OpenSSL updated to 1.1.1i for security fixes.

The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1>, <m2>, ... <m12>
end

The interval is set in seconds (1 - 60, default = 1). The multiplies are twelve integers ranging from 1 - 255, the default is 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8.

An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) number of continuous event logs.

Support Strict-Transport-Security in HTTPS redirect.

When configuring the generic DDNS service provider as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to an IPv6 DDNS server and provide the FortiGate's IPv6 interface address for updates.

config system ddns
    edit <name>
        set ddns-server genericDDNS
        set server-type {ipv4 | ipv6}
        set ddns-server-addr <address>
        set addr-type ipv6 {ipv4 | ipv6}
        set monitor-interface <port>
    next
end

In a hub and spoke SD-WAN topology with shortcuts created over ADVPN, a downed or recovered shortcut may affect which member is selected by a SD-WAN service strategy. The SD-WAN hold-down-time ensures that when a downed shortcut tunnel comes back up and the shortcut is added back into the service strategy equation, the shortcut is held to low priority until the hold-down-time has passed.

This enhancement allows a FortiGate to use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user.

config firewall policy
    edit 1
        set dynamic-shaping {enable | disable}
    next
end

Add support for syslog RFC 5424 format, which can be enabled when the syslog mode is UDP or reliable.

config log syslogd setting
    set format {default | csv | cef | RFC5424}
end

The SD-WAN REST API for health-check and sla-log now exposes ADVPN shortcut information in its result. The child_intfs attribute returns the statistics for the corresponding shortcuts. The following command displays real-time SLA information for ADVPN shortcuts:

# diagnose sys sdwan sla-log <health check name> <sequence number> <child name>

Synchronize wildcard FQDN IPs to other autoscale members whenever a peer learns of a wildcard FQDN address.

Ensure EMS logs are recorded for dynamic address related events under Log & Report > Events > SDN Connector Events logs:

• Add EMS tag
• Update EMS tag
• Remove EMS tag

Improve the session in/out dev handling when the session is dirty, re-routing occurs, and so on. Avoid clearing the session in/out dev, and only update it when is changes.

Add a default-action into youtube-channel-filter configuration to apply a default action to all channels when there is no match.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

The default settings are monitor for default-action, and disable for log.

Using the RADIUS attribute Tunnel-Private-Group-Id, a wireless controller can now accept a VLAN name as a string, and match the VLAN sub-interface attached to a VAP interface when dynamically assigning a VLAN. Users logging into an SSID can be dynamically assigned to the proper VLAN based on the VLAN configurations on RADIUS for the particular user.