When upgrading from previous FortiOS 6.2 versions to 6.4.0, the default WTP profiles with zero reference are deleted.

In FortiOS 6.4.0, the default WTP profiles are not created by default until a FortiAP is added by discovery or manually.

Interface egress shaping offload to NPU when shaping-offload is enabled.

Command exe log roll only rolls disk log, no matter what device filter is set.

Implement third-party certificate verification and OCSP stapling check for all FortiGuard servers connected from FortiOS. Make fortiguard-anycast enabled by default and through upgrading.

Allow user set gateway when they use VPN IPsec static and remote IP is empty.

CSF root FortiGate SDN connector and automation settings will not be synced down to CMDB in CSF downstream FortiGate anymore.

In a scenario where there are duplicate entries of config icap server with a duplicate combination of ip-addresss, ip-version, and port, the duplicate config icap server entries must be removed and replaced in the source data configuration (config icap profile). This step needs to be performed before upgrading in case of configuration loss.

Services that require connection to FortiGuard services such as web filter (FURL), spam filter (SPAM) and zero hour virus outbreak prevention (ZHVO), will now default to connecting through HTTPS/443 via Anycast. FortiGuard servers will also use 3rd party signed certificates and OSCP stapling.

From the CLI, the default has changed

From:

config system fortiguard
    set fortiguard-anycast disable
    set protocol https
    set port 8888
end

To:

config system fortiguard
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
    set protocol https
    set port 443
end

When upgrading, if fortiguard-anycast is enabled before the upgrade, system.fortiguard settings will remain after upgrade. If fortiguard-anycast is disabled, then new defaults will be enforced.

Change set interface setting under SD-WAN member as an optional configuration.