Special notices

SAML IdP configuration for Save Password

FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows:

If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.

The FortiClient save password feature is commonly used along with autoconnect and always-up features.

FortiClient support for newer Realtek drivers in Windows 11

Issues regarding FortiClient support for newer Realtek drivers in Windows 11 have been resolved. The underlying cause was that Realtek and Qualcomm drivers use the NetAdapterCx framework, and an error in Microsoft's API when translating the adapter flags could result in IPsec VPN connection failure.

FortiGuard Web Filtering Category v10 Update

Fortinet has updated its web filtering categories to v10, which includes two new URL categories for AI chat and cryptocurrency websites. To use the new categories, customers must upgrade their Fortinet products to one of the versions below:

  • FortiManager - Fixed in 6.0.12, 6.2.9, 6.4.7, 7.0.2, 7.2.0, 7.4.0.
  • FortiOS - Fixed in 7.2.8 and 7.4.1.
  • FortiClient - Fixed in Windows 7.2.3, macOS 7.2.3, Linux 7.2.3.
  • FortiClient EMS - Fixed in 7.2.1.
  • FortiMail - Fixed in 7.0.7, 7.2.5, 7.4.1.
  • FortiProxy - Fixed in 7.4.1.

Please read the following CSB for more information on caveats regarding usage in FortiManager and FortiOS: https://support.fortinet.com/Information/Bulletin.aspx

SSL VPN with SAML issue

SSL VPN with SAML may fail to bring up the VPN when the CA certificate is saved to Personal Certificates. When this occurs, you may observe the VPN stuck at 0% with an error message in the Notifications tab reading: "The server you want to connect to requests identification, please choose a certificate and try again. (-6005)"

You can use one of the following workarounds for this issue. The workarounds support Windows 10 and 11 with external and internal browsers:

  1. Move the CA certificate to the corresponding folder instead of the personal store. For example, you may move the certificate to Certificates (Current User)\Trusted Root Certification Authorities or Intermediate Certification Authorities.
  2. Remove the CA certificate from Certificates (Current User)\Personal\Certificates if unneeded.
  3. If the SSL VPN tunnel does not require certificate authentication, set a certificate filter to NOT match any certificate. The following shows an example XML configuration:

    <certificate>
        <common_name>
            <match_type>wildcard</match_type>
            <pattern>*</pattern>
        </common_name>
        <issuer>
            <match_type>simple</match_type>
            <pattern>NOTHING</pattern>
        </issuer>
    </certificate>

  4. Set <certs_require_keyspec> to 1.
    • If you set this element to 0, FortiClient includes all certificates that have a NULL key specification when prompting the user to select a certificate.
    • If you set this element to 1, FortiClient only lists certificates that include AT_KEYEXCHANGE/AT_SIGNATURE/CERT_NCRYPT_KEY_SPEC when prompting the user to select a certificate. The state of the key spec is only accessible by querying the certificate for its private key. If the certificate is on a smartcard or if the private key is password-protected, Windows requests a PIN/password. This can result in unwanted PIN/password prompts when the FortiClient GUI is opened. For example, it can result in PIN/password prompts when just viewing the Remote Access tab in the FortiClient GUI, with potentially one prompt for each certificate on the smartcard.

    The following shows an example XML configuration:

    <vpn>
        <options>
            <certs_require_keyspec>1</certs_require_keyspec>
        </options>
    </vpn>
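Before applying workaround 1 or 2, an administrator needs to know which certificates in the Current User Personal store are actually CA certificates. The following PowerShell check is an added example, not part of Fortinet's documentation or FortiClient itself; it assumes Windows 10/11 with the built-in Cert: provider, and the function name Get-MisplacedCaCertificates is a hypothetical one chosen here.

```powershell
# Added example: list CA certificates that sit in Cert:\CurrentUser\My (the
# "Personal" store), the placement this notice links to the -6005 SSL VPN error.
# A certificate is flagged when its Basic Constraints extension marks it as a CA
# or when it is self-signed (Subject equals Issuer), as root CAs are.
function Get-MisplacedCaCertificates {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        $isCa = $false
        # OID 2.5.29.19 is Basic Constraints; decode it to read the CA flag.
        $raw = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
        if ($null -ne $raw) {
            $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension $raw, $false
            $isCa = $bc.CertificateAuthority
        }
        $isCa -or ($_.Subject -eq $_.Issuer)
    } | Select-Object Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
}

# Review the candidates first; HasPrivateKey should normally be False for a CA
# certificate that was merely imported for trust purposes.
Get-MisplacedCaCertificates | Format-Table -AutoSize

# Workaround 1 from the notice, once a thumbprint has been confirmed (hypothetical value):
# self-signed roots belong in Cert:\CurrentUser\Root, intermediates in Cert:\CurrentUser\CA.
# Move-Item -Path 'Cert:\CurrentUser\My\<THUMBPRINT>' -Destination 'Cert:\CurrentUser\Root' -WhatIf
```

Drop -WhatIf only after confirming the certificate is the one the user imported by mistake, since moving a user's real client certificate out of the Personal store would break certificate authentication instead of fixing the SAML login.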
