Changes in CLI defaults
Anti-Spam
Rename `spamfilter` to `emailfilter`.

Previous releases:

```
config spamfilter bwl
end
config spamfilter profile
end
config firewall policy
    edit [Policy ID]
        set spamfilter-profile [Profile Name]
    next
end
```

6.2.0 release:

```
config emailfilter bwl
end
config emailfilter profile
end
config firewall policy
    edit [Policy ID]
        set emailfilter-profile [Profile Name]
    next
end
```
Data Leak Prevention
Rename DLP `fp-sensitivity` to `sensitivity`.

Previous releases:

```
config dlp fp-sensitivity
end
```

6.2.0 release:

```
config dlp sensitivity
end
```
Firewall
Rename `utm-inspection-mode` to `inspection-mode` under firewall policy.

Previous releases:

```
config firewall policy
    edit [Policy ID]
        set utm-inspection-mode [proxy | flow]
    next
end
```

6.2.0 release:

```
config firewall policy
    edit [Policy ID]
        set inspection-mode [proxy | flow]
    next
end
```
Add a new direction command to Internet service group. Members are filtered according to the direction selected. The direction of a group cannot be changed after it is set.
Previous releases:

```
config firewall internet-service-group
    edit [Internet Service Group Name]
        set member 65537 65538
    next
end
```

6.2.0 release:

```
config firewall internet-service-group
    edit [Internet Service Group Name]
        set direction [source | destination | both]
        set member 65537 65538
    next
end
```
FortiView
The following FortiView CLI has been changed in this release.
Previous releases:

```
config system admin
    edit [User Name]
        config gui
            edit [Dashboard ID]
                config widget
                    edit [Widget ID]
                        set type fortiview
                        set report-by source <- removed
                        set timeframe realtime <- removed
                        set sort-by "bytes" <- removed
                        set visualization table <- removed
                    next
                end
            next
        end
    next
end
```

6.2.0 release:

```
config system admin
    edit [User Name]
        config gui
            edit [Dashboard ID]
                config widget
                    edit [Widget ID]
                        set type fortiview
                        set fortiview-type '' <- added
                        set fortiview-sort-by '' <- added
                        set fortiview-timeframe '' <- added
                        set fortiview-visualization '' <- added
                        set fortiview-device '' <- added
                    next
                end
            next
        end
    next
end
```
HA
The CLI command for HA member management is changed.
Previous releases:

```
execute ha manage [ID]
```

6.2.0 release:

```
execute ha manage [ID] [admin-username]
```
Intrusion Prevention
Move Botnet configuration option from interface level and policy level to IPS profile.
Previous releases:

```
config system interface
    edit [Interface Name]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall policy
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall proxy-policy
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall interface-policy
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall sniffer
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
```

6.2.0 release:

```
config ips sensor
    edit [Sensor name]
        set scan-botnet-connections [disable | block | monitor]
    next
end
```
IPsec VPN
Add `net-device` option under static/DDNS tunnel configuration.

Previous releases:

```
config vpn ipsec phase1-interface
    edit [Tunnel Name]
        set type [static | ddns]
    next
end
```

6.2.0 release:

```
config vpn ipsec phase1-interface
    edit [Tunnel Name]
        set type [static | ddns]
        set net-device [enable | disable]
    next
end
```
Log & Report
Move `botnet-connection` detection from malware to log `threat-weight`.

Previous releases:

```
config log threat-weight
    config malware
        set botnet-connection [critical | high | medium | low | disable]
    end
end
```

6.2.0 release:

```
config log threat-weight
    set botnet-connection [critical | high | medium | low | disable]
end
```
Add new certificate verification option under FortiAnalyzer setting.
Previous releases:

```
config log fortianalyzer setting
    set status enable
    set server [FortiAnalyzer IP address]
end
```

6.2.0 release:

```
config log fortianalyzer setting
    set status enable
    set server [FortiAnalyzer IP address]
    set certificate-verification [enable | disable]
    set serial [FortiAnalyzer Serial number]
    set access-config [enable | disable]
end
```
Proxy
Move SSH redirect option from `firewall ssl-ssh-profile` to firewall policy.

Previous releases:

```
config firewall ssl-ssh-profile
    edit [Profile Name]
        config ssh
            set ssh-policy-check [enable | disable]
        end
    next
end
```

6.2.0 release:

```
config firewall policy
    edit [Policy ID]
        set ssh-policy-redirect [enable | disable]
    next
end
```
Move HTTP redirect option from profile protocol option to firewall policy.
Previous releases:

```
config firewall profile-protocol-option
    edit [Profile Name]
        config http
            set http-policy [enable | disable]
        end
    next
end
```

6.2.0 release:

```
config firewall policy
    edit [Policy ID]
        set http-policy-redirect [enable | disable]
    next
end
```
Move UTM inspection mode from VDOM setting/AV profile/webfilter profile/emailfilter profile/DLP sensor to firewall policy.
Previous releases:

```
config system setting
    set inspection-mode [proxy | flow]
end
config antivirus profile
    edit [Profile Name]
        set inspection-mode [proxy | flow-based]
    next
end
config webfilter profile
    edit [Profile Name]
        set inspection-mode [proxy | flow-based]
    next
end
config spamfilter profile
    edit [Profile Name]
        set flow-based [enable | disable]
    next
end
config dlp sensor
    edit [Sensor Name]
        set flow-based [enable | disable]
    next
end
```

6.2.0 release:

```
config firewall policy
    edit [Policy ID]
        set inspection-mode [flow | proxy]
    next
end
```
Routing
For compatibility with the API, the CLI command for OSPF MD5 is changed from a single line configuration to sub-table configuration.
Previous releases:

```
config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            set md5-key [Key ID] [Key String Value]
        next
    end
end
```

6.2.0 release:

```
config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            config md5-keys
                edit [Key ID]
                    set key-string [Key String Value]
                next
            end
        next
    end
end
```
The names `internet-service-ctrl` and `internet-service-ctrl-group` are changed to `internet-service-app-ctrl` and `internet-service-app-ctrl-group` to indicate that they use application control.

Previous releases:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set internet-service enable
            set internet-service-ctrl [Application ID]
            set internet-service-ctrl-group [Group Name]
        next
    end
end
```

6.2.0 release:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set internet-service enable
            set internet-service-app-ctrl [Application ID]
            set internet-service-app-ctrl-group [Group Name]
        next
    end
end
```
Add a cost for each SD-WAN member so that, in SLA mode in an SD-WAN rule, if SLAs are met for each member, the selection is based on the cost.

Previous releases:

```
config system virtual-wan-link
    config member
        edit [Sequence Number]
        next
    end
end
```

6.2.0 release:

```
config system virtual-wan-link
    config member
        edit [Sequence Number]
            set cost [Value]
        next
    end
end
```
Add a load-balance mode for SD-WAN rules. Traffic that matches such a rule should be distributed based on the LB algorithm.

Previous releases:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set mode [auto | manual | priority | sla]
        next
    end
end
```

6.2.0 release:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set mode [auto | manual | priority | sla | load-balance]
        next
    end
end
```
Security Fabric
Add control to collect private or public IP address in SDN connectors.
Previous releases:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set comment ''
        set visibility enable
        set associated-interface ''
        set sdn aws
        set filter "tag.Name=publicftp"
    next
end
```

6.2.0 release:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set comment ''
        set visibility enable
        set associated-interface ''
        set sdn aws
        set filter "tag.Name=publicftp"
        set sdn-addr-type [private | public | all]
    next
end
```
Add generic support for integrating ET products (FortiADC, FortiMail, FortiWeb, FortiDDoS, FortiWLC) with Security Fabric.
Previous releases:

```
config system csf
    config fabric-device
        edit [Device Name]
            set device-ip [Device IP]
            set device-type fortimail
            set login [Login Name]
            set password [Login Password]
        next
    end
end
```

6.2.0 release:

```
config system csf
    config fabric-device
        edit [Device Name]
            set device-ip [Device IP]
            set https-port 443
            set access-token [Device Access Token]
        next
    end
end
```
Add support for multiple SDN connectors under dynamic firewall address.
Previous releases:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set color 2
        set sdn azure
        set filter "location=NorthEurope"
    next
end
```

6.2.0 release:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set color 2
        set sdn [SDN connector instance]
        set filter "location=NorthEurope"
    next
end
```
System
Add split VDOM mode configuration.
Previous releases:

```
config global
    set vdom-admin [enable | disable]
end
```

6.2.0 release:

```
config global
    set vdom-mode [no-vdom | split-vdom | multi-vdom]
end
```
WiFi Controller
Remove `http` and `telnet` in `allowaccess` options under `wireless-controller wtp-profile` and `wireless-controller wtp`.

Previous releases:

```
config wireless-controller wtp-profile
    edit [WTP Profile Name]
        set allowaccess http | https | telnet | ssh
    next
end
config wireless-controller wtp
    edit [WTP ID]
        set override-allowaccess enable
        set allowaccess http | https | telnet | ssh
    next
end
```

6.2.0 release:

```
config wireless-controller wtp-profile
    edit [WTP Profile Name]
        set allowaccess https | ssh
    next
end
config wireless-controller wtp
    edit [WTP ID]
        set override-allowaccess enable
        set allowaccess https | ssh
    next
end
```
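
As an added example (not Fortinet's code), the following pre-upgrade check walks a backed-up pre-6.2.0 configuration and reports statements that this page lists as renamed, moved or removed. It tracks the enclosing `config` block, so `scan-botnet-connections` is flagged under an interface or policy but not under `config ips sensor`. The names `RULES`, `audit` and `SAMPLE` are this example's own, the rule table covers only a subset of the changes above, and the sample configuration is constructed with space-separated `allowaccess` values assumed.

```python
import re

# Subset of the 6.2.0 changes on this page: (config path regex, statement regex, advice).
RULES = [
    (r"", r"config spamfilter\b", "rename to 'config emailfilter'"),
    (r"^firewall policy$", r"set spamfilter-profile\b", "rename to 'set emailfilter-profile'"),
    (r"^firewall policy$", r"set utm-inspection-mode\b", "rename to 'set inspection-mode'"),
    (r"^(system interface|firewall (policy|proxy-policy|interface-policy|sniffer))$",
     r"set scan-botnet-connections\b", "set it under 'config ips sensor'"),
    (r"^(antivirus|webfilter) profile$", r"set inspection-mode\b", "set it under 'config firewall policy'"),
    (r"^wireless-controller wtp(-profile)?$", r"set allowaccess\b.*\b(http|telnet)\b",
     "http and telnet are no longer allowaccess options"),
]

def audit(config_text):
    """Return (line number, config path, statement, advice) per flagged statement."""
    stack, findings = [], []
    for number, raw in enumerate(config_text.splitlines(), 1):
        stmt = raw.strip()
        path = " > ".join(stack)  # nesting of 'config' blocks enclosing this line
        for path_re, stmt_re, advice in RULES:
            if re.search(path_re, path) and re.match(stmt_re, stmt):
                findings.append((number, path, stmt, advice))
        if stmt.startswith("config "):
            stack.append(stmt[len("config "):])
        elif stmt == "end" and stack:
            stack.pop()
    return findings

# Constructed pre-6.2.0 configuration fragment (not taken from a real device).
SAMPLE = """\
config system interface
    edit "wan1"
        set scan-botnet-connections block
    next
end
config firewall policy
    edit 1
        set utm-inspection-mode proxy
    next
end
config ips sensor
    edit "default"
        set scan-botnet-connections block
    next
end
"""

for number, path, stmt, advice in audit(SAMPLE):
    print(f"line {number}: [{path}] {stmt} -> {advice}")
```
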