Fortinet Feature Requests

I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to a SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…

This is a living list. I’ll update it every time I discover something new.

  • [PLATFORM] You cannot upgrade HA cluster members independently. Normally you’re only upgrading *one* device, testing your production with the new firmware, and upgrading the second device a few days later. With Fortinet, *all* devices are updated at once. That is: A new bug is immediately distributed to all devices. Oh boy. (With Palo Alto Networks, for example, you can upgrade the HA pair independently.)
  • [PLATFORM] Downgrade to an older firmware version. Currently, you can only factory-reset the device, upload an old firmware and restore a previously saved configuration.
  • [IPv6] One single policy rule set for both Internet protocols (IPv4 and IPv6), not different policies. (Really a major design flaw!) Furthermore, address objects should be generic and *not* separated v4 or v6 objects. While FortiOS v6.2 adds the “consolidated policy mode”, it still uses protocol-dependent address objects. Sigh.
  • [IPv6] For every new IPv6 policy the “NAT” checkbox is enabled by default. This is so stupid I don’t know whether I should cry or laugh about it. Tweet here.
  • [IPv6] When using DHCPv6-PD you cannot find out which complete IPv6 addresses the internal/downstream interfaces have. get system interface physical does not list hardware/software switches and  show system interface <name> only shows the configured subnets but not the actual real IPv6 addresses currently used.
  • [IPv6] More than 3 custom options within a DHCPv6 server. Blogpost here.
  • [IPv6] FQDN objects for IPv6. Currently, FQDN objects are only capable of legacy IPv4 addresses. (I don’t know why there is a differentiation between those Internet Protocols anyway. If an FQDN holds resource records for both IP address families, why should I add it twice, namely to “ipv4 object” and “ipv6 object”?)
  • [IPv6] Geography objects for IPv6. Same as above. Currently, those geography countries/regions are only available for legacy IP.
  • [IPv6] Possibility to change the link-local address (fe80::…/64) of an interface rather than adding (!) another link-local address via “config ip6-extra-addr” and the need to reboot the whole device to have the RAs coming from the “changed” LL address.
  • [POLICY] Usage of applications within security policies, such as Palo Alto Networks does it. Currently, the applications can only be used for logs (which is already great!) but there is no simple way to use them within several policies. –> Possible since FortiOS v5.6, when the Inspection Mode is set to “Flow-based” and the NGFW Mode to “Policy-based”. –> However, this is not working stable. Refer to my comment on the Fortinet site.
  • [MGMT] I want to be able to ping the wan interface from any without presenting the ssh/https login prompt to anyone, too. Currently, if I am allowing an administrator to come from ::0/0 (or 0.0.0.0/0), both ping and ssh/https (etc.) are reachable. Though the login can be limited, I don’t want that anybody knows that there is a FortiGate in place.
  • [MGMT] Configuration Revisions: It would be great to have a list of the last x full-configurations or configuration steps that were done on the firewall. Even better, a compare feature between two configurations, e.g., the one from yesterday compared to the one from last week. –> Thanks to James’ comment: this can be enabled via the CLI to store the config after each logout.
  • [MGMT] SCP copy of the running-config after each admin logout. Report.
  • [MGMT] A separate management plane with its own port and default route. Currently, the FortiGate can only be managed inline via data ports. If you’re using an own management subnet but still want to use online services you must create a separate vdom for that. Not that comfortable. (Please have a look at the great out-of-band management plane and port from Palo Alto Networks.)
  • [MGMT] The dedicated-mgmt port (which is a step in the right direction!) is missing the default-gateway for IPv6. Only legacy IPv4 is working. “config system dedicated-mgmt” -> “set default-gateway <ipv4 address>”.
  • [MGMT] RADIUS servers are not accessible via IPv6, but only via legacy IP.
