Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiOS Release Notes

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

613092

Allow SSL VPN to be explicitly enabled or disabled from the GUI and CLI. To connect, SSL VPN must be enabled and the SSL VPN interface must be up.

config vpn ssl settings
    set status {enable | disable}
end

648609

Add HA support for multiple ACI clusters for Cisco ACI external SDN connector VMs. The multiple IPs in the Cisco ACI external SDN connector VM configuration allows the FortiGate to connect to SDN connector VMs in the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active, and the remaining serve as backups if the active one fails.

config system sdn-connector
    edit "ACI-1"
        set type aci
        set server-list "10.105.152.96" "10.105.152.97" "100.101.1.98"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "ACI-2"
        set type aci
        set server-list "20.105.152.91" " 20.105.152.92" "40.111.1.3"
        set server-port 5671
        set username "admin"
        set password **********
    next
end

ACI-1 and ACI-2 are different ACI clusters. They each have multiple SDN connector VMs in synchronization. Each firewall address can point to either ACI-1 or ACI-2.

660283

Add system event logs for the execution of CLI commands. When cli-audit-log is enabled under system global, the execution of execute, config, show, get, and diagnose commands will trigger system event logs.

684133

Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

688237

Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged in to an SFP port. The management of the DSL transceiver includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrades of the module, and reset the module. Supported VDSL profiles: 8a, 8b, 8c, 8d, 12a, 12b, 17a, and 30a. Supported platforms: FG-80F, FG-81F, FG-80F-BP, FGR-60F, and FGR-60F-3G4G.

696412

Allow inspection of double-tagged (802.1Q + 802.1Q) traffic on virtual wire pairs with wildcard VLANs. Other enhancements include optimizing NPU receive packet steering and configuring traffic distribution on the ISF to achieve higher throughput.

707143

NetFlow and SFlow now support using SD-WAN in interface-select-method for selecting the outgoing interface.

config system {netflow sflow vdom-netflow vdom-sflow}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

714788

Add HA uninterruptible upgrade option, which allows users to configure a timeout value in minutes (1 - 30, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

731532

When a FortiGate is in NAT mode, a VLAN tag with a drop eligible indicator (DEI) bit set resets to 0 after passing through the FortiGate.

735938

On the NAC Policy configuration page, specifying FortiSwitch groups is now supported. Previously, individual FortiSwitches had to be specified. The CLI command to specify individual switches is now updated to specify switch groups.

738640

Add 100 Mbps transceiver support for FGR-60F and FGR-60F-3G4G.

740204

Supply better heartbeat timing information to the auto-scale callback URL. Previously, the auto-scale heartbeat request made to the auto-scale callback URL did not contain a timestamp or sequence number. This information was estimated in the cloud function called by the callback URL, but the cloud function platform's timing was not as reliable as initially expected.

747640

Support Q-in-Q (802.1Q in 802.1Q) for FortiGate-VMs.

756538

Add Windows 11 and macOS 12 to the SSL VPN OS check. The following options are available for config os-check-list <name>: macos-bigsur-11, macos-catalina-10.15, macos-mojave-10.14, macos-monterey-12, windows-7, windows-8.1, windows-10, and windows-11.

Operating systems no longer supported by FortiClient were removed.

756639

Update the OVF package so it reflects newer VMware ESXi and hardware versions.

758560

Add macOS 12 and Windows 11 to SSL VPN host check. Windows 8 and macOS 10.9 to 10.13 are removed from the SSL VPN host check.

767575

Updating dynamic addresses using the OpenStack SDN connector now supports: Rocky, Stein, Train, Ussuri, Victoria, Wallaby, and Xena.

773530

Allow a two-hour grace period for Flex-VMs to begin passing traffic upon retrieving a license from FortiCare without VM entitlement verification from FortiGuard.

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

613092

Allow SSL VPN to be explicitly enabled or disabled from the GUI and CLI. To connect, SSL VPN must be enabled and the SSL VPN interface must be up.

config vpn ssl settings
    set status {enable | disable}
end

648609

Add HA support for multiple ACI clusters for Cisco ACI external SDN connector VMs. The multiple IPs in the Cisco ACI external SDN connector VM configuration allows the FortiGate to connect to SDN connector VMs in the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active, and the remaining serve as backups if the active one fails.

config system sdn-connector
    edit "ACI-1"
        set type aci
        set server-list "10.105.152.96" "10.105.152.97" "100.101.1.98"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "ACI-2"
        set type aci
        set server-list "20.105.152.91" " 20.105.152.92" "40.111.1.3"
        set server-port 5671
        set username "admin"
        set password **********
    next
end

ACI-1 and ACI-2 are different ACI clusters. They each have multiple SDN connector VMs in synchronization. Each firewall address can point to either ACI-1 or ACI-2.

660283

Add system event logs for the execution of CLI commands. When cli-audit-log is enabled under system global, the execution of execute, config, show, get, and diagnose commands will trigger system event logs.

684133

Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

688237

Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged in to an SFP port. The management of the DSL transceiver includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrades of the module, and reset the module. Supported VDSL profiles: 8a, 8b, 8c, 8d, 12a, 12b, 17a, and 30a. Supported platforms: FG-80F, FG-81F, FG-80F-BP, FGR-60F, and FGR-60F-3G4G.

696412

Allow inspection of double-tagged (802.1Q + 802.1Q) traffic on virtual wire pairs with wildcard VLANs. Other enhancements include optimizing NPU receive packet steering and configuring traffic distribution on the ISF to achieve higher throughput.

707143

NetFlow and SFlow now support using SD-WAN in interface-select-method for selecting the outgoing interface.

config system {netflow sflow vdom-netflow vdom-sflow}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

714788

Add HA uninterruptible upgrade option, which allows users to configure a timeout value in minutes (1 - 30, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

731532

When a FortiGate is in NAT mode, a VLAN tag with a drop eligible indicator (DEI) bit set resets to 0 after passing through the FortiGate.

735938

On the NAC Policy configuration page, specifying FortiSwitch groups is now supported. Previously, individual FortiSwitches had to be specified. The CLI command to specify individual switches is now updated to specify switch groups.

738640

Add 100 Mbps transceiver support for FGR-60F and FGR-60F-3G4G.

740204

Supply better heartbeat timing information to the auto-scale callback URL. Previously, the auto-scale heartbeat request made to the auto-scale callback URL did not contain a timestamp or sequence number. This information was estimated in the cloud function called by the callback URL, but the cloud function platform's timing was not as reliable as initially expected.

747640

Support Q-in-Q (802.1Q in 802.1Q) for FortiGate-VMs.

756538

Add Windows 11 and macOS 12 to the SSL VPN OS check. The following options are available for config os-check-list <name>: macos-bigsur-11, macos-catalina-10.15, macos-mojave-10.14, macos-monterey-12, windows-7, windows-8.1, windows-10, and windows-11.

Operating systems no longer supported by FortiClient were removed.

756639

Update the OVF package so it reflects newer VMware ESXi and hardware versions.

758560

Add macOS 12 and Windows 11 to SSL VPN host check. Windows 8 and macOS 10.9 to 10.13 are removed from the SSL VPN host check.

767575

Updating dynamic addresses using the OpenStack SDN connector now supports: Rocky, Stein, Train, Ussuri, Victoria, Wallaby, and Xena.

773530

Allow a two-hour grace period for Flex-VMs to begin passing traffic upon retrieving a license from FortiCare without VM entitlement verification from FortiGuard.