Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed:

config system virtual-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

config system physical-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

When configuring an SSID in bridge mode, users can select individual security profiles instead of a security profile group. This applies to models in the FAP-U series that can perform UTM on the FortiAP itself.

When defining the FortiPresence server for location based services, allow the server address entry to be configured as an FQDN.

Add interface selection for IPS TLS protocol active probing.

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

FortiOS Carrier now has the ability to set up, monitor, and filter messages, as well as manipulate a GTP tunnel on an S10 interface based on mobility management messages defined in 3GPP TS 29.274 section 7.3. It adds the capability for carrier customers to manipulate GTP tunnels and perform message filtering when deployed in inter-LTE/MME handover scenario.

Add SoC4 driver support for the IEEE 802.1ad, which is also known as QinQ. When the OID is used up, it is forbidden to create a new QinQ interface.

Add support for IGMP snooping proxy to be configurable per VLAN. For each VLAN with IGMP snooping proxy enabled, an IGMP snooping querier can also be configured per VLAN for a selected managed switch.

Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged in to an SFP port. The management of the DSL transceiver includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrades of the module, and reset the module. Supported VDSL profiles: 8a, 8b, 8c, 8d, 12a, 12b, 17a, and 30a. Supported platforms: FG-80F, FG-81F, FG-80F-BP, FGR-60F, and FGR-60F-3G4G.

The new Asset Identity Center page unifies information from detected addresses, devices, and users into a single page, while building a data structure to store the user and device information in the backend. Asset view groups information by Device, while Identity view groups information by User. When hovering over a device or a user in the GUI, it is possible to perform different actions relevant to the object, such as adding a firewall device address, adding an IP address, banning the IP, quarantining the host, and more.

Add options to enable caching infected scan results and cleaning scan results in AV stream-based scans to help detect malware in oversized archives when downloads are interrupted. Cached traffic is released after five minutes.

config antivirus settings
    set cache-infection-result {enable | disable}
    set cache-clean-result {enable | disable}
end

The MTU of an IPv6 tunnel interface will be calculated from the MTU of its parent interface minus headers.

Add a default-action into youtube-channel-filter configuration to apply a default action to all channels when there is no match.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

The default settings are monitor for default-action, and disable for log.

LAN extension is a new configuration mode on the FortiGate that allows FortiExtender to provide remote thin edge connectivity back to the FortiGate over a backhaul connection. A FortiExtender deployed at a remote location will discover the FortiGate access controller (AC) and form an IPsec tunnel (or multiple tunnels when multiple links exists on the FortiExtender) back to the FortiGate. A VXLAN is established over the IPsec tunnels to create an L2 network between the FortiGate and the network behind the remote FortiExtender.

Add switch-recommendations command to check the firmware used in the managed switches in order to make a recommendation on which tunnel mode to use:

execute switch-controller switch-recommendations tunnel-mode-settings <FortiLink interface>

Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged in to a FortiSwitch port being managed through FortiLink. The management of the DSL transceiver and the FortiSwitch port includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrades of the module, and reset the module. A FortiSwitch running in standalone mode does not support programmability of the DSL module. Supported platforms: FG-60F and FG-40F-3G4G.

Allow customers to send Fortinet system log entries to external TACACS+ accounting servers. Up to three external TACACS+ servers can be configured, each with different filters for log events. These filters include TACACS+ accounting for login events, configuration change events, and CLI command audits.

The Fabric Management page allows administrators to manage the firmware running on each of the FortiGate, FortiAP, and FortiSwitch devices in the Security Fabric. A Fabric Upgrade can be performed either immediately or during a scheduled time. Administrators can choose a firmware from FortiGuard that the Fabric member will download directly to upgrade.

Support FQDN address type in ZTNA access proxy real servers configurations.

Add warnings to inform users when an installed firmware is not signed by Fortinet. The warning message appears in the CLI when the uploaded firmware fails signature validation, and when logging in to the FortiGate from the GUI. Additional messages are added in various places once a user is logged in to the GUI to remind them of the unsigned firmware.

