Remove sticky clients by maintaining good SNR clients in BSS. Low SNR-based clients shall be deauthenticated and not allowed in BSS until SNR improves for these.

config wireless-controller vap
    edit weak-signal-vap
        set probe-resp-suppression enable|disable
        set probe-resp-threshold
        set radio-sensitivity enable|disable
        set radio-2g-threshold
        set radio-5g-threshold
        set sticky-client-remove enable|disable <==added
        set sticky-client-2g-threshold <==added
        set sticky-client-5g-threshold <==added
    end
end

For DFS-approved countries, add 160 MHz channel bonding support for FortiAP U421EV, U422EV, and U423EV models

config wireless-controller wtp-profile
    edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
        config radio-2
            set band 802.11ac
            set channel-bonding 160MHz
        end
    next
end

Add virtual switch feature for FG-140E and FG-140E-POE.

Support SSL VPN sign on using certificate and remote (LDAP or RADIUS) username/password authentication.

Support VMWare tag filters in ESXi SDN connectors. Support obtaining and filtering of addresses by distributed port group names when a VM is attached to a distributed virtual switch.

Decouple the memory size limit from the private VM license.

In wids-profile, add the new ap-scan-threshold setting, which is the minimum signal level of rogue APs detected and required by the managed FortiAP devices. Only the rogue APs with a signal level higher than the threshold will be reported to the FortiGate WiFi Controller.

config wireless-controller wids-profile
    edit <WIDS-profile-name>
        set ap-scan enable
        set ap-scan-threshold "-80"
    next
end

The range of ap-scan-threshold, in dBm, is -95 to -20 (default = -90).

Support proxy traffic after TCP three-way handshake from client to original server for a specific port.

CLI changes:

• Add proxy-after-tcp-handshake option in protocol option and SSL-SSH profile.

REST API to support transaction operation.

Monitor API to check SLBC cluster checksum status. New API added - monitor/system/config-sync/status.

Introduce 802.11ax support for FortiAP-U431F and FortiAP-U433F:

• Tri-radio support
• Radio mode 11ax support
• Dual 5G and single 5G mode support
• HE (high efficiency)/160 MHz bandwidth/TWT support

Consolidate Monitor and FortiView pages.

FortiView and Monitor entries have been removed from the navigation bar. Most of the pages under them now show up as widgets in several newly added default dashboards. Exceptions being:

• WiFi Client Monitor, which has been renamed to WiFi Clients and moved to the WiFi & Switch Controller section
• Modem and WAN OPT pages which will still show up under Monitor if the feature is enabled.

Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labeled Fabric Connection. If either CAPWAP or FortiTelemetry were enabled on a particular interface, the new fabric option will be enabled after upgrading.

FortiGate support for NSX-T v2.4: East/West traffic.

Move SAML configuration to the Security Fabric menu.

• Move the SAML settings page to a slide with an Advanced Options button on the Security Fabric Setup page.
• On the Security Fabric Setup page and SAML SSO configuration slide, show SAML toggle and some basic fields: default login page and default login profile for SP, IdP certificate. This way, the workflow to enable downstream SSO can be done from the root FortiGate. The backend will auto-configure the SP.
• Show a warning message box in the topology tree when the FortiGate does not have SSO configured if the root is the IdP. The Configure button is orange and matches the warning message box.

External IP list (threat feed) object support added to security policy.

Add support for EMS cloud.

• Added CMDB attribute fortinet-one-cloud-authentication to FortiClient EMS table.
• Added curl verbose diagnosis debugs to FortiClient NAC daemon for debug images.
• Added fortiems-cloud option to type attribute in user.fsso table.

Add IPv4 source guard to the switch controller.

Added CLI command to push ip-source-guard static entries to FortiSwitch.

