Support Websense Integrated Services Protocol (WISP) server in flow mode, which allows the FortiGate to send traffic to the third-party web filtering service for rating. This feature was previously only supported in proxy-based security profiles.

Update MAC address filter under VAP configuration to directly use a firewall address group containing MAC addresses.

config wireless-controller vap
    edit <name>
        set address-group <firewall_address_group>
        set address-group-policy {allow | deny}
    next
end

Previous wireless-controller address and wireless-controller addrgrp commands have been removed.

Add IPv6 options for SSH client in the CLI.

# execute ssh6-options {interface <outgoing_interface> | reset | source6 <source_IPv6_interface> | view-settings}

Report wireless client application usage for wireless clients connected to bridge mode SSIDs. This enhances the diagnose wireless-controllerwlac -d sta online command to include application usage data for each wireless client connected to a bridge mode SSID.

Switch controller supports dynamic discovery in FortiLink over L3 mode for new FortiSwitch platforms and FortiSwitches with split ports (phy-mode).

Add option to configure MAC authentication bypass (MAB) re-authentication from the switch controller globally or as a local override.

In NGFW policy mode, a security policy can be configured in Learn Mode to monitor traffic that passes through the source and destination interfaces. These traffic and UTM logs use a special prefix in the policymode and profile fields so that FortiAnalyzer and the FortiManager Policy Analyzer can identify these logs for policy analysis.

Add support for configuring flap guard settings on FortiSwitch through switch controller. When the configured number of changed events (flap-rate) is reached within a certain period of time (flap-duration), the flap guard is triggered and FortiSwitch will shut down the switch port. The protection is disabled after the timeout (flap-timeout) expires.

Allow a GCP SDN connector to have multiple projects attached to it. Previously, GCP SDN connectors could only be associated with one project, a limit of 256 SDN connectors, and users could only add a maximum 256 projects to the FortiGate. A single GCP SDN connection can now have thousands of projects attached to it.

Add support for dynamic address filters based on project name and zones:

config system sdn-connector
    edit <name>
        set type gcp
        config gcp-project-list
            edit <name>
                set gcp-zone-list <name_1> <name_2> ... <name_n>
            next
        end
    next
end

GUI changes:

• Add buttons to switch between Simple and Advanced project configurations. The simple configuration displays a single text field to add one project to the GCP SDN connector.
• The advanced configuration displays a mutable table for users to add multiple projects to the GCP SDN connectors. Adding projects displays a slide-out pane to specify the project name and zones.
• A confirmation slide-out pane appears when switching from advanced to simple to warn about projects being deleted from the GCP SDN connector.
• A tooltip on the GCP SDN connector card shows the list of projects, and the filter list of GCP dynamic addresses shows the project and zones.

Allow SSL VPN web portals to be defined in the ZTNA access proxy settings. The ZTNA access proxy handles the user and device authentication, posture check, and establishes the HTTPS connection between the end user and the access proxy. Then it forwards the user to the web portal where they can use pre-defined bookmarks to access internal and external resources.

Improve FortiAnalyzer log caching in reliable mode to prevent lost logs sent when the FortiAnalyzer connection is down. Logs are first cached in memory, and once sent, they are moved to a confirm queue. The FortiGate periodically queries the FortiAnalyzer for the latest seq_no of the last log received and clears the logs from the confirm queue up to that seq_no. If the connection is down, the logs in the confirm queue will be re-sent when the connection is re-established.

Add HA uninterruptible upgrade option, which allows users to configure a timeout value in minutes (1 - 30, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

On some FortiSwitch models, the PHY mode on some ports can be changed in order to enable or disable split ports. When this configuration changes, it reboots the FortiSwitch and subsequently requires the FortiGate to re-discover and re-authorize the device. In this enhancement, the FortiGate is able to automatically update the port list and avoids re-discovering and re-authorizing the FortiSwitch after PHY mode changes and the device reboots.

Support manual licensing for FortiGates running in air-gapped environments, such as industrial environments, where devices have no internet connections. The license can be uploaded from the System > FortiGuard page or CLI.

# execute restore manual-license {ftp | tftp} <license_file> <server> [args]

In previous DARRP implementation, channel bandwidth was not considered. Now, DARRP will also consider the radio bandwidth in its channel selection, adding support for 40, 80, and 160 MHz channel bandwidth.

