New features or enhancements
More detailed information is available in the New Features Guide.
Bug ID | Description |
---|---|
366327 | Add |
648609 | Add HA support for multiple ACI clusters for Cisco ACI external SDN connector VMs. The multiple IPs in the Cisco ACI external SDN connector VM configuration allow the FortiGate to connect to the SDN connector VMs of the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active; the remaining VMs serve as backups if the active one fails. `config system sdn-connector` `edit "ACI-1"` `set type aci` `set server-list "10.105.152.96" "10.105.152.97" "100.101.1.98"` `set server-port 5671` `set username "admin"` `set password **********` `next` `edit "ACI-2"` `set type aci` `set server-list "20.105.152.91" "20.105.152.92" "40.111.1.3"` `set server-port 5671` `set username "admin"` `set password **********` `next` `end` ACI-1 and ACI-2 are different ACI clusters; each has multiple SDN connector VMs kept in synchronization. Each firewall address can point to either ACI-1 or ACI-2. |
655389 | Add IPv6 options for the SSH client in the CLI. |
675164 | Add support for WPA3 encryption on the local radios of all FortiWiFi F-series models. These models now support the WPA3-SAE, WPA3-OWE, and WPA3-Enterprise security modes. |
691337 | Allow a GCP SDN connector to have multiple projects attached to it. Previously, a GCP SDN connector could be associated with only one project, and because a FortiGate is limited to 256 SDN connectors, at most 256 projects could be added. A single GCP SDN connector can now have thousands of projects attached to it. Add support for dynamic address filters based on project name and zones: `config system sdn-connector` `edit <name>` `set type gcp` `config gcp-project-list` `edit <name>` `set gcp-zone-list <name_1> <name_2> ... <name_n>` `next` `end` `next` `end` GUI changes: |
696871 | Allow SSL VPN web portals to be defined in the ZTNA access proxy settings. The ZTNA access proxy handles the user and device authentication and the posture check, and establishes the HTTPS connection between the end user and the access proxy. It then forwards the user to the web portal, where they can use pre-defined bookmarks to access internal and external resources. |
711577 | Add warnings to inform users when the installed firmware is not signed by Fortinet. The warning appears in the CLI when an uploaded firmware image fails signature validation, and when logging in to the FortiGate from the GUI. Additional messages are shown in various places once a user is logged in to the GUI to remind them of the unsigned firmware. |
717947 | FortiGuard outbreak alerts, which identify outbreaks of security incidents and exploits, are now included as Security Rating posture checks. The Security Rating module then provides information and remediation methods to protect the network from these exploits and attacks. |
718332 | In the previous DARRP implementation, channel bandwidth was not considered. DARRP now also considers the radio bandwidth in its channel selection, adding support for 40, 80, and 160 MHz channel bandwidths. |
720539 | Support SMB for ZTNA TCP forwarding. |
720687 | Add VLAN switch support on FG-20xF. |
721285 | Add a FortiAP auto firmware provisioning option on the WiFi Settings page to allow a federated upgrade of a FortiAP upon discovery and authorization by the WiFi controller. The FortiAP is upgraded to the latest firmware from FDS if the FortiGate has the required FDS service contract. |
726974 | Support the UPN format for the user when adding it to an HTTP header. `config web-proxy profile` `edit "AddUPNHeader"` `set log-header-change enable` `config headers` `edit 1` `set name "X-Authenticated-User"` `set content "$user"` `next` `edit 3` `set name "X-Authenticated-UPN"` `set content "$upn"` `next` `edit 2` `set name "X-Authenticated-Domain"` `set content "$domain"` `next` `end` `next` `end` |
727514 | Enhance System > Fabric Management to include the ability to authorize and register Fabric devices, and to display the FortiCare registration status and device type. |
727890 | Improve communication between FortiOS and FortiClient EMS with more efficient queries that request incremental updates. Retrieved device information can be written into the FortiGate's FortiClient NAC daemon cache. This increases ZTNA scalability to support up to 50,000 concurrent endpoints. This feature requires FortiClient EMS 7.0.3 or later that has the |
728915 | Add a REST API events log subtype to log POST, PUT, DELETE, and GET REST API requests. `config log setting` `set rest-api-set enable` `set rest-api-get enable` `end` |
730337 | Add the following ZTNA enhancements to FortiView and the log view: |
731720 | Add a wireless controller syslog profile, which enables APs to send logs to the syslog server configured in the profile. |
