I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to a SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…
This is a living list. I’ll update it every time I discover something new.
- [PLATFORM] You cannot upgrade HA cluster members independently. Normally you’re only upgrading *one* device, testing your production with the new firmware, and upgrading the second device a few days later. With Fortinet, *all* devices are updated at once. That is: A new bug is immediately distributed to all devices. Oh boy. (With Palo Alto Networks, for example, you can upgrade the HA pair independently.)
- [PLATFORM] Downgrade to an older firmware version. Currently, you can only factory-reset the device, upload an old firmware and restore a previously saved configuration.
- [IPv6] One single policy rule set for both Internet protocols (IPv4 and IPv6), not different policies. (Really a major design flaw!) Furthermore, address objects should be generic and *not* separated v4 or v6 objects. While FortiOS v6.2 adds the “consolidated policy mode”, it still uses protocol-dependent address objects. Sigh.
- [IPv6] For every new IPv6 policy the “NAT” checkbox is enabled by default. This is so stupid I don’t know whether I should cry or laugh about it. Tweet here.
- [IPv6] When using DHCPv6-PD you cannot find out which complete IPv6 addresses the internal/downstream interfaces have. get system interface physical does not list hardware/software switches and show system interface <name> only shows the configured subnets but not the actual real IPv6 addresses currently used.
- [IPv6] More than 3 custom options within a DHCPv6 server. Blogpost here.
- [IPv6] FQDN objects for IPv6. Currently, FQDN objects are only capable of legacy IPv4 addresses. (I don’t know why there is a differentiation between those Internet Protocols anyway. If an FQDN holds resource records for both IP address families, why should I add it twice, namely to “ipv4 object” and “ipv6 object”?)
- [IPv6] Geography objects for IPv6. Same as above. Currently, those geography countries/regions are only available for legacy IP.
- [IPv6] Possibility to change the link-local address (fe80::…/64) of an interface rather than adding (!) another link-local address via “config ip6-extra-addr” and the need to reboot the whole device to have the RAs coming from the “changed” LL address.
- [POLICY] Usage of applications within security policies, such as Palo Alto Networks does it. Currently, the applications can only be used for logs (which is already great!) but there is no simple way to use them within several policies. –> Possible since FortiOS v5.6, when the Inspection Mode is set to “Flow-based” and the NGFW Mode to “Policy-based”. –> However, this is not working stable. Refer to my comment on the Fortinet site.
- [MGMT] I want to be able to ping the wan interface from any without presenting the ssh/https login prompt to anyone, too. Currently, if I am allowing an administrator to come from ::0/0 (or 0.0.0.0/0), both ping and ssh/https (etc.) are reachable. Though the login can be limited, I don’t want that anybody knows that there is a FortiGate in place.
[MGMT] Configuration Revisions: It would be great to have a list of the last x full-configurations or configuration steps that were done on the firewall. Even better, a compare feature between two configurations, e.g., the one from yesterday compared to the one from last week.–> Thanks to James’ comment: this can be enabled via the CLI to store the config after each logout.
- [MGMT] SCP copy of the running-config after each admin logout. Report.
- [MGMT] A separate management plane with its own port and default route. Currently, the FortiGate can only be managed inline via data ports. If you’re using an own management subnet but still want to use online services you must create a separate vdom for that. Not that comfortable. (Please have a look at the great out-of-band management plane and port from Palo Alto Networks.)
- [MGMT] The dedicated-mgmt port (which is a step in the right direction!) is missing the default-gateway for IPv6. Only legacy IPv4 is working. “config system dedicated-mgmt” -> “set default-gateway <ipv4 address>”.
- [MGMT] RADIUS servers are not accessible via IPv6, but only via legacy IP.
- [VPN] There is no way to find out the actual used Diffie-Hellman groups for either phase 1 of IKE or phase 2 (PFS) of IPsec. The only way to find out which proposal is chosen, the tunnel must be set “down” while capturing the IKE/IPsec packets on the CLI. There should be a “get …” command that shows not only the used symmetric ciphers and algorithms but also the used DH groups.
