Changes in default behavior

Firewall

Remove dependency of ssl-ssh-profile on utm-status under firewall policy (531885).

Previous releases:

You must enable utm-status under firewall policy before configuring ssl-ssh-profile.

6.2.1 release:

You can configure ssl-ssh-profile by itself. When you upgrade, this configuration is added to the existing firewall policy.

Log & Report

Starting from the 6.2.1 release, exe log list displays the result of the current log device.

Previous releases:

exe log list only lists the disk log file.

6.2.1 release:

exe log list lists the log file from the current log device (disk/memory).

exe log list shows the memory log file when exe log filter device memory is set.

exe log list shows the disk log file when exe log filter device disk is set.

Separate policy and address log-uuid options into two individual options.

Previous releases:

config system global
   set log-uuid [policy-only | extended | disable]
end

6.2.1 release:

config system global
   set log-uuid-policy [enable | disable]
   set log-uuid-address [enable | disable]
end

System

Starting from the 6.2.1 release, Global admin can only back up but not restore the configuration file.

Previous releases:

Super admin: can back up and restore configuration file.

Global admin: can back up and restore configuration file.

VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.

6.2.1 release:

Super admin: can back up and restore configuration file.

Global admin: can only back up configuration file.

VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.

Devices configured under security-exempt-list are void after upgrading to 6.2.1.

FortiOS 6.2.1 removes any use of device enforcement from various FortiGate features.

Previous releases:

config user device-category    <==removed
config user device-access-list <==removed
config user device-group       <==removed

config user security-exempt-list
   edit [List Name]
      config rule
         edit [Rule ID]
            set devices [Device or group name] <==removed
            set srcaddr [Address or group name]
         next
      end
   next
end

config system interface
   edit [Interface]
      set ip [IP address and subnet mask]
      set device-access-list [Access list name] <==removed
      set device-identification-active-scan [enable | disable] <==removed
   next
end

config firewall policy
   edit [Policy ID]
      set name [Policy name]
      set device [Device or group name] <==removed
   next
end

config firewall policy6
   edit [Policy ID]
      set name [Policy name]
      set device [Device or group name] <==removed
   next
end

6.2.1 release:

config user security-exempt-list
   edit [List Name]
      config rule
         edit [Rule ID]
            set srcaddr [Address or group name]
         next
      end
   next
end

config system interface
   edit [Interface]
      set ip [IP address and subnet mask]
   next
end

config firewall policy
   edit [Policy ID]
      set name [Policy name]
   next
end

config firewall policy6
   edit [Policy ID]
      set name [Policy name]
   next
end
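
A pre-upgrade check for the sections and settings marked <==removed above, as an added example (not Fortinet code): it walks a saved configuration backup and reports every device-enforcement item that 6.2.1 will drop, so each affected policy, interface and exempt rule can be reviewed before upgrading. The function name, the sample backup fragment and its object names are constructed for illustration.

```python
# Sections and settings the page marks "<==removed" in 6.2.1.
REMOVED_SECTIONS = {"user device-category", "user device-access-list", "user device-group"}
REMOVED_SETTINGS = {
    "user security-exempt-list": {"devices"},
    "system interface": {"device-access-list", "device-identification-active-scan"},
    "firewall policy": {"device"}, "firewall policy6": {"device"},
}

def audit_device_enforcement(config_text):
    """Return (line_no, context, finding) for each item the upgrade will drop."""
    findings, stack, in_quote = [], [], False  # stack: ("config"|"edit", name)
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        odd_quotes = raw.replace('\\"', "").count('"') % 2 == 1
        was_inside, in_quote = in_quote, in_quote ^ odd_quotes  # multi-line quoted value
        tokens = raw.split()
        if was_inside or not tokens:
            continue  # blank line, or continuation of a quoted value
        kw, args = tokens[0], tokens[1:]
        context = " > ".join(f"{k} {n}" for k, n in stack)
        if kw == "config":
            name = " ".join(args)
            if name in REMOVED_SECTIONS:
                findings.append((line_no, context, f"config {name}"))
            stack.append(("config", name))
        elif kw == "edit":
            stack.append(("edit", " ".join(args)))
        elif kw in ("next", "end") and stack:
            stack.pop()  # backups are balanced: next closes edit, end closes config
        elif kw == "set" and args:
            sections = [n for k, n in stack if k == "config"]
            if any(args[0] in REMOVED_SETTINGS.get(s, ()) for s in sections):
                findings.append((line_no, context, "set " + " ".join(args)))
    return findings

# Constructed sample backup fragment (object names are made up).
SAMPLE = """\
config user device-group
    edit "byod"
    next
end
config firewall policy
    edit 7
        set name "byod-out"
        set device "byod"
        set srcaddr "lan-net"
    next
end
"""
```

An empty result means the backup contains none of the removed device-enforcement items.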

WiFi Controller

The VAP schedule is changed from accepting only a recurring schedule to accepting all types of firewall schedule: recurring schedule, one-time schedule, and schedule group.

Previous releases

6.2.1 release

config wireless-controller vap
    edit "wifi-t-1"
        set schedule "group1"
    next
end

The LED schedule is changed from accepting only a recurring schedule to accepting all types of firewall schedule: recurring schedule, one-time schedule, and schedule group.

Previous releases

6.2.1 release

config wireless-controller wtp-profile
    edit "FAP321C-default"
        set led-schedules "group1"
    next
end

The ble-profile setting in wtp-profile is now configurable for the FAP-321E platform.

Previous releases

6.2.1 release

config wireless-controller wtp-profile
    edit "FAP321E-default"
        config platform
            set type 321E
        end
        set ble-profile "BLE-full" <==configurable
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11n,g-only
        end
        config radio-2
            set band 802.11ac
        end
    next
end
