RE: Features that you would like to see (in reply to emnoc)  quote: I agree on diff, the lack of a configuration diff on appliance is really bad. Fortinet approach has been to use the fortimanager, but that' s not a easy to sale devicve. I guess for now you have to dump the config and do it old fashion way This can be done directly from the FortiGate on many models. On the main dashboard on the GUI, click on " Revisions" on the " System Configuration" line in the " System Information" widget. You can do a highlighted diff of historical versions of your configuration, and restore it. quote: What would be a great tools wizzard for building vpn between fortigate and some other devices or another fortigate. Juniper has start their own and I' m really surprised that wiith all of the VPN problems person encountered, that fortinet has made a simple vpnwizzard builder as a onboard wizzard or a website tool. There is a simple VPN wizard available in FortiOS 5.0 and 4.3. Several types of tunnels can be created, including iOS. In the next release, this feature will be significantly better. Are there any particular VPN configurations that you' d like to see supported in a wizard?  

WFIW: The system revison tool, is not very usefull nor automated by any means. On the VPN wizard, a wizard should be allowed for crafting all types of VPNs and not just remote-access. Fortinet could also build a tool for lan2lan vpns to include fortigate2fortigate and fortigate2" <non-fortigate+common firewalls >" I' m really surprised, that nobody has came close to doing this outside of Juniper e.g https://i2j.juniper.net/greenfield/jsp/index.jsp https://www.juniper.net/customers/support/configtools/vpnconfig.html IMHO, 90% of the fortigate VPN configuraton problems could vanish, if a simple vpn automation tool was to be crafted. Even cisco vpn wizard is slightly better than fortinet imho to some degree , and they had it out much longer than fortigate but it too lack vpn confgurations to a non-cisco-device. I really think somebody should build something that works off this guy example, but make it device selectable. e.g http://sheeponline.net/onlinetools/asa-l2l-vpn VPNs are not that hard to build, but most fwadmin dont do enough of them and lack WTF. Nor do they know every other firewall type out in the market and that other remote fwadmin is probably in the same boat ( doesn' t do enough of them on a regular basis, nor does he/she WTF,etc.....) So a tool that covers fortigate to ciscoASA, ciscoIOSrouter,checkpoint,juniper,etc..... would be very beneficial.

Better CLI features like Juniper has. For example a compare and rollback feature. AND the ability for better filtering with grep, include and greping grep outputs again. Maybe also to possibility to push a complete configuration entry within one vewer lines like " show configuration display set" from JunOS.

and a small local CA server - maybe limited to 10 users. At the moment we have to set up an external one even for really small users. I know, that' s a ressource consuming feature but hey, users do not have to use it if they don' t need / like it.

Port knocking to allow dynamic whitelisting of IP' s that need access to SSH or other outside ports on the firewall.

ORIGINAL: billp Port knocking to allow dynamic whitelisting of IP' s that need access to SSH or other outside ports on the firewall.

+1 for this...

Multiple assignement for a single FortiToken to an admin account and a normal user account at the same time. Because the admin user is also a normal user. At the moment, the user have to carry two token. http://support.fortinet.com/forum/tm.asp?m=105153&p=1&tmode=1&smode=1

OpenVPN flavoured SSL-VPN support. Replacing VPN clients on road-warrior laptops is a long and tedious process so support for OpenVPN would allow earlier retirement of those old *BSD and *nix boxes out there.

Allow console settings per user or similar, currently a single system setting. Specifically, allow various settings of output standard | more. So FortiManager logs in and has console output standard and some human logs in (me, perhaps) and has console output more.

FSSO should be more compatible with non-windows system in Active Directory. We have few linux that are in Active Directory. User logon is well detected by FSSO (poll method). But the status become " not verified" after few minutes. Linux doesn' t have registry accessible by 139 and 445 ports . I know keep alive (workstation verify interval) checking can be stopped (->0), but it is a good feature to avoid ghost sessions. And the ' Dead entry timeout interval' is brutal if the verification is not done. So, it would be good to have a way to do differently this verification. Like a ssh request or a script to launch ( example : who |grep <connected user>)...