IPAM (IP address management) is now available locally on the FortiGate. A standalone FortiGate or a Fabric root in the Security Fabric can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, with the address range also populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.

The following setting for FortiIPAM has been moved:

config system global
    set fortiipam-integration {enable | disable}
end

To:

config system ipam
    set status enable
    set server-type cloud
end

Add user count per LDAP group in an Active Directory. When LDAP users log on through firewall authentication, the active users per LDAP group is counted and displayed in the Firewall Users view and in the CLI.

Add HA uninterruptible upgrade option that allows users to configure a timeout value in minutes (1 - 300, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

Add option to enable NAT64 and NAT46 for security policy in NGFW policy mode.

The dedicated management CPU feature ensures that CPU 0 is only used for management traffic. This feature, which was previously available for 2U models and higher, is extended to 1U models.

Add support for the recently released Wi-Fi Alliance Hotspot 2.0 Release 3 specifications. The release version can now be configured in the wireless controller hotspot profile.

Support for RFC 7606 extends BGP error handling for malformed attributes in UPDATE messages. Instead of only using the session reset approach from the base BGP specifications, the FortiGate will also use the treat-as-withdraw approach and the attribute discard approach specified in RFC 7606.

The dstuser field added to UTM logs records the username of a destination device when that user has been authenticated on the FortiGate.

Add the ability to specify EU servers as the location to send FortiGuard updates and queries. This option can be toggled from the GUI under System > FortiGuard > FortiGuard Updates, or from the CLI:

config system fortiguard
    set update-server-location {automatic | us | eu }
end

Support configuration save (workspace) mode in the GUI. When in workspace mode, setting changes are saved to the memory and take effect right away as normal. However, setting changes are not saved to the flash until committed. If the device is rebooted, uncommitted configuration changes will be reverted. The Revert upon timeout setting can be enabled, which automatically reboots the device after the configured timeout and reverts configuration changes back to the previous save point.

Three new web filter categories have been added to the FortiOS and FortiGuard servers: URL shortening (97), crypto mining (98), and potentially unwanted program (99).

Location based services (LBS) information of associated and unassociated wireless stations can be retrieved through the REST API.

Endpoint posture changes trigger active ZTNA proxy sessions to be re-verified and terminated if the endpoint is no longer compliant to the ZTNA policy. The FortiGate monitors changes to endpoint tags that are updated by EMS through the fcnacd process. When a change is detected, active ZTNA sessions for the endpoint must match the ZTNA policy again before data can pass.

As of 7.0.1, IPv6 can be configured in ZTNA in the following scenarios:

• IPv6 client with IPv6 server
• IPv6 client with IPv4 server
• IPv4 client with IPv6 server

Configuration changes:

• Add access-proxy type in config firewall vip6
• Add config firewall access-proxy6
• Add config firewall access-proxy(6) > config api-gateway6
• Add access-proxy6 in config firewall proxy-policy

As of 7.0.2, IPv6 can be configured in GUI in the ZTNA Server settings:

• The server IP Type can be selected when creating a new server.
• When IPv6 is enabled, the ZTNA server table will have multiple sections for IPv4 and IPv6 servers.
• Server service mappings can now be selected as either IPv4 or IPv6.
• TCP forwarding now contains IPv6 addresses.

GTP sessions state synchronization for FortiOS Carrier is now extended to FGSP over FGCP clusters. This allows session synchronization for FGCP clusters across different sites in the same FGSP peer group, enhancing customer network's local redundancy and geo redundancy.

When specifying ZTNA tags in a ZTNA rule, it is now possible to use the logical AND for tag matching. When Match ZTNA tags is configured to All, the client must match all the tags. When Match ZTNA tags is configured to Any, the client can match any of the tags.

Support subscription-based VDOM licensing for FG-VM S-series using the new stackable subscription-based SKU.

New ciphers have been added in FIPS ciphers mode on FortiGate VMs so that cloud instances running this mode can form IPsec tunnels with hardware models running FIPS-CC mode.

