Changes in CLI

Bug ID

Description

550819

Rewrite RDP and VNC handling.

The following commands have been added:

  • Add color depth under VNC bookmark entry.
    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype vnc
                            set color-depth {32 | 16 | 8}
                            set logon-user <string>
                        next
                    end
                next
            end
        next
    end
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype vnc
                set color-depth {32 | 16 | 8}
                set logon-user <string>
            next
        end
    end
  • Add color depth, restricted administrator, send pre-connection ID, and keyboard layout under RDP bookmark entry.
    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype rdp
                            set color-depth {32 | 16 | 8}
                            set restricted-admin {enable | disable}
                            set send-preconnection-id {enable | disable}
                            set keyboard-layout <option>
                        next
                    end
                next
            end
        next
    end
    
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype rdp
                set color-depth {32 | 16 | 8}
                set restricted-admin {enable | disable}
                set send-preconnection-id {enable | disable}
                set keyboard-layout <option>
            next
        end
    end
  • Add web mode RDP and VNC clipboard control.
    config vpn ssl web portal
        edit <name>
            set clipboard {enable | disable}
        next
    end

The following commands have changed:

  • Change maximum value for pre-connection ID under all RDP bookmark entries.

    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype rdp
                            set preconnection-id <integer, 0 - 4294967295>
                        next
                    end
                next
            end
        next
    end

    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype rdp
                set preconnection-id <integer, 0 - 4294967295>
            next
        end
    end

The following commands have been removed:

  • Remove server-layout attribute under all RDP bookmark entries.
  • Remove unsupported application types (citrix and portforward) from all bookmark entries for allow-user-access attribute.
  • Remove diagnose app guacd debug command.

585899

Add the management-port-use-admin-sport option under config system global to enable or disable using admin-sport as the management port. When it is disabled, management-port can be specified separately.

config system global
    set management-port-use-admin-sport {enable | disable}
end

630083

Add traceroute option to use SD-WAN rules for output interface.

# execute traceroute-options use-sdwan
Use SDWAN rules to get output interface  <yes | no>.

674576

Extend the CRL verification options (formerly strict-crl-check) to cover CRL expiry, absence of a CRL for the leaf certificate, and absence of a CRL for a certificate in the chain. If an option is set to revoke and the corresponding condition occurs during verification, the certificate status is marked as revoked.

config vpn certificate setting
    config crl-verification
        set expiry {ignore | revoke}
        set leaf-crl-absence {ignore | revoke}
        set chain-crl-absence {ignore | revoke}
    end
end

The default setting for each option is ignore.
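The following is an added example, not FortiOS code: a small Python model of how the three crl-verification options decide a certificate's status. The certificate, CRL and settings objects are constructed inline (a real verifier parses X.509 certificates and CRL files), and the model assumes one CRL per issuer name and that a stale CRL is still consulted when expiry is set to ignore.

```python
# Added example (not FortiOS code): a model of how the crl-verification options
# described above decide a certificate's status. Certificate, CRL and settings
# objects are constructed here; the real verifier parses X.509 and CRL files.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

VALID_ACTIONS = {"ignore", "revoke"}


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class Crl:
    issuer: str
    next_update: datetime      # the CRL is expired once now > next_update
    revoked_serials: set


@dataclass
class CrlVerification:
    """Mirrors 'config crl-verification'; every option defaults to ignore."""
    expiry: str = "ignore"
    leaf_crl_absence: str = "ignore"
    chain_crl_absence: str = "ignore"

    def __post_init__(self):
        for name, value in vars(self).items():
            if value not in VALID_ACTIONS:
                raise ValueError(f"{name} must be ignore or revoke, got {value!r}")


def verify_chain(chain: List[Cert], crls: Dict[str, Crl],
                 settings: CrlVerification, now: datetime) -> str:
    """Return 'revoked' or 'ok' for a chain whose first element is the leaf.

    chain holds the leaf and its intermediates; the trust anchor is not
    included because it is not checked against a CRL. crls maps an issuer
    name to the CRL that issuer published (assumption of this model).
    """
    for position, cert in enumerate(chain):
        is_leaf = position == 0
        crl = crls.get(cert.issuer)
        if crl is None:
            # No CRL for this issuer: leaf and chain absence are separate knobs
            action = settings.leaf_crl_absence if is_leaf else settings.chain_crl_absence
            if action == "revoke":
                return "revoked"
            continue
        if now > crl.next_update and settings.expiry == "revoke":
            return "revoked"
        # A listing in the CRL revokes regardless of the options; with
        # expiry=ignore a stale CRL is still consulted (model assumption).
        if cert.serial in crl.revoked_serials:
            return "revoked"
    return "ok"


# Constructed sample data
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CHAIN = [Cert("vpn.example.test", "IntCA", 1001), Cert("IntCA", "RootCA", 7)]
SAMPLE_CRLS = {
    "IntCA": Crl("IntCA", SAMPLE_NOW + timedelta(days=7), {2002}),
    "RootCA": Crl("RootCA", SAMPLE_NOW + timedelta(days=30), set()),
}
SAMPLE_CRLS_LEAF_ONLY = {"IntCA": SAMPLE_CRLS["IntCA"]}
SAMPLE_CRLS_STALE = {
    "IntCA": Crl("IntCA", SAMPLE_NOW - timedelta(days=1), set()),
    "RootCA": SAMPLE_CRLS["RootCA"],
}


def run_scenarios() -> Dict[str, str]:
    """Evaluate the sample chain under each option so the effect is visible."""
    return {
        "defaults, full crls": verify_chain(SAMPLE_CHAIN, SAMPLE_CRLS, CrlVerification(), SAMPLE_NOW),
        "defaults, no crls": verify_chain(SAMPLE_CHAIN, {}, CrlVerification(), SAMPLE_NOW),
        "leaf absence revoke, no crls": verify_chain(SAMPLE_CHAIN, {}, CrlVerification(leaf_crl_absence="revoke"), SAMPLE_NOW),
        "chain absence revoke, leaf crl only": verify_chain(SAMPLE_CHAIN, SAMPLE_CRLS_LEAF_ONLY, CrlVerification(chain_crl_absence="revoke"), SAMPLE_NOW),
        "leaf absence revoke, leaf crl only": verify_chain(SAMPLE_CHAIN, SAMPLE_CRLS_LEAF_ONLY, CrlVerification(leaf_crl_absence="revoke"), SAMPLE_NOW),
        "expiry revoke, stale crl": verify_chain(SAMPLE_CHAIN, SAMPLE_CRLS_STALE, CrlVerification(expiry="revoke"), SAMPLE_NOW),
        "expiry ignore, stale crl": verify_chain(SAMPLE_CHAIN, SAMPLE_CRLS_STALE, CrlVerification(), SAMPLE_NOW),
        "serial listed": verify_chain([Cert("revoked.example.test", "IntCA", 2002)] + SAMPLE_CHAIN[1:], SAMPLE_CRLS, CrlVerification(), SAMPLE_NOW),
    }


if __name__ == "__main__":
    for scenario, status in run_scenarios().items():
        print(f"{scenario:40} -> {status}")
```

The scenario table makes the operational trade-off visible: with all three options at their default of ignore, a missing or stale CRL never blocks a client, so a revoked certificate can still be accepted whenever the CRL cannot be fetched; switching the options to revoke closes that gap at the cost of failing closed when CRL distribution is down.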

687486

Move configuration option for youtube-restrict from videofilter profile back to webfilter profile.

687833

Introduce a new DNS server selection method and CLI option to change how configured DNS servers are prioritized. The server-select-method option specifies how configured servers are prioritized, either based on least round-trip time (least-rtt) or the order they are configured (failover). Alternate primary and secondary DNS servers can be configured, but they are not used as failover DNS servers.

config system {dns vdom-dns}
    set server-select-method {least-rtt | failover}
    set alt-primary <class_ip>
    set alt-secondary <class_ip>
end

688989

Change username-case-sensitivity option to username-sensitivity. This new option includes both case sensitivity and accent sensitivity. When disabled, both case and accents are ignored when comparing names during matching.

config user local
    edit <name>
        set username-sensitivity {enable | disable}
    next
end
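The following is an added example, not FortiOS code: a Python model of the name comparison the username-sensitivity option describes, run over a constructed list of local user names. Case-insensitive matching is implemented with Unicode casefolding and accent-insensitive matching by dropping combining marks after NFKD decomposition; that is this model's interpretation of "case and accents are ignored", not a description of the FortiOS implementation.

```python
# Added example (not FortiOS code): the name comparison that the
# username-sensitivity option describes, applied to a constructed user list.
import unicodedata
from typing import Dict, List


def comparison_key(name: str, sensitivity: bool) -> str:
    """Key used to compare user names.

    sensitivity=True  -> exact match, the name as configured.
    sensitivity=False -> case and accents ignored: Unicode casefold, then
                         NFKD decomposition with the combining marks dropped,
                         so 'José' and 'JOSE' produce the same key.
    """
    if sensitivity:
        return name
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def usernames_match(configured: str, presented: str, sensitivity: bool) -> bool:
    """True when the presented login name matches the configured user entry."""
    return comparison_key(configured, sensitivity) == comparison_key(presented, sensitivity)


def find_collisions(local_users: List[str], sensitivity: bool) -> Dict[str, List[str]]:
    """Configured names that become indistinguishable under the chosen setting.

    Worth checking before disabling sensitivity: two distinct local users that
    collapse to one key would both match the same login name.
    """
    groups: Dict[str, List[str]] = {}
    for user in local_users:
        groups.setdefault(comparison_key(user, sensitivity), []).append(user)
    return {key: names for key, names in groups.items() if len(names) > 1}


# Constructed sample of 'config user local' entry names
SAMPLE_USERS = ["alice", "José", "jose", "Zoë", "bob"]

if __name__ == "__main__":
    for presented in ["JOSE", "zoe", "Alice"]:
        for sensitivity in (True, False):
            matches = [u for u in SAMPLE_USERS if usernames_match(u, presented, sensitivity)]
            print(f"{presented!r} sensitivity={sensitivity}: {matches}")
    print("collisions with sensitivity disabled:", find_collisions(SAMPLE_USERS, False))
```

The find_collisions check is the part a practitioner wants before flipping the option: in the sample list, "José" and "jose" are two entries with sensitivity enabled but one identity with it disabled, so the weaker comparison should be paired with a review of the existing user table.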

693347

Restrict the IPv6 pools address and the IPv6 split tunneling routing address to addresses of the IP mask or range type only, so that SSL VPN can support EMS tag dynamic addresses.

config vpn ssl web portal
    edit <name>
        set ipv6-pools <address>
        set ipv6-split-tunneling-routing-address <address>
    next
end

696675

Update the options for the auto-scale role:

config system auto-scale
    set role {primary | secondary}
end

697566

Allow ip_no_pmtu_disc to be set manually under config system global by adding an option to configure PMTU discovery. This option sets the kernel value of ip_no_pmtu_disc (default = 1).

config system global
    set pmtu-discovery {enable | disable}
end

700840

Add support for IPv6 VRF.

config router bgp
    config vrf-leak6
        edit <vrf>
            config target
                edit <vrf>
                    set route-map <string>
                    set interface <string>
                next
            end
        next
    end
end

The VRF origin and target IDs are integers from 0 to 31.

config router static6
    edit <id>
        set vrf <integer>
    next
end

The VRF is an integer from 0 to 31.

704624

Move the delay and required settings from the automation-action table to the automation-stitch table within an actions subtable so they can be set per stitch.

config system automation-stitch
    edit <name>
        set trigger <name>
        config actions
            edit 1
                set action <name>
                set delay <integer>
                set required {enable | disable}
            next
            edit 2
                set action <name>
            next
        end
    next
end

709109

Add the following option to backup configuration files using SFTP:

# execute backup config sftp <file name> <SFTP server><:SFTP port> [user] [password]

710125

Add a hold-down option to the real servers of the access proxy for the static, round-robin, weighted, first alive, and HTTP host load-balancing methods.

config firewall access-proxy
    edit <name>
        config api-gateway
            edit <id>
                config realservers
                    edit <id>
                        set ip <address>
                        set port <integer>
                        set status active
                        set health-check enable
                        set holddown-interval {enable | disable}
                        set health-check-proto {ping | http | tcp-connect}
                    next
                end
            next
        end
    next
end

The holddown-interval option is only available if the real server health check of the access proxy is enabled.

710730

Update antivirus quarantine settings to reflect that they are now based on machine learning malware detection instead of heuristics.

config antivirus quarantine
    set drop-machine-learning <option>
    set store-machine-learning <option>
end

711484

Add certificate authentication support for proxy policy authentication.

config authentication setting
    set cert-auth {enable | disable}
    set cert-captive-portal <hostname>
    set cert-captive-portal-ip <address>
    set cert-captive-portal-port <integer>
end

Where cert-captive-portal-port is the captive portal port number (1 - 65535, default = 7832).

712794

Allow the wireless controller to obtain temperature values from FortiAP-F models that have built-in temperature sensors:

# diagnose wireless-controller wlac -c wtp <serial number> | grep Temp