On a software switch interface that is dedicated to FortiSwitch (FortiLink enabled), it is now possible to add an aggregate interface as an interface member. This allows FortiSwitches to be managed on a software switch that has aggregate interfaces as a member.

Add fields for source-ip and source-ip6 to set the source address used to connect to the ACME server.

config system acme
    set source-ip <class_ip>
    set source-ip6 <IPv6_address>
end

Add VLAN switch support on FG-20xF.

Add IPsec fast path in VPN/DPDK for FG-VM (ESXi, KVM, Hyper-V, AWS, and Azure). Only GCM128 and GCM256 cyphers supported. IPv6 tunnels, anti-replay, and transport mode are not supported.

config dpdk global
    set ipsec-offload {enable | disable}
end

Add option to set the application default port as service port in NGFW mode. This allows applications to match the policy and be blocked immediately the first time that traffic hits the firewall. When this option is enabled, the NGFW policy aggregates the ports used by the applications in the policy and does a pre-match on the traffic. This is changed from previous behavior where traffic must first be identified by IPS, and then policy matching occurs based on the matched port.

config system settings
    set default-app-port-as-service {enable | disable}
end

New installations have this setting enabled by default. Upgrades will have this setting disabled to maintain previous post-application-match default port enforcement behavior.

Support captive portal addresses and authentication certificates at the VAP level and on physical interfaces.

config wireless-controller vap
    edit <name>
        set security captive-portal
        set auth-cert <HTTPS_server_certificate>
        set auth-portal-addr <portal_address>
    next
end

config system interface
    edit <name>
        set security-mode captive-portal
        set auth-cert <HTTPS_server_certificate>
        set auth-portal-addr <portal_address>
    next
end

Enhance the System > Fabric Management to include the ability to authorize and register Fabric devices, and display the FortiCare registration status and device type.

Improve communication between FortiOS and FortiClient EMS with more efficient queries that request incremental updates. Retrieved device information can be written into the FortiGate's FortiClient NAC daemon cache. This increases ZTNA scalability to support up to 50 thousand concurrent endpoints. This feature requires FortiClient EMS 7.0.3 or later that has the common-tags-api capability.

Add handling for expect sessions created by session helpers in NGFW policy mode. For protocols that are only supported by IPS but not session helpers (IPv6 SIP), IPS falls back on using its own handling of these sessions, which is similar to profile mode.

For ZTNA, user information and TLS sessions are synchronized between HA members. When a HA failover occurs, the new primary unit will continue allowing sessions from the logged in users without asking for the client certificate and re-authentication again.

Add the following ZTNA enhancements to FortiView and the log view:

• Add FortiView ZTNA Servers monitor, which includes options to drill down by Sources, Rules, Real Servers, and Sessions.
• Add context menu shortcuts on the ZTNA Rules and ZTNA Servers tabs to redirect to the FortiView and log view pages.
• Replace Log & Report > ZTNA page with Log & Report > ZTNA Traffic page. ZTNA logs now have a traffic type and ZTNA subtype.
• Add fields to ZTNA traffic logs.

Add restart-on-topology-change option to control if OSPF/OSPFv3 should continue with a graceful restart when detecting topology changes.

config router ospf6
    set restart-mode {none | graceful-restart}
    set restart-period <1 - 3600>
    set restart-on-topology-change {enable | disable}
end

config router ospf
    set restart-on-topology-change {enable | disable}
end

FortiOS supports FortiSandbox inline scanning in proxy inspection mode. When inline scanning is enabled, the client's file is held while it is sent to FortiSandbox for inspection. Once a verdict is returned, the appropriate action (allow or block) is performed on the held file. If there is an error or timeout on the FortiSandbox, the FortiGate's configuration determines what to do with the held file. Inline scanning requires a FortiSandbox appliance running version 4.2 or later. This feature is not supported on FortiSandbox Cloud or FortiGate Cloud Sandbox.

config system fortisandbox
    set inline-scan {enable | disable}
end

In the antivirus profile, the ftgd-analytics option is renamed to fortisandbox-mode. There are new options to set FortiSandbox inline scan error and timeout actions.

config antivirus profile
    edit <name>
        set fortisandbox-mode {inline | analytics-suspicious | analytics-everything}
        set fortisandbox-error-action {ignore | log-only | block}  
        set fortisandbox-timeout-action {ignore | log-only | block}
        set fortisandbox-max-upload <integer>
        config {http | ftp | imap | pop3 | smtp | mapi | cifs | ssh}
            set av-scan {disable | block | monitor}
            set fortisandbox {disable | block | monitor}
        end	
    next
end

