Resolved issues

The following issues have been fixed in Hyperscale firewall for FortiOS 6.2.7 Build 7105. For inquiries about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 6.2.7 release notes also apply to Hyperscale firewall for FortiOS 6.2.7 Build 7105.

Bug ID

Description

643446

Fragmented packets with different Explicit Congestion Notification (ECN) values are now allowed. Not allowing fragmented packets with different ECN values had resulted in some customers experiencing dropped packets.

665669

SFP28 and QSFP28 interfaces in FortiGates with NP7 processors now support Clause 74 forward error correction (FEC).

676525

Sessions are no longer lost if a policy route is deleted or an interface is shut down.

0678390

The get system ha status command displays information about the total number of hardware session-sync sessions.

684052

The implicit deny policy can now appear on the GUI in hyperscale firewall policy lists.

685992

Improved dependency checking when adding or editing GCN IP pools and hyperscale firewall policies.

686774

FortiGate-1800F and 1801F sensor data now appears as expected on the GUI and CLI.

687034

Resolved a BGP memory leak.

687749

Resolved an issue that caused the iked process to crash on the secondary FortiGate in an FGCP HA cluster for IPsec VPN tunnels using XAUTH authentication.

687990

Hyperscale firewall systems can now generate system event log messages to report on network processor daemon (NPD) and PLE errors that would otherwise just have been written to the console. Example log message:

date=2021-04-28 time=22:18:40 logid="0100053300" type="event" subtype="system" level="warning" vd="root" eventtime=1619673521069002897 tz="-0700" logdesc="NPD INFO" msg=" NPD INIT DONE "

688309

Resolved an issue that caused packets to randomly be dropped when passing through NPU accelerated VDOM link interfaces.

689660

Policy hit counters have been implemented for hyperscale firewall policies.

690469

The Sessions dashboard will no longer revert to 3 x 1 after being re-sized.

691166

The diagnose sys npu-session purge command now successfully purges all session data.

692241

BGP no longer consumes high amounts of CPU time when an ADVPN disconnects after a socket writing error.

692737

Resolved an issue that caused timeout errors on the secondary FortiGate in an FGCP cluster when a fixed allocation IP pool was changed to an overload IP pool.

694645

Resolved an issue that blocked NAT64 traffic when a hyperscale firewall policy included an IPv6 firewall virtual IP.

694747

Error messages no longer appear on the CLI console when setting VDOM mode to no-vdom.

695262

In a hyperscale firewall policy, you can no longer incorrectly select Negate after setting the service to All.

695732

You can now create a cluster of two FortiGates with different interface configurations. If you do this, the secondary FortiGate will be re-configured to match the configuration of the primary FortiGate. However, it is still recommended that both FortiGates have the same interface configuration before creating a cluster.

696133

Policy routing works as expected.

696236

Resolved an issue that can cause BGP flapping.

698587

When configuring hyperscale firewall SPU offload logging from the GUI, you can set the logging mode of a log server group to Per-Session ending.

698677

If you restore a configuration and the configuration file contains a VDOM with the policy offload level set to full-offload but with a VDOM name that doesn't follow the hyperscale firewall VDOM naming convention, the policy offload level will be set to disable when the configuration is restored.

698834

Resolved an issue that resulted in malformed log message packets.

699162

Resolved an issue that blocked administrative access to a transparent mode VDOM when connecting to an interface in the VDOM.

699236 701715

Resolved an issue that could cause the NPD to hang and result in PBA leaks.

699348

MTU settings for VLAN interfaces are now kept after a system restart.

699348

MTU size settings are no longer lost for VLAN interfaces after a system restart.

700158

Resolved an issue that could cause a kernel panic when creating an EMAC VLAN.

700271

In an active-passive FGCP cluster of two FortiGates licensed for hyperscale firewall features, the secondary FortiGate in the cluster no longer responds to ARP requests.

700479

Resolved an issue that in some cases caused the Sessions dashboard widget to show more sessions than what the system was actually processing.

701228

The diagnose npu np7 gtp-stats-all command no longer requires an NPU ID.

704140

Improved the accuracy of the SPU statistics displayed on the GUI.

704328

The interface used for HA hardware session synchronization can no longer incorrectly be assigned an IP address.

704463

Resolved a VXLAN throughput performance issue.

704741

The execute disk scan command now works as expected on systems with log disks.

705118

Resolved multiple NP7-related DoS protection bugs.

705322

Resolved an issue that could block session synchronization between FGSP peers.

705329

FortiGates with NP7 processors now support using a LAG interface for FGSP session synchronization.

705792 708569

Resolved multiple issues with NP7 CAPWAP offloading that could block client traffic when the dtls-policy setting on the FortiAP device is set to clear text or IPsec VPN.

705902

Resolved an issue that caused a PBA leak while running a high amount of UDP traffic.

706150

Resolved an issue with EIF and ALG session handling that can cause sessions to be lost and problems with resource allocation.

706196 709892

Resolved syntax check issues that prevented adding valid policy routes that do not have a gateway configured and allowed adding invalid policy routes with no outgoing interface configured.

706256

Any valid address object, including an FQDN address, can be added to a DoS policy.

706601

Resolved an issue that caused the output of the diagnose sys npu-session list command to show the wrong duration time for sessions on a secondary FortiGate in an FGCP cluster.

706871

Improved the quality of the information displayed by the diagnose npd policy sync command.

707714 703290 709590 709786

Resolved various NPD process crash issues.

708415

The per-session-ending log mode now works as expected if the FortiGate is set to use the CPU for hardware logging. See Configuring hardware logging for more information.

708839

Resolved an issue that could cause a FortiGate with CAPWAP offloading to become unresponsive when adding a VLAN interface to a wireless interface.

708874

Resolved an issue that could cause delays for some types of traffic after an HA failover.

709046

Resolved an issue that could cause inaccurate statistics reporting when the system is processing a large number of sessions.

709481

Added support for proxy-based SIP in hyperscale firewall VDOMs.

710219

Added support for VLANs over LAG for GTPu enhanced mode traffic.

710232

Resolved an issue that caused BGP flapping when processing high levels of bursty traffic or when processing fragmented packets.

710475 709091

The diagnose sys npu-session stats command now displays the correct IPv6 session setup rate.

710748

Resolved an issue that could prevent QSFP28 interfaces from connecting when speed is set to 40000full.

710999

The config dsw-dts-profile option of the config system npu command is now available for the FortiGate-4200F/4201F/4400F/4401F. See config dsw-dts-profile.

712291

Forward error correction (FEC) is now set correctly for split interfaces.

712517

Resolved multiple issues that could prevent NAT64 hairpin policies from working as expected.

713821

Information displayed by the diagnose firewall iprope6 show command is now correct.

714342

The diagnose hardware deviceinfo nic command no longer shows extra interfaces.

714350

Resolved an issue that could cause the VLAN ID to be missing from exception packets to and from VLAN interfaces.

725268

IPsec traffic can now be offloaded when being sent over an EMAC VLAN interface.
