What Features Do You Want Fortinet To Bring To FortiOS?

  • Published: Jul 9, 2024
  • I talk a lot of trash about Fortinet from time to time but one thing I have noticed is that they are doing a good job of paying attention to the community and the features we wish to see in future FortiOS deployments. So this video is going to serve as an opportunity to brainstorm ideas and see what we can do from a recommendation standpoint.

Comments • 41

  • @kalowaytube 3 years ago +18

    "diag debug flow" in GUI :)

  • @makotoTheSadBoy 3 years ago +8

    A diagnose debug just for SSL certificate inspection. To see everything the certificate inspection profile does when SSL traffic goes through it. I face a lot of issues related to SSL inspection in my job.

    • @haraldk6828 3 years ago +2

      This. It should be better debug and logs for SSL errors in the GUI.

  • @tehrandom42 3 years ago +4

    Wireguard VPN. The tech is awesome, but the management of it... that's where it falls short. The fortinet gui is adequate, and it could be a killer feature.

  • @randyb5029 3 years ago

    In the Firewall Policy, having "reputation-minimum : 0-5" and "direction" as a GUI item would be nice; it helps juniors, who when diagnosing an issue can forget it's enabled.

  • @hennning88 3 years ago +7

    A tool like packet tracer in ASA to quickly see what should happen to a packet based on all the rules set.

    • @FortinetGuru 3 years ago +1

      That would be a very welcome feature

    • @kavinpatel644 3 years ago

      There is already an active NFR (New Feature Request) for this feature. Hopefully, this feature will be added in a future release.

  • @joey3354 3 years ago +2

    I am a security engineer that supports/deploys mostly Fortinet firewalls and FortiSwitches. For me the following functionality would be nice.
    1. A traffic generator that can run from different source interfaces/networks.
    I always get questions about how fast this line is, including the preceding devices, but cannot test this without having a computer on location.
    2. A way to execute http/s requests. For example curl for Linux. This will make it easy to get the global IP address, or test some website output.
    There is some functionality with telnet, but not enough sometimes.
    3. Diagnose debug flow in the GUI. This is the command I use the most in troubleshooting. It is so simple but is the best tool for troubleshooting issues.
    4. OpenVPN client integration. This is more a personal preference, but I had to build a pfSense firewall next to my FortiGate, because I needed this functionality. With OpenVPN I can act as if my network is in another country and I only have to pay a few euros a year to make this possible.
    I understand this stands a bit in the way of the SSL VPN from Fortinet so I understand that this would only work in the CLI.
    And the following is more of an improvement needed in FortiSwitches instead of functionality.
    I have a customer who wants to remotely deploy firewalls and switches. This customer attaches FortiGates, switches and FortiAPs directly to their network to let me configure it for them.
    FortiSwitch deployments give me issues most of the time.
    1. Sometimes the FortiSwitch doesn't get an IP address and I have to console in to enable FortiLink. (annoying my customer)
    2. Some new FortiSwitches can't be handled by the FortiGate because they have too old firmware. I need to build a temporary port forward to access and update it....
    3. I need to check if NTP is working properly because if the time between the switch and FortiGate has too much difference I get no link sometimes.
    4. Some strange PoE problem that FortiOS 6.2.3 has. PoE randomly stops and upgrading to 6.4 seems to be the fix. Not fun when you have 400 locations with FortiSwitches and an angry customer that their phones aren't working.
    5. A way to upgrade all the FortiSwitches at the same time in the FortiManager. It is no fun to upgrade 700 FortiSwitches 1 by 1...... Why don't you make this the same as FortiAPs?
    6. When I edit a dynamic object in the FortiSwitch section all the FortiGates get in a modified state. This is no fun because I cannot just do an install on every FortiGate. So I have to check a few hundred install logs every time. This is annoying because I only add configuration for 1 new unit.

    • @FortinetGuru 3 years ago +1

      Most of these would be wicked adds if Fortinet were to do them.

