New features or enhancements

Bug ID	Description
634006	OpenSSL updated to 1.1.1j for security fixes.
638352	To avoid large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon: Prioritize established SAs. Offload groups 20 and 21 to CP9. Optimize the default embryonic limits for mid- and high-end platforms. The IKE embryonic limit can now be configured in the CLI: config system global set ike-embryonic-limit <integer> end
644218	The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper. config monitoring npu-hpe set status {enable \| disable} set interval <integer> set multipliers <m1>, <m2>, ... <m12> end The interval is set in seconds (1 - 60, default = 1). The multiplies are twelve integers ranging from 1 -255, the default is `4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8`. An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) number of continuous event logs.
660596	Because pre-standard POE devices are uncommon in the field, `poe-pre-standard-detection` is set to `disable` by default. Upgrading from previous builds will carry forward the configured value.
660624	When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed: If a FortiAnalyzer appliance is enabled, then the dialog will be for the FortiAnalyzer connector. If a FortiAnalyzer appliance is disabled but FortiAnalyzer Cloud is enabled, then the dialog will be for the Cloud Logging connector. If neither the FortiAnalyzer appliance or FortiAnalyzer Cloud are enabled: If the device has a FAZC (standard FortiAnalyzer Cloud subscription) or AFAC (premium subscription) entitlement, then the dialog will be for the Cloud Logging connector. If the device does not have a FAZC or AFAC entitlement, then the dialog will be for the FortiAnalyzer connector. When FortiAnalyzer Cloud is enabled and the FortiAnalyzer appliance is disabled, then the Cloud Logging connector will not let you switch to the FortiGate Cloud FortiAnalyzer.
670345	Support Strict-Transport-Security in HTTPS redirect.
673371	Support ICMP type 13 at local interface.
680599	Increase the ICMP rate limit to allow more ICMP error message to be sent by the FortiGate per second. The ICMP rate limit has changed from 1 second (100 jiffies) to 10 milliseconds (1 jiffy).
684133	Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

Bug ID

Description

634006

OpenSSL updated to 1.1.1j for security fixes.

638352

To avoid large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon:

Prioritize established SAs.
Offload groups 20 and 21 to CP9.
Optimize the default embryonic limits for mid- and high-end platforms.

The IKE embryonic limit can now be configured in the CLI:

config system global
    set ike-embryonic-limit <integer>
end

644218

The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1>, <m2>, ... <m12>
end

The interval is set in seconds (1 - 60, default = 1). The multiplies are twelve integers ranging from 1 -255, the default is 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8.

An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) number of continuous event logs.

660596

Because pre-standard POE devices are uncommon in the field, poe-pre-standard-detection is set to disable by default. Upgrading from previous builds will carry forward the configured value.

660624

When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed:

If a FortiAnalyzer appliance is enabled, then the dialog will be for the FortiAnalyzer connector.
If a FortiAnalyzer appliance is disabled but FortiAnalyzer Cloud is enabled, then the dialog will be for the Cloud Logging connector.
If neither the FortiAnalyzer appliance or FortiAnalyzer Cloud are enabled:
- If the device has a FAZC (standard FortiAnalyzer Cloud subscription) or AFAC (premium subscription) entitlement, then the dialog will be for the Cloud Logging connector.
- If the device does not have a FAZC or AFAC entitlement, then the dialog will be for the FortiAnalyzer connector.
When FortiAnalyzer Cloud is enabled and the FortiAnalyzer appliance is disabled, then the Cloud Logging connector will not let you switch to the FortiGate Cloud FortiAnalyzer.

670345

Support Strict-Transport-Security in HTTPS redirect.

673371

Support ICMP type 13 at local interface.

680599

Increase the ICMP rate limit to allow more ICMP error message to be sent by the FortiGate per second. The ICMP rate limit has changed from 1 second (100 jiffies) to 10 milliseconds (1 jiffy).

684133

Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

FortiOS Release Notes

New features or enhancements

New features or enhancements

New features or enhancements