New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

618359

In scenarios where the FortiGate is sandwiched by load-balancers and SSL processing is offloaded on the external load-balancers, the FortiGate can perform scanning on the unencrypted traffic by specifying the ssl-offloaded option in firewall profile-protocol-options. Previously, this was only supported in proxy mode. Now it is supported in proxy and flow mode.

641524

Add interface selection for IPS TLS protocol active probing.

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

648602

When creating a Cisco ACI direct connector, configuring multiple IPs allows the FortiGate to connect to the server in a round-robin fashion. Only one server will be active, and the remaining IPs will serve as backups if the active one fails.

654032

The route-tag is a mechanism to map a BGP community string to a specific tag. The string may correspond to a specific network that a BGP router advertised. With this tag, an SD-WAN service rule can be used to define specific traffic handling to that network. IPv6 route tags are now supported.

660295

Provide specific SNMP objects (OIDs) that allow the status of the mobile network connection to be monitored.

660624

When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed:

  • If a FortiAnalyzer appliance is enabled, then the dialog will be for the FortiAnalyzer connector.
  • If a FortiAnalyzer appliance is disabled but FortiAnalyzer Cloud is enabled, then the dialog will be for the Cloud Logging connector.
  • If neither the FortiAnalyzer appliance nor FortiAnalyzer Cloud is enabled:
    • If the device has a FAZC (standard FortiAnalyzer Cloud subscription) or AFAC (premium subscription) entitlement, then the dialog will be for the Cloud Logging connector.
    • If the device does not have a FAZC or AFAC entitlement, then the dialog will be for the FortiAnalyzer connector.
  • When FortiAnalyzer Cloud is enabled and the FortiAnalyzer appliance is disabled, then the Cloud Logging connector will not let you switch to the FortiGate Cloud FortiAnalyzer.

661252

Add object synchronization improvements:

  • Simplify the conflict resolution procedure so a multi-step wizard is no longer required. All conflicts appear in one table for all FortiGates in the Fabric and supported tables.
  • Add an object diff feature to display the difference between FortiGate objects that are in conflict.
  • Add new CLI command for the root FortiGate:
    config system csf
        set fabric-object-unification {default | local}
    end

    When set to default, objects will be synchronized in the Security Fabric. On downstream FortiGates, if configuration-sync is set to local, the synchronized objects from the root to downstream FortiGates are not applied locally. However, the device will still send the configuration to lower FortiGates.

  • The fabric-object {enable | disable} command was added to the following tables:

    • firewall.address
    • firewall.address6
    • firewall.addrgrp
    • firewall.addrgrp6
    • firewall.service.category
    • firewall.service.group
    • firewall.service.custom
    • firewall.schedule.group
    • firewall.schedule.onetime
    • firewall.schedule.recurring

    Enabling fabric-object on the root starts synchronizing this object as a Fabric object to downstream devices. Disabling fabric-object makes the object local to the device.

  • Add a setting to define how many task worker processes are created to handle synchronizations (1 - 4, default = 2). A worker process dies if there is no task to perform after 60 seconds.

    config system csf
        set fabric-workers <integer>
    end

671563

Add option to switch between Peer and Peer Group view on PKI user page.

676063

Add support for OCI IMDSv2, which offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and during instance deployments with bootstrap metadata.

676260

FortiGates with a premium subscription (AFAC contract) for cloud-based central logging and analytics are able to send traffic logs to FortiAnalyzer Cloud, in addition to UTM logs and event logs. FortiGates with a standard FortiAnalyzer Cloud subscription (FAZC contract) can send UTM and event logs only.

682106

If a FortiCloud account has a FortiManager Cloud account level subscription (ALCI), a FortiGate registered to the FortiCloud account can recognize it and enable FortiManager Cloud central management.
