
Changes in default behavior

Bug ID

Description

718290

When using FortiGuard servers for DNS, FortiOS will default to using DNS over TLS (DoT) to secure the DNS traffic. New FortiGuard DNS servers are added as primary and secondary servers.

738438

Split-task VDOM mode is removed. When a VDOM is set to multi-vdom mode, individual VDOMs can be configured as an admin type.

  • When the vdom-type is set to admin, the VDOM is used for local traffic only. Administrative users can log in to the FortiGate using SSH, HTTPS, and so on.
  • When the vdom-type is set to traffic, the VDOM can pass traffic just as regular VDOMs did previously.

Upon upgrade, if a FortiGate is in split-vdom mode, then it will be converted to multi-vdom mode. The FG-traffic VDOM will become a traffic type VDOM. The root VDOM will become an admin VDOM.

743583

AV and IPS packages are now signed by the Fortinet CA to ensure authenticity of the packages. The FortiGate will execute the following checks based on the method used to perform updates:

  • During automatic updates, only signed and validated packages are accepted.
  • During manual package updates, signed and validated packages will be accepted. If a package is not signed, the following applies:
    • Level-0: accept the new package even if it is unsigned.
    • Level-1: display a warning and request a user confirmation to accept.
    • Level-2: display an error and reject the image.
    • If no level is configured, apply Level-1.
  • For HA and configuration synchronization, the secondary device will synchronize signature files from the primary in the presence of a saved signed package.

FDN will maintain signed and unsigned packages for 7.2 and pre-7.2 compatibility. FortiManagers used for package distribution will also download signed and unsigned packages for backwards compatibility.
