Fortigate – FortiOS 6.2, some new settings

Fortinet released FortiOS 6.2 for Fortigate firewalls in March 2019. See the official what’s new document from Fortinet. I would like to highlight some nice new settings in this blog.

Before I get into the new settings, first things first. Fortinet released patch 6.2.1 on July 19, 2019 to fix a critical hole. What exactly was fixed is not known. Interestingly, even end-of-life FortiOS versions received the patch.

The screenshots used are from a Fortigate 60E with the UTM protection bundle. The bundle includes additional features such as web filtering, DNS filtering and application control.

Remember to always begin with a configuration backup. If you upgrade the firmware online from the WebGUI, the Fortigate will create one for you. I liked the configuration file: it uses an easy-to-understand syntax and is perfectly viewable in Notepad++. It is possible to make changes directly in the file and restore it. It is important to note, however, that a configuration file cannot be restored to another Fortigate model. For that you would need FortiConverter, a wonderful tool to convert your configuration to another model. It even converts configuration files from other firewall manufacturers. FortiConverter is free for conversions within the Fortigate family; to convert configuration files from other manufacturers you need to buy a license.

And now for a look at some of the nice new settings I mentioned earlier.

FortiView

A great new feature: almost all sub-menus let you drill down to more detailed information about a session by right-clicking. And that's not all. Various tabs like Sources or Destinations show more specific details. I found the Policy tab to be useful, since it shows which firewall policy allowed the session.

Automation


A very powerful way to run a CLI script on a schedule for certain tasks. For example, you could schedule a daily backup of the firewall configuration. The FortiOS event log is another new trigger: here you can select a log event and get notified by email.
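As an added example that is not from the original post, this is the CLI equivalent of such a daily backup stitch in FortiOS 6.2 syntax. The object names, the 02:00 schedule and the TFTP server 192.0.2.10 (a documentation address used as a placeholder) are my own assumptions; check the option names against the CLI reference for your build.

```text
# Added example (not from the original post): automation stitch that backs up
# the running configuration to a TFTP server every day at 02:00.
# Object names and the 192.0.2.10 placeholder are assumptions.

# Trigger: fires once a day at the given hour and minute
config system automation-trigger
    edit "daily-0200"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 2
        set trigger-minute 0
    next
end

# Action: a CLI script that writes the configuration to the TFTP server.
# TFTP is unencrypted, so keep the server on a management network you
# control; an optional trailing password argument encrypts the backup file.
config system automation-action
    edit "backup-to-tftp"
        set action-type cli-script
        set script "execute backup config tftp fgt-daily.conf 192.0.2.10"
    next
end

# Stitch: ties the trigger to the action
config system automation-stitch
    edit "daily-config-backup"
        set status enable
        set trigger "daily-0200"
        set action "backup-to-tftp"
    next
end
```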

Fabric Connector

The Fabric Connector under Security Fabric now has more choices. By adding vCenter or ESXi host(s) you are able to create objects from vCenter under Addresses. How cool is that! The address objects can also be used in firewall policies. VM network objects are available too. This connector simplifies things because you don't need to add objects manually by IP address.

Threat feeds, in the same list, are new too. You can add IP abuse lists found on the internet. The list is refreshed periodically, with a default of 5 minutes. No need to create an object in Addresses first. After that the IP addresses can also be used in a firewall policy. Simple enough, yet efficient.
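As an added example that is not from the original post, this is the CLI equivalent of adding such a feed and using it in a deny policy for outbound traffic, in FortiOS 6.2 syntax. The object names, the feed URL and the interface names internal and wan1 are my own assumptions.

```text
# Added example (not from the original post): external IP threat feed,
# refreshed every 5 minutes (the default), then referenced as the destination
# of a deny policy. Names, URL and interfaces are assumptions.

# The feed is a plain text list, one IPv4 address or CIDR per line
config system external-resource
    edit "abuse-ip-feed"
        set type address
        set resource "https://feed.example.invalid/ips.txt"
        set refresh-rate 5
    next
end

# Deny and log outbound connections to any address in the feed.
# Place this policy above the general outbound allow rule.
config firewall policy
    edit 0
        set name "block-threat-feed-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "abuse-ip-feed"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```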

Reputation


Here I can query any IP address to check its reputation and quickly obtain information about it. A very convenient new feature.

Internet Service Database

Fortigate added a new column called Reputation to rate different kinds of internet services. It is numbered from 1 to 5, with 1 being malware services, 2 being Tor or peer-to-peer, 3 being neutral and 4 being social media. The good thing is, it is possible to use this data in a firewall policy. By the way, every service that is not in the database has reputation 3, which is neutral. For example, allow traffic only to destinations with a minimum reputation of 3.

An example: set the minimum reputation to 3 and the direction to destination:

    set reputation-minimum 3
    set reputation-direction destination

Unfortunately you cannot use the GUI to configure a firewall policy with reputation data, so you will need to use the CLI. Go to the policy you want to change in the GUI, right-click and select "Edit in CLI". It's the best way to reach the CLI and see how the policy has been configured so far.

What does this mean in practical terms? All outgoing connections to destination addresses with a reputation below 3 will be blocked. Cool, isn't it? However, in the GUI the destination field remains blank. I hope Fortigate changes this in a future FortiOS release so that reputation can also be configured in the GUI.

Addresses

I would like to mention two new features. In the Interface menu there is a new field called "Create address object matching subnet". This might be useful in certain scenarios. In the Addresses menu there is a new type called "Device (MAC address)" with a scope of single or range. I could well imagine that this would be great for creating a device group and using it in a firewall policy.

Some other new changes:

  • Consolidated policy
    Combine IPv4 and IPv6 firewall rules into one rule. A time saver if you use both.
    Activate the new mode in the CLI.
  • Application control / Network Protocol Enforcement
    Make sure a port is used only for its specifically assigned service. For example, port 53 should not carry traffic other than DNS.
  • Inspection mode
    New feature to configure the inspection mode, flow-based or proxy-based, for each individual firewall policy. In earlier firmware the choice applied to the entire firewall. Could be helpful for some use cases.

FortiClient

Fortinet changed its licensing policy. FortiClient with endpoint security capability is no longer free. A new application called FortiClient VPN is available now, a free version with VPN functionality only. It provides only IPsec VPN and SSL VPN. This should not be a problem, as most likely you already have another solution in place for endpoint security.

FortiClient download page

I think FortiOS 6.2 has some nice new features that are not apparent at first glance. Sometimes you need to look closer to discover a change. This article describes some of the cool new features and is not meant to be comprehensive.
