Changes in CLI

Changes in CLI

Bug ID	Description
614892	Remove `spectrum-analysis` in `wtp-profile` and `override-analysis` in `wtp`.
621751	In a FortiSwitch LACP trunk, ports of the same negotiated speed are grouped into an aggregator. The `aggregator-mode` setting allows users to select the aggregator based on bandwidth or number of links. config switch-controller managed-switch edit <serial_number> config ports edit <port> set mode lacp-passive set aggregator-mode {bandwidth \| count} next end next end
639237	EMS server can now generate dynamic address with MAC address in addition to IP address. The switch controller's NAC policy can reference MAC-based dynamic firewall address from EMS as a match condition. config firewall address edit <name> set type dynamic set sub-type ems-tag set obj-type [ip \| mac] next end config user nac-policy edit <ID> set category ems-tag set ems-tag <address> next end
643514	The `hold-time` option allows users to set a hold time in hours or days to hold their signatures after a FortiGuard IPS signature update. During the hold period, the signature's action becomes monitor. config system ips set signature-hold-time <##d##h> set override-signature-hold-by-id <enable\|disable> end
643831	Enable users to filter IPS signatures based on CVE IDs (CVE-YYYY-NNNN), or by a CVE wildcard (CVE-YYYY). config ips sensor edit "cve" config entries edit 1 set cve <CVE ID or Wildcard> next end next end

Changes in CLI

Bug ID

Description

614892

Remove spectrum-analysis in wtp-profile and override-analysis in wtp.

621751

In a FortiSwitch LACP trunk, ports of the same negotiated speed are grouped into an aggregator. The aggregator-mode setting allows users to select the aggregator based on bandwidth or number of links.

config switch-controller managed-switch
    edit <serial_number>
        config ports
            edit <port>
                set mode lacp-passive
                set aggregator-mode {bandwidth | count}
            next
        end
    next
end

639237

EMS server can now generate dynamic address with MAC address in addition to IP address. The switch controller's NAC policy can reference MAC-based dynamic firewall address from EMS as a match condition.

config firewall address
    edit <name>
        set type dynamic
        set sub-type ems-tag
        set obj-type [ip | mac]
    next
end

config user nac-policy
    edit <ID>
        set category ems-tag
        set ems-tag <address>
    next
end

643514

The hold-time option allows users to set a hold time in hours or days to hold their signatures after a FortiGuard IPS signature update. During the hold period, the signature's action becomes monitor.

config system ips
    set signature-hold-time <##d##h>
    set override-signature-hold-by-id <enable|disable>
end

643831

Enable users to filter IPS signatures based on CVE IDs (CVE-YYYY-NNNN), or by a CVE wildcard (CVE-YYYY).

config ips sensor
    edit "cve"
        config entries
            edit 1
                set cve <CVE ID or Wildcard>
            next
        end
    next
end

FortiOS Release Notes

Changes in CLI

Changes in CLI