New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

366327

Add uncompressed/compressed parameter for execute backup disk log ftp command to upload uncompressed log files to an FTP server. An FTP PUT file callback is used to decompress LZ4 log data to text in the memory and send it to the server for storage.

  • # execute backup disk alllogs ftp <IP_address> <username> <password> <compressed | uncompressed>
  • # execute backup disk log ftp <IP_address> <username> <password> <log_type> <compressed | uncompressed>

648609

Add HA support for multiple ACI clusters for Cisco ACI external SDN connector VMs. The multiple IPs in the Cisco ACI external SDN connector VM configuration allow the FortiGate to connect to SDN connector VMs in the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active, and the remaining ones serve as backups if the active one fails.

config system sdn-connector
    edit "ACI-1"
        set type aci
        set server-list "10.105.152.96" "10.105.152.97" "100.101.1.98"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "ACI-2"
        set type aci
        set server-list "20.105.152.91" "20.105.152.92" "40.111.1.3"
        set server-port 5671
        set username "admin"
        set password **********
    next
end

ACI-1 and ACI-2 are different ACI clusters. They each have multiple SDN connector VMs in synchronization. Each firewall address can point to either ACI-1 or ACI-2.

655389

Add IPv6 options for SSH client in the CLI.

# execute ssh6-options {interface <outgoing_interface> | reset | source6 <source_IPv6_interface> | view-settings}

675164

Add support for WPA3 encryption on local radios of all FortiWiFi F-series models. These models can now support security modes WPA3-SAE, WPA3-OWE, and WPA3-Enterprise.

691337

Allow a GCP SDN connector to have multiple projects attached to it. Previously, a GCP SDN connector could be associated with only one project and there was a limit of 256 SDN connectors, so users could add a maximum of 256 projects to the FortiGate. A single GCP SDN connector can now have thousands of projects attached to it.

Add support for dynamic address filters based on project name and zones:

config system sdn-connector
    edit <name>
        set type gcp
        config gcp-project-list
            edit <name>
                set gcp-zone-list <name_1> <name_2> ... <name_n>
            next
        end
    next
end

GUI changes:

  • Add buttons to switch between Simple and Advanced project configurations. The simple configuration displays a single text field to add one project to the GCP SDN connector.
  • The advanced configuration displays an editable table for users to add multiple projects to the GCP SDN connector. Adding a project opens a slide-out pane to specify the project name and zones.
  • A confirmation slide-out pane appears when switching from advanced to simple to warn about projects being deleted from the GCP SDN connector.
  • A tooltip on the GCP SDN connector card shows the list of projects, and the filter list of GCP dynamic addresses shows the project and zones.

696871

Allow SSL VPN web portals to be defined in the ZTNA access proxy settings. The ZTNA access proxy handles the user and device authentication, posture check, and establishes the HTTPS connection between the end user and the access proxy. Then it forwards the user to the web portal where they can use pre-defined bookmarks to access internal and external resources.

711577

Add warnings to inform users when an installed firmware is not signed by Fortinet. The warning message appears in the CLI when the uploaded firmware fails signature validation, and when logging in to the FortiGate from the GUI. Additional messages are added in various places once a user is logged in to the GUI to remind them of the unsigned firmware.

717947

FortiGuard outbreak alerts, which identify outbreaks of security incidents and exploits, are now included as Security Rating posture checks. This helps provide information and remediation methods within the Security Rating module to protect the network from the exploits and attacks.

718332

In the previous DARRP implementation, channel bandwidth was not considered. DARRP now also considers the radio bandwidth in its channel selection, adding support for 40, 80, and 160 MHz channel bandwidths.

720539

Support SMB for ZTNA TCP forwarding.

720687

Add VLAN switch support on FG-20xF.

721285

Add a FortiAP auto firmware provisioning option on the WiFi Settings page to allow for a federated upgrade of a FortiAP upon discovery and authorization by the WiFi controller. The FortiAP is upgraded to the latest firmware from FDS if the FortiGate has the required FDS service contract.

726974

Support UPN format for the user when adding it to an HTTP header.

config web-proxy profile
    edit "AddUPNHeader"
        set log-header-change enable
        config headers
            edit 1
                set name "X-Authenticated-User"
                set content "$user"
            next
            edit 3
                set name "X-Authenticated-UPN"
                set content "$upn"
            next
            edit 2
                set name "X-Authenticated-Domain"
                set content "$domain"
            next
        end
    next
end

727514

Enhance the System > Fabric Management to include the ability to authorize and register Fabric devices, and display the FortiCare registration status and device type.

727890

Improve communication between FortiOS and FortiClient EMS with more efficient queries that request incremental updates. Retrieved device information can be written into the FortiGate's FortiClient NAC daemon cache. This increases ZTNA scalability to support up to 50,000 concurrent endpoints. This feature requires FortiClient EMS 7.0.3 or later with the common-tags-api capability.

728915

Add REST API events log subtype to log POST, PUT, DELETE, and GET REST API requests.

config log setting
    set rest-api-set enable
    set rest-api-get enable
end

730337

Add the following ZTNA enhancements to FortiView and the log view:

  • Add FortiView ZTNA Servers monitor, which includes options to drill down by Sources, Rules, Real Servers, and Sessions.
  • Add context menu shortcuts on the ZTNA Rules and ZTNA Servers tabs to redirect to the FortiView and log view pages.
  • Replace Log & Report > ZTNA page with Log & Report > ZTNA Traffic page. ZTNA logs now have a traffic type and ZTNA subtype.
  • Add fields to ZTNA traffic logs.

731720

Add wireless controller syslog profile, which enables APs to send logs to the syslog server configured in the profile.

731721

Add support for advertising vendor specific elements over beacon frames containing information about the FortiAP name, model, and serial number. This allows wireless administrators doing site surveys to easily determine the coverage area of an AP.

732010

When a FortiAP is connected to a switch port with 802.1x authentication enabled, the FortiAP can be configured to act as an 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS, or EAP-PEAP.

735929

Add REST API in both FortiNAC and FortiGate that is used by FortiNAC to send user logon/logoff information to the FortiGate. A new dynamic firewall address type (FortiNAC tag) is added to FortiOS, which is used to store the device IP, FortiNAC firewall tags, and FortiNAC group information sent from FortiNAC via the REST API when user logon/logoff events are registered.

The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated. For upgrade support, the FSSO FortiNAC user type can still be configured from the CLI.

738640

Add 100 Mbps transceiver support for FGR-60F and FGR-60F-3G4G.

739145

Federated upgrade for managed FortiSwitches allows a newly authorized FortiSwitch to be upgraded to the latest supported version automatically. The latest compatible FortiSwitch firmware is downloaded from FortiGuard without needing user intervention.

config switch-controller managed-switch
    edit <id>
        set fsw-wan1-peer <interface>
        set fsw-wan1-admin enable
        set firmware-provision-latest {once | disable}
    next
end
config switch-controller global
    set firmware-provision-on-authorization {enable | disable}
end

If firmware-provision-on-authorization is set to enable, firmware-provision-latest will be set to once automatically when the FortiSwitch administrative status (fsw-wan1-admin) is enabled.

When the FortiSwitch connection status becomes authorized or up, a one-time upgrade to the latest compatible firmware version starts if firmware-provision-latest is set to once.

A FortiSwitch can connect to multiple VDOMs, and it will be upgraded through any VDOM that it is authorized in.

739170

Add settings on Network > Interfaces page to configure DSL interfaces and associated DSL settings.

739173

This enhancement improves upon BGP conditional advertisement by allowing multiple conditions to be used together. The conditional route map entries are combined with an AND operator.

When the condition-type is exist:

  • If the conditional route map matches, then the advertised route map will apply.
  • If the conditional route map does not match, then the advertised route map will not apply.

When the condition-type is non-exist:

  • If the conditional route map matches, then the advertised route map will not apply.
  • If the conditional route map does not match, then the advertised route map will apply.

739740

Add a map of FortiSwitch model prefixes to full model names, and update the GUI to use these full model names on the Managed FortiSwitches page. For example, in previous versions the Model displayed for a FortiSwitch would be FS1D24, and now it is displayed as FortiSwitch 1024D.

739882

Allow configurations pushed from FortiManager to edit tags, FortiClient EMS certificate fingerprints, and FortiClient EMS capabilities.

FortiManager sourced changes to the following tables/attributes are allowed:

  • endpoint.fctems:capabilities
  • endpoint.fctems:certificate-fingerprint
  • firewall.address:address of type ems-tag

740525

Add support for multiple DARRP profiles to assign different DARRP settings and optimization schedules to different sets of APs.

740774

Previously, users could be assigned to VLANs dynamically according to the RADIUS attribute Tunnel-Private-Group-Id returned from the Access-Accept message. The value can either match a particular VLAN ID or a VLAN interface name. A third option is now added to match based on a VLAN name table defined under the virtual AP.

741715

Add option to allow administrators to enable or disable FFDHE groups for VIP SSL key share.

config firewall vip
    edit "access-proxy"
        set type access-proxy
        set ssl-accept-ffdhe-groups {enable | disable}
    next
    edit "server-load-balance"
        set type server-load-balance
        set ssl-accept-ffdhe-groups {enable | disable}
    next
end

742162

License enforcement on downstream devices by:

  • Supporting the CSF REST API via a FortiGate Cloud (FGC) tunnel from the root to downstream devices and vice-versa.
  • Restricting create, edit, and delete permissions when accessing devices without a subscription from the FortiGate Cloud portal.
  • Adding the ability to re-run notifications when switching via the CSF FortiGate chooser dropdown.
  • Showing read-only access notifications when users switch to a downstream device without a paid subscription from the FortiGate Cloud portal.

742364

Add options to increase flexibility in controlling how the FortiGate's routing engine resolves the BGP route's next hops.

config router bgp
    set tag-resolve-mode {disable | preferred | merge}
end

The preferred option uses a tag match if BGP route resolution with another route containing the same tag is successful.

The merge option merges the tag match with the best match if they use different routes. The result excludes the next hops of tag matches whose interfaces have already appeared in the best match.

743766

A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When the FortiCloud account enforcement is enabled (by default), members joining the Fabric must be registered to the same FortiCloud account. Devices that are not activated with FortiCloud are also allowed.

A new FortiGate Cloud Event Handler automation trigger is available. The Compromised Host trigger can be used for IOC events detected in FortiGate Cloud. Both triggers require a FortiGate Cloud log retention license.

749939

Allow FortiExtender to be managed and used in a non-root VDOM. Previously, FortiExtender could only be used in the root VDOM.

745135

Provide three sizes of internet service databases and an option to choose between full, standard, and mini databases. The FortiGate 30 and 50 series can only configure the mini size.

config system global
    set internet-service-database {mini | standard | full}
end

745240

Add a maximum field for each resource in get system performance status and improve average value accuracy by rolling over samples immediately when queried.

Extend api/v2/monitor/system/resource/usage to include new maximum, minimum, and average fields for each resource.

745590

Add user configuration clock skew tolerance for SAML users.

config user saml
    edit <name>
        set clock-tolerance <integer>
    next
end

The clock skew tolerance is set in seconds (0 - 300, default = 15, 0 = no tolerance).
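The check below is an added example (not FortiOS code) of what a clock skew tolerance means when validating a SAML assertion's Conditions element: the NotBefore and NotOnOrAfter timestamps are compared against the local clock widened by the configured tolerance, so that a few seconds of drift between the IdP and the SP does not reject an otherwise valid assertion. The function names, the constructed assertion snippet and the use of the standard library XML parser are assumptions for illustration; the 0 - 300 second range and the default of 15 follow the text above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Default and range match the clock-tolerance setting described above.
DEFAULT_CLOCK_TOLERANCE = 15
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_saml_time(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    if value.endswith("Z"):                     # older Pythons do not accept a bare 'Z'
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:                   # SAML times are UTC; reject naive values
        raise ValueError("SAML timestamps must carry a timezone")
    return parsed


def conditions_from_assertion(xml_text):
    """Return (NotBefore, NotOnOrAfter) attribute strings from a SAML Assertion.

    Hypothetical helper: a production validator should use a hardened XML
    parser and verify the assertion signature before trusting these values.
    """
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return cond.get("NotBefore"), cond.get("NotOnOrAfter")


def assertion_time_valid(not_before, not_on_or_after, now,
                         tolerance=DEFAULT_CLOCK_TOLERANCE):
    """Apply the validity window with the given skew tolerance in seconds.

    Returns (ok, reason). A tolerance of 0 means the window is applied exactly.
    """
    if not 0 <= tolerance <= 300:
        raise ValueError("clock-tolerance must be between 0 and 300 seconds")
    skew = timedelta(seconds=tolerance)
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid: NotBefore is in the future"
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired: NotOnOrAfter has been reached"
    return True, "ok"


# Constructed sample assertion; the IdP clock is 10 seconds ahead of ours.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">'
    '<saml:Conditions NotBefore="2024-01-01T12:00:10Z" '
    'NotOnOrAfter="2024-01-01T12:05:10Z"/>'
    '</saml:Assertion>'
)


def check_sample(tolerance=DEFAULT_CLOCK_TOLERANCE):
    """Validate the constructed assertion against a fixed local clock."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    nb, noa = conditions_from_assertion(SAMPLE_ASSERTION)
    return assertion_time_valid(nb, noa, now, tolerance)


if __name__ == "__main__":
    print("tolerance 15:", check_sample(15))   # accepted despite 10 s of drift
    print("tolerance 0: ", check_sample(0))    # rejected: NotBefore not reached
```

With the default tolerance the assertion is accepted even though the IdP stamped it 10 seconds in the future; with the tolerance set to 0 the same assertion is rejected, which is the behaviour to expect on FortiGates whose clocks are not NTP-synchronized with the IdP.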

746496

Optimize broadcast and multicast suppression over SSID tunnel mode across the FortiAP network.

747602

Allow customization of RDP display size (width and height settings) for SSL VPN web mode when creating a new connection or bookmark. Administrators can also specify the display size when pre-configuring bookmarks.

747640

Support Q-in-Q (802.1Q in 802.1Q) for FortiGate-VMs.

749070

The execute fortitoken-cloud migrate-ftm <license> <vdom> command allows the migration of FortiToken Mobile users from FortiOS to FortiToken Cloud. The FortiToken Cloud account must be using a time-based subscription license. A request must be made to Fortinet Customer Service to initiate and pre-authorize the transfer. All current active FortiToken Mobile users will be migrated to the FortiToken Cloud license with no changes to the FortiToken Mobile serial number. The FortiOS user or administrator's two-factor setting is automatically converted from fortitoken to fortitoken-cloud. After migration, end users will be able to authenticate as before without any changes to their FortiToken mobile app.

749283

When creating a new virtual AP in WPA2 Personal mode or WPA3 SAE Transition, administrators can apply Multiple PSK mode and enable/disable RADIUS MAC authentication from the GUI.

749895

The network-import-check option in BGP can now be configured per prefix, in order to override the setting configured at the global BGP level.

749917

Add option in ZTNA deny policy to display a block notification when a client is blocked instead of silently dropped (default = disable).

config firewall proxy-policy
    edit <id>
        set proxy access-proxy
        set block-notification {enable | disable}
    next
end

749981

Allow the AWS SDN connector to use the AWS security token service (STS) API to connect to multiple AWS accounts concurrently. This allows a single AWS SDN connector to retrieve dynamic objects from multiple accounts, instead of needing to create an SDN connector for each account.

config system sdn-connector
    edit "aws1"
        config external-account-list
            edit "arn:aws:iam::6*******5494:role/CrossAccountSTS"
                set region-list "us-west-1" "us-west-2"
            next
            edit "arn:aws:iam::9*******1167:role/CrossAccountSTS"
                set region-list "us-west-1" "us-west-2"
            next
        end
    next
end

749982

Support activation of FortiFlex when connecting to the internet using a web proxy.

# execute vm-license <token> http://user:pass@proxyip:proxyport

750319

Support UTM scanning and deep inspection for mail protocols SMTP, IMAP, and POP3 in ZTNA TCP forwarding access proxy.

750702

Add support for FQDN in ZTNA TCP forwarding. A wildcard domain name can be configured in the TCP forwarding access proxy using the domain option under the real server settings. When a domain name request arrives, the domain in the request is matched against the configured domain.

If there is a match, a DNS request is made and the destination of the request is the resolved IP. If there is no match, a DNS request is made and the resolved IP is matched against the configured real server's IP.

750902

Introduce real-time FortiView monitors for Proxy Sources, Proxy Destinations, and all Proxy Sessions. Proxy policy sessions are no longer shown in FortiView Policies and FortiView Applications.

750931

Enhance the GUI to differentiate between UTM-capable and UTM-incapable FortiAP models.

  • SSIDs page: a warning icon appears when enabling Security Profiles, indicating that the profile can only be applied to UTM-capable models.
  • FortiAP Profiles page: a warning appears if the model is not UTM capable when selecting an SSID that uses security profiles.
  • UTM capable models have a new icon compared to UTM incapable models.
  • A new tooltip appears when hovering over a FortiAP to display whether the unit is UTM capable or not.
  • The new FortiAP UTM SSID Compatibility security rating check verifies if a UTM SSID is applied to a model that cannot support UTM scanning.

751275

Add a WebSocket for Security Fabric events. Subscribers to the WebSocket, such as the Fabric Management page, are updated upon new Fabric events and alert users to reload the page.

753409

Support new speed option, media type, and FEC implementation on the following models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, FG-396xE, and FG-398xE.

756637

When configuring a FortiExtender in LAN extension mode, the addressing mode for the new LAN extension interface can use IPAM to assign an interface address and DHCP server address range.

756638

Add FortiExtender LAN extension to FortiGate VMs running on public clouds.

756639

Update the OVF package to reflect newer VMware ESXi and hardware versions.

757948

Add sub-option 5 to the DHCP relay daemon to support DHCP servers that use it to identify the required client subnet.

config system interface
    edit <interface>
        set dhcp-relay-link-selection <class_IP>
    next
end
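As an added illustration (not FortiOS code) of what the relay inserts on the wire, the encoder and decoder below build a DHCP Relay Agent Information option (option 82) carrying sub-option 5, whose four-byte value is the subnet the server should allocate from, alongside the common circuit-id (1) and remote-id (2) sub-options. The sub-option numbers and the 4-octet IPv4 link selection value are standard (RFC 3046 and RFC 3527); the function names and the sample values are constructed for this example. The decoder rejects truncated or malformed option bodies rather than guessing, which is the behaviour a relay or server should have when parsing untrusted client-side data.

```python
import ipaddress

OPTION_RELAY_AGENT_INFORMATION = 82     # RFC 3046
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
SUBOPT_LINK_SELECTION = 5               # RFC 3527, 4-octet IPv4 subnet address


def encode_relay_agent_option(link_selection, circuit_id=None, remote_id=None):
    """Return the option 82 bytes (code, length, sub-options) to append to a relayed DISCOVER."""
    body = b""
    if circuit_id is not None:
        body += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    subnet = ipaddress.IPv4Address(link_selection).packed       # exactly 4 octets
    body += bytes([SUBOPT_LINK_SELECTION, len(subnet)]) + subnet
    if len(body) > 255:
        raise ValueError("option 82 body exceeds the one-byte length field")
    return bytes([OPTION_RELAY_AGENT_INFORMATION, len(body)]) + body


def decode_relay_agent_option(data):
    """Parse option 82 into {sub-option code: value}; raise ValueError on malformed input."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFORMATION:
        raise ValueError("not a relay agent information option")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("option 82 truncated")
    subopts = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("sub-option header truncated")
        code, slen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + slen]
        if len(value) != slen:
            raise ValueError(f"sub-option {code} truncated")
        subopts[code] = value
        i += 2 + slen
    return subopts


def link_selection_subnet(subopts):
    """Return the sub-option 5 subnet as dotted text, or None if absent."""
    raw = subopts.get(SUBOPT_LINK_SELECTION)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("link selection sub-option must be 4 octets")
    return str(ipaddress.IPv4Address(raw))


if __name__ == "__main__":
    # Constructed sample: relay on port7 tells the server to allocate from 10.10.20.0.
    opt = encode_relay_agent_option("10.10.20.0", circuit_id=b"port7")
    print(opt.hex())
    print(link_selection_subnet(decode_relay_agent_option(opt)))
```

The value placed in sub-option 5 corresponds to the `<class_IP>` argument of dhcp-relay-link-selection above; a server that honours the sub-option picks its scope from that subnet instead of from the relay's giaddr.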

761397

Add Process Monitor page for displaying running processes with their CPU and memory usage levels. Administrators can view a list of running processes, sort and filter them, and select a process to terminate it.

Enhancements have been made to the FortiGate Support Tool Chrome extension, including: backend capture support, CSF support, more daemon logging, per-process CPU and memory charts, crash log support, REST API profiling, organized node logging, and WebSocket messages.

763275

In dynamic port policies, it is now possible to use the hardware vendor as a filter for the device patterns.

763832

DNS servers learned through DHCP may not support the default FortiOS-configured DoT protocol. The dns-server-protocol setting under config system interface > edit <name> is introduced to allow choosing the protocol for DNS servers learned through DHCP on any interface.

764679

When sending a response to an SNMP request for ipAddressTable, append the IP address type (type 1 for IPv4, type 2 for IPv6) and number of octets (four for IPv4, 16 for IPv6) in the format 1.3.6.1.2.1.4.34.1.3.<type>.<octet>.
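To make the index format concrete, the added example below (not FortiOS or SNMP agent code) builds and parses the instance OID for a row of ipAddressTable. It assumes the RFC 4293 layout that the text describes: the column OID 1.3.6.1.2.1.4.34.1.3 (ipAddressIfIndex), followed by the InetAddressType (1 for IPv4, 2 for IPv6), the octet count (4 or 16) and then the address octets themselves. The function names and sample addresses are constructed for this example; the parser refuses indexes whose declared length disagrees with the type or with the octets actually present, which is the kind of check a poller should make before trusting what an agent returned.

```python
import ipaddress

# ipAddressIfIndex column of ipAddressTable (RFC 4293).
IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"
# InetAddressType values: ipv4(1), ipv6(2), with their fixed octet counts.
ADDR_TYPE = {4: 1, 6: 2}
TYPE_LENGTH = {1: 4, 2: 16}


def ip_address_table_oid(address, column=IP_ADDRESS_IF_INDEX):
    """Return <column>.<type>.<length>.<octet1>...<octetN> for the given address."""
    ip = ipaddress.ip_address(address)
    octets = ip.packed
    index = [ADDR_TYPE[ip.version], len(octets), *octets]
    return column + "." + ".".join(str(x) for x in index)


def parse_ip_address_table_oid(oid, column=IP_ADDRESS_IF_INDEX):
    """Recover the address from an ipAddressTable instance OID, validating the index."""
    prefix = column + "."
    if not oid.startswith(prefix):
        raise ValueError("OID is not under the expected column")
    try:
        parts = [int(p) for p in oid[len(prefix):].split(".")]
    except ValueError:
        raise ValueError("non-numeric sub-identifier in OID") from None
    if len(parts) < 2:
        raise ValueError("index is missing type or length")
    addr_type, length, octets = parts[0], parts[1], parts[2:]
    expected = TYPE_LENGTH.get(addr_type)
    if expected is None:
        raise ValueError(f"unsupported InetAddressType {addr_type}")
    if length != expected:
        raise ValueError(f"length {length} does not match type {addr_type}")
    if len(octets) != length or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet count or value out of range for the declared length")
    return str(ipaddress.ip_address(bytes(octets)))


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for sample in ("192.0.2.1", "2001:db8::1"):
        oid = ip_address_table_oid(sample)
        print(oid, "->", parse_ip_address_table_oid(oid))
```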

765322

To improve GUI performance, an option is added to enable loading static GUI artifacts cached in CDN (content delivery network) servers closer to the user rather than from the FortiGate. On failure, the files can fall back to loading from the FortiGate.

config system global
    set gui-cdn-usage {enable | disable}
end

767575

Updating dynamic addresses using the OpenStack SDN connector now supports: Rocky, Stein, Train, Ussuri, Victoria, Wallaby, and Xena.

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

366327

Add uncompressed/compressed parameter for execute backup disk log ftp command to upload uncompressed log files to an FTP server. An FTP PUT file callback is used to decompress LZ4 log data to text in the memory and send it to the server for storage.

  • # execute backup disk alllogs ftp <IP_address> <username> <password> <compressed | uncompressed>
  • # execute backup disk log ftp <IP_address> <username> <password> <log_type> <compressed |uncompressed>

648609

Add HA support for multiple ACI clusters for Cisco ACI external SDN connector VMs. The multiple IPs in the Cisco ACI external SDN connector VM configuration allows the FortiGate to connect to SDN connector VMs in the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active, and the remaining serve as backups if the active one fails.

config system sdn-connector
    edit "ACI-1"
        set type aci
        set server-list "10.105.152.96" "10.105.152.97" "100.101.1.98"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "ACI-2"
        set type aci
        set server-list "20.105.152.91" " 20.105.152.92" "40.111.1.3"
        set server-port 5671
        set username "admin"
        set password **********
    next
end

ACI-1 and ACI-2 are different ACI clusters. They each have multiple SDN connector VMs in synchronization. Each firewall address can point to either ACI-1 or ACI-2.

655389

Add IPv6 options for SSH client in the CLI.

# execute ssh6-options {interface <outgoing_interface> | reset | source6 <source_IPv6_interface> | view-settings}

675164

Add support for WPA3 encryption on local radios of all FortiWiFi F-series models. These models can now support security modes WPA3-SAE, WPA3-OWE, and WPA3-Enterprise.

691337

Allow a GCP SDN connector to have multiple projects attached to it. Previously, GCP SDN connectors could only be associated with one project, a limit of 256 SDN connectors, and users could only add a maximum 256 projects to the FortiGate. A single GCP SDN connection can now have thousands of projects attached to it.

Add support for dynamic address filters based on project name and zones:

config system sdn-connector
    edit <name>
        set type gcp
        config gcp-project-list
            edit <name>
                set gcp-zone-list <name_1> <name_2> ... <name_n>
            next
        end
    next
end

GUI changes:

  • Add buttons to switch between Simple and Advanced project configurations. The simple configuration displays a single text field to add one project to the GCP SDN connector.
  • The advanced configuration displays a mutable table for users to add multiple projects to the GCP SDN connectors. Adding projects displays a slide-out pane to specify the project name and zones.
  • A confirmation slide-out pane appears when switching from advanced to simple to warn about projects being deleted from the GCP SDN connector.
  • A tooltip on the GCP SDN connector card shows the list of projects, and the filter list of GCP dynamic addresses shows the project and zones.

696871

Allow SSL VPN web portals to be defined in the ZTNA access proxy settings. The ZTNA access proxy handles the user and device authentication, posture check, and establishes the HTTPS connection between the end user and the access proxy. Then it forwards the user to the web portal where they can use pre-defined bookmarks to access internal and external resources.

711577

Add warnings to inform users when an installed firmware is not signed by Fortinet. The warning message appears in the CLI when the uploaded firmware fails signature validation, and when logging in to the FortiGate from the GUI. Additional messages are added in various places once a user is logged in to the GUI to remind them of the unsigned firmware.

717947

FortiGuard outbreak alerts, which identify outbreaks of security incidents and exploits, are now included as Security Rating posture checks. This helps provide information and remediation methods within the Security Rating module to protect the network from the exploits and attacks.

718332

In previous DARRP implementation, channel bandwidth was not considered. Now, DARRP will also consider the radio bandwidth in its channel selection, adding support for 40, 80, and 160 MHz channel bandwidth.

720539

Support SMB for ZTNA TCP forwarding.

720687

Add VLAN switch support on FG-20xF.

721285

Add FortiAP auto firmware provisioning option on the WiFi Settings page to allow for a federated upgrade of a FortiAP upon discovery and authorization by the WiFi controller. FortiAP will be upgraded to the latest firmware from FDS, if the FortiGate has the available FDS service contract.

726974

Support UPN format for the user when adding it to an HTTP header.

config web-proxy profile
    edit "AddUPNHeader"
        set log-header-change enable
        config headers
            edit 1
                set name "X-Authenticated-User"
                set content "$user"
            next
            edit 3
                set name "X-Authenticated-UPN"
                set content "$upn"
            next
            edit 2
                set name "X-Authenticated-Domain"
                set content "$domain"
            next
        end
    next
end

727514

Enhance the System > Fabric Management to include the ability to authorize and register Fabric devices, and display the FortiCare registration status and device type.

727890

Improve communication between FortiOS and FortiClient EMS with more efficient queries that request incremental updates. Retrieved device information can be written into the FortiGate's FortiClient NAC daemon cache. This increases ZTNA scalability to support up to 50 thousand concurrent endpoints. This feature requires FortiClient EMS 7.0.3 or later that has the common-tags-api capability.

728915

Add REST API events log subtype to log POST, PUT, DELETE, and GET REST API requests.

config log setting
    set rest-api-set enable
    set rest-api-get enable
end

730337

Add the following ZTNA enhancements to FortiView and the log view:

  • Add FortiView ZTNA Servers monitor, which includes options to drill down by Sources, Rules, Real Servers, and Sessions.
  • Add context menu shortcuts on the ZTNA Rules and ZTNA Servers tabs to redirect to the FortiView and log view pages.
  • Replace Log & Report > ZTNA page with Log & Report > ZTNA Traffic page. ZTNA logs now have a traffic type and ZTNA subtype.
  • Add fields to ZTNA traffic logs.

731720

Add wireless controller syslog profile, which enables APs to send logs to the syslog server configured in the profile.

731721

Add support for advertising vendor specific elements over beacon frames containing information about the FortiAP name, model, and serial number. This allows wireless administrators doing site surveys to easily determine the coverage area of an AP.

732010

When a FortiAP is connected to a switch port with 802.1x authentication enabled, the FortiAP can be configured to act as an 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS, or EAP-PEAP.

735929

Add REST API in both FortiNAC and FortiGate that is used by FortiNAC to send user logon/logoff information to the FortiGate. A new dynamic firewall address type (FortiNAC tag) is added to FortiOS, which is used to store the device IP, FortiNAC firewall tags, and FortiNAC group information sent from FortiNAC via the REST API when user logon/logoff events are registered.

The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated. For upgrade support, the FSSO FortiNAC user type can still be configured from the CLI.

738640

Add 100 Mbps transceiver support for FGR-60F and FGR-60F-3G4G.

739145

Federated upgrade for managed FortiSwitches allows a newly authorized FortiSwitch to be upgraded to the latest supported version automatically. The latest compatible FortiSwitch firmware is downloaded from FortiGuard without needing user intervention.

config switch-controller managed-switch
    edit <id>
        set fsw-wan1-peer <interface>
        set fsw-wan1-admin enable
        set firmware-provision-latest {once | disable}
    next
end
config switch-controller global
    set firmware-provision-on-authorization {enable | disable}
end

If firmware-provision-on-authorization is set to enable, firmware-provision-latest will be set to once automatically when the FortiSwitch administrative status (fsw-wan1-admin) is enabled.

When the FortiSwitch connection status becomes authorized or up, a one-time upgrade to the latest compatible firmware version starts if firmware-provision-latest is set to once.

A FortiSwitch can connect to multiple VDOMs, and it will be upgraded through any VDOM that it is authorized in.

739170

Add settings on Network > Interfaces page to configure DSL interfaces and associated DSL settings.

739173

This enhancement improves upon BGP conditional advertisement by accepting multiple conditions to be used together. The conditional route map entries are treated with an AND operator.

When the condition-type is exist:

  • If the conditional route map matches, then advertised route map will apply.
  • If the conditional route map does not match, then the advertised route map will not apply.

When the condition-type is non-exist:

  • If the conditional route map matches, then the advertised route map will not apply.
  • If the conditional route map not matches, then advertised route map will apply.

739740

Add a map of FortiSwitch model prefixes to full model names, and update the GUI to use these full model names on the Managed FortiSwitches page. For example, in previous versions the Model displayed for a FortiSwitch would be FS1D24, and now it is displayed as FortiSwitch 1024D.

739882

Allow configurations pushed from FortiManager to edit tags, FortiClient EMS certificate fingerprints, and FortiClient EMS capabilities.

FortiManager sourced changes to the following tables/attributes are allowed:

  • endpoint.fctems:capabilites
  • endpoint.fctems:certificate-fingerprint
  • firewall.address:address of type ems-tag

740525

Add support for multiple DARRP profiles to assign different DARRP settings and optimization schedules to different sets of APs.

740774

Previously, users could be assigned to VLANs dynamically according to the RADIUS attribute Tunnel-Private-Group-Id returned from the Access-Accept message. The value can either match a particular VLAN ID or a VLAN interface name. A third option is now added to match based on a VLAN name table defined under the virtual AP.

741715

Add option to allow administrators to enable or disable FFDHE groups for VIP SSL key share.

config firewall vip
    edit "access-proxy"
        set type access-proxy
        set ssl-accept-ffdhe-groups {enable | disable}
    next
    edit "server-load-balance"
        set server-load-balance
        set ssl-accept-ffdhe-groups {enable | disable}
    next
end

742162

License enforcement on downstream devices by:

  • Supporting the CSF REST API via a FortiGate Cloud (FGC) tunnel from the root to downstream devices and vice-versa.
  • Restricting create, edit, and delete permissions when accessing devices without a subscription from the FortiGate Cloud portal.
  • Adding the ability to re-run notifications when switching via the CSF FortiGate chooser dropdown.
  • Showing read-only access notifications when users switch to a downstream device without a paid subscription from the FortiGate Cloud portal.

742364

Add options to increase flexibility in controlling how the FortiGate's routing engine resolves the BGP route's next hops.

config router bgp
    set tag-resolve-mode {disable | preferred | merge}
end

The preferred option resolves the BGP next hop through a route carrying the same tag when such a resolution succeeds, falling back to the best match otherwise.

The merge option combines the tag match with the best match when they resolve through different routes. The result excludes the next hops of tag-matched routes whose interfaces already appear in the best match.

743766

A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When FortiCloud account enforcement is enabled (the default), members joining the Fabric must be registered to the same FortiCloud account. Devices that have not been activated with FortiCloud are also allowed to join.

A new FortiGate Cloud Event Handler automation trigger is available. The Compromised Host trigger can be used for IOC events detected in FortiGate Cloud. Both triggers require a FortiGate Cloud log retention license.

749939

Allow FortiExtender to be managed and used in a non-root VDOM. Previously, FortiExtender could only be used in the root VDOM.

745135

Provide three sizes of internet service databases and an option to choose between full, standard, and mini databases. The FortiGate 30 and 50 series can only configure the mini size.

config system global
    set internet-service-database {mini | standard | full}
end

745240

Add maximal field for each resource in get system performance status and improve average value accuracy by rolling over samples immediately when queried.

Extend api/v2/monitor/system/resource/usage to include new maximum, minimum, and average fields for each resource.

745590

Add user configuration clock skew tolerance for SAML users.

config user saml
    edit <name>
        set clock-tolerance <integer>
    next
end

The clock skew tolerance is set in seconds (0 - 300, default = 15, 0 = no tolerance).
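As an added illustration (not FortiOS code) of what a clock-skew tolerance does to assertion validation, the following check widens the assertion's NotBefore/NotOnOrAfter window by the tolerance on each side before comparing it with the service provider's clock. The symmetric widening and the sample assertion are assumptions for the example; the 0 - 300 second range mirrors the CLI setting above. Signature verification is omitted and must happen before any of these fields are trusted.

```python
"""Illustrative SAML Conditions time check with clock-skew tolerance.

Added example, not FortiOS code. Assumes the tolerance is applied symmetrically
(earlier NotBefore, later NotOnOrAfter). The assertion XML is constructed for
the example and is unsigned; verify the signature before trusting its fields.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed minimal assertion with a five-minute validity window.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def _parse_ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp (ISO 8601 with trailing Z)."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC timestamp ending in Z")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def conditions_valid(assertion_xml: str, now: datetime, clock_tolerance: int = 15):
    """Return (ok, reason). clock_tolerance is in seconds; 0 means no tolerance."""
    if not 0 <= clock_tolerance <= 300:
        raise ValueError("clock tolerance must be 0 - 300 seconds")
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "missing Conditions"
    skew = timedelta(seconds=clock_tolerance)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # Widen the window by the tolerance on both sides; NotOnOrAfter is exclusive.
    if not_before is not None and now < _parse_ts(not_before) - skew:
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now >= _parse_ts(not_on_or_after) + skew:
        return False, "assertion expired"
    return True, "ok"


def check_sample(now_iso: str, clock_tolerance: int = 15):
    """Validate SAMPLE_ASSERTION at the given UTC time string."""
    return conditions_valid(SAMPLE_ASSERTION, _parse_ts(now_iso), clock_tolerance)


if __name__ == "__main__":
    # An assertion received 10 seconds early passes with the default 15 s, fails with 0.
    print(check_sample("2024-01-01T11:59:50Z", 15))
    print(check_sample("2024-01-01T11:59:50Z", 0))
```

Raising the tolerance is a trade-off: every extra second extends the window in which a captured assertion can be replayed, so fix the IdP and FortiGate clocks with NTP first and keep the tolerance as low as the observed skew allows.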

746496

Optimize broadcast and multicast suppression over SSID tunnel mode across the FortiAP network.

747602

Allow customization of RDP display size (width and height settings) for SSL VPN web mode when creating a new connection or bookmark. Administrators can also specify the display size when pre-configuring bookmarks.

747640

Support Q-in-Q (802.1Q in 802.1Q) for FortiGate-VMs.

749070

The execute fortitoken-cloud migrate-ftm <license> <vdom> command allows the migration of FortiToken Mobile users from FortiOS to FortiToken Cloud. The FortiToken Cloud account must be using a time-based subscription license. A request must be made to Fortinet Customer Service to initiate and pre-authorize the transfer. All currently active FortiToken Mobile users are migrated to the FortiToken Cloud license with no change to the FortiToken Mobile serial number. The FortiOS user's or administrator's two-factor setting is automatically converted from fortitoken to fortitoken-cloud. After migration, end users can authenticate as before without any change to their FortiToken Mobile app.

749283

When creating a new virtual AP in WPA2 Personal mode or WPA3 SAE Transition, administrators can apply Multiple PSK mode and enable/disable RADIUS MAC authentication from the GUI.

749895

The network-import-check option in BGP can now be configured per prefix, in order to override the setting configured at the global BGP level.

749917

Add option in ZTNA deny policy to display a block notification when a client is blocked instead of silently dropped (default = disable).

config firewall proxy-policy
    edit <id>
        set proxy access-proxy
        set block-notification {enable | disable}
    next
end

749981

Allow the AWS SDN connector to use the AWS security token service (STS) API to connect to multiple AWS accounts concurrently. This allows a single AWS SDN connector to retrieve dynamic objects from multiple accounts, instead of needing to create an SDN connector for each account.

config system sdn-connector
    edit "aws1"
        config external-account-list
            edit "arn:aws:iam::6*******5494:role/CrossAccountSTS"
                set region-list "us-west-1" "us-west-2"
            next
            edit "arn:aws:iam::9*******1167:role/CrossAccountSTS"
                set region-list "us-west-1" "us-west-2"
            next
        end
    next
end

749982

Support activation of FortiFlex when connecting to the internet using a web proxy.

# execute vm-license <token> http://user:pass@proxyip:proxyport

750319

Support UTM scanning and deep inspection for mail protocols SMTP, IMAP, and POP3 in ZTNA TCP forwarding access proxy.

750702

Add support for FQDN real servers in ZTNA TCP forwarding. A wildcard domain name can be configured for the TCP forwarding access proxy using the domain option under the real server settings. When a request for a domain name arrives, the requested domain is matched against the configured domain.

If there is a match, a DNS query is made and the destination of the request is the resolved IP. If there is no match, a DNS query is made and the resolved IP is matched against the configured real server's IP.

750902

Introduce real-time FortiView monitors for Proxy Sources, Proxy Destinations, and all Proxy Sessions. Proxy policy sessions are no longer shown in FortiView Policies and FortiView Applications.

750931

Enhanced the GUI to differentiate UTM capability between UTM capable and incapable models.

  • SSIDs page: a warning icon appears when enabling Security Profiles, indicating that the profile can only be applied to UTM capable models.
  • FortiAP Profiles page: a warning appears if the model is not UTM capable when selecting an SSID that uses security profiles.
  • UTM capable models have a new icon compared to UTM incapable models.
  • A new tooltip appears when hovering over a FortiAP to display whether the unit is UTM capable or not.
  • The new FortiAP UTM SSID Compatibility security rating check verifies if a UTM SSID is applied to a model that cannot support UTM scanning.

751275

Add a WebSocket for Security Fabric events. Subscribers to the WebSocket, such as the Fabric Management page, are updated upon new Fabric events and alert users to reload the page.

753409

Support new speed option, media type, and FEC implementation on the following models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, FG-396xE, and FG-398xE.

756637

When configuring a FortiExtender in LAN extension mode, the addressing mode for the new LAN extension interface can use IPAM to assign an interface address and DHCP server address range.

756638

Add FortiExtender LAN extension to FortiGate VMs running on public clouds.

756639

Update the OVF package to reflect newer VMware ESXi and hardware versions.

757948

Add relay agent information (option 82) sub-option 5, link selection, to the DHCP relay daemon to support DHCP servers that use it to identify the subnet from which the client should be assigned an address.

config system interface
    edit <interface>
        set dhcp-relay-link-selection <class_IP>
    next
end
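The following encoder and parser for option 82 with sub-option 5 is an added example, not FortiOS code, showing the on-wire layout the relay setting above produces: the relay appends option 82 to the client's request, and the server takes the link-selection address (RFC 3527) as the client's subnet in preference to giaddr. The circuit-ID value and addresses are constructed for the example.

```python
"""Encode and decode DHCP option 82 (relay agent information) with sub-option 5
(link selection, RFC 3527). Added example, not FortiOS code; sample values are
constructed.
"""
import ipaddress

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_LINK_SELECTION = 5


def build_option82(circuit_id: bytes, link_selection: str = None) -> bytes:
    """Return the full option 82 TLV: code, length, then sub-option TLVs."""
    body = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if link_selection is not None:
        link = ipaddress.IPv4Address(link_selection).packed  # always 4 octets
        body += bytes([SUBOPT_LINK_SELECTION, len(link)]) + link
    if len(body) > 255:
        raise ValueError("option 82 body exceeds one-octet length")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(opt: bytes) -> dict:
    """Parse an option 82 TLV into its sub-options, rejecting truncated data."""
    if len(opt) < 2 or opt[0] != OPTION_RELAY_AGENT or len(opt) != 2 + opt[1]:
        raise ValueError("not a well-formed option 82")
    body = opt[2:]
    subs = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if code == SUBOPT_LINK_SELECTION:
            if length != 4:
                raise ValueError("link selection must be a 4-octet IPv4 address")
            subs["link_selection"] = str(ipaddress.IPv4Address(value))
        elif code == SUBOPT_CIRCUIT_ID:
            subs["circuit_id"] = value
        else:
            subs.setdefault("other", {})[code] = value
        i += 2 + length
    return subs


def client_subnet(opt: bytes, giaddr: str) -> str:
    """Address the server should use to pick the client's subnet: link selection
    if present, otherwise giaddr (RFC 3527 section 3)."""
    return parse_option82(opt).get("link_selection", giaddr)


if __name__ == "__main__":
    # Relay on 192.0.2.1 forwards for clients on 10.10.20.0/24 (constructed values).
    opt = build_option82(b"port1", "10.10.20.1")
    print(opt.hex())
    print(parse_option82(opt), client_subnet(opt, "192.0.2.1"))
```

Because the server allocates from whatever subnet sub-option 5 names, option 82 must only be accepted from trusted relay-facing interfaces; a client that inserts its own option 82 on an access port could steer its allocation into another subnet.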

761397

Add Process Monitor page for displaying running processes with their CPU and memory usage levels. Administrators can view a list of running processes, sort and filter them, and select a process to terminate it.

Enhancements have been made to the FortiGate Support Tool Chrome extension, including: backend capture support, CSF support, more daemon logging, per-process CPU and memory charts, crash log support, REST API profiling, organized node logging, and WebSocket messages.

763275

In dynamic port policies, it is now possible to use the hardware vendor as a filter for the device patterns.

763832

DNS servers learned through DHCP may not support the DoT protocol configured by default in FortiOS. The dns-server-protocol setting under config system interface > edit <name> is introduced to allow choosing the protocol used for DNS servers learned through DHCP on any interface.

764679

When sending a response to an SNMP request for ipAddressTable, append the IP address type (type 1 for IPv4, type 2 for IPv6) and the number of octets (four for IPv4, 16 for IPv6) to the row index, in the format 1.3.6.1.2.1.4.34.1.3.<type>.<octet>, followed by the address octets themselves.
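As an added example (not FortiOS code) of the index format described above, the following builds and parses the ipAddressIfIndex row OID per the RFC 4293 ipAddressTable index: InetAddressType, then the InetAddress encoded as its octet count followed by the octets. The sample addresses are constructed.

```python
"""Build and parse ipAddressTable row OIDs (RFC 4293 index encoding).
Added example, not FortiOS code; sample addresses are constructed."""
import ipaddress

IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"
INET_TYPE = {4: 1, 6: 2}            # InetAddressType: ipv4(1), ipv6(2)
INET_LENGTH = {1: 4, 2: 16}         # expected octet count per type


def ip_address_oid(addr: str) -> str:
    """Return the ipAddressIfIndex OID for addr: base.<type>.<octets>.<o1>...<on>."""
    ip = ipaddress.ip_address(addr)
    octets = ip.packed
    index = [INET_TYPE[ip.version], len(octets), *octets]
    return IP_ADDRESS_IF_INDEX + "." + ".".join(str(x) for x in index)


def parse_ip_address_oid(oid: str) -> str:
    """Recover the address from an ipAddressIfIndex OID, rejecting malformed indexes."""
    prefix = IP_ADDRESS_IF_INDEX + "."
    if not oid.startswith(prefix):
        raise ValueError("not an ipAddressIfIndex OID")
    parts = [int(p) for p in oid[len(prefix):].split(".")]
    if len(parts) < 2:
        raise ValueError("index too short")
    addr_type, length, octets = parts[0], parts[1], parts[2:]
    expected = INET_LENGTH.get(addr_type)
    if expected is None or length != expected or len(octets) != length:
        raise ValueError("malformed ipAddressTable index")
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("sub-identifier out of octet range")
    return str(ipaddress.ip_address(bytes(octets)))


if __name__ == "__main__":
    for a in ("192.0.2.1", "2001:db8::1"):
        oid = ip_address_oid(a)
        print(oid, "->", parse_ip_address_oid(oid))
```

A monitoring tool that walks this table must read the length sub-identifier before consuming address octets; assuming a fixed four-octet index silently misparses IPv6 rows.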

765322

To improve GUI performance, an option is added to enable loading static GUI artifacts cached in CDN (content delivery network) servers closer to the user rather than from the FortiGate. On failure, the files can fall back to loading from the FortiGate.

config system global
    set gui-cdn-usage {enable | disable}
end

767575

Updating dynamic addresses using the OpenStack SDN connector now supports: Rocky, Stein, Train, Ussuri, Victoria, Wallaby, and Xena.