Introduction

These Release Notes cover the new features, enhancements, resolved issues and known issues of FortiDDoS version 7.2.1 build 0818.

Special Notes

Upgrade any FortiDDoS F-Series firmware Release directly to 7.2.1. No intermediate steps are required.

GUI changes on upgrade from releases below 7.0.1

  • In Release 7.2.1, IP Profiles > UDP Empty Checksum Check is disabled by default. If it was previously enabled in a lower release, it will also be disabled during the upgrade, changing your configuration. The only SPPs that require this feature to be disabled are those using IPsec NAT Traversal.

    If upgrading from Release 7.0.3 or higher, review all IP Profiles and note which ones had this feature enabled. After the upgrade, re-enable the feature for those Profiles.

    UDP Empty Checksum Check helps stop scans for known UDP reflection ports but can block IPsec NAT Traversal traffic (IPsec over UDP 4500).

  • GUI access via TLS 1.1 will be disabled after upgrade to 7.0.1 or higher as a security improvement. The option can be re-enabled by the user if desired.

  • On upgrade to 7.0.1 or higher, the existing LQ table is replaced by a new, much larger, and more granular table for improved mitigation.

    Existing entries are deleted.

    DNS Allowlists or Blocklists are not affected.

    Fortinet strongly recommends placing any SPP using LQ in Detection Mode for upgrade and allowing LQ to learn for at least one day on Authoritative DNS Servers before returning to Prevention Mode. For details, contact Fortinet.

  • The Report period of Last 30 Days has been removed as redundant with Last Month. Before upgrading, check Log & Report > Log Configurations for Reports with Last 30 Days selected and change them to Last Month.

  • Renamed licensing labels on System and Dashboard pages for improved clarity.
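As a pre-upgrade check for the UDP Empty Checksum Check note above, the following added example (not Fortinet code, and not from the FortiDDoS product) parses captured IPv4/UDP packets, reports which ones carry a zero UDP checksum, and flags any SPP whose capture contains zero-checksum traffic on UDP 4500 (IPsec NAT Traversal). It assumes, as a model of the feature, that the check drops UDP datagrams whose checksum field is zero; the sample packets are constructed inline.

```python
import struct
from collections import Counter

NAT_T_PORT = 4500  # IPsec NAT Traversal port named in the release note


def build_ipv4_udp(src, dst, sport, dport, payload, checksum):
    """Build a minimal IPv4+UDP packet with an explicit UDP checksum field.
    Constructed sample traffic only; the IP header checksum is left at 0."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, checksum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


def udp_fields(pkt):
    """Return (sport, dport, checksum) for an IPv4/UDP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    sport, dport, _ulen, csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return sport, dport, csum


def classify(pkt):
    """Model of the check (assumption): a UDP datagram whose checksum field
    is zero is dropped while the check is enabled, so NAT-T on UDP 4500 is
    only usable on an SPP where the check stays disabled."""
    f = udp_fields(pkt)
    if f is None:
        return "not-udp"
    sport, dport, csum = f
    if csum != 0:
        return "pass"
    if NAT_T_PORT in (sport, dport):
        return "empty-checksum-nat-t"   # legitimate traffic the check would block
    return "empty-checksum-other"       # e.g. reflection-port probes the check stops


def audit(packets):
    """Count outcomes over captured packets for one SPP; returns the counts
    and whether that SPP must keep the check disabled after upgrade."""
    counts = Counter(classify(p) for p in packets)
    return dict(counts), counts["empty-checksum-nat-t"] > 0
```

Run audit() over a per-SPP capture: a True second return value means that SPP is one of those that must keep UDP Empty Checksum Check disabled; otherwise the check can be re-enabled if it was on before the upgrade.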

Manual traffic bypass may not enable in Fail Closed Mode

Global Protection > Deployment > Power Off Bypass Mode operates correctly in Fail Closed Mode for all F-Series models. However, on earlier hardware versions, manual traffic bypass cannot be enabled while Power Off Bypass Mode is set to Fail Closed Mode. See the 7.2.0 handbook for details, or use the workaround below to force bypass.

Workaround:
Temporarily place the system into Fail Open Mode, then manually bypass the traffic using either the GUI (Dashboard > System Information panel > Bypass Status link) or CLI (execute bypass-traffic enable). After returning FortiDDoS to inline, change the Power Off Bypass Mode back to Fail Closed Mode.

Monitor > TRAFFIC MONITOR > Subnets graphs affected by upgrade

The following only affects the Monitor > TRAFFIC MONITOR > Subnets graphs. All other graphs retain all previous information:

If you are upgrading from a Release lower than 6.5.0, the Round Robin Databases used for these graphs (all protected subnets for all SPPs) are modified during the upgrade and all previous data is deleted. New data will display in the next 5-minute reporting period after the upgrade. This does not affect any other Monitor graph.

See the Special Note above. If the system is in Fail Closed Mode, change the setting to Fail Open Mode, then place FortiDDoS into Bypass mode. You can do this via the GUI from Dashboard > Status > System Information > Bypass Status Inline/Bypass link, or using the CLI:

FortiddoS #execute bypass-traffic enable

This operation will enable traffic bypass!

Do you want to continue? (y/n) y

It is recommended to perform upgrades in a maintenance window to avoid disrupting other network settings such as OSPF, RSTP and BGP that affect traffic when the physical ports are changed from inline to bypass and back to inline.

After the upgrade is complete, FortiDDoS will return to inline mode. As above, if the system is normally in Fail Closed Mode, change that setting back to Fail Closed.

Be sure to clear your browser cache (or operate in incognito mode) after a firmware upgrade. The GUI is coded in JavaScript in the browser, and code changes in the system do not automatically signal the browser to rebuild the GUI. Changes to the GUI will not appear until the cache is cleared. If the cache is not cleared, you may see misaligned tables or entire Dashboard panels missing or appearing in the wrong place.

FortiGate Transition from client SSLVPN to IPsec

FortiGate systems will be transitioning away from SSLVPN in newer releases. If FortiDDoS has not seen IPsec or has seen only site-to-site VPN traffic, VPN Thresholds may be too low.

Ensure you understand the transition with the firewall team and that Thresholds for:

  • Protocol 50 (ESP/IPsec),

  • UDP 4500 (IPsec NAT Traversal) (sometimes UDP 4501 for non-FortiGate VPNs) and

  • UDP 500 (IKE)

are adequate. Too-low Thresholds will block VPN traffic.

If unsure, contact Fortinet Support.