6.4.5

What’s new

This section identifies new features and enhancements available with SD-WAN Orchestrator MEA 6.4.1.r6.

For information about what's new in FortiManager 6.4, see the FortiManager 6.4 New Features Guide.

Support new FortiGate & FortiWiFi models

SD-WAN Orchestrator MEA now supports the following models:

  • FortiGate-60E-DSL, FortiGate-60E-DSLJ
  • FortiGate-80F, FortiGate-80F-Bypass, FortiGate-81F
  • FortiWiFi-60E-DSL, FortiWiFi-60E-DSLJ
  • FortiWiFi-40F, FortiWiFi-40F-3G4G
  • FortiWiFi-60F, FortiWiFi-61F

Support BGP to exchange route with external router

Support for the Border Gateway Protocol (BGP) is enhanced and used to exchange route entries between devices that are managed by SD-WAN Orchestrator MEA and devices that are not managed by SD-WAN Orchestrator MEA.

SD-WAN devices can advertise the route entries learned from an external BGP router to the entire SD-WAN network.

SD-WAN devices can set a BGP community on route entries when advertising them to external routers, and the administrator can set routing policy on the external router according to the BGP community.

Support OSPF to exchange route with external router

Support for the OSPF (Open Shortest Path First) protocol is enhanced to exchange the routing table with external routers that are not managed by SD-WAN Orchestrator MEA.

SD-WAN devices can advertise the route entries learned from an external OSPF router to the entire SD-WAN network.

SD-WAN devices can also redistribute SD-WAN routes to external OSPF routers.

Support VDOM for hub and edge

VDOMs can now be configured as hub or edge FortiGate devices.

Support FortiExtender as WAN port

Three FortiExtender platforms can now be used as WAN ports for FortiGate devices.

Expose more DHCP server options

More DHCP server options are now available, such as Lease Time and DNS Server Res Type.

Support for DMZ set IP auto assign and allow overlap

The profile settings for DMZ now support enabling IP auto assignment and allowing overlap.

Monitoring enhancement for database protection and recovery

The Monitor tree menu now includes a real-time status icon that communicates when you should clean up old monitoring data to reduce disk usage. The following statuses are available:

  • Active (checkmark in green circle) - Monitoring is active and operating below the disk usage warning threshold. No cleanup is required.
  • Warning (exclamation mark in yellow triangle) - Monitoring is active, but disk usage has passed the warning threshold. Click Confirm Cleanup to clear old monitoring data and reduce disk usage.
  • Stopping (vertical lines in red circle) - Monitoring is stopped because disk usage has passed the stopping threshold. You must manually check disk usage.

Click the status icon to display details and access the Confirm Cleanup button.

Monitoring support for FortiSwitch and FortiAP

From the Monitor tree menu, you can go to Devices > Local Branch to view topology and statistics for FortiSwitch and FortiAP.

Monitoring support for edge behind NAT device ADVPN

From the Monitor tree menu, you can view shortcut path and shortcut statistics, even when edge devices are behind NAT devices.

Address group change

Starting with SD-WAN Orchestrator MEA 6.4.1.r6, all user-specified, custom IP addresses in the LAN/DMZ interface must also be in an IP pool. As a result, the GROUP.CUSTOM_groupname address group is no longer needed.

All subnets of LAN/DMZ must be included in a blackhole static route, and the subnet of the blackhole must not equal any subnet of LAN/DMZ. If the subnet of the blackhole equals any subnet of LAN/DMZ, the route of that interface becomes invalid. All user specified, custom IP addresses must be included in an IP pool.

Address groups in SD-WAN Orchestrator MEA 6.4.1.r5 and earlier

In SD-WAN Orchestrator MEA 6.4.1.r5 and earlier, users could create an address group named GROUP.CUSTOM_groupname for each region, and it contained user specified, custom IP addresses. A custom IP address is an address specified by the user in the LAN/DMZ interface. The IP address is not allocated by SD-WAN Orchestrator MEA. The custom IP address must NOT be in an IP pool, or a conflict occurs.

GROUP_ALL contains every region's GROUP.CUSTOM_groupname address group and all address groups for IP pools. Because all addresses allocated from an IP pool are included in that pool's address group, GROUP_ALL contains all addresses.

It is not recommended to use GROUP.CUSTOM_groupname address group in business rules and in FortiManager policy packages, because it only contains part of the addresses of the corresponding region. It contains only user specified custom addresses of that region, and doesn't contain the addresses allocated from IP pool.

Example

For example, consider a region named Seattle with an IP pool named pool1 (subnet 192.168.0.0/16). On the device with ID 1, port4 uses the user-specified custom address 172.1.1.0/24, and port5 uses the address 192.168.1.0/24.

SD-WAN Orchestrator MEA 6.4.1.r5 and earlier handles the scenario as follows:

  • GROUP_ALL includes two address groups: GROUP.CUSTOM_Seattle and POOL_pool1.
  • GROUP.CUSTOM_Seattle contains DEVICE_1_port4 (with address 172.1.1.0/24).
  • POOL_pool1 contains POOL_192.168.0.0_16 (with address 192.168.0.0/16).
  • The port5 address does not need to be added to GROUP_ALL as a separate item, because it is included in POOL_192.168.0.0_16.

GROUP_Seattle for region Seattle is also created, and this group contains address group DEVICE_1, which includes DEVICE_1_port4 (with address 172.1.1.0/24) and DEVICE_1_port5 (with address 192.168.1.0/24).

GROUP.CUSTOM_Seattle is not recommended for use in business rules and in FortiManager policy packages; GROUP_Seattle is recommended instead.

SD-WAN Orchestrator MEA 6.4.1.r6 and later handles the scenario as follows:

  • User must create an IP pool for port4, for example, an IP pool named pool2 with a subnet 172.1.0.0/23.

As a result, GROUP_ALL contains POOL_pool1 and POOL_pool2.

POOL_pool1 contains POOL_192.168.0.0_16 (with address 192.168.0.0/16).

POOL_pool2 contains POOL_172.1.0.0_23 (with address 172.1.0.0/23).

GROUP.CUSTOM_Seattle is no longer needed, because 172.1.1.0/24 is already included in GROUP_ALL.

The old GROUP_Seattle and its members are not changed, and you can use the group in business rules and FortiManager policy packages as before.
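The 6.4.1.r6 addressing rules above (every LAN/DMZ subnet inside an IP pool, and every LAN/DMZ subnet included in, but not equal to, a blackhole static route) can be checked against an address plan before upgrading. The following is an added example, not Fortinet code: the function name `check_address_plan` is hypothetical, the interface and pool values come from the Seattle example, and the blackhole routes are constructed because the page does not list any.

```python
import ipaddress

def check_address_plan(interfaces, pools, blackholes):
    """Return violations of the 6.4.1.r6 LAN/DMZ addressing rules.

    interfaces: {name: CIDR} for LAN/DMZ interfaces
    pools:      {name: CIDR} for IP pools
    blackholes: [CIDR] for blackhole static routes
    """
    pool_nets = [ipaddress.ip_network(c) for c in pools.values()]
    hole_nets = [ipaddress.ip_network(c) for c in blackholes]
    problems = []
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr)
        # Rule 1: custom and allocated subnets alike must be inside an IP pool.
        if not any(p.version == net.version and net.subnet_of(p) for p in pool_nets):
            problems.append(f"{name} ({net}): not inside any IP pool")
        # Rule 2: a blackhole equal to the subnet invalidates the interface route.
        if net in hole_nets:
            problems.append(f"{name} ({net}): blackhole route equals the subnet")
        # Rule 3: otherwise a strictly larger blackhole must include the subnet.
        elif not any(h.version == net.version and net.subnet_of(h) for h in hole_nets):
            problems.append(f"{name} ({net}): no blackhole route includes the subnet")
    return problems

# Values from the Seattle example on this page.
INTERFACES = {"DEVICE_1_port4": "172.1.1.0/24", "DEVICE_1_port5": "192.168.1.0/24"}
POOLS_R5 = {"pool1": "192.168.0.0/16"}                          # r5: port4 is outside every pool
POOLS_R6 = {"pool1": "192.168.0.0/16", "pool2": "172.1.0.0/23"}  # r6: pool2 added for port4

# Constructed blackhole routes (not given on the page).
BLACKHOLES_OK = ["192.168.0.0/16", "172.1.0.0/23"]
BLACKHOLES_EQUAL = ["192.168.0.0/16", "172.1.1.0/24"]  # equals the port4 subnet

if __name__ == "__main__":
    for label, pools, holes in [
        ("r5 layout", POOLS_R5, BLACKHOLES_OK),
        ("r6 layout", POOLS_R6, BLACKHOLES_OK),
        ("r6 layout, blackhole equals port4", POOLS_R6, BLACKHOLES_EQUAL),
    ]:
        issues = check_address_plan(INTERFACES, pools, holes)
        print(label, "->", issues or "compliant")
```
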

Other improvements

  • Log search

    You can now search logs by using subtypes. The page displays a brief description for the logs, and you can click the Detail button to view more details.

  • Naming rules for IPsec tunnels

    An alias with the format p1.<peer_device>.p2 is used for IPsec tunnels/interfaces. The new naming format allows the administrator to better distinguish between tunnels by using the FortiOS GUI, especially when troubleshooting.
