Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

442996

Add GUI support for configuring IPv6 settings for IPv6 MAC address, SNMP, DHCPv6 server and client, DHCPv6 SLAAC, and prefix delegation. Updates include:

  • When IPv6 is enabled, a user can view, edit, and create IPv6 host entries.
  • General IPv6 options can be set on the Interface page, including the ability to configure SLAAC and DHCPv6.
  • Ability to retrieve IPv6 information for a DHCPv6 client similar to the existing DHCP support for IPv4.
  • IPv6 MAC is available form the address creation context menu.

489956

Add a new LAG implementation so each session uses the same NP6 and XAUI for ingress and egress direction to avoid the fast path congestion (the default value is disable).

config system npu
    set lag-out-port-select {enable | disable}
end

Add a new algorithm in the NPU driver to the bond algorithm list (AGG_ALGORITHM_NPU).

497049

Support HTTP2 in proxy mode by adding the ability to inspect HTTP2 via ALPN.

config firewall ssl-ssh-profile
    edit <name>
        set supported-alpn {http1-1 | http2 | all | none}
    next
end

520385

Allow denied sessions to be offloaded by the NPU when session-denied traffic is also enabled. This enables sessions to be offloaded for packets that are denied by the firewall policy, which can help reduce CPU usage.

config system npu
    session-denied-offload {enable | disable}
end

566452

Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed:

config system virtual-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end
config system physical-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

566967

Add security rating test to check if two-factor authentication is enabled for each active SSL VPN and IPsec user.

609692

Add new setting to enable auto provisioning of FortiSwitch firmware upon authorization. On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate models without a disk, one image of the same FortiSwitch model can be uploaded.

611992

Add a specific auth-timeout field in the SSL VPN monitor.

618359

In scenarios where the FortiGate is sandwiched by load-balancers and SSL processing is offloaded on the external load-balancers, the FortiGate can perform scanning on the unencrypted traffic by specifying the ssl-offloaded option in the protocol options profile. This was previously supported in proxy mode only, but now it is also supported in flow mode.

621725

Add settings to enable flow control and pause metering. Pause metering allows the FortiSwitch to apply flow control to ingress traffic when the queue is congested and to resume once it is cleared.

621728

On supported managed switch ports, the FortiGate allows the port to be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25 Gbps ports, or Clause 91 RS-FEC for 100 Gbps ports.

config switch-controller managed-switch
    edit <serial number>
        config ports
            edit <name>
                set fec-state {disabled | cl74 | cl91}
            next
        end
    next
end

622053

Add RADIUS CoA support for SSL-VPN. After receiving a Disconnect Request(40) from a RADIUS server, the SSL VPN daemon will search related sessions according to user name and RADIUS server name to log off the specific user (including web and tunnel session).

622547

When a device first connects to a switch port, or when a device goes from offline to online, the FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy. Optimizations made to the process shortens the time it takes for a new device to be recognized and assigned to the VLAN.

628133

Add dual stack IPv4/IPv6 support for SSL VPN servers, which enables a client to establish a dual stack tunnel that allows IPv4 and IPv6 traffic to pass through.

config vpn ssl settings
    set dual-stack-tunnel {enable | disable}
end

In web mode, users can access IPv4 and IPv6 bookmarks in the portal. A new attribute, prefer-ipv6-dns, is added to prefer querying IPv6 DNS first.

630468

Make the following enhancements to the antiphishing profile:

  • Allow username and password field patterns to be fetched from FortiGuard.
  • Add DNS support for domain controller IP fetching.
  • Add support to specify a source IP or port for the fetching domain controller.
  • Add LDAP server as a credential source.
  • Block or log valid usernames regardless of password match.
  • Add literal custom patterns type for username and password.

633543

Port policy configurations are moved out of NAC policies into a standalone dynamic port policy configuration. Physical ports now have a choice of thee access modes: static, dynamic (default), and NAC. In dynamic mode, a Dynamic Port Policy profile can be assigned, allowing devices matching defined criteria to apply specific port properties based on LLDP, QoS, 802.1X, or VLAN policies. NAC policies, provide more criteria to match devices and assign them to an appropriate VLAN.

634006

OpenSSL updated to 1.1.1j for security fixes.

635344

Add XAuth User to VPN chart in the PDF report.

636804

FortiClient EMS with fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, then silently approve remaining downstream FortiGates in the Fabric. Similarly, in an HA scenario, approval only needs to be made once to the HA primary unit. The remaining cluster members will be approved silently.

637108

In 6.2, stream-based AV scan was added in proxy mode for HTTP(S). This is now supported for FTP(S), SFTP, and SCP. The stream-based scan optimizes memory utilization for large archive files like ZIP, TAR.GZ, and so on by decompressing the files on the fly and scanning files as they are extracted. Smaller files can also be scanned directly on the proxy-based WAD daemon, improving traffic throughput.

637552

Enhance freestyle log filtering so that users can specify more powerful filters. The config free-style setting is added to log filters for each log device. For example:

config log memory filter
    config free-style
        edit 1
           set category {event | virus | webfilter | attack | spam | anomaly | voip | dlp | app-ctrl | waf | gtp | dns | ssh | ssl | file-filter | icap}
           set filter <string>
           set filter-type include
        next
    end
end

The filter string can be a legal regular filter string. For example, ((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60).

638352

To avoid large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon:

  • Prioritize established SAs.
  • Offload groups 20 and 21 to CP9.
  • Optimize the default embryonic limits for mid- and high-end platforms.

The IKE embryonic limit can now be configured in the CLI.

config system global
    set ike-embryonic-limit <integer>
end

640763

Users can configure advanced BGP and OSPF routing options in the GUI. A new Routing Objects page allows users to configure Route Map, Access List, Prefix List, AS Path List, and Community List from the GUI. The Dashboard > Network routing monitor now displays BGP Neighbors, BGP Paths, and OSPF Neighbors.

641077

After authorizing a FortiAP, administrators can also register the FortiAP to FortiCloud directly from the FortiGate GUI.

641524

Add interface selection for IPS TLS protocol active probing.

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

644218

The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1>, <m2>, ... <m12>
end

The interval is set in seconds (1 - 60, default = 1). The multiplies are twelve integers ranging from 1 - 255, the default is 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8.

An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) number of continuous event logs.

644235

Support reference to any action results in chained actions of automation stitches.

647800

AWS and Azure now support FIPS ciphers mode.

648595

A custom IKE port and IKE NAT-T port can be specified to replace the default UDP/500 and UDP/4500 respectively for IKE negotiation.

config system settings
    set ike-port <1024 - 65535>
    set ike-natt-port <1024 - 65535>
end

648602

When creating a Cisco ACI direct connector, configuring multiple IPs allows the FortiGate to connect to the server in a round-robin fashion. Only one server will be active and the remaining will serve as backups if the active one fails.

649903

When a FortiClient endpoint is managed by EMS, logged in user and domain information is shared with FortiOS via the EMS connector. This information is used to fetch additional attributes over the Exchange connector to produce more complete user information for the user store.

649933

Security rating notifications are shown on the settings page, which has configuration issues as determined by the security rating. Users can open the recommendation to see which configuration item needs to be fixed. This frees users from going back and forth between the Security Rating page and the settings page. Notifications appear either in the gutter, the footer, or as a mutable. Notifications can be dismissed.

650416

On IBM VPC Cloud, users can deploy their BYOL FortiGate VMs in unicast HA. HA failover triggers routing changes and floating IP reassignment on the IBM Cloud automatically via the API.

651866

FortiSwitch events now have their own category on the Events log page.

652003

In a tenant VDOM, allow lldp-profile and lldp-status to be configurable on a leased switch port.

652503

By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM.

config nsxt setting
    set liveness {enable | disable}
    set service <service name>
end
config nsxt service-chain
    edit <ID>
        set name <chain name>
        config service-index
            edit <forward index>
                set reverse-index <value>
                set name <index name>
                set vd <VDOM>
            next
        end
    next
end

The default value for reverse-index is 1. The vd setting is required.

653386

This feature enables the FortiGate to be configured as an SSL VPN client. A new SSL type interface is added to support the SSL VPN client configuration. When the SSL VPN client connection is established, the SSL VPN client will dynamically add a route to the subnets returned by the SSL VPN server. Subsequently, you can define policies to allow users behind the FortiGate acting as SSL VPN clients to be tunneled through SSL VPN to the destinations on the SSL VPN server.

654032

The route tag is a mechanism to map a BGP community string to a specific tag. The string may correspond to a specific network that a BGP router advertised. Using this tag, an SD-WAN service rule can be used to define specific handling of traffic to that network. In this enhancement, IPv6 route tags are now supported.

654619

With the video filter profile, users can filter YouTube videos by channel ID for a more granular override of a single channel, user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

655388

When units are out-of-sync in an HA cluster, the GUI will now compare the HA checksums and display the tables that caused HA to be out-of-sync. This can be visualized in the HA monitor page and the HA Status widget.

655942

Add new commands execute telnet-options and execute ssh-options to allow administrators to set the source interface and address for their connection.

656039

Allow SD-WAN duplication rules to specify SD-WAN service rules to trigger packet duplication. This allows SD-WAN duplication to occur based on an SD-WAN rule instead of the source, destination, or service parameters in the duplication rule.

657598

In an application control list, the exclusion option allows users to specify a list of applications they wish to exclude from an entry filtered by category, technology, or others.

config application list
    edit <list>
        config entries
            edit 1
                set category <ID>
                set exclusion <signature ID> ... <signature ID>
            next
        end
    next
end

657812

When an SSL inspection profile is configured to protect the SSL server, multiple sites can potentially be deployed on the same protected server IP. This change adds support for multiple SSL certificates to attach to a SSL profile, allowing inspection based on matching SNI in the certificate.