• This feature enables source guard entries to be set for physical switches as well as trunk ports.
• The source guard IP needs to be unique for every source guard entry across all ports.
• The binding entry is a second level table (switch_id being the base) with port_name as the parent key. Deleted events work at a switch level, but the with second level tables, there is a need to store grandparent context as well. An opaque data field has been created in the queue node and the corresponding flcfg_add_event_queue and flcfg_delete_sw_event_queue have been modified accordingly.
• Any calls to the flcfg_add_event_queue have been modified.
• There are two kinds of events that will be generated with this command: FLCFG_MSW_CMF_SOURCE_GUARD_UPDATE for port level info change and FLCFG_MSW_CMF_SOURCE_GUARD_ENTRY_UPDATE for binding entry level info change.

Support FSSO for dynamic addresses and support ClearPass endpoint connector (via FortiManager).

CLI changes:

• Add command to show FSSO dynamic address from authd daemon:

  diagnose debug authd fsso show-address

• Make diagnose firewall dynamic commands to accept one optional parameter as address name:

  diagnose firewall dynamic list

  diagnose firewall dynamic address

• Add FSSO subtype for firewall address:

  config firewall address
      edit <name>
          set sub-type fsso
      next
  end

GUI changes:

• Address dialog page
  • New subtype field to select between FSSO and Fabric Connector
  • New FSSO group field to select address group
• Address list page
• Tooltip for new FSSO dynamic address supports resolved address
• Detail column shows the address groups for the address

Support SAML method in firewall and SSL VPN authentications.

CLI changes:

• Add new CLI setting for SAML user:

  config user saml
      edit *
      set ?
          cert Certificate to sign SAML messages.
          *entity-id SP entity ID.
          *single-sign-on-url SP single sign-on URL.
          single-logout-url SP single logout URL.
          *idp-entity-id IDP entity ID.
          *idp-single-sign-on-url IDP single sign-on URL.
          idp-single-logout-url IDP single logout url.
          *idp-cert IDP Certificate name.
          user-name User name in assertion statement.
          group-name Group name in assertion statement.
      next
  end

Policy route changes:

• Added Hit Count and Last Used columns for Routing Monitor > Policy, Policy Route List, and SD-WAN Rules pages.

SD-WAN interfaces:

• SD-WAN in navigation bar renamed SD-WAN Interfaces.
• SD-WAN Interfaces list converted to a full page list with pie charts at the top.
• Added Sessions, Upload, Download (bandwidth), Bytes Sent, and Bytes Received columns to the table.
• The Edit dialog is no longer a slide in so it is consistent with other full page lists.

SD-WAN rules:

• Added a checkmark next to interface that is currently selected by SD-WAN.
• Checkmark has Member is selected tooltip. A reason (has best measured performances/meets most SLAs) is further stated for Best Performance (priority) and SLA (SLA/load-balance) strategies.
• If multiple members are selected at the same time, GUI only marks the highest ranked member, unless mode is load-balance.
• Added health check/SLA statistics tables for SD-WAN member omni select tooltip.
• In the Edit dialog, the Strategies field changed to cards to allow a brief description of each strategy.
• Added gutter to the Edit dialog. The gutter contains Last used and Hit count of the rule.
• The gutter also contains a table showing statistics of currently selected members for SLA.
• Added support for multiple members being selected in manual mode.

Performance SLA:

• Added support for IPv4 DNS protocol.
• Added support for using system DNS. GUI will display the system DNS server in this case.
• Support set members 0, which means all SD-WAN members participate in a health check.

SD-WAN rule correlation improvement.

Support destination MAC addresses in the sniffer traffic log.

For FortiGate Azure HA, change public IP and routing table entries allocated in different resource groups.

In an Azure HA scenario, EIP and route tables failover are specified in the SDN connector configuration. A new attribute, resource-group, was added, which allows a user to specifying the resource group that an EIP or route table is from. This new attribute can be empty so upgrade code is not required.

If the resource-group of an EIP or route table is not provided, it is assumed the resource comes from the same resource group setting in the SDN connector (if there is no setting, it assumes the same resource group as the FortiGate itself by getting it from the instance metadata).

CLI changes:

• Add resource-group attribute.

Add UTM log for FortiAnalyzer cloud-based subscription.

