Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

Device detection label changes  6.2.1

In FortiOS 6.2.1, the device detection-related labels have been modified. This affects control parts, such as device-based firewall policies, captive portals, and access lists. The device discovery system uses new tagging and types.

GUI changes

  • When you create a firewall policy, the Device option is no longer available in the Source and Destination entry lists. The available options are: Address, User, and Internet Service.

  • In the User & Device menu, the Custom Devices & Groups option is no longer available.

Custom devices and device groups can now be configured as MAC addresses.

To configure a device or device group using the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New.
  3. Select Address or Address Group.
  4. For Type, select Device (MAC Address).

  5. Configure the other fields as needed.
  6. Click OK.

CLI changes

The following CLI commands have been removed:

config user device
config user device-access-list
config user device-category
config user device-group
config firewall policy
    edit 1
        set devices
    next
end
config firewall policy6
    edit 1
        set devices
    next
end

Device tagging and type

The device discovery system now uses the following tags and types:

  • Hardware vendor
  • Hardware version
  • Software OS
  • Software version
  • Type

As a result, the user device list diagnostic command output has changed:

(root) # diag user device list
hosts
  vd root/0  00:08:e3:ed:35:16  gen 12  req OUS/16
    created 2178s  gen 11  seen 17s  port1  gen 6
    ip 172.16.200.253  src cdp
    hardware vendor 'Cisco'  src cdp  id  60
    type 'Networking'  src cdp  id  60
    family 'Catalyst'  src cdp  id  60
    os 'IOS'  src cdp  id  60
    hardware version 'C2950'  src cdp  id  60
    software version '12.1(12c)EA1'  src cdp  id  60
    host 'SW8'  src cdp

Upgrading from FortiOS 6.0 to 6.2

Caution

All custom devices and device groups not being used in a firewall policy prior to upgrading will not be retained after upgrading.

In certain circumstances, custom devices and device groups can be upgraded.

To configure a device or device group after upgrading using the CLI:
config firewall policy
    edit 1
        set name "p1"
        set uuid 6eaeef92-7db1-51e9-4b73-6701d7749026
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "_upg_devgrp_grp1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
config firewall addrgrp
    edit "_upg_devgrp_grp1"
        set uuid 97274902-8887-51e9-ca99-732d3cb9adbe
        set member "_upg_dev_dev1@00:08:e3:ed:35:16"
        set visibility disable
    next   
end
config firewall address
    edit "_upg_dev_dev1@00:08:e3:ed:35:16"
        set uuid 97274b64-8887-51e9-7a02-2efee81068cb
        set type mac
        set start-mac 00:08:e3:ed:35:16
        set end-mac 00:08:e3:ed:35:16
        set visibility disable
    next
end

Device detection label changes  6.2.1

In FortiOS 6.2.1, the device detection-related labels have been modified. This affects control parts, such as device-based firewall policies, captive portals, and access lists. The device discovery system uses new tagging and types.

GUI changes

  • When you create a firewall policy, the Device option is no longer available in the Source and Destination entry lists. The available options are: Address, User, and Internet Service.

  • In the User & Device menu, the Custom Devices & Groups option is no longer available.

Custom devices and device groups can now be configured as MAC addresses.

To configure a device or device group using the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New.
  3. Select Address or Address Group.
  4. For Type, select Device (MAC Address).

  5. Configure the other fields as needed.
  6. Click OK.

CLI changes

The following CLI commands have been removed:

config user device
config user device-access-list
config user device-category
config user device-group
config firewall policy
    edit 1
        set devices
    next
end
config firewall policy6
    edit 1
        set devices
    next
end

Device tagging and type

The device discovery system now uses the following tags and types:

  • Hardware vendor
  • Hardware version
  • Software OS
  • Software version
  • Type

As a result, the user device list diagnostic command output has changed:

(root) # diag user device list
hosts
  vd root/0  00:08:e3:ed:35:16  gen 12  req OUS/16
    created 2178s  gen 11  seen 17s  port1  gen 6
    ip 172.16.200.253  src cdp
    hardware vendor 'Cisco'  src cdp  id  60
    type 'Networking'  src cdp  id  60
    family 'Catalyst'  src cdp  id  60
    os 'IOS'  src cdp  id  60
    hardware version 'C2950'  src cdp  id  60
    software version '12.1(12c)EA1'  src cdp  id  60
    host 'SW8'  src cdp

Upgrading from FortiOS 6.0 to 6.2

Caution

All custom devices and device groups not being used in a firewall policy prior to upgrading will not be retained after upgrading.

In certain circumstances, custom devices and device groups can be upgraded.

To configure a device or device group after upgrading using the CLI:
config firewall policy
    edit 1
        set name "p1"
        set uuid 6eaeef92-7db1-51e9-4b73-6701d7749026
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "_upg_devgrp_grp1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
config firewall addrgrp
    edit "_upg_devgrp_grp1"
        set uuid 97274902-8887-51e9-ca99-732d3cb9adbe
        set member "_upg_dev_dev1@00:08:e3:ed:35:16"
        set visibility disable
    next   
end
config firewall address
    edit "_upg_dev_dev1@00:08:e3:ed:35:16"
        set uuid 97274b64-8887-51e9-7a02-2efee81068cb
        set type mac
        set start-mac 00:08:e3:ed:35:16
        set end-mac 00:08:e3:ed:35:16
        set visibility disable
    next
end