Fortinet Document Library
Table of Contents
GUI
Getting started
Firmware upgrade notifications
FortiCloud account title transfer 6.4.1
FortiCare registration disclaimer 6.4.1
Dashboards and widgets
Consolidate Monitor and FortiView pages
IP address tooltips
View session information for a compromised host 6.4.1
Consolidated dashboard usability improvements 6.4.1
Add detachable CLI console tabs 6.4.2
Implement a user device store to centralize device data 6.4.3
Security Fabric
Fabric settings
Integrate FortiAnalyzer management into the Security Fabric using SAML SSO
Simplify FortiClient EMS setup
Simplify the synchronization of EMS tags and configurations
Allow FortiNAC to join the Security Fabric
Redesign Fortinet Fabric Connectors and Fabric setup pages
Display endpoints in Topology using donut chart
Using the root FortiGate with disk to store historic user and device information
Synchronizing objects across the Security Fabric
Streamlined Fortinet Security Fabric setup between FortiGates 6.4.2
Use an FQDN in FortiSandbox fabric connectors 6.4.2
FortiMail Security Fabric integration 6.4.2
Improvements to synchronizing objects across the Security Fabric 6.4.4
Detect FortiManager Cloud account level subscription 6.4.4
SDN connectors
SDN connector for Cisco ACI northbound API integration
Support multiple SDN connector instances for Cisco ACI and Nuage
Multifunction tooltip for Fabric connectors
Exchange Server connector with Kerberos KDC auto-discovery
Support IBM Cloud SDN connector 6.4.1
Support ServiceTag and Region for Azure SDN connector address objects 6.4.2
Multiple IP addresses on Cisco ACI connectors 6.4.4
Automation stitches
Automation stitches
Slack notification action
NSX-T quarantine action 6.4.1
FortiNAC quarantine action for automation 6.4.2
Security ratings
Redesign Security Rating scorecards
Tests for FortiSwitch added to Security Rating 6.4.2
Security rating report in multi VDOM mode 6.4.3
Network
SD-WAN
SD-WAN event log subtype
SD-WAN logging improvement to identify matched application
SD-WAN configuration portability
SD-WAN log format improvements
SD-WAN monitor on ADVPN shortcuts
SD-WAN GUI and monitoring enhancements
Enhance ADVPN to support UDP hole punching for spokes behind NAT
SD-WAN health check packet enhancement
Weighted round robin for IPsec aggregate tunnels
Default_DNS performance SLA profile
Interface speedtest
Support SD-WAN integration with OCVPN
Allow FortiClient to join OCVPN
Support SD-WAN interface as a security zone 6.4.1
ADVPN hub and spoke VPN Wizard improvements 6.4.2
Allow MAC addresses to be used in SD-WAN rules and policy routes 6.4.2
Up to 1024 spokes in OCVPN 6.4.2
SD-WAN enhancements 6.4.2
Define SD-WAN duplication rules to duplicate packets on other members of the SD-WAN zone 6.4.2
Allow packet duplication on SD-WAN based on SD-WAN rules 6.4.3
BGP additional path limit increased to 255 6.4.3
SD-WAN IPv6 route tag 6.4.4
REST API to monitor SD-WAN SLAs for ADVPN shortcuts 6.4.5
General
Route leaking between VRFs
IBGP and EBGP support in VRF
Set minimum RIP update timer to one second
DHCP client options
Assign a subnet to FortiGate with the FortiIPAM service 6.4.1
VRF GUI support 6.4.2
Determine if recursive distance is evaluated in BGP's next hops under ECMP 6.4.2
IPv6
IPv6 geography-based address support
Support for IPv6 in central SNAT table
FQDN support for remote gateways
MAP-E support 6.4.1
IPv6 MAC addresses and usage in firewall policies 6.4.2
Web proxy
Authentication support for upstream proxy in transparent proxy mode
Support TLS 1.3 for proxy forward servers in certificate inspection mode 6.4.1
System
General
Admin profile option for diagnostic access
FortinetOne renamed FortiCloud
No session timeout
Confirmation prompt when creating new VDOMs
