Changes in CLI defaults
Anti-Spam
Rename spamfilter to emailfilter.

Previous releases:

```
config spamfilter bwl
end
config spamfilter profile
end
config firewall policy
    edit [Policy ID]
        set spamfilter-profile [Profile Name]
    next
end
```

6.2.1 release:

```
config emailfilter bwl
end
config emailfilter profile
end
config firewall policy
    edit [Policy ID]
        set emailfilter-profile [Profile Name]
    next
end
```
Data Leak Prevention
Rename DLP fp-sensitivity to sensitivity.

Previous releases:

```
config dlp fp-sensitivity
end
```

6.2.1 release:

```
config dlp sensitivity
end
```
Firewall
Rename utm-inspection-mode to inspection-mode under firewall policy.

Previous releases:

```
config firewall policy
    edit [Policy ID]
        set utm-inspection-mode [proxy | flow]
    next
end
```

6.2.1 release:

```
config firewall policy
    edit [Policy ID]
        set inspection-mode [proxy | flow]
    next
end
```
Add a direction option to Internet Service groups. Members are filtered according to the selected direction. The direction of a group cannot be changed after it is set, so pick it when the group is created.

Previous releases:

```
config firewall internet-service-group
    edit [Internet Service Group Name]
        set member 65537 65538
    next
end
```

6.2.1 release:

```
config firewall internet-service-group
    edit [Internet Service Group Name]
        set direction [source | destination | both]
        set member 65537 65538
    next
end
```
FortiView
The FortiView widget settings under config system admin have changed in this release: the generic report-by, timeframe, sort-by and visualization options are removed and replaced by fortiview-prefixed options.

Previous releases:

```
config system admin
    edit [User Name]
        config gui
            edit [Dashboard ID]
                config widget
                    edit [Widget ID]
                        set type fortiview
                        set report-by source        <== removed
                        set timeframe realtime      <== removed
                        set sort-by "bytes"         <== removed
                        set visualization table     <== removed
                    next
                end
            next
        end
    next
end
```

6.2.1 release:

```
config system admin
    edit [User Name]
        config gui
            edit [Dashboard ID]
                config widget
                    edit [Widget ID]
                        set type fortiview
                        set fortiview-type ''            <== added
                        set fortiview-sort-by ''         <== added
                        set fortiview-timeframe ''       <== added
                        set fortiview-visualization ''   <== added
                        set fortiview-device ''          <== added
                    next
                end
            next
        end
    next
end
```
HA
The CLI command for managing an HA member now also takes the administrator user name to log in to that member with.

Previous releases:

```
execute ha manage [ID]
```

6.2.1 release:

```
execute ha manage [ID] [admin-username]
```
Intrusion Prevention
Move the botnet connection scanning option from the interface and policy levels to the IPS sensor (config ips sensor). Existing scan-botnet-connections settings on interfaces, firewall policies, proxy policies, interface policies and sniffer policies have to be re-created in the IPS sensor applied by the policy.

Previous releases:

```
config system interface
    edit [Interface Name]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall policy
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall proxy-policy
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall interface-policy
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
config firewall sniffer
    edit [Policy ID]
        set scan-botnet-connections [disable | block | monitor]
    next
end
```

6.2.1 release:

```
config ips sensor
    edit [Sensor name]
        set scan-botnet-connections [disable | block | monitor]
    next
end
```
IPsec VPN
Add a net-device option under static and DDNS tunnel configuration.

Previous releases:

```
config vpn ipsec phase1-interface
    edit [Tunnel Name]
        set type [static | ddns]
    next
end
```

6.2.1 release:

```
config vpn ipsec phase1-interface
    edit [Tunnel Name]
        set type [static | ddns]
        set net-device [enable | disable]
    next
end
```
Log & Report
Move botnet-connection detection from the malware sub-table to the top level of log threat-weight.

Previous releases:

```
config log threat-weight
    config malware
        set botnet-connection [critical | high | medium | low | disable]
    end
end
```

6.2.1 release:

```
config log threat-weight
    set botnet-connection [critical | high | medium | low | disable]
end
```
Add a certificate verification option under the FortiAnalyzer setting, together with the FortiAnalyzer serial number and an access-config option. Enabling certificate-verification lets the FortiGate validate the FortiAnalyzer's certificate before it forwards logs.

Previous releases:

```
config log fortianalyzer setting
    set status enable
    set server [FortiAnalyzer IP address]
end
```

6.2.1 release:

```
config log fortianalyzer setting
    set status enable
    set server [FortiAnalyzer IP address]
    set certificate-verification [enable | disable]
    set serial [FortiAnalyzer Serial number]
    set access-config [enable | disable]
end
```
Proxy
Move the SSH redirect option from firewall ssl-ssh-profile to firewall policy.

Previous releases:

```
config firewall ssl-ssh-profile
    edit [Profile Name]
        config ssh
            set ssh-policy-check [enable | disable]
        end
    next
end
```

6.2.1 release:

```
config firewall policy
    edit [Policy ID]
        set ssh-policy-redirect [enable | disable]
    next
end
```
Move the HTTP redirect option from the profile protocol options to firewall policy.

Previous releases:

```
config firewall profile-protocol-option
    edit [Profile Name]
        config http
            set http-policy [enable | disable]
        end
    next
end
```

6.2.1 release:

```
config firewall policy
    edit [Policy ID]
        set http-policy-redirect [enable | disable]
    next
end
```
Move the UTM inspection mode from the VDOM setting, antivirus profile, web filter profile, email filter profile and DLP sensor to the firewall policy. Inspection mode is now chosen per policy rather than per VDOM or per profile.

Previous releases:

```
config system setting
    set inspection-mode [proxy | flow]
end
config antivirus profile
    edit [Profile Name]
        set inspection-mode [proxy | flow-based]
    next
end
config webfilter profile
    edit [Profile Name]
        set inspection-mode [proxy | flow-based]
    next
end
config spamfilter profile
    edit [Profile Name]
        set flow-based [enable | disable]
    next
end
config dlp sensor
    edit [Sensor Name]
        set flow-based [enable | disable]
    next
end
```

6.2.1 release:

```
config firewall policy
    edit [Policy ID]
        set inspection-mode [flow | proxy]
    next
end
```
Routing
For compatibility with the API, the CLI command for OSPF MD5 authentication is changed from a single-line setting to a sub-table.

Previous releases:

```
config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            set md5-key [Key ID] [Key String Value]
        next
    end
end
```

6.2.1 release:

```
config router ospf
    config ospf-interface
        edit [Interface Entry Name]
            set interface [Interface]
            set authentication md5
            config md5-keys
                edit [Key ID]
                    set key-string [Key String Value]
                next
            end
        next
    end
end
```
The names internet-service-ctrl and internet-service-ctrl-group are changed to internet-service-app-ctrl and internet-service-app-ctrl-group, to make clear that they refer to application control.

Previous releases:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set internet-service enable
            set internet-service-ctrl [Application ID]
            set internet-service-ctrl-group [Group Name]
        next
    end
end
```

6.2.1 release:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set internet-service enable
            set internet-service-app-ctrl [Application ID]
            set internet-service-app-ctrl-group [Group Name]
        next
    end
end
```
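A config backup taken before the upgrade still uses the old syntax for every rename and move listed above (spamfilter, dlp fp-sensitivity, utm-inspection-mode, scan-botnet-connections, the OSPF md5-key line and the SD-WAN internet-service-ctrl options). The script below is an added example, not Fortinet code: it rewrites the plain renames in place, turns each `set md5-key` inside an ospf-interface entry into the 6.2.1 `config md5-keys` sub-table, and drops `scan-botnet-connections` from the tables that no longer accept it while reporting it, because its new home (config ips sensor) is a different table that has to be edited by hand. The sample input is constructed; the application ID in it is a placeholder.

```python
"""Rewrite a pre-6.2.1 FortiOS config fragment for the CLI changes on this page.
Added example, not Fortinet code. The SAMPLE_60 input below is constructed."""
import re

# Straight renames from this page as (pattern, replacement). The group entry
# comes first so that "internet-service-ctrl" does not also rewrite
# "internet-service-ctrl-group"; the lookahead guards the same case.
RENAMES = [
    (r"^(\s*)config spamfilter (bwl|profile)\b", r"\1config emailfilter \2"),
    (r"^(\s*)set spamfilter-profile\b", r"\1set emailfilter-profile"),
    (r"^(\s*)config dlp fp-sensitivity\b", r"\1config dlp sensitivity"),
    (r"^(\s*)set utm-inspection-mode\b", r"\1set inspection-mode"),
    (r"^(\s*)set internet-service-ctrl-group\b", r"\1set internet-service-app-ctrl-group"),
    (r"^(\s*)set internet-service-ctrl(?![\w-])", r"\1set internet-service-app-ctrl"),
]

# "set md5-key <id> <string>" inside an ospf-interface entry -> config md5-keys
MD5_KEY = re.compile(r"^(\s*)set md5-key (\d+) (.+)$")


def migrate(old_text):
    """Return (new_text, notes). notes records every rewrite and everything
    that still needs a human (the scan-botnet-connections moves)."""
    out, notes, pending_md5, ctx = [], [], [], []
    for lineno, line in enumerate(old_text.splitlines(), 1):
        stripped = line.strip()
        # Track the enclosing "config ..." tables so the checks are context aware.
        if stripped.startswith("config "):
            ctx.append(stripped[len("config "):])
        elif stripped == "end" and ctx:
            ctx.pop()
        m = MD5_KEY.match(line)
        if m and ctx and ctx[-1] == "ospf-interface":
            pending_md5.append(m.groups())  # emitted when the entry closes
            continue
        if stripped == "next" and pending_md5:
            indent = pending_md5[0][0]
            out.append(f"{indent}config md5-keys")
            for _, key_id, key_string in pending_md5:
                out.append(f"{indent}    edit {key_id}")
                out.append(f"{indent}        set key-string {key_string}")
                out.append(f"{indent}    next")
            out.append(f"{indent}end")
            notes.append(f"line {lineno}: md5-key rewritten as config md5-keys sub-table")
            pending_md5 = []
        # scan-botnet-connections only survives under config ips sensor in 6.2.1.
        if stripped.startswith("set scan-botnet-connections ") and (not ctx or ctx[-1] != "ips sensor"):
            notes.append(f"line {lineno}: '{stripped}' removed; set it under config ips sensor instead")
            continue
        for pattern, repl in RENAMES:
            line, n = re.subn(pattern, repl, line)
            if n:
                notes.append(f"line {lineno}: renamed to '{line.strip()}'")
        out.append(line)
    return "\n".join(out) + "\n", notes


# Constructed 6.0-style fragment exercising each rewrite above (placeholder IDs).
SAMPLE_60 = """\
config firewall policy
    edit 1
        set utm-inspection-mode proxy
        set spamfilter-profile "default"
        set scan-botnet-connections block
    next
end
config router ospf
    config ospf-interface
        edit "lan"
            set interface "port2"
            set authentication md5
            set md5-key 1 "s3cret-key"
        next
    end
end
config system virtual-wan-link
    config service
        edit 1
            set internet-service enable
            set internet-service-ctrl 16777216
            set internet-service-ctrl-group "apps"
        next
    end
end
"""

if __name__ == "__main__":
    new_text, notes = migrate(SAMPLE_60)
    print(new_text)
    print("\n".join(notes))
```

Run it over a backup and review the notes before restoring the result: the renames are mechanical, but every dropped scan-botnet-connections line means an IPS sensor must be created or edited and attached to the affected policy, otherwise the botnet check silently disappears from that policy.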
Add a cost to each SD-WAN member so that, for an SD-WAN rule in SLA mode, when every member meets its SLA the member is selected by cost.

Previous releases:

```
config system virtual-wan-link
    config member
        edit [Sequence Number]
        next
    end
end
```

6.2.1 release:

```
config system virtual-wan-link
    config member
        edit [Sequence Number]
            set cost [Value]
        next
    end
end
```
Add a load-balance mode for SD-WAN rules. Traffic that matches such a rule is distributed across the members according to the load-balancing algorithm.

Previous releases:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set mode [auto | manual | priority | sla]
        next
    end
end
```

6.2.1 release:

```
config system virtual-wan-link
    config service
        edit [Priority Rule ID]
            set mode [auto | manual | priority | sla | load-balance]
        next
    end
end
```
Security Fabric
Add a control that selects whether private, public, or all IP addresses are collected from an SDN connector for a dynamic address.

Previous releases:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set comment ''
        set visibility enable
        set associated-interface ''
        set sdn aws
        set filter "tag.Name=publicftp"
    next
end
```

6.2.1 release:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set comment ''
        set visibility enable
        set associated-interface ''
        set sdn aws
        set filter "tag.Name=publicftp"
        set sdn-addr-type [private | public | all]
    next
end
```
Add generic support for integrating ET products (FortiADC, FortiMail, FortiWeb, FortiDDoS, FortiWLC) with the Security Fabric. The per-product device-type and the login name and password are replaced by an HTTPS port and an access token issued by the device.

Previous releases:

```
config system csf
    config fabric-device
        edit [Device Name]
            set device-ip [Device IP]
            set device-type fortimail
            set login [Login Name]
            set password [Login Password]
        next
    end
end
```

6.2.1 release:

```
config system csf
    config fabric-device
        edit [Device Name]
            set device-ip [Device IP]
            set https-port 443
            set access-token [Device Access Token]
        next
    end
end
```
Add support for multiple SDN connectors under dynamic firewall addresses: the sdn option now names a connector instance instead of a connector type.

Previous releases:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set color 2
        set sdn azure
        set filter "location=NorthEurope"
    next
end
```

6.2.1 release:

```
config firewall address
    edit [Address Name]
        set type dynamic
        set color 2
        set sdn [SDN connector instance]
        set filter "location=NorthEurope"
    next
end
```
System
Add split VDOM mode. The vdom-admin enable/disable switch is replaced by a three-way vdom-mode setting.

Previous releases:

```
config global
    set vdom-admin [enable | disable]
end
```

6.2.1 release:

```
config global
    set vdom-mode [no-vdom | split-vdom | multi-vdom]
end
```
WiFi Controller
Option changes for DARRP: the fixed day and time are replaced by a schedule reference.

Previous releases:

```
config wireless-controller timers
    set darrp-optimize 0
    set darrp-day monday        <== removed
    set darrp-time "12:00"      <== removed
end
```

6.2.1 release:

```
config wireless-controller timers
    set darrp-optimize-schedules "default-darrp-optimize"   <== added
end
```
Option changes for wids-profile: the background-scan disable day and start/end times are replaced by a schedule reference.

Previous releases:

```
config wireless-controller wids-profile
    edit "default"
        set ap-bgscan-disable-day monday      <== removed
        set ap-bgscan-disable-start 00:00     <== removed
        set ap-bgscan-disable-end 23:59       <== removed
    next
end
```

6.2.1 release:

```
config wireless-controller wids-profile
    edit "default"
        set ap-bgscan-disable-schedules "always"   <== added
    next
end
```
New wfa-compatibility command for compatibility with previous WiFi specifications. This command only controls the minimum length of the pre-shared key (PSK) in WPA/WPA2-Personal SSIDs. When disabled, the PSK must contain 12 or more characters; when enabled, 8 or more. The default is disable, which keeps the stricter minimum; enable it only where legacy clients cannot use a 12-character PSK.

Previous releases: no equivalent command.

6.2.1 release:

```
config wireless-controller setting
    set wfa-compatibility [enable | disable]
end
```
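Because the 12-character minimum only applies when wfa-compatibility is disabled, a PSK that is accepted on one FortiGate can be rejected on another. The audit below is an added example, not Fortinet code: it reads the wfa-compatibility setting, derives the effective minimum, and lists every PSK-secured SSID whose passphrase is shorter than it. It assumes the VAP's PSK is the `set passphrase` value and that a `security` value containing "personal" marks a PSK-secured SSID. Run it against a configuration you are about to push, where the PSK is still plaintext; in a saved backup FortiOS stores the passphrase as an `ENC` blob, which the script reports as not checkable rather than guessing. The sample configuration is constructed.

```python
"""Audit WPA/WPA2-Personal PSK length against the wfa-compatibility minimum.
Added example, not Fortinet code; "set passphrase" as the PSK field and
"personal" in the security value as the PSK marker are assumptions."""
import re


def psk_minimum(config_text):
    """Effective minimum PSK length: 8 only when wfa-compatibility is enabled;
    the page states that the default is disable, so absent means 12."""
    m = re.search(r"^\s*set wfa-compatibility (enable|disable)\s*$", config_text, re.M)
    return 8 if m and m.group(1) == "enable" else 12


def parse_vaps(config_text):
    """Return {vap_name: {option: value}} for every entry in every
    'config wireless-controller vap' table. Nested sub-tables inside an entry
    are skipped by tracking config/end depth."""
    vaps, depth, name = {}, 0, None
    for line in config_text.splitlines():
        s = line.strip()
        if depth == 0:
            if s == "config wireless-controller vap":
                depth = 1
            continue
        if s.startswith("config "):
            depth += 1
        elif s == "end":
            depth -= 1
        elif depth == 1 and s.startswith("edit "):
            name = s[5:].strip('"')
            vaps[name] = {}
        elif depth == 1 and s == "next":
            name = None
        elif depth == 1 and name is not None and s.startswith("set "):
            key, _, value = s[4:].partition(" ")
            vaps[name][key] = value.strip('"')
    return vaps


def weak_psks(config_text):
    """Return (vap, psk_length, minimum) for PSK-secured SSIDs below the
    minimum. psk_length is None when the PSK is an ENC blob from a backup
    and therefore cannot be measured."""
    minimum = psk_minimum(config_text)
    findings = []
    for name, attrs in parse_vaps(config_text).items():
        if "personal" not in attrs.get("security", ""):
            continue  # open/enterprise SSIDs carry no PSK
        psk = attrs.get("passphrase", "")
        if psk.startswith("ENC "):
            findings.append((name, None, minimum))
        elif len(psk) < minimum:
            findings.append((name, len(psk), minimum))
    return findings


# Constructed sample: one PSK below the default minimum, one enterprise SSID,
# one compliant PSK.
SAMPLE = """\
config wireless-controller setting
    set wfa-compatibility disable
end
config wireless-controller vap
    edit "guest"
        set ssid "Guest"
        set security wpa2-only-personal
        set passphrase "short1234"
    next
    edit "corp"
        set ssid "Corp"
        set security wpa2-only-enterprise
    next
    edit "iot"
        set ssid "IoT"
        set security wpa-personal
        set passphrase "long-enough-psk-here"
    next
end
"""

if __name__ == "__main__":
    for vap, length, minimum in weak_psks(SAMPLE):
        print(f"{vap}: PSK length {length} below minimum {minimum}")
```

The same 9-character PSK passes once wfa-compatibility is enabled, which is the point to check before flipping that switch for a legacy client: it relaxes the rule for every Personal SSID on the controller, not just the one with the old device.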
New command to enable or disable multi-user MIMO (MU-MIMO) on "Wave 2" 802.11ac FortiAP units managed by the FortiGate. The default is enable.

Previous releases: no equivalent command.

6.2.1 release:

```
config wireless-controller vap
    edit [VAP Name]
        set mu-mimo [enable | disable]
    next
end
```