Fortinet Document Library


FortiOS Release Notes

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

477886

Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out.

config system npu
    set prp-port-in <port>
    set prp-port-out <port>
end

489956

Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default).

config system npu
    set lag-out-port-select {enable | disable}
end

Add algorithm in NPU driver for distribution, AGG_ALGORITHM_NPU.

566452

Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed:

config system virtual-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end
config system physical-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

641524

Add interface selection for IPS TLS protocol active probing.

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

663468

Support hardware switch on FG-300E, FG-400E, and FG-1100E models.

667285

When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character.

685910

Add SoC4 driver support for IEEE 802.1ad, which is also known as QinQ. When the OID is used up, creating a new QinQ interface is forbidden.

692529

Enhance MAC authentication bypass so that the MAC authentication status is recorded in authd. The MAC authentication is retired in 10 seconds and is always sent to the portal for HTTP authentication sessions.

699456

Increase the generated RSA key bits from 1024 to 2048.

700073

Add a default-action into youtube-channel-filter configuration to apply a default action to all channels when there is no match.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

The default settings are monitor for default-action, and disable for log.

717907

Add option in CLI to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost.

config user fsso
    edit <name>
        set logon-timeout <integer>
    next
end

The logon-timeout is measured in minutes (1 - 2880, default = 5).

720371

New ciphers have been added in FIPS ciphers mode on FortiGate VMs so that cloud instances running this mode can form IPsec tunnels with hardware models running FIPS-CC mode.

Added to IPsec phase 1:

  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

Added to IPsec phase 2:

  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512
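
A pre-deployment check for the interoperability case in 720371, as an added example (not Fortinet code): it parses two configuration exports and reports, per phase, which of the proposals listed above both peers offer. The `config vpn ipsec phase1-interface` / `phase2-interface` blocks and `set proposal` lines are standard FortiOS CLI not shown on this page; the entry name `to-peer` and both sample configurations are constructed, and the phase 1 and phase 2 entries are assumed to share a name.

```python
import re

# Proposals Bug ID 720371 lists as added to both IPsec phase 1 and phase 2.
ADDED = {f"aes{k}-sha{h}" for k in (128, 256) for h in (256, 384, 512)}
BLOCK = re.compile(r"^config vpn ipsec (phase[12])-interface$")

def proposals(config_text):
    """Return {phase: {entry_name: [proposal, ...]}} parsed from CLI text."""
    out = {"phase1": {}, "phase2": {}}
    phase, name, depth = None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if phase is None:
            m = BLOCK.match(line)
            phase = m.group(1) if m else None
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry; skip its contents
        elif line == "end":
            if depth:
                depth -= 1
            else:
                phase = None
        elif depth == 0 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            out[phase][name] = []
        elif depth == 0 and name and line.startswith("set proposal "):
            out[phase][name] = line.split()[2:]
        elif depth == 0 and line == "next":
            name = None
    return out

def shared_added(cfg_a, cfg_b, entry):
    """Per phase: proposals both peers offer that are in the 720371 list."""
    a, b = proposals(cfg_a), proposals(cfg_b)
    return {p: sorted(set(a[p].get(entry, [])) & set(b[p].get(entry, [])) & ADDED)
            for p in ("phase1", "phase2")}

def sample(p1, p2):  # constructed config text, not from a real device
    return (f'config vpn ipsec phase1-interface\n    edit "to-peer"\n'
            f'        set proposal {p1}\n    next\nend\n'
            f'config vpn ipsec phase2-interface\n    edit "to-peer"\n'
            f'        set phase1name "to-peer"\n        set proposal {p2}\n'
            f'    next\nend\n')

VM_CFG = sample("aes128-sha256 aes256-sha256", "aes256-sha512")
HW_CFG = sample("aes256-sha256 aes256-sha384", "aes128-sha256")

if __name__ == "__main__":
    print(shared_added(VM_CFG, HW_CFG, "to-peer"))
```

An empty list for a phase means the two sides have no listed proposal in common for that phase, which is worth resolving before the tunnel is brought up.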

726268

Previously, estimated-downstream-bandwidth and ingress-shaping-profile needed to be configured for the ingress traffic shaping feature to work. Now, estimated-downstream-bandwidth has been changed to inbandwidth.
