Support Forum
FlashOver
New Contributor

Wishlist for FortiOS.

Since this board is for wishes for the newer release, I would like to wish for a few things that the competitors (Astaro, WatchGuard etc.) have had since their oldest versions.

1) I would like to copy or clone a policy and not have to create a complete new one every time.
2) The local logging must give the user more information about what happens on the system in real time. You can see far too little. Have a look at Check Point or WatchGuard. At this time you cannot see what's up in your network. Protecting without seeing anything? Time for a live tracker with every piece of information, and without a FortiAnalyzer, which (I think so, from what I saw in the online demo) isn't able to display that information at this time either.
3) A greylisting feature for the antispam defense. Sure, a FG isn't a FortiMail, but every competitor has it and customers like to have it. It should not be hard to implement.
4) An exemption for specific domains (AntiSpam) from a specific AS feature. Maybe the mail server from customer.com isn't working fine and I just want to exempt it from the EHLO check, but the others can stay and be checked.
5) The possibility to add a commercial third-party AV vendor. That is one of the most common things we get back from potential customers, and most of them change to competitors (Juniper for example).
6) Within the SSL portal we would love to see the possibility to set up an external SMS gateway which sends a one-way token via SMS for securing the login page.
7) I'm not sure, but with the latest release we can no longer use the configuration from an 80C on a 111C...? Distribution told us that this has changed in one of the last releases... that is shit if that is the truth... We still haven't had luck with the last two systems and the configuration import between different models. Surely we have changed the ports by hand.
8) The mails the admin gets on some different alerts could be in a better-looking form like HTML or whatever.
9) I would love to copy protection profiles between VDOMs.

If you start with a transparent configuration and move all systems and subnets step by step, you have to create everything new, and you will miss some things at this time... maybe. So, don't bring out so many different models and new special systems; have a look at the market and at smaller but easy-to-implement details which would make life easier!! Surely I know I can do all that with the CLI, but that is neither intuitive nor fast. On the other hand, Fortinet loves its great GUI, so why should we do such simple things on a CLI if there is a basically great GUI? What do other administrators miss most?
rwpatterson
Valued Contributor III

I can hit a couple of these...
ORIGINAL: FlashOver 1) I would like to copy or clone a policy and not have to create a complete new one every time.
You can do that from the CLI with a bit of cut/paste and changing policy numbers. I do it all the time.
5) The possibility to add a commercial third-party AV vendor. That is one of the most common things we get back from potential customers, and most of them change to competitors (Juniper for example).
I would agree with you if the FortiGuard network didn't provide decent A/V capabilities. This would be like buying a Cadillac and throwing in a Lincoln engine....
7) I'm not sure, but with the latest release we can no longer use the configuration from an 80C on a 111C...? Distribution told us that this has changed in one of the last releases... that is shit if that is the truth... We still haven't had luck with the last two systems and the configuration import between different models. Surely we have changed the ports by hand.
Configuration restores between different models were never officially supported. With some file editing it worked, and we were happy. I can't see why it's not working now, unless the firmware versions ARE NOT THE SAME.
So, don't bring out so many different models and new special systems; have a look at the market and at smaller but easy-to-implement details.
Variety is the spice of life. My 2 cents

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
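Bob's cut/paste method, written out as a small script. This is an added example, not code from the post or from Fortinet: it takes the text that `show firewall policy <id>` prints, re-issues it under a free ID, drops attributes that must be unique per object (the `uuid` line newer FortiOS versions add), and refuses an ID that is already in use, because `edit <id>` on an existing policy modifies that policy in place instead of creating a copy. The sample policy text and the set of existing IDs are constructed for illustration. The trailing `move` keeps the copy next to its source, since a newly added policy is appended at the bottom of the top-down matched list.

```python
"""Clone a FortiOS firewall policy from `show firewall policy <id>` output.

Added example; not Fortinet code. The sample policy text and the set of
existing policy IDs below are constructed for illustration.
"""
import re

# Constructed sample: roughly what `show firewall policy 5` prints on a FortiOS 4.x box.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 5
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set profile-protocol-options "default"
        set nat enable
    next
end
"""

# Constructed sample: IDs already present on the unit. Pasting `edit 5` again would
# silently modify policy 5 rather than add a copy of it.
EXISTING_POLICY_IDS = {1, 2, 5, 7}

EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")


def parse_policy(show_output):
    """Return (policy_id, [(attr, value), ...]) from one `show firewall policy N` block."""
    policy_id = None
    attrs = []
    for line in show_output.splitlines():
        m = EDIT_RE.match(line)
        if m:
            if policy_id is not None:
                raise ValueError("expected exactly one policy block")
            policy_id = int(m.group(1))
            continue
        m = SET_RE.match(line)
        if m and policy_id is not None:
            attrs.append((m.group(1), m.group(2).strip()))
    if policy_id is None:
        raise ValueError("no 'edit <id>' line found")
    return policy_id, attrs


def next_free_id(existing_ids):
    """Smallest ID above every ID currently in use."""
    return max(existing_ids, default=0) + 1


def clone_policy(show_output, existing_ids, new_id=None, overrides=None):
    """Build the CLI snippet that adds a copy of the policy under a fresh ID.

    overrides: {attr: value} applied to the copy, e.g. {"service": '"HTTPS"'}.
    Attributes that must be unique per object (uuid on newer FortiOS) are dropped.
    """
    src_id, attrs = parse_policy(show_output)
    overrides = dict(overrides or {})
    if new_id is None:
        new_id = next_free_id(existing_ids)
    if new_id in existing_ids:
        raise ValueError(f"policy {new_id} already exists; 'edit {new_id}' would overwrite it")
    lines = ["config firewall policy", f"    edit {new_id}"]
    for attr, value in attrs:
        if attr == "uuid":
            continue
        lines.append(f"        set {attr} {overrides.pop(attr, value)}")
    for attr, value in overrides.items():  # attributes the source policy did not set
        lines.append(f"        set {attr} {value}")
    lines.append("    next")
    # Policies are matched top-down and a new one lands at the bottom of the list,
    # so place the copy directly after its source to keep the intended order.
    lines.append(f"    move {new_id} after {src_id}")
    lines.append("end")
    return new_id, "\n".join(lines) + "\n"


if __name__ == "__main__":
    _, cli = clone_policy(SAMPLE_SHOW_OUTPUT, EXISTING_POLICY_IDS, overrides={"service": '"HTTPS"'})
    print(cli)
```

Paste the printed block into the CLI, then confirm with `show firewall policy <new id>` that only the intended attributes differ from the source. The duplicate-ID check is the important part of the exercise: without it, a pasted block with the old number is not a clone but an in-place edit of the original policy.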
abelio
Valued Contributor

1) I would like to copy or clone a policy and not have to create a complete new one every time.
Within the GUI, that was available once (3.0 MR4, I guess); it caused more confusion and issues than it apparently solved. Cloning firewall policies with just a click could be error-prone. I agree with you about cloning firewall protection profiles, but for policies I prefer the CLI method Bob referred to.
2) The local logging must give the user more information about what happens on the system in real time. You can see far too little. Have a look at Check Point or WatchGuard. At this time you cannot see what's up in your network. Protecting without seeing anything? Time for a live tracker with every piece of information, and without a FortiAnalyzer, which (I think so, from what I saw in the online demo) isn't able to display that information at this time either.
You can see a lot of things now, through the session and traffic widgets; with WatchGuard or Juniper units (not to mention PIX) you'll also get the same session info, IP based; Analyzer completes the panorama. I agree with you that a more complete view, to catch a bandwidth hog for example, would be necessary. I strongly disagree with your expression 'protection without seeing anything'; you've a lot of things to see within the logs.
3) A greylisting feature for the antispam defense. Sure, a FG isn't a FortiMail, but every competitor has it and customers like to have it. It should not be hard to implement.
I'm not sure whether that feature could push the UTM FortiGate unit to its limits. Greylisting is a session-intensive task; it requires DB storage. FortiGate is a UTM with a lot of services embedded; if spam is the main concern, I'd go for the FortiMail. No other UTM vendor includes such a number of features in a box.
4) An exemption for specific domains (AntiSpam) from a specific AS feature. Maybe the mail server from customer.com isn't working fine and I just want to exempt it from the EHLO check, but the others can stay and be checked.
You can do it with different firewall profiles: one with no EHLO DNS check applied to the firewall policy involving that customer's mail server, and another one with the EHLO DNS check applied to the others.
5) The possibility to add a commercial third-party AV vendor. That is one of the most common things we get back from potential customers, and most of them change to competitors (Juniper for example).
I really doubt that a customer switches to Juniper or another vendor just to follow a specific AV brand... maybe that customer has previous contracts with a third-party vendor and it would save him money; if so, buying AV/IPS isn't mandatory when you buy a FortiGate for medium-sized units (for smaller units, bundled services are the only option).
6) Within the SSL portal we would love to see the possibility to set up an external SMS gateway which sends a one-way token via SMS for securing the login page.
Really specific requirement, AFAIK; maybe you could contact your regional Fortinet SE to post it as a topic for the roadmap.
7) I'm not sure, but with the latest release we can no longer use the configuration from an 80C on a 111C...?
As Bob pointed out, these kinds of things are never supported; migrating configs between different unit models is a manual task to do carefully.
Distribution told us that this has changed in one of the last releases... that is shit if that is the truth...
False; an opportunity to reconsider the skills of that distributor.
!! Surely I know I can do all that with the CLI, but that is neither intuitive nor fast.
The CLI is as intuitive as any other you've the habit of working with on a daily basis; do you think that the Juniper or PIX CLIs are more 'intuitive'?
On the other hand, Fortinet loves its great GUI, so why should we do such simple things on a CLI if there is a basically great GUI?
One possible answer, IMHO: it's not a matter of whether a task is simple or complex that defines whether it will be in the GUI or the CLI; across different firmware releases, it's possible to detect that the more common or frequently used tasks are pushed into the GUI and the more specific or less popular ones are pushed into the CLI.

regards / Abel
daveywavey
New Contributor

To see static reserved icon from address table.
Forti OS 4.0: FLG_100B-v400-build0705 (4.3.7) FWF_80CM-v400-build0665 (4.3.15) Forti OS 5.0: FWF_90D-v500-build0228 (5.0.3)
Geom
New Contributor III

6) Within the SSL portal we would love to see the possibility to set up an external SMS gateway which sends a one-way token via SMS for securing the login page.
What would be nice is if it supported SAML assertions instead, so that you don't have to build this in but can offload it to another service like SecureAuth, MyOneLogin, or Entrust-type products.
Carlos_Menezes
New Contributor

I'd like to see an auto-submit of "unrated" URLs to be categorized by Fortinet support. Att,
Carlos Alfredo Fortigate 600-C, 300-A (4.0MR3-P5)
rwpatterson

ORIGINAL: Carlos Menezes I'd like to see an auto-submit of "unrated" URLs to be categorized by Fortinet support. Att,
The problem with that is, for example, if each person had a private web server, and they all went to it just once, then the dynamic DNS address changed, and they went back.... This would overwhelm the FGT network.... Each private server would have to be re-rated each time. Not efficient. It already takes 24-48 hours to get a new site rated. Imagine the overload then...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
FortiRack_Eric
New Contributor III

6) Within the SSL portal we would love to see the possibility to set up an external SMS gateway which sends a one-way token via SMS for securing the login page.
This is functionality of an external RADIUS server like the Vasco IDENTIKEY server. This functionality should not be in the FortiGate.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
FlashOver
New Contributor

About the SSL portal, I will have a look at an external RADIUS solution; thanks for that. On the other points, just points of view for everyone. But about the greylisting: if that would push the FortiGate unit to its limits, I would like to ask why the Fortinet technical sheets spread into such extreme values. Maybe compare the 310B with the whole portfolio from Juniper and Cisco, for example; they never tell their customers such heavy throughput values or max concurrent connections in their data sheets. So that should not bring the unit to its limit if the values in the data sheet tell the truth. On the other hand, every administrator can use just as much performance as the box can handle... so, you have to buy a bigger one or disable some features. One thing I really miss on FortiGate units... I would like to see each change and restore it if I have made a mistake. At this time I have to put the complete configuration back (yes I know, in the CLI I can change separate parts), but it would surely be a fine thing to see who has changed which policy and so on.
romanr
Valued Contributor

ORIGINAL: FlashOver Maybe compare the 310B with the whole portfolio from Juniper and Cisco, for example; they never tell their customers such heavy throughput values or max concurrent connections in their data sheets. So that should not bring the unit to its limit if the values in the data sheet tell the truth.
That has nothing to do with it! The specs of the FortiGate models with NP2 processors (200B, 310B, 620B and 1240B) are just unique on the market for firewall and IPsec throughput. These processors can't do anything on a higher (content) level! Greylisting would require local storage, so if it were in FortiOS you would need a hard-disk model and additionally quite some memory and processing power on the content level! Additionally, for greylisting to be a serious option, you would need black/whitelisting features AND (what actually kills the idea totally) a recipient verification mechanism up front!!! Fortinet has a really good antispam solution (with FortiMail version 3 at least; 4 is still a bit in beta stage!) which from a price/performance view is far better than the "market leaders" Ironport and Barracuda! The antispam feature in FortiOS actually has a damn low price for what it offers and helps in a lot of situations; if that's not enough, you will need to look for a real antispam solution, and the offering from Fortinet there is FortiMail and not FortiGate!!!
At this time I have to put the complete configuration back (yes I know, in the CLI I can change separate parts), but it would surely be a fine thing to see who has changed which policy and so on.
There are different logging mechanisms (including e-mail) to see WHO has changed which part of the configuration! And if you want to have a complete revision history, FortiManager will provide you with this feature as well.
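The "who changed which policy" question from the post above, worked as an added example (not code from the thread or from Fortinet): FortiOS writes configuration changes as key=value event log records, and a few lines of parsing turn those into a per-administrator change list. The four log lines below are constructed, not captured from a unit; the `user`, `ui`, `action`, `cfgpath`, `cfgobj` and `cfgattr` field names are modelled on FortiOS event logs, but the exact keys vary between firmware versions, so treat them as assumptions to verify against your own logs.

```python
"""Attribute FortiOS configuration changes to administrators from event logs.

Added example; not Fortinet code. The log lines below are constructed; the
field names are modelled on FortiOS event logs but differ between releases.
"""
import re
from collections import Counter

# Constructed sample event log: three config changes and one admin login.
SAMPLE_EVENT_LOG = """\
date=2011-03-14 time=09:12:41 devname=FGT80C logid=0100044546 type=event subtype=system level=information user="admin" ui="GUI(192.0.2.10)" action=Edit cfgpath="firewall.policy" cfgobj="5" cfgattr="service[HTTP->ALL]" msg="Edit firewall.policy 5"
date=2011-03-14 time=09:15:02 devname=FGT80C logid=0100044547 type=event subtype=system level=information user="jdoe" ui="ssh(192.0.2.22)" action=Add cfgpath="firewall.policy" cfgobj="8" msg="Add firewall.policy 8"
date=2011-03-14 time=09:20:17 devname=FGT80C logid=0100032001 type=event subtype=admin level=information user="admin" ui="GUI(192.0.2.10)" action=login status=success msg="Administrator admin logged in successfully from GUI(192.0.2.10)"
date=2011-03-14 time=09:21:00 devname=FGT80C logid=0100044548 type=event subtype=system level=information user="jdoe" ui="ssh(192.0.2.22)" action=Delete cfgpath="firewall.policy" cfgobj="2" msg="Delete firewall.policy 2"
"""

# key=value pairs; a value is either a bare token or a double-quoted string that
# may contain spaces and backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def config_changes(log_text):
    """Keep only event records that describe a configuration change (they carry cfgpath)."""
    changes = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("type") == "event" and "cfgpath" in rec:
            changes.append({
                "time": f'{rec.get("date", "")} {rec.get("time", "")}',
                "user": rec.get("user", "?"),
                "source": rec.get("ui", "?"),        # GUI/ssh/console plus client address
                "action": rec.get("action", "?"),    # Add / Edit / Delete
                "object": f'{rec["cfgpath"]} {rec.get("cfgobj", "")}'.strip(),
                "detail": rec.get("cfgattr", ""),    # old->new value where the log has it
            })
    return changes


def changes_by_user(log_text):
    """Number of configuration changes per administrator account."""
    return Counter(c["user"] for c in config_changes(log_text))


def changes_to(log_text, cfgpath_prefix):
    """Changes whose object path starts with cfgpath_prefix, e.g. 'firewall.policy'."""
    return [c for c in config_changes(log_text) if c["object"].startswith(cfgpath_prefix)]


if __name__ == "__main__":
    for c in config_changes(SAMPLE_EVENT_LOG):
        print(f'{c["time"]}  {c["user"]:<6} {c["source"]:<18} {c["action"]:<6} {c["object"]}  {c["detail"]}')
    print(dict(changes_by_user(SAMPLE_EVENT_LOG)))
```

The attribution is only as good as the accounts behind it: if every administrator logs in as `admin`, the `user` field tells you nothing, so give each person a separate administrator account and ship the event logs off-box (syslog or FortiAnalyzer) so that the record of a change cannot be removed by the same account that made it.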