- [VPN] The FortiGate has some tunnel templates for IPsec VPNs. Great feature, but unfortunately very limited. At first, the tunnel templates have outdated security settings such as “3des-md5” for a Cisco VPN. Though this might work it is not recommended from a security perspective. Second, it would be really great if the admin could add own tunnel templates. I have some customers that have 50+ VPN connections to a certain type of firewall. They always must configure all settings manually (or with a script). Why not making the tunnel templates editable?
- [SSL-VPN] A working IPv6 SSL-VPN. Currently, it is not possible to have a native IPv6 connection to the FortiGate while the tunneled IP addresses are IPv4-only. This is a common requirement for customers since they want a solution for IPv6-only remote users to access their VPN while not deploying IPv6 internally. With FortiGate, you must have a dummy IPv6 policy to have the SSL-VPN portal enabled for IPv6 at all, which simultaneously breaks the whole FortiClient connection at all, even for IPv4.
- [SECURITY PROFILES] Cloning a DLP profile does NOT really add a new one with same values, but references to other internal CLI statements. Changing something at the cloned object also changes the same values on the original profile! Tweet here.
- [USER] The great two-factor authentication, e.g., via SMS, is only working for users with their phone number configured locally on the FortiGate. This feature is not available for users within LDAP groups, even though their numbers are present at the AD. That is, if the 2FA features must be used, every (!) user must be created locally on the FortiGate, too.
- [DNS] The FortiGate can be used as a DNS proxy. It forwards DNS queries to its recursive DNS server. It would be great if it could also do iterative DNS queries with DNSSEC validation. This would increase some kind of security (authentication) for all users behind a FortiGate.
[NTP] NTP authentication works only with NTPv3. Why?!? The authentications commands are hidden unless NTPv3 is enabled explicitly. Furthermore, no single “show|get|diag” command reveals whether NTP authentication is working or not. Of course, there should be warnings in case of spoofed or unauthenticated NTP packets.–> Added with FortiOS 6.2: “SHA-1 Authentication Support (for NTPv4)”. (I have not yet verified whether spoofed NTP packets throw errors or not.
- [CLI] There is no way to find out all internal IP addresses used on hardware interfaces AND virtual/hardware/software switches. The CLI command get system interface can only be followed by physical, hence it does not list the switches.
- [CLI] Possibility to ping and traceroute with one single command instead of those shitty “ping-options” or “traceroute-options” subcommands.
- [CLI] Same structure for traceroute and tracert6. Currently, traceroute for IPv4 uses the “traceroute-options” subcommands, while tracert6 for IPv6 uses all arguments in the line such as “-i -m -w host”.
- [GUI] IPv6 settings through the GUI, e.g., router advertisements, DHCPv6, OSPFv6. Currently, only the mere IPv6 address can be entered.
- [GUI] Fields for more than one Syslog server.
- [GUI] The Log Config -> Alert E-mail page is only visible if an SMTP server is specified under System -> Config -> Advanced. This is really confusing when searching after the alert email settings.
- [GUI] The Security Log should be visible anytime, not only after security events. It is confusing that it is hidden by default.
- [GUI] It is great to “select columns to display” within the policies. However, after each logout, the columns are set to their default values. Why?
- [GUI] Missing option within the user definition to “Enable Two-factor Authentication” for SMS. This must be done via the CLI. You can configure an SMS number but not enable it for two-factor authentication. Where is the sense?
- [GUI] Cannot configure custom NTP servers and NTP authentication. If those are configured through the CLI, only the first one is displayed in the GUI. Confusing!
- [GUI] A simple dashboard widget to write down some notes. Report.
GUI, GUI, GUI
One of my main problems with FortiGate is the GUI. There are so many features that are not accessible through the GUI. (Even though everything is enabled within System -> Config -> Features.) Some really good technical persons might be able to configure everything through the CLI, but I am selling firewalls to “normal” IT guys that also manage Windows AD, AV, APT, MDM, routers, mail, DNS, end-users, etc. Everything that’s not included in the GUI is simply not present.
Fortinet, why aren’t you improving your GUI?
CLI, CLI, CLI
Unfortunately, the CLI isn’t better at all. Coming from a really good CLI from Cisco, it’s a huge mess to find your way through those hundred sub-sections and different keywords such as show | get | execute | diagnose. I am completely annoyed.