658096

Add four new SNMP OIDs for polling the number of packets and bytes that conform to traffic shaping, or are discarded by traffic shaping.

658206

New REST API POST /api/v2/monitor/vpn/ike/clear?mkey=<gateway_name> will bring down IKE SAs tunnel the same way as diagnose vpn ike gateway clear.

658525

The limit of BGP paths that can be selected and advertised has increased to 255 (originally 8).

658904

When defining an automation stitch with an email action, users can enable replacement message and customize their message using a standard template.

659105

Add a toggle to return node IP addresses only in dynamic firewall addresses for Kubernetes SDN connectors.

659127

Add support to deploy FortiGate-VMs that are paravirtualized with SR-IOV and DPDK/vNP on OCI shapes that use Mellanox network cards.

659346

Add additional information such as DHCP server MAC, gateway, subnet, and DNS to wireless DHCP logs.

659994

In firewall sniffer mode, you can record traffic logs each time a source or destination address matches an IP address on an external threat feed.

660250

Add global option fortiipam-integration to control FortiIPAM. When enabled, ipamd will run and report to FortiIPAM to allow automatic IP address/subnet management.

config system global
    set fortiipam-integration {enable | disable}
end

660273

By default, the FortiGate uses the outbound interface's IP to communicate with a FortiSwitch managed over layer 3. The switch-controller-source-ip option allows the switch controller to use the FortiLink fixed address instead.

660283

Add system event logs for the execution of CLI commands. When cli-audit-log is enabled under system global, the execution of execute, config, show, get, and diagnose commands will trigger system event logs.

660295

Provide specific SNMP objects (OIDs) that allow the status of the mobile network connection to be monitored.

660596

Because pre-standard POE devices are uncommon in the field, poe-pre-standard-detection is set to disable by default. Upgrading from previous builds will carry forward the configured value.

660624

When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed:

  • If a FortiAnalyzer appliance is enabled, then the dialog will be for the FortiAnalyzer connector.
  • If a FortiAnalyzer appliance is disabled but FortiAnalyzer Cloud is enabled, then the dialog will be for the Cloud Logging connector.
  • If neither the FortiAnalyzer appliance or FortiAnalyzer Cloud are enabled:
    • If the device has a FAZC (standard FortiAnalyzer Cloud subscription) or AFAC (premium subscription) entitlement, then the dialog will be for the Cloud Logging connector.
    • If the device does not have a FAZC or AFAC entitlement, then the dialog will be for the FortiAnalyzer connector.
  • When FortiAnalyzer Cloud is enabled and the FortiAnalyzer appliance is disabled, then the Cloud Logging connector will not let you switch to the FortiGate Cloud FortiAnalyzer.

660653

The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi network resources in roaming decisions and improves overall performance. This enhancement allows the FortiGate to push the MBO configuration to managed APs, which adds the MBO information element to the beacon and probe response for 802.11ax.

661105

By using session-sync-dev to offload session synchronization processing to the kernel with various optimizations, four-member FGSP session synchronization can be supported to handle heavy loads.

661131

Enabling IGMP snooping on an SSID allows the wireless controller to detect which FortiAPs have IGMP clients. The wireless controller will only forward a multicast stream to the FortiAP where there is a listener for the multicast group.

661252

Add object synchronization improvements:

  • Simplify the conflict resolution procedure so a multi-step wizard is no longer required. All conflicts appear in one table for all FortiGates in the Fabric and supported tables.
  • Add an object diff feature to display the difference between FortiGate objects that are in conflict.
  • Add new CLI command for the root FortiGate:
    config system csf
        set fabric-object-unification {default | local}
    end

    When set to default, objects will be synchronized in the Security Fabric. On downstream FortiGates, if configuration-sync is set to local, the synchronized objects from the root to downstream FortiGates is not applied locally. However, the device will still send the configuration to lower FortiGates.

  • The fabric-object {enable | disable} command was added to the following tables:

    • firewall.address
    • firewall.address6
    • firewall.addrgrp
    • firewall.addrgrp6
    • firewall.service.category
    • firewall.service.group
    • firewall.service.custom
    • firewall.schedule.group
    • firewall.schedule.onetime
    • firewall.schedule.recurring

    Enabling fabric-object on the root starts synchronizing this object as a Fabric object to downstream devices. Disabling fabric-object makes the object local to the device.

  • Add setting to define how many task worker process are created to handle synchronizations (1 - 4, default = 2). The worker processes dies if there is no task to perform after 60 seconds.

    config system csf
        set fabric-workers <integer>
    end

662437

When a FortiSwitch upgrade is stuck due to connectivity issues, the following command allows the process to be cancelled.

# execute switch-controller switch-software cancel {all | sn | switch-group}

663206

When an AliCloud SDN connector is configured, dynamic address objects can support Kubernetes filters based on cluster, service, node, pod, and more.

663530

IoT background scanning is disabled by default. Users can enable this option on the FortiLink Interface page in the GUI or with the switch-controller-iot-scanning in the CLI.

663877

Add Application Bandwidth widget:

  • It can be added to a dashboard to display bandwidth utilization for the top 50 applications.
  • The favorites will be included even if they are not in the top 50.
  • A firewall policy must have an application profile configured so the widget can capture information.
  • A new CLI was added.

664312

Integrate Broadcom bnxt_en 1.10.1 driver to drive new vfNIC to replace 1.9.2 version. The following new cards are supported:

  • [BCM57508] = { "Broadcom BCM57508 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

  • [BCM57504] = { "Broadcom BCM57504 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

  • [BCM57502] = { "Broadcom BCM57502 NetXtreme-E 10Gb/25Gb/50Gb Ethernet" }

  • [BCM57508_NPAR] = { "Broadcom BCM57508 NetXtreme-E Ethernet Partition" }

  • [BCM57504_NPAR] = { "Broadcom BCM57504 NetXtreme-E Ethernet Partition" }

  • [BCM57502_NPAR] = { "Broadcom BCM57502 NetXtreme-E Ethernet Partition" }

  • [BCM58812] = { "Broadcom BCM58812 NetXtreme-S 2x50G Ethernet" }

  • [BCM58814] = { "Broadcom BCM58814 NetXtreme-S 2x100G Ethernet" }

  • [BCM58818] = { "Broadcom BCM58818 NetXtreme-S 2x200G Ethernet" }

  • [NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" }

664826

When multi-VDOM mode is enabled, the threat feed external connector can be defined in global or within a VDOM. Global threat feeds can be used in any VDOMs, but are not editable within the VDOM. FortiGuard category and domain name based external feeds have added a category number field to identify the threat feed.

665186

Add Security Rating test, Activate FortiCloud Services, to check whether FortiCloud services can be activated for FortiAnalyzer Cloud, FortiManager Cloud, FortiClient EMS Cloud, and FortiSandbox Cloud. If the account has a valid subscription to a service or cloud appliance, but the Fabric connection to it on the FortiGate is not enabled, then the test fails.

665695

An HA failover can be triggered when memory utilization exceeds the threshold for a specific amount of time.

config system ha
    set memory-based-failover {enable | disable}
    set memory-failover-threshold <0 - 95>
    set memory-failover-monitor-period <1 - 300>
    set memory-failover-sample-rate <1 - 60>
    set memory-failover-flip-timeout <6 - 2147483647>
end

665735

The user device store allows user and device data collected from different daemons to be centralized for quicker access and performance:

diagnose user-device-store device memory list
diagnose user-device-store device memory query mac <value>
diagnose user-device-store device memory query ip <value>
diagnose user-device-store device disk list
diagnose user-device-store device disk query <SQL WHERE clause>

667181

Connection to FortiSandbox Cloud, which allows users to create an instance of FortiSandbox on FortiCloud, can now be easily configured from the Fabric Connectors page. In the Cloud Sandbox Settings, choose between connecting to FortiGate Cloud Sandbox or FortiSandbox Cloud. The connection to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the right FortiSandbox Cloud account.

667285

When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character.

667774

The AV engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. Previously, this type of detection was handled by heuristics that analyze file behavior. With AV Engine AI, the module is trained by FortiGuard AV against many malware samples to identify file features that make up the malware. The AV Engine AI package is downloaded by FortiOS from FortiGuard via FortiGuard updates. Devices with an active AV subscription can download this package.

The setting is enabled by default at a per-VDOM level:

config antivirus settings
    set machine-learning-detection enable
end

668362

Support multiple LDAP server configurations for Kerberos keytab and agentless NTLM domain controller in multiple forest deployments.

668487

In NGFW policy mode, application groups can be defined with the following filters: risk, protocols, vendor, technology, behavior, and popularity.

668991

Security Fabric rating reports can now be generated in multi-VDOM mode, against all VDOMs. The Security Rating is visible under Global scope.

669033

Backend update to support a TCP connection pool to maintain local-out TCP connections to the external ICAP server.

669158

The SD-WAN Network Monitor service now supports running a speed test based on a schedule. The test results are automatically updated in the interface measured-upstream-bandwidth and measured-downstream-bandwidth fields. When the scheduled speed tests run, it is possible to temporarily bypass the bandwidth limits set on the interface and configure custom maximum or minimum bandwidth limits. These configurations are optional.

669487

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can be based on a FortiGuard URL category.