  • [VPN] There is no way to find out the actual used Diffie-Hellman groups for either phase 1 of IKE or phase 2 (PFS) of IPsec. The only way to find out which proposal is chosen, the tunnel must be set “down” while capturing the IKE/IPsec packets on the CLI. There should be a “get …” command that shows not only the used symmetric ciphers and algorithms but also the used DH groups.
  • [VPN] The FortiGate has some tunnel templates for IPsec VPNs. Great feature, but unfortunately very limited. At first, the tunnel templates have outdated security settings such as “3des-md5” for a Cisco VPN. Though this might work it is not recommended from a security perspective. Second, it would be really great if the admin could add own tunnel templates. I have some customers that have 50+ VPN connections to a certain type of firewall. They always must configure all settings manually (or with a script). Why not making the tunnel templates editable?
  • [SSL-VPN] A working IPv6 SSL-VPN. Currently, it is not possible to have a native IPv6 connection to the FortiGate while the tunneled IP addresses are IPv4-only. This is a common requirement for customers since they want a solution for IPv6-only remote users to access their VPN while not deploying IPv6 internally. With FortiGate, you must have a dummy IPv6 policy to have the SSL-VPN portal enabled for IPv6 at all, which simultaneously breaks the whole FortiClient connection at all, even for IPv4.
  • [SECURITY PROFILES] Cloning a DLP profile does NOT really add a new one with same values, but references to other internal CLI statements. Changing something at the cloned object also changes the same values on the original profile! Tweet here.
  • [USER] The great two-factor authentication, e.g., via SMS, is only working for users with their phone number configured locally on the FortiGate. This feature is not available for users within LDAP groups, even though their numbers are present at the AD. That is, if the 2FA features must be used, every (!) user must be created locally on the FortiGate, too.
  • [DNS] The FortiGate can be used as a DNS proxy. It forwards DNS queries to its recursive DNS server. It would be great if it could also do iterative DNS queries with DNSSEC validation. This would increase some kind of security (authentication) for all users behind a FortiGate.
  • [NTP] NTP authentication works only with NTPv3. Why?!? The authentications commands are hidden unless NTPv3 is enabled explicitly. Furthermore, no single “show|get|diag” command reveals whether NTP authentication is working or not. Of course, there should be warnings in case of spoofed or unauthenticated NTP packets. –> Added with FortiOS 6.2: “SHA-1 Authentication Support (for NTPv4)”. (I have not yet verified whether spoofed NTP packets throw errors or not.
  • [CLI] There is no way to find out all internal IP addresses used on hardware interfaces AND virtual/hardware/software switches. The CLI command  get system interface can only be followed by physical, hence it does not list the switches.
  • [CLI] Possibility to ping and traceroute with one single command instead of those shitty “ping-options” or “traceroute-options” subcommands.
  • [CLI] Same structure for traceroute and tracert6. Currently, traceroute for IPv4 uses the “traceroute-options” subcommands, while tracert6 for IPv6 uses all arguments in the line such as “-i -m -w host”.
  • [GUI] IPv6 settings through the GUI, e.g., router advertisements, DHCPv6, OSPFv6. Currently, only the mere IPv6 address can be entered.
  • [GUI] Fields for more than one Syslog server.
  • [GUI] The Log Config -> Alert E-mail page is only visible if an SMTP server is specified under System -> Config -> Advanced. This is really confusing when searching after the alert email settings.
  • [GUI] The Security Log should be visible anytime, not only after security events. It is confusing that it is hidden by default.
  • [GUI] It is great to “select columns to display” within the policies. However, after each logout, the columns are set to their default values. Why?
  • [GUI] Missing option within the user definition to “Enable Two-factor Authentication” for SMS. This must be done via the CLI. You can configure an SMS number but not enable it for two-factor authentication. Where is the sense?
  • [GUI] Cannot configure custom NTP servers and NTP authentication. If those are configured through the CLI, only the first one is displayed in the GUI. Confusing!
  • [GUI] A simple dashboard widget to write down some notes. Report.

