Friday, March 25, 2011

HTTP A/V scanning breaks web requests - it's back

We confirmed with Fortinet today that a bug that was fixed in 4.1.6 apparently exists in 4.2.x. It is scheduled to be fixed (again) in 4.2.6.

Here is the original problem from March 2010. It's not a good thing that this was fixed a year ago and is still around in newer builds of the 4.2 branch.
http://firewallguru.blogspot.com/2010/03/http-av-scanning-breaking-web.html

** Update **

Because 4.2.6 is a quick fix for the split TCP handshake issue, this bug fix will instead be included in 4.2.7.

Wednesday, March 23, 2011

Monday, March 21, 2011

Enhancements in FortiOS 4.3 (aka 4.0 MR3 GA)

Here is Fortinet's official list of new and improved features.
As with any major new release, the recommendation is not to run this on critical production systems, but instead to give the community some time to work through the early bugs with Fortinet.

· Supports "Local In" Policies to and from the FortiGate
· Introduces Unified AV Engine
· Supports Configuration Object Tagging
· Introduces Configuration Rollback feature
· Supports Explicit FTP proxy
· Enhanced Explicit Proxy feature to support Proxy Chaining
· Supports FAS (previously known as FAMS) and FortiAnalyzer Logging Extensions
· Flow-based DLP Support
· Flow-based Web Content Filtering
· Supports IPv6 Firewall offload feature on ASM-CE4, ADM-XE2 and ADM-FB8 modules
· FTPS protocol support for SSL Inspection feature
· Supports Log Viewer Filters
· Network Scan feature Improvements
· Supports Per-VDom Configuration Files
· Policy Table web UI Improvements
· Introduces 'Port Pair' feature in Transparent mode
· Supports SSL-VPN Client in Port Forward mode
· Enhanced User Authentication feature
· Extends Wireless Controller feature support to FortiAP-220A and FortiAP-220B
· Introduces 2-Factor Authentication
· Supports Dynamic Profiles
· Added support for Pictures in Replacement Messages
· Authentication Page Style Improvements
· Enhanced Logging feature
· Supports Configuration Restore via SCP Protocol
· Improved Dashboard Widgets
· Supports DHCP Address Reservation
· Support for DHCP6
· Endpoint NAC Improvement
· Facebook Application Control
· Firewall Schedule Enforcement
· FortiASIC traffic offload Improvements
· HTTP Host Load Balancing
· Improved Chart Display
· Improved Firewall Session Control
· Firewall Session Control Improvements
· IPS Sensor Enhancements
· Supports IPS Signature Search and IPS Signature Threshold
· IPSec 'get' Command Improvement
· IPv6 Firewall Authentication
· Added IPv6 SNMP Support
· Traffic Logging Improvements
· Modem Interface Improvements
· MultiCast IGMP Static Join and PIM Enhancement
· Session Table Enhancements
· NTLM Authentication Extensions
· Supports Per-IP Traffic Shaping for Application Control
· Firewall Policy Enhancements
· Proxy Support with SSL Offload
· RADIUS Accounting Extension
· 'Top Session widget' supports IPv6 sessions
· Simplify Report Configuration
· SNMP Enhancements including web UI support for SNMPv3
· Various web UI consolidation and Enhancements
· SSL-VPN Tunnel Widget Improvements
· Supports SSL-VPN Web Mode over IPv6
· Supports SSL-VPN Policy DE-Authentication
· Static Route web UI Improvements
· Supports sub-second Failover for NP4 Ports
· Supports Authentication Group Matching for TACACS+
· Troubleshooting Improvement
· SQL Logging Enhancements
· VRRP Virtual MAC Support
· Enhanced Web Filter Override feature
· Weighted HA Failover Improvements
· WiFi Enterprise Authentication Support
· Supports per-zone option for Local DNS Server
· Explicit Proxy Improvements
· Supports Hosted NAT traversal for RTP pin-holing
· Introduced Quotas for Web Cache / Byte Cache
· Supports Password Renewal for LDAP Users over SSLVPN
· Supports FMC-XG2 Module
· Generate protocol identification tag for FDN reporting on AV
· Extension of SP acceleration to support offloading of interface-based IPS
· Support for Monitoring Dynamic Data on FMG
· Support for Internet Content Adaptation Protocol (ICAP)
· PKI Authentication Extensions (Merge Top3 1359)
· Merge UTM Logs into one Category
· Configurable Global Admin Profiles
· Add monitor section in menu system
· Support IPS one-arm on XLR
· Inter-Product Secure Communications
· DiffServ per Application Filter
· DLP: Document Fingerprinting
· Geography-based Filtering
· FortiGate Default Report
· Endpoint NAC Extension
· Rogue AP Detection & Reporting
· Captive Portal for Wifi Authentication
· Rogue AP Suppression
· Distributed ARRP (automatic radio resource provisioning)
· Simplify Email Filtering
· ELBCv3 graceful firmware upgrade
· File Filter Reorganization
· SHA-384 and SHA-512 support to IKE and IPsec
· SSL Proxy: Verify Host SSL Certificates
· Dynamic Profile & Endpoint Filter Extensions
· Replacement Message Reorganization
· DNS zone transfer and dns forwarder feature
· Setup Wizard for FOS
· Simple Forticlient VPN GUI
· Web Filter Improvement
· Web Filtering Disclaimer
· Web Filter Category Reorg
· Report Editor Improvements
· FortiGate Default Report - Improvements

Saturday, March 19, 2011

FortiOS 4.3 Released

FortiOS 4.0 MR3 GA was released on Friday. As soon as it shows up on the FTP site it'll get a good kicking of the tires. Stay tuned for initial reviews and new features.

Friday, March 4, 2011

FortiOS 4.2.4 Released

We have had 4.2.4 running on some of our test systems for the past 24 hours with no adverse effects. Specifically, CPU usage is staying within normal levels. I will also test this on the FWF 60C platform over the weekend.
Please post your feedback after you try it out.