Feature Brief. FortiGate(TM) Multi-Threat Security System v3.00 MR5, Rev. 1.1, July 20, 2007

N/A
N/A
Protected

Academic year: 2021

Share "Feature Brief. FortiGate TM Multi-Threat Security System v3.00 MR5 Rev. 1.1 July 20, 2007"

Copied!
8
0
0

Loading.... (view fulltext now)

Full text

(1)


Revision History

Revision  Change Description
1.0       Initial Release.
1.1       Removed section on Content Archive and AV Quarantine (Feature Modification).

Introduction

The FortiOS v3.00 MR5 release of the FortiGate Multi-Threat Security System introduces new features and enhancements. The following is a description of these changes.

Central Management Services

FortiOS v3.00 MR5 enhances the subscription-based services offered by FortiGuard. The new service is called Central Management Services and includes the following:

On-demand FortiOS image upgrade

Scheduled FortiOS image upgrade

Configuration file backup and restore with version control

The features are available, with a valid subscription, through the System > Admin page. The same features are also provided by FortiManager v3.00 MR5. Please look at the web UI screenshots below.

When the Account ID is applied, the Management Services field on the same page is updated with the user's subscription information.


The Account ID in this web UI page is updated automatically from the field in the System > Maintenance > FortiGuard Center page.

Interface Aliases

A name alias can be added to any physical interface. When configured, the alias is appended in parentheses to the interface name wherever it is displayed in the Web UI, such as the System > Network page and the Firewall > Policy page. Please look at the web UI screenshots below.


Disabling Maintainer User for Password Recovery

A CLI-only command has been added that allows the maintainer user to be disabled. Essentially, this means password recovery is disabled: the maintainer login, which is accepted only on the console port shortly after a reboot, is no longer available. The only way to recover a FortiGate with a lost admin password in this scenario is to load the firmware using the TFTP boot process, which also returns the configuration to factory defaults, so keep a current configuration backup off the unit before disabling the maintainer account. The CLI commands are shown below.

config sys global
    set admin-maintainer <enable | disable>
end

PKI Enhancements

Some additional enhancements to the FortiGate's PKI support have been implemented:

Creation of local certificates with multiple organisational unit (OU) fields. Up to five are allowed. This is supported in the Web UI, but the CLI only supports one OU.

Multiple PKI administrators.

Separate administrative server certificates from user server certificates.

HTTPS administrative access using PKI only. Upon receipt of an invalid client certificate, the Web UI displays a login failure page.


USB Memory Key

FortiOS firmware and configuration files can now be loaded from and saved to any manufacturer's external USB flash memory key. FortiGates can also be configured to automatically upgrade firmware and load a configuration stored on the key. Because the unit applies whatever firmware and configuration it finds on the key when this automatic mode is enabled, enable it only where physical access to the chassis is controlled.

Protection Profiles Per Virtual Domains

FortiOS v3.00 MR5 adds support for configuring firewall protection profiles on a per-virtual-domain basis. Each VDOM now has its own copy of protection profiles, which means protection profiles are neither shared nor visible across VDOMs.

Multicast Destination NAT in a PIM-SM Environment Support

The FortiGate now supports NAT of multicast streams; both the source address and the multicast destination address of a stream can be translated. When used in conjunction with PIM-SM, the FortiGate can translate externally received multicast destination addresses to multicast addresses that may be used internally in a private network. The feature can forward NAT'ed or non-NAT'ed multicast packets out of the same egress interface. A loopback interface is required to perform the translation in a PIM-SM environment. This feature can only be configured via the CLI.

Firewall Policy Authentication Enhancement

The authentication method has been enhanced for FortiOS v3.00 MR5. In previous releases, if two or more firewall policies had authentication configured, only the first one a user matched would actually prompt; the resulting authentication was then honoured by the others. For example:

policy ID 2: internal to DMZ, service = HTTP, authentication = ENABLED

policy ID 3: internal to DMZ, service = FTP, authentication = ENABLED

If HTTP traffic arrived at the internal port destined for an IP address on the DMZ, the FortiGate would prompt for authentication and, upon a successful attempt, allow the traffic through. When FTP traffic then arrived at the internal port destined for an IP address on the DMZ, the FortiGate would not prompt for authentication, because the lookup was based purely on source IP address. In FortiOS v3.00 MR5 the authentication lookup is based on source IP address and policy ID. In the example above, when the HTTP traffic arrives at the internal port the FortiGate creates an entry in the kernel that includes both the source IP address and the policy ID (2). When the FTP traffic arrives at the internal interface, the FortiGate looks up the source IP address together with policy ID 3, finds no entry, and prompts for authentication. The web UI screenshot below demonstrates the configuration of the two policies described above.
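The two lookups can be modelled directly. The following Python is an added example, not FortiOS code: it uses the two policies above, a constructed client address (10.1.1.5), and a set standing in for the kernel table, keyed on source IP for the pre-MR5 behaviour and on (source IP, policy ID) for MR5.

```python
"""Model of the firewall-policy authentication lookup before and after
FortiOS v3.00 MR5. Added illustration, not FortiOS code: the policies, the
client address and the sessions are constructed, and the kernel
authentication table is a set keyed on source IP (pre-MR5) or on
(source IP, policy ID) (MR5)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str
    dstintf: str
    service: str   # "HTTP", "FTP" or "ANY"
    auth: bool     # authentication enabled on the policy


@dataclass
class AuthTable:
    """Kernel table of authenticated sources."""
    per_policy: bool                  # False = pre-MR5 behaviour, True = MR5 behaviour
    entries: set = field(default_factory=set)

    def key(self, src_ip, policy):
        return (src_ip, policy.id) if self.per_policy else (src_ip,)

    def has(self, src_ip, policy):
        return self.key(src_ip, policy) in self.entries

    def add(self, src_ip, policy):
        self.entries.add(self.key(src_ip, policy))


# The two policies from the text (constructed for the example).
POLICIES = [
    Policy(2, "internal", "dmz", "HTTP", auth=True),
    Policy(3, "internal", "dmz", "FTP", auth=True),
]


def match_policy(policies, srcintf, dstintf, service):
    """First matching policy wins, as in an ordered policy list."""
    for p in policies:
        if p.srcintf == srcintf and p.dstintf == dstintf and p.service in (service, "ANY"):
            return p
    return None


def new_session(table, policies, src_ip, srcintf, dstintf, service, credentials_ok=True):
    """Decide what happens to one new session.

    Returns 'denied' (no policy, or failed login), 'allowed' (policy without
    auth, or a lookup hit in the kernel table) or 'authenticated' (the user was
    prompted, logged in successfully, and an entry was recorded).
    """
    policy = match_policy(policies, srcintf, dstintf, service)
    if policy is None:
        return "denied"
    if not policy.auth or table.has(src_ip, policy):
        return "allowed"
    if not credentials_ok:
        return "denied"
    table.add(src_ip, policy)
    return "authenticated"


def http_then_ftp(per_policy, src_ip="10.1.1.5"):
    """Replay the text's scenario: HTTP to the DMZ, then FTP to the DMZ from the same host."""
    table = AuthTable(per_policy)
    first = new_session(table, POLICIES, src_ip, "internal", "dmz", "HTTP")
    second = new_session(table, POLICIES, src_ip, "internal", "dmz", "FTP")
    return first, second


if __name__ == "__main__":
    print("pre-MR5 (source IP only):   ", http_then_ftp(per_policy=False))
    print("MR5 (source IP + policy ID):", http_then_ftp(per_policy=True))
```

With the pre-MR5 key the FTP session is let through on the strength of the HTTP login; with the MR5 key it is challenged again, which is the behaviour described above.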

IPv6 IPSec


IKE

Support for configuring a phase1 with an IPv6 address for the remote gateway.

Support for configuring a phase2 that uses IPv6 addresses in the selectors.

Support for attaching a phase2 with IPv6 selectors to a phase1 with an IPv6 address (IPv6 over IPv6).

Support for attaching a phase2 with IPv4 selectors to a phase1 with an IPv6 address (IPv4 over IPv6).

Support for attaching a phase2 with IPv6 selectors to a phase1 with an IPv4 address (IPv6 over IPv4).

Continue to support attaching a phase2 with IPv4 selectors to a phase1 with IPv4 address (IPv4 over IPv4).

Manual Key

Support for configuring a manual connection between two IPv6 addresses.

IPSec

Support for encrypting IPv6 traffic and encapsulating it with an IPv6 tunnel mode ESP header.

Support for encrypting IPv6 traffic and encapsulating it with an IPv4 tunnel mode ESP header.

Support for encrypting IPv4 traffic and encapsulating it with an IPv6 tunnel mode ESP header.

Continue to support encrypting IPv4 traffic and encapsulating it with an IPv4 tunnel mode ESP header.

Support for decrypting an IPv6 ESP packet and forwarding the enclosed IPv4 or IPv6 packet.

Limitations

IPv6 based IPSec sessions are not accelerated by the FortiASIC.

Only interface-based IPv6 IPSec is supported; there is no support for policy-based IPv6 IPSec. Consequently:

FortiAnalyzer IPSec connections cannot be IPv6.

FortiManager IPSec connections cannot be IPv6.

FortiOS has no IPv6 DNS support; therefore there is no "type ddns" for an IPv6 IPSec phase1.

Support for DNS names in RSA certificates that resolve to IPv6 addresses.

FortiOS does not support IPv6 addresses in a certificate. Specifically, the "cn-type" attribute in "config user peer" does not have an "ipv6" option, so it is not possible to validate certificates that use IPv6 addresses.

There is no support for defining multiple IPv6 subnets in a phase2 selector; the "src-addr-type name" and "dst-addr-type name" attributes of a phase2 have not been extended to IPv6.

FortiOS has no routing daemon support for IPv6.

FortiOS has no IPv6 DHCP support; therefore DHCP over IPSec is not supported for IPv6.

FortiOS has no IPv6 SNMP support.

FortiOS has no support for IPv6 PPPoE and thus no support for IPv6 IPSec over PPPoE exists.

FortiOS has no support for IPv6 PPP for modem and thus no support for IPv6 IPSec over modem exists.

It is possible to specify an IPv6 address for an IPSec interface using "config ipv6" and specifying the "ip6-address". This allows a subnet to be defined, which may or may not work well with ZebOS if/when it supports IPv6. At that point it may require extending the IPv6 configuration to support defining a remote IPv6 address.

FortiOS does not re-assemble fragmented IPv6 packets -- regardless of whether IPSec is involved or not.
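The encapsulation combinations listed above, and the fragmentation limitation, can be checked on the wire with a small parser. The following Python is an added example, not FortiOS code: it builds constructed tunnel-mode ESP packets with a NULL-encryption stand-in so that the ESP trailer's Next Header field (4 for an inner IPv4 packet, 41 for inner IPv6) is readable, then classifies each by outer and inner version and flags an outer IPv6 fragment, which this release does not reassemble. The addresses (documentation ranges), SPIs and inner packets are constructed; no ICV is produced or checked.

```python
"""Classify tunnel-mode ESP packets by outer and inner IP version (the four
combinations listed above) and flag outer IPv6 fragments, which FortiOS
v3.00 MR5 does not reassemble.

Added example, not FortiOS code. Packets are constructed here with a NULL
encryption stand-in, so the ESP trailer (Pad Length, Next Header) is readable;
no ICV is generated or checked and IPv4 header checksums are left zero.
"""
import struct

ESP, FRAG = 50, 44
IPV6_EXT_VARLEN = {0, 43, 60}   # hop-by-hop, routing, destination options


def ipv4_header(src, dst, proto, payload_len):
    # version/IHL, TOS, total length, ID, flags (DF) + offset, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0, src, dst)


def ipv6_header(src, dst, next_header, payload_len):
    # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


def esp_wrap(inner, spi, seq):
    """ESP header + inner packet + RFC 4303 trailer; Next Header 4 = IPv4, 41 = IPv6."""
    next_header = 4 if inner[0] >> 4 == 4 else 41
    padlen = (-(len(inner) + 2)) % 4            # Pad Length + Next Header must end 4-byte aligned
    trailer = bytes(range(1, padlen + 1)) + bytes([padlen, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer


def tunnel(outer_version, src, dst, inner, spi, seq, fragment=False):
    """Encapsulate inner in tunnel-mode ESP under an IPv4 or IPv6 outer header."""
    esp = esp_wrap(inner, spi, seq)
    if outer_version == 4:
        return ipv4_header(src, dst, ESP, len(esp)) + esp
    if fragment:  # first fragment (offset 0, M=1): a Fragment header sits before ESP
        frag = struct.pack("!BBHI", ESP, 0, 0x0001, 0xABCD)
        return ipv6_header(src, dst, FRAG, len(frag) + len(esp)) + frag + esp
    return ipv6_header(src, dst, ESP, len(esp)) + esp


def classify(pkt):
    """Return outer version, SPI, sequence number, fragmentation flag, inner version and combo."""
    version = pkt[0] >> 4
    fragmented = False
    if version == 4:
        off, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        flags_off = struct.unpack("!H", pkt[6:8])[0]
        fragmented = bool(flags_off & 0x2000) or (flags_off & 0x1FFF) != 0
    elif version == 6:
        off, proto = 40, pkt[6]
        while proto == FRAG or proto in IPV6_EXT_VARLEN:   # walk extension headers
            if proto == FRAG:
                fragmented = True
                proto, off = pkt[off], off + 8
            else:
                proto, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    else:
        raise ValueError("not an IP packet")
    if proto != ESP:
        raise ValueError(f"not ESP (protocol {proto})")
    spi, seq = struct.unpack("!II", pkt[off:off + 8])
    result = {"outer": version, "spi": spi, "seq": seq, "fragmented": fragmented,
              "inner": None, "combo": None}
    if fragmented:
        return result   # the trailer is in the last fragment; reassembly would be required
    next_header = pkt[-1]   # preceded by Pad Length at pkt[-2]
    result["inner"] = {4: 4, 41: 6}.get(next_header)
    if result["inner"]:
        result["combo"] = f"IPv{result['inner']} over IPv{version}"
    return result


# Constructed addresses and inner packets (documentation ranges, not real hosts).
O4A, O4B = bytes([203, 0, 113, 1]), bytes([203, 0, 113, 2])
O6A = bytes.fromhex("20010db8000000000000000000000001")
O6B = bytes.fromhex("20010db8000000000000000000000002")
INNER4 = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 17, 8) + bytes(8)   # UDP stand-in
INNER6 = ipv6_header(bytes.fromhex("fd000000000000000000000000000001"),
                     bytes.fromhex("fd000000000000000000000000000002"), 59, 0)      # no next header

if __name__ == "__main__":
    for label, pkt in [("IPv6 over IPv6", tunnel(6, O6A, O6B, INNER6, 0x1000, 1)),
                       ("IPv4 over IPv6", tunnel(6, O6A, O6B, INNER4, 0x1001, 1)),
                       ("IPv6 over IPv4", tunnel(4, O4A, O4B, INNER6, 0x1002, 1)),
                       ("IPv4 over IPv4", tunnel(4, O4A, O4B, INNER4, 0x1003, 1)),
                       ("fragmented outer IPv6", tunnel(6, O6A, O6B, INNER6, 0x1004, 1, fragment=True))]:
        print(f"{label:<22} -> {classify(pkt)}")
```

On a real capture the inner version is only known after decryption; the SPI, sequence number and fragmentation flag are what a device in the path can see, and the fragmented case shows why a fragment arriving at a FortiGate of this release cannot be decrypted.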

SSL-VPN Group Level Bookmarks

This convenient feature allows the FortiGate administrator to configure multiple bookmarks, add them to a group, and make the group available to SSL-VPN users. The bookmark group needs to be enabled, using the checkbox and pull-down menu, in the User Group configuration when an SSL VPN type User Group is configured. When an SSL-VPN user logs in, the group of pre-defined bookmarks is available. Group bookmarks can be created for Web, Telnet, FTP, SMB, VNC, and RDP. Please look at the web UI screenshots below.


Once SSL-VPN Bookmark Groups are created, they must be assigned to the SSL-VPN User Group as shown here.


Hard Disk Upload to FortiAnalyzer

This CLI-only feature allows log files stored on the FortiGate's hard disk to be uploaded to a FortiAnalyzer at a scheduled time, when a log file rolls over, or according to other parameters. The minimum CLI configuration is shown below.

config log disk setting
    set upload-destination fortianalyzer
    set uploadip <IP address of FortiAnalyzer>
end
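Both CLI-only settings (the admin-maintainer setting under config system global above, and the disk log upload settings here) are easy to miss when reviewing a configuration backup. The following Python is an added example, not Fortinet code: it parses the config/edit/set/next/end block structure of a FortiOS backup and reports both settings. The backup text is constructed for the example (hostname, addresses and the policy entries are placeholders), and it assumes, as the text above implies, that the maintainer account is enabled when the line is absent.

```python
"""Audit a FortiOS 3.0-style configuration backup for two CLI-only settings
covered in this brief: 'admin-maintainer' under 'config system global' and the
FortiAnalyzer upload settings under 'config log disk setting'.

Added example, not Fortinet code. SAMPLE_CONFIG is constructed for the example;
pass the text of a real backup to parse_fortios() and audit() instead.
"""
import shlex

SAMPLE_CONFIG = """\
#config-version=FGT60-3.00-FW-build726-070718
config system global
    set admin-maintainer enable
    set hostname "edge-fw"
end
config log disk setting
    set status enable
    set upload enable
    set upload-destination fortianalyzer
    set uploadip 10.10.1.20
end
config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "dmz"
        set service "HTTP"
        set groups "dmz-users"
    next
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set service "FTP"
        set groups "dmz-users"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS config syntax into nested dicts.

    'config a b' opens a table keyed "a b", 'edit X' opens entry X in the current
    table, 'set k v ...' stores v (values joined by spaces, quotes removed) in the
    current scope, 'next' closes an entry and 'end' closes a table. Comments,
    blank lines and keywords not needed for the audit (e.g. 'unset') are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0], parts[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit(cfg):
    """Return [(setting, value, finding), ...] for the two checks."""
    findings = []
    # Assumption: the maintainer account is enabled unless explicitly disabled.
    maintainer = cfg.get("system global", {}).get("admin-maintainer", "enable")
    if maintainer == "enable":
        note = "console password recovery via the maintainer account is possible"
    else:
        note = "password recovery disabled; a lost admin password means a TFTP firmware reload"
    findings.append(("admin-maintainer", maintainer, note))

    disk = cfg.get("log disk setting", {})
    dest, ip = disk.get("upload-destination"), disk.get("uploadip")
    if dest == "fortianalyzer" and ip:
        findings.append(("upload-destination", dest, f"disk logs are uploaded to FortiAnalyzer {ip}"))
    else:
        findings.append(("upload-destination", dest or "unset", "disk logs are not uploaded to a FortiAnalyzer"))
    return findings


if __name__ == "__main__":
    for setting, value, finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{setting:<20} {value:<14} {finding}")
```

The parser keeps the whole backup, so the same pass can be extended to other per-VDOM or per-policy checks (for example, which policies carry authentication groups) without a second parse.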