Mark endpoint records and host tags as out of synchronization when failure timeout occurs for the EMS APIs, report/fct/sysinfo and report/fct/host_tags. The out-of-sync threshold (in seconds, 10 - 3600) can be configured from the CLI.

config endpoint fctems
    edit <name>
        set out-of-sync-threshold <integer>
    next
end

Add two new options, policy change summary and policy expiry, to workflow management. The policy change summary enforces an audit trail for changes to firewall policies. The policy expiry allows administrators to set a date for the policy to be disabled.

Support phase 2 selectors for injecting IKE routes on shortcut tunnels in IPsec mode-cfg mode, thereby eliminating the requirement of reflecting BGP routes between spokes in SD-WAN and ADVPN configurations.

config vpn ipsec phase1-interface
    edit <phase1-interface_name>
        set mode-cfg-allow-client-selector {enable | disable}
    next
end

Add six new automation triggers based on event log categories:

• IPS logs
• Anomaly logs
• Virus logs
• SSH logs
• Traffic violations
• Web filter violations

When multi-VDOM mode is enabled, individual VDOMs can be specified so that the trigger is only applied to the specified VDOMs.

Support using IP addresses in dynamic firewall address list in the IKE mode-cfg split-include option. The first item under the dynamic address' configuration list that can be successfully converted into an IP address will be used.

Federated upgrade for managed FortiSwitches allows a newly authorized FortiSwitch to be upgraded to the latest supported version automatically. The latest compatible FortiSwitch firmware is downloaded from FortiGuard without needing user intervention.

config switch-controller managed-switch
    edit <id>
        set fsw-wan1-peer <interface>
        set fsw-wan1-admin enable
        set firmware-provision-latest {once | disable}
    next
end

config switch-controller global
    set firmware-provision-on-authorization {enable | disable}
end

If firmware-provision-on-authorization is set to enable, firmware-provision-latest will be set to once automatically when the FortiSwitch administrative status (fsw-wan1-admin) is enabled.

When the FortiSwitch connection status becomes authorized or up, a one-time upgrade to the latest compatible firmware version starts if firmware-provision-latest is set to once.

A FortiSwitch can connect to multiple VDOMs, and it will be upgraded through any VDOM that it is authorized in.

L3 roaming between different VLANs and subnets on the same or different wireless controller is supported. A client connected to the SSID on one FortiAP can roam to the same SSID on another FortiAP managed by the same or different FortiGate wireless controller and continue to use the same IP. When the client idles longer than the client-idle-rehome-timeout, the client will rehome and receive an address on the new subnet from the new FortiAP.

config wireless-controller timers
    set client-idle-rehome-timeout <integer>
end

config wireless-controller vap
    edit <name>
        set l3-roaming {enable | disable}
    next
end

config wireless-controller inter-controller
    set l3-roaming {enable | disable}
end

When performing a Fabric or non-Fabric upgrade under System > Fabric Management while choosing a firmware that requires multiple builds in the upgrade path, the FortiGate can follow the upgrade path to complete the upgrade automatically. This can be performed immediately or during a scheduled time.

This enhancement improves upon BGP conditional advertisement by accepting multiple conditions to be used together. The conditional route map entries are treated with an AND operator.

When the condition-type is exist:

• If the conditional route map matches, then advertised route map will apply.
• If the conditional route map does not match, then the advertised route map will not apply.

When the condition-type is non-exist:

• If the conditional route map matches, then the advertised route map will not apply.
• If the conditional route map not matches, then advertised route map will apply.

Add IP Address Lookup to the Internet Service Database page that allows users to look up IP information on demand from the ISDB and GeoIP database. Returned information includes reverse IP/domain lookup, location, reputation, and other internet service information.

Improve the channel selection for each of the 2.4 GHz and 5 GHz wireless radios. For 2.4 GHz, two default channel plans (Three Channels and Four Channels) can be selected to automatically configure non-overlapping channels. For 5 GHz, a new slide-in page (Set Channels) with improved visualization is added to help users select their desired channels.

Add a map of FortiSwitch model prefixes to full model names, and update the GUI to use these full model names on the Managed FortiSwitches page. For example, in previous versions the Model displayed for a FortiSwitch would be FS1D24, and now it is displayed as FortiSwitch 1024D.