FortiOS image signing and verification
Consistent style for replacement messages 6.4.2
High availability
Force HA failover for testing and demonstrations
Support UTM inspection on asymmetric traffic in FGSP
Support UTM inspection on asymmetric traffic on L3
Add encryption for L3 on asymmetric traffic in FGSP
Override FortiAnalyzer and syslog server settings
Source interface setting for NetFlow data
SNMP
SNMP bridge MIB module support
Support SHA-2 for SNMPv3
SNMP traps and query for monitoring DHCP pool
SNMP polling extensions to support new OIDs 6.4.2
FortiGuard
Use anycast to communicate with FortiGuard servers
IoT detection service
Display cloud service communications statistics
Support third party CA signed certificates with OCSP stapling 6.4.2
Policy and Objects
Policies
Support SSL mirroring in proxy mode
Consolidated IPv4 and IPv6 policy configuration
UUID field added to all policy types
SNAT support for policies with virtual wire pairs
Interface-based traffic shaping with NP acceleration
Objects
Array structure for address objects
Allow creation of ISDB objects with regional information
IP definitions database merged into the internet service database
Extend ISDB to include well-known MAC address list
GeoIP matching by registered and physical location
Group address objects synchronized from FortiManager
Increase in maximum number of VIP real servers
GUI support for real server configurations using address objects 6.4.2
Security profiles
Antivirus
Security Profiles enhancements
Antivirus uses the extended database by default
Scan compressed messages over CIFS protocol in proxy mode 6.4.2
Application control
SSL-based application detection over decrypted traffic in a sandwich topology
Matching multiple parameters on application control signatures
Allow exclusion of signatures in application control profile 6.4.3
Web filter
Credential phishing prevention
Explicitly enable custom categories for web filter profiles, SSL/SSH inspection profiles, and proxy addresses 6.4.2
Configure web filter profiles in NGFW policy mode 6.4.2
Remove the option to rate images by URL in Web filter profiles 6.4.3
Rating submission link on web filter block and warning pages 6.4.5
IPS
Detecting IEC 61850 MMS protocol in IPS
IPS signature filter options 6.4.2
Others
Redirect to WAD after handshake completion
ICAP response filtering
Separate file filter into a standalone profile 6.4.1
Handling SSL offloaded traffic from an external decryption device in flow mode 6.4.4
VPN
IPsec and SSL VPN
Dynamic address support for SSL VPN policies
NAS-IP support per SSL VPN realm
Support defining gateway IP addresses in IPsec with mode-config and DHCP
Provision SSL VPN users in FortiClient Mobile with an email or SMS message 6.4.2
Configure DSCP for IPsec tunnels 6.4.3
User and authentication
Authentication
SAML SP for VPN authentication
Support for Okta RADIUS attributes filter-Id and class
Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers 6.4.3
Secure access
Wireless
Wireless IPv6 support
Tunnel mode SSID IPv6 traffic
Local bridge mode SSID IPv6 traffic
CLI commands for IPv6 rules
Support for spectrum analysis of FortiAP E models
Increase in maximum number of managed FortiAPs
Even distribution of FortiAP reports
View detailed information for individual WiFi connections
VLAN probe report
FortiAP client load balancing per AP
Layer three ACL configurations for Wireless APs
Maintain radio SSID WLAN IDs
Support for FAP431F and FAP433F
Support logging the signal-to-noise ratio and signal strength per client 6.4.1
Simplify BLE profiles to support broadcast of FortiAP UUID 6.4.2
Add ARRP profile for wireless controller 6.4.2
Extend spectrum analysis to support FortiAPs with three radios 6.4.2
Antenna Rx chain status check and notification 6.4.2