669942

In the scenario where session synchronization is down between two FGSP members that results in a split-brain situations, the IKE monitor provides a mechanism to maintain the integrity of state tables and primary/secondary roles for each gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up, the cluster resolves the role and synchronizes the session and IKE data. During this process, if the IKE fails over from one unit to another, the tunnel will remain valid due to the IKE session and role being out of sync, and the ESP anti-replay detection.

670067

To accommodate the new web filter categories, Child Abuse is renamed as Child Sexual Abuse. A new category 96, Terrorism, has been added to FortiOS and FortiGuard servers.

670089

A secure SSL connection from the FortiGate to the ICAP server can be configured as follows:

config icap server
    edit "server"
        set secure enable
        set ssl-cert <certificate>
    next
end

670345

Support Strict-Transport-Security in HTTPS redirect.

670568

The Security Fabric can be enabled for a multi-VDOM environment, allowing access to all Fabric features including: Fabric topologies, security rating, and automation across the VDOM deployment. Users can navigate to downstream FortiGates directly from the root FortiGate via the new Fabric selection top-menu.

670677

When a BGP next hop requires recursive resolution, the default behavior is to consider all other routes except BGP routes. The following option, when enabled, allows the recursive next hop resolution to use BGP routes as well.

config router bgp
    set recursive-next-hop {enable | disable}
end

671563

Add option to switch between Peer and Peer Group view on PKI user page.

672573

FortiExtender and VPN tunnel interfaces now support NetFlow sampling. VPN tunnel interfaces can be IPsec, IP in IP, or GRE tunnels. NetFlow sampling is supported on NPU and non-NPU offloaded tunnels.

673072

When a HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal. Once authentication is done, the client can be redirected back to the original destination over HTTP.

673205

In Dashboard > Users and Devices, administrators can use the FortiSwitch NAC VLANs widget to see which devices have been added to which VLANs by the NAC policy. A donut chart overview summarizes the number of devices in each VLAN.

673371

Support ICMP type 13 at local interface.

673590

Policy hit counters are now seven-day rolling counters. Instead of storing a single number for the hit count and byte count collected since the inception of each policy, seven numbers for the last seven days plus an active counter for the current day are stored. The past seven-day hit count is displayed on the policy list and policy dialog page. A seven-day bar chart for additional visualization of the statistics has been added. These changes help put the policy hit count comparison on the same footing.

674653

In order to support packet duplication on dial-up IPsec tunnels between sites, each spoke must configure a location ID. On the dial-up VPN hub, packet duplication can be performed on tunnels in the IPsec aggregate with the same location ID.

config system settings
    set location-id <IPv4 address>
end

674724

Once an incoming webhook connector is created in Microsoft Teams, this webhook URL can be used in an automation stitch under the action Microsoft Teams connector.

config system automation-action
    edit <action name>
        set action-type microsoft-teams-notification
    next
end

674759

IPv6 multicast policies can be configured in the GUI by enabling IPv6 and Multicast Policy under System > Feature Visibility.

675049

Add support for PRP (Parallel Redundancy Protocol) in NAT mode for a virtual wire pair. This preserves the PRP RCT (redundancy control trailer) while the packet is processed by the FortiGate.

675200

Improve SOCKS/SSH proxy to support internet-service.

675401

Provide options for controlling concurrent TCP/UDP connections by introducing a connection quota in the per-IP shaper and a port quota in the fixed port range type IP pool.

675958

A DNS health check monitor can be configured for server load balancing. The monitor uses TCP or UDP DNS as the probes. The request domain is matched against the configured IP address to verify the response.

config firewall ldb-monitor
    edit <name>
        set type dns
        set port <string>
        set dns-protocol {udp | tcp}
        set dns-request-domain <string>
        set dns-match-ip <class_ip>
    next
end

676063

Add support for OCI IMDSv2 that offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and during instance deployments with bootstrap metadata.

676260

FortiGates with a premium subscription (AFAC contract) for cloud-based central logging and analytics are able to send traffic logs to FortiAnalyzer Cloud, in addition to UTM logs and event logs. FortiGates with a standard FortiAnalyzer Cloud subscription (FAZC contract) can send UTM and event logs only.

676484

When configuring the generic DDNS service provider as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to an IPv6 DDNS server and provide the FortiGate's IPv6 interface address for updates.

config system ddns
    edit <name>
        set ddns-server genericDDNS
        set server-type {ipv4 | ipv6}
        set ddns-server-addr <address>
        set addr-type ipv6 {ipv4 | ipv6}
        set monitor-interface <port>
    next
end

676549

The past seven-day hit count is displayed on the policy list page and the policy dialog page for IPv4 and IPv6 multicast policies. A seven-day bar chart for additional visualization of the statistics has been added.

676577

Introduce FortiGuard updates for OUI files used to identify device vendors by MAC address. This database is used in WiFi and device detection.

677334

Add support for MacOS Big Sur 11.1 in SSL VPN OS check.

677684

In a Hub and Spoke SD-WAN topology with shortcuts created over ADVPN, a downed or recovered shortcut may affect which member is selected by a SD-WAN service strategy. The SD-WAN hold-down-time ensures that when a downed shortcut tunnel comes back up and the shortcut is added back into the service strategy equation, the shortcut is held to low priority until the hold-down-time has passed.

677750

The Local Out Routing page consolidates features where a source IP and an outgoing interface attribute can be configured to route local out traffic. The outgoing interface has a choice of Auto, SD-WAN, or Specify to allow granular control over the interface in which to route the local out traffic. Local Out Routing must be enabled from System > Feature Visibility, and it supports multi-VDOM mode.

677784

Add commands to debug traffic statistics for traffic monitor interfaces (interface), interface traffic in real-time data (peek), and to dump interface traffic history data (history):

# diagnose debug traffic {interface | peek | history}

678015

A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate. Once the FortiWeb joins the Fabric, the following features are available:

  • View the FortiWeb on topology pages.

  • Create a dashboard Fabric Device widget to view FortiWeb data.

  • Configure single sign-on using SAML.

678783

Add option for users to set a non-default SD-WAN member zone for OCVPN IPsec interfaces. The sdwan-zone option is only available if SD-WAN is enabled. sdwan-zone references the entries in the SD-WAN configuration, and the default is virtual-wan-link.

config vpn ocvpn
    ... 
    set sdwan enable
    set sdwan-zone {virtual-wan-link | <zone> | ...}
    ...
end

679175

Add interface-select option for email-server.

config system email-server
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

679245

This enhancement allows a FortiGate to use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user.

config firewall policy
    edit 1
        set dynamic-shaping {enable | disable}
    next
end

680599

Increase the ICMP rate limit to allow more ICMP error message to be sent by the FortiGate per second. The ICMP rate limit has changed from 1 second (100 jiffies) to 10 milliseconds (1 jiffy).

680622

Allow option to configure a lowest unit of heartbeat interval of 10 ms, compared to the default of 100 ms.

config system ha
    set hb-interval-in-milliseconds {100ms | 10ms}
end

681600

Add support for syslog RFC 5424 format, which can be enabled when the syslog mode is UDP or reliable.

config log syslogd setting
    set format {default | csv | cef | RFC5424}
end

682106

If a FortiCloud account has a FortiManager Cloud account level subscription (ALCI), a FortiGate registered to the FortiCloud account can recognize it and enable FortiManager Cloud central management.

682246

SAML user authentication is supported for explicit web proxies and transparent web proxies with the FortiGate acting as a SAML SP. SAML is supported as a new authentication method for an authentication scheme that requires using a captive portal.

config authentication scheme
    edit <name>
        set method saml
        set saml-server <server>
        set saml-timeout <seconds>
        set user-database <database>
    next
end

682470

Add srcaddr-negate, dstaddr-negate, and service-negate to local-in policy.

682480

Flow-based SIP inspection is now done by the IPS engine. Proxy ALG features that are supported in flow mode include blocking scenarios, rate limitation, and malformed header detection. Inspection mode is selected at the firewall policy level.

683647

The following enhancements allow better integration with carrier CPE (customer premises equipment) management tools:

  • Add SNMP OIDs to collect the reason for a FortiGate reboot.

  • Add SNMP OIDs to collect traffic shaping profile and policy related configurations.

  • Add a description field on the modem interface that can be fetched over SNMP.

  • Bring a loopback or VLAN interface down when the link monitor fails.

  • Add DSCP and shaping class ID support on the link monitor probe.

  • Allow multiple link monitors with the same source and destination address, but different ports or protocols.

683791

From the CLI, users are allowed to enable malware threat feeds and outbreak prevention without performing an AV scan. In the GUI and CLI, users can choose to use all malware thread feeds, or specify the ones they want to use. New replacement message for external block lists have been added.

config antivirus profile
    edit <name>
        config http
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set quarantine {enable | disable}
        end
        set outbreak-prevention-archive-scan {enable | disable}
        set external-blocklist-archive-scan {enable | disable}
        set external-blocklist-enable-all {enable | disable}
        set external-blocklist <source>
    next
end

Note that the external-blocklist <source> option is hidden if external-blocklist-enable-all is enabled.

684133

Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

config vpn ipsec phase1-interface
    edit <name> 
        set interface "loopback"
        set loopback-asymroute {enable | disable}
    next
end

686019

FortiGate can be configured to allow administrators to log in using FortiCloud single sign-on. Both IAM and non-IAM users on the FortiCloud support portal are supported. Non‑IAM users must be the FortiCloud account that the FortiGate is registered to. When enabled, the FortiGate login page will display options to Sign in with FortiCloud or sign in with regular administrator username.

687282

When FortiGuard DDNS is configured as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to FortiGuard over IPv6 and provide the FortiGate's IPv6 interface address for updates.

