New features or enhancements
More detailed information is available in the New Features Guide.
| Bug ID | Description |
|---|---|
| 596988 | Support automatic vCPU hot add and hot remove to the limit of the license entitlements after activating an S-series license or a FortiFlex license. This enhancement removes the requirement for running the |
| 676463 | The ISDB lookup penalty when revisiting the same resources can be circumvented by enabling the software ISDB cache: `config system settings set internet-service-database-cache {enable \| disable} end` |
| 727383 | Add GUI support for IPv6 addresses in Internet Service Database (ISDB), and allow them to be configured in firewall policies. |
| 750073 | The |
| 753177 | Display IoT devices with known vulnerabilities on the Security Fabric > Asset Identity Center page's Asset list view. Hovering over the vulnerabilities count displays a View IoT Vulnerabilities tooltip, which opens the View IoT Vulnerabilities table that includes the Vulnerability ID, Type, Severity, Reference, Description, and Patch Signature ID. Each entry in the Reference column includes the CVE number and a link to the CVE details. The Security Fabric > Security Rating > Security Posture report includes FortiGuard IoT Detection Subscription and FortiGuard IoT Vulnerability checks. The FortiGuard IoT Detection Subscription rating check will pass if the System > FortiGuard page shows that the IoT Detection Service is licensed. The FortiGuard IoT Vulnerability rating check will fail if any IoT vulnerabilities are found. To detect IoT vulnerabilities, the FortiGate must have a valid IoT Detection Service license, device detection must be configured on a LAN interface used by IoT devices, and a firewall policy with an application control sensor must be configured. |
| 763752 | Add GUI support for |
| 766646 | Enhance the Security Fabric > Fabric Connectors page to show a high-level overview of the Fabric components that are enabled and how they connect to each other. The System > Fabric Management page can be used to register and authorize Security Fabric devices instead of using the Security Fabric network topology gutter, which has been removed from the Security Fabric > Fabric Connectors page. Changes include: |
| 766811 | Add support to allow the SSL VPN client to add source ranges for routing through an SSL interface. `config vpn ssl client edit <name> set ipv4-subnets <subnets> set ipv6-subnets <subnets> next end` `config vpn ssl web portal edit <name> set client-src-range {enable \| disable} set ip-mode {range \| user-group \| dhcp \| no-ip} next end` |
| 767570 | Add the Fabric Overlay Orchestrator, which is an easy-to-use GUI wizard within FortiOS that simplifies the process of configuring a self-orchestrated SD-WAN overlay within a single Security Fabric without requiring additional tools or licensing. Currently, the Fabric Overlay Orchestrator supports a single hub architecture and builds upon an existing Security Fabric configuration. This feature configures the root FortiGate as the SD-WAN overlay hub and configures the downstream FortiGates (first-level children) as the spokes. After configuring the Fabric Overlay, you can proceed to complete the SD-WAN deployment configuration by configuring SD-WAN rules. |
| 768062 | Add support to use FortiMonitor to detect link quality based on sending probes from behind the FortiGate for selected applications to measure additional values, such as network transmit time (NTT), server response time (SRT), and application errors (app_err). `config system sdwan config health-check edit <name> set detect-mode agent-based next end config service edit <id> set agent-exclusive {enable \| disable} next end end` |
| 768458 | Add the ability to perform multi-processing for the wireless daemon (cw_acd) by allowing users to specify the `config wireless-controller global set acd-process-count <integer> end` |
| 768966 | Before this enhancement, certificate-based authentication against Active Directory LDAP (AD LDAP) only supported the UserPrincipalName (UPN) as the unique identifier in the Subject Alternative Name (SAN) field in peer user certificates. This enhancement extends the use case to cover the RFC 822 Name (corporate email address) defined in the SAN extension of the certificate to contain the unique identifier used to match a user in AD LDAP. It also allows the DNS name defined in the user certificate to be used as a unique identifier. |
| 773551 | The antivirus (AV) exempt list allows users to exempt known safe files that happen to be incorrectly classified as malicious by our AV signature and AV engine scan. By configuring an antivirus exempt list in the CLI, users can specify file hashes in MD5, SHA1, or SHA256 for matching. When matched, the FortiGate ignores the AV scan verdict so that the corresponding UTM behavior defined in the AV profile is not performed. The exempt list does not apply to results of outbreak prevention, machine learning, FortiNDR, or FortiSandbox inline scans. |
| 774766 | Add `config system sdn-connector edit <name> set server-cert <remote_certificate> set server-ca-cert <remote_or_CA_certificate> next end` |
| 780571 | Add Logs Sent Daily chart for remote logging sources (FortiAnalyzer, FortiGate Cloud, and FortiAnalyzer Cloud) to the Logging & Analytics Fabric Connector card within the Security Fabric > Fabric Connectors page and to the Dashboard as a widget for a selected remote logging source. |
| 795829 | Allow virtual patching to be applied to traffic destined to the FortiGate by applying IPS signatures to the local-in interface using local-in policies. Attacks geared towards GUI and SSH management access, for example, can be mitigated using IPS signatures pushed from FortiGuard, thereby virtually patching these vulnerabilities. `config firewall local-in-policy edit <id> set virtual-patch {enable \| disable} next end` |
| 801495 | Allow device statistics (bytes and packets) to be displayed on FortiGate when a FortiSwitch NAC policy is enabled. Statistics are collected per device/MAC address connected to FortiSwitch. |
| 802001 | Add command to clean up old configurations, except for serial number and FortiManager IP, in `# execute factoryreset-for-central-management` |
| 804870 | Add support to source the packets with the address of the client-facing interface instead of using the server-facing interface's address. `config system interface edit <name> config ipv6 set dhcp6-relay-source-interface {enable \| disable} end next end` |
| 805565 | Add the Note the following exceptions: |
| 805867 | Increase the number of supported NAC devices to 48 times the maximum number of FortiSwitch units supported on that FortiGate model. |
| 806993 | Support ZTNA policy access control of unmanageable and unknown devices in the ZTNA application gateway by using the Enhance diagnostic commands: Enhance ZTNA traffic logs: In the GUI, tags can be specified in proxy policies (Policy & Objects > ZTNA > ZTNA Rules), and tags are visible on various pages (Policy & Objects > ZTNA > ZTNA Tags, Dashboard > FortiClient widget, and Security Fabric > Asset Identity Center). |
| 812120 | Support non-English keyboards for SSL VPN web mode with VNC by adding the The available options are: |
| 812993 | Support the blocking of a discovered FortiExtender device on a FortiGate configured as a FortiExtender controller using Reject Status in the GUI and `config extension-controller extender edit <name> set id <string> set authorized disable next end` |
| 813333 | Allow configuration of |
| 814796 | Remove the threat level threshold option from compromised host automation triggers in the GUI and CLI. |
| 818343 | HTTP2 connection coalescing and concurrent multiplexing allows multiple HTTP2 requests to share the same TLS connection when the destination IP is the same and the host names are compatible with the certificate. This is supported for ZTNA, virtual server load balancing, and explicit proxy. |
| 819508 | A FortiGate can allow single sign-on (SSO) from FortiCloud and FortiCloud IAM users with administrator profiles inherited from FortiCloud or overridden locally by the FortiGate. Similarly, users accessing the FortiGate remotely from FortiGate Cloud can have their permissions inherited or overridden by the FortiGate. |
| 819583 | Add guards to Node.JS log generation and move logs to `# diagnose nodejs logs {list \| show <arg> \| show-all \| delete <arg>}` |
| 820902 | Add option to exclude the first and last IP of a NAT64 IP pool. This setting is enabled by default. `config firewall ippool edit <name> set nat64 enable set subnet-broadcast-in-ippool {enable \| disable} next end` |
| 820989 | Improve device identification of a router or proxy: |
| 822249 | Add DHCP relay parameters under `config vpn ssl web portal edit <name> set dhcp-ra-giaddr <gateway_IP_address> set dhcp6-ra-linkaddr <IPv6_link_address> next end` |
| 822423 | Add option to support minimum and maximum version restrictions for the user agent. `config firewall proxy-address edit <name> set type {src-advanced \| ua} set ua <browser> set ua-min-ver <string> set ua-max-ver <string> next end` |
| 823374 | BGP extended community route targets can be matched in route maps. This can be applied in a scenario where the BGP route reflector receives routes from many VRFs, and instead of reflecting all routes from all VRFs, users only want to reflect routes based on a specific extended community route target. `config router extcommunity-list edit <name> set type {standard \| expanded} config rule edit <id> set action {deny \| permit} set type {rt \| soo} set match <extended_community_specifications> set regexp <ordered_list_of_attributes> next end next end` `config router route-map edit <name> config rule edit <id> set match-extcommunity <list> set match-extcommunity-exact {enable \| disable} next end next end` |
| 823702 | Allow VLAN sub-interfaces, such as regular 802.1Q and 802.1ad (QinQ), to be members of a virtual wire pair. |
| 823709 | Add TPM support for FG-VM64 platforms. Hypervisors with software TPM emulator packages installed will be able to support the TPM feature on FortiOS. This is currently supported on KVM and QEMU. |
| 823917 | Add option to set the IP fragment memory threshold manually (in MB, 32 - 2047, default = 32). A large memory threshold can reduce the number of ReasmFails caused by a large number of fragment packets. `config system global set ip-fragment-mem-thresholds <integer> end` |
| 825139 | Add option to embed a Base64 string instead of a plain text URL for images on the block pages. `config webfilter fortiguard set embed-image {enable \| disable} end` |
| 825308 | Allow FortiGate-VMs for OCI to work on ARM-based Oracle Cloud Ampere A1 Compute instances. |
| 825951 | Add the ability for Dynamic ARP Inspection (DAI) to examine ARP packets against static clients with static IP-MAC binding. Configurations can be pushed by the FortiGate switch controller to managed switches. `config switch-controller managed-switch edit <serial_number> config dhcp-snooping-static-client edit <name> set ip <IP_address> set vlan <vlan_ID> set mac <MAC_address> set port <port> next end next end` |
| 827460 | Allow users to specify cloud mode in the user data during deployment to insert a |
| 829628 | Add option for matching IPv4-mapped IPv6 URLs. This setting is disabled by default. When enabled, if the URL filter entry's URL hostname is an IPv4 address, the URL filter list will build an extra entry with the mapped IPv6 hostname URL. This is the same URL as the original URL, except that the hostname is replaced with the mapped IPv6 hostname. `config webfilter urlfilter edit <id> set ip4-mapped-ip6 {enable \| disable} next end` |
| 830527 | Added option to set the VRF route on a VPN interface with `config router static edit <seq-num> set device "vpn1" set vrf 1 next end` BFD is skipped when the VPN interface uses |
| 831010 | Support wireless client mode on FortiWiFi 80F series models. When wireless client mode is successfully configured, a default static route to the |
| 831427 | Add `config system global set log-single-cpu-high {enable \| disable} end` |
| 831492 | Add support to allow individual FortiGates in the Security Fabric to have their own automation setting. `config automation setting set fabric-sync {enable \| disable} end` |
| 832041 | Add options to filter WAD log messages by process type or process ID, and print WAD log messages by default when the session is unknown. `# diagnose wad filter process-type <integer>` `# diagnose wad filter process-id <integer>` When running |
| 832435 | Add support for PoE mode, power, and priority switch port options on FortiSwitch through the switch controller for supported models. `config switch-controller managed-switch edit <switch-id> config ports edit <name> set poe-port-mode {ieee802-3af \| ieee802-3at} set poe-port-priority {critical-priority \| high-priority \| low-priority} set poe-port-power {normal \| perpetual \| perpetual-fast} next end next end` |
| 833111 | Add option to enable or disable rewriting the `config firewall vip edit <vip> set type server-load-balance config realservers edit <id> set translate-host {enable \| disable} next end next end` `config firewall access-proxy edit <name> config api-gateway edit <id> config realservers edit <id> set translate-host {enable \| disable} next end next end next end` |
| 834861 | Add route tags to static routes. `config router static edit <seq-num> set tag <id> next end` Add password field to BGP neighbor group to be used for the neighbor range. `config router bgp config neighbor-group edit <name> set password <password> next end end` |
| 836287 | Support adding YAML to the file name when backing up the config as YAML, and detecting the file format when restoring the configuration. The In the GUI, the File format field has been removed from the Restore System Configuration page. |
| 836613 | Add option for each FortiClient EMS connector ( `config endpoint-control fctems edit <id> set trust-ca-cn {enable \| disable} next end` |
| 836653 | On FortiGates licensed for hyperscale firewall features, the following diagnose commands display summary information for IPv4 or IPv6 hardware sessions. `# diagnose sys npu-session list-brief` `# diagnose sys npu-session list-brief6` |
| 836851 | Enhance DHCP: |
| 838363 | Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information. `config system global set internet-service-database on-demand end` |
| 839076 | Support the IP addresses of AWS WorkSpaces, VPC endpoints, transit gateways, and the ENIs associated with various AWS load balancers in the AWS SDN connector. `config system sdn-connector edit <name> set alt-resource-ip {enable \| disable} next end` |
| 839877 | FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can grant permission to FortiPolicy to perform firewall address and policy changes. Two security rating tests for FortiPolicy have been added to the Security Posture scorecard. |
| 839951 | Add FGT-ARM64-GCP image to support ARM64-based GCP VMs of the GCP Tau T2A instance family. |
| 841928 | In some scenarios where it is necessary to simulate a system crash, the following commands allow a super_admin administrator to safely trigger a kernel crash using a SysRq key. `# diagnose debug kernel sysrq status` `# diagnose debug kernel sysrq {enable \| disable}` `# diagnose debug kernel sysrq command crash` A kernel crash dump is output to the console. The FortiGate reboots and recovers without losing any functionality. This is only supported on FortiGate VMs. |
| 841934 | Enhance the FortiGate AWS SDN connector to resolve various AWS endpoint ENI IP addresses: This adds support for dynamic policies in FortiGate CNF and for resolving various AWS PrivateLink endpoints for dynamic policies in typical deployments. |
| 844039 | When WAN-LAN operation and LAN port options are configured on the FortiGate and FortiAP, the FortiGate can display details about wired clients connected to the FortiAP LAN port in each of the following cases: The following configuration settings are required: Details about wired clients are displayed in the FortiOS CLI using |
| 849771 | Support Shielded and Confidential VM modes on GCP, where the UEFI VM image is used for secure boot and data in use is encrypted during processing. |
| 855684 | Allow users to configure the RADIUS NAS-ID as a custom ID or the hostname. When deploying a wireless network with WPA-Enterprise and RADIUS authentication, or using the RADIUS MAC authentication feature, the FortiGate can use the custom NAS-ID in its Access-Request. `config user radius edit <name> set nas-id-type {legacy \| custom \| hostname} set nas-id <string> next end` |
| 858786 | When configuring a CGN IP pool for a hyperscale firewall, exclude IP addresses within this IP pool from being used for source NAT ( `config firewall ippool edit <name> set type cgn-resource-allocation set startip <IPv4_address> set endip <IPv4_address> set excludeip <IPv4_address>, <IPv4_address>, <IPv4_address> ... next end` This option is currently not supported with a fixed allocation CGN IP pool (when |
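The AV exempt list entry (773551) describes a precise decision rule: a file hash match overrides only the signature/engine verdict, never the outbreak prevention, machine learning, FortiNDR or FortiSandbox results. The following added Python example models that rule on constructed data; it is not FortiOS code, and the function names, the "clean"/"infected" verdict strings and the sample file are assumptions made for illustration.

```python
import hashlib

# The exempt list accepts MD5, SHA1 or SHA256 digests; the algorithm is
# inferred from the hex length (32 / 40 / 64 characters).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def load_exempt_list(entries):
    """Normalise configured digests into a set of (algorithm, hex) pairs."""
    exempt = set()
    for raw in entries:
        digest = raw.strip().lower()
        algo = HASH_LENGTHS.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {raw!r}")
        exempt.add((algo, digest))
    return exempt


def is_exempt(data, exempt):
    """A file is exempt if any one of its three digests is on the list."""
    return any((algo, hashlib.new(algo, data).hexdigest()) in exempt
               for algo in ("md5", "sha1", "sha256"))


def final_action(data, exempt, signature_verdict, other_verdicts):
    """Return "allow" or "block" for a scanned file (constructed verdict model).

    signature_verdict: "clean" or "infected" from the AV signature/engine scan.
    other_verdicts:    {source: verdict} from outbreak prevention, ML, FortiNDR
                       and FortiSandbox inline scans; the exempt list does NOT
                       override any of these.
    """
    if any(v == "infected" for v in other_verdicts.values()):
        return "block"                       # exemption never applies here
    if signature_verdict == "infected" and is_exempt(data, exempt):
        return "allow"                       # signature false positive ignored
    return "block" if signature_verdict == "infected" else "allow"


# Constructed sample: a benign file that the signature engine misclassifies.
SAMPLE = b"MZ\x90\x00constructed benign installer stub"
EXEMPT = load_exempt_list([hashlib.sha256(SAMPLE).hexdigest()])
```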
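The ua-min-ver / ua-max-ver proxy address (822423) only works if versions are compared numerically: a lexical comparison would put "9.5" above "116.0". The added Python example below models such a range check on constructed User-Agent strings; it is not the FortiOS matcher, and the product-token regexes, the prefix semantics for a bound like "116" (covering all of 116.x), and the Edge-before-Chrome rule are assumptions made for illustration.

```python
import re

# Simplified product-token patterns (assumed): Edge UAs also carry a Chrome
# token, so a Chrome rule must not match an Edge browser.
BROWSER_PATTERNS = {
    "edge": r"Edg/([\d.]+)",
    "firefox": r"Firefox/([\d.]+)",
    "chrome": r"Chrome/([\d.]+)",
}


def parse_version(text):
    """'116.0.5845' -> (116, 0, 5845): integer tuples compare numerically."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def browser_version(ua, browser):
    """Return the browser's version tuple, or None if the UA is another browser."""
    if browser == "chrome" and "Edg/" in ua:
        return None
    m = re.search(BROWSER_PATTERNS[browser], ua)
    return parse_version(m.group(1)) if m else None


def _prefix(ver, bound):
    """Truncate/zero-pad ver to the length of bound so '116' covers 116.x."""
    return (ver + (0,) * len(bound))[:len(bound)]


def ua_matches(ua, browser, min_ver="", max_ver=""):
    """True when the UA is the given browser and its version lies within
    [min_ver, max_ver]; an empty bound leaves that side open."""
    ver = browser_version(ua, browser)
    if ver is None:
        return False
    if min_ver and _prefix(ver, parse_version(min_ver)) < parse_version(min_ver):
        return False
    if max_ver and _prefix(ver, parse_version(max_ver)) > parse_version(max_ver):
        return False
    return True


# Constructed sample User-Agent strings.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/116.0.5845.96 Safari/537.36")
OLD_CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/9.5.0.1 Safari/534.13"
EDGE_UA = CHROME_UA + " Edg/116.0.1938.62"
```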
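For the ip4-mapped-ip6 URL filter option (829628), the added Python example below builds the extra IPv4-mapped IPv6 entry for an IPv4-hostname URL and shows that a request using the mapped form only matches when the option is on. It is not FortiOS code; the bracketed `[::ffff:a.b.c.d]` host syntax follows the URL standard for IP literals, and the function names and sample URLs are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def ipv4_mapped_ipv6(host):
    """'93.184.216.34' -> '::ffff:93.184.216.34'; None if host is not IPv4."""
    try:
        v4 = ipaddress.IPv4Address(host)
    except ValueError:
        return None
    return f"::ffff:{v4}"


def replace_host(url, new_host):
    """Return url with only the hostname swapped (port and path kept)."""
    p = urlsplit(url)
    netloc = new_host + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def _key(url):
    """Comparison key: urlsplit().hostname strips IPv6 brackets and lowercases."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname, p.port, p.path or "/")


def build_filter_list(entries, ip4_mapped_ip6=False):
    """Expand configured URL filter entries into a set of match keys. With the
    option enabled, an IPv4-hostname entry gains a second, mapped-IPv6 entry."""
    keys = set()
    for url in entries:
        keys.add(_key(url))
        mapped = ipv4_mapped_ipv6(urlsplit(url).hostname or "")
        if ip4_mapped_ip6 and mapped:
            keys.add(_key(replace_host(url, f"[{mapped}]")))
    return keys


def url_blocked(filter_keys, request_url):
    """True when the request URL matches an expanded filter entry."""
    return _key(request_url) in filter_keys


# Constructed sample entry and the mapped-IPv6 form of the same resource.
ENTRY = "http://93.184.216.34/admin"
MAPPED_REQUEST = "http://[::ffff:93.184.216.34]/admin"
```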