New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

596988

Support automatic vCPU hot add and hot remove to the limit of the license entitlements after activating an S-series license or a FortiFlex license. This enhancement removes the requirement for running the execute cpu add <integer> command or rebooting when the FortiGate VM has a lower number of vCPUs allocated than the licensed number of vCPUs.

676463

The ISDB lookup penalty when revisiting the same resources can be circumvented by enabling the software ISDB cache:

config system settings
    set internet-service-database-cache {enable | disable}
end

727383

Add GUI support for IPv6 addresses in Internet Service Database (ISDB), and allow them to be configured in firewall policies.

750073

The /api/v2/monitor/ips/session/performance REST API can be used to query the FortiGate for its IPS session information.

753177

Display IoT devices with known vulnerabilities on the Security Fabric > Asset Identity Center page's Asset list view. Hovering over the vulnerabilities count displays a View IoT Vulnerabilities tooltip, which opens the View IoT Vulnerabilities table that includes the Vulnerability ID, Type, Severity, Reference, Description, and Patch Signature ID. Each entry in the Reference column includes the CVE number and a link to the CVE details.

The Security Fabric > Security Rating > Security Posture report includes FortiGuard IoT Detection Subscription and FortiGuard IoT Vulnerability checks. The FortiGuard IoT Detection Subscription rating check will pass if the System > FortiGuard page shows that the IoT Detection Service is licensed. The FortiGuard IoT Vulnerability rating check will fail if any IoT vulnerabilities are found.

To detect IoT vulnerabilities, the FortiGate must have a valid IoT Detection Service license, device detection must be configured on a LAN interface used by IoT devices, and a firewall policy with an application control sensor must be configured.

763752

Add GUI support for ip6-delegated-prefix-iaid.

766646

Enhance the Security Fabric > Fabric Connectors page to show a high-level overview of the Fabric components that are enabled and how they connect to each other. The System > Fabric Management page can be used to register and authorize Security Fabric devices instead of using the Security Fabric network topology gutter, which has been removed from the Security Fabric > Fabric Connectors page.

Changes include:

  • Improve the Security Fabric configuration settings to select the Security Fabric role.
  • Merge relevant connectors into Core Network Security Connectors and Security Fabric Connectors sections.
    • The Core Network Security Connectors section includes the Security Fabric Setup, LAN Edge Devices, Logging & Analytics, and FortiClient EMS cards.
    • The Security Fabric Connectors section includes the Central Management, Sandbox, and Supported Connectors cards.

766811

Add support to allow the SSL VPN client to add source ranges for routing through an SSL interface.

config vpn ssl client
    edit <name>
        set ipv4-subnets <subnets>
        set ipv6-subnets <subnets>
    next
end
config vpn ssl web portal
    edit <name>
        set client-src-range {enable | disable}
        set ip-mode {range | user-group | dhcp | no-ip}
    next
end

767570

Add the Fabric Overlay Orchestrator, which is an easy-to-use GUI wizard within FortiOS that simplifies the process of configuring a self-orchestrated SD-WAN overlay within a single Security Fabric without requiring additional tools or licensing. Currently, the Fabric Overlay Orchestrator supports a single hub architecture and builds upon an existing Security Fabric configuration. This feature configures the root FortiGate as the SD-WAN overlay hub and configures the downstream FortiGates (first-level children) as the spokes. After configuring the Fabric Overlay, you can proceed to complete the SD-WAN deployment configuration by configuring SD-WAN rules.

768062

Add support to use FortiMonitor to detect link quality based on sending probes from behind the FortiGate for selected applications to measure additional values, such as network transmit time (NTT), server response time (SRT), and application errors (app_err).

config system sdwan
    config health-check
        edit <name>
            set detect-mode agent-based
        next
    end
    config service
        edit <id>
            set agent-exclusive {enable | disable}
        next
    end
end

768458

Add the ability to perform multi-processing for the wireless daemon (cw_acd) by allowing users to specify the acd-process-count. The count varies by model based on the number of FortiAPs it is allowed to manage.

config wireless-controller global
    set acd-process-count <integer>
end

768966

Before this enhancement, certificate-based authentication against Active Directory LDAP (AD LDAP) only supported the UserPrincipalName (UPN) as the unique identifier in the Subject Alternative Name (SAN) field of peer user certificates. This enhancement extends the use case so that the RFC 822 Name (corporate email address) defined in the SAN extension of the certificate can carry the unique identifier used to match a user in AD LDAP. It also allows the DNS Name defined in the user certificate to be used as a unique identifier.

773551

The antivirus (AV) exempt list allows users to exempt known safe files that are incorrectly classified as malicious by the AV signature and AV engine scan. By configuring an antivirus exempt list in the CLI, users can specify file hashes in MD5, SHA1, or SHA256 for matching. When a file matches, the FortiGate ignores the AV scan verdict, so the corresponding UTM action defined in the AV profile is not performed. The exempt list does not apply to results of outbreak prevention, machine learning, FortiNDR, or FortiSandbox inline scans.

774766

Add server-cert and server-ca-cert options for Symantec Endpoint Protection Manager (SEPM) SDN connectors, which allow users to specify a certificate or series of certificates for the FortiGate to trust when connecting to the SEPM server.

config system sdn-connector
    edit <name>
        set server-cert <remote_certificate>
        set server-ca-cert <remote_or_CA_certificate>
    next
end

780571

Add Logs Sent Daily chart for remote logging sources (FortiAnalyzer, FortiGate Cloud, and FortiAnalyzer Cloud) to the Logging & Analytics Fabric Connector card within the Security Fabric > Fabric Connectors page and to the Dashboard as a widget for a selected remote logging source.

795829

Allow virtual patching to be applied to traffic destined to the FortiGate itself by applying IPS signatures to local-in traffic using local-in policies. Attacks aimed at GUI and SSH management access, for example, can be mitigated using IPS signatures pushed from FortiGuard, thereby virtually patching these vulnerabilities.

config firewall local-in-policy
    edit <id>
        set virtual-patch {enable | disable}
    next
end

801495

Allow device statistics (bytes and packets) to be displayed on FortiGate when a FortiSwitch NAC policy is enabled. Statistics are collected per device/MAC address connected to FortiSwitch.

# diagnose switch-controller telemetry show mac-stats switch <serial_number>

802001

Add command to clean up old configurations, except for serial number and FortiManager IP, in system.central-management.

# execute factoryreset-for-central-management

804870

Add support to source DHCPv6 relay packets with the address of the client-facing interface instead of the server-facing interface's address.

config system interface
    edit <name>
        config ipv6
            set dhcp6-relay-source-interface {enable | disable}
        end
    next
end

805565

Add the gui-proxy-inspection setting under config system settings, which is enabled on most models except for entry-level platforms with 2 GB of RAM or less. When this setting is disabled:

  • Proxy-based only profiles such as ICAP, Web Application Firewall, Video Filter, and Zero Trust Network Access are disabled (grayed out) on the System > Feature Visibility page.

  • The Feature set field is disabled on UTM profiles. Only flow-based features are shown.

  • Firewall policy pages do not have an option to select a Flow-based or Proxy-based inspection mode.

  • Proxy-based UTM profiles cannot be selected within policy configurations or other areas.

Note the following exceptions:

  • If the proxy feature set is enabled from the CLI or carried over from upgrading, it can be displayed in the GUI.

  • If proxy-based inspection mode is enabled from the CLI or carried over from upgrading, it can be displayed in GUI firewall policy pages.

805867

Increase the number of supported NAC devices to 48 times the maximum number of FortiSwitch units supported on that FortiGate model.

806993

Support ZTNA policy access control of unmanageable and unknown devices in the ZTNA application gateway by using the EMS_ALL_UNMANAGEABLE_CLIENTS and EMS_ALL_UNKNOWN_CLIENTS dynamic address local tags, respectively.

Enhance diagnostic commands:

  • Use diagnose firewall dynamic address to view IP addresses of clients associated with EMS_ALL_UNMANAGEABLE_CLIENTS and EMS_ALL_UNKNOWN_CLIENTS dynamic addresses.
  • Use diagnose user-device-store device memory list to view tags of devices identified through FortiGate device detection.

Enhance ZTNA traffic logs:

  • The emsconnection (CLI) or EMS Connection (GUI) field shows the client's connection status with the EMS server; possible values are unknown, offline, or online.
  • The clientdevicemanageable (CLI) or Client Device Manageable (GUI) field is used for device manageability status.

In the GUI, tags can be specified in proxy policies (Policy & Objects > ZTNA > ZTNA Rules), and tags are visible on various pages (Policy & Objects > ZTNA > ZTNA Tags, Dashboard > FortiClient widget, and Security Fabric > Asset Identity Center).

812120

Support non-English keyboards for SSL VPN web mode with VNC by adding the vnc-keyboard-layout option for config bookmarks under vpn ssl web portal, vpn ssl web user-bookmark, and vpn ssl web user-group-bookmark. The server and client must have the same keyboard layout.

The available options are: default, da (Danish), nl (Dutch), en-uk (English, United Kingdom), en-uk-ext (English, United Kingdom Extended), fi (Finnish), fr (French), fr-be (French, Belgium), fr-ca-mul (French, Canadian multilingual standard), de (German), de-ch (German, Switzerland), it (Italian), it-142 (Italian 142), pt (Portuguese), pt-br-abnt2 (Portuguese Brazilian ABNT2), no (Norwegian), gd (Scottish Gaelic), es (Spanish), sv (Swedish), and us-intl (United States international).

812993

Support the blocking of a discovered FortiExtender device on a FortiGate configured as a FortiExtender controller using Reject Status in the GUI and set authorized disable in the CLI.

config extension-controller extender
    edit <name>
        set id <string>
        set authorized disable
    next
end

813333

Allow configuration of interface-select-method and source-ip for TACACS+ accounting servers.

814796

Remove the threat level threshold option from compromised host automation triggers in the GUI and CLI.

818343

HTTP/2 connection coalescing and concurrent multiplexing allow multiple HTTP/2 requests to share the same TLS connection when the destination IP is the same and the host names are covered by the certificate presented on that connection. This is supported for ZTNA, virtual server load balancing, and explicit proxy.
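The eligibility check that coalescing depends on, as an added example (not FortiOS code): a request for a second host may ride on an existing HTTP/2 TLS connection only if it resolves to the same destination IP and the certificate already presented on that connection is valid for the new host name, following RFC 7540 section 9.1.1 and RFC 6125 name matching. The Http2Connection class and its SAN lists are constructed for illustration.

```python
"""HTTP/2 connection coalescing eligibility check (RFC 7540 section 9.1.1).

Two requests may share one TLS connection only if the new request's host
resolves to the same destination IP AND the server certificate on the existing
connection is valid for the new host name. Skipping the certificate check
would let a request for host B ride on a connection authenticated only for A.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Http2Connection:
    """State of an already-open upstream TLS connection (constructed)."""
    dest_ip: str
    dns_sans: list[str] = field(default_factory=list)  # dNSName SAN entries
    ip_sans: list[str] = field(default_factory=list)   # iPAddress SAN entries


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def hostname_matches_san(host: str, san: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, a wildcard only as the
    whole left-most label, never matching across label boundaries."""
    host = host.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return host == san
    san_labels = san.split(".")
    host_labels = host.split(".")
    # The wildcard must be the entire left-most label and leave at least two
    # more labels, so "*.com" and "*" are rejected; no wildcard elsewhere.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def cert_valid_for_host(conn: Http2Connection, host: str) -> bool:
    """Is the certificate on conn valid for host (name or IP literal)?"""
    if _is_ip_literal(host):
        # IP literals only match iPAddress SAN entries, never dNSName.
        want = ip_address(host.strip("[]"))
        return any(ip_address(s) == want for s in conn.ip_sans)
    return any(hostname_matches_san(host, s) for s in conn.dns_sans)


def can_coalesce(conn: Http2Connection, new_host: str, new_host_ip: str) -> bool:
    """True if a request for new_host (which resolves to new_host_ip) may be
    multiplexed onto conn instead of opening a new TLS connection."""
    if ip_address(new_host_ip) != ip_address(conn.dest_ip):
        return False
    return cert_valid_for_host(conn, new_host)


if __name__ == "__main__":
    # Constructed sample: one upstream connection with a wildcard certificate.
    conn = Http2Connection("198.51.100.10",
                           ["www.example.com", "*.example.com"],
                           ["198.51.100.10"])
    for host, ip in [("api.example.com", "198.51.100.10"),
                     ("api.example.com", "198.51.100.11"),
                     ("deep.api.example.com", "198.51.100.10"),
                     ("evil.example.net", "198.51.100.10")]:
        print(host, ip, "coalesce" if can_coalesce(conn, host, ip) else "new connection")
```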

819508

A FortiGate can allow single sign-on (SSO) from FortiCloud and FortiCloud IAM users with administrator profiles inherited from FortiCloud or overridden locally by the FortiGate. Similarly, users accessing the FortiGate remotely from FortiGate Cloud can have their permissions inherited or overridden by the FortiGate.

819583

Add guards to Node.JS log generation and move logs to tmpfs to prevent conserve mode issues. Node.JS logs only last a calendar day and will store up to 5 MB of logs. Once this limit is exceeded, the log file is deleted and a new file is created. A delete option has been added to the Node.JS debug command.

# diagnose nodejs logs {list | show <arg> | show-all | delete <arg>}

820902

Add option to exclude the first and last IP of a NAT64 IP pool. This setting is enabled by default.

config firewall ippool
    edit <name>
        set nat64 enable
        set subnet-broadcast-in-ippool {enable | disable}
    next
end

820989

Improve device identification of a router or proxy:

  • Re-introduce the concept of router detection based on detecting the device type changing.
  • Do not perform a signature check when scanning HTTP traffic if the headers contain Via, Forwarded, X-Forwarded-For, X-Forwarded-Host, or X-Forwarded-Proto.
  • Modify the rules for TTL-based router detection.

822249

Add DHCP relay parameters under config vpn ssl web portal so user groups can get different scope IP addresses from the DHCP server.

config vpn ssl web portal
    edit <name>
        set dhcp-ra-giaddr <gateway_IP_address>
        set dhcp6-ra-linkaddr <IPv6_link_address>
    next
end

822423

Add option to support minimum and maximum version restrictions for the user agent.

config firewall proxy-address
    edit <name>
        set type {src-advanced | ua}
        set ua <browser>
        set ua-min-ver <string>
        set ua-max-ver <string>
    next
end

823374

BGP extended community route targets can be matched in route maps. This can be applied in a scenario where the BGP route reflector receives routes from many VRFs, and instead of reflecting all routes from all VRFs, users only want to reflect routes based on a specific extended community route target.

config router extcommunity-list
    edit <name>
        set type {standard | expanded}
        config rule
            edit <id>
                set action {deny | permit}
                set type {rt | soo}
                set match <extended_community_specifications>
                set regexp <ordered_list_of_attributes>
            next
        end
    next
end
config router route-map
    edit <name>
        config rule
            edit <id>
                set match-extcommunity <list>
                set match-extcommunity-exact {enable | disable}
            next
        end
    next
end

823702

Allow VLAN sub-interfaces, such as regular 802.1Q and 802.1ad (QinQ), to be members of a virtual wire pair.

823709

Add TPM support for FG-VM64 platforms. Hypervisors with software TPM emulator packages installed will be able to support the TPM feature on FortiOS. This is currently supported on KVM and QEMU.

823917

Add option to set the IP fragment memory threshold manually (in MB, 32 - 2047, default = 32). A large memory threshold can reduce the number of ReasmFails due to the large number of fragment packets.

config system global
    set ip-fragment-mem-thresholds <integer>
end

825139

Add option to embed a Base64 string instead of a plain text URL for images on the block pages.

config webfilter fortiguard
    set embed-image {enable | disable}
end

825308

Allow FortiGate-VMs for OCI to work on ARM-based Oracle Cloud Ampere A1 Compute instances.

825951

Add the ability for Dynamic ARP Inspection (DAI) to examine ARP packets against static clients with static IP-MAC binding. Configurations can be pushed by the FortiGate switch controller to managed switches.

config switch-controller managed-switch
    edit <serial_number>
        config dhcp-snooping-static-client
            edit <name>
                set ip <IP_address>
                set vlan <vlan_ID>
                set mac <MAC_address>
                set port <port>
            next
        end
    next
end

827460

Allow users to specify cloud mode in the user data during deployment to insert a Cloud mode: cnf identification in the get system status output. This allows FortiManager to detect the managed FortiGate as a FortiGate-CNF device and disable certain settings.

829628

Add option for matching IPv4-mapped IPv6 URLs. This setting is disabled by default. When enabled, if the URL filter entry's URL hostname is an IPv4 address, the URL filter list builds an extra entry with the mapped IPv6 hostname URL. This is the same URL as the original, except that the hostname is replaced with the IPv4-mapped IPv6 hostname.

config webfilter urlfilter
    edit <id>
        set ip4-mapped-ip6 {enable | disable}
    next
end
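An added example (not FortiOS code) of the entry expansion this option describes and why it matters: a URL filter entry whose hostname is an IPv4 address gains a twin with the IPv4-mapped IPv6 literal (RFC 4291 ::ffff:a.b.c.d), so a request written as http://[::ffff:192.0.2.10]/... no longer slips past a match on the original entry. The filter entries, request URLs and the simple prefix matcher are constructed for illustration.

```python
"""Expand IPv4 URL filter entries with their IPv4-mapped IPv6 twins and match
request URLs against the effective list.

A request whose host is the IPv6 literal [::ffff:192.0.2.10] targets the same
server as 192.0.2.10, but it does not match an entry written for the IPv4
address; the mapped twin entry closes that gap.
"""
from ipaddress import IPv4Address, ip_address
from urllib.parse import urlsplit


def _split(url):
    """Split a URL or scheme-less filter entry into (scheme, host, port, path, query)."""
    has_scheme = "://" in url
    parts = urlsplit(url if has_scheme else "//" + url)
    return parts.scheme, parts.hostname, parts.port, parts.path, parts.query


def _ip_literal(hostname):
    """Return an ip_address object if hostname is an IP literal, else None."""
    try:
        return ip_address(hostname)
    except ValueError:
        return None


def ip4_mapped_ip6_entry(entry):
    """Return the companion entry with the hostname replaced by its IPv4-mapped
    IPv6 form (written in hex so the text is stable across Python versions),
    or None when the entry's hostname is not an IPv4 address."""
    scheme, host, port, path, query = _split(entry)
    ip = _ip_literal(host)
    if not isinstance(ip, IPv4Address):
        return None
    v4 = int(ip)
    mapped = "[::ffff:%x:%x]" % (v4 >> 16, v4 & 0xFFFF)
    if port:
        mapped += ":%d" % port
    if query:
        path += "?" + query
    return (scheme + "://" if scheme else "") + mapped + path


def expand_entries(entries, ip4_mapped_ip6):
    """Build the effective filter list; with the option enabled each IPv4
    entry is followed by its mapped IPv6 twin."""
    out = []
    for entry in entries:
        out.append(entry)
        twin = ip4_mapped_ip6_entry(entry) if ip4_mapped_ip6 else None
        if twin:
            out.append(twin)
    return out


def _host_key(hostname):
    # IP literals compare numerically, so ::ffff:192.0.2.10 and ::ffff:c000:20a
    # are one host; names compare case-insensitively.
    ip = _ip_literal(hostname)
    return ip if ip is not None else hostname.lower()


def url_matches_entry(request_url, entry):
    """Constructed simple-type match: same host and port, and the request
    path starts with the entry path."""
    _, rh, rp, rpath, _ = _split(request_url)
    _, eh, ep, epath, _ = _split(entry)
    if rh is None or eh is None or _host_key(rh) != _host_key(eh):
        return False
    if ep is not None and rp != ep:
        return False
    return (rpath or "/").startswith(epath or "/")


def is_blocked(request_url, entries, ip4_mapped_ip6):
    """True if request_url matches any effective entry."""
    return any(url_matches_entry(request_url, e)
               for e in expand_entries(entries, ip4_mapped_ip6))


if __name__ == "__main__":
    entries = ["192.0.2.10/blocked", "www.example.com/downloads"]  # constructed
    req = "http://[::ffff:192.0.2.10]/blocked/file.exe"
    for enabled in (False, True):
        print("ip4-mapped-ip6", "enable" if enabled else "disable",
              "->", "blocked" if is_blocked(req, entries, enabled) else "allowed")
```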

830527

Added option to set the VRF route on a VPN interface with vpn-id-ipip encapsulation. Previously, VRFs in static routes could only be set if the blackhole was enabled.

config router static
    edit <seq-num>
        set device "vpn1"
        set vrf 1
    next
end

BFD is skipped when the VPN interface uses vpn-id-ipip encapsulation.

831010

Support wireless client mode on FortiWiFi 80F series models. When wireless client mode is successfully configured, a default static route to the aplink interface is automatically created. For outgoing traffic using this wireless client connection, a firewall policy from the wired internal/LAN interface as the source interface to the aplink interface as the destination interface must be configured.

831427

Add log-single-cpu-high option under config system global. When enabled, CPU single core usage will be polled every three seconds, and any single CPU core usage above the CPU usage threshold will report an event log. If a core is reported, that core will not be checked again for the next 30 seconds.

config system global
    set log-single-cpu-high {enable | disable}
end

831492

Add support to allow individual FortiGates in the Security Fabric to have their own automation setting.

config automation setting
    set fabric-sync {enable | disable}
end

832041

Add options to filter WAD log messages by process type or process ID, and print WAD log messages by default when the session is unknown.

# diagnose wad filter process-type <integer>
# diagnose wad filter process-id <integer>

When running diagnose wad filter list, the process type and process ID are visible in the output.

832435

Add support for PoE mode, power, and priority switch port options on FortiSwitch through the switch controller for supported models.

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <name>
                set poe-port-mode {ieee802-3af | ieee802-3at}
                set poe-port-priority {critical-priority | high-priority | low-priority}
                set poe-port-power {normal | perpetual | perpetual-fast}
            next
        end
    next
end

833111

Add option to enable or disable rewriting the Host field in HTTP requests through a virtual server or access proxy before being sent to a real server.

config firewall vip
    edit <vip>
        set type server-load-balance
        config realservers
            edit <id>
                set translate-host {enable | disable}
            next
        end
    next
end
config firewall access-proxy
    edit <name>
        config api-gateway
            edit <id>
                config realservers
                    edit <id>
                        set translate-host {enable | disable}
                    next
                end
            next
        end
    next
end

834861

Add route tags to static routes.

config router static
    edit <seq-num>
        set tag <id>
    next
end

Add password field to BGP neighbor group to be used for the neighbor range.

config router bgp
    config neighbor-group
        edit <name>
            set password <password>
        next
    end
end

836287

Support adding YAML to the file name when backing up the config as YAML, and detecting file format when restoring the configuration.

The execute restore yaml-config command has been removed and execute restore config should be used.

In the GUI, the File format field has been removed from the Restore system Configuration page.

836613

Add option for each FortiClient EMS connector (trust-ca-cn). This option is enabled by default. When enabled, the CA and CN information is stored with the connector, which allows the FortiGate to automatically approve an updated certificate so long as it has the same CA and CN.

config endpoint-control fctems
    edit <id>
        set trust-ca-cn {enable | disable}
    next
end

836653

On FortiGates licensed for hyperscale firewall features, the following diagnose commands display summary information for IPv4 or IPv6 hardware sessions.

# diagnose sys npu-session list-brief
# diagnose sys npu-session list-brief6

836851

Enhance DHCP:

  • Increase the number of supported IP ranges from 3 to 10
  • Support DHCP option 77 for User Class information
  • Support customizing the lease time per IP range (CLI only)

838363

Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information.

config system global
    set internet-service-database on-demand
end

839076

Support the IP addresses of AWS WorkSpaces, VPC endpoints, transit gateways, and the ENIs associated with various AWS load balancers in the AWS SDN connector.

config system sdn-connector
    edit <name>
        set alt-resource-ip {enable | disable}
    next
end

839877

FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can grant permission to FortiPolicy to perform firewall address and policy changes. Two security rating tests for FortiPolicy have been added to the Security Posture scorecard.

839951

Add FGT-ARM64-GCP image to support ARM64-based GCP VMs of the GCP Tau T2A instance family.

841928

In some scenarios where it is necessary to simulate a system crash, the following commands allow a super_admin administrator to safely trigger a kernel crash using a SysRq key.

# diagnose debug kernel sysrq status
# diagnose debug kernel sysrq {enable | disable}
# diagnose debug kernel sysrq command crash

A kernel crash dump is output to the console. The FortiGate reboots and recovers without losing any functionality. This is only supported on FortiGate VMs.

841934

Enhance the FortiGate AWS SDN connector to resolve various AWS endpoint ENI IP addresses:

  • API Gateway private endpoints
  • VPC endpoints for Aurora Data API
  • AWS PrivateLink for S3
  • VPC endpoints for Lambda

This adds support for dynamic policies in FortiGate CNF and resolves various AWS PrivateLink endpoints for dynamic policies in typical deployments.

844039

When WAN-LAN operation and LAN port options are configured on the FortiGate and FortiAP, the FortiGate can display details about wired clients connected to the FortiAP LAN port in each of the following cases:

  • LAN2 port of FortiAP models with LAN1 and LAN2 ports
  • LAN port of FortiAP models with LAN and WAN ports

The following configuration settings are required:

  • WAN-LAN operation must be configured using set wan-port-mode wan-lan on the FortiGate's FortiAP profile and cfg -a WANLAN_MODE=WAN-LAN using the FortiAP CLI, respectively.
  • LAN port mode can be configured using any of the port-mode options (nat-to-wan, bridge-to-wan, bridge-to-ssid) under config lan within config wireless-controller wtp-profile.

Details about wired clients are displayed in the FortiOS CLI using diagnose wireless-controller wlac -c lan-sta, and in the FortiAP CLI using cw_diag -c k-lan-host.

849771

Support Shielded and Confidential VM modes on GCP where the UEFI VM image is used for secure boot, and data in use is encrypted during processing.

855684

Allow users to configure the RADIUS NAS-ID as a custom ID or the hostname. When deploying a wireless network with WPA-Enterprise and RADIUS authentication, or using the RADIUS MAC authentication feature, the FortiGate can use the custom NAS-ID in its Access-Request.

config user radius
    edit <name>
        set nas-id-type {legacy | custom | hostname}
        set nas-id <string>
    next
end

858786

When configuring a CGN IP pool for a hyperscale firewall, exclude IP addresses within this IP pool from being used for source NAT (excludeip). This allows users to remain secure and mitigate attacks by ensuring that global IP addresses within a CGN IP pool that are being targeted by external attackers are not re-used by other users of the hyperscale firewall.

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <IPv4_address>
        set endip <IPv4_address>
        set excludeip <IPv4_address>, <IPv4_address>, <IPv4_address> ...
    next
end

This option is currently not supported with a fixed allocation CGN IP pool (when set cgn-fixedalloc enable is configured).

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID

Description

596988

Support automatic vCPU hot add and hot remove to the limit of the license entitlements after activating an S-series license or a FortiFlex license. This enhancement removes the requirement for running the execute cpu add <integer> command or rebooting when the FortiGate VM has a lower number of vCPUs allocated than the licensed number of vCPUs.

676463

The ISDB lookup penalty when revisiting the same resources can be circumvented by enabling the software ISDB cache:

config system settings
   set internet-service-database-cache {enable | disable}
end

727383

Add GUI support for IPv6 addresses in Internet Service Database (ISDB), and allow them to be configured in firewall policies.

750073

The /api/v2/monitor/ips/session/performance REST API can be used to query the FortiGate for its IPS session information.

753177

Display IoT devices with known vulnerabilities on the Security Fabric > Asset Identity Center page's Asset list view. Hovering over the vulnerabilities count displays a View IoT Vulnerabilities tooltip, which opens the View IoT Vulnerabilities table that includes the Vulnerability ID, Type, Severity, Reference, Description, and Patch Signature ID. Each entry in the Reference column includes the CVE number and a link to the CVE details.

The Security Fabric > Security Rating > Security Posture report includes FortiGuard IoT Detection Subscription and FortiGuard IoT Vulnerability checks. The FortiGuard IoT Detection Subscription rating check will pass if the System > FortiGuard page shows that the IoT Detection Service is licensed. The FortiGuard IoT Vulnerability rating check will fail if any IoT vulnerabilities are found.

To detect IoT vulnerabilities, the FortiGate must have a valid IoT Detection Service license, device detection must be configured on a LAN interface used by IoT devices, and a firewall policy with an application control sensor must be configured.

763752

Add GUI support for ip6-delegated-prefix-iaid.

766646

Enhance the Security Fabric > Fabric Connectors page to show a high-level overview of the Fabric components that are enabled and how they connect to each other. The System > Fabric Management page can be used to register and authorize Security Fabric devices instead of the using the Security Fabric network topology gutter, which has been removed from the Security Fabric > Fabric Connectors page.

Changes include:

  • Improve the Security Fabric configuration settings to select the Security Fabric role.
  • Merge relevant connectors into Core Network Security Connectors and Security Fabric Connectors sections.
    • The Core Network Security Connectors section includes the Security Fabric Setup, LAN Edge Devices, Logging & Analytics, and FortiClient EMS cards.
    • The Security Fabric Connectors section includes the Central Management, Sandbox, and Supported Connectors cards.

766811

Add support to allow the SSL VPN client to add source ranges for routing through an SSL interface.

config vpn ssl client
    edit <name>
        set ipv4-subnets <subnets>
        set ipv6-subnets <subnets>
    next
end
config vpn ssl web portal
    edit <name>
        set client-src-range {enable | disable}
		set ip-mode {range | user-group | dhcp | no-ip}
    next
end

767570

Add the Fabric Overlay Orchestrator, which is an easy-to-use GUI wizard within FortiOS that simplifies the process of configuring a self-orchestrated SD-WAN overlay within a single Security Fabric without requiring additional tools or licensing. Currently, the Fabric Overlay Orchestrator supports a single hub architecture and builds upon an existing Security Fabric configuration. This feature configures the root FortiGate as the SD-WAN overlay hub and configures the downstream FortiGates (first-level children) as the spokes. After configuring the Fabric Overlay, you can proceed to complete the SD-WAN deployment configuration by configuring SD-WAN rules.

768062

Add support to use FortiMonitor to detect link quality based on sending probes from behind the FortiGate for selected applications to measure additional values, such as network transmit time (NTT), server response time (SRT), and application errors (app_err).

config system sdwan
    config health-check
        edit <name>
            set detect-mode agent-based
        next
    end
    config service
        edit <id>
            set agent-exclusive {enable | disable}
        next
    end
end

768458

Add the ability to perform multi-processing for the wireless daemon (cw_acd) by allowing users to specify the acd-process-count. The count varies by model based on the number of FortiAPs it is allowed to manage.

config wireless-controller global
    set acd-process-count <integer>
end

768966

Before this enhancement, certificate-based authentication against Active Directory LDAP (AD LDAP) only supported the UserPrincipleName (UPN) as the unique identifier in the Subject Alternative Name (SAN) field in peer user certificates. This enhancement extends the use case to cover the RFC 822 Name (corporate email address) defined in the SAN extension of the certificate to contain the unique identifier used to match a user in AD LDAP. It also allows the DNS defined in the user certificate to be used as a unique identifier.

773551

The antivirus (AV) exempt list allows users to exempt known safe files that happen to be incorrectly classified as malicious by our AV signature and AV engine scan. By configuring an antivirus exempt list in the CLI, users can specify file hashes in MD5, SHA1, or SHA256 for matching, When matched, the FortiGate ignores the AV scan verdict so that the corresponding UTM behavior defined in the AV profile is not performed. The exempt list does not apply to results of outbreak prevention, machine learning, FortiNDR, or FortiSandbox inline scans.

774766

Add server-cert and server-ca-cert options for Symantec Endpoint Protection Manager (SEPM) SDN connectors, which allow users to specify a certificate or series of certificates for the FortiGate to trust when connecting to the SEPM server.

config system sdn-connector
    edit <name>
        set server-cert <remote_certificate>
        set server-ca-cert <remote_or_CA_certificate>
    next
end

780571

Add Logs Sent Daily chart for remote logging sources (FortiAnalyzer, FortiGate Cloud, and FortiAnalyzer Cloud) to the Logging & Analytics Fabric Connector card within the Security Fabric > Fabric Connectors page and to the Dashboard as a widget for a selected remote logging source.

795829

Allow virtual patching to be applied to traffic destined to the FortiGate by applying IPS signatures to the local in interface using local in policies. Attacks geared towards GUI and SSH management access, for example, can be mitigated using IPS signatures pushed from FortiGuard, thereby virtually patching these vulnerabilities.

config firewall local-in-policy 
    edit <id>
        set virtual-patch {enable | disable}
    next
end

801495

Allow device statistics (bytes and packets) to be displayed on FortiGate when a FortiSwitch NAC policy is enabled. Statistics are collected per device/MAC address connected to FortiSwitch.

# diagnose switch-controller telemetry show mac-stats switch <serial_number>

802001

Add command to clean up old configurations, except for serial number and FortiManager IP, in system.central-management.

# execute factoryreset-for-central-management

804870

Add support for sourcing DHCPv6 relay packets from the address of the client-facing interface instead of the server-facing interface's address.

config system interface
    edit <name>
        config ipv6
            set dhcp6-relay-source-interface {enable | disable}
        end
    next
end

805565

Add the gui-proxy-inspection setting under config system settings, which is enabled on most models except for entry-level platforms with 2 GB of RAM or less. When this setting is disabled:

  • Proxy-based only profiles such as ICAP, Web Application Firewall, Video Filter, and Zero Trust Network Access are disabled (grayed out) on the System > Feature Visibility page.

  • The Feature set field is disabled on UTM profiles. Only flow-based features are shown.

  • Firewall policy pages do not have the option to select a Flow-based or Proxy-based inspection mode.

  • Proxy-based UTM profiles cannot be selected within policy configurations or other areas.

Note the following exceptions:

  • If the proxy feature set is enabled from the CLI or carried over from upgrading, it can be displayed in the GUI.

  • If proxy-based inspection mode is enabled from the CLI or carried over from upgrading, it can be displayed in GUI firewall policy pages.

805867

Increase the number of supported NAC devices to 48 times the maximum number of FortiSwitch units supported on that FortiGate model.

806993

Support ZTNA policy access control of unmanageable and unknown devices in the ZTNA application gateway by using the EMS_ALL_UNMANAGEABLE_CLIENTS and EMS_ALL_UNKNOWN_CLIENTS dynamic address local tags, respectively.

Enhance diagnostic commands:

  • Use diagnose firewall dynamic address to view IP addresses of clients associated with EMS_ALL_UNMANAGEABLE_CLIENTS and EMS_ALL_UNKNOWN_CLIENTS dynamic addresses.
  • Use diagnose user-device-store device memory list to view tags of devices identified through FortiGate device detection.

Enhance ZTNA traffic logs:

  • The emsconnection (CLI) or EMS Connection (GUI) field is used for the client connection status with the EMS server; possible values are unknown, offline, or online.
  • The clientdevicemanageable (CLI) or Client Device Manageable (GUI) field is used for device manageability status.

In the GUI, tags can be specified in proxy policies (Policy & Objects > ZTNA > ZTNA Rules), and tags are visible on various pages (Policy & Objects > ZTNA > ZTNA Tags, Dashboard > FortiClient widget, and Security Fabric > Asset Identity Center).

812120

Support non-English keyboards for SSL VPN web mode with VNC by adding the vnc-keyboard-layout option for config bookmarks under vpn ssl web portal, vpn ssl web user-bookmark, and vpn ssl web user-group-bookmark. The server and client must have the same keyboard layout.

The available options are: default, da (Danish), nl (Dutch), en-uk (English, United Kingdom), en-uk-ext (English, United Kingdom Extended), fi (Finnish), fr (French), fr-be (French, Belgium), fr-ca-mul (French, Canadian multilingual standard), de (German), de-ch (German, Switzerland), it (Italian), it-142 (Italian 142), pt (Portuguese), pt-br-abnt2 (Portuguese Brazilian ABNT2), no (Norwegian), gd (Scottish Gaelic), es (Spanish), sv (Swedish), and us-intl (United States international).

812993

Support the blocking of a discovered FortiExtender device on a FortiGate configured as a FortiExtender controller using Reject Status in the GUI and set authorized disable in the CLI.

config extension-controller extender
    edit <name>
        set id <string>
        set authorized disable
    next
end

813333

Allow configuration of interface-select-method and source-ip for TACACS+ accounting servers.

814796

Remove the threat level threshold option from compromised host automation triggers in the GUI and CLI.

818343

HTTP2 connection coalescing and concurrent multiplexing allow multiple HTTP2 requests to share the same TLS connection when the destination IP is the same and the host names are compatible with the certificate. This is supported for ZTNA, virtual server load balancing, and explicit proxy.
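The coalescing rule stated above, as an added illustration rather than FortiOS code: a request may reuse a pooled TLS connection only when it resolves to the same destination IP and its hostname is covered by the certificate that connection was validated with. The connection pool and certificate SANs below are constructed.

```python
"""Added illustration (not FortiOS code) of the HTTP/2 coalescing rule:
a request may reuse an existing TLS connection only when it resolves to the
same destination IP and the hostname is covered by the certificate that
connection was validated with. Connection and certificate data are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Http2Connection:
    dest_ip: str          # peer IP the TLS connection was opened to
    cert_sans: List[str]  # dNSName SANs of the validated server certificate


def san_matches(san: str, host: str) -> bool:
    """Match a hostname against one dNSName SAN; a leading '*' covers exactly
    one left-most label and never the apex name itself."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        s_labels, h_labels = san.split("."), host.split(".")
        return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]
    return san == host


def can_coalesce(conn: Http2Connection, host: str, resolved_ip: str) -> bool:
    """Both conditions must hold: a certificate that happens to cover the name
    is not enough if the name resolves to a different origin IP."""
    return conn.dest_ip == resolved_ip and any(
        san_matches(san, host) for san in conn.cert_sans)


def pick_connection(pool: List[Http2Connection], host: str,
                    resolved_ip: str) -> Optional[Http2Connection]:
    """Return the first pooled connection the request may share, else None
    (meaning a new TLS connection must be opened)."""
    for conn in pool:
        if can_coalesce(conn, host, resolved_ip):
            return conn
    return None


# Constructed pool: one connection per origin, with the SANs each presented.
POOL = [
    Http2Connection("192.0.2.10", ["www.example.com", "*.example.com"]),
    Http2Connection("192.0.2.20", ["api.example.net"]),
]

if __name__ == "__main__":
    for host, ip in [("app.example.com", "192.0.2.10"),
                     ("app.example.com", "192.0.2.30"),
                     ("deep.app.example.com", "192.0.2.10"),
                     ("api.example.net", "192.0.2.10")]:
        conn = pick_connection(POOL, host, ip)
        print(f"{host} @ {ip}: {'reuse ' + conn.dest_ip if conn else 'new connection'}")
```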

819508

A FortiGate can allow single sign-on (SSO) from FortiCloud and FortiCloud IAM users with administrator profiles inherited from FortiCloud or overridden locally by the FortiGate. Similarly, users accessing the FortiGate remotely from FortiGate Cloud can have their permissions inherited or overridden by the FortiGate.

819583

Add guards to Node.JS log generation and move logs to tmpfs to prevent conserve mode issues. Node.JS logs only last a calendar day and will store up to 5 MB of logs. Once this limit is exceeded, the log file is deleted and a new file is created. A delete option has been added to the Node.JS debug command.

# diagnose nodejs logs {list | show <arg> | show-all | delete <arg>}

820902

Add option to exclude the first and last IP of a NAT64 IP pool. This setting is enabled by default.

config firewall ippool
    edit <name>
        set nat64 enable
        set subnet-broadcast-in-ippool {enable | disable}
    next
end

820989

Improve device identification of a router or proxy:

  • Re-introduce the concept of router detection based on detecting the device type changing.
  • Do not perform a signature check when scanning HTTP traffic if the headers contain Via, Forwarded, X-Forwarded-For, X-Forwarded-Host, or X-Forwarded-Proto.
  • Modify the rules for TTL-based router detection.

822249

Add DHCP relay parameters under config vpn ssl web portal so user groups can get different scope IP addresses from the DHCP server.

config vpn ssl web portal
    edit <name>
        set dhcp-ra-giaddr <gateway_IP_address>
        set dhcp6-ra-linkaddr <IPv6_link_address>
    next
end

822423

Add option to support minimum and maximum version restrictions for the user agent.

config firewall proxy-address
    edit <name>
        set type {src-advanced | ua}
        set ua <browser>
        set ua-min-ver <string>
        set ua-max-ver <string>
    next
end

823374

BGP extended community route targets can be matched in route maps. This can be applied in a scenario where the BGP route reflector receives routes from many VRFs, and instead of reflecting all routes from all VRFs, users only want to reflect routes based on a specific extended community route target.

config router extcommunity-list
    edit <name>
        set type {standard | expanded}
        config rule
            edit <id>
                set action {deny | permit}
                set type {rt | soo}
                set match <extended_community_specifications>
                set regexp <ordered_list_of_attributes>
            next
        end
    next
end
config router route-map
    edit <name>
        config rule
            edit <id>
                set match-extcommunity <list>
                set match-extcommunity-exact {enable | disable}
            next
        end
    next
end

823702

Allow VLAN sub-interfaces, such as regular 802.1Q and 802.1ad (QinQ), to be members of a virtual wire pair.

823709

Add TPM support for FG-VM64 platforms. Hypervisors with software TPM emulator packages installed will be able to support the TPM feature on FortiOS. This is currently supported on KVM and QEMU.

823917

Add option to set the IP fragment memory threshold manually (in MB, 32 - 2047, default = 32). A larger memory threshold can reduce the number of ReasmFails caused by a large number of fragmented packets.

config system global
    set ip-fragment-mem-thresholds <integer>
end

825139

Add option to embed a Base64 string instead of a plain text URL for images on the block pages.

config webfilter fortiguard
    set embed-image {enable | disable}
end

825308

Allow FortiGate-VMs for OCI to work on ARM-based Oracle Cloud Ampere A1 Compute instances.

825951

Add the ability for Dynamic ARP Inspection (DAI) to examine ARP packets against static clients with static IP-MAC binding. Configurations can be pushed by the FortiGate switch controller to managed switches.

config switch-controller managed-switch
    edit <serial_number>
        config dhcp-snooping-static-client
            edit <name>
                set ip <IP_address>
                set vlan <vlan_ID>
                set mac <MAC_address>
                set port <port>
            next
        end
    next
end

827460

Allow users to specify cloud mode in the user data during deployment to insert a Cloud mode: cnf identification in the get system status output. This allows FortiManager to detect the managed FortiGate as a FortiGate-CNF device and disable certain settings.

829628

Add option for matching IPv4-mapped IPv6 URLs. This setting is disabled by default. When enabled, if the URL filter entry's URL hostname is an IPv4 address, the URL filter list will build an extra entry with the mapped IPv6 hostname URL. This is the same URL as the original URL, except that the hostname is replaced with the mapped IPv6 hostname.

config webfilter urlfilter
    edit <id>
        set ip4-mapped-ip6 {enable | disable}
    next
end
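The extra entry that the ip4-mapped-ip6 option derives, shown as an added illustration that is not FortiOS code: each IPv4-host entry gains a copy whose hostname is the IPv4-mapped IPv6 form (::ffff:a.b.c.d), and request URLs are then matched against the expanded list. Entries are treated as exact-match URLs (a simplifying assumption), and the entries and request URLs are constructed.

```python
"""Added illustration (not FortiOS code) of the ip4-mapped-ip6 option:
expanding a URL filter list with the IPv4-mapped IPv6 form of each IPv4-host
entry and matching request URLs against the result. Entries are treated as
exact matches (a simplifying assumption); URLs and entries are constructed."""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit


def mapped_ipv6_entry(url: str) -> Optional[str]:
    """Return the same URL with an IPv4 hostname rewritten to ::ffff:a.b.c.d,
    or None when the hostname is not an IPv4 address."""
    parts = urlsplit(url)
    try:
        ipaddress.IPv4Address(parts.hostname)
    except ValueError:
        return None
    netloc = f"[::ffff:{parts.hostname}]"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def expand_entries(entries: List[str], ip4_mapped_ip6: bool) -> List[str]:
    """Build the effective list: each original, followed by its mapped form
    when the option is enabled and the hostname is an IPv4 address."""
    result = []
    for entry in entries:
        result.append(entry)
        mapped = mapped_ipv6_entry(entry) if ip4_mapped_ip6 else None
        if mapped is not None:
            result.append(mapped)
    return result


def _canonical(url: str) -> tuple:
    """Normalise scheme/host/port/path so that ::ffff:c000:201 and
    ::ffff:192.0.2.1 compare equal (both parse to the same IPv6Address)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        host = host.lower()
    return (parts.scheme.lower(), host, parts.port, parts.path or "/")


def url_matches(url: str, effective_entries: List[str]) -> bool:
    """True when the request URL equals any entry of the effective list."""
    target = _canonical(url)
    return any(_canonical(entry) == target for entry in effective_entries)


# Constructed filter list: one IPv4-host entry and one name-based entry.
ENTRIES = ["http://192.0.2.1/admin", "http://example.com/login"]

if __name__ == "__main__":
    for enabled in (False, True):
        effective = expand_entries(ENTRIES, enabled)
        hit = url_matches("http://[::ffff:c000:201]/admin", effective)
        print(f"ip4-mapped-ip6 {'enable' if enabled else 'disable'}: {effective} -> {hit}")
```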

830527

Added option to set the VRF route on a VPN interface with vpn-id-ipip encapsulation. Previously, VRFs in static routes could only be set if the blackhole was enabled.

config router static
    edit <seq-num>
        set device "vpn1"
        set vrf 1
    next
end

BFD is skipped when the VPN interface uses vpn-id-ipip encapsulation.

831010

Support wireless client mode on FortiWiFi 80F series models. When wireless client mode is successfully configured, a default static route to the aplink interface is automatically created. For outgoing traffic using this wireless client connection, a firewall policy from the wired internal/LAN interface as the source interface to the aplink interface as the destination interface must be configured.

831427

Add log-single-cpu-high option under config system global. When enabled, CPU single core usage will be polled every three seconds, and any single CPU core usage above the CPU usage threshold will report an event log. If a core is reported, that core will not be checked again for the next 30 seconds.

config system global
    set log-single-cpu-high {enable | disable}
end

831492

Add support to allow individual FortiGates in the Security Fabric to have their own automation setting.

config automation setting
    set fabric-sync {enable | disable}
end

832041

Add options to filter WAD log messages by process type or process ID, and print WAD log messages by default when the session is unknown.

# diagnose wad filter process-type <integer>
# diagnose wad filter process-id <integer>

When running diagnose wad filter list, the process type and process ID are visible in the output.

832435

Add support for PoE mode, power, and priority switch port options on FortiSwitch through the switch controller for supported models.

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <name>
                set poe-port-mode {ieee802-3af | ieee802-3at}
                set poe-port-priority {critical-priority | high-priority | low-priority}
                set poe-port-power {normal | perpetual | perpetual-fast}
            next
        end
    next
end

833111

Add option to enable or disable rewriting the Host field in HTTP requests through a virtual server or access proxy before being sent to a real server.

config firewall vip
    edit <vip>
        set type server-load-balance
        config realservers
            edit <id>
                set translate-host {enable | disable}
            next
        end
    next
end
config firewall access-proxy
    edit <name>
        config api-gateway
            edit <id>
                config realservers
                    edit <id>
                        set translate-host {enable | disable}
                    next
                end
            next
        end
    next
end

834861

Add route tags to static routes.

config router static
    edit <seq-num>
        set tag <id>
    next
end

Add password field to BGP neighbor group to be used for the neighbor range.

config router bgp
    config neighbor-group
        edit <name>
            set password <password>
        next
    end
end

836287

Support adding YAML to the file name when backing up the config as YAML, and detecting file format when restoring the configuration.

The execute restore yaml-config command has been removed and execute restore config should be used.

In the GUI, the File format field has been removed from the Restore system Configuration page.

836613

Add option for each FortiClient EMS connector (trust-ca-cn). This option is enabled by default. When enabled, the CA and CN information is stored with the connector, which allows the FortiGate to automatically approve an updated certificate so long as it has the same CA and CN.

config endpoint-control fctems
    edit <id>
        set trust-ca-cn {enable | disable}
    next
end

836653

On FortiGates licensed for hyperscale firewall features, the following diagnose commands display summary information for IPv4 or IPv6 hardware sessions.

# diagnose sys npu-session list-brief
# diagnose sys npu-session list-brief6

836851

Enhance DHCP:

  • Increase the number of supported IP ranges from 3 to 10
  • Support DHCP option 77 for User Class information
  • Support customizing the lease time per IP range (CLI only)

838363

Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information.

config system global
    set internet-service-database on-demand
end

839076

Support the IP addresses of AWS WorkSpaces, VPC endpoints, transit gateways, and the ENIs associated with various AWS load balancers in the AWS SDN connector.

config system sdn-connector
    edit <name>
        set alt-resource-ip {enable | disable}
    next
end

839877

FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can grant permission to FortiPolicy to perform firewall address and policy changes. Two security rating tests for FortiPolicy have been added to the Security Posture scorecard.

839951

Add FGT-ARM64-GCP image to support ARM64-based GCP VMs of the GCP Tau T2A instance family.

841928

In some scenarios where it is necessary to simulate a system crash, the following commands allow a super_admin administrator to safely trigger a kernel crash using a SysRq key.

# diagnose debug kernel sysrq status
# diagnose debug kernel sysrq {enable | disable}
# diagnose debug kernel sysrq command crash

A kernel crash dump is output to the console. The FortiGate reboots and recovers without losing any functionality. This is only supported on FortiGate VMs.

841934

Enhance the FortiGate AWS SDN connector to resolve various AWS endpoint ENI IP addresses:

  • API Gateway private endpoints
  • VPC endpoints for Aurora Data API
  • AWS PrivateLink for S3
  • VPC endpoints for Lambda

This adds support for dynamic policies in FortiGate CNF and resolves various AWS PrivateLink endpoints for dynamic policies in typical deployments.

844039

When WAN-LAN operation and LAN port options are configured on the FortiGate and FortiAP, the FortiGate can display details about wired clients connected to the FortiAP LAN port in each of the following cases:

  • LAN2 port of FortiAP models with LAN1 and LAN2 ports
  • LAN port of FortiAP models with LAN and WAN ports

The following configuration settings are required:

  • WAN-LAN operation must be configured using set wan-port-mode wan-lan on the FortiGate's FortiAP profile and cfg -a WANLAN_MODE=WAN-LAN using the FortiAP CLI, respectively.
  • LAN port mode can be configured using any of the port-mode options (nat-to-wan, bridge-to-wan, bridge-to-ssid) under config lan within config wireless-controller wtp-profile.

Details about wired clients are displayed in the FortiOS CLI using diagnose wireless-controller wlac -c lan-sta, and in the FortiAP CLI using cw_diag -c k-lan-host.

849771

Support Shielded and Confidential VM modes on GCP where the UEFI VM image is used for secure boot, and data in use is encrypted during processing.

855684

Allow users to configure the RADIUS NAS-ID as a custom ID or the hostname. When deploying a wireless network with WPA-Enterprise and RADIUS authentication, or using the RADIUS MAC authentication feature, the FortiGate can use the custom NAS-ID in its Access-Request.

config user radius
    edit <name>
        set nas-id-type {legacy | custom | hostname}
        set nas-id <string>
    next
end

858786

When configuring a CGN IP pool for a hyperscale firewall, exclude IP addresses within this IP pool from being used for source NAT (excludeip). This allows users to remain secure and mitigate attacks by ensuring that global IP addresses within a CGN IP pool that are being targeted by external attackers are not re-used by other users of the hyperscale firewall.

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <IPv4_address>
        set endip <IPv4_address>
        set excludeip <IPv4_address>, <IPv4_address>, <IPv4_address> ...
    next
end

This option is currently not supported with a fixed allocation CGN IP pool (when set cgn-fixedalloc enable is configured).