New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

535099

When editing an SSID interface within WiFi & Switch Controller > SSIDs, an address group containing wireless clients' MAC addresses and an address group policy (disable, allow, or deny) can be configured for the client MAC address filtering feature.

652281

Certain unused WAD proxy processes are not started by default on FortiGate models with 2 GB of RAM or less, to reduce memory usage. These processes only start when the relevant proxy features are configured.

688237

Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged into an SFP port.

The management of the DSL transceiver includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrade of the module, and reset the module. The following VDSL profiles are supported: 8a, 8b, 8c, 8d, 12a, 12b, 17a, and 30a.

Supported platforms: FG-80F, FG-81F, FG-80F-BP, FGR-60F, and FGR-60F_3G4G.

735929

Add REST API in both FortiNAC and FortiGate that is used by FortiNAC to send user logon/logoff information to the FortiGate. A new dynamic firewall address type (FortiNAC tag) is added to FortiOS, which is used to store the device IP, FortiNAC firewall tags, and FortiNAC group information sent from FortiNAC via the REST API when user logon/logoff events are registered.

The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated. For upgrade support, the FSSO FortiNAC user type can still be configured from the CLI.

739174

For a FortiGate with a valid Security Rating license, the separate Security Rating package downloaded from FortiGuard adds support for PSIRT vulnerabilities, which allows the security rating result to highlight them. If the security rating result highlights a vulnerability with a critical severity, then the FortiGate GUI displays a new warning message in the header and a new notification under the bell icon. Both GUI enhancements link to the System > Fabric Management page to encourage updating any affected Fortinet Fabric devices to the latest firmware releases to resolve the critical vulnerabilities.

A new View Vulnerability link in the header is visible for global administrators, and a new tooltip for the critical vulnerability label on the System > Fabric Management page both link to the Security Rating page and highlight the critical vulnerability. On the Security Rating page, the search bar supports using the PSIRT keyword to filter for PSIRT vulnerabilities, and the security panel provides a link to the System > Fabric Management page when a PSIRT vulnerability is selected.

739182

Allow FortiClients to learn the available ZTNA services from the FortiGate ZTNA portal. The services that can be learned include HTTP/HTTPS web services, TCP forwarding services, and web portals. The FortiClient must connect to the FortiGate using a DoT or DoH tunnel. Then, it can retrieve the service mapping in JSON format.

743804

Add a RADIUS option to allow the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

745135

Provide three sizes of internet service databases, and an option to choose between full, standard, or mini databases. Only FortiGate 30 and 50 series models can configure mini size.

config system global
    set internet-service-database {mini | standard | full}
end

750320

Add a command to add ZTNA virtual hosts and domains to the FortiGate's local DNS database. Each virtual host and domain is mapped to the VIP defined for the corresponding access proxy. Each virtual host can only be used in one access proxy.

config firewall access-proxy
    edit <name>
        set add-vhost-domain-to-dnsdb {enable | disable}
    next
end

753742

Improve the Security Fabric backend so that physical topology, logical topology, and security rating report information is gathered in a distributed manner through each downstream FortiGate device. This results in lower delay and memory usage on the Fabric root, and fewer API calls to the downstream devices.

760932

The SAP external Fabric connector allows the FortiGate to connect to an SAP controller to synchronize dynamic address objects and ports for SAP workloads. These address objects can be used in firewall policies to grant access control to dynamic SAP workloads.

764957

Add an automation trigger for certificate expiry by introducing the local-certificate-near-expiry event type, which fires when a user-supplied local certificate used for SSL VPN, deep inspection, or another purpose is about to expire. The trigger uses the certificate expiry warning threshold configured under the VPN certificate settings in the CLI:

config vpn certificate setting
    set cert-expire-warning <integer>
end

Where <integer> is the certificate log expiring warning threshold, in days (0 - 100, default = 14).

The local certificate expiry trigger can be used with an email notification action, for example, to remind an administrator to re-sign or load a new local certificate to avoid any service interruptions.

766158

In a video filter profile, when the FortiGuard category-based filter and YouTube channel override are used together, by default a video will be blocked if it matches either category or YouTube channel and the action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled.

773555

Add option to push updates to external threat feeds through the REST API. When configuring a FortiGuard Category, Malware Hash, IP Address, or Domain Name threat feed from the Security Fabric > External Connectors page, select the Push API update method to provide the code samples needed to perform add, remove, and snapshot operations.
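The GUI hands you the exact add, remove and snapshot samples for a given feed. What the samples do not show is the step that has to run before them: reconciling the indicators you hold now against what was pushed last time, so that a feed is moved forward with the fewest operations and never left half-applied. The following is an added example, not code from the release notes or from Fortinet. The endpoint path, the JSON field names and the bearer-token header in it are assumptions modelled on the style of the GUI samples; take the real ones from the Security Fabric > External Connectors page for your feed. The feed contents are constructed.

```python
"""Plan push updates to a FortiGate external threat feed.

Added example, not Fortinet code. Diffs the indicators held now against
the ones pushed last time and emits the minimal set of push operations.
ASSUMED_ENDPOINT and the {"command", "resource", "entries"} payload shape
are assumptions; copy the real values from the External Connectors page.
"""
import json
import ssl
import urllib.request
from typing import Dict, Iterable, List

ASSUMED_ENDPOINT = "/api/v2/monitor/system/external-resource/dynamic"  # assumption
SNAPSHOT_RATIO = 0.5  # if more than half the feed changes, resend it whole


def plan_updates(resource: str, previous: Iterable[str], current: Iterable[str]) -> List[Dict]:
    """Return the operations that move `resource` from `previous` to `current`.

    Each operation is a JSON-serialisable dict in the assumed shape
    {"command": "add"|"remove"|"snapshot", "resource": ..., "entries": [...]}.
    An empty list means there is nothing to push.
    """
    prev, cur = set(previous), set(current)
    to_add, to_remove = sorted(cur - prev), sorted(prev - cur)
    if not to_add and not to_remove:
        return []
    # A snapshot replaces the feed in one operation; prefer it for a new feed
    # or for heavy churn so the FortiGate never sees a half-applied feed.
    if not prev or (len(to_add) + len(to_remove)) > SNAPSHOT_RATIO * len(prev):
        return [{"command": "snapshot", "resource": resource, "entries": sorted(cur)}]
    ops: List[Dict] = []
    if to_add:
        ops.append({"command": "add", "resource": resource, "entries": to_add})
    if to_remove:
        ops.append({"command": "remove", "resource": resource, "entries": to_remove})
    return ops


def push(host: str, token: str, op: Dict, vdom: str = "root") -> bytes:
    """POST one planned operation to the FortiGate (assumed endpoint).

    TLS verification is left on: add the FortiGate's certificate (or its
    issuing CA) to the trust store rather than disabling verification.
    """
    url = f"https://{host}{ASSUMED_ENDPOINT}?vdom={vdom}"
    req = urllib.request.Request(
        url,
        data=json.dumps(op).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample: yesterday's pushed feed and today's pull from the intel source.
    last_pushed = ["198.51.100.10", "198.51.100.11", "203.0.113.5", "203.0.113.6"]
    today = ["198.51.100.10", "203.0.113.5", "203.0.113.6", "203.0.113.7"]
    for op in plan_updates("blocked-ips", last_pushed, today):
        print(json.dumps(op))
```

Keep the list that was last pushed (or pull it back from the FortiGate) as the `previous` argument; without that record every run degrades to a full snapshot.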

775285

Enhance LAN extension on the FortiGate to allow a remote FortiGate (FortiGate Connector) to provide remote connectivity back to the FortiGate (FortiGate Controller) over a backhaul connection. A FortiGate deployed at a remote location discovers the FortiGate Controller and forms an IPsec tunnel (or multiple tunnels when multiple links exist on the FortiGate Connector) back to the FortiGate Controller. A VXLAN is established over the IPsec tunnels to create an L2 network between the FortiGate Controller and the network behind the FortiGate Connector.

775287

Allow an administrator to deregister a FortiGate if the device has been registered for three or more years. After the device is deregistered, all associated contracts are also deregistered.

775288

Enhance IP address management (IPAM) in the GUI and the CLI to allow multiple pools and assign them to different interfaces based on name and/or role using IPAM rules.

In the GUI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM pools can be defined under Network > IPAM > IPAM Settings, and IPAM rules can be defined under Network > IPAM > IPAM Rules.

In the CLI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM pools can be defined as follows where a.b.c.d/x is the IP/netmask of the subnet:

config system ipam
    config pools
        edit <name>
            set subnet <a.b.c.d/x>
        next
    end
end

In the CLI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM rules can be defined as follows (device and interface fields accept * wildcard inputs):

config system ipam
    config rules
        edit <rule_name>
            set device {<FortiGate_serial_number> | *}
            set interface {<name> | *}
            set pool <pool_name>
        next
    end
end

779304

YAML can be selected as file format when backing up or restoring configurations from the GUI.

780993

When registering using FortiCare, users can select a Government end user type for parity with the registration process using the support portal.

784630

Support BGP Autonomous System (AS) numbers as input in asdot and asdot+ format from RFC 5396 for the following CLI commands:

  • BGP AS
  • BGP neighbour/neighbour group local AS
  • BGP neighbour/neighbour group remote AS
  • Route map set AS path

get router info bgp summary and other BGP router commands still display the AS numbers in asplain format.
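Because the configuration now accepts asdot and asdot+ while the show commands keep printing asplain, it is easy to misread a 4-byte AS number in one form against the other (an AS entered as 1.10 is displayed as 65546). The helper below, an added example that is not part of the release notes, converts between the three RFC 5396 notations and checks whether two strings in any notation denote the same AS. The AS numbers in it are constructed.

```python
"""RFC 5396 AS number notation helpers (added example, not Fortinet code).

asplain: plain decimal, 0 - 4294967295 (what `get router info bgp summary` prints)
asdot+:  <high 16 bits>.<low 16 bits>, always dotted
asdot:   plain decimal up to 65535, asdot+ form above that
"""
import re

MAX_AS = 2**32 - 1
_DOT_RE = re.compile(r"^(\d+)\.(\d+)$")
_PLAIN_RE = re.compile(r"^\d+$")


def _check(asn: int) -> None:
    if not 0 <= asn <= MAX_AS:
        raise ValueError(f"AS number out of 32-bit range: {asn}")


def parse_asn(text: str) -> int:
    """Parse an AS number written in asplain, asdot, or asdot+ notation.

    Both dotted notations are accepted, including asdot+ values such as
    0.64512 that asdot itself would write as 64512. Raises ValueError on
    anything that is not a valid 32-bit AS number.
    """
    text = text.strip()
    m = _DOT_RE.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted AS component out of range: {text!r}")
        return (high << 16) | low
    if _PLAIN_RE.match(text):
        value = int(text)
        _check(value)
        return value
    raise ValueError(f"not an AS number: {text!r}")


def to_asplain(asn: int) -> str:
    """Render as plain decimal, the form the FortiGate show commands use."""
    _check(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """Render as <high16>.<low16>, always dotted."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """Render as asdot: decimal for 2-byte AS numbers, dotted above 65535."""
    _check(asn)
    return str(asn) if asn <= 0xFFFF else to_asdot_plus(asn)


def same_asn(a: str, b: str) -> bool:
    """True if two AS numbers in any supported notation denote the same AS."""
    return parse_asn(a) == parse_asn(b)


if __name__ == "__main__":
    # Constructed values: a configured asdot AS and what the show command prints.
    for text in ("1.10", "65546", "64512", "0.64512"):
        asn = parse_asn(text)
        print(f"{text:>10} -> asplain {to_asplain(asn):>10}  asdot {to_asdot(asn):>12}  asdot+ {to_asdot_plus(asn)}")
```

Use `same_asn` when comparing a value from the configuration against the asplain value in `get router info bgp summary` or in route-map AS path output.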

784665

Add option for a FortiGate to use FortiManager as an override server for IoT query services.

config system central-management
    config server-list
        edit 1
            set server-type {iot-query iot-collect}
        next
    end
end

786329

Extend VCI (vendor class identifier) support in DHCP to allow for VCI pattern matching as a condition for IP or DHCP option assignment. This allows the mapping of a single IP address, IP ranges of a pool, and dedicated DHCP options to a specific VCI string.

786559

Add fgFwAuthUserTables table for SNMP to gather information about authenticated users, which are users authenticated by the user authentication methods supported on the FortiGate. This table supports SNMP VDOM access control and OIDs for IPv4 and IPv6 authenticated users.

787019

Perform FortiExtender auto firmware provisioning using CLI commands to allow a federated upgrade of a FortiExtender upon discovery and authorization by the FortiGate. The FortiExtender is upgraded to the latest FortiGuard firmware that matches the FortiOS firmware version of the FortiGate.

787020

Add information and logs to record and trace connection failures to the EMS server.

787021

In an SD-WAN scenario where DSCP tags are used to mark traffic from the branch to the hub, it is sometimes desirable for the hub to mark the reply traffic with the same DSCP tags. A setting has been added to the firewall policy configuration to allow the DSCP tag to be copied to the reply direction.

config firewall policy
    edit <id>
        set diffserv-copy {enable | disable}
    next
end

787477

Ensure that session synchronization happens correctly in the FGCP over FGSP topology.

  1. When the session synchronization filter is applied on FGSP, the filter will only affect sessions synchronized between the FGSP peers.
  2. When virtual clustering is used, sessions synchronized between each virtual cluster can also be synchronized to FGSP peers. The peers' syncvd must all be in the same HA vcluster.

789032

Embed SLA information into ICMP probes, which consists of three parts:

  1. Embed spokes' SLA information (latency, jitter, packet loss) into the ICMP probes that the spokes send to the hub. In turn, the hub will read the embedded ICMP probes to gather SLA information on each overlay from each spoke.

  2. Allow SD-WAN to change the IKE route's priority according to SLA status (within SLA or out of SLA) on IPsec overlays.

  3. Allow a recursively resolved BGP route to inherit the priority from its parent.

By passing SLA information to the hub, the hub can route traffic to the spoke symmetrically based on the overlay that is in SLA on the spoke.

790243

Inline scanning is supported when the FortiGate is licensed with the FortiGuard AI-Based Sandbox Service (FAIS). It works similar to inline scanning for the FortiSandbox appliance, by holding a file up to 50 seconds for the verdict to be returned. Timed out scans can either be set to block, log, or ignore. Inline scanning can be enabled from the GUI on the Cloud Sandbox configuration page.

791091

Add settings to prevent a FortiGate administrator account with a customized access profile from running execute ssh and execute telnet, restricting the use of the FortiGate as a jump host to reach other hosts over SSH and Telnet.

config system accprofile
    edit <name>
        set system-execute-ssh {enable | disable}
        set system-execute-telnet {enable | disable}
    next
end

791129

Add the underlay link cost property to the IPsec VPN tunnel phase 1 configuration and enhance IPsec VPN to exchange the link cost with a remote peer as a private notify payload in the phase 1 negotiation of IKEv1 and IKEv2. This avoids possible health check daemon process load issues and improves scalability in large-scale SD-WAN networks with ADVPN.

config vpn ipsec phase1-interface
    edit <name>
        set link-cost <0 - 255>
    next
end

791732

Allow interface-select-method and interface to be configured for FortiClient EMS Fabric connectors.

792170

The FortiGate explicit web proxy supports the Cross-Origin Resource Sharing (CORS) protocol, which allows the FortiGate to process a CORS preflight request and an actual CORS request properly, in addition to a simple CORS request when using session-based, cookie-enabled, and captive portal-enabled SAML authentication. This allows a FortiGate explicit web proxy user with this specific configuration to properly view a web page requiring CORS with domains embedded in it other than its own domain.

793303

Add a system action automation action type to back up the configuration of the FortiGate to the disk revisions, reboot the FortiGate, or shutdown the FortiGate. This action type allows these actions to occur even if the FortiGate is in conserve mode and allows the automation stitch to bypass the CLI user confirmation prompts, which the CLI script action does not support.

config system automation-action
    edit <name>
        set action-type system-actions
        set system-action {reboot | shutdown | backup-config}
    next
end

793304

Enhance the scheduled automation trigger to execute only once at a specific date and time in the future. This trigger may be useful to support one-time automated FortiGate system actions in the future, such as a configuration backup to disk, reboot, or shut down.

config system automation-trigger
    edit <name>
        set trigger-type scheduled
        set trigger-frequency once
        set trigger-datetime <YYYY-MM-DD HH:MM:SS>
    next
end
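The two entries above (793303 and 793304) each show one half of a one-time maintenance stitch. The following is an added example, not configuration from the release notes, that wires a once-only scheduled trigger to a backup-config action and then to a reboot in a single stitch; the object names and the date are placeholders. Both actions are marked required so that the reboot is skipped if the backup fails.

```text
config system automation-trigger
    edit "maint-window-once"
        set trigger-type scheduled
        set trigger-frequency once
        set trigger-datetime "2024-06-30 02:00:00"
    next
end
config system automation-action
    edit "backup-to-disk"
        set action-type system-actions
        set system-action backup-config
    next
    edit "reboot-fgt"
        set action-type system-actions
        set system-action reboot
    next
end
config system automation-stitch
    edit "one-time-backup-and-reboot"
        set trigger "maint-window-once"
        config actions
            edit 1
                set action "backup-to-disk"
                set required enable
            next
            edit 2
                set action "reboot-fgt"
                set required enable
            next
        end
    next
end
```

Because system actions bypass the CLI confirmation prompts, review who can edit automation stitches in the access profile before relying on this for production devices.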

794494

Proxy auto-config (PAC) files can be downloaded for an explicit proxy through the FortiGate's captive portal using HTTPS to ensure a secure download.

795820

Support Layer 3 roaming between different VLANs and subnets on the same or different wireless controller for bridge mode SSIDs. A client connected to the bridge mode SSID on one FortiAP can roam to the same SSID on another FortiAP managed by the same or different FortiGate wireless controller and continue to use the same IP.

795821

Support WiFi 6 Release 2 security enhancements by adding support for Hash-to-Element (H2E) only and Simultaneous Authentication of Equals Public Key (SAE-PK) for FortiAP models that support WPA3-SAE security modes.

config wireless-controller vap
    edit <name>
        set ssid <ssid>
        set security wpa3-sae
        set sae-h2e-only {enable | disable}
    next
end
config wireless-controller vap
    edit <name>
        set ssid <ssid>
        set security wpa3-sae
        set sae-pk {enable | disable}
        set sae-private-key <private_key>
    next
end

795822

Enhance the FortiGate ZTNA access proxy to act as an inline cloud access security broker (CASB) by providing access control to software as a service (SaaS) traffic using ZTNA access control rules. This enhancement introduces a new FortiGuard Inline CASB Database (ICDB) that includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient. The inline CASB feature is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.

Previously, ZTNA SaaS access control was possible using the TCP forwarding access proxy configuration on FortiGate and FortiClient:

  • On the FortiGate, users would need to search all hostnames used by a SaaS application, configure these hostnames as FQDN addresses, and configure these addresses as part of the ZTNA TCP forwarding settings.
  • In FortiClient, users would need to manually add all the hostnames as destinations for ZTNA connection rules or use FortiClient EMS to push those rules to FortiClient.

With this enhancement and service, users can configure the ZTNA access proxy with a new SaaS proxy access type and specify SaaS application destinations by application name or application group name, without searching for and entering the FQDNs of each SaaS application. Currently, CLI commands must be used for the configuration: SaaS destinations are defined as SaaS-type entries under config firewall proxy-address, which can then be referenced in config firewall proxy-policy. The FortiGate traffic log has been enhanced with a new log field, saasname.

Support for this feature will be available in a future version of FortiClient and FortiClient EMS.

796798

Support wireless controller VAP set rates-11ac-mcs-map and set rates-11ax-mcs-map commands to configure 802.11ac and 802.11ax Modulation and Coding Scheme (MCS) rates. These commands replace the set rates-11ac-ss12, set rates-11ac-ss34, set rates-11ax-ss12, and set rates-11ax-ss34 VAP commands.

796961

Add attribute under config switch-controller igmp-snooping to configure the query-interval under FortiLink, and add a check to ensure the query-interval is less than the aging-time interval.

797054

When backing up a configuration for troubleshooting by a third party, it is helpful to sanitize the configuration file so that passwords and secrets are not leaked. To streamline this process, the Password mask option on the Backup System Configuration page obfuscates passwords and secrets during the backup process. This can also be accomplished from the CLI by running:

# execute backup obfuscated-config {flash | ftp | management-station | sftp | tftp | usb}
# execute backup obfuscated-full-config {ftp | sftp | tftp | usb}
# execute backup obfuscated-yaml-config {ftp | tftp}
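Before an obfuscated backup leaves your hands it is worth a second pass to confirm that every credential-bearing attribute really carries a mask and nothing else. The scanner below is an added example, not code from the release notes or from Fortinet. The list of credential attribute names and the mask form it expects (a run of asterisks, with or without the ENC prefix) are assumptions; adjust both to what your FortiOS build emits. The configuration fragment it runs over is constructed.

```python
"""Check a FortiGate configuration backup for secrets that were not masked.

Added example, not Fortinet code. Flags every `set <attribute> <value>`
line whose attribute normally carries a credential and whose value is not
a mask. SECRET_ATTRS and the mask pattern are assumptions for this example.
"""
import re
from typing import Iterator, Tuple

# Attribute names that carry credentials in a FortiOS config (assumed list).
SECRET_ATTRS = {
    "password", "passwd", "psksecret", "secret", "secondary-secret",
    "tertiary-secret", "private-key", "key", "auth-pwd", "priv-pwd",
    "api-key", "access-key", "secret-key", "ppk-secret", "login-passwd",
}

_SET_RE = re.compile(r'^\s*set\s+(?P<attr>[\w-]+)\s+(?P<value>.+?)\s*$')
_MASK_RE = re.compile(r'^"?\*+"?$')  # assumed mask form: one or more asterisks


def _is_masked(value: str) -> bool:
    """A masked value is asterisks only, optionally behind FortiOS's `ENC ` prefix."""
    if value.startswith("ENC "):
        return _MASK_RE.match(value[4:]) is not None
    return _MASK_RE.match(value) is not None


def find_unmasked_secrets(config_text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_number, attribute, value) for every credential not masked.

    `ENC <blob>` values count as unmasked: the blob is still the credential,
    only encrypted under the device key.
    """
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _SET_RE.match(line)
        if not m:
            continue
        attr, value = m.group("attr"), m.group("value")
        if attr in SECRET_ATTRS and not _is_masked(value):
            yield lineno, attr, value


def is_safe_to_share(config_text: str) -> bool:
    """True when no credential-bearing attribute still carries a value."""
    return next(find_unmasked_secrets(config_text), None) is None


# Constructed sample: a backup fragment in which one secret escaped masking.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC ********
    next
end
config vpn ipsec phase1-interface
    edit "hub-1"
        set psksecret ENC ********
    next
end
config user radius
    edit "corp-radius"
        set server "10.0.0.5"
        set secret ENC AbCdEf0123456789AbCdEf0123456789
    next
end
"""

if __name__ == "__main__":
    for lineno, attr, value in find_unmasked_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: '{attr}' still carries a value: {value[:16]}...")
    print("safe to share" if is_safe_to_share(SAMPLE_CONFIG) else "NOT safe to share")
```

Run it as `python check_backup.py < backup.conf` after replacing `SAMPLE_CONFIG` with `sys.stdin.read()`; a non-empty report means the file needs another look before it goes out.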

798310

In addition to per-tunnel IPsec failover for FGSP peers, FGCP over FGSP is also supported. For additional redundancy, an FGCP cluster on one site may form FGSP peering with FGCP clusters on other sites. The FGCP over FGSP peers can still synchronize IPsec SAs and act as the primary gateway for individual tunnels for the same dialup servers. When failover happens within an FGCP cluster, tunnel traffic will fail over to the other FGCP cluster member. When an FGCP cluster fails, tunnel traffic will fail over to the other FGSP peer.

798773

Add options in IPv6 static and policy routes for parity with IPv4 static and policy routes.

799621

Support wireless authentication using SAML and a captive portal configured on a tunnel mode SSID.

When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. When configured with both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IdP and a firewall policy with the SAML user group applied to allow authenticated traffic, upon connecting to this SSID, wireless clients will be redirected to a login page for wireless authentication using SAML.

799971

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled under the user ldap object definition. This enhancement reduces the number of AD users returned by allowing a group filter so that only users who meet the filter criteria are synchronized.

config user ldap
    edit <name>
        set dn <string> 
        set two-factor {disable | fortitoken-cloud}
        set two-factor-filter <string> 
    next
end

799987

Add support for multitenant FortiClient EMS deployments that have the Manage Multiple Customer Sites setting enabled with multiple sites. Since a FortiClient EMS site is no longer unique using its serial number alone, the FortiGate configuration for FortiClient EMS connectors and related diagnostic commands have been enhanced to distinguish EMS sites using serial number and tenant ID:

  • Update config endpoint-control fctems to predefine five FortiClient EMS Fabric connectors that are referred to by numerical IDs from 1 to 5. Administrators can configure the status and name settings, and display the tenant ID retrieved from FortiClient EMS sites that have Manage Multiple Customer Sites enabled.

    A single tenant EMS server or the default site on a multitenant EMS server has a tenant ID consisting of all zeros (00000000000000000000000000000000).

  • Update the FortiClient EMS Fabric connector to retrieve specific ZTNA tags from each configured FortiClient EMS site.

  • Update diagnose endpoint record list to return the EMS tenant id field retrieved from each respective FortiClient EMS server.

  • Update ZTNA and EMS debug commands to accept the EMS serial number and tenant ID as parameters.

    # diagnose endpoint lls-comm send ztna find-uid <uid> <EMS_serial_number> <EMS_tenant_id>
    # diagnose wad dev query-by uid <uid> <EMS_serial_number> <EMS_tenant_id>

  • FortiClient 7.0.3 and later is required to use this feature.

801700

Add option to enable automatic firmware updates based on the FortiGuard upgrade path. When enabled, the FortiGate will look for an upgrade path and perform an upgrade at a time within the time period specified by the administrator. The upgrade will only be performed on a patch within the same major release version.

config system fortiguard
    set auto-firmware-upgrade {enable | disable}
    set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}
    set auto-firmware-upgrade-start-hour <integer>
    set auto-firmware-upgrade-end-hour <integer>
end

801701

Certain unused WAD proxy processes are not started by default on FortiGate models with 2 GB of RAM or less, to reduce memory usage. These processes only start when the relevant proxy features are configured.

801707

During FGSP per-tunnel failover for IPsec, the same IPsec dialup server configured on each FGSP member may establish tunnels with dialup clients as the primary gateway. The IPsec SAs are synchronized to all other FGSP peers that have FGSP synchronization for IPsec enabled. Other FGSP members may establish a tunnel with other clients on the same dialup server and synchronize their SAs to other peers.

Upon the failure of the FGSP member that is the primary gateway for a tunnel, the upstream router will fail over the tunnel traffic to another FGSP member. The other FGSP member will move from standby to the primary gateway for that tunnel and continue to forward traffic.

config vpn ipsec phase1-interface
    edit <name>
        set fgsp-sync {enable | disable}
    next
end

801708

In conjunction with support for FGSP per-tunnel failover for IPsec, configuring DPD (dead peer detection) on an FGSP member is now permitted. This allows a failed FGSP member to send out DPD probes during failover to detect the unreachable remote peer and flush the corresponding tunnels.

802702

When local-out traffic such as SD-WAN health checks, SNMP, syslog, and so on are initiated from an interface on one VRF and then pass through interfaces on another VRF, the reply traffic will be successfully forwarded back to the original VRF.

802785

Add the ability to toggle 802.11d support for 2.4 GHz radios using a FortiAP profile. 802.11d only applies to the 802.11g band (2.4 GHz band). By default, this option is always enabled. When 802.11d is enabled, the FortiAPs broadcast the country code in beacons, probe requests, and probe responses. The ability to disable 802.11d on the FortiAPs provides backwards compatibility with old or legacy Wi-Fi clients in the 802.11g band (2.4 GHz band) that failed to associate to a FortiAP with 802.11d enabled.

803326

Vendor-Specific Attributes (VSAs) can be used with TACACS authentication and authorization for wildcard system administrator access to FortiGates from browsers and SSH. The new VSAs allow the FortiGate to perform group matching and to overwrite VDOM settings under system admin.

803336

Add option for private key retention during SCEP renewal.

config vpn certificate local
    edit <name>
        set enroll-protocol scep
        set private-key-retain {enable | disable}
    next
end

805611

Support custom replacement message groups for each ZTNA virtual host. The %%ZTNA_DETAIL_TAG%% variable can be used in replacement messages.

config firewall access-proxy-virtual-host
    edit <name>
        set host <string>
        set replacemsg-group <string>
    next
end

805870

Add a setting to require a ZTNA trusted client before a user can establish an SSL VPN tunnel when connecting to the FortiGate SSL VPN in tunnel mode with a device certificate issued by EMS.

config vpn ssl setting
    set ztna-trusted-client {enable | disable}
end

805871

Add support in Azure FG-VM to generate a unique vWAN cluster/group ID and display a line with the Azure NVA name and the generated cluster/group ID in get system status. This line is only displayed for FortiGate instances that are NVA VMs. FortiManager uses the cluster/group ID to display FortiGate VM instances from the same vWAN as a group.

805872

Allow FortiManager to apply a license to a BYOL FortiGate VM instance. For example, when launching a BYOL FortiGate VM on Azure, the FortiGate receives a serial number with the FGVMEV prefix and a VM license with an invalid status by default. This unlicensed FortiGate VM can register to a FortiManager for authorization and management. Subsequently, the FortiManager can apply a VM license to the FortiGate VM instance.

806166

Add NetFlow support on EMAC VLAN interface.

806628

Add an endpoint to return the HA non-synchronized checksum. The HA checksum calculation module has a new parameter to switch between the regular checksum calculation and the non-synchronized checksum calculation.

# diagnose sys ha checksum show-nonsync [global | vdom_name]

806993

Enhance the ZTNA access proxy to classify a client device that does not have FortiClient installed: a mobile device is considered unmanageable and is tagged ems-tag-unmanageable, and a non-mobile device is considered unknown and is tagged ems-tag-unknown. The FortiGate WAD process makes this determination either by matching the device's TLS fingerprint against a library or by learning from the HTTP User-Agent header when the set user-agent-detect setting is enabled. These new tags allow ZTNA access control of unmanaged devices using config firewall proxy-policy. The set empty-cert-action setting also gains an accept-unmanageable option, which allows unmanageable clients to continue ZTNA proxy rule processing.

807431

In proxy mode antivirus profiles, add option under HTTP to customize the action for files with unknown content encoding (default = block).

config antivirus profile
    edit <name>
        set feature-set proxy
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end

809701

Support auto revision backup on FortiSwitch upon log out or firmware upgrade in FortiLink mode (both settings are disabled by default).

config switch-controller switch-profile
    edit <name>
        set revision-backup-on-logout {enable | disable}
        set revision-backup-on-upgrade {enable | disable}
    next
end

812209

This enhancement builds on the AWS SDN connector, which uses the AWS security token service (STS) to connect to multiple AWS accounts concurrently. To enhance security, the SDN connector supports the use of an External ID, which allows the target account owner to permit the role to be assumed by the source account only under specific circumstances.
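The External ID closes the confused-deputy gap in cross-account role assumption: the role in the target account is configured to be assumable by the connector's source account only when that exact ID is presented in the AssumeRole call. The trust policy below is an added example, not text from the release notes; the account ID, role name and the ID value are placeholders, and the ID should be a long random value unique to this customer rather than anything guessable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFortiGateSDNConnectorWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/fortigate-sdn-connector"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE-WITH-A-LONG-RANDOM-VALUE"
        }
      }
    }
  ]
}
```

The same value is entered in the SDN connector's External ID field on the FortiGate; without the Condition block, any principal that the source account's policies let call AssumeRole on this role could read the target account's inventory.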

813346

Improve GTPv2 message filtering to include all GTPv2 message types, based on 3GPP TS 29.274. Also, by adding message types UE Registration Query request (61) and UE Registration Query response (62), FortiOS Carrier can now filter all GTPv0 and GTPv1 message types based on 3GPP release 3GPP TS 29.060.

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

535099

When editing an SSID interface within WiFi & Switch Controller > SSIDs, an address group containing wireless clients' MAC addresses and an address group policy (disable, allow, or deny) can be configured for the client MAC address filtering feature.

652281

Certain unused WAD proxy processes are not started by default on FortiGate models with 2 GB of RAM or less to reduce memory usage. These process will only start when relevant proxy features are configured.

688237

Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged into an SFP port.

The management of the DSL transceiver includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrade of the module, and reset the module. The following VDSL profiles are supported: 8a, 8b, 8c, 8d, 12a, 12b, 17a, and 30a.

Supported platforms: FG-80F, FG-81F, FG-80F-BP, FGR-60F, and FGR-60F_3G4G.

735929

Add REST API in both FortiNAC and FortiGate that is used by FortiNAC to send user logon/logoff information to the FortiGate. A new dynamic firewall address type (FortiNAC tag) is added to FortiOS, which is used to store the device IP, FortiNAC firewall tags, and FortiNAC group information sent from FortiNAC via the REST API when user logon/logoff events are registered.

The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated. For upgrade support, the FSSO FortiNAC user type can still be configured from the CLI.

739174

For a FortiGate with a valid Security Rating license, the separate Security Rating package downloaded from FortiGuard adds support for PSIRT vulnerabilities, which allows the security rating result to highlight them. If the security rating result highlights a vulnerability with a critical severity, then the FortiGate GUI displays a new warning message in the header and a new notification under the bell icon. Both GUI enhancements link to the System > Fabric Management page to encourage updating any affected Fortinet Fabric devices to the latest firmware releases to resolve the critical vulnerabilities.

A new View Vulnerability link in the header is visible for global administrators, and a new tooltip for the critical vulnerability label on the System > Fabric Management page both link to the Security Rating page and highlight the critical vulnerability. On the Security Rating page, the search bar supports using the PSIRT keyword to filter for PSIRT vulnerabilities, and the security panel provides a link to the System > Fabric Management page when a PSIRT vulnerability is selected.

739182

Allow FortiClients to learn the available ZTNA services from the FortiGate ZTNA portal. The services that can be learned include HTTP/HTTPS web services, TCP forwarding services, and web portals. The FortiClient must connect to the FortiGate using a DoT or DoH tunnel. Then, it can retrieve the service mapping in JSON format.

743804

Add a RADIUS option to allow the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

745135

Provide three sizes of the internet service database and an option to choose between the full, standard, and mini databases. Only FortiGate 30 and 50 series models can select the mini database.

config system global
    set internet-service-database {mini | standard | full}
end

750320

Add a command to add ZTNA virtual hosts and domains to the FortiGate's local DNS database. Each virtual host and domain is mapped to the VIP defined for the corresponding access proxy. Each virtual host can only be used in one access proxy.

config firewall access-proxy
    edit <name>
        set add-vhost-domain-to-dnsdb {enable | disable}
    next
end

753742

Improve the Security Fabric backend so that physical topology, logical topology, and security rating report information is gathered in a distributed way by each downstream FortiGate device. This reduces delays and memory usage on the Fabric root and requires fewer API calls to the downstream devices.

760932

The SAP external Fabric connector allows the FortiGate to connect to an SAP controller and synchronize dynamic address objects and ports for SAP workloads. These address objects can be used in firewall policies to control access to dynamic SAP workloads.

764957

Add an automation trigger for certificate expiry by introducing the local-certificate-near-expiry event type, which fires when a user-supplied local certificate used for SSL VPN, deep inspection, or another purpose is about to expire. The trigger uses the certificate expiry warning threshold configured under the VPN certificate settings:

config vpn certificate setting
    set cert-expire-warning <integer>
end

Where <integer> is the certificate log expiring warning threshold, in days (0 - 100, default = 14).

The local certificate expiry trigger can be used with an email notification action, for example, to remind an administrator to re-sign or load a new local certificate to avoid any service interruptions.

766158

In a video filter profile, when the FortiGuard category-based filter and the YouTube channel override are used together, a video is blocked by default if it matches either a category or a YouTube channel whose action is set to block. This enhancement lets the channel action override the category action: a category can be blocked while specific channels in that category are allowed when the override-category option is enabled.

773555

Add option to push updates to external threat feeds through the REST API. When configuring a FortiGuard Category, Malware Hash, IP Address, or Domain Name threat feed from the Security Fabric > External Connectors page, select the Push API update method to provide the code samples needed to perform add, remove, and snapshot operations.
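The following is an added example and is not FortiOS code or one of the samples the External Connectors page generates. The REST endpoint path and the JSON body shape are assumptions (take the exact form from the samples the GUI shows for the feed); the feed names, entries and hashes are constructed. What the example adds is local validation of every entry against the feed type (IP Address, Malware Hash, Domain Name) before an add, remove, or snapshot update is sent, so a malformed indicator is caught on the operator's side rather than on the FortiGate.

```python
"""Build (and optionally send) a push update for a FortiGate external threat feed.

Added example, not FortiOS code. PUSH_PATH and the body layout are assumptions;
use the code samples shown in the GUI for the real values.
"""
import ipaddress
import json
import re
import ssl
import urllib.request
from typing import List

# Assumed endpoint; confirm against the GUI-provided samples.
PUSH_PATH = "/api/v2/monitor/system/external-resource/dynamic"
COMMANDS = ("add", "remove", "snapshot")   # snapshot replaces the whole feed content

_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_ip_entry(entry: str) -> bool:
    """Single address, CIDR prefix, or 'start-end' range of the same IP version."""
    try:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            return start.version == end.version and start <= end
        if "/" in entry:
            ipaddress.ip_network(entry, strict=False)
        else:
            ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def valid_hash_entry(entry: str) -> bool:
    """MD5, SHA-1 or SHA-256 hex digest."""
    return len(entry) in _HASH_LENGTHS and bool(_HEX.match(entry))


def valid_domain_entry(entry: str) -> bool:
    """Hostname made of valid DNS labels (trailing dot tolerated)."""
    name = entry.rstrip(".")
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


VALIDATORS = {"ip": valid_ip_entry, "malware": valid_hash_entry, "domain": valid_domain_entry}


def build_push_body(feed_name: str, command: str, entries: List[str], feed_type: str) -> dict:
    """Return the JSON body for one push update, or raise ValueError on bad input."""
    if command not in COMMANDS:
        raise ValueError(f"command must be one of {COMMANDS}: {command!r}")
    check = VALIDATORS[feed_type]
    bad = [e for e in entries if not check(e)]
    if bad:
        raise ValueError(f"invalid {feed_type} entries: {bad}")
    if command != "snapshot" and not entries:
        raise ValueError(f"{command} needs at least one entry")
    return {"name": feed_name, "command": command, "resource": list(entries)}


def send_push(host: str, token: str, body: dict, verify_tls: bool = True) -> bytes:
    """POST the body with a REST API token (not executed by the demo below)."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # lab use only; keep verification on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{PUSH_PATH}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample data; the hash is MD5 of an empty string, not a real indicator.
    print(json.dumps(build_push_body(
        "blocklist-ips", "add",
        ["203.0.113.7", "198.51.100.0/24", "2001:db8::1-2001:db8::ff"], "ip")))
    print(json.dumps(build_push_body(
        "blocklist-hashes", "snapshot", ["d41d8cd98f00b204e9800998ecf8427e"], "malware")))
```

A snapshot with an empty resource list is accepted by the builder because it is a legitimate way to clear a feed; add and remove without entries are rejected as operator mistakes.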

775285

Enhance LAN extension on the FortiGate to allow a remote FortiGate (the FortiGate Connector) to provide remote connectivity back to a central FortiGate (the FortiGate Controller) over a backhaul connection. A FortiGate deployed at a remote location discovers the FortiGate Controller and forms an IPsec tunnel (or multiple tunnels when the FortiGate Connector has multiple links) back to the FortiGate Controller. A VXLAN is established over the IPsec tunnels to create an L2 network between the FortiGate Controller and the network behind the FortiGate Connector.

775287

Allow an administrator to deregister a FortiGate if the device has been registered for three or more years. After the device is deregistered, all associated contracts are also deregistered.

775288

Enhance IP address management (IPAM) in the GUI and the CLI to allow multiple pools and assign them to different interfaces based on name and/or role using IPAM rules.

In the GUI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM pools can be defined under Network > IPAM > IPAM Settings, and IPAM rules can be defined under Network > IPAM > IPAM Rules.

In the CLI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM pools can be defined as follows where a.b.c.d/x is the IP/netmask of the subnet:

config system ipam
    config pools
        edit <name>
            set subnet <a.b.c.d/x>
        next
    end
end

In the CLI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM rules can be defined as follows (device and interface fields accept * wildcard inputs):

config system ipam
    config rules
        edit <rule_name>
            set device {<FortiGate_serial_number> | *}
            set interface {<name> | *}
            set pool <pool_name>
        next
    end
end

779304

YAML can be selected as file format when backing up or restoring configurations from the GUI.

780993

When registering using FortiCare, users can select a Government end user type for parity with the registration process using the support portal.

784630

Support BGP Autonomous System (AS) numbers as input in the asdot and asdot+ formats from RFC 5396 for the following CLI commands:

  • BGP AS
  • BGP neighbor/neighbor group local AS
  • BGP neighbor/neighbor group remote AS
  • Route map set AS path

get router info bgp summary and other BGP router commands still display AS numbers in asplain format.
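Because the CLI accepts asdot and asdot+ while the show commands print asplain, an operator has to convert between the notations to match a configured AS against the summary output. The following is an added example (not FortiOS code) implementing the three RFC 5396 representations: asplain is the plain decimal value, asdot+ is always <high16>.<low16>, and asdot is asplain below 65536 and asdot+ from 65536 upwards. The AS numbers in the demo are from the documentation ranges and are constructed.

```python
"""AS number formats from RFC 5396: asplain, asdot+ and asdot.

Added example; not FortiOS code. Converts between the notations so that an AS
typed into the CLI in asdot or asdot+ form can be matched against the asplain
value that 'get router info bgp summary' prints.
"""
import re

MAX_ASN = 2**32 - 1                      # 4-byte AS numbers
_DOTTED = re.compile(r"^(\d+)\.(\d+)$")


def to_asplain(text: str) -> int:
    """Parse an AS number written in asplain, asdot or asdot+ notation.

    Dotted input is <high16>.<low16>; plain input is a decimal integer.
    Raises ValueError for anything outside the 32-bit range.
    """
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted parts must be 0-65535: {text!r}")
        return (high << 16) | low
    if not text.isdigit():
        raise ValueError(f"not an AS number: {text!r}")
    asn = int(text)
    if asn > MAX_ASN:
        raise ValueError(f"AS number exceeds 32 bits: {asn}")
    return asn


def _check(asn: int) -> None:
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"AS number out of range: {asn}")


def to_asdot_plus(asn: int) -> str:
    """asdot+: always <high16>.<low16>, e.g. 64496 -> '0.64496', 65536 -> '1.0'."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """asdot: asplain below 65536, asdot+ from 65536 upwards."""
    _check(asn)
    return str(asn) if asn < 65536 else to_asdot_plus(asn)


def same_as(a: str, b: str) -> bool:
    """True when two AS numbers written in any notation denote the same AS."""
    return to_asplain(a) == to_asplain(b)


if __name__ == "__main__":
    # Constructed inputs: a 2-byte AS in both notations and a 4-byte private AS.
    for shown in ("64496", "0.64496", "1.0", "64086.59904", "4200000000"):
        asn = to_asplain(shown)
        print(f"{shown:>12} -> asplain {asn:<10} asdot {to_asdot(asn):<12} asdot+ {to_asdot_plus(asn)}")
```

Note that a 2-byte AS such as 64496 is written "0.64496" in asdot+ but "64496" in asdot, so a comparison should always go through the asplain integer, as same_as does.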

784665

Add option for a FortiGate to use FortiManager as an override server for IoT query services.

config system central-management
    config server-list
        edit 1
            set server-type {iot-query iot-collect}
        next
    end
end

786329

Extend VCI (vendor class identifier) support in DHCP to allow for VCI pattern matching as a condition for IP or DHCP option assignment. This allows the mapping of a single IP address, IP ranges of a pool, and dedicated DHCP options to a specific VCI string.

786559

Add fgFwAuthUserTables table for SNMP to gather information about authenticated users, which are users authenticated by the user authentication methods supported on the FortiGate. This table supports SNMP VDOM access control and OIDs for IPv4 and IPv6 authenticated users.

787019

Perform FortiExtender auto firmware provisioning using CLI commands to allow a federated upgrade of a FortiExtender upon discovery and authorization by the FortiGate. The FortiExtender is upgraded to the FortiExtender firmware version from FortiGuard that matches the running FortiOS firmware version.

787020

Add information and logs to record and trace connection failures to the EMS server.

787021

In an SD-WAN scenario where DSCP tags are used to mark traffic from the branch to the hub, it is sometimes desirable for the hub to mark the reply traffic with the same DSCP tags. A firewall policy setting has been added to allow the DSCP tag to be copied to the reply direction.

config firewall policy
    edit <id>
        set diffserv-copy {enable | disable}
    next
end

787477

Ensure that session synchronization happens correctly in the FGCP over FGSP topology.

  1. When the session synchronization filter is applied on FGSP, the filter will only affect sessions synchronized between the FGSP peers.
  2. When virtual clustering is used, sessions synchronized between each virtual cluster can also be synchronized to FGSP peers. The peers' syncvd must all be in the same HA vcluster.

789032

Embed SLA information into ICMP probes, which consists of three parts:

  1. Embed spokes' SLA information (latency, jitter, packet loss) into the ICMP probes that the spokes send to the hub. In turn, the hub will read the embedded ICMP probes to gather SLA information on each overlay from each spoke.

  2. Allow SD-WAN to change the IKE route's priority according to SLA status (within SLA or out of SLA) on IPsec overlays.

  3. Allow a recursively resolved BGP route to inherit the priority from its parent.

By passing SLA information to the hub, the hub can route traffic to the spoke symmetrically based on the overlay that is in SLA on the spoke.

790243

Inline scanning is supported when the FortiGate is licensed for the FortiGuard AI-Based Sandbox Service (FAIS). It works like inline scanning with a FortiSandbox appliance: a file is held for up to 50 seconds while the verdict is returned. The action for scans that time out can be set to block, log, or ignore. Inline scanning can be enabled from the GUI on the Cloud Sandbox configuration page.

791091

Add settings to prevent a FortiGate administrator account with a customized access profile from running execute ssh and execute telnet, so that the FortiGate cannot be used as a jump host to reach other hosts over SSH or Telnet.

config system accprofile
    edit <name>
        set system-execute-ssh {enable | disable}
        set system-execute-telnet {enable | disable}
    next
end

791129

Add the underlay link cost property to the IPsec VPN tunnel phase 1 configuration, and enhance IPsec VPN to exchange the link cost with the remote peer as a private notify payload during the phase 1 negotiation of IKEv1 and IKEv2. This avoids possible health check daemon load issues and improves scalability in large-scale SD-WAN networks with ADVPN.

config vpn ipsec phase1-interface
    edit <name>
        set link-cost <0 - 255>
    next
end

791732

Allow interface-select-method and interface to be configured for FortiClient EMS Fabric connectors.

792170

The FortiGate explicit web proxy supports the Cross-Origin Resource Sharing (CORS) protocol. In addition to simple CORS requests, the FortiGate now correctly processes CORS preflight requests and the actual CORS requests that follow them when session-based, cookie-enabled, captive portal-enabled SAML authentication is used. An explicit web proxy user with this configuration can therefore view a web page that embeds resources from domains other than its own.

793303

Add a system action automation action type to back up the FortiGate configuration to the disk revisions, reboot the FortiGate, or shut down the FortiGate. These actions run even when the FortiGate is in conserve mode, and the automation stitch bypasses the CLI user confirmation prompts, which the CLI script action does not support.

config system automation-action
    edit <name>
        set action-type system-actions
        set system-action {reboot | shutdown | backup-config}
    next
end

793304

Enhance the scheduled automation trigger so that it can execute only once, at a specific date and time in the future. This is useful for one-time automated system actions such as a configuration backup to disk, a reboot, or a shutdown.

config system automation-trigger
    edit <name>
        set trigger-type scheduled
        set trigger-frequency once
        set trigger-datetime <YYYY-MM-DD HH:MM:SS>
    next
end

794494

Proxy auto-config (PAC) files can be downloaded for an explicit proxy through the FortiGate's captive portal using HTTPS to ensure a secure download.

795820

Support Layer 3 roaming between different VLANs and subnets on the same or different wireless controller for bridge mode SSIDs. A client connected to the bridge mode SSID on one FortiAP can roam to the same SSID on another FortiAP managed by the same or different FortiGate wireless controller and continue to use the same IP.

795821

Support WiFi 6 Release 2 security enhancements by adding support for Hash-to-Element (H2E) only and Simultaneous Authentication of Equals Public Key (SAE-PK) for FortiAP models that support WPA3-SAE security modes.

config wireless-controller vap
    edit <name>
        set ssid <ssid>
        set security wpa3-sae
        set sae-h2e-only {enable | disable}
    next
end
config wireless-controller vap
    edit <name>
        set ssid <ssid>
        set security wpa3-sae
        set sae-pk {enable | disable}
        set sae-private-key <private_key>
    next
end

795822

Enhance the FortiGate ZTNA access proxy to act as an inline cloud access security broker (CASB) by providing access control to software as a service (SaaS) traffic using ZTNA access control rules. This enhancement introduces a new FortiGuard Inline CASB Database (ICDB) that includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient. The inline CASB feature is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.

Previously, ZTNA SaaS access control was possible using the TCP forwarding access proxy configuration on FortiGate and FortiClient:

  • On the FortiGate, users would need to search all hostnames used by a SaaS application, configure these hostnames as FQDN addresses, and configure these addresses as part of the ZTNA TCP forwarding settings.
  • In FortiClient, users would need to manually add all the hostnames as destinations for ZTNA connection rules or use FortiClient EMS to push those rules to FortiClient.

With this enhancement and service, users can configure the ZTNA access proxy with a new SaaS proxy access type and conveniently specify SaaS application destinations by application name or by application group name without needing to manually search for and enter FQDNs specific to each SaaS application. Currently, CLI commands must be used for the configuration. Users can configure the SaaS application destination by adding support for SaaS in config firewall proxy-address, which can be used in config firewall proxy-policy. The FortiGate traffic log has been enhanced with a new log field, saasname.

Support for this feature will be available in a future version of FortiClient and FortiClient EMS.

796798

Support wireless controller VAP set rates-11ac-mcs-map and set rates-11ax-mcs-map commands to configure 802.11ac and 802.11ax Modulation and Coding Scheme (MCS) rates. These commands replace the set rates-11ac-ss12, set rates-11ac-ss34, set rates-11ax-ss12, and set rates-11ax-ss34 VAP commands.

796961

Add attribute under config switch-controller igmp-snooping to configure the query-interval under FortiLink, and add a check to ensure the query-interval is less than the aging-time interval.

797054

When backing up a configuration for troubleshooting by a third party, it is helpful to sanitize the configuration file so that passwords and secrets are not leaked. To streamline this process, the Password mask option on the Backup System Configuration page obfuscates passwords and secrets during the backup. The same can be done from the CLI by running:

# execute backup obfuscated-config {flash | ftp | management-station | sftp | tftp | usb}
# execute backup obfuscated-full-config {ftp | sftp | tftp | usb}
# execute backup obfuscated-yaml-config {ftp | tftp}
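Before a backup leaves the organization it is worth confirming that nothing sensitive survived, whatever tool produced it. The following is an added example, not FortiOS code and not a description of how the obfuscated backup commands above work internally: it scans a configuration backup for set lines whose value is an ENC blob (a credential the FortiGate stored in encrypted form, which is still a credential) or whose key normally carries a secret, and produces a masked copy. The key list, the mask token and the sample configuration are constructed for illustration and are not exhaustive.

```python
"""Scan a FortiOS configuration backup for credentials that are still present.

Added example, not FortiOS code. SECRET_KEYS, MASK and SAMPLE_BACKUP are
constructed for illustration; extend the key list for your own configuration.
"""
import re
from typing import List, Tuple

SECRET_KEYS = {
    "password", "passwd", "psksecret", "secret", "private-key", "key",
    "auth-pwd", "priv-pwd", "passphrase", "api-key",
}
MASK = "XXXXXX"
# "<indent>set <key> <value>" with trailing whitespace dropped from the value
_SET_LINE = re.compile(r"^(\s*set\s+)(\S+)(\s+)(.*?)\s*$")

# Constructed sample; the ENC blobs are placeholders, not real FortiGate output.
SAMPLE_BACKUP = """\
config system admin
    edit "admin"
        set password ENC AK1Sample+Only/NotARealBlob==
    next
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set remote-gw 203.0.113.10
        set psksecret ENC SampleOnlyNotReal==
    next
end
config user radius
    edit "corp-radius"
        set server "10.0.0.5"
        set secret ENC SampleOnlyNotReal==
    next
end
"""


def is_secret(key: str, value: str) -> bool:
    """A value is a secret if it is ENC-encoded or its key is a known secret key."""
    return value.startswith("ENC ") or key.lower() in SECRET_KEYS


def find_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for every unmasked secret in the backup."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _SET_LINE.match(line)
        if m and is_secret(m.group(2), m.group(4)) and m.group(4) != MASK:
            hits.append((n, m.group(2)))
    return hits


def mask_secrets(text: str) -> str:
    """Copy of the backup with every secret value replaced by MASK."""
    out = []
    for line in text.splitlines():
        m = _SET_LINE.match(line)
        if m and is_secret(m.group(2), m.group(4)):
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{MASK}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, key in find_secrets(SAMPLE_BACKUP):
        print(f"line {lineno}: unmasked value for '{key}'")
    print(mask_secrets(SAMPLE_BACKUP))
```

A masked file is for sharing only; keep the unmasked backup for restores, since a configuration with placeholder secrets cannot be loaded back usefully.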

798310

In addition to per-tunnel IPsec failover for FGSP peers, FGCP over FGSP is also supported. For additional redundancy, an FGCP cluster on one site may form FGSP peering with FGCP clusters on other sites. The FGCP over FGSP peers can still synchronize IPsec SAs and act as the primary gateway for individual tunnels for the same dialup servers. When failover happens within an FGCP cluster, tunnel traffic will fail over to the other FGCP cluster member. When an FGCP cluster fails, tunnel traffic will fail over to the other FGSP peer.

798773

Add options in IPv6 static and policy routes for parity with IPv4 static and policy routes.

799621

Support wireless authentication using SAML and a captive portal configured on a tunnel mode SSID.

When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. When configured with both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IdP and a firewall policy with the SAML user group applied to allow authenticated traffic, upon connecting to this SSID, wireless clients will be redirected to a login page for wireless authentication using SAML.

799971

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled in the user ldap object definition. This enhancement reduces the number of AD users returned by allowing a group filter, so that only users who match the filter are synchronized.

config user ldap
    edit <name>
        set dn <string> 
        set two-factor {disable | fortitoken-cloud}
        set two-factor-filter <string> 
    next
end

799987

Add support for multitenant FortiClient EMS deployments that have the Manage Multiple Customer Sites setting enabled with multiple sites. Since a FortiClient EMS site is no longer unique using its serial number alone, the FortiGate configuration for FortiClient EMS connectors and related diagnostic commands have been enhanced to distinguish EMS sites using serial number and tenant ID:

  • Update config endpoint-control fctems to predefine five FortiClient EMS Fabric connectors that are referred to by numerical IDs from 1 to 5. Administrators can configure the status and name settings and display the tenant ID retrieved from FortiClient EMS sites with Manage Multiple Customer Sites enabled.

    A single tenant EMS server or the default site on a multitenant EMS server has a tenant ID consisting of all zeros (00000000000000000000000000000000).

  • Update the FortiClient EMS Fabric connector to retrieve specific ZTNA tags from each configured FortiClient EMS site.

  • Update diagnose endpoint record list to return the EMS tenant id field retrieved from each respective FortiClient EMS server.

  • Update ZTNA and EMS debug commands to accept the EMS serial number and tenant ID as parameters.

    # diagnose endpoint lls-comm send ztna find-uid <uid> <EMS_serial_number> <EMS_tenant_id>
    # diagnose wad dev query-by uid <uid> <EMS_serial_number> <EMS_tenant_id>
  • FortiClient 7.0.3 and later is required to use this feature.

801700

Add an option to enable automatic firmware updates based on the FortiGuard upgrade path. When enabled, the FortiGate looks for an upgrade path and performs the upgrade within the time window specified by the administrator. Only patch releases within the same major release version are installed automatically.

config system fortiguard
    set auto-firmware-upgrade {enable | disable}
    set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}
    set auto-firmware-upgrade-start-hour <integer>
    set auto-firmware-upgrade-end-hour <integer>
end

801701

Certain unused WAD proxy processes are not started by default on FortiGate models with 2 GB of RAM or less to reduce memory usage. These process will only start when relevant proxy features are configured.

801707

During FGSP per-tunnel failover for IPsec, the same IPsec dialup server configured on each FGSP member may establish tunnels with dialup clients as the primary gateway. The IPsec SAs are synchronized to all other FGSP peers that have FGSP synchronization for IPsec enabled. Other FGSP members may establish a tunnel with other clients on the same dialup server and synchronize their SAs to other peers.

Upon the failure of the FGSP member that is the primary gateway for a tunnel, the upstream router will fail over the tunnel traffic to another FGSP member. The other FGSP member will move from standby to the primary gateway for that tunnel and continue to forward traffic.

config vpn ipsec phase1-interface
    edit <name>
        set fgsp-sync {enable | disable}
    next
end

801708

In conjunction with support for FGSP per-tunnel failover for IPsec, configuring DPD (dead peer detection) on an FGSP member is now permitted. This allows a failed FGSP member to send out DPD probes during failover, detect the unreachable remote peer, and flush the corresponding tunnels.

802702

When local-out traffic such as SD-WAN health checks, SNMP, or syslog is initiated from an interface in one VRF and passes through interfaces in another VRF, the reply traffic is forwarded back to the original VRF.

802785

Add the ability to toggle 802.11d support for 2.4 GHz radios in a FortiAP profile. 802.11d applies only to the 2.4 GHz (802.11g) band and is enabled by default. When 802.11d is enabled, the FortiAPs broadcast the country code in beacons, probe requests, and probe responses. Disabling 802.11d provides backwards compatibility with old or legacy 2.4 GHz Wi-Fi clients that fail to associate to a FortiAP with 802.11d enabled.

803326

Vendor-Specific Attributes (VSAs) can be used with TACACS+ authentication and authorization for wildcard system administrator access to FortiGates from browsers and SSH. The new VSAs allow the FortiGate to perform group matching and to overwrite the VDOM settings under config system admin.

803336

Add option for private key retention during SCEP renewal.

config vpn certificate local
    edit <name>
        set enroll-protocol scep
        set private-key-retain {enable | disable}
    next
end

805611

Support custom replacement message groups for each ZTNA virtual host. The %%ZTNA_DETAIL_TAG%% variable can be used in replacement messages.

config firewall access-proxy-virtual-host
    edit <name>
        set host <string>
        set replacemsg-group <string>
    next
end

805870

Add a setting to require a ZTNA trusted client before a user can establish an SSL VPN tunnel when connecting to the FortiGate SSL VPN in tunnel mode with a device certificate issued by EMS.

config vpn ssl setting
    set ztna-trusted-client {enable | disable}
end

805871

Add support in Azure FG-VM to generate a unique vWAN cluster/group ID and display a line with the Azure NVA name and the generated cluster/group ID in get system status. This line is only displayed for FortiGate instances that are NVA VMs. FortiManager uses the cluster/group ID to display FortiGate VM instances from the same vWAN as a group.

805872

Allow FortiManager to apply a license to a BYOL FortiGate VM instance. For example, when launching a BYOL FortiGate VM on Azure, the FortiGate receives a serial number with the FGVMEV prefix and a VM license with an invalid status by default. This unlicensed FortiGate VM can register to a FortiManager for authorization and management. Subsequently, the FortiManager can apply a VM license to the FortiGate VM instance.

806166

Add NetFlow support on EMAC VLAN interface.

806628

Add an endpoint to return the HA non-synchronized checksum. The HA checksum calculation module has a new parameter to switch between the regular checksum calculation and the non-synchronized checksum calculation.

# diagnose sys ha checksum show-nonsync [global | vdom_name]

806993

Enhance the ZTNA access proxy to classify a client device that does not have FortiClient installed: a mobile device is considered unmanageable and is tagged ems-tag-unmanageable, and any other device is considered unknown and is tagged ems-tag-unknown. The FortiGate WAD process does this by matching the device's TLS fingerprint against a library or, if the set user-agent-detect setting is enabled, by learning from the HTTP User-Agent header. These tags allow ZTNA access control of unmanaged devices using config firewall proxy-policy. The set empty-cert-action setting also gains an accept-unmanageable option, which allows unmanageable clients to continue through ZTNA proxy rule processing.

807431

In proxy mode antivirus profiles, add an option under HTTP to customize the action for HTTP responses whose content encoding is unknown (default = block). Keeping block is the safe choice: inspect scans the body as it was received, and bypass forwards it without antivirus inspection.

config antivirus profile
    edit <name>
        set feature-set proxy
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end

809701

Support auto revision backup on FortiSwitch upon log out or firmware upgrade in FortiLink mode (both settings are disabled by default).

config switch-controller switch-profile
    edit <name>
        set revision-backup-on-logout {enable | disable}
        set revision-backup-on-upgrade {enable | disable}
    next
end

812209

This enhancement builds on the AWS SDN connector, which uses the AWS Security Token Service (STS) to connect to multiple AWS accounts concurrently. To enhance security, the SDN connector supports the use of an External ID: the target account owner adds it as a condition on the role's trust policy, so the role can be assumed by the source account only when the caller presents that ID, which protects the role against confused-deputy abuse.
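The target-account side of this arrangement is the IAM role's trust policy. The following is an added example, not part of FortiOS or of the AWS SDN connector: it shows a trust policy without an External ID condition beside the hardened form, and a check that every statement granting sts:AssumeRole carries a StringEquals condition on sts:ExternalId. The account ID, role and External ID values are placeholders.

```python
"""Check that a cross-account IAM role can only be assumed with the expected External ID.

Added example; not FortiOS or AWS SDN connector code. WEAK and HARDENED are
constructed trust policies with placeholder account and External ID values.
"""
from typing import Iterator, List, Optional

SOURCE_ACCOUNT = "111122223333"      # placeholder: account whose credentials the FortiGate uses
EXTERNAL_ID = "fgt-sdn-7c1e9f3a"     # placeholder: the External ID configured on the connector

# Source account may assume the role unconditionally (no External ID check).
WEAK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Same grant, but only when the AssumeRole call carries the agreed External ID.
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}


def _as_list(v) -> list:
    """IAM allows a string or a list in most places; normalize to a list."""
    return v if isinstance(v, list) else [v]


def assume_role_allows(policy: dict) -> Iterator[dict]:
    """Yield every Allow statement that grants sts:AssumeRole (directly or via a wildcard)."""
    for st in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") == "Allow" and any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            yield st


def external_ids_required(statement: dict) -> List[str]:
    """External IDs the statement accepts through StringEquals on sts:ExternalId ([] if none)."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in cond.items():
        if key.lower() == "sts:externalid":
            return _as_list(value)
    return []


def requires_external_id(policy: dict, expected: Optional[str] = None) -> bool:
    """True only if every AssumeRole grant demands an External ID (the expected one, if given).

    A single unconditional grant defeats the control, so all statements are inspected.
    """
    grants = list(assume_role_allows(policy))
    if not grants:
        return False
    for st in grants:
        ids = external_ids_required(st)
        if not ids or (expected is not None and expected not in ids):
            return False
    return True


if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{name}: requires External ID = {requires_external_id(policy, EXTERNAL_ID)}")
```

The check treats the policy as a whole rather than looking for one good statement, because a second statement that allows the principal without the condition grants the same access with none of the protection.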

813346

Improve GTPv2 message filtering to include all GTPv2 message types based on 3GPP TS 29.274. Also, by adding the message types UE Registration Query Request (61) and UE Registration Query Response (62), FortiOS Carrier can now filter all GTPv0 and GTPv1 message types based on 3GPP TS 29.060.