Monday, March 21, 2011

Enhancements in FortiOS 4.3 (aka 4.0 MR3 GA)

Here is Fortinet's official list of new and improved features.
As with any major new release, the recommendation is not to run this on critical production systems, but instead to give the community some time to work out some of the early bugs with Fortinet.

· Supports "Local In" Policies to and from the FortiGate
· Introduces Unified AV Engine
· Supports Configuration Object Tagging
· Introduces Configuration Rollback feature
· Supports Explicit FTP proxy
· Enhanced Explicit Proxy feature to support Proxy Chaining
· Supports FAS (previously known as FAMS) and FortiAnalyzer Logging Extensions
· Flow-based DLP Support
· Flow-based Web Content Filtering
· Supports IPv6 Firewall offload feature on ASM-CE4, ADM-XE2 and ADM-FB8 modules
· FTPS protocol support for SSL Inspection feature
· Supports Log Viewer Filters
· Network Scan feature Improvements
· Supports Per-VDom Configuration Files
· Policy Table web UI Improvements
· Introduces 'Port Pair' feature in Transparent mode
· Supports SSL-VPN Client in Port Forward mode
· Enhanced User Authentication feature
· Extends Wireless Controller feature support to FortiAP-220A and FortiAP-220B
· Introduces 2-Factor Authentication
· Supports Dynamic Profiles
· Added support for Pictures in Replacement Messages
· Authentication Page Style Improvements
· Enhanced Logging feature
· Supports Configuration Restore via SCP Protocol
· Improved Dashboard Widgets
· Supports DHCP Address Reservation
· Support for DHCP6
· Endpoint NAC Improvement
· Facebook Application Control
· Firewall Schedule Enforcement
· FortiASIC traffic offload Improvements
· HTTP Host Load Balancing
· Improved Chart Display
· Improved Firewall Session Control
· Firewall Session Control Improvements
· IPS Sensor Enhancements
· Supports IPS Signature Search and IPS Signature Threshold
· IPSec 'get' Command Improvement
· IPv6 Firewall Authentication
· Added IPv6 SNMP Support
· Traffic Logging Improvements
· Modem Interface Improvements
· MultiCast IGMP Static Join and PIM Enhancement
· Session Table Enhancements
· NTLM Authentication Extensions
· Supports Per-IP Traffic Shaping for Application Control
· Firewall Policy Enhancements
· Proxy Support with SSL Offload
· RADIUS Accounting Extension
· 'Top Session widget' supports IPv6 sessions
· Simplify Report Configuration
· SNMP Enhancements including web UI support for SNMPv3
· Various web UI consolidation and Enhancements
· SSL-VPN Tunnel Widget Improvements
· Supports SSL-VPN Web Mode over IPv6
· Supports SSL-VPN Policy De-Authentication
· Static Route web UI Improvements
· Supports sub-second Failover for NP4 Ports
· Supports Authentication Group Matching for TACACS+
· Troubleshooting Improvement
· SQL Logging Enhancements
· VRRP Virtual MAC Support
· Enhanced Web Filter Override feature
· Weighted HA Failover Improvements
· WiFi Enterprise Authentication Support
· Supports per-zone option for Local DNS Server
· Explicit Proxy Improvements
· Supports Hosted NAT traversal for RTP pin-holing
· Introduced Quotas for Web Cache / Byte Cache
· Supports Password Renewal for LDAP Users over SSLVPN
· Supports FMC-XG2 Module
· Generate protocol identification tag for FDN reporting on AV
· Extension of SP acceleration to support offloading of interface-based IPS
· Support for Monitoring Dynamic Data on FMG
· Support for Internet Content Adaptation Protocol (ICAP)
· PKI Authentication Extensions (Merge Top3 1359)
· Merge UTM Logs into one Category
· Configurable Global Admin Profiles
· Add monitor section in menu system
· Support IPS one-arm on XLR
· Inter-Product Secure Communications
· DiffServ per Application Filter
· DLP: Document Fingerprinting
· Geography-based Filtering
· FortiGate Default Report
· Endpoint NAC Extension
· Rogue AP Detection & Reporting
· Captive Portal for WiFi Authentication
· Rogue AP Suppression
· Distributed ARRP (automatic radio resource provisioning)
· Simplify Email Filtering
· ELBCv3 graceful firmware upgrade
· File Filter Reorganization
· SHA-384 and SHA-512 support to IKE and IPsec
· SSL Proxy: Verify Host SSL Certificates
· Dynamic Profile & Endpoint Filter Extensions
· Replacement Message Reorganization
· DNS zone transfer and DNS forwarder feature
· Setup Wizard for FOS
· Simple FortiClient VPN GUI
· Web Filter Improvement
· Web Filtering Disclaimer
· Web Filter Category Reorg
· Report Editor Improvements
· FortiGate Default Report - Improvements


skiman said...

FortiManager MR2 Patch 6 is required to support MR3 device but Patch 6 is not yet available. Any idea when it will be available? I'm testing MR3 on two 50B and so far everything seems to work fine.

Exstatica said...

There is a small bug on graphs with Chrome. If you edit the CPU widget and change it to historical, the box will grow down. It doesn't stop either. Just thought it was worth mentioning.

Kevin said...

I get a bug with Internet Explorer 8 in the web filter page; I cannot see all items.

Items are present with Firefox.

Anonymous said...

There is a bug related to DLP.

With Google Chrome and DLP for file type avoidance ... firewall cannot avoid the access or the download to the specific extensions .com, .bat, .zip ... only using HTTP.