What's new for FortiGate-7000 5.6.6
Version 5.6.6 enhancements include adding FortiOS 5.6.6 to the FortiGate-7000 platform. This release also includes bug fixes and improvements and the following new features.
- Support for FortiOS 5.6.6 and most 5.6.6 features including FortiOS 5.6.6 GUI features.
- You can configure new Resource Usage dashboard widgets to show CPU use, log rate, memory use, session creation rate, and the number of active sessions for individual FIMs, the management plane, the data plane, and the Security Fabric.
- The Security Fabric dashboard widget shows high level status and configuration information for all of the FPMs.
- The Sensor Information dashboard widget displays temperature information and allows you to drill down for information about individual temperature sensors.
- DP2 firmware upgrade.
- VRRP support.
- The management VDOM is now named mgmt-vdom (was dmgmt-vdom).
- The `diagnose sniffer packet` command now shows the name of the FPM that processed the packet.
- You can now use the `execute ping` and `execute traceroute` commands from an FIM CLI to an external destination.
- FIMs directly query LDAP/FSSO/RADIUS servers. These queries no longer have to go through the management VDOM.
- The Route Monitor displays accurate routing information.
- SNMP integration improvements including new MIBs.
- The following FortiOS 5.6.6 features are not supported:
- SD-WAN
- Some IPsec VPN features
- Policy learning mode
- HA dedicated management interfaces
New IPsec VPN features
FortiOS 5.6.6 includes the following IPsec VPN improvements:
- Including a phase 2 selector is no longer mandatory.
- Dynamic routing (RIP, OSPF, BGP) is supported over IPsec VPN tunnels.
IPsec VPN features supported by FortiOS 5.6.6 for FortiGate-7000
FortiOS 5.6.6 for FortiGate-7000 supports the following IPsec VPN features.
- Interface-based IPsec VPN (also called route-based IPsec VPN).
- Static routes can point to IPsec VPN interfaces.
- Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels.
- Remote networks with 16- to 32-bit netmasks.
- IPsec VPN tunnels must terminate on the primary FPM (the ELBC master).
- Site-to-Site IPsec VPN.
- Dialup IPsec VPN. The FortiGate-7000 can be the dialup server or client.
- IPv4 clear-text traffic (IPv4 over IPv4 or IPv4 over IPv6).
IPsec VPN features not supported by FortiOS 5.6.6 for FortiGate-7000
FortiOS 5.6.6 for FortiGate-7000 does not support the following IPsec VPN features.
- Policy-based IPsec VPN.
- Policy routes for VPN traffic.
- Remote networks with 0- to 15-bit netmasks.
- IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6).
- Load-balancing IPsec VPN tunnels to multiple FPMs.
- IPsec SA synchronization between both FortiGate-7000s in an HA configuration.
New High Availability features and changes
Configuring FortiGate-7000 HA has been simplified for FortiOS 5.6.6. To set up HA, you no longer have to configure HA settings for both of the FIMs in a FortiGate-7000. Instead, you configure HA settings on the primary FIM and this configuration is synchronized to the other FIM.
FortiGate-7000 HA is also configured and operates more like standard FGCP HA. The link failure threshold concept that was part of FortiGate-7000 for FortiOS 5.4 has been removed, board failover tolerance has been simplified, and primary unit selection has been simplified to be more like FGCP primary unit selection.
FortiOS 5.6.6 also includes the following new features and changes:
- The System > HA GUI page now appears and can be used to configure most HA settings.
- You can configure HA interface monitoring (or port monitoring) to detect link failures.
- You can configure HA remote link failover (also called remote IP monitoring) to detect remote link failures using the following options:
- Enable remote IP monitoring with the `pingserver-monitor-interface` option.
- Set the remote IP monitoring failover threshold with the `pingserver-failover-threshold` option.
- Force the cluster to negotiate after a remote IP monitoring failover with the `pingserver-slave-force-reset` option.
- Adjust the time to wait in minutes before renegotiating after a remote IP monitoring failover with the `pingserver-flip-timeout` option.
- You can use the `get system ha status` command to display HA status. The `diagnose sys ha status` command is no longer available.
- The `diagnose sys ha force-slave-state` command is no longer available. To force the primary FortiGate-7000 into a secondary (or slave) state you can use the `diagnose sys ha reset-uptime` command.
- The HA `link-failure-threshold` option has been removed.
- The `board-failover-tolerance` option has been simplified and determines how the cluster responds to failed FIMs.
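The following is an added illustration, not part of these release notes, showing how the four remote IP monitoring options listed above fit together in a FortiOS CLI configuration. It assumes the standard FortiOS layout, in which the ping server is defined under `config system link-monitor` and the `pingserver-*` options live under `config system ha`; the interface name `port1`, the monitored address `192.0.2.1`, and the numeric values are constructed placeholders, not values from this page.

```text
# Added example, not from the release notes. The "#" lines are
# annotations for the reader and must be removed before pasting
# into a FortiOS CLI session. port1 and 192.0.2.1 are placeholders.

# Define the remote host to probe. When the probe fails, the value
# of ha-priority is counted against the HA failover threshold.
config system link-monitor
    edit "remote-gw-check"
        set srcintf "port1"
        set server "192.0.2.1"
        set protocol ping
        set interval 5
        set failtime 5
        set ha-priority 10
    next
end

# Enable remote IP monitoring on port1, fail over once the summed
# ha-priority of failed monitors reaches 10, force the demoted unit
# to renegotiate, and wait 60 minutes before renegotiating again.
config system ha
    set pingserver-monitor-interface "port1"
    set pingserver-failover-threshold 10
    set pingserver-slave-force-reset enable
    set pingserver-flip-timeout 60
end
```

Because a remote IP monitoring failover moves the whole cluster to the other chassis, the threshold and flip timeout should be chosen so that a single transient packet loss does not cause a failover, and so that the cluster does not flap between chassis if the monitored host is genuinely unreachable from both. Verify the resulting state after a test with `get system ha status`.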