Tuesday, April 13, 2010

Software Updates

FortiOS
  •  4.0 MR2 GA, Build 272
FortiAnalyzer
  • 4.0 MR2 GA, Build 198
 FortiManager
  • 4.0 MR2 GA, Build  336

Friday, April 2, 2010

FortiOS 4.0 MR2 - Initial Impressions

Fortinet has shown once again that they continuously work on improving their products. The WEB UI has been give a complete overhaul. While the new look will certainly take some getting used to it is fairly clean and efficient. Some of the initial things I noticed:

  • Performance of the UI is better in Internet Explorer than in Firefox

  • The new UI no longer uses the edit and trashcan icons on the right. Instead you now use check boxes. One of the advantages is that it's easier to quickly remove multiple rules or objects.

    On the downside you can no longer quickly determine whether an object is in use or not by looking for the trashcan icon next to the object. If you select an object that is in use the "Delete" option stays greyed out. And if you select multiple objects (including ones that are in use) and delete them you get a warning that some elements could not be deleted. In my opinion that is a step backwards as far as usability goes. It would be nice to have a column indicating if the objects are in use or not.

    Personally I use the "trashcan indicator" frequently to weed out unused objects.
  • The release notes mention "Protection Profile Re-work". What that apparently means is that protection profiles are gone and you select individual UTM policies on a per-rule basis. This is something I spoke to the Fortinet guys about during the RSA show in early March.

    While I certainly see the intention of making rule creation more flexible it also provides a significant downside. If for example I wanted to change the UTM policies for several rules I will now have to find each rule where the UTM policy is applied and change it there. Previously I could make a change to the protection profile and it would apply to all rules which use the profile.

    A possible solution would be to have a radio button which would allow the use of a pre-defined protection profile or to let you select individual UTM policies.
  • Some of the links do not work in IE. For example in the "Top Sessions" widget on the dashboard the "Details" link does not work in Internet Explorer, no problems in Firefox. Also the link to change the operation mode on the main dashboard has this problem.
    (Funny thing I just noticed is that the "Logout" button is also broken in IE :)
  • When using the "Insert" function to add a firewall policy above an existing one there appears to be a bug in the GUI. No matter in which section I insert a policy (such as internal to DMZ) the destination interface is always set to WAN1. In the drop down box that is the only destination interface available. The workaround right now is to add a policy and then move it to the right location.
    More feedback later.

    Software Update - 4.0 MR2

    Fortinet has released FortiOS 4.0 MR2. This is a major release and below are highlights of new features from the release notes.
    I shall sink my teeth into the new version later today. However since this is a major release with lots of new features my recommendation is as usual to wait one or two patch releases before deploying to mission critical production firewalls.

    · New Web UI Design
    · Supports Dynamic Proxy Allocation
    · IS-IS Routing Protocol Support
    · WCCP Client Support
    · Explicit Proxy Improvements
    · HA Management Port Reservation
    · SSL Proxy Exemption by FortiGuard Category
    · Web 2.0 Log Viewer
    · Introduced 'grep' Capability in the CLI
    · Supports sFlow (Client)
    · Supports FortiGuard Widget on the Dashboard
    · Local Content Archive Support
    · Introduces Report Module Feature
    · HA Sub-second Failover Support
    · Enhanced Support for BGP Routing
    · Introduction of Web Filtering Quota
    · Supports ELBC Synchronization
    · Endpoint Control - Extension to Endpoint Application Detection
    · Dashboard Widget Extensions
    · Supports L2TP with IPSec
    · Skype Control Improvement
    · Supports VRRP and Link Failure Control
    · Per-IP Bandwidth Dashboard Widget
    · Improved Client Certificate Handling for SSL Inspection
    · Maximum Concurrent Users for Explicit Proxy
    · Full SIP Feature Support
    · FSAE Support Polling Domain Controllers
    · Improved DC Agent Distribution (MSI)
    · Storage Health Monitor Feature
    · Improved Disk I/O Scalability
    · Protection Profile Re-work
    · Supports Web Cache Exempt List
    · Introduction of Network Scan Feature
    · Introduction of Network Monitoring Feature
    · Supports Password Renewal for LDAP or RADIUS Users
    · Disk Management
    · Supports Extreme AV Database
    · Introduction of Flow-based AntiVirus Feature
    · Supports Diagnostic Command Lock-down
    · Configuration Revision History and Templates
    · Enhanced Customizable Web UI Feature
    · Introduces Support for Statefull SCTP Firewall