731721 | Add support for advertising vendor-specific elements in beacon frames, containing the FortiAP name, model, and serial number. This allows wireless administrators doing site surveys to easily determine the coverage area of an AP. |
732010 | When a FortiAP is connected to a switch port with 802.1X authentication enabled, the FortiAP can be configured to act as an 802.1X supplicant and authenticate against the server using EAP-FAST, EAP-TLS, or EAP-PEAP. |
735929 | Add a REST API in both FortiNAC and FortiGate that FortiNAC uses to send user logon/logoff information to the FortiGate. A new dynamic firewall address type (FortiNAC tag) is added to FortiOS; it stores the device IP, FortiNAC firewall tags, and FortiNAC group information sent from FortiNAC via the REST API when user logon/logoff events are registered. The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated. For upgrade support, the FSSO FortiNAC user type can still be configured from the CLI. |
738640 | Add 100 Mbps transceiver support for FGR-60F and FGR-60F-3G4G. |
739145 | Federated upgrade for managed FortiSwitches allows a newly authorized FortiSwitch to be upgraded to the latest supported version automatically. The latest compatible FortiSwitch firmware is downloaded from FortiGuard without user intervention. `config switch-controller managed-switch` `edit <id>` `set fsw-wan1-peer <interface>` `set fsw-wan1-admin enable` `set firmware-provision-latest {once \| disable}` `next` `end` `config switch-controller global` `set firmware-provision-on-authorization {enable \| disable}` `end` When the FortiSwitch connection status becomes authorized or up, a one-time upgrade to the latest compatible firmware version starts if the corresponding provisioning option (`firmware-provision-latest` for that switch, or `firmware-provision-on-authorization` globally) is enabled. A FortiSwitch can connect to multiple VDOMs, and it is upgraded through any VDOM in which it is authorized. |
739170 | Add settings on the Network > Interfaces page to configure DSL interfaces and the associated DSL settings. |
739173 | This enhancement improves BGP conditional advertisement by allowing multiple conditions to be used together. The conditional route map entries are combined with an AND operator. When the |
739740 | Add a map of FortiSwitch model prefixes to full model names, and update the GUI to use the full model names on the Managed FortiSwitches page. For example, in previous versions the Model shown for a FortiSwitch was FS1D24; it is now displayed as FortiSwitch 1024D. |
739882 | Allow configurations pushed from FortiManager to edit tags, FortiClient EMS certificate fingerprints, and FortiClient EMS capabilities. FortiManager-sourced changes to the following tables/attributes are allowed: |
740525 | Add support for multiple DARRP profiles, to assign different DARRP settings and optimization schedules to different sets of APs. |
740774 | Previously, users could be assigned to VLANs dynamically according to the RADIUS attribute |
741715 | Add an option that lets administrators enable or disable FFDHE groups for the VIP SSL key share. FFDHE groups are the RFC 7919 finite-field Diffie-Hellman groups; their key exchange is considerably slower than the elliptic-curve groups, which is the usual reason to disable them when no client requires them. `config firewall vip` `edit "access-proxy"` `set type access-proxy` `set ssl-accept-ffdhe-groups {enable \| disable}` `next` `edit "server-load-balance"` `set type server-load-balance` `set ssl-accept-ffdhe-groups {enable \| disable}` `next` `end` |
742162 | License enforcement on downstream devices by: |
742364 | Add options to increase flexibility in controlling how the FortiGate's routing engine resolves BGP route next hops. `config router bgp` `set tag-resolve-mode {disable \| preferred \| merge}` `end` The |
743766 | A Security Fabric can be created on the root device using FortiGate Cloud for cloud logging. When FortiCloud account enforcement is enabled (the default), members joining the Fabric must be registered to the same FortiCloud account; devices that are not activated with FortiCloud are also allowed. A new FortiGate Cloud Event Handler automation trigger is available, and the Compromised Host trigger can be used for IOC events detected in FortiGate Cloud. Both triggers require a FortiGate Cloud log retention license. |
749939 | Allow FortiExtender to be managed and used in a non-root VDOM. Previously, FortiExtender could only be used in the root VDOM. |
745135 | Provide three sizes of the internet service database, with an option to choose between the full, standard, and mini databases. The FortiGate 30 and 50 series can only use the mini size. `config system global` `set internet-service-database {mini \| standard \| full}` `end` |
745240 | Add a maximal field for each resource in Extend |
