Fortinet Document Library

Changes in CLI

Bug ID

Description

570152

Remove redundant set override attribute for logging in config log fortianalyzer override-setting and config log syslogd override-setting.

587183

Remove the intelligent mode option from the IPS global configuration:

config ips global
    set intelligent-mode {enable | disable}
end

640488

Add option to configure the maximum memory usage on the FortiGate's proxy for processing resources, such as block lists, allow lists, and external resources.

config system global
    set proxy-resource-mode {enable | disable}
end

640620

In the wireless-controller arrp-profile configuration, the include-weather-channel and include-dfs-channel options have changed from yes/no to enable/disable.

645241

Remove the prp-port-out and prp-port-in settings from system npu and replace them with the following:

config system npu setting prp
    set prp-port-in port-list
    set prp-port-out port-list
end

657726

Remove option to rate images by URL for web filter profile in the GUI and CLI.

666855

FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients.

Add attribute to control signature algorithms related to client authentication (only affects TLS 1.2):

config vpn ssl settings
    set client-sigalgs {no-rsa-pss | all}
end

672183

Disable IHP IPsec anti-replay, and also use large MTU check values in NAT traversal sessions to avoid fragmentation and MTU exceptions. This affects the FG-3800D.

config system npu
    set uesp-offload {enable | disable}
end

673049

When localid-type address is configured, users have the option to directly set an ID for IPv4 or IPv6 addresses.

config vpn ipsec phase1
    set localid-type address
    set localid <string>
end

673747

Support IPv6 in execute restore and execute backup commands to TFTP and FTP servers.

675511

Update diagnose debug application virtual-wan-link to diagnose debug application sdwan.

677552

Add failover-hold-time to avoid flips caused by monitor interface failure, in seconds (0 - 300, default = 0).

config system ha
    set failover-hold-time <integer>
end

682561

Add command, get system instance-id.

687197

Allow administrators to require any number of new characters in a new password, instead of the fixed minimum of 4 unique new characters.

config system password-policy
    set min-change-characters <integer>
end

The set change-4-characters {enable | disable} option has been removed.

690981

Daily hit counts for central NAT and DNAT can now be displayed in the CLI using the following commands:

# diagnose firewall iprope show 10000d <index>
# diagnose firewall iprope show 100000 <index>

695259

Rename the following setting:

config system dns
    set dns-over-tls {disable | enable | enforce}
end

To:

config system dns
    set protocol {cleartext | DoT | DoH}
end

695979

Support wildcard MAC addresses in firewall address for users to easily use pattern matching, like vendor prefix, to define a group of addresses. The MAC address range is now defined by specifying <start> - <end> in a single field, instead of defining a start-mac and end-mac. Multiple addresses can be defined in a single line.

config firewall address
    edit "address"
        set type mac
        set macaddr 00:0c:29:8d:7e:e3 00:0c:**:8d:7*:e3 00:0c:29:8d:7e:e3-00:22:29:8d:7e:e
    next
end
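As an added illustration of how the three entry forms in that field (an exact MAC, a pattern with wildcards, and a start-end range) can be parsed and matched, the Python below is not FortiOS code and is not from the original page. It assumes, as the example above suggests, that each `*` stands for a single hex digit and that a range is inclusive of both ends; the sample field and the MACs tested against it are constructed values.

```python
import re

# A MAC or wildcard pattern: six colon-separated groups of two hex digits or '*'.
_MAC_RE = re.compile(r"^([0-9a-f*]{2}:){5}[0-9a-f*]{2}$")

# Constructed sample field: one exact MAC, one wildcard pattern, one inclusive range.
SAMPLE_FIELD = "00:0c:29:8d:7e:e3 00:0c:**:8d:7*:e3 02:00:5e:00:00:00-02:00:5e:00:ff:ff"


def _nibbles(mac):
    """Return the 12 hex/wildcard characters of a colon-separated MAC, lower-cased."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address or pattern: {mac!r}")
    return mac.replace(":", "")


def parse_macaddr(field):
    """Parse a space-separated macaddr field into a list of (kind, value) matchers.

    kind is 'exact' (value: 12 hex chars), 'wildcard' (value: 12 chars, '*' = any
    hex digit) or 'range' (value: (low, high) as integers, inclusive).
    """
    matchers = []
    for token in field.split():
        if "-" in token:
            start, end = token.split("-", 1)
            lo_s, hi_s = _nibbles(start), _nibbles(end)
            if "*" in lo_s or "*" in hi_s:
                raise ValueError(f"wildcards are not allowed inside a range: {token!r}")
            lo, hi = int(lo_s, 16), int(hi_s, 16)
            if lo > hi:
                raise ValueError(f"range start exceeds range end: {token!r}")
            matchers.append(("range", (lo, hi)))
        elif "*" in token:
            matchers.append(("wildcard", _nibbles(token)))
        else:
            matchers.append(("exact", _nibbles(token)))
    return matchers


def mac_matches(mac, matchers):
    """Return True if mac matches any entry produced by parse_macaddr()."""
    n = _nibbles(mac)
    if "*" in n:
        raise ValueError("a candidate MAC address cannot contain wildcards")
    as_int = int(n, 16)
    for kind, value in matchers:
        if kind == "exact" and n == value:
            return True
        if kind == "wildcard" and all(p == "*" or p == c for p, c in zip(value, n)):
            return True
        if kind == "range" and value[0] <= as_int <= value[1]:
            return True
    return False


if __name__ == "__main__":
    entries = parse_macaddr(SAMPLE_FIELD)
    for candidate in ("00:0C:29:8D:7E:E3", "00:0c:ab:8d:71:e3", "02:00:5e:00:12:34",
                      "02:00:5e:01:00:00"):
        print(candidate, "->", "match" if mac_matches(candidate, entries) else "no match")
```

Matching is case-insensitive because every value is lower-cased before comparison, and a malformed entry in the field raises rather than silently matching nothing, which is the safer failure mode for an address object that a policy may reference.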

700098

With the new IPsec kernel design, the route tree is not available in the IPsec tunnel list used to select tunnels by next hop, so the IPsec phase1-interface option tunnel-search is no longer useful and was removed. tunn-id is generated automatically and is used to link routes with IPsec tunnels.

# diagnose vpn tunnel list
name=hub1_0 ver=2 serial=a 22.1.6.1:4500->11.1.1.2:64916 tun_id=10.10.1.100 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
     ....................................
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=a26 type=00 soft=0 mtu=1358 expire=22685/0B replaywin=2048
       seqno=312 esn=0 replaywin_lastseq=00000312 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43185/43200
  dec: spi=4688373e esp=aes key=16 b399004593b5fe93fa70fda8cd053f28
       ah=sha1 key=20 39ca51549367baed7d3aadda12deef8ed9b2a

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
......................................
B 10.1.100.0/24 [200/0] via 10.10.1.100 (recursive via hub1 tunnel 10.10.1.100), 6d04h41m
