Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports.

Add SoC4 driver support for the IEEE 802.1ad, which is also known as QinQ. When the OID is used up, it is forbidden to create a new QinQ interface.

Add a RADIUS option to allow the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

FortiOS supports customizing the source IP address and the outgoing interface for communication with the upstream FortiGate in the Security Fabric:

config  system csf
    set source-ip <class_ip>
    set upstream-interface-select-method {auto | sdwan | specify}
end

Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP.

Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.

FortiOS allows customers to enable or disable the INDEX extension that appends the VDOM or interface index in RFC tables.

config system snmp sysinfo
    set append-index  {enable | disable }
end

Add support for FAP-234G management.

Support switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiAnalyzer.

This enhancement changes to the Internet Key Exchange (IKE) protocol to bolster the security measures and improve the performance of IPsec VPN. The three key changes include EMS SN Verification, IPsec SAML-based authentication, and IPsec Split DNS.

Support EMS serial number checking per IPsec phase 1 interface.

config vpn ipsec phase1-interface
    edit <name>
        set ems-sn-check {enable | disable}
    next
end

Add two FortiGuard web filter categories:

• Artificial intelligence technology (category 100): sites that offer solutions, insights, and resources related to artificial intelligence (AI).

• Cryptocurrency (category 101): sites that specialize in digital or virtual currencies that are secured by cryptography and operate on decentralized networks.

Support autoconnect to IPsec VPN using Microsoft Entra ID. This enables seamless and secure connectivity for users accessing corporate resources by automatically establishing IPsec VPN connections based on Microsoft Entra ID logon session information.

Remote access with read and write rights through FortiGate Cloud now requires a paid FortiGate Cloud subscription. The FortiGate can still be accessed in a read-only state with the free tier of FortiGate Cloud. Alternatively, you can access your FortiGate through its web interface.

Please contact your Fortinet Sales/Partner for details on purchasing a FortiGate Cloud Service subscription license for your FortiGate device.

FortiOS supports Automatic Firmware Modification Attempt Reporting. This enhancement improves upon the Real-time file system integrity checking feature by implementing an automatic reporting mechanism in the event of an unauthorized firmware modification attempt.

Support the BGP graceful restart helper-only mode. This ensures that during a FortiGate HA failover, the neighboring router that only supports BGP graceful restart helper mode retains its routes.

FortiOS supports customizing retry times and intervals for token activation for FortiFlex/Flex-VM licenses.

execute vm-license-options count <integer>
execute vm-license-options interval <integer>

In hyperscale CGNAT PBA and SPA configurations, quick port re-use can occur because the default direct port selection mode always selects the next available port number in the port range. So if a port number that is low in the port range, becomes available it will be selected first. Quick port re-use can cause delays for some clients in some network configurations.

You can use the following commands to change the PBA and SPA port selection modes to random. In random mode, after selecting the first port number in the range, random mode randomly selects any port number in the range. Selecting a random port number makes it less likely to quickly re-use the same port numbers.

To change the PBA port selection mode:

config system npu
    set pba-port-select-mode {random | direct}
end

To change the SPA port selection mode:

config system npu
    set sba-port-select-mode {random | direct}
end

FortiOS supports up to six NetFlow collectors. This enhancement extends to multi-VDOM environments where a maximum of six NetFlow collectors can be used globally or on a per-VDOMs basis.

FortiOS supports source IP address anchoring in dial-up IPsec tunnels. This allows the gateway to match connections based on the IPv4/IPv6 gateway address parameters, such as the subnet, address range, or country.

A new CLI option allows users to choose to discard or permit IPv4 SCTP packets with zero checksums on the NP7 platform:

config system npu
    config fp-anomaly
        set sctp-csum-err {allow | drop | trap-to-host}
    next
end

FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.