Friday, April 2, 2010

FortiOS 4.0 MR2 - Initial Impressions

Fortinet has shown once again that they continuously work on improving their products. The web UI has been given a complete overhaul. While the new look will certainly take some getting used to, it is fairly clean and efficient. Some of the initial things I noticed:

  • Performance of the UI is better in Internet Explorer than in Firefox

  • The new UI no longer uses the edit and trashcan icons on the right. Instead you now use check boxes. One of the advantages is that it's easier to quickly remove multiple rules or objects.

    On the downside, you can no longer quickly determine whether an object is in use by looking for the trashcan icon next to it. If you select an object that is in use, the "Delete" option stays greyed out. And if you select multiple objects (including ones that are in use) and delete them, you get a warning that some elements could not be deleted. In my opinion that is a step backwards as far as usability goes. It would be nice to have a column indicating whether each object is in use.

    Personally I use the "trashcan indicator" frequently to weed out unused objects.
  • The release notes mention "Protection Profile Re-work". What that apparently means is that protection profiles are gone and you select individual UTM policies on a per-rule basis. This is something I spoke to the Fortinet guys about during the RSA show in early March.

    While I certainly see the intention of making rule creation more flexible, it also has a significant downside. If, for example, I wanted to change the UTM policies for several rules, I now have to find each rule where the UTM policy is applied and change it there. Previously I could make a change to the protection profile and it would apply to all rules which use that profile.

    A possible solution would be to have a radio button which would allow the use of a pre-defined protection profile or to let you select individual UTM policies.
  • Some of the links do not work in IE. For example, in the "Top Sessions" widget on the dashboard the "Details" link does not work in Internet Explorer, but it works fine in Firefox. The link to change the operation mode on the main dashboard has the same problem.
    (Funny thing I just noticed is that the "Logout" button is also broken in IE :)
  • When using the "Insert" function to add a firewall policy above an existing one, there appears to be a bug in the GUI. No matter in which section I insert a policy (such as internal to DMZ), the destination interface is always set to WAN1, and in the drop-down box that is the only destination interface available. The workaround right now is to add the policy at the end and then move it to the right location.

More feedback later.


    Anonymous said...

    Thanks. Very interested in your additional observations.

    I agree the missing trashcan is a step backwards.

    The docs imply that there is better control over apps. Any way to traffic shape or otherwise control individual apps, such as iTunes or Youtube?

    Anonymous said...

    This does not make me happy, Fortinet: go back to the green web GUI, that was the best I've ever seen...

    Ben said...

    Pegged 110C CPU for over 20 hours due to IPS Engine bug #122860. Rolled back before I could apply the support-issued patch, (aka nids-400-1162-122860_V4.2.pkg).

    As far as the GUI is concerned, there are several screens that look incomplete, and the white background is not as nice as the previous soothing green. Looks more like they tried to mix the Sofaware feel with the ASDM feel.

    I too will miss the protection profiles we have known for the last, oh 6 years? On a new setup, not that big of a deal - but on an upgrade, a real logistical nightmare - cli purge was my friend and I started anew.

    yngve6 said...

    What about IPSEC/AutoKey? I see all existing Phase1/2, but there are no actions shown for adding, deleting, modifying?


    Sebastian said...

    1) Make sure that if you are using a customized Admin profile that VPN changes are enabled (System -> Admin -> Admin Profile)
    2) In the VPN -> Auto Key (IKE) section at the top there are links called "Create Phase 1" and "Create Phase 2"
    3) Select and delete a Phase 2 before you can delete a Phase 1

    Anonymous said...

    Another widget that appears not to work is the Traffic History widget. Have tried setting to internal/WAN1 etc, but it never shows any data.

    Anonymous said...

    The dashboard doesn't work - it can't refresh any info, the button works fine but nothing happens... example: CPU and MEM for about 5 days always 0% ?!?!?! VoIP and P2P the same... shame, but probably I will return to FortiOS 3 because it worked fine.

    Anonymous said...

    I've had 30B customers that went back to MR1P4 because the firewall would become unresponsive and unreachable via that GUI. I've heard rumors that they may pull MR1 for the lower models (30 and 50) until they get the performance issue addressed. MR1 was full of problems too until they came out with patched versions. I recommend to everyone, experiment now, but do not implement in production until patched versions become available.

    Sebastian said...

    I myself am eagerly awaiting 4.1 Patch 5 since it is supposed to include some specific bugfixes for problems we found with the IPS engine.