Feature Brief
FortiGate(TM) Multi-Threat Security System v3.00 MR5
Rev. 1.1, July 20, 2007
Revision History

Revision  Change Description
1.0       Initial release.
1.1       Removed section on Content Archive and AV Quarantine Feature Modification.

Introduction

The FortiOS v3.00 MR5 release of the FortiGate Multi-Threat Security System introduces new features and enhancements. The following is a description of these changes.

Central Management Services

FortiOS v3.00 MR5 enhances the subscription-based services offered by FortiGuard. The new service is called Central Management Services. The service includes the following:

- On-demand FortiOS image upgrade
- Scheduled FortiOS image upgrade
- Configuration file backup and restore with version control

The features are available, with a valid subscription, through the System > Admin page. The features are also provided by FortiManager v3.00 MR5. Please look at the web UI screenshots below. When the Account ID is applied, the Management Services field on the same page is updated with the user's subscription information.
The Account ID in this web UI page is updated automatically from the field in the System > Maintenance > FortiGuard Center page.

Interface Aliases

A name alias can be added to any physical interface. When this is configured, the alias is appended to the end of the interface name in brackets () in each part of the Web UI where it is displayed, such as the System > Network page and the Firewall > Policy page. Please look at the web UI screenshots below.
Disabling Maintainer User for Password Recovery

A CLI-only command has been added that allows the maintainer user to be disabled. Essentially, this means password recovery is disabled. The only way to recover the FortiGate in this scenario is to load the firmware using the TFTP boot process. The CLI commands are shown below.

    config sys global
        set admin-maintainer <enable | disable>
    end

PKI Enhancements

Some additional enhancements to the FortiGate's PKI support have been implemented:

- Creation of local certificates with multiple organisational unit (OU) fields. Up to five are allowed. This is supported in the Web UI, but the CLI only supports one OU.
- Multiple PKI administrators.
- Separate administrative server certificates from user server certificates.
- HTTPS administrative access using PKI only.
- Upon receipt of an invalid client certificate, the Web UI displays a login failure page.

USB Disk Support (Updated for Any USB Flash Memory Key)

FortiOS firmware and configuration files can now be loaded from and saved to any manufacturer's external USB flash memory key. Furthermore, FortiGates can now be configured to automatically upgrade firmware versions and load configurations stored on the USB flash memory key.

Protection Profiles Per Virtual Domain

FortiOS v3.00 MR5 adds support for firewall protection profiles to be configured on a per-virtual-domain basis. Now each VDOM has its own copy of protection profiles. This further means protection profiles are neither shared nor visible across VDOMs.

Multicast Destination NAT in a PIM-SM Environment

The FortiGate now supports NAT of multicast streams; this feature can translate the source address and/or the multicast destination address of the stream. When used in conjunction with PIM-SM, the FortiGate can translate externally received multicast destination addresses to multicast addresses that may be used internally in a private network. The feature can forward NAT'ed or non-NAT'ed multicast packets out of the same egress interface. A loopback interface is required to perform the translation in a PIM-SM environment. This feature can only be configured via the CLI.

Firewall Policy Authentication Enhancement

The authentication method has been enhanced for FortiOS v3.00 MR5. In previous releases, if two or more firewall policies had authentication configured, only one would be used for authentication. For example:

- policy ID 2: internal to DMZ, service = HTTP, authentication = ENABLED
- policy ID 3: internal to DMZ, service = FTP, authentication = ENABLED

If HTTP traffic arrived at the internal port destined for an IP address on WAN1, the FortiGate would prompt for authentication and, upon a successful attempt, the traffic would be allowed through.
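The two-policy scenario above, as an added Python model (not the brief's or Fortinet's code) of the authentication lookup: the pre-MR5 table is keyed on source IP alone, the MR5 table on source IP plus policy ID. The policy tuples, the host address 10.1.1.5 and the decision labels are constructed for this illustration only.

```python
# Added illustration, not Fortinet code: an in-memory model of the firewall
# policy authentication lookup described in the brief. A set stands in for the
# kernel's authentication entries; the two modes differ only in the lookup key.

# Constructed policies mirroring the brief's example: (id, src, dst, service, auth).
POLICIES = (
    (2, "internal", "dmz", "HTTP", True),
    (3, "internal", "dmz", "FTP", True),
)


def match_policy(src_intf, dst_intf, service):
    """Return the first policy matching interfaces and service, else None."""
    for pol in POLICIES:
        if pol[1:4] == (src_intf, dst_intf, service):
            return pol
    return None


class AuthTable:
    """per_policy=False: pre-MR5 lookup keyed on source IP only.
    per_policy=True: MR5 lookup keyed on (source IP, policy ID)."""

    def __init__(self, per_policy):
        self.per_policy = per_policy
        self.entries = set()

    def _key(self, src_ip, policy_id):
        return (src_ip, policy_id) if self.per_policy else (src_ip,)

    def handle(self, src_ip, src_intf, dst_intf, service, login_ok=True):
        """'deny', 'allow' (entry already present, no prompt) or 'prompt'
        (user challenged; a successful login creates the entry)."""
        pol = match_policy(src_intf, dst_intf, service)
        if pol is None:
            return "deny"
        key = self._key(src_ip, pol[0])
        if not pol[4] or key in self.entries:
            return "allow"
        if not login_ok:
            return "deny"
        self.entries.add(key)
        return "prompt"


def scenario(per_policy):
    """HTTP then FTP from one host; returns the two decisions in order."""
    table = AuthTable(per_policy)
    http = table.handle("10.1.1.5", "internal", "dmz", "HTTP")
    ftp = table.handle("10.1.1.5", "internal", "dmz", "FTP")
    return http, ftp
```

scenario(False) returns ('prompt', 'allow'): the FTP flow matched by policy 3 rides on the HTTP login because only the source IP was checked. scenario(True) returns ('prompt', 'prompt'), since the (source IP, policy ID) entry created by the HTTP login does not satisfy the lookup for policy 3.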
When FTP traffic arrived at the internal port destined for an IP address on DMZ, the FortiGate would not prompt for authentication because the authentication was based purely on source IP address.

In FortiOS v3.00 MR5, the authentication lookup is based on source IP address and policy ID. In the example above, when the HTTP traffic arrives at the internal port, the FortiGate creates an entry in the kernel that includes both the source IP address and the policy ID. When the FTP traffic arrives at the internal interface, the FortiGate performs a lookup on the source IP address and the policy ID, which results in no entries being found, and the FortiGate prompts for authentication. The web UI screenshot below demonstrates the configuration of the two policies described above.

IPv6 IPSec

FortiOS v3.00 MR5 introduces IPv6 IPSec interfaces. This is a CLI-only feature. The following outlines the support:
IKE

- Support for configuring a phase1 with an IPv6 address for the remote gateway.
- Support for configuring a phase2 that uses IPv6 addresses in the selectors.
- Support for attaching a phase2 with IPv6 selectors to a phase1 with an IPv6 address (IPv6 over IPv6).
- Support for attaching a phase2 with IPv4 selectors to a phase1 with an IPv6 address (IPv4 over IPv6).
- Support for attaching a phase2 with IPv6 selectors to a phase1 with an IPv4 address (IPv6 over IPv4).
- Continued support for attaching a phase2 with IPv4 selectors to a phase1 with an IPv4 address (IPv4 over IPv4).

Manual Key

- Support for configuring a manual connection between two IPv6 addresses.

IPSec

- Support for encrypting IPv6 traffic and encapsulating it with an IPv6 tunnel mode ESP header.
- Support for encrypting IPv6 traffic and encapsulating it with an IPv4 tunnel mode ESP header.
- Support for encrypting IPv4 traffic and encapsulating it with an IPv6 tunnel mode ESP header.
- Continued support for encrypting IPv4 traffic and encapsulating it with an IPv4 tunnel mode ESP header.
- Support for decrypting an IPv6 ESP packet and forwarding the enclosed IPv4 or IPv6 packet.

Limitations

- IPv6-based IPSec sessions are not accelerated by the FortiASIC.
- Only interface-based IPv6 IPSec is supported; there is no support for policy-based IPv6 IPSec. Consequently, FortiAnalyzer IPSec connections cannot be IPv6, and FortiManager IPSec connections cannot be IPv6.
- FortiOS has no IPv6 DNS support, therefore there is no "type ddns" for IPv6 IPSec phase1.
- Support for DNS names in RSA certificates that resolve to IPv6 addresses.
- FortiOS does not support IPv6 addresses in a certificate. Specifically, the "cn-type" attribute in "config user peer" does not have an "ipv6" option, so it is not possible to validate certificates that use IPv6 addresses.
- There is no support for defining multiple IPv6 subnets in a phase2 selector; the "src-addr-type name" and "dst-addr-type name" attributes of a phase2 have not been extended to IPv6.
- FortiOS has no routing daemon support for IPv6.
- FortiOS has no IPv6 DHCP support, therefore DHCP over IPSec is not supported for IPv6.
- FortiOS has no IPv6 SNMP support.
- FortiOS has no support for IPv6 PPPoE, and thus no support for IPv6 IPSec over PPPoE exists.
- FortiOS has no support for IPv6 PPP for modem, and thus no support for IPv6 IPSec over modem exists.
- It is possible to specify an IPv6 address for an IPSec interface using "config ipv6" and specifying the "ip6-address". This allows a subnet to be defined, which may or may not work well with ZebOS if/when it supports IPv6. At that point it may require extending the ipv6 configuration to support defining a remote IPv6 address.
- FortiOS does not re-assemble fragmented IPv6 packets, regardless of whether IPSec is involved or not.

SSL-VPN Group Level Bookmarks

This convenient feature allows the FortiGate administrator to configure multiple bookmarks, add them to a group, and make the group available to SSL-VPN users. The bookmark group needs to be enabled, using the checkbox and pull-down menu in the User Group configuration, when an SSL-VPN type User Group is configured. When an SSL-VPN user logs in, the group of pre-defined bookmarks is available. Group bookmarks can be created for Web, Telnet, FTP, SMB, VNC, and RDP. Please look at the web UI screenshots below.
Once SSL-VPN Bookmark Groups are created, they must be assigned to the SSL-VPN User Group as shown here. After an SSL-VPN user connects to the FortiGate, SSL-VPN Bookmark Groups appear as shown below:
Hard Disk Upload to FortiAnalyzer

This CLI-only feature allows log files stored on the hard disk of the FortiGate to be uploaded to a FortiAnalyzer at a scheduled time, when the file is rolled, and according to other parameters.

    config log disk setting
        set upload-destination fortianalyzer
        set uploadip <IP address of FortiAnalyzer>
    end

In HA A-A mode, only the master's logs are uploaded, either to the hard disk or to FortiAnalyzer.