OpenSSL updated to 1.1.1j for security fixes.

To avoid large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon:

• Prioritize established SAs.
• Offload groups 20 and 21 to CP9.
• Optimize the default embryonic limits for mid- and high-end platforms.

The IKE embryonic limit can now be configured in the CLI:

config system global
    set ike-embryonic-limit <integer>
end

The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1>, <m2>, ... <m12>
end

The interval is set in seconds (1 - 60, default = 1). The multiplies are twelve integers ranging from 1 -255, the default is 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8.

An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) number of continuous event logs.

Because pre-standard POE devices are uncommon in the field, poe-pre-standard-detection is set to disable by default. Upgrading from previous builds will carry forward the configured value.

When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed:

• If a FortiAnalyzer appliance is enabled, then the dialog will be for the FortiAnalyzer connector.
• If a FortiAnalyzer appliance is disabled but FortiAnalyzer Cloud is enabled, then the dialog will be for the Cloud Logging connector.
• If neither the FortiAnalyzer appliance or FortiAnalyzer Cloud are enabled:
  • If the device has a FAZC (standard FortiAnalyzer Cloud subscription) or AFAC (premium subscription) entitlement, then the dialog will be for the Cloud Logging connector.
  • If the device does not have a FAZC or AFAC entitlement, then the dialog will be for the FortiAnalyzer connector.
• When FortiAnalyzer Cloud is enabled and the FortiAnalyzer appliance is disabled, then the Cloud Logging connector will not let you switch to the FortiGate Cloud FortiAnalyzer.

Support Strict-Transport-Security in HTTPS redirect.

Support ICMP type 13 at local interface.

Increase the ICMP rate limit to allow more ICMP error message to be sent by the FortiGate per second. The ICMP rate limit has changed from 1 second (100 jiffies) to 10 milliseconds (1 jiffy).