Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

699301

Add Q-in-Q ingress/egress point NP6 support on FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, and FG-3601E.

714788

Add HA uninterruptible upgrade option, which allows users to configure a timeout value in minutes (1 - 30, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

720631

Add fields for source-ip and source-ip6 to set the source address used to connect to the ACME server.

config system acme
    set source-ip <class_ip>
    set source-ip6 <IPv6_address>
end

722647

Add IPsec fast path in VPN/DPDK for FG-VM (ESXi, KVM, Hyper-V, AWS, and Azure). Only GCM128 and GCM256 cyphers supported. IPv6 tunnels, anti-replay, and transport mode are not supported.

config dpdk global
    set ipsec-offload {enable | disable}
end

728408

Add handling for expect sessions created by session helpers in NGFW policy mode. For protocols that are only supported by IPS but not session helpers (IPv6 SIP), IPS falls back on using its own handling of these sessions, which is similar to profile mode.

750224

To enhance BFD support, FortiOS can now support neighbors connected over multiple hops. When BFD is down, BGP sessions will be reset and try to re-establish neighbor connection immediately.

753368

Add support for 802.1X under the hardware switch interface on NP6 platforms: FG-30xE, FG-40xE, and FG-110xE.

755141

The following existing options can be used to control explicit DoT handshakes.

config system global
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3}
    set ssl-static-key-ciphers {enable | disable}
    set strong-crypto {enable | disable}
end

756538

Add Windows 11 and macOS 12 to the SSL VPN OS check. The following options are available for config os-check-list <name>: macos-bigsur-11, macos-catalina-10.15, macos-mojave-10.14, macos-monterey-12, windows-7, windows-8.1, windows-10, and windows-11.

Operating systems no longer supported by FortiClient were removed.

758560

Add macOS 12 and Windows 11 to SSL VPN host check. Windows 8 and macOS 10.9 to 10.13 are removed from the SSL VPN host check.

759344

NP7 CAPWAP offloading for WiFi traffic now supports VLAN-related features such as dynamic VLANs and VLAN stacking (also called QinQ or inner VLANs).

761382

FortiOS now incorporates maturity levels in the released firmware images. Two maturity levels are defined: feature and mature.

In the GUI and CLI, administrators are able to identify the maturity level of the current firmware by the Feature or Mature tags. On the System > Fabric Management page, administrators can view the maturity levels of each firmware available for upgrade. When upgrading from a Mature to a Feature firmware, a warning message is displayed.

763021

Allow dedicated scan to be disabled on FortiAP F-series profiles, which then allows background scanning using the WIDS profile to be enabled on radios 1 and 2.

766158

In a video filter profile, when the FortiGuard category-based filter and YouTube channel override are used together, by default a video will be blocked if it matches either category or YouTube channel and the action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled.

773126

Add support for Apple French keyboard layout for RDP in SSL web portal, user bookmark, and user group bookmark settings (set keyboard-layout fr-apple).

773530

Allow a two-hour grace period for Flex-VMs to begin passing traffic upon retrieving a license from FortiCare without VM entitlement verification from FortiGuard.

776052

Add four SNMP OIDs for polling critical port block allocations (PBAs) IP pool statistics including:

  • Total PBAs: fgFwIppStatsTotalPBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.9)
  • In use PBAs: fgFwIppStatsInusePBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.10)
  • Expiring PBAs: fgFwIppStatsExpiringPBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.11)
  • Free PBAs: fgFwIppStatsFreePBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.12)

777660

Add options to disable using the FortiGuard IP address rating for SSL exemptions and proxy addresses.

config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end
config firewall profile-protocol-options
    edit <name>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end

By default, the ssl-exemption-ip-rating and address-ip-rating options are enabled. If both a website domain and its IP address return different categories after being rated by FortiGuard, then the IP address category takes precedence when evaluating SSL exemptions associated with the SSL inspection profile and proxy addresses associated with the proxy protocol options profile.

