
Changes in CLI


Bug ID

Description

735470

The following settings under config firewall vip/vip6 are hidden when NAT46/NAT64 is enabled:

  • http-redirect
  • http-multiplex
  • max-embryonic-connections
  • http-host
  • http-host option for ldb-method

736850

Add the min-allowed-ssl-version option, which lets administrators set the minimum TLS/SSL version the profile accepts (default = TLS 1.1). If the version seen in the ClientHello or ServerHello is below the minimum, the connection is blocked.

The default setting of unsupported-ssl-version changes to block, and the inspect option is removed.

config firewall ssl-ssh-profile
    edit <name>
        config SSL
            set inspect-all deep-inspection
            set unsupported-ssl-version {allow | block}
            set min-allowed-ssl-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3}
        end
    next
end
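The following is an added, illustrative emulation of the min-allowed-ssl-version check; it is not FortiOS code and makes no claim about how the firewall implements the comparison. It parses a TLS ClientHello or ServerHello, derives the version each side commits to, and returns allow or block for a given profile setting. Two assumptions are labelled in the code: for a ClientHello the highest offered version (from the supported_versions extension when present, otherwise the legacy version field) is compared against the minimum, and for a ServerHello the selected version is compared. The hello messages are constructed test input, not captured traffic.

```python
"""Emulation of a min-allowed-ssl-version policy check (added example, not FortiOS code)."""
import struct

# Option names from the ssl-ssh-profile CLI mapped to TLS wire versions.
VERSIONS = {
    "ssl-3.0": 0x0300, "tls-1.0": 0x0301, "tls-1.1": 0x0302,
    "tls-1.2": 0x0303, "tls-1.3": 0x0304,
}
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 extension type


def _is_grease(v):
    # GREASE values (RFC 8701) look like 0x?a?a and must not count as offered versions.
    return (v & 0x0F0F) == 0x0A0A


def parse_hello(record):
    """Return (handshake_type, effective_version) for one TLS handshake record.

    Assumption: ClientHello -> highest version offered (supported_versions, else legacy field);
    ServerHello -> selected_version from supported_versions, else legacy field.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    legacy_version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                                  # skip client/server random
    sid_len = hs[pos]; pos += 1 + sid_len         # session_id
    if hs_type == 1:
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
        cm_len = hs[pos]; pos += 1 + cm_len                                  # compression_methods
    else:
        pos += 2 + 1                              # cipher_suite + compression_method
    effective = legacy_version
    if pos < len(hs):                             # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            edata = hs[pos:pos + elen]; pos += elen
            if etype != SUPPORTED_VERSIONS_EXT:
                continue
            if hs_type == 1:
                n = edata[0]
                offered = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
                offered = [v for v in offered if not _is_grease(v)]
                if offered:
                    effective = max(offered)
            else:
                effective = struct.unpack("!H", edata[0:2])[0]
    return hs_type, effective


def check_min_version(record, min_allowed="tls-1.1"):
    """Apply the policy; the default mirrors the page's TLS 1.1 default."""
    _, version = parse_hello(record)
    return "allow" if version >= VERSIONS[min_allowed] else "block"


def build_client_hello(legacy_version, supported_versions=()):
    """Construct a minimal ClientHello (constructed test input)."""
    exts = b""
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(lst) + 1, len(lst)) + lst
    hs = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty session_id
    hs += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"          # one cipher suite, null compression
    hs += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


def build_server_hello(legacy_version, selected_version=None):
    """Construct a minimal ServerHello (constructed test input)."""
    ext = b""
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
    hs = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + b"\xc0\x2f\x00"
    hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    # A TLS 1.3 client is allowed under tls-1.2; a TLS 1.1-only client is blocked.
    print(check_min_version(build_client_hello(0x0303, [0x0304, 0x0303]), "tls-1.2"))
    print(check_min_version(build_client_hello(0x0302), "tls-1.2"))
```

Note that a TLS 1.3 ClientHello carries 0x0303 in its legacy version field and advertises 1.3 only in supported_versions, which is why a check that reads the legacy field alone would misclassify modern clients. Since TLS 1.0 and 1.1 are deprecated by RFC 8996, raising the minimum to tls-1.2 on new deployments is the usual choice; the page's default of tls-1.1 still admits TLS 1.1.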

738151

Previously, the SSL certificate options for VIP access proxy configurations included CA certificates. Selecting a CA certificate caused an ERR_SSL_KEY_USAGE_INCOMPATIBLE error in the browser because a CA certificate is not a server certificate.

Now, the CLI filters out certificates that do not exist, are CA certificates, or are otherwise invalid.

Existing configurations whose selected certificate is filtered out are upgraded to use the default FORTINET_SSL certificate.

749250

Add a setting for the IPv4 reachable time (previously only IPv6 was supported).

config system interface
    edit <name>
        set reachable-time <integer>
    next
end

The IPv4 reachable time is measured in milliseconds (30000 - 3600000, default = 30000).

751346

Allow IPv6 DNS server override to be set when DHCPv6 prefix delegation is enabled.

config system interface
    edit <name>
        config ipv6
            set ip6-mode static
            set dhcp6-prefix-delegation enable
            set ip6-dns-server-override enable
        end
    next
end

753631

Add an option to configure H323/RAS direct model traffic.

config system settings
    set h323-direct-model {enable | disable}
end

The setting is disabled by default (the wide-open pinhole is closed); however, when upgrading from an older version, the setting is enabled to preserve the previous behavior. After an upgrade, review this setting and disable it explicitly if direct-model H.323 traffic is not required, since the upgrade keeps the pinhole open.