  • @pete2375 3 years ago +1

    [1] Generally more settings in the GUI. If it gets cluttered then just hide them in an "advanced" section FortiManager style. For starters, I often have to specify SYSLOG/SNMP/FMG/FAZ/RADIUS source addresses in the CLI.
    [2] Packet-tracer tool so we can easily see which DNAT/route/policy-route/fw-policy/nat-policy/etc a packet would take.
    [3] Maybe a new "Diagnostic" tab in GUI containing GUI-based diagnostic & troubleshooting tools such as ping/traceroute/packet capture/packet-tracer/traffic-generator/speed-test/"diag debug flow"/etc.
    [4] IPv6 VRF support. We have IPv4 VRFs, but no IPv6.
    [5] The ability to schedule a one-off reboot.
    [6] LLDP neighbor display in GUI

  • @AlaVRSim 3 years ago +3

    I'd love to see a more natural integration with Azure AD and Intune and MDM, that's going to be a whole new level if they implement Wifi Auth against AAD with MFA without having the need to get a radius server.

    • @FortinetGuru 3 years ago +1

      If they could integrate more seamlessly and easily with Azure it would be a huge win IMO

    • @AlaVRSim 3 years ago

      @FortinetGuru Absolutely, the list of features they can implement in this domain is huge, and MS CAS integration would be great.

  • @edodonnell9057 3 years ago +3

    I'd like the ability to use third party TOTP apps like Authy or Google Authenticator instead of the FortiToken Mobile app.

  • @KevinTKerrigan 3 years ago +1

    FortiMonitor - network orchestration automation integration with FortiGate... I hear it's tentatively earmarked for 7.2 FortiOS but DEAR GOD, to have SaltStack or Ansible like network device control of cisco switches or routers, to backup and or apply different configuration changes to automatically respond to discovered conditions/events would be game changing. No other firewall provider could come close!

  • @LucPaulin 3 years ago

    A commit review/approval (junior netadmin can perform change on the FW, but senior has to review and push the change) :)

  • @elmarf.4841 2 years ago

    Would be nice to implement the Phase 2 Remote Proxy Id into a dynamic routing protocol like in a Dial Up VPN.

  • @HC19200 3 years ago +2

    Fortinet needs a report for WAN throughput speeds. That tiny widget in the UI is booboo, and FortiAnalyzer doesn't have a speed report. Only an amount of data report. Thanks Mike

    • @FortinetGuru 3 years ago

      This is actually a complaint of mine as well. I wouldn't mind seeing that ASAP

  • @RK-ly5qj 3 years ago +4

    Ability to use own USB Disks for LOGS !!^^ cuz FortiCloud sucks so much xd

    • @FortinetGuru 3 years ago +2

      Me: sliding 8 TB disk drive into USB port, done LOL. I could get behind this.

    • @RK-ly5qj 3 years ago

      @FortinetGuru c'mon, why not. I mean, don't see benefits in it? :p

    • @FortinetGuru 3 years ago +1

      Oh I would totes do it in many cases LOL

  • @tomislavfedek6678 3 years ago

    Just making more stuff into a GUI will be helpful

  • @ricardoduarte9927 2 years ago

    I would really like to get Device Type policies from 6.0 back.

  • @brandonschierkolk2567 3 years ago

    Google, cloudflare, and generic dyndns support.
    Ability for policy mode to pass/ignore on non-standard ports on an accept rule instead of blocking them, like PA.
    Reject option on policies built into GUI.

  • @mattb474 3 years ago

    A traffic manipulator, similar to the "Network Emulator" in GNS3, would be handy to add artificial packet loss + latency etc to traffic to test SDWAN configurations etc.

    • @FortinetGuru 3 years ago +1

      That is not a bad idea at all.

  • @LucPaulin 3 years ago

    Rules/Policy history... (i.e. when/who created the rule, who/what changed on that specific date.....)

  • @noradtux 3 years ago

    I'd like to see support for Wireguard VPNs.

  • @maci4 3 years ago +3

    Auto renew Let's Encrypt certificate

    • @FortinetGuru 3 years ago +1

      They brought Let's Encrypt to 7.0

  • @sopota6469 3 years ago +4

    No new features that break things in 0.0.x releases

  • @edodonnell9057 3 years ago +1

    Better FortiAnalyzer GUI. I think FortiAnalyzer has a lot of data, but it is not very useful because the GUI is difficult to use and not intuitive.

  • @hechec9694 3 years ago

    Quota system, e.g. give 1G byte daily for a user or give a speed limit for a user

  • @serlegar 3 years ago

    Remove that feature that tells you that you can upgrade to 7.0

  • @edodonnell9057 3 years ago +2

    Stop releasing new features in non x.x.0 releases.