Fortinet Feature Requests

I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to an SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…

This is a living list. I’ll update it every time I discover something new.

  • [IPv6] One single policy rule set for both protocols (IPv4 and IPv6), not different policies. (Really a major design flaw!)
  • [POLICY] Usage of applications within security policies, such as Palo Alto Networks does it. Currently, the applications can only be used for logs (which is already great!) but there is no simply way to use them within several policies. –> Introduced with FortiOS 5.6.
  • [MGMT] I want to be able to ping the wan interface from any without presenting the ssh/https login prompt to anyone, too. Currently, if I am allowing an administrator to come from ::0/0 (or 0.0.0.0/0), both ping and ssh/https (etc.) are reachable. Though the login can be limited, I don’t want that anybody knows that there is a FortiGate in place.
  • [MGMT] Configuration Revisions: It would be great to have a list of the last x full-configurations or configuration steps that were done on the firewall. Even better, a compare feature between two configurations, e.g., the one from yesterday compared to the one from last week.
  • [MGMT] A separate management plane with its own port and default route. Currently, the FortiGate can only be managed inline via data ports. If you’re using an own management subnet but still want to use online services you must create a separate vdom for that. Not that comfortable. (Please have a look at the great out-of-band management plane and port from Palo Alto Networks.)
  • [VPN] There is no way to find out the actual used Diffie-Hellman groups for either phase 1 of IKE or phase 2 (PFS) of IPsec. The only way to find out which proposal is chosen, the tunnel must be set “down” while capturing the IKE/IPsec packets on the CLI. There should be a “get …” command that shows not only the used symmetric ciphers and algorithms, but also the used DH groups.
  • [VPN] The FortiGate has some tunnel templates for IPsec VPNs. Great feature, but unfortunately very limited. At first, the tunnel templates have outdated security settings such as “3des-md5” for a Cisco VPN. Though this might work it is not recommended from a security perspective. Second, it would be really great if the admin could add own tunnel templates. I have some customers that have 50+ VPN connections to a certain type of firewall. They always must configure all settings manually (or with a script). Why not making the tunnel templates editable?
  • [SSL-VPN] A working IPv6 SSL-VPN. Currently it is not possible to have a native IPv6 connection to the FortiGate while the tunneled IP addresses are IPv4-only. This is a common requirement for customers since they want a solution for IPv6-only remote users to access their VPN while not deploying IPv6 internally. With FortiGate you must have a dummy IPv6 policy to have the SSL-VPN portal enabled for IPv6 at all, which simultaneously breaks the whole FortiClient connection at all, even for IPv4.
  • [USER] The great two-factor authentication, e.g., via SMS, is only working for users with their phone number configured locally on the FortiGate. This feature is not available for users within LDAP groups, even though their numbers are present at the AD. That is, if the 2FA features must be used, every (!) user must be created locally on the FortiGate, too.
  • [DNS] The FortiGate can be used as a DNS proxy. It forwards DNS queries to its recursive DNS server. It would be great if it could also do iterative DNS queries with DNSSEC validation. This would increase some kind of security (authentication) for all users behind a FortiGate.
  • [GUI] IPv6 settings through the GUI, e.g., router advertisements, DHCPv6, OSPFv6. Currently, only the mere IPv6 address can be entered.
  • [GUI] Fields for more than one Syslog server.
  • [GUI] The Log Config -> Alert E-mail page is only visible if an SMTP server is specified under System -> Config -> Advanced. This is really confusing when searching after the alert email settings.
  • [GUI] The Security Log should be visible anytime, not only after security events. It is confusing that it is hidden by default.
  • [GUI] It is great to “select columns to display” within the policies. However, after each logout the columns are set to its default values. Why?
  • [GUI] Missing option within the user definition to “Enable Two-factor Authentication” for SMS. This must be done via the CLI. You can configure a SMS number but not enable it for two-factor authentication. Where is the sense?

GUI, GUI, GUI

One of my main problems with FortiGate is the GUI. There are so many features that are not accessible through the GUI. (Even though everything is enabled within System -> Config -> Features.) Some really good technical persons might be able to configure everything through the CLI, but I am selling firewalls to “normal” IT guys that also manage Windows AD, AV, APT, MDM, routers, mail, DNS, end users, etc. Everything that’s not included in the GUI is simply not present.

Fortinet, why aren’t you improving your GUI?

5 thoughts on “Fortinet Feature Requests

  1. Hello Johannes,

    We solves your feature request
    “I want to be able to ping the wan interface from any without allowing ssh access from any, too.”
    with this configuration:
    – access-profice “no-access” with NO permission
    – access-profile “admin” (default) with all permission
    – user “ping_only” with accessprofile “no-access” and no ip restriction
    – user “admin” with accessprofile “admin” with ip restriction
    – wan1 interface allowed SSH and ping

    CLI example:
    config system accprofile
    edit “no_access”
    set comments “to have a profile for ping and suspended admin-users”
    next
    end
    config system admin
    edit “ping_only”
    set accprofile “no_access”
    set password ENC ***I=do=not=want=to=publish=the=password=here***
    next
    edit “admin”
    set trusthost1 192.0.2.0 255.255.255.0
    set ip6-trusthost1 2001:db8:cafe::/48
    set accprofile “super_admin”
    set password ENC ***I=do=not=want=to=publish=the=password=here***
    next
    end

    Regards
    Ulrich

    1. Hi Ulrich,

      thanks for your effort. Unluckily this is not exaclty what I need. I have updated my description above. That is: I want to be able to ping from any while not presenting the login page to any, too. With your example anyone can ping (good), but the login prompt is showing up, too, that is, anyone know that there is a FortiGate in place. I want that the ssh daemon is NOT listening on the wan1 interface at all…

      Thanks,
      Johannes

      1. Hi Johannes,
        if you set only “PING” as allowed management protocol on external interface, this works as expected.
        And yes, an administrator from a know ip-range is not able to login with SSH or HTTPS now…

        Regards
        Ulrich

  2. Hi Johannes,

    You can solve the request for the enhancement of “ping the wan interface from any” by using “config firewall local-in-policy” rules. I have done this for many customers where they are able to ping the FortiGate from anywhere but not access the login page.

    You can change and retain the default column settings as described in the following documentation:

    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Gui%20and%20CLI/GUI%20and%20CLI%20-%20What%20You%20May%20Not%20Know.htm

    See section on “Changing the default column setting…”

    1. Hi Jonathan,

      thanks for your hints. Seems that the local-in-policy indeed solves my problem.

      Concerning the default column settings: LOL, really funny to see that Fortinet provides a way through the CLI to change the GUI settings. :D :D :D This is one more example which is much better on the Palo Alto firewalls. However, thanks for that, too. Indeed, at least the policy colums can be changed.

Leave a Reply

Your email address will not be published. Required fields are marked *