dns_secure_apply_action()-2270: action=10 category=30 log=1 error_allow=0
profile=dnsfilter_fgd
[worker 0] dns_send_error_response()-1809: id: 0xabcd domain: www.ubc.ca qtype: 1 err: 3
[worker 0] dns_send_response()-1626: domain=www.ubc.ca reslen=28
[worker 0] dns_secure_log_response()-1254: id:0xcdab domain=www.ubc.ca
profile=dnsfilter_fgd action=10 log=1
[worker 0] dns_policy_find_by_idx()-2990: vfid=1 idx=1 policy_type=1
[worker 0] dns_secure_log_response()-1504: write to log: logid=54803 qname=www.ubc.ca
[worker 0] dns_unix_stream_packet_write()-287: vfid=1 real_vfid=1 vrf=0 id=0xabcd
domain=www.ubc.ca req_type=2 req=0
[worker 0] dns_unix_stream_packet_write()-309: type=7 len=31 session_id=259 flags=1
[worker 0] dns_query_delete()-560: orig id:0xabcd local id:0xabcd domain=www.ubc.ca
use=5 active

DNS translation support for Service records over the DNS Filter profile

This information is also available in the FortiOS 7.6 Administration Guide:
• DNS translation

DNS translation now supports Service (SRV) records over the DNS Filter profile, providing broader coverage and finer
control to network administrators.


Example 1: SRV query DNS translation in proxy mode

1. Configure the DNS filter profile:

config dnsfilter profile
edit "dns_filter_srv_translate"
set comment "Test_srv_translation"
set log-all-domain enable
set block-action block
config dns-translation
edit 1
set src 172.16.200.56
set dst 1.2.3.4
next
edit 2
set addr-type ipv6
set src6 2000:172:16:200::56
set dst6 2000:1:2:3::4
next
end
next
end

2. The client DNS query for the SRV record is _telnet._tcp.ftntqa.com. The IP addresses configured on the DNS server for the
SRV record are 172.16.200.56 (A) and 2000:172:16:200::56 (AAAA), and the configured hostname is
telnet.ftntqa.com.
nslookup -type=SRV _telnet._tcp.ftntqa.com
Address: 2000:172:16:200::200
_telnet._tcp.ftntqa.com SRV service location:
priority = 2
weight = 1
port = 23
svr hostname = telnet.ftntqa.com
telnet.ftntqa.com internet address = 1.2.3.4
telnet.ftntqa.com AAAA IPv6 address = 2000:1:2:3::4

3. Check the relevant DNS proxy debug:

[worker 0] dns_profile_do_url_rating()-2046: vfid=3 profile=dns_filter_srv_translate
category=255 domain=_telnet._tcp.ftntqa.com
[worker 0] dns_record_check_translation()-1690: translated reply ip=172.16.200.56 to
1.2.3.4 (id=1)
[worker 0] dns_record_check_translation()-1706: translated reply ip=
[2000:172:16:200::56] to [2000:1:2:3::4] (id=2)
[worker 0] dns_profile_do_url_rating()-2138: response filter result for _telnet._
tcp.ftntqa.com (type=6 action=9)
[worker 0] dns_secure_apply_action()-2280: action=9 category=0 log=0 error_allow=0
profile=dns_filter_srv_translate
[worker 0] dns_send_response()-1624: domain=_telnet._tcp.ftntqa.com reslen=122
[worker 0] dns_secure_log_response()-1256: id:0x0200 domain=_telnet._tcp.ftntqa.com
profile=dns_filter_srv_translate action=9 log=0
[worker 0] dns_policy_find_by_idx()-3000: vfid=3 idx=3 policy_type=0

4. Check the logs:

1: date=2024-07-17 time=12:48:33 eventtime=1721245713066437281 tz="-0700"
logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice"
vd="vdom1" policyid=3 poluuid="d6373198-43b2-51ef-6b7b-82b6d177142d" policytype="policy"
sessionid=6542 srcip=2000:10:1:100::252 srcport=54902 srccountry="Reserved"
srcintf="port1" srcintfrole="lan" dstip=2000:172:16:200::200 dstport=53
dstcountry="Reserved" dstintf="port9" dstintfrole="lan" proto=17 profile="dns_filter_
srv_translate" xid=2 qname="_telnet._tcp.ftntqa.com" qtype="SRV" qtypeval=33 qclass="IN"
msg="Domain is monitored" action="pass" cat=0 translationid=2
2: date=2024-07-17 time=12:48:33 eventtime=1721245713066422116 tz="-0700"
logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information"
vd="vdom1" policyid=3 poluuid="d6373198-43b2-51ef-6b7b-82b6d177142d" policytype="policy"
sessionid=6542 srcip=2000:10:1:100::252 srcport=54902 srccountry="Reserved"
srcintf="port1" srcintfrole="lan" dstip=2000:172:16:200::200 dstport=53
dstcountry="Reserved" dstintf="port9" dstintfrole="lan" proto=17 profile="dns_filter_
srv_translate" xid=2 qname="_telnet._tcp.ftntqa.com" qtype="SRV" qtypeval=33 qclass="IN"

In the GUI, go to Log & Report > Security Events, and filter by Query Type = SRV:

Example 2: SRV query DNS translation in flow mode

1. Configure the DNS filter profile as in example 1.
2. The client DNS query for the SRV record is _telnet._tcp.ftntqa.com. The IP addresses configured on the DNS server for the
SRV record are 172.16.200.56 (A) and 2000:172:16:200::56 (AAAA), and the configured hostname is
telnet.ftntqa.com.
nslookup -type=SRV _telnet._tcp.ftntqa.com
Address: 2000:172:16:200::200
_telnet._tcp.ftntqa.com SRV service location:
priority = 2
weight = 1
port = 23
svr hostname = telnet.ftntqa.com
telnet.ftntqa.com internet address = 1.2.3.4
telnet.ftntqa.com AAAA IPv6 address = 2000:1:2:3::4

3. Check the relevant IPS debug:

[10401@4]ips_run_session_verdict_check: serial=1790 session is ACTIVE
[10401@4]ips_dsct_session_loop: serial=1790 only: dns_udp
[10401@4]dns_dissector: Operation Code: 0 flags 0x8580
[10401@4]dns_dissector: response is authoritative
[10401@4]dissect_query_records: dns request: name _telnet._tcp.ftntqa.com, type 33,
class 0x1, size 25
[10401@4]dissect_answer_records: dns reply: name _telnet._tcp.ftntqa.com, type 33, class
0x1, size 2
[10401@4]dissect_answer_records: dns reply: name telnet.ftntqa.com, type 1, class 0x1,
size 2
[10401@4]dns_type_a: 172.16.200.56
[10401@4]dissect_answer_records: dns reply: name telnet.ftntqa.com, type 28, class 0x1,
size 2
[10401@4]dns_type_aaaa: 2000:172:16:200::56
[10401@4]dnsfilter_check_dns_translation: translated resolved ip 172.16.200.56 to
1.2.3.4 (1)
[10401@4]dnsfilter_check_dns_translation: translated resolved ip 2000:172:16:200::56 to
2000:1:2:3::4 (2)

4. Check the logs:

1: date=2024-07-17 time=12:46:40 eventtime=1721245599743143887 tz="-0700"
logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice"
vd="vdom1" policyid=3 poluuid="d6373198-43b2-51ef-6b7b-82b6d177142d" policytype="policy"
sessionid=6489 srcip=2000:10:1:100::252 srcport=58966 srccountry="Reserved"
srcintf="port1" srcintfrole="lan" dstip=2000:172:16:200::200 dstport=53
dstcountry="Reserved" dstintf="port9" dstintfrole="lan" proto=17 profile="dns_filter_
srv_translate" xid=2 qname="_telnet._tcp.ftntqa.com" qtype="SRV" qtypeval=33 qclass="IN"
ipaddr="2000:10:1:100::252, 2000:10:1:100::252" msg="Domain is monitored" action="pass"
cat=255 catdesc="Unknown" translationid=2
2: date=2024-07-17 time=12:46:40 eventtime=1721245599742773343 tz="-0700"
logid="1500054000" type="utm" subtype="dns" eventtype="dns-query" level="information"
vd="vdom1" policyid=3 poluuid="d6373198-43b2-51ef-6b7b-82b6d177142d" policytype="policy"
sessionid=6489 srcip=2000:10:1:100::252 srcport=58966 srccountry="Reserved"
srcintf="port1" srcintfrole="lan" dstip=2000:172:16:200::200 dstport=53
dstcountry="Reserved" dstintf="port9" dstintfrole="lan" proto=17 profile="dns_filter_
srv_translate" xid=2 qname="_telnet._tcp.ftntqa.com" qtype="SRV" qtypeval=33 qclass="IN"

In the GUI, go to Log & Report > Security Events, and filter by Query Type = SRV:
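The DoH exchange in the explicit-proxy test earlier (the dns= parameter sent by curl and the 28-byte reply in the hexdump) and the SRV translation in this section both work on the same DNS wire format, so one added example covers both. The Python below is written for this guide and is not Fortinet code: it decodes the dns= parameter, rebuilds the block reply shown in the hexdump (RCODE 3, matching err: 3 in the dnsproxy debug), and applies the profile's dns-translation entries to the A and AAAA records of a constructed SRV response for _telnet._tcp.ftntqa.com. The SRV response bytes are constructed here; its message ID and flags are taken from the IPS debug above.

```python
import base64
import ipaddress
import struct

# From the guide: the dns= parameter of the DoH GET for www.ubc.ca (type A) and the
# hexdump of the 28-byte reply returned when the DNS filter action is block
DOH_QUERY_PARAM = "q80BAAABAAAAAAAAA3d3dwN1YmMCY2EAAAEAAQ"
HEXDUMP_REPLY = "cdab 0381 0100 0000 0000 0000 7703 7777 7503 6362 6302 0061 0100 0100"

# The dns-translation entries of the dns_filter_srv_translate profile
DNS_TRANSLATION = {
    ipaddress.ip_address("172.16.200.56"): ipaddress.ip_address("1.2.3.4"),
    ipaddress.ip_address("2000:172:16:200::56"): ipaddress.ip_address("2000:1:2:3::4"),
}
TYPE_A, TYPE_AAAA, TYPE_SRV = 1, 28, 33

def decode_doh_param(param):
    """Decode the unpadded base64url dns= parameter of a DoH GET request (RFC 8484)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def hexdump_words_to_bytes(dump):
    """hexdump prints 16-bit little-endian words; swap each word back into byte order."""
    return bytes.fromhex("".join(w[2:] + w[:2] for w in dump.split()))

def read_name(msg, off):
    """Read a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_question(msg):
    """Header fields plus the first question of a DNS message."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": tid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question_end": off + 4}

def build_error_response(query, rcode=3):
    """The reply a block action produces: QR set, RD copied, RCODE 3 (NXDOMAIN),
    question echoed, no answer records."""
    q = parse_question(query)
    flags = 0x8000 | (q["flags"] & 0x0100) | rcode
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + query[12:q["question_end"]]

def translate_response(msg, table):
    """Rewrite A/AAAA rdata in every answer, authority and additional record according
    to the translation table; returns (rewritten message, list of (owner, old, new))."""
    _tid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out, off, changes = bytearray(msg), 12, []
    for _ in range(qd):                              # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (TYPE_A, TYPE_AAAA):
            addr = ipaddress.ip_address(msg[off:off + rdlen])
            new = table.get(addr)
            if new is not None and len(new.packed) == rdlen:   # same address family only
                out[off:off + rdlen] = new.packed
                changes.append((owner, str(addr), str(new)))
        off += rdlen
    return bytes(out), changes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def rr(owner, rtype, rdata, ttl=60):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_srv_response():
    """Constructed reply to the SRV query of this section: ID 0x0200 and flags 0x8580 as in
    the IPS debug, one SRV answer (priority 2, weight 1, port 23) and the target's A/AAAA."""
    srv_rdata = struct.pack("!HHH", 2, 1, 23) + encode_name("telnet.ftntqa.com")
    header = struct.pack("!HHHHHH", 0x0200, 0x8580, 1, 1, 0, 2)
    question = encode_name("_telnet._tcp.ftntqa.com") + struct.pack("!HH", TYPE_SRV, 1)
    return (header + question
            + rr("_telnet._tcp.ftntqa.com", TYPE_SRV, srv_rdata)
            + rr("telnet.ftntqa.com", TYPE_A, ipaddress.ip_address("172.16.200.56").packed)
            + rr("telnet.ftntqa.com", TYPE_AAAA, ipaddress.ip_address("2000:172:16:200::56").packed))
```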


Control TLS connections that utilize Encrypted Client Hello

This information is also available in the FortiOS 7.6 Administration Guide:
• Block or allow ECH TLS connections

Encrypted Client Hello (ECH) is an extension to TLS that allows TLS to effectively hide information that is exposed in the
unencrypted TLS ClientHello message. The ClientHello is one of the first messages sent in a TLS handshake, containing
information inside the Server Name Indication (SNI) field about the destination host. By encrypting the ClientHello, this
information is not exposed in plaintext.
Using the ECH extension, the client queries DNS for the destination host's record that contains the ECH configuration
and the public key used to encrypt the ClientHello message. To prevent the destination's identity from being exposed in
the DNS query, clients usually use DoH or DoT to encrypt the DNS packets.
With the public key returned from the DNS server, the client can encrypt the ClientHello message, now called the inner
ClientHello. An outer, unencrypted ClientHello must still be present to route to the server, often a CDN, that can unpack
and reroute the traffic to the final destination.
For more information about this feature, see Control TLS connections that utilize Encrypted Client Hello.

Selective forwarding to ICAP server - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:
• Selective forwarding to ICAP server


The ICAP profile now includes a new ocr-only option to forward only image files, such as JPEG, JPG, and PNG, to an
ICAP (Internet Content Adaptation Protocol) server for OCR (optical character recognition) scanning. When enabled,
FortiGate forwards only image files that are relevant for OCR scanning to the ICAP server. This selective forwarding
applies only to image files in HTTP responses; it does not apply to image files in HTTP requests. By reducing processing
time and optimizing resource usage, this feature enhances overall system efficiency.
config icap profile
edit <name>
set ocr-only {enable | disable}
next
end

set ocr-only {enable | disable}    Enable/disable only passing OCR scan requests of image files to the ICAP server (default = disabled). When enabled, also enable response to allow FortiGate to forward images to the ICAP server.

You cannot enable the ocr-only and streaming-content-bypass options in an ICAP profile at the same time. When
ocr-only is enabled, the streaming-content-bypass option is removed from the CLI.
The ocr-only feature applies only to HTTP. FTP and SCP are not supported. In addition, this feature applies only to
HTTP downloads. HTTP uploads are not supported.

Example

In this example, FortiGate acts as the ICAP client, and FortiProxy acts as the ICAP server. An ICAP profile is configured
on FortiGate with ocr-only enabled. An ICAP server is configured on FortiProxy with the icap-service configured to
use an image-analyzer ICAP profile.
When a client HTTP response includes an image that is of interest to OCR, FortiGate forwards only the image file to the
ICAP server for OCR scanning, and the scan results determine whether the image is passed or blocked.

When OCR scanning passes the image in the HTTP response, the image is displayed to the client, for example:


When OCR scanning blocks the image in the HTTP response, an alert message is displayed instead of the image:

Only configurations relevant to selective forwarding are described.

To enable selective forwarding on the ICAP client:

1. On FortiGate, enable ocr-only in the ICAP profile:

In this example, ocr-only and response are enabled. Responses are enabled to allow FortiGate to forward
image files to the ICAP server.
config icap profile
edit "ocr"
set request enable
set response enable
set ocr-only enable
set request-server "icap_server1"
set response-server "icap_server1"
next
end

To enable image scanning on the ICAP server:

1. On FortiProxy acting as an ICAP server, create an image-analyzer ICAP profile:

In this example, an image-analyzer profile named default is created.
config image-analyzer profile
edit "default"
set comment "Analyze image content"
set alcohol-status allow
set drugs-status allow
set extremism-status allow
set gambling-status allow
set gore-status allow

FortiOS 7.6.0 New Features Guide 360


Fortinet Inc.
Security profiles

set porn-status allow


set swim_underwear-status allow
set weapons-status allow
set log-option all
set blocked-img-cache enable
set rating-err-action block
set optical-character-recognition enable
set ocr-activation-threshold 100
next
end

2. On FortiProxy, configure the ICAP service to use the image-analyzer profile:

The icap-service is configured to use the image-analyzer profile named default.
config icap local-server
edit 1
set interface "port1"
set incoming-ip 10.211.255.147
set srcaddr "all"
config icap-service
edit 1
set name "profile"
set dlp-profile "default"
set image-analyzer-profile "default"
next
end
next
end

Control TLS connections that utilize Encrypted Client Hello in flow mode - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
• Block or allow ECH TLS connections

Previously, support for inspecting TLS connections that utilize Encrypted Client Hello (ECH) was added in proxy mode.
In this enhancement, flow mode can now support the following:
l Inspect DNS over TLS (DoT) and DNS over HTTPS (DoH) traffic.
l Strip the ECH response returned from the DNS server over DoT or DoH.
l Block a TLS Client Hello that uses ECH, allowing TLS to fall back to a plain text Client Hello.
No new CLI syntax was added for supporting flow mode.
For more background on this feature, see the original new feature implemented for proxy mode in FortiOS 7.4.4: Control TLS connections that utilize Encrypted Client Hello.

Examples

The following examples demonstrate flow mode support:


l Example 1: Inspecting DoT and DoH traffic in flow mode on page 362
l Example 2: Stripping ECH information from DoH responses on page 365
l Example 3: Blocking TLS connections with certificate inspection when ECH is used in the TLS handshake through
the FortiGate on page 367

Example 1: Inspecting DoT and DoH traffic in flow mode

In the following example, the DNS profile is configured to inspect DoT and DoH traffic in differing scenarios.

Scenario 1

In the first scenario, the Education category is inspected and the DNS response is redirected to the default portal of
208.91.112.55.

To configure DoT and DoH inspection in the GUI:

1. Configure an SSL profile to perform DoT and DoH inspection:


a. Go to Security Profiles > SSL/SSH Inspection.
b. Click Create new.
c. Enter a name.
d. Set Inspection method to Full SSL Inspection.
e. Under Protocol Port Mapping, enable DNS over TLS.
f. Click OK to save.
2. Configure a DNS filter profile:
a. Go to Security Profiles > DNS Filter.
b. Click Create new.
c. Enter a name.
d. Under the FortiGuard Category Based Filter, set the Education category to Redirect to Block Portal.
e. Click OK to save.
3. Apply the SSL profile and the DNS filter profile to an outbound firewall policy.

To configure DoT and DoH inspection in the CLI:

config firewall ssl-ssh-profile


edit "DoT-DoH"
config https
set ports 443
set status deep-inspection
end
config dot
set status deep-inspection
set quic inspect
end
end
config dnsfilter profile
edit "dnsfilter_fgd"
config ftgd-dns
config filters
edit 1


set category 30
set action block
next
end
end
set block-action redirect
set block-botnet disable
set redirect-portal 0.0.0.0
next
end

To review the results:

1. Using the kdig command, perform a DNS query over DoT to an education website:
kdig -d @1.1.1.1 +tls +header +all www.ubc.ca
;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(1.1.1.1), port
(853), protocol(TCP)
;; QUESTION SECTION:
;; www.ubc.ca. IN A
;; ANSWER SECTION:
www.ubc.ca. 60 IN A 208.91.112.55
;; Received 44 B
;; Time 2024-06-19 00:02:51 UTC
;; From 1.1.1.1@853(TCP) in 67.2 ms

The response is replaced by the Redirect Portal address of 208.91.112.55.


2. View the DNS log to verify:
# execute log filter field subtype dns
# execute log display
1: date=2024-06-18 time=17:02:52 eventtime=1718755371997279459 tz="-0700"
logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning"
vd="vdom1" policyid=1 poluuid="e0aa630a-2d34-51ef-2628-4db06034250d" policytype="policy"
sessionid=69603 srcip=10.1.100.11 srcport=56392 srccountry="Reserved" srcintf="port1"
srcintfrole="undefined" dstip=1.1.1.1 dstport=853 dstcountry="Australia" dstintf="port9"
dstintfrole="undefined" proto=6 profile="dnsfilter_fgd" xid=7695 qname="www.ubc.ca"
qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain belongs to a denied
category in policy" action="redirect" cat=30 catdesc="Education"

3. Similarly, perform a DNS query over DoH to an education website:


curl -H 'accept: application/dns-message' -v -k 'https://1.1.1.1/dns-query?dns=q80BAAABAAAAAAAAA3d3dwN1YmMCY2EAAAEAAQ' | hexdump

> GET /dns-query?dns=q80BAAABAAAAAAAAA3d3dwN1YmMCY2EAAAEAAQ HTTP/2


> Host: 1.1.1.1
> user-agent: curl/7.68.0
> accept: application/dns-message

{ [44 bytes data]


100 44 100 44 0 0 586 0 --:--:-- --:--:-- --:--:-- 594
* Connection #0 to host 1.1.1.1 left intact
0000000 cdab 8081 0100 0100 0000 0000 7703 7777


0000010 7503 6362 6302 0061 0100 0100 0cc0 0100


0000020 0100 0000 3c00 0400 5bd0 3770

The response indicates the address of 208.91.112.55 in hex.


4. View the DNS log to verify:
# execute log filter field subtype dns
# execute log display
1: date=2024-06-19 time=09:32:58 eventtime=1718814777347123199 tz="-0700"
logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning"
vd="vdom1" policyid=1 poluuid="e0aa630a-2d34-51ef-2628-4db06034250d" policytype="policy"
sessionid=110162 srcip=10.1.100.11 srcport=38952 srccountry="Reserved" srcintf="port1"
srcintfrole="undefined" dstip=1.1.1.1 dstport=443 dstcountry="Australia" dstintf="port9"
dstintfrole="undefined" proto=6 profile="dnsfilter_fgd" xid=43981 qname="www.ubc.ca"
qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain belongs to a denied
category in policy" action="redirect" cat=30 catdesc="Education"

Scenario 2

In the second scenario, the same configuration as Scenario 1 on page 362 is modified so that the DNS response is
blocked entirely.

To block the DNS response in the CLI:

config dnsfilter profile


edit "dnsfilter_fgd"
set block-action block
next
end

To review the results:

1. Using the kdig command, perform a DNS query over DoT to an education website.
There is no resolution for the DNS query.
2. View the DNS log to verify:
# execute log filter field subtype dns
# execute log display
1: date=2024-06-18 time=10:43:35 eventtime=1718732614247027641 tz="-0700"
logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning"
vd="vdom1" policyid=1 poluuid="e0aa630a-2d34-51ef-2628-4db06034250d" policytype="policy"
sessionid=45757 srcip=10.1.100.11 srcport=51786 srccountry="Reserved" srcintf="port1"
srcintfrole="undefined" dstip=1.1.1.1 dstport=853 dstcountry="Australia" dstintf="port9"
dstintfrole="undefined" proto=6 profile="dnsfilter_fgd" xid=13873 qname="www.mcgill.ca"
qtype="A" qtypeval=1 qclass="IN" msg="Domain belongs to a denied category in policy"
action="block" cat=30 catdesc="Education" rcode=3

3. Similarly, perform a DNS query over DoH to an education website.


There is no resolution for the DNS query.
4. View the DNS log to verify:
# execute log filter field subtype dns
# execute log display
1: date=2024-06-18 time=10:51:26 eventtime=1718733085808170153 tz="-0700"
logid="1501054803" type="utm" subtype="dns" eventtype="dns-response" level="warning"


vd="vdom1" policyid=1 poluuid="e0aa630a-2d34-51ef-2628-4db06034250d" policytype="policy"


sessionid=46252 srcip=10.1.100.11 srcport=38988 srccountry="Reserved" srcintf="port1"
srcintfrole="undefined" dstip=1.1.1.1 dstport=443 dstcountry="Australia" dstintf="port9"
dstintfrole="undefined" proto=6 profile="dnsfilter_fgd" xid=43981 qname="www.ubc.ca"
qtype="A" qtypeval=1 qclass="IN" msg="Domain belongs to a denied category in policy"
action="block" cat=30 catdesc="Education" rcode=3

Example 2: Stripping ECH information from DoH responses

DNS filters are used to strip ECH information from DNS responses, and force the browser to not use ECH for TLS
connections. The browser relies on the ECH information from DoH for ECH-enabled TLS connections.
In this example, a client sends a DNS message to query the public key for a destination. The ECH information in the DNS
response is stripped. Accessing the web page in the browser indicates that ECH is not used in the TLS connection.

To strip ECH information in the GUI:

1. Configure an SSL profile to perform DoT and DoH inspection with Certificate Inspection:
a. Go to Security Profiles > SSL/SSH Inspection.
b. Click Create new.
c. Enter a name.
d. Set Inspection method to SSL Certificate Inspection.
e. Click OK to save.
2. Configure a DNS filter profile:
a. Go to Security Profiles > DNS Filter.
b. Click Create new.
c. Enter a name.
d. Under Options, enable Strip Encrypted Client Hello service parameters.
e. Click OK to save.
3. Apply the SSL profile and the DNS filter profile to an outbound firewall policy.

To strip ECH information in the CLI:

config firewall ssl-ssh-profile


edit "DoT-DoH-Cert"
config https
set ports 443
set status certificate-inspection
set quic bypass
end
next
end


config dnsfilter profile


edit "dnsfilter_fgd"
set block-action redirect
set strip-ech enable
set redirect-portal 0.0.0.0
next
end

To review the results:

1. Using the dig command, perform a DNS query over DoH.


When strip-ech is disabled on the DNS profile, the result will return the ECH payload.
# dig @1.1.1.1 HTTPS tls-ech.dev +dnssec
; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @1.1.1.1 HTTPS tls-ech.dev +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8445
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
;EDNS: version: 0, flags: do; udp: 1232
;;QUESTION SECTION:
;tls-ech.dev. IN HTTPS

;; ANSWER SECTION:
tls-ech.dev. 60 IN HTTPS 1.
ech=AEn+DQBFKWAgACABWIHUGj4u+PIggYXcR5JF@gYk3dCRLoBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50
bHMtZWN0LmRldgAA

;;Query time: 118 msec


;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Mar 06 15:34:47 PST 2025
;; MSG SIZE rcvd: 134

When strip-ech is enabled on the DNS profile, the result will not return the ECH payload.
# dig @1.1.1.1 HTTPS tls-ech.dev +dnssec
; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @1.1.1.1 HTTPS tls-ech.dev +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
;EDNS: version: 0, flags: do; udp: 1232
;;QUESTION SECTION:
;tls-ech.dev. IN HTTPS

;; ANSWER SECTION:
tls-ech.dev. 60 IN HTTPS 1.

;;Query time: 81 msec


;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)


;; WHEN: Thu Mar 06 15:37:16 PST 2025


;; MSG SIZE rcvd: 55

2. Using the browser, navigate to the website https://tls-ech.dev.

This website indicates that ECH is not used. This is due to the ECH payload being stripped from the DNS response.
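What Examples 1 and 2 show on the wire, as an added example (not FortiOS code): decoding the `curl ... | hexdump` DoH response from Example 1 back into the A record 208.91.112.55, and the rewrite that `set strip-ech enable` performs in Example 2, removing the ech SvcParam (SvcParamKey 5, RFC 9460) from an HTTPS record while the record's other parameters stay. The hexdump is copied from Example 1; the HTTPS response is constructed here with a dummy ech blob, shaped like the dig answer for tls-ech.dev.

```python
"""Decode DNS responses and strip the ECH SvcParam from HTTPS records (added example)."""
import struct

TYPE_A, TYPE_HTTPS, SVCPARAM_ECH = 1, 65, 5

# The three `hexdump` lines from Example 1 (offset column, then 16-bit little-endian words).
DOH_HEXDUMP = """\
0000000 cdab 8081 0100 0100 0000 0000 7703 7777
0000010 7503 6362 6302 0061 0100 0100 0cc0 0100
0000020 0100 0000 3c00 0400 5bd0 3770"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw message: each 4-digit word is a little-endian byte pair."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:
            value = int(word, 16)
            out += bytes([value & 0xFF, value >> 8]) if len(word) == 4 else bytes([value])
    return bytes(out)

def read_name(msg: bytes, off: int) -> tuple:
    """Read a possibly compressed name; return (dotted name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a dotted name; "." becomes a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; rdata offsets are kept for rewriting."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": msg[off:off + rdlen], "rdata_offset": off})
        off += rdlen
    return {"id": ident, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def a_records(msg: bytes) -> list:
    """Dotted IPv4 addresses from the A answers of a response."""
    return [".".join(str(b) for b in a["rdata"]) for a in parse_response(msg)["answers"] if a["type"] == TYPE_A]

def parse_svcb_rdata(rdata: bytes) -> tuple:
    """HTTPS/SVCB RDATA (RFC 9460) -> (SvcPriority, TargetName, [(SvcParamKey, value), ...])."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = read_name(rdata, 2)                  # TargetName is never compressed
    params = []
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        params.append((key, rdata[off + 4:off + 4 + length]))
        off += 4 + length
    return priority, target, params

def build_svcb_rdata(priority: int, target: str, params: list) -> bytes:
    head = struct.pack("!H", priority) + encode_name(target)
    return head + b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)

def strip_ech(msg: bytes) -> bytes:
    """Copy the response, dropping the ech SvcParam (and fixing RDLENGTH) in every HTTPS answer.
    Assumes answer-name pointers target the question section, as in the dig output above."""
    out, cursor = bytearray(), 0
    for ans in parse_response(msg)["answers"]:
        if ans["type"] != TYPE_HTTPS:
            continue
        priority, target, params = parse_svcb_rdata(ans["rdata"])
        rdata = build_svcb_rdata(priority, target, [p for p in params if p[0] != SVCPARAM_ECH])
        start = ans["rdata_offset"]
        out += msg[cursor:start - 2] + struct.pack("!H", len(rdata)) + rdata
        cursor = start + len(ans["rdata"])
    return bytes(out + msg[cursor:])

# Constructed sample shaped like the dig answer in Example 2: HTTPS record for tls-ech.dev
# with priority 1, target ".", alpn=h2 and a dummy ech blob (not a real ECHConfigList).
SAMPLE_ECH_BLOB = bytes.fromhex("0049fe0d0045")

def sample_https_response() -> bytes:
    header = struct.pack("!6H", 0x20FD, 0x8180, 1, 1, 0, 0)
    question = encode_name("tls-ech.dev.") + struct.pack("!HH", TYPE_HTTPS, 1)
    rdata = build_svcb_rdata(1, ".", [(1, b"\x02h2"), (SVCPARAM_ECH, SAMPLE_ECH_BLOB)])
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_HTTPS, 1, 60, len(rdata)) + rdata
```

One caveat worth keeping in mind: rewriting RDATA invalidates any RRSIG that covers the HTTPS RRset, so a DNSSEC-validating stub resolver would reject a signed answer after stripping. The dig output above shows an unsigned answer (no RRSIG in the answer section despite +dnssec), which is why the browser simply falls back to a plain Client Hello.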

Example 3: Blocking TLS connections with certificate inspection when ECH is used in the TLS
handshake through the FortiGate

In this example, an SSL/SSH inspection profile is configured to block TLS connections from some SNIs when ECH is
used in the TLS handshake. Client messages with the outer SNI public.tls-ech.dev are blocked.

A web filter block message will be shown when trying to connect directly to public.tls-ech.dev. And accessing the web
page tls-ech.dev, which uses public.tls-ech.dev in its outer SNI, will show that the client is not using ECH.

To configure TLS connection blocking in the CLI:

config firewall ssl-ssh-profile


edit "block_ech_cert"
config https
set ports 443
set status certificate-inspection
set quic bypass
end
next
end
config ech-outer-sni
edit "3"
set sni "public.tls-ech.dev"
next
end
config webfilter profile
edit "webfilter"
next
end
config firewall policy


edit 1
set name "TLS-ECH-block"
set srcintf "port1"
set dstintf "port9"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set profile-protocol-options "protocol"
set ssl-ssh-profile "block_ech_cert"
set webfilter-profile "webfilter"
set logtraffic all
set nat enable
next
end

To review the results:

1. Using the browser, navigate to the website https://tls-ech.dev.

The page tls-ech.dev uses ECH to encrypt the SNI field and adds a new outer SNI of public.tls-ech.dev. The
browser will initially try to establish an ECH-enabled TLS connection to public.tls-ech.dev, but that will be blocked,
forcing the browser to reconnect without ECH. As a result, the page tls-ech.dev loads and indicates that ECH is not
used.

For QUIC sessions that utilize ECH, flow mode inspection is also able to strip ECH and
fall back to a connection that does not use ECH.
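The decision this example describes, written out as added example code (not FortiOS code): under certificate inspection only the outer Client Hello is visible, so a policy can act on the two things it carries in clear, the encrypted_client_hello extension and the outer server_name. The Client Hello builder, its fixed random value and the blocked-SNI set are constructed for the example; the set mirrors the `config ech-outer-sni` entry above.

```python
"""Inspect a TLS ClientHello for the ECH extension and its outer SNI (added example)."""
import struct

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D                              # encrypted_client_hello (draft-ietf-tls-esni)
BLOCKED_OUTER_SNI = {"public.tls-ech.dev"}    # mirrors `config ech-outer-sni` in Example 3

def parse_client_hello(record: bytes) -> dict:
    """Return the outer SNI and whether an ECH extension is present in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32                                     # handshake header, legacy_version, random
    off += 1 + hs[off]                                   # legacy_session_id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher_suites
    off += 1 + hs[off]                                   # legacy_compression_methods
    end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    info = {"sni": None, "ech": False, "ech_type": None}
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        data = hs[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SERVER_NAME:                     # ServerNameList: len(2) type(1) len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == EXT_ECH:
            info["ech"] = True
            info["ech_type"] = data[0]                   # 0 = outer ClientHello, 1 = inner
    return info

def decide(record: bytes) -> str:
    """Block an ECH ClientHello whose outer SNI is listed; everything else continues to inspection."""
    info = parse_client_hello(record)
    return "block" if info["ech"] and info["sni"] in BLOCKED_OUTER_SNI else "allow"

def build_client_hello(sni: str, ech: bool) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello record used as sample input (fixed random)."""
    name = sni.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if ech:
        # ECHClientHello (outer): type 0, HPKE suite, config_id, enc, payload; dummy bytes here
        ech_data = (b"\x00" + b"\x00\x01\x00\x01" + b"\x2a"
                    + struct.pack("!H", 4) + b"\x11" * 4 + struct.pack("!H", 8) + b"\x22" * 8)
        exts += struct.pack("!HH", EXT_ECH, len(ech_data)) + ech_data
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # legacy_version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"           # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

After the block, the browser's retry carries no ECH extension and the real server name in its SNI, which is why tls-ech.dev then loads and reports that ECH is not in use. The page states that the rule applies when ECH is used, so the example only blocks when both conditions hold: the ECH extension is present and the outer SNI is on the list.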

Inline CASB security profile to support control factors in exchanged JSON data for
custom SaaS applications - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l Support control factors in exchanged JSON data for custom SaaS applications

Introduced in FortiOS 7.4.1, the inline CASB security profile enables the FortiGate to perform granular control over SaaS
applications directly on firewall policies. In FortiOS 7.6.3, the inline CASB security profile has been enhanced to support
control factors such as tenant information in JSON data exchanged between a web browser and a custom SaaS
application. For example, in some custom SaaS applications the URL does not change to reflect the type or identity of
the user or organization that is logged in, because such tenant information is exchanged using JSON data instead of through
changes in the URL. With this enhancement, JSON data can be extracted using JQ filters (see
https://jqlang.org/manual/v1.5/#basic-filters).

Example

In CASB filtering, the administrator wants to distinguish between two types of users in different categories, and assign
different actions accordingly.
The following two SaaS application requests will be made:
curl -k https://httpbin.org/headers -H "Partners-Data: {'company': 'contractorsA'}"
curl -k https://httpbin.org/headers -H "Partners-Data: {'company': 'contractorsB'}"

Sending the CURL request for contractorsA as:


GET /headers HTTP/2.0
Host: httpbin.org
user-agent: curl/7.68.0
accept: */*
partners-data: {'company': 'contractorsA'}

Traffic is classified based on the tenant information company in the HTTP request header Partners-Data. Traffic from
contractorsA is authorized and monitored, and traffic from contractorsB is blocked.
This information is transported in a JSON structure within the request, so the JQ tenant extraction feature is used.

To configure a CASB SaaS application in the GUI:

1. Go to Security Profiles > Inline-CASB and select the SaaS Application tab.
2. Click Create New.
3. Enter a Name, such as httpbin.
4. Enter the Domains, such as httpbin.org.
5. In Tenant Controls, select the Output controls tab and then click Create New.
6. Enter the Attribute, such as company, then click OK.

7. Click OK.


To configure a CASB profile in the GUI:

1. Go to Security Profiles > Inline-CASB and, on the Profile tab, click Create New.
2. Enter a Name, such as casbProfile.
3. In the SaaS applications table, click Create New.
4. Select the httpbin custom application (custom applications are at the bottom of the list), then click Next.

5. In the Custom controls table, click Create New.


6. Enter a Name, such as partners.
7. Enable URL path and set it to /headers. This is how the user activity (UA) will be identified. The administrator needs to
find a way to recognize this traffic, which can be done using the path, a special header/value pair, or the URL
domain name.
8. Enable Apply this control to specific tenants.
9. Set Apply when HTTP packet matches to Header, because in this case the JSON is in the HTTP header.
10. Set Header value to Partners-Data.
11. Set jq filter to .[].company. This is the tenant extraction field; it tells the FortiGate to extract the company field from
the JSON structure that is in the HTTP request header.

12. In the Apply action by attribute match table click Create New.


13. Configure the tenant information for contractorsA:

Field            Value
Name             contractorsA
Attribute        company
Match pattern    substring
Value            contractorsA

14. Click OK, then click Create New again to configure the tenant information for contractorsB:

Field            Value
Name             contractorsB
Attribute        company
Match pattern    substring
Value            contractorsB

15. Click OK.


16. In the Apply action by attribute match table, select contractorsB and click Set Action > Block.


17. Click OK to save the custom control.


18. Click OK to save the SaaS application rules.

19. Click OK to save the CASB profile.

To configure a CASB SaaS application in the CLI:

config casb saas-application


edit "httpbin"
set domains "httpbin.org"
config output-attributes
edit "company"
next
end
next
end

To configure a CASB profile in the CLI:

1. Configure CASB user activity:


config casb user-activity
edit "httpbin-partners"


set application "httpbin"


set category other
config match
edit 1
config rules
edit 1
set type path
set match-value "/headers"
next
end
config tenant-extraction
set status enable
set jq ".\"req-headers\".[].company"
config filters
edit 1
set header-name "Partners-Data"
next
end
end
next
end
next
end

2. Configure CASB attribute match rules:


config casb attribute-match
edit "httpbin-contractorsA"
set application "httpbin"
config match
edit 1
config rule
edit 1
set attribute "company"
set match-pattern substr
set match-value "contractorsA"
next
end
next
end
next
edit "httpbin-contractorsB"
set application "httpbin"
config match
edit 1
config rule
edit 1
set attribute "company"
set match-pattern substr
set match-value "contractorsB"
next
end
next
end
next
end


3. Configure a CASB profile:


config casb profile
edit "casbProfile"
config saas-application
edit "httpbin"
config custom-control
edit "httpbin-partners"
config attribute-filter
edit 1
set attribute-match "httpbin-contractorsA"
set action monitor
next
edit 2
set attribute-match "httpbin-contractorsB"
set action block
next
end
next
end
next
end
next
end

To test the profile:

1. Make the following two SaaS application requests:


curl -k https://httpbin.org/headers -H "Partners-Data: {'company': 'contractorsA'}"
curl -k https://httpbin.org/headers -H "Partners-Data: {'company': 'contractorsB'}"

2. Check the logs to see that the SaaS application request for contractorsA is passed and a log is generated:
1: date=2025-03-22 time=00:25:19 eventtime=1742628319441656177 tz="-0700"
logid="2500010002" type="utm" subtype="casb" eventtype="casb" level="information"
vd="vdom1" policyid=1 poluuid="e0a45778-05e0-51f0-d77d-e4e8a02811e2" policytype="policy"
sessionid=7535 srcip=10.1.100.13 dstip=54.236.151.211 srcport=46476 dstport=443
srcintf="lan" srcintfrole="undefined" srcuuid="bcbee936-05e0-51f0-5712-f0e95616dde0"
dstintf="mgmt" dstintfrole="lan" dstuuid="bcbee936-05e0-51f0-5712-f0e95616dde0" proto=6
url="https://httpbin.org/headers" action="monitor" profile="casbProfile"
saasapp="httpbin" useractivity="httpbin-partners" subaction="monitor"
tenantmatch="matched" activitycategory="other" msg="CASB access was monitored because it
contained activity."

3. In the GUI, go to Log & Report > Security Events and view the Inline-CASB event logs.


4. Confirm that the SaaS application request for contractorsB is blocked, as its sub-action is set to block.
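How the custom control configured above is evaluated, as an added example in plain Python (not FortiOS code): the user-activity path rule, the jq tenant extraction and the ordered attribute filter. The page does not describe the document the FortiGate hands to the jq filter; this example assumes the matched header's JSON is placed under a "req-headers" object, which is what the CLI filter `."req-headers".[].company` implies. The sample requests are constructed with strict JSON (double quotes), since the single-quoted values in the curl commands above are not valid JSON for `json.loads`.

```python
"""Evaluate the CASB custom control from this example: path rule, jq tenant extraction,
ordered attribute match (added example, not FortiOS code)."""
import json
import re

# The jq subset this page uses: `.key`, `."quoted-key"` and `.[]`, chained.
TOKEN = re.compile(r'\.\[\]|\."[^"]+"|\.[A-Za-z0-9_-]+')

def jq_select(doc, expr: str) -> list:
    """Evaluate a chained jq path filter. Like jq, a filter may yield several values."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unsupported jq syntax: {expr!r}")
    values = [doc]
    for tok in tokens:
        nxt = []
        for v in values:
            if tok == ".[]":                     # iterate the values of an object or array
                nxt.extend(v.values() if isinstance(v, dict) else v if isinstance(v, list) else [])
            else:
                key = tok[2:-1] if tok.startswith('."') else tok[1:]
                if isinstance(v, dict) and key in v:
                    nxt.append(v[key])
        values = nxt
    return values

# The user activity and attribute filter from the CLI steps above, as plain data.
USER_ACTIVITY = {"path": "/headers", "header_name": "Partners-Data",
                 "jq": '."req-headers".[].company'}
ATTRIBUTE_FILTER = [   # evaluated in order, as `config attribute-filter` lists them
    {"match": "httpbin-contractorsA", "attribute": "company", "pattern": "substr",
     "value": "contractorsA", "action": "monitor"},
    {"match": "httpbin-contractorsB", "attribute": "company", "pattern": "substr",
     "value": "contractorsB", "action": "block"},
]

def matches(rule: dict, value: str) -> bool:
    if rule["pattern"] == "substr":          # the only match-pattern used on this page
        return rule["value"] in value
    raise ValueError(f"match-pattern {rule['pattern']!r} not implemented in this example")

def evaluate_request(path: str, headers: dict) -> dict:
    """Classify one request: UA path rule, then tenant extraction, then the attribute filter."""
    if path != USER_ACTIVITY["path"]:
        return {"activity": False, "tenant": None, "action": None}
    wanted = USER_ACTIVITY["header_name"].lower()
    selected = {}
    for name, value in headers.items():      # header names are case-insensitive
        if name.lower() == wanted:
            try:
                selected[name] = json.loads(value)
            except json.JSONDecodeError:
                pass                         # a non-JSON header value yields no tenant
    # Assumption: the selected header's parsed JSON sits under "req-headers" for the jq filter.
    tenants = [t for t in jq_select({"req-headers": selected}, USER_ACTIVITY["jq"]) if isinstance(t, str)]
    for tenant in tenants:
        attrs = {"company": tenant}          # the output attribute defined on the SaaS application
        for rule in ATTRIBUTE_FILTER:
            if rule["attribute"] in attrs and matches(rule, attrs[rule["attribute"]]):
                return {"activity": True, "tenant": tenant, "action": rule["action"], "rule": rule["match"]}
    # The page does not state what happens when the tenant matches no rule; report it as such.
    return {"activity": True, "tenant": tenants[0] if tenants else None, "action": None}
```

The `.[]` step is what makes the GUI filter `.[].company` and the CLI filter `."req-headers".[].company` equivalent in this model: it iterates over the header values, so the company field is found whatever the header is named, while the header-name filter limits which headers are parsed at all.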

VPN

This section includes information about VPN-related new features:


l IPsec and SSL VPN or Agentless VPN on page 376

IPsec and SSL VPN or Agentless VPN

Starting from FortiOS 7.6.3, SSL VPN web mode is renamed Agentless VPN.

This section includes information about IPsec and SSL VPN or Agentless VPN related new features:
l Automatic selection of IPsec tunneling protocol on page 376
l Security posture tag match enforced before dial-up IPsec VPN connection on page 381
l Enhancing security with Post-Quantum Cryptography for IPsec key exchange 7.6.1 on page 385
l Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3 on page 392
l Agentless VPN 7.6.3 on page 413
l Configure FortiClient SIA for IPsec VPN tunnels 7.6.3 on page 413
l Support Quantum Key Distribution and Digital Signature Algorithm Post-Quantum Cryptography 7.6.3 on page 417

Automatic selection of IPsec tunneling protocol

This information is also available in the FortiOS 7.6 Administration Guide:


l Encapsulate ESP packets within TCP headers

With IKE version 2, you can now enable automatic selection of the IPsec tunneling protocol. Initially, IKE uses UDP
encapsulation. If the UDP connection fails to establish within the defined threshold, FortiOS automatically
transitions to TCP for performance and reliability.
In the config vpn ipsec phase1-interface command, the set transport udp-fallback-tcp option has been
renamed set transport auto, and set fallback-tcp-threshold has been renamed set auto-transport-threshold.
The config vpn ipsec phase1-interface command now contains the following options:
config vpn ipsec phase1-interface
edit <name>
set ike-version 2
set transport {auto | udp | tcp}
set auto-transport-threshold <integer>
next
end


set transport {auto | udp | tcp}        Set the IKE transport protocol:
                                         l auto: use UDP transport for IKE, with fallback to TCP transport.
                                         l udp: use UDP transport for IKE.
                                         l tcp: use TCP transport for IKE.
                                         This command is available when ike-version is set to 2.
set auto-transport-threshold <integer>   How long to wait for the UDP connection to establish before falling
                                         IKE/IPsec traffic back to TCP, in seconds (1 to 300, default = 15).

In the GUI, the VPN Wizard can be used to set the IKE transport protocol.

To set the IKE transport protocol in the GUI:

1. Go to VPN > VPN Wizard.


2. Enter a Tunnel name.
3. For Select a template, select Site to Site, and click Begin.
4. Configure the Remote Site settings as required, and click Next.
5. Under VPN tunnel, set the Transport protocol as needed.

The Use Fortinet encapsulation option displays only when Transport is set to TCP
encapsulation. See Encapsulate ESP packets within TCP headers for more information.
When Transport is set to Auto, you can adjust the threshold for switching to
TCP encapsulation by using the set auto-transport-threshold command.

6. Configure the remaining settings as needed.


Example

In this example, FGT-A has IPsec phase 1 configured for automatic protocol selection with a failover threshold of 3
seconds. By default, FGT-A encapsulates IKE packets in UDP. Because the UDP connection fails to establish within
the defined threshold of 3 seconds, TCP is automatically used instead.

To configure automatic protocol selection:

1. Configure FGT-A (spoke):


a. Configure the IPsec phase 1 settings for automatic protocol selection.
In this example, IKE version is set to 2 with automatic transport enabled and a timeout threshold of 3.
config vpn ipsec phase1-interface
edit "tofgtd"
set interface "port9"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set transport auto
set auto-transport-threshold 3
set remote-gw 173.1.1.1
set psksecret **********
next
end

b. Configure the IPsec phase 2 settings:

config vpn ipsec phase2-interface


edit "tofgtd"
set phase1name "tofgtd"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-subnet 10.1.100.0 255.255.255.0
next
end


2. Configure FGT-D (hub):


a. Configure the IPsec phase 1 settings:

config vpn ipsec phase1-interface


edit "tofgta"
set type dynamic
set interface "port8"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set transport auto
set psksecret **********
set dpd-retryinterval 60
next
end

b. Configure the IPsec phase 2 settings:

config vpn ipsec phase2-interface


edit "tofgta"
set phase1name "tofgta"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end

3. On FGT-D (hub), verify the IPsec VPN tunnel state:


By default, the IKE message is sent using UDP, but the UDP connection fails to establish within the timeout
threshold of 3 seconds, so the TCP transport protocol is automatically used instead:
# diagnose debug application ike -1

ike V=root:0: cache rebuild start


ike V=root:0:tofgtd: local:11.101.1.1, remote:173.1.1.1
ike V=root:0:tofgtd: cached as static-ddns.
ike V=root:0: cache rebuild done
ike V=root:0:tofgtd: restoring
ike V=root:0:tofgtd:tofgtd: created connection: 0xc3281b0 15 11.101.1.1->173.1.1.1:500.
ike V=root:0:tofgtd:tofgtd: chosen to populate IKE_SA traffic-selectors
ike V=root:0:tofgtd: no suitable IKE_SA, queuing CHILD_SA request and initiating
IKE_SA negotiation
ike V=root:0:tofgtd:0: generate DH public value request queued
ike V=root:0:tofgtd:0: create NAT-D hash local 11.101.1.1/500 remote 173.1.1.1/500
ike 0:tofgtd:0: out
8994F030780AAA660000000000000000212022080000000000000278220000F002000034010100050300000C0100000C800E00800300000802000005030000080300000C0300000804000005000000080400000E02000034020100050300000C0100000C800E01000300000802000005030000080300000C0300000804000005000000080400000E0200002C030100040300000C0100001480 0E008003000008020000050300000804000005000000080400000E0200002C040100040300000C01000014800E010003000008020000060300000804000005000000080400000E0000002C0501000403000 00C0100001C800E010003000008020000050300000804000005000000080400000E28000108000E00004872689DAFB661C0AB548E3ACB11EB4F103375F65DF62B0C125091C2A9432D9C813EBE7F15456AEA4A4977BBDF623C371BD57AA72CB756E409EAF41C3AC827F72A48306FF9D0444D5D8C0A48B516AB6923387286C8B669073CEBED027F4555F7192293350C2E46DFD50E536B8781109F3D0247C9EE2DCC0893F28B1EC5CF68F7911AAD7937C61223CC7A1A03492C70E48559C462F9E4581EF7B3039FBBBF006F518F9B58AB4FDC8690ADCC0F24234612B89C9087D580E6D32451058A131BEA77FB31DCE100A6DBD38CA04A18F650A442B33DC71209275BCCCBC7D72D81304453DB7BFCD161AE5427B17F8BE75E1E1FF24A66D2D95B2F1B451EB47B42FA207B9A290000240F07B9E8BCC75601A050A9F7328158588F21796161E93F5BBD40C01655CC5FB82900001C000040043087B6D2B7AB7F74D6574F1AED0BD831067CA86D2900001C00004005DF7F5E0FF0BDE220F8F7BA03E566EDAE56814327000000080000402E
ike V=root:0:tofgtd:0: sent IKE msg (SA_INIT): 11.101.1.1:500->173.1.1.1:500, len=632, vrf=0, id=8994f030780aaa66/0000000000000000, oif=15
ike 0:tofgtd:0: out
8994F030780AAA660000000000000000212022080000000000000278220000F002000034010100050300000C0100000C800E00800300000802000005030000080300000C0300000804000005000000080400000E02000034020100050300000C0100000C800E01000300000802000005030000080300000C0300000804000005000000080400000E0200002C030100040300000C01000014800E008003000008020000050300000804000005000000080400000E0200002C040100040300000C01000014800E010003000008020000060300000804000005000000080400000E0000002C050100040300000C0100001C800E010003000008020000050300000804000005000000080400000E28000108000E00004872689DAFB661C0AB548E3ACB11EB4F103375F65DF62B0C125091C2A9432D9C813EBE7F15456AEA4A4977BBDF623C371BD57AA72CB756E409EAF41C3AC827F72A48306FF9D0444D5D8C0A48B516AB6923387286C8B669073CEBED027F4555F7192293350C2E46DFD50E536B8781109F3D0247C9EE2DCC0893F28B1EC5CF68F7911AAD7937C61223CC7A1A03492C70E48559C462F9E4581EF7B3039FBBBF006F518F9B58AB4FDC8690ADCC0F24234612B89C9087D580E6D32451058A131BEA77FB31DCE100A6DBD38CA04A18F650A442B33DC71209275BCCCBC7D72D81304453DB7BFCD161AE5427B17F8BE75E1E1FF24A66D2D95B2F1B451EB47B42FA207B9A290000240F07B9E8BCC75601A050A9F7328158588F21796161E93F5BBD40C01655CC5FB82900001C000040043087B6D2B7AB7F74D6574F1AED0BD831067CA86D2900001C00004005DF7F5E0FF0BDE220F8F7BA03E566EDAE56814327000000080000402E
ike V=root:0:tofgtd:0: sent IKE msg (RETRANSMIT_SA_INIT): 11.101.1.1:500->173.1.1.1:500, len=632, vrf=0, id=8994f030780aaa66/0000000000000000, oif=15
ike V=root:0:tofgtd:0: auto transport timeout, use tcp port 4500

ike V=root:creates tcp-transport(vd=0, vrf=0, intf=15:15, 11.101.1.1:3599->173.1.1.1:4500 sock=37 refcnt=2 ph1=0xc3208c0) (1).
ike V=root:0:tofgtd:0: generate DH public value request queued
ike V=root:0:tofgtd:0: create NAT-D hash local 11.101.1.1/3599 remote 173.1.1.1/4500
ike V=root:0:tofgtd:0: auto transport timeout, use tcp port 4500
ike V=root:0:tofgtd:0: auto transport tcp already up
ike V=root:0: comes 173.1.1.1:4500->11.101.1.1:3599,ifindex=15,vrf=0,len=424....
ike V=root:0: IKEv2 exchange=SA_INIT_RESPONSE id=8994f030780aaa66/8b1f744987714238
len=424
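What the SA_INIT dump above actually carries, decoded by an added example (not FortiOS code) that parses the page's own 632 bytes with the extraction line breaks removed: the IKE header, the payload chain, one SA proposal per `set proposal` entry on the spoke, the Diffie-Hellman group in the KE payload, and the NAT_DETECTION notifies that let both peers detect NAT before any transport fallback. Payload, exchange and notify names follow RFC 7296 and RFC 7383.

```python
"""Decode the IKEv2 IKE_SA_INIT request printed by `diagnose debug application ike -1`
(added example, not FortiOS code)."""
import struct

# The 632-byte SA_INIT dump from the debug output above, page line breaks removed.
SA_INIT_HEX = (
    "8994F030780AAA660000000000000000212022080000000000000278220000F00200003401010005030"
    "0000C0100000C800E00800300000802000005030000080300000C0300000"
    "804000005000000080400000E02000034020100050300000C0100000C800E0100030000080200000503"
    "0000080300000C0300000804000005000000080400000E0200002C030100040300000C0100001480"
    "0E008003000008020000050300000804000005000000080400000E0200002C040100040300000C01000"
    "014800E010003000008020000060300000804000005000000080400000E0000002C0501000403000"
    "00C0100001C800E010003000008020000050300000804000005000000080400000E28000108000E0000"
    "4872689DAFB661C0AB548E3ACB11EB4F103375F65DF62B0C125091C2A9432D9C813EBE7F15456AEA"
    "4A4977BBDF623C371BD57AA72CB756E409EAF41C3AC827F72A48306FF9D0444D5D8C0A48B516AB69233"
    "87286C8B669073CEBED027F4555F7192293350C2E46DFD50E536B8781109F3D0247C9EE2DCC0893F"
    "28B1EC5CF68F7911AAD7937C61223CC7A1A03492C70E48559C462F9E4581EF7B3039FBBBF006F518F9B"
    "58AB4FDC8690ADCC0F24234612B89C9087D580E6D32451058A131BEA77FB31DCE100A6DBD38CA04A"
    "18F650A442B33DC71209275BCCCBC7D72D81304453DB7BFCD161AE5427B17F8BE75E1E1FF24A66D2D95"
    "B2F1B451EB47B42FA207B9A290000240F07B9E8BCC75601A050A9F7328158588F21796161E93F5BB"
    "D40C01655CC5FB82900001C000040043087B6D2B7AB7F74D6574F1AED0BD831067CA86D2900001C0000"
    "4005DF7F5E0FF0BDE220F8F7BA03E566EDAE56814327000000080000402E"
)

EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK"}
NOTIFY = {16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
          16430: "IKEV2_FRAGMENTATION_SUPPORTED"}
TRANSFORM = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
ATTR_KEY_LENGTH = b"\x80\x0e"        # AF bit set, attribute type 14 (RFC 7296 3.3.5)

def parse_header(msg: bytes) -> dict:
    """IKE header (RFC 7296 3.1): SPIs, first payload, version, exchange, flags, id, length."""
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", msg[:28])
    return {"initiator_spi": f"{ispi:016x}", "responder_spi": f"{rspi:016x}", "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, exch),
            "initiator": bool(flags & 0x08), "message_id": msg_id, "length": length}

def iter_payloads(msg: bytes, first: int):
    """Walk the generic payload chain: each header names the type of the payload after it."""
    off, ptype = 28, first
    while ptype != 0 and off + 4 <= len(msg):
        nxt, _flags, plen = struct.unpack("!BBH", msg[off:off + 4])
        yield ptype, msg[off + 4:off + plen]
        ptype, off = nxt, off + plen

def parse_sa(body: bytes) -> list:
    """SA payload -> proposals, each a list of (transform type, transform id, key length or None)."""
    proposals, off = [], 0
    while off < len(body):
        _more, _r, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _tmore, _r, tlen, ttype, _r2, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            attr = body[toff + 8:toff + tlen]
            keylen = struct.unpack("!H", attr[2:4])[0] if attr[:2] == ATTR_KEY_LENGTH else None
            transforms.append((TRANSFORM.get(ttype, ttype), tid, keylen))
            toff += tlen
        proposals.append({"num": num, "protocol": proto, "transforms": transforms})
        off += plen
    return proposals

def summarize(hexdump: str) -> dict:
    """Header plus the parts of the payload chain a reviewer of the debug output cares about."""
    msg = bytes.fromhex(hexdump)
    hdr = parse_header(msg)
    out = {"header": hdr, "payloads": [], "proposals": [], "dh_group": None, "notifies": []}
    for ptype, body in iter_payloads(msg, hdr["next_payload"]):
        out["payloads"].append(PAYLOAD.get(ptype, ptype))
        if ptype == 33:
            out["proposals"] = parse_sa(body)
        elif ptype == 34:                      # KE: DH group (2 bytes), reserved, key data
            out["dh_group"] = struct.unpack("!H", body[:2])[0]
        elif ptype == 41:                      # N: protocol id, SPI size, notify type, SPI, data
            out["notifies"].append(NOTIFY.get(struct.unpack("!H", body[2:4])[0], "?"))
    return out
```

The five proposals correspond to the five entries of `set proposal` on FGT-A (aes128-sha256, aes256-sha256, aes128gcm-prfsha256, aes256gcm-prfsha384, chacha20poly1305-prfsha256), and the key-length attribute is what distinguishes the two AES-CBC and the two AES-GCM entries. The retransmitted message later in the output is byte-for-byte the same, so the same summary applies: the spoke keeps retrying the identical SA_INIT over UDP until the auto-transport threshold expires and then re-creates the exchange over TCP port 4500, as the `auto transport timeout` lines show.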

Security posture tag match enforced before dial-up IPsec VPN connection

This information is also available in the FortiOS 7.6 Administration Guide:


l Enforcing security posture tag match before dial-up IPsec VPN connection

In an IPsec dial-up VPN configuration, an option is added to enforce ZTNA security posture tag matching before
establishing a VPN tunnel. When a tag is defined on an IKEv2 IPsec tunnel, the client IP addresses that are resolved by
that tag will be allowed to establish connection to the tunnel. When multiple tags are used, tags are checked sequentially
until a match is made. If no tags match, then the client cannot establish a VPN connection.
The following settings have been added:
config vpn ipsec phase1-interface
edit <name>
set ike-version 2
set remote-gw-match {any | ipmask | iprange | geography | ztna}
set remote-gw-ztna-tags <IPv4 ZTNA posture tags>
next
end

When set remote-gw-match ztna is enabled, remote-gw-ztna-tags can be configured.


FortiOS 7.6.1 adds GUI support. See GUI support for security posture tags in dial-up IPsec VPN tunnels 7.6.1 on page 59.

Example

A PC (172.16.200.242) makes a connection to the dial-up VPN gateway (172.16.200.4). The following example
configuration and outputs show a successful connection with a matching ZTNA security posture tag
(EMS1_ZTNA_all_registered_clients) and an unsuccessful connection when a ZTNA security posture tag cannot be matched.

It is assumed that the following mandatory pre-configurations are complete before configuring VPN:


l FortiGate has established a connection with FortiClient EMS and has synchronized the ZTNA security posture tags,
including the EMS1_ZTNA_all_registered_clients tag.
l FortiClient is registered to EMS and has the ZTNA security posture tag (EMS1_ZTNA_all_registered_clients).

To configure the VPN gateway with the CLI:

config vpn ipsec phase1-interface


edit "dialup"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set eap enable
set eap-identity send-request
set authusrgrp "local-group"
set remote-gw-match ztna
set remote-gw-ztna-tags "EMS1_ZTNA_all_registered_clients"
set psksecret xxxxxxxx
next
end
config vpn ipsec phase2-interface
edit "DY"
set phase1name "dialup"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end

Results

When a client (172.16.200.242) has the appropriate ZTNA security posture tag, it is synchronized to FortiClient EMS and
FortiGate.

To view the IP address that the tag resolves to:

# diagnose firewall dynamic list EMS1_ZTNA_all_registered_clients

CMDB name: EMS1_ZTNA_all_registered_clients
TAG name: all_registered_clients
EMS1_ZTNA_all_registered_clients: ID(6)
ADDR(172.16.200.242)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.

The address resolves to the IP address that is configured on the client endpoint. It does not resolve to the NAT’d public
IP address when the client is behind NAT. In other words, the address resolves to the IP Address in the following
output, and not the Public IP Address:
# diagnose endpoint ec-shm list

Record #0:
IP Address = 172.16.200.242
MAC Address = **:**:**:**:67:74
MAC list =
VDOM = root (0)
TOKEN VDOM = (-1)
EMS serial number: FCTEMS***********
EMS tenant id: *************1EDB589FBC4626
Client cert SN: *************60ACA9FE283DEEC3B
Public IP address: *************
Quarantined: no
Online status: online
Registration status: registered
On-net status: on-net
Gateway Interface: port1
FortiClient version: 7.2.4

Number of Routes: (1)
Gateway Route #0:
- IP:172.16.200.242, MAC: **:**:**:**:67:74, VPN: no
- Interface:port1, VDOM:root (0), SN: FG5H*************

From the PC1 client, establish a tunnel with the FortiGate VPN gateway. With IKE debugging enabled, the following debug output shows the security posture tag being matched:
# diagnose debug application ike -1

ike V=root:0:DY:155: received FCT-UID : 6108A9179A5C40D7BD57504E15114C1F
ike V=root:0:DY:155: received EMS SN : FCTEMS***********
ike V=root:0:DY:155: received EMS tenant ID : *************1EDB589FBC4626
ike V=root:0:DY:155: peer identifier IPV4_ADDR 172.16.200.242
ike V=root:0:DY:155: re-validate gw ID
ike V=root:0:DY:155: gw validation OK
ike V=root:0:DY:155: responder preparing EAP identity request

The following tunnel output indicates a dial-up tunnel has been established:
# diagnose vpn ike gateway list
vd: root/0
name: dialup_0
version: 2
interface: port1 9
addr: 172.16.200.4:500 -> 172.16.200.242:500
tun_id: 10.212.134.200/::10.0.0.5
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 34s ago
eap-user: userc
2FA: no
peer-id: 172.16.200.242
peer-id-auth: no
FortiClient UID: 6108A9179A5C40D7BD57504E15114C1F
assigned IPv4 address: 10.212.134.200/255.255.255.255
pending-queue: 0
PPK: no

IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=dialup ver=2 serial=1 172.16.200.4:0->0.0.0.0:0 nexthop= tun_id=10.0.0.1 tun_id6=::10.0.0.1 status=up dst_mtu=0 weight=1
bound_if=9 real_if=0 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc role=primary accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=1 refcnt=3 ilast=42978277 olast=42978277 ad=/0
stat: rxp=1290 txp=40 rxb=65588 txb=34472
dpd: mode=on-demand on=0 status=ok idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
------------------------------------------------------
name=dialup_0 ver=2 serial=5 172.16.200.4:0->172.16.200.242:0 nexthop=172.16.200.242 tun_id=10.212.134.200 tun_id6=::10.0.0.5 status=up dst_mtu=1500 weight=1
bound_if=9 real_if=9 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
parent=dialup index=0

When a client without a matching tag tries to establish a tunnel, the following debug output shows that the gateway cannot match the client's remote IP address to a configured tag.
# diagnose debug application ike -1

ike :shrank heap by 159744 bytes
ike V=root:0: comes 172.16.200.242:500->172.16.200.4:500,ifindex=9,vrf=0,len=456....
ike V=root:0: IKEv2 exchange=SA_INIT id=8044739046585b1a/0000000000000000 len=456
ike V=root:0:8044739046585b1a/0000000000000000:164: responder received SA_INIT msg
ike V=root:0:8044739046585b1a/0000000000000000:164: incoming proposal:
ike V=root:0:8044739046585b1a/0000000000000000:164: proposal id = 1:
ike V=root:0:8044739046585b1a/0000000000000000:164: protocol = IKEv2:
ike V=root:0:8044739046585b1a/0000000000000000:164: encapsulation = IKEv2/none
ike V=root:0:8044739046585b1a/0000000000000000:164: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:8044739046585b1a/0000000000000000:164: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:8044739046585b1a/0000000000000000:164: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:8044739046585b1a/0000000000000000:164: type=DH_GROUP, val=MODP1536.
ike V=root:0:8044739046585b1a/0000000000000000:164: proposal id = 2:
ike V=root:0:8044739046585b1a/0000000000000000:164: protocol = IKEv2:
ike V=root:0:8044739046585b1a/0000000000000000:164: encapsulation = IKEv2/none
ike V=root:0:8044739046585b1a/0000000000000000:164: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:8044739046585b1a/0000000000000000:164: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:8044739046585b1a/0000000000000000:164: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:8044739046585b1a/0000000000000000:164: type=DH_GROUP, val=MODP1536.
ike V=root:dialup: match remote ip failed
ike V=root:0:8044739046585b1a/0000000000000000:164: my proposal, gw dialup:
ike V=root:0:8044739046585b1a/0000000000000000:164: proposal id = 1:
ike V=root:0:8044739046585b1a/0000000000000000:164: protocol = IKEv2:
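As an added example (not from the FortiOS guide), the following Python reproduces the remote-gw-match ztna decision from the diagnose firewall dynamic list output shown above, so an administrator can see why a peer gets "gw validation OK" or "match remote ip failed". The second tag name and the 203.0.113.5 public address are constructed, and treating several configured tags as "match any one" is an assumption.

```python
"""Added example (not from the FortiOS guide): reproduce the remote-gw-match ztna
decision from the FortiGate's own diagnostic output, so a defender can see why
a dial-up peer is accepted ("gw validation OK") or rejected ("match remote ip failed")."""
import ipaddress
import re

# Constructed sample in the format of `diagnose firewall dynamic list <tag>`.
# The first tag and its address come from the guide; the second tag is invented
# to show a tag that is synchronized but currently resolves to no endpoint.
DYNAMIC_LIST_OUTPUT = """\
CMDB name: EMS1_ZTNA_all_registered_clients
TAG name: all_registered_clients
EMS1_ZTNA_all_registered_clients: ID(6)
ADDR(172.16.200.242)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.
CMDB name: EMS1_ZTNA_av_up_to_date
TAG name: av_up_to_date
EMS1_ZTNA_av_up_to_date: ID(7)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 0.
"""


def parse_dynamic_list(text):
    """Return {cmdb_name: set(IPv4Address)} from the diagnostic output.

    A tag that EMS has synchronized but that resolves to no endpoint is kept
    with an empty set, which is a different failure from a missing tag."""
    tags, current = {}, None
    for line in text.splitlines():
        m = re.match(r"CMDB name:\s*(\S+)", line.strip())
        if m:
            current = m.group(1)
            tags.setdefault(current, set())
            continue
        if current is not None:
            for addr in re.findall(r"ADDR\((\d{1,3}(?:\.\d{1,3}){3})\)", line):
                tags[current].add(ipaddress.ip_address(addr))
    return tags


def remote_gw_match_ztna(peer_ip, configured_tags, dynamic):
    """Model the gateway's check for `set remote-gw-match ztna`.

    The IKE peer identifier (the source address the FortiGate sees) must be an
    address currently resolved under a configured tag. Assumption for this
    example: with several tags configured, matching any one of them is enough.
    Returns (accepted, reason)."""
    peer = ipaddress.ip_address(peer_ip)
    missing = [t for t in configured_tags if t not in dynamic]
    if missing:
        return False, f"tag not synchronized from EMS: {', '.join(missing)}"
    for tag in configured_tags:
        if peer in dynamic[tag]:
            return True, f"gw validation OK (matched {tag})"
    return False, "match remote ip failed"


def check_scenarios():
    """The guide's success case plus the NAT, empty-tag and unknown-tag failures."""
    dynamic = parse_dynamic_list(DYNAMIC_LIST_OUTPUT)
    tags = ["EMS1_ZTNA_all_registered_clients"]
    return {
        # Client connects from the address EMS resolved for it: accepted.
        "direct": remote_gw_match_ztna("172.16.200.242", tags, dynamic),
        # Same endpoint behind NAT: IKE sees the public address (203.0.113.5 is
        # a constructed documentation address), which the tag never resolves to.
        "behind_nat": remote_gw_match_ztna("203.0.113.5", tags, dynamic),
        # Tag exists but no endpoint currently carries it.
        "empty_tag": remote_gw_match_ztna("172.16.200.242",
                                          ["EMS1_ZTNA_av_up_to_date"], dynamic),
        # Tag name typo, or EMS has not synchronized it yet.
        "unknown_tag": remote_gw_match_ztna("172.16.200.242",
                                            ["EMS1_ZTNA_no_such_tag"], dynamic),
    }


if __name__ == "__main__":
    for name, (ok, reason) in check_scenarios().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

Paste your own diagnose firewall dynamic list output into DYNAMIC_LIST_OUTPUT and the peer address from the ike debug line to check a real tunnel.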

Enhancing security with Post-Quantum Cryptography for IPsec key exchange - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


l Post-Quantum Cryptography for IPsec key exchange

IPsec key exchange now supports Post-Quantum Cryptography (PQC), adding key exchange algorithms designed to resist attacks by quantum computers. This protects encrypted traffic against future quantum-capable adversaries, addresses the weakness of traditional key exchange methods against such attacks, and aligns with upcoming security standards.
FortiOS allows users to specify various KE groups; however, only the following KE groups are standardized by NIST and
are FIPS 203 compliant:
l ML-KEM-512
l ML-KEM-768
l ML-KEM-1024
FIPS 203, also known as the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) Standard, is a set of
guidelines established by the National Institute of Standards and Technology (NIST). These guidelines specify the use of
lattice-based cryptographic algorithms for key encapsulation mechanisms, which are crucial for secure communication
in various applications.
The three parameter sets offer different levels of security and performance:

ML-KEM-512: Provides a balance between security and efficiency, suitable for environments where moderate security is sufficient.
ML-KEM-768: Offers a higher level of security compared to ML-KEM-512, making it suitable for more sensitive applications.
ML-KEM-1024: Delivers the highest level of security among the three, ideal for highly sensitive data and critical applications.

See FIPS 203 and Module-Lattice-Based Key-Encapsulation Mechanism Standard for more information.

CLI configuration

The following commands have been included to enable and configure PQC:
config vpn ipsec phase1-interface
edit <name>
set addke1 <option1>, <option2>, <option3>
set addke2 <option1>, <option2>, <option3>
set addke3 <option1>, <option2>, <option3>
set addke4 <option1>, <option2>, <option3>
set addke5 <option1>, <option2>, <option3>
set addke6 <option1>, <option2>, <option3>
set addke7 <option1>, <option2>, <option3>
set childless-ike enable
next
end
config vpn ipsec phase2-interface
edit <name>
set addke1 <option1>, <option2>, <option3>
set addke2 <option1>, <option2>, <option3>
set addke3 <option1>, <option2>, <option3>
set addke4 <option1>, <option2>, <option3>
set addke5 <option1>, <option2>, <option3>
set addke6 <option1>, <option2>, <option3>
set addke7 <option1>, <option2>, <option3>
next
end

Example

A financial institution uses IPsec VPN to move sensitive customer data, such as account numbers, social insurance
numbers, and credit card information. The current encryption used is based on traditional algorithms, which could be
vulnerable to attacks from quantum computers in the future. By implementing Post-Quantum Cryptography, the financial
institution can ensure that their data remains secure even as technology advances, protecting themselves and their
customers from potential breaches due to advancements in computing power. This ensures compliance with regulatory
requirements and maintains customer trust.

To enable PQC in the GUI:

This is a site-to-site VPN setup. Only the new configuration is being demonstrated in the GUI
for this example. For more information, see Basic site-to-site VPN with pre-shared key.

1. Go to VPN > VPN Tunnels.

2. Double-click the VPN Tunnel to open it for editing.


3. Scroll down to Post Quantum Cryptography Additional Key Exchanges, and click Create new.

4. Set Transform type, select up to three KE groups, and click OK.

5. In Phase 2 selectors, click Create new and repeat the steps above.

6. Click OK to save the tunnel.

To enable PQC key exchange for an IPsec tunnel in the CLI:

1. Configure FGT-C:
config vpn ipsec phase1-interface
edit "site_002"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set addke1 35 36 37
set addke2 1083
set childless-ike enable
set transport auto
set remote-gw 172.16.200.9
set psksecret XXXXXX
next
end
config vpn ipsec phase2-interface
edit "site_002"
set phase1name "site_002"
set addke1 1090
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end

2. Configure FGT-D:

config vpn ipsec phase1-interface
edit "site_001"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set addke1 35 36 37
set addke2 1083
set childless-ike enable
set transport auto
set remote-gw 172.16.200.8
set psksecret XXXXXX
next
end
config vpn ipsec phase2-interface
edit "site_001"
set phase1name "site_001"
set addke1 1090
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end

3. Verify the IPsec VPN tunnel state on FGT-D:


# diagnose vpn ike gateway list

vd: root/0
name: site_001PPPPPP1
version: 2
interface: port1 9
addr: 172.16.200.9:500 -> 172.16.200.8:500
tun_id: 172.16.200.8/::172.16.200.8
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 88s ago
peer-id: 172.16.200.8
peer-id-auth: no
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 111 7316ebc639a46c4b/4be2fd15d7304333


direction: responder
status: established 88-88s ago = 0ms
proposal: aes128-sha256
child: no
SK_ei: 5a81d7880641e298-3c6cd9753e62c482
SK_er: b52ad6f1590ca132-86245f3df596eb32
SK_ai: 00d051d432556218-5708374c8496c37e-aef06d7d0457bebd-506bd9034bdd1c30
SK_ar: 15dac6f288163198-2c34b87dda107af7-6db98a53b29cf757-0d6d5b8020cc8d47
PPK: no
message-id sent/recv: 0/6

QKD: no
PQC-KEM (IKE): yes
PQC-KEM (all IPsec): yes
lifetime/rekey: 86400/86041
DPD sent/recv: 00000000/00000000
peer-id: 172.16.200.8

4. Verify the IKE debug output:


# diagnose debug enable
# diagnose debug application ike -1

ike V=root:0:site_002PPPPPP1:14: initiator received SA_INIT response


ike V=root:0:site_002PPPPPP1:14: processing notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:site_002PPPPPP1:14: processing NAT-D payload
ike V=root:0:site_002PPPPPP1:14: NAT not detected
ike V=root:0:site_002PPPPPP1:14: process NAT-D
ike V=root:0:site_002PPPPPP1:14: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:site_002PPPPPP1:14: processing NAT-D payload
ike V=root:0:site_002PPPPPP1:14: NAT not detected
ike V=root:0:site_002PPPPPP1:14: process NAT-D
ike V=root:0:site_002PPPPPP1:14: processing notify type FRAGMENTATION_SUPPORTED
ike V=root:0:site_002PPPPPP1:14: processing notify type CHILDLESS_IKEV2_SUPPORTED
ike V=root:0:site_002PPPPPP1:14: processing notify type INTERMEDIATE_EXCHANGE_SUPPORTED
ike V=root:0:site_002PPPPPP1:14: incoming proposal:
ike V=root:0:site_002PPPPPP1:14: proposal id = 1:
ike V=root:0:site_002PPPPPP1:14: protocol = IKEv2:
ike V=root:0:site_002PPPPPP1:14: encapsulation = IKEv2/none
ike V=root:0:site_002PPPPPP1:14: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:site_002PPPPPP1:14: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:site_002PPPPPP1:14: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:site_002PPPPPP1:14: type=DH_GROUP, val=MODP2048.
ike V=root:0:site_002PPPPPP1:14: type=ADDKE1, val=ML-KEM-512.
ike V=root:0:site_002PPPPPP1:14: type=ADDKE2, val=FRODO L1.
ike V=root:0:site_002PPPPPP1:14: matched proposal id 1
ike V=root:0:site_002PPPPPP1:14: proposal id = 1:
ike V=root:0:site_002PPPPPP1:14: protocol = IKEv2:
ike V=root:0:site_002PPPPPP1:14: encapsulation = IKEv2/none
ike V=root:0:site_002PPPPPP1:14: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:site_002PPPPPP1:14: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:site_002PPPPPP1:14: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:site_002PPPPPP1:14: type=DH_GROUP, val=MODP2048.
ike V=root:0:site_002PPPPPP1:14: type=ADDKE1, val=ML-KEM-512.
ike V=root:0:site_002PPPPPP1:14: type=ADDKE2, val=FRODO L1.
ike V=root:0:site_002PPPPPP1:14: lifetime=86400
ike V=root:0:site_002PPPPPP1:14: compute DH shared secret request pending
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_ei
16:636BFFEC63FB7B02AC3C55CBC2A615ED
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_er
16:EBA51E65F2E101A6922C728D8507B1D6
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_ai
32:146F21B8D780175B7CF3C13475754B5296D11E0658695F77E7688C33681AA8A6
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_ar
32:ADA3A9275B35CD2309B73FCE7A17AD0A75DC5F98A4D4FF008D7503CD6A69EA94
ike V=root:0:site_002PPPPPP1:14: initiator preparing INTERMEDIATE msg
ike V=root:0:site_002PPPPPP1:14: generating KE for group 35
ike 0:site_002PPPPPP1:14: enc

ike V=root:0:site_002PPPPPP1:14: initiator received INTEREMDIATE response


ike V=root:0:site_002PPPPPP1:14: processing KE group 35
ike V=root:0:site_002PPPPPP1:14: KEM decapsulate okay
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_ei
16:7D54A38F71768F91B32EA828521E56D7
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_er
16:AC66EF35E670D558A5704519E348BFD2
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_ai
32:39DED1A07EF0D0A37D2FA51AF478EC981E17D4092FA1DE3CF3A46EC8E28DD9E9
ike 0:site_002PPPPPP1:14: IKE SA 1d7b30eb8916377b/bcc3ac86051fd55c SK_ar
32:3E8BB857F90943DD289DDCDE742AC18DFBF0DA7590F9CEA5E413B02463BE4303
ike V=root:0:site_002PPPPPP1:14: initiator preparing INTERMEDIATE msg
ike V=root:0:site_002PPPPPP1:14: generating KE for group 1083
ike V=root:0:site_002PPPPPP1:14: splitting payload len=9624 into 10 fragments

ike V=root:0:site_002PPPPPP1:14:site_002:17: phase2 matched by subset


ike V=root:0:site_002PPPPPP1:14:site_002:17: accepted proposal:
ike V=root:0:site_002PPPPPP1:14:site_002:17: TSr_0 0:10.1.100.0-10.1.100.255:0
ike V=root:0:site_002PPPPPP1:14:site_002:17: TSi_0 0:10.1.200.0-10.1.200.255:0
ike V=root:0:site_002PPPPPP1:14:site_002:17: autokey
ike V=root:0:site_002PPPPPP1:14:site_002:17: incoming child SA proposal:
ike V=root:0:site_002PPPPPP1:14:site_002:17: proposal id = 1:
ike V=root:0:site_002PPPPPP1:14:site_002:17: protocol = ESP:
ike V=root:0:site_002PPPPPP1:14:site_002:17: encapsulation = TUNNEL
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=INTEGR, val=SHA
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=DH_GROUP, val=MODP2048
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ESN, val=NO
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=BIKE L3.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=BIKE L5.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=HQC128.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=HQC192.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=HQC256.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=1090.
ike V=root:0:site_002PPPPPP1:14:site_002:17: matched proposal id 1
ike V=root:0:site_002PPPPPP1:14:site_002:17: proposal id = 1:
ike V=root:0:site_002PPPPPP1:14:site_002:17: protocol = ESP:
ike V=root:0:site_002PPPPPP1:14:site_002:17: encapsulation = TUNNEL
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=INTEGR, val=SHA
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=DH_GROUP, val=MODP2048
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ESN, val=NO
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=BIKE L3.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=BIKE L5.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=HQC128.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=HQC192.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=HQC256.
ike V=root:0:site_002PPPPPP1:14:site_002:17: type=ADDKE1, val=1090.
ike V=root:0:site_002PPPPPP1:14:site_002:17: lifetime=43200
ike V=root:0:site_002PPPPPP1:14:site_002:17: ADDKE negotiated
ike V=root:0:site_002PPPPPP1:17: initiator preparing FOLLOWUP_KE message (CHILD_SA)
ike V=root:0:site_002PPPPPP1:17: construct KE grp (1090) payload
ike V=root:0:site_002PPPPPP1:14: splitting payload len=3103 into 3 fragments
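As an added example (not Fortinet's code), the following Python models the additional key exchange (ADDKE) slot negotiation that the debug output above shows and reports which negotiated groups fall outside FIPS 203. It assumes the IANA IKEv2 identifiers 35, 36 and 37 for ML-KEM-512, ML-KEM-768 and ML-KEM-1024 (the guide's configuration and debug output confirm 35 = ML-KEM-512), takes the labels for 1083 and 1090 from the debug output, and uses a simplified first-common-group selection rule rather than FortiOS's exact algorithm.

```python
"""Added example (not Fortinet's code): model how the ADDKE slots configured with
`set addke1` .. `set addke7` are negotiated between two IKEv2 peers, and report
which negotiated groups fall outside the FIPS 203 (ML-KEM) set."""
import re

# IANA IKEv2 Transform Type 4 identifiers for the three FIPS 203 parameter sets
# (the guide's config `set addke1 35 36 37` negotiates as ADDKE1 = ML-KEM-512).
FIPS203_GROUPS = {35: "ML-KEM-512", 36: "ML-KEM-768", 37: "ML-KEM-1024"}
# Labels for the other identifiers in the guide's example, taken from its debug
# output: 1083 prints as "FRODO L1", 1090 prints only as a number.
OTHER_LABELS = {1083: "FRODO L1", 1090: "group 1090"}
NONE = 0  # RFC 9370: offering NONE in a slot makes that key exchange optional

# Constructed input: the ADDKE lines from the guide's FGT-C phase1 stanza.
FGT_C_PHASE1 = """\
    set addke1 35 36 37
    set addke2 1083
"""


def parse_addke(cli_text):
    """Return {slot: [group ids in preference order]} from `set addkeN ...` lines."""
    slots = {}
    for m in re.finditer(r"^\s*set addke([1-7])\s+([\d\s]+?)\s*$", cli_text, re.M):
        slots[int(m.group(1))] = [int(g) for g in m.group(2).split()]
    return slots


def negotiate_addke(initiator, responder):
    """Simplified RFC 9370 selection (an assumption, not FortiOS's exact algorithm):
    for each slot the responder takes the first group the initiator offers that
    it also supports. A side with nothing configured in a slot supports only
    NONE. Returns {slot: group}, or None when some slot cannot be agreed, which
    is what happens when one peer requires a group the other does not have."""
    chosen = {}
    for slot in range(1, 8):
        offered = initiator.get(slot) or [NONE]
        supported = responder.get(slot) or [NONE]
        common = [g for g in offered if g in supported]
        if not common:
            return None
        if common[0] != NONE:
            chosen[slot] = common[0]
    return chosen


def label(group):
    """Human-readable name for a KE group identifier."""
    return FIPS203_GROUPS.get(group) or OTHER_LABELS.get(group) or f"group {group}"


def non_fips203_slots(chosen):
    """Slots whose negotiated group is not a NIST-standardized ML-KEM parameter set."""
    return {slot: label(g) for slot, g in chosen.items() if g not in FIPS203_GROUPS}


def demo():
    """Three scenarios built from the guide's configuration."""
    peer = parse_addke(FGT_C_PHASE1)        # FGT-C and FGT-D use identical slots
    as_configured = negotiate_addke(peer, peer)
    # A responder restricted to FIPS 203 groups only (ADDKE2 removed): the
    # initiator still requires ADDKE2, so the IKE SA proposal cannot be agreed.
    fips_only = {1: [35, 36, 37]}
    one_sided = negotiate_addke(peer, fips_only)
    # Offering NONE as an alternative in ADDKE2 lets that responder skip it.
    optional = dict(peer)
    optional[2] = [1083, NONE]
    with_optional = negotiate_addke(optional, fips_only)
    return as_configured, non_fips203_slots(as_configured), one_sided, with_optional


if __name__ == "__main__":
    configured, not_fips, failed, relaxed = demo()
    print("negotiated:", {s: label(g) for s, g in configured.items()})
    print("outside FIPS 203:", not_fips)
    print("FIPS-only responder, strict initiator:", failed)
    print("FIPS-only responder, ADDKE2 optional:", relaxed)
```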

Migration from SSL VPN tunnel mode to IPsec VPN - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l SSL VPN tunnel mode to IPsec VPN migration

Starting from FortiOS 7.6.3, SSL VPN tunnel mode is no longer supported. All existing configurations related to SSL
VPN tunnel mode, including associated firewall policies, are not upgraded from previous versions to FortiOS 7.6.3. To
get a list of CLI commands that are not supported, see Appendix A: FortiOS CLI on page 404.
To ensure uninterrupted remote access, you must migrate your SSL VPN tunnel mode configuration to IPsec VPN
before upgrading to FortiOS 7.6.3.
If you are using SSL VPN web mode, your existing configurations will persist after the upgrade. SSL VPN web mode remains functional and continues to operate under its new name, Agentless VPN. See Agentless VPN 7.6.3 on page 413 and Agentless VPN.
FortiGates set up as SSL VPN clients are no longer supported. All existing configurations related to SSL VPN clients,
including firewall policies, are not upgraded from previous versions to FortiOS 7.6.3. To configure remote access using
IPsec VPN, see FortiGate as dialup client.
This topic includes the following sections:
l IPsec and SSL VPN comparison on page 392
l Migration planning and design considerations on page 393
l Migration steps for SSL VPN tunnel mode to IPsec VPN on page 393
l Key components comparison on page 394
l Examples on page 396
l Appendix A: FortiOS CLI on page 404
l Appendix B: FortiClient XML on page 406

IPsec and SSL VPN comparison

IPsec VPN and SSL VPN tunnel mode each offer distinct advantages, depending on the use case. Some key benefits of
IPsec VPN include:
l Strong security: Uses robust encryption standards to protect data from cyber threats.
l Efficient performance: Optimized bandwidth usage and low latency improve overall network performance.
l Seamless integration: Works well with enterprise security policies and authentication mechanisms.
l Advanced Networking Features: Supports split tunneling, split DNS, traffic shaping, and QoS for better traffic
management.
l Scalability: Suitable for large-scale enterprise deployments with both site-to-site IPsec VPNs and remote access
options.
l Interoperability: Compatible with a wide range of networking devices and operating systems.
l End-to-End Encryption: Ensures data integrity and confidentiality throughout transmission.
l Automatic Key Management: Uses protocols such as IKEv1 and IKEv2 for secure and automated key exchanges.
l Multi-Factor Authentication (MFA) Support: Enhances security by integrating with strong authentication methods such as LDAP, RADIUS, SAML, and so on.
l Resilience: Supports failover and redundancy for high availability and business continuity.

l Traffic Segmentation: Enables policy-based routing and access controls to restrict and optimize traffic flow.
l Compliance Readiness: Helps meet security standards and regulatory requirements like GDPR and HIPAA.
l Device Identity Verification: Uses certificates or pre-shared keys for secure endpoint authentication.
l Support for Mobile and Remote Users: Efficiently handles varying network conditions, including broadband and
cellular connections.
For more details, see the Migration background section of the SSL VPN to IPsec VPN Migration guide.

Migration planning and design considerations

You are strongly advised to plan a detailed migration strategy to transition your SSL VPN tunnel mode configuration to
IPsec VPN. Key considerations for a successful migration include:
1. Assessing current SSL VPN tunnel mode usage and identifying its key configurations on FortiGate.
2. Ensuring IPsec VPN compatibility with existing authentication methods, routing configurations, and network
policies.
3. Testing the new IPsec VPN configuration before deploying it organization-wide.
4. Communicating the transition plan to users and providing necessary training on IPsec VPN usage.

For information about different design considerations when migrating from SSL VPN tunnel mode to IPsec VPN, see
Design Considerations.

Migration steps for SSL VPN tunnel mode to IPsec VPN

Migrating from SSL VPN tunnel mode to IPsec VPN involves multiple steps, depending on factors such as the migration
method (GUI or CLI), whether the FortiGate is managed by FortiManager, and the specific FortiOS version in use. Follow
the steps below for a smooth transition:
1. Back up existing configuration.
Before making any changes, back up the current SSL VPN tunnel mode configuration to prevent data loss and
facilitate rollback if needed. See Backing up and restoring configurations from the GUI.
2. Convert FortiGate and FortiClient configurations in their existing versions.
The SSL VPN tunnel mode configuration can be converted to IPsec VPN using either the GUI, CLI, or
FortiConverter service.
a. Migrating FortiGate and FortiClient using GUI:
i. For FortiGate devices running FortiOS 7.4.4 and planned for an upgrade to FortiOS 7.6.3, migration to
IPsec VPN is required before upgrading. For detailed steps, see the FortiOS 7.4 SSL VPN to IPsec VPN
Migration guide.
ii. For FortiGate devices running FortiOS 7.6.0, 7.6.1, or 7.6.2 and planned for an upgrade to FortiOS 7.6.3,
migration to IPsec VPN is also required before upgrading. For detailed steps, see the FortiOS 7.6 SSL
VPN to IPsec VPN Migration guide.
iii. For FortiClient endpoint configuration migration, see FortiClient endpoint configuration migration.
b. Migrating FortiGate using CLI and FortiClient using XML configuration:
i. For CLI-based migration of FortiGate and XML-based configuration migration for FortiClient, see
Examples on page 396.
c. Use the FortiConverter service to perform the conversion.
3. Enable IPsec VPN alongside SSL VPN during transition.

a. Apply the converted IPsec VPN configuration to the current FortiOS version, and configure the IPsec VPN
profile in FortiClient EMS.
b. Deploy the IPsec VPN profile from FortiClient EMS to endpoints.
4. Verify IPsec VPN functionality.
Test the IPsec VPN connection between FortiClient and FortiGate to confirm successful migration and ensure
reliable IPsec VPN connectivity.
5. Upgrade steps for FortiGate managed by FortiManager.
If FortiGate is managed by FortiManager, follow these steps to ensure compatibility and centralized management
after completing the IPsec VPN migration on one of the FortiGate devices:
a. Upgrade FortiManager to version 7.6.3 before upgrading FortiOS to maintain compatibility.
b. Re-import the new FortiGate configuration to FortiManager 7.6.3 to ensure centralized management
consistency.
c. Use FortiManager to upgrade FortiOS to version 7.6.3.
d. Re-validate the IPsec VPN configuration after upgrade to confirm full functionality.
6. Upgrade steps for standalone FortiGate.
For unmanaged or standalone FortiGate devices:
a. Upgrade the FortiGate to FortiOS 7.6.3 after completing the IPsec VPN migration. The unsupported SSL VPN
tunnel mode configuration is automatically removed after upgrade. For a list of unsupported CLI commands,
see Appendix A: FortiOS CLI on page 404.
b. After the upgrade, re-validate the IPsec VPN configuration to confirm that it is fully functional.
7. Enforce IPsec VPN and disable SSL VPN on FortiClient EMS.
After verifying that IPsec VPN is functioning correctly, update the FortiClient EMS VPN profile:
a. Remove SSL VPN tunnel mode configurations.
b. Enforce IPsec VPN usage across all managed endpoints to complete the transition.

Key components comparison

This section aims to help you understand how your existing SSL VPN tunnel CLI setup maps to an IPsec VPN CLI setup.
By understanding these mappings, you can effectively convert your SSL VPN tunnel configuration to IPsec VPN while
maintaining equivalent functionality and security.

Key configuration components of SSL VPN tunnel mode on FortiOS

SSL VPN configuration on FortiOS consists of several key elements, each defined by specific CLI settings. The following
sections outline these components and their respective configuration commands:

SSL VPN portal
Configured under: config vpn ssl web portal
Function/Purpose: Defines portal settings such as user access permissions, bookmarks, and tunnel mode and web mode configurations.
CLI reference: For FortiOS 7.6.2, see config vpn ssl web portal.

SSL VPN portal
Configured under: config vpn ssl settings
Function/Purpose: Specifies global SSL VPN settings, including listening ports, encryption methods, authentication parameters, and routing options.
CLI reference: For FortiOS 7.6.2, see config vpn ssl settings.

Firewall policies
Configured under: config firewall policy
Function/Purpose: Defines firewall policies that regulate SSL VPN traffic by specifying source/destination, allowed services, and security rules. The SSL-VPN tunnel interface (ssl.root) is used in the Incoming or Outgoing interface fields.
CLI reference: For FortiOS 7.6.2, see config firewall policy.

Key configuration components of IPsec VPN tunnel mode on FortiOS

IPsec VPN setup consists of multiple configuration elements, including Phase 1 and Phase 2 settings that establish and
maintain the tunnel, as well as firewall policies that control traffic flow. Depending on your use cases, you can configure
multiple SSL VPN web portals, each tailored to specific user groups or access requirements. For each SSL VPN web
portal, you might also need one or more corresponding IPsec Phase 1 and Phase 2 tunnel configurations to support your
current use cases.
Following is an overview of key configurations of IPsec VPN:

IPsec Phase 1
Configured under: config vpn ipsec phase1-interface
Function/Purpose: Defines phase 1 settings for IPsec VPN tunnels, including authentication, encryption, and key exchange parameters.
CLI reference: For FortiOS 7.6.2, see config vpn ipsec phase1-interface.

IPsec Phase 2
Configured under: config vpn ipsec phase2-interface
Function/Purpose: Specifies phase 2 settings for IPsec VPN, including security proposals and traffic selectors.
CLI reference: For FortiOS 7.6.2, see config vpn ipsec phase2-interface.

Firewall policies
Configured under: config firewall policy
Function/Purpose: Defines firewall policies that regulate IPsec VPN traffic by specifying source/destination, allowed services, and security rules. The IPsec VPN tunnel interface is used in the Incoming or Outgoing interface fields.
CLI reference: For FortiOS 7.6.2, see config firewall policy.

Examples

You can convert the SSL VPN tunnel mode settings to IPsec using the CLI on FortiGate and XML on FortiClient EMS. Use the following examples to understand your current SSL VPN tunnel mode configuration and its equivalent IPsec VPN configuration after conversion. The XML configuration for migrating SSL VPN tunnel mode to IPsec VPN is the same in both examples.
The configurations provided in these examples are for demonstration purposes only. Customers must evaluate their own
environments and, with the help of these example configurations, develop an IPsec equivalent setup suitable for their
transition. It is essential to test and validate the configurations before applying them to production environments.

Topology

Example 1

Corp1 uses the following SSL VPN tunnel mode configuration, which enables remote users to connect securely to the corporate network. It enforces full tunnel mode, meaning all user traffic is routed through the VPN tunnel without split tunneling. In addition, auto-connect, keep alive, and save password are enabled.
The following network setup is in use:
l WAN Interface (listening for SSL VPN connections on port 443): wan1
l LAN Interface: port1
l IP address assigned to VPN users: REMOTE-CLIENT-ADDRESS-RANGE
l User group for user authentication: vpn-user-group
l Address object for LAN: Local-LAN
l Other features: auto-connect, keep alive, save password.

If your SSL VPN configuration assigns IP addresses to remote clients from multiple IP ranges,
you can achieve similar behavior with IPsec VPN using mode config. IPsec mode config
supports assigning client IP addresses from multiple IP ranges by referencing an address
group that contains the desired IP range objects. During IKE negotiation, the FortiGate
dynamically allocates an available IP address from the specified address group to the
connecting IPsec client.

CLI configuration for SSL VPN on FortiGate:

1. SSL VPN web portal:


config vpn ssl web portal
edit "full-access"
set tunnel-mode disable
set web-mode disable

next
edit "my-full-tunnel-portal"
set tunnel-mode enable
set auto-connect enable
set keep-alive enable
set save-password enable
set ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
set split-tunneling disable
next
end

2. SSL VPN settings:


config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "SSL_CERTIFICATE"
set tunnel-ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
set port 443
set source-interface "wan1"
set source-address "all"
set default-portal "full-access"
config authentication-rule
edit 1
set groups "vpn-user-group"
set portal "my-full-tunnel-portal"
next
end
end

3. SSL VPN firewall policy:


config firewall policy
edit 1
set name "SSL VPN to LAN"
set srcintf "ssl.root"
set dstintf "port1"
set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
set dstaddr "Local-LAN"
set schedule "always"
set service "ALL"
set groups "vpn-user-group"
next
edit 2
set name "SSL VPN to Internet"
set srcintf "ssl.root"
set dstintf "wan1"
set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
set dstaddr "all"
set schedule "always"
set service "ALL"
set groups "vpn-user-group"
set nat enable
next
end

XML configuration for SSL VPN on FortiClient EMS

To view the XML configuration on FortiClient EMS for SSL VPN configuration, see the XML configuration for SSL VPN
on page 406 section in Appendix B: FortiClient XML on page 406.

CLI configuration for IPsec VPN on FortiGate

The following configuration provides an equivalent setup to the existing SSL VPN configuration, enabling a seamless
migration to IPsec VPN while maintaining secure remote access.

IPsec VPN can be configured to use either pre-shared key (PSK) or certificate-based
authentication for peer identity authentication. This deployment example uses PSK for
simplicity and ease of configuration. When using certificate-based authentication,
administrators must configure a certificate authority (CA), issue certificates to all FortiClient
endpoints, and ensure the FortiGate is properly configured to validate client certificates during
IKE negotiation. For more information about certificate-based authentication, see Dialup IPsec
VPN with certificate authentication.

1. IPsec Phase 1 settings:


config vpn ipsec phase1-interface
edit "my-full-tunnel"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set eap enable
set eap-identity send-request
set authusrgrp "vpn-user-group"
set network-overlay enable
set network-id 1
set transport auto
set assign-ip-from name
set ipv4-name "REMOTE-CLIENT-ADDRESS-RANGE"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ******
next
end

In IKE version 2, FortiGate uses the Network ID as a unique identifier to distinguish between
multiple dialup tunnels configured on the same WAN interface. During the IPsec
negotiation process, FortiClient transmits its configured Network ID, which FortiGate
matches against its defined Network IDs to identify the appropriate tunnel. The Network ID
configured on FortiClient must match the corresponding Network ID set on FortiGate to
successfully establish an IPsec tunnel.

2. IPsec Phase 2 settings:

config vpn ipsec phase2-interface
edit "my-full-tunnel"
set phase1name "my-full-tunnel"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end

3. IPsec VPN firewall policy:


config firewall policy
edit 1
set name "IPsec VPN to LAN"
set srcintf "my-full-tunnel"
set dstintf "port1"
set action accept
set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
set dstaddr "Local-LAN"
set schedule "always"
set service "ALL"
next
edit 2
set name "IPsec VPN to WAN"
set srcintf "my-full-tunnel"
set dstintf "wan1"
set action accept
set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

XML configuration for IPsec VPN on FortiClient EMS

To view the XML configuration on FortiClient EMS for IPsec VPN configuration, see the XML configuration for IPsec VPN
on page 409 section in Appendix B: FortiClient XML on page 406.

Example 2

Corp2 uses the following SSL VPN tunnel mode configuration. The company has different types of users. Based on their
specific requirements, users are assigned different SSL VPN portals, each offering distinct connectivity and security
settings.
l dhcpra: The dhcpra portal enforces full tunneling, ensuring that all internet traffic from VPN users is routed through
the FortiGate firewall. VPN users obtain an IP address dynamically from an external DHCP server, with FortiGate
acting as a DHCP relay agent to facilitate it. In addition, features such as auto-connect, keep alive, and save
password are enabled.
l split-dns: The split-dns portal is designed for users who need access to specific corporate networks while allowing
direct internet access for non-corporate traffic. VPN users are assigned custom DNS servers for their DNS queries.
Certain domains are routed to internal DNS servers using the split DNS feature. In addition, features such as
auto-connect, keep alive, and save password are enabled.

If your SSL VPN configuration assigns IP addresses to remote clients from multiple IP ranges,
you can achieve similar behavior with IPsec VPN using mode config. IPsec mode config
supports assigning client IP addresses from multiple IP ranges by referencing an address
group that contains the desired IP range objects. During IKE negotiation, the FortiGate
dynamically allocates an available IP address from the specified address group to the
connecting IPsec client.

CLI configuration for SSL VPN on FortiGate

1. SSL VPN web portal:


config vpn ssl web portal
edit "full-access"
set tunnel-mode disable
set web-mode disable
next
edit "dhcpra"
set tunnel-mode enable
set ip-mode dhcp
set client-auto-negotiate enable
set keep-alive enable
set save-password enable
set split-tunneling disable
set dhcp-ra-giaddr 10.1.1.1
next
edit "split-dns"
set tunnel-mode enable
set client-auto-negotiate enable
set keep-alive enable
set save-password enable
set dns-server1 10.10.10.8
set dns-server2 10.10.10.9
set split-tunneling enable
config split-dns
edit 1
set domains "domain1.com"
set dns-server1 10.10.10.10
next
end
next
end

2. SSL VPN settings:


config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "SSL_Certificate"
set tunnel-ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
set dns-server1 172.17.254.148
set dns-server2 172.17.254.151
set port 443
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"

config authentication-rule
edit 1
set groups "group-dhcpra"
set portal "dhcpra"
next
edit 2
set groups "group-split-dns"
set portal "split-dns"
next
end
end

3. SSL VPN firewall policy:


config firewall policy
edit 1
set name "SSL VPN to LAN"
set srcintf "ssl.root"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set groups "group-dhcpra" "group-split-dns"
next
edit 2
set name "SSL-VPN to Internet"
set srcintf "ssl.root"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
set groups "group-dhcpra" "group-split-dns"
next
end

XML configuration for SSL VPN on FortiClient EMS

To view the XML configuration on FortiClient EMS for SSL VPN configuration, see the XML configuration for SSL VPN
on page 406 section in Appendix B: FortiClient XML on page 406.

CLI configuration for IPsec VPN on FortiGate

Since IPsec VPN does not support portals, you may be required to configure separate IPsec VPN tunnels to
accommodate the various use cases your current SSL VPN tunnel mode web portals support. Each IPsec VPN tunnel
should be configured based on the specific security, authentication, and routing requirements of the associated SSL
VPN portal.

IPsec VPN can be configured to use either pre-shared key (PSK) or certificate-based
authentication for peer identity authentication. This deployment example uses PSK for
simplicity and ease of configuration. When using certificate-based authentication,
administrators must configure a certificate authority (CA), issue certificates to all FortiClient
endpoints, and ensure the FortiGate is properly configured to validate client certificates during
IKE negotiation. For more information about certificate-based authentication, see Dialup IPsec
VPN with certificate authentication.

1. IPsec Phase 1 settings:


config vpn ipsec phase1-interface
edit "dhcpra"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 172.17.254.148
set ipv4-dns-server2 172.17.254.151
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set eap enable
set eap-identity send-request
set authusrgrp "group-dhcpra"
set network-overlay enable
set network-id 2
set transport auto
set psksecret *****
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
next
edit "split-dns"
set type dynamic
set interface "wan1"
set ike-version 2
set authmethod psk
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 10.10.10.8
set ipv4-dns-server2 10.10.10.9
set ipv4-dns-server3 10.10.10.10
set internal-domain-list "domain1.com"
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set eap enable
set eap-identity send-request
set authusrgrp "group-split-dns"
set network-overlay enable
set network-id 3
set transport auto
set psksecret *****
set assign-ip-from name

set ipv4-split-include "Local-LAN"
set ipv4-name "REMOTE-CLIENT-ADDRESS-RANGE"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
next
end

SSL VPN in tunnel mode supports the configuration of both split DNS and DNS suffix. For
dialup IPsec tunnels, the availability of these features depends on the IKE version in use.
l IKE version 1: Supports DNS suffix configuration but requires enabling unity-support
in the Phase 1 configuration. See IPsec DNS suffix.
l IKE version 2: Supports split DNS. See IPsec Split DNS.
When configuring your environment, consider reviewing the existing SSL VPN settings to
determine the most suitable IKE version for your requirements.

In IKE version 2, FortiGate uses the Network ID as a unique identifier to distinguish between
multiple dialup tunnels configured on the same WAN interface. During the IPsec
negotiation process, FortiClient transmits its configured Network ID, which FortiGate
matches against its defined Network IDs to identify the appropriate tunnel. The Network ID
configured on FortiClient must match the corresponding Network ID set on FortiGate to
successfully establish an IPsec tunnel.

2. IPsec Phase 2 configuration:


config vpn ipsec phase2-interface
edit "split-dns"
set phase1name "split-dns"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
edit "dhcpra"
set phase1name "dhcpra"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set dhcp-ipsec enable
next
end

3. IPsec tunnel interface configuration for DHCP relay:


config system interface
edit "dhcpra"
set vdom "root"
set dhcp-relay-service enable
set type tunnel
set snmp-index 9
set dhcp-relay-ip "10.1.1.1"
set dhcp-relay-type ipsec
set interface "wan1"
next
end

4. Firewall policy configuration:


config firewall policy
edit 1
set name "IPsec to LAN"
set srcintf "split-dns" "dhcpra"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 2
set name "IPsec to Internet"
set srcintf "split-dns" "dhcpra"
set dstintf "wan1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

The configured user group, <group-name>, must be configured either in the IPsec
Phase 1 settings (set authusrgrp <group-name>) or in the firewall policy (set groups
<group-name>) to allow traffic to flow through the IPsec tunnel. If the user group is
configured in both the IPsec Phase 1 settings and the firewall policy, traffic does not flow through the IPsec
tunnel. In the example discussed, the user group is configured in the IPsec Phase 1 settings.
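The portal-to-Phase 1 mapping applied in Example 1 and Example 2 (IP pool to mode config, split tunneling to ipv4-split-include, portal DNS and split DNS to ipv4-dns-server and internal-domain-list, authentication-rule groups to authusrgrp, one Network ID per tunnel), as an added Python example that is not part of this guide or of Fortinet's tooling: it parses a FortiOS CLI dump and drafts the phase1-interface settings for each tunnel-mode portal. The functions parse, draft_phase1 and as_list, the RENAME table and the SAMPLE configuration are all constructed for this example; a DHCP-relay portal is only reported as a follow-up note.

```python
"""Draft IPsec dialup tunnels from SSL VPN tunnel-mode portals (added example,
not Fortinet code). parse() reads the FortiOS CLI grammar used on this page and
draft_phase1() applies the portal-to-phase1 mapping demonstrated in Example 1
and Example 2. SAMPLE is constructed input."""
import shlex

def parse(text):
    """FortiOS CLI text -> nested dicts (config/edit nest; set -> str or list)."""
    root, stack = {}, []
    for words in filter(None, map(shlex.split, text.splitlines())):  # skip blanks
        cur = stack[-1] if stack else root
        if words[0] == "config":
            stack.append(cur.setdefault(" ".join(words[1:]), {}))
        elif words[0] == "edit":
            stack.append(cur.setdefault(words[1], {}))
        elif words[0] == "set":
            cur[words[1]] = words[2] if len(words) == 3 else words[2:]
        elif words[0] in ("next", "end"):
            stack.pop()
    return root

def as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

# Portal keywords whose value carries over unchanged under a new phase1 keyword.
RENAME = {"auto-connect": "client-auto-negotiate",
          "client-auto-negotiate": "client-auto-negotiate",
          "keep-alive": "client-keep-alive", "save-password": "save-password"}

def draft_phase1(cfg, wan, first_network_id=1):
    """Return {portal: (phase1 settings, follow-up notes)} for tunnel-mode portals."""
    settings = cfg.get("vpn ssl settings", {})
    groups = {}  # portal -> user groups, taken from the SSL VPN authentication rules
    for rule in settings.get("authentication-rule", {}).values():
        groups.setdefault(rule.get("portal"), []).extend(as_list(rule.get("groups")))
    drafts, net_id = {}, first_network_id
    for name, p in cfg.get("vpn ssl web portal", {}).items():
        if p.get("tunnel-mode") != "enable":
            continue  # web-mode-only portals stay as Agentless VPN
        ph1 = {"type": "dynamic", "interface": wan, "ike-version": "2", "peertype": "any",
               "net-device": "disable", "mode-cfg": "enable", "eap": "enable",
               "eap-identity": "send-request", "transport": "auto",
               "network-overlay": "enable", "network-id": str(net_id)}
        net_id, notes = net_id + 1, []  # each dialup tunnel on the WAN needs its own ID
        ph1.update({new: p[old] for old, new in RENAME.items() if old in p})
        # Addresses: mode config from the pool object (an address group when the
        # SSL VPN used several ranges), or DHCP relay set up in phase2 and interface.
        pools = as_list(p.get("ip-pools") or settings.get("tunnel-ip-pools"))
        if p.get("ip-mode") == "dhcp":
            notes.append("phase2: set dhcp-ipsec enable; tunnel interface: dhcp relay")
        elif pools:
            ph1["assign-ip-from"], ph1["ipv4-name"] = "name", pools[0]
        # Split tunnelling needs an explicit include object on the IPsec side.
        if p.get("split-tunneling") == "enable":
            inc = as_list(p.get("split-tunneling-routing-address"))
            ph1["ipv4-split-include"] = inc[0] if inc else "<LAN-address-object>"
        # DNS: portal servers override the global SSL VPN ones; split DNS becomes
        # internal-domain-list plus an extra ipv4-dns-server, as in Example 2.
        dns = [p.get(k) or settings.get(k) for k in ("dns-server1", "dns-server2")]
        for entry in p.get("split-dns", {}).values():
            ph1["internal-domain-list"] = entry["domains"]
            dns.append(entry.get("dns-server1"))
        for i, server in enumerate([d for d in dns if d][:3], start=1):
            ph1[f"ipv4-dns-server{i}"] = server
        # authusrgrp takes one group; a portal shared by several needs one tunnel per group.
        g = groups.get(name, [])
        if len(g) == 1:
            ph1["authusrgrp"] = g[0]
        drafts[name] = (ph1, notes)
    return drafts

SAMPLE = """config vpn ssl web portal
    edit "split-dns"
        set tunnel-mode enable
        set auto-connect enable
        set dns-server1 10.10.10.8
        set split-tunneling enable
        set split-tunneling-routing-address "Local-LAN"
        config split-dns
            edit 1
                set domains "domain1.com"
                set dns-server1 10.10.10.10
            next
        end
    next
end
config vpn ssl settings
    set tunnel-ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
    set dns-server2 172.17.254.151
    config authentication-rule
        edit 1
            set groups "group-split-dns"
            set portal "split-dns"
        next
    end
end"""

if __name__ == "__main__":
    print(draft_phase1(parse(SAMPLE), "wan1", 3))
```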

XML configuration for IPsec VPN on FortiClient EMS

To view the XML configuration on FortiClient EMS for IPsec VPN configuration, see the XML configuration for IPsec VPN
on page 409 section in Appendix B: FortiClient XML on page 406.

Appendix A: FortiOS CLI

After upgrading to FortiOS 7.6.3, the following configuration commands for SSL VPN tunnel mode are no longer supported
or configurable. These configurations are lost once upgraded to FortiOS 7.6.3. Administrators should migrate their
SSL VPN tunnel-related configuration to IPsec VPN accordingly to avoid remote access issues in FortiOS 7.6.3 or later.
l SSL VPN settings:
The commands under config vpn ssl settings related to tunnel mode.
config vpn ssl settings
set dtls-hello-timeout
set dtls-heartbeat-idle-timeout
set dtls-heartbeat-interval
set dtls-heartbeat-fail-count
set tunnel-ip-pools
set tunnel-ipv6-pools

set dns-server1
set dns-server2
set wins-server1
set wins-server2
set ipv6-dns-server1
set ipv6-dns-server2
set ipv6-wins-server1
set ipv6-wins-server2
set dtls-tunnel
set dtls-max-proto-ver
set dtls-min-proto-ver
set tunnel-connect-without-reauth
set tunnel-user-session-timeout
set tunnel-addr-assigned-method
set ztna-trusted-client
end

l SSL VPN web portal:


The following commands under config vpn ssl web portal are no longer available:
config vpn ssl web portal
set tunnel-mode
set ip-mode
set auto-connect
set keep-alive
set save-password
set ip-pools
set split-tunneling
set split-tunneling-routing-negate
set split-tunneling-routing-address
set dns-server1
set dns-server2
set wins-server1
set wins-server2
set ipv6-tunnel-mode
set ipv6-pools
set ipv6-split-tunneling
set ipv6-split-tunneling-routing-negate
set ipv6-split-tunneling-routing-address
set ipv6-dns-server1
set ipv6-dns-server2
set ipv6-wins-server1
set ipv6-wins-server2
set client-src-range
set host-check
set mac-addr-check
set os-check
end

l Host check software configuration:


config vpn ssl web host-check-software
end

l EMS serial number (SN) check setting:
The system-wide option to enable or disable SN checks for SSL VPN tunnel connections is no longer configurable:

config system global
set vpn-ems-sn-check
end

After upgrading to FortiOS 7.6.3, the following configuration commands for the SSL VPN client are no longer supported or
configurable. These configurations are lost once upgraded to FortiOS 7.6.3. Administrators should migrate their SSL
VPN client-related configuration to IPsec VPN accordingly to avoid remote access issues in FortiOS 7.6.3 or later.
l SSL VPN Client configuration
config vpn ssl client
end

l All references to interfaces configured under config system interface with their type set as SSL (that is, set
type ssl), including:
l Interface definitions under config system interface
l Link monitors referencing SSL interfaces
l Zone configurations containing SSL interfaces
l Firewall policies involving SSL interfaces

Appendix B: FortiClient XML

To understand the various XML settings available in FortiClient EMS for SSL VPN and IPsec configuration, refer to the
XML Reference Guide version that matches your FortiClient EMS version. For example, for FortiClient EMS 7.4.2, refer
to the FortiClient 7.4.2 XML Reference Guide.

XML configuration for SSL VPN

The following XML configuration on FortiClient EMS demonstrates the SSL VPN settings used for Example 1 on page
396 and Example 2 on page 399:

The Network ID setting cannot be configured on unmanaged or standalone FortiClient. For
managed FortiClient, configuration of the Network ID is supported through FortiClient EMS
starting with versions 7.2.6 and later or 7.4.1 and later.
Ensure that both the EMS server and FortiClient endpoints are running compatible versions to
apply and enforce this setting; see the EMS compatibility chart.

<forticlient_configuration>
<vpn>
<options>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<allow_personal_vpns>0</allow_personal_vpns>
<on_os_start_connect/>
<disable_connect_disconnect>0</disable_connect_disconnect>
<keep_running_max_tries>0</keep_running_max_tries>
<show_negotiation_wnd>0</show_negotiation_wnd>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<autoconnect_on_install>0</autoconnect_on_install>
<minimize_window_on_connect>1</minimize_window_on_connect>
<secure_remote_access>0</secure_remote_access>
<certs_require_keyspec>0</certs_require_keyspec>
<autoconnect_tunnel>sslvpn</autoconnect_tunnel>

<current_connection_type>ssl</current_connection_type>
<use_windows_credentials>0</use_windows_credentials>
<suppress_vpn_notification>0</suppress_vpn_notification>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<current_connection_name>sslvpn</current_connection_name>
<disable_internet_check>1</disable_internet_check>
</options>
<lockdown>
<max_attempts>3</max_attempts>
<grace_period>120</grace_period>
<exceptions>
<apps/>
<ips/>
<domains/>
<icdb_domains/>
</exceptions>
<enabled>0</enabled>
</lockdown>
<ipsecvpn>
<connections/>
<options>
<check_for_cert_private_key>0</check_for_cert_private_key>
<usesmcardcert>1</usesmcardcert>
<uselocalcert>0</uselocalcert>
<no_dns_registration>0</no_dns_registration>
<usewincert>1</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<enable_udp_checksum>0</enable_udp_checksum>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<disable_default_route>0</disable_default_route>
<block_ipv6>1</block_ipv6>
<beep_if_error>0</beep_if_error>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<show_auth_cert_only>0</show_auth_cert_only>
<enabled>0</enabled>
</options>
</ipsecvpn>
<enabled>1</enabled>
<sslvpn>
<connections>
<connection>
<name>sslvpn</name>
<uid>434A9FE6-7CC5-48C2-83E9-F264B15F076C</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<username/>
<password/>
<certificate/>
<pkcs11_lib/>
<prompt_certificate>0</prompt_certificate>
<prompt_username>1</prompt_username>
<fgt>1</fgt>
<disclaimer_msg/>
<sso_enabled>0</sso_enabled>

<keep_fqdn_resolution_consistency>0</keep_fqdn_resolution_consistency>
<use_external_browser>0</use_external_browser>
<azure_auto_login>
<enabled>0</enabled>
<azure_app>
<tenant_name/>
<client_id/>
</azure_app>
</azure_auto_login>
<single_user_mode>0</single_user_mode>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<save_username>1</save_username>
</ui>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>
<redundant_sort_method>0</redundant_sort_method>
<RedundantSortMethod>0</RedundantSortMethod>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<android_cert_path/>
<android_cert_source>filesystem</android_cert_source>
<no_vnic_dns_server>0</no_vnic_dns_server>
<dual_stack>0</dual_stack>
<server>192.0.2.1:443</server>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>

</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<negative_split_tunnel_metric/>
<no_dns_registration>0</no_dns_registration>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<dnscache_service_control>0</dnscache_service_control>
<block_ipv6>1</block_ipv6>
<use_gui_saml_auth>0</use_gui_saml_auth>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<show_auth_cert_only>0</show_auth_cert_only>
<enabled>1</enabled>
</options>
</sslvpn>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

XML configuration for IPsec VPN

The following XML configuration on FortiClient EMS demonstrates the VPN settings for Example 1 and Example 2.
However, the value for the <networkid> XML tag will vary based on the network ID specified in the corresponding
IPsec configuration.
<forticlient_configuration>
<vpn>
<options>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<allow_personal_vpns>0</allow_personal_vpns>
<on_os_start_connect/>
<disable_connect_disconnect>0</disable_connect_disconnect>
<keep_running_max_tries>0</keep_running_max_tries>
<show_negotiation_wnd>0</show_negotiation_wnd>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<autoconnect_on_install>0</autoconnect_on_install>
<minimize_window_on_connect>1</minimize_window_on_connect>
<secure_remote_access>0</secure_remote_access>
<certs_require_keyspec>0</certs_require_keyspec>
<autoconnect_tunnel>ipsec</autoconnect_tunnel>
<current_connection_type>ipsec</current_connection_type>
<use_windows_credentials>0</use_windows_credentials>
<suppress_vpn_notification>0</suppress_vpn_notification>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>

<current_connection_name>ipsec</current_connection_name>
<disable_internet_check>1</disable_internet_check>
</options>
<lockdown>
<max_attempts>3</max_attempts>
<grace_period>120</grace_period>
<exceptions>
<apps/>
<ips/>
<domains/>
<icdb_domains/>
</exceptions>
<enabled>0</enabled>
</lockdown>
<ipsecvpn>
<connections>
<connection>
<name>ipsec</name>
<uid>A47A1B4A-01C4-4E19-9A21-3981067058B5</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>0</show_passcode>
<save_username>0</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>192.0.2.1</server>
<authentication_method>Preshared Key</authentication_method>
<fgt>1</fgt>
<prompt_certificate>1</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid/>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>0</enable_local_lan>

<enable_ike_fragmentation>0</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<run_fcauth_system>0</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<ike_saml_port>443</ike_saml_port>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<networkid>0</networkid>
<auth_data>
<preshared_key>Enc 4beb1e1c4306fadaaf3409c77e27861e20b21eb51dc331d082bf4c6c272404f0</preshared_key>
</auth_data>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5;15</dhgroup>
<proposals>
<proposal>AES128|SHA256</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>14</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>

</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<check_for_cert_private_key>0</check_for_cert_private_key>
<usesmcardcert>0</usesmcardcert>
<uselocalcert>0</uselocalcert>
<no_dns_registration>0</no_dns_registration>
<usewincert>0</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<enable_udp_checksum>0</enable_udp_checksum>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<disable_default_route>0</disable_default_route>
<block_ipv6>1</block_ipv6>
<beep_if_error>0</beep_if_error>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<show_auth_cert_only>0</show_auth_cert_only>
<enabled>1</enabled>
</options>
</ipsecvpn>
<enabled>1</enabled>
<sslvpn>
<connections/>
<options>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<negative_split_tunnel_metric/>
<no_dns_registration>0</no_dns_registration>

<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<dnscache_service_control>0</dnscache_service_control>
<block_ipv6>1</block_ipv6>
<use_gui_saml_auth>0</use_gui_saml_auth>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<show_auth_cert_only>0</show_auth_cert_only>
<enabled>0</enabled>
</options>
</sslvpn>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

Agentless VPN - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l Agentless VPN

Starting from FortiOS 7.6.3, SSL VPN web mode is now referred to as Agentless VPN. This updated terminology reflects
FortiGate’s ability to provide secure remote access without requiring a VPN client or agent on the user’s device.
Changes in FortiOS 7.6.3 and later:
l Terminology update: The term SSL VPN Web Mode is now Agentless VPN across the FortiOS GUI and public
documentation. The CLI configuration to configure it remains unchanged.
l Existing configurations remain valid: Any existing SSL VPN web mode configurations will continue to work as
expected.
l No functional changes: Users can continue securely accessing web-based applications and services through their
browser without installing a VPN client.
l However, SSL VPN tunnel mode is no longer supported. Thus, users who are using SSL VPN tunnel mode must
migrate to IPsec VPN. See Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3 on page 392 and Appendix A:
FortiOS CLI on page 404.

Configure FortiClient SIA for IPsec VPN tunnels - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l Configure FortiClient SIA for IPsec VPN tunnels

The FortiClient Secure Internet Access (SIA) template for the VPN Wizard enables the configuration of a remote access
IPsec VPN to ensure all FortiClient traffic is routed through the FortiGate IPsec VPN tunnel for security inspection. The
template allows administrators to select the desired security profile, including certificate or deep inspection, and
configure policies to block access to botnet and C&C servers. Additionally, it provides an option to allow remote VPN
users access to specified local subnets and local interfaces.

To configure IPsec VPN with FortiClient as the dial up client in the GUI:

1. Configure a user and user group:


a. Go to User & Authentication > User Definition and create a local user. See Users in the FortiOS Administration
Guide.
b. Go to User & Authentication > User Groups and create a user group with the local user added as a member.
See User groups in the FortiOS Administration Guide.
2. Go to VPN > VPN Wizard and configure the tunnel settings:
a. Enter a VPN Tunnel name.
b. For Select a template, select FortiClient Secure Internet Access (SIA).
c. Click Begin.

3. Configure the following VPN tunnel settings:


a. Set Authentication method to Pre-shared key.
b. Enter the Pre-shared key.
c. Set IKE to Version 2.
d. For User authentication method, select Phase 1 interface.
e. Select the user group from the dropdown list.
f. Click Next.

4. Configure the following Remote endpoint settings:


a. In Addresses to assign to connected endpoints, enter the client address range.
b. Enter the Subnet for connected endpoints.
c. Enable the FortiClient settings, as needed.
d. Click Next.

5. Configure the following Local FortiGate and Secure Internet Access (SIA) settings:
a. From the Incoming interface that binds to tunnel dropdown list, select the port. This port may be your WAN
interface, or any other interface designated for establishing the IPsec tunnel on.
b. Enable Local subnets that remote endpoints can access.
c. Set the Local interface and Local Address.

d. From the Shared WAN dropdown list, select WAN interface. This interface can also be the same interface used
for establishing the IPsec tunnel if your internet access is through it.
e. Enable the other Secure Internet Access (SIA) fields, as needed.

The Block external feeds field is an optional feature that allows you to block specific
external feeds. After enabling the field, select an Address External Feed or Dynamic
Address option to proceed.

f. Enable the required Security Profiles.


g. Click Next.

6. Click Submit.

Support Quantum Key Distribution and Digital Signature Algorithm Post-Quantum Cryptography - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l Using both QKD and DSA PQC

Support is added for configuring Quantum Key Distribution (QKD) and Digital Signature Algorithm (DSA) / Post-Quantum
Cryptography (PQC). This allows you to mix keys from QKD, PQC, and traditional Diffie-Hellman (DH) key
exchange, ensuring robust security. By combining different types of keys, users can achieve maximum resilience
against potential threats.
This feature can be used in environments handling highly sensitive data, necessitating the highest level of security. For
example, a financial institution might use this feature in its network infrastructure to secure communications between
different system components. This ensures that even if one key exchange method is compromised, the other methods
will still provide secure communication.
In such a scenario, the financial institution could enable QKD for advanced quantum security, PQC for resilience against
quantum threats, and DH for traditional key exchange. By combining these methods, they can tailor their security
approach to meet specific needs and maximize resilience against potential threats.

Example

To configure IPsec key retrieval with QKD and PQC keys together using the CLI:

1. Configure FGT-A
a. Configure the QKD profile:
config vpn qkd
edit "qkd_1"
set server "10.1.100.9"
set port 8989
set id "123456"
set peer "qkdtest"
next
end

b. Configure the IPsec phase1 interface:


config vpn ipsec phase1-interface
edit "test_qkd"
set interface "port9"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dhgrp 21
set addke1 1080
set qkd require
set qkd-hybrid require
set qkd-profile "qkdtest"
set remote-gw 173.1.1.1
set psksecret **********
next
end

c. Configure the IPsec phase2 interface:


config vpn ipsec phase2-interface
edit "test_qkd"
set phase1name "test_qkd"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set dhgrp 20 21
set addke1 35
next
end

2. Configure FGT-D:
a. Configure the QKD profile:
config vpn qkd
edit "qkdtest"
set server "10.1.100.9"
set port 8989
set id "123456"
set peer "qkdtest"
next
end

b. Configure the IPsec phase1 interface:


config vpn ipsec phase1-interface
edit "test_qkd"
set interface "test_qkd"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dhgrp 21
set addke1 1080
set qkd require
set qkd-hybrid require
set qkd-profile "qkdtest"
set remote-gw 11.101.1.1
set psksecret **********
next
end

c. Configure the IPsec phase2 interface:


config vpn ipsec phase2-interface
edit "test_qkd"
set phase1name "test_qkd"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set dhgrp 20 21
set addke1 35
next
end

To verify the configuration on FGT-A:

1. Generate traffic between PC1 and PC4.


2. Verify the IPsec phase1 interface status:
# diagnose vpn ike gateway list
vd: root/0
name: test_qkd
version: 2
interface: port9 15
addr: 11.101.1.1:500 -> 173.1.1.1:500
tun_id: 173.1.1.1/::173.1.1.1
remote_location: 0.0.0.0
network-id: 0

transport: UDP
created: 1557s ago
peer-id: 173.1.1.1
peer-id-auth: no
pending-queue: 0
PPK: no
IKE SA: created 1/18 established 1/18 time 0/2/10 ms
IPsec SA: created 1/33 established 1/18 time 0/16/20 ms

id/spi: 67 bc882e536cbc7f1d/ede854f1e0dc71bb
direction: responder
status: established 17-17s ago = 0ms
proposal: aes128-sha256
child: yes
SK_ei: 4e415c84e086e980-059f1be89239ec30
SK_er: fb14db5b3718dad4-e7f5158308ba00c0
SK_ai: 8894937bd4e66304-a5c64941dc08d544-c7d725408247cfc4-489a292a3fb44b51
SK_ar: 0bbf85dcd9daaa1b-1f1e04318b69aaae-befc871e40f9ab4c-0d005f0f980a3d60
message-id sent/recv: 0/1
QKD: yes
PQC-KEM (IKE): yes
PQC-KEM (all IPsec): yes
lifetime/rekey: 86400/86112
DPD sent/recv: 00000000/00000000
peer-id: 173.1.1.1

3. Verify the IPsec phase2 interface status:


# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test_qkd ver=2 serial=1 11.101.1.1:0->173.1.1.1:0 nexthop=11.101.1.2 tun_id=173.1.1.1 tun_id6=::173.1.1.1 status=up dst_mtu=1500 weight=1
bound_if=15 real_if=15 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=3 ilast=1270 olast=1270 ad=/0


stat: rxp=69 txp=70 rxb=10420 txb=5880
dpd: mode=off
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=test_qkd proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=18227 type=00 soft=0 mtu=1438 expire=3297/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3329/3600
dec: spi=450287b6 esp=aes key=16 42551cf97c77fb110f44574e0b33b36a
ah=sha1 key=20 640b627fb80f4342a488349bdd35437db381640c
enc: spi=a8a6afc3 esp=aes key=16 238c43ac7ee569c20ba5861fb8336c9a
ah=sha1 key=20 d1226a16bfecb186148aafbce42a5da34e246afb
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=03 npu_rgwy=173.1.1.1 npu_lgwy=11.101.1.1 npu_selid=1 dec_npuid=1 enc_npuid=1

4. Verify the IKE debug messages:

# diagnose debug application ike -1


...
ike V=root:0:64555dc0381b820e/0000000000000000:70: received notify type USE_QKD
ike V=root:0:64555dc0381b820e/0000000000000000:70: received notify type INTERMEDIATE_EXCHANGE_SUPPORTED
ike V=root:0:64555dc0381b820e/0000000000000000:70: incoming proposal:
ike V=root:0:64555dc0381b820e/0000000000000000:70: proposal id = 1:
ike V=root:0:64555dc0381b820e/0000000000000000:70: protocol = IKEv2:
ike V=root:0:64555dc0381b820e/0000000000000000:70: encapsulation = IKEv2/none
ike V=root:0:64555dc0381b820e/0000000000000000:70: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:64555dc0381b820e/0000000000000000:70: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:64555dc0381b820e/0000000000000000:70: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:64555dc0381b820e/0000000000000000:70: type=DH_GROUP, val=ECP521.
ike V=root:0:64555dc0381b820e/0000000000000000:70: type=ADDKE1, val=KYBER512.
...
ike V=root:0:test_qkd:70: process NAT-D
ike V=root:0:test_qkd:70: processing notify type FRAGMENTATION_SUPPORTED
ike V=root:0:test_qkd:70: processing notify type USE_QKD
ike V=root:0:test_qkd:70: responder preparing SA_INIT msg
...
ike V=root:0:test_qkd:70: responder received INTEREMDIATE msg
ike V=root:0:test_qkd:70: processing KE group 1080
ike V=root:0:test_qkd:70: KEM encapsulate okay
ike V=root:0:test_qkd:70: responder INTERMEDIATE send
ike V=root:0:test_qkd:70: construct KE (1080) payload
...
ike V=root:0:test_qkd:73: received followup-ke request
ike V=root:0:test_qkd:73: responder received FOLLOWUP_KE msg
ike V=root:0:test_qkd:73: processing notify type ADDITIONAL_KEY_EXCHANGE
ike V=root:0:test_qkd:73: received ADDKE notify link data size (len=4)
ike V=root:0:test_qkd:73: FOLLOWUP_KE continuation for IKE SA 1d5770c3f3044565/b2cb648b2f8e064d
ike V=root:0:test_qkd:74: KEM encapsulate okay
ike V=root:0:test_qkd:74: responder preparing IKE SA FOLLOWUP_KE message
ike V=root:0:test_qkd:74: construct KE grp (1080) payload
...
ike V=root:0:test_qkd:74::80: QKD responder request '49d2bff4-0e61-11f0-8e8b-6bdf091987ab'
ike V=root:0:test_qkd:74::80: QKD responder key-id '49d2bff4-0e61-11f0-8e8b-6bdf091987ab'
ike V=root:0:test_qkd:74:80: peer proposal:
ike V=root:0:test_qkd:74:80: TSi_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:test_qkd:74:80: TSr_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:test_qkd:74:test_qkd:80: comparing selectors
ike V=root:0:test_qkd:74:test_qkd:80: matched by rfc-rule-2
ike V=root:0:test_qkd:74:test_qkd:80: phase2 matched by subset
ike V=root:0:test_qkd:74:test_qkd:80: accepted proposal:
ike V=root:0:test_qkd:74:test_qkd:80: TSi_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:test_qkd:74:test_qkd:80: TSr_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:test_qkd:74:test_qkd:80: autokey
ike V=root:0:test_qkd:74:test_qkd:80: incoming child SA proposal:
ike V=root:0:test_qkd:74:test_qkd:80: proposal id = 1:
ike V=root:0:test_qkd:74:test_qkd:80: protocol = ESP:
ike V=root:0:test_qkd:74:test_qkd:80: encapsulation = TUNNEL
ike V=root:0:test_qkd:74:test_qkd:80: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:test_qkd:74:test_qkd:80: type=INTEGR, val=SHA
ike V=root:0:test_qkd:74:test_qkd:80: type=DH_GROUP, val=ECP384
ike V=root:0:test_qkd:74:test_qkd:80: type=DH_GROUP, val=ECP521
ike V=root:0:test_qkd:74:test_qkd:80: type=ESN, val=NO
ike V=root:0:test_qkd:74:test_qkd:80: type=ADDKE1, val=ML-KEM-512.
...
ike V=root:0:test_qkd:74:test_qkd:80: ADDKE negotiated
...
ike V=root:0:test_qkd:74: responder received FOLLOWUP_KE msg
ike V=root:0:test_qkd:74: processing notify type ADDITIONAL_KEY_EXCHANGE
ike V=root:0:test_qkd:74: received ADDKE notify link data size (len=4)
ike V=root:0:test_qkd:74: FOLLOWUP_KE continuation for IPsec SA bc870245/c9afa6a8
ike V=root:0:test_qkd:80: KEM encapsulate okay
ike V=root:0:test_qkd:80: responder preparing CHILD SA FOLLOWUP_KE message
ike V=root:0:test_qkd:80: construct KE grp (35) payload

5. Verify the statistics of the QKD profile:


# diagnose vpn ike qkd qkdtest
ike.qkd.server.dns.addrs:
ike.qkd.server.curl.initiator.error.request.send.count: 10
ike.qkd.server.curl.initiator.error.request.send.last.ticks: 4295033761
ike.qkd.server.curl.initiator.error.request.send.last.ago: 1986
ike.qkd.server.curl.initiator.error.request.send.last.local: 2025-04-01 06:12:40 +1200
ike.qkd.server.curl.initiator.error.request.send.last.utc: 2025-03-31 18:12:40
ike.qkd.server.curl.initiator.error.request.send.value: 7
ike.qkd.server.curl.inflight: now 0 max 2 total 48
ike.qkd.server.curl.ssl.verify.count: 3952
ike.qkd.server.curl.ssl.verify.last.ticks: 4295231030
ike.qkd.server.curl.ssl.verify.last.ago: 13
ike.qkd.server.curl.ssl.verify.last.local: 2025-04-01 06:45:33 +1200
ike.qkd.server.curl.ssl.verify.last.utc: 2025-03-31 18:45:33

User and authentication

This section includes information about user and authentication related new features:
l Authentication on page 423

Authentication

This section includes information about authentication related new features:


l Customizable password reuse thresholds on page 423
l Trigger RADIUS authentication with DNS and ICMP queries on page 426
l Authentication sessions preserved after a reboot on page 429
l SCIM server support on page 431
l GUI support for SCIM clients 7.6.1 on page 435
l Bearer token authentication for SCIM 7.6.1 on page 439

Customizable password reuse thresholds

This information is also available in the FortiOS 7.6 Administration Guide:


l Password policy

You can now use a global option to specify how many passwords to save for local users and system administrators, and
then you can specify how many of the saved passwords can be reused. Password history is visible in the backup
configuration.
The config system global command includes a new option:
config system global
set user-history-password-threshold <integer>
end

set user-history-password-threshold <integer>
    Global maximum number of previous passwords saved for each local user and system administrator (3-15, default = 3).

When a password policy is enabled for system administrators, a new option is available:
config system password-policy
set reuse-password-limit <integer>
end

When expire-status and reuse-password are enabled in the password policy for a local user, a new option is
available:

config user password-policy
edit <ID>
set reuse-password-limit <integer>
next
end

set reuse-password-limit <integer>
    Number of times the password for system administrators or local users can be reused (0 - 20, default = 0). If set to 0, the password can be reused an unlimited number of times. Cannot exceed the global user-history-password-threshold.

For existing password policies, the new options are disabled by default after upgrading to FortiOS 7.6.0 or later.

To create a password policy for a local user:

Multiple password policies can be created and applied to different local user accounts.
1. Configure a global password history limit.
In this example, the global policy is to save three passwords for each local user and system administrator.
config system global
set user-history-password-threshold 3
end

2. Configure a password policy for local users:


a. Before you can configure the password limit, enable expire-status and reuse-password.
config user password-policy
edit 1
set expire-status enable
set reuse-password enable
next
end

b. Specify the maximum number of times a user can reuse a password.


In this example, the reuse-password-limit is set to 1, which means one of the globally-set three saved
passwords can be reused.
config user password-policy
edit 1
set reuse-password-limit 1
next
end

3. Assign the password policy to a local user.


In this example, password policy 1 is assigned to local user local2.
config user local
edit "local2"
set type password
set passwd-policy "1"
set passwd ********
next
end

4. Add the local user to a firewall policy, an SSL VPN policy, or to FortiGate user groups used in policies.

Before the password for the local user expires, the FortiOS GUI provides the option to change the password during login
or skip the password change.

If the password for the local user has expired, the FortiOS GUI provides the option to change the password during login.
When the local user enters a password that adheres to the policy, the login continues. If the new password has been
used too many times before, a warning message is displayed.

To create a password policy for all system administrators:

The password policy applies to all administrator accounts when enabled, including the built-in admin account named
admin. If an existing system administrator account fails to comply with the enabled password policy, the administrator is
forced to change the password at the next login.
1. Configure a global password history limit.
In this example, the global policy is to save three passwords for each local user and system administrator.
config system global
set user-history-password-threshold 3
end

2. Configure a password policy for system administrators:


a. Enable the password policy.
config system password-policy
set status enable
end

b. Enable the expire status and set the password reuse limit.
In this example, the reuse-password-limit is set to 1, which means one of the globally-set three saved
passwords can be reused.
config system password-policy
set expire-status enable
set expire-day 3
set reuse-password-limit 1
end

When a password policy is enabled, and passwords for existing system administrators fail to comply with the new policy,
the Change Password dialog box is displayed to communicate the policy requirements and prompt the password
change.

After the system administrator password expires, the Change Password dialog box is displayed after the system
administrator logs in to prompt the password change:

Trigger RADIUS authentication with DNS and ICMP queries

This information is also available in the FortiOS 7.6 Administration Guide:


l Trigger RADIUS authentication with DNS and ICMP queries

DNS and ICMP queries can now trigger RADIUS authentication. Some RADIUS clients, such as VoIP gateways or servers,
cannot trigger authentication with HTTP, HTTPS, or Telnet traffic alone. Without RADIUS authentication there is no
RADIUS accounting, which can be required in some circumstances.
In this example, a Client PC is used as a VoIP gateway.

To configure FGT-B:

1. Configure a RADIUS user:


config user radius
edit "FreeRADIUS"
set server "172.18.60.203"
set secret **********
set acct-interim-interval 600
set auth-type pap
set password-renewal disable
config accounting-server
edit 1
set status enable
set server "172.18.60.203"
set secret **********
next
end
next
end

2. Find the MAC address on the interface. In the RADIUS accounting start message it will be the Called-Station-Id.
# get hardware nic port10 | grep HW
Current_HWaddr 80:80:2c:a3:50:f3
Permanent_HWaddr 80:80:2c:a3:50:f3

3. Add the RADIUS user to a group:


config user group
edit "remote-radius"
set member "FreeRADIUS"
next
end

4. Configure the interface:


config system interface
edit "port10"
set vdom "root"
set ip 10.1.100.8 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
set security-mode captive-portal
set security-ip-auth-bypass enable
set security-groups "remote-radius"
set device-identification enable
set snmp-index 12
config ipv6
set ip6-address 2008::8/64
set ip6-allowaccess ping https http
end
next
end

5. Configure a policy:
config firewall policy
edit 1
set name "pol1"
set srcintf "port10"
set dstintf "port9"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "custom-deep-inspection"
set av-profile "default"
set logtraffic all
set nat enable
set groups "remote-radius"
set radius-ip-auth-bypass enable
next
end

To test the configuration:

1. Trigger RADIUS authentication on the Client PC using the ip-auth-bypass feature configured on the FortiGate.
This can be done by either:
l Pinging any external resource (ICMP query).
l Connecting to an external webpage using an FQDN URL in a browser with an empty cache, which requires a
new DNS query.
The FortiGate will use the Client PC IP address as the credentials for authentication. If successful, this will be
followed by a RADIUS accounting start message.
2. On FGT-B, check the local firewall authentication list.
The RADIUS user that is used for ip-auth-bypass is the IP address of the Client PC. The source MAC address is
the MAC address of the Client PC.
# diagnose firewall auth list

10.1.100.188, 10.1.100.188
src_mac: 00:0c:29:44:be:b9
type: fw, id: 0, duration: 16, idled: 10
expire: 284, allow-idle: 300, max-life: 2384
flag(14): hard radius
server: FreeRADIUS
packets: in 4 out 5, bytes: in 1105 out 1044
group_id: 5
group_name: remote-radius

----- 1 listed, 0 filtered ------

3. Check the RADIUS accounting start messages in the traffic between FGT-B and the RADIUS server. The MAC
address of FGT-B is the Called-Station-Id, and the IP address of the Client PC is the User-Name.
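A defender-side check of the accounting message described in step 3, as an added example that is not FortiOS code: it builds an RFC 2866 Accounting-Request with the Client PC IP as User-Name and the FortiGate MAC as Called-Station-Id, then validates the Request Authenticator against the shared secret, which is how a wrong secret or a tampered attribute list is detected. The secret, session ID and attribute set are constructed for the example; the IP and MAC are the ones shown in the outputs above.

```python
# Added example (not FortiOS code): builds and verifies a RADIUS Accounting-Request
# (RFC 2866) of the kind FGT-B sends after ip-auth-bypass authenticates the Client PC:
# User-Name carries the Client PC IP address, Called-Station-Id the FortiGate MAC.
import hashlib
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, CALLED_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 30, 40, 44
ACCT_STATUS_START = 1
NAMES = {USER_NAME: "User-Name", CALLED_STATION_ID: "Called-Station-Id",
         ACCT_STATUS_TYPE: "Acct-Status-Type", ACCT_SESSION_ID: "Acct-Session-Id"}


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV encoding: Type (1 byte), Length (1 byte, includes the 2 header bytes), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_start(identifier: int, client_ip: str, fortigate_mac: str,
                           session_id: str, secret: bytes) -> bytes:
    """Accounting-Request with Acct-Status-Type = Start, as sent after ip-auth-bypass."""
    attrs = (attribute(USER_NAME, client_ip.encode())
             + attribute(CALLED_STATION_ID, fortigate_mac.encode())
             + attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
             + attribute(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over the packet with a zeroed authenticator
    # field, followed by the shared secret (accounting carries no User-Password).
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    """Decode the attribute list into {name: value}; integers for Acct-Status-Type."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + length]
        name = NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type == ACCT_STATUS_TYPE:
            attrs[name] = struct.unpack("!I", value)[0]
        else:
            attrs[name] = value.decode(errors="replace")
        pos += length
    return attrs


def verify_accounting_request(packet: bytes, secret: bytes):
    """Return (authenticator_ok, attributes). A wrong secret or any change to the
    attributes after signing makes authenticator_ok False."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return authenticator == expected, parse_attributes(attrs)


if __name__ == "__main__":
    # Constructed values based on the page's example: the Client PC IP seen in
    # `diagnose firewall auth list` and the port10 MAC from `get hardware nic port10`.
    pkt = build_accounting_start(7, "10.1.100.188", "80:80:2c:a3:50:f3", "0001", b"sharedsecret")
    print(verify_accounting_request(pkt, b"sharedsecret"))
```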

Authentication sessions preserved after a reboot

This information is also available in the FortiOS 7.6 Administration Guide:


l Preserve authentication sessions after reboot

FortiGate models with a log disk can preserve authentication sessions across a firewall reboot. This eliminates the need
to reauthenticate after rebooting, enhancing the user experience.
When session authentication backup is enabled, authenticated sessions are backed up at the configured interval. By
default, session authentication backup is disabled.
config system global
set auth-session-auto-backup {enable | disable}
set auth-session-auto-backup-interval {1min | 5min | 15min | 30min | 1hr}
end

auth-session-auto-backup {enable | disable}
    Enable/disable automatic and periodic backup of authentication sessions (default = disable). Sessions are restored upon bootup.
auth-session-auto-backup-interval {1min | 5min | 15min | 30min | 1hr}
    Configure the automatic authentication session backup interval (default = 15min).

To configure and test authentication session backup:

1. Enable authentication backup at a one minute interval:


config system global
set auth-session-auto-backup enable
set auth-session-auto-backup-interval 1min
end

2. Authenticate with valid user credentials on a PC and start communicating with an external resource.
3. On the FortiGate, check that current sessions are backed up correctly:
2024-07-11 06:47:24 vd_name:root logon_total:1 num: 1.
2024-07-11 06:47:24 [get_auth_backup_file:107]: Temp json file path: /var/log/auth/auth_ses.json.tmp
2024-07-11 06:47:24 [authd_json_session_backup:367]: Authenticated sessions are backed up.
2024-07-11 06:47:24 [crypto_free:216]: [crypto_free:216]: (./migbase/osapi/rnd.c:266)
2024-07-11 06:47:24 [crypto_free:216]: [crypto_free:216]: (crypto/threads_pthread.c:147)
...
2024-07-11 06:48:24 authd_timer_run: 1 expired
2024-07-11 06:48:24 authd_epoll_work: timeout 2990
2024-07-11 06:48:24 authd_json_backup_logon user:test1, duration:172 idled:0 expire:300
2024-07-11 06:48:24 authd_json_backup_groups id:2, group:ldap-group
2024-07-11 06:48:24 vd_name:root logon_total:1 num: 1.
2024-07-11 06:48:24 [get_auth_backup_file:107]: Temp json file path: /var/log/auth/auth_ses.json.tmp
2024-07-11 06:48:24 [authd_json_session_backup:367]: Authenticated sessions are backed up.
2024-07-11 06:48:24 [crypto_free:216]: [crypto_free:216]: (./migbase/osapi/rnd.c:266)

4. Check users in the authentication list:


# diagnose firewall auth list
10.1.100.188, test1
src_mac: 00:0c:29:44:be:b9
type: fw, id: 0, duration: 139, idled: 3
expire: 297, allow-idle: 300
server: ad-ldap
packets: in 8817 out 7084, bytes: in 10641897 out 516250
group_id: 2
group_name: ldap-group

----- 1 listed, 0 filtered ------

5. Restart the FortiGate.


6. Check users in the authentication list again:
# diagnose firewall auth list
10.1.100.188, test1
src_mac: 00:0c:29:44:be:b9
type: fw, id: 0, duration: 9, idled: 4
expire: 296, allow-idle: 300
server: ad-ldap
packets: in 75 out 60, bytes: in 48854 out 10006
group_id: 2
group_name: ldap-group

----- 1 listed, 0 filtered ------

The same user is still authorized after the reboot.

SCIM server support

This information is also available in the FortiOS 7.6 Administration Guide:


l SCIM servers

System for Cross-domain Identity Management (SCIM) is an open-standard protocol that facilitates the exchange of
identity data between platforms. In a business environment with a large number of employees and hundreds of cloud
applications, manual provisioning can be challenging and susceptible to errors. By automating user provisioning, SCIM
greatly minimizes the time, effort, and cost involved in managing user life cycles.
See the following RFCs for more information:
l RFC 7642: definitions, overview, concepts, and requirements.
l RFC 7643: the core schema.
l RFC 7644: the protocol.
SCIM is based on a client-server model where the client is usually an identity provider (IdP) that maintains a directory of
user identities, and the server is typically a service provider (SP). The client sends user and group information to the
server, enabling automatic provisioning of users and groups between the SP and IdP.
FortiOS 7.6.0 supports SCIM servers. This enhancement allows FortiGate to communicate with an Identity Provider
(IdP) using the SCIM 2.0 protocol, which facilitates the automatic provisioning of users and groups on FortiGate. Once
users and groups are provisioned on FortiGate, they can be used with SAML to provide user authentication.
The config system global command includes new SCIM settings:
config system global
set scim-http-port <integer>
set scim-https-port <integer>
set scim-server-cert <string>
end

scim-http-port <integer>
    Specify the port on which the SCIM server will listen for HTTP requests (default = 44558).
scim-https-port <integer>
    Specify the port on which the SCIM server will listen for HTTPS requests (default = 44559).
scim-server-cert <string>
    Specify the certificate that will be used if the HTTPS protocol is being used to communicate with the SCIM client. The certificate used by FortiGate must be trusted by the SCIM client.

To allow SCIM access in the GUI:

1. Go to Network > Interfaces.


2. Create or edit an interface.

3. In the Administrative Access section, select SCIM.


4. Click OK.

To allow SCIM access in the CLI:

config system interface
edit <name>
append allowaccess scim
next
end

To configure SCIM client entries in the CLI:

config user scim
edit <name>
set status {enable | disable}
set base-url <string>
set client-authentication-method {token | base}
set client-secret-token <string>
set certificate <name>
set client-identity-check {enable | disable}
next
end

status {enable | disable}
    Enable/disable System for Cross-domain Identity Management (SCIM).
base-url <string>
    Server URL to receive SCIM create, read, update, and delete (CRUD) requests. FortiGate will communicate with the SCIM client based on the protocol specified in base-url.
client-authentication-method {token | base}
    Specify the TLS client authentication methods (default = token).
certificate <name>
    The certificate sent by the SCIM client during the TLS handshake. Applies when HTTPS is used for communication. FortiGate must have the corresponding Certificate Authority (CA) certificate installed.
client-identity-check {enable | disable}
    Enable/disable client identity check (default = disable). When enabled, FortiOS will check the Subject Alternative Name (SAN) field of the SCIM client certificate, which must contain a correct FQDN or URL.

To add SCIM client to SAML server configuration:

config user saml
edit <name>
set scim-client <name>
next
end

Example

In this example, FortiGate is configured as the SCIM server (SP), and FortiAuthenticator is configured as the SCIM client
(IdP). Two groups are configured on FortiAuthenticator: IT and Pochiya clan. The groups contain the following
users:
l The IT group contains three users: admin, sk, and sy.
l The Pochiya clan group contains two users: naynay and kiki.
Upon successful configuration, users and groups are provisioned on FortiGate. This setup can leverage SAML to
provide access to authenticated users.

To configure FortiGate as a SCIM server:

1. Allow SCIM access on an interface:


config system interface
edit port2
append allowaccess scim
next
end

2. Specify the SCIM server certificate:


config system global
set scim-server-cert "SCIM-Demo-CA-SSL"
end

3. Configure SCIM client entries:


config user scim
edit "SCIM-server-to-FAC"
set status enable
set base-url "https://10.88.0.254/scim/v2"
set client-authentication-method base
set client-secret-token "**********"
set certificate "REMOTE_Cert_2"
set client-identity-check enable
next
end

To configure FortiAuthenticator as a SCIM client:

1. On FortiAuthenticator, use your admin account to log in.
2. Click Authentication > SCIM > Service Provider.
3. Click Create New, and configure the following settings:

Name             Test-SCIM
SCIM endpoint    https://10.88.0.254:44559/scim/v2
Access token     **********

4. Configure the remaining settings as required, and click Save.


5. Once the setting is saved, double-click the newly created entry to open the settings pane, and click Sync to
automatically add existing users to the SCIM server.
See Service providers for more information.

The SCIM endpoint and access token must match the base-url and client-secret-token, respectively, as configured
on the FortiGate.
Furthermore, an initial synchronization is necessary to commence provisioning for the first time. However, when
alterations to identities occur in the IdP, including creation, updating, and deletion, these changes are automatically
synchronized with the SP in accordance with the SCIM protocol.

To verify whether users and groups are provisioned on FortiGate:

# diagnose test scim list-clients


There are 1 clients in vdom.
id:1 name:SCIM-server-to-FAC

# diagnose test scim list-groups SCIM-server-to-FAC

IT
pochiya clan
total:2

# diagnose test scim list-users SCIM-server-to-FAC

admin
kiki
naynay
sk
sy

To add a SCIM client to a SAML server configuration:

config user saml
edit "SCIM-SAML"
set scim-client "SCIM-server-to-FAC"
next
end

To modify the SAML user group used in the firewall policy:

The configuration in this topic incorporates all the SCIM groups configured on FortiAuthenticator and enables all users to
authenticate. However, if you want to limit authentication to users who belong to specific groups, such as the IT group,
the following additional configuration is necessary:
config user group
edit saml-scim
set member "SCIM-SAML"
config match
edit 1
set server-name "SCIM-SAML"
set group-name "IT"
next
end
next
end

For brevity, only the commands relevant to this enhancement are included. See SAML for
more information about configuring SP and IdP.
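A minimal model of the SCIM 2.0 server role FortiGate takes here, as an added example that is not FortiOS code: it checks the bearer token against the pre-shared client secret in constant time, accepts RFC 7643 User and Group resources, and replays the IT and Pochiya clan provisioning from the example above so the listings match `diagnose test scim list-users` and `list-groups`. The handled operations, URL paths and internal ID scheme are assumptions for illustration.

```python
# Added example (not FortiOS code): a small model of the SCIM 2.0 server (SP) side,
# handling the User and Group resources an IdP such as FortiAuthenticator pushes
# (RFC 7643 schemas, RFC 7644 operations), authenticated with a pre-shared token.
import hmac
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


class ScimServer:
    def __init__(self, client_secret_token: str):
        # Equivalent of `set client-secret-token` with client-authentication-method token.
        self._token = client_secret_token
        self.users = {}    # id -> userName
        self.groups = {}   # id -> {"displayName": str, "members": set of user ids}
        self._next_id = 1

    def _authorize(self, headers: dict) -> None:
        """Bearer <token> must equal the pre-shared secret; compared in constant time."""
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(presented, self._token):
            raise PermissionError("401 Unauthorized")

    def _new_id(self) -> str:
        rid, self._next_id = str(self._next_id), self._next_id + 1
        return rid

    def handle(self, method: str, path: str, headers: dict, body: str = "") -> dict:
        """Dispatch POST /Users, POST /Groups and DELETE /Users/{id} (assumed subset)."""
        self._authorize(headers)
        resource = json.loads(body) if body else {}
        if method == "POST" and path == "/Users":
            if USER_SCHEMA not in resource.get("schemas", []):
                raise ValueError("400 invalid schema")
            rid = self._new_id()
            self.users[rid] = resource["userName"]
            return {"schemas": [USER_SCHEMA], "id": rid, "userName": resource["userName"]}
        if method == "POST" and path == "/Groups":
            if GROUP_SCHEMA not in resource.get("schemas", []):
                raise ValueError("400 invalid schema")
            members = {m["value"] for m in resource.get("members", [])}
            unknown = members - self.users.keys()
            if unknown:   # members must reference already-provisioned users
                raise ValueError(f"400 unknown member ids {sorted(unknown)}")
            rid = self._new_id()
            self.groups[rid] = {"displayName": resource["displayName"], "members": members}
            return {"schemas": [GROUP_SCHEMA], "id": rid, "displayName": resource["displayName"]}
        if method == "DELETE" and path.startswith("/Users/"):
            uid = path[len("/Users/"):]
            del self.users[uid]
            for g in self.groups.values():   # deprovisioning also drops group membership
                g["members"].discard(uid)
            return {}
        raise ValueError("404 unsupported operation")

    def list_users(self) -> list:    # what `diagnose test scim list-users` shows
        return sorted(self.users.values())

    def list_groups(self) -> list:   # what `diagnose test scim list-groups` shows
        return sorted(g["displayName"] for g in self.groups.values())

    def members_of(self, display_name: str) -> list:
        for g in self.groups.values():
            if g["displayName"] == display_name:
                return sorted(self.users[u] for u in g["members"])
        return []


def provision_page_example(token: str = "constructed-secret") -> ScimServer:
    """Replays the page's example: IT (admin, sk, sy) and Pochiya clan (naynay, kiki)."""
    srv = ScimServer(token)
    hdr = {"Authorization": f"Bearer {token}"}
    ids = {}
    for name in ("admin", "sk", "sy", "naynay", "kiki"):
        body = json.dumps({"schemas": [USER_SCHEMA], "userName": name})
        ids[name] = srv.handle("POST", "/Users", hdr, body)["id"]
    for group, names in (("IT", ("admin", "sk", "sy")), ("Pochiya clan", ("naynay", "kiki"))):
        body = json.dumps({"schemas": [GROUP_SCHEMA], "displayName": group,
                           "members": [{"value": ids[n]} for n in names]})
        srv.handle("POST", "/Groups", hdr, body)
    return srv


if __name__ == "__main__":
    s = provision_page_example()
    print(s.list_groups(), s.list_users(), s.members_of("IT"))
```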

GUI support for SCIM clients - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


l SCIM servers

GUI support is added for SCIM clients. System for Cross-domain Identity Management (SCIM) is an open-standard
protocol that facilitates the exchange of identity data between platforms. See SCIM server support on page 431 for more
information.

To specify the SCIM server certificate and HTTP(S) port in the GUI:

1. Go to System > Settings.


2. In the SCIM Settings section, configure the HTTP port, HTTPS port, and Server certificate as required.
3. Click Apply.

To configure SCIM clients in the GUI:

1. Go to User & Authentication > SCIM Clients, and click Create New.
2. Set Status to Enabled, enter a Name, then configure the remaining settings as needed.
3. Click OK.

To add a SCIM client to SAML server configuration in the GUI:

1. Go to User & Authentication > Single Sign-On and edit an existing entry or click Create New to create a new single
sign-on.
2. In the Additional SAML Attributes section, enable SCIM client and select a SCIM client.
3. Click OK.

Example

In this example, FortiGate is configured as the SCIM server (SP), and FortiAuthenticator is configured as the SCIM client
(IdP). Two groups are configured on FortiAuthenticator: IT and Pochiya clan. The groups contain the following
users:
l The IT group contains three users: admin, sk, and sy.
l The Pochiya clan group contains two users: naynay and kiki.
Upon successful configuration, users and groups are provisioned on FortiGate. This setup can leverage SAML to
provide access to authenticated users.

To configure FortiGate as a SCIM server in the GUI:

1. Allow SCIM access on an interface:
a. Go to Network > Interfaces and edit the interface.
b. In the Administrative Access section, select SCIM.

c. Click OK.
2. Specify the SCIM server certificate:
a. Go to System > Settings.
b. In the SCIM Settings section, set Server certificate.

c. Click Apply.
3. Configure SCIM client entries:
a. Go to User & Authentication > SCIM Clients, and click Create New.
b. Set Status to Enabled, enter a Name, then configure the remaining settings as needed.

c. Click OK.

To configure FortiAuthenticator as a SCIM client:

1. On FortiAuthenticator, use your admin account to log in.
2. Click Authentication > SCIM > Service Provider.
3. Click Create New, and configure the following settings:

Name             Test-SCIM
SCIM endpoint    https://10.88.0.254:44559/scim/v2
Access token     **********

4. Configure the remaining settings as required, and click Save.


5. Once the setting is saved, double-click the newly created entry to open the settings pane, and click Sync to
automatically add existing users to the SCIM server.
See Service providers for more information.

The SCIM endpoint and access token must match the base-url and client-secret-token, respectively, as configured
on the FortiGate.
Furthermore, an initial synchronization is necessary to commence provisioning for the first time. However, when
alterations to identities occur in the IdP, including creation, updating, and deletion, these changes are automatically
synchronized with the SP in accordance with the SCIM protocol.

To verify whether users and groups are provisioned on FortiGate:

# diagnose test scim list-clients


There are 1 clients in vdom.
id:1 name:SCIM-server-to-FAC

# diagnose test scim list-groups SCIM-server-to-FAC

IT
pochiya clan
total:2

# diagnose test scim list-users SCIM-server-to-FAC

admin
kiki
naynay
sk
sy

To add a SCIM client to SAML server configuration in the GUI:

1. Go to User & Authentication > Single Sign-On and edit an existing entry or click Create New to create a new single
sign-on.
2. In the Additional SAML Attributes section, enable SCIM client and select the SCIM client.

3. Click OK.

To modify the SAML user group used in the firewall policy in the GUI:

The configuration in this topic incorporates all the SCIM groups configured on FortiAuthenticator and enables all users to
authenticate. However, if you want to limit authentication to users who belong to specific groups, such as the IT group,
the following additional configuration is necessary:
1. Go to User & Authentication > User Groups and click Create New. Firewall is selected as the default Type.
2. Enter the group name, such as saml-scim.
3. In the Remote Groups section, click Add.
4. Set Remote Server to the SAML user, SCIM-SAML.
5. For the Groups, select Specify, then click the text box to see the groups pulled from SCIM client as Suggestions.

6. Select the required group then click OK.


Bearer token authentication for SCIM - 7.6.1

In addition to the existing pre-shared secret, bearer token authentication is now supported for SCIM to improve
security between the SCIM server and client. Bearer tokens generated by FortiOS can be temporary, to minimize the
risk of unauthorized access and adhere to modern security standards; a long-lived token can also be configured.
Additionally, a new option is added to verify the token from the SCIM client.
A new execute gen-token command is available to generate the bearer token. This command is available for each
VDOM.
execute gen-token <type> <string> <algorithm> <expire>

<type>        Type for token generation:
              l cert: certificate
              l key: pre-shared key
<string>      Name of the certificate or pre-shared key for token generation.
<algorithm>   Algorithm for token generation. Ensure that the signing algorithm supports the type.
              Available algorithms:
              l When the type is cert: RS256, RS384, RS512, ES256, ES384, or ES512.
              l When the type is key: HS256, HS384, or HS512.
<expire>      Expire interval, in hours (1 - 32767, 0 = long lived).
              When the token expires, administrators must manually generate another token on
              FortiGate and copy it to the SCIM client.

A new attribute is added to config user scim to specify a certificate name:

config user scim
edit <name>
set token-certificate <name>
next
end

set token-certificate <name>    Name of certificate used to verify bearer token.

The following attributes for config user scim also changed:


l The attribute client-secret-token changed to secret.
l The attribute client-authentication-method changed to auth-method.

Example

This example shows how to generate a certificate type of bearer token and configure verification of the bearer token.
When generating a bearer token on FortiGate, remember:
l You can use any of the built-in or custom certificates available in the local certificate store.
l You must select a signing algorithm that supports the certificates.


l When the bearer token expires, the administrator must manually generate a new bearer token on FortiGate and
copy the token to the SCIM client.

To generate a bearer token:

1. Enter execute gen-token cert to display the list of certificates available in the local certificate store:
Custom and built-in certificates are displayed, and either can be used to generate tokens. In this example,
FGT401E-II-SAN-all is a custom certificate, and Fortinet_CA_SSL is a built-in certificate.
# execute gen-token cert
<string> Certificate or preshared-key for token generation.
Available certificates:
FGT401E-II-SAN-all local
Fortinet_CA_SSL local
Fortinet_CA_Untrusted local "
Fortinet_Factory local "
Fortinet_Factory_Backup local
Fortinet_GUI_Server local "
Fortinet_SSL local
Fortinet_SSL_DSA1024 local
Fortinet_SSL_DSA2048 local
Fortinet_SSL_ECDSA256 local
Fortinet_SSL_ECDSA384 local
Fortinet_SSL_ECDSA521 local
Fortinet_SSL_ED448 local
Fortinet_SSL_ED25519 local
Fortinet_SSL_RSA1024 local
Fortinet_SSL_RSA2048 local
Fortinet_SSL_RSA4096 local

2. Enter ? to display additional information:


# execute gen-token cert
Please specify <certificate or preshared-key> <algorithm> <expire>.

3. Enter the certificate name and ? to display additional information:


In this example, the FGT401E-II-SAN-all certificate is specified.
# execute gen-token cert FGT401E-II-SAN-all
<Algorithm> Algorithm for token generation.
Please ensure that the signing algorithm matches the type of certificate and its
corresponding private key.
Available Algorithms:
RS256, RS384, RS512, ES256, ES384, ES512 for cert.
HS256, HS384, HS512 for key.

4. Enter the algorithm and ? to display additional information:


In this example, the RS256 algorithm is specified.
# execute gen-token cert FGT401E-II-SAN-all RS256
<Expire> Expire interval in hours, 0 for long live token.

5. Enter the expiration value:


In this example, no expiration time (0) is specified.
# execute gen-token cert FGT401E-II-SAN-all RS256 0

The following values display after successful token generation:


Added key:iat val:1732547333


Generated token:eyAidHlwIjogIkpXVCIsICJhbGciOXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

6. Copy the Generated token to your SCIM client.


l On FortiAuthenticator, the generated token is called an access token.
l For Azure, the generated token is called a secret token.

To configure verification of the bearer token:

1. Configure the certificate name or pre-shared key to use for verification of the bearer token.
In this example, a certificate (cert) type of bearer token is configured. You must specify the same certificate used
to generate the bearer token:
config user scim
edit "SCIM-server-to-FAC"
set id 1
set status enable
set base-url "https://10.1.100.7/SCIM-server-to-FAC/scim/v2/"
set auth-method token
set token-certificate "FGT401E-II-SAN-all"
set certificate "REMOTE_Cert_1"
set client-identity-check disable
next
end

When using a pre-shared key (key), you must specify the same value used to generate the bearer token, for
example:
config user scim
edit "SCIM-server-to-FAC"
set id 1
set status enable
set base-url "https://10.1.100.8/SCIM-server-to-FAC/scim/v2/"
set auth-method token
set secret ENC mSoyZXvQ/tM1v1VOuS31DOrCZRNQ383JiXXXXXXXXXXXXXXXXXXXXX
set certificate "REMOTE_Cert_2"
set client-identity-check disable
next
end
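The token that execute gen-token prints is a JWT (decoding the start of the Generated token shown above yields { "typ": "JWT", "alg"). The following added example, which is not FortiOS code, mints and verifies an HS256 token with the same expire semantics as execute gen-token key <name> HS256 <expire> (an iat claim plus an exp claim <expire> hours later, or no exp when expire is 0); the claim names follow RFC 7519 and are an assumption, since the page does not document the claims FortiOS places in its token, and the pre-shared key value is constructed.

```python
"""HS256 bearer token generation and verification mirroring the <expire>
semantics of `execute gen-token key <name> HS256 <expire>`.
Added example, not FortiOS code: the claims (`iat`, `exp`) are an assumption
taken from RFC 7519; the page does not document the claims FortiOS uses."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MAX_EXPIRE_HOURS = 32767  # range documented for <expire>


def b64url_encode(data: bytes) -> str:
    """JWT segments use unpadded base64url (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def gen_token(secret: bytes, expire_hours: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT; `now` lets the caller pin the issue time for testing."""
    if not 0 <= expire_hours <= MAX_EXPIRE_HOURS:
        raise ValueError("expire must be 0 (long lived) or 1-32767 hours")
    iat = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iat": iat}
    if expire_hours:  # 0 means long lived: no exp claim at all
        claims["exp"] = iat + expire_hours * 3600
    signing_input = b64url_encode(_compact(header)) + "." + b64url_encode(_compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Server-side check: return the claims, or raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def peek_header(token_prefix: str) -> str:
    """Decode the first (header) segment of a token. Works on the prefix of the
    Generated token shown in the gen-token output above."""
    return b64url_decode(token_prefix.split(".")[0]).decode("utf-8", "replace")


if __name__ == "__main__":
    key = b"constructed-pre-shared-key"  # stands in for the named FortiOS key
    tok = gen_token(key, expire_hours=24, now=1732547333)  # iat value from the page
    print(tok)
    print(verify_token(tok, key, now=1732547333 + 3600))
    print(peek_header("eyAidHlwIjogIkpXVCIsICJhbGci"))
```

Verification rejects both a tampered signature and an exp that has passed, which is exactly why an expired token has to be regenerated on the FortiGate and copied to the client again.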

LAN Edge

This section includes information about LAN Edge related new features:
l Wireless on page 442
l Switch controller on page 482
l FortiExtender on page 498

Wireless

This section includes information about wireless related new features:


l Support the 802.11mc protocol in FortiAP on page 442
l Support OpenRoaming Standards on FortiAP on page 445
l Support segregating WLAN traffic on FortiAPs operating in WAN-LAN mode on page 447
l Support isolating mDNS traffic on the Bonjour profile on page 450
l Support RADIUS NAS-ID on FortiAPs in standalone mode on page 453
l Improve packet detection on the FortiAP sniffer on page 454
l Support RADSEC on WPA2/WPA3-Enterprise SSID on page 457
l Add GUI support for configuring wireless data rates and sticky client thresholds on page 458
l Support self-registration of MPSKs through FortiGuest on page 461
l Support IKEv2 for FortiAP IPsec data channel management on page 463
l Support WPA3-SAE and WPA3-SAE Transition security modes in MPSK profiles on page 466
l Add Advanced WIDS Options 7.6.1 on page 471
l Support RADSEC on Local Bridge mode captive portals 7.6.1 on page 476
l Add a RADIUS Called Station ID setting 7.6.1 on page 478
l Support remote TACACS access to FortiAP 7.6.1 on page 479
l Support RADIUS Accounting messages over FortiGuest MPSK Authentication 7.6.1 on page 481

Support the 802.11mc protocol in FortiAP

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l Configuring location tracking

This release adds support for the 802.11mc Wi-Fi protocol, which enables supported devices and clients to measure
their distance to nearby Wi-Fi access points. APs act as a Fine Timing Measurement (FTM) responder to time
measurement queries sent from a client.


FortiAP radios can be configured to operate in 802.11mc responder mode, enabling connected devices and clients to
use enhanced location accuracy.

The FortiAP must be running firmware version 7.6.0 or later to support this feature.

The following CLI configuration setting has been added:


config wireless-controller wtp-profile
edit <name>
config radio-1
set 80211mc [enable | disable]
end
next
end

To enable 802.11mc on a FortiAP - CLI:

1. From the FortiGate CLI, enable 80211mc in the FortiAP profile.


config wireless-controller wtp-profile
edit "FAP23JF-default"
config platform
set type 23JF
set ddscan enable
end
set handoff-sta-thresh 55
set allowaccess https ssh snmp
set frequency-handoff enable
set ap-handoff enable
config radio-1
set band 802.11g 802.11n-2G 802.11ax-2G
set auto-power-level enable
set 80211mc enable
set vap-all manual
set vaps "customer_usage"
end
config radio-2
set band 802.11a 802.11n-5G 802.11ac-5G 802.11ax-5G
set 80211mc enable
set vap-all manual
set vaps "customer_usage"
set channel "153"
end
config radio-3
set mode monitor
end
next
end


To verify that 802.11mc is configured on a FortiAP:

1. From the FortiGate, verify that 802.11mc has been successfully enabled.
FortiGate-81E-POE (Interim)# diagnose wireless-controller wlac -c wtp FP23JFTF21000769 | grep 80211mc -B 2
Radio 1 : AP
80211d enable: : enabled
80211mc enable : enabled
--
Radio 2 : AP
80211d enable: : enabled
80211mc enable : enabled

2. From the FortiAP, verify that 802.11mc has been successfully enabled.
FortiAP-23JF # rcfg | grep 802.11mc -B4
Radio 0: AP
country : cfg=US oper=US
countryID : cfg=841 oper=841
802.11d enable : enabled
802.11mc enable : enabled
--
Radio 1: AP
country : cfg=US oper=US
countryID : cfg=841 oper=841
802.11d enable : enabled
802.11mc enable : enabled

3. Using a packet capture tool, check the packet capture result for the customer_usage SSID configured in the FortiAP
profile.

Fine Timing Measurement Responder should be set to True, indicating that the FortiAP supports the 802.11mc
responder mode.


4. Optionally, you can use a scanning app such as Google's WifiRttScan App to scan for nearby Wi-Fi RTT (802.11mc)
capable access points.

Support OpenRoaming Standards on FortiAP

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l Configuring OpenRoaming on FortiAP

This release adds support for the Wireless Broadband Alliance (WBA) OpenRoaming Standards on FortiAPs.
OpenRoaming enhances Wi-Fi management and user experience by automating guest Wi-Fi onboarding, enabling
seamless and secure roaming between Wi-Fi and LTE/5G networks, and providing you with insightful customer
analytics. For example, when implemented in a city, tourists can roam between Wi-Fi networks throughout the city
without manual authentication, enabling them to stay connected while traveling.
The following CLI configuration settings have been added to configure OpenRoaming:
config wireless-controller hotspot20 hs-profile
edit <name>
set roaming-consortium <string>
set wba-open-roaming [enable | disable]
set wba-financial-clearing-provider <string>
set wba-data-clearing-provider <string>
set wba-charging-currency <string>
set wba-charging-rate <integer>
next
end

set wba-open-roaming                  Enable/disable Wireless Broadband Alliance (WBA) OpenRoaming support.
set wba-financial-clearing-provider   WBA ID of financial clearing provider.
set wba-data-clearing-provider        WBA ID of data clearing provider.
set wba-charging-currency             Three letter currency code.
set wba-charging-rate                 Number of currency units per kilobyte (0 to 4294967295).

To enable OpenRoaming on FortiAP - CLI:

1. Create a Hotspot 2.0 Access Network Query Protocol (ANQP) Roaming Consortium profile, and specify the
Organization Identifier (OI) for the device's service provider.
config wireless-controller hotspot20 anqp-roaming-consortium
edit "openroaming"
config oi-list
edit 1
set oi "BAA2D00000"
next
end


next
end

2. Create a Hotspot 2.0 profile and apply the ANQP Roaming Consortium profile you created, and then configure
OpenRoaming options.
config wireless-controller hotspot20 hs-profile
edit "openroaming"
set roaming-consortium "openroaming"
set wba-open-roaming enable
set wba-financial-clearing-provider "RBC"
set wba-data-clearing-provider "444444"
set wba-charging-currency "CAN"
set wba-charging-rate 135
next
end

3. Apply the Hotspot 2.0 profile to a FortiAP SSID.


config wireless-controller vap
edit "40f.ent.radius"
set ssid "radius.openroaming"
set security wpa2-only-enterprise
set auth radius
set radius-server "radius-wifi"
set schedule "always"
set hotspot20-profile "openroaming"
next
end

4. Apply the SSID to a FortiAP profile.


config wireless-controller wtp-profile
edit "831F"
config platform
set type 831F
end
config radio-2
set vap-all manual
set vaps "40f.ent.radius"
end
next
end

5. Apply the FortiAP profile to a FortiAP.


config wireless-controller wtp
edit "FP831FTF21000074"
set admin enable
set wtp-profile "831F"
next
end

6. Using a packet capture tool, verify that OpenRoaming configurations have been successfully applied.
When the client connects to the SSID, the Access-Request from the FortiGate to the RADIUS server includes the
following example OpenRoaming information:


WBA-Offered-Service (Type:26, Vendor ID:14122, Subtype:12),
WBA_FINANCIAL_CLEARING_PROVIDER (Type:26, Vendor ID:14122, Subtype:13),
WBA_DATA_CLEARING_PROVIDER (Type:26, Vendor ID:14122, Subtype:14),
WBA-Linear-Volume-Rate (Type:26, Vendor ID:14122, Subtype:15),
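The attributes above are RADIUS Vendor-Specific Attributes (Type 26, RFC 2865 section 5.26) carrying WBA sub-attributes under Vendor ID 14122. The following added example, which is not FortiOS code, encodes and decodes that layout so the values in a captured Access-Request can be checked against the hs-profile; the subtype numbers and names are from this page, while the value encodings (UTF-8 text for subtypes 12-14, a 32-bit integer for subtype 15) and the sample attribute bytes are assumptions constructed here.

```python
"""Encode/decode RADIUS Vendor-Specific Attributes (Type 26, RFC 2865 5.26)
for the WBA OpenRoaming sub-attributes (Vendor ID 14122, subtypes 12-15).
Added example, not FortiOS code: value encodings and sample bytes are assumed."""
import struct
from typing import List, Tuple, Union

VSA_TYPE = 26
WBA_VENDOR_ID = 14122
WBA_SUBTYPES = {
    12: "WBA-Offered-Service",
    13: "WBA_FINANCIAL_CLEARING_PROVIDER",
    14: "WBA_DATA_CLEARING_PROVIDER",
    15: "WBA-Linear-Volume-Rate",
}
INTEGER_SUBTYPES = {15}  # assumed: wba-charging-rate travels as an unsigned integer


def encode_wba_vsa(subtype: int, value: Union[str, int]) -> bytes:
    """One VSA: Type(1) Length(1) Vendor-Id(4) Vendor-type(1) Vendor-length(1) value."""
    if subtype in INTEGER_SUBTYPES:
        payload = struct.pack("!I", int(value))
    else:
        payload = str(value).encode("utf-8")
    vendor_part = struct.pack("!IBB", WBA_VENDOR_ID, subtype, len(payload) + 2) + payload
    if len(vendor_part) + 2 > 255:
        raise ValueError("attribute too long for a one-byte RADIUS length")
    return struct.pack("!BB", VSA_TYPE, len(vendor_part) + 2) + vendor_part


def decode_wba_vsas(attrs: bytes) -> List[Tuple[str, Union[str, int]]]:
    """Walk a RADIUS attribute list; return (name, value) for each WBA
    sub-attribute and skip everything else. Malformed lengths raise ValueError."""
    found = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != VSA_TYPE or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != WBA_VENDOR_ID:
            continue
        j = 4  # one VSA may carry several vendor sub-attributes back to back
        while j < len(body):
            if j + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute")
            sub, slen = body[j], body[j + 1]
            if slen < 2 or j + slen > len(body):
                raise ValueError("bad vendor sub-attribute length")
            raw = body[j + 2:j + slen]
            j += slen
            if sub in INTEGER_SUBTYPES and len(raw) == 4:
                value = struct.unpack("!I", raw)[0]
            else:
                value = raw.decode("utf-8", "replace")
            found.append((WBA_SUBTYPES.get(sub, f"WBA-subtype-{sub}"), value))
    return found


def build_sample_attrs() -> bytes:
    """Constructed attribute list: a User-Name (Type 1) followed by the WBA values
    from the hs-profile example above (RBC / 444444 / charging rate 135)."""
    user_name = b"openroaming-client"
    attrs = struct.pack("!BB", 1, len(user_name) + 2) + user_name
    attrs += encode_wba_vsa(13, "RBC")
    attrs += encode_wba_vsa(14, "444444")
    attrs += encode_wba_vsa(15, 135)
    return attrs


if __name__ == "__main__":
    for name, value in decode_wba_vsas(build_sample_attrs()):
        print(f"{name}: {value!r}")
```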

Support segregating WLAN traffic on FortiAPs operating in WAN-LAN mode

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l Wireless network with segregated WLAN traffic

This enhancement supports local LAN segregation for FortiAPs operating in WAN-LAN mode. When enabled, wired
clients on the LAN port and wireless clients on the SSID remain within the same layer-2 bridge. Clients can continue to
send and receive data traffic through the same VLAN segment of the FortiAP WAN port, however, their local traffic is
segregated from the FortiAP's WAN side. This feature provides customers with enhanced control over their network
traffic, improving security and network management.
For more information on WAN-LAN mode, refer to LAN port options in the FortiWiFi and FortiAP Configuration Guide.
The following CLI command has been added:
config wireless-controller vap
edit <name>
set local-standalone enable
set local-bridging enable
set local-lan-partition {enable|disable}
next
end


local-lan-partition is only applicable when local-bridging and local-standalone mode are enabled
in the VAP.

Example Use Case

In this example, the customer has two separate networks: CORP and INT. They want to deploy dual LAN FortiAP units
and connect the LAN1 port to the CORP network and the LAN2 port to the INT network.
l Both networks have their own switches, routers, firewalls, policies, and ingress/egress to the internet.
l The FortiGate on the CORP network manages all FortiAPs, with the FortiAPs broadcasting all necessary SSIDs.
l The FortiAP LAN2 port bridges to INTwifi (Standalone mode); it connects to the INT switch and INT wired network to
provide DHCP, gateway, and traffic routing.

The CORP network is a typical WLAN and LAN network. This example focuses on configuring the INT network.

To configure a network for LAN segregation:

1. Configure the bridge-mode VAP for LAN segregation:


config wireless-controller vap
edit "INT"
set ssid "INTwifi"
set passphrase ENC *
set local-standalone enable
set local-lan-partition enable
set local-bridging enable
set local-authentication enable


set schedule "always"


set vlanid 100
next
end

Note: vlanid is used to distinguish the VLAN segregated from the FortiAP WAN port. The SSID and LAN local
bridge traffic have no VLAN tag.
2. Configure the FortiAP unit to operate in WAN-LAN mode, and then bridge the LAN port to the bridge mode VAP. For
more information, refer to LAN port options in the FortiWiFi and FortiAP Configuration Guide.
l From the FortiGate, make the following configurations to bridge the LAN port to the bridge mode VAP:
config wireless-controller wtp-profile
edit "431F"
config platform
set type 431F
set ddscan enable
end
set wan-port-mode wan-lan
config lan
set port-mode bridge-to-ssid
set port-ssid "INT"
end
set handoff-sta-thresh 55
config radio-1
set mode disabled
end
config radio-2
set band 802.11a 802.11n-5G 802.11ac-5G 802.11ax-5G
set channel-bonding 40MHz
set vap-all manual
set vaps "INT" "wifi.fap.01"
set channel "40"
end
config radio-3
set mode monitor
end
next
end

l From the FortiAP, configure the FortiAP to operate in WAN-LAN mode:


FortiAP-431F # cfg -a WANLAN_MODE=WAN-LAN
FortiAP-431F # cfg -c

3. Log into the FortiAP CLI to verify the changes have been successfully made.
FortiAP-431F # wcfg
WTP Configuration
name : FortiAP-431F
......
LAN mode : WAN LAN, ESL
ESL ses-imagotag : scd disabled, conn_state tcp-conn-down compliance level 2,
chan 127, power A, coex 0, apc :0, tls cert enabled fqdn disabled
LAN port cnt : 2
port1-cfg : BR-TO-SSID(3) 0 84:39:8f:88:5d:61 ssid=INTwifi
vlan_tag=0064 flags=0000402b lsw lbr loc_auth st lan_loc
port2-cfg : offline (0)


encrypt_key[0-15] : 16-fa-3b-ec-f7-b5-10-2e-d7-7b-a3-f5-e9-e8-a5-10
encrypt_key[16-31] : ca-28-cc-4f-c1-85-d9-18-0b-a8-9a-1a-cc-6e-9a-f2
syslog conf : disabled server=0.0.0.0():0 log-level=0

4. Verify the settings from the client side:


a. Connect a Wi-Fi client (MAC 1c:87:2c:b7:bc:cc) to the INTwifi SSID. Since there is a DHCP server in the INT
network, it can assign an IP address to the Wi-Fi client.
b. Connect another client (MAC 54:27:1e:e6:43:a7) to the wifi-ssid.fap.01 SSID, the traffic of which is routed
through the FortiAP WAN port.
c. Verify the client status in FortiAP:
FortiAP-431F # usta

WTP daemon STA info:

1/2 1c:87:2c:b7:bc:cc 00:00:00:00:00:00 vId=100 type=wl----sta,loc-auth
vap=wlan11,INTwifi(100) mpsk= ip=10.100.101.22/1 mimo=3 host=wifi1-fap-robot vci=
os=Linux
ip6=fe80::1e87:2cff:feb7:bccc/3 rx=20
replycount=0000000000000002
2/2 54:27:1e:e6:43:a7 00:00:00:00:00:00 vId=0 type=wl----sta,
vap=wlan10,wifi-ssid.fap.01(0) mpsk= ip=10.10.100.22/1 mimo=1 host=wifi2-fap-robot
vci= os=Linux
replycount=0000000000000002

5. Verify that the connected clients can ping the correct networks.
a. Log into a client on the INTwifi network, and run the following command:
wifi1-fap-robot:~# ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.100.101.22 netmask 255.255.255.0 broadcast 10.100.101.255
inet6 fe80::1e87:2cff:feb7:bccc prefixlen 64 scopeid 0x20<link>
ether 1c:87:2c:b7:bc:cc txqueuelen 1000 (Ethernet)
RX packets 1421 bytes 146158 (146.1 KB)
RX errors 0 dropped 0 overruns 0 frame 346
TX packets 1931 bytes 164133 (164.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17

b. Verify that the INTwifi client can ping a LAN PC in the INT network (subnet 10.100.101.0/24).
root@wifi1-fap-robot:~# ping 10.100.101.20
PING 10.100.101.20 (10.100.101.20) 56(84) bytes of data.
64 bytes from 10.100.101.20: icmp_seq=1 ttl=64 time=5.88 ms

c. Verify that the INTwifi client cannot reach the CORP network (subnet 10.10.100.0/24), and vice versa.
root@wifi1-fap-robot:~# ping 10.10.100.22
PING 10.10.100.22 (10.10.100.22) 56(84) bytes of data.
From 10.100.101.1 icmp_seq=1 Destination Net Unreachable

Support isolating mDNS traffic on the Bonjour profile

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l Isolate mDNS traffic on the Bonjour profile


This release enables Bonjour profiles to isolate multicast Domain Name System (mDNS) traffic using the Micro-Location
feature. Micro-Location confines mDNS traffic originating from one location so that it remains isolated from other
locations. In this scenario, "location" is defined by the FortiAP group configured on the FortiGate.
This enables you to confine mDNS traffic within designated areas of the network, specifically targeting the same SSID
and VLAN, on a per-AP or AP group level. For example, you can segregate your FortiAPs by zones such as floor1 or
floor2.
The following CLI command has been added:
config wireless-controller bonjour-profile
edit <name>
set micro-location {enable|disable}
end

To isolate mDNS traffic with Micro-Location:

In this example, there are four FortiAP devices located in two separate locations.

1. Configure a Bonjour profile with a policy list and enable micro-location.


config wireless-controller bonjour-profile
edit "micro-loc"
set micro-location enable
config policy-list
edit 1
set from-vlan "100"
set to-vlan "200"
set services airplay printers chromecast
next
end
next
end

2. Apply the Bonjour profile to a FortiAP profile.


config wireless-controller wtp-profile
edit "FAP231G-default"
config platform
set type 231G
end
set bonjour-profile "micro-loc"
set handoff-sta-thresh 55
config radio-1
set mode disabled
end


config radio-2
set band 802.11a 802.11n-5G 802.11ac-5G 802.11ax-5G
set channel-bonding 40MHz
set vap-all manual
set vaps "wifi.fap.01" "wifi.fap.02"
end
config radio-3
set mode disabled
end
next
end

3. Once the Bonjour profile is added to the FortiAP profile, the Bonjour function determines each FortiAP's location
based on the FortiAP group the device belongs to. Since this example has four FortiAP units located in two places,
you will need to create two FortiAP groups to define each location.
config wireless-controller wtp-group
edit "Loc-1"
set wtps "FP231GTF23042734" "FP231GTF23045868"
next
edit "Loc-2"
set wtps "FP231GTF23046245" "FP231GTF23041369"
next
end

4. From the FortiGate, verify that the configurations have been successfully made.
FortiGate-201E (vdom1) (Interim)# diagnose wireless-controller wlac -c bjprof
BJPROF (001/001) vdom,name: vdom1, micro-loc
refcnt : 2 own(1) wtpprof(1)
deleted : no
Micro location : 1
policy list cnt : 1
policy id: 1 , from_vlan: 100, to_vlan: 200, service: airplay printers
chromecast
wtp cnt : 0

5. From the FortiAPs in each location, verify that the configurations have been successfully made.
l The output for FortiAP 1 and 2:
FAP-1 # cw_diag -c bonjour
Micro location status: Enabled
Micro location name : Loc-1
Bonjour Gateway: Controlled by AC
Configured Bonjour Vlans:
100 ==> 200 services 00002208 airplay printers googlecast
Total 1 Bonjour Vlans
Bonjour Gateway Election Info:
1/1 74:78:a6:98:d9:88 state=oper,305 live=323 age=1
---- 74:78:a6:97:51:c8 state=cap,326
FAP-1 # bjallow
#from_intf to_intf service_name1 service_name2 service_name3
br.100 br.200 tcp _airplay _appletv _raop _sleep-proxy _touch-able _dacp _http _ipp _
pdl-datastream _printer _googlecast _device-info
br.100 br.200 udp _services._dns-sd
micro_location Loc-1

l The output for FortiAP 3 and 4:


FAP-3 # cw_diag -c bonjour


Micro location status: Enabled
Micro location name : Loc-2
Bonjour Gateway: Controlled by AC
Configured Bonjour Vlans:
100 ==> 200 services 00002208 airplay printers googlecast
Total 1 Bonjour Vlans
Bonjour Gateway Election Info:
1/1 74:78:a6:96:a7:28 state=cap,992 live=992 age=0
---- 74:78:a6:99:08:a8 state=oper,975
FAP-3 # bjallow
#from_intf to_intf service_name1 service_name2 service_name3
br.100 br.200 tcp _airplay _appletv _raop _sleep-proxy _touch-able _dacp _http _ipp _
pdl-datastream _printer _googlecast _device-info
br.100 br.200 udp _services._dns-sd
micro_location Loc-2

Support RADIUS NAS-ID on FortiAPs in standalone mode

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l Custom RADIUS NAS-ID

This feature requires FortiAP to run firmware 7.6.0 or later.

This feature enables the FortiOS WiFi controller to push the RADIUS nas-id-type setting to a managed FortiAP. The
FortiAP can then forward the NAS-Identifier value in an Access-Request packet when authenticating a wireless client
with a remote RADIUS server.
For more information about configuring NAS-IDs, refer to Custom RADIUS NAS-ID in the FortiWiFi and FortiAP
Configuration Guide.

Example topology

To configure and push a NAS-ID to a FortiAP in standalone mode:

1. From FortiOS, configure the RADIUS server with a NAS-ID. You can use custom or hostname NAS-IDs.
config user radius
edit "wifi-radius"


set server "172.16.200.55"


set secret ENC
set nas-ip 172.16.200.9
set nas-id-type custom
set nas-id "AP-431F"
next
end

2. Apply the RADIUS server to an SSID.


config wireless-controller vap
edit "stand-vap"
set ssid "FOS_101F_Stand_Ent_Radius"
set security wpa2-only-enterprise
set auth radius
set radius-server "wifi-radius"
set local-standalone enable
set local-bridging enable
set schedule "always"
next
end

3. When the client connects to the SSID, the NAS-Identifier attribute you configured, AP-431F, will be sent in an
Access-Request packet.

Improve packet detection on the FortiAP sniffer

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l Wireless traffic packet sniffer

This release enhances the FortiAP sniffer with improved packet detection capabilities. When the FortiAP is set to sniffer
mode, it can capture all frame types, including data frames, across specified channel bandwidths ranging from 320 MHz
to 20 MHz.
The following CLI command has been added:
config wireless-controller wtp-profile
edit <name>


config <radio>
set mode sniffer
set ap-sniffer-chan-width [320MHz|160MHz|80MHz|...]
end
next
end

set ap-sniffer-chan-width   Set the channel bandwidth for sniffer. Bandwidth ranges from 320 MHz to 20 MHz
                            depending on the FortiAP model and radio.

To configure the channel bandwidth for FortiAP sniffer mode:

In the following example, a FAP-234F unit is configured to work in sniffer mode to capture wireless frames from a
third-party AP SSID named "customer_usage". This SSID is operating on channel 153 with a channel width of 80 MHz.
1. Configure a FortiAP profile to operate in sniffer mode on the designated channel and channel width.
config wireless-controller wtp-profile
edit "FAP234F-default"
config platform
set type 234F
set ddscan enable
end
set handoff-sta-thresh 55
set allowaccess https ssh snmp
set frequency-handoff enable
set ap-handoff enable
config radio-1
set mode disabled
end
config radio-2
set mode sniffer
set ap-sniffer-chan 153
set ap-sniffer-chan-width 80MHz
end
config radio-3
set mode monitor
end
next
end

2. Apply the profile to the FortiAP device.


config wireless-controller wtp
edit "FP234FTF21011491"
set uuid 1e95638a-1300-51ef-6115-83bfd8756de6
set admin enable
set name "FAP1"
set wtp-profile "FAP234F-default"
next
end

3. From the FortiGate, verify that the settings have been applied to the FortiAP.
FortiGate-81E-POE (Interim)# diagnose wireless-controller wlac -c wtp FP234FTF21011491 | grep Radio -A3
Radio 1 : Disabled


Radio 2 : Sniffer
bufsize : 16 MB
chan : 153
chan bandwidth : 2
--
Radio 3 : Monitor
ap scan passive: disabled
sensor mode : disabled
auto suppress : disabled
--
Radio 4 : Not Exist
Radio 5 : Not Exist
WAN/LAN stats :
: lan1 rx,tx bytes 2443934,120170937 packets 34954,165081 errors
0,0 dropped 318,0
WAN/LAN EXT stats :

The FortiGate diagnose output shows Radio 2 in sniffer mode with chan bandwidth set to 2 to represent the
80MHz band.
4. From the FortiAP, verify that the settings have been applied.
FAP1 # rcfg
Radio 0: Disabled
Radio 1: Sniffer
bufsize : 16 MB
chan : 153
chan width : 80MHz
addr : 00:00:00:00:00:00
filter : KEEP: ctl mgmt-beacon mgmt-probe mgmt-other data DROP:
Radio 2: Monitor
radio type : 2.4G 5G
sensor mode : disabled (applied promisc mode=disabled)
ap scan thresh : 0 dBm
ap scan passive: disabled
ap scan rpt tmr: 15s
spect analysis : scan only
ss chans loc : cnt=30
list=1,3,6,8,11,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,
149,153,157,161,165,
ss chans rem : cnt=0 list=
wids : disabled
r_ac scan list : all_2g5g_channel all_6g_channel
partial scan list : 1 2 3 4 5 6 7 8 9 10 11 36 40 44 48 52 56 60 64 100 104 108 112
116
120 124 128 132 136 140 144 149 153 157 161 165
full scan list : 1 2 3 4 5 6 7 8 9 10 11 36 40 44 48 52 56 60 64 100 104 108 112 116
120 124 128 132 136 140 144 149 153 157 161 165
fortipresence : disabled

5. After the FortiAP finishes the capture, export the capture file to a local TFTP server with the following command:
ftftp <tftp-server-ip> -m binary -c put /tmp/wl_sniff.cap <file-name>

6. Open the capture file with a packet analyzer tool and verify that the wireless control, management, and data packets
have been successfully captured.


Support RADSEC on WPA2/WPA3-Enterprise SSID

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l WPA2 and WPA3 Enterprise authentication

The FortiOS Wi-Fi controller has been enhanced to support RADSEC during the 802.1X authentication of wireless
clients. TCP and TLS protocols are now supported for direct RADIUS authentication over the WPA2/WPA3-Enterprise
SSID.

To configure a RADIUS server over TCP in a WPA2-Only-Enterprise SSID:

1. Configure a RADIUS server.


For more information on configuring a RADIUS server over TCP/TLS, refer to Configuring a RADSEC client in the
FortiOS Administration Guide.
config user radius
edit "radius-tcp"
set server "172.16.200.55"
set secret *
set nas-ip 172.16.200.109
set nas-id-type custom
set nas-id "FGT-101F"
set radius-coa enable
set transport-protocol tcp
config accounting-server
edit 1
set status enable
set server "172.16.200.55"
set secret *
next
end
next
end

2. Apply the RADIUS server you configured to a WPA2-Only-Enterprise SSID.


config wireless-controller vap
edit "wifi.fap.01"
set ssid "FOS_101F_Enterprise"
set security wpa2-only-enterprise
set auth radius
set radius-server "radius-tcp"
set schedule "always"
next
end

3. Confirm that RADIUS request and response packets are transported over TCP when the wireless client connects.
FortiGate-101F (vdom1) (Interim)# diagnose wireless-controller wlac -d sta online
vf=2 mpId=7 wtp=2 rId=1 wlan=wifi.fap.01 vlan_id=0 ip=192.168.81.2 ip6=::
mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=print group=radius-tcp signal=-22
noise=-78 idle=7 bw=1 use=5 chan=149 radio_type=11AC_5G security=wpa2_only_enterprise


mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,1.0.0.0:1-0-0 -- 0.0.0.0:0 0,0
online=yes mimo=2

To configure RADIUS over TLS in a WPA3-Only-Enterprise SSID:

1. Configure a RADIUS server.
   For more information on configuring a RADIUS server over TCP/TLS, refer to Configuring a RADSEC client in the
   FortiOS Administration Guide.
   config user radius
       edit "radius-tls"
           set server "172.16.200.55"
           set secret *
           set radius-coa enable
           set radius-port 2083
           set transport-protocol tls
           set server-identity-check disable
           config accounting-server
               edit 1
                   set status enable
                   set server "172.16.200.55"
                   set secret *
               next
           end
       next
   end

2. Apply the RADIUS server you configured to a WPA3-Only-Enterprise SSID.
   config wireless-controller vap
       edit "wifi"
           set ssid "FOS_101F_WPA3_ENT"
           set security wpa3-only-enterprise
           set pmf enable
           set 80211k disable
           set 80211v disable
           set auth radius
           set radius-server "radius-tls"
           set schedule "always"
       next
   end

3. Confirm RADIUS request and response packets are transported over TLS when the wireless client connects.
   FortiGate-101F (vdom1) (Interim)# diagnose wireless-controller wlac -d sta online
   vf=2 mpId=7 wtp=2 rId=1 wlan=wifi vlan_id=0 ip=10.30.80.2 ip6=::
   mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=tester group=radius-tls signal=-22
   noise=-76 idle=4 bw=3 use=5 chan=149 radio_type=11AC_5G security=wpa3_only_enterprise
   mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0
   online=yes mimo=2

Add GUI support for configuring wireless data rates and sticky client thresholds

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l Advanced SSID options

This release adds GUI support for configuring 802.11a and 802.11bg data rates, the 802.11n Modulation and Coding
Scheme (MCS), as well as sticky client removal thresholds. By disabling lower rates, you can conserve air time and allow
the channel to serve more users.
Once you enable Advanced Wireless Features from System > Feature Visibility, you can access the configuration
options from the SSID page.

To configure data rate controls and sticky client thresholds - GUI:

1. Go to System > Feature Visibility and enable Advanced Wireless Features.
2. Click Apply.
3. Go to WiFi & Switch Controller > SSIDs and create or edit an SSID.
4. Under Advanced Settings, the Sticky client removal and Advanced rate controls options are available.
   By default, sticky client removal and all 802.11a and 802.11bg rates are disabled. MCS rates are all unselected.
5. Enable Sticky client removal to configure the minimum threshold in dBm required for clients to be serviced by the
   AP.
6. Expand Advanced rate controls to configure wireless data rates.

a. For each 802.11a and 802.11bg data rate option, you can select the following options:
l Mandatory: Clients must support this data rate in order to associate with an access point on the controller.
l Supported: Any associated clients that support this data rate may communicate with the access point
using that rate. However, the clients are not required to be able to use this rate in order to associate.
l Disabled: The clients specify the data rates used for communication.
b. For 802.11n MCS options, select the allowed data rate for each spatial stream.
Note: Only the following data rates are supported:
l 802.11a.
l 802.11b/g.
l 802.11n with 1 or 2 spatial streams.
l 802.11n with 3 or 4 spatial streams.
802.11ac, 802.11ax, and 802.11n with 4 streams are not supported in the GUI.
7. When you are finished, click OK.

Support self-registration of MPSKs through FortiGuest

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l User self-registration of MPSKs through FortiGuest

This release enables users to generate Multi Pre-Shared Keys (MPSK) through the FortiGuest self-registration portal.
Users can self-register their devices through the portal, receiving a unique pre-shared key (MPSK) bound to their
device's MAC address. When they connect to the SSID, FortiGate sends the client's passphrase and MAC address to
FortiGuest during the 4-way handshake. Based on the FortiGuest response, FortiGate authenticates or de-authenticates
the client.
The following CLI commands have been added:
config wireless-controller mpsk-profile
    edit <name>
        set mpsk-external-server-auth [enable|disable]
        set mpsk-external-server {string}
    next
end

set mpsk-external-server-auth    Enable/Disable MPSK external server authentication (default = disable).
set mpsk-external-server         RADIUS server to be used to authenticate MPSK users.

Example Topology

To configure a FortiGuest external MPSK server - GUI:

1. Go to System > Feature Visibility and enable Advanced Wireless Features.
2. Click Apply.
3. Go to WiFi & Switch Controller > Connectivity Profiles > MPSK Profiles and click Create new to create an MPSK
   profile.
   The New MPSK Profile window loads.
4. Enter an MPSK profile Name and select a security Type.
5. Enable MPSK external server authentication and select an MPSK external server.

6. When you are finished, click OK.

To configure a FortiGuest external MPSK server - CLI:

1. Create an external FortiGuest server.
   config user radius
       edit "fortiguest"
           set server "172.16.200.117"
           set secret ENC *
       next
   end

2. Create an MPSK profile, enable MPSK external server authentication, and apply the external server you created.
   config wireless-controller mpsk-profile
       edit "wifi"
           set mpsk-external-server-auth enable
           set mpsk-external-server "fortiguest"
       next
   end

3. Apply the MPSK profile to a VAP.
   config wireless-controller vap
       edit "wifi"
           set ssid "FOS_81F_POE_MPSK"
           set schedule "always"
           set mpsk-profile "wifi"
           set dynamic-vlan enable
           set quarantine disable
       next
   end

To verify external MPSK authentication:

1. Using a wireless client, create a key in the FortiGuest self-registration portal.
   l The MAC address of the device is 54:27:1E:B7:4A:95.
   l The PSK key is 12345678.
2. Verify that you can connect the wireless client to the SSID using the configured PSK key of 12345678.
   # dia wireless-controller wlac -d sta online
   vf=0 mpId=0 wtp=4 rId=1 wlan=wifi vlan_id=0 ip=192.168.1.110
   ip6=fe80::dc46:a41f:5546:f07f mac=54:27:1e:b7:4a:95 vci=MSFT 5.0 host=DESKTOP-05HBKE1
   user= group= signal=-70 noise=-95 idle=1 bw=0 use=5 chan=11 radio_type=11N
   security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0
   G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=1
   ip6=*fe80::dc46:a41f:5546:f07f,26,

3. Check the WiFi event log and verify there is a log with the action as EXT-MPSK-auth-success, indicating that the
   4-way handshake is successful.
   # exe log display
   date=2024-03-13 time=09:02:06 eventtime=1710345725686198360 tz="-0700"
   logid="0104043657" type="event" subtype="wireless" level="notice" vd="root"
   logdesc="Wireless station association failed" sn="FP433GTY22001147"
   ap="FP433GTY22001147" vap="wifi" ssid="FOS_QA_Starr_81F_3G_psk" radioid=1 user="N/A"
   stamac="54:27:1e:b7:4a:95" signal=-45 snr=50 authserver="N/A" channel=11 security="WPA2
   Personal" encryption="AES" action="EXT-MPSK-auth-success" reason="Reserved 0"
   msg="External MPSK authentication was successful for client 54:27:1e:b7:4a:95"

Support IKEv2 for FortiAP IPsec data channel management

This feature requires FortiAP to run firmware 7.6.0 or later.

This release adds support for IKEv2 when FortiAP establishes an IPsec VPN tunnel with FortiGate to encrypt CAPWAP
data traffic. IKEv2 improves on the now-deprecated IKEv1 and offers improved performance and security.

To enable IKEv2 on IPsec VPN:

1. From the FortiAP profile, set the data channel DTLS policy to ipsec-vpn.
   config wireless-controller wtp-profile
       edit "FAP234F-default"
           config platform
               set type 234F
               set ddscan enable
           end
           set dtls-policy ipsec-vpn
           set handoff-sta-thresh 55
           config radio-1
               set band 802.11g 802.11n-2G 802.11ax-2G
           end
           config radio-2
               set band 802.11a 802.11n-5G 802.11ac-5G 802.11ax-5G
               set channel-bonding 40MHz
               set vap1 "wifi.fap.01"
               set vap2 "wifi.fap.02"
               set vap3 "wifi.fap.03"
               set vap4 "wifi.fap.01_6"
               set vap5 "wifi.fap.02_6"
               set vap6 "wifi.fap.03_6"
           end
           config radio-3
               set mode monitor
           end
       next
   end

2. FortiGate automatically creates an interface following the format of WLC-xxx-xx.
   config system interface
       edit "WLC-0003.00"
           set vdom "vdom1"
           set ip 169.254.0.1 255.255.255.255
           set allowaccess fabric
           set type tunnel
           set snmp-index 33
           set interface "internal1"
       next
   end

3. Configure the Phase 1 interface to use IKEv2.
   config vpn ipsec phase1-interface
       edit "WLC-0003.00"
           set type dynamic
           set interface "internal1"
           set ike-version 2
           set local-gw 10.131.0.1
           set peertype one
           set net-device disable
           set mode-cfg enable
           set proposal aes256-sha256
           set dpd on-idle
           set comments "Do NOT edit. Automatically generated by wireless controller."
           set dhgrp 20
           set transport auto
           set peerid "WLC-0003.00"
           set ipv4-start-ip 169.254.0.2
           set ipv4-end-ip 169.254.0.254
           set dns-mode auto
           set psksecret ENC
           set dpd-retryinterval 60
       next
   end

4. Configure the Phase 2 interface to associate with the Phase 1 configurations.
   config vpn ipsec phase2-interface
       edit "WLC-0003.00"
           set phase1name "WLC-0003.00"
           set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
           set dhgrp 20
           set comments "Do NOT edit. Automatically generated by wireless controller."
       next
   end

To verify IKEv2 is used on FortiGate:

FortiGate-81F-POE (vdom1) (Interim)# diagnose vpn tunnel list
list all ipsec tunnel in vd 3
------------------------------------------------------
name=WLC-0003.00 ver=2 serial=1 10.131.0.1:0->0.0.0.0:0 nexthop= tun_id=10.0.0.1 tun_id6=::10.0.0.1 status=up dst_mtu=0 weight=1
bound_if=7 real_if=0 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc role=primary accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=1 refcnt=3 ilast=43000649 olast=43000649 ad=/0
stat: rxp=13220 txp=166 rxb=10773439 txb=14410
dpd: mode=on-idle on=-1 status=ok idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
------------------------------------------------------
name=WLC-0003.00_0 ver=2 serial=4 10.131.0.1:0->10.131.0.120:0 nexthop=10.131.0.120 tun_id=169.254.0.2 tun_id6=::10.0.0.4 status=up dst_mtu=1500 weight=1
bound_if=7 real_if=7 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
...

To verify IKEv2 is used on FortiAP:

FortiAP-234F # opconf
# /tmp/ipsec.secrets - OpenSwan IPsec secrets file
: PSK "8c096b79fb25c92239fdd1014ab52b64"
# configuration
config setup
    plutodebug=all
    plutostderrlog=/tmp/openswan.tmp.log
    nat_traversal=yes
    #virtual_private=%v4:169.254.0.1/8,%v4:!192.168.100.1/24
conn wlc-user
    authby=secret
    leftupdown="ipsec _updown"
    left=10.131.0.120
    leftsubnet=0.0.0.0/32
    [email protected]
    right=10.131.0.1
    # PHASE 1
    # negothiation mode
    ikev2=yes
...

Support WPA3-SAE and WPA3-SAE Transition security modes in MPSK profiles

This information is also available in the FortiWiFi and FortiAP 7.6 Configuration Guide:
l MPSK profiles

This feature requires FortiAP to run firmware 7.6.0 or later.

Support for configuring WPA3 SAE Transition and WPA3 SAE security mode on MPSK
Profiles using the CLI was added in FortiOS 7.4.4. FortiOS 7.6.0 adds GUI support.

This release supports WPA3-SAE and WPA3-SAE Transition security modes on Multi Pre-Shared Keys (MPSK)
profiles, enabling the use of MPSK on Wi-Fi 6 and 7 SSIDs. For more information on WPA3 security modes, refer to
WPA3 and Other Wi-Fi 6/6E/7 Security Improvements in the WiFi 6 + 7 Design and Planning Guide.
The following CLI commands have been added:
config wireless-controller mpsk-profile
    edit <name>
        set mpsk-type [wpa2-personal|wpa3-sae|wpa3-sae-transition]
        config mpsk-group
            edit <name>
                config mpsk-key
                    edit <name>
                        set key-type [wpa2-personal|wpa3-sae]
                    next
                end
            next
        end
    next
end

set mpsk-type    Select the security type of keys for this profile.
set key-type     Select the type of the key.

To configure an MPSK profile with WPA3 SAE Transition or WPA3 SAE security mode - GUI:

1. Go to System > Feature Visibility and enable Advanced Wireless Features.
2. Click Apply.
3. Go to WiFi & Switch Controller > Connectivity Profiles > MPSK Profiles and click Create new to create an MPSK
   profile.
   The New MPSK Profile window loads.
4. Enter an MPSK profile Name and select a security Type.
   You can select WPA3 SAE Transition or WPA3 SAE.
5. Under MPSK group list, click Add > Create Group to create a new MPSK Group.
   The New MPSK Group window loads.
6. In the New MPSK Group window, enter an MPSK Group Name and click Add > Create Key to add a new key.
   The New MPSK Key window loads.
   l If you selected WPA3 SAE as your MPSK Profile security type, the Type is automatically set to WPA3 SAE.
   l If you selected WPA3 SAE Transition, you can choose between WPA2 Personal or WPA3 SAE as the MPSK
     Key security type.
7. In the New MPSK Key window, enter an MPSK Key Name, SAE password, and MAC address.

Note: If you selected WPA3-SAE Transition, you can create multiple MPSK keys with WPA2 Personal and WPA3
SAE security types.
8. When you are finished, click OK to save your MPSK profile configurations.
9. Go to WiFi & Switch Controller > SSIDs and select or create a new SSID.
10. Under Security Mode Settings, select the Security mode and SAE password that matches your MPSK profile.
a. If your security mode is WPA3 SAE:
i. Under Pre-shared Key, enable MPSK Profile and then select the WPA3 SAE MPSK profile you configured.

b. If your security mode is WPA3 SAE Transition:
   i. In Mode, select Multiple.
   ii. In MPSK profile, select the WPA3 SAE Transition MPSK profile you configured.

11. When you are finished, click OK.

To configure an MPSK profile with WPA3 SAE security mode - CLI:

1. Create an MPSK profile with WPA3 SAE security mode:
   config wireless-controller mpsk-profile
       edit "wifi"
           set mpsk-type wpa3-sae
           config mpsk-group
               edit "g1"
                   config mpsk-key
                       edit "p1"
                           set key-type wpa3-sae
                           set mac f8:e4:e3:d8:5e:af
                           set sae-password ENC
                       next
                   end
               next
           end
       next
   end

2. Apply the MPSK profile to a VAP with the security mode also set to WPA3 SAE:
   config wireless-controller vap
       edit "wifi"
           set ssid "FOS_81F_WPA3_MPSK"
           set security wpa3-sae
           set pmf enable
           set schedule "always"
           set mpsk-profile "wifi"
           set dynamic-vlan enable
           set sae-password ENC
       next
   end

To configure an MPSK profile with WPA3 SAE Transition security mode - CLI:

1. Create an MPSK profile with WPA3 SAE Transition security mode:
   config wireless-controller mpsk-profile
       edit "wifi2"
           set mpsk-type wpa3-sae-transition
           config mpsk-group
               edit "g1"
                   config mpsk-key
                       edit "p1"
                           set key-type wpa2-personal
                           set passphrase *
                       next
                       edit "p2"
                           set key-type wpa3-sae
                           set mac f8:e4:e3:d8:5e:af
                           set sae-password *
                       next
                   end
               next
           end
       next
   end

2. Apply the MPSK profile to a VAP with the security mode also set to WPA3 SAE Transition:
   config wireless-controller vap
       edit "wifi2"
           set ssid "FOS_81F_WPA3_Transition"
           set security wpa3-sae-transition
           set pmf optional
           set schedule "always"
           set mpsk-profile "wifi2"
           set dynamic-vlan enable
           set sae-password ENC
       next
   end

Add Advanced WIDS Options - 7.6.1

This information is also available in the FortiWiFi and FortiAP 7.6.1 Configuration Guide:
l Wireless Intrusion Detection System

This release enhances the Wireless Intrusion Detection System (WIDS) profile with advanced options, improving the
detection and reporting of a wider range of security threats and intrusion attempts.
The following new WIDS categories have been added in the CLI:

Advanced WIDS category (CLI command): Description

Ad Hoc Network Detection (adhoc-network): Detects ad hoc networks that are uncontrolled and can expose clients to
viruses and other security vulnerabilities. An ad hoc network is a chain of wireless devices connected to each other
without the use of an AP.

Ad Hoc Network Using a Valid SSID Detection (adhoc-valid-ssid): Detects unauthorized ad hoc networks mimicking a
valid SSID that try to trick your wireless clients into connecting.

AirJack Detection (air-jack): Detects AirJack attacks. AirJack is a suite of device drivers that can force all users off
an AP.

AP Impersonation Detection (ap-impersonation): Detects AP impersonation by checking the Basic Service Set Identifier
(BSSID) and Extended Service Set Identification (ESSID) from the AP beacon to ensure it is valid.

AP Spoofing Detection (ap-spoofing): Detects AP spoofing where an intruder sends forged frames pretending to come from
a legitimate AP.

Beacon Frame Flooding (bcn-flood): Detects beacon frame flooding where an attacker floods the network with a large
amount of beacon frames to increase the amount of processing needed on client operating systems.

Beacon Frame Spoofing (beacon-wrong-channel): Detects spoofed beacon packets that are modified so that the channel is
different from what's advertised in the beacon frame of the AP.

*Block Ack Flood Detection (block_ack-flood): Detects Block Ack Flood, which is when an attacker sends spoofed Add
Block Acknowledgment (ADDBA) request frames to an AP causing the AP to ignore valid traffic from clients.

Channel-Based Man-in-the-Middle Detection (chan-based-mitm): Channel-based Man-in-the-Middle detection involves
checking the Channel Switch Announcement (CSA) beacon frame to make sure it comes from a legitimate AP.

*Invalid Client Flooding (client-flood): Detects Denial-of-Service (DoS) attacks to WIDS where an attacker generates a
large number of invalid clients to flood and overwhelm the WIDS with fake information.

*CTS Flooding Detection (cts-flood): Detects Clear to Send (CTS) flooding where attackers send CTS frames to flood the
system and prevent channel access to legitimate users.

Disassociation Broadcast Monitor (disassoc-broadcast): Monitors authorized clients within the network for frequent
associations and disassociations that may indicate potential network dangers.

Disconnect Attack Monitor (disconnect-station): Monitors station activity for frequent connects and disconnects that
may indicate a disconnect attack.

EAPOL Key Overflow Detection (eapol-key-overflow): Detects EAPOL-Key packets with a key field length over the limit.
Malicious actors can overflow the key fields to trigger a DoS or to execute code.

FATA-JACK Detection (fata-jack): Detects FATA-JACK attacks. FATA-JACK is an 802.11 client DoS tool that uses spoofed
authentication frames with invalid authentication algorithm numbers to disconnect targeted stations.

Fuzzed Beacon Detection (fuzzed-beacon): Detects fuzzed beacon frames with malformed Information Elements (IE). When
the modified frames are retransmitted, it can cause devices to experience driver and operating system crashes, or
stack-based overflows. This can leave the affected system vulnerable to arbitrary code executions.

Fuzzed Probe Request Detection (fuzzed-probe-request): Detects probe request frames with malformed IEs.

Fuzzed Probe Response Detection (fuzzed-probe-response): Detects probe response frames with malformed IEs.

Hotspotter Attack Detection (hotspotter-attack): Detects Hotspotter attacks, which are a type of evil-twin attack where
attackers set up a fraudulent AP broadcasting an SSID similar to a legitimate one to lure a client into connecting.
Once a client connects to the fraudulent AP, they can launch security attacks on the client.

High Throughput 40MHz Intolerance Check (ht-40mhz-intolerance): Checks if a client has a 40 MHz intolerance bit and is
unable to participate in a 40 MHz BSS. The AP may have to use lower data rates instead, which can impact network
performance.

High Throughput Greenfield Check (ht-greenfield): Checks if 802.11 client beacons are advertising High Throughput (HT)
Greenfield mode as they cannot share the same channel as other 802.11a/b/g clients or communicate with legacy devices.
These incompatibilities can cause collisions, errors, and retransmissions.

Invalid Address Combination Detection (invalid-addr-combination): Detects attacks where intruders use invalid broadcast
or multicast MAC addresses in the source address field to make an AP transmit deauthentication and disassociation
frames to its clients.

Malformed Association Detection (malformed-association): Detects Malformed Association attacks by checking association
request frames for SSID IE tags with a null length SSID or an overflow SSID length. These malicious requests can
trigger a DoS or code execution.

Malformed Authentication Detection (malformed-auth): Detects Malformed Authentication attacks by checking for
unexpected values in 802.11 authentication algorithm, sequence and status code.

Malformed HT IE Detection (malformed-ht-ie): Detects Malformed HT IE attacks by checking the 802.11 management frame
for malformed HT IEs which can crash some client implementations and leave them vulnerable to exploitation.

*NetStumbler Detection (netstumbler): Detects devices using NetStumbler, a popular wardriving tool that scans for
networks using the 802.11b, 802.11a and 802.11g WLAN standards. It probes nearby networks and attempts to
authenticate and associate with unsecured APs.

Omerta Detection (omerta-attack): Detects Omerta attacks. Omerta is an 802.11 DoS tool that sends disassociation
frames to all clients on a channel in response to data frames.

Overflow Information Elements (overflow-ie): Detects association requests sent to an AP containing an IE with an
inappropriately long length. Malicious actors can overflow the IE length to trigger a DoS or to execute code.

*Probe Frame Flooding (probe-flood): A probe flood is when an attacker floods the network with a large amount of probe
request frames to exhaust network resources.

*PS-Poll Flood Detection (pspoll-flood): Detects PS-poll flood attacks. In a PS-poll attack, an attacker spoofs the MAC
address of a wireless client and floods an AP with a large number of PS-poll frames. The AP is tricked into thinking
the actual wireless client is in power save mode, so the AP starts buffering frames destined to that client, which
results in the client missing those data frames and becoming partially disconnected from the network. PS-Poll is the
power save mode used in legacy IEEE 802.11 standards.

Power Save DoS Attack Detection (pwsave-dos-attack): Monitors the power save status of clients in order to validate
their state and check for abnormal behavior.

*Reassociation Frame Flooding (reassoc-flood): A reassociation flood is a DoS attack where a large number of client
association frames are sent to an AP, exhausting the AP's resources and causing legitimate clients to not be able to
associate with the AP.

Risky Encryption Detection (risky-encryption): Detects networks using WEP encryption, a retired security algorithm
that is considered risky and insecure.

*RTS Flooding Detection (rts-flood): Detects Request-To-Send (RTS) flood attacks, a type of DoS attack where an
attacker sends RTS frames to prevent channel access to legitimate users.

Unencrypted Mode Detection (unencrypted-valid): Detects if an authorized client is passing traffic in unencrypted mode.

Valid Client Misassociation (valid-client-misassociation): Monitors valid (authorized) wireless clients for
misassociation in the network. Misassociations occur when a valid client connects to an unsafe AP such as a rogue,
external, or honeypot AP.

Valid SSID Misuse Detection (valid-ssid-misuse): Detects if an unauthorized AP is using the same SSID as an authorized
network.

*Wellenreiter Detection (wellenreiter): Detects devices using Wellenreiter, a wireless network discovery and auditing
tool that probes nearby networks and reveals AP and client information.

Windows Bridge Detection (windows-bridge): Detects if a Windows Bridge occurs. A Windows Bridge is when a client
associated to an AP is also connected to the wired network, and has enabled bridging between these two interfaces.

Fast Transition Attack (wpa-ft-attack): Detects Fast Transition (FT) attacks. An FT attack happens when an attacker
intercepts the communication between a client and an AP during the FT handshake. The attacker decrypts and forges
packets that are then sent back to the client.
*These options can be configured with a detection window period time and a threshold value.

To configure a WIDS profile with advanced options - CLI:

config wireless-controller wids
    edit example-WIDS
        set rts-flood enable
        set rts-flood-time 5
        set rts-flood-thresh 10
    next
end

Setting rts-flood-time to 5 and rts-flood-thresh to 10 means if the FortiGate WIDS detects RTS frames 10
times within 5 seconds, then that event is considered an rts-flood, or an RTS flood attack.
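The detection-window and threshold semantics just described, worked through as an added Python example (not FortiOS or FortiAP code): a per-transmitter sliding window that raises an rts_flood the first time 10 RTS frames fall inside 5 seconds, which is what rts-flood-time 5 and rts-flood-thresh 10 express. The frame records, the locally administered MAC addresses, and the sliding-window way of counting are assumptions made for the example; the guide does not state how the FortiAP itself counts frames.

```python
"""Sliding-window flood detector modelled on rts-flood-time / rts-flood-thresh.

Added example, not Fortinet code. The guide states only that 10 RTS frames seen
within 5 seconds count as an rts_flood; the per-transmitter sliding window
below is an assumption about how to count, not the AP's real algorithm.
"""
from collections import defaultdict, deque

# Constructed sample capture: (timestamp_seconds, transmitter_mac, frame_type).
# The 02:... addresses are locally administered placeholders.
SAMPLE_FRAMES = (
    # aa: 12 RTS frames 0.5 s apart -> 10 of them inside 4.5 s, so this
    # crosses thresh=10 within time=5
    [(i * 0.5, "02:00:00:00:00:aa", "rts") for i in range(12)]
    # aa also sends CTS frames, which must not count towards an RTS flood
    + [(i * 0.5 + 0.25, "02:00:00:00:00:aa", "cts") for i in range(12)]
    # bb: 10 RTS frames but 5 s apart -> never 10 inside one 5 s window
    + [(i * 5.0, "02:00:00:00:00:bb", "rts") for i in range(10)]
    # cc: 9 RTS frames in 4 s, then silence -> one short of the threshold
    + [(i * 0.5, "02:00:00:00:00:cc", "rts") for i in range(9)]
)


def detect_rts_floods(frames, flood_time=5.0, flood_thresh=10):
    """Return {transmitter_mac: first_detection_time} for transmitters that
    send `flood_thresh` or more RTS frames inside any `flood_time`-second window.

    Mirrors `set rts-flood-time 5` / `set rts-flood-thresh 10`: an event is
    raised the first time the count inside the window reaches the threshold,
    matching the single wids-detect-first log per transmitter in the guide.
    """
    recent = defaultdict(deque)   # per-TA timestamps inside the current window
    detected = {}
    for ts, ta, frame_type in sorted(frames):
        if frame_type != "rts":
            continue
        window = recent[ta]
        window.append(ts)
        # drop frames older than flood_time relative to the newest one
        while ts - window[0] > flood_time:
            window.popleft()
        if len(window) >= flood_thresh and ta not in detected:
            detected[ta] = ts
    return detected


if __name__ == "__main__":
    for ta, ts in detect_rts_floods(SAMPLE_FRAMES).items():
        print(f"rts_flood from {ta} at t={ts:.1f}s")
```

Lowering rts-flood-thresh, or raising rts-flood-time, makes the detector fire on bursts that are shorter or sparser than the default; the example can be re-run with different arguments to see which of the constructed transmitters crosses the line under each setting.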

To apply a WIDS profile to a FortiAP profile - CLI:

config wireless-controller wtp-profile
    edit "433F"
        config radio-3
            set mode monitor
            set wids-profile "example-WIDS"
        end
    next
end

To verify the WIDS profile has been applied to a FortiAP:

# rcfg
Radio 0: Disabled
Radio 1: AP
country : cfg=US oper=US
...
Radio 2: Monitor
...
wids : rts-flood
deauth-unknown-src
rts-flood: time=5, thresh=10
# cw_diag -c wids
index TA*               RA                types/DS  dur  chan  live/s  age/s  cnt  seq  rssi  rId  encrypt
5     00:0c:e6:83:5c:01 1a:53:41:dc:b4:d0 rts/NO    334  56    520     280    25   0    8     2    0
9     00:0c:e6:8b:29:02 5e:1b:64:77:ed:bf rts/NO    158  56    400     5      371  0    14    2    0
10    00:0c:e6:8b:29:01 6e:de:35:2e:75:1c rts/NO    158  56    239     133    107  0    14    2    0
12    00:0c:e6:8d:7f:41 96:92:b0:e2:06:a9 rts/NO    282  108   379     13     244  0    25    2    0
14    00:0c:e6:7f:7b:02 bc:17:b8:fd:d6:2b rts/NO    206  124   405     94     283  0    9     2    0
Total 24 WIDS of type 26 (rts_flood)

Total 24 WIDS means FortiGate WIDS detected 24 different RTS entries, and of those entries, 5 of them were
detected 10 times in 5 seconds and were considered an rts_flood, or an RTS flood attack.

To view detection logs from a FortiGate - CLI:

# diagnose wireless-controller wlac -c wids
Detected rts_flood:
index TA*               RA                types/DS  vfid  dur  chan  live   age  cnt  seq  wtp-id            rId  rssi  encrypt
1     00:0c:e6:7f:7b:02 bc:17:b8:fd:d6:2b rts/NO    3     206  124   393    83   283  0    FP433FTF23003319  2    9     0
2     00:0c:e6:83:5c:01 1a:53:41:dc:b4:d0 rts/NO    3     334  56    15824  268  25   0    FP433FTF23003319  2    8     0
3     00:0c:e6:8b:29:01 6e:de:35:2e:75:1c rts/NO    3     158  56    227    122  107  0    FP433FTF23003319  2    14    0
4     00:0c:e6:8b:29:02 5e:1b:64:77:ed:bf rts/NO    3     158  56    389    51   366  0    FP433FTF23003319  2    14    0
5     00:0c:e6:8d:7f:41 c6:9b:8e:64:d2:99 rts/NO    3     274  108   367    89   212  0    FP433FTF23003319  2    24    0
Total 5 rts_flood detected (tree size 5)

# exe log display
1: date=2024-10-29 time=15:29:02 eventtime=1730240941663495212 tz="-0700" logid="0104043536"
type="event" subtype="wireless" level="notice" vd="vdom1" logdesc="Wireless threat detected"
action="wids-detect-first" threattype="rts_flood" live=22 age=5 channel=56 rssi=14
frametype="rts" ds="NO" bssid="N/A" seq="0" encrypt=0 tamac="00:0c:e6:8b:29:01"
manuf="Fortinet" sndetected="FP433FTF23003319" radioiddetected=2 msg="WIDS rts_flood: rts/NO
chan 56"
2: date=2024-10-29 time=15:26:32 eventtime=1730240791644779702 tz="-0700" logid="0104043536"
type="event" subtype="wireless" level="notice" vd="vdom1" logdesc="Wireless threat detected"
action="wids-detect-first" threattype="rts_flood" live=12 age=4 channel=108 rssi=23
frametype="rts" ds="NO" bssid="N/A" seq="0" encrypt=0 tamac="00:0c:e6:8d:7f:41"
manuf="Fortinet" sndetected="FP433FTF23003319" radioiddetected=2 msg="WIDS rts_flood: rts/NO
chan 108"
...
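The WIDS records above, and the EXT-MPSK-auth-success record shown earlier under "To verify external MPSK authentication", are key=value lines that are easier to check programmatically than by eye. The following is an added Python example, not Fortinet code, that parses execute log display output (including its "N: " prefix and quoted values that contain spaces), groups "Wireless threat detected" events by threat type and transmitter MAC, and lists external-MPSK authentication results. Records 1 to 3 are copied from this guide, each joined onto one line; record 4 is a constructed repeat detection from the first transmitter, added only to show the grouping.

```python
"""Parse FortiOS wireless event log records and apply the two checks this guide
performs by eye: WIDS 'Wireless threat detected' events and external MPSK
(FortiGuest) authentication results.

Added example, not Fortinet code. Handles the `N: ` prefix printed by
`execute log display` and quoted values that contain spaces.
"""
import re
import shlex

# Records 1-3 are copied from the guide (joined onto one line each).
# Record 4 is CONSTRUCTED: a repeat rts_flood detection from the first
# transmitter two minutes later, to show grouping. Its timestamp is made up.
SAMPLE_LOG = """\
1: date=2024-10-29 time=15:29:02 eventtime=1730240941663495212 tz="-0700" logid="0104043536" type="event" subtype="wireless" level="notice" vd="vdom1" logdesc="Wireless threat detected" action="wids-detect-first" threattype="rts_flood" live=22 age=5 channel=56 rssi=14 frametype="rts" ds="NO" bssid="N/A" seq="0" encrypt=0 tamac="00:0c:e6:8b:29:01" manuf="Fortinet" sndetected="FP433FTF23003319" radioiddetected=2 msg="WIDS rts_flood: rts/NO chan 56"
2: date=2024-10-29 time=15:26:32 eventtime=1730240791644779702 tz="-0700" logid="0104043536" type="event" subtype="wireless" level="notice" vd="vdom1" logdesc="Wireless threat detected" action="wids-detect-first" threattype="rts_flood" live=12 age=4 channel=108 rssi=23 frametype="rts" ds="NO" bssid="N/A" seq="0" encrypt=0 tamac="00:0c:e6:8d:7f:41" manuf="Fortinet" sndetected="FP433FTF23003319" radioiddetected=2 msg="WIDS rts_flood: rts/NO chan 108"
3: date=2024-03-13 time=09:02:06 eventtime=1710345725686198360 tz="-0700" logid="0104043657" type="event" subtype="wireless" level="notice" vd="root" logdesc="Wireless station association failed" sn="FP433GTY22001147" ap="FP433GTY22001147" vap="wifi" ssid="FOS_QA_Starr_81F_3G_psk" radioid=1 user="N/A" stamac="54:27:1e:b7:4a:95" signal=-45 snr=50 authserver="N/A" channel=11 security="WPA2 Personal" encryption="AES" action="EXT-MPSK-auth-success" reason="Reserved 0" msg="External MPSK authentication was successful for client 54:27:1e:b7:4a:95"
4: date=2024-10-29 time=15:31:02 eventtime=1730241062000000000 tz="-0700" logid="0104043536" type="event" subtype="wireless" level="notice" vd="vdom1" logdesc="Wireless threat detected" action="wids-detect-first" threattype="rts_flood" live=9 age=3 channel=56 rssi=12 frametype="rts" ds="NO" bssid="N/A" seq="0" encrypt=0 tamac="00:0c:e6:8b:29:01" manuf="Fortinet" sndetected="FP433FTF23003319" radioiddetected=2 msg="WIDS rts_flood: rts/NO chan 56"
"""

_INDEX_PREFIX = re.compile(r"^\d+:\s+")   # the "1: " that execute log display prepends


def parse_log_record(line):
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    fields = {}
    for token in shlex.split(_INDEX_PREFIX.sub("", line.strip())):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def wids_detections(lines):
    """Group 'Wireless threat detected' events by (threattype, transmitter MAC)
    and return the channels each pair was seen on, in log order."""
    grouped = {}
    for rec in map(parse_log_record, lines):
        if rec.get("logdesc") == "Wireless threat detected":
            key = (rec["threattype"], rec["tamac"])
            grouped.setdefault(key, []).append(int(rec["channel"]))
    return grouped


def mpsk_auth_results(lines):
    """Return (stamac, action, msg) for external-MPSK authentication events,
    i.e. records whose action starts with EXT-MPSK- (the guide shows
    EXT-MPSK-auth-success for a completed 4-way handshake)."""
    results = []
    for rec in map(parse_log_record, lines):
        if rec.get("action", "").startswith("EXT-MPSK-"):
            results.append((rec["stamac"], rec["action"], rec["msg"]))
    return results


if __name__ == "__main__":
    records = SAMPLE_LOG.splitlines()
    for (threat, tamac), channels in wids_detections(records).items():
        print(f"{threat} from {tamac}: {len(channels)} detection(s) on channels {channels}")
    for stamac, action, msg in mpsk_auth_results(records):
        print(f"{stamac} {action}: {msg}")
```

Feeding the same parser with records exported from a syslog collector works as long as each record stays on one line; the channel list per transmitter is what tells a repeated detection from the same source apart from several distinct sources.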

Support RADSEC on Local Bridge mode captive portals - 7.6.1

This information is also available in the FortiWiFi and FortiAP 7.6.1 Configuration Guide:
l Captive Portal Security

The FortiOS Wi-Fi controller now supports pushing RADIUS server settings using TCP or TLS protocols to FortiAPs
when broadcasting a Local-Bridge mode captive portal SSID. FortiAP can then use the specified transport protocol to
communicate with the RADIUS server to authenticate wireless clients connecting to the captive portal SSID. This
enhancement improves on the previous UDP-only support.

To configure a RADIUS server over TCP in a Local-Bridge mode captive portal SSID:

1. Create a RADIUS server using TCP.
   config user radius
       edit "radius-tcp"
           set server "172.18.56.104"
           set secret *
           set transport-protocol tcp
       next
   end

2. Apply the RADIUS server you configured to a Local-Bridge mode captive portal SSID.
   config wireless-controller vap
       edit "cap-br"
           set ssid "FOS_80F_cap_br_fqdn"
           set external-web "https://cpauth.fortinet.com/portal/index.php"
           set passphrase *
           set radius-server "radius-tcp"
           set local-bridging enable
           set captive-portal enable
           set portal-type external-auth
           set security-redirect-url "http://www.fortinet.com"
           set auth-cert "portal_server"
           set auth-portal-addr "https://cappost.fortinet.com"
           set schedule "always"
       next
   end

3. Confirm RADIUS request and response packets are transported over TCP between the FortiAP and RADIUS server
   when the wireless client passes authentication.
   FortiWiFi-80F-2R (Interim)# diagnose wireless-controller wlac -d sta online
   vf=0 mpId=6 wtp=2 rId=2 wlan=cap-br vlan_id=0 ip=10.0.1.11 ip6=2001:192:168:10::1000
   mac=54:27:1e:b7:4a:95 vci=MSFT 5.0 host=DESKTOP-05HBKE1 user=tester group=radius-tcp
   signal=-62 noise=-95 idle=10 bw=0 use=6 chan=149 radio_type=11AC_5G security=wpa2_only_personal+captive
   mpsk= encrypt=aes cp_authed=yes l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=1
   ip6=fe80::dc46:a41f:5546:f07f,65, *2001:192:168:10::1000,83

To configure a RADIUS server over TLS in a Local-Bridge mode captive portal SSID:

1. Create a RADIUS server using TLS.
   config user radius
       edit "radius-tls"
           set server "172.18.56.104"
           set secret ENC
           set radius-port 2083
           set transport-protocol tls
           set ca-cert "CA_Cert_2"
           set client-cert "client_cert_1"
           set server-identity-check disable
       next
   end
   Note: When you are using TLS, you must first import a CA certificate of the RADIUS server on the FortiGate.
2. Apply the RADIUS server you configured to a Local-Bridge mode captive portal SSID.
   config wireless-controller vap
       edit "cap-br"
           set ssid "FOS_80F_cap_br_fqdn"
           set external-web "https://cpauth.fortinet.com/portal/index.php"
           set passphrase ENC
           set radius-server "radius-tls"
           set local-bridging enable
           set captive-portal enable
           set portal-type external-auth
           set security-redirect-url "http://www.fortinet.com"
           set auth-cert "portal_server"
           set auth-portal-addr "cppost.fortinet.com"
           set schedule "always"
       next
   end

3. Confirm RADIUS request and response packets are transported over TLS between the FortiAP and RADIUS server
   when the wireless client passes authentication.
   FortiWiFi-80F-2R (Interim)# diagnose wireless-controller wlac -d sta online
   vf=0 mpId=6 wtp=2 rId=2 wlan=cap-br vlan_id=0 ip=10.0.1.11 ip6=2001:192:168:10::1000
   mac=54:27:1e:b7:4a:95 vci=MSFT 5.0 host=DESKTOP-05HBKE1 user=tester group=radius-tls
   signal=-64 noise=-95 idle=10 bw=21 use=6 chan=149 radio_type=11AC_5G security=wpa2_only_personal+captive
   mpsk= encrypt=aes cp_authed=yes l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=1
   ip6=fe80::dc46:a41f:5546:f07f,61, *2001:192:168:10::1000,27,

Add a RADIUS Called Station ID setting - 7.6.1

This information is also available in the FortiWiFi and FortiAP 7.6.1 Configuration Guide:
l Configuring the RADIUS Called Station ID setting

This release adds a new RADIUS Called Station identifier setting in the FortiOS Wireless Controller. This setting
determines the type of information the FortiAP sends to the RADIUS server. You can specify either the FortiAP MAC
address, IP address, or AP name in the RADIUS Access-Request packet.
The following CLI command has been added:
config wireless-controller vap
edit <name>
set called-station-id-type [mac|ip|apname]
next
end

called-station-id-type    Select the called station ID type you want to send to the RADIUS server:
                          l mac: Sends the FortiAP's board MAC address and SSID name using the MAC:SSID format (default).
                          l ip: Sends the FortiAP's local IP address and SSID name using the IP:SSID format.
                          l apname: Sends the FortiAP name and SSID name using the APName:SSID format.

To configure the called station ID:

1. Set the called station ID type.
In this example, the called station ID is set to apname.
config wireless-controller vap
edit "wifi3"
set ssid "FOS_81F_3G_ent"
set called-station-id-type apname
set security wpa2-only-enterprise
set fast-bss-transition enable
set auth radius
set radius-server "peap"
set schedule "always"
next
end

2. Set an AP name.
config wireless-controller wtp
edit "FW81FD-WIFI0"
set name "FWF-81F-2R-LR"


next
end

To verify, check the RADIUS request packet. The called station ID is sent in the following format:
FWF-81F-2R-LR:FOS_81F_3G_ent.

Support remote TACACS access to FortiAP - 7.6.1

This information is also available in the FortiWiFi and FortiAP 7.6.1 Configuration Guide:
l Remote TACACS user access for FortiAP management

FortiAP now supports console, SSH, and HTTPS login using remote user accounts from a third-party TACACS server.
The following CLI commands have been added:
config wireless-controller wtp-profile
edit <name>
set admin-auth-tacacs+ <tacacs server>
set admin-restrict-local [enable|disable]
next
end

admin-auth-tacacs+      Adds a TACACS+ server to the WTP profile.
admin-restrict-local    Defines whether a local admin account can log into the FortiAP.
                        l disable: The local admin account is still allowed to log into the FortiAP (default).
                        l enable: Only TACACS+ accounts are allowed to log into the FortiAP.

To configure a TACACS+ server for remote FortiAP authentication:

1. Configure a TACACS+ user account and enter the server access information.
config user tacacs+
edit "tacacs1"
set server "172.16.200.148"
set key *
set authorization enable
set authen-type pap
next
end


Note: You can log into a FortiAP over SSH when you configure the TACACS server with different authen-types
including pap, chap, ascii, mschap, and auto.
2. Add the TACACS+ user account you created to a FortiAP profile, and then disable local admin access.
config wireless-controller wtp-profile
edit "433F"
set allowaccess https ssh
set admin-auth-tacacs+ "tacacs1"
set admin-restrict-local disable
next
end

To log in and out of a FortiAP SSH session over TACACS+:

FortiGate-301E (vdom1) (Interim)# diagnose wireless wlac -c wtpprof
WTPPROF (002/002) vdom,name: vdom1, 433F
platform : FAP433F.
refcnt : 7 own(1) wlan(3) wtp(1) bleprof(1) TACACS+(1)

ssh [email protected]
[email protected]'s password:
FortiAP-433F #

FortiAP-433F # wcfg
WTP Configuration
name : FortiAP-433F
loc : N/A

TACACS+ server : server=172.16.200.148:49 authen-type=PAP admin-restrict-local=disabled
console-login : enabled
frequency-handoff : disabled
ap-handoff : disabled

FortiAP-433F # exit
Connection to 10.233.80.24 closed.

To view TACACS+ access on the FortiGate system event log:

FortiGate-301E (vdom1) (Interim)# execute log display

2: date=2024-08-30 time=16:15:33 eventtime=1725059733751700217 tz="-0700" logid="0100032003" type="event" subtype="system" level="information" vd="vdom1" logdesc="Admin logout successful" sn="21273" user="FortiAP:FP433FTF21001160" ui="ssh(10.233.80.1)" method="ssh" action="logout" status="success" srcip=10.233.80.1 dstip=10.233.80.24 reason="exit" msg="Administrator user1 logged out from ssh(10.233.80.1)"

4: date=2024-08-30 time=16:15:26 eventtime=1725059726834362629 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="vdom1" logdesc="Admin login successful" sn="21273" user="FortiAP:FP433FTF21001160" ui="ssh(10.233.80.1)" method="ssh" action="login" status="success" srcip=10.233.80.1 dstip=10.233.80.24 reason="none" msg="Administrator user1 logged in successfully from ssh(10.233.80.1)"
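The event records above are what an auditor has to work with: the user field carries the FortiAP serial while the TACACS+ account that logged in is only in the msg text. The following parser and session pairing are an added example, not Fortinet code; the two sample records are the page's own, reassembled onto one line each.

```python
"""Parse FortiOS system event log records (key=value pairs, quoted values may
contain spaces) and build an audit of FortiAP administrative sessions such as
the TACACS+ SSH login and logout shown above."""
import re
from typing import Dict, List, Optional

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ADMIN_RE = re.compile(r"^Administrator (\S+) logged")

# Constructed sample: the two records printed by execute log display above,
# reassembled onto one line each.
SAMPLE_LOG = [
    '2: date=2024-08-30 time=16:15:33 eventtime=1725059733751700217 tz="-0700" logid="0100032003" '
    'type="event" subtype="system" level="information" vd="vdom1" logdesc="Admin logout successful" '
    'sn="21273" user="FortiAP:FP433FTF21001160" ui="ssh(10.233.80.1)" method="ssh" action="logout" '
    'status="success" srcip=10.233.80.1 dstip=10.233.80.24 reason="exit" '
    'msg="Administrator user1 logged out from ssh(10.233.80.1)"',
    '4: date=2024-08-30 time=16:15:26 eventtime=1725059726834362629 tz="-0700" logid="0100032001" '
    'type="event" subtype="system" level="information" vd="vdom1" logdesc="Admin login successful" '
    'sn="21273" user="FortiAP:FP433FTF21001160" ui="ssh(10.233.80.1)" method="ssh" action="login" '
    'status="success" srcip=10.233.80.1 dstip=10.233.80.24 reason="none" '
    'msg="Administrator user1 logged in successfully from ssh(10.233.80.1)"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into a dict. The 'N:' index that execute log display
    prints in front of each record has no '=' and is skipped by the regex."""
    record: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        record[key] = raw[1:-1] if raw.startswith('"') else raw
    return record


def fortiap_admin_events(lines) -> List[Dict[str, str]]:
    """Keep login/logout records whose user field names a FortiAP
    (user="FortiAP:<serial>"), oldest first. The TACACS+ account that actually
    logged in appears only in the msg text, so it is lifted out as 'admin'."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if not rec.get("user", "").startswith("FortiAP:"):
            continue
        if rec.get("action") not in ("login", "logout"):
            continue
        match = ADMIN_RE.match(rec.get("msg", ""))
        rec["admin"] = match.group(1) if match else ""
        events.append(rec)
    events.sort(key=lambda r: int(r["eventtime"]))
    return events


def admin_sessions(lines) -> List[Dict[str, Optional[object]]]:
    """Pair each successful login with the logout carrying the same session
    serial (sn) and report the duration (eventtime is nanoseconds since the
    epoch). Failed logins and logins with no logout yet get duration None."""
    open_logins: Dict[tuple, Dict[str, str]] = {}
    sessions: List[Dict[str, Optional[object]]] = []

    def entry(rec, duration, status):
        return {"fortiap": rec["user"], "admin": rec["admin"], "method": rec.get("method"),
                "srcip": rec.get("srcip"), "dstip": rec.get("dstip"),
                "login_status": status, "duration_s": duration}

    for rec in fortiap_admin_events(lines):
        key = (rec["user"], rec.get("sn"))
        if rec["action"] == "login":
            if rec.get("status") == "success":
                open_logins[key] = rec
            else:
                sessions.append(entry(rec, None, rec.get("status")))
            continue
        start = open_logins.pop(key, None)
        if start is None:
            sessions.append(entry(rec, None, None))  # logout with no login seen
            continue
        elapsed = (int(rec["eventtime"]) - int(start["eventtime"])) / 1e9
        sessions.append(entry(rec, elapsed, "success"))
    for start in open_logins.values():
        sessions.append(entry(start, None, "success"))  # still logged in
    return sessions


if __name__ == "__main__":
    for session in admin_sessions(SAMPLE_LOG):
        print(session)
```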


Support RADIUS Accounting messages over FortiGuest MPSK Authentication - 7.6.1

This information is also available in the FortiWiFi and FortiAP 7.6.1 Configuration Guide:
l User self-registration of MPSKs through FortiGuest

FortiGate now generates accounting messages when wireless clients connect to an SSID using an MPSK created
through the FortiGuest self-registration portal. Accounting messages can be sent to the FortiAP, enhancing network
management and user accountability with key expiration and user limits.

To configure an SSID with an MPSK created through FortiGuest:

1. From the FortiGate, configure a RADIUS server entry with a FortiGuest portal server.
config user radius
edit "fortiguest"
set server "172.16.200.117"
set secret ENC
config accounting-server
edit 1
set status enable
set server "172.16.200.55"
set secret xxxxxxxxx
next
end
next
end

2. Create an MPSK profile with mpsk-external-server-auth enabled and then set the mpsk-external-
server to the RADIUS server you created.
config wireless-controller mpsk-profile
edit "wifi"
set mpsk-external-server-auth enable
set mpsk-external-server "fortiguest"
next
end

3. Add the MPSK profile to an SSID.
config wireless-controller vap
edit "wifi"
set ssid "FOS_81F_3G_psk"
set schedule "always"
set mpsk-profile "wifi"
set dynamic-vlan enable
next
end


4. To verify that a client is being authenticated with a FortiGuest passphrase, confirm the accounting messages can be
generated.
Example accounting message from an accounting server:
Wed Oct 2 17:57:13 2024
Acct-Status-Type = Start
Acct-Authentic = Local
User-Name = "F8-E4-E3-D8-5E-AF"
NAS-IP-Address = 0.0.0.0
NAS-Identifier = "172.16.200.9/25246-wifi"
Called-Station-Id = "E0-23-FF-B4-A1-70:FOS_81F_3G_psk"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
NAS-Port = 1
Fortinet-SSID = "FOS_81F_3G_psk"
Fortinet-AP-Name = "FP431F-LAB"
Calling-Station-Id = "F8-E4-E3-D8-5E-AF"
Connect-Info = "CONNECT 0/0Mbps(Tx/Rx) 11AX_5G"
Acct-Session-Id = "66FC4C2A00000026"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027074
Framed-IP-Address = 192.168.10.2
Fortinet-WirelessController-Device-MAC = 0xf8e4e3d85eaf
Fortinet-WirelessController-WTP-ID = "FP431FTF20012724"
Fortinet-WirelessController-Assoc-Time = "Oct 2 2024 17:57:13 PDT"
Event-Timestamp = "Oct 2 2024 17:57:13 PDT"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "ab4179d17f6271e78def7f7f483e11f9"
Timestamp = 1727917033
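The accounting record above and the Called Station ID section earlier both hinge on the identifier:SSID string the FortiAP places in Called-Station-Id. The parser below is an added example, not Fortinet code; it reads a record in the one-attribute-per-line format shown, splits Called-Station-Id, and classifies the AP identifier as mac, ip or apname. The sample record is constructed from the values on the page.

```python
"""Parse a RADIUS accounting record and pull apart its Called-Station-Id."""
import ipaddress
import re
from typing import Dict, Tuple

# Constructed sample: the page's accounting record, trimmed to the attributes used here.
SAMPLE_RECORD = """Wed Oct  2 17:57:13 2024
\tAcct-Status-Type = Start
\tAcct-Authentic = Local
\tUser-Name = "F8-E4-E3-D8-5E-AF"
\tNAS-Identifier = "172.16.200.9/25246-wifi"
\tCalled-Station-Id = "E0-23-FF-B4-A1-70:FOS_81F_3G_psk"
\tNAS-Port-Type = Wireless-802.11
\tFortinet-SSID = "FOS_81F_3G_psk"
\tFortinet-AP-Name = "FP431F-LAB"
\tCalling-Station-Id = "F8-E4-E3-D8-5E-AF"
\tFramed-IP-Address = 192.168.10.2
\tAcct-Session-Id = "66FC4C2A00000026"
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def parse_record(text: str) -> Dict[str, str]:
    """Return the record's attributes; quoted values have their quotes removed."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        match = ATTR_RE.match(line)
        if not match:  # the leading timestamp line carries no '='
            continue
        name, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def split_called_station_id(value: str) -> Tuple[str, str]:
    """Split '<identifier>:<SSID>' on the last colon so that an identifier that
    itself contains colons (a colon-separated MAC or an IPv6 address) survives.
    An SSID that contains ':' is therefore ambiguous in this format."""
    ident, sep, ssid = value.rpartition(":")
    if not sep or not ident or not ssid:
        raise ValueError(f"not in identifier:SSID form: {value!r}")
    return ident, ssid


def identifier_type(ident: str) -> str:
    """Name the identifier the way called-station-id-type does: mac, ip or apname."""
    if MAC_RE.match(ident):
        return "mac"
    try:
        ipaddress.ip_address(ident)
        return "ip"
    except ValueError:
        return "apname"


def summarize(text: str) -> Dict[str, object]:
    """Extract what an accounting consumer checks for an MPSK client: who
    connected, on which AP and SSID, and whether the SSID inside
    Called-Station-Id agrees with the Fortinet-SSID attribute."""
    attrs = parse_record(text)
    ident, ssid = split_called_station_id(attrs["Called-Station-Id"])
    return {
        "status": attrs.get("Acct-Status-Type"),
        "client_mac": attrs.get("Calling-Station-Id"),
        "client_ip": attrs.get("Framed-IP-Address"),
        "ap_identifier": ident,
        "ap_identifier_type": identifier_type(ident),
        "ap_name": attrs.get("Fortinet-AP-Name"),
        "ssid": ssid,
        "ssid_consistent": ssid == attrs.get("Fortinet-SSID"),
        "session_id": attrs.get("Acct-Session-Id"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORD))
```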

Switch controller

This section includes information about switch-controller-related new features:


l Change the priority of MAB and EAP 802.1X authentication on page 483
l Send SNMP traps for MAC address changes on page 488
l Support QinQ with the switch controller 7.6.1 on page 489
l Enhance network performance with VLAN pruning 7.6.1 on page 494
l Provide an enhanced GUI for NAC policies 7.6.3 on page 495
l Support IPv6 addresses for managed FortiSwitch units 7.6.3 on page 496
l Prevent automatically created VLANs 7.6.3 on page 497


Change the priority of MAB and EAP 802.1X authentication

l 802.1X authentication and MAB authentication must be enabled before you can change
the priority of MAB and EAP 802.1X authentication.
l This feature requires FortiSwitchOS 7.2.1 or later.
l This feature is supported by both 802.1X port-based authentication and 802.1X MAC-based authentication.

You can now use the CLI to change the priority of MAC authentication bypass (MAB) authentication and Extensible
Authentication Protocol (EAP) 802.1X authentication to fit your specific network security requirements.
l Before FortiOS 7.6.0, the managed switch tried EAP 802.1X authentication and MAB authentication in the order that
they were received with EAP 802.1X authentication having absolute priority. If authentication failed, users were
assigned to the auth-fail-vlanid VLAN if it had been configured. There was no time delay. Starting in FortiOS
7.6.0, use the set auth-priority legacy command to keep this priority. After an upgrade, auth-priority
is set to legacy by default.
l Starting in FortiOS 7.6.0, if you want the managed switch to try EAP 802.1X authentication first and then MAB
authentication if EAP 802.1X fails, use the set auth-priority dot1x-mab command. If MAB authentication
also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.
l Starting in FortiOS 7.6.0, if you want the managed switch to try MAB authentication first and then EAP 802.1X
authentication if MAB authentication fails, use the set auth-priority mab-dot1x command. If EAP 802.1X
authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.
l Starting in FortiOS 7.6.0 with FortiSwitchOS 7.2.3, MAB-only authentication is supported. In this mode, the
managed FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are
not sent. To enable MAB-only authentication, set the auth-order command to mab.


The following flowchart shows the FortiSwitch 802.1X port-based authentication with MAB enabled and with an
authentication priority of auth-priority legacy:


The following flowchart shows the FortiSwitch 802.1X MAC-based authentication with MAB enabled and with an
authentication priority of auth-priority legacy:


In the following flowchart, the authentication priority is dot1x-mab. If both EAP 802.1X authentication and MAB
authentication fail, the user is assigned to the auth-fail-vlanid VLAN. If an EAPoL-Start packet is received after
MAB authentication, the switch changes to EAP 802.1X authentication.


In the following flowchart, the authentication priority is mab-dot1x. If MAB authentication fails, the switch attempts EAP
802.1X authentication. If an EAPoL-Start packet is received after MAB authentication, the switch attempts EAP 802.1X
authentication without any time delay or processing impact.

To configure the priority of MAB and EAP 802.1X authentication for managed switches:

1. Enable 802.1X authentication and MAB authentication.
config switch-controller security-policy 802-1X
edit <policy_name>
set security-mode {802.1X | 802.1X-mac-based}
set mac-auth-bypass enable

Variable                      Description                                                             Default
security-mode {802.1X |       Set the security mode for the port.                                     802.1X
802.1X-mac-based}             l 802.1X—Use this setting for port-based authentication.
                              l 802.1X-mac-based—Use this setting for MAC-based authentication.
                              If you change the security mode to 802.1X or 802.1X-mac-based, you
                              must set the user group with the set user-group command.

2. Specify the authentication order and priority.
set auth-order mab
set auth-priority {legacy | dot1x-mab | mab-dot1x}


Variable                      Description
auth-order mab                This command is available only when the set mac-auth-bypass command is
                              enabled.
                              Use this command if you want to use the MAB-only authentication mode, where the
                              FortiSwitch unit performs MAB authentication without performing EAP authentication.
                              EAP packets are not sent.
auth-priority {legacy |       Select the priority of MAB authentication and EAP 802.1X authentication.
dot1x-mab | mab-dot1x}        l legacy—The switch tries EAP 802.1X authentication and MAB authentication in
                              the order that they are received with EAP 802.1X authentication having absolute
                              priority. If authentication fails, users are assigned to a guest VLAN if it has been
                              configured. There is no time delay involved. This is the default value.
                              l dot1x-mab—The switch tries EAP 802.1X authentication first and then MAB
                              authentication if EAP 802.1X fails. If MAB authentication also fails, users are
                              assigned to the auth-fail-vlanid VLAN if it is configured.
                              l mab-dot1x—The switch tries MAB authentication first and then EAP 802.1X
                              authentication if MAB authentication fails. If EAP 802.1X authentication also fails,
                              users are assigned to the auth-fail-vlanid VLAN if it is configured.
                              This command is available only when the set mac-auth-bypass command is
                              enabled.

For example:
config switch-controller security-policy 802-1X
edit "8021Xmabpolicy"
set security-mode 802.1X
set user-group "1X_RADIUS_GROUP"
set mac-auth-bypass enable
set auth-order mab-dot1x
set auth-priority mab-dot1x
next
end
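The flowcharts referenced above are not reproduced here, so the following model of the port authentication decision is an added example, not FortiSwitch code. It runs the method sequence each auth-priority value and the MAB-only auth-order select and records where a client ends up; the RADIUS answers come from a constructed Client object, and the legacy branch and the EAPoL-Start-after-MAB handling are this model's reading of the text, marked in the comments.

```python
"""Model the 802.1X/MAB decision for auth-priority legacy, dot1x-mab, mab-dot1x
and for auth-order mab (MAB-only)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortPolicy:
    """The relevant fields of config switch-controller security-policy 802-1X."""
    mac_auth_bypass: bool = True
    auth_priority: str = "legacy"           # legacy | dot1x-mab | mab-dot1x
    auth_order: Optional[str] = None        # "mab" selects the MAB-only mode
    auth_fail_vlanid: Optional[int] = None  # VLAN for clients that fail every method


@dataclass
class Client:
    """Constructed stand-in for the supplicant and the RADIUS server's answers."""
    mac: str
    speaks_eap: bool    # sends EAPoL-Start / answers EAP-Request Identity
    eap_accept: bool    # RADIUS accepts the EAP credentials
    mab_accept: bool    # RADIUS accepts the MAC address as the user name


@dataclass
class Outcome:
    authorized: bool
    method: Optional[str]          # "dot1x", "mab" or None
    vlan: Optional[int]            # auth-fail VLAN when nothing succeeded
    trace: List[str] = field(default_factory=list)


def validate(policy: PortPolicy) -> None:
    """auth-order mab and auth-priority exist only with mac-auth-bypass enabled."""
    if policy.auth_priority not in ("legacy", "dot1x-mab", "mab-dot1x"):
        raise ValueError(f"unknown auth-priority {policy.auth_priority!r}")
    if not policy.mac_auth_bypass and (policy.auth_order == "mab" or policy.auth_priority != "legacy"):
        raise ValueError("enable mac-auth-bypass before setting auth-order or auth-priority")


def _eap(client: Client, trace: List[str]) -> bool:
    if not client.speaks_eap:
        trace.append("eap: no EAPoL from client, 802.1X times out")
        return False
    trace.append("eap: " + ("Access-Accept" if client.eap_accept else "Access-Reject"))
    return client.eap_accept


def _mab(client: Client, trace: List[str]) -> bool:
    trace.append(f"mab {client.mac}: " + ("Access-Accept" if client.mab_accept else "Access-Reject"))
    return client.mab_accept


def _finish(policy: PortPolicy, ok: bool, method: str, trace: List[str]) -> Outcome:
    if ok:
        trace.append(f"authorized via {method}")
        return Outcome(True, method, None, trace)
    if policy.auth_fail_vlanid is not None:
        trace.append(f"assigned auth-fail-vlanid {policy.auth_fail_vlanid}")
    else:
        trace.append("no auth-fail-vlanid configured: port stays unauthorized")
    return Outcome(False, None, policy.auth_fail_vlanid, trace)


def authenticate(policy: PortPolicy, client: Client, eapol_start_after_mab: bool = False) -> Outcome:
    """Run the method sequence the policy selects and return the port outcome."""
    validate(policy)
    trace: List[str] = []
    if not policy.mac_auth_bypass:
        return _finish(policy, _eap(client, trace), "dot1x", trace)
    if policy.auth_order == "mab":
        # MAB-only: no EAP packets are sent, so the client's EAP attributes never matter.
        return _finish(policy, _mab(client, trace), "mab", trace)
    if policy.auth_priority == "legacy":
        # Model reading of "EAP 802.1X has absolute priority": a client that speaks EAP
        # is judged on EAP alone, and a reject is not retried with MAB.
        if client.speaks_eap:
            return _finish(policy, _eap(client, trace), "dot1x", trace)
        return _finish(policy, _mab(client, trace), "mab", trace)
    if policy.auth_priority == "dot1x-mab":
        if _eap(client, trace):
            return _finish(policy, True, "dot1x", trace)
        mab_ok = _mab(client, trace)
    else:  # mab-dot1x
        mab_ok = _mab(client, trace)
        if not mab_ok:
            return _finish(policy, _eap(client, trace), "dot1x", trace)
    if mab_ok and eapol_start_after_mab:
        # An EAPoL-Start after MAB moves the port to EAP 802.1X in both modes; the
        # model lets that EAP result replace the MAB result (the page says no more).
        trace.append("EAPoL-Start after MAB: switching to 802.1X")
        return _finish(policy, _eap(client, trace), "dot1x", trace)
    return _finish(policy, mab_ok, "mab", trace)


if __name__ == "__main__":
    for prio in ("legacy", "dot1x-mab", "mab-dot1x"):
        result = authenticate(PortPolicy(auth_priority=prio, auth_fail_vlanid=99),
                              Client("aa:bb:cc:dd:ee:01", True, False, True))
        print(prio, result.authorized, result.method, result.vlan, result.trace)
```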

Send SNMP traps for MAC address changes

You can now configure an SNMP trap so that you receive a message when a layer-2 MAC address has been added to,
moved from or to, or deleted from a managed FortiSwitch port. This SNMP trap allows network administrators to monitor
MAC address changes in real time, which strengthens overall network security.

This SNMP trap applies only to dynamic MAC addresses learned on the managed FortiSwitch
port. MAC events can be lost by the hardware or software.

To send SNMP traps for MAC address changes:

1. Enable the SNMP trap for MAC address changes in a specific SNMP community.
By default, this SNMP trap is disabled.
config switch-controller snmp-community
edit <SNMP_community_identifier>


set name <SNMP_community_name>
set events l2mac
next
end
For example:
config switch-controller snmp-community
edit 1
set name newsnmpcommunity
set events l2mac
next
end
2. If the managed switch's port has set access-mode static, enable the logging of dynamic MAC address
events for this interface. If the managed switch's port has set access-mode dynamic or set access-mode
nac, the set log-mac-event command is hidden. By default, dynamic MAC address events are not logged.
Enabling the logging for an interface reports when a dynamic MAC address is learned, moved, or deleted.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set log-mac-event enable
next
end
next
end
For example:
config switch-controller managed-switch
edit S548DF5018000776
config ports
edit port10
set log-mac-event enable
next
end
next
end

Support QinQ with the switch controller - 7.6.1

The FortiOS switch controller now supports QinQ. With QinQ, each client of a managed security service provider
(MSSP) can have a unique customer VLAN with a self-managed 4k VLAN range in its own virtual domain. QinQ allows
better segregation and control over network traffic.
QinQ allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where
the VLAN header is placed in the Ethernet frame.
Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four
VLAN TPID profiles, including the default (0x8100). Use the default (0x8100) VLAN TPID profile to reach layer 3. The
default VLAN TPID profile (0x8100) cannot be deleted or changed.

To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.


The following features are not supported with QinQ:
l DHCP relay
l DHCP snooping
l IGMP snooping
l IP source guard
l PVLAN
l STP

Settings under config QinQ are for customer VLANs (C-VLANs). Other settings such as
set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider
VLANs (S-VLANs).

To configure QinQ with the switch controller:

1. Using the FortiOS CLI, create a separate VDOM for each customer.
2. Using the FortiOS CLI, create VLANs for each customer and assign the VLANs to the appropriate VDOM.
3. Using the FortiOS CLI, configure QinQ for the managed switch port that will be used by the customer's VLANs.

Create a VDOM for each customer

Use the FortiOS CLI to configure a separate VDOM for each customer. For example:
config vdom
edit root
next
edit vdom1
next
end

Create VLANs for each customer

Use the FortiOS CLI to create VLANs for each customer and assign the VLANs to the appropriate VDOM.
The S-VLAN must be configured on the same VDOM where the FortiLink interface is; for example, if the FortiLink
interface is on the root VDOM, all S-VLANs must be defined in the root VDOM.
In the following example, three VLANs are created and then assigned to the same VDOM:
config system interface
edit "c1.svlan999"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 52
set interface "fortilink"
set vlanid 999
next
end

config system interface
edit "c1.cvlan10"


set vdom "root"
set ip 15.1.1.1 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 53
set interface "c1.svlan999"
set vlanid 10
next
end

config system interface
edit "c1.cvlan20"
set vdom "root"
set ip 16.1.1.1 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 54
set interface "c1.svlan999"
set vlanid 20
next
end

In the following example, three VLANs are created and then assigned to the root or vdom1 VDOM:
config system interface
edit "909824.1"
set vdom "vdom1"
set interface "fortilink"
set vlanid 3000
next
end

config system interface
edit "1.vlan1"
set vdom "root"
set interface "909824.1"
set vlanid 1
next
end

config system interface
edit "1.vlan2"
set vdom "root"
set interface "909824.1"
set vlanid 2
next
end

Configure QinQ with the switch controller

Use the FortiOS CLI to configure QinQ for the managed switch port that will be used by the customer's VLANs. In the
following example, QinQ is enabled on port10 of the managed switch:
config switch-controller managed-switch
edit "S248EPTF18001384"


config ports
edit "port10"
set qnq "909824.1"
set vlan "1.vlan1"
set allowed-vlans "1.vlan2"
next
end
next
end

If you enable the set allowed-vlans-all command when QinQ is enabled, all C-VLANs in that VDOM that have the
same parent interface as the set qnq VLAN are pushed. In the following example, all C-VLANs in the root VDOM with
svlan100 as the parent interface are pushed:
config switch-controller managed-switch
edit S548DN5018000532
config ports
edit "port16"
set vlan "cv_sv_50"
set allowed-vlans-all enable
set export-to "root"
set mac-addr 70:4c:a5:a5:9d:59
set qnq "svlan100"
next
end
next
end

Configuration example

In this example, there are two customers. Customer c1 is assigned a customer tag of 3000 and VLANs 1-4094.
Customer c2 is assigned a customer tag of 3001 and VLANs 1-4094.
1. Use the FortiOS CLI to create separate VDOMs for the two customers, c1 and c2.
config vdom
edit root
next
edit c1
next
edit c2
next
end
2. Use the FortiOS CLI to create VLANs for each customer and assign the VLANs to the appropriate VDOM. In this
example, you create three VLANs for customer c1 and three VLANs for customer c2.
config system interface
edit "fortilink"
set fortilink enable
next
edit "customer.c1"
set vdom "root"
set interface "fortilink"
set vlanid 3000
next
edit "customer.c2"
set vdom "root"
set interface "fortilink"


set vlanid 3001
next
edit "c1.vlan1"
set vdom "c1"
set interface "customer.c1"
set vlanid 1
next
edit "c1.vlan10"
set vdom "c1"
set interface "customer.c1"
set vlanid 10
next
edit "c1.vlan20"
set vdom "c1"
set interface "customer.c1"
set vlanid 20
next
edit "c2.vlan1"
set vdom "c2"
set interface "customer.c2"
set vlanid 1
next
edit "c2.vlan10"
set vdom "c2"
set interface "customer.c2"
set vlanid 10
next
edit "c2.vlan20"
set vdom "c2"
set interface "customer.c2"
set vlanid 20
next
end
3. Use the FortiOS CLI to configure QinQ for the managed switch port (port8) that will be used by the VLANs (1, 10,
and 20) for customer c1.
config switch-controller managed-switch
edit "S108DV3A17000077"
config ports
edit "port8"
set qnq "customer.c1"
set vlan "c1.vlan1"
set allowed-vlans "c1.vlan10" "c1.vlan20"
next
end
next
end
4. Use the FortiOS CLI to configure QinQ for the managed switch port (port9) that will be used by the VLANs (1, 10,
and 20) for customer c2.
config switch-controller managed-switch
edit "S548DF5018000776"
config ports
edit "port9"
set qnq "customer.c2"
set vlan "c2.vlan1"
set allowed-vlans "c2.vlan10" "c2.vlan20"
next


end
next
end
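To make the S-VLAN/C-VLAN and TPID-profile mechanics of the example above concrete, the following builds and parses double-tagged frames for customers c1 (S-VLAN 3000) and c2 (S-VLAN 3001). It is an added example, not FortiSwitch code; the 0x88A8 service TPID is a constructed choice, since the page only names the default 0x8100 profile, and the frames are constructed.

```python
"""Build and parse QinQ (double-tagged) Ethernet frames. The walk over the
headers shows why a parser that only knows the default 0x8100 TPID profile
cannot see past a service tag."""
import struct
from typing import Dict, List, Sequence, Tuple

TPID_DEFAULT = 0x8100    # the default VLAN TPID profile, used for the C-VLAN tags here
TPID_SERVICE = 0x88A8    # IEEE 802.1ad service tag, constructed choice for the S-VLAN tags
ETHERTYPE_IPV4 = 0x0800

Tag = Tuple[int, int, int]  # (tpid, pcp, vid)


def _mac(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.replace("-", ":").split(":"))


def build_frame(dst: str, src: str, tags: Sequence[Tag], payload: bytes,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Tags are given outermost first; each becomes a 4-byte TPID + TCI header."""
    frame = _mac(dst) + _mac(src)
    for tpid, pcp, vid in tags:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
            raise ValueError(f"bad tag pcp={pcp} vid={vid}")
        frame += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, tpid_profiles: Sequence[int] = (TPID_DEFAULT, TPID_SERVICE)) -> Dict:
    """Walk the headers after the MAC addresses: every EtherType that matches a
    configured TPID profile is a VLAN tag; the first one that does not is the
    payload EtherType. With tpid_profiles=(TPID_DEFAULT,) a service tag is
    reported as an unknown payload type, which is what a TPID profile fixes."""
    tags: List[Dict[str, int]] = []
    offset = 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in tpid_profiles:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": etype, "payload": frame[offset + 2:]}


def push_service_tag(frame: bytes, svid: int, tpid: int = TPID_SERVICE, pcp: int = 0) -> bytes:
    """Provider-edge ingress (the set qnq port): insert the S-VLAN header right
    after the MAC addresses, outside whatever customer tag is already present."""
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | svid) + frame[12:]


def pop_service_tag(frame: bytes, tpid_profiles: Sequence[int] = (TPID_DEFAULT, TPID_SERVICE)) -> bytes:
    """Provider-edge egress: strip the outermost VLAN header if one is present."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in tpid_profiles:
        raise ValueError("frame carries no outer VLAN tag")
    return frame[:12] + frame[16:]


def customer_for(frame: bytes, svlan_to_customer: Dict[int, str]) -> str:
    """Map the outer S-VLAN to its customer, as the customer.c1/c2 interfaces do."""
    parsed = parse_frame(frame)
    if not parsed["tags"]:
        raise ValueError("untagged frame on a QinQ port")
    return svlan_to_customer.get(parsed["tags"][0]["vid"], "unknown")


# Constructed samples: a frame from customer c1 on C-VLAN 10, and the same
# frame once the S-VLAN 3000 (customer.c1) tag has been pushed.
C1_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [(TPID_DEFAULT, 5, 10)], b"\x45\x00\x00\x14")
C1_ON_TRUNK = push_service_tag(C1_FRAME, 3000)
SVLAN_TO_CUSTOMER = {3000: "c1", 3001: "c2"}

if __name__ == "__main__":
    print(parse_frame(C1_ON_TRUNK))
    print(parse_frame(C1_ON_TRUNK, tpid_profiles=(TPID_DEFAULT,)))
    print(customer_for(C1_ON_TRUNK, SVLAN_TO_CUSTOMER))
```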

Enhance network performance with VLAN pruning - 7.6.1

Starting in FortiOS 7.6.1 with FortiSwitchOS 7.6.1, the FortiOS switch controller supports VLAN pruning. VLAN pruning
prevents unnecessary traffic from unused VLANs by only allowing traffic from the VLANs required for the inter-switch link
(ISL) trunks. This process makes networks more efficient and preserves bandwidth. In addition, VLAN pruning
eliminates the time spent on manual VLAN pruning and reduces the chance of errors. By default, VLAN pruning is
disabled.

To enable VLAN pruning in FortiOS:

config switch-controller global
set vlan-optimization prune
end

To disable VLAN pruning in FortiOS:

config switch-controller global
set vlan-optimization {configured | none}
end

To display all VLANs learned using VLAN pruning on a FortiSwitch unit:

diagnose switch vlan-pruning dynamic-vlan list [<interface_name>]

For example:
diagnose switch vlan-pruning dynamic-vlan list port10

Although FortiOS leverages the Generic VLAN Registration Protocol (GVRP) message format
to exchange internal control packets for the VLAN-pruning feature, the firmware is currently
not fully compliant with the IEEE 802.1r-based standard GVRP specification.

To display the received and transmitted counters with GVRP-formatted messages on a FortiSwitch unit:

diagnose switch vlan-pruning protocol-packet stats [<interface_name>]

For example:
FS1E48T422005187 # diagnose switch vlan-pruning protocol-packet stats
Receive(RX) and transmit(TX) counters for GVRP vlan states
RX: JE JI LE LI LA E
TX: JE JI LE LI LA E
JE: JoinEmpty JI: JoinIn LE: LeaveEmpty
LI: LeaveIn LA: LeaveAll E: Empty

Configuration example

In the following example, a FortiGate device manages two FortiSwitch units.


1. Configure the native VLAN on the managed FortiSwitch port. FortiSwitch1 has vlan1 and vlan11, and FortiSwitch2
has vlan11.
config switch interface
edit port21
set native-vlan vlan1
next
end

config switch interface
edit port22
set native-vlan vlan11
next
end

config switch interface
edit port47
set native-vlan vlan11
next
end
2. Enable VLAN pruning on the FortiGate device.
FGT_A (vdom1) (Interim)# config switch-controller global
FGT_A (global) (Interim)# set vlan-optimization prune
FGT_A (global) (Interim)# end
3. Check VLAN pruning on the FortiSwitch1 auto-generated trunk interface. Only vlan11 and vlan4093 (the quarantine
VLAN configured in the set allowed-vlans command on all FortiSwitch ports) are allowed, and vlan1 is not.
config switch trunk
edit "8EPTF18001384-0"
set mode lacp-active
set auto-isl 1
set members "port22"
next
end

S524DN4K16000116 # diagnose switch vlan-pruning dynamic-vlan list 8EPTF18001384-0
8EPTF18001384-0 :
vlans : 11 4093

Provide an enhanced GUI for NAC policies - 7.6.3

When you create a device NAC policy in the FortiOS GUI, FortiOS now suggests values when you select the hardware
vendor, device family, type, operating system, and host to match. For example, if you want the NAC policy to match a
device family, FortiOS suggests FortiSwitch, FortiGate, FortiAP, FortiFone, FortiCam, FortiRecorder, FortiManager,
FortiAnalyzer, Mac, iPhone, Galaxy, Virtual Machine, and Printer. These suggestions make it easier and quicker to
create a device NAC policy.


Support IPv6 addresses for managed FortiSwitch units - 7.6.3

Starting in FortiOS 7.6.3 with FortiSwitchOS 7.2.3, you can use FortiLink to manage FortiSwitch units using IPv6
addresses. Previously, only IPv4 addresses were supported.
To use this feature, the following is required on the FortiGate device:
l FortiOS 7.6.3 or later
l You need to manually configure the IPv6 address for the FortiLink interface.
l You need to manually configure the DHCP pool.
To use this feature, the following is required on the managed FortiSwitch unit:
l FortiSwitchOS 7.2.3 or later
l You need to set the IPv4 mode for DHCP to static or to a similar setting because the DHCP IP acquisition for IPv4
occurs before IPv6. If the IPv6 DHCP IP address is acquired on an internal interface first, it takes precedence during
the discovery phase broadcast.
l You need to configure the IPv6 NTP server.
l In layer-3 mode, only the static AC discovery mode (under the config switch-controller global
command) is supported for IPv6.
FortiLink interfaces using IPv6 do not support zero-touch provisioning.

To configure a FortiLink interface with IPv6 in the FortiGate GUI:

1. Go to System > Feature Visibility, enable IPv6, and click Apply.
2. Go to WiFi & Switch Controller > FortiLink Interface.
3. Click Create New.
4. Select + in the Interface members field and then select the ports to add to the FortiLink interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the
FortiLink physical port, select Edit, delete the port from the Interface members field, and then select OK.
5. Configure the IPv6 Address/Prefix for your network.
6. Select Automatically authorize devices.
7. Click OK.

To configure a FortiLink interface with IPv6 in the FortiGate CLI:

Use the IPv6 options for configuring the system interface with the config system interface command. For
example:
config system interface
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set member "a" "b"
set lldp-reception enable
set lldp-transmission enable
set snmp-index 18
set auto-auth-extension-device enable
set fortilink-split-interface disable
set switch-controller-nac "fortilink"


set switch-controller-dynamic "fortilink"
set swc-first-create 255
config ipv6
set ip6-address 2001:10:255:1::1/64
set ip6-allowaccess ping https ssh http fabric
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-max-interval 60
set ip6-min-interval 10
config ip6-prefix-list
edit 2001:10:255:1::/64
set valid-life-time 86400
set preferred-life-time 43200
next
end
end
next
end

To configure a DHCP server with IPv6 in the FortiGate GUI:

1. Go to System > Feature Visibility, enable IPv6, and click Apply.
2. Go to WiFi & Switch Controller > FortiLink Interface.
3. Select the FortiLink interface and click Edit.
4. Enable DHCPv6 Server.
5. Complete the fields as needed.
6. Click OK.

To configure a DHCP server with IPv6 in the FortiGate CLI:

You can configure a DHCP server using the config system dhcp6 server command. For example:
config system dhcp6 server
edit 1
set dns-service default
set subnet 2001:db8:d0c:1::/64
set interface "port5"
config ip-range
edit 1
set start-ip 2001:db8:d0c:1::a
set end-ip 2001:db8:d0c:1::f
next
end
next
end

Prevent automatically created VLANs - 7.6.3

When a FortiSwitch unit is discovered, the switch controller automatically creates VLANs for quarantined traffic, RSPAN
and ERSPAN mirrored traffic, voice devices, video devices, and NAC onboarding devices. You can use the CLI to
prevent the switch controller from automatically creating VLANs.


When you disable the automatic creation of VLANs, only the default VLAN is created. All VLANs are hidden, except for
the default VLAN. Features that use unassigned VLANs do not work unless you manually configure them.
This feature applies only to new FortiLink configurations that use FortiOS 7.6.3 and later. By default, the automatic
creation of VLANs is enabled.

To prevent the switch controller from automatically creating VLANs:

config switch-controller initial-config vlans
set optional-vlans disable
end

FortiExtender

This section includes information about FortiExtender-related new features:

l Support fast failover for FortiExtender on page 498
l Support VLAN over FortiExtender LAN-extension mode 7.6.1 on page 498
l Support split tunneling in LAN extension mode 7.6.1 on page 506
l Support multiple APNs in WAN extension mode 7.6.1 on page 511
l Support FortiCare registration for FortiExtender 7.6.1 on page 513
l Add GUI support for split tunneling in LAN extension mode 7.6.3 on page 514
l Add GUI support for multiple APNs in WAN extension mode 7.6.3 on page 516
l Add GUI support for FortiCare registration for FortiExtender 7.6.3 on page 518

Support fast failover for FortiExtender

This enhancement ensures that FortiGate can swiftly recover data sessions in the event of a failover. You can set a
FortiExtender up with two sessions, Active and Standby, which are each associated with a primary and secondary
FortiGate.
Upon receiving a failover notification, FortiExtender switches the Standby session associated with the now primary
Access Controller (AC) to Active, and the Active session associated with the previous primary AC to Standby.
For more information about this feature, see Support fast failover for FortiExtender.

Support VLAN over FortiExtender LAN-extension mode - 7.6.1

This information is also available in the FortiExtender (FGT-Managed) 7.6.1 Admin Guide:
l VLAN support for LAN-extension mode

This release adds support for VLANs over a FortiExtender configured as a LAN extension. VLAN support can be
configured on the FortiGate Access Controller via the GUI or CLI. Once you add the VLAN configurations to the LAN
extension profile, FortiGate then synchronizes the VLAN configurations to the FortiExtender and the FortiExtender


applies the VLAN configuration to the soft switch. Clients from a different port in the LAN switch can set a dedicated
VLAN ID and the FortiGate Access Controller can apply a dedicated firewall policy for each VLAN interface.
The following CLI commands have been added:
config extension-controller extender-profile
edit <FortiExtender Profile>
set extension lan-extension
config lan-extension
config downlinks
edit <id>
set type port
set port <port>
set pvid <vlanid>
next
end
end
next
end

l port is the VLAN interface added to the FortiExtender interface.
l vlanid is the desired VLAN ID.

Example topology

All FortiExtender LAN traffic is sent to the FortiGate Access Controller via a Layer 2 Tunnel.


To configure VLANs on FortiExtender - GUI:

1. From the FortiGate, go to Network > FortiExtenders and configure the FortiExtender to run in LAN extension mode.

2. Go to Network > Interfaces and add VLAN interfaces to the LAN extension interface.

DHCP servers are enabled in these VLAN interfaces and will provide IP and gateway addresses to clients behind
the FortiExtender.
3. Go to Network > FortiExtenders and edit the FortiExtender Profile.
4. Under LAN extension > FortiExtender downlink, click Create new to create a new downlink.


5. Select the interface and enter the VLAN ID you want to bind to the FortiExtender LAN switch port.
6. When you are finished, click OK.
7. In the FortiGate Access Controller, go to Policy & Objects > Firewall Policy and create a firewall policy for each
VLAN interface designated as a downlink.
8. When you are done configuring on the FortiGate Access Controller, you can check the FortiExtender device to see
the corresponding downlink configurations.

When a client connects to port4 of a FortiExtender LAN switch, it will get the DHCP allocation (21.21.21.100) from
FortiGate vlan201. Client traffic then goes through the firewall from vlan201 to port1.


To configure VLANs on FortiExtender - CLI:

1. When the FortiGate Access Controller detects a FortiExtender, it automatically generates an extender-profile
without a downlink.
config extension-controller extender-profile
edit "FX200F-lanext-default"
set id 0
set model FX200F
set extension lan-extension
config lan-extension
set link-loadbalance loadbalance
set ipsec-tunnel "fext-ipsec-QdzC"
set backhaul-interface "port3"
set backhaul-ip "1.1.1.10"
config backhaul
edit "1"
set port port1
next
edit "2"
set port port2
next
end
end

2. Configure the FortiExtender to use LAN-extension mode.
config extension-controller extender
edit "FX0035919000000"
set id "FX200F5919000000"
set authorized enable
set device-id 0
set extension-type lan-extension
set profile "FX200F-lanext-default"
set override-allowaccess enable
set allowaccess ping telnet
set override-login-password-change enable
next
end

3. When the FortiExtender is authorized, the FortiGate will receive a LAN-extension interface.
config system interface
edit "FX0035919000000"
set vdom "root"
set ip 172.31.0.254 255.255.255.0
set allowaccess ping ssh
set type lan-extension
set role lan
set snmp-index 27
set ip-managed-by-fortiipam enable
set interface "fext-ipsec-QdzC"
next
end

4. Create VLAN interfaces based on the LAN-extension interface and enable DHCP servers on the VLAN interface.
config system interface
edit "v201"
set vdom "root"
set ip 21.21.21.99 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 28
set ip-managed-by-fortiipam disable
set interface "FX0035919000000"
set vlanid 201
next
end
config system dhcp server
edit 4
set forticlient-on-net-status disable
set dns-service default
set default-gateway 21.21.21.99
set netmask 255.255.255.0
set interface "v201"
config ip-range
edit 1
set start-ip 21.21.21.100
set end-ip 21.21.21.120
next
end
next
end

5. Configure the FortiExtender downlink interface in the LAN extension profile.
This example forces clients connected to FortiExtender LAN switch port4 to send traffic to FortiGate VLAN 201, and
clients connected to FortiExtender LAN switch port5 to send traffic to FortiGate VLAN 401.
config extension-controller extender-profile
edit "FX200F-lanext-default"
set id 0
set model FX200F
set extension lan-extension
config lan-extension
set link-loadbalance loadbalance
set ipsec-tunnel "fext-ipsec-QdzC"
set backhaul-interface "port3"
set backhaul-ip "1.1.1.10"
config backhaul
edit "1"
set port port1
next
edit "2"
set port port2
next
end
config downlinks
edit "downlink-v201"
set type port
set port port4
set pvid 201
next
edit "downlink-v401"
set type port
set port port5
set pvid 401
next
end
end
next
end

6. After configuring the extension profile in the FortiGate, the settings are automatically synced to the FortiExtender.
No manual configuration is needed on the FortiExtender side.
Corresponding synced FortiExtender configurations:
config system switch-interface
edit le-switch
set vlan-support enable
config member
edit le-agg-link
set type aggregate
set port le-agg-link
set vids 201 401
next
edit port4
set type physical
set port port4
set vids
set pvid 201
next
edit port5
set type physical
set port port5
set vids
set pvid 401
next
end
set stp disable
set ts-mode disable
next
end

7. Configure firewall policies to manage client traffic on each dedicated FortiGate VLAN.
The following shows an example firewall policy for traffic on v201:
config firewall policy
edit 5
set name "v201"
set uuid 7ea5b28c-810c-51ef-1a44-f92a2c95d2d3
set srcintf "v201"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

Support split tunneling in LAN extension mode - 7.6.1

This information is also available in the FortiExtender 7.6.1 Managed Administration Guide:
- Configure split tunneling in LAN extension mode

GUI support is available in FOS 7.6.3. For more information, see Add GUI support for split
tunneling in LAN extension mode 7.6.3 on page 514.

This release supports split tunneling when FortiExtender is configured in LAN extension mode. You can configure split
tunneling to specify which traffic is routed to the central FortiGate for further inspection and which traffic can be sent
directly to its destination. This reduces the load on the central FortiGate by routing less traffic through the LAN
extension tunnel.


Example topology

When FortiGate authorizes a FortiExtender in LAN extension mode, it creates an IPsec tunnel between the
FortiExtender uplink port and the FortiGate. Client traffic is forwarded to the FortiGate via this tunnel. The name of the
tunnel can be found in the FortiGate LAN extension profile. You can specify which traffic is forwarded through this tunnel
to the FortiGate based on source/destination, IP/port number, and protocol type.
FortiExtender groups its wired and wireless clients into a soft switch called le-switch. Traffic from these FortiExtender
clients is bridged into a default IPsec tunnel called le-agg-link to reach the central FortiGate.

To configure split tunneling - CLI:

1. From the FortiGate CLI, define the split tunnel in the FortiExtender LAN extension profile under config
traffic-split-services.
config extension-controller extender-profile
edit "FXW51G-lanext-default"
config lan-extension
set ipsec-tunnel "fext-ipsec-mSI4"
set backhaul-interface "internal"
config backhaul
edit "1"
set port lte1
set role secondary
next
edit "2"
set port wan
set role primary
next
end
config traffic-split-services
edit "1"
set vsdb enable
set address ''
set service ''
next
edit "2"
set vsdb disable
set address "gmail.com"
set service "HTTPS"
next
edit "3"
set vsdb disable
set address "fortinet.com"
set service "HTTPS"
next
end
end
next
end

2. Once a FortiExtender is authorized with the LAN extension profile, a FortiGate LAN extension interface is created
(FX016S224000024).
"FX016S224000024" is an IPsec interface that corresponds with the tunnel "fext-ipsec-mSI4", which is created by
the FortiGate LAN extension profile.
config extension-controller extender
edit "FX016S224000024"
set id "FXW51GS224000024"
set authorized enable
set device-id 0
set extension-type lan-extension
set profile "FXW51G-lanext-default"
set override-allowaccess enable
set allowaccess ping telnet https
set override-login-password-change enable
next
end

3. A DHCP server is created on the FortiGate LAN extension interface "FX016S224000024" for FortiExtender LAN
clients.
config system dhcp server
edit 2
set forticlient-on-net-status disable
set ntp-service default
set default-gateway 192.168.0.254
set netmask 255.255.255.0
set interface "FX016S224000024"
config ip-range
edit 1
set start-ip 192.168.0.1
set end-ip 192.168.0.254
next
end
set dhcp-settings-from-fortiipam enable
config exclude-range
edit 1
set start-ip 192.168.0.254
set end-ip 192.168.0.254
next
end
set dns-server1 192.168.0.1
next
end


4. Configure a FortiGate firewall policy for traffic from the FortiExtender LAN clients to the IPsec
interface "FX016S224000024".
config firewall policy
edit 2
set name "Exclude-lanext"
set uuid ffaf4528-ef11-51ef-da97-83d777adbadc
set srcintf "FX016S224000024"
set dstintf "wan1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

5. After you apply these configurations, they are automatically synched to the FortiExtender devices.

To verify split tunneling configurations from FortiExtender - CLI:

When you apply FortiExtender profile configurations from the FortiGate, they are automatically synched to the
FortiExtender. Note that these configurations are auto-generated and cannot be edited while in LAN extension mode.
1. Verify the synched profile configurations from the FortiExtender CLI. FortiExtender profile configurations from the
FortiGate are synched to the FortiExtender soft switch (le-switch). The le-switch bridges LAN clients to the IPsec
tunnel (le-agg-link), and then to the FortiGate interface "FX016S224000024". With split tunneling defined, the split
traffic is not sent through the IPsec tunnel.
config system switch-interface
...
edit le-switch
set vlan-support disable
config member
edit le-agg-link
set type aggregate
set port le-agg-link
set vids
next
edit port1
set type physical
set port port1
set vids
set pvid 1
next
edit port2
set type physical
set port port2
set vids
set pvid 1
next
edit port3
set type physical
set port port3
set vids
set pvid 1
next
edit 2G
set type vap
set vap 2G
set pvid 0
next
edit 5G
set type vap
set vap 5G
set pvid 0
next
end
set stp disable
set ts-mode include
config traffic-split
edit 1
set dst-mac 1a:44:f9:fd:72:94
set dst-addr le-ts-vsdb
set services
next
edit 2
set dst-mac 1a:44:f9:fd:72:94
set dst-addr le-ts-gmail.com
set services le-ts-HTTPS
next
edit 3
set dst-mac 1a:44:f9:fd:72:94
set dst-addr le-ts-fortinet.com
set services le-ts-HTTPS
next
end
next
end

2. Verify that split traffic is matched using the following address object, which covers the DHCP range assigned to LAN clients.
config network address
edit le-ts-le-switch
set type ipmask
set subnet 192.168.0.0/24
next
end

3. Verify that split traffic is forwarded to the FortiExtender WAN interface by the synched firewall policy.
config firewall policy
edit le-ts-le-switch
set srcintf any
set dstintf any
set srcaddr le-ts-le-switch
set dnat disable
set dstaddr all
set action accept
set status enable
set service ALL
set nat enable
next
end

4. Verify that the FortiExtender WAN interface has a default gateway to the Internet. In this example, it is wan.
FXW51GS224000024 # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel, N - NHRP,
> - selected route, * - FIB route

S 0.0.0.0/0 [61/0] via 192.168.0.254, le-switch
S>* 0.0.0.0/0 [5/0] via 192.168.3.99, wan
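One way to catch drift between what is configured in the FortiGate LAN extension profile and what the FortiExtender actually synced, for both the VLAN downlinks described earlier in this section and the split-tunnel services just shown, is to parse the two CLI dumps and compare them. The following Python is an added example, not Fortinet code: parse_fortios_config, check_vlan_downlinks, check_split_tunnel and audit are hypothetical names, the two embedded configs are constructed and trimmed samples written in the same syntax as the listings above, and the FortiExtender sample deliberately omits VLAN 201 from the vids of le-agg-link so that the check has something to report.

```python
# Added example, not Fortinet code: parse FortiOS-style CLI config trees and
# cross-check a FortiGate LAN-extension profile against what was synced to the
# FortiExtender: the VLAN downlinks and the split-tunnel services described
# above. Both configs are constructed, trimmed samples in the page's syntax.
import shlex

def parse_fortios_config(text):
    """Nested dict from config/edit/set/next/end lines; 'set' values are lists."""
    root = node = {}
    stack = []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words or words[0] == "...":
            continue
        if words[0] in ("config", "edit"):       # open a table or an entry
            stack.append(node)
            node = node.setdefault(" ".join(words[1:]), {})
        elif words[0] == "set":                  # 'set vids' with no value -> []
            node[words[1]] = words[2:]
        elif words[0] in ("next", "end"):        # close the entry / table
            node = stack.pop()
    return root

def check_vlan_downlinks(profile, fext):
    """Downlink port must be a le-switch member with the same PVID; VLAN tagged on le-agg-link."""
    members = fext["system switch-interface"]["le-switch"]["member"]
    uplink_vids = set(members["le-agg-link"].get("vids", []))
    problems = []
    for name, downlink in profile["lan-extension"].get("downlinks", {}).items():
        port, pvid = downlink["port"][0], downlink["pvid"][0]
        if members.get(port, {}).get("pvid") != [pvid]:
            problems.append(f"{name}: {port} on le-switch does not carry pvid {pvid}")
        if pvid not in uplink_vids:
            problems.append(f"{name}: VLAN {pvid} is not tagged on le-agg-link")
    return problems

def check_split_tunnel(profile, fext):
    """Each traffic-split-services entry must be mirrored by a traffic-split entry using le-ts-* objects."""
    switch = fext["system switch-interface"]["le-switch"]
    services = profile["lan-extension"].get("traffic-split-services", {})
    problems = []
    if services and switch.get("ts-mode") != ["include"]:
        problems.append("ts-mode is not 'include' although split services exist")
    for sid, svc in services.items():
        addr = "le-ts-vsdb" if svc.get("vsdb") == ["enable"] else "le-ts-" + svc["address"][0]
        want = (addr, ["le-ts-" + s for s in svc.get("service", []) if s])
        got = switch.get("traffic-split", {}).get(sid, {})
        if (got.get("dst-addr", [None])[0], got.get("services", [])) != want:
            problems.append(f"split entry {sid}: expected {want}, synced {got}")
    return problems

FGT_PROFILE = """
config extension-controller extender-profile
    edit "FX-lanext-demo"
        config lan-extension
            config downlinks
                edit "downlink-v201"
                    set port port4
                    set pvid 201
                next
            end
            config traffic-split-services
                edit "1"
                    set vsdb disable
                    set address "fortinet.com"
                    set service "HTTPS"
                next
            end
        end
    next
end
"""
FEXT_SWITCH = """
config system switch-interface
    edit le-switch
        config member
            edit le-agg-link
                set vids
            next
            edit port4
                set pvid 201
            next
        end
        set ts-mode include
        config traffic-split
            edit 1
                set dst-addr le-ts-fortinet.com
                set services le-ts-HTTPS
            next
        end
    next
end
"""

def audit():
    profile = parse_fortios_config(FGT_PROFILE)["extension-controller extender-profile"]["FX-lanext-demo"]
    fext = parse_fortios_config(FEXT_SWITCH)
    return check_vlan_downlinks(profile, fext), check_split_tunnel(profile, fext)
```

Running audit() on the samples returns one VLAN problem (VLAN 201 missing from the uplink member) and no split-tunnel problem; on real devices, feed it the output of show extension-controller extender-profile from the FortiGate and show system switch-interface from the FortiExtender.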

Support multiple APNs in WAN extension mode - 7.6.1

This information is also available in the FortiExtender 7.6.1 Managed Administration Guide:
- Multiple APNs in WAN-Extension mode

GUI support is available in FOS 7.6.3. For more information, see Add GUI support for multiple
APNs in WAN extension mode 7.6.3 on page 516.

This release supports adding multiple APNs when operating in WAN-Extension mode. Select FortiExtender models can
support multiple Access Point Names (APNs). By using different APNs to create multiple Packet Data Networks (PDNs),
FortiGate can establish up to four FortiExtender virtual interfaces from a single FortiExtender modem. These interfaces
provide users with more flexibility to customize data traffic steering, improving FortiGate connectivity and performance
through FortiExtender.

To configure multiple APNs - CLI:

1. From the FortiExtender CLI, create multiple data plans with unique APNs.
config extension-controller dataplan
edit "plan1"
set apn "ltedata.apn"
set capacity 100
next
edit "plan2"
set apn "ltemobile.apn"
set capacity 200
next
end

2. In the FortiExtender profile, enable multiple-PDN and add your data plans.
config extension-controller extender-profile
edit "FXW51G-wanext-default"
set model FXW51G
config cellular
set dataplan "plan1"
config modem1
set multiple-PDN enable
set pdn1-dataplan "plan1"
set pdn2-dataplan "plan2"
set pdn3-dataplan ''
set pdn4-dataplan ''
end
end
next
end

3. Authorize the FortiExtender and set your WAN-Extension PDN interfaces so that FortiGate obtains multiple virtual
interfaces with different PDNs.
config extension-controller extender
edit "FX016S224000024"
set id "FXW51GS224000024"
set authorized enable
set extension-type wan-extension
set profile "FXW51G-wanext-default"
config wan-extension
set modem1-pdn1-interface "fext1"
set modem1-pdn2-interface "fext2"
set modem1-pdn3-interface ''
set modem1-pdn4-interface ''
end
next
end

4. Configure firewall policies to steer different traffic flows to different FortiExtender interfaces based on PDNs.
config firewall policy
edit 3
set name "control-flow"
set uuid 6aaedd2a-f309-51ef-9fee-0ca8ef8f4206
set srcintf "wan1"
set dstintf "fext1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "MMS"
set nat enable
next
edit 4
set name "data-flow"
set uuid 8a47bb70-f309-51ef-91a0-35e0e2bc5547
set srcintf "wan1"
set dstintf "fext2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end


Support FortiCare registration for FortiExtender - 7.6.1

This information is also available in the FortiExtender 7.6.1 Managed Administration Guide:
- Register with FortiCare

GUI support is available in FOS 7.6.3. For more information, see Add GUI support for
FortiCare registration for FortiExtender 7.6.3 on page 518.

This feature adds the option to register your authorized FortiExtender to FortiCare directly from the FortiGate CLI.
FortiCare enables you to manage security fabric devices such as FortiAP, FortiSwitch, and FortiExtender from a root
FortiGate device. Once your FortiExtender is registered with FortiCare, you gain access to more streamlined ticket
reporting and tracking services. You can also download historic and recent modem firmware and device images from
FortiCare.

To register a FortiExtender to FortiCare via FortiGate - CLI:

1. From the FortiGate CLI, enter the following command:
# diag forticare direct-registration product-registration

To view available CLI options, enter -help.
Example:
# diag forticare direct-registration product-registration -help
Options: a:A:y:C:c:T:eF:f:hI:i:l:O:o:p:P:z:R:r:S:s:t:v:N:G
--<long> -<short>
account_id a:
address A:
city y:
company C:
...

2. Example registration:
# diag forticare direct-registration product-registration -N FX212FTQ22000746 -a
[email protected] -p LDAP -T "CA" -R "other" -e 1
Account info:
contract_number=[] account_id=[[email protected]] password=[***]
reseller_id=0 reseller=[other]
isGovernment=0
first_name=[] last_name=[] company=[]
title=[] address=[] city=[]
state=[] state_code=[] country_code=0
post_code=[] phone=[] fax=[]
industry=[] industry_id=0 orgsize=[] orgsize_id=0
version=0 SN=[FX212FTQ22000746] existing=1
Prepare to register product into this account.
Do you want to continue? (y/n)y
Registration successful

Add GUI support for split tunneling in LAN extension mode - 7.6.3

Support for configuring split tunneling in LAN extension mode using the CLI was added in
FortiOS 7.6.1. FortiOS 7.6.3 adds GUI support. For more information, see Support split
tunneling in LAN extension mode 7.6.1 on page 506.

This release adds GUI support for configuring split tunneling. When FortiExtender is configured in LAN extension mode,
you can configure split tunneling to specify which traffic is routed to the central FortiGate for further inspection and
which traffic can be sent directly to its destination. This reduces the load on the central FortiGate by routing less traffic
through the LAN extension tunnel.

To configure split tunneling - GUI:

1. From the FortiGate, go to Network > FortiExtenders > Managed FortiExtenders and locate the FortiExtender you
want to configure split tunneling for.
2. In the details column, you can find the name of the IPsec tunnel between the FortiExtender and FortiGate. In this
example, the tunnel name is fext-ipsec-mSI4.

3. Go to Network > FortiExtenders > Profiles and click Create new or edit an existing FortiExtender profile.
4. Under LAN extension, you can configure the IPsec tunnel (fext-ipsec-mSI4) between the FortiGate and the
FortiExtender uplink port.
5. In Link role, select Uplink with split tunnel to select which traffic you want to exempt from being sent to the IPsec
tunnel. You can enable Popular video services or add specific addresses and services you want to exempt.
In the following example, popular video services, as well as HTTPS links to specific addresses, are exempted from
being sent to the IPsec tunnel.


6. When you are finished, click OK.
FortiExtender clients will receive DHCP assignments from the FortiGate LAN extension interface
(FX016S224000024).
7. To configure a firewall policy for FortiExtender clients, go to Policy & Objects > Firewall Policy, and click Create new
to define a policy.
8. Configure the following:
a. Set the Action to ACCEPT.
b. In the Incoming interface, set it to the FortiGate LAN extension interface (FX016S224000024).
Note: FortiExtender clients receive DHCP assignments from the FortiGate LAN extension interface.
c. In Outgoing interface, set it to wan1.
d. When you are finished, click OK.


As defined in split tunneling mode, traffic will use this firewall policy to access the internet for initialization, DNS,
and so on.
9. Once the session is established, the split traffic will be sent to the FortiExtender WAN interface via the FortiExtender
firewall. This traffic will no longer use the IPsec tunnel.
- The FortiExtender firewall only accepts the traffic from FortiExtender LAN clients, which is defined as le-ts-le-switch
(the DHCP range in the FortiGate LAN extension interface).
- FortiExtender will forward the split traffic to a local interface with a default gateway.

Add GUI support for multiple APNs in WAN extension mode - 7.6.3

Support for configuring multiple APNs in WAN extension mode using the CLI was added in
FortiOS 7.6.1. FortiOS 7.6.3 adds GUI support. For more information, see Support multiple
APNs in WAN extension mode 7.6.1 on page 511.

This release adds GUI support for configuring multiple APNs. When operating in WAN-Extension mode, select
FortiExtender models can support multiple Access Point Names (APNs). By using different APNs to create multiple
Packet Data Networks (PDNs), FortiGate can establish up to four FortiExtender virtual interfaces from a single
FortiExtender modem. These interfaces provide users with more flexibility to customize data traffic steering, improving
FortiGate connectivity and performance through FortiExtender.


To configure multiple APNs - GUI:

1. From the FortiGate, go to Network > FortiExtenders > Data Plans and click Create new to create multiple data plans
with unique APNs.
2. Go to Network > FortiExtenders > Profiles and create a FortiExtender profile.
3. Select a model that supports multiple APNs, and then set the Mode to WAN extension.
4. Under the modem section, enable Multiple PDN and add the multiple data plans (with different APNs) to the same
modem.
5. When you are finished, click OK.
6. Go to Network > FortiExtenders > Managed FortiExtenders and Authorize the FortiExtender.
7. Under WAN extension, add your FortiExtender interfaces to the Modem 1 PDN Interface.


Multiple FortiExtender interfaces can be created to match the different PDNs.
8. Go to Policy & Objects > Firewall Policy and create firewall policies to steer different traffic flows to different
FortiExtender interfaces based on PDNs.

Add GUI support for FortiCare registration for FortiExtender - 7.6.3

Support for adding FortiExtenders to FortiCare using the CLI was added in FortiOS 7.6.1.
FortiOS 7.6.3 adds GUI support. For more information, see Support FortiCare registration for
FortiExtender 7.6.1 on page 513.

This release adds GUI support for registering your authorized FortiExtender to FortiCare directly from the FortiGate.
FortiCare enables you to manage security fabric devices such as FortiAP, FortiSwitch, and FortiExtender from a root
FortiGate device. Once your FortiExtender is registered with FortiCare, you gain access to more streamlined ticket
reporting and tracking services. You can also download historic and recent modem firmware and device images from
FortiCare.


To register a FortiExtender to FortiCare via FortiGate - GUI:

1. From the FortiGate, go to Network > FortiExtenders > Managed FortiExtenders.
If there are any authorized FortiExtenders that have not been registered yet, a Register all button is available.
2. Click Register all to begin registering your device.


3. Complete the following:
a. Enter your FortiCloud account credentials.
b. Enter the device registration details.
c. Select the device serial numbers of the FortiExtenders you want to register.
d. When you are finished, click Register.


4. FortiGate displays the registration result.


System

This section includes information about system related new features:


- General on page 521
- FortiGuard on page 532
- High availability on page 543
- Certificates on page 557
- Security on page 560
- SNMP on page 568

General

This section includes information about general system related new features:
- Restrict local administrator logins through the console on page 521
- Configure TCP NPU session delay globally on page 523
- Object usage included in the print tablesize command output on page 525
- Simplified device registration for Security Fabric devices 7.6.1 on page 525
- Firmware upgrade report 7.6.1 on page 527
- Optimizations for physical FortiGate devices with 2 GB RAM 7.6.3 on page 531

Restrict local administrator logins through the console

This information is also available in the FortiOS 7.6 Administration Guide:
- Restricting local administrator logins through the console

FortiOS can now restrict local administrator logins using the console when FortiGate can reach the remote
authentication server. This enhancement provides more control over local administrator logins to improve system
security.
config system global
set admin-restrict-local {all | non-console-only | disable}
end

set admin-restrict-local {all | non-console-only | disable}
    Restrict local administrator logins when the remote authentication server is reachable.
    - all: Enable local administrator authentication restriction, including the console.
    - non-console-only: Enable local administrator authentication restriction, excluding the console.
    - disable: Disable local administrator authentication restriction.


Example 1

In this example, the local administrator restriction is set to non-console-only. As a result, local administrators cannot
use non-console methods, such as SSH, to log in to FortiGate when the remote authentication server is reachable.
However, local administrators can use the console to log in to FortiGate.

To exclude the console from local administrator login restrictions:

1. In FortiOS, set the administrator restriction to non-console-only:
config system global
set admin-restrict-local non-console-only
end

2. Using SSH and the local administrator account, log in to FortiOS.
Login is denied:
ssh admin@<ip address>
admin@<ip address>'s password:
Permission denied, please try again.

The login failure is captured in the logs:
1: date=2024-04-01 time=15:42:08 eventtime=1712011328452918375 tz="-0700"
logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin
login failed" sn="0" user="admin" ui="ssh(172.16.200.100)" method="ssh"
srcip=172.16.200.100 dstip=172.16.200.1 action="login" status="failed" reason="none"
msg="Administrator admin login failed from ssh(172.16.200.100)"

3. Using the FortiGate console and the local administrator account, log in to FortiOS.
Login is allowed:
FGT login: admin
Password:
Welcome!

The successful login is captured in the logs:
1: date=2024-04-01 time=15:43:36 eventtime=1712011415358013250 tz="-0700"
logid="0100032001" type="event" subtype="system" level="information" vd="root"
logdesc="Admin login successful" sn="1712011415" user="admin" ui="console"
method="console" srcip=0.0.0.0 dstip=0.0.0.0 action="login" status="success"
reason="none" profile="super_admin" msg="Administrator admin logged in successfully from
console"

Example 2

In this example, the local administrator restriction is set to all. As a result, local administrators cannot use any method
to log in to FortiGate when the remote authentication server is reachable.

To restrict all local administrator logins:

1. In FortiOS, set the local administrator restriction to all:
config system global
set admin-restrict-local all
end

2. Using SSH and the local administrator account, log in to FortiOS.
Login is denied and the failure is captured in the logs.
3. Using the FortiGate console and the local administrator account, log in to FortiOS.
Login is denied, and the failure is captured in the logs:
2: date=2024-04-01 time=16:26:56 eventtime=1712014017124846849 tz="-0700"
logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin
login failed" sn="0" user="admin" ui="console" method="console" srcip=0.0.0.0
dstip=0.0.0.0 action="login" status="failed" reason="none" msg="Administrator admin
login failed from console"
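The log records in these two examples are what a SIEM rule for this feature would key on. As an added example (not Fortinet code), the following Python parses FortiOS admin-login event lines and flags any successful local-administrator login over a method that the configured admin-restrict-local mode should have blocked; because the restriction only applies while the remote authentication server is reachable, such a login implies the server was unreachable at that moment, which is worth an alert in its own right. The function names, the local_admins set (the log does not say whether an account is local) and the fourth sample line (a constructed SSH success) are assumptions; the first three sample lines are shortened copies of the records shown above.

```python
# Added example (not Fortinet code): parse FortiOS administrator-login event logs
# and flag successful local-administrator logins over a method that the
# admin-restrict-local setting should have blocked. Because the restriction only
# applies while the remote authentication server is reachable, such a login is a
# sign that the server was unreachable at that moment and worth an alert.
# The first three sample lines are shortened copies from this section; the last
# one is a constructed SSH success added to exercise the detection.
import re

# key=value pairs; quoted values may contain spaces and parentheses
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

LOGID_ADMIN_LOGIN_OK = "0100032001"   # "Admin login successful" (from the page)


def parse_fortios_log(line):
    """Return the key/value fields of one FortiOS log line as a dict."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def method_is_restricted(mode, method):
    """Does admin-restrict-local <mode> block local logins over <method>?"""
    if mode == "all":
        return True
    if mode == "non-console-only":
        return method != "console"
    return False                      # "disable"


def find_fallback_logins(lines, mode, local_admins):
    """Successful logins by a local admin over a restricted method.
    local_admins is supplied by the caller (assumption): the log does not say
    whether an account is defined locally or on the remote server."""
    hits = []
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("logid") != LOGID_ADMIN_LOGIN_OK or ev.get("status") != "success":
            continue
        if ev.get("user") in local_admins and method_is_restricted(mode, ev.get("method")):
            hits.append((ev["date"], ev["time"], ev["user"], ev["method"], ev.get("srcip")))
    return hits


SAMPLE_LOGS = [
    'date=2024-04-01 time=15:42:08 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'ui="ssh(172.16.200.100)" method="ssh" srcip=172.16.200.100 dstip=172.16.200.1 '
    'action="login" status="failed" msg="Administrator admin login failed from ssh(172.16.200.100)"',
    'date=2024-04-01 time=15:43:36 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="console" method="console" srcip=0.0.0.0 dstip=0.0.0.0 action="login" '
    'status="success" profile="super_admin" msg="Administrator admin logged in successfully from console"',
    'date=2024-04-01 time=16:26:56 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="console" '
    'method="console" srcip=0.0.0.0 dstip=0.0.0.0 action="login" status="failed"',
    # constructed: a local admin got in over SSH, so the remote server was unreachable
    'date=2024-04-02 time=09:05:12 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="ssh(172.16.200.100)" method="ssh" srcip=172.16.200.100 dstip=172.16.200.1 '
    'action="login" status="success" profile="super_admin"',
]


def audit_sample(mode):
    """Run the detection over the sample lines for one admin-restrict-local mode."""
    return find_fallback_logins(SAMPLE_LOGS, mode, local_admins={"admin"})


if __name__ == "__main__":
    for mode in ("disable", "non-console-only", "all"):
        print(mode, audit_sample(mode))
```

With non-console-only, only the constructed SSH success is reported (the console success is expected under that mode); with all, both successes are reported; with disable, nothing is.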

Configure TCP NPU session delay globally

This information is also available in the FortiOS 7.6 Administration Guide:
- Configure TCP NPU session delay globally

The TCP NPU session delay can be applied globally, eliminating the need to set this command for each firewall policy.
config system global
set delay-tcp-npu-session {enable | disable}
end

This global setting is disabled by default. When it is disabled, if the host interface is busy, it is possible that the third TCP
session establishment ACK received from the client is transmitted to the server after the data packets. When it is
enabled, the packet order of the three-way handshake is guaranteed.
A sniffer trace will display the following when the setting is disabled:
# diagnose sniffer packet port1 'tcp' 6 0 a
interfaces=[port1]
filters=[tcp]
2024-04-17 20:42:48.920621 port1 -- 172.16.200.55.45028 -> 10.1.100.11.80: syn 1844864123
0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500 .9...0..)`.U..E.
0x0010 003c 868a 4000 4006 d1dd ac10 c837 0a01 .<..@.@......7..
0x0020 640b afe4 0050 6df6 647b 0000 0000 a002 d....Pm.d{......
0x0030 70bc 3f42 0000 0204 05a3 0402 080a 5026 p.?B..........P&
0x0040 e2f1 0000 0000 0103 0307 ..........

2024-04-17 20:42:48.921391 port1 -- 10.1.100.11.80 -> 172.16.200.55.45028: syn 2427492278 ack 1844864124
0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500 ..)`.U.9...0..E.
0x0010 003c 0000 4000 3e06 5a68 0a01 640b ac10 .<..@.>.Zh..d...
0x0020 c837 0050 afe4 90b0 97b6 6df6 647c a012 .7.P......m.d|..
0x0030 7120 d861 0000 0204 0576 0402 080a 5029 q..a.....v....P)
0x0040 ee07 5026 e2f1 0103 0307 ..P&......

2024-04-17 20:42:48.921586 port1 -- 172.16.200.55.45028 -> 10.1.100.11.80: ack 2427492279
0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500 .9...0..)`.U..E.
0x0010 0034 868b 4000 4006 d1e4 ac10 c837 0a01 .4..@.@......7..
0x0020 640b afe4 0050 6df6 647c 90b0 97b7 8010 d....Pm.d|......
0x0030 00e2 772e 0000 0101 080a 5026 e2f1 5029 ..w.......P&..P)
0x0040 ee07 ..

2024-04-17 20:42:48.922499 port1 -- 10.1.100.11.80 -> 172.16.200.55.45028: ack 1844864277
0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500 ..)`.U.9...0..E.
0x0010 0034 79b0 4000 3e06 e0bf 0a01 640b ac10 .4y.@.>.....d...
0x0020 c837 0050 afe4 90b0 97b7 6df6 6515 8010 .7.P......m.e...
0x0030 00eb 768c 0000 0101 080a 5029 ee07 5026 ..v.......P)..P&
0x0040 e2f1

A sniffer trace will display the following when the setting is enabled:
# diagnose sniffer packet port1 'tcp' 6 0 a
interfaces=[port1]
filters=[tcp]
2024-04-17 20:37:11.440240 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: syn 780932462
0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500 .9...0..)`.U..E.
0x0010 003c 8c31 4000 4006 cc36 ac10 c837 0a01 .<.1@.@..6...7..
0x0020 640b aa98 0050 2e8c 156e 0000 0000 a002 d....P...n......
0x0030 70bc 1c99 0000 0204 05a3 0402 080a 5025 p.............P%
0x0040 995f 0000 0000 0103 0307 ._........

2024-04-17 20:37:11.440925 port1 -- 10.1.100.11.80 -> 172.16.200.55.43672: syn 3325091396 ack 780932463
0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500 ..)`.U.9...0..E.
0x0010 003c 0000 4000 3e06 5a68 0a01 640b ac10 .<..@.>.Zh..d...
0x0020 c837 0050 aa98 c630 de44 2e8c 156f a012 .7.P...0.D...o..
0x0030 7120 833c 0000 0204 0576 0402 080a 5028 q..<.....v....P(
0x0040 a476 5025 995f 0103 0307 .vP%._....

2024-04-17 20:37:11.441126 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: ack 3325091397
0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500 .9...0..)`.U..E.
0x0010 0034 8c32 4000 4006 cc3d ac10 c837 0a01 .4.2@.@..=...7..
0x0020 640b aa98 0050 2e8c 156f c630 de45 8010 d....P...o.0.E..
0x0030 00e2 2209 0000 0101 080a 5025 995f 5028 ..".......P%._P(
0x0040 a476 .v

2024-04-17 20:37:11.441518 port1 -- 172.16.200.55.43672 -> 10.1.100.11.80: psh 780932463 ack 3325091397
0x0000 8439 8ff2 9c30 000c 2960 1955 0800 4500 .9...0..)`.U..E.
0x0010 00cd 8c33 4000 4006 cba3 ac10 c837 0a01 ...3@.@......7..
0x0020 640b aa98 0050 2e8c 156f c630 de45 8018 d....P...o.0.E..
0x0030 00e2 feba 0000 0101 080a 5025 995f 5028 ..........P%._P(
0x0040 a476 4745 5420 2f76 6972 7573 2f69 6d61 .vGET./virus/ima
0x0050 6765 2e6f 7574 2048 5454 502f 312e 310d ge.out.HTTP/1.1.
0x0060 0a55 7365 722d 4167 656e 743a 2057 6765 .User-Agent:.Wge
0x0070 742f 312e 3137 2e31 2028 6c69 6e75 782d t/1.17.1.(linux-
0x0080 676e 7529 0d0a 4163 6365 7074 3a20 2a2f gnu)..Accept:.*/
0x0090 2a0d 0a41 6363 6570 742d 456e 636f 6469 *..Accept-Encodi
0x00a0 6e67 3a20 6964 656e 7469 7479 0d0a 486f ng:.identity..Ho
0x00b0 7374 3a20 3130 2e31 2e31 3030 2e31 310d st:.10.1.100.11.
0x00c0 0a43 6f6e 6e65 6374 696f 6e3a 204b 6565 .Connection:.Kee
0x00d0 702d 416c 6976 650d 0a0d 0a p-Alive....

2024-04-17 20:37:11.441883 port1 -- 10.1.100.11.80 -> 172.16.200.55.43672: ack 780932616
0x0000 000c 2960 1955 8439 8ff2 9c30 0800 4500 ..)`.U.9...0..E.
0x0010 0034 7a33 4000 3e06 e03c 0a01 640b ac10 .4z3@.>..<..d...
0x0020 c837 0050 aa98 c630 de45 2e8c 1608 8010 .7.P...0.E......
0x0030 00eb 2167 0000 0101 080a 5028 a476 5025 ..!g......P(.vP%
0x0040 995f

Object usage included in the print tablesize command output

This information is also available in the FortiOS 7.6 Administration Guide:


l print tablesize

Object usage is now shown as the fourth column in the print tablesize command output. This can help
administrators to monitor limits and improve system management.
The four columns are:
l the maximum number allowed for the child-table in its parent entry
l the maximum number allowed per VDOM
l the system global limit
l the current object usage

To check the current object usage:

# print tablesize
system.vdom: 0 0 10 3
system.datasource: 0 0 0 3
system.timezone: 0 0 0 597
system.accprofile: 0 0 10 5
system.np6xlite: 0 256 512 1
system.vdom-link: 0 0 0 3
...
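The following added example (not from the guide and not Fortinet code) parses this output and flags tables that are approaching their global limit, so the new usage column can feed a monitoring check. The sample input is the output quoted above; treating a limit of 0 as "unlimited" and reading the usage column as a system-wide count are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the `print tablesize` lines quoted on this page.
# Columns: max per parent entry, max per VDOM, system global limit, current usage.
# A limit of 0 is treated as "no limit" (assumption; the page does not say so).
SAMPLE_OUTPUT = """\
system.vdom: 0 0 10 3
system.datasource: 0 0 0 3
system.timezone: 0 0 0 597
system.accprofile: 0 0 10 5
system.np6xlite: 0 256 512 1
system.vdom-link: 0 0 0 3
...
"""

LINE_RE = re.compile(
    r"^(?P<table>[\w.\-]+):\s+(?P<parent>\d+)\s+(?P<vdom>\d+)\s+(?P<glob>\d+)\s+(?P<used>\d+)$"
)


@dataclass
class TableSize:
    table: str
    parent_max: int
    vdom_max: int
    global_max: int
    used: int

    def utilisation(self) -> Optional[float]:
        """Usage as a fraction of the system global limit; None when unlimited.

        The per-VDOM limit is deliberately not used: the usage column is read
        as a system-wide count (assumption), so it cannot be compared against
        a per-VDOM ceiling without per-VDOM counts.
        """
        if self.global_max == 0:
            return None
        return self.used / self.global_max


def parse_tablesize(text: str) -> List[TableSize]:
    """Parse `print tablesize` output, skipping '...' and other non-data lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(TableSize(m["table"], int(m["parent"]), int(m["vdom"]),
                                  int(m["glob"]), int(m["used"])))
    return rows


def tables_over(rows: List[TableSize], threshold: float = 0.5) -> Dict[str, float]:
    """Tables whose utilisation is at or above the threshold, for alerting."""
    return {r.table: u for r in rows
            if (u := r.utilisation()) is not None and u >= threshold}


if __name__ == "__main__":
    for name, util in tables_over(parse_tablesize(SAMPLE_OUTPUT)).items():
        print(f"{name}: {util:.0%} of global limit")
```

Run against a fresh `print tablesize` capture, only system.accprofile (5 of 10) trips the default 50% threshold in the sample; tables with a global limit of 0 are reported as unlimited rather than as 0%.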

Simplified device registration for Security Fabric devices - 7.6.1

This feature adds the option to register all of the Fortinet devices (FortiGates, FortiAPs, and FortiSwitches) that are in the
same Security Fabric to the same FortiCare account at the same time, as opposed to having to register each device
individually.

To register multiple devices:

1. On the Fabric root FortiGate, go to System > Firmware & Registration. The Registration Status column shows
whether or not a device has been registered to FortiCare.

2. Click Register All.


3. Fill in the Device registration pane, adding all of the unregistered devices in the Devices field.

If the root FortiGate device is already registered, the Email address will already be set.

4. Click Register. A registration request for all of the selected devices is sent to FortiCare and the Device registration
summary table is shown.

5. Click Close. The Firmware & Registration page shows the updated registration statuses.

Firmware upgrade report - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


l Viewing firmware upgrade reports

FortiOS now includes a firmware upgrade report that compares statistics and configurations before and after a firewall
upgrade. Automatic generation of the report is enabled by default, and the report enhances the upgrade process by
providing detailed assurance of successful upgrades.
The config system global command includes a new option:
config system global
set upgrade-report {enable | disable}
end

set upgrade-report {enable | disable}    Enable/disable automatic generation of an upgrade report when upgrading firmware (default = enable).

The diagnose command includes new options:


# diagnose sys upgrade-report
current Display the stats currently.
on-disk Display the stats saved on disk.
generate Generate upgrade report and replace the one on disk.

diagnose sys upgrade-report current     Display the current statistics.
diagnose sys upgrade-report on-disk     Display the upgrade report saved on disk.
diagnose sys upgrade-report generate    Generate an upgrade report and replace the report saved on disk.

For FortiGates without disks, the report is stored on flash memory. All FortiGate models are
equipped with flash memory.

Example

The firmware upgrade report is available after a successful FortiOS upgrade.


You can disable automatic generation of the firmware upgrade report in the CLI.

To view the firmware upgrade report in the GUI:

1. After a successful upgrade, log in to the GUI, and view the Firmware Upgrade monitor in the bottom-right corner.
The following buttons are available:
l View reports <number>
The <number> indicates how many FortiGates have an available firmware upgrade report.
l View device list

2. Click the View reports <number> button or the document icon beside Done. A Firmware Upgrade Reports pane
opens to show the list of FortiGates with an available firmware upgrade report:

3. Double-click a FortiGate to display its firmware upgrade report. The firmware upgrade report contains the following
tabs: Statistics and Configuration diff.
l The Statistics tab displays general information at the top about Upgrade path, Upgrade time, and Initiated by.
Below the general section are categories of information from before and after the upgrade. The categories of
information depend on whether the FortiGate is part of a Security Fabric.
In this example, the FortiGate is not part of a Security Fabric, and the following categories of information are
displayed: FortiAPs, FortiSwitches, FortiExtenders, Endpoint Devices, Routing, Traffic, Connectivity, and
Resources.

l Click Refresh to retrieve the latest current statistics.

l Click the Configuration diff tab to display a comparison of the current (green) and previous (red) configurations.

4. In the Firmware Upgrade monitor, click View device list to display the Firmware & Registration pane.

To display the firmware upgrade report in the CLI:

1. After a successful firmware upgrade, display the firmware upgrade report:


# diagnose sys upgrade-report on-disk

To regenerate the firmware upgrade report in the CLI:

1. Regenerate the firmware upgrade report:

# diagnose sys upgrade-report generate
This act will delete the upgrade report on disk and create a new one.
Do you want to continue? (y/n)

2. Display the firmware upgrade report:


# diagnose sys upgrade-report on-disk

To view current statistics in the CLI:

# diagnose sys upgrade-report current


IPv4 session count = 24
IPv6 session count = 0
SSLVPN tunnel count = 0
IPSEC tunnel count = 6
CPU usage = 0%
Memory usage = 36%
Total routes = 18
Total OSPF routes = 0
Total BGP routes = 5
Total FortiGates = 1
Online = 1
Unauthorized = 0
Total FortiAPs = 0
Online = 0
Offline = 0
Unauthorized = 0
Rejected = 0
Total FortiSwitches = 0
Online = 0
Offline = 0
Unauthorized = 0
Rejected = 0
Total FortiExtenders = 0
Online = 0
Offline = 0
Unauthorized = 0
Rejected = 0
Total Endpoints = 0
Online = 0
Offline = 0
Quarantined = 0
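The report is useful because it compares the same counters before and after the upgrade. The added example below (not part of the guide, and not how FortiOS generates the report) shows what such a comparison looks like in code: it parses two snapshots in the layout of the `diagnose sys upgrade-report current` output above and lists the counters that moved in the wrong direction, which is the first thing to check after an upgrade. Both snapshots are constructed: the "after" values were changed by hand, and the indentation of the Online/Offline sub-counters is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed before/after snapshots in the layout of the
# `diagnose sys upgrade-report current` output quoted on this page. The
# "after" values were changed by hand to show what a regression looks like;
# the indentation of the sub-counters (Online/Offline/...) is an assumption.
BEFORE = """\
IPv4 session count = 24
IPv6 session count = 0
SSLVPN tunnel count = 0
IPSEC tunnel count = 6
CPU usage = 0%
Memory usage = 36%
Total routes = 18
Total OSPF routes = 0
Total BGP routes = 5
Total FortiGates = 1
  Online = 1
  Unauthorized = 0
Total FortiAPs = 2
  Online = 2
  Offline = 0
"""

AFTER = """\
IPv4 session count = 19
IPv6 session count = 0
SSLVPN tunnel count = 0
IPSEC tunnel count = 4
CPU usage = 0%
Memory usage = 52%
Total routes = 18
Total OSPF routes = 0
Total BGP routes = 3
Total FortiGates = 1
  Online = 1
  Unauthorized = 0
Total FortiAPs = 2
  Online = 1
  Offline = 1
"""

LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[^=]+?)\s*=\s*(?P<val>\d+)%?\s*$")

# Counters a successful upgrade must not lower ...
DROP_IS_BAD = {
    "IPSEC tunnel count", "Total routes", "Total OSPF routes", "Total BGP routes",
    "Total FortiGates.Online", "Total FortiAPs.Online", "Total FortiSwitches.Online",
}
# ... and counters it must not raise. Session counts are left out on purpose:
# they fluctuate and are not a sign of a bad upgrade on their own.
RISE_IS_BAD = {
    "CPU usage", "Memory usage", "Total FortiGates.Unauthorized",
    "Total FortiAPs.Offline", "Total FortiSwitches.Offline",
}


def parse_stats(text: str) -> Dict[str, int]:
    """Flatten the report into {'Total FortiAPs.Online': 2, ...}."""
    stats: Dict[str, int] = {}
    parent = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        key = m["key"]
        if m["indent"] and parent:
            key = f"{parent}.{key}"   # sub-counter of the preceding 'Total ...' line
        else:
            parent = key
        stats[key] = int(m["val"])
    return stats


def regressions(before: Dict[str, int], after: Dict[str, int]
                ) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return (counter, before, after) for every counter that moved the wrong way."""
    found = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b is None or a is None:
            found.append((key, b, a))        # counter appeared or vanished: worth a look
        elif key in DROP_IS_BAD and a < b:
            found.append((key, b, a))
        elif key in RISE_IS_BAD and a > b:
            found.append((key, b, a))
    return found


if __name__ == "__main__":
    for key, b, a in regressions(parse_stats(BEFORE), parse_stats(AFTER)):
        print(f"{key}: {b} -> {a}")
```

On the constructed snapshots this reports the lost IPsec tunnels and BGP routes, the memory increase and the FortiAP that went offline, while the changed IPv4 session count is ignored.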

Optimizations for physical FortiGate devices with 2 GB RAM - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l GUI features not supported on FortiGate 2 GB RAM models

Fortinet has optimized memory usage on physical FortiGate devices with 2 GB of RAM to ensure smooth performance
and reliability by adjusting memory used by some GUI features. This change prioritizes device stability and reduces the
risk of performance issues.
Changes:

l Removed CLI Command: The gui-rest-api-cache command (under config system global) is no longer
available. This command was used to enable/disable REST API result caching on FortiGate.
l Streamlined GUI Pages: The following pages in the Security Fabric section have been removed:
l Physical Topology
l Logical Topology
l Security Rating
l Security Rating: With Security Rating page removed, security insights no longer show on pages, such as firewall
policy, interface, or address object. Security rating event logs are no longer generated. However, PSIRT advisory
warnings and critical vulnerability warnings are still visible in the GUI.
l Visibility in Security Fabric topologies: Since physical FortiGate devices with 2 GB RAM do not support topology
features, any downstream physical FortiGate with 2 GB RAM will not appear in the Physical Topology or Logical
Topology pages of the upstream root device’s GUI, even if the upstream device has more than 2 GB of RAM.
To verify the downstream device’s connection, use the following CLI on the upstream FortiGate instead:
# diagnose sys csf downstream

l Retired REST API Endpoints: The /api/v2/monitor/system/security-rating/* endpoints are no longer supported.
These adjustments free up critical memory resources to help your FortiGate device operate more efficiently and reliably
and to remain stable under typical workloads.

These changes apply exclusively to physical FortiGate devices with 2 GB of RAM, leaving
devices with higher memory unaffected. Specifically, the impacted models are:
l FortiGate/FortiWiFi 40F and 60F series and their variants

l FortiGate-Rugged 60F (only the 2 GB versions)


To confirm whether your FortiGate model has 2 GB RAM, enter diagnose hardware
sysinfo conserve in the CLI. If the total RAM value is around 2000 MB (1000 MB = 1 GB),
then your device has 2 GB RAM.

FortiGuard

This section includes information about FortiGuard related new features:


l Streamline timezone updates with a downloadable database on page 532
l Streamlined subscription and FortiGuard settings management 7.6.1 on page 533
l FortiGate StateRamp support 7.6.1 on page 536
l AMQP-powered subscription notifications for FortiGuard 7.6.3 on page 539

Streamline timezone updates with a downloadable database

The Internet Assigned Numbers Authority (IANA) timezone database is now downloaded from the FortiGuard server instead
of being embedded in the FortiOS image. This allows the FortiGate to refresh its timezone database automatically, so
there is no need to wait for the next image release to get new or updated timezones.

To check the timezone database version in the GUI:

1. Go to System > FortiGuard and in the License Information table, expand the Firmware & General Updates section to
check the Timezone Database versions.

To check the timezone database version in the CLI:

# diagnose autoupdate versions | grep -A 3 Timezone


Timezone Database
---------
Version: 1.0007
# diagnose test update info
...
Object versions: ...
07004000TZDB00000-00001.00070-0000000000
...

Streamlined subscription and FortiGuard settings management - 7.6.1

Subscriptions and FortiGuard settings are now organized into separate tabs with clear distinctions between licensed,
expired, and available-for-purchase subscriptions, providing customers with a more intuitive and informative layout.

Subscriptions

FortiGuard subscription information can be found in the System > FortiGuard > Subscriptions tab.

The Subscriptions tab is further divided by subscription status:


l Licensed: Displays each subscription or service in individual cards and allows you to interact with the license:
l Expanding a card displays subscription details, such as the expiry date, signature and engine information, and
the status.

l Hovering over the version will display the date when the signature or engine was Last updated. Some items are
only updated once they have been enabled in a policy; for those, the version details are current only while the
item is in use, and whether the item is used in a policy is also included in the update information.

l Clicking Update licenses & definitions now will trigger a database update from FortiGuard.
l Unregistered FortiGates are identified in the Basic Subscriptions > Support card. Click Register to proceed with
registering the FortiGate. Once it has been registered, access to FortiCloud and transfer services are included
under Support.
l Expired: Lists the subscriptions or services that have expired.

l Available for purchase: Lists available subscriptions in individual cards. Once an available subscription has been
purchased, it will appear in the Licensed page.

The registration code can be activated by clicking Activate subscription in the gutter.

FortiGuard settings

Configuration and management settings pertaining to FortiGuard can be found in the System > FortiGuard > FortiGuard
settings tab, including updates, filtering, and override servers.

FortiGate StateRamp support - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


l FortiGate StateRamp support

A StateRamp FortiGate SKU entitles the FortiGate to use dedicated FortiGuard servers located in the United States. It
also entitles customers to access their support tickets through a dedicated FortiCare service located in the United
States.
When you purchase a StateRamp FortiGate, you will receive a FortiGate that automatically boots up in StateRamp
mode. It will contact the dedicated FortiGuard server to learn the rest of its entitlement.
All FortiGuard services that are supported by the StateRamp device are United States-based and use a specific FQDN.
The FortiGuard servers only support connections through Anycast. Any unused cloud services are disabled on the
FortiGate.

Supported FortiGuard services

The following table lists supported FortiGuard services:

Feature or service                                      FQDN                            IP address
FortiGate firmware upgrade, Contract / License Update   update.fortinetgov.com          23.249.62.6
FortiGuard Query                                        guardservice.fortinetgov.com    23.249.62.16
Video Query                                             videoquery.fortinetgov.com      23.249.62.18
SDNS                                                    sdns.fortinetgov.com            23.249.62.53
Geo IP address Database                                 gip.fortinetgov.com             23.249.62.16
Device Query                                            devquery.fortinetgov.com        23.249.62.16
Default DNS server                                      -                               23.249.63.52 / 23.249.63.53
Default NTP server                                      time-a-g.nist.gov               129.6.15.28
                                                        time-b-g.nist.gov               129.6.15.29

Unsupported FortiGuard services

The following lists the unsupported FortiGuard services:


l FortiCare server connection
l Central management to FortiManager or FortiGuard
l Logging to FortiAnalyzer
l FortiSandbox (FSA) and FSA Cloud configuration
l FortiGuard DDNS service
l FortiSwitch authorization
l FortiExtender pre-authorization
l Regular FortiGuard NTP setting
l Local FortiClient EMS
l FortiClient EMS cloud
l Product API: Device vulnerability on GUI device assets
l Security fabric CSF: Configured as root
l Security fabric CSF: Configured as leaf

l Alert email - User must configure their own email server
l FortiNDR
l Email Filter query to RBL_SERVER (dnsbl.sorbs.net)
l FortiToken server connection
l Logging to FortiGate Cloud server
l SD-WAN overlay
l Activating FortiGate Cloud account
l Regular FortiGuard DNS setting
l FortiAP pre-authorization
l Security rating under Security Fabric
l Attack Surface Security Rating
The following lists FortiGuard services that are subject to limitations:
l Security Rating, FortiSwitch, FortiAP, FortiClient, FortiExplorer, and FortiNAC related automation stitch, trigger, or
action

Blocking unsupported features on StateRamp devices

When trying to enable services that are not supported on StateRamp devices, an error will be returned in the GUI and
CLI. Likewise, some features are hidden in the GUI if they are disabled for StateRamp devices.
In the following example, the user attempts to enable FortiAnalyzer on a StateRamp FortiGate which is an unsupported
service on StateRamp devices.

To view StateRamp device unsupported feature errors:

1. In the CLI, verify that the device has a StateRamp license:


# get system status
Version: FortiGate-1101E v7.2.6,build4553,230821 (interim)
Security Level: 1
Firmware Signature: un-certified
...
License Status: StateRAMP

2. Test configuring the unsupported feature in the GUI:


a. In the GUI, go to Security Fabric > Fabric Connectors.
b. Edit Logging & Analytics.
c. Attempt to enable FortiAnalyzer.

An error is displayed and the Switch Controller feature is hidden.


3. Test configuring the unsupported feature in the CLI:
a. Attempt to enable FortiAnalyzer.
config log fortianalyzer setting
set status enable
Cannot enable FortiAnalyzer logging when StateRAMP license is used.
node_check_object fail! for status enable
value parse error before 'enable'
Command fail. Return code -39

An error is displayed.

AMQP-powered subscription notifications for FortiGuard - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l AMQP-powered subscription notifications for FortiGuard

Fortinet Inc. now leverages AMQP (Advanced Message Queuing Protocol) to deliver real-time update notifications to
FortiGate devices. When enabled, this feature allows FortiGate to receive notifications directly from FortiGuard,
eliminating the need for polling or persistent HTTP connections. By leveraging Fortinet Inc.'s cloud infrastructure, AMQP
enables event-driven updates, reducing resource consumption and minimizing overhead. Notifications are pushed
instantly to devices, ensuring proactive management and swift response to critical updates.
The AMQP client daemon, fortimq, connects to the cloud server, fortimq-cloud. It acts as a proxy through which other
FortiOS daemons receive real-time updates from Fortinet Inc.'s cloud infrastructure. Once FortiGuard or an account-level
or device-level contract is updated, fortimq-cloud publishes a notification to the FortiGate, which triggers the update
procedure.
By default, fortimq stays idle until a feature explicitly subscribes to a topic, such as license alerts, database updates,
and so on. When a subscription is created, fortimq:
1. Connects to the cloud.
2. Delivers updates automatically.

3. Disconnects once all subscriptions are removed.

The fortimq daemon requires the following pre-existing settings:


config system fortiguard
set fortiguard-anycast enable
end
config system global
set cloud-communication enable
end

CLI syntax

AMQP-powered subscription notifications for FortiGuard can be enabled and disabled in the CLI using the following
command:
config system fortiguard
set subscribe-update-notification {enable | disable}
end

This command automatically creates the following subscriptions:


l FortiGuard License Alerts
l Database Update Notifications
However, enabling subscribe-update-notification does not automatically disable persistent HTTP
connections. If persistent-connection was manually enabled earlier, administrators should disable it after
activating AMQP notifications to eliminate redundancy and reduce resource usage. Persistent HTTP connections can be
disabled with the following command:
config system fortiguard
set persistent-connection disable
end

Persistent HTTP connection is disabled by default on supported devices.

fortimq status can be tested using the following command:


diagnose test application fortimq <integer>

Example

The following example demonstrates enabling AMQP-powered subscription notifications and reviewing the logs.

To enable AMQP-powered subscription notifications for FortiGuard:

1. Enable AMQP-powered subscription notifications:

config system fortiguard
set subscribe-update-notification enable
end

2. Monitor fortimq activities:


# diagnose debug application fortimq -1

After fortimq starts, it will remain idle:


<672> 02 fortimq_event()-211: handle event: restart (start)
<672> 08 fortimq_cleanup_unbound_payload_cb()-896
<672> 04 fortimq_client_try_start_cb()-1556
<672> 02 fortimq_event()-211: handle event: start-done (start)
<672> 02 fsm_update_state()-200: update state: idle (start)

It will leave the idle state when a feature explicitly subscribes to a topic:
l Once a new contract is set in the FortiGate, fortimq will receive the following message from FortiGuard:
<227> 08 fortimq_handle_basic_deliver()-1044: receive msg:
delivery tag 1, channel 1 key FGD-LIC-UPDATE.TOKYO-APAC
{"version":"1.0","type":"device_contract","geoloca
...
handle_fortimq_lic_notify_packet[328]-version=1.0, type=device_contract
handle_fortimq_lic_notify_packet[375]-contracts[0]=[{ "serial_number": "FG201E4QXXXXXXXX", "contract": [ "AVDB-1-06-20260711:0:1:1:0", "COMP-1-20-20260711:0:1:1:0", "DLDB-1-06-20260711:0:1:1:0", "ENHN-1-20-20260711:0:1:1:0", "FAIS-1-06-20260711:0:1:1:0", "FCSS-1-10-20260711:0:1:1:0", "FGSA-1-06-20260711:0:1:1:0", "FMWR-1-06-20260711:0:1:1:0", "FRVS-1-06-20260711:0:1:1:0", "FURL-1-06-20260711:0:1:1:0", "HDWR-1-05-20260711:0:1:1:0", "IOTH-1-06-20260711:0:1:1:0", "ISSS-1-06-20260406:0:1:1:0", "NIDS-1-06-20260711:0:1:1:0", "SBCL-1-06-20180716:0:1:1:0", "SPAM-1-06-20260711:0:1:1:0", "SPRT-1-20-20260711:0:1:1:0", "ZHVO-1-06-20260711:0:1:1:0" ] }]
handle_fortimq_lic_notify_packet[404]-contract[0,12]=[ISSS-1-06-20260406:0:1:1:0]

l Once a new FortiGuard database is deployed, fortimq will receive the following message from FortiGuard:
<3087> 08 fortimq_handle_basic_deliver()-1044: receive msg:
delivery tag 1, channel 2 key
{"version":"1.0","type":"package","geolocation":"T
handle_fortimq_obj_notify_packet[222]-version=1.0, type=package
handle_fortimq_obj_notify_packet[252]-version_string[0]=[07006000DBDB00100-00003.01214]

3. Review the fortimq status and bindings:


# diagnose test application fortimq 1
connection status: connected
acct: 741008
fqdn: qafortimq.fortinet.net
port: 5671
next-channel: 3
msg count: 31
attempts: 0

# diagnose test application fortimq 3


dump fortimq bindings:

topic, queue, routing key, proc, pid, fd, cnt


FGD-LIC_UPD 741008-FG201E4Q17901047 FGD-LIC-UPDATE.TOKYO-APAC updated 621 10 1
FGD-DB-UPD FGD-DB-UPDATE-STREAM none updated 621 10 30

4. Review the results of the contract subscription:


a. Review the push update for when the contract is triggered by the fortimq notification:
# diagnose debug application update -1
has_push_notification[690]-found notifcation for object=contract, version=00003.01214
cached_action_add[1284]-Cached action, act=00000002, add=1743727203,
update=1743727203, now=1743727207, adjust=-4.
upd_daemon[1636]-Received update notification from ForitGuard.

do_update[760]-Starting push UPDATE (not final retry)

update_status_obj[787]-ISDB contract expiry=Sun Apr 5 17:00:00 2026

upd_install_pkg[1410]-ALCI000(alci) installed successfully

b. Review the FortiGuard contract update result:


# diagnose test update info
System contracts:
ISDB,Sat Apr 4 2026
...
SerialNumber=FG201E4QXXXXXXXX|Contract=...*ISSS-1-06-20260406:0:1:1:0*

c. Review the event log:


date=2025-04-03 time=17:40:27 eventtime=1743727227516567159 tz="-0700"
logid="0100041000" type="event" subtype="system" level="notice" vd="root"
logdesc="FortiGate update succeeded" status="update" msg="Fortigate notify update
fcni=yes fsci=yes alci(0.00000) from 192.168.100.76:443"

5. Review the results of the database subscription:


a. Review the push update for when the database is triggered by the fortimq notification:
# diagnose debug application update -1
has_push_notification[690]-found notifcation for object=dnsbot, version=00003.01214

upd_daemon[1636]-Received update notification from ForitGuard.

do_update[760]-Starting push UPDATE (not final retry)

upd_install_pkg[1410]-DBDB001(dnsbot) installed successfully

b. Review the FortiGuard database update result:


# diagnose autoupdate versions
Botnet Domain Database
---------
Version: 3.01214 signed
Contract Expiry Date: Thu Jul 9 2026
Last Updated using notify update on Thu Apr 3 16:09:22 2025
Last Update Attempt: Thu Apr 3 16:09:22 2025
Result: Updates Installed

c. Review the event log:

date=2025-04-03 time=16:09:22 eventtime=1743721762115544351 tz="-0700"
logid="0100041000" type="event" subtype="system" level="notice" vd="root"
logdesc="FortiGate update succeeded" status="update" msg="Fortigate notify update
fcni=yes fsci=yes dnsbot(3.01214) alci(0.00000) from 192.168.100.76:443"

d. Review the record of fortimq notification regarding the FortiGuard database:


# diagnose test update info
Update Notification: total 4, last received at Thu Apr 3 17:41:05 2025
last notification:
AVDB00201-00093.02170
AVDB00701-00093.02170
DBDB00100-00003.01214
FSCI00100-00000.00000

Support contract: pending_registration=255 got_contract_info=1
account_id=[[email protected]] company=[Fortinet] industry=[Technology]
User ID: XXXXX
GeoLocation: TOKYO-APAC
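The device_contract message in step 2 carries one string per service contract. The added example below (not Fortinet code, and not how fortimq processes the message) reconstructs that message as a JSON payload, parses each contract string and reports expired and soon-to-expire services, which is what a license alert handler needs to extract from it. The JSON shape around the contract list is an assumption, since the page shows the message truncated; so is the reading of each string as a service code, two numeric fields, an 8-digit expiry date and raw flags. The service codes, serial number and dates are the ones quoted above.

```python
import json
import re
from datetime import date, timedelta
from typing import Dict, List, Union

# Constructed fortimq device_contract notification. The page quotes this
# message truncated; the serial number and the contract strings below are
# the ones shown there, the surrounding JSON shape is an assumption.
NOTIFICATION = json.dumps({
    "version": "1.0",
    "type": "device_contract",
    "geolocation": "TOKYO-APAC",
    "contracts": [{
        "serial_number": "FG201E4QXXXXXXXX",
        "contract": [
            "AVDB-1-06-20260711:0:1:1:0", "COMP-1-20-20260711:0:1:1:0",
            "DLDB-1-06-20260711:0:1:1:0", "ENHN-1-20-20260711:0:1:1:0",
            "FAIS-1-06-20260711:0:1:1:0", "FCSS-1-10-20260711:0:1:1:0",
            "FGSA-1-06-20260711:0:1:1:0", "FMWR-1-06-20260711:0:1:1:0",
            "FRVS-1-06-20260711:0:1:1:0", "FURL-1-06-20260711:0:1:1:0",
            "HDWR-1-05-20260711:0:1:1:0", "IOTH-1-06-20260711:0:1:1:0",
            "ISSS-1-06-20260406:0:1:1:0", "NIDS-1-06-20260711:0:1:1:0",
            "SBCL-1-06-20180716:0:1:1:0", "SPAM-1-06-20260711:0:1:1:0",
            "SPRT-1-20-20260711:0:1:1:0", "ZHVO-1-06-20260711:0:1:1:0",
        ],
    }],
})

# Interpretation of a contract string (assumption): 4-letter service code,
# two numeric fields whose meaning the page does not give, an 8-digit expiry
# date, then colon-separated flags that are kept raw.
CONTRACT_RE = re.compile(
    r"^(?P<code>[A-Z]{4})-(?P<f1>\d+)-(?P<f2>\d+)-(?P<expiry>\d{8})(?::(?P<flags>[\d:]+))?$"
)


def parse_contract(s: str) -> Dict[str, object]:
    m = CONTRACT_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised contract string: {s!r}")
    e = m["expiry"]
    return {
        "code": m["code"],
        "expiry": date(int(e[:4]), int(e[4:6]), int(e[6:8])),
        "flags": m["flags"] or "",
        "raw": s,
    }


def review_contracts(payload: str, today: Union[str, date], warn_days: int = 90
                     ) -> Dict[str, Dict[str, List[str]]]:
    """Per serial number: service codes already expired, and those expiring within warn_days."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    msg = json.loads(payload)
    if msg.get("type") != "device_contract":
        raise ValueError(f"not a device_contract notification: {msg.get('type')!r}")
    report = {}
    for entry in msg["contracts"]:
        expired, expiring = [], []
        for c in map(parse_contract, entry["contract"]):
            if c["expiry"] < today:
                expired.append(c["code"])
            elif c["expiry"] - today <= timedelta(days=warn_days):
                expiring.append(c["code"])
        report[entry["serial_number"]] = {"expired": expired, "expiring": expiring}
    return report


if __name__ == "__main__":
    print(review_contracts(NOTIFICATION, today="2026-01-15"))
```

The debug line contract[0,12]=[ISSS-1-06-20260406:0:1:1:0] is consistent with this list: ISSS is element 12, and it is the one entry with a different expiry date. Evaluated on the date of the page's own event logs (2025-04-03) only SBCL, which expired in 2018, is reported; moved to 2026-01-15, ISSS also shows up as expiring within 90 days.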

High availability

This section includes information about HA related new features:


l Manual and automatic HA virtual MAC address assignment on page 543
l Backup heartbeat interface mitigates split-brain scenarios on page 545
l RSSO authenticated user logon information synchronized between FGSP peers on page 547
l FGSP support for failover with asymmetric traffic and UTM on page 552
l Monitor routing prefix for FGSP session failover 7.6.1 on page 553
l Single FortiGuard license for FortiGate A-P HA cluster 7.6.1 on page 556

Manual and automatic HA virtual MAC address assignment

This information is also available in the FortiOS 7.6 Administration Guide:


l Cluster virtual MAC addresses

To allow more HA virtual MAC addresses than there are HA group IDs, FortiGate supports three methods of assigning
virtual MAC addresses, in order from highest priority to lowest:
l Manual assignment per interface
l Automatic assignment
l Group ID based assignment (existing process)
Manual virtual MAC address assignment can be configured on a physical, EMAC, or FortiExtender interface. It will
override other virtual MAC address assignments on the interface.

config system interface
edit <interface>
set virtual-mac <mac_address>
next
end

Automatic virtual MAC address assignment can be configured on physical interfaces. It uses the hardware MAC address
of the primary device with the locally administered bit (U/L bit) changed to 1. For example, 00:xx:xx:xx:xx:xx
becomes 02:xx:xx:xx:xx:xx.

In a 48-bit MAC address, the U/L bit refers to the second least significant bit in the first octet of
the hexadecimal MAC address. When this bit is 0, it indicates that the MAC address is
Universal, meaning that it is assigned by a central authority. When this bit is 1, it indicates that
the MAC address is Local, meaning that it is assigned locally.
For example, the first octet of 00 represented in binary is 00000000, where the U/L bit is 0.
Whereas the first octet of 02 represented in binary is 00000010, where the U/L bit is set to 1.

config system ha
set auto-virtual-mac-interface <interface> [interface(s)]
end

To manually assign a virtual MAC address to an interface:

config system interface
edit "wan1"
set ip 172.16.200.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set virtual-mac 06:d5:90:04:f8:9c
set type physical
set snmp-index 3
config ipv6
set ip6-address 2000:172:16:200::1/64
set ip6-allowaccess ping https ssh snmp http telnet
end
next
end

To configure automatic virtual MAC address assignment:

config system ha
set group-id 20
set group-name "MMMMM"
set mode a-p
set hbdev "ha1" 50 "ha2" 100
set auto-virtual-mac-interface "wan1" "port1" "port2" "ha1" "ha2" "port3" "port4"
"port5" "port6" "port7" "port8" "dmz"
set upgrade-mode simultaneous
set override enable
set priority 200
end

To check the MAC addresses:

# diagnose hardware deviceinfo nic wan1 | grep addr
Current_HWaddr 06:d5:90:04:f8:9c
Permanent_HWaddr 04:d5:90:04:f8:9c

The current hardware address (Current_HWaddr) is the automatically generated virtual MAC address. The permanent
hardware address (Permanent_HWaddr) is the physical MAC address.
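To verify the assignment end to end, the added example below (not part of the guide) derives the expected virtual MAC for an interface from the priority order above, manual per-interface setting first, then automatic U/L-bit assignment, and compares it with the Current_HWaddr and Permanent_HWaddr lines from `diagnose hardware deviceinfo nic`. Group-ID based assignment is not derived, because it cannot be computed from the NIC output alone. The sample output and the interface list are the ones shown above.

```python
import re
from typing import Dict, Iterable, Optional

NIC_RE = re.compile(r"^\s*(Current_HWaddr|Permanent_HWaddr)\s+([0-9a-fA-F:]{17})", re.M)

# Constructed: the `diagnose hardware deviceinfo nic wan1 | grep addr` output
# quoted on this page, and the auto-virtual-mac-interface list from the
# example HA configuration.
NIC_OUTPUT = """\
Current_HWaddr 06:d5:90:04:f8:9c
Permanent_HWaddr 04:d5:90:04:f8:9c
"""
AUTO_IFACES = {"wan1", "port1", "port2", "ha1", "ha2", "port3", "port4",
               "port5", "port6", "port7", "port8", "dmz"}


def set_local_bit(mac: str) -> str:
    """Set the U/L bit (bit 1 of the first octet), as automatic assignment does."""
    octets = [int(o, 16) for o in mac.lower().split(":")]
    if len(octets) != 6 or any(o > 0xFF for o in octets):
        raise ValueError(f"bad MAC address: {mac!r}")
    octets[0] |= 0x02
    return ":".join(f"{o:02x}" for o in octets)


def is_locally_administered(mac: str) -> bool:
    return bool(int(mac.split(":")[0], 16) & 0x02)


def expected_virtual_mac(iface: str, permanent: str, manual: Dict[str, str],
                         auto: Iterable[str]) -> Optional[str]:
    """Priority: manual per-interface > automatic > group-ID based (not derived here)."""
    if iface in manual:
        return manual[iface].lower()
    if iface in auto:
        return set_local_bit(permanent)
    return None


def check_nic(iface: str, output: str, manual: Dict[str, str],
              auto: Iterable[str]) -> Dict[str, object]:
    """Compare the NIC's current address with what the configuration predicts."""
    addrs = {name: mac.lower() for name, mac in NIC_RE.findall(output)}
    current, permanent = addrs["Current_HWaddr"], addrs["Permanent_HWaddr"]
    expected = expected_virtual_mac(iface, permanent, manual, auto)
    return {
        "current": current,
        "permanent": permanent,
        "expected": expected,
        "local": is_locally_administered(current),
        "ok": expected is None or current == expected,
    }


if __name__ == "__main__":
    print(check_nic("wan1", NIC_OUTPUT, {}, AUTO_IFACES))
```

With wan1 in the automatic list and no manual setting, the expected address is the permanent 04:d5:... with the U/L bit set, 06:d5:..., which matches the Current_HWaddr shown above; a manual virtual-mac for wan1 takes precedence and a mismatch is reported as not ok.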

Backup heartbeat interface mitigates split-brain scenarios

This information is also available in the FortiOS 7.6 Administration Guide:


l Split brain scenario

A split-brain scenario can occur in an FGCP HA cluster when the heartbeat interface(s) go down between the FortiGate
units, and the secondary unit promotes itself to primary, resulting in both FortiGate units acting as primary units. Extreme
latency or congestion can also result in a split-brain scenario.
A new backup heartbeat interface is available to help prevent split-brain scenarios. The backup heartbeat is a dedicated
interface that is automatically used when a secondary unit detects no heartbeats from the primary unit through the
heartbeat interface(s). The backup heartbeat interface is no longer used when the secondary unit detects a heartbeat
again.
The config system ha command includes a new option:
config system ha
set backup-hbdev <interface(s)>
end

set backup-hbdev <interface(s)>    Backup heartbeat interfaces. Must be the same for all HA cluster members, but different from the heartbeat interface (hbdev). Supports a maximum of 32 interfaces.

In 7.6.1 and later, the backup heartbeat can be configured in the GUI on the System > HA page.
Consider the following when using a backup heartbeat interface:
l A split-brain happens specifically when the secondary unit cannot detect heartbeats from the primary unit, and it
promotes itself to primary. Therefore, the backup-hbdev is used only when the secondary unit cannot detect
heartbeats. When the backup-hbdev is in use, the setting cannot be changed.
l The backup heartbeat interface does not bind to the virtual port_ha interface. Its main purpose is to operate
efficiently to maintain the HA cluster and continue the flow of traffic. Therefore, some functions are not available by
design.
l Configuration changes are not synchronized to the secondary member in the HA cluster while the backup heartbeat
interface is in use.
l Without using session-sync-dev, the session-sync and session-pickup events will not occur.

Example

In this example, the FortiGate HA cluster consists of two FortiGates (FortiGate A and FortiGate B) connected by two
heartbeat interfaces (HA1 and HA2). A backup heartbeat interface (port2) is also configured.
Because a backup heartbeat interface is configured, the HA cluster continues to work when heartbeat interfaces HA1
and HA2 are down.

To configure a backup heartbeat interface:

config system ha
set hbdev "HA1" 50 "HA2" 100
set backup-hbdev "port2"
end

To view the HA cluster status when both heartbeat interfaces are down:

1. View the HA cluster status:


In this example, the heartbeat interface is down.
# get system ha status
path=system, objname=ha, tablename=(null), size=3376
HA Health Status:
WARNING: FG101FTK19003737 has hbdev down;
Model: FortiGate-101F
Mode: HA A-P
Group Name: cluster1
Group ID: 4
Debug: 0
Cluster Uptime: 12 days 23h:13m:45s
Cluster state change time: 2024-05-22 16:53:54
Primary selected using:
:
:
HBDEV stats:
FG101FTK<number>(updated 3 seconds ago):
ha1: physical/1000auto, down, rx-bytes/packets/dropped/errors=944653617/1954535/0/0, tx=1191179360/2270052/0/0
ha2: physical/1000auto, down, rx-bytes/packets/dropped/errors=1846379700/4140237/0/0, tx=1458035532/3809641/0/0
FG101FTK<number>(updated 2719 seconds ago):
ha1: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
ha2: physical/1000auto, down, rx-bytes/packets/dropped/errors=20229285/55544/0/0, tx=21798783/51360/0/0
number of member: 2
BB , FG101FTK<number>, HA cluster index = 1
AAAA , FG101FTK<number>, HA cluster index = 0
number of vcluster: 1
vcluster 1: standby 169.254.0.1
Secondary: FG101FTK<number>, HA operating index = 1
Primary: FG101FTK<number>, HA operating index = 0

2. Check whether the backup heartbeat interface is in use:


In this example, the backup heartbeat interface is up, and the HA cluster continues to operate.
# diagnose sys ha dump-by group
HA information.
group-id=4, group-name='cluster1'
has_no_aes128_gcm_sha256_member=0
backup_heartbeat_used=1

3. View logs:
The following logs are recorded when a backup heartbeat is used:
# execute log display

31: date=2024-05-22 time=18:33:15 eventtime=1716427995692641099 tz="-0700" logid="0108037914" type="event" subtype="ha" level="information" vd="root" logdesc="Heartbeat device backup" msg="backup heartbeat interfaces are used"

32: date=2024-05-22 time=18:33:15 eventtime=1716427995692454039 tz="-0700" logid="0108037899" type="event" subtype="ha" level="notice" vd="root" logdesc="HA device interface peer information" msg="HA device(interface) peerinfo" ha_role="primary" devintfname="port2"
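The following Python snippet is an added illustration, not part of this guide or of FortiOS. It parses the key=value format of the two event records above and flags the backup-heartbeat event by its log ID (0108037914, as shown above), which is what a monitoring pipeline should key on rather than the free-text message. The log lines are constructed from the records shown; the function names are this example's own.

```python
import re

# Constructed sample of `execute log display` output, copied from the two HA event
# records shown above. The leading "31: " is the display index, not a log field.
SAMPLE_LOG_LINES = [
    '31: date=2024-05-22 time=18:33:15 eventtime=1716427995692641099 tz="-0700" '
    'logid="0108037914" type="event" subtype="ha" level="information" vd="root" '
    'logdesc="Heartbeat device backup" msg="backup heartbeat interfaces are used"',
    '32: date=2024-05-22 time=18:33:15 eventtime=1716427995692454039 tz="-0700" '
    'logid="0108037899" type="event" subtype="ha" level="notice" vd="root" '
    'logdesc="HA device interface peer information" msg="HA device(interface) peerinfo" '
    'ha_role="primary" devintfname="port2"',
]

# Log IDs as they appear in the records above.
LOGID_HEARTBEAT_BACKUP = "0108037914"
LOGID_HA_PEERINFO = "0108037899"

# One key=value pair. The value is either a double-quoted string (may contain spaces
# and backslash-escaped quotes) or a run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_INDEX_PREFIX = re.compile(r"^\d+:\s*")


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS key=value log record into a dict, unquoting quoted values."""
    record = {}
    for key, value in _KV.findall(_INDEX_PREFIX.sub("", line.strip())):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        record[key] = value
    return record


def find_backup_heartbeat_events(lines) -> list:
    """Return the HA event records that report backup heartbeat interfaces in use.

    Keying on logid rather than on the free-text msg keeps the detection stable
    if the message wording changes between releases.
    """
    hits = []
    for line in lines:
        rec = parse_fortios_log(line)
        if (rec.get("type") == "event" and rec.get("subtype") == "ha"
                and rec.get("logid") == LOGID_HEARTBEAT_BACKUP):
            hits.append(rec)
    return hits


def summarize(rec: dict) -> str:
    """One-line summary suitable for an alert body."""
    return (f'{rec.get("date")} {rec.get("time")} vd={rec.get("vd")} '
            f'{rec.get("logdesc")}: {rec.get("msg")}')


if __name__ == "__main__":
    for rec in find_backup_heartbeat_events(SAMPLE_LOG_LINES):
        print(summarize(rec))
```

A backup heartbeat coming into use means the primary heartbeat links have failed, so the event is worth alerting on even though the cluster keeps running.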

RSSO authenticated user logon information synchronized between FGSP peers

This information is also available in the FortiOS 7.6 Administration Guide:

• FGSP

RSSO (RADIUS Single Sign-On) authenticated user logon information is now synchronized between FortiGate peers
using FGSP (FortiGate Session Life Support Protocol), which ensures a consistent user experience across all FGSP peers.

Example

In this example, FGT-185 (peer 1) and FGT-184 (peer 2) are configured as FGSP stand-alone peers. See FGSP basic
peer setup for more information. RSSO authentication information is synchronized between the FGSP peers.

Interfaces and FGSP are configured on FGT-185 as follows:

• Network configuration:
  • Port 10:
config system interface
edit "port10"
set vdom "root"
set ip 10.1.100.7 255.255.255.0
set allowaccess ping https ssh http telnet radius-acct
set type physical
set snmp-index 12
next
end

  • Port 9:
config system interface
edit "port9"
set vdom "root"
set ip 172.16.200.7 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 11
next
end

  • Port 11:
config system interface
edit "port11"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 13
next
end

• FGSP configuration:
config system standalone-cluster
config cluster-peer
edit 1
set peerip 10.10.10.2
next
end
set standalone-group-id 1
set group-member-id 1
end

Interfaces and FGSP are configured on FGT-184 as follows:

• Network configuration:
  • Port 10:
config system interface
edit "port10"
set vdom "root"
set ip 10.1.100.5 255.255.255.0
set allowaccess ping https ssh http telnet radius-acct
set type physical
set snmp-index 12
next
end

  • Port 9:
config system interface
edit "port9"
set vdom "root"
set ip 172.16.200.5 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 11
next
end

  • Port 11:
config system interface
edit "port11"
set vdom "root"
set ip 10.10.10.2 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 13
next
end

• FGSP configuration:
config system standalone-cluster
config cluster-peer
edit 1
set peerip 10.10.10.1
next
end
set standalone-group-id 1
set group-member-id 2
end


To configure RSSO synchronization between FGSP peers:

1. On each FGSP peer, configure session synchronization.


These settings allow session synchronization for NAT, UDP, and ICMP traffic.
config system ha
set session-pickup enable
set session-pickup-connectionless enable
end

2. On each FGSP peer, configure an RSSO agent.

config user radius


edit "RSSO Agent"
set rsso enable
set rsso-radius-response enable
set rsso-validate-request-secret enable
set rsso-secret 123456
set rsso-endpoint-attribute User-Name
next
end

3. On each FGSP peer, add one or more RSSO user groups.

In this example, two user groups are created.
config user group
edit "rsso-group1"
set group-type rsso
set sso-attribute-value "group1"
next
edit "rsso-group2"
set group-type rsso
set sso-attribute-value "group2"
next
end

4. On each FGSP peer, configure identical firewall policies.


The firewall policy allows traffic from the incoming interface (port10) to the outgoing interface (port9).
config firewall policy
edit 3
set name "pol1"
set uuid 3bbf5b1a-fd88-51ee-79c0-1bbfc9ba464c
set srcintf "port10"
set dstintf "port9"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "default"
set logtraffic all
set nat enable
set groups "rsso-group1" "rsso-group2"
next
end

5. On each FGSP peer, verify RSSO database information is synchronized.


Run the diagnose test app radiusd 3 command on each FGSP peer to confirm that the same
RSSO database information is displayed on both devices.
# diagnose test app radiusd 3
RADIUS server database [vd root]:
"index","time left","ip","endpoint","block status","log status","profile
group","ref count","use default profile"
1,07:03:36,"10.1.100.188""test2","allow","no log","group1",1,No

6. On each FGSP peer, verify RSSO session information is synchronized after traffic is sent from the client to an
FGSP peer.
Run the diagnose firewall auth list command on each FGSP peer to confirm that the same
RSSO session information is displayed on both devices.
In this example, traffic was sent from the client (10.1.100.188) to FGT-185 gateway:
# diagnose firewall auth list

10.1.100.188, test2
type: rsso, id: 0, duration: 694, idled: 146
flag(10): radius
server: root
packets: in 2869 out 3293, bytes: in 1488458 out 287365
group_id: 4
group_name: rsso-group1

----- 1 listed, 0 filtered ------

The same RSSO session is in the firewall auth list for FGT-184, but the packet count is 0 because the traffic was
sent to the FGT-185 gateway:
# diagnose firewall auth list

10.1.100.188, test2
type: rsso, id: 0, duration: 520, idled: 520
flag(10): radius
server: root
packets: in 0 out 0, bytes: in 0 out 0 <---- !!!~
group_id: 2
group_name: rsso-group1

----- 1 listed, 0 filtered ------

FGSP support for failover with asymmetric traffic and UTM

This information is also available in the FortiOS 7.6 Administration Guide:

• FGSP support for failover with asymmetric traffic and UTM

Session failover is now supported for asymmetric traffic. FortiGate can continue sessions on the active FGSP peers if
the original FGSP peer, which initially received the session's first packet, becomes unavailable or unhealthy. It may go
into this state due to:
• Device shutdown or reboot
• A monitored interface is down
• A ping-server monitor goes down
When the original peer for a session is unavailable or unhealthy and other peers receive the asymmetric traffic, this
traffic does not bounce back to the original peer. Instead, it is handled by the active FGSP peer. A peer that is
unhealthy because of a failed monitored interface or ping-server monitor shares its not-ready status over FGSP
heartbeats, so the other peers know not to bounce traffic back to it.
In the case of an unavailable peer, once the original FGSP peer is back online, it performs session sync. While it is
syncing, it shares a not-ready status over FGSP so peers do not bounce traffic back to it. Once session sync is
complete, it shares a ready status and accepts sessions failing back to it.

UTM inspection will not occur during failover since the traffic must be scanned by the original
peer only. Furthermore, during failback of the session to the original FGSP peer, the session
will only be scanned if the policy is using flow-based inspection.

This enhancement ensures continuity and reliability of the network sessions, even if a device does not function as
expected.
There are two new options available in the config system standalone-cluster command on the CLI:
config system standalone-cluster
set monitor-interface <interface name>
set pingsvr-monitor-interface <interface name>
end

Example

In the following configurations, two peers are configured in FGSP, and a monitored interface and ping server monitor are
configured.
config system link-monitor
edit "1"
set srcintf "wan1"
set server "172.16.200.254"
next
end
config system standalone-cluster
set standalone-group-id 22
set group-member-id 2
config cluster-peer
edit 1
set peerip 10.2.2.2
set hb-interval 20
set hb-lost-threshold 60
next
end
set monitor-interface "wan2"
set pingsvr-monitor-interface "wan1"
end

Traffic originally passes through UTM inspection over peer_1. The return traffic is routed to peer_2, where it will bounce
to peer_1, the original FGSP peer for inspection.
When peer_1 becomes unavailable or unhealthy, traffic no longer bounces back to peer_1. Instead, it is failed over to
peer_2 for processing.

Monitor routing prefix for FGSP session failover - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

• Monitor routing prefix for FGSP session failover

Before this enhancement, FortiGate could already continue sessions on the active FGSP peers if the original FGSP peer,
which initially received the session's first packet, became unavailable or unhealthy, with that status determined by
monitored interface or ping-server monitor failures. This is described in FGSP support for failover with asymmetric traffic
and UTM on page 552.
FGSP now supports another method for determining that an FGSP peer is unhealthy: monitoring the health of a routing
prefix learned from RIP, OSPF or BGP. Using this method, FortiGate can prevent network isolation and blackholing by
recognizing that a critical data path is down. For instance, when peer 1's path to a certain network no longer exists in the
routing table, it shares a not-ready status over FGSP heartbeats so other peers know not to bounce traffic back to
it.

Multiple prefixes can be monitored. However, a bad health status on a prefix will trigger the
entire peer as not-ready, not only the specific path. Furthermore, if traffic is failed over to the
peer that is not the original owner of the session, then UTM inspection will not apply.

There are new configuration options available in the config system standalone-cluster command in the CLI:
config system standalone-cluster
config monitor-prefix
edit <ID>
set vdom <VDOM name>
set vrf <VRF ID>
set prefix <ip address and netmask>
next
end
end

Example

In the following configurations, two peers are configured in FGSP. Two routing prefixes are monitored. In the diagram
below, traffic travels asymmetrically, but is eventually bounced back to the peer (FGT_1) where the traffic was initiated.
This allows the traffic to continue its UTM inspection through the peer.

In the scenario that one of the peers (FGT_1) no longer sees a route to a prefix, disrupting the flow of traffic, instead of
causing network isolation and blackholing by bouncing the traffic back to the peer (FGT_1), traffic instead continues
through the healthy peer (FGT_2).
Note that in this case, traffic does not get scanned by UTM on the healthy peer (FGT_2).

To configure routing prefix monitoring to FGSP:

1. Configure two peers in FGSP:


config system standalone-cluster
set standalone-group-id 1
config cluster-peer
edit 1
set peerip 10.2.2.2
next
end
config monitor-prefix
edit 1
set vdom "root"
set prefix 192.168.2.0 255.255.255.0
next
edit 2
set vdom "root"
set prefix 20.1.1.0 255.255.255.0
next
end
end

2. Verification:
a. FGT_1 and FGT_2 both learn the network prefix of 20.1.1.0/24 over RIP from the upstream router.
FGT_1 # get rout info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0


S* 0.0.0.0/0 [10/0] via 172.16.200.254, wan1, [1/0]
C 10.1.100.0/24 is directly connected, port1
C 10.2.2.0/24 is directly connected, ha1
R 20.1.1.0/24 [120/2] via 172.16.200.3, wan1, 00:01:46, [1/0]
C 172.16.200.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, mgmt

b. As such, the health status on peer_1 for both prefixes displays healthy=1:
FGT_1 # diagnose test application sessionsync 1
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-nat=0
sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
ipsec-tun-sync=1, encrypt-enabled=0
fgsp-peers-num=1, kernel-filters-num=1
fgsp-peers:
vdom=0, ip/port=10.2.2.2:708
fgsp_route_health=1
mon_prefix: vdom=root vrf=0, prefix=192.168.2.0(255.255.255.0) healthy=1
mon_prefix: vdom=root vrf=0, prefix=20.1.1.0(255.255.255.0) healthy=1

c. On peer_2, it sees the health status of peer_1 as ready:


FGT_2 # diagnose sys ha standalone-peers
Group=1, ID=2
Detected-peers=1
Peer ready bitmap=0000000100000000
Kernel standalone-peers: num=1.
peer0: vfid=0, peerip:port = 10.2.2.1:708, standalone_id=0, ready=1
session-type: send=0, recv=0
packet-type: send=0, recv=0

d. Traffic originally passes through UTM inspection over peer_1. The return traffic is routed to peer_2, where it will
bounce to peer_1, the original FGSP peer for inspection.
e. In the event that the network prefix 20.1.1.0/24 becomes unavailable from peer_1:
FGT_1 # get rout info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.200.254, wan1, [1/0]
C 10.1.100.0/24 is directly connected, port1
C 10.2.2.0/24 is directly connected, ha1
C 172.16.200.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, mgmt

f. Its health status immediately changes to unhealthy (healthy=0).


# diagnose test application sessionsync 1
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-nat=0
sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
ipsec-tun-sync=1, encrypt-enabled=0
fgsp-peers-num=1, kernel-filters-num=1
fgsp-peers:
vdom=0, ip/port=10.2.2.2:708
fgsp_route_health=0
mon_prefix: vdom=root vrf=0, prefix=192.168.2.0(255.255.255.0) healthy=1
mon_prefix: vdom=root vrf=0, prefix=20.1.1.0(255.255.255.0) healthy=0

g. peer_2 also detects the not-ready status over the heartbeat packets (ready=0):
FGT_2 (Interim)# diagnose sys ha standalone-peers
Group=1, ID=2
Detected-peers=1
Peer ready bitmap=0000000000000000
Kernel standalone-peers: num=1.
peer0: vfid=0, peerip:port = 10.2.2.1:708, standalone_id=0, ready=0
session-type: send=0, recv=0
packet-type: send=0, recv=0

h. Upon peer_1 becoming unavailable or unhealthy, traffic no longer bounces back to peer_1. Instead, it is failed
over to peer_2 for processing.
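The following Python example is added here and is not Fortinet code. It reproduces the health evaluation of the verification steps offline: it parses the two routing-table outputs from steps 2a and 2e, checks whether each monitored prefix is still present, and derives a peer-wide route health value that, like fgsp_route_health above, drops to 0 as soon as any one prefix is missing. The routing-table text is copied from the steps above (with the Codes legend trimmed); the exact-prefix match and the function names are assumptions of the example.

```python
import ipaddress
import re

# Routing-table output copied from steps 2a and 2e above (Codes legend trimmed):
# before and after the RIP route to 20.1.1.0/24 disappears from peer_1.
ROUTES_BEFORE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.200.254, wan1, [1/0]
C 10.1.100.0/24 is directly connected, port1
C 10.2.2.0/24 is directly connected, ha1
R 20.1.1.0/24 [120/2] via 172.16.200.3, wan1, 00:01:46, [1/0]
C 172.16.200.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, mgmt
"""

ROUTES_AFTER = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.200.254, wan1, [1/0]
C 10.1.100.0/24 is directly connected, port1
C 10.2.2.0/24 is directly connected, ha1
C 172.16.200.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, mgmt
"""

# The two monitor-prefix entries from step 1, as (prefix, netmask) pairs.
MONITORED = [("192.168.2.0", "255.255.255.0"), ("20.1.1.0", "255.255.255.0")]

# A route line starts with a protocol code (S, S*, C, R, B, O, IA, N1, E2, ...)
# followed by prefix/length. Legend and "Routing table for ..." lines do not match.
_ROUTE = re.compile(r"^([A-Z]{1,2}\*?)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def parse_routing_table(output: str) -> set:
    """Return the set of IPv4 prefixes present in `get router info routing-table` output."""
    routes = set()
    for line in output.splitlines():
        match = _ROUTE.match(line.strip())
        if match:
            routes.add(ipaddress.ip_network(match.group(2), strict=False))
    return routes


def prefix_health(routes: set, monitored) -> list:
    """Per-prefix health: 1 if the exact monitored prefix is in the table, else 0.

    Assumption of this example: an exact prefix match is required; a covering
    route (for example a default route) does not count as a path to the prefix.
    """
    result = []
    for prefix, mask in monitored:
        net = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
        result.append({"prefix": str(net), "healthy": 1 if net in routes else 0})
    return result


def fgsp_route_health(health: list) -> int:
    """Peer-wide status: a single unhealthy prefix marks the whole peer not-ready."""
    return 1 if all(entry["healthy"] == 1 for entry in health) else 0


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        health = prefix_health(parse_routing_table(table), MONITORED)
        print(label, health, "fgsp_route_health =", fgsp_route_health(health))
```

Running it prints healthy=1 for both prefixes before the route is withdrawn and healthy=0 for 20.1.1.0/24 afterwards, with the peer-wide value following the single failed prefix, which is the behaviour the note above warns about.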

Single FortiGuard license for FortiGate A-P HA cluster - 7.6.1

FortiGate A-P HA cluster now supports sharing a single FortiGuard service license for both cluster units for the following
models:
• 40F and variants
• 60F and variants
• 70F and variants
• 80F and variants
• 100F and variants
When a customer purchases two units with the HA SKU (such as 2 x FG-40F-HA), they can further purchase a single
order of the following SKUs:
• Enterprise Protection
• Unified Threat Protection (UTP)
• Advanced Threat Protection (ATP)
The two FortiGate serial numbers are associated together on FortiCare to create one virtual serial number (vSN). The above
services are then registered to the vSN.
For more information about this feature, see Single FortiGuard license for FortiGate A-P HA cluster.

Certificates

This section includes information about certificate system related new features:
• ACME External Account Binding support 7.6.3 on page 557

ACME External Account Binding support - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:

• ACME External Account Binding support

Support is added for ACME External Account Binding (EAB), as defined in RFC 8555 section 7.3.4.
EAB is a way to associate an ACME account with an existing non-ACME account, such as a CA customer database, by
adding additional information to newAccount requests. The CA operating the ACME server uses this additional information
to verify domain ownership by the requester, without the need for human users to follow interactive, natural-language
instructions from the CA. Domain ownership verification is done when you register for EAB with your CA.
config vpn certificate local
edit <name>
set acme-eab-key-id <key>
set acme-eab-key-hmac <HMAC>
next
end

Command / Description
acme-eab-key-id <key>
    External Account Binding key ID (optional setting).
acme-eab-key-hmac <HMAC>
    External Account Binding HMAC key (base64url encoded).

A user obtains the EAB credentials from the ACME CA, or creates them through the web account access that the ACME CA
provides. Note that this feature is not supported by all CAs; for example, Let's Encrypt does not currently support EAB.
Once created, the EAB can be used for ACME certificate enrollment. Some ACME CAs allow the use of EAB as an
authentication method, bypassing the standard online verification of domain ownership during the ACME certificate
enrollment process via HTTP.
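To show what the two EAB settings are used for on the wire, the following Python example (added here; not FortiOS code and not the guide's own) builds and verifies the externalAccountBinding JWS from RFC 8555 section 7.3.4: the protected header carries the key ID as kid together with the newAccount URL, the payload is the ACME account's public key as a JWK, and the signature is an HMAC-SHA256 over both using the base64url-decoded HMAC key. The key ID, HMAC key, account JWK and newAccount URL are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: not real credentials and not the ones used in the guide.
SAMPLE_KEY_ID = "eab-kid-example-0001"                                            # acme-eab-key-id
SAMPLE_HMAC_KEY = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()  # acme-eab-key-hmac
NEW_ACCOUNT_URL = "https://acme.example.test/v2/new-account"                     # the CA's newAccount URL
# The ACME account's public key as a JWK. The coordinates are placeholders: the MAC
# covers the JWK bytes, so the key's mathematical validity does not matter here.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url input whether or not it carries '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(key_id: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS of RFC 8555 section 7.3.4.

    Header: alg is a MAC algorithm, kid is the CA-issued key ID, url is the
    newAccount URL; no nonce and no jwk. Payload: the account public key JWK.
    The MAC key is the base64url-decoded value the CA handed out.
    """
    protected = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected_b64 = b64url(_canonical(protected))
    payload_b64 = b64url(_canonical(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def decode_protected(eab: dict) -> dict:
    """Decode the protected header of an EAB JWS."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_eab(eab: dict, hmac_key_b64url: str, expected_kid: str,
               expected_url: str, account_jwk: dict) -> bool:
    """The CA-side check: header fields, payload equals the account key, MAC valid."""
    try:
        protected = decode_protected(eab)
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if protected.get("alg") != "HS256":
        return False
    if "nonce" in protected or "jwk" in protected:      # both are forbidden in the EAB header
        return False
    if protected.get("kid") != expected_kid or protected.get("url") != expected_url:
        return False
    if payload != account_jwk:                          # must bind exactly this account key
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    eab = build_eab(SAMPLE_KEY_ID, SAMPLE_HMAC_KEY, SAMPLE_ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("valid:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_KEY_ID, NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK))
```

Because the MAC key is the only secret that ties the ACME account to the CA customer record, it deserves the same handling as a password: the guide's step to save it securely applies, and a leaked key lets anyone bind a new ACME account to your CA account.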

Example

In this example, public ZeroSSL CA is used (zerossl.com) as it supports EAB and allows registered accounts to create
an EAB online. The server is an Azure VM with a public IP address and DNS.

To configure and verify ACME EAB:

1. Create an account with ZeroSSL and create the EAB.

Securely save both the EAB key ID and the EAB HMAC key (the acme-eab-key-id and acme-eab-key-hmac values). They are not stored in your account.
2. On the FortiGate, set the ACME interface to the port that is used for external communication:
config system acme
set interface port1
end

3. Create a local VPN certificate using ACME as the enrollment protocol:


config vpn certificate local
edit "test-acme-zeroSSL"
set enroll-protocol acme2
set acme-ca-url "https://acme.zerossl.com/v2/DV90"
set acme-email [email protected]
set acme-eab-key-id "ZSx3bMEaa99RRt7wIjaRrw"
set acme-eab-key-hmac "DeGr0jpQkZ1hqMVskqpe99dsyyPUM-SS77qqQQTTMM88-yy331kf2DOzmG6dg96aM3-HuHi_OVELPsBFQSLNJw"
set acme-domain qa-fgt-acme-test-vkonddcbssww2.westus.cloudapp.azure.com
next
By enabling this feature you declare that you agree to the Terms of Service at
https://acme.zerossl.com/v2/DV90
Do you want to continue? (y/n)y
end

4. Verify the results:


config vpn certificate local
edit "test-acme-zeroSSL"
get
name : test-acme-zeroSSL
password : *
comments : Renewed with ACME on Tue Mar 4 22:43:35 2025 (UTC)
private-key : *
certificate :
Subject: CN = qa-fgt-acme-test-vkonddcbssww2.westus.cloudapp.azure.com
Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
Valid from: 2025-03-04 00:00:00 GMT
Valid to: 2025-06-02 23:59:59 GMT
Fingerprint: 3F:9A:A8:1F:3A:C4:AB:44:15:66:FD:83:EA:D0:58:01:4E:73:0B:52:69:22:9F:A0:1D:0A:17:FE:6A:7E:33:42
Root CA: No
Version: 3
Serial Num: e8:90:0e:9f:0b:b7:76:3b:76:42:1b:1a:7a:81:02:e6
Extensions:
Name: X509v3 Authority Key Identifier
Critical: no
Content:
C8:D9:78:68:A2:D9:19:68:D5:3D:72:DE:5F:0A:3E:DC:B5:86:86:A6

Name: X509v3 Subject Key Identifier
Critical: no
Content:
4C:B6:A3:DD:20:A4:33:2C:21:8A:B8:BA:96:A3:4E:FD:A3:2B:E3:BA

Name: X509v3 Key Usage
Critical: yes
Content:
Digital Signature, Key Encipherment

Name: X509v3 Basic Constraints
Critical: yes
Content:
CA:FALSE

Name: X509v3 Extended Key Usage
Critical: no
Content:
TLS Web Server Authentication, TLS Web Client Authentication

Name: X509v3 Certificate Policies
Critical: no
Content:
Policy: 1.3.6.1.4.1.6449.1.2.2.78
CPS: https://sectigo.com/CPS
Policy: 2.23.140.1.2.1

Name: Authority Information Access
Critical: no
Content:
CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
OCSP - URI:http://zerossl.ocsp.sectigo.com

Name: CT Precertificate SCTs
Critical: no
Content:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : CF:11:56:EE:D5:2E:7C:AF:F3:87:5B:D9:69:2E:9B:E9:
1A:71:67:4A:B0:17:EC:AC:01:D2:5B:77:CE:CC:3B:08
Timestamp : Mar 4 22:43:32.069 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:42:95:F3:A6:8D:23:8D:B7:FC:AC:69:E5:
82:78:D7:AA:B6:15:A1:3B:2F:C2:57:66:36:E8:96:63:
C4:16:F2:09:02:21:00:E3:59:20:04:3A:34:8B:0F:25:
04:A3:3B:52:AA:F

Name: X509v3 Subject Alternative Name
Critical: no
Content:
DNS:qa-fgt-acme-test-vkonddcbssww2.westus.cloudapp.azure.com

state : OK
range : global
source : user
source-ip : 0.0.0.0
ike-localid-type : asn1dn
enroll-protocol : acme2
acme-ca-url : https://acme.zerossl.com/v2/DV90
acme-domain : qa-fgt-acme-test-vkonddcbssww2.westus.cloudapp.azure.com
acme-email : [email protected]
acme-eab-key-id : ZSxXXXXXXXXXXXXXXXXXXXIjaRrw
acme-eab-key-hmac : DeGr0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXBFQSLNJw
acme-rsa-key-size : 2048
acme-renew-window : 30

If the certificate details are not shown, check the detailed status and error messages for the enrollment process:
# diagnose sys acme status-full <acme-domain>

Security

This section includes information about security system related new features:
• Encrypt configuration files in the eCryptfs file system on page 560
• Closed network VM license security enhancement on page 561
• OpenSSL FIPS provider installed globally at startup on page 563
• Enhance real-time file system integrity checking on page 564
• Use per-FortiGate generated random password for private-data-encryption 7.6.1 on page 564
• Enhanced administrator password security 7.6.1 on page 565
• BIOS security Low and High level classification 7.6.1 on page 568

Encrypt configuration files in the eCryptfs file system

This information is also available in the FortiOS 7.6 Administration Guide:

• Encrypt configuration files in the eCryptfs file system

Configuration files are encrypted in the eCryptfs file system when the system reboots or shuts down, and are decrypted
when the system boots up and has to load the configuration to CMDB.
If the device supports TPM, the 32 byte eCryptfs encryption key is randomly generated and stored in the TPM, like the
private-data-encryption key. If the device does not support TPM, the key is generated by the cryptographically secure
pseudorandom number generator (CSPRNG) and stored on the disk.

Closed network VM license security enhancement

This information is also available in the FortiOS 7.6 Administration Guide:

• Closed network VM license security

The CMS signature is now verified immediately after the license is loaded. This ensures that the license is from FortiCare
and confirms the authenticity of the license's contents and contracts, enhancing license integrity and customer trust.

If a valid offline license with a CMS signature is loaded:

FGVM2VTM22222222# get system status


Version: FortiGate-VM64-KVM v7.6.0,build9999,240524
First GA patch build date: 230509
Security Level: 0
Firmware Signature: not-certified
...
Serial-Number: FGVM2VTM22222222
License Status: Valid
License Expiration Date: 2024-08-02
VM Resources: 1 CPU/2 allowed, 1992 MB RAM
...
FGVM2VTM22222222# diagnose debug vm-print-license
SerialNumber: FGVM2VTM22222222
CreateDate: Wed Mar 20 18:47:49 2024
License expires: Fri Aug 2 00:00:00 2024
Expiry: 134
UUID: fdbf7aa999999999a9999aa578127e67
Default Contract:
FMWR:6:20230802:20240804,ENHN:20:20230802:20240804,...,IPMC:6:20230802:20240804
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Signature: yes
Model: 2V (6)
CPU: 2
MEM: 2147483647
VDOM license:
permanent: 2
subscription: 0

If an old offline license without a CMS signature is loaded:

FGVM2VTM22222222# get system status
Version: FortiGate-VM64-KVM v7.6.0,build9999,240524
First GA patch build date: 230509
Security Level: 0
Firmware Signature: not-certified
...
Serial-Number: FGVM2VTM22222222
License Status: Invalid
License Expiration Date: 2024-08-02
VM Resources: 1 CPU/2 allowed, 1992 MB RAM
...
FGVM2VTM22222222# diagnose debug vm-print-license
SerialNumber: FGVM2VTM22222222
CreateDate: Wed Aug 2 20:18:51 2023
License expires: Fri Aug 2 00:00:00 2024
Expiry: 365
UUID: fdbf7aa999999999a9999aa578127e67
Default Contract:
FMWR:6:20230802:20240804,ENHN:20:20230802:20240804,...,IPMC:6:20230802:20240804
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 2V (6)
CPU: 2
MEM: 2147483647
VDOM license:

If an offline license with a modified CMS signature is loaded, the license is invalid and no signature is reported in the
license details:

FGVM2VTM22222222# get system status


Version: FortiGate-VM64-KVM v7.6.0,build9999,240524
First GA patch build date: 230509
Security Level: 0
Firmware Signature: not-certified
...
Serial-Number: FGVM2VTM22222222
License Status: Invalid
License Expiration Date: 2024-08-02
VM Resources: 1 CPU/2 allowed, 1992 MB RAM
...
FGVM2VTM22222222# diagnose debug vm-print-license
SerialNumber: FGVM2VTM22222222
CreateDate: Wed Mar 20 18:47:49 2024
License expires: Fri Aug 2 00:00:00 2024
Expiry: 134
UUID: fdbf7aa999999999a9999aa578127e67
Default Contract:
FMWR:6:20230802:20240804,ENHN:20:20230802:20240804,...,IPMC:6:20230802:20240804
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 2V (6)
CPU: 2
MEM: 2147483647
VDOM license:
permanent: 2
subscription: 0

OpenSSL FIPS provider installed globally at startup

This information is also available in the FortiOS 7.6 Administration Guide:

• FIPS-CC mode and OpenSSL FIPS provider

When the device is in FIPS-CC mode, the OpenSSL FIPS provider is installed globally at startup, ensuring that any
OpenSSL application is automatically compliant with FIPS requirements. An OpenSSL FIPS provider test (ossl-fips-
provider-test) is added, and the self-test runs automatically at startup. The TLSv1.1 KDF self-test is removed.
The system defaults to the more secure TLSv1.2 and TLSv1.3 protocols instead of SSL 3.0 and TLS 1.1, and only Diffie-
Hellman parameters of 2048 bits or higher are permitted, ensuring a robust security posture and aligning with industry
standards.
When configuring a RADIUS server, the authentication method (auth-type) can only be set to PAP (Password
Authentication Protocol), and transport-protocol can only be set to tls.

To manually run the OpenSSL FIPS provider self-test:

# execute fips kat ossl-fips-provider-test
HMAC : KAT_Integrity : Pass
HMAC : Module_Integrity : Pass
SHA1 : KAT_Digest : Pass
SHA2 : KAT_Digest : Pass
SHA3 : KAT_Digest : Pass
AES_GCM : KAT_Cipher : Pass
AES_ECB_Decrypt : KAT_Cipher : Pass
RSA : KAT_Signature : Pass
ECDSA : KAT_Signature : Pass
ECDSA : KAT_Signature : Pass
DSA : KAT_Signature : Pass
TLS13_KDF_EXTRACT : KAT_KDF : Pass
TLS13_KDF_EXPAND : KAT_KDF : Pass
TLS12_PRF : KAT_KDF : Pass
PBKDF2 : KAT_KDF : Pass
SSHKDF : KAT_KDF : Pass
KBKDF : KAT_KDF : Pass
HKDF : KAT_KDF : Pass
SSKDF : KAT_KDF : Pass
X963KDF : KAT_KDF : Pass
X942KDF : KAT_KDF : Pass
HASH : DRBG : Pass
CTR : DRBG : Pass
HMAC : DRBG : Pass
DH : KAT_KA : Pass
ECDH : KAT_KA : Pass
RSA_Encrypt : KAT_AsymmetricCipher : Pass
RSA_Decrypt : KAT_AsymmetricCipher : Pass
RSA_Decrypt : KAT_AsymmetricCipher : Pass
Running OSSL-FIPS-TEST test... passed

Enhance real-time file system integrity checking

In this enhancement, a hash of every executable binary file and shared library is taken at image build time. The file
containing these hashes, called the executable hash, is itself hashed. This new hash is signed together with other
important files such as the FortiOS firmware and the AV and IPS engine files. The hash is covered by the BIOS-level
signature and integrity check during the boot process, preventing any unauthorized changes from being loaded.
For more information about this feature, see Enhance real-time file system integrity checking.

Use per-FortiGate generated random password for private-data-encryption - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

• Trusted platform module support
• TPM support for FortiGate-VM

When enabling private-data-encryption, instead of asking users to input a 32 digit hexadecimal string as the master-
encryption-password, the FortiGate generates a random password itself. This increases security because the master-
encryption-password is not known to anyone and so cannot be stolen or leaked.
As a consequence, a configuration that is backed up while private-data-encryption is enabled cannot be restored when
private-data-encryption is disabled or when private-data-encryption is re-enabled with a different random key.

To enable private-data-encryption:

config system global


set private-data-encryption enable
end
This operation will generate a random private data encryption key!
Previous config files encrypted with the system default key cannot be restored after this
operation!
Do you want to continue? (y/n)y

Private data encryption key generation succeeded!

To disable private-data-encryption:

config system global


set private-data-encryption disable
end
This operation will restore system default data encryption key!
Previous config files encrypted with the private key cannot be restored after this
operation!
Do you want to continue? (y/n)y

HA enhancement

HA will form when both units have the basic matching HA required settings, including the HA group and HA password,
regardless of whether private-data-encryption is enabled on both units before or after forming HA.
If private-data-encryption is enabled separately before forming HA, the FortiGates will first form HA and then
synchronize the private-data-encryption key after. Once both devices have the same private-data-encryption key,
configurations are synchronized from the primary to the secondary.
If private-data-encryption is enabled after the HA cluster is formed, then the primary unit will generate the random
master-encryption-password. The password is synchronized from the primary to the secondary immediately after it is
created.

Enhanced administrator password security - 7.6.1

The PBKDF2 hashing scheme with randomized salts is now used to store system administrator passwords on the
FortiGate to enhance security. Previously the SHA256 hashing algorithm was used.
With this change, a new command is available to maintain FortiOS downgrade:
config system password-policy
set login-lockout-upon-downgrade {enable | disable}
end

set login-lockout-upon-downgrade {enable | disable}
    Enable/disable system administrator login lockout after downgrade to FortiOS firmware that does not support safer
    passwords (default = disable).
    When disabled, system administrator passwords with SHA256 hash are kept after successfully converting to PBKDF2
    hash. SHA256 hashed passwords are used after downgrading to a firmware version that does not support PBKDF2
    hashed passwords.
    When enabled, system administrator passwords that are converted to PBKDF2 hash will immediately remove the
    SHA256 hashed password. Upon downgrading the FortiOS firmware to a lower version, where safer passwords are
    unsupported, the administrators will be locked out.
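As an added example (not FortiOS code; the record formats, the iteration count and the function names are this example's own assumptions), the following Python models the scheme described: PBKDF2-HMAC-SHA256 with a random per-password salt, a verify routine that accepts both the old and the new record type, and a login routine that converts a legacy SHA256 record only after a successful login, because that is the only moment the plaintext is available. The lockout_upon_downgrade flag mirrors the option above, keeping or discarding the legacy record at conversion time.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Illustrative record formats for this example only (not FortiOS's ENC encoding):
#   legacy:   "SH2$" + hex(sha256(password))
#   current:  "PB2$" + iterations + "$" + hex(salt) + "$" + hex(pbkdf2_hmac_sha256)
ITERATIONS = 100_000   # assumption for this example; the guide gives no iteration count
SALT_BYTES = 16        # 128-bit random salt per password


def hash_password_pbkdf2(password: str, iterations: int = ITERATIONS,
                         salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record; a fresh random salt is drawn unless given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"PB2${iterations}${salt.hex()}${digest.hex()}"


def hash_password_legacy(password: str) -> str:
    """Legacy unsalted SHA256 record, built here only so the conversion below has input."""
    return "SH2$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison against either record type."""
    scheme, _, rest = record.partition("$")
    if scheme == "PB2":
        iterations, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    if scheme == "SH2":
        candidate = hashlib.sha256(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, bytes.fromhex(rest))
    return False


def login(password: str, admin: dict, lockout_upon_downgrade: bool = False) -> Tuple[bool, dict]:
    """Authenticate against an admin record {"pbkdf2": str|None, "legacy": str|None}.

    On the first successful login after upgrade the legacy record is converted to
    PBKDF2: the plaintext is only in hand at login time, which is why unconverted
    passwords stay SHA256 until the administrator logs in. lockout_upon_downgrade
    True mirrors login-lockout-upon-downgrade enable and drops the legacy record at
    conversion; False keeps it so a downgraded firmware can still authenticate.
    Returns (ok, updated_admin).
    """
    record = admin.get("pbkdf2") or admin.get("legacy")
    if record is None or not verify_password(password, record):
        return False, admin
    if admin.get("pbkdf2") is None:
        admin = {
            "pbkdf2": hash_password_pbkdf2(password),
            "legacy": None if lockout_upon_downgrade else admin.get("legacy"),
        }
    return True, admin


if __name__ == "__main__":
    legacy_admin = {"pbkdf2": None, "legacy": hash_password_legacy("example-password")}
    ok, converted = login("example-password", legacy_admin)
    print(ok, converted["pbkdf2"][:12] + "...", "legacy kept:", converted["legacy"] is not None)
```

Two properties are worth checking by hand: hashing the same password twice yields different records because the salt is random, and keeping the legacy record beside the PBKDF2 one (the default) means the weaker hash still exists on the device, which is the trade-off the lockout option lets you close.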

When creating a new administrative user in FortiOS 7.6.1 or later, the PBKDF2 hashing scheme is used to store the
password. When displayed in the CLI, the password is encoded with a prefix of PB2:
# config system admin
(admin)# edit admin2
new entry 'admin2' added
(admin2)# set accprofile super_admin
(admin2)# set vdom root
(admin2)# set password 123456
(admin2)# show
config system admin
edit "admin2"
set accprofile "super_admin"
set vdom "root"
set password ENC PB20jOHUbfWEI7eKFTnKkE/qBgE5md70OjpXqiHhHTxo48GnIZshrIq67dT1IUouJSxgEZ6NYeAdAS9vLHpZGlcpBmtfUbfFOa6qKaVAN+F9CM=
next
end

Upgrade

To view system administrator passwords before and after upgrade to FortiOS 7.6.1:

1. Before upgrade to FortiOS 7.6.1 or later, view the encoded password. The encoded password shows a SH2 prefix
because it was hashed with the SHA256 algorithm:
# show system admin
config system admin
edit "admin1"
set accprofile "prof_admin"
set vdom "root"
set password ENC SH2RHqyB8gaEKC10dzpgU6lZg7YSpnb21wWLFOtqzMlpyKJZyyq3ISFYPyIL/s=
next
end

2. Upgrade to FortiOS 7.6.1 or later. Each system administrator password hashed with SHA256 is stored on FortiGate
until each system administrator successfully logs in to FortiOS.
If a system administrator does not log in to FortiGate after upgrading to FortiOS 7.6.1 or later, their password
remains saved as the SHA256 hashed password.
3. Log in to FortiOS. The password is converted to a PBKDF2 hashed password.
4. View the encoded password. The encoded password shows a PB2 prefix because it was hashed with the PBKDF2
algorithm:
FortiGate login: admin1
Password:
Verifying password...
$ show system admin
config system admin
edit "admin1"
set accprofile "prof_admin"
set vdom "root"
set password ENC PB2a2X8D3DIt0gXbBXVdknLZb48BKrGTD50z//UrbpWAD5kpFdwqBKie0h8STxL6Db//wQ2ZWN/5FW3+DkX3+0nBE1RNbeTKSVi18WcFmSPDQM=
next
end


Downgrade

To support downgrading to an older version that does not support the PBKDF2 hashed password, by default, the old
SHA256 hashed password is still stored in the system after being converted to PBKDF2. This is controlled by the
following setting that is disabled by default:
config system password-policy
set login-lockout-upon-downgrade disable
end

Downgrading will successfully restore the SHA256 hashed password and operations will continue uninterrupted.
If the login-lockout-upon-downgrade option is enabled:
config system password-policy
set login-lockout-upon-downgrade enable
end

The SHA256 hashed password will be removed from the system as soon as it is converted to a PBKDF2 hashed
password upon a successful login.
During a downgrade operation, the system will display the following warning:
# execute restore image ftp FGT_2601F-v7.6.0.F-build3401-FORTINET.out 172.16.106.105 username password
This operation will replace the current firmware version and reboot the system!
Do you want to continue? (y/n)y
Please wait...
Connect to ftp server 172.16.106.105 ...
Get image from ftp server OK.
Verifying the signature of the firmware image.
Image verification OK!
Warning: Installing image v7.6.0 from v7.6.1 is not a recommended upgrade path. Continuing
with the upgrade may result in loss of configuration. Do you want to proceed?
Do you want to continue? (y/n)y

You are downgrading to a version that does not support safer passwords.
After downgrade, some administrative user (e.g., admin1) no longer will be able to login.
Do you want to continue? (y/n)

Administrators can choose to proceed or abort this downgrade.


Finally, if an administrator wants to restore the SHA256 hashed password for a downgrade, they can do the following:
1. Disable the login-lockout-upon-downgrade option.
2. Log out the current administrator.
3. For each system administrator, log in to the FortiGate to generate the SHA256 hashed password by running the
SHA256 hashing algorithm.

After administrator passwords are converted to PBKDF2 hashed passwords, loading the
config file to an older version that does not support safer passwords will lock out the
administrators.
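The following Python model is an added example and is not Fortinet code; it illustrates the password lifecycle described above (opportunistic conversion from an unsalted SHA256 record to a salted PBKDF2 record at the moment of a successful login, and the effect of login-lockout-upon-downgrade on whether the SHA256 copy is retained). The iteration count, salt length and the "SH2:"/"PB2:" record layout are assumptions for illustration; the real FortiOS ENC encoding is not documented on this page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Illustrative parameters (assumed). Only the scheme is modelled here:
# unsalted SHA256 before the upgrade, salted PBKDF2-HMAC-SHA256 after it.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def sha256_legacy(password: str) -> str:
    """Pre-7.6.1 style record: one unsalted SHA256 digest (SH2 prefix)."""
    return "SH2:" + hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """7.6.1 style record: PBKDF2 with a random per-password salt (PB2 prefix)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "PB2:" + salt.hex() + "$" + dk.hex()


def verify(record: str, password: str) -> bool:
    """Check a password against either record type; digests are compared in constant time."""
    scheme, body = record.split(":", 1)
    if scheme == "SH2":
        return hmac.compare_digest(body, hashlib.sha256(password.encode()).hexdigest())
    if scheme == "PB2":
        salt_hex, dk_hex = body.split("$", 1)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


class AdminStore:
    """Admin records holding a PBKDF2 hash and an optional retained SHA256 copy."""

    def __init__(self, login_lockout_upon_downgrade: bool = False) -> None:
        self.lockout = login_lockout_upon_downgrade
        self.admins: Dict[str, Dict[str, Optional[str]]] = {}

    def add_legacy_admin(self, name: str, password: str) -> None:
        """Admin that existed before the upgrade: only the SHA256 record exists."""
        self.admins[name] = {"sha256": sha256_legacy(password), "pbkdf2": None}

    def add_admin(self, name: str, password: str) -> None:
        """Admin created on 7.6.1 or later: PBKDF2 from the start."""
        self.admins[name] = {"sha256": None, "pbkdf2": pbkdf2_hash(password)}

    def login(self, name: str, password: str) -> bool:
        """A successful login is the only moment the clear-text password is available,
        so the conversion (and the keep/drop decision for SHA256) happens here."""
        rec = self.admins[name]
        current = rec["pbkdf2"] or rec["sha256"]
        if current is None or not verify(current, password):
            return False
        if rec["pbkdf2"] is None:
            rec["pbkdf2"] = pbkdf2_hash(password)
        if self.lockout:
            rec["sha256"] = None                     # enabled: SHA256 copy removed
        elif rec["sha256"] is None:
            rec["sha256"] = sha256_legacy(password)  # disabled: SHA256 copy (re)generated
        return True

    def downgrade_login(self, name: str, password: str) -> bool:
        """Login on firmware that only understands SHA256 records."""
        legacy = self.admins[name]["sha256"]
        return legacy is not None and verify(legacy, password)
```

Running the model with lockout enabled, converting an admin, then disabling lockout and logging in again reproduces the three-step restore procedure: the SHA256 copy reappears only after the next successful login of that administrator.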


BIOS security Low and High level classification - 7.6.1

The BIOS security level has been updated from levels 0/1/2 to levels Low and High. Level High corresponds to the
previous behaviors of level 2, and level Low corresponds to the behaviors of level 1. A BIOS that still uses level 0 will now
behave like level Low.
For more information about this feature, see BIOS security Low and High level classification.

SNMP

This section includes information about SNMP related new features:


l Ethernet Statistics Group on page 568
l Non-management VDOMs perform queries using SNMP v3 on page 569
l SNMP support for BIOS security level on page 570

Ethernet Statistics Group

This information is also available in the FortiOS 7.6 Administration Guide:


l SNMP examples

FortiOS supports the Ethernet Statistics Group for Remote Network Monitoring (RMON), which provides detailed
statistics about the traffic that passes through the Ethernet interface, such as drop events and collisions. This
enhancement enables comprehensive monitoring and management of network performance, helping to ensure optimal
operation and quickly identify any potential issues.
The Ethernet Statistics Group consists of the etherStatsTable .1.3.6.1.2.1.16.1.1 and can be leveraged using the
following:
config system snmp rmon-stat
edit 1
set source <data source of the Ethernet statistics entry>
set owner <owner of the Ethernet statistics entry>
next
end

To enable entries to the Ethernet Statistics Group:

1. Configure the RMON group on the FortiGate:


config system snmp rmon-stat
edit 1
set source "port2"
set owner "test"
next
end

An etherStatsEntry is created in the rmon-statistics table.


2. Query the etherStatsTable .1.3.6.1.2.1.16.1.1 on the SNMP server:


# snmpwalk -v2c -c REGR-SYS 172.16.200.1 etherStatsTable
RMON-MIB::etherStatsIndex.1 = INTEGER: 1
RMON-MIB::etherStatsDataSource.1 = OID: IF-MIB::ifIndex.8
RMON-MIB::etherStatsDropEvents.1 = Counter32: 0
RMON-MIB::etherStatsOctets.1 = Counter32: 39388877 Octets
RMON-MIB::etherStatsPkts.1 = Counter32: 125770 Packets
RMON-MIB::etherStatsBroadcastPkts.1 = Counter32: 0 Packets
RMON-MIB::etherStatsMulticastPkts.1 = Counter32: 84212 Packets
RMON-MIB::etherStatsCRCAlignErrors.1 = Counter32: 0 Packets
RMON-MIB::etherStatsUndersizePkts.1 = Counter32: 0 Packets
RMON-MIB::etherStatsOversizePkts.1 = Counter32: 0 Packets
RMON-MIB::etherStatsFragments.1 = Counter32: 0 Packets
RMON-MIB::etherStatsJabbers.1 = Counter32: 0 Packets
RMON-MIB::etherStatsCollisions.1 = Counter32: 0 Collisions
RMON-MIB::etherStatsPkts64Octets.1 = Counter32: 0 Packets
RMON-MIB::etherStatsPkts65to127Octets.1 = Counter32: 0 Packets
RMON-MIB::etherStatsPkts128to255Octets.1 = Counter32: 0 Packets
RMON-MIB::etherStatsPkts256to511Octets.1 = Counter32: 0 Packets
RMON-MIB::etherStatsPkts512to1023Octets.1 = Counter32: 0 Packets
RMON-MIB::etherStatsPkts1024to1518Octets.1 = Counter32: 0 Packets
RMON-MIB::etherStatsOwner.1 = STRING: "test"
RMON-MIB::etherStatsStatus.1 = INTEGER: valid(1)
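The following Python is an added example, not part of the Fortinet guide: it parses a captured snmpwalk of etherStatsTable (a constructed copy of the output above) into per-index counters and computes the error ratio between two samples, which is how a monitoring job would turn the RMON group into an alert. The second sample, the threshold and the wrap handling for Counter32 are assumptions made for the example.

```python
import re
from typing import Any, Dict

# Constructed sample: the etherStatsTable walk shown above, captured as text.
SAMPLE_WALK = """\
RMON-MIB::etherStatsIndex.1 = INTEGER: 1
RMON-MIB::etherStatsDataSource.1 = OID: IF-MIB::ifIndex.8
RMON-MIB::etherStatsDropEvents.1 = Counter32: 0
RMON-MIB::etherStatsOctets.1 = Counter32: 39388877 Octets
RMON-MIB::etherStatsPkts.1 = Counter32: 125770 Packets
RMON-MIB::etherStatsBroadcastPkts.1 = Counter32: 0 Packets
RMON-MIB::etherStatsMulticastPkts.1 = Counter32: 84212 Packets
RMON-MIB::etherStatsCRCAlignErrors.1 = Counter32: 0 Packets
RMON-MIB::etherStatsUndersizePkts.1 = Counter32: 0 Packets
RMON-MIB::etherStatsOversizePkts.1 = Counter32: 0 Packets
RMON-MIB::etherStatsFragments.1 = Counter32: 0 Packets
RMON-MIB::etherStatsJabbers.1 = Counter32: 0 Packets
RMON-MIB::etherStatsCollisions.1 = Counter32: 0 Collisions
RMON-MIB::etherStatsOwner.1 = STRING: "test"
RMON-MIB::etherStatsStatus.1 = INTEGER: valid(1)
"""

LINE_RE = re.compile(r"^RMON-MIB::etherStats(\w+)\.(\d+) = (\w+): (.*)$")


def parse_walk(text: str) -> Dict[int, Dict[str, Any]]:
    """Group one snmpwalk of etherStatsTable by etherStatsIndex."""
    entries: Dict[int, Dict[str, Any]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, idx, syntax, raw = m.groups()
        entry = entries.setdefault(int(idx), {})
        if syntax in ("Counter32", "Gauge32", "INTEGER"):
            num = re.search(r"-?\d+", raw)       # "0 Packets" -> 0, "valid(1)" -> 1
            entry[name] = int(num.group()) if num else raw
        elif syntax == "STRING":
            entry[name] = raw.strip('"')
        else:                                     # OID and anything else: keep the text
            entry[name] = raw
    return entries


ERROR_COUNTERS = ("DropEvents", "CRCAlignErrors", "UndersizePkts",
                  "OversizePkts", "Fragments", "Jabbers", "Collisions")


def counter_delta(old: int, new: int, bits: int = 32) -> int:
    """Difference between two Counter32 samples, tolerant of a single wrap."""
    return (new - old) % (1 << bits)


def error_summary(prev: Dict[str, Any], curr: Dict[str, Any],
                  max_ratio: float = 0.001) -> Dict[str, Any]:
    """Per-interval error counts and whether the error ratio exceeds max_ratio (assumed threshold)."""
    pkts = counter_delta(prev["Pkts"], curr["Pkts"])
    errors = {k: counter_delta(prev[k], curr[k]) for k in ERROR_COUNTERS}
    total = sum(errors.values())
    ratio = total / pkts if pkts else 0.0
    return {"pkts": pkts, "errors": errors, "error_ratio": ratio, "alert": ratio > max_ratio}


def demo() -> Dict[str, Any]:
    """Compare the captured walk with a constructed later sample (assumed values)."""
    first = parse_walk(SAMPLE_WALK)[1]
    later = dict(first)
    later["Pkts"] = first["Pkts"] + 1000
    later["CRCAlignErrors"] = first["CRCAlignErrors"] + 5
    return error_summary(first, later)
```

Because every etherStats counter is a Counter32, a poll that compares raw values instead of deltas misreads the first wrap after about 4 GB of octets; the modulo in counter_delta is what keeps the ratio meaningful across that event.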

Non-management VDOMs perform queries using SNMP v3

This information is also available in the FortiOS 7.6 Administration Guide:


l SNMP examples

Non-management VDOMs can now perform queries using SNMP v3. Previously only management VDOMs could
perform queries. By expanding query capabilities to non-management VDOMs, the system's versatility is improved.
The config system snmp sysinfo command includes a new option:
config system snmp sysinfo
set non-mgmt-vdom-query {enable | disable}
end

set non-mgmt-vdom-query Enable/disable allowance of SNMP v3 query from non-management VDOMs


(default = disable).

Example


In this example, PC1 connects to the port on FortiGate for the non-management VDOM, and SNMP v3 queries from non-
management VDOMs are enabled. PC5 connects to the port on FortiGate for the management VDOM. With this
configuration, SNMP queries are performed by both the non-management and the management VDOMs.

To enable non-management VDOM SNMP v3 queries:

1. On FortiGate, enable non-management VDOM queries:

config system snmp sysinfo
set status enable
set engine-id-type text
set engine-id ''
set description ''
set contact-info ''
set location ''
set trap-high-cpu-threshold 80
set trap-low-memory-threshold 80
set trap-log-full-threshold 90
set trap-free-memory-threshold 5
set trap-freeable-memory-threshold 60
set append-index disable
set non-mgmt-vdom-query enable
end

2. Check the SNMP information:


This example uses the snmpwalk application on PC1 and PC5 to confirm that both the non-management and the
management VDOMs answer SNMP v3 queries.
pc01:~$ snmpwalk -v3 -u v3user 10.1.100.1 1.3.6.1.4.1.12356.101.5.1.2.1.1.1
FORTINET-FORTIGATE-MIB::fgFwPolID.1.0 = INTEGER: 0
FORTINET-FORTIGATE-MIB::fgFwPolID.1.1 = INTEGER: 1
FORTINET-FORTIGATE-MIB::fgFwPolID.2.0 = INTEGER: 0

pc05~$ snmpwalk -v3 -u v3user 172.16.200.1 1.3.6.1.4.1.12356.101.5.1.2.1.1.1
FORTINET-FORTIGATE-MIB::fgFwPolID.1.0 = INTEGER: 0
FORTINET-FORTIGATE-MIB::fgFwPolID.1.1 = INTEGER: 1
FORTINET-FORTIGATE-MIB::fgFwPolID.2.0 = INTEGER: 0

SNMP support for BIOS security level

This information is also available in the FortiOS 7.6 Administration Guide:


l Important SNMP traps

SNMP clients can query the BIOS security level of a FortiGate using the OID 1.3.6.1.4.1.12356.101.4.1.38.


To configure SNMP and query for the BIOS security level:

1. Configure an SNMP community:


config system snmp community
edit 1
set name "REGR-SYS"
set status enable
config hosts
edit 1
set source-ip 0.0.0.0
set ip 172.18.200.109 255.255.255.255
set ha-direct disable
set host-type any
next
end
set query-v1-status enable
set query-v1-port 161
set query-v2c-status enable
set query-v2c-port 161
set trap-v1-status enable
set trap-v1-lport 162
set trap-v1-rport 162
set trap-v2c-status enable
set trap-v2c-lport 162
set trap-v2c-rport 162
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down security_level_change ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high dhcp pool-usage ospf-nbr-state-change ospf-virtnbr-state-change
next
end

2. Configure an SNMP user:


config system snmp user
edit "v3user"
set status enable
set trap-status enable
set trap-lport 162
set trap-rport 162
set queries enable
set query-port 161
set notify-hosts 172.18.200.109
set source-ip 0.0.0.0
set source-ipv6 ::
set ha-direct disable
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down security_level_change ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down per-cpu-high dhcp pool-usage ospf-nbr-state-change ospf-virtnbr-state-change
set security-level no-auth-no-priv
next
end

3. Query OID 1.3.6.1.4.1.12356.101.4.1.38 to check the security level:


fos@pc05:~$ snmpwalk -v1 -c REGR-SYS 172.16.200.4 1.3.6.1.4.1.12356.101.4.1.38
FORTINET-FORTIGATE-MIB::fgSystemInfo.38.0 = Gauge32: 1
fos@pc05:~$ snmpwalk -v2c -c REGR-SYS 172.16.200.4 1.3.6.1.4.1.12356.101.4.1.38
FORTINET-FORTIGATE-MIB::fgSystemInfo.38.0 = Gauge32: 1
fos@pc05:~$ snmpwalk -v3 -u v3user 172.16.200.4 1.3.6.1.4.1.12356.101.4.1.38
FORTINET-FORTIGATE-MIB::fgSystemInfo.38.0 = Gauge32: 1


Security Fabric

This section includes information about Security Fabric related new features:
l Fabric settings and connectors on page 573
l Security ratings on page 592
l General on page 600

Fabric settings and connectors

This section includes information about Security Fabric settings and Fabric connector related new features:
l Apply threat feed connectors as source addresses in central SNAT on page 573
l Automatic serial number retrieval from FortiManager on page 577
l Support multi-tenant FortiClient Cloud fabric connectors in the GUI 7.6.1 on page 577
l Generic connector for importing addresses 7.6.1 on page 579
l Support mTLS client certification for threat feed connections 7.6.1 on page 586
l GUI support for mTLS of threat feed connections 7.6.3 on page 587
l Enhancing FortiSandbox TLS security with CA and CN controls 7.6.3 on page 588

Apply threat feed connectors as source addresses in central SNAT

This information is also available in the FortiOS 7.6 Administration Guide:


l Apply threat feed connectors as source addresses in central SNAT

FortiOS allows an IP address threat feed to be applied as a source address in central SNAT. This enhancement allows
for more dynamic and responsive network security configuration.
The IP address threat feed can be applied in the GUI and the CLI:


l In the GUI, select a threat feed object from the IP Address Threat Feed section when creating and editing a policy.

l In the CLI, the IP address threat feed connector can be applied when configuring the central-snat-map.

Example

In the following example, an external IP list threat feed object will be created and used in a central SNAT map as the
source address.

To apply a threat feed connector in central SNAT:

1. Create a threat feed IP list object:


config system external-resource
edit "External-iplist-central-snat"
set type address
set resource "http://172.16.200.55/ip_list_test/test-external-iplist-central-snat.txt"
next
end

The threat feed list is as follows:

10.1.100.22
10.1.100.41
2000:10:1:100::22
2000:10:1:100::41

See IP address threat feed for more information.


2. Apply the threat feed connector in a central SNAT map as the source address:
config firewall central-snat-map
edit 1
set type ipv6
set srcintf "port2"
set dstintf "port1"
set orig-addr6 "External-iplist-central-snat"
set dst-addr6 "all"
next
edit 2
set srcintf "port2"
set dstintf "port1"
set orig-addr "External-iplist-central-snat"
set dst-addr "all"
next
end

3. Verify that the threat feed connector has been applied and taken effect:
# diagnose firewall iprope list 10000d
policy index=2 uuid_idx=8391 action=accept
flag (8041100): nat sport use_src pol_stats
flag3 (80): best-route
flag4 (200): port-preserve
schedule()
cos_fwd=0 cos_rev=0
group=0010000d av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 8 -> zone(1): 7
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=8031,
source external ip pool(1): 8390
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

# diagnose firewall iprope6 list 10000d
policy id: 1, group: 0010000d, uuid_idx=8163
action: accept, schedule:
cos_fwd=0 cos_rev=0
flag (08041100): nat sport use_src pol_stats
flag3(00000080): best-route
shapers: / per_ip=
sub_groups: av 00000000 auth 00000000 split 00000000 misc 00000000
app_list: 0 ips_view: 0
vdom_id: 0
zone_from(1): 8
zone_to(1): 7
address_dst(1):
all uuid_idx=8045
source external ip pool(1):
8390
service(1):


[0:0x0:0/(0,65535)->(0,65535)] helper:auto
nat(0):
nat_64(0):

The source external IP pool is attached.


# diagnose sys external-address-resource list
List of external address resources:
name:External-iplist-central-snat, uuid-idx:8390, num of ipv4/ipv6 ranges:2/2, used:yes

# diagnose sys external-address-resource list External-iplist-central-snat
IPv4 ranges of uuid-idx 8390 (num=2)
10.1.100.22-10.1.100.22
10.1.100.41-10.1.100.41
IPv6 ranges of uuid-idx 8390 (num=2)
2000:10:1:100::22-2000:10:1:100::22
2000:10:1:100::41-2000:10:1:100::41

The external IP list UUID index matches.


4. Verify that sending packets from IP addresses included in the IP list will hit the central SNAT map and that SNAT will
take effect:
a. Send packets from an IPv4 address that is included in the IP list. In this example, the packets are sent from
10.1.100.41.
# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
7.269689 port2 in 10.1.100.41 -> 172.16.200.55: icmp: echo request
7.269727 port1 out 172.16.200.6 -> 172.16.200.55: icmp: echo request
7.269850 port1 in 172.16.200.55 -> 172.16.200.6: icmp: echo reply
7.269861 port2 out 172.16.200.55 -> 10.1.100.41: icmp: echo reply
...
8 packets received by filter
0 packets dropped by kernel

SNAT will take effect. The outgoing packet is SNAT'd to the IP address of the port1 interface.
b. Send packets from an IPv4 address that is not included in the IP list. In this example, the packets are sent from
10.1.100.11.
# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
2.323329 port2 in 10.1.100.11 -> 172.16.200.55: icmp: echo request
2.323362 port1 out 10.1.100.11 -> 172.16.200.55: icmp: echo request
...
4 packets received by filter
0 packets dropped by kernel

SNAT will not take effect.


c. Send packets from an IPv6 address that is included in the IP list. In this example, the packets are sent from
2000:10:1:100::41.
# diagnose sniffer packet any icmp6 4
interfaces=[any]
filters=[icmp6]
2.105798 port2 in 2000:10:1:100::41 -> 2000:172:16:200::55: icmp6: echo request seq 1 [flowlabel 0x204d4]
2.105844 port1 out 2000:172:16:200::6 -> 2000:172:16:200::55: icmp6: echo request seq 1 [flowlabel 0x204d4]
2.105959 port1 in 2000:172:16:200::55 -> 2000:172:16:200::6: icmp6: echo reply seq 1 [flowlabel 0xebd44]
2.105971 port2 out 2000:172:16:200::55 -> 2000:10:1:100::41: icmp6: echo reply seq 1 [flowlabel 0xebd44]
...
8 packets received by filter
0 packets dropped by kernel

SNAT will take effect. The outgoing packet is SNAT'd to the IPv6 address of the port1 interface.
d. Send packets from an IPv6 address that is not included in the IP list. In this example, the packets are sent from
2000:10:1:100::11.
# diagnose sniffer packet any icmp6 4
interfaces=[any]
filters=[icmp6]
1.917946 port2 in 2000:10:1:100::11 -> 2000:172:16:200::55: icmp6: echo request seq 1
1.917979 port1 out 2000:10:1:100::11 -> 2000:172:16:200::55: icmp6: echo request seq 1
...
8 packets received by filter
0 packets dropped by kernel

SNAT will not take effect.
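The following Python is an added example, not Fortinet code, that models the behaviour verified in step 4: the threat feed file from step 1 is parsed into networks, and a source address is translated to the port1 address only when it is in the feed and the traffic flows from port2 to port1, as the two central-snat-map entries require. The port1 addresses are the ones visible in the sniffer output; the parser's acceptance of CIDR and first-last range lines in addition to single hosts is an assumption for the example (the feed on this page only contains single hosts).

```python
import ipaddress
from typing import List, Union

# Constructed copy of the threat feed file from step 1.
FEED_TEXT = """\
10.1.100.22
10.1.100.41
2000:10:1:100::22
2000:10:1:100::41
"""

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_feed(text: str) -> List[Net]:
    """One entry per line: a host, a CIDR prefix or a 'first-last' range.
    Blank lines and '#' comments are skipped (assumed conventions)."""
    nets: List[Net] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class CentralSnatMap:
    """Model of the two central-snat-map entries from step 2 (IPv4 and IPv6):
    port2 -> port1 traffic whose source is in the feed is SNAT'd to the port1
    address of the same IP version; anything else keeps its original source."""

    def __init__(self, feed: List[Net], port1_ipv4: str, port1_ipv6: str) -> None:
        self.feed = feed
        self.port1 = {4: ipaddress.ip_address(port1_ipv4),
                      6: ipaddress.ip_address(port1_ipv6)}

    def in_feed(self, src) -> bool:
        return any(n.version == src.version and src in n for n in self.feed)

    def translate(self, src_ip: str, srcintf: str = "port2", dstintf: str = "port1") -> str:
        """Return the source address as it leaves dstintf."""
        src = ipaddress.ip_address(src_ip)
        if srcintf == "port2" and dstintf == "port1" and self.in_feed(src):
            return str(self.port1[src.version])
        return str(src)


# port1 addresses as seen in the sniffer output of step 4.
SNAT = CentralSnatMap(parse_feed(FEED_TEXT), "172.16.200.6", "2000:172:16:200::6")
```

The four translate calls in the test mirror steps 4a to 4d: the feed members 10.1.100.41 and 2000:10:1:100::41 leave port1 with the interface address, while 10.1.100.11 and 2000:10:1:100::11 are forwarded unchanged.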

Automatic serial number retrieval from FortiManager

Starting with version 7.6.0, FortiGate devices can now automatically retrieve the FortiManager serial number by
establishing a connection with FortiManager. This enhancement eliminates the need for manual serial number entry,
even when configuring with the CLI. This update ensures that CLI functionality is now aligned with the GUI, which
already supports automatic serial number retrieval.
For more information about this feature, see Automatic serial number retrieval from FortiManager.

Support multi-tenant FortiClient Cloud fabric connectors in the GUI - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


l FortiClient multi-tenancy

FortiGate now supports connecting to a FortiClient Cloud instance registered under a FortiCloud sub-OU in the GUI.

This feature is an extension of a 7.4.4 CLI-based feature. See Support multi-tenant FortiClient
Cloud fabric connectors for more information on scope and troubleshooting.


Example

In this example, a FortiGate will connect to different FortiClient Cloud instances between the Global EMS connector, root
and vdom1.

To connect to different FortiClient Cloud instances in the GUI:

1. Obtain the access key from FortiClient Cloud by going to FortiCloud > FortiClient Cloud.
2. Click Access Key and switch to the FortiGate Access Key tab.
3. Click Create New Key to generate a new key.

4. Repeat this for another FortiClient Cloud instance to be applied to vdom1.


5. On the FortiGate with multi-vdom enabled, go to Global.
a. Go to Security Fabric > Fabric Connectors.
b. Edit the FortiClient EMS connector.
c. Set Status to Enabled.
d. Set Type to FortiClient EMS Cloud.
e. Set Name to Cloud_EMS_Global.
f. Set Connect via to FortiCloud Account.
g. Click OK to save. Verify the certificate when prompted and continue saving the settings.


6. Switch to the root vdom.


a. Go to Security Fabric > Fabric Connectors.
b. Edit the FortiClient EMS connector.
c. Set Status to Enabled.
d. Set Type to FortiClient EMS Cloud.
e. Set Name to cloud_ems_root.
f. Set Access key to the key retrieved from FortiClient Cloud.
g. Click OK to save.

7. Repeat the same steps above for vdom1.

Generic connector for importing addresses - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:


l Generic connector for importing addresses


This feature allows for seamless integration with any third-party database using a JSON based REST API. Each JSON
entry is converted into an address object on the FortiGate, which can be used in policies like any other address.
Each dynamic firewall address can parse up to 100,000 IP addresses and 3,000 MAC addresses. IPv6 addresses are
not supported.
When VDOMs are enabled, a generic connector that is created in the Global VDOM must have g- prepended to its
name. The connector and imported addresses are synchronized to all VDOMs. A generic connector that is created in a
specific VDOM is not synchronized to other VDOMs, and the address objects are only imported to that VDOM.
When VDOMs are not enabled, generic connectors cannot use the g- prefix in their name.

External feed update method example

In this example, the FortiGate pulls updates from an external resource: a REST API interface created using JSONBIN.io.

To create the REST API interface:

1. Go to JSONBIN.io and click Quick Create JSON.


2. Enter a name for the JSON file and select when it expires.
3. Copy in the following JSON then click Create Bin:
{
    "addresses": [
        {
            "name": "ip_address",
            "value": [
                "172.16.200.1-172.16.200.254",
                "192.168.4.1-192.168.4.254"
            ],
            "description": "generic object IP Address"
        },
        {
            "name": "mac_address",
            "value": [
                "00:0c:29:1b:40:c9",
                "00:0c:29:f6:0d:49",
                "00:0c:29:63:40:09"
            ],
            "description": "generic object MAC Address"
        }
    ]
}

4. Copy the generated Access URL.

To create and test a generic connector that uses the external feed update method in the GUI:

1. On the FortiGate, go to Security Fabric > External Connectors and click Create New.
2. Enter a name for the connector, such as gen_obj_range.
3. Set Update method to External feed.
4. Set the URL of external resource to the Access URL copied from JSONBIN.io.
5. In the JSON Mapping, change the Path to address object to record.addresses.


6. Click OK.
The connector imports the IP and MAC addresses and automatically creates address objects on the FortiGate. The
address object names are a combination of the connector name and the name of the content, for example
gen_obj_range_ip_address.

7. Edit the address object then select View Matched Addresses from the right side bar, or hover over the object name
then select View Matched Addresses in the popup message.


To create a generic connector that uses the external feed update method in the CLI:

1. Create the generic connector:


config system external-resource
edit "gen_obj_range"
set type generic-address
set namespace "gen_obj_range"
set object-array-path "$.record.addresses"
set resource "https://api.jsonbin.io/v3/qs/6748a04dacd3cb34a8b09811"
next
end

2. Check the matched IP addresses:


# show firewall address gen_obj_range_ip_address
config firewall address
edit "gen_obj_range_ip_address"
set uuid 711443a0-a6cc-51ef-9a0c-0db7194a28d7
set type dynamic
set sub-type external-resource
set comment "generic object IP Address"
set obj-tag "ip_address"
set tag-type "classification"
next
end
# diagnose firewall dynamic list gen_obj_range_ip_address
CMDB name: gen_obj_range_ip_address
gen_obj_range_ip_address: ID(88)
RANGE(172.16.200.1-172.16.200.254)
RANGE(192.168.4.1-192.168.4.254)
Total IP dynamic range blocks: 2.
Total IP dynamic addresses: 508.

3. Check the matched MAC addresses:


# show firewall address gen_obj_range_mac_address
config firewall address
edit "gen_obj_range_mac_address"
set uuid 7114802c-a6cc-51ef-c4d3-c98a769ccf33
set type dynamic
set sub-type external-resource
set comment "generic object MAC Address"
set obj-tag "mac_address"
set obj-type mac


set tag-type "classification"
next
end
# diagnose firewall dynamic list gen_obj_range_mac_address
CMDB name: gen_obj_range_mac_address
gen_obj_range_mac_address: ID(220)
MAC(00:0c:29:1b:40:c9)
MAC(00:0c:29:f6:0d:49)
MAC(00:0c:29:63:40:09)
Total MAC dynamic addresses: 3.

Push API update method example

In this example, an external resource update is pushed to the FortiGate through the FortiGate's REST API. A Linux PC is
connected to the FortiGate and used as the external resource.

To create and test a generic connector that uses the push API update method in the GUI:

1. On the FortiGate, go to Security Fabric > External Connectors and click Create New.
2. Enter a name for the connector, such as gen_push_range.
3. Set Update method to Push API.

4. Click OK.
The External Feed Push API Information pane opens.


5. Copy the Sample cURL request and edit the entries, such as API key, IP Address, and so on.
In this example, the cURL request is:
curl -k -X POST -H 'Authorization: Bearer xxxxxxxxxxx' --data '{"mkey": "gen_push_range", "data": {"addresses":[{"name":"ip_address","value":["172.16.200.1-172.16.200.254","192.168.4.1-192.168.4.254"],"description":"generic object IP Address"},{"name":"mac_address","value":["00:0c:29:1b:40:c9","00:0c:29:f6:0d:49","00:0c:29:63:40:09"],"description":"generic object MAC Address"}]}}' "https://172.16.116.210:48182/api/v2/monitor/system/external-resource/generic-address"

6. Send the JSON request to the FortiGate through the Linux PC.
The connector imports the IP and MAC addresses and automatically creates address objects on the FortiGate. The
address object names are a combination of the connector name and the name of the content, for example
gen_push_range_ip_address.

7. Edit the address object then select View Matched Addresses from the right side bar, or hover over the object name
then select View Matched Addresses in the popup message.


To create and test a generic connector that uses the push API update method in the CLI:

1. Create the generic connector:


config system external-resource
edit "gen_push_range"
set type generic-address
set namespace "gen_push_range"
set update-method push
set comments "test gen_push_range"
next
end

2. Send the JSON request to the FortiGate through the Linux client used in this example.
curl -k -X POST -H 'Authorization: Bearer xxxxxxxxxxx' --data '{"mkey": "gen_push_range", "data": {"addresses":[{"name":"ip_address","value":["172.16.200.1-172.16.200.254","192.168.4.1-192.168.4.254"],"description":"generic object IP Address"},{"name":"mac_address","value":["00:0c:29:1b:40:c9","00:0c:29:f6:0d:49","00:0c:29:63:40:09"],"description":"generic object MAC Address"}]}}' "https://172.16.116.210:48182/api/v2/monitor/system/external-resource/generic-address"

3. Check the matched IP addresses:


# show firewall address gen_push_range_ip_address
config firewall address
edit "gen_push_range_ip_address"
set uuid b2012094-ac5e-51ef-354d-cd13120322c4
set type dynamic
set sub-type external-resource
set comment "generic object IP Address"


set obj-tag "ip_address"
set tag-type "classification"
next
end
# diagnose firewall dynamic list gen_push_range_ip_address
CMDB name: gen_push_range_ip_address
gen_push_range_ip_address: ID(254)
RANGE(172.16.200.1-172.16.200.254)
RANGE(192.168.4.1-192.168.4.254)
Total IP dynamic range blocks: 2.
Total IP dynamic addresses: 508.

4. Check the matched MAC addresses:


# show firewall address gen_push_range_mac_address
config firewall address
edit "gen_push_range_mac_address"
set uuid b2015c62-ac5e-51ef-75ef-8bc7586e5238
set type dynamic
set sub-type external-resource
set comment "generic object MAC Address"
set obj-tag "mac_address"
set obj-type mac
set tag-type "classification"
next
end
# diagnose firewall dynamic list gen_push_range_mac_address
CMDB name: gen_push_range_mac_address
gen_push_range_mac_address: ID(98)
MAC(00:0c:29:1b:40:c9)
MAC(00:0c:29:f6:0d:49)
MAC(00:0c:29:63:40:09)
Total MAC dynamic addresses: 3.
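The following Python is an added example, not Fortinet code, that serves both the external feed and the push API examples above: it walks the object-array-path into a feed document, validates each entry against the limits stated earlier (IPv4 only, up to 100,000 IP addresses and 3,000 MAC addresses per dynamic address), reports the address objects the connector would create, and builds the body of the push request. The sample document is a constructed copy of the JSON used above inside the "record" envelope that the $.record.addresses path implies; the connector names and the MAC/IP classification heuristic are the example's own.

```python
import ipaddress
import json
import re
from typing import Any, Dict, List, Tuple

MAX_IPS = 100_000            # limits quoted in the feature description above
MAX_MACS = 3_000
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed sample: the JSON pasted into JSONBIN.io above, inside the
# "record" envelope that the object-array-path $.record.addresses walks through.
SAMPLE_RECORD: Dict[str, Any] = {"record": {"addresses": [
    {"name": "ip_address",
     "value": ["172.16.200.1-172.16.200.254", "192.168.4.1-192.168.4.254"],
     "description": "generic object IP Address"},
    {"name": "mac_address",
     "value": ["00:0c:29:1b:40:c9", "00:0c:29:f6:0d:49", "00:0c:29:63:40:09"],
     "description": "generic object MAC Address"},
]}}


def walk_path(doc: Any, path: str) -> List[Dict[str, Any]]:
    """Resolve a dotted object-array-path such as '$.record.addresses'."""
    node = doc
    for key in path.lstrip("$").strip(".").split("."):
        if key:
            node = node[key]
    if not isinstance(node, list):
        raise ValueError(f"{path} does not point at a JSON array")
    return node


def count_ipv4(value: str) -> int:
    """Hosts covered by one value entry: a host, a CIDR prefix or 'first-last'."""
    if "-" in value:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in value.split("-", 1))
        if hi < lo:
            raise ValueError(f"reversed range {value!r}")
        return int(hi) - int(lo) + 1
    return ipaddress.IPv4Network(value, strict=False).num_addresses


def validate_feed(doc: Any, path: str = "$.record.addresses",
                  connector: str = "gen_obj_range") -> Dict[str, Tuple[str, int]]:
    """Map each address object the connector would create to (kind, count)."""
    result: Dict[str, Tuple[str, int]] = {}
    for entry in walk_path(doc, path):
        obj_name = f"{connector}_{entry['name']}"
        values = entry["value"]
        if values and all(MAC_RE.match(v) for v in values):   # heuristic: all MACs
            if len(values) > MAX_MACS:
                raise ValueError(f"{obj_name}: {len(values)} MACs exceeds {MAX_MACS}")
            result[obj_name] = ("mac", len(values))
            continue
        total = 0
        for v in values:
            try:
                total += count_ipv4(v)
            except ipaddress.AddressValueError as exc:        # IPv6 or not an address
                raise ValueError(f"{obj_name}: unsupported address {v!r}") from exc
        if total > MAX_IPS:
            raise ValueError(f"{obj_name}: {total} hosts exceeds {MAX_IPS}")
        result[obj_name] = ("ip", total)
    return result


def push_payload(connector: str, doc: Any, path: str = "$.record.addresses") -> str:
    """Body for the POST to /api/v2/monitor/system/external-resource/generic-address."""
    return json.dumps({"mkey": connector, "data": {"addresses": walk_path(doc, path)}})
```

For the sample document the IP object resolves to 508 hosts, the same figure the diagnose firewall dynamic list output reports above, which makes this check a cheap way to confirm a feed before pointing a connector at it.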

Support mTLS client certification for threat feed connections - 7.6.1

Administrators can configure and define a trusted client certificate for mutual TLS (mTLS) authentication in the CLI. This
enhances security for the threat feed server when connecting to an HTTPS external resource.
During configuration of external resources, a client certificate can be configured that is signed and trusted by a remote
mTLS server. When the server asks for client certification upon connection, FortiOS will use the configured client
certificate in the TLS handshake process and pass the mTLS authentication.

To configure client certification mTLS:

config system external-resource
edit "mTLS"
set type address
set client-cert-auth enable
set client-cert <mTLS_client>
set resource <HTTPS external resource>
next
end


If FortiOS cannot provide the correct certificate, the server may choose to deny or accept the
connection based on its authentication protocol. Therefore, it is crucial to specify client
certificate authentication when connecting to an mTLS server. This requirement does not
apply if the server is not using mTLS.

Limitations

The client certificate must comply with standard mTLS certificate practice to properly configure the external resource.

GUI support for mTLS of threat feed connections - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l Configuring a threat feed

Administrators can configure and define a trusted client certificate for mutual TLS (mTLS) authentication in the GUI.
This feature is in addition to a previous feature implemented in FortiOS 7.6.1 that focused on the CLI configuration of
mTLS authentication. For more information on the purpose of this feature, see Support mTLS client certification for
threat feed connections 7.6.1 on page 586.

To configure client certification mTLS in the GUI:

1. Go to Security Fabric > External Connectors.


2. Click Create New.
3. Select External Feeds > IP Address.
4. Set the Status to Enabled.
5. Enable Client certificate authentication and select the mTLS client certificate from the dropdown list.

If the mTLS client certificate has not yet been created, click Create and proceed with the
configuration.

6. Configure other settings, as needed.


7. Click OK.

Logs related to the mTLS client certificate authentication can be found in Log & Report > System Events > Logs.

Enhancing FortiSandbox TLS security with CA and CN controls - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:


l Configuring sandboxing

FortiOS now supports controls for the CA (Certificate Authority) and CN (Common Name) fields of the FortiSandbox certificate.
Previously, FortiOS could not verify the FortiSandbox certificate, nor could it automatically retrieve the CN from a remote
FortiSandbox unit. Now, you can manually set a trusted CA and expected CN, or enable automatic CN retrieval through serial
number verification, to improve the security of the FortiSandbox TLS connection.

Only Fortinet CA certificates are supported. Third-party certificates are not supported.

FortiOS uses two methods with FortiSandbox: post-transfer and inline. Certificate checks and verification have only
been implemented for the post-transfer method.

New commands are available:

config system fortisandbox
set ca <string>
set cn <string>
set certificate-verification {enable | disable}
end

ca <string>
    Name of the CA used to sign remote FortiSandbox certificates. When set, the remote FortiSandbox certificate must
    be signed by this CA certificate. When not set, the CA is not checked.

cn <string>
    Case-sensitive name of the CN used for remote server certificates. When set, the remote FortiSandbox certificate
    CN field must exactly match this value. When not set, the CN is not checked.

certificate-verification {enable | disable}
    Enable/disable identity verification of FortiSandbox by use of certificate (default = enabled).

Manual configuration of CA and CN values for FortiSandbox is only available from the CLI.
Automatic certificate verification for FortiSandbox is available from the CLI and GUI.

Example 1: automatic certificate verification with correct SN

This example demonstrates the automatic certificate verification process, which is enabled by default. After the
IP address for FortiSandbox is configured in the fabric connector, FortiOS connects to FortiSandbox to retrieve and
display its serial number for verification. Once verified, FortiOS adds the serial number to the cn field.

To use automatic certificate verification in the CLI:

1. On FortiOS, enable FortiSandbox and configure its IP address:

config system fortisandbox
set status enable
set server "172.18.70.76"
end

2. After the message is displayed, type y to establish a connection and retrieve the FortiSandbox serial number:

In order to verify identity of FortiSandbox serial number is needed.
If serial number is not set, connection will be set as unverified and
access to local config and files will be accessible only with user name/password.
FortiGate can establish a connection to obtain the serial number now. Do you want to try
to connect now? (y/n)y

3. After FortiOS obtains the correct FortiSandbox serial number, type y to verify it:

Obtained serial number from X509 certificate of FortiSandbox is: FSA3KET321000049
Serial number from certificate MUST be the same as serial number observed in FortiSandbox.
If these two serial numbers don't match, connection will be dropped.
Please make sure the serial numbers are matching.
Do you confirm that this is the correct serial number? (y/n)y

FortiOS adds the serial number to the cn field.

4. Show the FortiSandbox settings to verify the CN field:

show system fortisandbox
config system fortisandbox
set status enable
set server "172.18.70.76"
set cn "FSA3KET321000049"
end

5. Check the FortiSandbox connection status:

# execute system fortisandbox test-connectivity
Reachable.

To use automatic certificate verification in the GUI:

1. Go to Security Fabric > Fabric Connectors, and double-click the Sandbox card to open it.
2. Set the following options, and click OK:
   • Set Status to Enabled.
   • Set Server to the IP address of FortiSandbox.
   A verification message is displayed.
3. Click Accept to verify the correct serial number.

The serial number is displayed beside Verify FortiSandbox certificate, and the Connection status is Connected.

4. View the event log:

date=2025-03-26 time=13:45:42 eventtime=1743021941319647848 tz="-0700"
logid="0110052002" type="event" subtype="security-rating" level="notice" vd="vdom1"
logdesc="Security Rating check result" msg="Security Rating check completed."
auditreporttype="coverage" checkname="FortiSandboxConfigured" result="pass"

Example 2: manual configuration of CN and CA fields

In this example, you correctly configure the CN and CA fields for the FortiSandbox certificate and disable certificate
verification. After FortiOS connects to FortiSandbox, the certificate is used to verify the FortiSandbox identity, and the
status is reachable (CLI) and connected (GUI).

To configure CN and CA fields in the CLI:

config system fortisandbox
set status enable
set server "172.18.70.76"
set ca "Fortinet_CA_Backup"
set cn "FSA3KET321000049"
set certificate-verification disable
end

To check FortiSandbox connection status:

• In the CLI, run the following command to view the Reachable status:

# execute system fortisandbox test-connectivity
Reachable

• In the GUI, go to Security Fabric > Fabric Connectors, and double-click the Sandbox card to open it. The
Connection status is Connected.

• View the fabric log:

date=2025-03-26 time=11:47:32 eventtime=1743014852850144618 tz="-0700"
logid="0110052002" type="event" subtype="security-rating" level="notice" vd="vdom1"
logdesc="Security Rating check result" msg="Security Rating check completed."
auditreporttype="coverage" checkname="FortiSandboxConfigured" result="pass"

Security ratings

This section includes information about security rating related new features:

• Enhanced security rating customization 7.6.1 on page 593

Enhanced security rating customization - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

• Security rating visibility

Security ratings tests that are not relevant can be hidden, streamlining the user experience by displaying only pertinent
information.

A Security Fabric is not required for this feature. If multiple FortiGates are in a Security Fabric, hidden security ratings
can be synchronized from the root FortiGate device to downstream FortiGate devices, or overridden locally on the
downstream devices.

To disable showing a security rating control in the default report:

1. Go to Security Fabric > Security Rating.
2. Find Unsecure Protocol - Telnet in the table, right-click on it, and select Report Visibility > Hide.

The Unsecure Protocol - Telnet control is no longer shown in the list.

3. Change the View to All to show the Unsecure Protocol - Telnet control in the table when Report Visibility is set to
Hide.

All hidden controls are then shown in the table.

To disable showing a security rating control as an insight across the GUI:

1. Go to Network > Interfaces.
2. Edit an interface to enable TELNET administrative access.
3. Click on the Security Rating Insights, or hover over the interface name to see the Unsecure Protocol - Telnet
warning.
4. Go to Security Fabric > Security Rating.
5. Find Unsecure Protocol - Telnet in the table, right-click on it, and select Insight Visibility > Hide.
6. Go to Network > Interfaces.
7. Click on the Security Rating Insights, or hover over the interface name to see that the Unsecure Protocol - Telnet
warning is no longer shown.

To configure security rating control in the CLI:

config system security-rating controls
edit <control name>
set display-report {enable | disable}
set display-insight {enable | disable}
next
end

display-report {enable | disable}
    Enable/disable displaying the Security Rating control in the default report (default = enable).

display-insight {enable | disable}
    Enable/disable displaying the Security Rating control as an insight across the GUI (default = enable).

Security rating control names are hidden in the CLI until they are configured.

To configure synchronizing security rating visibility settings on downstream devices in a Security Fabric:

config system csf
set configuration-sync {default | local}
end
config system security-rating settings
set override-sync {enable | disable}
end

configuration-sync {default | local}
    Configuration sync mode.
    • default: Synchronize configuration for IPAM, FortiAnalyzer, FortiSandbox, and Central Management to root node
      (default).
    • local: Do not synchronize configuration with root node.

override-sync {enable | disable}
    Enable/disable overriding Security Rating control settings that are synchronized from the Security Fabric's root
    FortiGate (default = disable).

When configuration-sync is set to local, the system security-rating settings command is not
available.

Unified OT virtual patching and IPS signatures - 7.6.1

Virtual patching now includes OT virtual patching and IPS signatures. This allows IPS signatures to be used in OT/IoT
vulnerability lookup and response, covering additional threats and vulnerabilities.

Virtual patching works by:

1. Collecting device information on connected devices.
2. Performing a vulnerability query through FortiGuard for device-specific vulnerabilities.
3. Retrieving and caching application signatures and mitigation rules for the device.
4. Applying the application rules on matched device traffic.

In the second step, FortiGuard now also returns signature IDs from the IPS database, which can match vulnerabilities
on most IT devices, such as Windows and Mac.

Examples

To demonstrate the flow of a virtual patching detection, an IPS signature (Eicar.Virus.Test.File (id=29844)) was added to
a demo FortiGuard server. This can be observed in the following debug output:

# diagnose ips share list otvp_cfgcache
10.1.100.11 f2:d7:39:5d:40:11 3 29844(ips) 10000673(n/a) 10000684

This cache output shows the cached response of an application rule that identifies the IPS signature 29844 as matching
the source device 10.1.100.11.

Traffic originating from this device (10.1.100.11) that matches signature 29844 will trigger the virtual patching profile or
the IPS profile, whichever is enabled in the firewall policy. This use case demonstrates that an OT virtual patching profile
can use an IPS signature for matching, and will either drop or reset the connection.

Note that rule 29844 is not valid on the production server; it is only for testing and demonstration purposes.

To configure the profiles and firewall:

config virtual-patch profile
edit "g-default"
set comment ''
set severity info low medium high critical
set action block
set log enable
next
end
config ips sensor
edit "test"
config entries
edit 1
set rule 29844
set status enable
next
end
next
end
config firewall policy
edit 1
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set nat enable
next
end

Example 1

If only the virtual patch profile is enabled in the firewall policy, its configuration takes effect and a virtual patch log is
generated.

To configure the firewall:

config firewall policy
edit 1
set virtual-patch-profile "g-default"
next
end

To check the log:

# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:40:09 eventtime=1731721208854825766 tz="+1200" logid="2400064600"
type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1"
severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1"
dstintfrole="undefined" sessionid=266 action="dropped" proto=6 service="HTTP" policyid=1
poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy"
attack="Eicar.Virus.Test.File" srcport=48970 dstport=80 hostname="172.16.200.55"
url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844
profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"

Example 2

If both the IPS sensor's and virtual patch profile's actions are set to block, the IPS sensor configuration takes effect and
an IPS log is generated.

To configure the IPS sensor and firewall:

config ips sensor
edit "test"
config entries
edit 1
set action block
next
end
next
end
config firewall policy
edit 1
set ips-sensor "test"
set virtual-patch-profile "g-default"
next
end

To check the log:

# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:43:03 eventtime=1731721383128922224 tz="+1200" logid="0419016384"
type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info"
srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved"
srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined"
sessionid=304 action="dropped" proto=6 service="HTTP" policyid=1
poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=32880
dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET"
direction="incoming" attackid=29844 profile="test"
ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237864 msg="file_transfer:
Eicar.Virus.Test.File"

Example 3

If the IPS sensor's action is pass and the virtual patch profile's action is block, the virtual patch profile configuration takes
effect and a virtual patch log is generated.

To configure the IPS sensor and firewall:

config ips sensor
edit "test"
config entries
edit 1
set action pass
next
end
next
end
config firewall policy
edit 1
set ips-sensor "test"
set virtual-patch-profile "g-default"
next
end

To check the log:

# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:50:24 eventtime=1731721824022513590 tz="+1200" logid="2400064600"
type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1"
severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55
dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1"
dstintfrole="undefined" sessionid=411 action="dropped" proto=6 service="HTTPS" policyid=1
poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy"
attack="Eicar.Virus.Test.File" srcport=37108 dstport=443 hostname="172.16.200.55"
url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844
profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"

Example 4

If only the IPS sensor is enabled, its configuration takes effect and an IPS log is generated.

To configure the IPS sensor and firewall:

config ips sensor
edit "test"
config entries
edit 1
set action reset
next
end
next
end
config firewall policy
edit 1
set ips-sensor "test"
next
end

To check the log:

# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.

1: date=2024-11-16 time=13:44:57 eventtime=1731721497986271293 tz="+1200" logid="0419016384"
type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info"
srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved"
srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined"
sessionid=345 action="reset" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-
3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=39416
dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET"
direction="incoming" attackid=29844 profile="test"
ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237865 msg="file_transfer:
Eicar.Virus.Test.File"
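As an added example that is not part of this guide, the following Python parses FortiOS key=value UTM records such as the four above and reports whether the IPS sensor or the virtual patching profile acted; the same parser works for the other key=value logs in this guide. The precedence encoded in expected_layer is an assumption derived only from Examples 1 to 4, and the two sample records are constructed, trimmed copies of the Example 1 and Example 4 logs.

```python
"""Parse FortiOS key=value UTM log records and report whether the IPS sensor
or the OT virtual patching profile acted on a session (added example)."""
import re
from typing import Dict, Optional

# One key=value pair: a double-quoted value may contain spaces, '=' and ':';
# a bare value runs to the next whitespace.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# 'execute log filter category' numbers used on this page.
LOG_CATEGORY = {"virtual-patch": 24, "ips": 4}


def parse_record(text: str) -> Dict[str, str]:
    """Parse one record (possibly wrapped over several lines) into a dict.
    Line breaks count as whitespace, so CLI output can be pasted unchanged;
    the leading 'N: ' index printed by 'execute log display' is dropped."""
    flat = re.sub(r"^\d+:\s*", "", " ".join(text.split()))
    fields: Dict[str, str] = {}
    for key, val in _KV.findall(flat):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def enforcement_layer(rec: Dict[str, str]) -> Dict[str, object]:
    """Summarise which profile acted. subtype virtual-patch means the virtual
    patching profile did, subtype ips means the IPS sensor did; a virtual
    patch hit taken from the IPS database says so in its msg field."""
    subtype = rec.get("subtype")
    if subtype not in LOG_CATEGORY:
        raise ValueError(f"not an IPS or virtual-patch record: {subtype!r}")
    return {
        "layer": subtype,
        "category": LOG_CATEGORY[subtype],
        "profile": rec.get("profile", ""),
        "attackid": rec.get("attackid", ""),
        "attack": rec.get("attack", ""),
        "action": rec.get("action", ""),
        "srcip": rec.get("srcip", ""),
        "signature_from_ips_db": "signature is from IPS DB" in rec.get("msg", ""),
    }


def expected_layer(ips_action: Optional[str], vpatch_enabled: bool) -> str:
    """Predict which layer logs a hit on a signature both profiles know.
    Assumption: the precedence is taken only from Examples 1 to 4 above:
      only the virtual patch profile         -> virtual-patch (Example 1)
      IPS block or reset + virtual patch     -> ips           (Example 2)
      IPS pass + virtual patch block         -> virtual-patch (Example 3)
      only the IPS sensor                    -> ips           (Example 4)"""
    if ips_action is None:
        if not vpatch_enabled:
            raise ValueError("neither an IPS sensor nor a virtual patch profile is set")
        return "virtual-patch"
    if not vpatch_enabled:
        return "ips"
    return "virtual-patch" if ips_action == "pass" else "ips"


# Constructed samples: trimmed copies of the Example 1 and Example 4 records.
VPATCH_LOG = """\
1: date=2024-11-16 time=13:40:09 eventtime=1731721208854825766 tz="+1200" logid="2400064600"
type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1"
severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55
dstintf="port1" sessionid=266 action="dropped" proto=6 service="HTTP" policyid=1
poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" attack="Eicar.Virus.Test.File"
srcport=48970 dstport=80 url="/virus/eicar" agent="curl/7.61.1" attackid=29844
profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"
"""

IPS_LOG = """\
1: date=2024-11-16 time=13:44:57 eventtime=1731721497986271293 tz="+1200" logid="0419016384"
type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info"
srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved"
sessionid=345 action="reset" proto=6 service="HTTP" policyid=1
attack="Eicar.Virus.Test.File" srcport=39416 dstport=80 url="/virus/eicar"
attackid=29844 profile="test" incidentserialno=156237865 msg="file_transfer: Eicar.Virus.Test.File"
"""

if __name__ == "__main__":
    for raw in (VPATCH_LOG, IPS_LOG):
        s = enforcement_layer(parse_record(raw))
        print(f"{s['layer']:<13} category={s['category']:<2} profile={s['profile']:<9} "
              f"attackid={s['attackid']} action={s['action']} "
              f"from_ips_db={s['signature_from_ips_db']}")
```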

General

This section includes information about general Security Fabric related new features:

• Enhanced security visibility for IoT/OT vulnerabilities 7.6.1 on page 600

Enhanced security visibility for IoT/OT vulnerabilities - 7.6.1

This information is also available in the FortiOS 7.6 Administration Guide:

• KEV information in IoT/OT vulnerabilities


Known Exploited Vulnerabilities (KEVs) information is added to IoT/OT vulnerabilities in the user/device store. KEV
counts and warnings are displayed in the Assets widget on the Asset & Identities dashboard, enhancing security
visibility.

To enable device detection for IoT/OT devices, device identification must be enabled on the interface and utm-status
must be enabled in the firewall policy:

config system interface
edit <interface>
set device-identification enable
next
end
config firewall policy
edit <policy ID>
set utm-status enable
next
end

Example

When Ubuntu is updated and upgraded from an older version, like 18.04, using the sudo apt-get update && sudo
apt-get -y upgrade command, OT device information is logged in an appctrl log and sent to WAD:

1: date=2024-11-15 time=10:00:53 eventtime=1731621653528292983 tz="+1200" logid="1059028704"
type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1"
appid=10000501 srcip=10.1.100.11 srccountry="Reserved" dstip=91.189.91.81 dstcountry="United
States" srcport=37186 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1"
dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1
poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" sessionid=1469
applist="g-default" action="pass" appcat="OT" app="Canonical.Ubuntu"
hostname="ca.archive.ubuntu.com" incidentserialno=170919395
url="/ubuntu/dists/bionic/InRelease" agent="Debian APT-HTTP/1.3 (1.6.17)" httpmethod="GET"
msg="OT: Canonical.Ubuntu" clouddevice="Vendor=Canonical, Product=Ubuntu, Version=18.04"
apprisk="low"

WAD then sends a device query to FortiGuard to retrieve the vulnerability list for this OT device. The KEV information is
included in the vulnerability list and can be viewed in the GUI and CLI.

To view the KEV information in the GUI:

1. Go to Dashboard > Assets & Identities.
2. Expand the Assets widget. The KEV vulnerabilities are shown in the Vulnerabilities column:

3. Hover over the device name. In the tooltip, a Known Exploited Vulnerabilities detected label is added when KEVs
are detected for IoT/OT:

4. Hover over the vulnerabilities. In the tooltip, the CVEs in KEV category field shows the number of potential KEVs
detected by the FortiGuard IoT/OT service:

5. In the tooltip, click View vulnerabilities to open the Asset Details pane on the Vulnerabilities tab and select IoT/OT.
A KEV label is shown as a critical severity label next to the CVE-ID in the Reference column, and a KEV column can
be added to show if a vulnerability has a KEV.

To view the KEV information in the CLI:

# diagnose user-device-store device memory list

Record #1:
device_info
'ipv4_address' = '10.1.100.11'
'mac' = 'f2:d7:39:5d:40:11'
'hardware_type' = 'Unknown'
'vdom' = 'vd1'
'os_name' = 'Ubuntu'
'hostname' = 'PC01'
'last_seen' = '1731621105'
'host_src' = 'mwbs'
'unjoined_forticlient_endpoint' = 'false'
'is_online' = 'false'
'active_start_time' = '1731612432'
'is_fortiguard_src' = 'false'
'purdue_level' = '3'
'iot_vuln_count' = '200'
'iot_kev_count' = '1'
'max_vuln_level' = 'High'
'total_vuln_count' = '200'
'device_type' = 'OT'
'generation' = '16'
interface_info
'ipv4_address' = '10.1.100.11'
'mac' = 'f2:d7:39:5d:40:11'
'master_mac' = 'f2:d7:39:5d:40:11'
'detected_interface' = 'port2'
'last_seen' = '1731621105'
'is_master_device' = 'true'
'is_detected_interface_role_wan' = 'false'
'detected_interface_fortitelemetry' = 'false'
'is_online' = 'false'
'is_fortiguard_src' = 'false'
iot_info
'vendor' = 'Canonical'
'product' = 'Ubuntu'
'version-min' = '18.04'
'validity' = 'true'
'outdated' = 'false'
'db_date_updated' = '2024-11-14T20:40:07'
'kev_db_date_released' = '2024-11-14T18:00:41'
iot_vulnerability
'vulnerability_id' = '944608'
'severity' = '3'
'type' = 'Resource Management Errors'
'description' = 'It was discovered that a nft object or expression could
reference a nft set on a different nft table, leading to a use-after-free once that table
was deleted.'
'references' = 'CVE-2022-2586'
'kevs' = 'CVE-2022-2586'
'date_added' = '2024-01-15T09:00:30'
'date_updated' = '2024-01-15T09:00:30'
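As an added example that is not part of this guide, the following Python parses the device store output shown above and lists, per device, the vulnerabilities FortiGuard tagged as KEVs so they can be triaged first. The sample record is a constructed, trimmed copy of the one above plus one made-up entry without a KEV tag, and the assumption that the kevs field holds one or more CVE ids separated by commas or spaces is mine.

```python
"""Parse 'diagnose user-device-store device memory list' output and pull out
the IoT/OT vulnerabilities that FortiGuard tagged as Known Exploited
Vulnerabilities (KEVs), so they can be triaged first (added example)."""
import re
from typing import Dict, List

_RECORD = re.compile(r"^Record #(\d+):")
_SECTION = re.compile(r"^\s*([a-z_]+)\s*$")          # device_info, iot_info, ...
_KV = re.compile(r"^\s*'([^']+)'\s*=\s*'(.*)$")      # 'key' = 'value ...


def parse_device_store(text: str) -> List[Dict]:
    """Return one dict per record keyed by section name. iot_vulnerability
    sections are collected in a list (a device can have many), and values
    wrapped over several lines, such as long descriptions, are rejoined."""
    records: List[Dict] = []
    current: Dict[str, str] = {}
    open_key = None      # key whose quoted value has not been closed yet
    for line in text.splitlines():
        if not line.strip():
            continue
        if _RECORD.match(line):
            records.append({"iot_vulnerability": []})
            current, open_key = {}, None
            continue
        if open_key is not None:         # continuation of a wrapped value
            piece = line.strip()
            closed = piece.endswith("'")
            current[open_key] += " " + (piece[:-1] if closed else piece)
            if closed:
                open_key = None
            continue
        if not records:                  # skip the command echo before Record #1
            continue
        m = _KV.match(line)
        if m:
            key, val = m.groups()
            closed = val.endswith("'")
            current[key] = val[:-1] if closed else val
            open_key = None if closed else key
            continue
        m = _SECTION.match(line)
        if m:
            if m.group(1) == "iot_vulnerability":
                current = {}
                records[-1]["iot_vulnerability"].append(current)
            else:
                current = records[-1].setdefault(m.group(1), {})
    return records


def kev_findings(records: List[Dict]) -> List[Dict[str, str]]:
    """One row per (device, KEV CVE). Assumption: kevs holds one or more CVE
    ids separated by commas or whitespace."""
    rows: List[Dict[str, str]] = []
    for rec in records:
        dev = rec.get("device_info", {})
        for vuln in rec["iot_vulnerability"]:
            for cve in re.split(r"[,\s]+", vuln.get("kevs", "")):
                if cve:
                    rows.append({
                        "ipv4_address": dev.get("ipv4_address", ""),
                        "hostname": dev.get("hostname", ""),
                        "cve": cve,
                        "severity": vuln.get("severity", ""),
                        "vulnerability_id": vuln.get("vulnerability_id", ""),
                    })
    return rows


# Constructed sample: trimmed copy of the record above plus a made-up
# second vulnerability entry that carries no KEV tag.
SAMPLE = """\
# diagnose user-device-store device memory list

Record #1:
    device_info
        'ipv4_address' = '10.1.100.11'
        'os_name' = 'Ubuntu'
        'hostname' = 'PC01'
        'iot_kev_count' = '1'
        'device_type' = 'OT'
    iot_info
        'vendor' = 'Canonical'
        'product' = 'Ubuntu'
    iot_vulnerability
        'vulnerability_id' = '944608'
        'severity' = '3'
        'type' = 'Resource Management Errors'
        'description' = 'It was discovered that a nft object or expression could
reference a nft set on a different nft table, leading to a use-after-free once that table
was deleted.'
        'references' = 'CVE-2022-2586'
        'kevs' = 'CVE-2022-2586'
    iot_vulnerability
        'vulnerability_id' = '900001'
        'severity' = '2'
        'type' = 'Constructed placeholder entry'
        'description' = 'Made-up entry with no KEV tag.'
        'references' = 'CVE-0000-0000'
"""

if __name__ == "__main__":
    for row in kev_findings(parse_device_store(SAMPLE)):
        print(row)
```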


Log and report

This section includes information about logging and reporting related new features:

• Logging on page 605

Logging

This section includes information about logging related new features:

• Logging MAC address flapping events on page 605
• Non-management VDOMs send logs to both global and vdom-override syslog servers on page 606
• Logging message IDs on page 610
• Incorporating endpoint device data in the web filter UTM logs on page 612
• Set the source interface for syslog and NetFlow settings on page 613
• Logging detection of duplicate IPv4 addresses on page 616
• Logging local traffic per local-in policy on page 621
• Logs generated when starting and stopping packet capture and TCP dump operations on page 627

Logging MAC address flapping events

This information is also available in the FortiOS 7.6 Administration Guide:

• Logging MAC address flapping events

FortiOS logs MAC address flapping events when a device’s MAC address is learned on different interfaces within the
MAC address table in transparent mode. The log provides comprehensive details about the event, such as the specific
MAC address involved, the ports where the flapping occurred, and the exact time of the event. This enhancement assists
network administrators in quickly identifying and addressing related issues, thereby enhancing network stability and
performance.

Example

In this example, the end user initiates internet traffic from PC1, which has an authentic MAC address. Subsequently, the
user generates internet traffic from PC2 using a packet manipulation tool, such as Scapy, but with the spoofed MAC
address of PC1. This event is successfully identified and logged by FortiGate running in transparent (TP) mode.


To view the logs:

# execute log filter category 1
# execute log filter start-line 1
# execute log display

36 logs found.
10 logs returned.
1: date=2024-03-26 time=14:05:33 eventtime=1711487133347757075 tz="-0700" logid="0100022970"
type="event" subtype="system" level="information" vd="vdom1" logdesc="MAC flapping"
service="kernel" mac="00:0c:29:90:21:c3" src_int="port1" msg="The incoming port of MAC
address 00:0c:29:90:21:c3 has been switched from port2 to port1"
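As an added example (not FortiOS code), the following Python models the transparent-mode check that produces the log above: it learns each MAC on an ingress port, emits an event with the same message wording when that MAC arrives on another port, and, with an assumed window and threshold of its own, separates a one-off move from an address that keeps bouncing between ports as in the spoofed-MAC scenario. The sample frames are constructed.

```python
"""Detect MAC address flapping from learned (timestamp, MAC, ingress port)
observations, modelling the transparent-mode MAC table check behind the
'MAC flapping' event log above (added example, not FortiOS code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class FlapEvent:
    ts: float
    mac: str
    old_port: str
    new_port: str

    def message(self) -> str:
        # Same wording as the msg field of the FortiOS event log.
        return (f"The incoming port of MAC address {self.mac} has been "
                f"switched from {self.old_port} to {self.new_port}")


class MacTable:
    """Learn each MAC on one port and report when it shows up on another.

    window and threshold are assumptions of this example, not FortiOS
    settings: a MAC that moved at least `threshold` times inside `window`
    seconds is reported as flapping, which separates a host that was
    re-cabled once from an address that keeps bouncing between ports.
    """

    def __init__(self, window: float = 60.0, threshold: int = 2) -> None:
        self.window = window
        self.threshold = threshold
        self.port_of: Dict[str, str] = {}
        self.moves: Dict[str, Deque[float]] = defaultdict(deque)

    def _expire(self, mac: str, now: float) -> Deque[float]:
        q = self.moves[mac]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def learn(self, ts: float, mac: str, port: str) -> Optional[FlapEvent]:
        """Record a frame; return a FlapEvent if the MAC changed port."""
        mac = mac.lower()
        prev = self.port_of.get(mac)
        self.port_of[mac] = port
        if prev is None or prev == port:
            return None
        self._expire(mac, ts).append(ts)
        return FlapEvent(ts, mac, prev, port)

    def is_flapping(self, mac: str, now: float) -> bool:
        return len(self._expire(mac.lower(), now)) >= self.threshold


def detect_flaps(frames: List[Tuple[float, str, str]]) -> Tuple[List[FlapEvent], List[str]]:
    """Replay observations; return the port-switch events and the MACs that
    are still flapping at the end of the capture."""
    table = MacTable()
    events = [ev for ev in (table.learn(*f) for f in frames) if ev is not None]
    end = frames[-1][0] if frames else 0.0
    flapping = sorted(m for m in table.port_of if table.is_flapping(m, end))
    return events, flapping


# Constructed sample: PC1 (00:0c:29:90:21:c3) is behind port2; frames carrying
# the same source MAC then start arriving on port1, as in the scenario above.
SAMPLE_FRAMES: List[Tuple[float, str, str]] = [
    (0.0, "00:0c:29:90:21:c3", "port2"),
    (1.0, "00:0c:29:90:21:c3", "port2"),
    (5.0, "00:0c:29:90:21:c3", "port1"),   # first switch: port2 -> port1
    (6.0, "00:0c:29:90:21:c3", "port2"),
    (7.0, "00:0c:29:90:21:c3", "port1"),
    (8.0, "00:0c:29:aa:bb:cc", "port3"),   # unrelated host that never moves
]

if __name__ == "__main__":
    evs, flapping = detect_flaps(SAMPLE_FRAMES)
    for ev in evs:
        print(f"t={ev.ts:4.1f} {ev.message()}")
    print("flapping MACs:", flapping)
```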

Non-management VDOMs send logs to both global and vdom-override syslog servers

This information is also available in the FortiOS 7.6 Administration Guide:

• Configuring syslog overrides for VDOMs

FortiOS can now send logs from non-management VDOMs to both global and VDOM-override syslog servers.
Previously, configuring an override syslog server under a non-management VDOM would halt the transmission of logs to
the global syslog server. The new update ensures uninterrupted log transmission to the global server, enhancing the log
management experience.

The config log syslogd override-setting command includes a new option:

config log syslogd override-setting
set use-management-vdom {enable | disable}
end

set use-management-vdom {enable | disable}
    Enable/disable use of management VDOM as source VDOM for logs sent to syslog server.
    • enable: Send logs through the management VDOM.
    • disable: Do not send logs through the management VDOM.

When use-management-vdom is enabled under a non-management VDOM, only the management VDOM is used to
forward logs to configured syslog servers. Non-management VDOM override syslog servers must be reachable through
the management VDOM.


Example

This example covers the following scenarios:

• Non-management VDOM with use-management-vdom disabled on page 607
• Non-management VDOM with use-management-vdom enabled on page 608
• Non-management VDOM with mix of use-management-vdom enabled and disabled on page 609

All scenarios use the following IP addresses:

• Global syslog server: 10.6.30.22
• Root VDOM gateway: 192.168.5.254
• Management VDOM (vdom1) gateway: 172.16.200.254

Non-management VDOM with use-management-vdom disabled

In this example, a global syslog server is enabled. For the root VDOM, an override syslog server is enabled with
use-management-vdom disabled. For the management VDOM, an override syslog server is enabled. With this
configuration, logs are sent to the following locations:

• All VDOMs, except the root and management VDOMs, send logs to the global syslog server (10.6.30.22).
• The root VDOM sends logs to its override syslog server at 192.168.5.44.
• The management VDOM sends logs to its override syslog server at 172.16.200.55.

To configure syslog servers:

1. Enable the global syslog server:

config log syslogd setting
set status enable
set server "10.6.30.22"
set facility local6
end

2. For the root VDOM, enable an override syslog server and disable use-management-vdom:

config log syslogd override-setting
set status enable
set server "192.168.5.44"
set use-management-vdom disable
set facility local6
end

3. For the management VDOM (vdom1), enable an override syslog server:

config log syslogd override-setting
set status enable
set server "172.16.200.55"
set facility local6
end

Non-management VDOM with use-management-vdom enabled

In this example, a global syslog server is enabled. For the root VDOM, an override syslog server and
use-management-vdom are enabled. For the management VDOM, two override syslog servers are enabled. With this
configuration, logs are sent to the following locations:

• All VDOMs, except root and management VDOMs, send logs to the global syslog server (10.6.30.22).
• The root VDOM cannot send logs to syslog servers because the servers are not reachable through the
management VDOM.
  To send logs to 192.168.5.44, set use-management-vdom to disable for the root VDOM. Alternately, configure the
  root VDOM to use an override syslog server that is reachable through the management VDOM.
• The management VDOM sends logs to the override syslog server at 172.16.200.55.

To configure syslog servers:

1. Enable the global syslog server:

config log syslogd setting
set status enable
set server "10.6.30.22"
set facility local6
end

2. For the root VDOM, enable an override syslog server and enable use-management-vdom:

config log syslogd override-setting
set status enable
set server "192.168.5.44"
set use-management-vdom enable
set facility local6
end

3. For the management VDOM, enable an override syslog server:

config log syslogd override-setting
set status enable
set server "172.16.200.55"
set facility local6
end

Non-management VDOM with mix of use-management-vdom enabled and disabled

In this example, a global syslog server is enabled. For the root VDOM, three override syslog servers are enabled with a
mix of use-management-vdom set to enabled and disabled. For the management VDOM, an override syslog
server is enabled. With this configuration, logs are sent from non-management VDOMs to both global and VDOM-
override syslog servers. The logs are sent to the following locations:

• All VDOMs, except the root and management VDOMs, send logs to the global syslog server (10.6.30.22).
• The root VDOM sends logs to the following syslog servers:
  • For syslogd, logs are sent to the root VDOM override server at 192.168.5.44 because use-management-vdom
    is disabled.
  • For syslogd2, logs are sent through the management VDOM to the root VDOM override server at
    172.16.200.55 and to the syslog server reachable by the management VDOM because use-management-vdom
    is enabled.
  • For syslogd3, logs are sent through the management VDOM to the root VDOM override syslog server at
    10.6.30.22 and to the syslog server reachable by the management VDOM because use-management-vdom
    is enabled.
• The management VDOM (vdom1) sends logs to the override syslog server at 172.16.200.55.

To configure syslog servers:

1. Enable the global syslog server:

config log syslogd setting
set status enable
set server "10.6.30.22"
set facility local6
end

2. For root, configure three override syslog servers:

a. For syslogd, enable an override syslog server and disable use-management-vdom:

config log syslogd override-setting
set status enable
set server "192.168.5.44"
set use-management-vdom disable
set facility local6
end

b. For syslogd2, enable an override syslog server and enable use-management-vdom:

config log syslogd2 override-setting
set status enable
set server "172.16.200.55"
set use-management-vdom enable
set facility local6
end

c. For syslogd3, enable an override syslog server and enable use-management-vdom:

config log syslogd3 override-setting
set status enable
set server "10.6.30.22"
set use-management-vdom enable
end

3. For the management VDOM, configure an override syslog server:

config log syslogd override-setting
set status enable
set server "172.16.200.55"
set facility local6
end

Logging message IDs

This information is also available in the FortiOS 7.6 Administration Guide:

• Message ID in UTM logs

FortiOS can now log the message ID (messageid) field in UTM logs under the email filter, file filter, and DLP subtypes.
The message ID can be used with FortiMail to locate an undesired email. The message ID can also be used with
FortiAnalyzer to trace the email and locate the device that sent the undesired traffic.

To view the message ID:

1. Go to Log & Report > Security Events and select Logs.
2. Set the filters to display the email filter, file filter, or DLP subtypes. In this example, the Anti-Spam and Disk filters are
set to display an entry with the Message ID field.


3. Select the log, and click Details. The Message ID field is displayed.

Following are examples of the message ID (messageid) field in email filter, file filter, and DLP logs:

• Email filter logs:

1: date=2024-05-27 time=15:20:30 eventtime=1716848430551966694 tz="-0700"
logid="0512020481" type="utm" subtype="emailfilter" eventtype="email"
level="information" vd="vdom1" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6"
policytype="policy" sessionid=162 srcip=10.1.100.22 srcport=41344 srccountry="Reserved"
srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26"
dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17"
dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6
service="SMTP" profile="730866" action="log-only" from="[email protected]"
to="[email protected]" sender="[email protected]"
recipient="[email protected]" messageid="<20240527222030.000384@spam_pc1>"
direction="outgoing" msg="general email log" subject="testcase215001" size="246"
attachment="no"

l File filter logs:
1: date=2024-05-27 time=18:52:21 eventtime=1716861141191537397 tz="-0700"
logid="1900064001" type="utm" subtype="file-filter" eventtype="file-filter"
level="notice" vd="vdom1" policyid=1 poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6"
policytype="policy" sessionid=536 srcip=10.1.100.22 srcport=55966 srccountry="Reserved"
srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26"
dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17"
dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6
service="SMTP" profile="msgId_test" direction="outgoing" action="log-only"
from="[email protected]" to="[email protected]"
sender="[email protected]" recipient="[email protected]"
messageid="<20240528015221.001679@spam_pc1>" subject="703400" attachment="no"
rulename="bannedFiles" filesize=105749 filetype="jpeg" msg="File was detected by file
filter."


l DLP logs:
1: date=2024-05-28 time=11:59:50 eventtime=1716922790136310107 tz="-0700"
logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1"
ruleid=1 rulename="test_exe" dlpextra="Sensor 'test' matching any: ('Test-Dictionary'=1)
>= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1
poluuid="12c1682e-18a5-51ef-dc3d-459a4231c9e6" policytype="policy" sessionid=1976
epoch=1523674618 eventid=2 srcip=10.1.100.22 srcport=52998 srccountry="Reserved"
srcintf="port21" srcintfrole="undefined" srcuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26"
dstip=172.16.200.55 dstport=25 dstcountry="Reserved" dstintf="port17"
dstintfrole="undefined" dstuuid="f29a920a-18a4-51ef-4fca-8c6dc5db9e26" proto=6
service="SMTP" filetype="N/A" direction="outgoing" action="block"
from="[email protected]" to="[email protected]"
sender="[email protected]" recipient="[email protected]"
messageid="<20240528185950.007871@spam_pc1>" subject="731047" attachment="no"
profile="testing"
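The key=value layout of these records is easy to mis-parse, because quoted values such as dlpextra contain spaces, '=' and '>' characters. The following Python is an added example (not code from this guide or from Fortinet): it parses records of this shape and indexes them by messageid, so that a message flagged by the email filter, file filter or DLP can be traced back to the host and interface that sent it. The sample records are constructed from the fields shown above, with placeholder email addresses.

```python
import re
from collections import defaultdict

# One key=value field: the value is either a double-quoted string (which may
# contain spaces, '=' and '>') or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS log record into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def index_by_message_id(lines):
    """Group UTM verdicts by messageid so one email can be traced across subtypes."""
    index = defaultdict(list)
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("type") != "utm" or not rec.get("messageid"):
            continue  # event/traffic logs and UTM logs without a message ID are skipped
        index[rec["messageid"]].append({
            "subtype": rec.get("subtype"),
            "action": rec.get("action"),
            "srcip": rec.get("srcip"),
            "srcintf": rec.get("srcintf"),
            "sender": rec.get("sender"),
        })
    return dict(index)


def blocked_message_ids(lines):
    """Message IDs that at least one UTM profile blocked (the ones to look up in FortiMail)."""
    return sorted(mid for mid, hits in index_by_message_id(lines).items()
                  if any(h["action"] == "block" for h in hits))


# Constructed sample records, trimmed to the fields that matter here; the
# message IDs follow the page's examples, the email addresses are placeholders.
SAMPLE_LOGS = [
    'date=2024-05-27 time=15:20:30 logid="0512020481" type="utm" subtype="emailfilter" '
    'eventtype="email" vd="vdom1" srcip=10.1.100.22 srcintf="port21" dstip=172.16.200.55 '
    'service="SMTP" action="log-only" sender="[email protected]" '
    'recipient="[email protected]" messageid="<20240527222030.000384@spam_pc1>" '
    'subject="testcase215001" attachment="no"',
    'date=2024-05-27 time=18:52:21 logid="1900064001" type="utm" subtype="file-filter" '
    'eventtype="file-filter" vd="vdom1" srcip=10.1.100.22 srcintf="port21" service="SMTP" '
    'action="log-only" sender="[email protected]" messageid="<20240528015221.001679@spam_pc1>" '
    'rulename="bannedFiles" filetype="jpeg" msg="File was detected by file filter."',
    'date=2024-05-28 time=11:59:50 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" '
    'vd="vdom1" rulename="test_exe" dlpextra="Sensor \'test\' matching any: '
    '(\'Test-Dictionary\'=1) >= 1; match." srcip=10.1.100.22 srcintf="port21" service="SMTP" '
    'action="block" sender="[email protected]" messageid="<20240528185950.007871@spam_pc1>" '
    'subject="731047" attachment="no" profile="testing"',
    # An event log from the same device; it carries no messageid and is ignored.
    'date=2024-05-28 time=12:00:00 logid="0100032701" type="event" subtype="system" '
    'vd="vdom1" msg="Duplicate IP address 172.16.200.55 was detected on interface wan1"',
]

if __name__ == "__main__":
    for mid, hits in index_by_message_id(SAMPLE_LOGS).items():
        print(mid, [(h["subtype"], h["action"]) for h in hits])
    print("blocked:", blocked_message_ids(SAMPLE_LOGS))
```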

Incorporating endpoint device data in the web filter UTM logs

This information is also available in the FortiOS 7.6 Administration Guide:
l Incorporating endpoint device data in the web filter UTM logs

Endpoint device data, including the hostname and MAC address, has been incorporated in the web filter UTM logs.
Endpoint device data can be incorporated in the logs using the following:
config log setting
set extended-utm-log {enable | disable}
end

To incorporate endpoint device data in the web filter UTM logs, ensure a firewall policy with a
web filter profile is configured and Device detection is configured on the interfaces. Device
detection can be configured in Network > Interfaces and the CLI.

When this command is enabled, the srcmac and srcname fields are included in the web filter UTM logs:
1: date=2024-04-04 time=09:34:31 eventtime=1712248470720798942 tz="-0700" logid="0316013056"
type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1
poluuid="9f550138-ed67-51ee-b593-e4c9c3cd549f" policytype="policy" sessionid=20910
srcip=10.1.100.123 srcport=59705 srccountry="Reserved" srcintf="port2"
srcintfrole="undefined" srcuuid="04df25b6-ed67-51ee-3006-8c2d12813f90"
srcmac="00:0c:29:06:7e:5b" srcname="AVPC3" dstip=52.201.199.27 dstport=443
dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="04df25b6-ed67-
51ee-3006-8c2d12813f90" proto=6 httpmethod="GET" service="HTTPS" hostname="www.httpbin.org"
agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" profile="webfilter"
action="blocked" reqtype="referral" url="https://www.httpbin.org/favicon.ico"
referralurl="https://www.httpbin.org/" sentbyte=2088 rcvdbyte=5709 direction="outgoing"
msg="URL belongs to a denied category in policy" ratemethod="domain" cat=52
catdesc="Information Technology"

Likewise, the Device column is populated with the endpoint hostname information in the Log & Report > Security Events
> Logs table:


When this command is disabled, the new fields are excluded from the web filter UTM logs and
the Device column does not display the client hostname information. The command is
disabled by default.

Set the source interface for syslog and NetFlow settings

This information is also available in the FortiOS 7.6 Administration Guide:
l NetFlow

FortiOS supports setting the source interface when configuring syslog and NetFlow. This allows syslog and NetFlow to
utilize the IP address of the specified interface as the source when sending out the messages. It also simplifies changing
the source IP address when an interface IP address is updated or the IP address from a different interface is used. The
process becomes more efficient and less time consuming, especially when managing many remote locations.
config log syslogd setting
set status enable
set source-ip-interface <name>
end
config system netflow
config collectors
edit <id>
set source-ip-interface <name>
next
end
end

Command differences

The source-ip-interface, source-ip, and interface-select-method commands are similar, but perform different functions.

source-ip-interface <name>
    Utilize the IP address of the specified interface as the source when sending out the syslog or NetFlow messages. Routing of the messages does not change based on this setting.
    The interface's IP address must be in the same family (IPv4 or IPv6) as the syslog server. For example, if a syslog server address is IPv6, source-ip-interface cannot have an IPv4 address or both an IPv6 and IPv4 address.
    If the FortiGate is in transparent VDOM mode, source-ip-interface is not available for NetFlow or syslog configurations.


source-ip <ip address>
    Utilize the specified IP address as the source when sending out the syslog or NetFlow messages. Routing of the messages does not change based on this setting.
interface-select-method {auto | sdwan | specify}
    The routing of the syslog and NetFlow messages is determined by the selected method. If neither source-ip-interface nor source-ip is configured, then the source address of the message is the IP address of the interface selected by the interface select method.
    See Local out traffic for details.

The source-ip-interface and source-ip commands are not available for syslog or NetFlow configurations if ha-direct is
enabled (see config system ha in the CLI Reference guide). They are also mutually exclusive; they cannot be used at the
same time, but one or the other can be used together with the interface-select-method command.

Examples

To configure a source interface for syslog:

1. Configure the interface:
config system interface
edit "loopback"
set vdom "vdom1"
set ip 10.10.10.2 255.255.255.0
set allowaccess ping
set type loopback
next
end

2. Configure the syslog device:
config log syslogd setting
set status enable
set server "172.16.200.55"
set facility local6
set source-ip-interface "loopback"
end

3. Using the migsock sniffer, note that traffic is sent from the loopback interface IP address, 10.10.10.2:
# diagnose sniffer migsock filter "service=udp dstip=172.16.200.55 dstport=514"
# diagnose sniffer migsock start

Tracing:

enabled: yes
ctx_id: 0x0000219366197668
pid: any
vdom: vdom1(1)
name: any
service: udp
dstip: 172.16.200.55
dstport: 514
srcip: any
srcport: any


unixpath: any
ssl trace: disabled
debug trace: disabled
timestamp: disabled

Press 'CTRL+D' or 'CTRL+C' to stop.

pid:236 vdom1 syslog-glob-1 udp connected 10.10.10.2:10651 => 172.16.200.55:514 386

0x0000 3c31 3832 3e64 6174 653d 3230 3234 2d30 <182>date=2024-0
0x0010 342d 3132 2074 696d 653d 3131 3a30 303a 4-12.time=11:00:
0x0020 3531 2064 6576 6e61 6d65 3d22 4647 542d 51.devname="FGT-
0x0030 422d 4c4f 4722 2064 6576 6964 3d22 4647 B-LOG".devid="FG
0x0040 3130 3146 544b 3139 3030 3232 3131 2220 101FTK19002211".
0x0050 6576 656e 7474 696d 653d 3137 3132 3934 eventtime=171294
0x0060 3438 3530 3631 3737 3338 3333 3920 747a 4850617738339.tz
0x0070 3d22 2d30 3730 3022 206c 6f67 6964 3d22 ="-0700".logid="
0x0080 3031 3030 3034 3435 3436 2220 7479 7065 0100044546".type
0x0090 3d22 6576 656e 7422 2073 7562 7479 7065 ="event".subtype
0x00a0 3d22 7379 7374 656d 2220 6c65 7665 6c3d ="system".level=
0x00b0 2269 6e66 6f72 6d61 7469 6f6e 2220 7664 "information".vd
0x00c0 3d22 7664 6f6d 3122 206c 6f67 6465 7363 ="vdom1".logdesc
0x00d0 3d22 4174 7472 6962 7574 6520 636f 6e66 ="Attribute.conf
0x00e0 6967 7572 6564 2220 7573 6572 3d22 6164 igured".user="ad
0x00f0 6d69 6e22 2075 693d 2273 7368 2831 302e min".ui="ssh(10.
0x0100 362e 3330 2e32 3534 2922 2061 6374 696f 6.30.254)".actio
0x0110 6e3d 2245 6469 7422 2063 6667 7469 643d n="Edit".cfgtid=
0x0120 3538 3137 3633 3037 3520 6366 6770 6174 581763075.cfgpat
0x0130 683d 226c 6f67 2e73 6574 7469 6e67 2220 h="log.setting".
0x0140 6366 6761 7474 723d 2273 7973 6c6f 672d cfgattr="syslog-
0x0150 6f76 6572 7269 6465 5b65 6e61 626c 652d override[enable-
0x0160 3e64 6973 6162 6c65 5d22 206d 7367 3d22 >disable]".msg="
0x0170 4564 6974 206c 6f67 2e73 6574 7469 6e67 Edit.log.setting
0x0180 2022 ."

4. On the syslog server, verify that the source IP address is shown after the source IP interface is configured:
Apr 12 18:01:17 10.10.10.2 date=2024-04-12 time=11:01:16 devname="FGT-B-LOG"
devid="FG101FTK19002211" eventtime=1712944876777719599 tz="-0700" logid="0100044546"
type="event" subtype="system" level="information" vd="vdom2" logdesc="Attribute
configured" user="admin" ui="ssh(10.6.30.254)" action="Edit" cfgtid=581763079
cfgpath="log.setting" cfgattr="syslog-override[enable->disable]" msg="Edit log.setting "

To configure a source interface for NetFlow:

1. Configure the interface:
config system interface
edit "wan2"
set vdom "vdom1"
set ip 10.1.100.2 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set netflow-sampler both
set snmp-index 4
next
end


2. Configure and verify NetFlow:
config system netflow
set template-tx-timeout 60
config collectors
edit 1
set collector-ip "172.16.200.44"
set source-ip-interface "wan2"
next
end
end
# diagnose test application sflowd 3

===== Netflow Vdom Configuration =====


Global collector(s) active-timeout(seconds):1800 inactive-timeout(seconds):15
Collector id:1: 172.16.200.44[2055]
|_ Source IP:
|_ Source IP interface: wan2

____ vdom: vdom1, index=1, is master, collector: disabled (use global config) (mgmt
vdom)
|_ coll_ip:172.16.200.44:2055,src_ip:10.1.100.2,out_intf=0
|_ seq_num:275 pkts/time to next template: 16/16
|_ exported: Bytes:0, Packets:0, Sessions:0 Flows:0
|_ active_intf: 1
|____ interface:wan2 sample_direction:both device_index:8 snmp_index:4

3. Verify that traffic is forwarded to the NetFlow collector through the designated source IP interface:
# diagnose sniffer packet any "host 172.16.200.44 and port 2055" 3
interfaces=[any]
filters=[host 172.16.200.44 and port 2055]
6.031971 10.1.100.2.1275 -> 172.16.200.44.2055: udp 60
0x0000 0000 0000 0000 e81c baf2 65b6 0800 4500 ..........e...E.
0x0010 0058 d133 0000 4011 c721 0a01 6402 ac10 .X.3..@..!..d...
0x0020 c82c 0c3c 0807 0044 f615 0009 0001 001a .,.<...D........
0x0030 1e04 6619 84c5 0000 0083 0000 0002 0100 ..f.............
0x0040 0028 0001 0000 0000 0000 0000 0000 0000 .(..............
0x0050 0000 0000 0000 0000 0000 0000 0708 000f ................
0x0060 0000 0001 0100 ......

Logging detection of duplicate IPv4 addresses

This information is also available in the FortiOS 7.6 Administration Guide:
l Logging detection of duplicate IPv4 addresses

When enabled, FortiOS can now log each detection of duplicate IPv4 addresses on physical interfaces and VLAN
interfaces in the event log under the new log ID 32701. Previously, detection of duplicate IPv4 addresses was not
logged. This feature also supports a new SNMP event and new diagnose commands.
The config system global command includes a new option:


config system global
set ip-conflict-detection {enable | disable}
end

set ip-conflict-detection {enable | disable}
    Enable/disable logging of IPv4 address conflict detection.

FortiOS uses the following methods to detect duplicate IPv4 addresses, and can generate a log for each detection:

Detection method and description:

Active
    Detection of duplicate physical and VLAN IPv4 addresses on the FortiGate is triggered when:
    l FortiOS starts
    l The miglogd daemon restarts
    l A new physical interface is created
    l A physical interface status changes to up
    l A physical interface configuration changes
    l The diagnose test app miglogd 55 command is run

Passive
    Detection of a duplicate IPv4 address on a client is triggered when a device connected to the FortiGate attempts to use an IPv4 address that is already in use. FortiOS identifies duplicate IPv4 addresses by monitoring Gratuitous ARP packets. When the source IP in the Gratuitous ARP packet is already in the cache, but the source MAC address is different, the IP address is considered a duplicate.
    In addition to physical interfaces, passive detection is also valid for VLAN interfaces.
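To make the passive rule concrete, the following Python is an added example (not FortiOS code) that models the detection cache described above: entries are keyed by IPv4 address, a gratuitous ARP whose sender IP is already cached under a different MAC is reported, and the report uses the wording of the log ID 32701 message shown later in this section. The seed addresses and the packets are constructed to match the page's examples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GratuitousArp:
    """A gratuitous ARP as received by the FortiGate (constructed, not a real capture)."""
    interface: str     # ingress physical or VLAN interface name
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Conflict:
    ip: str
    new_mac: str
    interface: str
    existing_dev: str
    existing_mac: str

    def message(self) -> str:
        """Same wording as the msg= field of log ID 32701."""
        return (f"Duplicate IP address {self.ip} of MAC {self.new_mac} was detected on "
                f"interface {self.interface}, also in use by {self.existing_dev} "
                f"({self.existing_mac})")


class IpConflictCache:
    """Passive duplicate-IPv4 detection: an IP cached under a different MAC is a duplicate."""

    def __init__(self) -> None:
        # IPv4 address -> (device/interface name, MAC address)
        self._cache: Dict[str, Tuple[str, str]] = {}
        self.conflicts: List[Conflict] = []

    def learn(self, dev: str, ip: str, mac: str) -> None:
        """Seed an entry, e.g. from the FortiGate's own interface addresses."""
        self._cache[ip] = (dev, mac.lower())

    def observe(self, arp: GratuitousArp) -> Optional[Conflict]:
        """Apply one gratuitous ARP; return a Conflict if another MAC already owns the IP."""
        mac = arp.sender_mac.lower()
        known = self._cache.get(arp.sender_ip)
        if known is None:
            self._cache[arp.sender_ip] = (arp.interface, mac)   # first sighting: cache it
            return None
        dev, known_mac = known
        if known_mac == mac:
            return None   # the same host re-announcing itself is not a conflict
        conflict = Conflict(arp.sender_ip, mac, arp.interface, dev, known_mac)
        self.conflicts.append(conflict)   # the cached owner is kept, as the log wording implies
        return conflict

    def snapshot(self) -> List[Tuple[str, str, str]]:
        """Rows of (ip, mac, dev), the information 'diagnose test application miglogd 54' prints."""
        return sorted((ip, mac, dev) for ip, (dev, mac) in self._cache.items())


def run_scenario() -> List[str]:
    """Replay the passive-detection example from this section with constructed packets."""
    cache = IpConflictCache()
    # FortiGate's own addresses (constructed seed values using the MACs printed on the page).
    cache.learn("dmzVLAN", "192.168.5.100", "e8:1c:ba:f2:65:b4")
    cache.learn("wan1", "172.16.200.2", "e8:1c:ba:f2:65:b6")
    packets = [
        GratuitousArp("dmz", "192.168.5.44", "00:0c:29:d3:30:4e"),    # new client, cached
        GratuitousArp("dmz", "192.168.5.44", "00:0c:29:d3:30:4e"),    # same host again, no conflict
        GratuitousArp("dmz", "192.168.5.100", "00:0c:29:d3:30:4e"),   # client takes the VLAN's IP
    ]
    return [c.message() for c in map(cache.observe, packets) if c is not None]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```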

In addition, a packet can be sent to the SNMP host when the SNMP event is set to interface.
The config system snmp community command includes a new interface event:
config system snmp community
edit 1
set name "test"
config hosts
edit 1
set ip 172.18.71.107 255.255.255.0
next
end
config hosts6
edit 1
next
end
set events {interface}
next
end

set events {interface} Send a trap for interface events.

The following new debug commands are also available:


diagnose test application miglogd 54
    Shows the cache for IPv4 address conflict detection.
diagnose test application miglogd 55
    Executes an IPv4 address conflict detection.

To enable logging of IPv4 address conflicts:

config system global
set ip-conflict-detection enable
end

To trigger an active detection and log of IPv4 conflicts:

1. In FortiOS, go to Network > Interfaces, and double-click an interface, such as wan1, to open it for editing.
2. In the IP/Netmask box, change the IP address from 172.16.200.2/24 to 172.16.200.55/24. The following warning is
displayed: This IP address is already in use by device <MAC address>.

3. Go to Log & Report > System Events. A Duplicate IP address log entry is displayed.


The same information is visible in the raw log:
date=2024-04-30 time=18:08:56 eventtime=1714525736800388800 tz="-0700"
logid="0100032701" type="event" subtype="system" level="error" vd="vdom1"
logdesc="Detected IP conflicts on FGT interfaces." msg="Duplicate IP address
172.16.200.55 of MAC 02:42:ac:10:c8:37 was detected on interface wan1, also in use by
wan1 (e8:1c:ba:f2:65:b6)"

To trigger a passive detection and log of IPv4 conflicts:

1. On a client, change the interface IP address. For example, change it from 192.168.5.44 to 192.168.5.100/24.

2. Go to Log & Report > System Events. A Duplicate IP address log entry is displayed.


The same information is visible in the raw log:
date=2024-04-30 time=18:00:08 eventtime=1714525207888886460 tz="-0700"
logid="0100032701" type="event" subtype="system" level="error" vd="vdom1"
logdesc="Detected IP conflicts on FGT interfaces." msg="Duplicate IP address
192.168.5.100 of MAC 00:0c:29:d3:30:4e was detected on interface dmz, also in use by
dmzVLAN (e8:1c:ba:f2:65:b4)"

To configure SNMP traps for interfaces:

1. Configure an SNMP host and set up an event trap for interface.
config system snmp community
edit 1
set name "test"
config hosts
edit 1
set ip 172.16.200.55 255.255.255.0
next
end
set events interface
next
end

To show the IPv4 address conflict detection cache:

# diagnose test application miglogd 54
index IPv4 address MAC dev vlanid
50 10.10.100.2 00:00:00:00:00:00 Loopback2
58 192.168.5.44 e8:1c:ba:f2:65:b4 dmzVLAN 50
48 10.255.1.1 00:00:00:00:00:00 fortilink
51 10.1.10.3 00:00:00:00:00:00 Loopback3
8 10.1.100.2 e8:1c:ba:f2:65:b7 wan2
49 10.10.10.2 00:00:00:00:00:00 loopback
6 10.6.30.107 e8:1c:ba:f2:65:b5 mgmt
52 192.168.100.99 e8:1c:ba:f2:65:bb lan
23 10.2.2.2 e8:1c:ba:f2:65:c6 x1
7 172.16.200.2 e8:1c:ba:f2:65:b6 wan1


To execute an IPv4 address conflict detection:

# diagnose test application miglogd 55
Sending probe for 10.10.100.2 via Loopback2.
Sending probe for 192.168.5.44 via dmzVLAN.
Sending probe for 10.255.1.1 via fortilink.
Sending probe for 10.1.10.3 via Loopback3.
Sending probe for 10.1.100.2 via wan2.
Sending probe for 10.10.10.2 via loopback.
Sending probe for 10.6.30.107 via mgmt.
Sending probe for 192.168.100.99 via lan.
Sending probe for 10.2.2.2 via x1.
Sending probe for 172.16.200.2 via wan1.

To verify the trap has been sent:

# diagnose debug application snmp -1
# diagnose debug enable
snmpd: queue is 2 entries long.
snmpd: queueing trap 8008000000000000@4295121097 (4295121097)
snmpd: queue is 3 entries long.
snmpd: dequeueing trap 8008000000000000@4295121097 (4295121097)
snmpd: sending to hosts: interface(1601)
snmpd: attempting v1 trap: interface(1601)
snmpd: trap from (172.16.200.1 -> 172.16.200.55)
snmpd: trap send(172.16.200.1:162 -> 172.16.200.55:162) bytes sent=264 total=264
snmpd: attempting v2c trap: interface(1601)
snmpd: get : system.3.0 -> () -> 0
snmpd: trap send(172.16.200.1:162 -> 172.16.200.55:162) bytes sent=288 total=288

Logging local traffic per local-in policy

This information is also available in the FortiOS 7.6 Administration Guide:
l Local-in policy

Local traffic logging can be configured for each local-in policy. This enables more precise and targeted logging by
focusing on specific local-in policies that are most relevant to your needs.
Logging can be configured per local-in policy in the Log & Report > Log Settings page or by using the following
commands:
config log setting
set local-in-policy-log {enable | disable}
end
config firewall local-in-policy
edit <id>
set logtraffic {enable | disable}
next
end
config firewall local-in-policy6
edit <id>
set logtraffic {enable | disable}


next
end

If per-policy local-in traffic logging is enabled, allowed traffic, denied unicast traffic, and denied broadcast traffic
logging do not need to be configured in the log settings. When traffic logging is enabled for a local-in policy, the
denied unicast traffic and denied broadcast traffic logs are included.

To log local traffic per local-in policy in the GUI:

1. Enable local-in traffic logging per policy:
a. Go to Log & Report > Log Settings.
b. Go to the Global Settings tab.
c. Set Local traffic logging to Specify.
d. Enable Log local-in traffic and set it to Per policy.

2. Log traffic in a local-in policy:
a. Go to Policy & Objects > Local-In Policy.
b. Select whether you want to configure a Local-In Policy or IPv6 Local-In Policy.
c. Create a new policy or edit an existing policy.
d. Enable traffic logging:


l For policies with the Action set to ACCEPT, enable Log allowed traffic.

l For policies with the Action set to DENY, enable Log violation traffic.


If traffic logging is enabled in the local-in policy, the denied unicast traffic and denied broadcast traffic logs
are displayed in Log & Report > Local Traffic.

To log local traffic per local-in policy in the CLI:

1. Enable logging local-in traffic per policy:
config log setting
set local-in-policy-log enable
end

2. Enable local traffic logging in the policy:
config firewall local-in-policy
edit 1
set logtraffic enable
next
end
config firewall local-in-policy6
edit 2
set logtraffic enable
next
end

3. Review local logs. Traffic is logged for the local-in policies and denied unicast traffic and denied broadcast traffic
logs are included.
date=2024-04-17 time=12:32:02 eventtime=1713382322595245756 tz="-0700"
logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1"
srcip=2000:10:1:100::11 identifier=28808 srcintf="port1" srcintfrole="undefined"
dstip=2000:172:16:200::5 dstintf="vdom1" dstintfrole="undefined" sessionid=317 proto=58
action="deny" policyid=1 policytype="local-in-policy6" poluuid="a07ee45a-fcf0-51ee-7740-
806252a3d358" srccountry="Reserved" dstcountry="Reserved" service="PING6"
trandisp="noop" app="PING6" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0
appcat="unscanned" crscore=5 craction=262144 crlevel="low" msg="Connection Failed"

date=2024-04-17 time=14:32:15 eventtime=1713389535257923782 tz="-0700"
logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1"
srcip=10.1.100.11 identifier=5747 srcintf="port1" srcintfrole="undefined"
dstip=172.16.200.5 dstintf="vdom1" dstintfrole="undefined" srccountry="Reserved"
dstcountry="Reserved" sessionid=11134 proto=1 action="deny" policyid=1
policytype="local-in-policy" poluuid="c9b22eda-fc51-51ee-c116-1f07e0898ea3"
service="TIMESTAMP" trandisp="noop" app="TIMESTAMP" duration=0 sentbyte=0 rcvdbyte=0
sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
msg="Connection Failed"

date=2024-04-17 time=14:35:29 eventtime=1713389729517452423 tz="-0700"
logid="0001000014" type="traffic" subtype="local" level="notice" vd="vdom1"
srcip=10.1.100.11 identifier=29479 srcintf="port1" srcintfrole="undefined"
dstip=10.1.100.255 dstintf="unknown-0" dstintfrole="undefined" replysrcintf="vdom1"
srccountry="Reserved" dstcountry="Reserved" sessionid=11180 proto=1 action="deny"
policyid=1 policytype="local-in-policy" poluuid="c9b22eda-fc51-51ee-c116-1f07e0898ea3"
service="PING" trandisp="noop" app="PING" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 appcat="unscanned" msg="Connection Failed"

Global logging

Local-in traffic can also continue to be logged globally instead of per policy. To configure global local-in traffic logging in
the CLI, disable local-in-policy-log.

To configure global local traffic logging in the GUI:

1. Enable global local-in traffic logging:
a. Go to Log & Report > Log Settings.
b. Go to the Global Settings tab.
c. Set Local traffic logging to Specify.
d. Enable Log local-in traffic and set it to Global.


e. Enable the log events that should be globally logged.
2. Review logging in a local-in policy:
a. Go to Policy & Objects > Local-In Policy.
b. Select whether you want to configure a Local-In Policy or IPv6 Local-In Policy.
c. Create a new policy or edit an existing policy.


Log allowed traffic and Log violation traffic will be set to Custom and cannot be changed in the policy.

Logs generated when starting and stopping packet capture and TCP dump
operations

This information is also available in the FortiOS 7.6 Administration Guide:
l Using the packet capture tool
l Performing a sniffer trace or packet capture

System event logs are generated when a packet capture is started or stopped in the GUI, and when a sniffer operation is
started or stopped in the CLI. This provides a clear audit trail of packet capture and TCP dump activities, improving
transparency and control.
In these examples, packet capture and then sniffer are started and stopped, and then the system event logs are checked
to see the logs generated by those events.

To generate system event logs when packet capture is started/stopped in the GUI:

1. Go to Network > Diagnostics, select the Packet capture tab, and click New packet capture.
2. Configure the capture. In this example, a filter is applied for IP address 172.16.200.250 and port 514 on port2.


3. Click Start capture.

4. Wait for some packets to be captured, then click Stop capture.
5. Go to Log & Report > System Events, select the Logs tab, and add a filter for the notice level to see the logs
generated when the packet capture was started and stopped.


6. Check the packet logs in the CLI:
l Sniffer packet stop log, showing the number of received packets and the applied filters:
date=2024-06-06 time=15:36:33 eventtime=1717713392677816242 tz="-0700"
logid="0100035101" type="event" subtype="system" level="notice" vd="vdom1"
logdesc="Packet sniffer stopped" user="admin" ui="https:10.6.30.254" msg="Packet
sniffer stopped on interfaces[port2] with filters[(net 172.16.200.250) and (port 514)
and (ip or ip6)] Number of packets received: 27"

l Sniffer packet start log with applied filters:
date=2024-06-06 time=15:35:56 eventtime=1717713355668177832 tz="-0700"
logid="0100035100" type="event" subtype="system" level="notice" vd="vdom1"
logdesc="Packet sniffer started" user="admin" ui="https:10.6.30.254" msg="Packet
sniffer started on interfaces[port2] with filters[(net 172.16.200.250) and (port 514)
and (ip or ip6)]"

To generate system event logs when the sniffer is started/stopped in the CLI:

1. In the CLI, start the sniffer. In this example, packets are sniffed without any filters on all interfaces.
# diagnose sniffer packet
interfaces=[any]
filters=[none]
0.841988 stp 802.1w, rapid stp, flags [forward], bridge-id 801e.00:0d:bb:33:ff:00.8809
0.850097 stp 802.1w, rapid stp, flags [forward], bridge-id 8014.00:0d:bb:33:ff:00.8817
0.913049 arp who-has 172.16.200.4 tell 172.16.200.44
1.046108 10.6.30.105.443 -> 10.6.30.254.50655: psh 1975442041 ack 3271831242
1.102052 10.6.30.254.50655 -> 10.6.30.105.443: ack 1975442092
1.756654 172.16.200.5.23608 -> 172.16.200.250.514: udp 343
2.046682 10.6.30.105.443 -> 10.6.30.254.50655: psh 1975442092 ack 3271831242
2.101271 10.6.30.254.50655 -> 10.6.30.105.443: ack 1975442203
2.846037 stp 802.1w, rapid stp, flags [forward], bridge-id 801e.00:0d:bb:33:ff:00.8809
2.854158 stp 802.1w, rapid stp, flags [forward], bridge-id 8014.00:0d:bb:33:ff:00.8817
3.047792 10.6.30.105.443 -> 10.6.30.254.50655: psh 1975442203 ack 3271831242
3.101855 10.6.30.254.50655 -> 10.6.30.105.443: ack 1975442275
3.440701 arp who-has 10.6.30.105 tell 10.6.30.254
3.440706 arp reply 10.6.30.105 is-at e8:11:bb:88:44:be
3.919708 arp who-has 172.16.200.4 tell 172.16.200.44
^C
25 packets received by filter
0 packets dropped by kernel

To apply the same filters to this sniffer as were used in the GUI example, enter the following:
diagnose sniffer packet port2 "172.16.200.250 and udp and port 514"

2. Check the packet logs:
l Sniffer packet stop log with number of received packets:
date=2024-06-06 time=15:48:43 eventtime=1717714123114194052 tz="-0700"
logid="0100035101" type="event" subtype="system" level="notice" vd="vdom1"
logdesc="Packet sniffer stopped" user="admin" ui="jsconsole(10.6.30.105)" msg="Packet
sniffer stopped on interfaces[any] with filters[none] Number of packets received: 25"

l Sniffer packet start log:


date=2024-06-06 time=15:48:40 eventtime=1717714120008104471 tz="-0700"
logid="0100035100" type="event" subtype="system" level="notice" vd="vdom1"
logdesc="Packet sniffer started" user="admin" ui="jsconsole(10.6.30.105)" msg="Packet
sniffer started on interfaces[any] with filters[none]"
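Because these start/stop events form an audit trail, the useful check is to pair them. The following Python is an added example (not code from this guide or from Fortinet): it sorts records by eventtime (log views list the newest first), pairs each 0100035100 start with its 0100035101 stop, and reports unfiltered captures on all interfaces, captures that were never stopped, and the duration and packet count of completed ones. Pairing on (user, ui, interfaces, filters) is an assumption of this example; the sample records are constructed from the events shown above, plus one start with no matching stop.

```python
import re
from typing import Dict, List, Tuple

SNIFFER_STARTED = "0100035100"
SNIFFER_STOPPED = "0100035101"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# The msg= text carries the interface list, the filter expression and (on stop) the packet count.
MSG_RE = re.compile(r"interfaces\[(.*?)\] with filters\[(.*?)\]"
                    r"(?: Number of packets received: (\d+))?")


def parse_record(line: str) -> dict:
    """Minimal key=value parser; the msg value is quoted and contains spaces and brackets."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def audit_sniffer_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair sniffer start/stop events and return (finding, detail) tuples in time order."""
    records = [parse_record(line) for line in lines]
    records.sort(key=lambda r: int(r.get("eventtime", "0")))   # starts must precede their stops
    running: Dict[tuple, dict] = {}
    findings: List[Tuple[str, str]] = []
    for rec in records:
        if rec.get("logid") not in (SNIFFER_STARTED, SNIFFER_STOPPED):
            continue
        m = MSG_RE.search(rec.get("msg", ""))
        if not m:
            findings.append(("unparsed_msg", rec.get("msg", "")))
            continue
        interfaces, filters, count = m.group(1), m.group(2), m.group(3)
        key = (rec.get("user"), rec.get("ui"), interfaces, filters)
        who = f'{rec.get("user")} via {rec.get("ui")}'
        if rec["logid"] == SNIFFER_STARTED:
            running[key] = rec
            if interfaces == "any" and filters == "none":
                findings.append(("unfiltered_capture_all_interfaces", who))
        else:
            start = running.pop(key, None)
            if start is None:
                findings.append(("stop_without_start", who))
            else:
                secs = (int(rec["eventtime"]) - int(start["eventtime"])) / 1e9
                findings.append(("capture_completed",
                                 f"{who} {interfaces} {secs:.0f}s {count} packets"))
    for key, rec in running.items():
        findings.append(("capture_still_running",
                         f'{rec.get("user")} via {rec.get("ui")} on {key[2]}'))
    return findings


# Constructed sample: the four events from this section (newest first, as the GUI shows
# them) and one additional start on a placeholder SSH session that is never stopped.
SAMPLE_EVENTS = [
    'date=2024-06-06 time=15:48:43 eventtime=1717714123114194052 logid="0100035101" type="event" '
    'subtype="system" level="notice" vd="vdom1" logdesc="Packet sniffer stopped" user="admin" '
    'ui="jsconsole(10.6.30.105)" msg="Packet sniffer stopped on interfaces[any] with '
    'filters[none] Number of packets received: 25"',
    'date=2024-06-06 time=15:48:40 eventtime=1717714120008104471 logid="0100035100" type="event" '
    'subtype="system" level="notice" vd="vdom1" logdesc="Packet sniffer started" user="admin" '
    'ui="jsconsole(10.6.30.105)" msg="Packet sniffer started on interfaces[any] with filters[none]"',
    'date=2024-06-06 time=15:36:33 eventtime=1717713392677816242 logid="0100035101" type="event" '
    'subtype="system" level="notice" vd="vdom1" logdesc="Packet sniffer stopped" user="admin" '
    'ui="https:10.6.30.254" msg="Packet sniffer stopped on interfaces[port2] with filters[(net '
    '172.16.200.250) and (port 514) and (ip or ip6)] Number of packets received: 27"',
    'date=2024-06-06 time=15:35:56 eventtime=1717713355668177832 logid="0100035100" type="event" '
    'subtype="system" level="notice" vd="vdom1" logdesc="Packet sniffer started" user="admin" '
    'ui="https:10.6.30.254" msg="Packet sniffer started on interfaces[port2] with filters[(net '
    '172.16.200.250) and (port 514) and (ip or ip6)]"',
    'date=2024-06-06 time=16:00:00 eventtime=1717714800000000000 logid="0100035100" type="event" '
    'subtype="system" level="notice" vd="vdom1" logdesc="Packet sniffer started" user="admin" '
    'ui="ssh(10.6.30.254)" msg="Packet sniffer started on interfaces[port1] with filters[port 22]"',
]

if __name__ == "__main__":
    for finding, detail in audit_sniffer_events(SAMPLE_EVENTS):
        print(f"{finding}: {detail}")
```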


Cloud

This section includes information about cloud related new features:
l Public and private cloud on page 631

Public and private cloud

This section includes information about public and private cloud related new features:
l Azure SDN connector relay through FortiManager support on page 631
l IBM Cloud virtual network interface support on page 633
l GCP SDN connector relay through FortiManager support on page 633
l Support the AWS r8g instance family on page 633
l KVM Red Hat Enterprise Linux 9.4 support on page 633
l Azure SDN connector moves private IP address on trusted NIC during A-P HA failover 7.6.1 on page 633
l Support the OCI E5.Flex instance type 7.6.1 on page 634
l Azure SDN connector GraphQL bulk query support 7.6.1 on page 634
l AWS NitroTPM support 7.6.1 on page 634
l GCP C4 Intel instance support 7.6.1 on page 639
l FortiGate-VM GDC V support 7.6.1 on page 639
l OCI SDN connector IPv6 address object support 7.6.1 on page 648
l GCP SDN connector IPv6 address object support 7.6.1 on page 648
l Support for Azure upcoming MANA NIC 7.6.1 on page 648
l Azure SDN connector IPv6 address object support 7.6.1 on page 648
l FGT_VM64_KVM IPsec performance improvement through virtio and RPS 7.6.1 on page 649
l FGT_VM64_KVM IPsec performance through DPDK improvement 7.6.1 on page 649
l FortiGate-VM config system affinity-packet-redistribution optimization 7.6.1 on page 649
l OCI support for on-premise solutions 7.6.1 on page 649
l AliCloud GWLB support 7.6.1 on page 649
l AliCloud ecs.g8i instance type support 7.6.3 on page 649

Azure SDN connector relay through FortiManager support

FortiOS Azure SDN connector API calls can be relayed through a FortiManager proxy. FortiManager 7.6 supports this
feature.


To configure Azure SDN connector relay through FortiManager support:

1. Configure the FortiManager:
a. Provision an FMG_VM64_AZURE 7.6 instance in Azure. See Creating a FortiManager-VM.
b. License the FortiManager instance. See Connecting to FortiManager.
c. In FortiManager, go to System Settings > Administrators.
d. Create a new administrator or edit an existing one.
e. For JSON API Access, select Read-Write.
f. Configure other fields as desired, then click OK.
2. Provision a FGT_VM64_AZURE pay as you go instance in Azure.
3. Configure the FortiManager proxy in the CLI:
config system sdn-proxy
edit "FMG_proxy"
set type fortimanager
set server "fmg.labs.ca"
set server-port 443
set username "admin"
set password "-=redacted=-"
next
end

4. Configure two SDN connectors:
config system sdn-connector
edit "FMG_proxy"
set type azure
set proxy "FMG_proxy"
set use-metadata-iam disable
set tenant-id "<tenant ID>"
set client-id "<client ID>"
set client-secret "-=redacted=-"
set subscription-id "<subscription ID>"
set resource-group "<resource group >"
next
end
config firewall address
edit "FMG_proxy"
set type dynamic
set sdn "FMG_proxy"
set filter "Vnet=VNET0"
set sdn-addr-type all
next
end
config system sdn-connector
edit "AZURE"
set type azure
set use-metadata-iam disable
set tenant-id "<tenant ID>"
set client-id "<client ID>"
set client-secret "-=redacted=-"
set subscription-id "<subscription ID>"
set resource-group "<resource group >"
next


end
config firewall address
edit "AZURE"
set type dynamic
set sdn "AZURE"
set filter "Vnet=VNET0"
set sdn-addr-type all
next
end

5. Go to Security Fabric > External Connectors and confirm that the connectors were created.
6. Compare the resolved IP address list between the FMG_proxy and AZURE connectors and verify that the list is
complete.

IBM Cloud virtual network interface support

FortiGate-VM on IBM Cloud supports virtual network interfaces. This interface type is selected by default. See Deploying
FortiGate-VM on IBM Cloud.

GCP SDN connector relay through FortiManager support

FortiOS GCP SDN connector API calls can be relayed through a FortiManager proxy. FortiManager 7.6 supports this
feature. See Using FortiManager as a SDN proxy for GCP connectors.

Support the AWS r8g instance family

FortiGate-VM supports the AWS r8g instance family. See Instance type support.

Support the AWS c8g instance family

FortiGate-VM supports the AWS c8g instance family. See Instance type support.

KVM Red Hat Enterprise Linux 9.4 support

FortiGate-VM on KVM supports Red Hat Enterprise Linux 9.4.

Azure SDN connector moves private IP address on trusted NIC during A-P HA
failover - 7.6.1

This feature introduces a floating private IP address on the trusted NIC (port2).
For more information about this feature, see Azure SDN connector moves private IP address on trusted NIC during A-P
HA failover.

Support the OCI E5.Flex instance type - 7.6.1

FortiGate-VM supports the OCI VM.Standard.E5.Flex instance type. See Instance type support.

Azure SDN connector GraphQL bulk query support - 7.6.1

In FortiOS 7.6.1 and later versions, Azure SDN connectors support GraphQL bulk queries.

AWS NitroTPM support - 7.6.1

FortiGate-VM supports the AWS Nitro Trusted Platform Module (NitroTPM) 2.0 specification. NitroTPM is a virtual device
provided by the AWS Nitro System that conforms to the TPM 2.0 specification. It securely stores artifacts such as
passwords, certificates, or encryption keys that are used to authenticate the instance. NitroTPM can generate keys and
use them for cryptographic functions such as hashing, signing, encryption, and decryption.
This feature is disabled by default on marketplace images. You must create your own image to use NitroTPM.

To deploy a FortiGate-VM on AWS that uses NitroTPM:

1. When deploying a FortiGate-VM on AWS using an Amazon machine image (AMI), ensure that the aws ec2
register-image command includes the following options:
aws ec2 register-image \
    --boot-mode uefi \
    --tpm-support v2.0 \
    ...

2. Verify that you can create a TPM 2.0 support-enabled AMI with the fgtaws.bin file:
[ec2-user@MY-AWSLINUX ~]$ ./uefi-aws-ondemand-TPM20-and-Secure-Boot.sh fortios-fgtvm64-aws-payg-dut.qcow2 3433-v761-tpm20-pmdb31082-secureboot
[STEP 1]: Create rawfile from qcow2
[STEP 1]: DONE
...
[STEP 8]: create register
Creating AMI: ami-05ca9cdc344639f3a
[STEP 8]: done
[STEP 9]: modify for permissions
[STEP 9]: done

[ec2-user@MY-AWSLINUX ~]$ aws ec2 describe-images --image-ids ami-05ca9cdc344639f3a
{
"Images": [
{
"Architecture": "x86_64",
"CreationDate": "2024-10-08T19:11:22.000Z",
"ImageId": "ami-05ca9cdc344639f3a",
"ImageLocation": "269503439203/FortiGate-VM64-AWSONDEMAND build3433-v761-tpm20-pmdb31082-secureboot-QA",
"ImageType": "machine",
"Public": false,
"OwnerId": "269503439203",
"PlatformDetails": "Linux/UNIX",
"UsageOperation": "RunInstances",
"State": "available",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"DeleteOnTermination": true,
"SnapshotId": "snap-040f7d9a04a20bcfd",
"VolumeSize": 2,
"VolumeType": "gp2",
"Encrypted": false
}
},
{
"DeviceName": "/dev/sdb",
"Ebs": {
"DeleteOnTermination": true,
"VolumeSize": 30,
"VolumeType": "gp2",
"Encrypted": false
}
}
],
"Description": "FortiGate-VM64-AWSONDEMAND build3433-v761-tpm20-pmdb31082-secureboot-QA",
"EnaSupport": true,
"Hypervisor": "xen",
"Name": "FortiGate-VM64-AWSONDEMAND build3433-v761-tpm20-pmdb31082-secureboot-QA",
"RootDeviceName": "/dev/sda1",
"RootDeviceType": "ebs",
"SriovNetSupport": "simple",
"VirtualizationType": "hvm",
"BootMode": "uefi",
"TpmSupport": "v2.0"
}
]
}

3. Verify that the FortiGate-VM supports TPM 2.0. For details, see TPM support for FortiGate-VM:
FGTAWSHZY4GDAGF8 (Interim)# get sys stat
Version: FortiGate-VM64-AWS v7.6.1,build3433,241007 (Interim)

FGTAWSHZY4GDAGF8 (Interim)# sysctl ls /dev/tpm0
/dev/tpm0

FGTAWSHZY4GDAGF8 (Interim)# diagnose hardware deviceinfo tpm
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 162
TPM_PT_DAY_OF_YEAR: 53
TPM_PT_YEAR: 2020
TPM_PT_MANUFACTURER: AMZN
TPM_PT_VENDOR_STRING: NitroTPMv1.0
TPM_PT_VENDOR_STRING_1 in HEX: 0x4e697472
TPM_PT_VENDOR_STRING_2 in HEX: 0x6f54504d
TPM_PT_VENDOR_STRING_3 in HEX: 0x76312e30
TPM_PT_VENDOR_STRING_4 in HEX: 0x00000000
TPM_PT_VENDOR_TPM_TYPE: 1
TPM_PT_FIRMWARE_VERSION: 8217.4131.22.13878
TPM_PT_FIRMWARE_VERSION in HEX: 0x2019102300163636

TPM_PT_MEMORY:
=========================================================
Shared RAM: 0 CLEAR
Shared NV: 1 SET
Object Copied To Ram: 1 SET

TPM_PT_PERMANENT:
=========================================================
Owner Auth Set: 0 CLEAR
Sendorsement Auth Set: 0 CLEAR
Lockout Auth Set: 0 CLEAR
Disable Clear: 0 CLEAR
In Lockout: 0 CLEAR
TPM Generated EPS: 1 SET

FGTAWSHZY4GDAGF8 (Interim)# diagnose tpm get-var-property
TPM capability information of variable properties:
TPM_PT_STARTUP_CLEAR:
=========================================================
Ph Enable: 1 SET
Sh Enable: 1 SET
Eh Enable: 1 SET
Orderly: 1 SET

FGTAWSHZY4GDAGF8 (Interim)# diagnose tpm read-clock
Clock info:
=========================================================
Time since the last TPM_Init:
8969358 ms = 0 y, 0 d, 2 h, 29 min, 29 s, 358 ms

Time during which the TPM has been powered:
9331689 ms = 0 y, 0 d, 2 h, 35 min, 31 s, 689 ms

TPM Reset since the last TPM2_Clear: 5
Number of times that TPM2_Shutdown: 0
Safe: 1 = Yes

FGTAWSHZY4GDAGF8 (Interim)# diagnose tpm shutdown-prepare
Shutdown works as expected.

FGTAWSHZY4GDAGF8 (Interim)# diagnose tpm selftest
Successfully tested. Works as expected.

FGTAWSHZY4GDAGF8 (Interim)# diagnose tpm generate-random-number
Random value:
0x00000000: 0x7F 0x89 0xAF 0xFA

FGTAWSHZY4GDAGF8 (Interim)# diagnose tpm SHA-1 1234567890abcdef1234567890abcdef
TPM2_Hash of '1234567890abcdef1234567890abcdef' with SHA-1:
0x00000000: 62 0A 31 15 69 9A 42 2B
0x00000008: D8 74 DE 31 D3 E6 91 1C
0x00000010: 58 3A 76 75
1234567890abcdef1234567890abcdef

FGTAWSHZY4GDAGF8 (Interim)# diagnose tpm SHA-256 1234567890abcdef1234567890abcdef
TPM2_Hash of '1234567890abcdef1234567890abcdef' with SHA-256:
0x00000000: C5 12 D9 2E 35 45 B2 F1
0x00000008: 22 2E 4B 4C 6A F6 D3 30
0x00000010: EC 30 02 A0 4B CA A4 1D
0x00000018: F9 CC 2C 49 62 84 96 D6
1234567890abcdef1234567890abcdef

FGTAWSHZY4GDAGF8 (Interim)# exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7

FGTAWSHZY4GDAGF8 (Interim)# config system global
FGTAWSHZY4GDAGF8 (global) (Interim)# set private-data-encryption enable
FGTAWSHZY4GDAGF8 (global) (Interim)# end
Please type your private data encryption key (32 hexadecimal numbers):
1234567890abcdef1234567890abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
1234567890abcdef1234567890abcdef
Your private data encryption key is accepted.

FGTAWSHZY4GDAGF8 (Interim)# exec private-encryption-key sample
B64TEXT: tXzJbdpQnIgYUPoeMKLVEbMIL3lpW9ewZwItJilR8I0=
B64HMAC: LOVD6uhDA3k5xqr3S8WS/L19wsE=

FGTAWSHZY4GDAGF8 (Interim)# exec factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y

The system is going down NOW !!

FGTAWSHZY4GDAGF8 (Interim)#
Please stand by while rebooting the system.
Restarting system

FortiGate-VM64-AWS (Interim)# exec restore config ftp FGTAWSHZY4GDAGF8_7-6_3433_202410081451.conf 10.6.30.218 root xxxxxx
This operation will overwrite the current setting and could possibly reboot the system!
Do you want to continue? (y/n)y

Please wait...
Connect to ftp server 10.6.30.218 ...
Get config file from ftp server OK.
The configuration was encrypted with a private encryption key but encryption is not
enabled. Required: Enable private-data-encryption under system.global.
Command fail. Return code -910

FortiGate-VM64-AWS (Interim)# conf sys global
FortiGate-VM64-AWS (global) (Interim)# set private-data-encryption enable
FortiGate-VM64-AWS (global) (Interim)# end
Please type your private data encryption key (32 hexadecimal numbers):
ac6bdcdee2701a1edc6d594898e34f50
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
ac6bdcdee2701a1edc6d594898e34f50
Your private data encryption key is accepted.

FortiGate-VM64-AWS (Interim)# exec restore config ftp FGTAWSHZY4GDAGF8_7-6_3433_202410081451.conf 10.6.30.218 root xxxxxx
This operation will overwrite the current setting and could possibly reboot the system!
Do you want to continue? (y/n)y

Please wait...

Connect to ftp server 10.6.30.218 ...
Get config file from ftp server OK.
The configuration was encrypted with a private encryption key that does not match
the current in-use private encryption key.
Command fail. Return code -911

FortiGate-VM64-AWS (Interim)# conf sys global
FortiGate-VM64-AWS (global) (Interim)# set private-data-encryption disable
FortiGate-VM64-AWS (global) (Interim)# end
FortiGate-VM64-AWS (Interim)# conf sys global
FortiGate-VM64-AWS (global) (Interim)# set private-data-encryption enable
FortiGate-VM64-AWS (global) (Interim)# end
Please type your private data encryption key (32 hexadecimal numbers):
1234567890abcdef1234567890abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
1234567890abcdef1234567890abcdef
Your private data encryption key is accepted.

FortiGate-VM64-AWS (Interim)# exec restore config ftp FGTAWSHZY4GDAGF8_7-6_3433_202410081451.conf 10.6.30.218 root xxxxxx
This operation will overwrite the current setting and could possibly reboot the system!
Do you want to continue? (y/n)y
Please wait...
Connect to ftp server 10.6.30.218 ...
Get config file from ftp server OK.
File check OK.

FortiGate-VM64-AWS (Interim)#
The system is going down NOW !!
Please stand by while rebooting the system.
Restarting system

4. If you enabled private data encryption, confirm that the FortiGate-VM configuration file has the
private-encryption-key field:
[ec2-user@MY-AWSLINUX ~]$ more FGTAWSHZY4GDAGF8_7-6_3433_202410081451.conf
#config-version=FGVMA6-7.6.1-FW-build3433-241007:opmode=0:vdom=0:user=admin
#conf_file_ver=346174364138168
#buildno=3433
#global_vdom=1
#private-encryption-key=Whoxar8K7iFQgA9TIt4sLq/wYeM=
config system global
set alias "FGTAWSHZY4GDAGF8"
set allow-traffic-redirect disable
set gui-auto-upgrade-setup-warning disable
set hostname "FGTAWSHZY4GDAGF8"
set ipv6-allow-traffic-redirect disable
set private-data-encryption enable
set timezone "US/Pacific"
end
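
As an added pre-flight check, not part of the original guide, the following Python script reads the header of a FortiOS backup like the one above and predicts the two restore failures shown earlier (return codes -910 and -911) by comparing it with a fresh backup taken from the target FortiGate. It assumes, which the page does not state, that two FortiGates configured with the same private data encryption key write the same #private-encryption-key fingerprint; the two target headers are constructed, and the second one's fingerprint is a placeholder.

```python
import re
from typing import Dict, List

# Header of the encrypted backup shown in step 4 above (only the lines needed here).
BACKUP_ENCRYPTED = """\
#config-version=FGVMA6-7.6.1-FW-build3433-241007:opmode=0:vdom=0:user=admin
#conf_file_ver=346174364138168
#buildno=3433
#global_vdom=1
#private-encryption-key=Whoxar8K7iFQgA9TIt4sLq/wYeM=
config system global
    set hostname "FGTAWSHZY4GDAGF8"
    set private-data-encryption enable
end
"""

# Constructed: fresh backup from a target that has private-data-encryption disabled
# (no #private-encryption-key line), as after the factory reset shown above.
TARGET_NO_PDE = """\
#config-version=FGVMA6-7.6.1-FW-build3433-241007:opmode=0:vdom=0:user=admin
#buildno=3433
#global_vdom=1
config system global
    set hostname "FortiGate-VM64-AWS"
end
"""

# Constructed: fresh backup from a target where PDE was enabled with a different key.
# The fingerprint value is a placeholder, not a real FortiOS value.
TARGET_OTHER_KEY = """\
#config-version=FGVMA6-7.6.1-FW-build3433-241007:opmode=0:vdom=0:user=admin
#buildno=3433
#global_vdom=1
#private-encryption-key=PLACEHOLDER-FINGERPRINT-OF-ANOTHER-KEY=
config system global
    set hostname "FortiGate-VM64-AWS"
    set private-data-encryption enable
end
"""

HEADER_RE = re.compile(r"^#([A-Za-z0-9_-]+)=(.*)$")


def parse_header(config_text: str) -> Dict[str, str]:
    """Return the '#key=value' lines that precede the first config block."""
    header: Dict[str, str] = {}
    for line in config_text.splitlines():
        match = HEADER_RE.match(line)
        if not match:
            break  # first line that is not a header: the configuration body starts
        header[match.group(1)] = match.group(2)
    return header


def is_private_key_encrypted(config_text: str) -> bool:
    """True when the backup carries the private-encryption-key field from step 4."""
    return "private-encryption-key" in parse_header(config_text)


def restore_preflight(backup_text: str, target_text: str) -> List[str]:
    """Predict the failures 'execute restore config' reported above.

    target_text is a backup taken from the FortiGate that will receive the
    restore. Assumption: equal private data encryption keys produce equal
    #private-encryption-key fingerprints.
    """
    backup, target = parse_header(backup_text), parse_header(target_text)
    findings: List[str] = []
    if backup.get("buildno") != target.get("buildno"):
        findings.append(
            f"build mismatch: backup build {backup.get('buildno')}, "
            f"target build {target.get('buildno')}"
        )
    backup_key = backup.get("private-encryption-key")
    target_key = target.get("private-encryption-key")
    if backup_key and not target_key:
        findings.append("-910: backup is encrypted with a private key but "
                        "private-data-encryption is not enabled on the target")
    elif backup_key and target_key and backup_key != target_key:
        findings.append("-911: backup key does not match the key in use on the target")
    return findings


if __name__ == "__main__":
    for name, target in (("no PDE", TARGET_NO_PDE), ("other key", TARGET_OTHER_KEY),
                         ("same key", BACKUP_ENCRYPTED)):
        print(name, "->", restore_preflight(BACKUP_ENCRYPTED, target) or ["OK"])
```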

AWS SDN connector IPv6 address object support - 7.6.1

AWS SDN connectors support IPv6 address objects.

GCP C4 Intel instance support - 7.6.1

FortiOS 7.6.1 and later versions support the GCP C4 Intel instance family. See Machine type support.

FortiGate-VM GDC V support - 7.6.1

FortiGate-VM supports the Google Distributed Cloud Virtual (GDC V) environment. The example deploys a KVM build of
the FortiGate-VM into a GDC environment. The GDC V runs on a cluster of Ubuntu VMs.

The following diagram depicts traffic sent from the client through the FortiGate-VM to the internet:

The document divides the configuration into two procedures:

• Configuring the GDC V environment. See To configure the GDC V environment: on page 640.
• Deploying and configuring the FortiGate-VM. See To deploy and configure the FortiGate-VM: on page 646.

To configure the GDC V environment:

1. Create four Ubuntu VMs as Plan for a basic installation on your hardware describes.
2. Create the admin and user clusters on top of the four VM nodes as Create basic clusters describes. The following
shows the example values for the information that you must gather before creating the clusters:

Information (with example value)

Basic cluster information

Name of the admin cluster you are creating. The location and naming of cluster artifacts on the admin workstation are based on the cluster name. The cluster namespace is derived from the cluster name.
    Example value: admincluster

Name of the user cluster you are creating. The location and naming of cluster artifacts on the admin workstation are based on the cluster name. The cluster namespace is derived from the cluster name.
    Example value: usercluster

bmctl version that you downloaded.
    Example value: 1.30.100-gke.96

Account information

Path to the SSH private key file on your admin workstation. By default, the path is /home/USERNAME/.ssh/id_rsa.
    Example value: /home/aturner/.ssh/id_rsa

ID of the Google Cloud project that you want to use for connecting your cluster to Google Cloud and viewing logs and metrics. This project is also referred to as the fleet host project.
    Example value: dev-project-001-166400

The email address that is associated with your Google Cloud account. For example: [email protected].
    Example value: [email protected]

Node machine IP addresses

One IP address for the admin cluster control plane node.
    Example value: 172.16.200.71

One IP address for the user cluster control plane node.
    Example value: 172.16.200.72

One IP address for the user cluster worker node.
    Example value: 172.16.200.73

VIP addresses

VIP for the Kubernetes API server of the admin cluster.
    Example value: 172.16.200.74

VIP for the Kubernetes API server of the user cluster.
    Example value: 172.16.200.75

One VIP to use as the external address for the ingress proxy.
    Example value: 172.16.200.76

Range of ten IP addresses for use as external IP addresses for Services of type LoadBalancer. Notice that this range includes the ingress VIP, which is required by MetalLB. No other IP addresses can overlap this range.
    Example value: 172.16.200.76-172.16.200.86

Pod and Service CIDRs

Range of IP addresses in CIDR block notation for use by Pods on the admin cluster. The recommended starting value, which is pre-filled in the generated cluster configuration file, is 192.168.0.0/16.
    Example value: 192.168.0.0/16

Range of IP addresses in CIDR block notation for use by Services on the admin cluster. The recommended starting value, which is pre-filled in the generated cluster configuration file, is 10.96.0.0/20.
    Example value: 10.96.0.0/20

Range of IP addresses in CIDR block notation for use by Pods on the user cluster. The recommended starting value, which is pre-filled in the generated cluster configuration file and is the default value in the console, is 192.168.0.0/16.
    Example value: 192.168.0.0/16

Range of IP addresses in CIDR block notation for use by Services on the user cluster. The recommended starting value, which is pre-filled in the generated cluster configuration file and is the default value in the console, is 10.96.0.0/20.
    Example value: 10.96.0.0/20

3. In Google Cloud, go to Clusters. Select the clusters that you created and confirm that you can see the clusters
connected on Google Kubernetes Engine (GKE).

4. To enable multiple NICs for a pod or VM, you must enable it in usercluster.yaml as Configure multiple network
interfaces for Pods describes, specifically to include the following:
apiVersion: v1
multipleNetworkInterfaces: true
enableDataplaneV2: true

5. On the admin workstation, run the following to enable vmruntime on the user cluster to allow VM virtualization:
bmctl enable vmruntime --kubeconfig bmctl-workspace/usercluster/usercluster-kubeconfig

6. Create a separate yaml file to create the NetworkAttachmentDefinition (NAD) based on the following yaml. This
creates a network definition that you can attach to pods or the FortiGate-VM so that they can communicate on the
same internal subnet:
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: test-bridge
spec:
  config: '{ "cniVersion": "0.3.1", "type": "bridge", "bridge": "br0", "ipam": { "type": "host-local", "subnet": "172.16.1.0/24" } }'

7. Create the DataVolume for the FortiGate-VM in a separate yaml file. You must download the qcow2 file from the
KVM FortiGate-VM image from the Fortinet Support site and place it in an accessible location for the image creation
to succeed:
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: "fgt-boot-dv"
spec:
  source:
    http:
      url: "https://alextestbucket.s3.ap-southeast-1.amazonaws.com/fos3401.qcow2" # S3 or GCS
  pvc:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: "5000Mi"

8. Create the FortiGate-VM for KVM instance using the boot disk created in step 7 and a secondary interface. The
interface configuration in this yaml file uses multus=test-bridge, which is defined in step 6, for eth1, and the
default network name bridge for eth0, which is a system default and must not be changed in this configuration file.
apiVersion: vm.cluster.gke.io/v1
kind: VirtualMachine
metadata:
  creationTimestamp: null
  labels:
    kubevirt/vm: fgt
  name: fgt
  namespace: default
spec:
  compute:
    cpu:
      vcpus: 2
    memory:
      capacity: 4Gi
  disks:
    - boot: true
      driver: virtio
      virtualMachineDiskName: fgt-boot-dv
  guestEnvironment: {}
  interfaces:
    - default: true
      name: eth0
      networkName: bridge
    - name: eth1
      networkName: multus=test-bridge
  osType: Linux
status: {}

9. Create an SSH server on a pod or container by creating a yaml file as follows:
apiVersion: v1
kind: Pod
metadata:
  name: ssh-pod
  labels:
    app: ssh-server
  annotations:
    k8s.v1.cni.cncf.io/networks: test-bridge
spec:
  containers:
    - name: ssh-server
      image: ubuntu:20.04
      command:
        - /bin/bash
        - -c
        - |
          apt-get update && \
          apt-get install -y openssh-server && \
          mkdir -p /run/sshd && \
          echo 'root:Fortinet123#' | chpasswd && \
          echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config && \
          echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config && \
          service ssh start && \
          while true; do sleep 3600; done
      ports:
        - containerPort: 22
      securityContext:
        privileged: true # Needed for sshd
---
apiVersion: v1
kind: Service
metadata:
  name: ssh-service
spec:
  type: NodePort
  selector:
    app: ssh-server
  ports:
    - port: 22
      targetPort: 22
      nodePort: 30022 # You can change this port. If you change it, you must specify the port number on your SSH connection string. For example: ssh [email protected] -p 30022

10. From the admin workstation instance, apply the yaml files created in steps 6 through 9 using kubectl apply -f
example.yaml. Applying the yaml files creates the resources that the files define.
11. From the admin workstation instance, use kubectl get vmi to confirm that the VMs are visible and running, and
that you can reach them from the worker node through their pod-network IP address:
aturner@adminworkstation:~$ kubectl get vmi
NAME AGE PHASE IP NODENAME
ssh-pod 1/1 Running 0 8d
virt-launcher-fgt-6d5nh 2/2 Running 0 8d

aturner@userclusterworkernode:~$ ping 192.168.2.202


PING 192.168.2.202 (192.168.2.202) 56(84) bytes of data.
64 bytes from 192.168.2.202: icmp_seq=1 ttl=254 time=0.650 ms
^C
--- 192.168.2.202 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.650/0.650/0.650/0.000 ms
aturner@userclusterworkernode:~$ ping 192.168.2.29
PING 192.168.2.29 (192.168.2.29) 56(84) bytes of data.
64 bytes from 192.168.2.29: icmp_seq=1 ttl=63 time=0.438 ms
^C
--- 192.168.2.29 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.438/0.438/0.438/0.000 ms
aturner@userclusterworkernode:~$ ssh [email protected]
[email protected]'s password:
FGVM08TM... # get sys stat
Version: FortiGate-VM64-KVM v7.6.0,build3401,240724 (GA.F)
First GA patch build date: 240724
Security Level: 2
Firmware Signature: certified
Virus-DB: 92.08924(2024-11-19 16:31)
Extended DB: 92.08924(2024-11-19 16:30)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 3.01796(2024-11-19 15:50)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)
Proxy-APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 24.00111(2024-11-06 13:20)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.01014(2024-07-02 21:57)
Serial-Number: FGVM08TM...
License Status: Valid
License Expiration Date: 2025-08-24
VM Resources: 2 CPU/8 allowed, 3946 MB RAM
Log hard disk: Not available
Hostname: FGVM08TM...
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 3401
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue Nov 19 17:07:49 2024
Last reboot reason: warm reboot
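
As an added example, not part of the original guide, the following Python validator applies the address-plan constraints that the table in step 2 states (the ingress VIP must fall inside the LoadBalancer range, no node IP or API VIP may overlap that range, and the Pod, Service, node and NAD bridge networks must not overlap) to the example values above. It assumes a /24 node subnet (172.16.200.0/24) derived from the host addresses, and takes the NAD bridge subnet 172.16.1.0/24 from step 6; both are assumptions for the overlap checks.

```python
import ipaddress
from itertools import combinations
from typing import Any, Dict, List

# Constructed from the example values in the table above. The node subnet
# (172.16.200.0/24, assumed from the host addresses) and the NAD bridge subnet
# from step 6 (172.16.1.0/24) are included so that overlaps can be checked.
EXAMPLE_PLAN: Dict[str, Any] = {
    "node_ips": ["172.16.200.71", "172.16.200.72", "172.16.200.73"],
    "api_vips": ["172.16.200.74", "172.16.200.75"],
    "ingress_vip": "172.16.200.76",
    "lb_range": ("172.16.200.76", "172.16.200.86"),
    "node_subnet": "172.16.200.0/24",
    "pod_cidr": "192.168.0.0/16",
    "service_cidr": "10.96.0.0/20",
    "nad_subnet": "172.16.1.0/24",
}


def expand_range(first: str, last: str) -> List[ipaddress.IPv4Address]:
    """Expand an inclusive 'first-last' LoadBalancer range into single addresses."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"range end {last} is before start {first}")
    return [start + i for i in range(int(end) - int(start) + 1)]


def validate_plan(plan: Dict[str, Any]) -> List[str]:
    """Check the constraints the table states; an empty list means the plan passes."""
    problems: List[str] = []
    lb_pool = set(expand_range(*plan["lb_range"]))
    node_net = ipaddress.ip_network(plan["node_subnet"])
    hosts = {ip: "node" for ip in plan["node_ips"]}
    hosts.update({ip: "API VIP" for ip in plan["api_vips"]})
    ingress = ipaddress.ip_address(plan["ingress_vip"])

    # MetalLB requires the ingress VIP to be inside the LoadBalancer range.
    if ingress not in lb_pool:
        problems.append(f"ingress VIP {ingress} is outside the LoadBalancer range")
    # No other address may overlap the LoadBalancer range.
    for ip, role in hosts.items():
        if ipaddress.ip_address(ip) in lb_pool:
            problems.append(f"{role} {ip} overlaps the LoadBalancer range")
    # Every host address and the whole pool must live on the node subnet.
    for ip in list(hosts) + [str(a) for a in lb_pool]:
        if ipaddress.ip_address(ip) not in node_net:
            problems.append(f"{ip} is not inside node subnet {node_net}")
    # Node, Pod, Service and NAD bridge networks must not overlap each other.
    nets = {k: ipaddress.ip_network(plan[k])
            for k in ("node_subnet", "pod_cidr", "service_cidr", "nad_subnet")}
    for (name_a, net_a), (name_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    # Node IPs and VIPs must be distinct addresses.
    all_hosts = list(hosts) + [str(ingress)]
    if len(set(all_hosts)) != len(all_hosts):
        problems.append("duplicate node or VIP address in plan")
    return problems


if __name__ == "__main__":
    print(validate_plan(EXAMPLE_PLAN) or ["plan OK"])
```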

To deploy and configure the FortiGate-VM:

The test environment uses an SSH session to access the SSH server pod or container and, through that session, triggers
an EICAR test file download that flows through the FortiGate and triggers UTM processing through a firewall policy.
1. Upload a license to the FortiGate-VM:
FortiGate-VM64-KVM # execute restore vmlicense ftp workingfolder/FGVM08TM....lic ...86.126 **omitted**
This operation will overwrite the current VM license and reboot the system!
Do you want to continue? (y/n)y

Please wait...

Connect to ftp server ...86.126 ...
Get VM license from ftp server OK.
VM license install succeeded. Rebooting firewall.

2. The primary interface obtains its IP address using DHCP. Therefore, the NAD is the only address that you must
configure. Configure the IP address in FortiOS and on the Ubuntu pod using the IP address that the NAD provides:
kubectl describe vmi fgt
...
Ip Address: 172.16.1.250
Ip Addresses:
172.16.1.250
...
FGVM08TM24003117 (port2) # show
config system interface
edit "port2"
set vdom "root"
set ip 172.16.1.250 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
set type physical
set snmp-index 2
set mtu-override enable
next
end
FGVM08TM24003117 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.3.33, port1, [1/0]
C 172.16.1.0/24 is directly connected, port2
C 192.168.2.202/32 is directly connected, port1
S 192.168.3.33/32 [5/0] is directly connected, port1, [1/0]

3. Configure a firewall policy with unified threat management (UTM) and an antivirus (AV) profile:
config firewall policy
edit 1
set uuid 2864e7e4-a6d7-51ef-cc59-2a9e5ff5a48e
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set av-profile "default"
set nat enable
next
end

4. Configure the Ubuntu server with the route pointing to the FortiGate port2 address. In the example, the server IP
address is ...86.126:
root@ssh-pod:~# ip route show
default via 192.168.3.33 dev eth0 mtu 1450
...86.126 via 172.16.1.250 dev net1
172.16.1.0/24 dev net1 proto kernel scope link src 172.16.1.253
192.168.3.33 dev eth0 scope link
root@ssh-pod:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: net1@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 2a:a9:65:6f:1c:bc brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.16.1.253/24 brd 172.16.1.255 scope global net1
valid_lft forever preferred_lft forever
inet6 fe80::28a9:65ff:fe6f:1cbc/64 scope link
valid_lft forever preferred_lft forever
67: eth0@if68: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether be:d5:28:86:c2:27 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.3.179/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::bcd5:28ff:fe86:c227/64 scope link
valid_lft forever preferred_lft forever

5. To test the configuration, use cURL to attempt to download an EICAR test file to the server. Confirm that the UTM
and AV features are active and block the download of the EICAR file:
root@ssh-pod:~# curl http://...86.126/samplevirus/eicar.txt
<!DOCTYPE html>
<html lang="en">
**omitted**
<h1>High Security Alert</h1>
<p>You are not permitted to download the file "eicar.txt" because it is infected
with the virus "EICAR_TEST_FILE".</p>
<table><tbody>
<tr>
<td>URL</td>
<td>http://...86.126/samplevirus/eicar.txt</td>
</tr>
<tr>
<td>Quarantined File Name</td>
<td></td>
</tr>
<tr>
<td>Reference URL</td>
<td><a href="https://fortiguard.com/encyclopedia/virus/2172">https://fortiguard.com/encyclopedia/virus/2172</A></td>
</tr>
</tbody></table>
</div></body>
</html>

OCI SDN connector IPv6 address object support - 7.6.1

OCI SDN connectors support IPv6 address objects.

GCP SDN connector IPv6 address object support - 7.6.1

GCP SDN connectors support IPv6 address objects.

Support for Azure upcoming MANA NIC - 7.6.1

FortiOS 7.6.1 supports the use of MLX5/4 and the upcoming MANA NIC on Azure Dv6/Ev6 instance types.

Azure SDN connector IPv6 address object support - 7.6.1

Azure SDN connectors support IPv6 address objects.

FGT_VM64_KVM IPsec performance improvement through virtio and RPS - 7.6.1

Improvements have been made for FGT_VM64_KVM IPsec performance by enhancing virtio and optimizing RPS.

FGT_VM64_KVM IPsec performance through DPDK improvement - 7.6.1

Improvements have been made for FGT_VM64_KVM IPsec performance through DPDK.

FortiGate-VM config system affinity-packet-redistribution optimization - 7.6.1

The default config system affinity-packet-redistribution setting for FortiGate-VM has been optimized to
simplify the configuration procedure.

OCI support for on-premise solutions - 7.6.1

FortiOS 7.6.1 supports on-premise solutions for OCI that include the following:
• Dedicated Region (DRCC). See Dedicated Region.
• Cloud @ Customer and X9. See Oracle Private Cloud Appliance.

AliCloud GWLB support - 7.6.1

FortiOS supports AliCloud gateway load balancer (GWLB). See What is GWLB?.

AliCloud ecs.g8i instance type support - 7.6.3

FortiOS supports the ecs.g8i instance type on AliCloud. See Instance type support.

Operational Technology

This section includes information about Operational Technology related new features:
• System on page 650

System

This section includes information about system related Operational Technology new features:
• CLI to configure FGR-70F/FGR-70F-3G4G GPIO/DIO module alarm functionality 7.6.1 on page 650
• SNMP traps and automation-stitch notifications for DIO module alarm functionality 7.6.1 on page 652
• Support Ethernet layer protocols in the IPS engine 7.6.3 on page 654

CLI to configure FGR-70F/FGR-70F-3G4G GPIO/DIO module alarm functionality - 7.6.1

FortiGate Rugged 70F and FortiGate Rugged 70F-3G4G include a general purpose input output (GPIO) module, also
known as a digital I/O (DIO) module. This module activates a digital output when triggered by a change in any digital
input. For example, the digital input can be connected to a cabinet door to monitor the open/close status or low/high
voltage status, and the output can be connected to a buzzer. When the DIO module detects a change from open to
closed or a voltage change from low to high, it triggers the buzzer.
New CLI for configuring DIO module alarms is available only on FortiGate Rugged 70F and FortiGate Rugged 70F-
3G4G devices.
A new config system digital-io command is available to configure the input status for the DIO module to
monitor:
config system digital-io
set input1-detection-mode {default | voltage}
set input2-detection-mode {default | voltage}
set output-keep-last-state {enable | disable}
end

set input1-detection-mode {default | voltage}    Configure the input mode:
    • default: Detect change from open to closed or closed to open.
    • voltage: Detect change from low to high voltage or high to low voltage.
set output-keep-last-state {enable | disable}    Enable/disable FortiGate to keep the alarm status after a reboot.

A new execute digital-io set-output command is available to configure the output mode when an alarm is
triggered, namely, the state of the normally closed to common (NC_COM) output and the normally open to common (NO_
COM) output:
# execute digital-io set-output
alternating    Alternates between default and opposite.
default        NC_COM=closed and NO_COM=open.
opposite       NC_COM=open and NO_COM=closed.

A new diagnose sys digital-io state command is available to check the input and output status reported by
the DIO module:
# diagnose sys digital-io state
Input1: mode=default(open/closed) and state=open.
Input2: mode=voltage(low/high) and state=low.
Output: state=default, NO_COM=open, and NC_COM=closed.
output-keep-last-state: enable

New commands are also available to trigger SNMP traps and automation stitches for the DIO module. See SNMP traps
and automation-stitch notifications for DIO module alarm functionality 7.6.1 on page 652 for more information.
For more information about the DIO module, see the FortiGate Rugged 70F Series QuickStart Guide and the Technical
Tip: Overview of the Digital Input/Output (DIO) Module in FortiGate Rugged 70F Series community article.

Example

In this example, a FortiGate Rugged 70F is configured to monitor the open/close and low/high voltage status of a cabinet
door, and the output is connected to a buzzer. When the status of the cabinet door changes, FortiGate triggers the
buzzer.

To configure the DIO module alarm:

1. Configure the input-detection mode:
In this example, the input-detection mode for input1 is set to default and input2 is set to voltage, and the last
output state is retained if FortiGate reboots.
config system digital-io
set input1-detection-mode default
set input2-detection-mode voltage
set output-keep-last-state enable
end

2. Configure the output mode:
In this example, the output is set to default. When triggered, the output is in the default state: the normally open
to common (NO_COM) output is open, and the normally closed to common (NC_COM) output is closed. The output is
triggered when the DIO module detects a change in the status of the inputs or detects an alarm event.
# execute digital-io set-output default

3. View the input/output status being reported by the DIO module:
In this example, the default state of Input1 is open, and the default state of Input2 is low voltage, which means
the cabinet door is open, and the voltage is low.
# diagnose sys digital-io state
Input1: mode=default(open/closed), state=open
Input2: mode=voltage(low/high), state=low
Output: state=default, NO_COM=open, NC_COM=closed
output-keep-last-state: enable

4. Close the cabinet door.
5. View the input/output status being reported by the DIO module:
The state of Input1 has changed to closed, and the state of Input2 has changed to high voltage.
# diagnose sys digital-io state
Input1: mode=default(open/closed), state=closed
Input2: mode=voltage(low/high), state=high
Output: state=default, NO_COM=open, NC_COM=closed
output-keep-last-state: enable

The change in state triggers the buzzer.

SNMP traps and automation-stitch notifications for DIO module alarm functionality - 7.6.1

FortiGate Rugged 70F and FortiGate Rugged 70F-3G4G include a general purpose input output (GPIO) module, also
known as a digital I/O (DIO) module. The module supports SNMP traps and automation-stitch notifications when DIO
module alarm functionality is activated. The DIO module raises an alarm when it detects a change in any digital input,
and the digital output is activated. Notifications depend on the config system digital-io and execute digital-io
set-output settings that were configured before the event. See CLI to configure FGR-70F/FGR-70F-3G4G GPIO/DIO
module alarm functionality 7.6.1 on page 650 for more information.
The new CLI for configuring SNMP traps and automation-stitch notifications is available only on FortiGate Rugged 70F
and FortiGate Rugged 70F-3G4G devices.
The config system automation-condition command includes new options:
config system automation-condition
    edit <name>
        set condition-type input
        set input-state {open|close}
    next
end

set condition-type input
    Set the condition type to input for the DIO module on the FortiGate Rugged 70F series.
set input-state {open|close}
    Set the input state that satisfies the condition:
    - open: the input switch is open.
    - close: the input switch is closed.

The config system snmp community command includes a new option:
config system snmp community
    edit <id>
        set events dio
    next
end

set events dio
    Enable the SNMP trap event for the DIO module of the FortiGate Rugged 70F series. When enabled, system events
    are also logged.


For more information about the DIO module, see the FortiGate Rugged 70F Series QuickStart Guide and the Technical
Tip: Overview of the Digital Input/Output (DIO) Module in FortiGate Rugged 70F Series community article.

Example

In this example, a FortiGate Rugged 70F is configured to monitor the open/closed status of a cabinet door, and the output
is connected to a buzzer. An automation stitch and an SNMP trap are also configured.
When the status of the cabinet door changes from open to closed or from closed to open, the FortiGate triggers the
buzzer, the automation stitch, and the SNMP trap. A system event is also logged when the SNMP trap is sent.

Before you configure automation stitches and SNMP traps for DIO module alarms, you must configure the alarms using
the config system digital-io and execute digital-io set-output settings. See CLI to configure FGR-70F/FGR-70F-3G4G
GPIO/DIO module alarm functionality 7.6.1 on page 650 for more information.

To configure an automation stitch for DIO module alarms:

1. Configure an automation-stitch condition for when the DIO module detects an input state of open:
In this example, the condition type is set to input, and the input state is set to open.
config system automation-condition
    edit "Cabinet-Open"
        set description "Cabinet open"
        set condition-type input
        set input-state open
    next
end

2. Configure an automation-stitch trigger:
config system automation-trigger
    edit "DIO-trigger"
        set description "DIO-trigger"
    next
end

3. Configure a stitch that uses the condition to trigger an action, such as an email notification:
In this example, the automation stitch uses the previously configured trigger (DIO-trigger) and condition
(Cabinet-Open) to trigger an email notification.
config system automation-stitch
    edit "dio"
        set description "DIO-stitch"
        set trigger "DIO-trigger"
        set condition "Cabinet-Open"
        config actions
            edit 1
                set action "Email Notification"
                set required enable
            next
        end
    next
end

To configure an SNMP trap for DIO module alarms:

1. Configure a DIO module event in an SNMP community:
With set events dio configured, SNMP traps are sent for DIO module alarms.
config system snmp community
    edit 1
        set name "DIO_TEST"
        config hosts
            edit 1
                set ip 172.16.200.55 255.255.255.255
            next
        end
        set events dio
    next
end

Results:

When the cabinet door being monitored by the DIO module opens unexpectedly, the FortiGate sends a DIO SNMP trap to
the configured host (172.16.200.55) and also writes a system event log:
9: date=2024-11-18 time=17:26:13 eventtime=1731979573581176380 tz="-0800" logid="0100022907" type="event"
subtype="system" level="notice" vd="root" logdesc="Digital-IO input state change" connector="input_IN1_REF"
mode="default" state="open" msg="The state of IN1_REF terminals has changed from closed to open"

Because the Cabinet-Open condition is satisfied, opening the cabinet door also triggers the email notification
configured in the automation stitch.

Support Ethernet layer protocols in the IPS engine - 7.6.3

This information is also available in the FortiOS 7.6 Administration Guide:
- Support Ethernet layer protocols in the IPS engine

The IPS engine has been enhanced to detect industrial Ethernet (layer 2) protocols such as LLDP, GOOSE, EtherCAT, and
PROFINET RT. Device detection can now identify and log Ethernet devices from their L2 protocol traffic, and an IPS
sensor can detect the Ethernet protocol and log the traffic.
Custom signature rules have been extended with three new rule options: ethertype, mac_src, and mac_dst. The L2 protocol
that a custom signature matches is specified by the administrator as the protocol's EtherType, in hexadecimal, in the
ethertype option.
In Examples 2 and 3 below, the ethertype value 0x88cc is used to detect LLDP traffic. Note that the logs report the
EtherType in decimal: ethertype=35020 is 0x88cc.
The following examples are explored:
- Example 1: Ethernet protocol device detection on the interface on page 655
- Example 2: Ethernet protocol detection with custom IPS signatures on the interface policy on page 656
- Example 3: Ethernet protocol detection with custom IPS signatures on the sniffer policy on page 657

Example 1: Ethernet protocol device detection on the interface

Device detection requires new signatures included in both the IoT Detection package and OT
Detection package, which will be available in future FortiGuard updates.

In this example, the IPS engine detects Ethernet devices, such as those using the LLDP protocol, which contains device
information.

To apply Ethernet protocol device detection on the interface:

1. Enable device detection and passive gathering of identity information about the host:
config system interface
    edit "port15"
        set vdom "root"
        set type physical
        set device-identification enable
        set snmp-index 17
    next
end

2. Apply the interface to a firewall interface policy:
config firewall interface-policy
    edit 1
        set interface "port15"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
3. Generate traffic from the client.

4. Review the application control log for device detection of the Ethernet protocol LLDP:
# diagnose log filter category 4
# diagnose log display
1: date=2025-03-20 time=18:46:52 eventtime=1742521612517801102 tz="-0700" logid="1059028738" type="utm"
subtype="app-ctrl" eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf"
dstmac="e0:23:ff:83:2d:2d" appid=10008004 srcintf="port15" srcintfrole="undefined" dstintf="port15"
dstintfrole="undefined" policyid=1 poluuid="c5ed61a0-0445-51f0-1e08-ea9d568326bd" policytype="interface-policy"
action="pass" appcat="IoT" app="LLDP.Device.Test" msg="IoT: LLDP.Device.Test" clouddevice="Vendor=HP,
Product=ProCurve Swtich, Model=ProCurve Swtich 2600-8-PWR, Version=H.08.89" apprisk="low"

The ethertype field has been added to the device detection log, and the srcmac and dstmac fields take the place of
the source and destination IP addresses. These three fields are not present in regular application control logs.

Example 2: Ethernet protocol detection with custom IPS signatures on the interface policy

In this example, the IPS sensor detects Ethernet protocols by matching signatures in the NIDS database or
custom-defined signatures.

To apply Ethernet protocol detection with custom IPS signatures on the interface policy:

1. Create a custom signature for the LLDP protocol with the source and destination MAC addresses defined:
config ips custom
    edit "LLDP-test"
        set signature "F-SBID( --attack_id 6312; --name \"LLDP-test-mac\"; --default_action drop; --ethertype 0x88cc; --mac_src 00:0c:29:c6:ae:bf; --mac_dst e0:23:ff:83:2d:2d; --severity high; --status disable; )"
    next
end

2. Create an IPS sensor that includes the custom signature and set its action to pass:
config ips sensor
    edit "l2-test"
        config entries
            edit 1
                set rule 6312
                set status enable
                set action pass
            next
        end
    next
end

The rule value (6312) is the attack_id of the custom signature to add to the sensor.


3. Enable the IPS sensor in a firewall interface policy and apply the new IPS sensor:
config firewall interface-policy
    edit 1
        set interface "port15"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ips-sensor-status enable
        set ips-sensor "l2-test"
    next
end

4. Generate traffic from the client.

5. Review the IPS log for the Ethernet protocol LLDP custom signature:
# diagnose log filter category 4
# diagnose log display
1: date=2025-03-21 time=10:16:03 eventtime=1742577362746522425 tz="-0700" logid="0419016402" type="utm"
subtype="ips" eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf"
dstmac="e0:23:ff:83:2d:2d" srcintf="port15" srcintfrole="undefined" dstintf="port15" dstintfrole="undefined"
policyid=1 poluuid="8fcb4bf0-0675-51f0-fa7a-9fec94e8115c" policytype="interface-policy" action="dropped"
attack="\"LLDP-test\"" attackid=6312 profile="l2-test" incidentserialno=75497498 msg="custom: \"LLDP-test\""
crscore=30 craction=8192 crlevel="high"

A new log ID (0419016402) has been created for the L2 detection logs.

The ethertype field has been added to the IPS log, and the srcmac and dstmac fields take the place of the source and
destination IP addresses. These fields are not present in a regular IPS log.

Example 3: Ethernet protocol detection with custom IPS signatures on the sniffer policy

Ethernet protocol detection is also supported in sniffer policies. In this example, a software switch with SPAN (port
mirroring) enabled copies the traffic to the one-arm sniffer interface.

To apply Ethernet protocol detection with custom IPS signatures on the sniffer policy:

1. Create a software switch with the SPAN source and destination ports configured:
config system switch-interface
    edit "test-sw"
        set vdom "root"
        set member "port2" "port15"
        set span enable
        set span-dest-port "port2"
        set span-source-port "port15"
    next
end

2. Enable one-arm sniffer mode on the destination interface:
config system interface
    edit "port2"
        set vdom "root"
        set ips-sniffer-mode enable
        set type physical
        set snmp-index 4
    next
end


3. Create a custom signature for the LLDP protocol with the source and destination MAC addresses defined:
config ips custom
    edit "LLDP-test"
        set signature "F-SBID( --attack_id 6312; --name \"LLDP-test-mac\"; --default_action drop; --ethertype 0x88cc; --mac_src 00:0c:29:c6:ae:bf; --mac_dst 01:80:c2:00:00:0e; --severity high; --status disable; )"
    next
end

4. Configure the IPS sensor:
config ips sensor
    edit "g-sniffer-profile"
        set comment "Monitor IPS attacks."
        config entries
            edit 2
                set rule 29844
                set status enable
                set action block
            next
            edit 1
                set rule 6312
                set status enable
                set action pass
            next
        end
    next
end

5. Apply the sniffer interface to a firewall sniffer policy:
config firewall sniffer
    edit 1
        set non-ip enable
        set interface "port2"
        set ips-sensor-status enable
        set ips-sensor "g-sniffer-profile"
    next
end

Confirm that non-IP packet sniffing (set non-ip enable) is also enabled. If it is not enabled, L2 traffic
will not be detected.

6. Generate Ethernet traffic and mirror it to the designated interface port.

7. Review the new log for sniffer policy Ethernet protocol detection:
# diagnose log filter category 4
# diagnose log display
1: date=2025-04-14 time=17:28:21 eventtime=1744676901127125507 tz="-0700" logid="0419016402" type="utm"
subtype="ips" eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf"
dstmac="01:80:c2:00:00:0e" srcintf="port2" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined"
policyid=1 poluuid="39650ea6-011e-51f0-c237-d19ed520eaf1" policytype="sniffer" action="detected"
attack="LLDP-test-mac" attackid=6312 profile="g-sniffer-profile" incidentserialno=216006666
msg="custom: LLDP-test-mac" crscore=30 craction=8192 crlevel="high"

Ethernet protocol detection does not support traffic logging; only an IPS log is generated when the sniffer policy
is matched.
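The DIO state-change event log in the previous feature's Results section and the three L2 logs above share the FortiOS
key=value log format. The following Python script is an added example for this guide, not Fortinet code: it parses those
lines, evaluates the DIO log the way an automation-condition of condition-type input / input-state {open|close} would,
decodes the decimal ethertype and the srcmac/dstmac fields of the L2 logs, and checks an IPS log against the F-SBID custom
signature from Example 2 or 3 (the sniffer variant is derived by swapping mac_dst). The sample lines are the guide's own,
trimmed to the fields used. Assumptions: the EtherType names for GOOSE, EtherCAT and PROFINET are the standard
assignments, and the "closed" spelling of the input state in a close-direction log is taken from the diagnose output
shown in the guide.

```python
import re

# key=value tokens: values are double-quoted (may contain spaces and
# backslash-escaped quotes, e.g. attack="\"LLDP-test\"") or bare.
_KV = re.compile(r'(\w+)=("(?:\\.|[^"\\])*"|\S+)')
# "--option value;" pairs inside F-SBID( ... )
_OPT = re.compile(r'--(\w+)\s+([^;]+);')

# Standard EtherType assignments for the protocols the guide names (assumption:
# only 0x88cc appears in the guide's logs).
ETHERTYPES = {0x88CC: "LLDP", 0x88B8: "GOOSE", 0x88A4: "EtherCAT", 0x8892: "PROFINET"}

# Sample log lines from the guide, trimmed to the fields used here.
DIO_LOG = (
    '9: date=2024-11-18 time=17:26:13 tz="-0800" logid="0100022907" type="event" '
    'subtype="system" level="notice" vd="root" logdesc="Digital-IO input state change" '
    'connector="input_IN1_REF" mode="default" state="open" '
    'msg="The state of IN1_REF terminals has changed from closed to open"'
)
APPCTRL_LOG = (
    '1: date=2025-03-20 time=18:46:52 tz="-0700" logid="1059028738" type="utm" '
    'subtype="app-ctrl" eventtype="signature" level="warning" vd="root" ethertype=35020 '
    'srcmac="00:0c:29:c6:ae:bf" dstmac="e0:23:ff:83:2d:2d" appid=10008004 srcintf="port15" '
    'policytype="interface-policy" action="pass" appcat="IoT" app="LLDP.Device.Test" '
    'clouddevice="Vendor=HP, Product=ProCurve Swtich, Model=ProCurve Swtich 2600-8-PWR, '
    'Version=H.08.89" apprisk="low"'
)
IPS_LOG = (
    '1: date=2025-03-21 time=10:16:03 tz="-0700" logid="0419016402" type="utm" subtype="ips" '
    'eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf" '
    'dstmac="e0:23:ff:83:2d:2d" srcintf="port15" policyid=1 policytype="interface-policy" '
    'action="dropped" attack="\\"LLDP-test\\"" attackid=6312 profile="l2-test" crlevel="high"'
)
SNIFFER_LOG = (
    '1: date=2025-04-14 time=17:28:21 tz="-0700" logid="0419016402" type="utm" subtype="ips" '
    'eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf" '
    'dstmac="01:80:c2:00:00:0e" srcintf="port2" policyid=1 policytype="sniffer" '
    'action="detected" attack="LLDP-test-mac" attackid=6312 profile="g-sniffer-profile" crlevel="high"'
)
# The custom signature of Example 2 exactly as typed in the CLI; Example 3 differs only in mac_dst.
SIG_IFPOL = (r'F-SBID( --attack_id 6312; --name \"LLDP-test-mac\"; --default_action drop; '
             r'--ethertype 0x88cc; --mac_src 00:0c:29:c6:ae:bf; --mac_dst e0:23:ff:83:2d:2d; '
             r'--severity high; --status disable; )')
SIG_SNIFFER = SIG_IFPOL.replace("e0:23:ff:83:2d:2d", "01:80:c2:00:00:0e")


def parse_log(line):
    """Return the key=value fields of one FortiOS log line as a dict (quotes removed)."""
    fields = {}
    for key, val in _KV.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def dio_event(line):
    """(connector, state) for a Digital-IO input state-change log (logid 0100022907), else None."""
    rec = parse_log(line)
    if rec.get("logid") != "0100022907":
        return None
    return rec["connector"], rec["state"]


def condition_matches(line, input_state):
    """Emulate 'set condition-type input' + 'set input-state {open|close}'.

    The CLI keyword is 'close' while the device reports the state as 'closed'
    (assumption for logs, taken from the diagnose sys digital-io state output)."""
    event = dio_event(line)
    if event is None:
        return False
    return event[1] == {"open": "open", "close": "closed"}[input_state]


def l2_summary(line):
    """Decode the L2-only fields of an app-ctrl or IPS log, or None for other logs.
    FortiOS logs the EtherType in decimal (35020 == 0x88cc); normalize it to hex."""
    rec = parse_log(line)
    if "ethertype" not in rec:
        return None
    et = int(rec["ethertype"])
    return {
        "ethertype": f"0x{et:04x}",
        "protocol": ETHERTYPES.get(et, "unknown"),
        "srcmac": rec["srcmac"].lower(),
        "dstmac": rec["dstmac"].lower(),
        "action": rec.get("action"),
        "attackid": int(rec["attackid"]) if "attackid" in rec else None,
    }


def parse_fsbid(sig):
    """Split an F-SBID( ... ) signature string into its --option values (CLI escaping removed)."""
    body = sig[sig.index("(") + 1:sig.rindex(")")]
    return {k: v.strip().replace('\\"', '"').strip('"') for k, v in _OPT.findall(body)}


def log_matches_signature(line, sig):
    """True when an L2 IPS log carries the attack_id, ethertype, mac_src and mac_dst of the signature,
    i.e. the log is the one this custom signature would produce."""
    rec, opts = l2_summary(line), parse_fsbid(sig)
    if rec is None or rec["attackid"] is None:
        return False
    return (rec["attackid"] == int(opts["attack_id"])
            and rec["ethertype"] == f"0x{int(opts['ethertype'], 16):04x}"
            and rec["srcmac"] == opts["mac_src"].lower()
            and rec["dstmac"] == opts["mac_dst"].lower())


if __name__ == "__main__":
    print(dio_event(DIO_LOG), condition_matches(DIO_LOG, "open"))
    print(l2_summary(APPCTRL_LOG)["protocol"], parse_fsbid(SIG_IFPOL)["name"])
    print(log_matches_signature(IPS_LOG, SIG_IFPOL), log_matches_signature(SNIFFER_LOG, SIG_IFPOL))
```

Feeding the script a syslog export lets an analyst confirm that a DIO trap or an L2 IPS hit came from the expected
terminal or signature before acting on it; note that the Example 2 log shows action="dropped" while the sensor entry
is set to pass, so the action field, not the sensor configuration, is the authoritative record of what was done.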

Index

The following index lists all new features added to FortiOS 7.6 and allows you to quickly identify the version in
which each feature first became available.
Select a version number to navigate in the index to the new features available for that patch:
- 7.6.0 on page 660
- 7.6.1 on page 664
- 7.6.3 on page 668

7.6.0

GUI

General usability enhancements:
- GUI support for local-in policies on page 13
- GUI support for internet service groups on page 17
- GUI displays logic between firewall policy objects on page 20
- GUI support to create policies in FortiView Sources and traffic logs on page 23
- GUI improvements to device upgrade on page 28
- GUI support for enhanced logging for threat feeds on page 34
- Expanded support for Advanced Threat Protection Statistics widget on page 38
- GUI improvements to the IPsec VPN Wizard on page 40
- GUI improvements to Security Rating on page 55
- GUI support for web proxy forward server over IPv6 on page 57

Network

General:
- Configure the VRRP hello timer in milliseconds on page 74
- FortiGate as a recursive DNS resolver on page 75
- BGP network prefixes utilize firewall addresses and groups on page 81
- Support UDP-Lite traffic on page 83
- Custom LSA refresh rates and fast link-down detection on VLAN interfaces for OSPF on page 87
- Filter NetFlow sampling on page 88
- SOCKS proxy supports UTM scanning, authentication, and forward server on page 92
- Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations on page 96
- Include groups in PIM join/prune messages on page 99
- Automatic LTE connection establishment on page 104
- Netflow sampling on page 105
- Support source-IP interface for system DNS database on page 107

IPv6:
- Recursive resolution of BGP routes using IPv6 prefix with on-link flag from route aggregation on page 154
- DHCPv6 enhancements on page 151
SD-WAN

Overlays and underlays:
- ADVPN 2.0 enhancements on page 170

Performance SLA:
- Embed SLA priorities in ICMP probes on page 196
- Embed SLA status in ICMP probes on page 208

Service rules:
- Allow SD-WAN rules to steer IPv6 multicast traffic on page 236

Policy and objects

NGFW:
- Seven-day policy hit counter on page 246

Policies:
- NPTv6 protocol for IPv6 address translation on page 248
- MAP-E supports multiple VNE interfaces in the same VDOM on page 251
- Full cone NAT for fixed port range IP pools on page 252
- Custom port ranges for PBA and FPR IP pools on page 255
- HTTP transaction logging on page 258
- Support for NAT64 in FPR IP pools on page 263

Zero Trust Network Access

Security posture and EMS connector:
- Share ZTNA information through the EMS connector on page 283

General:
- ZTNA support for UDP traffic on page 293
- ZTNA support for SaaS application access control in the GUI on page 306
- Include EMS tag information in traffic logs on page 308
Security Profiles

Antivirus:
- Sanitize Microsoft OneNote files through content disarm and reconstruction on page 319
- Stream-based antivirus scanning for HTML and Javascript files on page 321

DLP:
- FortiGuard managed DLP dictionaries on page 334

Application control:
- Introducing domain fronting protection on page 339

Others:
- Support the Zstandard compression algorithm for web content on page 348
- DNS filtering in proxy policies on page 351
- DNS translation support for Service records over the DNS Filter profile on page 354
- Control TLS connections that utilize Encrypted Client Hello on page 358

VPN

IPsec and SSL VPN:
- Automatic selection of IPsec tunneling protocol on page 376
- Security posture tag match enforced before dial-up IPsec VPN connection on page 381

User & Authentication

Authentication:
- Customizable password reuse thresholds on page 423
- Trigger RADIUS authentication with DNS and ICMP queries on page 426
- Authentication sessions preserved after a reboot on page 429
- SCIM server support on page 431

LAN Edge

Wireless:
- Support the 802.11mc protocol in FortiAP on page 442
- Support OpenRoaming Standards on FortiAP on page 445
- Support segregating WLAN traffic on FortiAPs operating in WAN-LAN mode on page 447
- Support isolating mDNS traffic on the Bonjour profile on page 450
- Support RADIUS NAS-ID on FortiAPs in standalone mode on page 453
- Improve packet detection on the FortiAP sniffer on page 454
- Support RADSEC on WPA2/WPA3-Enterprise SSID on page 457
- Add GUI support for configuring wireless data rates and sticky client thresholds on page 458
- Support self-registration of MPSKs through FortiGuest on page 461
- Support IKEv2 for FortiAP IPsec data channel management on page 463
- Support WPA3-SAE and WPA3-SAE Transition security modes in MPSK profiles on page 466

Switch Controller:
- Change the priority of MAB and EAP 802.1X authentication on page 483
- Send SNMP traps for MAC address changes on page 488

FortiExtender:
- Support fast failover for FortiExtender on page 498

System

General:
- Restrict local administrator logins through the console on page 521
- Configure TCP NPU session delay globally on page 523
- Object usage included in the print tablesize command output on page 525

FortiGuard:
- Streamline timezone updates with a downloadable database on page 532

High availability:
- Manual and automatic HA virtual MAC address assignment on page 543
- Backup heartbeat interface mitigates split-brain scenarios on page 545
- RSSO authenticated user logon information synchronized between FGSP peers on page 547
- FGSP support for failover with asymmetric traffic and UTM on page 552

Security:
- Encrypt configuration files in the eCryptfs file system on page 560
- Closed network VM license security enhancement on page 561
- OpenSSL FIPS provider installed globally at startup on page 563

SNMP:
- Ethernet Statistics Group on page 568
- Non-management VDOMs perform queries using SNMP v3 on page 569
- SNMP support for BIOS security level on page 570

Security Fabric

Fabric settings and connectors:
- Apply threat feed connectors as source addresses in central SNAT on page 573
- Automatic serial number retrieval from FortiManager on page 577

Log & Report

Logging:
- Logging MAC address flapping events on page 605
- Non-management VDOMs send logs to both global and vdom-override syslog servers on page 606
- Logging message IDs on page 610
- Incorporating endpoint device data in the web filter UTM logs on page 612
- Set the source interface for syslog and NetFlow settings on page 613
- Logging detection of duplicate IPv4 addresses on page 616
- Logging local traffic per local-in policy on page 621
- Logs generated when starting and stopping packet capture and TCP dump operations on page 627

Cloud

Public and private cloud:
- Azure SDN connector relay through FortiManager support on page 631
- IBM Cloud virtual network interface support on page 633
- GCP SDN connector relay through FortiManager support on page 633
- Support the AWS r8g instance family on page 633
- Support the AWS c8g instance family on page 633
- KVM Red Hat Enterprise Linux 9.4 support on page 633
7.6.1

GUI

General usability enhancements:
- GUI support for security posture tags in dial-up IPsec VPN tunnels 7.6.1 on page 59
- CLI diagnostic shortcuts in the GUI 7.6.1 on page 60
- Asset Details pane 7.6.1 on page 61

Network

General:
- Extended VRF ID range for enhanced network scalability 7.6.1 on page 109
- Enhanced PIM support for VRFs 7.6.1 on page 109
- Including denied multicast sessions in the session table 7.6.1 on page 111
- Support specific VRF ID for local-out traffic 7.6.1 on page 112
- Support source IP interface for system DNS 7.6.1 on page 118
- Improvements to IPsec monitoring 7.6.1 on page 119

IPv6:
- Enhancing SIP reliability in 464XLAT environments 7.6.1 on page 156

Explicit and transparent proxy:
- Specifying outgoing interface and VRF for a web proxy forward server or isolator server 7.6.1 on page 163
- Isolator servers in proxy policies 7.6.1 on page 165
SD-WAN

Overlays and underlays:
- ADVPN 2.0 overlay placeholders for shortcuts between spokes 7.6.1 on page 177
- SD-WAN Setup wizard for guided configuration 7.6.1 on page 185

Performance SLA:
- Map SD-WAN member priorities to BGP MED attribute when spoke advertises routes using iBGP to hub 7.6.1 on page 220
- FortiGuard SLA database for SD-WAN performance SLA 7.6.1 on page 226
- Passive monitoring of TCP metrics 7.6.1 on page 230

Service rules:
- Specify SD-WAN zones in some policies 7.6.1 on page 242

Policy and objects

Policies:
- Support for randomized port selection in IP pool mechanisms 7.6.1 on page 266
- Enhanced security with default local-in policy 7.6.1 on page 268
- DHCP-PD support for MAP-E 7.6.1 on page 271

Objects:
- RSSO dynamic address subtype 7.6.1 on page 277
- New ISDB record for SOCaaS 7.6.1 on page 280

Zero Trust Network Access

Application gateway:
- ZTNA agentless web-based application access 7.6.1 on page 283

Security Profiles

Web filter:
- Introduce URL risk-scores in determining policy action 7.6.1 on page 323

Virtual patching:
- Streamline IoT/OT device detection 7.6.1 on page 341
- Unified OT virtual patching and IPS signatures 7.6.1 on page 596

Others:
- Selective forwarding to ICAP server 7.6.1 on page 358

VPN

IPsec and SSL VPN:
- Enhancing security with Post-Quantum Cryptography for IPsec key exchange 7.6.1 on page 385
User & Authentication

Authentication:
- GUI support for SCIM clients 7.6.1 on page 435
- Bearer token authentication for SCIM 7.6.1 on page 439

LAN Edge

Wireless:
- Add Advanced WIDS Options 7.6.1 on page 471
- Support RADSEC on Local Bridge mode captive portals 7.6.1 on page 476
- Add a RADIUS Called Station ID setting 7.6.1 on page 478
- Support remote TACACS access to FortiAP 7.6.1 on page 479
- Support RADIUS Accounting messages over FortiGuest MPSK Authentication 7.6.1 on page 481

Switch Controller:
- Support QinQ with the switch controller 7.6.1 on page 489
- Enhance network performance with VLAN pruning 7.6.1 on page 494

FortiExtender:
- Support VLAN over FortiExtender LAN-extension mode 7.6.1 on page 498
- Support split tunneling in LAN extension mode 7.6.1 on page 506
- Support multiple APNs in WAN extension mode 7.6.1 on page 511
- Support FortiCare registration for FortiExtender 7.6.1 on page 513

System

General:
- Simplified device registration for Security Fabric devices 7.6.1 on page 525
- Firmware upgrade report 7.6.1 on page 527

FortiGuard:
- Streamlined subscription and FortiGuard settings management 7.6.1 on page 533
- FortiGate StateRamp support 7.6.1 on page 536

High availability:
- Monitor routing prefix for FGSP session failover 7.6.1 on page 553
- Single FortiGuard license for FortiGate A-P HA cluster 7.6.1 on page 556

Security:
- Use per-FortiGate generated random password for private-data-encryption 7.6.1 on page 564
- Enhanced administrator password security 7.6.1 on page 565
- BIOS security Low and High level classification 7.6.1 on page 568

Security Fabric

Fabric settings and connectors:
- Support multi-tenant FortiClient Cloud fabric connectors in the GUI 7.6.1 on page 577
- Generic connector for importing addresses 7.6.1 on page 579
- Support mTLS client certification for threat feed connections 7.6.1 on page 586

Security ratings:
- Enhanced security rating customization 7.6.1 on page 593

General:
- Enhanced security visibility for IoT/OT vulnerabilities 7.6.1 on page 600

Cloud

Public and private cloud:
- Azure SDN connector moves private IP address on trusted NIC during A-P HA failover 7.6.1 on page 633
- Support the OCI E5.Flex instance type 7.6.1 on page 634
- Azure SDN connector GraphQL bulk query support 7.6.1 on page 634
- AWS NitroTPM support 7.6.1 on page 634
- AWS SDN connector IPv6 address object support 7.6.1 on page 639
- GCP C4 Intel instance support 7.6.1 on page 639
- FortiGate-VM GDC V support 7.6.1 on page 639
- OCI SDN connector IPv6 address object support 7.6.1 on page 648
- GCP SDN connector IPv6 address object support 7.6.1 on page 648
- Support for Azure upcoming MANA NIC 7.6.1 on page 648
- Azure SDN connector IPv6 address object support 7.6.1 on page 648
- FGT_VM64_KVM IPsec performance improvement through virtio and RPS 7.6.1 on page 649
- FGT_VM64_KVM IPsec performance through DPDK improvement 7.6.1 on page 649
- FortiGate-VM config system affinity-packet-redistribution optimization 7.6.1 on page 649
- OCI support for on-premise solutions 7.6.1 on page 649
- AliCloud GWLB support 7.6.1 on page 649

Operational Technology

System:
- CLI to configure FGR-70F/FGR-70F-3G4G GPIO/DIO module alarm functionality 7.6.1 on page 650
- SNMP traps and automation-stitch notifications for DIO module alarm functionality 7.6.1 on page 652
7.6.3

GUI

General usability enhancements:
- GUI access for global search 7.6.3 on page 68
- GUI warnings for IKE-TCP port conflicts 7.6.3 on page 70
- GUI improvements of PIM support for VRFs 7.6.3 on page 72

Network

General:
- Connectivity Fault Management (CFM) now available for FG-80F-POE and FG-20xF models 7.6.3 on page 123
- Application and network performance monitoring with FortiTelemetry 7.6.3 on page 123
- Fortinet Support Tool for capturing incidents on page 145

Explicit and transparent proxy:
- GUI support of isolator servers for proxy policies 7.6.3 on page 168

SD-WAN

Overlays and underlays:
- Fabric Overlay Orchestrator Topology dashboard widget for hub FortiGates 7.6.3 on page 193

Performance SLA:
- Enhanced passive monitoring of TCP metrics 7.6.3 on page 234

Zero Trust Network Access

General:
- ZTNA single sign-on with Entra ID 7.6.3 on page 308
- ZTNA tags on 2 GB entry-level platforms in IP/MAC-based access control 7.6.3 on page 317

Security Profiles

IPS:
- AI and ML-based IPS detection 7.6.3 on page 331

Others:
- Control TLS connections that utilize Encrypted Client Hello in flow mode 7.6.3 on page 361
- Inline CASB security profile to support control factors in exchanged JSON data for custom SaaS applications 7.6.3 on page 368
VPN

IPsec and Agentless VPN:
- Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3 on page 392
- Agentless VPN 7.6.3 on page 413
- Configure FortiClient SIA for IPsec VPN tunnels 7.6.3 on page 413
- Support Quantum Key Distribution and Digital Signature Algorithm Post-Quantum Cryptography 7.6.3 on page 417

LAN Edge

Switch Controller:
- Provide an enhanced GUI for NAC policies 7.6.3 on page 495
- Support IPv6 addresses for managed FortiSwitch units 7.6.3 on page 496
- Prevent automatically created VLANs 7.6.3 on page 497

FortiExtender:
- Add GUI support for split tunneling in LAN extension mode 7.6.3 on page 514
- Add GUI support for multiple APNs in WAN extension mode 7.6.3 on page 516
- Add GUI support for FortiCare registration for FortiExtender 7.6.3 on page 518

System

General:
- Optimizations for physical FortiGate devices with 2 GB RAM 7.6.3 on page 531

FortiGuard:
- AMQP-powered subscription notifications for FortiGuard 7.6.3 on page 539

Certificates:
- ACME External Account Binding support 7.6.3 on page 557

Security Fabric

Fabric settings and connectors:
- GUI support for mTLS of threat feed connections 7.6.3 on page 587
- Enhancing FortiSandbox TLS security with CA and CN controls 7.6.3 on page 588

Cloud

Public and private cloud:
- AliCloud ecs.g8i instance type support 7.6.3 on page 649
Operational Technology

System:
- Support Ethernet layer protocols in the IPS engine 7.6.3 on page 654

www.fortinet.com

Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