Add GUI configuration and improvements to the NAC LAN segmentation feature introduced in FOS 7.0.1. Improvements include:

• Display NAC segment and LAN segment VLANs as parent and child on the Network > Interface page.
• Add a VLAN segment toggle to apply VLAN segmentation to a switch VLAN interface.
• Add a NAC Settings dialog to the NAC Policies page to enable NAC VLANs and modify the primary, onboarding, and segment VLANs.

Previously, users could be assigned to VLANs dynamically according to the RADIUS attribute Tunnel-Private-Group-Id returned from the Access-Accept message. The value can either match a particular VLAN ID or a VLAN interface name. A third option is now added to match based on a VLAN name table defined under the virtual AP.

Add option to allow administrators to enable or disable FFDHE groups for VIP SSL key share.

config firewall vip
    edit "access-proxy"
        set type access-proxy
        set ssl-accept-ffdhe-groups {enable | disable}
    next
    edit "server-load-balance"
        set server-load-balance
        set ssl-accept-ffdhe-groups {enable | disable}
    next
end

Enhance link-monitor to measure the SLA information of dynamic VPN interfaces that assign IP addresses to their clients during tunnel establishment. This includes SSL VPN tunnels, IPsec remote access, and IPsec site-to-site tunnels.

config system link-monitor
    edit <name>
        set server-type {static | dynamic}
    next
end

# diagnose sys link-monitor tunnel {name | all} <tunnel_name>

Upon receiving direct FSSO logon REST API requests, the FortiGate now returns the HTTP response code instantaneously and offloads the LDAP group membership query to a backend API. This improves response times, and prevents delays and backlogs when many requests are sent in a short time period.

License enforcement on downstream devices by:

• Supporting the CSF REST API via a FortiGate Cloud (FGC) tunnel from the root to downstream devices and vice-versa.
• Restricting create, edit, and delete permissions when accessing devices without a subscription from the FortiGate Cloud portal.
• Adding the ability to re-run notifications when switching via the CSF FortiGate chooser dropdown.
• Showing read-only access notifications when users switch to a downstream device without a paid subscription from the FortiGate Cloud portal.

Add options to increase flexibility in controlling how the FortiGate's routing engine resolves the BGP route's next hops.

config router bgp
    set tag-resolve-mode {disable | preferred | merge}
end

The preferred option uses a tag match if a BGP route resolution with another route containing the same tag is successful

The merge option merges the tag match with best match if they are using different routes. The results excludes the next hops of tag matches whose interfaces have appeared in best match.

Add mean opinion score (MOS) calculation and logging for performance SLA health checks. The MOS is a method of measuring voice quality using a formula that takes latency, jitter, packet loss, and the codec into account to produce a score from zero to five (0 - 5). The G.711, G.729, and G.722 codecs can be selected in the health check configurations, and an MOS threshold can be entered to indicate the minimum MOS score for the SLA to pass. The maximum MOS score will depend on which codec is used, since each codec has a theoretical maximum limit. Currently, the MOS cannot be used as the link-cost-factor to steer traffic in an SD-WAN rule.

Enhance the SD-WAN, VPN, and BGP configurations to support the segmentation over a single overlay scenario. In this scenario, a hub and spoke SD-WAN deployment requires that branch sites, or spokes, are able to accommodate multiple companies or departments. Each company's subnet is separated by a different VRF. A subnet on one VRF cannot communicate with a subnet on another VRF between different branches, but can communicate with the same VRF.

Add a RADIUS option to allow the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

Add maximum output size (megabytes) and timeout (seconds) limit to the CLI script automation action settings. The script will stop if the either one of the limits is reached.

config system automation-action
    edit <name>
        set output-size <integer>
        set timeout <integer>
    next
end

Add maximum concurrent stitch setting in config automation setting that limits how many stitches can run at same time.

config automation setting
    set max-concurrent-stitches <integer>
end

Exchange the SD-WAN member's local cost on an ADVPN shortcut tunnel to give spokes the capability of using remote cost as a tie-breaker to select the preferred shortcut.

When creating a software switch from Network > Interfaces, it is possible to add multiple FortiSwitch FortiLink VLANs as Interface members.

Depending on which region a customer chooses to deploy their FortiSandbox Cloud instance, the FortiGate will automatically connect to fortisandboxcloud.com and discover the specific region and server to connect to.