689140

FortiAI can be added to the Security Fabric so it appears in the topology views and the dashboard widgets.

689150

When the detect server becomes unavailable in a link monitoring configuration, instead of removing all routes associated with the gateway and interface defined in the link monitor, only remove specific routes. These subnets can be specified in the link-monitor configuration.

config system link-monitor
    edit <id>
        set srcintf <interface>
        set server <server IP>
        set gateway-ip <gateway IP>
        set route <subnet 1> ... <subnet n>
    next
end

689174

Adds support for Layer 3 unicast standalone config sync. This allows peers to be synchronized in cloud environments that do not support Layer 2 networking, which expands support for auto-scale scenarios. Configuring a unicast gateway allows peers to be in different subnets altogether (this is an optional setting).

config system ha
    set unicast-status enable
    set unicast-gateway <address>
    config unicast-peers
        edit 1
            set peer-ip <address>
        next
    ...
    end
end

689807

Add dual stack IPv4/IPv6 support for FortiGate's SSL VPN client, which enables it to establish a dual stack tunnel to allow IPv4 and IPv6 traffic to pass through. Dual stack is enabled unconditionally, and will form dual stack tunnels when the server supports it.

690179

The SD-WAN REST API for health-check and sla-log now exposes ADVPN shortcut information in its result. The child_intfs attribute returns the statistics for the corresponding shortcuts. The following command displays real-time SLA information for ADVPN shortcuts:

# diagnose sys sdwan sla-log <health check name> <sequence number> <child name>

690688

Add UX enhancements:

  • When selecting objects, the omni-select menu displays recently used items.

  • Support nested object tooltips.

690691

The radio transmit power can now be configured in dBm or as a percentage in FortiAP profiles and override settings.

690711

Synchronize wildcard FQDN IPs to other autoscale members whenever a peer learns of a wildcard FQDN address.

690801

FortiDeceptor can be added to the Security Fabric so it appears in the topology views and the dashboard widgets.

691254

Firewall policies can be configured in full ZTNA or ZTNA IP/MAC filtering mode when you enable Zero Trust Network Access from the Feature Visibility menu. When configuring firewall policies in ZTNA IP/MAC filtering mode, ZTNA tags are used for access control. ZTNA tags are equivalent to FortiOS 6.4 EMS tags that were part of dynamic firewall addresses. In 7.0, ZTNA tags can be accessed from the Policy & Objects > ZTNA > ZTNA Tags tab.

691340

DHCP address enforcement ensures that clients who connect must complete the DHCP process to obtain an IP address; otherwise, they are disconnected from the SSID. This prevents users with static addresses that may conflict with the DHCP address scheme, or users that fail to obtain a DHCP IP assignment to connect to the SSID.

691411

Ensure EMS logs are recorded for dynamic address related events under Log & Report > Events > SDN Connector Events logs:

  • Add EMS tag
  • Update EMS tag
  • Remove EMS tag

691676

Wireless controller now supports NAC profiles to onboard wireless clients into default VLANs. It can also apply NAC policies to match clients based on device properties, user groups or EMS tags, and assign clients to specific VLANs. VLAN sub-interfaces based on the VAP interfaces are used for the VLAN assignment.

691693

The performance of updates between the FortiGate and FortiClient EMS is improved by using WebSockets. On supported FortiClient EMS firmware, the FortiGate can open a WebSocket connection with EMS to register for notifications about system information, host tags, avatars, and vulnerabilities. When these tables are updated, EMS pushes notifications to the corresponding FortiGate. The FortiGate then fetches the updated information using the REST API.

691902

Support pulling malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV is enabled with block or monitor actions.

692272

Add DNS filtering support in flow inspection mode. In FortiOS 6.4, the DNS proxy daemon handles the DNS filter in flow and proxy mode policies. Starting in 7.0, the IPS engine handles the DNS filter in flow mode policies. All features previously supported in the DNS filter profile are supported in flow mode.

693799

Add the following enhancements for voice-enterprise SSID:

  • Support 802.11k neighbor report dual band.

  • Enhance 802.11v BSS transition management by adding bstm-disassociation-imminent option, disassociation timer for low RSSI, and disassociation timer for AP load-balancing.

694102

Improve the session in/out dev handling when the session is dirty, re-routing occurs, and so on. Avoid clearing the session in/out dev, and only update it when is changes.

694148

Support file filter profile in a one-arm sniffer policy in the GUI and CLI.

694839

GCP PAYG instances can obtain FortiCare generated licenses upon a new deployment, or by the command line (execute vm-license) when upgrading from previous firmware. The process generates Fortinet_Factory and Fortinet_Factory_Backup certificates that contain the common name (CN) of the FortiGate serial number to uniquely identify this FortiGate.

695259

Adds support for DNS over TLS (DoT) and DNS over HTTPS (DoH) in DNS inspection. Prior to 7.0, DoT and DoH traffic silently passes through DNS proxy. In 7.0, WAD is able to handle DoT and DoH, and redirect DNS queries to the DNS proxy for further inspection.

config firewall ssl-ssh-profile
    edit "dot-deep"
        config dot
            set status deep-inspection
            set client-certificate bypass
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
        end
    next
end

695855

In the wireless controller settings, add options to specify the delimiter used for various RADIUS attributes for RADIUS MAC authentication and accounting. The options are hyphen, single-hyphen, colon, or none.

config wireless-controller vap
    edit <name>
        set mac-username-delimiter {hyphen | single-hyphen | colon | none}
        set mac-password-delimiter {hyphen | single-hyphen | colon | none}
        set mac-calling-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-called-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-case MAC {uppercase | lowercase}
    next
end

695972

Remove FortiGuard Accept push updates option. On 2U models and larger (excluding VMs), the Immediately download updates option has been added. This allows the FortiGate to form a secure persistent connection with FortiGuard to get notifications of new updates. Once notified, the FortiGate can download the updates immediately.

695983

In a scenario where a tunnel mode SSID or a VLAN sub-interface of an SSID is bridged with other interfaces via a software switch, support is added to allow captive portal authentication on the SSID or VLAN sub-interface. This requires that intra-switch-policy is set to explicit from the CLI when the switch interface is created. Users accessing the SSID will be redirected to the captive portal for authentication.

698239

Introduce GUI support for configuring Zero Touch Network Access. ZTNA is a method of access control that utilizes zero-trust tags and various authentication methods to provide role-based application access. In full ZTNA mode, users can securely connect to the FortiGate access proxy over HTTPS to connect to protected resources.

698462

Add the ability to perform SD-WAN passive WAN health measurement, which reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements. The passive and prefer-passive detection modes rely on session information captured in firewall policies with passive-wan-health-measurement enabled.

config system sdwan
    config health-check
        edit <name>
            set detect-mode {active | passive | prefer-passive}
        next
    end
end
config firewall policy
    edit <id>
        set passive-wan-health-measurement {enable | disable}
    next
end

699161

Allow service assurance management (SAM) mode to be configured from the CLI where a radio is designated to operate as a client and perform tests against another AP. Ping and iPerf tests can run on an interval and the results are captured in the Wi-Fi event logs. This allows the FortiGate to verify and assure an existing Wi-Fi network can provide acceptable services.

699231

In ZTNA, the integration between FortiClient EMS and the FortiGate is extended so the device identity and device trust context is established through client certificates and other information shared between the three entities. When a FortiClient endpoint registers to FortiClient EMS, it requests and obtains a client device certificate signed by the EMS certificate authority. Information about the endpoint device and the certificate is synchronized to the FortiGate. When the endpoint attempts to connect to the access proxy, the client is prompted to provide its certificate, which is verified by the FortiGate to establish a trusted relationship.

699232

In ZTNA, the FortiGate access proxy can apply SAML authentication to authenticate the client. The FortiGate will act as the SAML SP, while a SAML authenticator will serve as the IdP. In addition to verifying user and device identity using the client certificate, you can also authorize the user based on user credentials to establish a trust context before granting access to the protected resource.

699233

Once the client certificate is obtained by the endpoint, and endpoint information is synchronized between the FortiGate and FortiClient EMS, the client is ready to establish a connection to the FortiGate access proxy. By default, client certificate authentication is enabled on the access proxy, so when the HTTPS request comes in, the FortiGate's WAD process will challenge the client to identify itself with its certificate. Based on the client response, WAD will allow or block further processing by the ZTNA proxy rule.

699234

In ZTNA, a HTTPS access proxy functions as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context before granting access to the protected resource.

699235

In ZTNA, a TCP forwarding access proxy (TFAP) functions in two parts. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS. Then, it verifies user identity, device identity, and trust context before forwarding the TCP traffic to the protected resource.

701185

Support DoT and DoH in explicit mode, where FortiGate acts as an explicit DNS server listening for DoT and DoH requests. Add support for local-out DNS traffic over TLS and HTTPS.

701819

The DNP3 application signature dissector supports detecting DNP3 traffic that is encapsulated by the RealPort protocol (Net.CX). DNP3 is used in industrial solutions over serial ports, USB ports, printers, and so on. RealPort encapsulation allows transportation of the underlying protocols over TCP/IP. The FortiGate industrial signatures must be enabled to use RealPort.DNP3 signatures.

705248

The new GUI retro theme showcases a style of FortiOS giving homage to FortiOS 3.0. To enable it, go to System > Settings. Under View Settings, for Theme, select FortiOS v3 Retro.

706387

Support different sizes of the C5d instance type, which is currently the only C5 class instance available for AWS Outposts. Both FortiGate listings (BYOL and PAYG) are supported in the AWS marketplace.

