Fortinet Document Library


Changes in CLI defaults

Anti-Spam

Rename spamfilter to emailfilter.

Previous releases

config spamfilter bwl
end

config spamfilter profile
end

config firewall policy
   edit [Policy ID]
      set spamfilter-profile [Profile Name]
   next
end

6.2.0 release

config emailfilter bwl
end

config emailfilter profile
end

config firewall policy
   edit [Policy ID]
      set emailfilter-profile [Profile Name]
   next
end

 

Data Leak Prevention

Rename DLP fp-sensitivity to sensitivity.

Previous releases

config dlp fp-sensitivity
end

6.2.0 release

config dlp sensitivity
end

 

Firewall

Rename utm-inspection-mode to inspection-mode under firewall policy.

Previous releases

config firewall policy
   edit [Policy ID]
      set utm-inspection-mode [proxy | flow]
   next
end

6.2.0 release

config firewall policy
   edit [Policy ID]
      set inspection-mode [proxy | flow]
   next
end

 

Add a direction setting to Internet service groups. The members offered for the group are filtered by the selected direction, and the direction cannot be changed once it has been set.

Previous releases

config firewall internet-service-group
   edit [Internet Service Group Name]
      set member 65537 65538
   next
end

6.2.0 release

config firewall internet-service-group
   edit [Internet Service Group Name]
      set direction [source | destination | both]
      set member 65537 65538
   next
end

 

FortiView

The FortiView widget settings under config system admin are replaced in this release: report-by, timeframe, sort-by and visualization are removed, and fortiview-prefixed equivalents plus a new fortiview-device setting are added.

Previous releases

config system admin
   edit [User Name]
      config gui
         edit [Dashboard ID]
            config widget
               edit [Widget ID]
                  set type fortiview
                  set report-by source <- removed
                  set timeframe realtime <- removed
                  set sort-by "bytes" <- removed
                  set visualization table <- removed
               next
            end
         next
      end
   next
end

6.2.0 release

config system admin
   edit [User Name]
      config gui
         edit [Dashboard ID]
            config widget
               edit [Widget ID]
                  set type fortiview
                  set fortiview-type '' <- added
                  set fortiview-sort-by '' <- added
                  set fortiview-timeframe '' <- added
                  set fortiview-visualization '' <- added
                  set fortiview-device '' <- added
               next
            end
         next
      end
   next
end

 

HA

The CLI command for managing an HA member now also takes the name of an administrator account on that member.

Previous releases

execute ha manage [ID]

6.2.0 release

execute ha manage [ID] [admin-username]

Intrusion Prevention

Move the botnet connection scanning option from the interface, firewall policy, proxy policy, interface policy and sniffer levels into the IPS sensor. Because the option now lives only in the IPS sensor, botnet scanning applies to a policy only through the sensor attached to it; policies that relied on the interface-level or policy-level setting need a sensor with scan-botnet-connections set to block or monitor.

Previous releases

config system interface
   edit [Interface Name]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall policy
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall proxy-policy
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall interface-policy
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall sniffer
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

6.2.0 release

config ips sensor
   edit [Sensor name]
      set scan-botnet-connections [disable | block | monitor]
   next
end

IPsec VPN

Add a net-device option to static and DDNS phase1-interface tunnels.

Previous releases

config vpn ipsec phase1-interface
   edit [Tunnel Name]
      set type [static | ddns]
   next
end

6.2.0 release

config vpn ipsec phase1-interface
   edit [Tunnel Name]
      set type [static | ddns]
      set net-device [enable | disable]
   next
end

Log & Report

Move the botnet-connection threat weight out of the malware sub-table to the top level of log threat-weight.

Previous releases

config log threat-weight
   config malware
      set botnet-connection [critical | high | medium | low | disable]
   end
end

6.2.0 release

config log threat-weight
   set botnet-connection [critical | high | medium | low | disable]
end


Add certificate-verification, serial and access-config options to the FortiAnalyzer setting. With certificate-verification enabled, the FortiGate checks the certificate the FortiAnalyzer presents, and serial records the serial number of the FortiAnalyzer it expects to talk to; with verification disabled, the TLS session does not authenticate the peer, so the log stream could be delivered to whatever answers at the configured address.

Previous releases

config log fortianalyzer setting
   set status enable
   set server [FortiAnalyzer IP address]
end

6.2.0 release

config log fortianalyzer setting
   set status enable
   set server [FortiAnalyzer IP address]
   set certificate-verification [enable | disable]
   set serial [FortiAnalyzer Serial number]
   set access-config [enable | disable]
end

Proxy

Move the SSH redirect option from the SSL/SSH profile to the firewall policy: ssh-policy-check in the profile's ssh section is replaced by ssh-policy-redirect on the policy.

Previous releases

config firewall ssl-ssh-profile
   edit [Profile Name]
      config ssh
         set ssh-policy-check [enable | disable]
      end
   next
end

6.2.0 release

config firewall policy
   edit [Policy ID]
      set ssh-policy-redirect [enable | disable]
   next
end

 

Move the HTTP redirect option from the protocol options profile to the firewall policy: http-policy in the profile's http section is replaced by http-policy-redirect on the policy.

Previous releases

config firewall profile-protocol-option
   edit [Profile Name]
      config http
         set http-policy [enable | disable]
      end
   next
end

6.2.0 release

config firewall policy
   edit [Policy ID]
      set http-policy-redirect [enable | disable]
   next
end

 

Inspection mode is now set per firewall policy. The VDOM-level inspection-mode under system setting, the inspection-mode of antivirus and web filter profiles, and the flow-based switch of spamfilter (now emailfilter) profiles and DLP sensors are removed.

Previous releases

config system setting
   set inspection-mode [proxy | flow]
end

config antivirus profile
   edit [Profile Name]
      set inspection-mode [proxy | flow-based]
   next
end

config webfilter profile
   edit [Profile Name]
      set inspection-mode [proxy | flow-based]
   next
end

config spamfilter profile
   edit [Profile Name]
      set flow-based [enable | disable]
   next
end

config dlp sensor
   edit [Sensor Name]
      set flow-based [enable | disable]
   next
end

6.2.0 release

config firewall policy
   edit [Policy ID]
      set inspection-mode [flow | proxy]
   next
end

 

Routing

For compatibility with the API, the OSPF interface MD5 key configuration changes from a single md5-key line to an md5-keys sub-table, with one entry per key ID holding its key-string.

Previous releases

config router ospf
   config ospf-interface
      edit [Interface Entry Name]
         set interface [Interface]
         set authentication md5
         set md5-key [Key ID] [Key String Value]
      next
   end
end

6.2.0 release

config router ospf
   config ospf-interface
      edit [Interface Entry Name]
         set interface [Interface]
         set authentication md5
         config md5-keys
            edit [Key ID]
               set key-string [Key String Value]
            next
         end
      next
   end
end

 

In SD-WAN service rules, internet-service-ctrl and internet-service-ctrl-group are renamed internet-service-app-ctrl and internet-service-app-ctrl-group to make clear that they match on application control.

Previous releases

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set internet-service enable
         set internet-service-ctrl [Application ID]
         set internet-service-ctrl-group [Group Name]
      next
   end
end

6.2.0 release

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set internet-service enable
         set internet-service-app-ctrl [Application ID]
         set internet-service-app-ctrl-group [Group Name]
      next
   end
end

 

Add a cost to each SD-WAN member. In SLA mode, when every member of a rule meets its SLA, the member with the lowest cost is selected.

Previous releases

config system virtual-wan-link
   config member
      edit [Sequence Number]
      next
   end
end

6.2.0 release

config system virtual-wan-link
   config member
      edit [Sequence Number]
         set cost [Value]
      next
   end
end

 

Add a load-balance mode to SD-WAN rules. Traffic that matches such a rule is distributed across the rule's members according to the configured load-balancing algorithm.

Previous releases

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set mode [auto | manual | priority | sla]
      next
   end
end

6.2.0 release

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set mode [auto | manual | priority | sla | load-balance]
      next
   end
end

 

Security Fabric

Add an sdn-addr-type option to dynamic firewall addresses so that an SDN connector collects only the private, only the public, or all IP addresses of the matched instances.

Previous releases

config firewall address
   edit [Address Name]
      set type dynamic
      set comment ''
      set visibility enable
      set associated-interface ''
      set sdn aws
      set filter "tag.Name=publicftp"
   next
end

6.2.0 release

config firewall address
   edit [Address Name]
      set type dynamic
      set comment ''
      set visibility enable
      set associated-interface ''
      set sdn aws
      set filter "tag.Name=publicftp"
      set sdn-addr-type [private | public | all]
   next
end

 

Add generic support for integrating further Fortinet products (FortiADC, FortiMail, FortiWeb, FortiDDoS, FortiWLC) with the Security Fabric. A fabric-device entry no longer stores a device type and an administrator login and password; it uses an HTTPS port and an access token issued by the device.

Previous releases

config system csf
   config fabric-device
      edit [Device Name]
         set device-ip [Device IP]
         set device-type fortimail
         set login [Login Name]
         set password [Login Password]
      next
   end
end

6.2.0 release

config system csf
   config fabric-device
      edit [Device Name]
         set device-ip [Device IP]
         set https-port 443
         set access-token [Device Access Token]
      next
   end
end

 

Add support for multiple SDN connectors: the sdn attribute of a dynamic firewall address now references a named SDN connector instance instead of a connector type such as azure.

Previous releases

config firewall address
   edit [Address Name]
      set type dynamic
      set color 2
      set sdn azure
      set filter "location=NorthEurope"
   next
end

6.2.0 release

config firewall address
   edit [Address Name]
      set type dynamic
      set color 2
      set sdn [SDN connector instance]
      set filter "location=NorthEurope"
   next
end

 

System

Add split VDOM mode: the vdom-admin enable/disable switch is replaced by vdom-mode, which selects no-vdom, split-vdom or multi-vdom.

Previous releases

config global
   set vdom-admin [enable | disable]
end

6.2.0 release

config global
   set vdom-mode [no-vdom | split-vdom | multi-vdom]
end

 

WiFi Controller

Remove http and telnet from the allowaccess options under wireless-controller wtp-profile and wireless-controller wtp, leaving https and ssh for management access to the access points. Both removed protocols carry management credentials in cleartext.

Previous releases

config wireless-controller wtp-profile
   edit [WTP Profile Name]
      set allowaccess http | https | telnet | ssh
   next
end

config wireless-controller wtp
   edit [WTP ID]
      set override-allowaccess enable
      set allowaccess http | https | telnet | ssh
   next
end

6.2.0 release

config wireless-controller wtp-profile
   edit [WTP Profile Name]
      set allowaccess https | ssh
   next
end

config wireless-controller wtp
   edit [WTP ID]
      set override-allowaccess enable
      set allowaccess https | ssh
   next
end
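
The changes above are mostly renames and relocations that an operator has to account for when a pre-6.2.0 configuration is restored or reviewed. The script below is an added example, not Fortinet code and not part of the original page. It walks a FortiGate config backup line by line, applies the mechanical renames listed on this page (spamfilter to emailfilter, fp-sensitivity to sensitivity, utm-inspection-mode to inspection-mode, the SD-WAN internet-service-ctrl names), converts the OSPF md5-key line into the md5-keys sub-table, strips http and telnet from WTP allowaccess lists, and reports rather than silently drops every setting that moved to a different object (scan-botnet-connections to the IPS sensor, inspection mode and flow-based to the firewall policy, the SSH and HTTP redirect flags to the policy, botnet-connection to the top level of log threat-weight). The sample backup, the regular expression for the config/edit/set/next/end grammar and the migrate() function are assumptions of this example; it does not claim to reproduce what the firmware's own upgrade logic does.

```python
import re

# Tables renamed outright: pre-6.2 path -> 6.2.0 path.
TABLE_RENAMES = {"spamfilter bwl": "emailfilter bwl", "spamfilter profile": "emailfilter profile",
                 "dlp fp-sensitivity": "dlp sensitivity"}
# Attributes renamed in place, keyed by (pre-6.2 table path, attribute).
ATTR_RENAMES = {("firewall policy", "spamfilter-profile"): "emailfilter-profile",
                ("firewall policy", "utm-inspection-mode"): "inspection-mode",
                ("system virtual-wan-link/service", "internet-service-ctrl"): "internet-service-app-ctrl",
                ("system virtual-wan-link/service", "internet-service-ctrl-group"): "internet-service-app-ctrl-group"}
# Attributes that no longer exist where they were: dropped from the output and reported, because
# the replacement is a different object the operator must create or attach, not a rename.
ATTR_MOVED = {("log threat-weight/malware", "botnet-connection"): "log threat-weight: botnet-connection",
              ("firewall ssl-ssh-profile/ssh", "ssh-policy-check"): "firewall policy: ssh-policy-redirect",
              ("firewall profile-protocol-option/http", "http-policy"): "firewall policy: http-policy-redirect"}
for _t in ("system interface", "firewall policy", "firewall proxy-policy", "firewall interface-policy",
           "firewall sniffer"):
    ATTR_MOVED[(_t, "scan-botnet-connections")] = "ips sensor: scan-botnet-connections"
for _t, _a in (("system setting", "inspection-mode"), ("antivirus profile", "inspection-mode"),
               ("webfilter profile", "inspection-mode"), ("spamfilter profile", "flow-based"),
               ("dlp sensor", "flow-based")):
    ATTR_MOVED[(_t, _a)] = "firewall policy: inspection-mode"
WTP_TABLES = {"wireless-controller wtp-profile", "wireless-controller wtp"}
REMOVED_ALLOWACCESS = {"http", "telnet"}      # cleartext AP management, removed in 6.2.0
OSPF_IFACE = "router ospf/ospf-interface"
# Assumed grammar of a backup: config/edit/set/next/end lines; anything else passes through.
LINE_RE = re.compile(r"^(\s*)(config|edit|set|next|end)\b\s*(.*?)\s*$")


def migrate(config_text):
    """Return (rewritten config, findings): renames applied silently, operator decisions reported."""
    out, findings, stack, md5_keys = [], [], [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:                                   # backup header, blank lines
            out.append(line)
            continue
        indent, kw, rest = m.groups()
        path = "/".join(stack)
        if kw == "config":
            stack.append(rest)                      # key on pre-6.2 names; rename only in output
            out.append(f"{indent}config {TABLE_RENAMES.get(rest, rest)}")
        elif kw == "end":
            stack.pop()
            out.append(line)
        elif kw == "next" and path == OSPF_IFACE and md5_keys:
            # Close the ospf-interface entry with the 6.2.0 md5-keys sub-table, one level deeper.
            inner = indent + "    "
            out.append(f"{inner}config md5-keys")
            for key_id, key_string in md5_keys:
                out += [f"{inner}    edit {key_id}", f"{inner}        set key-string {key_string}", f"{inner}    next"]
            out += [f"{inner}end", line]
            md5_keys.clear()
        elif kw == "set":
            attr, _, value = rest.partition(" ")
            if (path, attr) in ATTR_RENAMES:
                out.append(f"{indent}set {ATTR_RENAMES[(path, attr)]} {value}")
            elif (path, attr) in ATTR_MOVED:
                findings.append(f"line {lineno}: '{attr} {value}' removed from '{path}'; "
                                f"re-apply under {ATTR_MOVED[(path, attr)]}")
            elif path == OSPF_IFACE and attr == "md5-key":
                key_id, _, key_string = value.partition(" ")
                md5_keys.append((key_id, key_string))   # written out at the entry's `next`
            elif path in WTP_TABLES and attr == "allowaccess":
                kept = [v for v in value.split() if v not in REMOVED_ALLOWACCESS]
                dropped = sorted(set(value.split()) & REMOVED_ALLOWACCESS)
                if dropped:
                    findings.append(f"line {lineno}: allowaccess on '{path}' loses {' '.join(dropped)}")
                out.append(f"{indent}set allowaccess {' '.join(kept)}" if kept else f"{indent}unset allowaccess")
            else:
                out.append(line)
        else:                                       # edit, or a next with nothing pending
            out.append(line)
    return "\n".join(out), findings

# Constructed sample backup exercising each kind of change (not a real device config).
SAMPLE = """\
config spamfilter profile
    edit "mail-default"
        set flow-based enable
    next
end
config firewall policy
    edit 1
        set utm-inspection-mode proxy
        set spamfilter-profile "mail-default"
        set scan-botnet-connections block
    next
end
config router ospf
    config ospf-interface
        edit "ospf-port3"
            set authentication md5
            set md5-key 1 "s3cret"
        next
    end
end
config wireless-controller wtp-profile
    edit "FAP-default"
        set allowaccess http https telnet ssh
    next
end
"""
```

Run it over a backup before upgrading and treat each finding as a task: a policy that had scan-botnet-connections set to block, for instance, needs an IPS sensor carrying that setting attached to it, or the traffic it matches is no longer checked for botnet destinations. The rewritten text is a starting point to diff against the configuration the upgraded unit actually produces, not something to restore blindly.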
