Security

This section introduces new security features in FortiOS 6.0.

FortiGuard virus outbreak prevention

FortiGuard virus outbreak prevention is an additional layer of protection that keeps your network safe from newly emerging malware. Quick virus outbreaks can infect a network before signatures can be developed to stop them. Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard.

For more information, see FortiGuard virus outbreak prevention.

FortiGuard content disarm and reconstruction

Content Disarm and Reconstruction (CDR) removes exploitable content and replaces it with content that's known to be safe. As files are processed through an enabled AntiVirus profile, content that's found to be malicious or unsafe is replaced with content that allows the traffic to continue, but doesn't put the recipient at risk.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols, such as HTTP web download, SMTP email send, and IMAP and POP3 email retrieval. MAPI isn't supported.

This feature works even if FortiSandbox is not configured, but only if you want to discard the original file. If FortiSandbox is configured and it responds that the file is clean, it passes the content unmodified.

For more information, see Content Disarm and Reconstruction (CDR).

Application groups for NGFW policies

When a FortiGate operates in NGFW policy mode, you can create application groups when you add NGFW policies. Then, when you add IPv4 or IPv6 policies you can create application groups to simplify policy creation.

For more information, see Application groups for NGFW policies.

Application control rule sequencing

To have more control over application control outcomes, you can control the order that application signatures appear in application control sensors. Signatures for applications that are more sensitive can appear higher in the list so they get matched first.

For more information, see Application control.

Threat Feeds (external dynamic block lists)

This feature introduces the ability to dynamically import external block lists from an HTTP server. You can use the block lists to enforce special security requirements that your organization has. These can include long-term policies to always block access to some websites, or short-term requirements to block access to known compromised locations. Since the lists are dynamically imported, any changes made to a list are instantly imported by FortiOS. Dynamic block lists can be added to:

  • Web Filter profiles and SSL inspection exemptions.
  • DNS Filter profiles and "Source/Destination" addresses in proxy policies.

In each profile, the administrator can configure multiple external block lists.

For more information, see Threat Feed Connectors.

FortiAP-S bridge mode security profiles

If you have enabled bridge mode for a managed FortiAP-S, you can add a UTM profile to the wireless controller configuration that allows you to apply the following security profile features to all traffic accepted by the managed FortiAP-S:

  • AntiVirus (including Botnet protection),
  • IPS,
  • Application control, and
  • Web Filtering.

For more information, see FortiAP-S bridge mode security profiles.
