Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Changes in CLI

Bug ID

Description

550819

Rewrite RDP and VNC handling.

The following commands have been added:

  • Add color depth under VNC bookmark entry.
    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype vnc
                            set color-depth {32 | 16 | 8}
                            set logon-user <string>
                        next
                    end
                next
            end
        next
    end
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype vnc
                set color-depth {32 | 16 | 8}
                set logon-user <string>
            next
        end
    end
  • Add color depth, restricted administrator, send pre-connection ID, and keyboard layout under RDP bookmark entry.
    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype rdp
                            set color-depth {32 | 16 | 8}
                            set restricted-admin {enable | disable}
                            set send-preconnection-id {enable | disable}
                            set keyboard-layout <option>
                        next
                    end
                next
            end
        next
    end
    
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype rdp
                set color-depth {32 | 16 | 8}
                set restricted-admin {enable | disable}
                set send-preconnection-id {enable | disable}
                set keyboard-layout <option>
            next
        end
    end
  • Add web mode RDP and VNC clipboard control.
    config vpn ssl web portal
        edit <name>
            set clipboard {enable | disable}
        next
    end

The following commands have changed:

  • Change maximum value for pre-connection ID under all RDP bookmark entries.

    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype rdp
                            set preconnection-id <integer, 0 - 4294967295>
                        next
                    end
                next
            end
        next
    end 
    
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype rdp
                set preconnection-id <integer, 0 - 4294967295>
            next
        end
    end

The following commands have been removed:

  • Remove server-layout attribute under all RDP bookmark entries.
  • Remove unsupported application types (citrix and portforward) from all bookmark entries for allow-user-access attribute.
  • Remove diagnose app guacd debug command.

630083

Add traceroute option to use SD-WAN rules for output interface.

# execute traceroute-options use-sdwan
Use SDWAN rules to get output interface  <yes | no>.

674576

Extend CRL verification options (formerly strict-crl-check) to include CRL expiry, leaf absence, and chain absence in certificate verification. If any of the CRL verification options are enabled upon revoke, the certificate status will be marked as revoke.

config vpn certificate setting
    config crl-verification
        set expiry {ignore | revoke}
        set leaf-crl-absence {ignore | revoke}
        set chain-crl-absence {ignore | revoke}
    end
end

The default setting for each option is ignore.

687486

Move configuration option for youtube-restrict from videofilter profile back to webfilter profile.

687833

Introduce a new DNS server selection method and CLI option to change how configured DNS servers are prioritized. The server-select-method option specifies how configured servers are prioritized, either based on least round-trip time (least-rtt) or the order they are configured (failover). Alternate primary and secondary DNS servers can be configured, but they are not used as failover DNS servers.

config system {dns vdom-dns}
    set server-select-method {least-rtt | failover}
    set alt-primary <class_ip>
    set alt-secondary <class_ip>
end

688989

Change username-case-sensitivity option to username-sensitivity. This new option includes both case sensitivity and accent sensitivity. When disabled, both case and accents are ignored when comparing names during matching.

config user local
    edit <name>
        set username-sensitivity {enable | disable}
    next
end

693347

Restrict IPv6 pools address and IPv6 split tunneling routing address to be IP mask or range type only so SSL VPN can support EMS tag dynamic addresses.

config vpn ssl web portal
    edit <name>
        set ipv6-pools <address>
        set ipv6-split-tunneling-routing-address <address>
    next
end

700840

Add support for IPv6 VRF.

config router bgp
    config vrf-leak6
        edit <vrf>
            config target
                edit <vrf>
                    set route-map <string>
                    set interface <string>
                end
            end
        next
end

The VRF origin and target IDs are an integer between 0 - 31.

config router static6
    edit <id>
        set vrf <integer>
    next
end

The VRF is an integer between 0 - 31.

709109

Add the following option to backup configuration files using SFTP:

# execute backup config sftp <file name> <SFTP server><:SFTP port> [user] [password]

710125

Add support for static, round-robin, weighted, first alive, and HTTP host load-balancing methods to have hold down option to the real server of the access proxy.

config firewall access-proxy
    edit <name>
        config api-gateway
            edit <id>
                config realservers
                    edit <id>
                        set ip <address>
                        set port <integer>
                        set status active
                        set health-check enable
                        set holddown-interval {enable | disable}
                        set health-check-proto {ping | http | tcp-connect}
                    next
                end
            next
        end
    next
end

The holddown-intervaloption is only available if the real server health check of the access proxy is enabled.

710730

Update antivirus quarantine settings to reflect that they are now based on machine learning malware detection instead of heuristics.

config antivirus quarantine
    set drop-machine-learning <option>
    set store-machine-learning <option>
end

711484

Add certificate authentication support for proxy policy authentication.

config authentication setting
    set cert-auth {enable | disable}
    set cert-captive-portal <hostname>
    set cert-captive-portal-ip <address>
    set cert-captive-portal-port <integer>
end

Where cert-captive-portal-port is the captive portal port number (1 - 65535, default = 7832).

712794

Allow the wireless controller to obtain temperature values from FortiAP-F models that have built-in temperature sensors:

# diagnose wireless-controller wlac -c wtp <serial number> | grep Temp

Changes in CLI

Bug ID

Description

550819

Rewrite RDP and VNC handling.