CLI changes:

• Default FortiAnalyzer Cloud filters set to enable

  config log fortianalyzer-cloud filter

Most options within config log fortianalyzer-cloud filter defaulted to disable and could not be changed. Now, they default to enable and can be changed. License-based restrictions still apply, but the configuration can be used to refine the logs being sent to FortiAnalyzer Cloud.

The exception is the dlp-archive option, which is still set to disable and cannot be changed.

Consolidate IPv4 and IPv6 policy configuration.

CLI changes:

• policy6 removed, related function and attribute removed
• consolidated.policy removed, related function and attribute removed
• system.settings.consolidated-firewall-mode removed, consolidated related function and attribute removed
• Both policies are merged to firewall.policy
• Application changes related to policy merge including ips, wad, sslvpn, ocvpn, dnsproxy, voip, urlfilter, proxy, scanunit, authd, snmp, updated, miglogd, etc.

GUI changes:

• IPv4 Policy and IPv6 Policy menu entries have been removed and both can now be configured under the new Firewall Policy menu.

Increase IPS custom signature length to 4096.

Automatically disable NPU offloading if the session interface has shaping-profile enabled.

Add IKE HA support for combined FGSP (L3 cluster) and FGCP (L2 cluster). This corrects the synchronization between FGCP and FGSP clusters in order to guarantee a real ability to failover IPsec tunnels.

FortiGate debugger Chrome extension support.

The extension improves the quality of GUI bug reports. The extension communicates with FortiOS and allows users to perform a capture. The capture includes (but is not limited to) the following:

• Screen recording
• Device metadata
• Client (browser) metadata
• HTTP network logs
• JavaScript console logs
• Various daemon logs
• Client memory and CPU usage
• Device memory and CPU usage

Authentication support for upstream/chained proxy in transparent mode.

FortiAP profile support for FortiAP-231E NPI model.

CLI changes:

• Added wtp-profile support for FAP-231E NPI platform.
• Multimode: single 5G and dual 5G same as U43xF with minor differences:
  • Single 5G
    • Radio 1 operates at 2.4 GHz
    • Radio 2 operates at 5 GHz
    • Radio 3 set to monitor mode
      • Dual 5G
        • Radio 1 operates at 5 GHz and uses the higher spectrum of channels ( >= 64 )
        • Radio 2: operates at 5 GHz and uses the lower spectrum of channels ( < 64)
        • Radio 3: can be set to AP mode
• New wtp-profile platform property ddscan.
• FortiGate will configure DFS channels on FAP-231E with region code E, I, V, Y, and D.
• Default mode for 3-radio AP models set to single 5G .

GUI changes:

• Added GUI support for FAP-231E platform:
  • New GUI option, Dedicated scan, which is counterpart of ddscan platform property.
  • When dedicated scan is enabled:
    • Monitor mode becomes exclusive to radio 3
    • No AP mode for radio 3, even in dual 5G
    • No WIDS profile setting for radio 1 and 2

API changes:

• /api/v2/monitor/wifi/ap_platforms
  • Radio property changed from object to array to accommodate for multimode platforms. First element is single 5G, and second is dual 5G platform radio configuration. For non-multimode platforms, array is of length 1.

The feature extends the quarantine function on the FortiSwitch by allowing a device to be quarantined but remain with the VLAN where it was detected. The option to quarantine devices to a VLAN remains available.

GUI changes in OCVPN to map user workflow habit.

Limit OCVPN spoke to only join existing overlay.

Monitoring DHCP Pool via SNMP query and trap.

• Added SNMP query OIDs (1.3.6.1.4.1.12356.101.23) for the following DHCP servers:
  • OID: 1.3.6.1.4.1.12356.101.23.1.1
  • FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgDhcp.fgDhcpInfo.fgDhcpServerNumber
  • OID: 1.3.6.1.4.1.12356.101.23.2.1.1.2
  • FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgDhcp.fgDhcpTables.fgDhcpTable.fgDhcpEntry.

    fgDhcpLeaseUsage

• Added one SNMP trap (1301) for 3 DHCP events (DHCP server runs out of IP pool, IP address is already in use, or DHCP client interface received NAK).
• In CLI, added dhcp option to events setting in SNMP configuration.