When the categories associated with the website domain and IP address are different, using these options to disable the FortiGuard IP rating ensures that the FortiGuard domain category takes precedence when evaluating the above objects.

777675

By default, the connection from the ZTNA access proxy to the backend servers uses the IP of the outgoing interface as the source. This enhancement enables customers to use an IP pool as the source IP, or use the client's original IP as the source IP. This allows ZTNA to support more sessions without source port conflict.

config firewall proxy-policy
   edit <id>
      set type access-proxy
      set poolname <ip_pool>
      set transparent {enable | disable}
   next
end

779031

Add support for NTurbo port SSL mirror traffic on NP7.

787477

Ensure that session synchronization happens correctly in the FGCP over FGSP topology.

  1. When the session synchronization filter is applied on FGSP, the filter will only affect sessions synchronized between the FGSP peers.
  2. When virtual clustering is used, sessions synchronized between each virtual cluster can also be synchronized to FGSP peers. The peers' sync_vd must all be in the same HA vcluster.

791732

Allow interface-select-method and interface to be configured for FortiClient EMS Fabric connectors.

792170

The FortiGate explicit web proxy supports the Cross-Origin Resource Sharing (CORS) protocol, which allows the FortiGate to process a CORS preflight request and an actual CORS request properly, in addition to a simple CORS request when using session-based, cookie-enabled, and captive portal-enabled SAML authentication. This allows a FortiGate explicit web proxy user with this specific configuration to properly view a web page requiring CORS with domains embedded in it other than its own domain.

799971

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled under the user ldap object definition. This enhancement reduces the number of the AD users returned by allowing the use of a group filter to synchronize only the users who meet the group filter criteria.

802001

Add command to clean up old configurations, except for serial number and FortiManager IP, in system.central-management.

# execute factoryreset-for-central-management

802702

When local-out traffic such as SD-WAN health checks, SNMP, syslog, and so on are initiated from an interface on one VRF and then pass through interfaces on another VRF, the reply traffic will be successfully forwarded back to the original VRF.

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

699301

Add Q-in-Q ingress/egress point NP6 support on FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, and FG-3601E.

714788

Add HA uninterruptible upgrade option, which allows users to configure a timeout value in minutes (1 - 30, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

720631

Add fields for source-ip and source-ip6 to set the source address used to connect to the ACME server.

config system acme
    set source-ip <class_ip>
    set source-ip6 <IPv6_address>
end

722647

Add IPsec fast path in VPN/DPDK for FG-VM (ESXi, KVM, Hyper-V, AWS, and Azure). Only GCM128 and GCM256 cyphers supported. IPv6 tunnels, anti-replay, and transport mode are not supported.

config dpdk global
    set ipsec-offload {enable | disable}
end

728408

Add handling for expect sessions created by session helpers in NGFW policy mode. For protocols that are only supported by IPS but not session helpers (IPv6 SIP), IPS falls back on using its own handling of these sessions, which is similar to profile mode.

750224

To enhance BFD support, FortiOS can now support neighbors connected over multiple hops. When BFD is down, BGP sessions will be reset and try to re-establish neighbor connection immediately.

753368

Add support for 802.1X under the hardware switch interface on NP6 platforms: FG-30xE, FG-40xE, and FG-110xE.

755141

The following existing options can be used to control explicit DoT handshakes.

config system global
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3}
    set ssl-static-key-ciphers {enable | disable}
    set strong-crypto {enable | disable}
end

756538

Add Windows 11 and macOS 12 to the SSL VPN OS check. The following options are available for config os-check-list <name>: macos-bigsur-11, macos-catalina-10.15, macos-mojave-10.14, macos-monterey-12, windows-7, windows-8.1, windows-10, and windows-11.

Operating systems no longer supported by FortiClient were removed.

758560

Add macOS 12 and Windows 11 to SSL VPN host check. Windows 8 and macOS 10.9 to 10.13 are removed from the SSL VPN host check.

