Fortinet Document Library


New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

477886

Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out.

config system npu
    set prp-port-in <port>
    set prp-port-out <port>
end

489956

Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default).

config system npu
    set lag-out-port-select {enable | disable}
end

Add algorithm in NPU driver for distribution, AGG_ALGORITHM_NPU.

568534

The DHCP snooping server access list allows servers on that list to respond to DHCP requests, while blocking requests to servers that are not on the list. The DHCP server access list feature can be enabled from the VDOM or switch level. Server lists are configured per switch VLAN interface.

VDOM level:

config switch-controller global
    set dhcp-server-access-list {enable | disable}
end

FortiSwitch level:

config switch-controller managed-switch
    edit <switch>
        set dhcp-server-access-list {global | enable | disable}
    next
end

Interface:

config system interface
    edit <interface>
        config dhcp-snooping-server-list
            edit <list>
                set server-ip <class_ip>
            next
        end
    next
end

575686

When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself.

613092

Allow SSL VPN to be explicitly enabled or disabled from the GUI and CLI. To connect, SSL VPN must be enabled and the SSL VPN interface must be up.

config vpn ssl settings
    set status {enable | disable}
end

658039

Add the CLI option set auto-discovery-shortcut-mode in the OCVPN configuration to control whether shortcuts should be torn down when the parent tunnel is down. This option is only available on the primary hub, and is shared with spokes via the cloud.

Setting this option in the OCVPN configuration will cause the generated phase1-interface object to set its auto-discovery-shortcuts option.

config vpn ocvpn
    set auto-discovery-shortcut-mode {independent | dependent}
end

669942

In the scenario where session synchronization is down between two FGSP members, resulting in a split-brain situation, the IKE monitor provides a mechanism to maintain the integrity of state tables and primary/secondary roles for each gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up, the cluster resolves the role and synchronizes the session and IKE data. During this process, if IKE fails over from one unit to another, the tunnel will remain valid due to the IKE session and role being out of sync, and the ESP anti-replay detection.

670058

Conventionally, public cloud FortiGate deployments require four NICs (external data processing, internal data processing, heartbeat/synchronization, and HA management). The HA heartbeat and management have been merged into the same interface, so only three NICs are required.

687892

Add replacement message for video filter and show block reason (video category or channel).

config videofilter profile
    edit <profile>
        set replacemsg-group <profile_name>
    next
end

689139

Add shortcuts to various locations in the GUI to help users register their FortiGate to FortiCare. This option is also added to newly authorized Fabric FortiGates.

689931

With NAC LAN segment support, the VLAN segmentation is handled by the FortiSwitch. Devices can maintain the same IP that they initially receive while onboarding. When a NAC policy is matched, the device gets placed into the appropriate VLAN by the FortiSwitch, providing segmentation from other LAN segments.

690671

Filtering PFCP traffic is supported on FortiOS Carrier. PFCP filtering is required to provide security for evolving 4G networks and upcoming 5G networks. PFCP filtering is configured similarly to GTP filtering: PFCP message filters and profiles are created and applied in firewall policies.

692529

Enhance MAC authentication bypass so that the MAC authentication status is recorded in authd. The MAC authentication is retired in 10 seconds and is always sent to the portal for HTTP authentication sessions.

696057

Add REST API to retrieve a list of FortiSwitch models that are supported on the FortiGate:

/api/v2/monitor/switch-controller/managed-switch/models

697340

When indoor AP models are placed outdoors, or outdoor AP models are placed indoors, there is an option to override the indoor or outdoor flag. This enables the available channels list to reflect the region based on the AP placement.

697843

On models that have an internal switch that supports modifying the distribution algorithm, enhanced hashing can be used to help distribute traffic evenly across links on the LAG interface. The enhanced hashing algorithm is based on a 5-tuple of the IP protocol, source IP address, destination IP address, source port, and destination port. The computation method can also be specified.

699006

On a FortiCarrier, the new RAT (radio access technology) timeout profile allows users to customize the timeout values for each RAT type. This profile can be applied to GTP profiles to allow GTP tunnel timeout per RAT type (default value is 0 seconds).

699205

Add dynamic firewall address subtype, Switch Controller NAC Policy Tag. This type of address can be assigned to a NAC policy under Switch Controller Action. All device MACs discovered in the NAC policy will be added to the firewall address dynamically.

699226

Add diagnose switch-controller switch-info port-properties [<switch>] [<port>] command to display FortiSwitch port properties, such as PoE power level, connector module form factor, and speed capabilities.

# diagnose switch-controller switch-info port-properties S548DF**********
Switch: S548DF**********
Port: port1
PoE           : 802.3af/at,30.0W
Connector     : RJ45
Speed         : 10Mhalf/10Mfull/100Mhalf/100Mfull/1Gauto/auto

699268

Add realm support on FortiGate SSL VPN client.

config vpn ssl client
    edit <client>
        set realm <string>
    next
end

699456

Increase the generated RSA key bits from 1024 to 2048.

700073

Add a default-action into youtube-channel-filter configuration to apply a default action to all channels when there is no match.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

The default settings are monitor for default-action, and disable for log.

700665

Allow FortiAI to be used with antivirus profiles in proxy inspection mode. FortiAI inspects high-risk files and issues a verdict to the firewall based on how close a file's features match those of malware. When enabled, FortiAI can log, block, or ignore the file based on the verdict.

701033

Support the octets and MAC address formats defined in RFC 2571 for the SNMP engine ID configuration.

config system snmp sysinfo
    set engine-id-type {text | hex | mac}
    set engine-id <string, maximum 27 characters>
end
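The RFC 2571 (now RFC 3411) engine ID layout explains the 27-character limit above: an engine ID is at most 32 octets, and the first 5 octets are a header (enterprise number with the high bit set, then a format octet), leaving 27 for the text, octets or MAC payload. The encoder and decoder below are an added illustration of that layout, not FortiOS code; the enterprise number 12356 and the sample MAC are assumptions for the example, and a FortiGate's own engine ID bytes may differ.

```python
"""Encode and decode SNMPv3 engine IDs in the RFC 3411 (formerly RFC 2571) format.
Added example; it illustrates the RFC layout, not the exact bytes FortiOS emits."""
import struct

# IANA private enterprise number used in the header (assumed for this example).
FORTINET_ENTERPRISE = 12356

# RFC 3411 format octet values corresponding to the engine-id-type CLI choices.
FORMAT_MAC = 3      # engine-id-type mac: a 6-octet IEEE MAC address
FORMAT_TEXT = 4     # engine-id-type text: administratively assigned text
FORMAT_OCTETS = 5   # engine-id-type hex: administratively assigned octets

MAX_ENGINE_ID = 32               # RFC 3411: SnmpEngineID is 5..32 octets
MAX_PAYLOAD = MAX_ENGINE_ID - 5  # 27 octets after the 5-octet header


def _header(fmt):
    # Octets 1-4: enterprise number with bit 0 of the first octet set, which
    # marks the RFC 3411 layout; octet 5: the format indicator.
    return struct.pack(">I", 0x80000000 | FORTINET_ENTERPRISE) + bytes([fmt])


def encode_engine_id(id_type, value):
    """Build the engine ID bytes for a given engine-id-type and value."""
    if id_type == "text":
        payload = value.encode("ascii")
        fmt = FORMAT_TEXT
    elif id_type == "hex":
        payload = bytes.fromhex(value.replace(":", ""))
        fmt = FORMAT_OCTETS
    elif id_type == "mac":
        payload = bytes.fromhex(value.replace(":", "").replace("-", ""))
        if len(payload) != 6:
            raise ValueError("a MAC address is exactly 6 octets")
        fmt = FORMAT_MAC
    else:
        raise ValueError(f"unknown engine-id-type {id_type!r}")
    # The payload cap is what the CLI's 27-character maximum enforces.
    if not payload or len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload must be 1..{MAX_PAYLOAD} octets")
    return _header(fmt) + payload


def decode_engine_id(engine_id):
    """Return (enterprise, format, value) for an RFC 3411 engine ID."""
    if not 5 <= len(engine_id) <= MAX_ENGINE_ID:
        raise ValueError("engineID must be 5..32 octets")
    (first,) = struct.unpack(">I", engine_id[:4])
    if not first & 0x80000000:
        raise ValueError("legacy RFC 1910 engineID has no format octet")
    enterprise = first & 0x7FFFFFFF
    fmt = engine_id[4]
    payload = engine_id[5:]
    if fmt == FORMAT_MAC:
        value = ":".join(f"{b:02x}" for b in payload)
    elif fmt == FORMAT_TEXT:
        value = payload.decode("ascii")
    else:
        value = payload.hex()
    return enterprise, fmt, value


if __name__ == "__main__":
    # Constructed sample MAC for demonstration only.
    eid = encode_engine_id("mac", "00:09:0f:aa:bb:cc")
    print(eid.hex(), decode_engine_id(eid))
```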

702665

Add support for BGP conditional advertisement for IPv6 on the FortiGate:

config router bgp
    config neighbor
        edit <name>
            config conditional-advertise6
                edit <name>
                    set condition-routemap <string>
                    set condition-type {exist | non-exist}
                next
            end
        next
    end
end

703312

Improve switch controller performance in large topologies.

703900

In an SD-WAN transit routing setup with Google Network Connectivity Center (NCC), you can route data and exchange border gateway protocol (BGP) routing information between two or more remote sites via GCP.

704318

Add SNMP OIDs to query FortiSwitch CPU, memory, and port status via the FortiGate. These objects are added to the FortiOS enterprise MIB 2 tables.

704662

Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. Changes include:

  • Allow upload speed tests to be run from the hub to spokes for dial-up IPsec tunnels.

  • Allow an SD-WAN member on a spoke to switch routes when speed test is being run from the hub to spokes.

  • Allow speed test result to be applied dynamically on dial-up IPsec tunnel interface for egress traffic shaping.

  • Allow traffic shaping profile to be applied on dial-up IPsec tunnel interface on the hub.

  • Add the ability to apply class ID and percentage based QoS settings to individual child tunnels using a traffic shaping policy and profile.

704819

Using the RADIUS attribute Tunnel-Private-Group-Id, a wireless controller can now accept a VLAN name as a string, and match the VLAN sub-interface attached to a VAP interface when dynamically assigning a VLAN. Users logging into an SSID can be dynamically assigned to the proper VLAN based on the VLAN configurations on RADIUS for the particular user.

706491

On FortiClient EMS versions that support push CA certs capability, the FortiGate will push CA certificates used in SSL deep inspection to the EMS server. On the EMS server, the CA certificates can be selected in the managed endpoint profiles so they can be installed on managed endpoints.

707143

NetFlow and sFlow now support using SD-WAN in interface-select-method for selecting the outgoing interface.

config system {netflow | sflow | vdom-netflow | vdom-sflow}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

707388

EMS shares Is_online information with the FortiGate, which is used to decide whether the FortiGate will allow the traffic by the ZTNA access proxy policy.

707475

Enhancements for ZTNA logging:

  • Add ZTNA log subtype to UTM logs.

  • Six scenarios will generate allow and deny logs in the new ZTNA category.

  • Add traffic log ID for ZTNA related traffic.

707643

Implement best route mode for SD-WAN rules, including ECMP support for the longest match and the longest match overriding the quality comparison.

708358

Passive health check for SD-WAN can be configured in the GUI from two locations:

  1. Network > SD-WAN > Performance SLA tab: probe mode options are Active, Passive, or Prefer Passive. The disabled option can only be configured in the CLI.

  2. In a Firewall Policy where the destination is an SD-WAN zone, the passive health check option is available. By enabling Passive Health Check in a policy, the TCP traffic for that policy will be used in health check measurements.

709061

In WiFi & Switch Controller > Managed Switch > Topology View, a new Reorder button provides users with the ability to rearrange the order in which the FortiSwitches appear.

709067

Add support for RFC 5709 HMAC-SHA cryptographic authentication for OSPF:

config router key-chain
    edit <name>
        config key
            edit <id>
                set algorithm {md5 | hmac-sha1 | hmac-sha256 | hmac-sha384 | hmac-sha512}
            next
        end
    next
end
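RFC 5709 replaces OSPFv2's MD5 digest with a keyed HMAC: the key is first normalized to Ko (hashed if longer than the digest length L, zero-padded if shorter), the authentication trailer is filled with the constant Apad, and the digest is the HMAC of the packet plus trailer, with the cryptographic sequence number in the header providing replay protection. The code below is an added example of that computation mapped onto the algorithm names from the key-chain above; it is not FortiOS code, and the router ID, area, key and packet body are constructed sample values.

```python
"""RFC 5709 OSPFv2 authentication digest (added example, not FortiOS code)."""
import hashlib
import hmac
import struct

# FortiOS key-chain algorithm name -> (hash, L = digest length, B = block size),
# the nomenclature of RFC 5709 section 3.3. md5 is the legacy RFC 2328 scheme
# and is deliberately not included here.
ALGORITHMS = {
    "hmac-sha1": (hashlib.sha1, 20, 64),
    "hmac-sha256": (hashlib.sha256, 32, 64),
    "hmac-sha384": (hashlib.sha384, 48, 128),
    "hmac-sha512": (hashlib.sha512, 64, 128),
}
OSPF_HEADER_LEN = 24
AUTYPE_CRYPTOGRAPHIC = 2


def prepare_key(algorithm, key):
    """Ko per RFC 5709: K if L octets, H(K) if longer, zero-padded to L if shorter."""
    h, L, _ = ALGORITHMS[algorithm]
    if len(key) > L:
        return h(key).digest()
    return key.ljust(L, b"\x00")


def apad(algorithm):
    """Apad = 0x878FE1F3 repeated L/4 times; it fills the authentication trailer."""
    _, L, _ = ALGORITHMS[algorithm]
    return b"\x87\x8f\xe1\xf3" * (L // 4)


def build_ospfv2_packet(pkt_type, router_id, area_id, key_id, crypto_seq, algorithm, body):
    """OSPFv2 header with AuType 2; router_id/area_id are 4-byte big-endian values."""
    _, L, _ = ALGORITHMS[algorithm]
    length = OSPF_HEADER_LEN + len(body)  # the length field excludes the trailer
    # version, type, length, router id, area id, checksum (0 for AuType 2), autype
    header = struct.pack(">BBH4s4sHH", 2, pkt_type, length, router_id, area_id,
                         0, AUTYPE_CRYPTOGRAPHIC)
    # AuType 2 authentication field: reserved, key id, auth data length, crypto seq
    header += struct.pack(">HBBI", 0, key_id, L, crypto_seq)
    return header + body


def auth_data(algorithm, key, ospf_packet):
    """First-Hash = H(Ko XOR Ipad || packet || Apad), Second-Hash = H(Ko XOR Opad || First-Hash).
    With Ko zero-padded to B octets before the XOR, as deployed implementations do,
    the pair is exactly HMAC(Ko, packet || Apad)."""
    h, _, _ = ALGORITHMS[algorithm]
    return hmac.new(prepare_key(algorithm, key), ospf_packet + apad(algorithm), h).digest()


def sign(algorithm, key, ospf_packet):
    """Append the authentication trailer (the digest) to the packet."""
    return ospf_packet + auth_data(algorithm, key, ospf_packet)


def verify(algorithm, key, frame):
    """Check the trailer of a received packet; constant-time comparison."""
    _, L, _ = ALGORITHMS[algorithm]
    if len(frame) < OSPF_HEADER_LEN + L:
        return False
    packet, received = frame[:-L], frame[-L:]
    return hmac.compare_digest(auth_data(algorithm, key, packet), received)


def sequence_ok(frame, last_seq):
    """RFC 2328 D.4.3 replay rule, kept by RFC 5709: accept only a non-decreasing
    cryptographic sequence number from a given neighbour."""
    (crypto_seq,) = struct.unpack(">I", frame[20:24])
    return crypto_seq >= last_seq


if __name__ == "__main__":
    key = b"example-key-chain-secret"  # constructed sample key
    pkt = build_ospfv2_packet(1, bytes([10, 0, 0, 1]), bytes(4), 1, 100,
                              "hmac-sha256", b"\x00" * 20)
    frame = sign("hmac-sha256", key, pkt)
    print(frame[-32:].hex(), verify("hmac-sha256", key, frame))
```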

709090

The FortiWiFi mesh function supports obtaining Fortinet MAC OUI ranges from the FortiGuard MAC address database (MADB), so that leaf FortiAPs with new MAC OUIs can be automatically recognized and allowed.

709104

WANOpt supports SSL offloading of traffic without needing to define an SSL server. The server side FortiGate will re-sign the HTTP server's certificate without needing to configure an SSL server (in both scenarios where an external proxy is and is not used). This enhancement also adds support for GCM and ChaCha ciphers in the SSL connection.

709107

Allow FortiGate to support client certificate authentication used in mTLS communication between client and server. In this communication, clients are issued certificates by the CA. An access proxy configured on the FortiGate may use the new certificate method in the authentication scheme to identify and approve the client certificate provided by the client when it tries to connect to the access proxy. Optionally, the FortiGate may add the HTTP header X-Forwarded-Client-Cert to forward the certificate information to the server.

709108

The TCP forwarding access proxy supports communication between the client and access proxy without SSL/TLS encryption. The connection between the client and access proxy still begins with a TLS handshake. The client uses the HTTP 101 response to switch protocols and remove the HTTPS stack. Further end-to-end communication between the client and server is encapsulated in the specified TCP port, but otherwise not encrypted by the access proxy.

710318

Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability:

  • LDAP Server Identity Check: ensures certificate validation takes place against LDAP server.

710323

Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability:

  • Disable Username Case-Sensitivity Check: ensures users cannot bypass two-factor authentication by using a different case than configured in the user object.

710423

When connecting to FortiAnalyzer in the Security Fabric, the FortiGate displays an Authorize button when the FortiGate has not been authorized on the FortiAnalyzer side. This opens a shortcut to log in to the FortiAnalyzer and approve the FortiGate.

711577

Add warnings to inform users when an installed firmware is not signed by Fortinet. The warning message appears in the CLI when the uploaded firmware fails signature validation, and when logging in to the FortiGate from the GUI. Additional messages are added in various places once a user is logged in to the GUI to remind them of the unsigned firmware.

711868

FortiTester can be added to the Security Fabric and authorized from the Security Fabric topology view. Once added, the FortiTester appears in the dashboard Security Fabric widget, and it can be added to the dashboard as a Fabric device widget.

712102

The REST API can retrieve dynamic information about LTE modems, such as RSSI signal strength, SIM information, data session, and usage levels from 3G and 4G FortiGates.

712304

Support new Google gVNIC interface, which offers improved performance and bandwidth and is required in some VM shapes that are tuned for optimal performance.

712916

SD-WAN zones can be applied in three new ways:

  1. Use the SD-WAN zone in IPv4 and IPv6 static routes.

  2. Use the SD-WAN zone in SD-WAN service rules.

  3. Add a pre-defined SD-WAN zone called SASE.

The following commands are added:

config router {static | static6}
    edit <id>
        set sdwan-zone <string>
    next
end
config system sdwan
    config service
        edit <id>
            set priority-zone <string>
        next
    end
end

The following commands are removed:

config router {static | static6}
    edit <id>
        set sdwan {enable | disable}
    next
end

713011

When a FortiGate has multiple EMS entries configured, instead of querying every EMS server to fetch device information for device certificate validation, add optional EMS server information for WAD device query to fcnacd. This allows fcnacd to direct the query for the device only to the specific EMS.

713535

Sniffer traffic logs from the IPS engine are expanded to 64-bit variable sizes (previously 32-bit for sent/received bytes fields).

713690

Add user count per LDAP group in an Active Directory. When LDAP users log on through firewall authentication, the active users per LDAP group are counted and displayed in the Firewall Users view and CLI.

713717

The FortiGate can automatically downgrade to use TLS version 1.2 when there are no proper custom ciphers configured in TLS 1.3 in a server load-balance VIP configuration.

713793

Allow FortiGates to read the Cisco Security Group Tag (SGT) in Ethernet frames and use them as matching criteria in firewall policies. A policy can match based on the presence of an SGT, or the detection of a specific ID or IDs. This feature is available in flow mode policies for virtual wire pair policies or policies in transparent mode VDOMs.

714713

Allow SSL VPN interfaces to be used in zones.

715031

Add option in the SSL VPN web portal profile to disable the use of the copy and paste clipboard in RDP and VNC connections while using web mode.

715100

Allow FortiClient to use a browser as an external user agent to perform SAML authentication for SSL VPN tunnel mode. In prior versions, SAML authentication had to be performed within the FortiClient embedded login window. A new setting is added to configure the SAML redirection port upon successful SAML authentication:

config vpn ssl settings
    set saml-redirect-port <port>
end

716453

On KVM, FortiOS can support bootstrapping using a MIME file via config drive.

716683

FIPS CC mode is now supported on OCI and GCP FortiGate VMs.

config system fips-cc
    set status fips-ciphers
end

To enable this feature, all VPNs must be removed.

717579

Add command in the WTP profile to disable console login from the FortiAP:

config wireless-controller wtp-profile
    edit <profile>
        set console-login {enable | disable}
    next
end

All managed APs using this profile will be rebooted and changes will be applied.

717591

For SSIDs in local standalone NAT mode, add the option to define up to three DNS servers to assign to wireless endpoints through DHCP.

717907

Add option in CLI to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost:

config user fsso
    edit <name>
        set logon-timeout <integer>
    next
end

The logon-timeout is measured in minutes (1 - 2880, default = 5).

719581

Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. It allows the speed test results of dial-up tunnels to be cached for reuse when the tunnel is up again.

719764

Allow IPv6 to be configured in several ZTNA scenarios:

  • IPv6 client with IPv6 server
  • IPv6 client with IPv4 server
  • IPv4 client with IPv6 server

Configuration changes include:

  • Add access-proxy type in firewall.vip6
  • Add firewall.access-proxy6
  • Add firewall.access-proxy(6).api-gateway6
  • Add access-proxy6 in firewall.proxy-policy

720046

Add option to toggle between enabling or disabling policy route updates when a link monitor fails. By disabling policy route updates, a link monitor failure will not cause corresponding policy based routes to be removed.

720136

When configuring a radio in service assurance management (SAM) mode, support is added to configure the client to authenticate with the captive portal. The captive portal match string, success string, and failure string must be specified to automatically detect the authentication success or failure.

720723

The link monitor can configure multiple servers and allow each server to have its own weight setting. If the link monitor is down, it will trigger static route updates and cascade interface updates if the weight of all dead servers exceeds the monitor's fail weight threshold.

721280

New options are added to the SSL/SSH profile to log server certificate information and TLS handshakes. New fields are added to the UTM SSL logs when these options are enabled.

722649

ZTNA can be configured with an SSH access proxy to provide a seamless SSH connection to the server. The advantages of an SSH access proxy over a TCP forwarding access proxy include:

  • Establishing device trust context with user identity and device identity checks

  • Applying SSH deep inspection to the traffic through an SSH related profile

  • Performing optional SSH host key validation of the server

  • Having one-time user authentication to authenticate the ZTNA SSH access proxy and SSH server connections

723178

When a user disconnects from an IPsec VPN tunnel, it is sometimes not desirable for the released IP to be immediately used up in the current first available IP assignment method. A new setting is added to hold an IP for a delay interval in seconds (0 - 28800) before it is released for use. IPs are still assigned by the first available method.

config vpn ipsec phase1-interface
    edit <name>
        set ip-delay-interval <integer>
    next
end

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

477886

Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out.

config system npu
    set prp-port-in <port>
    set prp-port-out <port>
end

489956

Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default).

config system npu
    set lag-out-port-select {enable | disable}
end

Add algorithm in NPU driver for distribution, AGG_ALGORITHM_NPU.

568534

The DHCP snooping server access list allows servers on that list to respond to DHCP requests, while blocking requests to servers that are not on the list. The DHCP server access list feature can be enabled from the VDOM or switch level. Server lists are configured per switch VLAN interface.

VDOM level:

config switch-controller global
    set dhcp-server-access-list {enable | disable}
end

FortiSwitch level:

config switch-controller managed-switch 
    edit <switch>
        set dhcp-server-access-list {global | enable | disable}
    next
end

Interface:

config system interface 
    edit <interface>
        config dhcp-snooping-server-list
            edit <list>
                set server-ip <class_ip>
            next
        end
    next
end

575686

When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself.

613092

Allow SSL VPN to be explicitly enabled or disabled from the GUI and CLI. To connect, SSL VPN must be enabled and the SSL VPN interface must be up.

config vpn ssl settings
    set status {enable | disable}
end

658039

Add CLI option set auto-discovery-shortcut-mode in the OCVPN configuration to control if shortcuts should be torn down when the parent tunnel is down. This option is only available on the primary hub, and is shared with spokes via the cloud.

Setting this option in the OCVPN configuration will cause the generated phase1-interface object to set its auto-discovery-shortcuts option.

config vpn ocvpn
    set auto-discovery-shortcut-mode {independent | dependent}
end

669942

In the scenario where session synchronization is down between two FGSP members that results in a split-brain situations, the IKE monitor provides a mechanism to maintain the integrity of state tables and primary/secondary roles for each gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up, the cluster resolves the role and synchronizes the session and IKE data. During this process, if the IKE fails over from one unit to another, the tunnel will remain valid due to the IKE session and role being out of sync, and the ESP anti-replay detection.

670058

Conventionally, public cloud FortiGate deployments require four NICs (external data processing, internal data processing, heartbeat/synchronization, and HA management). The HA heartbeat and management have been merged into the same interface, so only three NICs are required.

687892

Add replacement message for video filter and show block reason (video category or channel).

config videofilter profile
    edit <profile>
        set replacemsg-group <profile_name>
    next
end

689139

Add shortcuts to various locations in the GUI to help users register their FortiGate to FortiCare. This option is also added to newly authorized Fabric FortiGates.

689931

With NAC LAN segment support, the VLAN segmentation is handled by the FortiSwitch. Devices can maintain the same IP that they initially receive while onboarding. When a NAC policy is matched, the device gets placed into the appropriate VLAN by the FortiSwitch, providing segmentation from other LAN segments.

690671

Filtering PFCP traffic is supported on FortiOS Carrier. PFCP filtering is required to provide security for evolving 4G networks and upcoming 5G networks. PFCP filtering is configured similar to GTP filtering. PFCP message filters and profiles are created and applied in firewall policies.

692529

Enhance MAC authentication bypass so that the MAC authentication status is recorded in authd. The MAC authentication is retired in 10 seconds and is always sent to the portal for HTTP authentication sessions.

696057

Add REST API to retrieve a list of FortiSwitch models that are supported on the FortiGate:

/api/v2/monitor/switch-controller/managed-switch/models

697340

When indoor AP models are placed outdoors, or outdoor AP models are placed indoors, there is an option to override the indoor or outdoor flag. This enables the available channels list to reflect the region based on the AP placement.

697843

On models that have an internal switch that supports modifying the distribution algorithm, enhanced hashing can be used to help distribute traffic evenly across links on the LAG interface. The enhanced hashing algorithm is based on a 5-tuple of the IP protocol, source IP address, destination IP address, source port, and destination port. The computation method can also be specified.

699006

On a FortiCarrier, the new RAT (radio access technology) timeout profile allows users to customize the timeout values for each RAT type. This profile can be applied to GTP profiles to allow GTP tunnel timeout per RAT type (default value is 0 seconds).

699205

Add dynamic firewall address subtype, Switch Controller NAC Policy Tag. This type of address can be assigned to a NAC policy under Switch Controller Action. All device MACs discovered in the NAC policy will be added to the firewall address dynamically.

699226

Add diagnose switch-controller switch-info port-properties [<switch>] [<port>] command to display FortiSwitch port properties, such as PoE power level, connector module form factor, and speed capabilities.

# diagnose switch-controller switch-info port-properties S548DF**********
Switch: S548DF**********
Port: port1
PoE           : 802.3af/at,30.0W
Connector     : RJ45
Speed         : 10Mhalf/10Mfull/100Mhalf/100Mfull/1Gauto/auto

699268

Add realm support on FortiGate SSL VPN client.

config vpn ssl client
    edit <client>
        set realm <string>
    next
end

699456

Increase the generated RSA key bits from 1024 to 2048.

700073

Add a default-action into youtube-channel-filter configuration to apply a default action to all channels when there is no match.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

The default settings are monitor for default-action, and disable for log.

700665

Allow FortiAI to be used with antivirus profiles in proxy inspection mode. FortiAI inspects high-risk files and issues a verdict to the firewall based on how close a file's features match those of malware. When enabled, FortiAI can log, block, or ignore the file based on the verdict.

701033

Support octets and MAC address formats in SNMP engine ID configuration that are defined in RFC-2571.

config system snmp sysinfo
    set engine-id-type {text | hex | mac}
    set engine-id <string, maximum 27 characters>
end

702665

Add support for BGP conditional advertisement for IPv6 on the FortiGate:

config router bgp
    config neighbor
        edit <name>
            config conditional-advertise6
                edit <name>
                    set condition-routemap <string>
                    set condition-type {exist | non-exist}
                next
            end
        next
    end
end

703312

Improve switch controller performance in large topologies.

703900

In an SD-WAN transit routing setup with Google Network Connectivity Center (NCC), you can route data and exchange border gateway protocol (BGP) routing information between two or more remote sites via GCP.

704318

Add SNMP OIDs to query FortiSwitch CPU, memory, and port status via the FortiGate. These objects are added to the FortiOS enterprise MIB 2 tables.

704662

Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. Changes include:

  • Allow upload speed tests to be run from the hub to spokes for dial-up IPsec tunnels.

  • Allow an SD-WAN member on a spoke to switch routes when speed test is being run from the hub to spokes.

  • Allow speed test result to be applied dynamically on dial-up IPsec tunnel interface for egress traffic shaping.

  • Allow traffic shaping profile to be applied on dial-up IPsec tunnel interface on the hub.

  • Add the ability to apply class ID and percentage based QoS settings to individual child tunnels using a traffic shaping policy and profile.

704819

Using the RADIUS attribute Tunnel-Private-Group-Id, a wireless controller can now accept a VLAN name as a string, and match the VLAN sub-interface attached to a VAP interface when dynamically assigning a VLAN. Users logging into an SSID can be dynamically assigned to the proper VLAN based on the VLAN configurations on RADIUS for the particular user.

706491

On FortiClient EMS versions that support push CA certs capability, the FortiGate will push CA certificates used in SSL deep inspection to the EMS server. On the EMS server, the CA certificates can be selected in the managed endpoint profiles so they can be installed on managed endpoints.

707143

NetFlow and SFlow now support using SD-WAN in interface-select-method for selecting the outgoing interface.

config system {netflow sflow vdom-netflow vdom-sflow}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

707388

EMS shares Is_online information with the FortGate, which is used to decide whether the FortiGate will allow the traffic by the ZTNA access proxy policy.

707475

Enhancements for ZTNA logging:

  • Add ZTNA log subtype to UTM logs.

  • Six scenarios will generate allow and deny logs in the new ZTNA category.

  • Add traffic log ID for ZTNA related traffic.

707643

Implement best route mode for SD-WAN rules, including ECMP support for the longest match and the longest match overriding the quality comparison.

708358

Passive health check for SD-WAN can be configured in the GUI from two locations:

  1. Network > SD-WAN > Performance SLA tab: probe mode options are Active, Passive, or Prefer Passive. The disabled option can only be configured in the CLI.

  2. In a Firewall Policy where the destination is a SD-WAN zone, the passive health check option is available. By enabling Passive Health Check in a policy, the TCP traffic for that policy will be used in health check measurements.

709061

In WiFi & Switch Controller > Managed Switch > Topology View, a new Reorder button provides users with the ability to rearrange the order in which the FortiSwitches appear.

709067

Add support for RFC 5709 HMAC-SHA cryptographic authentication for OSPF:

config router key-chain
    edit <name>
        config key
            edit <id>
                set algorithm {md5 | hmac-sha1 | hmac-sha256 | hmac-sha384 | hmac-sha512}
            next
        end
    next
end
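The digest a peer produces and checks under the key-chain setting above, as an added Python example that is not Fortinet's code, following RFC 5709 Section 3.3: it builds a minimal OSPFv2 header with AuType 2, prepares the key as the RFC describes, appends Apad in the digest position and computes the HMAC. Router ID, area ID, key and sequence number are constructed values.

```python
import hashlib
import hmac
import struct

# Hash functions behind the algorithm keywords in the key-chain setting.
ALGOS = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256,
         "hmac-sha384": hashlib.sha384, "hmac-sha512": hashlib.sha512}


def apad(digest_size: int) -> bytes:
    """RFC 5709 Apad: 0x878FE1F3 repeated L/4 times, L = digest length."""
    return bytes.fromhex("878FE1F3") * (digest_size // 4)


def prepare_key(key: bytes, h) -> bytes:
    """Ko per RFC 5709: a key longer than L octets is hashed, a shorter
    one is zero-padded to L. HMAC then zero-pads Ko to the block size."""
    size = h().digest_size
    return h(key).digest() if len(key) > size else key.ljust(size, b"\x00")


def ospfv2_header(pkt_type, router_id, area_id, body_len, key_id, seq, digest_size):
    """24-byte OSPFv2 header with AuType 2 (cryptographic authentication).
    Checksum is 0; the 8-byte authentication field carries key ID, auth
    data length and the cryptographic sequence number, not a password."""
    fixed = struct.pack("!BBH4s4sHH", 2, pkt_type, 24 + body_len,
                        router_id, area_id, 0, 2)
    return fixed + struct.pack("!HBBI", 0, key_id, digest_size, seq)


def rfc5709_digest(algorithm: str, key: bytes, packet: bytes) -> bytes:
    """HMAC over the packet with Apad standing in where the digest will sit."""
    h = ALGOS[algorithm]
    size = h().digest_size
    return hmac.new(prepare_key(key, h), packet + apad(size), h).digest()


def sign(algorithm: str, key: bytes, packet: bytes) -> bytes:
    """Digest is appended after the packet; the OSPF length excludes it."""
    return packet + rfc5709_digest(algorithm, key, packet)


def verify(algorithm: str, key: bytes, frame: bytes) -> bool:
    """Split at the header's packet length, recompute, compare in constant time."""
    size = ALGOS[algorithm]().digest_size
    pkt_len = struct.unpack("!H", frame[2:4])[0]
    if len(frame) != pkt_len + size:
        return False
    packet, digest = frame[:pkt_len], frame[pkt_len:]
    return hmac.compare_digest(rfc5709_digest(algorithm, key, packet), digest)
```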

709090

The FortiWiFi mesh function supports obtaining Fortinet MAC OUI ranges from the FortiGuard MAC address database (MADB), so that leaf FortiAPs with new MAC OUIs can be automatically recognized and allowed.

709104

WANOpt supports SSL offloading of traffic without needing to define an SSL server. The server side FortiGate will re-sign the HTTP server's certificate without needing to configure an SSL server (in both scenarios where an external proxy is and is not used). This enhancement also adds support for GCM and ChaCha ciphers in the SSL connection.

709107

Allow FortiGate to support client certificate authentication used in mTLS communication between client and server. In this communication, clients are issued certificates by the CA. An access proxy configured on the FortiGate may use the new certificate method in the authentication scheme to identify and approve the client certificate provided by the client when it tries to connect to the access proxy. Optionally, the FortiGate may add the HTTP header X-Forwarded-Client-Cert to forward the certificate information to the server.

709108

The TCP forwarding access proxy supports communication between the client and access proxy without SSL/TLS encryption. The connection between the client and access proxy still begins with a TLS handshake. The client uses the HTTP 101 response to switch protocols and remove the HTTPS stack. Further end-to-end communication between the client and server is encapsulated in the specified TCP port, but otherwise not encrypted by the access proxy.

710318

Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability:

  • LDAP Server Identity Check: ensures certificate validation takes place against LDAP server.

710323

Add security rating test in Access Control and Authentication to mitigate against the following high-priority vulnerability:

  • Disable Username Case-Sensitivity Check: ensures users cannot bypass two-factor authentication by using a different case than configured in the user object.

710423

When connecting to FortiAnalyzer in the Security Fabric, the FortiGate displays an Authorize button when the FortiGate has not been authorized on the FortiAnalyzer side. This opens a shortcut to log in to the FortiAnalyzer and approve the FortiGate.

711577

Add warnings to inform users when an installed firmware is not signed by Fortinet. The warning message appears in the CLI when the uploaded firmware fails signature validation, and when logging in to the FortiGate from the GUI. Additional messages are added in various places once a user is logged in to the GUI to remind them of the unsigned firmware.

711868

FortiTester can be added to the Security Fabric and authorized from the Security Fabric topology view. Once added, the FortiTester appears in the dashboard Security Fabric widget, and it can be added to the dashboard as a Fabric device widget.

712102

The REST API can retrieve dynamic information about LTE modems, such as RSSI signal strength, SIM information, data session, and usage levels from 3G and 4G FortiGates.

712304

Support new Google gVNIC interface, which offers improved performance and bandwidth and is required in some VM shapes that are tuned for optimal performance.

712916

SD-WAN zones can be applied in three new ways:

  1. Use the SD-WAN zone in IPv4 and IPv6 static routes.

  2. Use the SD-WAN zone in SD-WAN service rules.

  3. Add a pre-defined SD-WAN zone called SASE.

The following commands are added:

config router {static | static6}
    edit <id>
        set sdwan-zone <string>
    next
end
config system sdwan
    config service
        edit <id>
            set priority-zone <string>
        next
    end
end

The following commands are removed:

config router {static | static6}
    edit <id>
        set sdwan {enable | disable}
    next
end

713011

When a FortiGate has multiple EMS entries configured, instead of querying every EMS server to fetch device information for device certificate validation, add optional EMS server information for WAD device query to fcnacd. This allows fcnacd to direct the query for the device only to the specific EMS.

713535

Sniffer traffic logs from the IPS engine are expanded to 64-bit variable sizes (previously 32-bit for sent/received bytes fields).

713690

Add user count per LDAP group in an Active Directory. When LDAP users log on through firewall authentication, the number of active users per LDAP group is counted and displayed in the Firewall Users view and CLI.

713717

The FortiGate can automatically downgrade to use TLS version 1.2 when there are no proper custom ciphers configured in TLS 1.3 in a server load-balance VIP configuration.

713793

Allow FortiGates to read the Cisco Security Group Tag (SGT) in Ethernet frames and use them as matching criteria in firewall policies. A policy can match based on the presence of an SGT, or the detection of a specific ID or IDs. This feature is available in flow mode policies for virtual wire pair policies or policies in transparent mode VDOMs.

714713

Allow SSL VPN interfaces to be used in zones.

715031

Add option in the SSL VPN web portal profile to disable the use of the copy and paste clipboard in RDP and VNC connections while using web mode.

715100

Allow FortiClient to use a browser as an external user agent to perform SAML authentication for SSL VPN tunnel mode. In prior versions, SAML authentication must be performed within the FortiClient embedded login window. A new setting is added to configure the SAML redirection port upon successful SAML authentication:

config vpn ssl settings
    set saml-redirect-port <port>
end

716453

On KVM, FortiOS can support bootstrapping using a MIME file via config drive.

716683

FIPS CC mode is now supported on OCI and GCP FortiGate VMs.

config system fips-cc
    set status fips-ciphers
end

To enable this feature, all VPNs must be removed.

717579

Add command in the WTP profile to disable console login from the FortiAP:

config wireless-controller wtp-profile
    edit <profile>
        set console-login {enable | disable}
    next
end

All managed APs using this profile will be rebooted and changes will be applied.

717591

For SSIDs in local standalone NAT mode, add the option to define up to three DNS servers to assign to wireless endpoints through DHCP.

717907

Add option in CLI to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost:

config user fsso
    edit <name>
        set logon-timeout <integer>
    next
end

The logon-timeout is measured in minutes (1 - 2880, default = 5).

719581

Allow the FortiGate to use the built-in speed test functionality to dynamically populate egress bandwidth to individual dial-up tunnels from the hub. It allows the speed test results of dial-up tunnels to be cached for reuse when the tunnel is up again.

719764

Allow IPv6 to be configured in several ZTNA scenarios:

  • IPv6 client with IPv6 server
  • IPv6 client with IPv4 server
  • IPv4 client with IPv6 server

Configuration changes include:

  • Add access-proxy type in firewall.vip6
  • Add firewall.access-proxy6
  • Add firewall.access-proxy(6).api-gateway6
  • Add access-proxy6 in firewall.proxy-policy

720046

Add option to toggle between enabling or disabling policy route updates when a link monitor fails. By disabling policy route updates, a link monitor failure will not cause corresponding policy based routes to be removed.

720136

When configuring a radio in service assurance management (SAM) mode, support is added to configure the client to authenticate with the captive portal. The captive portal match string, success string, and failure string must be specified to automatically detect the authentication success or failure.

720723

The link monitor can configure multiple servers and allow each server to have its own weight setting. If the link monitor is down, it will trigger static route updates and cascade interface updates if the weight of all dead servers exceeds the monitor's fail weight threshold.

721280

New options are added to the SSL/SSH profile to log server certificate information and TLS handshakes. New fields are added to the UTM SSL logs when these options are enabled.

722649

ZTNA can be configured with an SSH access proxy to provide a seamless SSH connection to the server. The advantages of an SSH access proxy over a TCP forwarding access proxy include:

  • Establishing device trust context with user identity and device identity checks

  • Applying SSH deep inspection to the traffic through an SSH related profile

  • Performing optional SSH host key validation of the server

  • Having one-time user authentication to authenticate the ZTNA SSH access proxy and SSH server connections

723178

When a user disconnects from an IPsec VPN tunnel, it is sometimes not desirable for the released IP to be immediately used up in the current first available IP assignment method. A new setting is added to hold an IP for a delay interval in seconds (0 - 28800) before it is released for use. IPs are still assigned by the first available method.

config vpn ipsec phase1-interface
    edit <name>
        set ip-delay-interval <integer>
    next
end