NetFlow using HA reserved management interface.

DPDK support on FortiOS VM platform.

Allow administrators the ability to modify some configuration options of automatically generated VLANs by the switch controller. These changes are applied at the time of VLAN creation.

Add automated detection and recommendations to configuration and conditions observed in the switch controller and FortiSwitch network. Administrators may accept the recommendations and have them automatically applied.

Provide an integrated FortiGate network access control (NAC) function to the FortiAP and FortiSwitch networks by using a shared set of NAC policies. The NAC policy can be applied based on data from the user device list.

Add antiphishing feature. The initial implementation adds functionality into WAD by parsing incoming HTTP requests, looking for known credentials, and if there is a match, performing the configured action.

Extend SSL and certificate options in ssl-ssh-profile.

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config ssl
            set inspect-all disable
        end
        config https
            set ports 443
            set status deep-inspection
            set proxy-after-tcp-handshake disable
            set client-certificate bypass
            set unsupported-ssl-cipher allow       <==added
            set unsupported-ssl-negotiation allow  <==added
            set expired-server-cert block          <==added
            set revoked-server-cert block          <==added
            set untrusted-server-cert allow
            set cert-validation-timeout allow      <==added
            set cert-validation-failure block      <==added
            set sni-server-cert-check enable
        end
    next
end

Add new style-3 option for dhcp-option82-circuit-id-insertion when dhcp-option82-insertion is enabled. style-3 is an ASCII string composed of NETWORK-TYPE:WTPPROF-NAME:VLAN:SSID:AP-MODEL:AP-HOSTNAME:AP-MAC.

config wireless-controller vap
    edit br-vap
        set dhcp-option82-insertion enable
        set dhcp-option82-circuit-id-insertion style-3 <==added
    next
end

Add match-vrf under route-map.

config router route-map
    edit <name>
        config rule
            edit <id>
                set match-vrf Match VRF ID. <==added
            next
        end
    next
end

Add vrf-leak under BGP configuration.

config router bgp
    config vrf-leak added
        edit <id> added
            config target added
                edit <id> added
                    set route-map <==added
                    set interface <==added
                next
            end
        next
    end
end

Add clear route vrf-leak commands.

execute router clear bgp all vrf-leak

execute router clear bgp all soft vrf-leak

Support MAC and weight in device identification signatures to improve IoT detection. All device identification signatures have been updated to:

• Allow the MAC address of the device to be part of the key for a signature so it can be used to allow to signatures that would otherwise be identical to be separated by MAC address, and allow them to identify the correct device.
• Allow every signature to have a weight (0-255) that is used as a component of the new rules, which determines when the result of one signature should override the result of another signature.

Add client DHCP options.

config system interface
    edit wan1
        set mode dhcp
        ....
        config client-options
            edit 1
                set code 60
                set type {hex | string | ip | fqdn}
                set value|ip "xxxxxx"
            next
        end
    next
end

Support for additional SHA2 algorithms with SNMPv3.

Support UTM inspection on asymmetric traffic in FGSP where traffic returning to the session owner is encapsulated in UDP via the peer interface. As a result, the inter-cluster-session-sync setting under config system ha is removed.

WiFi client IPv6 traffic is supported by tunnel mode and local bridge mode SSID.

Add new IPv6 suppression rule under VAP configuration.

config wireless-controller vap
    edit vap-ipv6
        set ipv6-rules drop-icmp6ra drop-icmp6rs drop-llmnr6 drop-icmp6mld2 drop-dhcp6s drop-dhcp6c ndp-proxy drop-ns-dad drop-ns-nondad 
    next
end

Update interface-related pages to use AngularJS and muTable.

