
New features or enhancements

Bug ID

Description

529445

In wids-profile, add the new ap-scan-threshold setting, which sets the minimum signal level that a rogue AP detected by the managed FortiAP devices must have in order to be reported. Only rogue APs with a signal level higher than the threshold are reported to the FortiGate WiFi Controller.

config wireless-controller wids-profile
    edit <WIDS-profile-name>
        set ap-scan enable
        set ap-scan-threshold "-80"
    next
end

The range of ap-scan-threshold, in dBm, is -95 to -20 (default = -90).

553372

Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labeled Fabric Connection. If either CAPWAP or FortiTelemetry was enabled on a particular interface, the new fabric option will be enabled after upgrading.

557614

FortiGate support for NSX-T v2.4: East/West traffic.

562394

Add support for EMS cloud:

  • Added CMDB attribute fortinet-one-cloud-authentication to FortiClient EMS table.
  • Added curl verbose diagnosis debugs to FortiClient NAC daemon for debug images.
  • Added fortiems-cloud option to type attribute in user.fsso table.

571639

Add support for tracking number of hits to a policy route:

  • A policy route hit counter and last used tag have been added to each policy displayed by the diagnose firewall proute list command.
  • New CLI command diagnose firewall proute show displays the policy route hit counter and last used tag for a given proute id (if 0, dumps all).
  • New CLI command diagnose firewall proute clear clears the policy route hit counter and last used tag for a given proute id (if 0, clears all).

573568

Change public IP and routing table entries allocated in different resource groups in Azure HA.

In an Azure HA scenario, the EIP and route table to fail over are specified in the SDN connector configuration. A new attribute, resource-group, is added to allow customers to specify the resource group that an EIP or route table is from. This new attribute can be empty, so upgrade code is not needed.

If the resource-group of the EIP or route table is not provided, it is assumed the resource comes from the same resource group as the SDN connector setting (if it is not set there, assume the same resource group as the FortiGate itself by getting it from the instance metadata).

579484

Limit OCVPN spoke to only join existing overlay.

580889

DPDK support on FortiOS VM platform.

591567

Add support for additional SHA-2 algorithms with SNMPv3.

593148

Update interface-related pages to use AngularJS and muTable.

Interfaces list:

  • The radio buttons in the top-right corner that let users switch between grouping by type, grouping by role, and sorting the list alphabetically have been removed. A dropdown replaces them, with the following options:
    • Group by type
    • Group by zone
    • Group by status
    • Group by role
    • No grouping
  • Zones do not support parent-child relationships anymore.
  • The DHCP Server column has been divided into two separate columns, DHCP Clients and DHCP Ranges.
  • CSF support has been added. When switching to a downstream device, both the list and the faceplate should update.
  • For VDOMs, administrators can only view complete information about interfaces for the VDOM they are in. This applies even to administrators who have access to more than one VDOM.
  • On devices that support VLAN switching, the VLAN Switch Mode toggle has been removed from the list page. It now shows up under System > Settings.
  • Faceplates do not auto-refresh on page load anymore. For auto-refresh, users need to enable the muTable refresh feature from the button in the bottom-right corner.

Interfaces dialog:

  • Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labeled Fabric Connection.
  • The secondary IP address toggle has been moved from the Miscellaneous section to the Address section.
  • A gutter has been added that displays the device hostname, the interface it belongs to, and relevant help links.

CLI changes:

  • Consolidate fortitelemetry and capwap into fabric for allowaccess in system.interface.
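
The allowaccess consolidation described under 553372 and in the CLI changes above can be checked against a pre-upgrade configuration backup. The script below is an added example, not Fortinet code: it lists each interface whose allowaccess will become fabric and which of the two legacy services was not enabled before. The sample backup is constructed, and treating fabric as covering both services is an assumption drawn from the statement that the two options were combined.

```python
# Constructed sample of a pre-upgrade backup; interface names and values are made up.
SAMPLE_BACKUP = '''\
config system interface
    edit "wan1"
        set allowaccess ping https
    next
    edit "internal"
        set allowaccess ping https ssh capwap
    next
    edit "dmz"
        set allowaccess ping fortitelemetry
    next
    edit "mgmt"
        set allowaccess https ssh capwap fortitelemetry
    next
end
'''

# The two allowaccess values that the release note says are consolidated into "fabric".
LEGACY = {"capwap", "fortitelemetry"}

def audit_fabric_upgrade(config_text):
    """Return {interface: (post_upgrade_allowaccess, legacy_services_not_enabled_before)}."""
    results, in_section, depth, iface = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0:  # only top-level "config system interface" counts
                in_section = line == "config system interface"
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_section = False
        elif in_section and depth == 1 and line.startswith("edit "):
            iface = line[5:].strip().strip('"')
        elif in_section and depth == 1 and iface and line.startswith("set allowaccess"):
            old = line.split()[2:]
            enabled = LEGACY & set(old)
            if not enabled:
                continue  # neither legacy option set: no fabric after upgrade
            new = [v for v in old if v not in LEGACY] + ["fabric"]
            results[iface] = (new, sorted(LEGACY - enabled))
    return results

if __name__ == "__main__":
    for name, (new, gained) in audit_fabric_upgrade(SAMPLE_BACKUP).items():
        print(f"{name}: allowaccess -> {' '.join(new)}; not enabled before: {gained or 'none'}")
```

Interfaces reported with a non-empty second list are the ones to review after upgrading, since they previously allowed only one of the two services.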

597685

Starting from 6.2.3 and 6.4.0, a single annually contracted SKU is available that contains both a VM base and one of the FortiCare service bundles. It is BYOL (bring your own license) and supports VMware ESXi, KVM, Hyper-V, Xen, AWS, Azure, AzureStack, GCP, OCI, Alibaba Cloud, Rackspace, VMware NSX-T, and Nutanix.
