No, this is not an April Fools' Day joke.
This post deviates from the content I usually publish. Instead of a “how-to” guide, it is mostly informational: it explains (from my perspective) the direction in which Fortinet is heading.
The much-anticipated release of FortiOS 6.2 happened late last week. With it come some exciting features that strengthen the argument for the Security Fabric vision that Fortinet has placed a huge bet on. The New Features in FortiOS 6.2 document lists new functionality that has me quite excited. The features that stand out to me the most are below:
Split-Task VDOM Support
Prior to this feature, enabling Virtual Domains (VDOMs) on a FortiGate meant it could not participate in the Fortinet Security Fabric. Now VDOMs can be enabled and the FortiGate can still participate in the Security Fabric. Read more details about this at the following link.
FortiClientEMS SSO Integration
It looks like the soon-to-be-released FortiClientEMS 6.2 can serve as a source for the FortiGate’s single sign-on. According to the documentation, tags can be created in FortiClientEMS for certain FortiClients (based on compliance checking) and pushed dynamically to the FortiGate, so that specific network policy can be applied to those FortiClients as their traffic traverses the firewall.
This is an interesting feature to me because I believe it overlaps with the functionality provided by FortiAuthenticator and the built-in mobility agent in FortiClient. However, I think the main distinction between the two is that FortiAuthenticator is used for user/group mapping while FortiClientEMS SSO is used for compliance.
WiFi Location Map
The FortiGate can now display your floor plan and place your FortiAPs on it. Functionally this enhancement does not seem like much, but it adds some polish to the secure access layer of the Security Fabric. For more details, consult the following documentation.
Monitor and Suppress Phishing SSID
Another addition is the ability to configure FortiAP security to suppress phishing SSIDs, which can be:
- SSIDs that are applied to the FortiAP
- SSID patterns that are defined by the FortiGate administrator
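To make the two match rules concrete, here is an added example (my own code, not anything from the post or from Fortinet) of the detection half of this feature: a scan of nearby beacons is checked against the SSIDs our own FortiAPs serve and against admin-defined SSID patterns, and anything from a BSSID we do not manage is flagged. The scan results, MAC addresses and patterns are constructed for the example, and the pattern syntax (shell-style wildcards via `fnmatch`) is an assumption; FortiOS documents its own pattern format. Only reporting is shown; the actual suppression is done by the FortiAP radio.

```python
import fnmatch

# Constructed sample data (not from the post): the SSIDs our own FortiAPs
# serve, the BSSIDs of radios we manage, and admin-defined SSID patterns.
MANAGED_SSIDS = {"CorpWiFi", "CorpGuest"}
MANAGED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
# Assumption: patterns use fnmatch wildcards ('*' any run, '?' one character).
SSID_PATTERNS = ["Corp*", "*Guest*", "ACME-?"]

# Constructed scan results: (ssid, bssid, channel, rssi_dbm)
SCAN = [
    ("CorpWiFi", "00:11:22:33:44:01", 36, -40),       # our own AP
    ("CorpWiFi", "de:ad:be:ef:00:01", 36, -55),       # evil twin of our SSID
    ("Corp-Guest", "de:ad:be:ef:00:02", 1, -60),      # matches "Corp*"
    ("FreeGuestWiFi", "de:ad:be:ef:00:03", 6, -70),   # matches "*Guest*"
    ("ACME-1", "de:ad:be:ef:00:04", 11, -65),         # matches "ACME-?"
    ("NeighborNet", "de:ad:be:ef:00:05", 11, -80),    # benign neighbour
]


def classify(ssid, bssid):
    """Return None if the beacon is benign, else the reason to suppress it."""
    if bssid.lower() in MANAGED_BSSIDS:
        return None  # one of our radios, whatever SSID it advertises
    if ssid in MANAGED_SSIDS:
        return f"unmanaged BSSID advertising managed SSID {ssid!r}"
    for pattern in SSID_PATTERNS:
        if fnmatch.fnmatchcase(ssid, pattern):
            return f"SSID {ssid!r} matches admin pattern {pattern!r}"
    return None


def find_phishing(scan):
    """Run classify() over a scan and return the beacons to suppress."""
    hits = []
    for ssid, bssid, channel, rssi in scan:
        reason = classify(ssid, bssid)
        if reason:
            hits.append({"ssid": ssid, "bssid": bssid, "channel": channel,
                         "rssi": rssi, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_phishing(SCAN):
        print(f"{hit['bssid']} ch{hit['channel']} {hit['rssi']} dBm: {hit['reason']}")
```

Note the order of the checks: a managed BSSID is exempted before any SSID matching, otherwise the patterns would flag our own access points. Patterns like `*Guest*` are deliberately broad; in practice they generate false positives on neighbouring networks, so review the hit list before enabling suppression.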
Dynamic VLAN “Name” Assignment from RADIUS Attribute
Prior to FortiOS 6.2 and FortiSwitchOS 6.2, if you wanted dynamic VLAN assignment on a FortiLink-managed FortiSwitch, you had to use a RADIUS vendor-specific attribute (VSA) that carried the VLAN number. This worked well, but it caused scale problems when the same logical VLAN existed at different locations with a different VLAN number at each: on your RADIUS server you would need an individual entry per site just to customize the VLAN number.
With this new feature you can refer to the VLAN by name, and the FortiGate maps that name to the correct VLAN number at each site. This makes the configuration on the RADIUS server that serves these VSAs to your secure access equipment much simpler.
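An added example (my own code, not the post's or Fortinet's) of the number-versus-name difference described above. It parses the attribute list of a constructed RADIUS Access-Accept, pulls out the VLAN attribute, and either uses the literal number (the old style) or resolves a VLAN name against a per-site table (the new style). Two assumptions: the example carries the VLAN in the standard Tunnel-Private-Group-Id attribute from RFC 2868 rather than the VSA the post mentions (which attribute FortiSwitch reads is in Fortinet's documentation, not on this page), and the per-site VLAN tables are made up.

```python
import struct

# RFC 2868 tunnel attributes (standard, not vendor-specific).
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN number or, with 6.2, VLAN name

# Constructed per-site tables: the same logical VLAN, a different ID per site.
SITE_VLANS = {
    "HQ":     {"staff": 100, "guest": 200, "voice": 300},
    "Branch": {"staff": 110, "guest": 210, "voice": 310},
}


def parse_attributes(buf):
    """Split RADIUS attribute TLVs (RFC 2865 s5: type, length, value)."""
    attrs = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[off], buf[off + 1]
        if alen < 2 or off + alen > len(buf):
            raise ValueError("malformed attribute length")
        attrs.append((atype, buf[off + 2:off + alen]))
        off += alen
    return attrs


def strip_tag(value):
    """RFC 2868 s3.6: a leading byte 0x00-0x1F is a tunnel tag, not data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_radius(attrs, site_vlans):
    """Return the VLAN ID to assign, or None if the Accept carries no VLAN."""
    for atype, value in attrs:
        if atype != TUNNEL_PRIVATE_GROUP_ID:
            continue
        _tag, raw = strip_tag(value)
        text = raw.decode("ascii")
        if text.isdigit():
            return int(text)             # pre-6.2 style: literal VLAN number
        if text in site_vlans:
            return site_vlans[text]      # 6.2 style: name resolved per site
        raise LookupError(f"VLAN name {text!r} is not defined at this site")
    return None


def build_accept(group_id, tag=0):
    """Constructed Access-Accept attributes: Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=group_id."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    # Integer tunnel attributes are a 1-byte tag followed by a 3-byte value.
    return (attr(TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", 13)[1:])
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", 6)[1:])
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id.encode("ascii")))


if __name__ == "__main__":
    accept = parse_attributes(build_accept("staff"))
    for site, table in SITE_VLANS.items():
        print(site, "->", vlan_from_radius(accept, table))
```

The point of the example is that a single RADIUS entry returning `staff` yields VLAN 100 at HQ and 110 at the branch, whereas the numeric form would need one entry per site. The tag byte handling matters in practice: RADIUS servers commonly emit these attributes with tag 0 or 1, and a parser that does not strip it will try to resolve the name `\x00staff`.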
ERSPAN Support in FortiSwitch
This feature is exciting because it is a great tool for troubleshooting complex network problems via the fabric. Prior to 6.2, capturing traffic on a FortiSwitch meant configuring a “mirror port” on the switch and connecting some type of network analyzer directly to that port.
Now that capability has been expanded greatly: a configured mirror filter can send its traffic up to the FortiGate for review, and the FortiGate can route that traffic, encapsulated with Generic Routing Encapsulation (GRE), to a host running network analyzer software (such as Wireshark).
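To show what actually arrives at the analyzer host, here is an added example (my own code, not the post's or Fortinet's) that decodes one mirrored packet from the GRE layer inward: the GRE header, the ERSPAN header that identifies the mirror session and original VLAN, and the mirrored Ethernet frame inside. It assumes ERSPAN Type II (GRE protocol 0x88BE with a sequence number), which is the common form; the post does not say which ERSPAN version FortiSwitch emits. The packet bytes, MACs, IPs and session numbers are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO_ERSPAN2 = 0x88BE  # ERSPAN Type II carried in GRE


def parse_gre(buf):
    """Parse a GRE header (RFC 2784/2890); return (info, payload)."""
    flags, proto = struct.unpack_from("!HH", buf, 0)
    off = 4
    info = {"proto": proto, "key": None, "seq": None}
    if flags & 0x8000:                       # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:                       # K bit: key
        info["key"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if flags & 0x1000:                       # S bit: sequence number
        info["seq"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    return info, buf[off:]


def parse_erspan2(buf):
    """Parse the 8-byte ERSPAN Type II header; return (header, inner frame)."""
    w1, w2 = struct.unpack_from("!II", buf, 0)
    version = w1 >> 28
    if version != 1:
        raise ValueError(f"not ERSPAN Type II (version field {version})")
    header = {
        "vlan": (w1 >> 16) & 0x0FFF,          # original VLAN of the frame
        "cos": (w1 >> 13) & 0x7,
        "encap": (w1 >> 11) & 0x3,            # how the VLAN tag was carried
        "truncated": bool((w1 >> 10) & 0x1),  # frame cut to fit the MTU
        "session_id": w1 & 0x03FF,            # which mirror session sent it
        "index": w2 & 0x000FFFFF,             # port/direction index
    }
    return header, buf[8:]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(buf):
    """Decode the mirrored frame far enough to identify the conversation."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", buf, 0)
    frame = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}
    payload = buf[14:]
    if ethertype == 0x0800 and len(payload) >= 20:
        frame["ip_proto"] = payload[9]
        frame["ip_src"] = str(IPv4Address(payload[12:16]))
        frame["ip_dst"] = str(IPv4Address(payload[16:20]))
    return frame


def decode_mirrored(buf):
    """Decode one GRE/ERSPAN packet as received by the analyzer host."""
    gre, rest = parse_gre(buf)
    if gre["proto"] != GRE_PROTO_ERSPAN2:
        raise ValueError(f"GRE protocol 0x{gre['proto']:04x} is not ERSPAN")
    erspan, inner = parse_erspan2(rest)
    return {"gre_seq": gre["seq"], **erspan, "frame": parse_ethernet(inner)}


def build_sample():
    """Constructed ERSPAN II packet (GRE layer onward): session 7, VLAN 100,
    GRE seq 42, carrying a TCP/IPv4 frame from 10.0.0.1 to 10.0.0.2."""
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, 42)
    w1 = (1 << 28) | (100 << 16) | 7       # version 1, VLAN 100, session 7
    erspan = struct.pack("!II", w1, 5)     # index 5
    eth = bytes.fromhex("aabbccddee01") + bytes.fromhex("aabbccddee02") + b"\x08\x00"
    ipv4 = (bytes([0x45, 0]) + struct.pack("!H", 20) + b"\x00\x00\x40\x00"
            + bytes([64, 6]) + b"\x00\x00" + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    return gre + erspan + eth + ipv4


if __name__ == "__main__":
    print(decode_mirrored(build_sample()))
```

Wireshark dissects all of this natively, so the value of the example is in the fields: the ERSPAN session ID tells you which switch mirror sent a given frame when several sessions target the same collector, and the VLAN field preserves the VLAN the frame was on even though the mirrored copy travels untagged inside GRE. One caveat worth stating: GRE provides no confidentiality or authentication, so mirrored production traffic crosses the fabric in the clear. Keep the collector on a network you control and restrict who can send to it with firewall policy.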
AD-VPN Supporting Multiple Paths
This is a huge step toward ADVPN operating with SD-WAN. Prior to 6.2, ADVPN could support only one active path at any given time. With this feature, ADVPN can maintain up to four paths between spoke and hub and use one of those paths when establishing dynamic spoke-to-spoke communication.
CLI Script as Automation Action
This is a simple but powerful addition to the automation toolkit (automation stitches) introduced in FortiOS 6.0. FortiGate administrators can now leverage the full potential of the CLI when configuring the FortiGate to respond to a trigger.
Per Policy Inspection Mode
Prior to FortiOS 6.2, the inspection mode had to be defined at the VDOM level. That restriction was primarily added to prevent administrators from mis-configuring the FortiGate and potentially causing resource issues by mixing flow-based and proxy-based security profiles within the same policy. It introduced other issues, though: features were “hidden” when the VDOM was not set to the inspection mode they required.
Now the inspection mode is configured per policy. I believe this is by far the best way to configure it, as it allows the most flexibility in the configuration of the FortiGate.
Authenticate and Warning Actions supported in Flow Web-filter
This is great because it brings feature parity between flow-mode and proxy-mode inspection for web filtering. Users can now get the speed advantage of flow inspection while retaining capabilities that used to be limited to the proxy-mode web filter.
Some features are still only available in the proxy-mode web filter, but this is a great step in the right direction.
The list of additional features goes on and on, but the items I referenced are what I consider the highlights of this firmware. I hope to write a few articles soon showing these new features in action and providing a more in-depth overview of the benefits they provide.
CAVEAT: As with any “patch 0” release, there will be issues inherent to the software. Please do not deploy this in a production environment unless you have thoroughly tested it and absolutely have to. In other words, keep it in a lab environment until it has been through a few patch releases.