



         FortiGate™ Antivirus Firewall


                FortiOS™ v2.80
                 Product Brief

                  Version 1.0




                 July 22, 2004




   Product Brief                                                                                                                       FortiOS v2.80 Release


                                                           Table of Contents
   PREFACE
       INTRODUCTION
       DISCLAIMER
   1.0.0 SYSTEM ENHANCEMENTS
       1.1.0 ROLE BASED ADMINISTRATION
       1.2.0 IMPROVED MAINTENANCE FUNCTIONS
       1.3.0 REDESIGNED WEBUI
          1.3.1 Centralized System Status Screen
          1.3.2 Session Filter
          1.3.3 Enhanced Quick Launch Features
       1.4.0 IMPROVED NETWORK FUNCTIONS
       1.5.0 IMPROVED DHCP FUNCTIONALITY
       1.6.0 IMPROVED CONFIGURATION FUNCTIONS
       1.7.0 HIGH AVAILABILITY (HA) ENHANCEMENTS
          1.7.1 Non-dedicated HA port
          1.7.2 Link Fail-over
          1.7.3 Firmware Upgrade and Configuration Upload
          1.7.4 HA link security
          1.7.5 Support for FortiGate-60/100/200 and FortiWiFi-60 Models
          1.7.6 HA Active-Active Mode Load Balances Non-AV Traffic
       1.8.0 VIRTUAL DOMAIN
       1.9.0 IMPROVED USABILITY FOR SOHO MODELS
       1.10.0 USERNAME & PASSWORD EXTENDED CHARACTER SUPPORT
       1.11.0 IMPROVED CONFIGURATION WIZARD
   2.0.0 ROUTER ENHANCEMENTS
       2.1.0 STATIC ROUTE ENHANCEMENTS
       2.2.0 POLICY BASED ROUTING ENHANCEMENT
       2.3.0 RIP ENHANCEMENTS
       2.4.0 ROUTER OBJECTS FEATURE
       2.5.0 ROUTER MONITOR FEATURE
   3.0.0 FIREWALL ENHANCEMENTS
       3.1.0 POLICY ENHANCEMENT
       3.2.0 ADDRESS AND SERVICES MODIFICATION
       3.3.0 SCHEDULE, VIRTUAL IP, IP POOL, IP/MAC BINDING
       3.4.0 PROTECTION PROFILE
       3.5.0 OTHER FIREWALL IMPROVEMENTS
   4.0.0 USER ENHANCEMENTS
       4.1.0 LOCAL USER CHANGES
       4.2.0 USER GROUP ENHANCEMENTS
   5.0.0 VPN ENHANCEMENTS
       5.1.0 IPSEC VPN ENHANCEMENTS
          5.1.1 IPSEC Phase 1 Enhancements
          5.1.2 IPSEC Phase 2 Enhancements
          5.1.3 IPSEC Manual Key, Concentrator, and Monitor Functions
          5.1.4 Ping Generator
       5.2.0 OTHER VPN IMPROVEMENTS


   FortiGate Antivirus Firewalls, Product Brief                                                                                       Copyright © 2004 Fortinet, Inc.
   July, 2004
                                                                        Fortinet Inc., Confidential                                                 Page 2 of 44



   6.0.0 IPS ENHANCEMENTS
       6.1.0 IPS SIGNATURE ENHANCEMENTS
       6.2.0 IPS ANOMALY ENHANCEMENTS
       6.3.0 OTHER IPS IMPROVEMENTS
   7.0.0 ANTIVIRUS ENHANCEMENTS
       7.1.0 GRAYWARE PROTECTION
       7.2.0 OTHER ANTIVIRUS IMPROVEMENTS
   8.0.0 WEB FILTER ENHANCEMENTS
       8.1.0 CONTENT BLOCK (BANNED WORD) PATTERN TYPE
       8.2.0 WEB FILTER CATEGORY BLOCKING
       8.3.0 WEB FILTERING FEATURE DIFFERENCES
   9.0.0 SPAM FILTER ENHANCEMENTS
       9.1.0 IP ADDRESS ENHANCEMENT
       9.2.0 RBL & ORDBL ENHANCEMENT
       9.3.0 EMAIL ADDRESS ENHANCEMENT
       9.4.0 MIME HEADERS ENHANCEMENT
       9.5.0 BANNED WORD ENHANCEMENT
       9.6.0 OTHER SPAM FILTERING IMPROVEMENTS
   10.0.0 LOG & REPORT ENHANCEMENTS
       10.1.0 LOG CONFIGURATION IMPROVEMENTS
   11.0.0 CLI COMMAND ENHANCEMENTS
       11.1.0 CLI ENHANCEMENTS
       11.2.0 FEATURES AVAILABLE ONLY IN CLI INTERFACE
   OTHER ENHANCEMENTS
   WHERE TO OBTAIN ADDITIONAL INFORMATION
       V2.80 MR3 FORTIGATE ADMINISTRATION GUIDES
       V2.80 MR3 FORTIGATE CLI GUIDE
       CUSTOMER SUPPORT WEB SITE
       FORTIOS V2.80 ONLINE HELP








   Preface
   Introduction
   This document contains the major enhancements and features for the FortiOS v2.80 software and will highlight
   the key enhancements and changes over the FortiOS v2.50’s features. This Product Brief should be used in
   conjunction with the FortiOS v2.80 Maintenance Release Notes and product documentation for completeness.
   The FortiOS v2.80 image, release notes, installation guides, and product manuals can be found on Fortinet’s
   support site at: http://support.fortinet.com/Login/UserLogin.aspx

   FortiOS v2.80 is a major enhancement over FortiOS v2.50 and contains changes to many areas to enhance
   usability as well as functionality. The key areas of enhancement include:

        •    System
        •    Routing
        •    Firewall
        •    User Management
        •    VPN
        •    IPS
        •    Antivirus
        •    Web Filter
        •    Spam Filter
        •    High Availability
        •    CLI Command Structure




   Disclaimer
   Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal
   responsibility for the accuracy or completeness of the information. More specific information is available on
   request from Fortinet. Please note that Fortinet’s product information does not constitute or contain any
   guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed
   writing.


   Copyright
   © Copyright 2004 Fortinet Inc. All rights reserved.
   No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or
   translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose,
   without prior written permission of Fortinet Inc.

   FortiOS v2.80 Product Brief
   Version 1.0
   21 July 2004


   Trademarks
   Products mentioned in this document are trademarks or registered trademarks of their respective holders.





   FortiOS v2.80 greatly enhances the WebUI’s usability and presentation of information to make it easier to obtain
   information and manage the FortiGate antivirus firewalls. There are many areas where key functions have been
   combined to make it easier to quickly scan information or to set feature parameters. A few features that were
   not popular in the Web interface have been removed but kept in CLI. The following sections detail the v2.80
   enhancements and WebUI modifications.



   1.0.0 System Enhancements
   The following features were added or changed in FortiOS v2.80:

   •    Role Based Administration
   •    Improved Maintenance functions
   •    Redesigned WebUI
   •    Improved Network & Router functions
   •    Improved DHCP functions
   •    Improved Configuration functions
   •    Virtual Domain
   •    Improved “out-of-the-box” usability for SOHO models
   •    Support extended characters in username/password
   •    Improved Configuration Wizard


   1.1.0 Role Based Administration
   Role Based Administration offers customers greater granularity when creating new
   administration accounts and roles for their FortiGate products. In the past, newly created accounts were only
   given “Read Only” or “Read/Write” privileges for every FortiOS component. With v2.80, an additional privilege
   has been added and account privileges can now be applied uniquely to key FortiGate objects.

   Version 2.80 User Privileges include:

   •    Deny Access (uncheck both)
   •    Read Only
   •    Write Only
   •    Read/Write


   User privileges can be applied to the following v2.80 FortiGate objects to create Access Profiles:

   •    System Configuration
   •    Log and Report
   •    Security Policy
   •    Authenticate Users
   •    Admin Users
   •    FortiProtect Update
   •    System Shutdown








   Figure 1: Access Profiles


   Customers with departmental IT, or levels of IT that
   require different access privileges, can now create
   additional users and assign them with the necessary
   access rights to give them more control, or limit their
   control, over the respective functions they manage.

   In addition to the new access profiles, accounts can still be restricted by their “Trusted Host” IP information,
   limiting where the remote management access can originate from. Combined together, these new features will
   give large institutions with departmentalized IT the most flexibility in assigning access and management rights to
   FortiGate products running v2.80 software.
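
An added illustration, not Fortinet code or FortiOS configuration syntax: a Python model of how an access profile and a Trusted Host restriction combine into one access decision, plus an audit check that flags administrator accounts with write access to sensitive objects from any address. The object and privilege names come from the lists above; the account names, addresses and data layout are constructed assumptions.

```python
"""Model of v2.80-style access profiles combined with Trusted Host limits.
Illustration only: not FortiOS code or configuration syntax."""
import ipaddress
from dataclasses import dataclass, field

# Objects an access profile can cover, as listed in the brief.
OBJECTS = (
    "System Configuration", "Log and Report", "Security Policy",
    "Authenticate Users", "Admin Users", "FortiProtect Update",
    "System Shutdown",
)


@dataclass(frozen=True)
class Privilege:
    """Two checkboxes per object; both unchecked means Deny Access."""
    read: bool = False
    write: bool = False


DENY = Privilege()
READ_ONLY = Privilege(read=True)
WRITE_ONLY = Privilege(write=True)
READ_WRITE = Privilege(read=True, write=True)


@dataclass
class AccessProfile:
    name: str
    grants: dict = field(default_factory=dict)  # object name -> Privilege

    def privilege(self, obj):
        if obj not in OBJECTS:
            raise ValueError(f"unknown object: {obj}")
        # Anything not explicitly granted is denied.
        return self.grants.get(obj, DENY)


@dataclass
class AdminAccount:
    name: str
    profile: AccessProfile
    trusted_hosts: tuple  # CIDR strings (constructed sample values)

    def networks(self):
        return [ipaddress.ip_network(h) for h in self.trusted_hosts]


def is_allowed(account, source_ip, obj, action):
    """Both checks must pass: the source address lies inside a trusted host
    range AND the profile grants the requested action on the object."""
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in account.networks()):
        return False
    return getattr(account.profile.privilege(obj), action)


def audit(accounts, sensitive=("Admin Users", "System Shutdown")):
    """Flag accounts that can write to sensitive objects from any address."""
    findings = []
    for acct in accounts:
        unrestricted = any(net.prefixlen == 0 for net in acct.networks())
        writable = [o for o in sensitive if acct.profile.privilege(o).write]
        if unrestricted and writable:
            findings.append((acct.name, writable))
    return findings


# Constructed sample accounts for a departmentalized IT team.
LOG_REVIEWER = AccessProfile("log-reviewer", {"Log and Report": READ_ONLY})
POLICY_ADMIN = AccessProfile("policy-admin", {
    "Security Policy": READ_WRITE, "Log and Report": READ_ONLY})
SUPER = AccessProfile("super", {o: READ_WRITE for o in OBJECTS})

ACCOUNTS = [
    AdminAccount("soc-analyst", LOG_REVIEWER, ("10.20.0.0/24",)),
    AdminAccount("fw-team", POLICY_ADMIN, ("10.10.5.0/28",)),
    AdminAccount("legacy-admin", SUPER, ("0.0.0.0/0",)),
]

if __name__ == "__main__":
    print(is_allowed(ACCOUNTS[1], "10.10.5.3", "Security Policy", "write"))
    for name, objs in audit(ACCOUNTS):
        print(f"{name}: write access to {objs} with no trusted host limit")
```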


   1.2.0 Improved Maintenance Functions
   A new “Maintenance” submenu has been created to consolidate the unit’s maintenance functions to improve
   usability. Under the Maintenance submenu are the following features:

   Backup/Restore                 Backup/Restore now allows the customer to backup all configuration files stored on the
                                  FortiGate unit or to individually backup and restore the System Settings, Web Filtering
                                  Settings, Spam Filtering Settings, IPS Signatures, and VPN Certificates.




                                  Figure 2: New Maintenance Menu – Backup & Restore






   Update Center                  Update Center allows the user to set up the FortiProtect Distribution Network (FDN) to
                                  automate signature database updates for the AV and IDS components. There are no changes
                                  from v2.50 for this feature.

   Support                        Support allows the customer to quickly access the Fortinet Customer Support site to file
                                  a new bug or to register Fortinet products. The ability to file a bug online is new to
                                  v2.80’s Support feature. By checking the “send diagnostic information” option, customers can
                                  now send troubleshooting information which includes the FortiOS version information,
                                  version of AV, NIDS definition files, system configurations, etc.

   Shutdown                       Shutdown consolidates several functions into one location to offer better usability. The
                                  following functions are now available under the Shutdown tab: Logout, Reboot,
                                  Shutdown, Restore to Factory Default.




   1.3.0 Redesigned WebUI
   FortiOS v2.80’s WebUI has been significantly redesigned to allow the customer to access information faster and
   provision the FortiGate units in a more logical fashion to decrease setup time. The key improvements are listed
   in each of the respective sections in this Product Brief. For the System function, the improvements include the
   following:

   •    Centralized System Status
   •    Quick Launch Application Icons
   •    Up Time Display


   1.3.1 Centralized System Status Screen
   The most obvious screen improvement in FortiOS v2.80 is the centralized “Status Screen” which is
   automatically displayed when the user logs into the Web interface. Customers can now view and update key
   FortiGate unit information in one consolidated screen.

   The v2.80 main Status screen shows a centralized view for the following key function statuses:

   •    System Status
   •    Unit Information
   •    Recent Virus Detections
   •    Interface Information
   •    System Resources (with history)
   •    Recent Intrusion Detections


   Customers can change the Host Name and upload new firmware, antivirus and attack definitions from the
   centralized System Status function.






   Figure 3: System Status Screen




   The System Resources Status section has a new “History” feature that consolidates the unit’s critical
   resource history: CPU, memory, session, network utilization, virus detection, and intrusion detection
   information.

   The History Screen is displayed in a separate window and automatically refreshes every 3 seconds
   to allow customers and NOC centers to proactively monitor their unit’s critical resources in near
   real-time.



   Figure 4: System Resource History Screen



   1.3.2 Session Filter
   The System Status Session report now allows the customer to filter the session information based on
   Source/Destination IP Address and Port information to quickly narrow the search for specific session
   information. In addition to the filtering parameters, the customer can also select the “Virtual Domain” to view.
   When tracking a specific host or application for forensic reporting purposes, this feature will help customers
   “zoom” in on the necessary information.








   Figure 5: System Status Session Filters


   1.3.3 Enhanced Quick Launch Features
   FortiOS v2.80 enhances usability with two new Quick Launch Application icons, located at the top right corner of
   the Web GUI, to assist in faster access to key utilities. The Online Help feature is now context-sensitive to
   increase efficiency when looking up information on the FortiGate’s features. In addition to v2.50’s Logout, Easy
   Setup Wizard, and Online Help utilities, v2.80 adds the following:

   Contact Customer Support                         Provides a link to Fortinet’s Customer Support Web Site.

   Console Access                                   Opens a new console connection to the FortiGate unit to allow the
                                                    customer to access the CLI interface while still working within the Web
                                                    GUI. This feature greatly enhances productivity by not requiring the
                                                    customer to open a separate remote connection or serial console
                                                    connection.




                                                    Figure 6: Console Access Quick Launch Application





   1.4.0 Improved Network Functions
   The System Network function has been enhanced to regroup specific functions and add new features to
   improve usability and make access to key network information easier. FortiOS v2.80 adds a new Router menu
   option in addition to the Network submenu to separate functionality.

   Network Submenu                           The Network function now groups the Interface, Zone, DNS, and Modem
                                             features together.

   Router Menu                               The new Router function groups all router related features together and adds
                                             several new routing options. Key Router functionality includes: Static Route,
                                             Routing Policies (new), RIP, Router Objects (new), and Route Monitor.


   New WebUI features for the Network function include:

   Network Interface                         New capabilities of the Network Interface include:
                                             • The ability to Bring Down and Bring Up any FortiGate interface.
                                             • The addition of Dynamic DNS (DDNS) support. New DDNS servers
                                                supported include: dhs.org, dyndns.org, dyns.net, ods.org, tzo.com,
                                                dnsalias.com, dnsart.com, vavic.com, dipdns.com, now.net.cn
                                             • The addition of Ping Server support.
                                             • Create New replaces the v2.50 New VLAN to create new interfaces.

   Network DNS                               New functionality for the SoHo FortiGate units’ Network DNS feature includes:
                                             • The ability to obtain the DNS server addresses automatically.
                                             • The ability to Enable DNS Forwarding from the internal or DMZ interfaces.

   Network Zone                              Network Zones have been streamlined in v2.80 to allow interfaces to be added
                                             to the zones from the Zone function to reduce the number of steps necessary to
                                             add interfaces to zones.

   Network Modem                             Remains the same as v2.50.




   Figure 7: FortiOS v2.80 Network Menu Features






   1.5.0 Improved DHCP Functionality
   FortiOS v2.80 separates the DHCP function into a submenu item under the System menu. A new DHCP Server
   feature has been added to the WebUI to allow the creation of DHCP Servers for any FortiGate interface.
   Multiple DHCP Servers can be created for a single interface to allow the customer to provide DHCP services to
   multiple networks on each interface. In addition to the v2.50 DHCP Scope parameters, FortiOS v2.80 adds the
   ability to specify the DNS servers, WINS servers, and up to three optional DHCP parameters for each DHCP
   Scope.

   The administrator now has the ability to define and choose an IP pool per firewall policy. In addition, the IP pool
   may be in a different address range than the FortiGate interface IP address.

   The IP/MAC Binding (static) and Dynamic IP features have been moved from the Firewall function in v2.50 to
   the DHCP submenu in v2.80. IP/MAC binding is now enabled per interface versus a global setting in v2.50.
   The ability to create IP/MAC Binding pairs in the DHCP IP/MAC Binding menu is still possible in v2.80, but the
   ability to Enable and Disable the IP/MAC Binding feature has been removed from the v2.80 WebUI. This was
   removed to reduce complexity as this was a seldom used feature in the WebUI. To enable and disable the
   IP/MAC Binding feature, use the appropriate CLI commands.




   Figure 8: DHCP Scope Configuration Screen






   1.6.0 Improved Configuration Functions
   The FortiOS v2.80 System Config submenu has consolidated several features from other areas and removed
   others to enhance the functionality and usability. The following functions are available with the System Config
   submenu:

   Time                                      Left unchanged from v2.50

   Options                                   Left unchanged from v2.50

   HA                                        New enhancement to allow customers to configure HA configurations from the
                                             WebUI. The FortiGate unit can be configured as “Standalone Mode” or “High
                                             Availability”. HA mode offers the ability to configure the units in Active-Active or
                                             Active-Passive and allows the customer to modify the priorities of the Heartbeat
                                             Device and Monitoring properties.




                                             Figure 9: HA Setup Screen


   SNMP v1/v2c                               Enhanced SNMP Trap setup is now available to allow customers to customize
                                             the SNMP Port Number and SNMP Trap Events that are sent to the trap
                                             receiver. A maximum of eight trap receiver hosts are now allowed per
                                             community. The supported SNMP Events include:

                                             CPU Overusage                              Memory Low
                                             Log Disk Space Low                         HA Cluster Status Changed
                                             Interface IP Changed                       Virus Detected
                                             Port Scan Detected                         SYN Flood Detected
                                             VPN Tunnel Up                              VPN Tunnel Down








   Figure 10: SNMP Configuration Screens




   Replacement Messages                      Replacement Messages is enhanced and expanded to group replacement
                                             messages into categories: Mail, HTTP, FTP, Alert Mail, Spam, and Category
                                             Block.

   FortiManager                              v2.80 offers a new WebUI feature to allow the customer to quickly set up the
                                             communication path to the FortiManager Server. All traffic between the
                                             FortiGate unit and the FortiManager server will be encrypted using an IPSec
                                             VPN tunnel to ensure strong security between the two end points.

                                             To enable this feature, enter the appropriate FortiManager Server information:
                                             FortiManager ID and FortiManager IP Address.




                                             Figure 11: FortiManager Setup Screen






   1.7.0 High Availability (HA) Enhancements
   The HA feature has also been modified to support the following functionality enhancements:

   •    Non-dedicated HA port
   •    Link Fail-over
   •    Firmware upgrade and Configuration upload
   •    HA link security
   •    Support for FortiGate-60/100/200 and FortiWiFi-60 models
   •    HA Active-Active Mode Load Balances Non-AV Traffic


   1.7.1 Non-dedicated HA port
   HA cluster communication can now be configured for one or more interfaces, enabling cluster communications
   for more interfaces to increase reliability. If an interface fails, cluster communication can be diverted to other
   interfaces. By default, HA cluster communication is enabled for two interfaces: the DMZ or HA interface and the
   normal external interface.

   1.7.2 Link Fail-over
   If a monitored cluster member’s interface detects a link failure, the cluster member reports the status of its links
   to the primary unit. The primary unit attempts to re-balance traffic according to the link failure status of all cluster
   members. If an interface on the primary unit detects a link failure, the FortiGate unit with the next highest HA
   score becomes the primary unit.

   1.7.3 Firmware Upgrade and Configuration Upload
   To improve ease of maintenance, HA in v2.80 supports firmware upgrades and configuration uploads while in
   operation. Once the master unit has been updated, the slave cluster members will be automatically updated.
   This feature offers the maximum uptime possible for mission-critical installations.

   1.7.4 HA link security
   With v2.80, HA data is now encrypted between members of an HA cluster. This reduces the effectiveness of a
   malicious attack through re-play or spoofed data using the HA interfaces.

   1.7.5 Support for FortiGate-60/100/200 and FortiWiFi-60 Models
   FortiOS v2.80 now offers HA support on FortiGate-60, FortiGate-100, FortiGate-200 and FortiWiFi-60 models.
   For the FortiWiFi-60, the WLAN interface is not a supported HA interface. This feature brings the high level of
   performance and reliability to smaller customers who have not deployed Fortinet’s larger security platforms.

   1.7.6 HA Active-Active Mode Load Balances Non-AV Traffic
   HA Active-Active mode can now load-balance other TCP sessions that are not being AV scanned. Previously,
   only AV scanned traffic (e.g. HTTP, FTP, SMTP, POP3, etc.) would have the sessions distributed among the HA
   Cluster members. This feature offers enhanced load balancing to better distribute traffic amongst all HA Active-
   Active members to improve overall throughput and performance.






   1.8.0 Virtual Domain
   The new FortiOS Virtual Domain feature allows the customer to create multiple logical firewalls and routers in a
   single FortiGate unit. Virtual Domains (VDOMs) allow customers to simplify their management activities by
   logically separating specific network interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN
   configurations. Virtual Domains reduce management complexity by decreasing the number of routes or firewall
   policies that have to be managed at any one time. Customers can use VDOMs in conjunction with VLANs to
   create multiple, independently managed security domains, either to secure discrete departments within an
   enterprise or as the basis for a service provider’s managed security service.

   Traffic destined for a particular Virtual Domain is restricted to that domain and cannot traverse into other
   domains. Within a Virtual Domain, customers can create firewall policies to regulate and inspect traffic between
   VLAN subinterfaces or zones defined in the Virtual Domain. Virtual domains share firmware versions, antivirus
   and attack databases, and user databases.

   Virtual domains are functionally similar in both the NAT/Route mode and in the Transparent mode. In both
   cases, the interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN configurations are
   exclusive to each virtual domain and other configuration settings are shared. A major difference between
   NAT/Route and Transparent mode is that in Transparent mode, interfaces and VLAN interfaces do not have IP
   addresses and routing isn’t performed between the interfaces.

   By default, FortiGate units support 2 virtual domains: root and one additional virtual domain.




   Figure 12: Virtual Domain Screen


   FortiOS v2.36 and v2.50 releases supported 802.1q VLAN processing, a pre-requisite of Virtual Domain
   (VDOM) functionality. FortiOS v2.80’s VDOM functionality extends these capabilities to provide more complete
   and granular virtualization, with the following key features:

   •    Multi-tier security domain design concept: One FortiGate unit can have multiple VDOMs, and within each
        VDOM, multiple security zones plus interfaces can be defined – each zone further made of physical
        interfaces as well as sub-interfaces mapped to VLAN tags; no traffic is allowed between VDOMs
   •    Firewall policies and addresses configurable on a per VDOM basis
   •    Role-based administration to provide delegated administration is not based on VDOM. Administration
        accounts are shared between all domains.
   •    Logging and reporting on a per VDOM basis
   •    802.1Q VLAN trunking.
   •    802.1Q VLAN tagged packet processing.
   •    AV profiles, firewall services, system times, etc. are shared across all VDOMs.


   •    Virtual router support on a per VDOM basis in NAT/Route mode, so that overlapping IP addresses defined
        in different VDOMs are supported.
   •    Two VDOMs are supported in all FortiGate models with the standard FortiOS v2.80 firmware. (In MR3, this
        applies to NAT and Transparent mode operation, but in future releases additional Transparent mode
        VDOMs will be supported in the standard v2.80 firmware.)
   •    Customers requiring more than two VDOMs will require a special version of FortiOS that is available as an
        “additional cost” option on the FortiGate-3000 and higher models. Pricing of this option software revision is
        dependent on the number of VDOMs supported.


   1.9.0 Improved Usability for SOHO Models
   FortiGate 100 models and lower have been reconfigured to allow easier and faster setup.

   HTTP                           HTTP is now enabled by default on the Internal interface in addition to PING and
                                  HTTPS

   DNS Forwarding                 By default, all DNS requests sent to the FortiGate unit are forwarded to the DNS server
                                  configured in the FortiGate unit. DNS Forwarding can be disabled by the customer.


   1.10.0 Username & Password Extended Character Support
   FortiOS v2.80 has enhanced the ability to use special characters such as “_” and “@” in both Username and
   Password fields to allow greater flexibility in naming and password schemes.


   1.11.0 Improved Configuration Wizard
   The FortiOS v2.80 Configuration Wizard feature has been enhanced to add new functionality to help novice
   users set up the box quickly. In addition to the v2.50 components, FortiOS v2.80 adds the Antivirus and
   Confirmation functions.




   Figure 13: Configuration Wizard





   2.0.0 Router Enhancements
   FortiOS v2.80 adds a new top level “Router” menu option to combine the existing and new router features into
   one “easy-to-navigate” location. Under the new Router menu option, the following features can be found:

   •    Static
   •    Policy
   •    RIP
   •    OSPF (CLI only)
   •    IPV6 Support
   •    Router Objects
   •    Monitor


   2.1.0 Static Route Enhancements
   The Static submenu is used to add Static Routes and is nearly identical to FortiOS v2.50. The new addition is
   the “Distance” parameter that allows customers to specify the Administrative Distance of the static route. The
   lower the distance value, the more preferred the route is. This is useful to allow customers to prioritize multiple
   routes to the same destination to give one path priority over another. The Distance option is also definable in
   the PPPoE and DHCP features.


   2.2.0 Policy Based Routing Enhancement
   The Policy Based Routing feature is new in the WebUI for FortiOS v2.80 and allows customers to configure the
   FortiGate unit to route traffic based on one of the following parameters:

   •    Source Address
   •    Protocol, Service Type, or Port Range
   •    Incoming Interface

   Policies are matched in a top down manner from the Policy List. If there is a match, the packet is routed to the
   next hop gateway on the interface specified in the policy. If there is no match, the FortiGate unit will route the
   traffic based on the normal route table entries. This feature is very useful to allow customers to redirect traffic
   based on matchable parameters. Examples may include redirection of suspicious traffic to “Honey Pot” VLANs
   or other 3rd party inspection hosts.
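
   The top-down evaluation described above, together with the Distance parameter from section 2.1.0, modelled as an added example (not Fortinet code and not FortiOS syntax). All names and addresses are constructed, and treating unset policy fields as wildcards and applying longest-prefix match before distance are assumptions of this model; the `shadowed` helper flags policies that can never fire because an earlier, broader policy always matches first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str      # "tcp", "udp" or "icmp"
    dst_port: int
    in_iface: str


@dataclass(frozen=True)
class RoutePolicy:
    # Hypothetical model of one Policy List entry; None means "any".
    name: str
    gateway: str
    out_iface: str
    src_net: Optional[str] = None
    protocol: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None   # inclusive destination port range
    in_iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.ports and not (self.ports[0] <= p.dst_port <= self.ports[1]):
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        return True

    def covers(self, other: "RoutePolicy") -> bool:
        """True when every packet matching `other` also matches this policy."""
        if self.src_net and (other.src_net is None or not
                             ip_network(other.src_net).subnet_of(ip_network(self.src_net))):
            return False
        if self.protocol and self.protocol != other.protocol:
            return False
        if self.ports and (other.ports is None or not
                           (self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])):
            return False
        if self.in_iface and self.in_iface != other.in_iface:
            return False
        return True


@dataclass(frozen=True)
class StaticRoute:
    dest: str
    gateway: str
    out_iface: str
    distance: int      # administrative distance: lower is preferred


def decide(p: Packet, policies: List[RoutePolicy], routes: List[StaticRoute]):
    """Return (source, gateway, out_iface), or None when nothing can route p."""
    for pol in policies:                       # top down, first match wins
        if pol.matches(p):
            return ("policy:" + pol.name, pol.gateway, pol.out_iface)
    dst = ip_address(p.dst)                    # no policy matched: normal route table
    candidates = [r for r in routes if dst in ip_network(r.dest)]
    if not candidates:
        return None
    # Most specific prefix first; among equal prefixes the lowest distance wins.
    best = min(candidates, key=lambda r: (-ip_network(r.dest).prefixlen, r.distance))
    return ("route:" + best.dest, best.gateway, best.out_iface)


def shadowed(policies: List[RoutePolicy]) -> List[Tuple[str, str]]:
    """List (unreachable policy, earlier policy that hides it) pairs."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.covers(later):
                hidden.append((later.name, earlier.name))
                break
    return hidden


# Constructed sample configuration (documentation address ranges).
POLICIES = [
    RoutePolicy("inspect-smtp", "192.0.2.10", "dmz",
                src_net="10.1.0.0/16", protocol="tcp", ports=(25, 25)),
    RoutePolicy("guest-out", "198.51.100.1", "wan2", in_iface="wlan"),
    # Intended to steer one lab subnet to a honeypot VLAN, but placed too low.
    RoutePolicy("honeypot-lab-smtp", "192.0.2.20", "vlan99",
                src_net="10.1.5.0/24", protocol="tcp", ports=(25, 25)),
]
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "wan1", distance=10),
    StaticRoute("0.0.0.0/0", "198.51.100.1", "wan2", distance=20),
    StaticRoute("172.16.0.0/12", "10.0.0.254", "internal", distance=10),
]

if __name__ == "__main__":
    print(decide(Packet("10.1.5.7", "203.0.113.80", "tcp", 25, "internal"), POLICIES, ROUTES))
    print(shadowed(POLICIES))
```

   In this sample the honeypot redirection never takes effect until it is moved above the broader SMTP policy, which is the kind of ordering mistake the audit helper is meant to surface.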




   Figure 14: Routing Policy Creation Screen






   2.3.0 RIP Enhancements
   The RIP submenu option has been consolidated and enhanced to make the “look and feel” of the RIP features
   more efficient and to provide additional features and navigational capabilities. New options include:

   •     RIP Redistribute option that gives the customer more granularity to control how Redistribution is to take
         place.
   •     The ability to create Networks that support RIP Routing is now available. Networks identified are allowed to
         send and receive RIP updates. If a Network is not defined, interfaces in that network will not be advertised
         in the RIP updates.
   •     The Interface option has been enhanced to allow the customer to specify what type of “Split Horizon” is
         applied to the RIP interface – Regular or Poisoned Reverse.
   •     Distribution List replaces the RIP Filter feature found in FortiOS v2.50 and is used to filter incoming or
         outgoing updates using an access list or a prefix list.
   •     Offset List is used to add the specified offset to the metric of a route.


   Other RIP routing enhancements include:

   •   Classful and Classless subnet support
   •   Keychain security
   •   Access, prefix, and router map lists
   •   Database and status viewing




   Figure 15: RIP Configuration Screen






   2.4.0 Router Objects Feature
   Router Objects is a new feature that allows the customer to create the objects used in the routing functions.
   The following Router Objects are supported:

        •    Access List
        •    Prefix List
        •    Route-map
        •    Key-chain




   Figure 16: Router Object Configuration Screen


   2.5.0 Router Monitor Feature
   The Router Monitor function is a consolidation of Network Interface and Router Table information that allows the
   customer to quickly check the status and metrics of each defined network route in the FortiGate unit. Filters can
   be applied to limit the amount of information displayed. Monitoring filters include: All, Kernel, Connected, Static,
   RIP, RIPNG, OSPF, OSPF6, BGP, IS-IS.




   Figure 17: Router Monitor Screen







   3.0.0 Firewall Enhancements
   The FortiOS v2.80 Firewall enhancements include a host of new features and WebUI rework to increase
   usability. The enhancements include:

   •    Policy configuration enhancements for NAT: IP address ranges, Multiple IP Pools, and DiffServ
   •    Protection Profile
   •    FortiGuard Web Content Filtering
   •    Virtual Domain support in NAT and Transparent modes
   •    Improved Custom TCP/IP support and pre-defined services, including new SIP support
   •    Multiple Secondary IP addresses per interface
   •    IPv6 traffic forwarding
   •    Enhanced RIP routing protocol support
   •    OSPF routing protocol support
   •    ADSL (PPPoE) connection idle timeout support


   3.1.0 Policy Enhancement
   FortiOS v2.80’s WebUI now displays the firewall policies in a tabular list with the ability to expand each interface
   to view the policies defined. This enhancement improves the usability and navigation capabilities over v2.50’s
   “security matrix” interface and allows customers with numerous interfaces and policies to quickly view and
   modify firewall policy settings.




   Figure 18: Firewall Policy Screen








                                                                           Under the new Policy submenu option, the
                                                                           features have been regrouped to improve usability.
                                                                           Sophisticated features have been removed from
                                                                           the default screen and placed into the Advanced
                                                                           option to reduce complexity and decrease setup
                                                                           time. FortiOS v2.80’s Policy/Advanced feature
                                                                           provides the following options:

                                                                           •     Authentication
                                                                           •     Traffic Shaping
                                                                           •     Differentiated Services




   Figure 19: Policy Creation Screen


   Differentiated Services
   Differentiated Services allows the customer to specify the DiffServ DSCP value for packets satisfying the FW
   policy. The network uses the DSCP values to classify, mark, shape, and police traffic, and to perform intelligent
   queuing. DSCP values are typically applied to network traffic by routers based on the routing policies defined
   for a particular application – such as voice traffic or video streams.

   With FortiOS v2.80, customers can configure policies to apply DiffServ values for both forward and reverse
   traffic. These values are optional and may be enabled independently from each other. When both are disabled,
   no changes to the DS field are made (default mode). This feature allows the customer to re-prioritize network
   traffic in either direction as it traverses the FortiGate unit.

   Multiple IP Pools
   FortiOS v2.80 allows multiple IP Pools to be created for use with NAT. Under v2.50, if multiple IP Pools were
   created for a single interface, the system would assign IP addresses to NAT policies from the first defined IP
   Pool. With the v2.80 enhancement, customers can now create multiple IP Pools and select the IP Pool to
   assign. If multiple IP Pools are defined for a single interface, the assigned NAT source address can now be
   randomly assigned from the IP Pool rather than being limited to the IP address of the destination interface. The
   IP Pools can also contain IP addresses belonging to subnets that are different from the subnet of the interface
   on which the IP Pools are defined.

   Policy User Look-up Change
   The “Try other servers if connect to selected server fails” option was removed from the User->Local->Create WebUI
   interface in v2.80 along with the “set-other” CLI command. The “Try other servers” feature is now achieved
   through the order defined in the User Group list. The Local Users authentication database will always override
   any external authentication server and is checked first.





   3.2.0 Address and Services Modification
   A small enhancement was made to the Firewall Address and Service features to reduce complexity. The
   addresses and services are now listed in one continuous list and the need to filter based on Interface has been
   removed. This also holds true for the Group list options.


   3.3.0 Schedule, Virtual IP, IP Pool, IP/MAC Binding
   FortiOS v2.80 keeps the Schedule, Virtual IP, and IP Pool features the same allowing for consistency across
   these features from v2.50. IP Pool in v2.80 now lists all IP Pools in one continuous list and the need to filter
   based on Interface has been removed.

   IP/MAC Binding has been removed from its old location in v2.50’s Firewall IP/MAC Binding submenu and placed
   in the System DHCP submenu in v2.80. The ability to enable and disable the IP/MAC Binding feature from
   the WebUI has been removed in v2.80, but it can still be enabled and disabled from the CLI.


   3.4.0 Protection Profile
   FortiOS v2.80’s Protection Profile renames the “Content Profile” menu option in v2.50, adds new functionality,
   and provides improved information consolidation for improved usability. Protection Profile provides the following
   profile categories under v2.80:

   Antivirus                                 The Antivirus profile category allows the customer to define the Antivirus
                                             scanning characteristics for HTTP, FTP, IMAP, POP3, and SMTP. File Block,
                                             Pass Fragmented Emails, Oversized File/Email Passing are other features
                                             carried over from FortiOS v2.50.

                                             New for v2.80 is the ability to add a signature to outgoing emails. The “Add
                                             Signature to Outgoing Emails” feature allows customers to append a custom
                                             signature to all outgoing emails to identify specific email traffic. This feature
                                             applies to SMTP mail only.




                                             Figure 20: Anti-Virus Protection Profile


   Web Filtering                             The Web Filtering profile allows the customization of the Web Content Block,
                                             Web URL Block, Web Exempt List, and Web Script Filter. New for v2.80 is the
                                             “Web Resume Download Block” feature which will be available in the next
                                             release after v2.80 MR3.








                                             Figure 21: Web Filtering Protection Profile


   Web Category Filtering                    The Web Category Filtering feature is new for FortiOS v2.80 and allows
                                             customers to define the type of web content that should be allowed, blocked, or
                                             monitored. Beginning with v2.80, the Cerberian web filtering service has been
                                             discontinued and replaced with the FortiGuard web filtering service.

                                             The following options are available for filtering the various web categories:

                                                  •   Enable Category Block (HTTP)
                                                  •   Block Unrated Web Sites (HTTP)
                                                  •   Allow Websites When a Rating Error Occurs (HTTP)

                                             V2.80 offers the new FortiGuard service and provides the filtering categories
                                             illustrated in the figure below. Each major category can be expanded to show
                                             the detailed subcategories allowing the customer to enable or disable each
                                             category for Allow, Block, or Monitor.




                                             Figure 22: Web Category Filtering Protection Profile




   Spam Filtering                            Email Spam Filtering has been greatly enhanced in FortiOS v2.80 to include
                                             several new and improved spam filtering capabilities. There are now ten ways
                                             to define how spam is filtered and handled compared to v2.50’s spam feature.
                                             The following figure illustrates the ten spam filter features that can be applied to
                                             IMAP, POP3, and SMTP.




                                             Figure 23: Spam Filtering Protection Profile


   IPS                                       The FortiOS v2.80 IPS protection profile has been greatly enhanced with many
                                             more IPS signatures to detect a much wider range of threats and vulnerabilities.
                                             The IPS profile allows the customer to enable and disable the IPS Signature
                                             (formerly NIDS Detection) and IPS Anomaly (formerly NIDS Prevention) for all
                                             services in one convenient location. The v2.80 IPS functionality has been
                                             enhanced to be fully “inline” and is enabled per policy via the Protection Profile.




                                             Figure 24: IPS Protection Profile

                                             For more information on the signatures detected, see the IPS section.






   Content Log
   The FortiOS v2.80 Content Log protection profile allows the customer to enable or disable the logging of
   content meta-data for each protocol. Content meta-data can include date and time, source and destination
   information, request and response size, and scan result. Content Logging can be turned on for HTTP, FTP, IMAP,
   POP3, and SMTP traffic.




                                             Figure 25: IPS Protection Profile


   3.5.0 Other Firewall Improvements
   Other improvements and enhancements made to FortiOS v2.80 include the following:

   Improved Custom TCP/IP Support and Pre-defined Services
   Custom TCP/IP services can now be defined for ICMP in addition to TCP and UDP. FortiOS v2.80 also supports
   the SIP protocol for VoIP networks and adds new pre-defined services for traffic types such as AOL and MSN
   Messenger.

   IP Address Ranges
   The IP addresses for firewall policies can now be specified as a range in addition to the typical subnet
   groupings. The range is limited to span 256 addresses. However, Encrypt (IPSec) firewall policies must
   continue to use subnet ranges.

   Multiple Secondary IP Addresses per Interface
   An interface can now be assigned multiple secondary IP addresses. In FortiOS v2.50, only a single secondary
   IP address was allowed. FortiOS v2.80 allows up to 32 secondary IP addresses. This is a CLI-only command.

   IPv6 Traffic Forwarding
   FortiOS v2.80 provides forwarding of IPv6 traffic, which is configured through the CLI. IPv6 support for the
   other FortiGate functions, such as firewall policies, content filtering, and AV scanning, is currently not
   available with FortiOS v2.80 MR3.

   OSPF Routing Protocol Support
   OSPF routing protocol support has been added in FortiOS v2.80 with the following features. OSPF is configured
   through CLI-only commands.

        • OSPF Version 2 Support
        • OSPF Area Support (50 maximum)
        • Route Redistribution with Type
        • Multiple Instances Support (OSPF per virtual domain)
        • Opaque LSA Support
        • Database Overflow Support



        • Simple Password Authentication
        • MD5 authentication
        • OSPF Hello Parameter Configuration
        • OSPF Interface Configuration (100 maximum)
        • OSPF NSSA
        • Type 1 and Type 2 External
        • Virtual Links Support

   ADSL (PPPoE) Connection Idle Timeout Support
   To improve support for ADSL environments using PPPoE where service providers bill based on connection
   time, an idle timeout option can be configured to automatically disconnect the connection after a period of
   inactivity.




   4.0.0 User Enhancements
   To provide consistency with FortiOS v2.50, FortiOS v2.80 keeps most of the User features the same with some
   minor fixes and enhancements in the following areas:

   •    Local User Settings
   •    User Group Settings


   4.1.0 Local User Changes
   FortiOS v2.80 removed the “Try other servers if connect to selected server fails” checkbox for the Local user
   accounts. The “Try other servers” feature is now achieved through the order defined in the User Group list.
   Users defined in the FortiGate Local Users database are checked first and always override any external
   authentication server.




   Figure 26: Local User Screen


   4.2.0 User Group Enhancements
   An expanded User Group function allows a User Group to be associated with a Protection Profile. Assigning a
   protection profile to a user group simplifies policy configuration when authentication is enabled. An example
   of how this would work is:

   1. Configure local users.
   2. Configure a local user group, selecting the protection profile associated with this group.
   3. In policy configuration, when authentication is enabled, select multiple groups for the allowed
      authentication group.








   Figure 27: User Group Screen




   5.0.0 VPN Enhancements
   The FortiOS v2.80 VPN enhancements include several new features and WebUI improvements to increase
   usability. The new VPN enhancements include:

   •    Dynamic DNS as Remote Gateway
   •    Internet Browsing
   •    IPSec tunnel in Transparent mode
   •    DHCP support over IPSec
   •    User Authentication via RSA SecurID™
   •    Redundant dial-up tunnels
   •    Overlapping address support
   •    VIP over IPSec


   5.1.0 IPSEC VPN Enhancements
   FortiOS v2.80 added a few IPSEC enhancements to increase operability and to make the WebUI easier to
   navigate. The IPSEC menu tabs have been reordered to better reflect the actual steps taken to create a VPN
   tunnel: Phase 1, Phase 2, Manual Key, Concentrator, Ping Generator (new), and Monitor.


   5.1.1 IPSEC Phase 1 Enhancements
   Phase 1 enhancements for v2.80 include a reconfiguration of the WebUI to better align the Phase 1 information
   for provisioning and navigation. The most commonly used parameters are now displayed by default and an
   “Advanced” option is created to group the other Phase 1 VPN settings.








   Advanced options include:

   •    Encryption Proposal
   •    DH Group
   •    Keylife
   •    Local ID
   •    XAuth
   •    NAT-traversal
   •    Keepalive Frequency
   •    Dead Peer Detection




   Figure 28: IPSEC Phase 1 Screen


   IPSec Dynamic DNS support
   The Remote Gateway in v2.80 has been enhanced to support Dynamic DNS (DynDNS) as an option for
   supporting Domain Names. Using DynDNS, IPSec VPN tunnels can be constructed even when dynamic IP
   addresses are being used on the termination points of the tunnel. FortiOS v2.80 provides full support for
   Dynamic DNS, enabling the FortiGate unit to automatically register itself with a number of available
   “Dynamic DNS” services whenever the external interface IP address changes, either through a user-initiated
   change or through dynamic addressing schemes implemented by IP service providers.


   5.1.2 IPSEC Phase 2 Enhancements
   Phase 2 enhancements for v2.80 include a reorganized WebUI with an “Advanced” option to group encryption,
   replay attack, keepalive and other advanced tunneling functions. New for the Advanced features is the “Internet
   Browsing” feature which can be applied to any interface defined on the FortiGate unit. The Internet Browsing
   feature allows the customer to select the interface through which remote VPN users can connect to the Internet.

   The Internet Browsing interface becomes the virtual source interface from which VPN users can connect through
   the firewall to browse the Internet. In most configurations, the Internet Browsing interface would be the
   internal interface and VPN users would be able to browse the Internet using the same firewall policies as users
   on the internal network (for example, internal -> wan1 policies).

   Figure 29: IPSEC Phase 2 Screen


   5.1.3 IPSEC Manual Key, Concentrator, and Monitor Functions
   FortiOS v2.80 keeps the Manual Key and Concentrator features the same as in v2.50. No changes were made
   in these two areas. The Monitor function now supports site-to-site tunnel monitoring in addition to dial-up VPN
   connections to report all active VPN tunnels on the FortiGate unit.


   5.1.4 Ping Generator
   The Ping Generator feature was added to the WebUI to allow a “tunnel keep-alive” to be created for keeping the
   VPN tunnel up and active. Ping sessions are generated from the FortiGate’s gateway address to the remote
   destination IP address. Ping Generator creates traffic through one of two VPN tunnels to keep the tunnel
   connections open even if the tunnel is not processing traffic.

   This feature is useful for keeping branch-to-branch VPN tunnels up to reduce the setup latency that may occur if
   the VPN tunnel is dropped due to inactivity.




   Figure 30: Ping Generator Screen




   5.2.0 Other VPN Improvements
   FortiOS v2.80 kept the PPTP, L2TP, and Certificate functions unchanged from v2.50. Additional improvements
   for VPN functionality include:

   IPSec Tunnel Support in Transparent Mode
   FortiOS v2.80 supports IPSec VPNs constructed in Transparent mode as well as NAT or Route mode. All
   features of IPSec VPN that are available in NAT/Route mode except for Concentrator (hub & spoke) are
   available in Transparent mode. Transparent mode doesn’t support the Concentrator function.

   DHCP Support Over IPSec
   In many remote access scenarios, a mechanism for making the remote host appear to be present on the local
   corporate network is useful. This may be accomplished by assigning the host a “virtual” address from the
   corporate network, and then tunneling traffic via IPSec from the host's ISP-assigned address to the corporate
   security gateway. In FortiOS v2.80, DHCP over IPSec is supported by DHCP relay for an external DHCP server.
   This feature is configured from the CLI.

   User Authentication via RSA SecurID™
   FortiOS v2.80 supports user authentication for IPSec tunnels using RSA SecurID. The user must be configured
   in a RADIUS server to require SecurID authentication.






   Overlapping Address Support
   FortiOS v2.80 supports site-to-site VPN configurations in which the addresses overlap between the two sides of
   the tunnel. This is supported by adding address mapping (configuring outbound NAT for the two subnets on two
   sides that have the same addressing scheme) to support address overlap on the two sides.

   Support VIP Over IPSec VPN
   To support connectivity across an IPSec VPN tunnel between two overlapping subnets (i.e. both sides of the
   VPN tunnel are in the same subnet), VIP addresses can be used to map the hosts on either side of the tunnel.

   For example, to allow host1 to access host2 in the following scenario:




   Figure 31: VIP Over IPSEC


   Set a VIP on FortiGate #1 that resolves to the Host 2 address and a VIP on FortiGate #2 that points at Host 1.
   This method is distinct from using outbound NAT on an encrypt policy to support VPN connectivity between two
   overlapping subnets.




   6.0.0 IPS Enhancements
   FortiOS v2.80 enhances the IPS functionality with new capabilities and new IPS signatures. The greatest
   improvement is the creation of a “Dynamic Threat Prevention System” that combines the Intrusion Detection and
   Prevention functions to create a stronger defense against known and unknown attacks.

   The new Dynamic Threat Prevention IPS can be applied on a per-firewall policy basis through the Protection
   Profiles. All current NIDS signatures (approximately 1400 with v2.80 MR3) will include the option for a
   prevention action to be taken when the attack is detected. The detection signatures and prevention actions are
   updated automatically in real time via the FortiProtect Network.

   New in FortiOS v2.80 are “anomalies” to identify network traffic that does not fit known or preset traffic patterns.
   The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols. Each
   anomaly comes with a recommended configuration that can be modified as required. New anomaly lists are
   only provided in new firmware releases and are not automatically updated through FortiProtect.






   6.1.0 IPS Signature Enhancements
   FortiOS v2.80’s IPS Signature screen is improved to combine several features onto one user interface. The
   signatures are now grouped with a new “drop down list” capability, and the screen shows the Enable and Logging
   statuses along with the IPS Prevention Action and the Revision information. Individual IPS signatures can be
   edited within each category grouping for enabling, logging, and corrective action.


   Corrective actions include the ability to:

   •    Pass
   •    Drop
   •    Reset
   •    Reset Client
   •    Reset Server
   •    Drop Session
   •    Pass Session
   •    Clear Session




   Figure 32: IPS Signature Screen


   With v2.80, customers can now enter Custom IPS signatures into the database without having to import them
   from a file. The IPS Signature’s Custom feature has been enhanced with an online form to allow customers to
   type in the new custom signatures.




   Figure 33: IPS Custom Signature Screen






   6.2.0 IPS Anomaly Enhancements
   FortiOS v2.80 renames the NIDS Prevention feature to “IPS Anomaly” to better describe the security activities
   associated with IPS anomaly prevention. The new WebUI presents the information in a clearer, more concise
   manner and displays the Attack Name, Enable state, Logging state, and Prevention Action.




   With v2.80, customers can now specify the Anomaly Prevention Action (same actions as IPS signatures) and
   enable Logging for each individual anomaly attack signature.




   Figure 34: IPS Anomaly Screen


   6.3.0 Other IPS Improvements
   In addition to the improvements listed above, FortiOS v2.80 has also made the following changes and
   enhancements to the IPS security module.

   Support for "Bit Torrent" traffic
   Bit Torrent (see http://bitconjurer.org/BitTorrent) traffic can now be identified by the IPS module allowing the
   customer to take appropriate action to allow or disallow this type of traffic.

   Log for Repeated Attack Alerts
   In order to prevent attack log flooding, FortiOS accumulates the unreported alerts and reports the number of
   repeats once the attack stops.
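
   The suppression behaviour described above, sketched as an added example (not Fortinet code). The grouping key
   (attack, source, destination), the 30-second quiet interval that marks an attack as stopped, and the log line
   layout are assumptions; the alerts are constructed.

```python
from dataclasses import dataclass

QUIET_SECONDS = 30  # assumption: silence after which an attack counts as stopped


@dataclass
class Run:
    first_seen: int
    last_seen: int
    suppressed: int = 0  # repeats seen but not yet written to the log


class RepeatedAlertLog:
    """Write the first alert of a run, count the repeats, summarise at the end."""

    def __init__(self, quiet_seconds=QUIET_SECONDS):
        self.quiet = quiet_seconds
        self.runs = {}   # (attack, src, dst) -> Run
        self.lines = []  # log lines actually written

    def flush(self, now):
        """Close every run that has been silent for the quiet interval."""
        for key, run in list(self.runs.items()):
            if now - run.last_seen < self.quiet:
                continue
            del self.runs[key]
            if run.suppressed:  # a single alert needs no summary line
                attack, src, dst = key
                self.lines.append(
                    f"{run.last_seen} attack={attack} src={src} dst={dst} "
                    f"repeated={run.suppressed} first_seen={run.first_seen}"
                )

    def alert(self, ts, attack, src, dst):
        """Record one IPS alert observed at time ts (seconds)."""
        self.flush(ts)
        key = (attack, src, dst)
        run = self.runs.get(key)
        if run is None:
            self.runs[key] = Run(ts, ts)
            self.lines.append(f"{ts} attack={attack} src={src} dst={dst}")
        else:
            run.suppressed += 1
            run.last_seen = ts


def demo():
    """Replay constructed alerts: a 100-alert scan, one stray alert, a late repeat."""
    log = RepeatedAlertLog()
    for ts in range(100):  # one scan alert per second
        log.alert(ts, "tcp_port_scan", "203.0.113.7", "192.0.2.10")
        if ts == 50:
            log.alert(ts, "icmp_flood", "198.51.100.5", "192.0.2.10")
    log.alert(300, "tcp_port_scan", "203.0.113.7", "192.0.2.10")  # starts a new run
    log.flush(400)
    return log.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

   The 102 constructed alerts produce four log lines, and the summary line carries the repeat count an analyst
   needs to size the attack.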







   7.0.0 Antivirus Enhancements
   The FortiOS v2.80 Antivirus enhancements include several new key developments to improve virus detection
   and mitigation. Key improvements include:

   •    Grayware Scanning
   •    Heuristic Virus Detection
   •    Scan Large Files on Hard Drive
   •    Submit quarantined virus sample to Fortinet
   •    HTML link for scanned virus detection
   •    Append Customized text to email messages
   •    PPTP and L2TP AV scanning

   The Antivirus File Block and Antivirus Config functions for the Virus List and Oversize Threshold Configuration
   remain largely unchanged from v2.50.


   7.1.0 Grayware Protection
   FortiOS v2.80 provides a new category of antivirus protection called Grayware. Grayware programs are
   unsolicited commercial software programs that get installed on computers, often without the user's consent or
   knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system
   performance problems or be used for malicious means – such as gathering personal information or surfing
   patterns.

   The FortiGate unit scans for known grayware executable programs in each category the customer enables. The
   category list and contents are added or updated whenever the FortiGate unit receives a virus update package.
   New categories may be added at any time and will be loaded with the virus updates. By default, all new
   categories are disabled. When the Grayware option is enabled, files matching the grayware signatures are
   dropped.




   Figure 35: AV Grayware Configuration Screen






   7.2.0 Other Antivirus Improvements
   Antivirus improvements that may not be immediately obvious through the WebUI include the following:

   Heuristic Virus Detection
   FortiOS v2.80 release includes heuristic detection of virus, worm, and Trojan attacks, which complements
   existing signature-based detection and is also especially effective at detecting new or so-called “Zero Day”
   attacks. In the first phase provided by v2.80 MR3, binary executable files are scanned for the common
   techniques used by malicious code to take control of program flow execution.

   Scan Large Files on Hard Drive
   FortiGate models equipped with hard drives can now scan files up to 1GB.

   Submit Quarantined Virus Sample to Fortinet
   FortiOS v2.80 allows system administrators to submit files that have been quarantined by their FortiGate units to
   Fortinet’s Threat Response Team through a simple, one-button click from the FortiGate web administrative GUI.

   HTML Link for Scanned Virus Detection
   In the event that log records are generated for virus and worm detection, an HTML link will be provided that
   points to the Fortinet virus encyclopedia definition available on the Fortinet website.

   Append Customized Text to Email Messages
   FortiOS v2.80 release allows the system administrator to define a message that will be appended to email
   messages that are destined towards destinations outside of the network protected by a FortiGate unit. For
   example, for a law firm this user definable message could be a disclaimer for the firm. For another corporation,
   the message can state that this particular mail is virus free as inspected by a FortiGate Antivirus Firewall. This
   feature adds more flexibility to give the system administrator additional options for their corporate messaging
   policy.

   PPTP and L2TP AV Scanning
   When the FortiGate is a terminating end-point to a PPTP or L2TP tunnel, the tunnel contents can now be AV
   scanned. This complements the ability to scan IPSec tunnel traffic supported by previous FortiOS releases.

   High-end Models AV Optimize Command
   On high-end models (FortiGate-3000 and higher) an AV optimize feature is available to achieve the best AV
   scanning performance. The CLI commands “config system global” > “set optimize antivirus” will optimize
   FortiGate operation for AV. Note that this command will reboot the FortiGate unit.

   Antivirus Scan Support for ARJ Compression Format
   The ARJ compression format is now supported for antivirus scanning.







   8.0.0 Web Filter Enhancements
   FortiOS v2.80 includes the new FortiGuard Web Filtering module that replaces the Cerberian Web Filtering
   module available with previous releases. Along with this major enhancement, several minor improvements were
   made. Improvements to FortiOS v2.80’s Web Filter security module include:

   •    Banned Word Pattern Type
   •    Category Block


   8.1.0 Content Block (banned word) Pattern Type
   FortiOS v2.80 added a “Pattern Type” match to the Banned Word feature to allow greater flexibility for matching
   words to filter web URLs on. The Pattern Type can be either “Wildcard” or “Regular Expression”. Regular
   Expression is based on the Perl regular expressions and more information regarding this filtering syntax can be
   found at:

   http://www.perldoc.com/perl5.8.0/pod/perlre.html




   Figure 37: Content Blocking with Banned Word Pattern Type
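
   Why the Pattern Type matters, as an added example (not Fortinet code): the same entry text matches different
   URLs depending on the type selected. Python's re module stands in for Perl regular expressions here; the
   wildcard semantics ('*' and '?'), substring matching, and the sample URLs are assumptions.

```python
import re

# Constructed sample URLs.
SAMPLES = [
    "http://bad.example/ads",
    "http://badxexample.test/",
    "http://good.example/",
]


def compile_entry(pattern, pattern_type):
    """Compile one banned-word entry according to its Pattern Type."""
    if pattern_type == "wildcard":
        # Assumption: '*' matches any run of characters, '?' one character,
        # and every other character, including '.', is literal.
        parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern]
        return re.compile("".join(parts))
    if pattern_type == "regexp":
        return re.compile(pattern)  # raises re.error if the syntax is invalid
    raise ValueError(f"unknown pattern type {pattern_type!r}")


def blocked(pattern, pattern_type, urls=SAMPLES):
    """Return the URLs the entry would match, or None if it does not compile."""
    try:
        rx = compile_entry(pattern, pattern_type)
    except re.error:
        return None
    return [u for u in urls if rx.search(u)]


def compare(pattern, urls=SAMPLES):
    """Show how the same entry text behaves under each Pattern Type."""
    return {t: blocked(pattern, t, urls) for t in ("wildcard", "regexp")}


if __name__ == "__main__":
    for entry in ("bad.example*", "*.example"):
        print(entry, compare(entry))
```

   Entered as a regular expression, "bad.example*" also matches the unrelated host badxexample.test because '.'
   matches any character, and "*.example" is not a valid expression at all.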


   8.2.0 Web Filter Category Blocking
   The Web Filter Category Block is a new feature for FortiOS v2.80. Category Blocking uses Fortinet’s high
   performance, server-based categorized URL filtering service called FortiGuard. The FortiGuard Web Rating
   System is a fee-based service that classifies suspect web sites for proactive action. FortiGuard allows the
   FortiGate units to cache web classification information using a default Time-To-Live (TTL) value of 3600
   seconds.

   The administrator has the ability to define and choose the categories of URLs or web sites that can be blocked
   or monitored per firewall policy. FortiGuard capabilities include:

   •    52 content categories
   •    Granular policy enforcement
   •    URL rating cache for high performance
   •    Ability to monitor or deny users access to specific categories
   •    Comprehensive historical statistics for all categories by profile
   •    Log of all requests for websites in monitored or denied categories








   Figure 38: Web Filter Category Blocking with FortiGuard




   FortiGuard Reports offer a quick snapshot of the FortiGuard Web Blocking activity – showing the various
   content categories and the number of hits in each action class: Allowed, Blocked, and Monitored.




   Figure 39: FortiGuard Report Screen


   8.3.0 Web Filtering Feature Differences
   The items that carry over from FortiOS v2.50 unchanged include the URL Block, URL Exempt, and Script Filter
   features. New for FortiOS v2.80 is Username Logging. Administrators can now obtain the username
   credentials from authenticated employees who are using the corporate web resources – providing much better
   tracking of web resources. In order to turn on Username Logging, User Authentication must be enabled on the
   firewall policy.







   9.0.0 Spam Filter Enhancements
   The FortiOS v2.80 Email Spam Filter features have been significantly enhanced from FortiOS v2.50 to increase
   the effectiveness of isolating and blocking spam email. In addition, the WebUI has been improved to increase
   usability. The new Spam Filter enhancements include:

   •    Email Content Filtering support for SMTP, IMAP, and POP3
   •    Verification Against IP Black/White Address List (SMTP only)
   •    Verification Against RBL (Real-time Black Lists) or ORDB (Open Relay Database)
   •    Verification Against Email Addresses
   •    Verification Against MIME Headers
   •    Reverse DNS Lookup (SMTP only)
   •    Return Email DNS Check
   •    Action for Spam Email: providing options to Reject / Delete
   •    Support for Content-based Lists
   •    Improved Logging and Reporting Capabilities


   9.1.0 IP Address Enhancement
   FortiOS v2.80 adds the ability to create and enforce an IP Address Black/White List to filter email against. By
   specifying the IP address mask, customers can define individual hosts, a range of hosts, or entire subnets for
   spam blocking. Email received from these spam sources can be marked as:

   Spam                           Mark as Spam to apply the spam action configured in the Protection Profile.

   Clear                          Mark as Clear to allow the email to pass through to the next filter.

   Reject                         Mark as Reject to delete the email (SMTP only).




   Figure 40: Spam Filter IP Address Screen


   IP Address BWL filtering is enabled through the Protection Profile’s Spam Filtering option and is only applicable
   to SMTP email.
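
   The mask-based matching described in this section, as an added Python sketch (not Fortinet code). The sample entries are constructed, and first-match-wins ordering is an assumption; the brief does not state how overlapping entries are resolved.

```python
import ipaddress

# Constructed sample list of (address/mask, action) entries. Addresses come
# from the RFC 5737 documentation ranges.
IP_BWL = [
    ("192.0.2.25/255.255.255.255", "Clear"),      # one trusted host
    ("192.0.2.0/255.255.255.0", "Spam"),          # the subnet around it
    ("198.51.100.64/255.255.255.192", "Reject"),  # a range of 64 hosts
]
ACTIONS = {"Spam", "Clear", "Reject"}


def compile_bwl(entries):
    """Parse 'address/mask' strings into network objects."""
    compiled = []
    for spec, action in entries:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        # strict=True rejects entries with host bits set under the mask,
        # e.g. 192.0.2.1/255.255.255.0, which are usually typos.
        compiled.append((ipaddress.ip_network(spec, strict=True), action))
    return compiled


def evaluate(client_ip, compiled, protocol="SMTP"):
    """Return the action of the first matching entry, or None.

    None and "Clear" both mean the message continues to the next filter.
    """
    if protocol != "SMTP":  # the brief limits IP BWL filtering to SMTP
        return None
    addr = ipaddress.ip_address(client_ip)
    for network, action in compiled:  # assumption: first match wins
        if addr in network:
            return action
    return None


if __name__ == "__main__":
    bwl = compile_bwl(IP_BWL)
    for ip in ("192.0.2.25", "192.0.2.77", "198.51.100.100", "203.0.113.5"):
        print(ip, evaluate(ip, bwl))
```

   With first-match ordering, the Clear entry for a single host must sit above the Spam entry for its subnet, otherwise the exemption never takes effect.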






   9.2.0 RBL & ORDBL Enhancement
   New for FortiOS v2.80 is the ability to block email based on Real-time Black Hole lists (RBL) and Open Relay
   Database (ORDB) servers. Using RBLs and ORDBLs is an effective way to tag or reject spam as it enters the
   FortiGate unit. RBLs keep track of reported spam source addresses and ORDBLs keep track of unsecured third
   party SMTP servers, known as open relays, which some spammers use to send unsolicited bulk email. There
   are several free and fee-based subscription servers available that provide reliable access to continually updated
   RBLs and ORDBLs. Check with the service you are using to confirm the correct domain name for connecting to
   the server.

   The RBL and ORDBL lists act as domain name servers that match the domain of incoming email to a list of IP
   addresses known to send spam or allow spam to pass through. The FortiGate unit compares the IP address or
   domain name of the sender to any database lists the administrator configures in sequence. If a match is found,
   the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

   RBL & ORDBL filtering is enabled through the Protection Profile’s Spam Filtering option and is applicable to
   IMAP, POP3, and SMTP email. Actions that can be taken against emails sent from the IP addresses listed in
   the RBL and ORDBL lists include:

   Mark                           Marks the emails as Spam and uses the spam action defined in the Protection Profile to
                                  handle them.

   Reject                         Marks as Reject and deletes the email.
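
   How a DNS-based list lookup of this kind works, as an added Python sketch (not Fortinet code). It follows the common DNSBL convention from RFC 5782; the zone names, the sample answers, and the choice to skip a list that cannot be reached are assumptions.

```python
import ipaddress

# Constructed list configuration: (zone, action), checked in sequence.
LISTS = [("rbl.example.test", "Mark"), ("ordb.example.test", "Reject")]

# Constructed answers standing in for real DNS. A missing name models NXDOMAIN.
SAMPLE_DNS = {
    "7.113.0.203.rbl.example.test": "127.0.0.2",
    "9.113.0.203.ordb.example.test": "127.0.0.2",
    "8.113.0.203.rbl.example.test": "192.0.2.80",  # not a listing code
}


def sample_resolve(name):
    """Offline stand-in for an A-record lookup; returns None for NXDOMAIN."""
    return SAMPLE_DNS.get(name)


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: reversed octets plus zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def is_listed(answer):
    """A listing is signalled by an A record inside 127.0.0.0/8."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def check_lists(ip, lists, resolve):
    """Query each list in order; return (zone, action) for the first hit."""
    for zone, action in lists:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            continue  # assumption: an unreachable list is skipped
        if is_listed(answer):
            return zone, action
    return None  # no match: hand the message to the next spam filter


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9", "203.0.113.10"):
        print(ip, check_lists(ip, LISTS, sample_resolve))
```

   Treating only 127.0.0.0/8 answers as listings keeps a parked or repurposed list domain, which may answer every query with an ordinary address, from flagging all mail.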




   Figure 41: Spam Filter RBL & ORDBL Screen


   9.3.0 Email Address Enhancement
   FortiOS v2.80’s new Email Address feature allows customers to create email address lists to filter incoming
   messages against. Emails with matching email addresses or domain names of the sender can be marked as
   “Spam” or marked as “Clear” to allow the email to pass through to the next address list in the filter. To filter out
   an individual email address, enter the complete email address, such as “baduser@spammers.net”. To filter
   email from an entire domain, enter the domain address, such as “spammers.net”.

   The Email Address feature also allows the customer to specify the Pattern Type as Wildcard or Regular
   Expression. Email Address filtering is enabled through the Protection Profile’s Spam Filtering option and is
   applicable to IMAP, POP3, and SMTP email.






   Figure 42: Spam Filter Email Address




   9.4.0 MIME Headers Enhancement
   FortiOS v2.80’s new MIME Headers feature gives greater control over spotting spam or malicious email
   based on MIME content. MIME (Multipurpose Internet Mail Extensions) headers are added to email messages
   to describe the content type and content encoding, such as the type of text in the email body or the program that
   generated the email. Spammers will often insert comments into the MIME headers or leave them blank to
   create malformed headers in an attempt to bypass, or fool, some spam and virus filters.

   To take action on spam arriving from bulk email sources, customers can create MIME Headers to filter incoming
   email against. Email that matches the MIME Header list can be marked as Spam or marked as Clear to allow
   the email to pass through to the next address list in the filter. The MIME Headers feature also allows the
   customer to specify the Pattern Type as Wildcard or Regular Expression. MIME Headers filtering is enabled
   through the Protection Profile’s Spam Filtering option and is applicable to IMAP, POP3, and SMTP email.




   Figure 43: Spam Filter MIME Headers






   9.5.0 Banned Word Enhancement
   The Banned Word feature in FortiOS v2.80 is enhanced to support the following new functions:

   Pattern Type                              Pattern Type allows the customer to set the pattern matching to either
                                             Wildcard or Regular Expression.

   Where                                     Where sets the location of the email to search for the Banned Word: Subject,
                                             Body, or All.

   Action                                    Mark the suspect email as Spam or Clear. Marking it as Spam will apply the
                                             spam action configured in the Protection Profile. Marking it as Clear will let the
                                             email pass to the next filter.


   Banned Word filtering is enabled through the Protection Profile’s Spam Filtering option and is applicable to
   IMAP, POP3, and SMTP email.
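
   The three Banned Word fields (Pattern Type, Where, Action) modelled in an added Python sketch, which is not Fortinet code. The same Pattern Type choice appears in the Email Address and MIME Headers lists above. The sample entries are constructed; the wildcard semantics, case-insensitive matching, and first-match-wins ordering are assumptions.

```python
import re

# Constructed sample entries: (pattern, pattern type, where, action).
BANNED_WORDS = [
    ("newsletter-2004", "Wildcard", "Subject", "Clear"),
    ("v?agra", "Wildcard", "All", "Spam"),
    (r"\bfree\s+(?:money|loan)s?\b", "Regular Expression", "Body", "Spam"),
]


def compile_entry(pattern, pattern_type):
    """Compile one list entry to a case-insensitive regex."""
    if pattern_type == "Wildcard":
        # Assumption: only '*' and '?' are special and the pattern may match
        # anywhere in the text. Everything else is escaped, so a '.' in a
        # wildcard entry stays a literal dot.
        body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.compile(body, re.IGNORECASE | re.DOTALL)
    if pattern_type == "Regular Expression":
        return re.compile(pattern, re.IGNORECASE)
    raise ValueError(f"unknown pattern type {pattern_type!r}")


def classify(subject, body, entries):
    """Return the action of the first matching entry, or None."""
    for pattern, pattern_type, where, action in entries:
        regex = compile_entry(pattern, pattern_type)
        searched = {"Subject": [subject], "Body": [body],
                    "All": [subject, body]}[where]
        if any(regex.search(text) for text in searched):
            return action  # assumption: first match wins
    return None  # no entry matched: continue to the next filter


if __name__ == "__main__":
    print(classify("Cheap V1agra now", "hello", BANNED_WORDS))
    print(classify("Weekly newsletter-2004 issue", "viagra study", BANNED_WORDS))
    print(classify("free money inside", "nothing here", BANNED_WORDS))
```

   The last call returns no action because the regular-expression entry is scoped to Body only, which shows how the Where field narrows a pattern that would otherwise match the subject.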




   Figure 44: Spam Filter Banned Word




   9.6.0 Other Spam Filtering Improvements
   Additional Spam Filtering improvements were made to include the validation of the sender’s address and return
   email address.

   Reverse DNS Lookup
   Reverse DNS Lookup helps to counter email address spoofing by checking the SMTP mail server’s reported
   HELO domain declaration against the result of a DNS look-up and comparing the IP address of the SMTP server.
   This option is enabled through the Protection Profile’s Spam Filtering options.

   Return Email DNS Check
   The return email address can be checked for a valid domain with Reverse DNS look-up. The option checks to
   make sure that the email’s return address is legitimate. This option is enabled through the Protection Profile’s
   Spam Filtering options.






   Spam Action
   The Spam Action has been enhanced in v2.80 to tag or pass the spam email. The tag is customizable and
   defaults to the word “Spam” which can be placed in the subject line or in the MIME header. In previous
   releases, the Spam tag was only appended to the subject line.




   10.0.0 Log & Report Enhancements
   FortiOS v2.80’s logging capabilities have been enhanced with the following changes and improvements:

   •    Per user log/report for Web Filtering
   •    Traffic Log displays the Group and User information when authentication is enabled in the firewall policy
   •    SNMP support for dial-up VPN tunnel monitoring (requires updated 2.80-MR3 version MIB)
   •    Alert Email now contains the FortiGate serial number information for identifying the FortiGate unit
   •    The spam log action type has been removed from the firewall content profile so that the logging behavior is
        centrally controlled from the system wide log setting.


   10.1.0 Log Configuration Improvements
   The Log Configuration feature in FortiOS v2.80 has been improved to include new capabilities and better
   navigation of the WebUI. The Log Configuration function includes the following logging features:

   Log Setting                               The Log Setting feature improves the configuration features for all Logging
                                             options. V2.80 supports logging to the following types of log servers:

                                             •    Syslog servers
                                             •    WebTrends servers
                                             •    Memory (local to FortiGate unit)
                                             •    FortiLog servers




                                             Figure 45: Log Setting Screen



   Alert Email                               Alert Email is used to send an alert email to a maximum of three recipients
                                             when the selected events occur. The Alert Email feature has been enhanced to
                                             allow alert emails to be sent according to the level and time intervals specified
                                             in the alert email options. All messages are collected and assembled in one
                                             alert email and sent when the time interval is reached for the message
                                             category.

                                             For example, if the Alert level was selected as the logging security level
                                             and the time interval for Emergency and Alert was set to 3 minutes, then
                                             all Alert and Emergency log messages collected are sent in a single email
                                             every three minutes.




   Figure 46: Alert Email Screen


   Log Filter                                The Log Filter feature consolidates all of the logging options into one screen
                                             and allows the customer to quickly select which traps and alerts are logged.
                                             Log categories that can be chosen include: Traffic Log, Event Log, Antivirus
                                             Log, Web Filter Log, Attack Log, Spam Filter Log, and Content Log.




   Figure 47: Log Filter Configuration Screen






   11.0.0 CLI Command Enhancements
   FortiOS v2.80 has added many new features and has made significant changes to both the WebUI and the CLI
   to enhance usability and efficiency. For a complete list of CLI enhancements, please refer to the FortiOS v2.80
   CLI Reference Guide. Some of the key CLI enhancements are listed here along with the features that are
   available only with the CLI interface.


   Note: Because of all the new enhancements, the v2.50 configuration files can NOT be used on FortiGate units
   running v2.80. All v2.50 CLI commands are incompatible with FortiOS v2.80 commands and restoring v2.50
   configuration files to a v2.80 unit will not be permitted. Existing FortiGate units running v2.50 can be upgraded
   or the customer can choose to enter a new configuration using the FortiOS v2.80 CLI or WebUI.


   11.1.0 CLI Enhancements
   •    Basic HA information is added to the output of “get system status”.
   •    DHCP and PPPoE information is now displayed in CLI “get system interface”.
   •    CLI is now multilevel providing improved organization and consistency. All functionality can now be invoked
        through the CLI. Type “tree” to view the entire CLI tree structure and obtain a list of commands.
   •    The “config” command branch now augments the “set” command branch. Config is used to access the
        different functional areas of the CLI.
   •    The “set” command has been modified to disallow the ability to enter separate “set” lines in an additive
        fashion.
   •    The “unset” function has been moved under the config branch.
   •    The “get” command branch has some changes to how it functions.
   •    The “execute” command branch has been updated.
   •    The “show” command branch has been added.
   •    The “diagnose” command branch has been updated.


   11.2.0 Features Available Only In CLI Interface
   Many new features were only added to the FortiOS v2.80 CLI interface. Some of the key CLI features added
   are listed below. For complete information, check the FortiOS v2.80 CLI Reference and the Administration
   Guides.

   •    OSPF
   •    IPv6
   •    AV Fail-open
   •    Some Interface Setting parameters (speed, secondary IP, etc)
   •    Some System Global Configuration parameters (RADIUS port, optimize, etc)
   •    Many of the “Execute” commands (dhcpclear, formatlogdisk, traceroute, etc)
   •    AV/Throughput Optimize
   •    Reset-sessionless-TCP
   •    HA options: Route-wait, Route-TTL, Route-hold, load-balance-all







   Other Enhancements
   IEEE 802.11 WLAN Client Mode Supported
   On the FortiWiFi-60, IEEE 802.11b/g client mode is now supported. Previous FortiOS versions only supported
   access point mode. This is configured from the WLAN GUI or CLI commands.

   Splice Enhancement
   The “Splice” feature has been enhanced to support a protection profile approach rather than a global approach.
   This allows the customer to apply the Splice feature more granularly to meet their needs rather than enabling or
   disabling the feature for all interfaces and firewall policies.




   Where to Obtain Additional Information
   In order to get more information on the FortiOS v2.80 features and enhancements, please refer to the following
   list of resources.


   v2.80 MR3 FortiGate Administration Guides
   01-28003-0001-20040716_FortiGate-50A_Administration_Guide.pdf
   01-28003-0002-20040716_FortiGate-60_Administration_Guide.pdf
   01-28003-0003-20040716_FortiGate-100_Administration_Guide.pdf
   01-28003-0004-20040716_FortiGate-200_Administration_Guide.pdf
   01-28003-0005-20040716_FortiGate-300_Administration_Guide.pdf
   01-28003-0006-20040716_FortiGate-400_Administration_Guide.pdf
   01-28003-0007-20040716_FortiGate-500_Administration_Guide.pdf
   01-28003-0008-20040716_FortiGate-800_Administration-Guide.pdf
   01-28003-0009-20040716_FortiGate-1000_Administration_Guide.pdf
   01-28003-0010-20040716_FortiGate-3000_Administration_Guide.pdf
   01-28003-0011-20040716_FortiGate-3600_Administration_Guide.pdf
   01-28003-0012-20040716_FortiGate-4000_Administration_Guide.pdf
   01-28003-0013-20040716_FortiGate-5000_Administration_Guide.pdf
   01-28003-0014-20040716_FortiWiFi-60_Administration_Guide.pdf
   01-28003-0016-20040716_Log_Message_Reference_Guide.pdf


   v2.80 MR3 FortiGate CLI Guide
   01-28003-0015-20040716_FortiGate_CLI_Reference_Guide.pdf


   Customer Support Web Site
   support.fortinet.com                      FortiOS v2.80 software image, release notes, and documentation


   FortiOS v2.80 Online Help
   FortiOS v2.80’s online help can provide much of the configuration information required to navigate and
   set up the FortiGate units running v2.80 software.



