Fortinet Document Library


New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

477886

PRP support for SoC4:

  • Configure the ingress port so that the PRP trailer is not stripped off when PRP packets come in.
  • Configure the egress port so that the PRP trailer is not stripped off when PRP packets go out.

config system npu
    set prp-port-in "port1"
    set prp-port-out "port2"
end

611992

Add a specific auth-timeout field in the SSL VPN monitor.

621725

Add settings to enable flow control and pause metering. Pause metering allows the FortiSwitch to apply flow control to ingress traffic when the queue is congested and to resume once it is cleared.

628963

When 802.1x authentication requests to a RADIUS server time out, the authserver-timeout settings within the switch-controller security-policy 802.1x will assign the port to a timeout VLAN.

634357

Add NPU support for GTP-U encapsulated in IPv6.

638352

To prevent a large number of new IKEv2 negotiations from starving other SAs and blocking them from progressing to the established state, the following enhancements have been made to the IKE daemon:

  • Prioritize established SAs.

  • Offload groups 20 and 21 to CP9.

  • Optimize the default embryonic limits for mid- and high-end platforms.

The IKE embryonic limit can now be configured in the CLI:

config system global
    set ike-embryonic-limit <integer>
end

641077

After authorizing a FortiAP, administrators can also register the FortiAP to FortiCloud directly from the FortiGate GUI.

647800

AWS and Azure now support FIPS ciphers mode.

649075

FortiGate-VMs on AWS now use Amazon EC2 instance metadata service version 2 (IMDSv2) to query and retrieve metadata from the AWS cloud.

650936

Add support for Flex-VM, an enterprise license agreement for virtual machine licensing where users can manage and monitor their VM subscription in the FortiCloud portal.

651866

FortiSwitch events now have their own category on the Events log page.

652003

In a tenant VDOM, allow lldp-profile and lldp-status to be configurable on a leased switch port.

652225

Configuring the DiffServ code in phase 2 of an IPsec tunnel allows the tag to be applied to the ESP packet. NPU offloading must be disabled for this tunnel.

652503

By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM.

config nsxt setting
    set liveness {enable | disable}
    set service <service name>
end
config nsxt service-chain
    edit <ID>
        set name <chain name>
        config service-index
            edit <forward index>
                set reverse-index <value>
                set name <index name>
                set vd <VDOM>
            next
        end
    next
end

The default value for reverse-index is 1. The vd setting is required.

655920

Support 802.11v load balancing and optimized roaming.

655931

Adaptive Radio Architecture (ARA) allows FortiAPs to calculate the network coverage factor (NCF) based on radio interference. When Dynamic Radio Mode Assignment (DRMA) is enabled, if interference crosses a threshold, the radio becomes redundant by moving from AP mode to monitor mode.

config wireless-controller wtp-profile
    edit <profile>
        config radio-1
            set band 802.11n/g-only
            set drma {enable | disable}
            set drma-sensitivity {high | medium | low}
        end
    next
end

656039

Allow SD-WAN duplication rules to specify SD-WAN service rules to trigger packet duplication. This allows SD-WAN duplication to occur based on an SD-WAN rule instead of the source, destination, or service parameters in the duplication rule.

657598

In an application control list, the exclusion option allows users to specify a list of applications they wish to exclude from an entry filtered by category, technology, or others.

config application list
    edit <list>
        config entries
            edit 1
                set category <ID>
                set exclusion <signature ID> ... <signature ID>
            next
        end
    next
end

658006

Simplify FortiExtender deployment so it is displayed in the topology.

658525

The limit of BGP paths that can be selected and advertised has increased to 255 (originally 8).

659127

Add support to deploy FortiGate-VMs that are paravirtualized with SR-IOV and DPDK/vNP on OCI shapes that use Mellanox network cards.

659346

Add additional information such as DHCP server MAC, gateway, subnet, and DNS to wireless DHCP logs.

660250

Add global option fortiipam-integration to control FortiIPAM. When enabled, ipamd will run and report to FortiIPAM to allow automatic IP address/subnet management.

config system global
    set fortiipam-integration {enable | disable}
end

660273

By default, the FortiGate uses the outbound interface's IP to communicate with a FortiSwitch managed over layer 3. The switch-controller-source-ip option allows the switch controller to use the FortiLink fixed address instead.

661131

Enabling IGMP snooping on an SSID allows the wireless controller to detect which FortiAPs have IGMP clients. The wireless controller will only forward a multicast stream to the FortiAP where there is a listener for the multicast group.

663530

IoT background scanning is disabled by default. Users can enable this option on the FortiLink Interface page in the GUI or with the switch-controller-iot-scanning option in the CLI.

664312

Integrate the Broadcom bnxt_en 1.10.1 driver, replacing version 1.9.2, to drive the new vfNIC. The following new cards are supported:

  • BCM57508: Broadcom BCM57508 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet
  • BCM57504: Broadcom BCM57504 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet
  • BCM57502: Broadcom BCM57502 NetXtreme-E 10Gb/25Gb/50Gb Ethernet
  • BCM57508_NPAR: Broadcom BCM57508 NetXtreme-E Ethernet Partition
  • BCM57504_NPAR: Broadcom BCM57504 NetXtreme-E Ethernet Partition
  • BCM57502_NPAR: Broadcom BCM57502 NetXtreme-E Ethernet Partition
  • BCM58812: Broadcom BCM58812 NetXtreme-S 2x50G Ethernet
  • BCM58814: Broadcom BCM58814 NetXtreme-S 2x100G Ethernet
  • BCM58818: Broadcom BCM58818 NetXtreme-S 2x200G Ethernet
  • NETXTREME_E_P5_VF: Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function

665735

The user device store allows user and device data collected from different daemons to be centralized for quicker access and performance:

diagnose user-device-store device memory list
diagnose user-device-store device memory query mac <value>
diagnose user-device-store device memory query ip <value>
diagnose user-device-store device disk list
diagnose user-device-store device disk query <SQL WHERE clause>

668362

Support multiple LDAP server configurations for Kerberos keytab and agentless NTLM domain controller in multiple forest deployments.

668991

Security Fabric rating reports can now be generated in multi-VDOM mode, against all VDOMs. The Security Rating is visible under Global scope.