Added to IPsec phase 1:

• aes128-sha256

• aes128-sha384

• aes128-sha512

• aes256-sha256

• aes256-sha384

• aes256-sha512

Added to IPsec phase 2:

• aes128-sha256

• aes128-sha384

• aes128-sha512

• aes256-sha256

• aes256-sha384

• aes256-sha512

Add FortiAP auto firmware provisioning option on the WiFi Settings page to allow for a federated upgrade of a FortiAP upon discovery and authorization by the WiFi controller. FortiAP will be upgraded to the latest firmware from FDS, if the FortiGate has the available FDS service contract.

User fields in logs can be anonymized by generating a hash based on the user name and salt value with the set anonymization-hash option.

config log setting
    set user-anonymize enable
    set anonymization-hash <string> 
end

Introduce an MSRP (Message Session Relay Protocol) decoder in the IPS engine to scan for IPS signatures against the application data. Malicious payload in the text message can be blocked. Both VoIP and IPS profiles must be configured in the firewall policy, and the inspection mode must be flow.

Increase the number of HA group IDs to 1024, and extend the HA virtual MAC address range to support 1024 groups. Groups 0-255 will use the same VMACs as before, but groups 256-1023 will use VMAC addresses with the prefix e0:23:ff:fc.

The FortiGate LAN extension controller can push out a bandwidth limit to the FortiExtender thin edge. The limit will be enforced on the FortiExtender side using traffic shaping.

Support external browser-based SAML authentication for ZTNA policies. Add SAML redirect option to enable redirection after successful SAML authentication.

Previously, estimated-downstream-bandwidth and ingress-shaping-profile needed to be configured to use the ingress traffic shaping feature work. Now, estimated-downstream-bandwidth changed to inbandwidth.

Add WebSocket enhancements to allow users to subscribe to and listen to configuration table changes from the GUI. New alerts are added to notify users to reload the page when configuration changes occur on the page.

When querying a FortiExtender or LTE-modem through the FortiGate REST API, GPS coordinates are now included in the response.

Add action-type cli-script attribute to config system automation-action for CLI scripts to execute on all FortiGates in the Security Fabric.

Add option to perform server identity check for FSSO SSL/TLS connection. The server FQDN or IP must match the SAN field in the collector agent certificate. If no SAN field is present, the IP must match the IP in the certificate's CN field.

config user fsso
    edit <FSSO server>
        set server <FQDN or valid IP>
        set ssl-server-host-ip-check {enable | disable}
    next
end

Add support for FortiMonitor to join the Security Fabric. When a FortiMonitor joins the Fabric, it appears in the FortiGate's Fabric topology and can be authorized from there.

Add commands to lock down ISL/ICL links between FortiSwitches so that they become static configurations:

• execute switch-controller switch-recommendations fabric-lockdown-check
• execute switch-controller switch-recommendations fabric-lockdown-disable
• execute switch-controller switch-recommendations fabric-lockdown-enable

This adds stability during events such as cable disconnection or power outages.

When a FortiGate is in NAT mode, a VLAN tag with a drop eligible indicator (DEI) bit set resets to 0 after passing through the FortiGate.

Add wireless controller syslog profile that enables APs to send logs to the syslog server configured in the profile.

Add support for advertising vendor specific elements over beacon frames containing information about the FortiAP name, model, and serial number. This allows wireless administrators doing site surveys to easily determine the coverage area of an AP.

The certificate wizard helps administrators add local certificates either by provisioning them through ACME, generating them using the self-signed Fortinet_CA_SSL CA certificate, or importing a server certificate signed by a public or private CA. When generating a new certificate on the SSL-VPN Settings page, the Common name and Subject alternate name (SAN) fields are pre-filled with the address from the SSL VPN listening interface.

When a FortiAP is connected to a switch port with 802.1x authentication enabled, the FortiAP can be configured to act as an 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS, or EAP-PEAP.

Extend passive health measurement to support passive detection per internet service/application. If internet services/applications are defined in an SD-WAN rule with a passive health check, the SLA information per internet service/application will be differentiated and collected. Then, the SLA metrics (latency, jitter, and packet loss) on each SD-WAN member in this rule will be calculated based on relevant internet services/applications SLA information.

config system sdwan
    config service
        edit <id>
            set passive-measurement {enable | disable}
        next
    end
end

This feature is disabled by default.