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

442996

Add GUI support for configuring IPv6 settings for IPv6 MAC address, SNMP, DHCPv6 server and client, DHCPv6 SLAAC, and prefix delegation. Updates include:

  • When IPv6 is enabled, a user can view, edit, and create IPv6 host entries.
  • General IPv6 options can be set on the Interface page, including the ability to configure SLAAC and DHCPv6.
  • Ability to retrieve IPv6 information for a DHCPv6 client similar to the existing DHCP support for IPv4.
  • IPv6 MAC is available form the address creation context menu.

489956

Add a new LAG implementation so each session uses the same NP6 and XAUI for ingress and egress direction to avoid the fast path congestion (the default value is disable).

config system npu
    set lag-out-port-select {enable | disable}
end

Add a new algorithm in the NPU driver to the bond algorithm list (AGG_ALGORITHM_NPU).

497049

Support HTTP2 in proxy mode by adding the ability to inspect HTTP2 via ALPN.

config firewall ssl-ssh-profile
    edit <name>
        set supported-alpn {http1-1 | http2 | all | none}
    next
end

520385

Allow denied sessions to be offloaded by the NPU when session-denied traffic is also enabled. This enables sessions to be offloaded for packets that are denied by the firewall policy, which can help reduce CPU usage.

config system npu
    session-denied-offload {enable | disable}
end

566452

Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed:

config system virtual-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end
config system physical-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

566967

Add security rating test to check if two-factor authentication is enabled for each active SSL VPN and IPsec user.

609692

Add new setting to enable auto provisioning of FortiSwitch firmware upon authorization. On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate models without a disk, one image of the same FortiSwitch model can be uploaded.

611992

Add a specific auth-timeout field in the SSL VPN monitor.

618359

In scenarios where the FortiGate is sandwiched by load-balancers and SSL processing is offloaded on the external load-balancers, the FortiGate can perform scanning on the unencrypted traffic by specifying the ssl-offloaded option in the protocol options profile. This was previously supported in proxy mode only, but now it is also supported in flow mode.

621725

Add settings to enable flow control and pause metering. Pause metering allows the FortiSwitch to apply flow control to ingress traffic when the queue is congested and to resume once it is cleared.

621728

On supported managed switch ports, the FortiGate allows the port to be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25 Gbps ports, or Clause 91 RS-FEC for 100 Gbps ports.

config switch-controller managed-switch
    edit <serial number>
        config ports
            edit <name>
                set fec-state {disabled | cl74 | cl91}
            next
        end
    next
end

622053

Add RADIUS CoA support for SSL-VPN. After receiving a Disconnect Request(40) from a RADIUS server, the SSL VPN daemon will search related sessions according to user name and RADIUS server name to log off the specific user (including web and tunnel session).

622547

When a device first connects to a switch port, or when a device goes from offline to online, the FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy. Optimizations made to the process shortens the time it takes for a new device to be recognized and assigned to the VLAN.

628133

Add dual stack IPv4/IPv6 support for SSL VPN servers, which enables a client to establish a dual stack tunnel that allows IPv4 and IPv6 traffic to pass through.

config vpn ssl settings
    set dual-stack-tunnel {enable | disable}
end

In web mode, users can access IPv4 and IPv6 bookmarks in the portal. A new attribute, prefer-ipv6-dns, is added to prefer querying IPv6 DNS first.

630468

Make the following enhancements to the antiphishing profile:

  • Allow username and password field patterns to be fetched from FortiGuard.
  • Add DNS support for domain controller IP fetching.
  • Add support to specify a source IP or port for the fetching domain controller.
  • Add LDAP server as a credential source.
  • Block or log valid usernames regardless of password match.
  • Add literal custom patterns type for username and password.

633543

Port policy configurations are moved out of NAC policies into a standalone dynamic port policy configuration. Physical ports now have a choice of thee access modes: static, dynamic (default), and NAC. In dynamic mode, a Dynamic Port Policy profile can be assigned, allowing devices matching defined criteria to apply specific port properties based on LLDP, QoS, 802.1X, or VLAN policies. NAC policies, provide more criteria to match devices and assign them to an appropriate VLAN.

634006

OpenSSL updated to 1.1.1j for security fixes.

635344

Add XAuth User to VPN chart in the PDF report.

636804

FortiClient EMS with fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, then silently approve remaining downstream FortiGates in the Fabric. Similarly, in an HA scenario, approval only needs to be made once to the HA primary unit. The remaining cluster members will be approved silently.

637108

In 6.2, stream-based AV scan was added in proxy mode for HTTP(S). This is now supported for FTP(S), SFTP, and SCP. The stream-based scan optimizes memory utilization for large archive files like ZIP, TAR.GZ, and so on by decompressing the files on the fly and scanning files as they are extracted. Smaller files can also be scanned directly on the proxy-based WAD daemon, improving traffic throughput.

637552

Enhance freestyle log filtering so that users can specify more powerful filters. The config free-style setting is added to log filters for each log device. For example:

config log memory filter
    config free-style
        edit 1
           set category {event | virus | webfilter | attack | spam | anomaly | voip | dlp | app-ctrl | waf | gtp | dns | ssh | ssl | file-filter | icap}
           set filter <string>
           set filter-type include
        next
    end
end

The filter string can be a legal regular filter string. For example, ((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60).

638352

To avoid large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon:

  • Prioritize established SAs.
  • Offload groups 20 and 21 to CP9.
  • Optimize the default embryonic limits for mid- and high-end platforms.

The IKE embryonic limit can now be configured in the CLI.

config system global
    set ike-embryonic-limit <integer>
end

640763

Users can configure advanced BGP and OSPF routing options in the GUI. A new Routing Objects page allows users to configure Route Map, Access List, Prefix List, AS Path List, and Community List from the GUI. The Dashboard > Network routing monitor now displays BGP Neighbors, BGP Paths, and OSPF Neighbors.

641077

After authorizing a FortiAP, administrators can also register the FortiAP to FortiCloud directly from the FortiGate GUI.

641524

Add interface selection for IPS TLS protocol active probing.

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

644218

The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1>, <m2>, ... <m12>
end

The interval is set in seconds (1 - 60, default = 1). The multiplies are twelve integers ranging from 1 - 255, the default is 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8.

An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) number of continuous event logs.

644235

Support reference to any action results in chained actions of automation stitches.

647800

AWS and Azure now support FIPS ciphers mode.

648595

A custom IKE port and IKE NAT-T port can be specified to replace the default UDP/500 and UDP/4500 respectively for IKE negotiation.

config system settings
    set ike-port <1024 - 65535>
    set ike-natt-port <1024 - 65535>
end

648602

When creating a Cisco ACI direct connector, configuring multiple IPs allows the FortiGate to connect to the server in a round-robin fashion. Only one server will be active and the remaining will serve as backups if the active one fails.

649903

When a FortiClient endpoint is managed by EMS, logged in user and domain information is shared with FortiOS via the EMS connector. This information is used to fetch additional attributes over the Exchange connector to produce more complete user information for the user store.

649933

Security rating notifications are shown on the settings page, which has configuration issues as determined by the security rating. Users can open the recommendation to see which configuration item needs to be fixed. This frees users from going back and forth between the Security Rating page and the settings page. Notifications appear either in the gutter, the footer, or as a mutable. Notifications can be dismissed.

650416

On IBM VPC Cloud, users can deploy their BYOL FortiGate VMs in unicast HA. HA failover triggers routing changes and floating IP reassignment on the IBM Cloud automatically via the API.

651866

FortiSwitch events now have their own category on the Events log page.

652003

In a tenant VDOM, allow lldp-profile and lldp-status to be configurable on a leased switch port.

652503

By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM.

config nsxt setting
    set liveness {enable | disable}
    set service <service name>
end
config nsxt service-chain
    edit <ID>
        set name <chain name>
        config service-index
            edit <forward index>
                set reverse-index <value>
                set name <index name>
                set vd <VDOM>
            next
        end
    next
end

The default value for reverse-index is 1. The vd setting is required.

653386

This feature enables the FortiGate to be configured as an SSL VPN client. A new SSL type interface is added to support the SSL VPN client configuration. When the SSL VPN client connection is established, the SSL VPN client will dynamically add a route to the subnets returned by the SSL VPN server. Subsequently, you can define policies to allow users behind the FortiGate acting as SSL VPN clients to be tunneled through SSL VPN to the destinations on the SSL VPN server.

654032

The route tag is a mechanism to map a BGP community string to a specific tag. The string may correspond to a specific network that a BGP router advertised. Using this tag, an SD-WAN service rule can be used to define specific handling of traffic to that network. In this enhancement, IPv6 route tags are now supported.

654619

With the video filter profile, users can filter YouTube videos by channel ID for a more granular override of a single channel, user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

655388

When units are out-of-sync in an HA cluster, the GUI will now compare the HA checksums and display the tables that caused HA to be out-of-sync. This can be visualized in the HA monitor page and the HA Status widget.

655942

Add new commands execute telnet-options and execute ssh-options to allow administrators to set the source interface and address for their connection.

656039

Allow SD-WAN duplication rules to specify SD-WAN service rules to trigger packet duplication. This allows SD-WAN duplication to occur based on an SD-WAN rule instead of the source, destination, or service parameters in the duplication rule.

657598

In an application control list, the exclusion option allows users to specify a list of applications they wish to exclude from an entry filtered by category, technology, or others.

config application list
    edit <list>
        config entries
            edit 1
                set category <ID>
                set exclusion <signature ID> ... <signature ID>
            next
        end
    next
end

657812

When an SSL inspection profile is configured to protect the SSL server, multiple sites can potentially be deployed on the same protected server IP. This change adds support for multiple SSL certificates to attach to a SSL profile, allowing inspection based on matching SNI in the certificate.