Add maximal field for each resource in get system performance status and improve average value accuracy by rolling over samples immediately when queried.

Extend api/v2/monitor/system/resource/usage to include new maximum, minimum, and average fields for each resource.

Optimize broadcast and multicast suppression over SSID tunnel mode across the FortiAP network.

Allow customization of RDP display size (width and height settings) for SSL VPN web mode when creating a new connection or bookmark. Administrators can also specify the display size when pre-configuring bookmarks.

Allow FortiExtender to be managed and used in a non-root VDOM. Previously, FortiExtender could only be used in the root VDOM.

Improve CAPWAP tunnel performance on FortiGates managing FortiExtenders in WAN extension deployments.

Allow the AWS SDN connector to use the AWS security token service (STS) API to connect to multiple AWS accounts concurrently. This allows a single AWS SDN connector to retrieve dynamic objects from multiple accounts, instead of needing to create an SDN connector for each account.

config system sdn-connector
    edit "aws1"
        config external-account-list
            edit "arn:aws:iam::6*******5494:role/CrossAccountSTS"
                set region-list "us-west-1" "us-west-2"
            next
            edit "arn:aws:iam::9*******1167:role/CrossAccountSTS"
                set region-list "us-west-1" "us-west-2"
            next
        end
    next
end

Support activation of Flex-VMs when connecting to the internet using a web proxy.

# execute vm-license <token> http://user:pass@proxyip:proxyport

When configuring security policies in NGFW policy-based mode, it is possible to select and apply web filter URL categories and URL category groups.

config firewall security-policy
    edit <id>
        set url-category {g<group_value> <category_value>}
    next
end

To enhance BFD support, FortiOS can now support neighbors connected over multiple hops. When BFD is down, BGP sessions will be reset and try to re-establish neighbor connection immediately.

An application category can be selected as an SD-WAN service rule destination criterion. Previously, only application groups or individual applications could be selected.

config system sdwan
    config service
        edit <id>
            set internet-service enable
            set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n> 
        next
    end
end

The new Netflow fields, ipClassOfService and postIpClassOfService, for identifying class of service in traffic flows are supported in FortiOS. The FortiGate reads the TOS(IPv4)/Traffic Class(IPv6) fields from the first packet of incoming traffic flow for the ipClassOfService value, and the first packet of outgoing traffic flow for postIpClassOfService value. These fields were added to NetFlow template ID 262.

Indicator of compromise (IoC) detection for local out traffic helps detect any FortiGate locally generated traffic that is destined for a known compromised location. The FortiGate will generate an event log to warn administrators of IoC detection.

Support tracking of authenticated LDAP users by logging the users' group memberships and logon/logout timestamps into local files on the log disk over a rolling four-week period. The historical records can be queried from CLI. This feature is only enabled on FortiGate models with a log disk.

Support UTM scanning and deep inspection for mail protocols SMTP, IMAP, and POP3 in ZTNA TCP forwarding access proxy.

Enable TLS sessions to use an abbreviated TLS handshake instead of a full TLS handshake upon failover from a primary HA unit to a secondary HA unit in A-A or A-P mode. Instead of using the admin-server-cert to generate the key that is used in a TLS session ticket, FortiOS uses the web proxy global ssl-ca-cert that can be synchronized to the secondary HA member. When a TLS session reconnects after HA failover using the same session ticket as the first session, the new primary unit is able to generate the same key matching that session ticket and allow an abbreviated handshake.

Enhance the FortiSwitch Ports page in port and trunk mode by adding a Statistics button and slide-in pane to view traffic statistics and issues.

Enhance the Diagnostics and Tools slide-in pane by adding the fan and PSU status to the general health status, and a Clients tab to view clients for the specific FortiSwitch.

Add support for FQDN and ZTNA TCP forwarding. A wildcard domain name can be in the TCP forwarding access proxy with the domain option under the real server settings. When a domain name request arrives, it matches the domain in the request with the configured domain.

If there is a match, a DNS request is made and the destination of the request is the DNSed IP. If there is no match, a DNS request is made and the DNSed IP is matched with the configured real server's IP.

Introduce real-time FortiView monitors for Proxy Sources, Proxy Destinations, and all Proxy Sessions. Proxy policy sessions are no longer show in FortiView Policies and FortiView Applications.

Allow flow-tracking to be configurable for multiple NetFlow collectors. FortiSwitch 7.0.0 or later is required to support the multiple collectors configuration; otherwise, only the first collector will be supported.

