Rewrite RDP and VNC handling.

The following commands have been added:

• Add color depth under VNC bookmark entry.

  config vpn ssl web portal
      edit <name>
          config bookmark-group
              edit <name>
                  config bookmarks
                      edit <name>
                          set apptype vnc
                          set color-depth {32 | 16 | 8}
                          set logon-user <string>
                      next
                  end
              next
          end
      next
  end

  config vpn ssl web {user-group-bookmark user-bookmark}
      config bookmarks
          edit <name>
              set apptype vnc
              set color-depth {32 | 16 | 8}
              set logon-user <string>
          next
      end
  end

• Add color depth, restricted administrator, send pre-connection ID, and keyboard layout under RDP bookmark entry.

  config vpn ssl web portal
      edit <name>
          config bookmark-group
              edit <name>
                  config bookmarks
                      edit <name>
                          set apptype rdp
                          set color-depth {32 | 16 | 8}
                          set restricted-admin {enable | disable}
                          set send-preconnection-id {enable | disable}
                          set keyboard-layout <option>
                      next
                  end
              next
          end
      next
  end
  

  config vpn ssl web {user-group-bookmark user-bookmark}
      config bookmarks
          edit <name>
              set apptype rdp
              set color-depth {32 | 16 | 8}
              set restricted-admin {enable | disable}
              set send-preconnection-id {enable | disable}
              set keyboard-layout <option>
          next
      end
  end

• Add web mode RDP and VNC clipboard control.

  config vpn ssl web portal
      edit <name>
          set clipboard {enable | disable}
      next
  end

The following commands have changed:

• Change maximum value for pre-connection ID under all RDP bookmark entries.

  config vpn ssl web portal
      edit <name>
          config bookmark-group
              edit <name>
                  config bookmarks
                      edit <name>
                          set apptype rdp
                          set preconnection-id <integer, 0 - 4294967295>
                      next
                  end
              next
          end
      next
  end 
  

  config vpn ssl web {user-group-bookmark user-bookmark}
      config bookmarks
          edit <name>
              set apptype rdp
              set preconnection-id <integer, 0 - 4294967295>
          next
      end
  end

The following commands have been removed:

• Remove server-layout attribute under all RDP bookmark entries.
• Remove unsupported application types (citrix and portforward) from all bookmark entries for allow-user-access attribute.
• Remove diagnose app guacd debug command.

Add management-port-use-admin-sport option under config system global to enable/disable using the admin-sport as management port. If disabled, allow specifying the management-port.

config system global
    set management-port-use-admin-sport {enable | disable}
end

Add traceroute option to use SD-WAN rules for output interface.

# execute traceroute-options use-sdwan
Use SDWAN rules to get output interface  <yes | no>.

Extend CRL verification options (formerly strict-crl-check) to include CRL expiry, leaf absence, and chain absence in certificate verification. If any of the CRL verification options are enabled upon revoke, the certificate status will be marked as revoke.

config vpn certificate setting
    config crl-verification
        set expiry {ignore | revoke}
        set leaf-crl-absence {ignore | revoke}
        set chain-crl-absence {ignore | revoke}
    end
end

The default setting for each option is ignore.

Move configuration option for youtube-restrict from videofilter profile back to webfilter profile.

Introduce a new DNS server selection method and CLI option to change how configured DNS servers are prioritized. The server-select-method option specifies how configured servers are prioritized, either based on least round-trip time (least-rtt) or the order they are configured (failover). Alternate primary and secondary DNS servers can be configured, but they are not used as failover DNS servers.

config system {dns vdom-dns}
    set server-select-method {least-rtt | failover}
    set alt-primary <class_ip>
    set alt-secondary <class_ip>
end

Change username-case-sensitivity option to username-sensitivity. This new option includes both case sensitivity and accent sensitivity. When disabled, both case and accents are ignored when comparing names during matching.

config user local
    edit <name>
        set username-sensitivity {enable | disable}
    next
end

Restrict IPv6 pools address and IPv6 split tunneling routing address to be IP mask or range type only so SSL VPN can support EMS tag dynamic addresses.

config vpn ssl web portal
    edit <name>
        set ipv6-pools <address>
        set ipv6-split-tunneling-routing-address <address>
    next
end

Update the options for the auto-scale role:

config system auto-scale
    set role {primary | secondary}
end

Allow ip_no_pmtu_disc to be set manually under config system global by adding am option to configure PMTU discovery. This value will set the kernel value for ip_no_pmtu_disc (default = 1).

config system global
    set pmtu-discovery {enable | disable}
end

Add support for IPv6 VRF.

config router bgp
    config vrf-leak6
        edit <vrf>
            config target
                edit <vrf>
                    set route-map <string>
                    set interface <string>
                end
            end
        next
end

The VRF origin and target IDs are an integer between 0 - 31.

config router static6
    edit <id>
        set vrf <integer>
    next
end

The VRF is an integer between 0 - 31.

Move the delay and required settings from the automation-action table to the automation-stitch table within an actions subtable so they can be set per stitch.

config system automation-stitch
    edit <name>
        set trigger <name>
        config actions
            edit 1
                set action <name>
                set delay <integer>
                set required {enable | disable}
            next
            edit 2
                set action <name>
            next
        end
    next
end

Add the following option to backup configuration files using SFTP:

# execute backup config sftp <file name> <SFTP server><:SFTP port> [user] [password]

Add support for static, round-robin, weighted, first alive, and HTTP host load-balancing methods to have hold down option to the real server of the access proxy.

config firewall access-proxy
    edit <name>
        config api-gateway
            edit <id>
                config realservers
                    edit <id>
                        set ip <address>
                        set port <integer>
                        set status active
                        set health-check enable
                        set holddown-interval {enable | disable}
                        set health-check-proto {ping | http | tcp-connect}
                    next
                end
            next
        end
    next
end

The holddown-intervaloption is only available if the real server health check of the access proxy is enabled.

Update antivirus quarantine settings to reflect that they are now based on machine learning malware detection instead of heuristics.

config antivirus quarantine
    set drop-machine-learning <option>
    set store-machine-learning <option>
end

Add certificate authentication support for proxy policy authentication.

config authentication setting
    set cert-auth {enable | disable}
    set cert-captive-portal <hostname>
    set cert-captive-portal-ip <address>
    set cert-captive-portal-port <integer>
end

Where cert-captive-portal-port is the captive portal port number (1 - 65535, default = 7832).