On 30th of March Fortinet released FortiOS 7.0 for all the supported models (alas, many D series Fortigates like 500D, are not supported), and here is the visual walkthrough of changes that can be seen in GUI.
|All the videos below come without sound.|
New color themes were added, some old ones were removed (bad)
It is a tradition for Fortinet to redesign Web management GUI of each new major FortiOS release, with most of their hit-and-miss redesigns being a miss. Finally, in Fortigate 6.0, they came up with the Green theme that most of the people liked. Only that in FortiOS 7.0 … it was removed. To provoke emotional selling point they added the Retro theme, see below. Unfortunately, to me, this theme of FortiOS 2.8 era provokes not much nostalgia (Fortinet marketing hoped), but bad memories of Fortigate 60 never coming up after you push Reboot button in this Web GUI. The only theme I find the least ugly is the Mariner one, but let’s hope that after much discontent I see coming, Fortinet will get back the Green theme.
API Preview option is available almost for all configuration screens (good)
That’s pretty cool - now we can see underlying API calls to automate the configuration. A bit of context - Fortigate (and other Fortinet products), have well working REST API, which you can use to programmatically configure/monitor these devices via HTTPS REST API requests. Unfortunately for us, Fortinet hid the API Documentation behind the paywall. To access the full Fortigate API reference, you have to have subscription to the Fortinet Developers Network, which costs about 2000 Euro a year. They offer a free access (kind of) though - if you can find 2 "sponsors" to vouch for you at Fortinet, you can ask for free developer access to the FDN (without ability to post on forums or any support obviously). But now, with this API Preview button, we can see the API calls and get along without access to API documentation.
Edit in CLI option added in many places
This enters configuration level up to the very object we have opened in GUI.
Insecure admin protocols are highlighted in bold red on the interface page (good)
It was previously in pink, but now it screams at the administrators "What are you doing?". The Telnet access was even removed from GUI and can only be enabled on CLI.
All SD-WAN related configs are now in a single page on different tabs (good)
That was begging to be fixed - no sense to separate part of the same feature into 3 different pages.
Dropped support for many/most of the D series Fortigates (bad)
Not sure whether it is marketing-reasoned or technically based, but we have clients with various D models that work just fine, also with valid updated subscriptions. And the thought of upgrading firewall just because no new FortiOS versions will be released for it is not much fun as puts pressure on admins to upgrade while everything works fine. Fortinet announced few months ago Long Time Support program to keep older FortiOS versions up-to-date security-wise, but I haven’t heard anything about it since then.
new Local Out settings (must be 1st enabled in Visibility) to set Source IP for Fortigate-originated traffic (good)
This feature was available in CLI only, now it has been exposed in GUI as well. We can control what source IP Fortigate will use for the traffic it originates, e.g. FortiGuard/DNS etc. When enabling SD-WAN it can be quite important.
Free SSL Certificates via ACME Let’s Encrypt with DNS verification, but only for 60 days validity max (good)
Another "cool category" feature - we can set up Fortigate to request and update automatically SSL certificate from Let’s Encrypt certificates issuer, and of course it is totally free. This takes away the last reason not to install valid SSL certificate for admin access "But it costs money …".
Security Fabric → Automation rearranged, new tabs for Triggers, Actions (good)
Here too, they just combined Automation related pages into tabs of the same page, no new functionality.
New: Network → Routing Objects (good)
Finally, not only cool, but essential feature - all routing-related configs available in CLI until now, got their own page in Network → Routing objects. Prefix lists, Community, route-map - all the things you can’t really do without when enabling dynamic routing protocols on Fortigate. I , personally, will continue configuring those things on CLI.
Merge all Traffic Shaping related pages into one with Policy & Objects → Traffic Shaping with multiple tabs (good)
Also, not new functionality, but re-arrangement that was only logical.
Security Profiles → SSL Inspection, now multiple SSL certificates can be chosen for the same profile to protect multiple web sites residing on the same IP/server (good)
Quite important one for those who use Fortigate to protect their internal servers with load-balancing and SSL offloading.
Security Profiles → Video Filter (good)
What was in the past part of Web Filtering profiles, now has moved to its own page. I see it mostly used by K-12, university environments, and for regular Enterprise admins it was just a distraction on the Web Filtering page.
SSL VPN Client configuration is now available for Fortigate to connect as VPN SSL Client to another Fortigate (good)
This is completely new feature - we can now (seemingly) set up local Fortigate to connect to the remote one as VPN SSL client. Fortigate as IPSec VPN client capability has been around for ages and works actually well. Let’s wait and see how it works in production. Usually, brand new features take their time to work as expected.
Zero Trust Network capability (good, probably?)
This one is so new that I can’t find much information on the Fortinet site. So can’t say much except that exists, will update once have some experience with it, as every vendor means different things for Zero Trust Access.
That’s all for today, I will be posting about new features as I test them, so come back again to read about them.
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.