Add the ability to authenticate wireless clients using MAC authentication and MPSK against a RADIUS server. Instead of statically storing the MPSK passphrases on the FortiGate, they can be passed from the RADIUS server dynamically when the client MAC is authenticated by the RADIUS server. The result passphrase will be cached on the FortiGate for future authentication, with a timeout configured per VAP.

config wireless-controller vap
    edit <name>
        set radius-mac-auth enable
        set radius-mac-auth-server <server>
        set mpsk-profile <profile>
        set radius-mac-mpsk-auth enable
        set radius-mac-mpsk-timeout <integer>
    next
end

Adaptive Forward Error Check (FEC) improves upon the previous FEC mechanism in many ways. While the previous FEC mechanism always sends out x number of redundant packets for every y number of base packets, adaptive FEC takes link conditions into consideration and adaptively adjusts the FEC packet ratio. FEC can be configured to apply to only certain streams that are sensitive to packet loss to reduce unnecessary bandwidth. Since FEC does not support NPU offloading, being able to specify streams and policies that do not require FEC allows that traffic to be offloaded.

ECDSA (Elliptic Curve Digital Signature Algorithm) is now supported in SSH administrative access. Administrative users can connect using an ECDSA key pair or ECDSA based-certificate.

On the NAC Policy configuration page, specifying FortiSwitch groups is now supported. Previously, individual FortiSwitches had to be specified. The CLI command to specify individual switches is now updated to specify switch groups.

Add 100 Mbps transceiver support for FGR-60F and FGR-60F-3G4G.

Add DNS dashboard widget that shows latency to configured and dynamically retrieved DNS servers.

When the FortiGate LAN extension controller is behind a NAT device, remote thin edge FortiExtenders must connect to the FortiGate via a backhaul address. This is an address on the upstream NAT device that forwards traffic to the FortiGate. It can be configured as an IP or FQDN on the FortiGate extender profile. When the default IKE port 500 is not accessible, it is possible to configure a custom IKE port on the FortiExtender and FortiGate.

Add REST APIs to close multiple IPv4 or IPv6 sessions at once (previously, only a single session could be closed each time):

• POST https://<FortiGate IP>/api/v2/monitor/firewall/session/close-multiple
• POST https://<FortiGate IP>/api/v2/monitor/firewall/session6/close-multiple
• POST https://<FortiGate IP>/api/v2/monitor/firewall/session6/close-all

Supply better heartbeat timing information to the auto-scale callback URL. Previously, the auto-scale heartbeat request made to the auto-scale callback URL did not contain a timestamp or sequence number. This information was estimated in the cloud function called by the callback URL, but the cloud function platform's timing was not as reliable as initially expected.

Configuring SAML single sign-on configurations can now be done from the GUI under User & Authentication > User Groups. The new GUI wizard helps generate the SP URLs based on the supplied SP address. The created SAML object can also be selected when defining a new user group.

Support configuring 802.11ax specified VAP data rates from the FortiGate wireless controller in order to cover 802.11ax data rates and modulation schemes that 802.11ac does not support.

It is now possible to configure auto-BSS coloring from the FortiGate wireless controller so that the FortiAP radios to automatically change colors when BSS coloring conflicts are detected. The new setting is set to auto by default.

config wireless-controller wtp-profile
    edit <profile>
        config <radio>
            set bss-color-mode {auto | static}
        end
    next
end

Allow administrators to select which ciphers to use for TLS 1.3 in HTTPS connections, and which ciphers to ban for TLS 1.2 and below.

config system global
    set admin-https-ssl-ciphersuites {<option1>}, [<option2]>, ...
    set admin-https-ssl-banned-ciphers {<option1>}, [<option2>], ...
end

Isolate the CPUs used by the DPDK engine from being used by other services in order to improve DPDK performance. This excludes processes that have affinity explicitly configured.

config dpdk cpus
    set isolated-cpus <CPU_IDs or range>
end

Add fields in the custom OVF template for License Token and Configuration URL to allow users to input a Flex VM token code and a web URL where a bootstrap configuration for the FortiGate is stored.