Fortinet FortiOS Software
Network Security Operating System

Fortinet FortiOS 5

 

Overview:

The World’s Most Advanced Security Operating System

FortiOS is a security-hardened, purpose-built operating system that is the foundation of all FortiGate® platforms. FortiOS 5 software leverages the hardware acceleration provided by custom FortiASIC™ processors, delivering the most comprehensive suite of IPv6-ready security and networking services available within a single device.

Complete Security
Fortinet designed and built FortiOS 5 to deliver the advanced protection and performance that standalone products simply cannot match. The services work together as a system to provide better visibility and mitigation of the latest network and application threats, stopping attacks before damage can occur.

Unmatched Performance
FortiOS 5 enables high performance, ultra low latency multi-threat security by leveraging the hardware acceleration provided by purpose-built FortiASIC processors. This combination of custom hardware and software gives you the best security and performance possible from a single device.

Unique Visibility and Control
Advanced security features such as Flow-based Inspection and Integrated Wireless Controller capability allow you to monitor and protect your network from endpoints to core, and from remote offices to headquarters, for wired and wireless traffic. FortiOS allows greater traffic visibility and more consistent, granular control over users, applications and sensitive data.

Increased Simplicity
FortiOS 5 lowers costs and reduces IT staff workloads. Physical or virtual FortiGate appliances give you the flexibility to match your security to your environment while enforcing a uniform security policy. Single pane of glass management and centralized analysis ensure consistent policy creation and enforcement while minimizing deployment and configuration challenges.

More Security, More Control, More Intelligence

Building on our history of innovation, FortiOS 5 includes over 150 new features and enhancements to help you fight advanced threats, securely integrate mobile devices and build smart policies.

More Security

More Security - Fighting Advanced Threats

  • Client Reputation: Signature-based security isn’t enough anymore. You need to understand how the devices on your network are behaving. Client Reputation gives you a cumulative security ranking of each client device on your network based on a range of behaviors. It provides specific, actionable information that enables you to identify compromised systems and potential zero-day attacks in real time.
  • Advanced Anti-malware Detection System: A new advanced anti-malware detection system adds an on-device behavior-based heuristic engine and cloud-based AV services that include an operating system sandbox and botnet IP reputation database. Together with superior industry-validated AV signatures, FortiOS 5 delivers unbeatable multi-layered protection against today’s sophisticated malware.

More Control

More Control - Securing Mobile Devices

You can secure your mobile device and BYOD environments (including iOS®, Android® and Windows® clients) by identifying devices and applying specific access policies as well as security profiles, according to the device type or device group, location, and usage.

More Intelligence

More Intelligence - Building Smart Policies For Smart Security

FortiOS 5 gives you intelligent, automatic adjustment of role-based policies for users and guests based on location, data, and application profile. Enhanced reporting and analysis provides deeper insights into the behavior of your network, users, devices, applications and threats.


Key FortiOS Features:

With over 40 new features, Fortinet engineers have enhanced virtually every aspect of the operating system, including the addition of two distinct services, Data Leakage Prevention and WAN Optimization, which have previously been available as standalone products only. Other features extend existing services, such as an identity-based policy feature, which allows the FortiGate’s firewall policies to be defined by user or group. Multiple enhancements to the existing intrusion prevention service allow passive IDS support, and also make the intrusion prevention service IPv6 ready.

  • Client Reputation Analysis
  • Extended Single Sign-On
  • On-Device Sandbox
  • Cloud-Based Sandbox
  • Per-Device Security Policies
  • Secure Guest Access
  • Enterprise-class Firewall
  • VPN - IPSec and SSL
  • SSL-encrypted Traffic Inspection
  • Antivirus / Antispyware
  • Antispam
  • Intrusion Prevention System (IPS)
  • Data Loss Prevention (DLP)
  • Flow-based Inspection Options
  • Web Filtering
  • Application Control
  • Endpoint Network Access Control (NAC)
  • Vulnerability Management
  • Monitoring, Logging and Reporting
  • WAN Optimization
  • Wireless Controller
  • VoIP Security
  • Central Management
  • Virtual Domains
  • High Availability
  • Layer 2/3 Routing Services
  • FortiGuard Security Updates
  • IPv6-Ready

Fighting Advanced Threats:

Cybercriminals today are organized, sophisticated and have powerful resources at their fingertips. In most cases, attacks are initiated with specific targets and objectives in mind. The aim is to infiltrate hosts in networks and steal valuable data. The data may be personal information, accounts or intellectual property. This information can be used for future attacks (second stage) to further penetrate networks.

These attacks are often crafted to evade common traditional security tools, such as firewalls, intrusion prevention systems and antivirus gateways. This is referred to as advanced evasion techniques, or AETs. They're low-profile, targeted and stealthy, avoiding notice and suspicion. These threats are a combination of malware – executable code running on the attack target – and exploits for vulnerabilities, weaknesses on a system. These exploits can attack what is known as a zero-day vulnerability, a software flaw to which there is no patch, update or fix. These attacks usually cannot be detected by signature-based filters that compare them to known attacks. Other advanced threats include spearphishing, impersonation and polymorphic malware.

Threats that we see today typically adopt a six-stage lifecycle:

  1. Reconnaissance
    Unlike typical malware infiltration, advanced threats either perform initial probes towards targets or collect information about them by various means, such as phishing, social engineering or obtaining intel from other infected hosts.
  2. Infiltration Vector
    Armed with relevant information, these threats infiltrate their targets in various ways – these are also known as attack vectors. Think of these vectors as things like phishing emails, malicious flash (SWF) or PDF documents, malicious websites that attack flaws in browsers like Internet Explorer or Firefox. Phishing emails can be targeted and very convincing, with the goal to get the victim to click on a malicious link or open an attachment. These are known as spear phishes.
  3. Host Infection
    To evade traditional security systems, malware transmissions are typically encrypted and arrive via unexpected routes like corporate email with a file share invitation or a prompt for software updates from an impersonated site. There are many tricks that modern malware employ, including security software evasion – code specifically designed to destroy antivirus processes running on the system. Another trick is polymorphism, code that shifts shape constantly to escape signature-based antivirus detection.
  4. Malware Action
    Once the malware is installed, it often attempts to initiate a call back, using common transmission methods that are allowed by typical security policies. Otherwise, it keeps a low profile, generating no activities that are likely to be noticed. It remains in sleep mode, awaiting further instructions. Increasingly, malware is aware of its environment and won't allow itself to be detected in a virtual machine sandbox.
  5. Exfiltration Vector
    The exfiltration usually involves the surreptitious delivery of stolen data via often encrypted but common channels, such as HTTPS, back to the command center or to another compromised system controlled by cybercriminals.
  6. Further Exploitation
    With successful communication links between the command center and the compromised hosts, further exploitation is easy to accomplish. These malicious acts include attempts to access materials the host has connection to, such as documents on servers, cloud-based applications and database credentials.

Best Practices against new advanced Threats: Advanced Persistent Defence

In order to defend against advanced threats, organizations must update and adjust existing network security and adopt new security implementations.

The challenge is to add protection to the network without straining budgets, resources or performance. The components of a comprehensive approach are:

  • Multi-layer Defense System
  • Multi-pass Anti-Malware Protection
  • Integrated Systems & Security Tools

Multi-layer Defense System
Next generation threats use multiple vectors of attack to exploit weak defenses, avoid detection and increase the odds of penetration.

To detect these threats, organizations can no longer simply rely on a single solution; multiple layers of defense are needed to fill possible network security gaps. Multi layer defense seeks to detect polymorphic malware, prevent receipt of phishing emails, block connection to compromised websites, and deny malware access to its command channel.

Multi-pass Anti-Malware Protection
Detecting and blocking stealthy malware is becoming more challenging. Much malicious code is now designed to evade traditional signature-based filters. Although antivirus signatures remain a critical part of the solution, new proactive real-time technologies that don't rely on signatures are necessary for air-tight protection. An intelligent virus inspection engine is key to proactively detecting these threats.

Cloud-based services with real-time databases and robust processing resources are also an important component.

Integrated Systems & Security Tools
Cybercriminals no longer work alone. They use coordinated expertise and share resources, producing disparate components that challenge many typical network security implementations. It's difficult to collate information to identify and deter these advanced threats.

It's important to integrate security components in the network, including threat and network activity correlations. Deploying an integrated security platform can yield even more benefits, like efficient traffic processing, with better network performance and low-latency communications.

There should be abilities to correlate threat landscape information, enabling administrators to use a cumulative security ranking of network terminals to spot suspicious activities that might evade detection in a typical isolated setup. This client reputation capability allows administrators to detect signs of advanced threats within their networks and set up appropriate responses. Most malicious infections are the result of exploits on vulnerable hosts, particularly those with out-of-date operating systems and application patches, weak passwords or poorly configured security settings. Vulnerability scans are one of the most useful tools against these threats, identifying weaknesses before the bad guys do.
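The correlation idea above can be shown with a small scoring routine. This is an added example, not Fortinet's code or scoring model: the event weights, threshold, log format and log lines are all constructed assumptions. It shows a client that no single sensor would flag on its own but that crosses the threshold once events from every sensor are summed.

```python
"""Cumulative client reputation scoring across several sensors (added example)."""
from collections import defaultdict

# Assumed per-event weights and threshold: illustrative values only,
# not the scoring used by FortiOS.
WEIGHTS = {
    "botnet_ip_hit": 40,     # connection to a blacklisted command-and-control IP
    "ips_alert": 30,
    "malware_blocked": 30,
    "webfilter_block": 10,
    "failed_connection": 2,
}
ALERT_THRESHOLD = 50
WINDOW_SECONDS = 3600

# Constructed log lines: "<epoch> <sensor> <client_ip> <event_type>"
SAMPLE_LOG = """\
1699990000 webfilter 10.0.0.40 webfilter_block
1700000100 webfilter 10.0.0.23 webfilter_block
1700000160 firewall 10.0.0.23 failed_connection
1700000161 firewall 10.0.0.23 failed_connection
1700000162 firewall 10.0.0.23 failed_connection
1700000400 webfilter 10.0.0.40 webfilter_block
1700000900 ips 10.0.0.23 ips_alert
1700001200 botnet 10.0.0.51 botnet_ip_hit
1700001500 webfilter 10.0.0.23 webfilter_block
1700001800 firewall 10.0.0.23 failed_connection
1700002000 botnet 10.0.0.51 botnet_ip_hit
1700002100 firewall 10.0.0.23 failed_connection
this line is malformed and is skipped
"""
SAMPLE_NOW = 1700003600


def parse_events(text):
    """Return (timestamp, sensor, client, event_type) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, sensor, client, kind = parts
        events.append((int(ts), sensor, client, kind))
    return events


def score_clients(events, now, window=WINDOW_SECONDS):
    """Sum weights per client and per sensor for events inside the time window."""
    per_sensor = defaultdict(lambda: defaultdict(int))
    for ts, sensor, client, kind in events:
        if not (now - window <= ts <= now):
            continue  # too old (or in the future): does not count
        per_sensor[client][sensor] += WEIGHTS.get(kind, 0)  # unknown types score 0
    return {client: dict(by_sensor) for client, by_sensor in per_sensor.items()}


def rank(scores):
    """Rank clients by cumulative score and compare with a per-sensor view."""
    rows = []
    for client, by_sensor in scores.items():
        total = sum(by_sensor.values())
        rows.append({
            "client": client,
            "total": total,
            # Correlated view: all sensors contribute to one score.
            "cumulative_alert": total >= ALERT_THRESHOLD,
            # Isolated view: each sensor only sees its own events.
            "isolated_alert": any(v >= ALERT_THRESHOLD for v in by_sensor.values()),
        })
    return sorted(rows, key=lambda r: (-r["total"], r["client"]))


def missed_in_isolation(rows):
    """Clients that only the correlated score flags."""
    return [r["client"] for r in rows
            if r["cumulative_alert"] and not r["isolated_alert"]]


if __name__ == "__main__":
    ranked = rank(score_clients(parse_events(SAMPLE_LOG), SAMPLE_NOW))
    for row in ranked:
        print(row)
    print("flagged only by correlation:", missed_in_isolation(ranked))
```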

How FortiOS 5 fights next generation threats

FortiOS 5 has enhanced anti-malware capabilities, including file analysis with intelligent sandboxing and a botnet IP blacklist. We introduced the patent-pending client reputation system to assist administrators in protecting their networks with advanced analytics and controls.

FortiOS 5 includes:

  • AV Signatures
    Detect and block known malware and most of its variants. Highly accurate with few false positives. The signature approach is backed by a sophisticated antivirus engine that can detect polymorphic malware. In fact, the signatures are quite intelligent. For example, one single signature can detect over 50,000 polymorphic viruses in some scenarios.
  • Behavioral and attribute-based heuristic detection
    Detects and blocks malware based on a scoring system of known malicious behaviors or characteristics. This detects malware that doesn't match a signature, but behaves similarly to known malware. Used to flag suspicious files for further analysis, either local or cloud based.
  • File Analysis
    Detects new threats by running suspicious files in a contained emulator to determine whether they're malicious. This technique is resource-intensive and may impact performance and latency while increasing visibility for zero-day or previously unknown threats. Modern malware is written to detect such analysis machines; however, Fortinet's file analysis engine has lots of technology built in to defeat these countermeasures that cyber criminals employ.
  • Application Control
    Detects and blocks known botnet activities by examining traffic that passes through the gateway. Also effective in preventing zombies from leaking data or communicating instructions. This is known as chatter. By identifying and blocking chatter, these threats are mitigated since it doesn't matter what URL, domain, or IP the infected host is trying to connect to.
  • Botnet Servers Blacklist Filter
    Detects and blocks known botnet command and control communication by matching against blacklisted IP addresses. Stops dial-back by infected zombies.

FortiGate AV Engine 2.0
The new engine is designed to detect and block today's advanced threats. It provides inline file processing capability that utilizes the FortiGate's hardware acceleration component.

  • Signature Match Processor
    The signature match processor uses the unique and patent-pending Compact Pattern Recognition Language (CPRL), which is optimized for performance without compromising accuracy. With CPRL, a single signature is able to cover well over 50,000 different viruses, including zero-day virus variants as previously mentioned. The processor also performs blacklisted file checksum matching for common large-volume static malware. To achieve this, FortiGuard analysts go through intensive training to write optimized CPRL signatures.
  • Decryption/Unpacking System
    Most modern malware is compressed or encrypted to evade traditional file matching systems. This system unveils the actual content for further analysis to detect stealthy polymorphic malware. Think of it as matching the inner components, or true DNA of a virus.
  • Local Sandbox
    This system consists of various OS-independent emulators and uses intelligent filetyping to execute suspicious codes, such as malware that uses JavaScript obfuscation.
  • Behavior Analysis Engine
    This heuristic engine performs behavioral and attribute-based analysis to detect zero-day malicious code for further analysis. It looks at the intent of a virus – what is it trying to do based on the executable code that is analyzed by the engine.

New FortiGuard Services
The new FortiGuard services are cloud-based capabilities that enhance the detection and provide real-time protection against next-generation threats. Unlike some competitors' solutions, file submissions to FortiGuard services are minimal since the in-box local engine captures most malware.

  • Cloud Based Sandbox Environment & File Analysis
    The sandbox environment consists of various operating system simulators that execute suspicious programs and compute a Bayesian score based on lists of activities and attributes. FortiGuard antivirus researchers are based around the world, providing 24x7 round-the-clock malware analysis. New viruses and variants are examined to provide accurate detection, reduce false positives and discover new evasion techniques. When these techniques are discovered, researchers work side by side with Fortinet development to build in the appropriate technology to defeat evasion techniques.
  • Database Updates
    Up-to-date signatures are essential in stopping malicious activities in the network. Apart from regular antivirus, intrusion prevention systems and application control signatures, FortiOS 5 introduces a new botnet blacklist database. With this new database, users will be able to prevent zombies in the network from communicating to botnet servers.

Conclusion

With FortiOS 5, Fortinet has taken the fight against advanced threats to a new level, breaking the lifecycle of today's malware to ensure comprehensive security without compromising performance.

Securing Mobile Devices:

Organizations are increasingly dependent on mobile information technology in every activity. Employees rely heavily on more and more portable network devices that allow them critical flexibility to roam for increased productivity. But mobile devices put networks at increased risk of data leaks and exposure to malicious infection.

The BYOD phenomenon

BYOD (bring your own device) started out as an informal trend that saw staff using smartphones and tablets in the workplace to access privileged internal resources. These devices rely heavily on network connectivity for many of their functions and applications.

However, it quickly evolved to include a broader phenomenon of the use of a variety of devices in the workplace that aren't controlled by the corporation that hosts them.

Employees like bringing their own devices for the familiarity, ease of use and, by extension, access to the organization's applications. Companies embrace BYOD because it allows employees increased mobility, higher job satisfaction and greater efficiency and productivity.

Although BYOD brings new advantages to the workforce, it also brings its fair share of challenges. Many of these challenges revolve around security. The most significant problem for IT departments is the lack of visibility and control of these devices.

Unmanaged devices
These are typically wifi devices brought in by employees. Users access the network, logging in on their smartphones, tablets or laptops with their usual credentials, but the devices can evade security policies because they're not a formal part of the enterprise's managed environment. Yet installing a host agent to manage these devices can be unwelcome and intrusive to the owner of the device. And, unlike corporate equipment, personal mobile devices often run on different operating systems (and many different versions of operating systems), making the installation of a host agent difficult, if not impossible.

Personal devices can also add to network misuse, with applications such as internet radio and video streaming.

Corporate mobile devices
These are portable devices issued by the corporation, so they're more likely components of the managed network environment than purely personal devices. But when they're out of the corporate network, they're out of the range of the security policy enforced by the security gateway.

In both cases, mobile devices can be lost or stolen. Without proper control, they can also be used to leak corporate data, inadvertently or maliciously.

How FortiOS 5 secures mobile devices

There are three elements to the FortiOS 5 solution for securing mobile devices: identification, access control and security application.

Device identification
FortiOS 5 identifies all devices, wired and wireless, and their operating systems in two ways:

  1. Agentless detection
    Agentless detection identifies devices that log on to the network without requiring additional software on the devices themselves. It utilizes a broad range of measures to accurately determine device type, with traditional TCP and MAC vendor code fingerprinting, the use of DHCP attributes, and application layer analysis including HTTP user agent and SIP message parsing. These measures can be updated via our FortiGuard network as the device landscape evolves.
  2. Agent-based identification
    For agent-based identification, FortiClient is installed on devices to feed information directly to FortiOS. This technique is the most reliable and allows identification even when the devices are on remote networks.

Access control

After devices are identified, they're automatically assigned to device groups according to type and OS. Administrators also have the ability to create custom groups for policy enforcement.

Security Application
The administrator can then control access and assign security profiles based on device groups or individual devices. These profiles include web content filtering and application control.

For example, a school can set policies where teachers can access server resources, while students only access permitted areas of the Internet, avoiding plagiarism sites and other inappropriate content. In addition, to prevent bandwidth abuse, students are blocked from streaming multimedia. Or a corporation that uses contractors on its guest network can allow their devices access to project-specific resources while allowing only internet access to other guests.

Device contextual information for visibility
Device identification also allows the FortiGate to provide new contextual information in status widgets and logs. This allows administrators to better understand their network posture and identify problem spots quickly.

Endpoint control with off-net protection

When mobile devices leave the local network and go "off-net", they're no longer protected by a security gateway. The tight integration between FortiClient and FortiOS provides off-net protection, reducing corporate vulnerability to malware infection and data leaks and enforcing corporate access policies. Adopting endpoint control allows users not only to bring their own devices, but to take their security policy home.

Web filtering, for example, can block malicious and phishing sites even when the user is telecommuting or web browsing. The user can access the Internet safely anywhere without needing a VPN. When a VPN is required to connect to corporate resources, FortiOS distributes new VPN configurations to roaming devices.

Synchronizing fixed and mobile security policies allows the simple implementation of updates and modifications to ensure up-to-date protection.

Conclusion

The combination of FortiClient and FortiOS 5 provides a powerful solution ensuring the most appropriate level of security is present on all devices, at all times, in all places.

Making Smart Policies:

Today, the network is everywhere, and with it, the expectation of continuous connectivity. But to maintain security, organizations demand more visibility and control. Control of what applications are accessed, from where, when and by whom. Traditionally, IT departments have tried to solve this complex problem with more complexity.

Taming the complexity of security policies

Administrators have typically created policies with precise granularity to yield more secure networks. But policy accumulation and complexity is a problem. As a security gateway sits in the network for years, rules are constantly added but seldom removed. The risk increases as the "holes" get bigger; complexity increases and control decreases. Security is breached.

Administrators find it increasingly hard to understand the security that's actually being implemented by this bloated set of security policies. A complex system is a fragile one.

An oversized policy list also makes troubleshooting difficult. Administrators have to spend more time examining how traffic is affected by the rule set. Unfortunately, this also results in even more unnecessary ad-hoc or "hot patch" rules, further decreasing security.
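The accumulation problem described above can be audited mechanically. The following is an added example, not Fortinet tooling: it assumes first-match, top-down rule evaluation and uses a constructed rule list with a hypothetical `Rule` structure. It reports rules that can never match because one earlier rule already covers them, and checks that removing them leaves traffic decisions unchanged.

```python
"""Find firewall rules that can never match in a first-match rule list."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:                 # hypothetical structure for this example
    rule_id: int
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: tuple            # inclusive (low, high) TCP port range


# Constructed rule list, in evaluation order (top-down, first match wins).
SAMPLE_RULES = [
    Rule(1, "allow", "10.1.0.0/16", "10.9.0.0/24", (443, 443)),
    Rule(2, "deny", "10.1.5.0/24", "10.9.0.0/24", (443, 443)),   # added too late
    Rule(3, "allow", "0.0.0.0/0", "10.9.1.10/32", (80, 443)),    # broad hot patch
    Rule(4, "allow", "10.2.0.0/16", "10.9.1.10/32", (443, 443)),
    Rule(5, "deny", "0.0.0.0/0", "0.0.0.0/0", (1, 65535)),
    Rule(6, "allow", "10.3.0.0/16", "10.9.2.0/24", (22, 22)),    # below deny-all
]


def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    e_src, l_src = ipaddress.ip_network(earlier.src), ipaddress.ip_network(later.src)
    e_dst, l_dst = ipaddress.ip_network(earlier.dst), ipaddress.ip_network(later.dst)
    if e_src.version != l_src.version or e_dst.version != l_dst.version:
        return False  # IPv4 and IPv6 rules never cover each other
    return (l_src.subnet_of(e_src) and l_dst.subnet_of(e_dst)
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])


def audit(rules):
    """Return (dead_rule_id, covering_rule_id, kind) for rules that never match.

    kind is "redundant" when both rules take the same action and "shadowed"
    when they differ, which means the later rule's intent is silently ignored.
    Only coverage by a single earlier rule is detected, not by a union of rules.
    """
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.rule_id, earlier.rule_id, kind))
                break
    return findings


def prune(rules):
    """Drop rules that audit() proved unreachable."""
    dead = {rule_id for rule_id, _, _ in audit(rules)}
    return [r for r in rules if r.rule_id not in dead]


def decide(rules, src_ip, dst_ip, port):
    """First-match evaluation; returns (action, rule_id). Implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action, r.rule_id
    return "deny", None


if __name__ == "__main__":
    for dead, by, kind in audit(SAMPLE_RULES):
        print(f"rule {dead} is {kind} by rule {by}")
```

The "shadowed" findings deserve review before deletion: rule 2 shows a deny that was meant to block a subnet but never takes effect because a broader allow sits above it.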

How FortiOS 5 can help set up smart policies

FortiOS 5 makes policy creation easier and more efficient.

Policy Consolidation
Traditionally, network access policies are configured separately from other security policies, very often on separate systems.

FortiOS 5 implements comprehensive user authorization technologies so administrators can configure access policies along with security policies. Network access can be configured for wireless and wired networks, supporting a variety of entry modes such as captive portals and 802.1x.

The ID-based policies of FortiOS 5 provide an authorization model which, after successful authentication, determines where you can go, what applications you can use and what information you can access.

The system seamlessly determines which destinations, services, applications and profiles are applied. Depending on the ingress interface a user logs into (for example, a wireless LAN in the lobby or on the wired desktop), different policies can be intelligently assigned.

Reusing user credentials with a single sign-on

FortiOS 5 FSSO (Fortinet Single Sign-On) framework provides a single sign-on from a diverse range of authentication environments, allowing you to use and reuse credentials. This includes:

  • Windows AD
  • External RADIUS authentication
  • Citrix/terminal service
  • Network access via 802.1x, WEP, captive portal, etc.
  • FortiClient single sign-on

Complex implementations simplified
Traditionally, some security implementations require complex setup and configuration. FortiOS 5 simplifies them.

  1. Guest Access
    Temporary secured network access for guests is essential. FortiOS 5 makes it easy by providing:
    • Integrated guest administration portal for personnel such as a receptionist who provides guest access.
    • Random credential generation so that every guest can be uniquely identified.
    • Time quota to ensure guest access expires appropriately, preventing unnecessary exposure.
  2. Dynamic Remote VPN
    Client VPN provisioning and setup has been a constant challenge to administrators. FortiOS 5 makes setup easier and more secure by reducing the potential for misconfiguration. With tight FortiClient integration, SSL and IPSEC client configurations can be provisioned and updated easily. FortiClient also now includes enterprise VPN capabilities such as auto redundant VPN gateway selection.

Providing deep knowledge for administrators
FortiOS 5 provides detailed visibility, critical in helping administrators quickly understand network and system status, configurations and threats.

Comprehensive contextual and unified information is now available on status widgets, logs and reports. This includes information such as:

  • Device identity, operating system and hostname
  • Identity of user and user groups
  • Pop-up information from our FortiGuard Threat Encyclopedia
  • Applications, their category and risk type

Conclusion

Smart policies break the spiral of increasing complexity by unifying access and security policies, providing a powerful and accurate tool for the security administrator.

Specifications:

FortiGate—Purpose-Built Hardware, Software, and Services

FortiGate platforms are based on an integrated hardware, software, and services architecture specifically designed for improved security and performance in perimeter, core, and data center environments. The FortiASIC™ Content Processor (CP) is a key component in FortiGate security platforms, providing a hardware scanning engine, hardware encryption, and real-time content analysis processing capabilities. The FortiASIC Network Processor (NP) series of processors provides acceleration for firewall, encryption/decryption, signature and heuristic packet scanning, and bandwidth shaping. FortiOS security applications can be selectively enabled to provide a full suite or a unique set of security services all within a single platform. The FortiGuard™ network dynamically updates system software and security services such as antivirus, antispam, Web filtering, antispyware, and intrusion prevention to ensure the maximum level of protection is being provided.

FortiOS Security Services:

System Administration:

  • Support configuration from Android & iOS devices through USB interface with FortiExplorer App
  • Web-based Manager filtering & Columns improvements
  • New option to format boot device before firmware update
  • New CLI command to set factory default except VDOM/ interface settings
  • Ability to disable the console login
  • SNMP trap for FortiAP or FortiSwitch events
  • SNMP implementation for Intelligent Platform Management Interface (IPMI) sensor
  • SNMP Extensions for BGP
  • Simplify GUI for FortiGate/FortiWiFi 20C and 40C
  • Set DHCP options to get TFTP server IP and config file name to restore the configurations
  • New setup wizard, included for all 1U models
  • Central management configuration improvement
  • Improved support for long hostnames in the CLI prompt

Visibility:

  • Additional dashboard Widgets
  • New & expanded Real-time Sessions Widgets
  • Contextual Information: Device, OS, User, destination hostname & geographic visibility
  • Unit operation widget on FortiGate 600C, 800C, and 1000C
  • Display threat information from FortiGuard Encyclopedia

FortiGuard Services:

  • FortiGuard Real time GeoIP updates
  • FortiGuard SMS messaging service
  • FortiGuard NTP & DNS Service
  • FortiGuard DDNS Service
  • FortiGuard USB Modem DB updates
  • FortiGuard Device/OS Visibility signature updates
  • Device based licensing for FortiCloud Service

Routing & Network Services:

  • Support Spanning Tree Protocol (STP) for FortiGate Switch Mode interfaces
  • Support Virtual Switch & Hardware Switch feature
  • Switch port extensions
  • Switch Fabric access control list (ACL)
  • WCCP L2 mode
  • Support per VLAN MTU setting
  • SSH handover support
  • Option to restrict the number of IP addresses that can be leased to the same MAC address
  • BGP AS-Path rewrite
  • Increased Router Policy limit
  • Dynamic cost of LAG interface
  • DNS service profile
  • Authentication-based routing

High Availability:

  • Fortinet redundant UTM protocol (FRUP)
  • Support configuration synchronization in standalone mode
  • SSL-VPN authentication high availability (HA) failover support

User Based Identity:

  • Access Based SSO using 802.1x, Captive portal & FortiClient VPN
  • Citrix & terminal services SSO Agent
  • RADIUS-based SSO (Dynamic Profile)
  • Support for secondary/backup remote authentication server
  • Direct FSSO Polling Mode from FortiGate
  • Support dynamic-profile for SSH proxy
  • HTTP-only authentication over HTTPS channel
  • Guest access provisioning

OTP Token Server:

  • Secure OTP seed import
  • Soft Token Activation & Management
  • JSON API for token support

Device Based Identity:

  • Device identification
  • Device type/group classification & management
  • Device based security policy

Endpoint Control:

  • FortiClient ubiquitous authentication
  • FortiClient Registration & Management
  • Captive Portal for Endpoint control client checking & install
  • FortiClient configuration provisioning for "off-net" security enhancement
  • Support device based policy on remote location & routed network
  • Endpoint Logging

Client Reputation:

  • Multi-vector scoring
  • Real-time client reputation monitoring

User Notification:

  • Fortinet Top Bar

Firewall:

  • Reorganized service items
  • Policy list enhancement
  • Mac address access list
  • Web-based manager support for multicast policy and multicast address
  • Dynamic comment field
  • GeoIP override
  • Improvements to support asymmetric traffic flows
  • IP fragment and NAT enhancements
  • IP pool fixed port range
  • Restriction to virtual IP (VIP) on specific interfaces
  • SIP NAT enhancement & support for TLS inspection

VPN:

  • Simplified VPN setup
  • SSO support for FTP and SMB added under SSL-VPN
  • Support SSL-VPN push configuration of DNS suffix
  • Auto-IPsec restricted to desktop platforms
  • Create new IPsec site-to-site and dial up tunnels directly from the policy page
  • Support for IKE to bind to loop-back interface
  • ARIA encryption

IPS:

  • IPS Engine version 2 - Improved resource usage & Performance
  • DOS policy improvements
  • Medium severity added to default IPS sensor

Application Control:

  • Custom Application Control Signatures
  • Improve App Control profile for ftp and facebook
  • Support SSH inspection

Antivirus:

  • New AV engine v5 - behavioral heuristic engine & OS independent sand boxing
  • Auto submission to FortiGuard Analytics - Cloud based sand boxing
  • Botnet C&C blocking with IP reputation DB
  • MAPI & SMB protocol support

Email Filter:

  • Flow-based Email Inspection Mode

Web Filter:

  • DNS-based Web Filter
  • Flow-based Web Filter support for replacement message in HTTPS Web Filter
  • Yandex search engine; safe search support
  • Search engine configuration
  • One-arm URL filtering
  • Content type scanning by FortiGuard category

DLP:

  • DLP watermarking
  • New DLP GUI Configuration

Vulnerability Scanning:

  • FortiClient vulnerability scan

Wireless Controller:

  • Wireless IDS
  • Wireless client load balance
  • Wireless mesh & bridging
  • Bridge SSID with physical port
  • Fake AP detection
  • Automatic TX power adjustment
  • Automatic Rogue APs suppression
  • CAPWAP data channel encryption

SSL Offloading & Inspection:

  • Improved SSL inspection performance
  • SSL inspection Support for IPS and Application Control
  • Support for adding X-Forwarded-Proto for SSL offload half mode

WAN Optimization:

  • Support WAN Optimization and content scan in a single VDOM
  • WAN Optimization per policy
  • Dynamic data chunking for WAN Optimization byte cache
  • HTTPS offload and HTTPS cache features
  • Support Internet Content Adaptation Protocol (ICAP) in explicit Web Proxy
  • Support cache-cookie option to set web cache behavior on cookie
  • Explicit proxy and SSL decryption
  • Explicit proxy (HTTP and FTP) support for dynamic profiles
  • Explicit proxy integration with IPS and Application Control

Virtual Systems:

  • Standalone management VDOM
  • Support DHCP servers on the VDOM-link interface
  • NP4 accelerate inter-VDOM traffic
  • Per VDOM and global limits on guest user accounts
  • Global View Menu implementation
  • Global FortiGuard server override
  • Multi-VDOM admin
  • Support VDOM link between transparent VDOM with NAT/Route VDOM

Log & Report:

  • New Log message organization
  • MAC address logging
  • Local-in policy logging
  • Merge UTM incidents into traffic log
  • Added option to log to FortiManager
  • FortiCarrier: logging Improvements
  • PDF report improvements
  • Enhanced drill-down reports

IPv6:

  • IPv6 NAT: NAT66, NAT64, DNS64
  • IPv6 explicit proxy
  • IPv6 MIBs
  • IPv6 Per-IP shaper
  • IPv6 policy routing
  • IPv6 session pickup in HA mode
  • NAT64 acceleration (XLR/XLP)
  • Support IPS for IPv6 forwarding policy
  • IPv6 SSL proxy IPS inspection
  • NAT64 High Availability (HA)
  • Support DHCP Client for IPv6 addresses
  • DHCPv6 relay

Others:

  • Increased limit on URL filter, Web Profile, Group Profile, and Policy
  • FortiCarrier: GTP monitor mode
  • FortiCarrier: Support GPRS tunneling protocol version 2 (GTPv2) & extensions
  • ELBCv3 enhancements & Support for FG5101C
  • LACP support on the FortiSwitch 5203B

Note: This list may not be complete. Features may not be available to all FortiGate models. Please refer to FortiOS 5.0 release notes and administration guide.
