Prior to this enhancement, individual applications can be selected in SD-WAN rules by default. Upon upgrade, the GUI functionality is available if applications are already configured in SD-WAN rules prior to upgrading. Otherwise, by default, individual applications and application groups cannot be selected in SD-WAN rules.

To enable in the GUI:

1. Go to System > Feature Visibility.
2. In the Additional Features section, enable Application Detection Based SD-WAN.
3. Click Apply.

To enable in the CLI:

config system global
    set gui-app-detection-sdwan enable
end

Change the encryption and decryption method of backup files to AES-GCM method. The backup configuration file encrypted by the new algorithm in 7.2.1 cannot be restored on FortiGates running FortiOS 7.2.0 and earlier.

The 15-day evaluation period for a FortiGate VM is replaced with a permanent evaluation VM license. When spinning up a new FortiGate VM, the user will have a choice of logging in to FortiCare to activate the VM trial or to upload a full license. Each FortiCare account is entitled to one evaluation VM license.

Limitations of the evaluation VM license include:

• There is only support for low encryption operation, except for GUI management access and FortiManager communications.
• There is a maximum of one CPU and 2 GB of memory.
• There is a maximum of three interfaces, firewall policies, and routes.
• There is no FortiCare support.

The evaluation VM license is applicable to all private cloud (VMware ESXi, KVM, and so on) and all BYOL public cloud instances.

By default on a new deployment, the FortiGate will use the certificate named Fortinet_GUI_Server for HTTPS administrative access. This certificate is generated and signed by the built-in Fortinet_CA_SSL certificate, which dynamically updates the SAN field of the Fortinet_GUI_Server certificate with IP addresses of all interfaces enabled for HTTPS. After installing the Fortinet_CA_SSL CA certificate on a PC, administrators can access the FortiGate GUI through a browser without any warnings.

Prior to 7.2.1, after an HA failover due to memory utilization, the original primary device will not fail over back to the primary after memory has dropped below the threshold. Starting in 7.2.1, the original primary device will fail over back to the primary once its memory usage drops below the threshold.

Loopback interfaces are no longer allowed to be configured as gateway interfaces on static routes. Upon upgrade, static route configurations with loopbacks as gateway interfaces will be removed.

Affected use case: a loopback interface may be used in a static route so that the route can be advertised by BGP using network or redistribute static. This scenario can no longer be configured.

Workaround: instead of creating a static route using a loopback interface, create a black hole route for the same destination. Then, advertise the network in BGP using network or redistribute static.