New features or enhancements
More detailed information is available in the New Features Guide.
Bug ID |
Description |
---|---|
477886 |
Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out. config system npu set prp-port-in <port> set prp-port-out <port> end |
489956 |
Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default). config system npu set lag-out-port-select {enable | disable} end Add algorithm in NPU driver for distribution, |
568534 |
The DHCP snooping server access list allows only the DHCP servers on the list to answer DHCP requests; DHCP server responses from servers that are not on the list are blocked. The DHCP server access list feature can be enabled from the VDOM or switch level. Server lists are configured per switch VLAN interface. VDOM level: config switch-controller global set dhcp-server-access-list {enable | disable} end FortiSwitch level: config switch-controller managed-switch edit <switch> set dhcp-server-access-list {global | enable | disable} next end Interface: config system interface edit <interface> config dhcp-snooping-server-list edit <list> set server-ip <class_ip> next end next end |
575686 |
When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself. |
613092 |
Allow SSL VPN to be explicitly enabled or disabled from the GUI and CLI. To connect, SSL VPN must be enabled and the SSL VPN interface must be up. config vpn ssl settings set status {enable | disable} end |
658039 |
Add CLI option Setting this option in the OCVPN configuration will cause the generated config vpn ocvpn set auto-discovery-shortcut-mode {independent | dependent} end |
669942 |
In the scenario where session synchronization is down between two FGSP members, resulting in a split-brain situation, the IKE monitor provides a mechanism to maintain the integrity of the state tables and the primary/secondary roles of each gateway. It continues to provide fault tolerance by tracking the timestamp of the latest received traffic, and it uses the ESP sequence number jump-ahead value to preserve the sequence number per gateway. Once the link is back up, the cluster resolves the roles and synchronizes the session and IKE data. During this process, if IKE fails over from one unit to the other, the tunnel remains valid: the IKE session and roles are resynchronized, and the sequence number jump-ahead keeps ESP anti-replay detection from dropping the peer's traffic. |
670058 |
Conventionally, public cloud FortiGate deployments require four NICs (external data processing, internal data processing, heartbeat/synchronization, and HA management). The HA heartbeat and management have been merged into the same interface, so only three NICs are required. |
687892 |
Add replacement message for video filter and show block reason (video category or channel). config videofilter profile edit <profile> set replacemsg-group <profile_name> next end |
689139 |
Add shortcuts to various locations in the GUI to help users register their FortiGate to FortiCare. This option is also added to newly authorized Fabric FortiGates. |
689931 |
With NAC LAN segment support, the VLAN segmentation is handled by the FortiSwitch. Devices can maintain the same IP that they initially receive while onboarding. When a NAC policy is matched, the device gets placed into the appropriate VLAN by the FortiSwitch, providing segmentation from other LAN segments. |
690671 |
Filtering PFCP traffic is supported on FortiOS Carrier. PFCP filtering is required to provide security for evolving 4G networks and upcoming 5G networks. PFCP filtering is configured similarly to GTP filtering: PFCP message filters and profiles are created and applied in firewall policies. |
692529 |
Enhance MAC authentication bypass so that the MAC authentication status is recorded in authd. The MAC authentication is retired in 10 seconds and is always sent to the portal for HTTP authentication sessions. |
696057 |
Add REST API to retrieve a list of FortiSwitch models that are supported on the FortiGate:
|
696844 |
In central NAT mode, a VIP has a status option so that it can be enabled or disabled. |
697340 |
When indoor AP models are placed outdoors, or outdoor AP models are placed indoors, there is an option to override the indoor or outdoor flag. This enables the available channels list to reflect the region based on the AP placement. |
697843 |
On models that have an internal switch that supports modifying the distribution algorithm, enhanced hashing can be used to help distribute traffic evenly across links on the LAG interface. The enhanced hashing algorithm is based on a 5-tuple of the IP protocol, source IP address, destination IP address, source port, and destination port. The computation method can also be specified. |
699006 |
On a FortiCarrier, the new RAT (radio access technology) timeout profile allows users to customize the timeout values for each RAT type. This profile can be applied to GTP profiles to allow GTP tunnel timeout per RAT type (default value is 0 seconds). |
699205 |
Add dynamic firewall address subtype, Switch Controller NAC Policy Tag. This type of address can be assigned to a NAC policy under Switch Controller Action. All device MACs discovered in the NAC policy will be added to the firewall address dynamically. |
699226 |
Add the diagnose switch-controller switch-info port-properties <switch-serial> command, which reports the PoE, connector, and speed capabilities of each port on a managed FortiSwitch. Sample output: # diagnose switch-controller switch-info port-properties S548DF********** Switch: S548DF********** Port: port1 PoE : 802.3af/at,30.0W Connector : RJ45 Speed : 10Mhalf/10Mfull/100Mhalf/100Mfull/1Gauto/auto |
699268 |
Add realm support on FortiGate SSL VPN client. config vpn ssl client edit <client> set realm <string> next end |
699456 |
Increase the bit size of FortiGate-generated RSA keys from 1024 to 2048. |
700073 |
Add a default-action into config videofilter youtube-channel-filter edit <id> set default-action {block | monitor | allow} set log {enable | disable} next end The default settings are |
700665 |
Allow FortiAI to be used with antivirus profiles in proxy inspection mode. FortiAI inspects high-risk files and issues a verdict to the firewall based on how close a file's features match those of malware. When enabled, FortiAI can log, block, or ignore the file based on the verdict. |
701033 |
Support the octets and MAC address SNMP engine ID formats defined in RFC 2571 in the SNMP engine ID configuration. config system snmp sysinfo set engine-id-type {text | hex | mac} set engine-id <string, maximum 27 characters> end |
702665 |
Add support for BGP conditional advertisement for IPv6 on the FortiGate: config router bgp config neighbor edit <name> config conditional-advertise6 edit <name> set condition-routemap <string> set condition-type {exist | non-exist} next end next end end |
703312 |
Improve switch controller performance in large topologies. |
703900 |
In an SD-WAN transit routing setup with Google Network Connectivity Center (NCC), you can route data and exchange border gateway protocol (BGP) routing information between two or more remote sites via GCP. |
704318 |
Add SNMP OIDs to query FortiSwitch CPU, memory, and port status via the FortiGate. These objects are added to the FortiOS enterprise MIB 2 tables. |
704662 |
Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. Changes include:
|
704819 |
Using the RADIUS attribute Tunnel-Private-Group-Id, a wireless controller can now accept a VLAN name as a string, and match the VLAN sub-interface attached to a VAP interface when dynamically assigning a VLAN. Users logging into an SSID can be dynamically assigned to the proper VLAN based on the VLAN configurations on RADIUS for the particular user. |
706491 |
On FortiClient EMS versions that support |
707143 |
NetFlow and sFlow now support SD-WAN as the interface selection method: config system {netflow sflow vdom-netflow vdom-sflow} set interface-select-method {auto | sdwan | specify} set interface <interface> end |
707388 |
EMS shares |
707475 |
Enhancements for ZTNA logging:
|
707643 |
Implement best route mode for SD-WAN rules, including ECMP support for the longest match and the longest match overriding the quality comparison. |
708358 |
Passive health check for SD-WAN can be configured in the GUI from two locations:
|
709061 |
In WiFi & Switch Controller > Managed Switch > Topology View, a new Reorder button provides users with the ability to rearrange the order in which the FortiSwitches appear. |
709067 |
Add support for RFC 5709 HMAC-SHA cryptographic authentication for OSPF: config router key-chain edit <name> config key edit <id> set algorithm {md5 | hmac-sha1 | hmac-sha256 | hmac-sha384 | hmac-sha512} next end next end |
709090 |
The FortiWiFi mesh function supports obtaining Fortinet MAC OUI ranges from the FortiGuard MAC address database (MADB), so that leaf FortiAPs with new MAC OUIs can be automatically recognized and allowed. |
709104 |
WANOpt supports SSL offloading of traffic without needing to define an SSL server. The server side FortiGate re-signs the HTTP server's certificate without an SSL server being configured (both with and without an external proxy). This enhancement also adds support for GCM and ChaCha20 cipher suites in the SSL connection. |
709107 |
Allow FortiGate to support client certificate authentication used in mTLS communication between client and server. In this communication, clients are issued certificates by the CA. An access proxy configured on the FortiGate may use the new certificate method in the authentication scheme to identify and approve the client certificate provided by the client when it tries to connect to the access proxy. Optionally, the FortiGate may add the HTTP header |
709108 |
The TCP forwarding access proxy supports communication between the client and the access proxy without SSL/TLS encryption. The connection between the client and the access proxy still begins with a TLS handshake; the client then uses the HTTP 101 response to switch protocols and drop the HTTPS stack. Subsequent end-to-end communication between the client and server is encapsulated on the specified TCP port but is not otherwise encrypted by the access proxy, so the carried protocol's own encryption (if any) is all that protects it in transit. |
710318 |
Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability:
|
710323 |
Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability:
|
710423 |
When connecting to FortiAnalyzer in the Security Fabric, the FortiGate displays an Authorize button when the FortiGate has not been authorized on the FortiAnalyzer side. This opens a shortcut to log in to the FortiAnalyzer and approve the FortiGate. |
711577 |
Add warnings to inform users when an installed firmware is not signed by Fortinet. The warning message appears in the CLI when the uploaded firmware fails signature validation, and when logging in to the FortiGate from the GUI. Additional messages are added in various places once a user is logged in to the GUI to remind them of the unsigned firmware. |
711868 |
FortiTester can be added to the Security Fabric and authorized from the Security Fabric topology view. Once added, the FortiTester appears in the dashboard Security Fabric widget, and it can be added to the dashboard as a Fabric device widget. |
712102 |
The REST API can retrieve dynamic information about LTE modems, such as RSSI signal strength, SIM information, data session, and usage levels from 3G and 4G FortiGates. |
712304 |
Support new Google gVNIC interface, which offers improved performance and bandwidth and is required in some VM shapes that are tuned for optimal performance. |
712916 |
SD-WAN zones can be applied in three new ways:
The following commands are added: config router {static | static6} edit <id> set sdwan-zone <string> next end config system sdwan config service edit <id> set priority-zone <string> next end end The following commands are removed: config router {static | static6} edit <id> set sdwan {enable | disable} next end |
713011 |
When a FortiGate has multiple EMS entries configured, instead of querying every EMS server to fetch device information for device certificate validation, add optional EMS server information for WAD device query to fcnacd. This allows fcnacd to direct the query for the device only to the specific EMS. |
713535 |
Sniffer traffic logs from the IPS engine are expanded to 64-bit variable sizes (previously 32-bit for sent/received bytes fields). |
713690 |
Add user count per LDAP group in an Active Directory. When LDAP users log on through firewall authentication, the active users per LDAP group is counted and displayed in the Firewall Users view and CLI. |
713717 |
The FortiGate can automatically downgrade to use TLS version 1.2 when there are no proper custom ciphers configured in TLS 1.3 in a server load-balance VIP configuration. |
713793 |
Allow FortiGates to read the Cisco Security Group Tag (SGT) in Ethernet frames and use them as matching criteria in firewall policies. A policy can match based on the presence of an SGT, or the detection of a specific ID or IDs. This feature is available in flow mode policies for virtual wire pair policies or policies in transparent mode VDOMs. |
714713 |
Allow SSL VPN interfaces to be used in zones. |
715031 |
Add option in the SSL VPN web portal profile to disable the use of the copy and paste clipboard in RDP and VNC connections while using web mode. |
715100 |
Allow FortiClient to use a browser as an external user agent to perform SAML authentication for SSL VPN tunnel mode. In prior versions, SAML authentication must be performed within the FortiClient embedded login window. A new setting is added to configure the SAML redirection port upon successful SAML authentication: config vpn ssl settings set saml-redirect-port <port> end |
716453 |
On KVM, FortiOS can support bootstrapping using a MIME file via config drive. |
716683 |
FIPS CC mode is now supported on OCI and GCP FortiGate VMs. config system fips-cc set status fips-ciphers end To enable this feature, all VPNs must be removed. |
717336 |
The dedicated management CPU feature ensures that CPU 0 is only used for management traffic. This feature, which was previously available for 2U models and higher, is now available on 1U models. |
717579 |
Add command in the WTP profile to disable console login from the FortiAP: config wireless-controller wtp-profile edit <profile> set console-login {enable | disable} next end All managed APs using this profile will be rebooted and changes will be applied. |
717591 |
For SSIDs in local standalone NAT mode, add the option to define up to three DNS servers to assign to wireless endpoints through DHCP. |
717907 |
Add option in CLI to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost: config user fsso edit <name> set logon-timeout <integer> next end The |
719581 |
Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. It allows the speed test results of dial-up tunnels to be cached for reuse when the tunnel is up again. |
719764 |
Allows IPv6 to be configured in several ZTNA scenarios:
Configuration changes include:
|
720046 |
Add option to toggle between enabling or disabling policy route updates when a link monitor fails. By disabling policy route updates, a link monitor failure will not cause corresponding policy based routes to be removed. |
720136 |
When configuring a radio in service assurance management (SAM) mode, support is added to configure the client to authenticate with the captive portal. The captive portal match string, success string, and failure string must be specified to automatically detect the authentication success or failure. |
720723 |
The link monitor can configure multiple servers and allow each server to have its own weight setting. If the link monitor is down, it will trigger static route updates and cascade interface updates if the weight of all dead servers exceeds the monitor's fail weight threshold. |
721280 |
New options are added to the SSL/SSH profile to log server certificate information and TLS handshakes. New fields are added to the UTM SSL logs when these options are enabled. |
721798 |
When a FortiGate FGCP HA active-passive cluster fails over, CAPWAP traffic is able to quickly fail over to a secondary device, which prevents significant AP downtime with minimal impact for wireless clients. CAPWAP hitless failover with FGCP is only available on FortiAP AX platforms and F-series models when FortiGates are running in active-passive mode. |
722649 |
ZTNA can be configured with an SSH access proxy to provide a seamless SSH connection to the server. The advantages of an SSH access proxy over a TCP forwarding access proxy include:
|
723176 |
Support logging for FortiGate generated local out DNS traffic. A new setting is added for the local DNS log: config system dns set log {disable | error | all} end |
723178 |
When a user disconnects from an IPsec VPN tunnel, it is sometimes not desirable for the released IP to be immediately used up in the current first available IP assignment method. A new setting is added to hold an IP for a delay interval in seconds (0 - 28800) before it is released for use. IPs are still assigned by the first available method. config vpn ipsec phase1-interface edit <name> set ip-delay-interval <integer> next end |
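The engine ID formats behind bug 701033 above (text, hex octets, MAC address) are the RFC 2571/3411 SnmpEngineID layout: a four-octet enterprise number with the high bit set, a one-octet format code (1 IPv4, 2 IPv6, 3 MAC, 4 text, 5 octets), then up to 27 octets of identifier, which is where the 27-character CLI limit comes from. The example below is added here and is not FortiOS code; it encodes and decodes that layout and goes one step further to show why the value matters for security: the RFC 3414 USM key localization mixes the engine ID into every SNMPv3 user's authentication key, so changing engine-id or engine-id-type changes the localized keys and breaks managers that cached the old ID. Fortinet's enterprise number 12356 and the sample identifiers are assumptions for illustration.

```python
"""RFC 2571/3411 SNMP engine ID encoding plus RFC 3414 key localization.
Added example; not FortiOS code. Enterprise number and sample IDs are assumed."""
import hashlib

FMT_IPV4, FMT_IPV6, FMT_MAC, FMT_TEXT, FMT_OCTETS = 1, 2, 3, 4, 5
ENGINE_ID_MAX = 32               # SnmpEngineID is OCTET STRING (SIZE (5..32))
PAYLOAD_MAX = ENGINE_ID_MAX - 5  # 27 octets: the CLI limit quoted in the release note
FORTINET_PEN = 12356             # Fortinet IANA enterprise number (assumption)


def encode_engine_id(id_type, value, enterprise=FORTINET_PEN):
    """Build a new-format engine ID: (0x80000000 | PEN) as 4 octets, format octet, payload."""
    if id_type == "text":
        fmt, data = FMT_TEXT, value.encode("ascii")
    elif id_type == "hex":
        fmt, data = FMT_OCTETS, bytes.fromhex(value)
    elif id_type == "mac":
        fmt, data = FMT_MAC, bytes.fromhex(value.replace(":", "").replace("-", ""))
        if len(data) != 6:
            raise ValueError("MAC address must be 6 octets")
    else:
        raise ValueError(f"unknown engine-id-type {id_type!r}")
    if not 1 <= len(data) <= PAYLOAD_MAX:
        raise ValueError(f"payload must be 1..{PAYLOAD_MAX} octets, got {len(data)}")
    if not 1 <= enterprise <= 0x7FFFFFFF:
        raise ValueError("enterprise number must fit in 31 bits")
    return (0x80000000 | enterprise).to_bytes(4, "big") + bytes([fmt]) + data


def decode_engine_id(engine_id):
    """Return (enterprise, id_type, value); reject legacy or malformed IDs."""
    if not 5 <= len(engine_id) <= ENGINE_ID_MAX:
        raise ValueError("engine ID must be 5..32 octets")
    if not engine_id[0] & 0x80:
        raise ValueError("legacy RFC 1910 engine ID, not the RFC 2571/3411 format")
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    fmt, data = engine_id[4], engine_id[5:]
    if fmt == FMT_TEXT:
        return enterprise, "text", data.decode("ascii")
    if fmt == FMT_MAC:
        if len(data) != 6:
            raise ValueError("MAC format needs exactly 6 octets")
        return enterprise, "mac", ":".join(f"{b:02x}" for b in data)
    if fmt == FMT_OCTETS:
        return enterprise, "hex", data.hex()
    if fmt == FMT_IPV4 and len(data) == 4:
        return enterprise, "ipv4", ".".join(str(b) for b in data)
    raise ValueError(f"unsupported or malformed format octet {fmt}")


def password_to_key(password, digest="md5"):
    """RFC 3414 A.2: Ku = H(password repeated cyclically out to exactly 1 MiB)."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(digest, stream).digest()


def localize_key(ku, engine_id, digest="md5"):
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku). The engine ID is baked in."""
    return hashlib.new(digest, ku + engine_id + ku).digest()


if __name__ == "__main__":
    old_id = encode_engine_id("text", "FGT-core-01")              # sample value
    new_id = encode_engine_id("mac", "00:09:0f:aa:bb:cc")         # sample value
    ku = password_to_key("maplesyrup")                            # RFC 3414 A.3.1 password
    print(old_id.hex(), decode_engine_id(old_id))
    print(new_id.hex(), decode_engine_id(new_id))
    # Same user password, different engine ID: different localized key.
    print(localize_key(ku, old_id).hex() != localize_key(ku, new_id).hex())
```

Two practical consequences follow from the localization step: engine IDs must be unique per device (two FortiGates with the same ID also share localized keys for any user with the same password), and after changing engine-id or engine-id-type on a live unit, SNMPv3 managers must rediscover the engine ID before their USM authentication will succeed again.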
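Bug 709067 above adds RFC 5709 HMAC-SHA authentication to the OSPF key chain, alongside the legacy md5 option. The example below is added here and is not FortiOS code; it shows what the algorithm choice actually changes on the wire. RFC 5709 prepares the key to the digest length L (zero-pad short keys, hash long ones), fills the authentication trailer with the Apad constant 0x878FE1F3 repeated L/4 times, computes HMAC over the packet followed by Apad, and transmits the HMAC in place of Apad; the receiver also checks the cryptographic sequence number for replay. The legacy RFC 2328 scheme is a plain MD5 of packet plus key, not an HMAC, which is the reason to prefer the hmac-sha options. The Hello packet contents, router IDs and key are constructed sample data, and the exact trailer layout is modelled on RFC 5709 section 3.3 as described here.

```python
"""RFC 5709 OSPFv2 cryptographic authentication (HMAC-SHA) versus legacy MD5.
Added example; not FortiOS code. Packet fields and key are constructed samples."""
import hashlib
import hmac
import struct

# FortiOS key-chain algorithm names -> hashlib digest names (md5 is the RFC 2328 scheme)
HMAC_ALGOS = {"hmac-sha1": "sha1", "hmac-sha256": "sha256",
              "hmac-sha384": "sha384", "hmac-sha512": "sha512"}
APAD_WORD = bytes.fromhex("878FE1F3")   # RFC 5709 section 3.3 constant
OSPF_HDR_LEN = 24
AUTYPE_CRYPTO = 2


def apad(hash_len):
    """Apad: 0x878FE1F3 repeated L/4 times, L being the digest length in octets."""
    return APAD_WORD * (hash_len // 4)


def rfc5709_ko(key, digest):
    """Key preparation from RFC 5709 3.3: hash keys longer than L, zero-pad shorter ones."""
    L = hashlib.new(digest).digest_size
    if len(key) > L:
        return hashlib.new(digest, key).digest()
    return key.ljust(L, b"\x00")


def build_hello(router_id, area_id, key_id, seq, hash_len, neighbors=()):
    """Constructed OSPFv2 Hello with an AuType 2 header (sample values)."""
    # netmask /24, HelloInterval 10, Options, priority 1, dead interval 40, DR, BDR
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    body += b"".join(struct.pack("!I", n) for n in neighbors)
    length = OSPF_HDR_LEN + len(body)
    # Checksum is zero with cryptographic auth; the 8-octet auth field carries
    # reserved(2), Key ID(1), Auth Data Length(1), Cryptographic Sequence Number(4).
    hdr = struct.pack("!BBHIIHH", 2, 1, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    hdr += struct.pack("!HBBI", 0, key_id, hash_len, seq)
    return hdr + body


def sign_rfc5709(packet, key, algorithm):
    """Append the trailer HMAC(Ko, packet || Apad); the HMAC takes Apad's place."""
    digest = HMAC_ALGOS[algorithm]
    L = hashlib.new(digest).digest_size
    mac = hmac.new(rfc5709_ko(key, digest), packet + apad(L), digest).digest()
    return packet + mac


def verify_rfc5709(wire, key, algorithm, last_seq=-1):
    """Return (ok, seq). Checks AuType, Auth Data Length, the HMAC, and that the
    cryptographic sequence number is non-decreasing (RFC 2328 D.3 replay rule)."""
    digest = HMAC_ALGOS[algorithm]
    L = hashlib.new(digest).digest_size
    if len(wire) < OSPF_HDR_LEN + L:
        return False, None
    pkt_len = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    auth_len = wire[19]
    seq = struct.unpack("!I", wire[20:24])[0]
    if autype != AUTYPE_CRYPTO or auth_len != L or pkt_len + L != len(wire):
        return False, seq
    packet, trailer = wire[:pkt_len], wire[pkt_len:]
    expected = hmac.new(rfc5709_ko(key, digest), packet + apad(L), digest).digest()
    if not hmac.compare_digest(expected, trailer):
        return False, seq
    if seq < last_seq:
        return False, seq
    return True, seq


def legacy_md5_trailer(packet, key):
    """RFC 2328 D.4.3 for comparison: MD5(packet || 16-octet key), a keyed hash
    rather than an HMAC, which is why the hmac-sha* key-chain options are preferred."""
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()


if __name__ == "__main__":
    key = b"fortios-keychain-secret"   # sample key
    hello = build_hello(0x0A000001, 0, key_id=1, seq=1001, hash_len=32,
                        neighbors=(0x0A000002,))
    wire = sign_rfc5709(hello, key, "hmac-sha256")
    print(verify_rfc5709(wire, key, "hmac-sha256", last_seq=1000))
    print(verify_rfc5709(wire, key, "hmac-sha256", last_seq=5000))  # replayed packet
```

Note that the sequence number check only protects a neighbor relationship that already saw a higher number; a router that reboots with its counter reset is still exposed to replay until its neighbors' expectation is re-established, so rotating the key-chain key on a schedule matters as much as the algorithm choice.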