I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to an SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…
This is a living list. I’ll update it every time I discover something new.
- [PLATFORM] You cannot upgrade HA cluster members independently. Normally you’re only upgrading *one* device, testing your production with the new firmware, and upgrading the second device a few days later. With Fortinet, *all* devices are updated at once. That is: A new bug is immediately distributed to all devices. Oh boy. (With Palo Alto Networks for example, you can upgrade the HA pair independently.)
- [PLATFORM] Downgrade to an older firmware version. Currently you can only factory-reset the device, upload an old firmware and restore a previously saved configuration.
- [IPv6] One single policy rule set for both protocols (IPv4 and IPv6), not different policies. (Really a major design flaw!)
- [IPv6] For every new IPv6 policy the “NAT” checkbox is enabled by default. This is so stupid I don’t know whether I should cry or laugh about it. Tweet here.
- [IPv6] When using DHCPv6-PD you cannot find out which complete IPv6 addresses the internal/downstream interfaces have. get system interface physical does not list hardware/software switches and show system interface <name> only shows the configured subnets but not the actual real IPv6 addresses currently used.
- [IPv6] FQDN objects for IPv6. Currently FQDN objects are only capable of legacy IPv4 addresses. (I don’t know why there is a differentiation between those Internet Protocols anyway. If an FQDN holds resource records for both IP address families, why should I add it twice, namely to “ipv4 object” and “ipv6 object”?)
- [IPv6] Possibility to change the link-local address (fe80::…/64) of an interface rathern than adding (!) another link-local address via “config ip6-extra-addr” and the need to reboot the whole device to have the RAs coming from the “changed” LL address.
[POLICY] Usage of applications within security policies, such as Palo Alto Networks does it. Currently, the applications can only be used for logs (which is already great!) but there is no simply way to use them within several policies.–> Possible since FortiOS v5.6, when the Inspection Mode is set to “Flow-based” and the NGFW Mode to “Policy-based”. –> However, this is not working stable. Refer to my comment on the Fortinet site.
- [MGMT] I want to be able to ping the wan interface from any without presenting the ssh/https login prompt to anyone, too. Currently, if I am allowing an administrator to come from ::0/0 (or 0.0.0.0/0), both ping and ssh/https (etc.) are reachable. Though the login can be limited, I don’t want that anybody knows that there is a FortiGate in place.
[MGMT] Configuration Revisions: It would be great to have a list of the last x full-configurations or configuration steps that were done on the firewall. Even better, a compare feature between two configurations, e.g., the one from yesterday compared to the one from last week.–> Thanks to James’ comment: this can be enabled via the CLI to store the config after each logout.
- [MGMT] A separate management plane with its own port and default route. Currently, the FortiGate can only be managed inline via data ports. If you’re using an own management subnet but still want to use online services you must create a separate vdom for that. Not that comfortable. (Please have a look at the great out-of-band management plane and port from Palo Alto Networks.)
- [MGMT] The dedicated-mgmt port (which is a step in the right direction!) is missing the default-gateway for IPv6. Only legacy IPv4 is working. “config system dedicated-mgmt” -> “set default-gateway <ipv4 address>”.
- [VPN] There is no way to find out the actual used Diffie-Hellman groups for either phase 1 of IKE or phase 2 (PFS) of IPsec. The only way to find out which proposal is chosen, the tunnel must be set “down” while capturing the IKE/IPsec packets on the CLI. There should be a “get …” command that shows not only the used symmetric ciphers and algorithms, but also the used DH groups.
- [VPN] The FortiGate has some tunnel templates for IPsec VPNs. Great feature, but unfortunately very limited. At first, the tunnel templates have outdated security settings such as “3des-md5” for a Cisco VPN. Though this might work it is not recommended from a security perspective. Second, it would be really great if the admin could add own tunnel templates. I have some customers that have 50+ VPN connections to a certain type of firewall. They always must configure all settings manually (or with a script). Why not making the tunnel templates editable?
- [SSL-VPN] A working IPv6 SSL-VPN. Currently it is not possible to have a native IPv6 connection to the FortiGate while the tunneled IP addresses are IPv4-only. This is a common requirement for customers since they want a solution for IPv6-only remote users to access their VPN while not deploying IPv6 internally. With FortiGate you must have a dummy IPv6 policy to have the SSL-VPN portal enabled for IPv6 at all, which simultaneously breaks the whole FortiClient connection at all, even for IPv4.
- [USER] The great two-factor authentication, e.g., via SMS, is only working for users with their phone number configured locally on the FortiGate. This feature is not available for users within LDAP groups, even though their numbers are present at the AD. That is, if the 2FA features must be used, every (!) user must be created locally on the FortiGate, too.
- [DNS] The FortiGate can be used as a DNS proxy. It forwards DNS queries to its recursive DNS server. It would be great if it could also do iterative DNS queries with DNSSEC validation. This would increase some kind of security (authentication) for all users behind a FortiGate.
- [CLI] There is not way to find out all internal IP addresses used on hardware interfaces AND virtual/hardware/software switches. The CLI command get system interface can only be followed by physical, hence does not list the switches.
- [CLI] Possibility to ping and traceroute with one single command instead of those shitty “ping-options” or “traceroute-options” subcommands.
- [CLI] Same structure for traceroute and tracert6. Currently, traceroute for IPv4 uses the “traceroute-options” subcommands, while tracert6 for IPv6 uses all arguments in the line such as “-i -m -w host”.
- [GUI] IPv6 settings through the GUI, e.g., router advertisements, DHCPv6, OSPFv6. Currently, only the mere IPv6 address can be entered.
- [GUI] Fields for more than one Syslog server.
- [GUI] The Log Config -> Alert E-mail page is only visible if an SMTP server is specified under System -> Config -> Advanced. This is really confusing when searching after the alert email settings.
- [GUI] The Security Log should be visible anytime, not only after security events. It is confusing that it is hidden by default.
- [GUI] It is great to “select columns to display” within the policies. However, after each logout the columns are set to its default values. Why?
- [GUI] Missing option within the user definition to “Enable Two-factor Authentication” for SMS. This must be done via the CLI. You can configure a SMS number but not enable it for two-factor authentication. Where is the sense?
GUI, GUI, GUI
One of my main problems with FortiGate is the GUI. There are so many features that are not accessible through the GUI. (Even though everything is enabled within System -> Config -> Features.) Some really good technical persons might be able to configure everything through the CLI, but I am selling firewalls to “normal” IT guys that also manage Windows AD, AV, APT, MDM, routers, mail, DNS, end users, etc. Everything that’s not included in the GUI is simply not present.
Fortinet, why aren’t you improving your GUI?
CLI, CLI, CLI
Unfortunately the CLI isn’t better at all. Coming from a really good CLI from Cisco, it’s a huge mess to find your way through those hundred sub-sections and different keywords such as show | get | execute | diagnose. I am completely annoyed.