FortiOS Release Notes

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

477886

Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out.

config system npu
    set prp-port-in <port>
    set prp-port-out <port>
end

489956

Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default).

config system npu
    set lag-out-port-select {enable | disable}
end

Add a distribution algorithm, AGG_ALGORITHM_NPU, to the NPU driver.

566452

Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed:

config system virtual-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end
config system physical-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

641524

Add interface selection for IPS TLS protocol active probing.

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

663468

Support hardware switch on FG-300E, FG-400E, and FG-1100E models.

667285

When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character.
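The following is an added example (not FortiOS code) of how a wildcard MAC match of the kind described above can be evaluated. It assumes the pattern has six colon- or hyphen-separated octets and that an octet written as `*` matches any value; policy names and MAC addresses are constructed.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Added example, not FortiOS code. Assumed wildcard semantics: a NAC policy
# MAC pattern has six colon- or hyphen-separated octets, and an octet written
# as "*" matches any value in that position.
_HEX_OCTET = re.compile(r"[0-9a-f]{2}")


def normalize_mac(mac: str) -> List[str]:
    """Split a concrete MAC address into six lowercase hex octets."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(_HEX_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return parts


def parse_mac_pattern(pattern: str) -> List[str]:
    """Split a policy pattern into octets, each either two hex digits or '*'."""
    parts = pattern.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(p == "*" or _HEX_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"malformed MAC pattern: {pattern!r}")
    return parts


def mac_matches(pattern: str, mac: str) -> bool:
    """True when every pattern octet is '*' or equals the device octet."""
    return all(p == "*" or p == m
               for p, m in zip(parse_mac_pattern(pattern), normalize_mac(mac)))


def first_matching_policy(policies: Sequence[Tuple[str, str]], mac: str) -> Optional[str]:
    """Return the name of the first policy whose pattern matches, else None.

    Policies are evaluated top-down, so a broad wildcard placed above a more
    specific entry shadows it; ordering is part of the policy's security posture.
    """
    for name, pattern in policies:
        if mac_matches(pattern, mac):
            return name
    return None


# Constructed sample policies: a vendor OUI prefix, then a single exact device.
SAMPLE_POLICIES = [
    ("printer-vlan", "00:11:22:*:*:*"),
    ("single-camera", "aa:bb:cc:dd:ee:ff"),
]

if __name__ == "__main__":
    for device in ("00-11-22-AA-BB-CC", "AA:BB:CC:DD:EE:FF", "de:ad:be:ef:00:01"):
        print(device, "->", first_matching_policy(SAMPLE_POLICIES, device))
```

The matcher rejects malformed patterns rather than silently treating them as non-matching, which is the behaviour you want when a policy is meant to gate network access.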

685910

Add SoC4 driver support for IEEE 802.1ad, also known as QinQ. When all OIDs are used up, creating a new QinQ interface is not permitted.

691337

Allow a GCP SDN connector to have multiple projects attached to it. Previously, a GCP SDN connector could only be associated with one project, and because at most 256 SDN connectors can be configured, users could add a maximum of 256 projects to the FortiGate. A single GCP SDN connector can now have thousands of projects attached to it.

Add support for dynamic address filters based on project name and zones:

config system sdn-connector
    edit <name>
        set type gcp
        config gcp-project-list
            edit <name>
                set gcp-zone-list <name_1> <name_2> ... <name_n>
            next
        end
    next
end

GUI changes:

  • Add buttons to switch between Simple and Advanced project configurations. The simple configuration displays a single text field to add one project to the GCP SDN connector.
  • The advanced configuration displays a mutable table for users to add multiple projects to the GCP SDN connectors. Adding projects displays a slide-out pane to specify the project name and zones.
  • A confirmation slide-out pane appears when switching from advanced to simple to warn about projects being deleted from the GCP SDN connector.
  • A tooltip on the GCP SDN connector card shows the list of projects, and the filter list of GCP dynamic addresses shows the project and zones.

692529

Enhance MAC authentication bypass so that the MAC authentication status is recorded in authd. The MAC authentication is retired in 10 seconds and is always sent to the portal for HTTP authentication sessions.

699456

Increase the size of generated RSA keys from 1024 to 2048 bits.

700073

Add a default-action setting to the youtube-channel-filter configuration so that a default action is applied to any channel that does not match an entry in the filter.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

The default is monitor for default-action and disable for log.

717907

Add a CLI option to control how long authenticated FSSO users remain on the FortiGate's list of authenticated FSSO users after the network connection to the collector agent is lost.

config user fsso
    edit <name>
        set logon-timeout <integer>
    next
end

The logon-timeout is measured in minutes (1 - 2880, default = 5).
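The following is an added example (not FortiOS code) that models the logon-timeout behaviour described above: users learned from the collector agent stay authenticated for logon-timeout minutes after the connection is lost and are dropped once it elapses, while a restored connection cancels the pending expiry. The documented range (1-2880, default 5) is enforced; the all-users-at-once expiry and the caller-supplied clock are assumed simplifications, and the user names and IPs are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example, not FortiOS code. The range and default below are the
# documented logon-timeout values; the grace-period model is an assumed
# simplification of how the FSSO user list behaves.
LOGON_TIMEOUT_MIN = 1
LOGON_TIMEOUT_MAX = 2880
LOGON_TIMEOUT_DEFAULT = 5


@dataclass
class FssoUserList:
    logon_timeout: int = LOGON_TIMEOUT_DEFAULT           # minutes
    users: Dict[str, str] = field(default_factory=dict)  # user -> source IP
    lost_at: Optional[float] = None                      # minutes, caller's clock

    def __post_init__(self) -> None:
        if not LOGON_TIMEOUT_MIN <= self.logon_timeout <= LOGON_TIMEOUT_MAX:
            raise ValueError(
                f"logon-timeout must be {LOGON_TIMEOUT_MIN}-{LOGON_TIMEOUT_MAX}, "
                f"got {self.logon_timeout}")

    def logon(self, user: str, ip: str) -> None:
        """The collector agent reported a logon event for this user."""
        self.users[user] = ip

    def logoff(self, user: str) -> None:
        """The collector agent reported a logoff event."""
        self.users.pop(user, None)

    def collector_lost(self, now: float) -> None:
        """Start the grace period; only the first loss sets the timestamp."""
        if self.lost_at is None:
            self.lost_at = now

    def collector_restored(self) -> None:
        """The connection is back: cancel the pending expiry."""
        self.lost_at = None

    def expire(self, now: float) -> int:
        """Drop every entry once the grace period has elapsed; return the count dropped."""
        if self.lost_at is not None and now - self.lost_at >= self.logon_timeout:
            dropped = len(self.users)
            self.users.clear()
            return dropped
        return 0

    def is_authenticated(self, user: str, now: float) -> bool:
        """Policy lookup: expire stale entries first, then check membership."""
        self.expire(now)
        return user in self.users


if __name__ == "__main__":
    # Constructed timeline, in minutes.
    fsso = FssoUserList(logon_timeout=5)
    fsso.logon("alice", "10.0.0.5")
    fsso.collector_lost(now=100.0)
    for t in (101.0, 104.9, 105.0):
        print(f"t={t}: alice authenticated = {fsso.is_authenticated('alice', t)}")
```

A longer logon-timeout keeps users' policy access intact through a collector outage, but it also keeps stale identities on the list for that long; pick the value against how quickly the identity source must reflect a revoked logon.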

720371

New ciphers have been added in FIPS ciphers mode on FortiGate VMs so that cloud instances running this mode can form IPsec tunnels with hardware models running FIPS-CC mode.

Added to IPsec phase 1:

  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

Added to IPsec phase 2:

  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512
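The following is an added example (not FortiOS code) showing why adding those proposals matters: two peers can only bring up a tunnel when both phase 1 and phase 2 have at least one proposal in common. The proposal lists are constructed for illustration and are not FortiOS default proposal sets, and the negotiation model (the responder accepts the first proposal in the initiator's ordered list that it also offers) is a simplification of IKE.

```python
from typing import List, Optional, Sequence, Tuple

# Added example, not FortiOS code. Proposal names follow the page's
# "<encryption>-<integrity>" form; the lists below are constructed.
ENCRYPTIONS = {"aes128", "aes256"}
INTEGRITY = {"sha1", "sha256", "sha384", "sha512"}

# Constructed: a FIPS-mode VM before and after the new ciphers were added,
# and a FIPS-CC hardware peer that only offers SHA-2 based proposals.
FIPS_VM_BEFORE = ["aes128-sha1", "aes256-sha1"]
FIPS_VM_AFTER = FIPS_VM_BEFORE + [
    "aes128-sha256", "aes128-sha384", "aes128-sha512",
    "aes256-sha256", "aes256-sha384", "aes256-sha512",
]
FIPS_CC_HW = ["aes256-sha256", "aes256-sha384", "aes128-sha256"]


def parse_proposal(proposal: str) -> Tuple[str, str]:
    """Split 'aes256-sha256' into ('aes256', 'sha256'), rejecting unknown names."""
    enc, _, integ = proposal.partition("-")
    if enc not in ENCRYPTIONS or integ not in INTEGRITY:
        raise ValueError(f"unsupported proposal: {proposal!r}")
    return enc, integ


def negotiate(initiator: Sequence[str], responder: Sequence[str]) -> Optional[str]:
    """Simplified IKE: first initiator proposal the responder also offers, else None."""
    offered = {p for p in responder if parse_proposal(p)}
    for proposal in initiator:
        parse_proposal(proposal)
        if proposal in offered:
            return proposal
    return None


def tunnel_possible(init_p1: Sequence[str], resp_p1: Sequence[str],
                    init_p2: Sequence[str], resp_p2: Sequence[str]) -> bool:
    """A tunnel needs an agreed proposal in both phase 1 and phase 2."""
    return (negotiate(init_p1, resp_p1) is not None
            and negotiate(init_p2, resp_p2) is not None)


def sha1_proposals(proposals: Sequence[str]) -> List[str]:
    """Proposals still using SHA-1 integrity; review these once peers agree on SHA-2."""
    return [p for p in proposals if parse_proposal(p)[1] == "sha1"]


if __name__ == "__main__":
    print("before:", negotiate(FIPS_VM_BEFORE, FIPS_CC_HW))
    print("after: ", negotiate(FIPS_VM_AFTER, FIPS_CC_HW))
    print("tunnel possible after:",
          tunnel_possible(FIPS_VM_AFTER, FIPS_CC_HW, FIPS_VM_AFTER, FIPS_CC_HW))
    print("SHA-1 proposals still offered:", sha1_proposals(FIPS_VM_AFTER))
```

Because the initiator's order decides which common proposal is chosen in this model, listing the stronger SHA-2 proposals first (or removing the SHA-1 ones once every peer supports SHA-2) is what actually moves traffic onto the new ciphers.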

726268

Previously, both estimated-downstream-bandwidth and ingress-shaping-profile had to be configured for the ingress traffic shaping feature to work. The estimated-downstream-bandwidth setting has now been changed to inbandwidth.
