Fortinet Document Library

Changes in CLI defaults

Anti-Spam

Rename spamfilter to emailfilter.

Previous releases:

config spamfilter bwl
end

config spamfilter profile
end

config firewall policy
   edit [Policy ID]
      set spamfilter-profile [Profile Name]
   next
end

6.2.1 release:

config emailfilter bwl
end

config emailfilter profile
end

config firewall policy
   edit [Policy ID]
      set emailfilter-profile [Profile Name]
   next
end

 

Data Leak Prevention

Rename DLP fp-sensitivity to sensitivity.

Previous releases:

config dlp fp-sensitivity
end

6.2.1 release:

config dlp sensitivity
end

 

Firewall

Rename utm-inspection-mode to inspection-mode under firewall policy.

Previous releases:

config firewall policy
   edit [Policy ID]
      set utm-inspection-mode [proxy | flow]
   next
end

6.2.1 release:

config firewall policy
   edit [Policy ID]
      set inspection-mode [proxy | flow]
   next
end

 

Add a new direction option to Internet service groups. Members are filtered according to the selected direction. The direction of a group cannot be changed after it is set.

Previous releases:

config firewall internet-service-group
   edit [Internet Service Group Name]
      set member 65537 65538
   next
end

6.2.1 release:

config firewall internet-service-group
   edit [Internet Service Group Name]
      set direction [source | destination | both]
      set member 65537 65538
   next
end

 

FortiView

The following FortiView CLI has been changed in this release.

Previous releases:

config system admin
 edit [User Name]
  config gui
   edit [Dashboard ID]
     config widget
       edit [Widget ID]
         set type fortiview
         set report-by source <==removed
         set timeframe realtime <==removed
         set sort-by "bytes" <==removed
         set visualization table <==removed
       next
     end
   next
  end
 next
end

6.2.1 release:

config system admin
 edit [User Name]
  config gui
   edit [Dashboard ID]
     config widget
       edit [Widget ID]
         set type fortiview
         set fortiview-type '' <==added
         set fortiview-sort-by '' <==added
         set fortiview-timeframe '' <==added
         set fortiview-visualization '' <==added
         set fortiview-device '' <==added
       next
     end
   next
  end
 next
end

 

HA

The CLI command for HA member management is changed.

Previous releases:

execute ha manage [ID]

6.2.1 release:

execute ha manage [ID] [admin-username]

 

Intrusion Prevention

Move the botnet scan option (scan-botnet-connections) from the interface and policy levels to the IPS profile.

Previous releases:

config system interface
   edit [Interface Name]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall policy
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall proxy-policy
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall interface-policy
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

config firewall sniffer
   edit [Policy ID]
      set scan-botnet-connections [disable | block | monitor]
   next
end

6.2.1 release:

config ips sensor
   edit [Sensor name]
      set scan-botnet-connections [disable | block | monitor]
   next
end

 

IPsec VPN

Add net-device option under static/DDNS tunnel configuration.

Previous releases:

config vpn ipsec phase1-interface
   edit [Tunnel Name]
      set type [static | ddns]
   next
end

6.2.1 release:

config vpn ipsec phase1-interface
   edit [Tunnel Name]
      set type [static | ddns]
      set net-device [enable | disable]
   next
end

 

Log & Report

Move the botnet-connection threat weight out of the malware sub-table to the top level of the log threat-weight configuration.

Previous releases:

config log threat-weight
   config malware
      set botnet-connection [critical | high | medium | low | disable]
   end
end

6.2.1 release:

config log threat-weight
   set botnet-connection [critical | high | medium | low | disable]
end

 


Add new certificate verification option under FortiAnalyzer setting.

Previous releases:

config log fortianalyzer setting
   set status enable
   set server [FortiAnalyzer IP address]
end

6.2.1 release:

config log fortianalyzer setting
   set status enable
   set server [FortiAnalyzer IP address]
   set certificate-verification [enable | disable]
   set serial [FortiAnalyzer Serial number]
   set access-config [enable | disable]
end

 

Proxy

Move SSH redirect option from firewall ssl-ssh-profile to firewall policy.

Previous releases:

config firewall ssl-ssh-profile
  edit [Profile Name]
    config ssh
      set ssh-policy-check [enable | disable]
    end
  next
end

6.2.1 release:

config firewall policy
  edit [Policy ID]
    set ssh-policy-redirect [enable | disable]
  next
end

 

Move HTTP redirect option from profile protocol option to firewall policy.

Previous releases:

config firewall profile-protocol-option
  edit [Profile Name]
    config http
      set http-policy [enable | disable]
    end
  next
end

6.2.1 release:

config firewall policy
  edit [Policy ID]
    set http-policy-redirect [enable | disable]
  next
end

 

Move the UTM inspection mode from the VDOM setting, AV profile, web filter profile, email filter profile, and DLP sensor to the firewall policy.

Previous releases:

config system setting
  set inspection-mode [proxy | flow]
end

config antivirus profile
  edit [Profile Name]
    set inspection-mode [proxy | flow-based]
  next
end

config webfilter profile
  edit [Profile Name]
    set inspection-mode [proxy | flow-based]
  next
end

config spamfilter profile
  edit [Profile Name]
    set flow-based [enable | disable]
  next
end

config dlp sensor
  edit [Sensor Name]
    set flow-based [enable | disable]
  next
end

6.2.1 release:

config firewall policy
  edit [Policy ID]
    set inspection-mode [flow | proxy]
  next
end

 

Routing

For compatibility with the API, the CLI command for OSPF MD5 is changed from a single line configuration to sub-table configuration.

Previous releases:

config router ospf
  config ospf-interface
    edit [Interface Entry Name]
      set interface [Interface]
      set authentication md5
      set md5-key [Key ID] [Key String Value]
    next
  end
end

6.2.1 release:

config router ospf
  config ospf-interface
    edit [Interface Entry Name]
      set interface [Interface]
      set authentication md5
      config md5-keys
        edit [Key ID]
          set key-string [Key String Value]
        next
      end
    next
  end
end
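The renames and relocations in the Anti-Spam, Data Leak Prevention, Firewall, Intrusion Prevention, Log & Report and Proxy sections above, together with the OSPF MD5 change here, are the commands an administrator has to locate in an existing configuration before moving it to 6.2.1. The Python script below is an added example, not Fortinet code: it parses the config/edit/set/next/end block structure of a FortiOS CLI export, reports each deprecated table or option with the 6.2.1 location given in these notes, and rewrites the single-line `set md5-key` into the new md5-keys sub-table. It assumes an export in the text form shown on this page; SAMPLE_CONFIG and the key string CONSTRUCTED-KEY are constructed for the demonstration, and the table of known renames covers only the changes listed in these notes.

```python
"""Offline check of a FortiOS CLI export against the 6.2.1 CLI renames.

Added example, not Fortinet code. Only the changes listed in the
6.2.1 release notes are known to it.
"""
import shlex

# (enclosing config tables, option) -> where the setting lives in 6.2.1;
# RENAMED_TABLES lists renamed top-level tables.
RENAMED_OPTIONS = {
    (("firewall policy",), "spamfilter-profile"): "set emailfilter-profile",
    (("firewall policy",), "utm-inspection-mode"): "set inspection-mode",
    (("firewall policy",), "scan-botnet-connections"): "config ips sensor",
    (("log threat-weight", "malware"), "botnet-connection"): "top level of config log threat-weight",
    (("firewall ssl-ssh-profile", "ssh"), "ssh-policy-check"): "firewall policy: set ssh-policy-redirect",
    (("firewall profile-protocol-option", "http"), "http-policy"): "firewall policy: set http-policy-redirect",
    (("system setting",), "inspection-mode"): "firewall policy: set inspection-mode",
    (("system virtual-wan-link", "service"), "internet-service-ctrl"): "set internet-service-app-ctrl",
    (("router ospf", "ospf-interface"), "md5-key"): "config md5-keys sub-table",
}
RENAMED_TABLES = {"spamfilter bwl": "emailfilter bwl",
                  "spamfilter profile": "emailfilter profile",
                  "dlp fp-sensitivity": "dlp sensitivity"}


def parse(config_text):
    """Yield (kind, path, name, values, lineno) for every `config` table opening
    and every `set` line; path is the tuple of enclosing config table names."""
    path = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = shlex.split(raw)  # honours the quoting FortiOS uses
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            yield "config", tuple(path), " ".join(args), [], lineno
            path.append(" ".join(args))
        elif kw == "end" and path:
            path.pop()
        elif kw == "set" and args:
            yield "set", tuple(path), args[0], args[1:], lineno


def find_deprecated(config_text):
    """Return (lineno, message) pairs, in file order, for each deprecated command."""
    findings = []
    for kind, path, name, _values, lineno in parse(config_text):
        if kind == "config" and name in RENAMED_TABLES:
            findings.append((lineno, f"config {name} -> config {RENAMED_TABLES[name]}"))
        elif kind == "set" and (path, name) in RENAMED_OPTIONS:
            findings.append((lineno, f"set {name} -> {RENAMED_OPTIONS[(path, name)]}"))
    return findings


def convert_ospf_md5(config_text):
    """Rewrite `set md5-key [ID] [string]` under config ospf-interface into the
    6.2.1 md5-keys sub-table; every other line is passed through unchanged."""
    out, path = [], []
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        kw = tokens[0] if tokens else ""
        if kw == "config":
            path.append(" ".join(tokens[1:]))
        elif kw == "end" and path:
            path.pop()
        if (kw == "set" and tuple(path) == ("router ospf", "ospf-interface")
                and tokens[1:2] == ["md5-key"] and len(tokens) == 4):
            indent = raw[: len(raw) - len(raw.lstrip())]
            # key string is re-quoted with plain double quotes (simplification)
            out += [f"{indent}config md5-keys", f"{indent}    edit {tokens[2]}",
                    f'{indent}        set key-string "{tokens[3]}"',
                    f"{indent}    next", f"{indent}end"]
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed pre-6.2.1 export fragment; CONSTRUCTED-KEY is a placeholder.
SAMPLE_CONFIG = """\
config dlp fp-sensitivity
end
config firewall policy
    edit 1
        set utm-inspection-mode flow
        set spamfilter-profile "default"
        set scan-botnet-connections block
    next
end
config log threat-weight
    config malware
        set botnet-connection critical
    end
end
config router ospf
    config ospf-interface
        edit "ospf-wan1"
            set md5-key 1 "CONSTRUCTED-KEY"
        next
    end
end
"""

if __name__ == "__main__":
    print(*find_deprecated(SAMPLE_CONFIG), convert_ospf_md5(SAMPLE_CONFIG), sep="\n")
```

Run against a real export, `find_deprecated` lists the line numbers to revisit and `convert_ospf_md5` produces the md5-keys sub-table form for every OSPF interface that still carries the single-line key. The converter only rewrites lines whose enclosing tables are exactly `router ospf` / `ospf-interface`, so an unrelated `md5-key` option elsewhere is left alone.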

 

The names internet-service-ctrl and internet-service-ctrl-group are changed to internet-service-app-ctrl and internet-service-app-ctrl-group to indicate that they use application control.

Previous releases:

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set internet-service enable
         set internet-service-ctrl [Application ID]
         set internet-service-ctrl-group [Group Name]
      next
   end
end

6.2.1 release:

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set internet-service enable
         set internet-service-app-ctrl [Application ID]
         set internet-service-app-ctrl-group [Group Name]
      next
   end
end

 

Add a cost to each SD-WAN member so that, in SLA mode in an SD-WAN rule, when all members meet their SLAs the selection is based on cost.

Previous releases:

config system virtual-wan-link
   config member
      edit [Sequence Number]
      next
   end
end

6.2.1 release:

config system virtual-wan-link
   config member
      edit [Sequence Number]
         set cost [Value]
      next
   end
end

 

Add a load-balance mode for SD-WAN rules. Traffic that matches such a rule is distributed according to the load-balancing algorithm.

Previous releases:

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set mode [auto | manual | priority | sla]
      next
   end
end

6.2.1 release:

config system virtual-wan-link
   config service
      edit [Priority Rule ID]
         set mode [auto | manual | priority | sla | load-balance]
      next
   end
end

 

Security Fabric

Add control to collect private or public IP address in SDN connectors.

Previous releases:

config firewall address
 edit [Address Name]
   set type dynamic
   set comment ''
   set visibility enable
   set associated-interface ''
   set sdn aws
   set filter "tag.Name=publicftp"
 next
end

6.2.1 release:

config firewall address
 edit [Address Name]
   set type dynamic
   set comment ''
   set visibility enable
   set associated-interface ''
   set sdn aws
   set filter "tag.Name=publicftp"
   set sdn-addr-type [private | public | all]
 next
end

 

Add generic support for integrating ET products (FortiADC, FortiMail, FortiWeb, FortiDDoS, FortiWLC) with Security Fabric.

Previous releases:

config system csf
  config fabric-device
    edit [Device Name]
       set device-ip [Device IP]
       set device-type fortimail
       set login [Login Name]
       set password [Login Password]
    next
  end
end

6.2.1 release:

config system csf
  config fabric-device
    edit [Device Name]
       set device-ip [Device IP]
       set https-port 443
       set access-token [Device Access Token]
    next
  end
end

 

Add support for multiple SDN connectors under dynamic firewall address.

Previous releases:

config firewall address
   edit [Address Name]
      set type dynamic
      set color 2
      set sdn azure
      set filter "location=NorthEurope"
   next
end

6.2.1 release:

config firewall address
   edit [Address Name]
      set type dynamic
      set color 2
      set sdn [SDN connector instance]
      set filter "location=NorthEurope"
   next
end

 

System

Add split VDOM mode configuration.

Previous releases:

config global
   set vdom-admin [enable | disable]
end

6.2.1 release:

config global
   set vdom-mode [no-vdom | split-vdom | multi-vdom]
end

 

WiFi Controller

Option changes for darrp.

Previous releases:

config wireless-controller timers
    set darrp-optimize 0
    set darrp-day monday      <==removed
    set darrp-time "12:00"    <==removed
end

6.2.1 release:

config wireless-controller timers
    set darrp-optimize-schedules "default-darrp-optimize" <==added
end

 

Option changes for wids-profile.

Previous releases:

config wireless-controller wids-profile
  edit "default"
    set ap-bgscan-disable-day monday  <==removed
    set ap-bgscan-disable-start 00:00 <==removed
    set ap-bgscan-disable-end 23:59   <==removed
  next
end

6.2.1 release:

config wireless-controller wids-profile
  edit "default"
    set ap-bgscan-disable-schedules "always" <==added
  next
end

 

New wfa-compatibility command for compatibility with previous WiFi specifications. This command only controls the minimum length of the pre-shared key (PSK) for WPA/WPA2-Personal SSIDs. When disabled, the PSK must contain 12 or more characters; when enabled, eight or more. The default is disable, which enforces the longer minimum.

Previous releases:

(none; new command)

6.2.1 release:

config wireless-controller setting
    set wfa-compatibility [enable | disable]
end

 

New command to enable or disable multi-user MIMO on "Wave 2" 802.11ac FAP units managed by FortiGate. The default is enable.

Previous releases:

(none; new command)

6.2.1 release:

config wireless-controller vap
    edit [VAP Name]
        set mu-mimo [enable | disable]
    next
end