Add email-to and subject types in email filter block-allow-list. The email type has been renamed to email-from.

config emailfilter block-allow-list
    edit 1
        set name "bal list"
        config entries
            edit 1
                set type email-to
                set pattern "test@fortinet.com"
            next
            edit 2
                set type subject
                set pattern "Spam!"
            next
        end
    next
end

The Email Regular Expression and Email Wildcard types have been replaced with Sender Address, Recipient Address, and Subject. Add Pattern Type selector with two values, Wildcard and Regular Expression for each type.

Add support for 802.1X under the hardware switch interface on NP6 platforms: FG-30xE, FG-40xE, and FG-110xE.

Remove support for Security Fabric loose pairing. Affected devices include: FortiADC, FortiDDoS, and FortiWLC.

Add tabs in the Asset Identity Center page for viewing the OT asset list and OT network topology using Purdue levels. This feature can be enabled in the GUI by going to System > Feature Visibility, and enabling Operational Technology (OT).

Implement support for NAT46 and NAT64 for SIP ALG, allowing customers that have mix of IPv4 and IPv6 networks to use SIP ALG for proper call handling.

When authenticating with RADIUS in a wired or wireless scenario, the FortiGate can support proper handling of the Termination-Action AVP. In the wired scenario, a hardware switch configured with 802.1X security authentication can read the Termination-Action attribute value from the RADIUS Access-Accept response. If the Termination-Action is 1, the FortiGate will initiate re-authentication when the session time has expired. During re-authentication, the port stays authorized. If the Termination-Action is 0, the session will be terminated.

The following existing options can be used to control explicit DoT handshakes.

config system global
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3}
    set ssl-static-key-ciphers {enable | disable}
    set strong-crypto {enable | disable}
end

Allow both primary and secondary HA members to be registered to FortiCare at the same time from the primary unit. The secondary unit will register through the HA proxy. Display a new FortiCare Register option in the GUI on various Fabric related pages and widgets.

Add Windows 11 and macOS 12 to the SSL VPN OS check. The following options are available for config os-check-list <name>: macos-bigsur-11, macos-catalina-10.15, macos-mojave-10.14, macos-monterey-12, windows-7, windows-8.1, windows-10, and windows-11.

Operating systems no longer supported by FortiClient were removed.

Update the OVF package so it reflects newer VMware ESXi and hardware versions.

Allow pre-authorization of a FortiAP on the FortiGate wireless controller by specifying a wildcard serial number that represents the model of FortiAP being pre-authorized. For example, a wildcard serial number of FP231F****000001 will allow the first FortiAP-231F that registers to the wireless controller to be authorized automatically and adopt the profile configurations.

Allow pre-authorization of a FortiSwitch on the FortiGate switch controller by specifying a wildcard serial number that represents the model of FortiSwitch being pre-authorized. For example, a wildcard serial number of S248EP****000001 will allow the first FortiSwitch-248E-POE that registers to the switch controller to be authorized automatically and adopt the profile configurations.

Automatically detect and display the SSL VPN portal login page based on the user's browser language.

Add macOS 12 and Windows 11 to SSL VPN host check. Windows 8 and macOS 10.9 to 10.13 are removed from the SSL VPN host check.

A client certificate is configured on an LDAP server configuration when an LDAP server expects the LDAP client to use the client certificate to authenticate itself in order to access to the LDAP server.

config user ldap
    set client-cert-auth {enable | disable}
    set client-cert <source>
end

The client certificate source comes from config vpn certificate local, and is filtered by client authentication key usage.

On supported FortiSwitch models, it is possible to establish a VXLAN tunnel with the FortiGate over a layer 3 network, and use the VXLAN interface for the FortiLink connection. This allows for a layer 2 overlay over layer 3 routed network.

Users have more options to filter IPS signatures when configuring IPS sensor profiles. Signatures can be selected by these additional attributes: default status, default action, vulnerability type, and last update date.

config ips sensor
    edit <name>
        config entries
            edit <id>
                set last-modified {before <date> | after <date> | between <start-date> <end-date>}
                set vuln-type <id_1> ... <id_n>
                set default-action {all | pass | drop}
                set default-status {all | enable | disable}
            next
        end
    next
end

FortiOS now incorporates maturity levels in the released firmware images. Two maturity levels are defined: feature and mature.

