
New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

480717

Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports.

555169

FortiToken Cloud GUI enhancements:

  • Add warning message when FortiToken Cloud balance is negative.
  • Add warning message when FortiToken Cloud user count exceeds quota.
  • Move email and SMS settings under the 2FA section.
  • Add CSF support for user definition, user groups, TACACS+, and FortiToken.

556054

With the newly-added compression methods used in the CIFS messages, FortiGates can now scan these compressed messages in proxy mode.

562031

Support security policy srcaddr-negate and dstaddr-negate options, which can be configured under firewall security policy.

config firewall security-policy
    edit <policyid>
        ...
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        ...
    next
end

573076

FortiGate generates a UUID for every managed FortiAP (WTP entry). A new BLE profile, fortiap-discovery, can facilitate iBeacon UUID deployment over FortiAP devices.

589621

New Azure on-demand and upgraded instances can retrieve a FortiGate serial number and license from FortiCare servers. Using the serial number, users can register the device to their account and start using FortiToken and FortiGate Cloud services.

596002

Add two new tables to the FortiOS enterprise MIB: FgSwDeviceEntry for details about connected FortiSwitches and FgSwPortEntry for port-related information.

596870

Add kernel support for the IEEE 802.1ad (QinQ) standard. Previously, the 802.1Q standard allowed a single VLAN header to be inserted into an Ethernet frame. This new feature allows one more VLAN tag to be inserted into a single frame.
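To make the tag stacking concrete, the following added example (illustration only, not FortiOS kernel code) parses the VLAN tags of an Ethernet frame. It walks every consecutive tag after the MAC addresses, so it handles untagged, single-tagged 802.1Q, and double-tagged 802.1ad (QinQ) frames. The EtherType values 0x8100 and 0x88A8 are the standard C-TAG and S-TAG identifiers; the frames built at the bottom are constructed sample data.

```python
"""Parse the VLAN tag stack of an Ethernet frame (802.1Q single tag, 802.1ad QinQ).

Added illustration, not FortiOS kernel code. All frames below are constructed.
"""
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag (C-TAG), IEEE 802.1Q
ETH_P_8021AD = 0x88A8  # service VLAN tag (S-TAG), IEEE 802.1ad
TAG_ETHERTYPES = {ETH_P_8021Q, ETH_P_8021AD}


def parse_vlan_stack(frame: bytes):
    """Return (dst_mac, src_mac, tags, inner_ethertype, payload).

    tags is a list of (tpid, pcp, dei, vid) tuples, outermost first. The loop
    consumes every consecutive VLAN tag, so an 802.1ad frame yields two entries,
    an 802.1Q frame one, and an untagged frame none.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    off = 12
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame: missing EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in TAG_ETHERTYPES:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, ethertype, frame[off + 2:]


def build_frame(dst, src, tags, ethertype, payload):
    """Build a frame with the given tag list; each tag is (tpid, pcp, dei, vid)."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample: S-TAG 100 carrying C-TAG 200 around a 20-byte IPv4 header stub.
QINQ_FRAME = build_frame(
    "00:11:22:33:44:55", "66:77:88:99:aa:bb",
    [(ETH_P_8021AD, 0, 0, 100), (ETH_P_8021Q, 3, 0, 200)],
    0x0800, b"\x45\x00" + b"\x00" * 18,
)

if __name__ == "__main__":
    dst, src, tags, etype, payload = parse_vlan_stack(QINQ_FRAME)
    print(dst, src, [(hex(t[0]), t[3]) for t in tags], hex(etype), len(payload))
```

The point for inspection and policy code is that the inner EtherType and payload are only reached after the whole tag stack has been consumed; code that strips a single tag and assumes the next two bytes are the L3 EtherType will misclassify double-tagged traffic.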

597301

Display information about autoscale members in the GUI and CLI, such as their serial number, IP address, instance ID, and transit gateway (AWS only).

600037

BSS coloring support on FAP-U431F/U433F (802.11ax AP).

606167

When the network monitor feature is enabled on the switch controller, the update-user-device option allows granular control of which sources to collect device information from. The information is populated on the FortiGate device list.

608557

Support proxy server for push service.

610596

Users can define IPv6 MAC addresses and apply them in a firewall policy, virtual wire pair policy, and other policy types.

610990

Add IPv6 only and IPv4v6 dual stack support for GTPv1 and GTPv2 on FortiOS Carrier.

614924

Users can configure automation with the Quarantine via FortiNAC action when setting triggers for Compromised Host or Incoming Webhook. When the automation is triggered, the client PC will be quarantined with its MAC address disabled in the configured FortiNAC.

617640

Add new filter keys servicetag and region in Azure SDN connector to filter out IP ranges of service tags. This can be applied to dynamic firewall addresses.

620994

For FortiAP models with three radios, spectrum analysis can be performed on the third radio on all channels from the 2.4 GHz and 5 GHz bands. On FortiAPs with two radios operating in AP mode, spectrum analysis can be performed on operating channels.

621714

To communicate timing precision between two ends, the transparent clock can be enabled to measure the overall path delay. This feature allows the FortiGate to configure this setting for supported FortiSwitch models.

621742

Add support to configure the FortiSwitch to send multiple RADIUS attribute values within a single RADIUS access request.

621746

Support explicit congestion notification (ECN) configuration for managed FortiSwitch.

621757

Add support to configure switch ports to enable interoperability with rapid PVST+ on managed FortiSwitches.

622291

Health metrics calculations are standardized in the backend, and consistent colors are used to represent good, fair, and poor metrics. In addition, the health data is now available through a REST API.

623821

For WiFi clients associated with a bridge SSID on a FortiAP that is connected to an Ethernet interface of a FortiGate, the DHCP Monitor widget can indicate the AP bridge and the SSID name in the Interface column of those clients' IP leases.

In the CLI, dhcp-option43-insertion is added under VAP configuration to support this feature.

config wireless-controller vap
    edit VAP01
        set dhcp-option43-insertion {enable | disable}
    next
end

By default, dhcp-option43-insertion is set to enable.

The minimum version required for FAP-U is 6.0.3. The minimum version required for FAP-W2 is 6.4.1.

629530

Support running BYOL FortiGate VMs on IBM Cloud platform.

630238

Allow configuration of up to 16 FGSP standalone peers in system standalone-cluster.

630881

Various new scenarios are added in Security Rating to test the FortiSwitch network and make recommendations to optimize the setup.

631818

Add new OIDs to support SNMP queries for IPv4 and IPv6 IPsec tunnels, and SNMP queries for license details.

635717

Monitor FortiAP antenna status (per Rx chain) and log wireless events when an antenna defect is detected.

635795

The ARRP profile improves upon DARRP by enabling more factors to be considered for optimizing channel selection among FortiAPs.

637508

Add CLI commands to improve WAD debugging.

  • diagnose wad memory report prints memory-related statistics of all workers, which includes those shown in diagnose test app wad {2 3 803 21 22 23 25 27 70 120 123}.

  • diagnose wad memory monitor monitors WAD memory usage. WAD memory usage is checked at a regular interval, and a report is generated if the WAD memory usage is over the threshold.

  • diagnose wad debug crash {enable | disable} saves debug messages to a file for later viewing when the WAD crashes.

  • diagnose wad debug crash list lists all crash logs.

  • diagnose wad debug crash read <proc_type> <id> reads a specific crash log.

637829

Support adding FortiMail to the Security Fabric with standard authorization steps using FortiMail's certificate. As part of the Security Fabric, FortiMail appears in the Fabric navigation, topologies, Fabric widgets and under Security Rating.

637946

Replace the previous slide-out terminal with a full-page masking terminal. Allow admins to open multiple CLI consoles that can be minimized.

638975

SD-WAN and policy route now allow users to choose the device MAC address object as source. In addition, the FABRIC_DEVICE object can also be used in SD-WAN and policy route.

639590

In NGFW mode, application control logs are generated when an application, application category, or application group is selected on a security policy and log traffic is set to UTM or all. In addition, when one signature is accepted under the security policy, all child signatures are assessed and logged correspondingly.

640563

The default command to restrict FortiLink interfaces to one interface has been removed. The GUI will now display multiple FortiLink interfaces if more than one interface has FortiLink enabled from the CLI.

641152

New bandwidth-limited VM licenses allow VM deployments with limited bandwidth usage per interface. Dedicated management interfaces are exempt from calculation.

641928

Add an option to control whether BGP's ECMP next hops can use recursive distance to determine which of them should be installed.

config router bgp
    set multipath-recursive-distance {enable | disable}
end

If the next hop is resolved by a connected route, its distance is 0. If it is resolved by another route, its distance is the same as that route's. When this option is enabled, only the next hops with the shortest distance can form ECMP routes and be installed into the kernel.
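The selection rule above, modelled in an added Python example (not FortiOS code): each BGP next hop is resolved against a small constructed RIB, its recursive distance is computed as described (0 for a connected route, otherwise the resolving route's distance), and the set of installed ECMP members is compared with multipath-recursive-distance disabled and enabled. The Route class, the RIB entries and the next-hop addresses are all constructed for the illustration; the choice to drop an unresolvable next hop in both modes is an assumption of the model.

```python
"""Model of BGP ECMP next-hop selection with recursive distance.

Added illustration (not FortiOS code). The RIB, routes and next hops are
constructed to show what the multipath-recursive-distance option changes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "192.0.2.0/24"
    distance: int    # administrative distance of the route that owns the prefix
    connected: bool  # True for a directly connected route


def longest_match(rib, nexthop):
    """Return the most specific RIB route covering nexthop, or None."""
    addr = ip_address(nexthop)
    best = None
    for r in rib:
        net = ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def recursive_distance(rib, nexthop):
    """Distance of a BGP next hop: 0 if resolved by a connected route, otherwise the
    distance of the resolving route. An unresolvable next hop returns None."""
    r = longest_match(rib, nexthop)
    if r is None:
        return None
    return 0 if r.connected else r.distance


def select_ecmp_nexthops(rib, nexthops, multipath_recursive_distance):
    """Next hops that would be installed as ECMP members for one BGP prefix.

    Assumption of this model: a next hop that does not resolve at all is
    never installed, regardless of the option.
    """
    resolved = {nh: recursive_distance(rib, nh) for nh in nexthops}
    resolved = {nh: d for nh, d in resolved.items() if d is not None}
    if not resolved:
        return []
    if not multipath_recursive_distance:
        return sorted(resolved)                      # every resolvable next hop is eligible
    shortest = min(resolved.values())
    return sorted(nh for nh, d in resolved.items() if d == shortest)


# Constructed sample: two next hops on a connected LAN, one reachable only via a
# static route, and one that falls through to the default route.
RIB = [
    Route("192.0.2.0/24", distance=0, connected=True),
    Route("198.51.100.0/24", distance=10, connected=False),   # static route
    Route("0.0.0.0/0", distance=20, connected=False),         # default route
]
NEXTHOPS = ["192.0.2.1", "192.0.2.2", "198.51.100.7", "203.0.113.9"]

if __name__ == "__main__":
    for enabled in (False, True):
        state = "enable" if enabled else "disable"
        print(f"multipath-recursive-distance {state}:",
              select_ecmp_nexthops(RIB, NEXTHOPS, enabled))
```

With the option disabled all four next hops are installed as ECMP members; with it enabled only the two next hops resolved through the connected route (distance 0) remain, so traffic is never load-shared across a path that depends on a less-preferred recursive route.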

641990

The diagnose wad session list command is available in models without WANopt support.

642898

The following options are configurable in the flow-based web filter security profile in NGFW policy mode, and they can be applied to a security policy:

  • Block invalid URLs
  • Static URL Filter
  • Block malicious URLs discovered by FortiSandbox
  • Content Filter

643616

Support FortiAP to query FortiGuard IoT service through FortiGate to determine device details.

643912

Sometimes it is necessary to map a VIP to an FQDN address. This setting can now be configured from the GUI.

644049

Enhancements to multiple pre-shared key per SSID include the ability to batch generate or import MPSK keys, export keys to CSV, dynamically assign VLANs based on the MPSK used, and to apply an MPSK schedule in the GUI.

645140

Tunnel ID is added to traffic logs and GTP logs for GTP related traffic in order to correlate the sessions.

648568

In addition to the servers added in 6.4.0, FortiGuard servers for GeoIP, DDNS, and FortiToken Mobile registration now support third-party CA signed certificates with OCSP stapling.

648604

User location information (ULI) in GTP may contain more than one identity of different types. This log enhancement displays all identity information in GTP logs.

651206

The GUI in the downstream FortiGate allows users to log in to the Fabric root device to authorize a pending join request.