Interfaces list:

• Radio buttons in the top-right corner let users switch between grouping by type, role, and sort lists alphabetically have been removed. There is a dropdown instead with the following options:
  • Group by type
  • Group by zone
  • Group by status,
  • Group by role
  • No grouping
• Zones do not support parent-child relationships anymore.
• The DHCP Server column has been divided into two separate columns, DHCP Clients and DHCP Ranges.
• CSF support has been added. When switching to a downstream device, both the list and the faceplate should update.
• For VDOMs, administrators can only view complete information about interfaces for the VDOM they are in. This applies even to administrators who have access to more than one VDOM.
• On devices that support VLAN switching, the VLAN Switch Mode toggle has been removed from the list page. It now shows up under System> Settings.
• Faceplates do not auto-refresh on page load anymore. For auto-refresh, users need to enable the muTable refresh feature from the button in the bottom-right corner.

Interfaces dialog:

• Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labeled Fabric Connection.
• The secondary IP address toggle has been moved from the Miscellaneous section to the Address section.
• A gutter has been added that displays the device hostname, the interface it belongs to, and relevant help links.

CLI changes:

• Consolidate fortitelemetry and capwap into fabric for allowaccess in system.interface.

In order to more accurately detect Internet of Things (IoT), a new FortiGuard service provides a large database of device IoT identification. Devices detected on the local FortiGate and via FortiAP and FortiSwitch networks can be queried with the FortiGuard IoT device database to provide enhanced identification.

Add prompt in CLI when creating a new VDOM.

This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk.

Add kernel support for the IEEE 802.1ad (QinQ) feature.

In the past, 802.1Q specification allowed a single VLAN header to be inserted into an Ethernet frame. This new feature allows one more VLAN tag to be inserted into a single frame.

Enable autoscale feature in KVM platforms for use in OpenStack.

Starting from FortiOS 6.2.3 and 6.4.0, a single annually contracted SKU contains both VM base and one of the FC service bundles. It is BYOL (bring-your-own-license) and supports VMware ESXi, KVM, Hyper-V, Xen, AWS, Azure, Azure Stack, GCP, OCI, Alibaba Cloud, Rackspace, VMware NSX-T, and Nutanix.

Replace FSSO with REST API for EMS connector.

Add option to enable/disable DFS zero wait functionality for 5 GHz radio on FAP-U platforms.

config wireless-controller wtp-profile
    edit "FAPU431F-default"
        config platform
            set type U431F
        end
        set handoff-sta-thresh 30
        config radio-1
            set band 802.11ax-5G
            set zero-wait-dfs [enable | disable] <==added, default is enable
        end
        config radio-2
            set band 802.11ax
        end
        config radio-3
            set mode monitor
        end
    next
end

New feature added so local-standalone can be enabled on local bridge mode VAP with external captive portal type.

config wireless-controller vap
    edit "lo-sd-cap"
        set ssid "local-stand-cap"
        set security captive-portal
        set external-web "https://172.18.56.163/portal/index.php"
        set radius-server "peap"
        set local-standalone enable <==added
        set local-bridging enable
        set portal-type external-auth
    next
end

Support ADVPN peer-to-peer shortcuts through NAT.

This solution provides hole punching support for RFC 4787 compliant NATs that use endpoint independent mapping. For a given source IP/port, the NAT mapping observed by the hub does not change when communicating with other endpoints, such as spoke-to-spoke shortcuts.

GUI change:

• After setting the radio to monitor mode, the spectrum analysis tag is enabled in the FortiAP View More Details page. The tag displays the spectrum scan results for 2.4G and 5G bands.

CLI changes:

• Add get command to view spectrum data for an AP.

  get wireless-controller spectral-info <wtp_id> <radio_id>

• Add exec command to start spectrum analysis.

  exec wireless-controller spectral-scan <wtp_id> <radio_id> <on/off> <duration(s)> <channels> <report-interval>

Allow SD-WAN monitor to work on ADVPN shortcut.

With this enhancement, SD-WAN can monitor link quality of the shortcut VPN between spoke-to-spoke. The SD-WAN service rules among spokes can accurately rely on SLA performance to determine which link to use.

CLI changes:

• Add a configurable probe count as number of most recent probes to calculate latency and jitter.
• This new option is under config system virtual-wan-link > config health-check > edit a health-check.

