Fortinet Forum
FG1kc
New Contributor

Features that you would like to see

Why limit to Authentication-based routing? Can't Fortinet have Address-based and Device Identity routing on the policy tab itself rather than putting it on the policy route tab? It would be very nice to have when you're using/have multiple gateways.
Adrian_Lewis

instead of using | grep -2000 <search term>
command | grep -f <search term>
Istvan_Takacs_FTNT

Great, thank you! That helps if I know the value that I'm looking for. How about the command that I could use in 'diagnose' to troubleshoot some issue? # tree diagnose | grep -f bgp node '|' is not found in cmdb
Adrian_Lewis

Not quite what you're looking for but: http://wiki.diagnose.fortinet.com:1080/index.php/Overview
Andre_Backs

I am working with the Webbased Manager for a few weeks now. What I *really* would like to see is a consistent user interface. Example: In "Firewall Objects / Address / Addresses" you can Search and you can Filter. In "Firewall Objects / Virtual IPs / Virtual IPs" you can neither Search nor Filter. And in both views you can't sort, something you can do in "Router / Static / Static Routes" (where incidentally you can't Search). And I would love to see my (column) settings saved on a per-user basis on the device and not by web browser.

ABB@ProBiblio Fortigate 200D (slave master)

nothingel
New Contributor III

As others have mentioned, I would like PBR integrated into individual policies. Also, I would like the ability to combine NAT IP pools in policies while also using multiple WAN interfaces grouped into zones with common policies. (I think this has also been mentioned on page 1 of this thread.) Third, I would like a layer 2 VPN (e.g. L2TPv3) so that subnet_A in Site_A is bridged over a VPN to Site_B. I understand this may not be the right answer in every situation and there's gotchas like MTU challenges. However, I've been forced to use a pair of Cisco routers for this functionality and it would have been preferable to use a pair of Fortigates exclusively.
fruit_company

I'd like a firewall policy diagnostic tool. One that detects unused objects, redundant rules (i.e. earlier rule in the stack that permits the same thing), poor choices (any any?), and the like. Cisco has had sanity checking tools for this for a long time. They're not perfect, but they're extremely helpful when their output is taken with a grain of salt. In real life, it's not unusual for an infosec person to find themselves "inheriting" a firewall managed by someone else, some other group, or some company that was acquired. With 60 VLANs and 800+ rules. That have a lot of suckage. Fortinet is offering tools to parse and migrate from Cisco and Juniper that do some of this. How about a tool specific to Fortigate firewalls that audits their rule sets and highlights masked rules and best-practices deviations?
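As an added illustration of the kind of check this post asks for (example code written for this page, not a Fortinet tool or anything the thread says exists), here is a minimal Python audit over a constructed, first-match-wins policy table: it flags redundant rules (an earlier rule with the same action already matches everything), masked/shadowed rules (an earlier rule with a different action swallows the traffic) and any/any accepts. The rule format and the names `audit` and `rule_covers` are assumptions for this example.

```python
import ipaddress

# Constructed sample rule set (not a real FortiGate configuration).
# Rules are evaluated top-down, first match wins, like a policy table.
RULES = [
    {"id": 1, "src": "10.1.0.0/16", "dst": "all", "service": "443", "action": "accept"},
    {"id": 2, "src": "10.1.5.0/24", "dst": "all", "service": "443", "action": "accept"},
    {"id": 3, "src": "all", "dst": "all", "service": "ALL", "action": "accept"},
    {"id": 4, "src": "192.168.0.0/24", "dst": "10.0.0.5/32", "service": "22", "action": "deny"},
]


def _net_covers(outer, inner):
    """True if address object `outer` matches every address `inner` matches."""
    if outer == "all":
        return True
    if inner == "all":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def _svc_covers(outer, inner):
    """Service objects here are a single port string or the wildcard 'ALL'."""
    return outer == "ALL" or outer == inner


def rule_covers(outer, inner):
    """True if every packet matched by `inner` is already matched by `outer`."""
    return (_net_covers(outer["src"], inner["src"])
            and _net_covers(outer["dst"], inner["dst"])
            and _svc_covers(outer["service"], inner["service"]))


def audit(rules):
    """Return findings as (rule id, kind, id of the earlier covering rule or None)."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule["src"] == "all" and rule["dst"] == "all"
                and rule["service"] == "ALL" and rule["action"] == "accept"):
            findings.append((rule["id"], "any-any-accept", None))
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                # Same action: rule never adds anything. Different action: rule is masked.
                kind = "redundant" if earlier["action"] == rule["action"] else "shadowed"
                findings.append((rule["id"], kind, earlier["id"]))
                break  # the first covering rule is the one that actually fires
    return findings


if __name__ == "__main__":
    for rule_id, kind, by in audit(RULES):
        print(f"policy {rule_id}: {kind}" + (f" (covered by policy {by})" if by else ""))
```

On the constructed table this reports policy 2 as redundant with policy 1, policy 3 as an any/any accept, and policy 4 as shadowed by policy 3.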
Jordan_Thompson_FTNT

I'd like a firewall policy diagnostic tool. One that detects unused objects, redundant rules (i.e. earlier rule in the stack that permits the same thing), poor choices (any any?), and the like.
FortiOS already supports some of this today:
* You can see unused objects (addresses, groups, etc) by filtering on the reference counters throughout the GUI
* Unused policies can be tracked by enabling the optional "Last Used" column. This will give you an indication of when the last time the policy was hit (if at all).
I'd be interested in feedback as to how these features can be improved further.
fruit_company

Agreed... and this describes how I painfully, manually go through FW configs to try to clean them up. It's not a big problem when you're talking about a few firewalls with a few dozen normal rules on them. It becomes an issue when you have dozens of firewalls with craploads of VLANs and hundreds of rules on each.
babo
New Contributor

I'd really like to be able to adjust the cookie name for persistence. Lync / Exchange setups require a specific custom cookie name of like MS-WSMAN or something similar. The current Fortigate product seems to let you set up cookies and cookie types, but without being able to adjust the cookie name it really doesn't help much for Microsoft products. It really caught me by surprise on a recent project. http://blogs.technet.com/b/nexthop/archive/2011/11/03/hardware-load-balancer-requirements-for-lync-server-2010.aspx
FlashOver
New Contributor

I would like to have a "time budget" feature to be able to sell time vouchers in hotels for example. And the ability to assign a Dialup VPN configuration to a FQDN like Cisco ASA does it really well.