Fortigate FortiOS 7.0 is out - what's new Visual Guide

It is a tradition for Fortinet to redesign Web management GUI of each new major FortiOS release, with most of their hit-and-miss redesigns being a miss. Finally, in Fortigate 6.0, they came up with the Green theme that most of the people liked. Only that in FortiOS 7.0 …​ it was removed. To provoke emotional selling point they added the Retro theme, see below. Unfortunately, to me, this theme of FortiOS 2.8 era provokes not much nostalgia (Fortinet marketing hoped), but bad memories of Fortigate 60 never coming up after you push Reboot button in this Web GUI. The only theme I find the least ugly is the Mariner one, but let’s hope that after much discontent I see coming, Fortinet will get back the Green theme.

That’s pretty cool - now we can see underlying API calls to automate the configuration. A bit of context - Fortigate (and other Fortinet products), have well working REST API, which you can use to programmatically configure/monitor these devices via HTTPS REST API requests. Unfortunately for us, Fortinet hid the API Documentation behind the paywall. To access the full Fortigate API reference, you have to have subscription to the Fortinet Developers Network, which costs about 2000 Euro a year. They offer a free access (kind of) though - if you can find 2 "sponsors" to vouch for you at Fortinet, you can ask for free developer access to the FDN (without ability to post on forums or any support obviously). But now, with this API Preview button, we can see the API calls and get along without access to API documentation.

This enters configuration level up to the very object we have opened in GUI.

It was previously in pink, but now it screams at the administrators "What are you doing?". The Telnet access was even removed from GUI and can only be enabled on CLI.

That was begging to be fixed - no sense to separate part of the same feature into 3 different pages.

Not sure whether it is marketing-reasoned or technically based, but we have clients with various D models that work just fine, also with valid updated subscriptions. And the thought of upgrading firewall just because no new FortiOS versions will be released for it is not much fun as puts pressure on admins to upgrade while everything works fine. Fortinet announced few months ago Long Time Support program to keep older FortiOS versions up-to-date security-wise, but I haven’t heard anything about it since then.

This feature was available in CLI only, now it has been exposed in GUI as well. We can control what source IP Fortigate will use for the traffic it originates, e.g. FortiGuard/DNS etc. When enabling SD-WAN it can be quite important.

Another "cool category" feature - we can set up Fortigate to request and update automatically SSL certificate from Let’s Encrypt certificates issuer, and of course it is totally free. This takes away the last reason not to install valid SSL certificate for admin access "But it costs money …​".

Here too, they just combined Automation related pages into tabs of the same page, no new functionality.

Finally, not only cool, but essential feature - all routing-related configs available in CLI until now, got their own page in Network → Routing objects. Prefix lists, Community, route-map - all the things you can’t really do without when enabling dynamic routing protocols on Fortigate. I , personally, will continue configuring those things on CLI.

Also, not new functionality, but re-arrangement that was only logical.

Quite important one for those who use Fortigate to protect their internal servers with load-balancing and SSL offloading.

What was in the past part of Web Filtering profiles, now has moved to its own page. I see it mostly used by K-12, university environments, and for regular Enterprise admins it was just a distraction on the Web Filtering page.

This is completely new feature - we can now (seemingly) set up local Fortigate to connect to the remote one as VPN SSL client. Fortigate as IPSec VPN client capability has been around for ages and works actually well. Let’s wait and see how it works in production. Usually, brand new features take their time to work as expected.

This one is so new that I can’t find much information on the Fortinet site. So can’t say much except that exists, will update once have some experience with it, as every vendor means different things for Zero Trust Access.

That’s all for today, I will be posting about new features as I test them, so come back again to read about them.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.