759344

NP7 CAPWAP offloading for WiFi traffic now supports VLAN-related features such as dynamic VLANs and VLAN stacking (also called QinQ or inner VLANs).

761382

FortiOS now incorporates maturity levels in the released firmware images. Two maturity levels are defined: feature and mature.

In the GUI and CLI, administrators are able to identify the maturity level of the current firmware by the Feature or Mature tags. On the System > Fabric Management page, administrators can view the maturity levels of each firmware available for upgrade. When upgrading from a Mature to a Feature firmware, a warning message is displayed.

763021

Allow dedicated scan to be disabled on FortiAP F-series profiles, which then allows background scanning using the WIDS profile to be enabled on radios 1 and 2.

766158

In a video filter profile, when the FortiGuard category-based filter and YouTube channel override are used together, by default a video will be blocked if it matches either category or YouTube channel and the action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled.

773126

Add support for Apple French keyboard layout for RDP in SSL web portal, user bookmark, and user group bookmark settings (set keyboard-layout fr-apple).

773530

Allow a two-hour grace period for Flex-VMs to begin passing traffic upon retrieving a license from FortiCare without VM entitlement verification from FortiGuard.

776052

Add four SNMP OIDs for polling critical port block allocations (PBAs) IP pool statistics including:

  • Total PBAs: fgFwIppStatsTotalPBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.9)
  • In use PBAs: fgFwIppStatsInusePBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.10)
  • Expiring PBAs: fgFwIppStatsExpiringPBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.11)
  • Free PBAs: fgFwIppStatsFreePBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.12)

777660

Add options to disable using the FortiGuard IP address rating for SSL exemptions and proxy addresses.

config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end
config firewall profile-protocol-options
    edit <name>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end

By default, the ssl-exemption-ip-rating and address-ip-rating options are enabled. If both a website domain and its IP address return different categories after being rated by FortiGuard, then the IP address category takes precedence when evaluating SSL exemptions associated with the SSL inspection profile and proxy addresses associated with the proxy protocol options profile.

When the categories associated with the website domain and IP address are different, using these options to disable the FortiGuard IP rating ensures that the FortiGuard domain category takes precedence when evaluating the above objects.

777675

By default, the connection from the ZTNA access proxy to the backend servers uses the IP of the outgoing interface as the source. This enhancement enables customers to use an IP pool as the source IP, or use the client's original IP as the source IP. This allows ZTNA to support more sessions without source port conflict.

config firewall proxy-policy
   edit <id>
      set type access-proxy
      set poolname <ip_pool>
      set transparent {enable | disable}
   next
end

779031

Add support for NTurbo port SSL mirror traffic on NP7.

787477

Ensure that session synchronization happens correctly in the FGCP over FGSP topology.

  1. When the session synchronization filter is applied on FGSP, the filter will only affect sessions synchronized between the FGSP peers.
  2. When virtual clustering is used, sessions synchronized between each virtual cluster can also be synchronized to FGSP peers. The peers' sync_vd must all be in the same HA vcluster.

791732

Allow interface-select-method and interface to be configured for FortiClient EMS Fabric connectors.

792170

The FortiGate explicit web proxy supports the Cross-Origin Resource Sharing (CORS) protocol, which allows the FortiGate to process a CORS preflight request and an actual CORS request properly, in addition to a simple CORS request when using session-based, cookie-enabled, and captive portal-enabled SAML authentication. This allows a FortiGate explicit web proxy user with this specific configuration to properly view a web page requiring CORS with domains embedded in it other than its own domain.

799971

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled under the user ldap object definition. This enhancement reduces the number of the AD users returned by allowing the use of a group filter to synchronize only the users who meet the group filter criteria.

802001

Add command to clean up old configurations, except for serial number and FortiManager IP, in system.central-management.

# execute factoryreset-for-central-management

802702

When local-out traffic such as SD-WAN health checks, SNMP, syslog, and so on are initiated from an interface on one VRF and then pass through interfaces on another VRF, the reply traffic will be successfully forwarded back to the original VRF.