Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Changes in CLI

Bug ID

Description

614892

Remove spectrum-analysis in wtp-profile and override-analysis in wtp.

621751

In a FortiSwitch LACP trunk, ports of the same negotiated speed are grouped into an aggregator. The aggregator-mode setting allows users to select the aggregator based on bandwidth or number of links.

config switch-controller managed-switch
    edit <serial_number>
        config ports
            edit <port>
                set mode lacp-passive
                set aggregator-mode {bandwidth | count}
            next
        end
    next
end

639237

EMS server can now generate dynamic address with MAC address in addition to IP address. The switch controller's NAC policy can reference MAC-based dynamic firewall address from EMS as a match condition.

config firewall address
    edit <name>
        set type dynamic
        set sub-type ems-tag
        set obj-type [ip | mac]
    next
end
config user nac-policy
    edit <ID>
        set category ems-tag
        set ems-tag <address>
    next
end

643514

The hold-time option allows users to set a hold time in hours or days to hold their signatures after a FortiGuard IPS signature update. During the hold period, the signature's action becomes monitor.

config system ips
    set signature-hold-time <##d##h>
    set override-signature-hold-by-id <enable|disable>
end

643831

Enable users to filter IPS signatures based on CVE IDs (CVE-YYYY-NNNN), or by a CVE wildcard (CVE-YYYY).

config ips sensor
    edit "cve"
        config entries
            edit 1
                set cve <CVE ID or Wildcard>
            next
        end
    next
end

Changes in CLI

Bug ID

Description

614892

Remove spectrum-analysis in wtp-profile and override-analysis in wtp.

621751

In a FortiSwitch LACP trunk, ports of the same negotiated speed are grouped into an aggregator. The aggregator-mode setting allows users to select the aggregator based on bandwidth or number of links.

config switch-controller managed-switch
    edit <serial_number>
        config ports
            edit <port>
                set mode lacp-passive
                set aggregator-mode {bandwidth | count}
            next
        end
    next
end

639237

EMS server can now generate dynamic address with MAC address in addition to IP address. The switch controller's NAC policy can reference MAC-based dynamic firewall address from EMS as a match condition.

config firewall address
    edit <name>
        set type dynamic
        set sub-type ems-tag
        set obj-type [ip | mac]
    next
end
config user nac-policy
    edit <ID>
        set category ems-tag
        set ems-tag <address>
    next
end

643514

The hold-time option allows users to set a hold time in hours or days to hold their signatures after a FortiGuard IPS signature update. During the hold period, the signature's action becomes monitor.

config system ips
    set signature-hold-time <##d##h>
    set override-signature-hold-by-id <enable|disable>
end

643831

Enable users to filter IPS signatures based on CVE IDs (CVE-YYYY-NNNN), or by a CVE wildcard (CVE-YYYY).

config ips sensor
    edit "cve"
        config entries
            edit 1
                set cve <CVE ID or Wildcard>
            next
        end
    next
end