745590 | Add a configurable clock skew tolerance for SAML users. `config user saml` `edit <name>` `set clock-tolerance <integer>` `next` `end` The clock skew tolerance is set in seconds (0 - 300, default = 15; 0 = no tolerance). |
746496 | Optimize broadcast and multicast suppression over tunnel mode SSIDs across the FortiAP network. |
747602 | Allow customization of the RDP display size (width and height settings) for SSL VPN web mode when creating a new connection or bookmark. Administrators can also specify the display size when pre-configuring bookmarks. |
747640 | Support Q-in-Q (802.1Q in 802.1Q) for FortiGate-VMs. |
749070 | The |
749283 | When creating a new virtual AP in WPA2 Personal or WPA3 SAE Transition mode, administrators can apply Multiple PSK mode and enable or disable RADIUS MAC authentication from the GUI. |
749895 | The |
749917 | Add an option in the ZTNA deny policy to display a block notification when a client is blocked, instead of silently dropping the connection (default = disable). `config firewall proxy-policy` `edit <id>` `set proxy access-proxy` `set block-notification {enable \| disable}` `next` `end` |
749981 | Allow the AWS SDN connector to use the AWS Security Token Service (STS) API to connect to multiple AWS accounts concurrently. A single AWS SDN connector can then retrieve dynamic objects from multiple accounts, instead of requiring one SDN connector per account. `config system sdn-connector` `edit "aws1"` `config external-account-list` `edit "arn:aws:iam::6*******5494:role/CrossAccountSTS"` `set region-list "us-west-1" "us-west-2"` `next` `edit "arn:aws:iam::9*******1167:role/CrossAccountSTS"` `set region-list "us-west-1" "us-west-2"` `next` `end` `next` `end` |
749982 | Support activation of FortiFlex when connecting to the internet through a web proxy: `# execute vm-license <token> http://user:pass@proxyip:proxyport` |
750319 | Support UTM scanning and deep inspection for the mail protocols SMTP, IMAP, and POP3 in the ZTNA TCP forwarding access proxy. |
750702 | Add FQDN support to ZTNA TCP forwarding. A wildcard domain name can be used in the TCP forwarding access proxy with the If there is a match, a DNS request is made and the destination of the request is the resolved IP. If there is no match, a DNS request is made and the resolved IP is compared with the configured real server's IP. |
750902 | Introduce real-time FortiView monitors for Proxy Sources, Proxy Destinations, and all Proxy Sessions. Proxy policy sessions are no longer shown in FortiView Policies and FortiView Applications. |
750931 | Enhance the GUI to differentiate between UTM-capable and UTM-incapable models. |
751275 | Add a WebSocket for Security Fabric events. Subscribers to the WebSocket, such as the Fabric Management page, are updated upon new Fabric events and alert users to reload the page. |
753409 | Support a new speed option, media type, and FEC implementation on the following models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, FG-396xE, and FG-398xE. |
756637 | When configuring a FortiExtender in LAN extension mode, the addressing mode of the new LAN extension interface can use IPAM to assign the interface address and DHCP server address range. |
756638 | Add FortiExtender LAN extension to FortiGate VMs running on public clouds. |
756639 | Update the OVF package to reflect newer VMware ESXi and hardware versions. |
757948 | Add relay agent information sub-option 5 (link selection) to the DHCP relay daemon, to support DHCP servers that use it to identify the client's subnet. `config system interface` `edit <interface>` `set dhcp-relay-link-selection <class_IP>` `next` `end` |
761397 | Add a Process Monitor page that displays running processes with their CPU and memory usage. Administrators can view the list of running processes, sort and filter it, and select a process to terminate. Enhancements have also been made to the FortiGate Support Tool Chrome extension, including backend capture support, CSF support, more daemon logging, per-process CPU and memory charts, crash log support, REST API profiling, organized node logging, and WebSocket messages. |
763275 | In dynamic port policies, the hardware vendor can now be used as a filter in device patterns. |
763832 | DNS servers learned through DHCP may not support the default FortiOS DoT protocol. The |
764679 | When responding to an SNMP request for ipAddressTable, append the IP address type (1 for IPv4, 2 for IPv6) and the number of octets (4 for IPv4, 16 for IPv6) in the format |
765322 | To improve GUI performance, add an option to load static GUI artifacts cached on CDN (content delivery network) servers closer to the user rather than from the FortiGate. If that fails, the files fall back to loading from the FortiGate. `config system global` `set gui-cdn-usage {enable \| disable}` `end` |
767575 | Updating dynamic addresses using the OpenStack SDN connector now supports the Rocky, Stein, Train, Ussuri, Victoria, Wallaby, and Xena releases. |