Changes in CLI defaults
AntiVirus
Add SSH inspection. This is only compatible with proxy inspection.
Previous releases:

```
config antivirus profile
    edit "profile_name"
    next
end
```

6.2.2 release:

```
config antivirus profile
    edit "profile_name"
        config ssh <==added
            set options scan <==added
            unset archive-block <==added
            unset archive-log <==added
            set emulator enable <==added
            set outbreak-prevention disabled <==added
        end
    next
end
```
Endpoint Control
Add `fortiems-cloud` option under FSSO user.

Previous releases:

```
config user fsso
    edit <name>
    next
end
```

6.2.2 release:

```
config user fsso
    edit <name>
        set type fortiems-cloud <==added
    next
end
```
Add attribute `fortinetone-cloud-authentication` to endpoint control `fctems`.

Previous releases:

```
config endpoint-control fctems
    edit <name>
    next
end
```

6.2.2 release:

```
config endpoint-control fctems
    edit <name>
        set fortinetone-cloud-authentication [enable | disable] <==added
    next
end
```
Add `sub-second-sampling` under GTP.

Previous releases:

```
config firewall gtp
    edit "gtpp"
    next
end
```

6.2.2 release:

```
config firewall gtp
    edit "gtpp"
        set sub-second-sampling enable <==added
        set sub-second-interval 0.1 <==added
    next
end
```
Firewall
Add HTTPS as a type of health check for VIP load-balance monitor.
Previous releases:

```
config firewall ldb-monitor
    edit [Monitor Name]
        set type ?
            ping     PING health monitor.
            tcp      TCP-connect health monitor.
            http     HTTP-GET health monitor.
```

6.2.2 release:

```
config firewall ldb-monitor
    edit [Monitor Name]
        set type ?
            ping     PING health monitor.
            tcp      TCP-connect health monitor.
            http     HTTP-GET health monitor.
            https    HTTP-GET health monitor with SSL. <==added
```
Remove `set type wildcard-fqdn` and `set wildcard-fqdn <string>` from firewall address.

Previous releases:

```
config firewall address
    edit [Address]
        set type wildcard-fqdn <==removed
        set wildcard-fqdn <string> <==removed
    next
end
```

6.2.2 release:

```
config firewall address
    edit [Address]
    next
end
```
Add CLI commands to support address and service negate in consolidated policy.
Previous releases:

```
config firewall consolidated policy
    edit [Policy ID]
    next
end
```

6.2.2 release:

```
config firewall consolidated policy
    edit [Policy ID]
        set srcaddr-negate [enable | disable] <==added
        set dstaddr-negate [enable | disable] <==added
        set service-negate [enable | disable] <==added
        set internet-service-negate [enable | disable] <==added
        set internet-service-src-negate [enable | disable] <==added
    next
end
```
Proxy
In protocol option profile, add `ssl-offloaded` command under each protocol.

Previous releases:

```
config firewall profile-protocol-options
    edit "default-clone"
        config http
        end
        config ftp
        end
        config imap
        end
        config pop3
        end
        config smtp
        end
    next
end
```

6.2.2 release:

```
config firewall profile-protocol-options
    edit "default-clone"
        config http
            set ssl-offloaded no <==added
        end
        config ftp
            set ssl-offloaded no <==added
        end
        config imap
            set ssl-offloaded no <==added
        end
        config pop3
            set ssl-offloaded no <==added
        end
        config smtp
            set ssl-offloaded no <==added
        end
    next
end
```
Traffic Shaping
Add a new global CLI table to define traffic classes. This is a mapping between `class-ID` and naming. The `class-ID` values from shaping-policy, shaping-profile, and traffic-shaper need to be data-sourced from this CLI table.

Previous releases: (none)

6.2.2 release:

```
config firewall traffic-class <==added
    edit [Class-ID] <==added
end <==added
```
Log & Report
Add CLI settings that allow the user to configure socket priority and maximum log rate per remote log device. Similar settings apply to `config log fortiguard setting` and `config log syslogd setting`.

Previous releases:

```
config log fortianalyzer setting
end
config log fortianalyzer override-setting
end
```

6.2.2 release:

```
config log fortianalyzer setting
    set priority [default | low] <==added
    set max-log-rate [Log Rate, unit is MBps] <==added
end
config log fortianalyzer override-setting
    set priority [default | low] <==added
    set max-log-rate [Log Rate, unit is MBps] <==added
end
```
Add the test command option in CLI.
Previous releases:

```
diag test application miglogd
```

6.2.2 release:

```
diag test application miglogd 40 <==added option "40"
```
SSH
Add file transfer scan over SSH (SCP and SFTP).
Previous releases:

```
config ssh-filter profile
    edit [Profile Name]
        set default-command-log disable
    next
end
```

6.2.2 release:

```
config ssh-filter profile
    edit [Profile Name]
        set block x11 shell exec port-forward tun-forward sftp scp unknown <==added scp
        set log x11 shell exec port-forward tun-forward sftp scp unknown <==added scp
        set default-command-log disable
        config file-filter <==added
            set status enable <==added
            set log enable <==added
            set scan-archive-contents enable <==added
            config entries <==added
                edit [Entry] <==added
                    set comment '' <==added
                    set action block <==added
                    set direction any <==added
                    set password-protected any <==added
                    set file-type "msoffice" <==added
                next
            end
        end
    next
end
```
SSL VPN
Remove `citrix` and `portforward` from `apptype` in the three entries in SSL VPN web bookmark.

Previous releases:

```
conf vpn ssl web user-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    citrix         Citrix. <==removed
                    ftp            FTP.
                    portforward    Port Forward. <==removed
                    rdp            RDP.
                    sftp           SFTP.
                    smb            SMB/CIFS.
                    ssh            SSH.
                    telnet         Telnet.
                    vnc            VNC.
                    web            HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web user-group-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    citrix         Citrix. <==removed
                    ftp            FTP.
                    portforward    Port Forward. <==removed
                    rdp            RDP.
                    sftp           SFTP.
                    smb            SMB/CIFS.
                    ssh            SSH.
                    telnet         Telnet.
                    vnc            VNC.
                    web            HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web portal
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    citrix         Citrix. <==removed
                    ftp            FTP.
                    portforward    Port Forward. <==removed
                    rdp            RDP.
                    sftp           SFTP.
                    smb            SMB/CIFS.
                    ssh            SSH.
                    telnet         Telnet.
                    vnc            VNC.
                    web            HTTP/HTTPS.
            next
        end
    next
end
```

6.2.2 release:

```
conf vpn ssl web user-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    ftp       FTP.
                    rdp       RDP.
                    sftp      SFTP.
                    smb       SMB/CIFS.
                    ssh       SSH.
                    telnet    Telnet.
                    vnc       VNC.
                    web       HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web user-group-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    ftp       FTP.
                    rdp       RDP.
                    sftp      SFTP.
                    smb       SMB/CIFS.
                    ssh       SSH.
                    telnet    Telnet.
                    vnc       VNC.
                    web       HTTP/HTTPS.
            next
        end
    next
end
conf vpn ssl web portal
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    ftp       FTP.
                    rdp       RDP.
                    sftp      SFTP.
                    smb       SMB/CIFS.
                    ssh       SSH.
                    telnet    Telnet.
                    vnc       VNC.
                    web       HTTP/HTTPS.
            next
        end
    next
end
```
System
Add description in system security zones.
Previous releases:

```
config system zone
    edit [Zone Name]
    next
end
```

6.2.2 release:

```
config system zone
    edit [Zone Name]
        set description "" <==added
    next
end
```
Increase the maximum number of DNS servers supported in DHCP server from 3 to 4.
Previous releases:

```
config system dhcp server
    edit [Server ID]
        set dns-server1 1.1.1.1
        set dns-server2 2.2.2.2
        set dns-server3 3.3.3.3
    next
end
```

6.2.2 release:

```
config system dhcp server
    edit [Server ID]
        set dns-server1 1.1.1.1
        set dns-server2 2.2.2.2
        set dns-server3 3.3.3.3
        set dns-server4 4.4.4.4 <==added
    next
end
```
VM
Remove `vdom-mode` `multi-vdom` option for cloud-based ondemand FGT-VM.

Previous releases:

```
config sys global
    set vdom-mode ?
        no-vdom       Disable split/multiple VDOMs mode.
        split-vdom    Enable split VDOMs mode.
        multi-vdom    Enable multiple VDOMs mode. <==removed
end
```

6.2.2 release:

```
config sys global
    set vdom-mode ?
        no-vdom       Disable split/multiple VDOMs mode.
        split-vdom    Enable split VDOMs mode.
end
```
Remove security rating from FGT_VMX and FGT_SVM.
Previous releases:

```
diagnose security-rating version <==removed
```

6.2.2 release: (none)
Enable CPU hot plug in kernel configuration.
Previous releases: (none)

6.2.2 release:

```
execute cpu show <==added
Active CPU number: 1
Total CPU number: 8

execute cpu add 1 <==added
Active CPU number: 2
Total CPU number: 8
```
Collect EIP from cloud VMs (Azure, AWS, GCP, AliCloud, and OCI).
Previous releases:

```
pcui-cloudinit-test # execute <?>

config system global
    set sslvpn-cipher-hardware-acceleration <==removed
end
```

6.2.2 release:

```
pcui-cloudinit-test # execute <?>
update-eip    [Update external IP.] <==added

config system global
    ...
end
```
WiFi Controller
Add `portal-type external-auth` when `captive-portal` is enabled on local-bridge VAP.

Previous releases:

```
config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "bridge-captive"
        set local-bridging enable
        set security captive-portal
        set external-web "170.00.00.000/portal/index.php"
        set radius-server "peap"
    next
end
```

6.2.2 release:

```
config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "bridge-captive"
        set local-bridging enable
        set security captive-portal
        set portal-type external-auth <==added
        set external-web "170.00.00.000/portal/index.php"
        set radius-server "peap"
    next
end
```
Move `darrp-optimize` and `darrp-optimize-schedules` configurations from Global level to VDOM level.

Previous releases:

```
### Global ###
config wireless-controller timers
    set darrp-optimize 86400 <==removed
    set darrp-optimize-schedules "default-darrp-optimize" <==removed
end
```

6.2.2 release:

```
### VDOM ###
config wireless-controller setting
    set darrp-optimize 86400 <==added
    set darrp-optimize-schedules "default-darrp-optimize" <==added
end
```
Add `external-web-format` setting under `captive-portal` VAP when external portal is selected.

Previous releases:

```
config wireless-controller vap
    edit guestwifi
        set ssid "GuestWiFi"
        set security captive-portal
        set external-web "http://170.00.00.000/portal/index.php"
        set selected-usergroups "Guest-group"
        set intra-vap-privacy enable
        set schedule "always"
    next
end
```

6.2.2 release:

```
config wireless-controller vap
    edit guestwifi
        set ssid "GuestWiFi"
        set security captive-portal
        set external-web "http://170.00.00.000/portal/index.php"
        set selected-usergroups "Guest-group"
        set intra-vap-privacy enable
        set schedule "always"
        set external-web-format auto-detect <==added
    next
end
```
Add new WTP profiles `FAPU431F-default` and `FAPU433F-default`.

Previous releases:

```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config platform
        end
```

6.2.2 release:

```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config platform
            set type [U431F | U433F] <==added
            set mode [dual-5G | single-5G] <==added
        end
```

Previous releases:

```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
    next
end
```

6.2.2 release:

```
config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config radio-1 <==added
            set band 802.11ax-5G <==added
        end
        config radio-2 <==added
            set band 802.11ax-5G <==added
        end
        config radio-3 <==added
            set band 802.11n,g-only <==added
        end
    next
end
```

Previous releases:

```
config wireless-controller vap
    edit [SSID name]
    next
end
```

6.2.2 release:

```
config wireless-controller vap
    edit [SSID name]
        set high-efficiency enable <==added
        set target-wake-time enable <==added
    next
end
```
For DFS approved countries, add 160 MHz channel bonding support for FortiAP U421EV/U422EV/U423EV models.
Previous releases:

```
config wireless-controller wtp-profile
    edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
        config radio-2
            set band 802.11ac
        end
    next
end
```

6.2.2 release:

```
config wireless-controller wtp-profile
    edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
        config radio-2
            set band 802.11ac
            set channel-bonding 160MHz <==added
        end
    next
end
```
Add MPSK schedule that allows setting valid period for MPSK.
Previous releases:

```
config wireless-controller vap
    edit [SSID Interface Name]
        set mpsk enable
        config mpsk-key
            edit [MPSK Entry Name]
                set passphrase 11111111
            next
        end
    next
end
```

6.2.2 release:

```
config wireless-controller vap
    edit [SSID Interface Name]
        set mpsk enable
        config mpsk-key
            edit [MPSK Entry Name]
                set passphrase 11111111
                set mpsk-schedules "always" <==added
            next
        end
    next
end
```
Add GRE&L2TP support in WiFi.
Previous releases:

```
config wireless-controller vap
    edit "80e_gre"
        set ssid "FOS-QA_Bruce_80e_gre"
        set local-bridging enable
        set vlanid 3135
    next
end
```

6.2.2 release:

```
config wireless-controller wag-profile <==added
    edit [Profile Name] <==added
end

config wireless-controller vap
    edit "80e_gre"
        set ssid "FOS-QA_Bruce_80e_gre"
        set local-bridging enable
        set vlanid 3135
        set primary-wag-profile "tunnel" <==added
        set secondary-wag-profile "l2tp" <==added
    next
end
```
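
A pre-upgrade check for the removals and moves listed on this page, as an added example that is not Fortinet's code: it walks a FortiOS configuration backup and reports settings under `config firewall address`, the SSL VPN bookmark tables, `config wireless-controller timers` and `config system global` that this page marks `<==removed`. The `audit` function, the rule notes and the sample backup are constructed for illustration, and the parser assumes no multi-line quoted values.

```python
# Added example: rules transcribed from this page; parser and sample are assumptions.
RULES = [  # (config path, setting, value or None for any value, note)
    ("firewall address", "type", "wildcard-fqdn", "address type removed"),
    ("firewall address", "wildcard-fqdn", None, "setting removed"),
    ("system global", "vdom-mode", "multi-vdom", "removed on cloud ondemand FGT-VM"),
]
for key in ("darrp-optimize", "darrp-optimize-schedules"):
    RULES.append(("wireless-controller timers", key, None, "moved to VDOM level"))
for table in ("user-bookmark", "user-group-bookmark", "portal"):
    for app in ("citrix", "portforward"):
        RULES.append((f"vpn ssl web {table}", "apptype", app, "apptype removed"))

def audit(config_text):
    """Return (line number, config path, setting, note) for every rule hit."""
    stack, findings = [], []  # stack holds open ("config" | "edit", name) blocks
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = [t.strip('"') for t in raw.split()] or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":
            while stack and stack.pop()[0] != "config":
                pass  # also closes an "edit" that was left without "next"
        elif tok[0] == "set" and len(tok) > 1:
            open_paths = {name for kind, name in stack if kind == "config"}
            for path, key, value, note in RULES:
                if path in open_paths and tok[1] == key and value in (None, *tok[2:]):
                    findings.append((lineno, path, " ".join(tok[1:]), note))
    return findings

SAMPLE = """\
config firewall address
    edit "corp-wild"
        set type wildcard-fqdn
    next
end
config vpn ssl web portal
    edit "full-access"
        config bookmarks
            edit "legacy"
                set apptype citrix
            next
        end
    next
end
"""  # constructed sample backup, not taken from a real device

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Matching on every open `config` block rather than only the outermost one lets the same rules work on backups where the tables are nested under `config vdom`.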