Changes in CLI defaults
AntiVirus
Add SSH inspection. This is only compatible with proxy inspection.

Previous releases:
```
config antivirus profile
    edit "profile_name"
    next
end
```
6.2.2 release:
```
config antivirus profile
    edit "profile_name"
        config ssh                            <==added
            set options scan                  <==added
            unset archive-block               <==added
            unset archive-log                 <==added
            set emulator enable               <==added
            set outbreak-prevention disabled  <==added
        end
    next
end
```
Endpoint Control
Add fortiems-cloud option under FSSO user.

Previous releases:
```
config user fsso
    edit <name>
    next
end
```
6.2.2 release:
```
config user fsso
    edit <name>
        set type fortiems-cloud  <==added
    next
end
```
Add attribute fortinetone-cloud-authentication to endpoint control fctems.

Previous releases:
```
config endpoint-control fctems
    edit <name>
    next
end
```
6.2.2 release:
```
config endpoint-control fctems
    edit <name>
        set fortinetone-cloud-authentication [enable | disable]  <==added
    next
end
```
Add sub-second-sampling under GTP.

Previous releases:
```
config firewall gtp
    edit "gtpp"
    next
end
```
6.2.2 release:
```
config firewall gtp
    edit "gtpp"
        set sub-second-sampling enable  <==added
        set sub-second-interval 0.1     <==added
    next
end
```
Firewall
Add HTTPS as a type of health check for VIP load-balance monitor.

Previous releases:
```
config firewall ldb-monitor
    edit [Monitor Name]
        set type ?
            ping   PING health monitor.
            tcp    TCP-connect health monitor.
            http   HTTP-GET health monitor.
```
6.2.2 release:
```
config firewall ldb-monitor
    edit [Monitor Name]
        set type ?
            ping   PING health monitor.
            tcp    TCP-connect health monitor.
            http   HTTP-GET health monitor.
            https  HTTP-GET health monitor with SSL.  <==added
```
Remove set type wildcard-fqdn and set wildcard-fqdn <string> from firewall address.

Previous releases:
```
config firewall address
    edit [Address]
        set type wildcard-fqdn      <==removed
        set wildcard-fqdn <string>  <==removed
    next
end
```
6.2.2 release:
```
config firewall address
    edit [Address]
    next
end
```
Add CLI commands to support address and service negate in consolidated policy.

Previous releases:
```
config firewall consolidated policy
    edit [Policy ID]
    next
end
```
6.2.2 release:
```
config firewall consolidated policy
    edit [Policy ID]
        set srcaddr-negate [enable | disable]               <==added
        set dstaddr-negate [enable | disable]               <==added
        set service-negate [enable | disable]               <==added
        set internet-service-negate [enable | disable]      <==added
        set internet-service-src-negate [enable | disable]  <==added
    next
end
```
Proxy
In protocol option profile, add ssl-offloaded command under each protocol.

Previous releases:
```
config firewall profile-protocol-options
    edit "default-clone"
        config http
        end
        config ftp
        end
        config imap
        end
        config pop3
        end
        config smtp
        end
    next
end
```
6.2.2 release:
```
config firewall profile-protocol-options
    edit "default-clone"
        config http
            set ssl-offloaded no  <==added
        end
        config ftp
            set ssl-offloaded no  <==added
        end
        config imap
            set ssl-offloaded no  <==added
        end
        config pop3
            set ssl-offloaded no  <==added
        end
        config smtp
            set ssl-offloaded no  <==added
        end
    next
end
```
Traffic Shaping
Add a new global CLI table to define traffic classes. It maps each class ID to a name; the class-id used in shaping-policy, shaping-profile, and traffic-shaper must reference an entry in this table.

Previous releases: no equivalent table.

6.2.2 release:
```
config firewall traffic-class  <==added
    edit [Class-ID]            <==added
end                            <==added
```
Log & Report
Add CLI allowing the user to configure socket priority and maximum log rate per remote log device.
Similar settings apply to config log fortiguard setting and config log syslogd setting.

Previous releases:
```
config log fortianalyzer setting
end
config log fortianalyzer override-setting
end
```
6.2.2 release:
```
config log fortianalyzer setting
    set priority [default | low]               <==added
    set max-log-rate [Log Rate, unit is MBps]  <==added
end
config log fortianalyzer override-setting
    set priority [default | low]               <==added
    set max-log-rate [Log Rate, unit is MBps]  <==added
end
```
Add a new test command option to diag test application miglogd.

Previous releases:
```
diag test application miglogd
```
6.2.2 release:
```
diag test application miglogd 40  <==added option "40"
```
SSH
Add file transfer scan over SSH (SCP and SFTP).

Previous releases:
```
config ssh-filter profile
    edit [Profile Name]
        set default-command-log disable
    next
end
```
6.2.2 release:
```
config ssh-filter profile
    edit [Profile Name]
        set block x11 shell exec port-forward tun-forward sftp scp unknown  <==added scp
        set log x11 shell exec port-forward tun-forward sftp scp unknown    <==added scp
        set default-command-log disable
        config file-filter                      <==added
            set status enable                   <==added
            set log enable                      <==added
            set scan-archive-contents enable    <==added
            config entries                      <==added
                edit [Entry]                    <==added
                    set comment ''              <==added
                    set action block            <==added
                    set direction any           <==added
                    set password-protected any  <==added
                    set file-type "msoffice"    <==added
                next
            end
        end
    next
end
```
SSL VPN
Remove citrix and portforward from apptype in the three SSL VPN web bookmark tables.

Previous releases:
```
conf vpn ssl web user-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    citrix       Citrix.        <==removed
                    ftp          FTP.
                    portforward  Port Forward.  <==removed
                    rdp          RDP.
                    sftp         SFTP.
                    smb          SMB/CIFS.
                    ssh          SSH.
                    telnet       Telnet.
                    vnc          VNC.
                    web          HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web user-group-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    citrix       Citrix.        <==removed
                    ftp          FTP.
                    portforward  Port Forward.  <==removed
                    rdp          RDP.
                    sftp         SFTP.
                    smb          SMB/CIFS.
                    ssh          SSH.
                    telnet       Telnet.
                    vnc          VNC.
                    web          HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web portal
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    citrix       Citrix.        <==removed
                    ftp          FTP.
                    portforward  Port Forward.  <==removed
                    rdp          RDP.
                    sftp         SFTP.
                    smb          SMB/CIFS.
                    ssh          SSH.
                    telnet       Telnet.
                    vnc          VNC.
                    web          HTTP/HTTPS.
            next
        end
    next
end
```
6.2.2 release:
```
conf vpn ssl web user-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    ftp     FTP.
                    rdp     RDP.
                    sftp    SFTP.
                    smb     SMB/CIFS.
                    ssh     SSH.
                    telnet  Telnet.
                    vnc     VNC.
                    web     HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web user-group-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    ftp     FTP.
                    rdp     RDP.
                    sftp    SFTP.
                    smb     SMB/CIFS.
                    ssh     SSH.
                    telnet  Telnet.
                    vnc     VNC.
                    web     HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web portal
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    ftp     FTP.
                    rdp     RDP.
                    sftp    SFTP.
                    smb     SMB/CIFS.
                    ssh     SSH.
                    telnet  Telnet.
                    vnc     VNC.
                    web     HTTP/HTTPS.
            next
        end
    next
end
```
System
Add description in system security zones.

Previous releases:
```
config system zone
    edit [Zone Name]
    next
end
```
6.2.2 release:
```
config system zone
    edit [Zone Name]
        set description ""  <==added
    next
end
```
Increase the maximum number of DNS servers supported in DHCP server from 3 to 4.

Previous releases:
```
config system dhcp server
    edit [Server ID]
        set dns-server1 1.1.1.1
        set dns-server2 2.2.2.2
        set dns-server3 3.3.3.3
    next
end
```
6.2.2 release:
```
config system dhcp server
    edit [Server ID]
        set dns-server1 1.1.1.1
        set dns-server2 2.2.2.2
        set dns-server3 3.3.3.3
        set dns-server4 4.4.4.4  <==added
    next
end
```
VM
Remove the vdom-mode multi-vdom option for cloud-based on-demand FGT-VM.

Previous releases:
```
config sys global
    set vdom-mode ?
        no-vdom     Disable split/multiple VDOMs mode.
        split-vdom  Enable split VDOMs mode.
        multi-vdom  Enable multiple VDOMs mode.  <==removed
end
```
6.2.2 release:
```
config sys global
    set vdom-mode ?
        no-vdom     Disable split/multiple VDOMs mode.
        split-vdom  Enable split VDOMs mode.
end
```
Remove security rating from FGT_VMX and FGT_SVM.

Previous releases:
```
diagnose security-rating version  <==removed
```
6.2.2 release: command no longer available.
Enable CPU hot plug in kernel configuration.

Previous releases: no equivalent command.

6.2.2 release:
```
execute cpu show  <==added
Active CPU number: 1
Total CPU number: 8
execute cpu add 1  <==added
Active CPU number: 2
Total CPU number: 8
```
Collect EIP from cloud VMs (Azure, AWS, GCP, AliCloud, and OCI).

Previous releases:
```
pcui-cloudinit-test # execute <?>
config system global
    set sslvpn-cipher-hardware-acceleration  <==removed
end
```
6.2.2 release:
```
pcui-cloudinit-test # execute <?>
update-eip    [Update external IP.]  <==added
config system global
    ...
end
```
WiFi Controller
Add portal-type external-auth when captive-portal is enabled on local-bridge VAP.

Previous releases:
```
config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "bridge-captive"
        set local-bridging enable
        set security captive-portal
        set external-web "170.00.00.000/portal/index.php"
        set radius-server "peap"
    next
end
```
6.2.2 release:
```
config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "bridge-captive"
        set local-bridging enable
        set security captive-portal
        set portal-type external-auth  <==added
        set external-web "170.00.00.000/portal/index.php"
        set radius-server "peap"
    next
end
```
Move darrp-optimize and darrp-optimize-schedules configurations from Global level to VDOM level.

Previous releases:
```
### Global ###
config wireless-controller timers
    set darrp-optimize 86400                                  <==removed
    set darrp-optimize-schedules "default-darrp-optimize"     <==removed
end
```
6.2.2 release:
```
### VDOM ###
config wireless-controller setting
    set darrp-optimize 86400                                  <==added
    set darrp-optimize-schedules "default-darrp-optimize"     <==added
end
```
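As an added example that is not part of these release notes, the following pre-upgrade lint walks a FortiOS config backup and flags the settings this page lists as removed or relocated in 6.2.2: the firewall address wildcard-fqdn type, the citrix and portforward bookmark apptypes, vdom-mode multi-vdom, and the global-level DARRP timers. It assumes a backup written with full table names (config system global, not config sys global) and uses a constructed sample config; the RULES table and lint_config function are the example's own.

```python
# Added lint example, not the release notes' own code. Assumes full table names
# ("system global", not "sys global") as written in a config backup.
RULES = {  # (top-level table, innermost table, setting, required value or None) -> note
    ("firewall address", "firewall address", "type", "wildcard-fqdn"): "removed in 6.2.2",
    ("firewall address", "firewall address", "wildcard-fqdn", None): "removed in 6.2.2",
    ("system global", "system global", "vdom-mode", "multi-vdom"): "removed on cloud on-demand FGT-VM",
    ("wireless-controller timers", "wireless-controller timers", "darrp-optimize", None): "moved to VDOM-level wireless-controller setting",
    ("wireless-controller timers", "wireless-controller timers", "darrp-optimize-schedules", None): "moved to VDOM-level wireless-controller setting",
}
for table in ("vpn ssl web user-bookmark", "vpn ssl web user-group-bookmark", "vpn ssl web portal"):
    for app in ("citrix", "portforward"):
        RULES[(table, "bookmarks", "apptype", app)] = "apptype removed from SSL VPN bookmarks in 6.2.2"

def lint_config(text):
    """Return (line number, table path, set line, note) for each setting RULES flags."""
    path, findings = [], []  # path: stack of open 'config' tables; edit/next do not change it
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):].strip())
        elif line == "end" and path:
            path.pop()
        elif line.startswith("set ") and path:
            key, *values = line.split()[1:]
            for (top, inner, rkey, rval), note in RULES.items():
                if (path[0], path[-1], key) == (top, inner, rkey) and (rval is None or rval in values):
                    findings.append((lineno, "/".join(path), line, note))
    return findings

# Constructed sample backup (not from a real device): two removed address settings, one removed bookmark apptype, one moved DARRP timer.
SAMPLE = """\
config firewall address
    edit "old-wildcard"
        set type wildcard-fqdn
        set wildcard-fqdn "*.example.com"
    next
end
config vpn ssl web portal
    edit "full-access"
        config bookmarks
            edit "legacy"
                set apptype citrix
            next
        end
    next
end
config wireless-controller timers
    set darrp-optimize 86400
end
"""
```

Run lint_config over the text of a backup taken before the upgrade; each finding gives the line to revisit, the table it sits in and what 6.2.2 does with that setting.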
Add external-web-format setting under captive-portal VAP when external portal is selected.

Previous releases:
```
config wireless-controller vap
    edit guestwifi
        set ssid "GuestWiFi"
        set security captive-portal
        set external-web "http://170.00.00.000/portal/index.php"
        set selected-usergroups "Guest-group"
        set intra-vap-privacy enable
        set schedule "always"
    next
end
```
6.2.2 release:
```
config wireless-controller vap
    edit guestwifi
        set ssid "GuestWiFi"
        set security captive-portal
        set external-web "http://170.00.00.000/portal/index.php"
        set selected-usergroups "Guest-group"
        set intra-vap-privacy enable
        set schedule "always"
        set external-web-format auto-detect  <==added
    next
end
```
Add new WTP profiles FAPU431F-default and FAPU433F-default.

Previous releases:
```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config platform
        end
```
6.2.2 release:
```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config platform
            set type [U431F | U433F]          <==added
            set mode [dual-5G | single-5G]    <==added
        end
```

Previous releases:
```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
    next
end
```
6.2.2 release:
```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config radio-1                <==added
            set band 802.11ax-5G      <==added
        end
        config radio-2                <==added
            set band 802.11ax-5G      <==added
        end
        config radio-3                <==added
            set band 802.11n,g-only   <==added
        end
    next
end
```

Previous releases:
```
config wireless-controller vap
    edit [SSID name]
    next
end
```
6.2.2 release:
```
config wireless-controller vap
    edit [SSID name]
        set high-efficiency enable   <==added
        set target-wake-time enable  <==added
    next
end
```
For DFS approved countries, add 160 MHz channel bonding support for FortiAP U421EV/U422EV/U423EV models.

Previous releases:
```
config wireless-controller wtp-profile
    edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
        config radio-2
            set band 802.11ac
        end
    next
end
```
6.2.2 release:
```
config wireless-controller wtp-profile
    edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
        config radio-2
            set band 802.11ac
            set channel-bonding 160MHz  <==added
        end
    next
end
```
Add MPSK schedule that allows setting a valid period for MPSK.

Previous releases:
```
config wireless-controller vap
    edit [SSID Interface Name]
        set mpsk enable
        config mpsk-key
            edit [MPSK Entry Name]
                set passphrase 11111111
            next
        end
    next
end
```
6.2.2 release:
```
config wireless-controller vap
    edit [SSID Interface Name]
        set mpsk enable
        config mpsk-key
            edit [MPSK Entry Name]
                set passphrase 11111111
                set mpsk-schedules "always"  <==added
            next
        end
    next
end
```
Add GRE and L2TP support in WiFi.

Previous releases:
```
config wireless-controller vap
    edit "80e_gre"
        set ssid "FOS-QA_Bruce_80e_gre"
        set local-bridging enable
        set vlanid 3135
    next
end
```
6.2.2 release:
```
config wireless-controller wag-profile  <==added
    edit [Profile Name]                 <==added
end
config wireless-controller vap
    edit "80e_gre"
        set ssid "FOS-QA_Bruce_80e_gre"
        set local-bridging enable
        set vlanid 3135
        set primary-wag-profile "tunnel"   <==added
        set secondary-wag-profile "l2tp"   <==added
    next
end
```