Fortinet black logo

FortiOS Release Notes

Home FortiGate / FortiOS 6.4.2 FortiOS Release Notes

Changes in default behavior

6.4.2
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.10
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
Copy Link
Copy Doc ID d5e5a1e1-d1ea-11ea-96b9-00505692583a:230510
Download PDF

Changes in default behavior

Bug ID

Description

630433

Local category and remote category override can now be controlled at the profile level.

In proxy mode, webfilter profile, ssl-exempt, and proxy-address have similar behavior in handling local and remote categories. For example, in local category:

  • In 6.0.x, 6.2.x, 6.4.0, and 6.4.1, once a host is configured in the local rating as category 140, it will be always rated as 140 at the global or VDOM level. There is no profile-level option to control it.
  • In 6.4.2, the host will be rated as the configured local rating only when that category is explicitly configured in a web filter profile. This override can be applied to webfilter profile, ssl-exempt, and proxy-address.

The following is an example configuration for a web filter profile:

config webfilter profile
  edit webf-use-local-rating
    config ftgd-wf
      config filters
        edit 1
          set category 140
          set action monitor
        next
      end
    end
  next
end

The rating in webfilter profile, ssl-exempt, and proxy-address are independent from each other.

In the GUI, an Allow action of a local/remote category when editing a web filter profile is effectively a shortcut to disable the local/remote category overrides.

For flow mode, only webfilter profile is involved, and it has different behavior as the change is in the IPS engine:

  • In 6.2.5 and 6.4.2, the local/remote rating only takes effect when the category is enabled in webfilter profile.
  • In 6.2.1-6.2.4 and 6.4.0-6.4.1, currently the local/remote rating is still at the global or VDOM level. After the next IPS engine public release, the behavior will be changed to be the same as 6.2.5/6.4.2.

There is no change in ssl-exempt for FortiGuard with flow mode and the NGFW URL category.
Previous
Next

Changes in default behavior

Bug ID

Description

630433

Local category and remote category override can now be controlled at the profile level.

In proxy mode, webfilter profile, ssl-exempt, and proxy-address have similar behavior in handling local and remote categories. For example, in local category:

  • In 6.0.x, 6.2.x, 6.4.0, and 6.4.1, once a host is configured in the local rating as category 140, it will be always rated as 140 at the global or VDOM level. There is no profile-level option to control it.
  • In 6.4.2, the host will be rated as the configured local rating only when that category is explicitly configured in a web filter profile. This override can be applied to webfilter profile, ssl-exempt, and proxy-address.

The following is an example configuration for a web filter profile:

config webfilter profile
  edit webf-use-local-rating
    config ftgd-wf
      config filters
        edit 1
          set category 140
          set action monitor
        next
      end
    end
  next
end

The rating in webfilter profile, ssl-exempt, and proxy-address are independent from each other.

In the GUI, an Allow action of a local/remote category when editing a web filter profile is effectively a shortcut to disable the local/remote category overrides.

For flow mode, only webfilter profile is involved, and it has different behavior as the change is in the IPS engine:

  • In 6.2.5 and 6.4.2, the local/remote rating only takes effect when the category is enabled in webfilter profile.
  • In 6.2.1-6.2.4 and 6.4.0-6.4.1, currently the local/remote rating is still at the global or VDOM level. After the next IPS engine public release, the behavior will be changed to be the same as 6.2.5/6.4.2.

There is no change in ssl-exempt for FortiGuard with flow mode and the NGFW URL category.
Previous
Next