The following commands have been added:

  • Add color depth under VNC bookmark entry.
    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype vnc
                            set color-depth {32 | 16 | 8}
                            set logon-user <string>
                        next
                    end
                next
            end
        next
    end
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype vnc
                set color-depth {32 | 16 | 8}
                set logon-user <string>
            next
        end
    end
  • Add color depth, restricted administrator, send pre-connection ID, and keyboard layout under RDP bookmark entry.
    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype rdp
                            set color-depth {32 | 16 | 8}
                            set restricted-admin {enable | disable}
                            set send-preconnection-id {enable | disable}
                            set keyboard-layout <option>
                        next
                    end
                next
            end
        next
    end
    
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype rdp
                set color-depth {32 | 16 | 8}
                set restricted-admin {enable | disable}
                set send-preconnection-id {enable | disable}
                set keyboard-layout <option>
            next
        end
    end
  • Add web mode RDP and VNC clipboard control.
    config vpn ssl web portal
        edit <name>
            set clipboard {enable | disable}
        next
    end

The following commands have changed:

  • Change maximum value for pre-connection ID under all RDP bookmark entries.

    config vpn ssl web portal
        edit <name>
            config bookmark-group
                edit <name>
                    config bookmarks
                        edit <name>
                            set apptype rdp
                            set preconnection-id <integer, 0 - 4294967295>
                        next
                    end
                next
            end
        next
    end 
    
    config vpn ssl web {user-group-bookmark user-bookmark}
        config bookmarks
            edit <name>
                set apptype rdp
                set preconnection-id <integer, 0 - 4294967295>
            next
        end
    end

The following commands have been removed:

  • Remove server-layout attribute under all RDP bookmark entries.
  • Remove unsupported application types (citrix and portforward) from all bookmark entries for allow-user-access attribute.
  • Remove diagnose app guacd debug command.

630083

Add traceroute option to use SD-WAN rules for output interface.

# execute traceroute-options use-sdwan
Use SDWAN rules to get output interface  <yes | no>.

674576

Extend CRL verification options (formerly strict-crl-check) to include CRL expiry, leaf absence, and chain absence in certificate verification. If any of the CRL verification options are enabled upon revoke, the certificate status will be marked as revoke.

config vpn certificate setting
    config crl-verification
        set expiry {ignore | revoke}
        set leaf-crl-absence {ignore | revoke}
        set chain-crl-absence {ignore | revoke}
    end
end

The default setting for each option is ignore.

687486

Move configuration option for youtube-restrict from videofilter profile back to webfilter profile.

687833

Introduce a new DNS server selection method and CLI option to change how configured DNS servers are prioritized. The server-select-method option specifies how configured servers are prioritized, either based on least round-trip time (least-rtt) or the order they are configured (failover). Alternate primary and secondary DNS servers can be configured, but they are not used as failover DNS servers.

config system {dns vdom-dns}
    set server-select-method {least-rtt | failover}
    set alt-primary <class_ip>
    set alt-secondary <class_ip>
end

688989

Change username-case-sensitivity option to username-sensitivity. This new option includes both case sensitivity and accent sensitivity. When disabled, both case and accents are ignored when comparing names during matching.

config user local
    edit <name>
        set username-sensitivity {enable | disable}
    next
end

693347

Restrict IPv6 pools address and IPv6 split tunneling routing address to be IP mask or range type only so SSL VPN can support EMS tag dynamic addresses.

config vpn ssl web portal
    edit <name>
        set ipv6-pools <address>
        set ipv6-split-tunneling-routing-address <address>
    next
end

700840

Add support for IPv6 VRF.

config router bgp
    config vrf-leak6
        edit <vrf>
            config target
                edit <vrf>
                    set route-map <string>
                    set interface <string>
                end
            end
        next
end

The VRF origin and target IDs are an integer between 0 - 31.

config router static6
    edit <id>
        set vrf <integer>
    next
end

The VRF is an integer between 0 - 31.

709109

Add the following option to backup configuration files using SFTP:

# execute backup config sftp <file name> <SFTP server><:SFTP port> [user] [password]

710125

Add support for static, round-robin, weighted, first alive, and HTTP host load-balancing methods to have hold down option to the real server of the access proxy.

config firewall access-proxy
    edit <name>
        config api-gateway
            edit <id>
                config realservers
                    edit <id>
                        set ip <address>
                        set port <integer>
                        set status active
                        set health-check enable
                        set holddown-interval {enable | disable}
                        set health-check-proto {ping | http | tcp-connect}
                    next
                end
            next
        end
    next
end

The holddown-intervaloption is only available if the real server health check of the access proxy is enabled.

710730

Update antivirus quarantine settings to reflect that they are now based on machine learning malware detection instead of heuristics.

config antivirus quarantine
    set drop-machine-learning <option>
    set store-machine-learning <option>
end

711484

Add certificate authentication support for proxy policy authentication.

config authentication setting
    set cert-auth {enable | disable}
    set cert-captive-portal <hostname>
    set cert-captive-portal-ip <address>
    set cert-captive-portal-port <integer>
end

Where cert-captive-portal-port is the captive portal port number (1 - 65535, default = 7832).

712794

Allow the wireless controller to obtain temperature values from FortiAP-F models that have built-in temperature sensors:

# diagnose wireless-controller wlac -c wtp <serial number> | grep Temp