658096

Add four new SNMP OIDs for polling the number of packets and bytes that conform to traffic shaping, or are discarded by traffic shaping.

658206

New REST API POST /api/v2/monitor/vpn/ike/clear?mkey=<gateway_name> will bring down IKE SAs tunnel the same way as diagnose vpn ike gateway clear.

658525

The limit of BGP paths that can be selected and advertised has increased to 255 (originally 8).

658904

When defining an automation stitch with an email action, users can enable replacement message and customize their message using a standard template.

659105

Add a toggle to return node IP addresses only in dynamic firewall addresses for Kubernetes SDN connectors.

659127

Add support to deploy FortiGate-VMs that are paravirtualized with SR-IOV and DPDK/vNP on OCI shapes that use Mellanox network cards.

659346

Add additional information such as DHCP server MAC, gateway, subnet, and DNS to wireless DHCP logs.

659994

In firewall sniffer mode, you can record traffic logs each time a source or destination address matches an IP address on an external threat feed.

660250

Add global option fortiipam-integration to control FortiIPAM. When enabled, ipamd will run and report to FortiIPAM to allow automatic IP address/subnet management.

config system global
    set fortiipam-integration {enable | disable}
end

660273

By default, the FortiGate uses the outbound interface's IP to communicate with a FortiSwitch managed over layer 3. The switch-controller-source-ip option allows the switch controller to use the FortiLink fixed address instead.

660283

Add system event logs for the execution of CLI commands. When cli-audit-log is enabled under system global, the execution of execute, config, show, get, and diagnose commands will trigger system event logs.

660295

Provide specific SNMP objects (OIDs) that allow the status of the mobile network connection to be monitored.

660596

Because pre-standard POE devices are uncommon in the field, poe-pre-standard-detection is set to disable by default. Upgrading from previous builds will carry forward the configured value.

660624

When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed:

  • If a FortiAnalyzer appliance is enabled, then the dialog will be for the FortiAnalyzer connector.
  • If a FortiAnalyzer appliance is disabled but FortiAnalyzer Cloud is enabled, then the dialog will be for the Cloud Logging connector.
  • If neither the FortiAnalyzer appliance or FortiAnalyzer Cloud are enabled:
    • If the device has a FAZC (standard FortiAnalyzer Cloud subscription) or AFAC (premium subscription) entitlement, then the dialog will be for the Cloud Logging connector.
    • If the device does not have a FAZC or AFAC entitlement, then the dialog will be for the FortiAnalyzer connector.
  • When FortiAnalyzer Cloud is enabled and the FortiAnalyzer appliance is disabled, then the Cloud Logging connector will not let you switch to the FortiGate Cloud FortiAnalyzer.

660653

The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi network resources in roaming decisions and improves overall performance. This enhancement allows the FortiGate to push the MBO configuration to managed APs, which adds the MBO information element to the beacon and probe response for 802.11ax.

661105

By using session-sync-dev to offload session synchronization processing to the kernel with various optimizations, four-member FGSP session synchronization can be supported to handle heavy loads.

661131

Enabling IGMP snooping on an SSID allows the wireless controller to detect which FortiAPs have IGMP clients. The wireless controller will only forward a multicast stream to the FortiAP where there is a listener for the multicast group.

661252

Add object synchronization improvements:

  • Simplify the conflict resolution procedure so a multi-step wizard is no longer required. All conflicts appear in one table for all FortiGates in the Fabric and supported tables.
  • Add an object diff feature to display the difference between FortiGate objects that are in conflict.
  • Add new CLI command for the root FortiGate:
    config system csf
        set fabric-object-unification {default | local}
    end

    When set to default, objects will be synchronized in the Security Fabric. On downstream FortiGates, if configuration-sync is set to local, the synchronized objects from the root to downstream FortiGates is not applied locally. However, the device will still send the configuration to lower FortiGates.

  • The fabric-object {enable | disable} command was added to the following tables:

    • firewall.address
    • firewall.address6
    • firewall.addrgrp
    • firewall.addrgrp6
    • firewall.service.category
    • firewall.service.group
    • firewall.service.custom
    • firewall.schedule.group
    • firewall.schedule.onetime
    • firewall.schedule.recurring

    Enabling fabric-object on the root starts synchronizing this object as a Fabric object to downstream devices. Disabling fabric-object makes the object local to the device.

  • Add setting to define how many task worker process are created to handle synchronizations (1 - 4, default = 2). The worker processes dies if there is no task to perform after 60 seconds.

    config system csf
        set fabric-workers <integer>
    end

662437

When a FortiSwitch upgrade is stuck due to connectivity issues, the following command allows the process to be cancelled.

# execute switch-controller switch-software cancel {all | sn | switch-group}

663206

When an AliCloud SDN connector is configured, dynamic address objects can support Kubernetes filters based on cluster, service, node, pod, and more.

663530

IoT background scanning is disabled by default. Users can enable this option on the FortiLink Interface page in the GUI or with the switch-controller-iot-scanning in the CLI.

663877

Add Application Bandwidth widget:

  • It can be added to a dashboard to display bandwidth utilization for the top 50 applications.
  • The favorites will be included even if they are not in the top 50.
  • A firewall policy must have an application profile configured so the widget can capture information.
  • A new CLI was added.

664312

Integrate Broadcom bnxt_en 1.10.1 driver to drive new vfNIC to replace 1.9.2 version. The following new cards are supported:

  • [BCM57508] = { "Broadcom BCM57508 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

  • [BCM57504] = { "Broadcom BCM57504 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

  • [BCM57502] = { "Broadcom BCM57502 NetXtreme-E 10Gb/25Gb/50Gb Ethernet" }

  • [BCM57508_NPAR] = { "Broadcom BCM57508 NetXtreme-E Ethernet Partition" }

  • [BCM57504_NPAR] = { "Broadcom BCM57504 NetXtreme-E Ethernet Partition" }

  • [BCM57502_NPAR] = { "Broadcom BCM57502 NetXtreme-E Ethernet Partition" }

  • [BCM58812] = { "Broadcom BCM58812 NetXtreme-S 2x50G Ethernet" }

  • [BCM58814] = { "Broadcom BCM58814 NetXtreme-S 2x100G Ethernet" }

  • [BCM58818] = { "Broadcom BCM58818 NetXtreme-S 2x200G Ethernet" }

  • [NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" }

664826

When multi-VDOM mode is enabled, the threat feed external connector can be defined in global or within a VDOM. Global threat feeds can be used in any VDOMs, but are not editable within the VDOM. FortiGuard category and domain name based external feeds have added a category number field to identify the threat feed.

665186

Add Security Rating test, Activate FortiCloud Services, to check whether FortiCloud services can be activated for FortiAnalyzer Cloud, FortiManager Cloud, FortiClient EMS Cloud, and FortiSandbox Cloud. If the account has a valid subscription to a service or cloud appliance, but the Fabric connection to it on the FortiGate is not enabled, then the test fails.

665695

An HA failover can be triggered when memory utilization exceeds the threshold for a specific amount of time.

config system ha
    set memory-based-failover {enable | disable}
    set memory-failover-threshold <0 - 95>
    set memory-failover-monitor-period <1 - 300>
    set memory-failover-sample-rate <1 - 60>
    set memory-failover-flip-timeout <6 - 2147483647>
end

665735

The user device store allows user and device data collected from different daemons to be centralized for quicker access and performance:

diagnose user-device-store device memory list
diagnose user-device-store device memory query mac <value>
diagnose user-device-store device memory query ip <value>
diagnose user-device-store device disk list
diagnose user-device-store device disk query <SQL WHERE clause>

667181

Connection to FortiSandbox Cloud, which allows users to create an instance of FortiSandbox on FortiCloud, can now be easily configured from the Fabric Connectors page. In the Cloud Sandbox Settings, choose between connecting to FortiGate Cloud Sandbox or FortiSandbox Cloud. The connection to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the right FortiSandbox Cloud account.

667285

When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character.

667774

The AV engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. Previously, this type of detection was handled by heuristics that analyze file behavior. With AV Engine AI, the module is trained by FortiGuard AV against many malware samples to identify file features that make up the malware. The AV Engine AI package is downloaded by FortiOS from FortiGuard via FortiGuard updates. Devices with an active AV subscription can download this package.

The setting is enabled by default at a per-VDOM level:

config antivirus settings
    set machine-learning-detection enable
end

668362

Support multiple LDAP server configurations for Kerberos keytab and agentless NTLM domain controller in multiple forest deployments.

668487

In NGFW policy mode, application groups can be defined with the following filters: risk, protocols, vendor, technology, behavior, and popularity.

668991

Security Fabric rating reports can now be generated in multi-VDOM mode, against all VDOMs. The Security Rating is visible under Global scope.

669033

Backend update to support a TCP connection pool to maintain local-out TCP connections to the external ICAP server.

669158

The SD-WAN Network Monitor service now supports running a speed test based on a schedule. The test results are automatically updated in the interface measured-upstream-bandwidth and measured-downstream-bandwidth fields. When the scheduled speed tests run, it is possible to temporarily bypass the bandwidth limits set on the interface and configure custom maximum or minimum bandwidth limits. These configurations are optional.

669487

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can be based on a FortiGuard URL category.