Standardize wireless health metrics 6.4.2
FortiAP query to FortiGuard IoT service to determine device details 6.4.2
Enhance MPSK functionalities for wireless controller 6.4.2
Adaptive radio architecture support 6.4.3
Support 802.11v optimized roaming and load balancing 6.4.3
Support IGMP Snooping (Wireless) 6.4.3
Use FortiGate to register managed FortiAP to FortiCloud 6.4.3
Add fields for wireless DHCP logs 6.4.3
Switch controller
Switch controller - quarantine by redirect
VLAN interface templates for FortiSwitch devices
Improved FortiSwitch support
GUI support for FortiLink groups
FortiSwitch link status visibility improvements
SNMP queries to the FortiGate Switch Controller for FortiSwitch and port information 6.4.2
Allow FortiSwitch Trunk mode selection on FortiGate 6.4.2
Send multiple RADIUS attribute values in a single RADIUS Access-Request 6.4.2
ECN configuration for managed FortiSwitch devices 6.4.2
Configure PTP Transparent Clock mode for managed FortiSwitch devices 6.4.2
Inter-operability with per instance RSTP 802.1w 6.4.2
FortiGate HA between remote sites over managed FortiSwitches 6.4.2
Register FortiSwitch to FortiCloud from the GUI 6.4.2
GUI support for multiple FortiLink interfaces 6.4.2
Switch controller option to control the sources used to update the user device list 6.4.2
Log sub-category for switch controller 6.4.3
Configure LLDP settings on a switch port that is leased to a tenant VDOM 6.4.3
Add a RADIUS timeout VLAN to a security policy 6.4.3
Add option to enable flow control and pause metering 6.4.3
Allow switch controller to set source IP for outbound connections 6.4.3
Enable IoT background scanning 6.4.3
NAC
Support NAC policies on switch ports
Added ability in FortiSwitch to query FortiGuard IoT service for device details
FortiSwitch voice device detection
Extend NAC matching condition to include EMS tags 6.4.2
FortiExtender
Support FortiExtender models with two modems 6.4.2
Support data plan profiles for FortiExtender 6.4.2
Log and report
Logging
Log buffer on FortiGates with an SSD disk
WAD and Proxyd SSL logging improvement
WAN interface bandwidth log
Include RSSO information for authenticated destination users in logs 6.4.1
Application logging in NGFW policy mode 6.4.2
Send traffic logs to FortiAnalyzer Cloud 6.4.4
Log updates to dynamic objects 6.4.5
Cloud
Public and private cloud
Simplify Azure Fabric connector configuration for a FortiGate-VM deployed on Azure
Support filtering on AWS autoscaling group for dynamic address objects
Support dynamic address objects in real servers under virtual server load balance
Support up to 24 interfaces on FortiGate VM
Enhanced autoscale clusters for FortiGate VM
Support FortiGate-VM in IBM Cloud platform 6.4.2
Obtaining a FortiCare-generated license for Azure on-demand instances 6.4.2
Configure FQDN-based VIPs from the GUI 6.4.2
Enhance the display of VM autoscale member information 6.4.2
Support for new VM bandwidth-limited SKUs 6.4.2
FOS support of VM-ELA (Flex-VM) 6.4.2
Liveness detection on NSX-T 6.4.3
Add FIPS cipher mode for AWS and Azure FortiGate VMs 6.4.3
IMDSv2 for FortiGate-VM on AWS 6.4.3
Add VDOM support for NSX-T 6.4.3
Support OCI compute shapes that use Mellanox network cards 6.4.3
Support OCI IMDSv2 6.4.4
FortiCarrier
GTP
IPv6 support for GTP 6.4.2
Add fields to correlate between traffic, GTP, and UTM logs 6.4.2
Multiple identities from the ULI field in GTP logs 6.4.2
NPU support for GTP-U encapsulated in IPv6 6.4.3
FortiASIC
Hardware acceleration
Use CP9/SoC3 entropy source
Identify the XAUI link used for a specific traffic stream
Change Log
FortiGate / FortiOS 6.4.0
New Features
GUI
This section includes new features related to the FortiOS GUI:
Getting started
Dashboards and widgets