In the GUI and CLI, administrators are able to identify the maturity level of the current firmware by the Feature or Mature tags. On the System > Fabric Management page, administrators can view the maturity levels of each firmware available for upgrade. When upgrading from a Mature to a Feature firmware, a warning message is displayed.

Add Process Monitor page for displaying running processes with their CPU and memory usage levels. Administrators can view a list of running processes, sort and filter them, and select a process to terminate it.

Enhancements have been made to the FortiGate Support Tool Chrome extension, including: backend capture support, CSF support, more daemon logging, pre-process CPU and memory charts, crash log support, REST API profiling, organized node logging, and WebSocket messages.

In the Top FortiSandbox Files FortiView monitor, users can select a submitted file and drill down to view its static and dynamic file analysis. The full FortiSandbox report can be downloaded in PDF format. This feature works with FortiGate Cloud Sandbox, FortiSandbox Cloud, and FortiSandbox appliance. FortiSandbox must be running version 3.2.1 and later.

Display a warning in the GUI and CLI when upgrading a device in an HA cluster that is out of synchronization.

Allow dedicated scan to be disabled on FortiAP F-series profiles, which then allows background scanning using the WIDS profile to be enabled on radios 1 and 2.

In dynamic port policies, it is now possible to use the hardware vendor as a filter for the device patterns.

Support multiple members per SD-WAN neighbor configuration and the new minimum-sla-meet-members option to configure the minimum number of members that must be in an SLA for preferable route map to be used.

For a current SD-WAN neighbor plus route-map-out-preferable design, only one member can be defined in the SD-WAN neighbor configuration for one BGP neighbor. If the member is in SLA, the preferable route map will be applied on the BGP neighbor; otherwise, the default route map will be applied.

In the case of one BGP neighbor over multiple SD-WAN members, the current SD-WAN neighbor plus route-map-out-preferable mechanism is enhanced to allow defining multiple members in the SD-WAN neighbor configuration for one BGP neighbor. The new minimum-sla-meet-members option can flexibly trigger a route map change based on a minimum threshold of in-SLA members.

DNS servers learned through DHCP may not support the default FortiOS configured DoT protocol. The dns-server-protocol setting under config system interface > edit <name> is introduced to offer the ability to chose the protocol for DNS servers learned through DHCP under any interface.

When sending a response to an SNMP request for ipAddressTable, append the IP address type (type 1 for IPv4, type 2 for IPv6) and number of octets (four for IPv4, 16 for IPv6) in the format 1.3.6.1.2.1.4.34.1.3.<type>.<octet>.

Display LTE modem configurations in the GUI for FG-40F-3G4G models under Network > Interfaceson the wwan interface page. The LTE modem and SIM statuses are displayed in the right- side gutter.

In multi VDOM mode, users can choose which VDOM is used by FortiGuard services to initiate updates, instead of being locked to the management VDOM. This allows deployment scenarios where the management VDOM is a closed network.

config global
    config system fortiguard
        set vdom <vdom>
    end
end

Add advpnsc log field to the VPN event log to indicate that a VPN event is based on an ADVPN shortcut. A value of 1 indicates the tunnel is an ADVPN shortcut, and 0 indicates that it is not.

When authenticating with RADIUS in a wireless scenario, the FortiGate can support proper handling of the Termination-Action AVP. In the wireless scenario, when a virtual AP is configured with WPA2-Enterprise security with RADIUS and has CoA enabled, it processes the RADIUS CoA request immediately upon receiving it and re-authenticates when the Termination-Action is 1.

To improve GUI performance, an option is added to enable loading static GUI artifacts cached in CDN (content delivery network) servers closer to the user rather than from the FortiGate. On failure, the files can fall back to loading from the FortiGate.

config system global
    set gui-cdn-usage {enable | disable}
end

Support access control for SNMP based on MIB view and VDOM. Administrators can provide access control to SNMP based on restricting an MIB view to specific OID subtrees or by VDOM. This allows multi-tenant FortiGate deployments to give restricted access per VDOM.

When the admin-restrict-local setting is enabled under config system global, local administrators cannot be used until all remote authentication servers are down. In this enhancement, the FortiGate only checks all remote authentication servers that are applied in config system admin are down, instead of all remote servers configured on the FortiGate, before allowing local administrators to log in.

On the WiFi & Switch Controller > FortiSwitch Clients page, client devices connected to the managed FortiSwitches are displayed. Clicking a client entry shows more information about the port and policies associated with the client device.

