Fortinet black logo

Changes in CLI

Changes in CLI

Bug ID

Description

713694

Configuring individual ciphers to be used in SSH administrative access can now be done from the CLI. Administrators can select the ciphers and algorithms used for SSH encryption, key exchange, and MAC using the following settings:

config system global
    set ssh-enc-algo <algo 1> [<algo 2> ... <algo n>]
    set ssh-kex-algo <algo 1> [<algo 2> ... <algo n>]
    set ssh-mac-algo <algo 1> [<algo 2> ... <algo n>]
end

Previous configurations for enabling or disabling certain ciphers and algorithms have been deprecated.

719315

Add a new block-sevrfail option for block-action attribute in dnsfilter profile. Returns SERVFAIL for blocked domains.

721747

Add authd SSL control options for maximum protocol version SSL/TLS connections and signature algorithms for HTTPS authentication (affects TLS versions 1.2 and lower):

config user setting
    set auth-ssl-max-proto-version [default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2]
    set auth-ssl-sigalgs [no-rsa-pss | all]
end

The auth-ssl-max-proto-version default setting is no limit (default). The auth-ssl-sigalgs default setting is all.

725877

Change auto-scale master-ip to primary-ip.

config system auto-scale
    set primary-ip <IP address>
end

732645

Allow Security Fabric upstream to be specified as IP or FQDN, and change the setting from upstream-ip to upstream.

config system csf
    set upstream <IP or FQDN>
end

Changes in CLI

Bug ID

Description

713694

Configuring individual ciphers to be used in SSH administrative access can now be done from the CLI. Administrators can select the ciphers and algorithms used for SSH encryption, key exchange, and MAC using the following settings:

config system global
    set ssh-enc-algo <algo 1> [<algo 2> ... <algo n>]
    set ssh-kex-algo <algo 1> [<algo 2> ... <algo n>]
    set ssh-mac-algo <algo 1> [<algo 2> ... <algo n>]
end

Previous configurations for enabling or disabling certain ciphers and algorithms have been deprecated.

719315

Add a new block-sevrfail option for block-action attribute in dnsfilter profile. Returns SERVFAIL for blocked domains.

721747

Add authd SSL control options for maximum protocol version SSL/TLS connections and signature algorithms for HTTPS authentication (affects TLS versions 1.2 and lower):

config user setting
    set auth-ssl-max-proto-version [default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2]
    set auth-ssl-sigalgs [no-rsa-pss | all]
end

The auth-ssl-max-proto-version default setting is no limit (default). The auth-ssl-sigalgs default setting is all.

725877

Change auto-scale master-ip to primary-ip.

config system auto-scale
    set primary-ip <IP address>
end

732645

Allow Security Fabric upstream to be specified as IP or FQDN, and change the setting from upstream-ip to upstream.

config system csf
    set upstream <IP or FQDN>
end