Add apcfg-profile in WiFi controller to allow storing and pushing FortiAP local configuration to FortiAP units.

config wireless-controller apcfg-profile <==added
    edit [Profile Name] <==added
    next
end

config wireless-controller wtp-profile
    edit "FAP423E-default"
        config platform
            set type 423E
        end
        set apcfg-profile "FAP423E-apcfg" <==added
    next
end

This feature is currently only applicable on FAP-W2/S models with the latest 6.4 firmware.

Add encryption option for FGSP.

Support 24 interfaces in FG-VM.

New profiles added for NPI platforms, FAP-431F and FAP-433F.

config wireless-controller wtp-profile
    edit "FAP433F-default"
        config platform
            set type 433F <==new type
            set ddscan enable
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
        end
    next
    edit "FAP431F-default"
        config platform
            set type 431F <==new type
            set ddscan enable
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
        end
    next
end

New subscription service for IoT device identification.

For FortiAPs managed by the FortiGate, a new layer-3 access control list (ACL) can be applied to the bridge or tunnel mode SSID. This is supported on 6.4.0 FortiAP-S and FortiAP-W2, and 5.4.3 FortiAP-C platforms.

config wireless-controller access-control-list <==added
    edit "ACL-1"
        config layer3-ipv4-rules
            edit 10
                set dstaddr 172.16.200.44/255.255.255.255
                set action deny
            next
            edit 20
                set protocol 1
                set action deny
            next
            edit 30
                set dstport 21
                set action deny
            next
        end
    next
end

config wireless-controller vap
    edit "wifi.fap.01"
        set ssid "starr-ssid.fap.01"
        set passphrase xxxxxxxx
        set local-bridging enable
        set access-control-list "ACL-1" <==added
    next
end

FortiGate will assign a report index for each managed FAP, so the FAP can send client, rogue AP, and rogue station information in order. This can prevent the burst CPU usage to deal with reports from all FAPs at the same time. This is not a visible functionality. It is a backend optimization feature.

Add provision for FortiAP unit to upgrade to designated firmware version that has been stored on the FortiGate, while upgrading by image download after it joined.

config wireless-controller wtp
    edit "FP423E3X16000020"
        set admin enable
        set firmware-provision "6.4.0412" <==added
        set wtp-profile "FAP423E-default"
        config radio-1
        end
        config radio-2
        end
    next
end

With this change, a FortiGate with a built-in disk can hold up to four versions of firmware for each FAP model instead of one as before. A FortiGate without built-in disk can hold one version as before.

This change includes multiple behavior changes to both the CLI and GUI:

• Add default automation rules (after factory reset). They are all disabled by default except for the FortiExplorer push notification.
• Add new incoming webhook trigger for automation.
• Remove Email Elert Settings page.
• Add new API for POST /api/v2/monitor/system/automation-stitch/webhook/<trigger mkey>.

Allow mtu-override for an IPsec interface.

config system interface
    edit ipsec-tunnel-1
        set type tunnel
        set mtu-override enable/disable <==added
        set mtu 1400 <==added
    next
end

Support diffserv code setting for SD-WAN health check probe packet. When SD-WAN health check packet is sent out, the differentiated services code point (DSCP) can be set with the set diffservcode command:

config system virtual-wan-link
    config health-check
        edit h1
            ....
            set diffservcode <6-bits binary, range 000000–111111>
            next
        end
    next
end

The purpose of the VLAN probe tool is to help customers to decide whether or not there is a WiFi problem when they cannot reach the internet. The FortiGate and FortiAP work together to scan all available VLANs to help customers to find the real internet issue.

Simplify the Security Fabric > Settings page.

The Security Fabric Settings page has been renamed to Fabric Connectors and all the settings under it now show up as separate cards. The Fabric Connectors menu entry is renamed and shows up as External Connectors.

• Fabric Connectors is now a card view similar to External Connectors with various Fortinet products (FortiSandbox, FortiManager, Cloud Logging, etc.).
• Every card goes to its own dialog instead of having a dialog with all the configuration settings.
• CSF support is not added in this version.
• Various statistics and connectivity results have been moved from the main dialog to the gutter to reduce clutter from the Edit dialog views.