Version 5.6.6 enhancements include adding FortiOS 5.6.6 to the FortiGate-7000 platform. This release also includes bug fixes and improvements and the following new features.
- Support for FortiOS 5.6.6 and most 5.6.6 features including FortiOS 5.6.6 GUI features.
- You can configure new Resource Usage dashboard widgets to show CPU use, log rate, memory use, session creation rate, and the number of active sessions for individual FIMs, the management plane, the data plane and the security fabric.
- The Security Fabric dashboard widget shows high level status and configuration information for all of the FPMs.
- The Sensor Information dashboard widget displays temperature information and allows you to drill down for information about individual temperature sensors.
- DP2 firmware upgrade
- VRRP support.
- The management VDOM is now named mgmt-vdom (was dmgmt-vdom).
- The diagnose sniffer packet command now shows the name of the FPM that processed the packet.
- You can now use the execute traceroute commands from an FIM CLI to an external destination.
- FIMs directly query LDAP/FSSO/RADIUS servers. These queries no longer have to go through the management VDOM.
- The Route Monitor displays accurate routing information.
- SNMP integration improvements including new MIBs.
- The following FortiOS 5.6.6 features are not supported:
  - Some IPsec VPN features
  - Policy learning mode
  - HA dedicated management interfaces
FortiOS 5.6.6 includes the following IPsec VPN improvements:
- Including a phase 2 selector is no longer mandatory.
- Dynamic routing (RIP, OSPF, BGP) is supported over IPsec VPN tunnels.
FortiOS 5.6.6 for FortiGate-7000 supports the following IPsec VPN features.
- Interface-based IPsec VPN (also called route-based IPsec VPN).
- Static routes can point to IPsec VPN interfaces.
- Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels.
- Remote networks with 16- to 32-bit netmasks.
- IPsec VPN tunnels must terminate on the primary FPM (the ELBC master).
- Site-to-Site IPsec VPN.
- Dialup IPsec VPN. The FortiGate-7000 can be the dialup server or client.
- IPv4 clear-text traffic (IPv4 over IPv4 or IPv4 over IPv6)
FortiOS 5.6.6 for FortiGate-7000 does not support the following IPsec VPN features.
- Policy-based IPsec VPN.
- Policy routes for VPN traffic.
- Remote networks with 0- to 15-bit netmasks.
- IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6).
- Load-balancing IPsec VPN tunnels to multiple FPMs.
- IPsec SA synchronization between both FortiGate-7000s in an HA configuration.
Configuring FortiGate-7000 HA has been simplified for FortiOS 5.6.6. To set up HA, you no longer have to configure HA settings for both of the FIMs in a FortiGate-7000. Instead, you configure HA settings on the primary FIM and this configuration is synchronized to the other FIM.
FortiGate-7000 HA is also configured and operates more like standard FGCP HA. The link failure threshold concept that was part of FortiGate-7000 for FortiOS 5.4 has been removed and board failover tolerance has been simplified. Primary unit selection has also been simplified to be more like FGCP primary unit selection.
FortiOS 5.6.6 also includes the following new features and changes:
- The System > HA GUI page now appears and can be used to configure most HA settings.
- You can configure HA interface monitoring (or port monitoring) to detect link failures.
- You can configure HA remote link failover (also called remote IP monitoring) to detect remote link failures using the following options:
  - Enable remote IP monitoring with the
  - Set the remote IP monitoring failover threshold with the
  - Force the cluster to negotiate after a remote IP monitoring failover with the
  - Adjust the time to wait in minutes before renegotiating after a remote IP monitoring failover with the
- You can use the get system ha status command to display HA status. The diagnose sys ha status command is no longer available.
- The diagnose sys ha force-slave-state command is no longer available. To force the primary FortiGate-7000 into a secondary (or slave) state you can use the diagnose sys ha reset-uptime command.
- The HA link-failure-threshold option has been removed.
- The board-failover-tolerance option has been simplified and determines how the cluster responds to failed FIMs.