669942

In the scenario where session synchronization is down between two FGSP members that results in a split-brain situations, the IKE monitor provides a mechanism to maintain the integrity of state tables and primary/secondary roles for each gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up, the cluster resolves the role and synchronizes the session and IKE data. During this process, if the IKE fails over from one unit to another, the tunnel will remain valid due to the IKE session and role being out of sync, and the ESP anti-replay detection.

670067

To accommodate the new web filter categories, Child Abuse is renamed as Child Sexual Abuse. A new category 96, Terrorism, has been added to FortiOS and FortiGuard servers.

670089

A secure SSL connection from the FortiGate to the ICAP server can be configured as follows:

config icap server
    edit "server"
        set secure enable
        set ssl-cert <certificate>
    next
end

670345

Support Strict-Transport-Security in HTTPS redirect.

670568

The Security Fabric can be enabled for a multi-VDOM environment, allowing access to all Fabric features including: Fabric topologies, security rating, and automation across the VDOM deployment. Users can navigate to downstream FortiGates directly from the root FortiGate via the new Fabric selection top-menu.

670677

When a BGP next hop requires recursive resolution, the default behavior is to consider all other routes except BGP routes. The following option, when enabled, allows the recursive next hop resolution to use BGP routes as well.

config router bgp
    set recursive-next-hop {enable | disable}
end

671563

Add option to switch between Peer and Peer Group view on PKI user page.

672573

FortiExtender and VPN tunnel interfaces now support NetFlow sampling. VPN tunnel interfaces can be IPsec, IP in IP, or GRE tunnels. NetFlow sampling is supported on NPU and non-NPU offloaded tunnels.

673072

When a HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal. Once authentication is done, the client can be redirected back to the original destination over HTTP.

673205

In Dashboard > Users and Devices, administrators can use the FortiSwitch NAC VLANs widget to see which devices have been added to which VLANs by the NAC policy. A donut chart overview summarizes the number of devices in each VLAN.

673371

Support ICMP type 13 at local interface.

673590

Policy hit counters are now seven-day rolling counters. Instead of storing a single number for the hit count and byte count collected since the inception of each policy, seven numbers for the last seven days plus an active counter for the current day are stored. The past seven-day hit count is displayed on the policy list and policy dialog page. A seven-day bar chart for additional visualization of the statistics has been added. These changes help put the policy hit count comparison on the same footing.

674653

In order to support packet duplication on dial-up IPsec tunnels between sites, each spoke must configure a location ID. On the dial-up VPN hub, packet duplication can be performed on tunnels in the IPsec aggregate with the same location ID.

config system settings
    set location-id <IPv4 address>
end

674724

Once an incoming webhook connector is created in Microsoft Teams, this webhook URL can be used in an automation stitch under the action Microsoft Teams connector.

config system automation-action
    edit <action name>
        set action-type microsoft-teams-notification
    next
end

674759

IPv6 multicast policies can be configured in the GUI by enabling IPv6 and Multicast Policy under System > Feature Visibility.

675049

Add support for PRP (Parallel Redundancy Protocol) in NAT mode for a virtual wire pair. This preserves the PRP RCT (redundancy control trailer) while the packet is processed by the FortiGate.

675200

Improve SOCKS/SSH proxy to support internet-service.

675401

Provide options for controlling concurrent TCP/UDP connections by introducing a connection quota in the per-IP shaper and a port quota in the fixed port range type IP pool.

675958

A DNS health check monitor can be configured for server load balancing. The monitor uses TCP or UDP DNS as the probes. The request domain is matched against the configured IP address to verify the response.

config firewall ldb-monitor
    edit <name>
        set type dns
        set port <string>
        set dns-protocol {udp | tcp}
        set dns-request-domain <string>
        set dns-match-ip <class_ip>
    next
end

676063

Add support for OCI IMDSv2 that offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and during instance deployments with bootstrap metadata.

676260

FortiGates with a premium subscription (AFAC contract) for cloud-based central logging and analytics are able to send traffic logs to FortiAnalyzer Cloud, in addition to UTM logs and event logs. FortiGates with a standard FortiAnalyzer Cloud subscription (FAZC contract) can send UTM and event logs only.

676484

When configuring the generic DDNS service provider as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to an IPv6 DDNS server and provide the FortiGate's IPv6 interface address for updates.

config system ddns
    edit <name>
        set ddns-server genericDDNS
        set server-type {ipv4 | ipv6}
        set ddns-server-addr <address>
        set addr-type ipv6 {ipv4 | ipv6}
        set monitor-interface <port>
    next
end

676549

The past seven-day hit count is displayed on the policy list page and the policy dialog page for IPv4 and IPv6 multicast policies. A seven-day bar chart for additional visualization of the statistics has been added.

676577

Introduce FortiGuard updates for OUI files used to identify device vendors by MAC address. This database is used in WiFi and device detection.

677334

Add support for MacOS Big Sur 11.1 in SSL VPN OS check.

677684

In a Hub and Spoke SD-WAN topology with shortcuts created over ADVPN, a downed or recovered shortcut may affect which member is selected by a SD-WAN service strategy. The SD-WAN hold-down-time ensures that when a downed shortcut tunnel comes back up and the shortcut is added back into the service strategy equation, the shortcut is held to low priority until the hold-down-time has passed.

677750

The Local Out Routing page consolidates features where a source IP and an outgoing interface attribute can be configured to route local out traffic. The outgoing interface has a choice of Auto, SD-WAN, or Specify to allow granular control over the interface in which to route the local out traffic. Local Out Routing must be enabled from System > Feature Visibility, and it supports multi-VDOM mode.

677784

Add commands to debug traffic statistics for traffic monitor interfaces (interface), interface traffic in real-time data (peek), and to dump interface traffic history data (history):

# diagnose debug traffic {interface | peek | history}

678015

A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate. Once the FortiWeb joins the Fabric, the following features are available:

  • View the FortiWeb on topology pages.

  • Create a dashboard Fabric Device widget to view FortiWeb data.

  • Configure single sign-on using SAML.

678783

Add option for users to set a non-default SD-WAN member zone for OCVPN IPsec interfaces. The sdwan-zone option is only available if SD-WAN is enabled. sdwan-zone references the entries in the SD-WAN configuration, and the default is virtual-wan-link.

config vpn ocvpn
    ... 
    set sdwan enable
    set sdwan-zone {virtual-wan-link | <zone> | ...}
    ...
end

679175

Add interface-select option for email-server.

config system email-server
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

679245

This enhancement allows a FortiGate to use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user.

config firewall policy
    edit 1
        set dynamic-shaping {enable | disable}
    next
end

680599

Increase the ICMP rate limit to allow more ICMP error message to be sent by the FortiGate per second. The ICMP rate limit has changed from 1 second (100 jiffies) to 10 milliseconds (1 jiffy).

680622

Allow option to configure a lowest unit of heartbeat interval of 10 ms, compared to the default of 100 ms.

config system ha
    set hb-interval-in-milliseconds {100ms | 10ms}
end

681600

Add support for syslog RFC 5424 format, which can be enabled when the syslog mode is UDP or reliable.

config log syslogd setting
    set format {default | csv | cef | RFC5424}
end

682106

If a FortiCloud account has a FortiManager Cloud account level subscription (ALCI), a FortiGate registered to the FortiCloud account can recognize it and enable FortiManager Cloud central management.

682246

SAML user authentication is supported for explicit web proxies and transparent web proxies with the FortiGate acting as a SAML SP. SAML is supported as a new authentication method for an authentication scheme that requires using a captive portal.

config authentication scheme
    edit <name>
        set method saml
        set saml-server <server>
        set saml-timeout <seconds>
        set user-database <database>
    next
end

682470

Add srcaddr-negate, dstaddr-negate, and service-negate to local-in policy.

682480

Flow-based SIP inspection is now done by the IPS engine. Proxy ALG features that are supported in flow mode include blocking scenarios, rate limitation, and malformed header detection. Inspection mode is selected at the firewall policy level.

683647

The following enhancements allow better integration with carrier CPE (customer premises equipment) management tools:

  • Add SNMP OIDs to collect the reason for a FortiGate reboot.

  • Add SNMP OIDs to collect traffic shaping profile and policy related configurations.

  • Add a description field on the modem interface that can be fetched over SNMP.

  • Bring a loopback or VLAN interface down when the link monitor fails.

  • Add DSCP and shaping class ID support on the link monitor probe.

  • Allow multiple link monitors with the same source and destination address, but different ports or protocols.

683791

From the CLI, users are allowed to enable malware threat feeds and outbreak prevention without performing an AV scan. In the GUI and CLI, users can choose to use all malware thread feeds, or specify the ones they want to use. New replacement message for external block lists have been added.

config antivirus profile
    edit <name>
        config http
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set quarantine {enable | disable}
        end
        set outbreak-prevention-archive-scan {enable | disable}
        set external-blocklist-archive-scan {enable | disable}
        set external-blocklist-enable-all {enable | disable}
        set external-blocklist <source>
    next
end

Note that the external-blocklist <source> option is hidden if external-blocklist-enable-all is enabled.

684133

Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

config vpn ipsec phase1-interface
    edit <name> 
        set interface "loopback"
        set loopback-asymroute {enable | disable}
    next
end

686019

FortiGate can be configured to allow administrators to log in using FortiCloud single sign-on. Both IAM and non-IAM users on the FortiCloud support portal are supported. Non‑IAM users must be the FortiCloud account that the FortiGate is registered to. When enabled, the FortiGate login page will display options to Sign in with FortiCloud or sign in with regular administrator username.

687282

When FortiGuard DDNS is configured as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to FortiGuard over IPv6 and provide the FortiGate's IPv6 interface address for updates.

