Fortinet Document Library

Changes in CLI

Bug ID

Description

570152

Remove redundant set override attribute for logging in config log fortianalyzer override-setting and config log syslogd override-setting.

587183

Remove the intelligent mode option from the IPS global configuration:

config ips global
    set intelligent-mode {enable | disable}
end

640488

Add an option to configure the maximum memory usage of the FortiGate proxy for processing resources such as block lists, allow lists, and external resources.

config system global
    set proxy-resource-mode {enable | disable}
end

640620

In the wireless-controller arrp-profile configuration, the include-weather-channel and include-dfs-channel options have changed from yes/no to enable/disable.

645241

Remove the prp-port-out and prp-port-in settings from config system npu and replace them with the following:

config system npu setting prp
    set prp-port-in port-list
    set prp-port-out port-list
end

657726

Remove option to rate images by URL for web filter profile in the GUI and CLI.

666855

FortiOS verifies client certificates using the RSA-PSS family of signature algorithms, which some clients do not support and which therefore causes client certificate authentication to fail for them.

Add an attribute to control the signature algorithms accepted for client certificate authentication (affects TLS 1.2 only):

config vpn ssl settings
    set client-sigalgs {no-rsa-pss | all}
end
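To see what the setting changes at the protocol level, the following added example (not FortiOS code) models a TLS 1.2 CertificateRequest supported_signature_algorithms list (RFC 5246 section 7.4.4) carrying the RSA-PSS codepoints defined in RFC 8446 section 4.2.3, and shows what no-rsa-pss removes. It assumes the option simply drops the rsa_pss_* codepoints from the list the FortiGate advertises and leaves the PKCS#1 v1.5 and ECDSA schemes in place; the page does not describe the implementation, and the default list is constructed for illustration. The knob is TLS 1.2 only because TLS 1.3 does not permit rsa_pkcs1 signatures in CertificateVerify, so a TLS 1.3 client must produce RSA-PSS regardless.

```python
import struct

# SignatureScheme codepoints (RFC 8446 section 4.2.3); the same values are used
# in the TLS 1.2 signature_algorithms extension and CertificateRequest.
SIGALG_NAMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0809: "rsa_pss_pss_sha256",
    0x080a: "rsa_pss_pss_sha384",
    0x080b: "rsa_pss_pss_sha512",
}
RSA_PSS = {code for code, name in SIGALG_NAMES.items() if name.startswith("rsa_pss_")}

# Constructed list of what a server might advertise with client-sigalgs set to
# all (assumption, not the FortiGate's actual default ordering).
DEFAULT_LIST = [
    0x0804, 0x0805, 0x0806,   # rsa_pss_rsae_*
    0x0401, 0x0501, 0x0601,   # rsa_pkcs1_*
    0x0403, 0x0503, 0x0603,   # ecdsa_*
    0x0809, 0x080a, 0x080b,   # rsa_pss_pss_*
]


def apply_client_sigalgs(codes, mode):
    """Model of `set client-sigalgs`: 'all' keeps the list, 'no-rsa-pss' drops PSS schemes."""
    if mode == "all":
        return list(codes)
    if mode == "no-rsa-pss":
        return [c for c in codes if c not in RSA_PSS]
    raise ValueError(f"unknown client-sigalgs mode {mode!r}")


def encode_sigalgs(codes):
    """Encode as the 2-byte length-prefixed list used in CertificateRequest."""
    body = b"".join(struct.pack("!H", c) for c in codes)
    return struct.pack("!H", len(body)) + body


def decode_sigalgs(blob):
    """Parse the list; reject odd or inconsistent lengths instead of guessing."""
    if len(blob) < 2:
        raise ValueError("truncated supported_signature_algorithms length")
    (n,) = struct.unpack("!H", blob[:2])
    if n % 2 or len(blob) != 2 + n:
        raise ValueError("bad supported_signature_algorithms length")
    return [struct.unpack("!H", blob[2 + i:4 + i])[0] for i in range(0, n, 2)]


def names(codes):
    """Human-readable scheme names, keeping unknown codepoints as hex."""
    return [SIGALG_NAMES.get(c, f"0x{c:04x}") for c in codes]


def certificate_request_sigalgs(mode, codes=DEFAULT_LIST):
    """Bytes the server would place in CertificateRequest under the given mode."""
    return encode_sigalgs(apply_client_sigalgs(codes, mode))


if __name__ == "__main__":
    for mode in ("all", "no-rsa-pss"):
        print(mode, names(decode_sigalgs(certificate_request_sigalgs(mode))))
```

Capturing the real CertificateRequest from a FortiGate (for example with a packet capture of the TLS 1.2 handshake) and running it through decode_sigalgs is a quick way to confirm which mode is in effect for a given SSL VPN portal.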

673049

When localid-type is set to address, the local ID can be set directly to an IPv4 or IPv6 address:

config vpn ipsec phase1
    set localid-type address
    set localid <string>
end

673747

Support IPv6 in execute restore and execute backup commands to TFTP and FTP servers.

675511

Update diagnose debug application virtual-wan-link to diagnose debug application sdwan.

677552

Add failover-hold-time, in seconds (0 - 300, default = 0), to avoid HA failover flapping caused by monitored interface failures.

config system ha
    set failover-hold-time <integer>
end

682561

Add the get system instance-id command.

687197

Allow administrators to require any number of new characters in a new password, instead of the fixed minimum of 4 unique new characters.

config system password-policy
    set min-change-characters <integer>
end

The set change-4-characters {enable | disable} option has been removed.
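The following added example (not FortiOS code) models what the policy enforces, so that the difference from the removed change-4-characters option is concrete. It assumes the check counts distinct characters of the new password that appear nowhere in the old one, compared case-sensitively, with 0 disabling the check; the page does not spell out the comparison, so treat that as an assumption. The passwords are constructed samples.

```python
def new_characters(old: str, new: str) -> set:
    """Distinct characters in `new` that never occur in `old` (case-sensitive)."""
    return set(new) - set(old)


def min_change_ok(old: str, new: str, min_change_characters: int) -> bool:
    """Check for `set min-change-characters <integer>`; 0 means no requirement."""
    if min_change_characters <= 0:
        return True
    return len(new_characters(old, new)) >= min_change_characters


def legacy_change_4_ok(old: str, new: str) -> bool:
    """Equivalent of the removed `set change-4-characters enable`: fixed at 4."""
    return min_change_ok(old, new, 4)


def explain(old: str, new: str, min_change_characters: int) -> str:
    """One-line verdict useful when an admin asks why a rotation was rejected."""
    fresh = "".join(sorted(new_characters(old, new)))
    verdict = "accepted" if min_change_ok(old, new, min_change_characters) else "rejected"
    return (f"{verdict}: {len(fresh)} new character(s) {fresh!r}, "
            f"policy requires {min_change_characters}")


if __name__ == "__main__":
    # Constructed samples: a year bump, a repeated-character pad, and a real change.
    for old, new in [("Winter2023!", "Winter2024!"),
                     ("Winter2023!", "Winter2023!zzzz"),
                     ("Winter2023!", "Spring2024!")]:
        print(old, "->", new, ":", explain(old, new, 4))
```

Repeated characters count once (appending "zzzz" contributes a single new character), and a threshold of 1 still lets the common year-bump rotation through; that is the trade-off the integer setting exposes compared with the old fixed value of 4.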

690981

Daily hit counts for central NAT and DNAT can now be displayed in the CLI using the following commands:

# diagnose firewall iprope show 10000d <index>
# diagnose firewall iprope show 100000 <index>

695259

Rename the following setting:

config system dns
    set dns-over-tls {disable | enable | enforce}
end

To:

config system dns
    set protocol {cleartext | DoT | DoH}
end

695979

Support wildcard MAC addresses in firewall addresses so that a group of addresses can be defined by pattern matching, for example on a vendor prefix. A MAC address range is now defined by specifying <start>-<end> in a single field instead of separate start-mac and end-mac settings. Multiple addresses can be defined on a single line.

config firewall address
    edit "address"
        set type mac
        set macaddr 00:0c:29:8d:7e:e3 00:0c:**:8d:7*:e3 00:0c:29:8d:7e:e3-00:22:29:8d:7e:e
    next
end
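The following added example (not FortiOS code) implements a matcher for the three forms the macaddr field accepts, so the matching rules can be exercised offline against a client MAC: an exact address, a wildcard pattern in which each * stands for one hex digit, and an inclusive range written as <start>-<end> with no surrounding spaces, as in the configuration above. That each * covers exactly one hex digit, that matching is case-insensitive, and that a range must run low to high are assumptions drawn from the example syntax rather than statements on the page. The sample field value is constructed.

```python
import re

# Constructed sample value for `set macaddr`, mixing all three forms:
# an exact address, a vendor-prefix wildcard, and an inclusive range.
SAMPLE_FIELD = (
    "00:0c:29:8d:7e:e3 "
    "00:50:56:**:**:** "
    "00:1b:21:00:00:00-00:1b:21:00:00:ff"
)

_MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")
_WILDCARD_RE = re.compile(r"([0-9a-f*]{2}:){5}[0-9a-f*]{2}")


def _norm(mac: str) -> str:
    """Lower-case a MAC and reject anything that is not six colon-separated octets."""
    mac = mac.strip().lower()
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac


def _mac_int(mac: str) -> int:
    """48-bit integer form of a MAC, used for range comparison."""
    return int(_norm(mac).replace(":", ""), 16)


def parse_macaddr(field: str):
    """Turn a space-separated macaddr value into a list of (kind, predicate)."""
    matchers = []
    for token in field.split():
        if "-" in token:                      # range: <start>-<end>
            start, end = token.split("-", 1)
            lo, hi = _mac_int(start), _mac_int(end)
            if lo > hi:
                raise ValueError(f"range start is above range end: {token!r}")
            matchers.append(("range", lambda m, lo=lo, hi=hi: lo <= _mac_int(m) <= hi))
        elif "*" in token:                    # wildcard: * matches one hex digit
            token = token.lower()
            if not _WILDCARD_RE.fullmatch(token):
                raise ValueError(f"invalid wildcard MAC: {token!r}")
            pattern = re.compile(token.replace("*", "[0-9a-f]"))
            matchers.append(("wildcard",
                             lambda m, p=pattern: p.fullmatch(_norm(m)) is not None))
        else:                                 # exact address
            exact = _norm(token)
            matchers.append(("exact", lambda m, e=exact: _norm(m) == e))
    return matchers


def match_kind(field: str, mac: str):
    """Kind ('exact', 'wildcard', 'range') of the first entry matching `mac`, or None."""
    for kind, predicate in parse_macaddr(field):
        if predicate(mac):
            return kind
    return None


def mac_matches(field: str, mac: str) -> bool:
    """True if `mac` is covered by any entry in the macaddr field."""
    return match_kind(field, mac) is not None


if __name__ == "__main__":
    for client in ("00:0C:29:8D:7E:E3", "00:50:56:ab:cd:ef",
                   "00:1b:21:00:00:7f", "00:1b:21:00:01:00"):
        print(client, "->", match_kind(SAMPLE_FIELD, client))
```

Two points worth checking on a real device: because a wildcard entry such as 00:50:56:**:**:** covers an entire vendor block, and MAC addresses are trivially spoofable, a MAC-based firewall address identifies a device class at best and should not stand in for authentication; and a malformed entry (a truncated octet or a reversed range) should be rejected at configuration time rather than silently matching nothing, which is what the ValueError paths above model.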
