Monday, September 04, 2006

A few additional features in FortiOS 3.0 MR Release Candidate

There are a few additional features that I just discovered in addition to those described in a previous post.

  • Port for Telnet and SSH can be changed via WebUI. In addition you can enable SCP for secure file transfer
  • Addresses can be bound to specific interface
  • When configuring Operation Mode (NAT/Transparent) you can click a check box to use Asymmetric routing
  • You can group several VIPs with "VIP Group" option
  • Multicast configuration tab added to Dynamic Routing configuration

Sunday, September 03, 2006

FortiGate FortiOS 3.0 MR3 RC1 Build 388 (Maintenance Release 3, Release Candidate 1) is out

Fortinet just published FortiGate FortiOS 3.0 MR3 RC1 Build 388 (Maintenance Release 3, Release Candidate 1) on the support FTP.

Please be aware that this is an interim build: do not use it in a production environment unless technical support asks you to do it in order to resolve some specific issues.

What's new in this build:

  • Nice menu opening animation ;)
  • You can add "section headers" into your policy table in order to separate some blocks of policy, e.g. policies for a particular customer, policies for a specific server, etc. You can also select which columns to display and filter policies by any field.
  • You can easily specify multiple addresses or services in a policy without creating a group - to do it simply click "Multiple" button next to the appropriate combo box.
  • URL filtering now works not only for HTTP, but also for encrypted HTTPS
  • AntiVirus scanning now works for NNTP (Network News Transfer Protocol)
  • Most of the lists now support creating several separate lists and then attaching different lists to different policies (in previous builds of FortiOS 3.0 this was supported only starting from the FortiGate-800 model, now it is possible on all models): File Pattern Block List, URL Block Lists (Web Content Block, Web Content Exempt, URL Filter), Anti-Spam Block Lists (Banned Words, IP Address Black/White List, E-mail Address Black/White List)
  • Status Dashboard slightly reworked: small CLI Console added directly to a dashboard, you can expand it to a full window and edit colors by clicking small icons in top right corner; also number of administrators logged in is now shown in a "System Information" section, not on a bottom bar.
  • SSL VPN now supports VNC and RDC remote terminals via built-in Java client

Fortinet changes Release Management Process: Release Candidates are available now!

Starting from now Fortinet makes available "Candidate Release" builds of FortiOS software via support FTP site. If you are running Candidate Release you will immediately notice big "Candidate Release" banner on top of WebUI.

Warning: please be careful before installing Candidate Releases in a production environment; these builds are targeted at a lab environment. Please read the "Who should use these builds?" section below before installing one!

What is a Candidate Release?

A part of Fortinet's Release Management Process is to make available builds of product firmware (FortiOS, FortiAnalyzer, FortiManager, etc.) specifically for evaluation and feedback. Obtaining comments on how the firmware functions in a variety of environments is crucial to improving the quality. To that end, Fortinet releases preliminary builds, called "Candidate Releases", to its customers (external and internal) for the purpose of gaining insight on the quality of the firmware. This is done at various stages of the maintenance release test cycle. Starting with FortiOS v3.00 MR3, the Release Management Process has included adding a label at the top of the Web UI - "MRx Candidate y" - PD builds will have the label removed. B0388 has been qualified to the point where QA has approved it for release as CR and thus the label reads "MR3 Candidate 1".

Who should use these builds?

Fortinet encourages customers who need a certain bug fix or wish to test the latest software to load the build, verify its functionality, and provide us with feedback. However, Fortinet does not guarantee uninterrupted or error-free operation of the firmware; therefore, if your network is considered mission-critical and can not tolerate any risk, then MR3 Candidate1 is not recommended. You should wait for the official release of the firmware.

Wednesday, August 30, 2006

FortiAnalyzer 3.0 MR2 (Maintenance Release 2) Build Changed

Please be aware that on August 29th Fortinet silently updated the FortiAnalyzer 3.0 MR2 code. Build 364 has been removed from the support FTP and Build 365 put in its place.

It is strongly recommended to check which build you are running and, if you have Build 364 on your machine, update it to the newer Build 365, which is now the official MR2 build.

There is no exact information about Build change, probably some minor fixes.

Wednesday, August 16, 2006

FortiGate FortiOS 3.0 MR2 Build 318 (Maintenance Release 2) is out

Fortinet just released Maintenance Release 2 version of FortiOS 3.0 for all FortiGate devices. In addition to numerous bugs fixed it provides some new functionality:


  • Drag-and-drop policy reordering: While editing policies in Firewall->Policy you can simply grab a policy with a mouse and move it to a new location with a mouse. Simple and looks nice!
  • Drag-and-drop works also in Web Filter URL list
  • Columns button in a top right corner of policy list can be used to add/hide additional columns. For example you can add Protection Profile column and easily see Protection Profiles assigned to each policy
  • Authentication Keep-alive page is now being used after FortiGate authenticated the user to keep a session from timing out
  • Run-only configuration allows you to edit the configuration without saving it to the flash. This is extremely useful when experimenting with a remote box: if you lose the box due to an erroneous configuration, just ask someone to power-cycle it and the box will boot up with the old config. Don't forget to return to standard mode once you have finished configuring the box.
  • DHCP Renew and PPPoE Reconnect slightly reworked
  • Static ARP entries: when working in NAT mode you can statically bind ARP entries via CLI
  • FortiGuard status indicators redesigned for better representation of service availability
  • Changing default ports for TELNET and SSH: finally you can change ports for TELNET and SSH servers, this can be done via CLI only
  • Loopback Interface: you can use virtual Loopback interfaces for easier dynamic routing configuration or as a source for IPSec tunnel
  • Uninterruptible firmware upgrade in HA mode: cluster members upgrade themselves one by one without interrupting traffic!
  • Equal Cost Multi-Path Routes can be used to load-balance traffic between multiple interfaces on a per-session level
  • Enhanced H.323 support
  • Multiple IP Pools in a firewall policy can be configured via CLI to support noncontiguous pools
  • Log&Report part redesigned
  • When using FQDN based policies FortiGate actively queries DNS servers instead of monitoring passing DNS traffic

More information provided in Release Notes document

Thursday, August 03, 2006

Inbound Traffic Shaping per Interface

Traffic shaping prior to FortiOS v3.00 was performed on a per firewall policy basis. Starting from FortiOS 3.0 MR1 FortiGate supports limiting the amount of inbound traffic on an interface.

The CLI commands to enable inbound traffic shaping on an interface are:

  conf sys int
    edit port1
      set inbandwidth 99
  end

An inbandwidth value of zero (kilobytes per second) means unlimited - no inbound traffic shaping configured.

Tuesday, August 01, 2006

FortiClient 3.0 updated to MR1

Fortinet recently released a new build of FortiClient version 3.0. It is available for download now.