GUI, GUI, GUI

One of my main problems with FortiGate is the GUI. There are so many features that are not accessible through the GUI. (Even though everything is enabled within System -> Config -> Features.) Some really good technical persons might be able to configure everything through the CLI, but I am selling firewalls to “normal” IT guys that also manage Windows AD, AV, APT, MDM, routers, mail, DNS, end-users, etc. Everything that’s not included in the GUI is simply not present.

Fortinet, why aren’t you improving your GUI?

CLI, CLI, CLI

Unfortunately, the CLI isn’t better at all. Coming from a really good CLI from Cisco, it’s a huge mess to find your way through those hundred sub-sections and different keywords such as show | get | execute | diagnose. I am completely annoyed.

Featured image “Bagger” by Christian Allinger is licensed under CC BY 2.0.

12 thoughts on “Fortinet Feature Requests

  1. Hello Johannes,

    We solves your feature request
    “I want to be able to ping the wan interface from any without allowing ssh access from any, too.”
    with this configuration:
    – access-profice “no-access” with NO permission
    – access-profile “admin” (default) with all permission
    – user “ping_only” with accessprofile “no-access” and no ip restriction
    – user “admin” with accessprofile “admin” with ip restriction
    – wan1 interface allowed SSH and ping

    CLI example:
    config system accprofile
    edit “no_access”
    set comments “to have a profile for ping and suspended admin-users”
    next
    end
    config system admin
    edit “ping_only”
    set accprofile “no_access”
    set password ENC ***I=do=not=want=to=publish=the=password=here***
    next
    edit “admin”
    set trusthost1 192.0.2.0 255.255.255.0
    set ip6-trusthost1 2001:db8:cafe::/48
    set accprofile “super_admin”
    set password ENC ***I=do=not=want=to=publish=the=password=here***
    next
    end

    Regards
    Ulrich

    1. Hi Ulrich,

      thanks for your effort. Unluckily this is not exaclty what I need. I have updated my description above. That is: I want to be able to ping from any while not presenting the login page to any, too. With your example anyone can ping (good), but the login prompt is showing up, too, that is, anyone know that there is a FortiGate in place. I want that the ssh daemon is NOT listening on the wan1 interface at all…

      Thanks,
      Johannes

      1. Hi Johannes,
        if you set only “PING” as allowed management protocol on external interface, this works as expected.
        And yes, an administrator from a know ip-range is not able to login with SSH or HTTPS now…

        Regards
        Ulrich

  2. Hi Johannes,

    You can solve the request for the enhancement of “ping the wan interface from any” by using “config firewall local-in-policy” rules. I have done this for many customers where they are able to ping the FortiGate from anywhere but not access the login page.

    You can change and retain the default column settings as described in the following documentation:

    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Gui%20and%20CLI/GUI%20and%20CLI%20-%20What%20You%20May%20Not%20Know.htm

    See section on “Changing the default column setting…”

    1. Hi Jonathan,

      thanks for your hints. Seems that the local-in-policy indeed solves my problem.

      Concerning the default column settings: LOL, really funny to see that Fortinet provides a way through the CLI to change the GUI settings. :D :D :D This is one more example which is much better on the Palo Alto firewalls. However, thanks for that, too. Indeed, at least the policy colums can be changed.

  3. Hi Johannes,

    You can enable config revision on logout with the following command

    # config system global
    # set revision-backup-on-logout enable
    # end

    This will also add a “Revisions” button next to the Backup and Restore buttons on the main dashboard.

    Thanks, James

  4. Hello Johannes,
    I agree with nearly all feature requests you listed, but I can accept the way to configure it with the CLI is the documentation in CLI and CLI reference guide will become better.

    One this I missed one more time today is something like “execute ssh6 ” . It doesn’t care if the destination is an address or a hostname.
    I requested this in 2014(?) ago but it looks as too simple for Fortinet to implement this. It still doesn’t exist in 6.2.1 (October 2019).

  5. Hi Johannes,
    during increasing IPv6 experience with Fortigate, I found two more DNS related issues.

    If you use the Fortigate as a DNSproxy and you enable NAT64, DNS64 is enabled, too.
    This is not a bad idea, but if you have a mix or IPv4/IPv6 DualStack networks and IPv6only networks, even the DualStack networks get DNS response with NAT64 prefix (and need a firewall policy to communicate)
    Good idea could be to configure the network range for DNS64 response somewhere at “config system nat64” section.
    In BIND you can configure the network range where requests should be answered with DNS64 function.

    My next request is DNS related, too.
    If you configure a forwarder for a dns-zone somewhere around of “config system dns-database”, the forwarder must be an IPv4 address. It’s not possible to set an IPv6 address :-(

    Any ideas for a workaround?

  6. to add list of your confusions
    1. higher number priority in HA mean higher priority but
    in SD-WAN, higher number mean lower priority
    2. grep command exist in FortiGate but not others

    QUESTIONS:
    1. you said there are two command for ipv6, ip6 and ipv6
    in which product using ipv6 and which ip6

    tq

  7. Hi Team
    We have FAZ 100D we are struggling with report taking with WAN interfaces so we need a feature of bandwidth chat with MBPS in chart kindly update on same.

    Thanks In advance
    Kirubakaran

Leave a Reply

Your email address will not be published. Required fields are marked *