Add option to perform SD-WAN on-demand packet duplication only when SLAs in the configured service is matched. When the sla-match-service option is enabled, only the SLA health checks and targets used in the service rule are used to trigger the packet duplication. Prior to this, when using an SD-WAN on-demand duplication rule that is configured to match a service rule, the duplication will only be triggered when all SLA health checks miss their thresholds. This is the same behavior as when sla-match-service is disabled.

config system sdwan
    config duplication
        edit <id>
            set service-id <rule_id>
            set packet-duplication on-demand
            set sla-match-service {enable | disable}
        next
    end
end

Add Fortinet objects to the built-in Internet Service Database (ISDB) in the FortiOS image to assist in scenarios where firewall rules or policy routes use the ISDB to access FortiGuard servers after booting up.

Allow the FortiGate to act as an 802.1X supplicant. The new configurations can be enabled from the network interface in the CLI. The EAP authentication method can be either PEAP or TLS using a user certificate.

config system interface
    edit <interface>
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
    next
end

Add and update the following log fields for HTTP transaction related logs to improve log analysis coverage:

• Add field for HTTP method (httpmethod).
• Change URL rating method field (method) to ratemethod.
• Extend user agent field (agent) to save the whole User-Agent header.
• Remove referrer from rawdata field and insert it into the referralurl field.

Remove overlap check for VIPs so there are no constraints when configuring multiple VIPs with the same external interface and IP. Instead, a new security rating report will alert users of any VIP overlaps.

Allow empty address groups with no members in the GUI, CLI and through the API.

Add option to configure console port login on a managed FortiSwitch.

config switch-controller switch-profile
    edit "default"
        set login {enable | disable}
    next
end

Multicast traffic shaping is supported under the following conditions:

• In config router multicast, multicast-routing is enabled (and multicast routing is properly configured).
• In config firewall shaper traffic-shaper, per-policy is disabled (default setting). Per-policy enabled shapers are not supported.
• In config firewall multicast-policy, auto-asic-offload is disabled.

config firewall multicast-policy
    edit <id>
        set traffic-shaper <string>
    next
end

Running diagnose sys mcast-session list displays traffic shaper information for each path.

Add support for Apple French keyboard layout for RDP in SSL web portal, user bookmark, and user group bookmark settings (set keyboard-layout fr-apple).

Allow a two-hour grace period for Flex-VMs to begin passing traffic upon retrieving a license from FortiCare without VM entitlement verification from FortiGuard.

Allow VRRP to be configured on an EMAC-VLAN interface.

Support IPv4 over IPv6 DS-Lite service in virtual network enabler (VNE) tunnels. In addition, the VNE tunnel fixed IP mode supports username and password authentication.

Add four SNMP OIDs for polling critical port block allocations (PBAs) IP pool statistics including: total PBAs, in use PBAs, expiring PBAs, and free PBAs.

Add options to disable using the FortiGuard IP address rating for SSL exemptions and proxy addresses.

config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end

config firewall profile-protocol-options
    edit <name>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end

By default, the ssl-exemption-ip-rating and address-ip-rating options are enabled. If both a website domain and its IP address return different categories after being rated by FortiGuard, then the IP address category takes precedence when evaluating SSL exemptions associated with the SSL inspection profile and proxy addresses associated with the proxy protocol options profile.

When the categories associated with the website domain and IP address are different, using these options to disable the FortiGuard IP rating ensures that the FortiGuard domain category takes precedence when evaluating the above objects.

By default, the connection from the ZTNA access proxy to the backend servers uses the IP of the outgoing interface as the source. This enhancement enables customers to use an IP pool as the source IP, or use the client's original IP as the source IP. This allows ZTNA to support more sessions without source port conflict.

config firewall proxy-policy
   edit <id>
      set type access-proxy
      set poolname <ip_pool>
      set transparent {enable | disable}
   next
end

Support backing up and restoring configuration files in YAML format.

# execute backup yaml-config {ftp | tftp} <filename> <server> [username] [password]

# execute restore yaml-config {ftp | tftp} <filename> <server> [username] [password]

When the Security Fabric is not enabled on a FortiGate, it will still run a lightweight mode to display managed FortiSwitches and FortiAPs in topology view and tree view. It also supports federated upgrades between the FortiGate and the managed FortiSwitches and FortiAPs.