689140

FortiAI can be added to the Security Fabric so it appears in the topology views and the dashboard widgets.

689150

When the detect server becomes unavailable in a link monitoring configuration, instead of removing all routes associated with the gateway and interface defined in the link monitor, only remove specific routes. These subnets can be specified in the link-monitor configuration.

config system link-monitor
    edit <id>
        set srcintf <interface>
        set server <server IP>
        set gateway-ip <gateway IP>
        set route <subnet 1> ... <subnet n>
    next
end

689174

Adds support for Layer 3 unicast standalone config sync. This allows peers to be synchronized in cloud environments that do not support Layer 2 networking, which expands support for auto-scale scenarios. Configuring a unicast gateway allows peers to be in different subnets altogether (this is an optional setting).

config system ha
    set unicast-status enable
    set unicast-gateway <address>
    config unicast-peers
        edit 1
            set peer-ip <address>
        next
    ...
    end
end

689807

Add dual stack IPv4/IPv6 support for FortiGate's SSL VPN client, which enables it to establish a dual stack tunnel to allow IPv4 and IPv6 traffic to pass through. Dual stack is enabled unconditionally, and will form dual stack tunnels when the server supports it.

690179

The SD-WAN REST API for health-check and sla-log now exposes ADVPN shortcut information in its result. The child_intfs attribute returns the statistics for the corresponding shortcuts. The following command displays real-time SLA information for ADVPN shortcuts:

# diagnose sys sdwan sla-log <health check name> <sequence number> <child name>

690688

Add UX enhancements:

  • When selecting objects, the omni-select menu displays recently used items.

  • Support nested object tooltips.

690691

The radio transmit power can now be configured in dBm or as a percentage in FortiAP profiles and override settings.

690711

Synchronize wildcard FQDN IPs to other autoscale members whenever a peer learns of a wildcard FQDN address.

690801

FortiDeceptor can be added to the Security Fabric so it appears in the topology views and the dashboard widgets.

691254

Firewall policies can be configured in full ZTNA or ZTNA IP/MAC filtering mode when you enable Zero Trust Network Access from the Feature Visibility menu. When configuring firewall policies in ZTNA IP/MAC filtering mode, ZTNA tags are used for access control. ZTNA tags are equivalent to FortiOS 6.4 EMS tags that were part of dynamic firewall addresses. In 7.0, ZTNA tags can be accessed from the Policy & Objects > ZTNA > ZTNA Tags tab.

691340

DHCP address enforcement ensures that clients who connect must complete the DHCP process to obtain an IP address; otherwise, they are disconnected from the SSID. This prevents users with static addresses that may conflict with the DHCP address scheme, or users that fail to obtain a DHCP IP assignment to connect to the SSID.

691411

Ensure EMS logs are recorded for dynamic address related events under Log & Report > Events > SDN Connector Events logs:

  • Add EMS tag
  • Update EMS tag
  • Remove EMS tag

691676

Wireless controller now supports NAC profiles to onboard wireless clients into default VLANs. It can also apply NAC policies to match clients based on device properties, user groups or EMS tags, and assign clients to specific VLANs. VLAN sub-interfaces based on the VAP interfaces are used for the VLAN assignment.

691693

The performance of updates between the FortiGate and FortiClient EMS is improved by using WebSockets. On supported FortiClient EMS firmware, the FortiGate can open a WebSocket connection with EMS to register for notifications about system information, host tags, avatars, and vulnerabilities. When these tables are updated, EMS pushes notifications to the corresponding FortiGate. The FortiGate then fetches the updated information using the REST API.

691902

Support pulling malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV is enabled with block or monitor actions.

692272

Add DNS filtering support in flow inspection mode. In FortiOS 6.4, the DNS proxy daemon handles the DNS filter in flow and proxy mode policies. Starting in 7.0, the IPS engine handles the DNS filter in flow mode policies. All features previously supported in the DNS filter profile are supported in flow mode.

693799

Add the following enhancements for voice-enterprise SSID:

  • Support 802.11k neighbor report dual band.

  • Enhance 802.11v BSS transition management by adding bstm-disassociation-imminent option, disassociation timer for low RSSI, and disassociation timer for AP load-balancing.

694102

Improve the session in/out dev handling when the session is dirty, re-routing occurs, and so on. Avoid clearing the session in/out dev, and only update it when is changes.

694148

Support file filter profile in a one-arm sniffer policy in the GUI and CLI.

694839

GCP PAYG instances can obtain FortiCare generated licenses upon a new deployment, or by the command line (execute vm-license) when upgrading from previous firmware. The process generates Fortinet_Factory and Fortinet_Factory_Backup certificates that contain the common name (CN) of the FortiGate serial number to uniquely identify this FortiGate.

695259

Adds support for DNS over TLS (DoT) and DNS over HTTPS (DoH) in DNS inspection. Prior to 7.0, DoT and DoH traffic silently passes through DNS proxy. In 7.0, WAD is able to handle DoT and DoH, and redirect DNS queries to the DNS proxy for further inspection.

config firewall ssl-ssh-profile
    edit "dot-deep"
        config dot
            set status deep-inspection
            set client-certificate bypass
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
        end
    next
end

695855

In the wireless controller settings, add options to specify the delimiter used for various RADIUS attributes for RADIUS MAC authentication and accounting. The options are hyphen, single-hyphen, colon, or none.

config wireless-controller vap
    edit <name>
        set mac-username-delimiter {hyphen | single-hyphen | colon | none}
        set mac-password-delimiter {hyphen | single-hyphen | colon | none}
        set mac-calling-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-called-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-case MAC {uppercase | lowercase}
    next
end

695972

Remove FortiGuard Accept push updates option. On 2U models and larger (excluding VMs), the Immediately download updates option has been added. This allows the FortiGate to form a secure persistent connection with FortiGuard to get notifications of new updates. Once notified, the FortiGate can download the updates immediately.

695983

In a scenario where a tunnel mode SSID or a VLAN sub-interface of an SSID is bridged with other interfaces via a software switch, support is added to allow captive portal authentication on the SSID or VLAN sub-interface. This requires that intra-switch-policy is set to explicit from the CLI when the switch interface is created. Users accessing the SSID will be redirected to the captive portal for authentication.

698239

Introduce GUI support for configuring Zero Touch Network Access. ZTNA is a method of access control that utilizes zero-trust tags and various authentication methods to provide role-based application access. In full ZTNA mode, users can securely connect to the FortiGate access proxy over HTTPS to connect to protected resources.

698462

Add the ability to perform SD-WAN passive WAN health measurement, which reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements. The passive and prefer-passive detection modes rely on session information captured in firewall policies with passive-wan-health-measurement enabled.

config system sdwan
    config health-check
        edit <name>
            set detect-mode {active | passive | prefer-passive}
        next
    end
end
config firewall policy
    edit <id>
        set passive-wan-health-measurement {enable | disable}
    next
end

699161

Allow service assurance management (SAM) mode to be configured from the CLI where a radio is designated to operate as a client and perform tests against another AP. Ping and iPerf tests can run on an interval and the results are captured in the Wi-Fi event logs. This allows the FortiGate to verify and assure an existing Wi-Fi network can provide acceptable services.

699231

In ZTNA, the integration between FortiClient EMS and the FortiGate is extended so the device identity and device trust context is established through client certificates and other information shared between the three entities. When a FortiClient endpoint registers to FortiClient EMS, it requests and obtains a client device certificate signed by the EMS certificate authority. Information about the endpoint device and the certificate is synchronized to the FortiGate. When the endpoint attempts to connect to the access proxy, the client is prompted to provide its certificate, which is verified by the FortiGate to establish a trusted relationship.

699232

In ZTNA, the FortiGate access proxy can apply SAML authentication to authenticate the client. The FortiGate will act as the SAML SP, while a SAML authenticator will serve as the IdP. In addition to verifying user and device identity using the client certificate, you can also authorize the user based on user credentials to establish a trust context before granting access to the protected resource.

699233

Once the client certificate is obtained by the endpoint, and endpoint information is synchronized between the FortiGate and FortiClient EMS, the client is ready to establish a connection to the FortiGate access proxy. By default, client certificate authentication is enabled on the access proxy, so when the HTTPS request comes in, the FortiGate's WAD process will challenge the client to identify itself with its certificate. Based on the client response, WAD will allow or block further processing by the ZTNA proxy rule.

699234

In ZTNA, a HTTPS access proxy functions as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context before granting access to the protected resource.

699235

In ZTNA, a TCP forwarding access proxy (TFAP) functions in two parts. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS. Then, it verifies user identity, device identity, and trust context before forwarding the TCP traffic to the protected resource.

701185

Support DoT and DoH in explicit mode, where FortiGate acts as an explicit DNS server listening for DoT and DoH requests. Add support for local-out DNS traffic over TLS and HTTPS.

701819

The DNP3 application signature dissector supports detecting DNP3 traffic that is encapsulated by the RealPort protocol (Net.CX). DNP3 is used in industrial solutions over serial ports, USB ports, printers, and so on. RealPort encapsulation allows transportation of the underlying protocols over TCP/IP. The FortiGate industrial signatures must be enabled to use RealPort.DNP3 signatures.

705248

The new GUI retro theme showcases a style of FortiOS giving homage to FortiOS 3.0. To enable it, go to System > Settings. Under View Settings, for Theme, select FortiOS v3 Retro.

706387

Support different sizes of the C5d instance type, which is currently the only C5 class instance available for AWS Outposts. Both FortiGate listings (BYOL and PAYG) are supported in the AWS marketplace.