
Changes in default behavior


Bug ID

Description

907096

The IoT Detection service, which includes IoT Detection Definitions (APDB) and the IoT Query service (IOTH), is merged into the Attack Surface Security Rating service (FGSA).

909045

Support enabling one-arm sniffer mode on mirrored ports (RSPAN or ESPAN) between a FortiSwitch port and a FortiGate VLAN interface. Prior to this change, one-arm sniffer mode could only be applied to physical interfaces. After this change, it can be applied to VLAN, VXLAN, and GRE interfaces.

914302

When creating a new wtp-profile entry, channel bonding is now set automatically to 40 MHz for 5 GHz radios and to 160 MHz for 6 GHz radios (FortiWiFi 60E models only).

917647

Support five-digit build numbers for the IPS engine instead of the previous three-digit major/minor version number. When the FortiGate extracts the IPS engine binary, it can now read IPS engine versions in the five-digit object ID format. The way the engine version is displayed in the GUI and CLI is unchanged, since both already show the minor version in the five-digit format.

921074

Reposition PSIRT related packages and functionality from the Security Rating entitlement into the Firmware entitlement. This allows more customers with the basic Firmware entitlement to have access to the latest PSIRT package updates, which can be run under Security Fabric > Security Rating > Security Posture checks.

923718

Update SSL VPN default behavior and visibility in the GUI:

  • By default, disable and hide SSL VPN web mode settings from the GUI and the CLI.
  • By default, hide the SSL VPN tunnel mode settings and the VPN > SSL-VPN menus from the GUI.
  • Divide the CLI configuration settings for VPN GUI feature visibility into IPsec (set gui-vpn under config system settings) and SSL VPN (set gui-sslvpn under config system settings), where IPsec is still enabled by default and SSL VPN is now disabled by default.
  • Add warning messages in the GUI on the VPN > SSL-VPN Settings page under the SSL-VPN status and Authentication/Portal Mapping fields when SSL VPN tunnel or web mode are enabled.
  • Add a new check on the Security Fabric > Security Rating page called Disable SSL-VPN Settings. This check fails whenever SSL VPN is enabled.

To enable SSL VPN web mode:

config system global
    set sslvpn-web-mode enable
end

To enable VPN > SSL-VPN menus in the GUI:

config system settings
    set gui-sslvpn enable
end

If SSL VPN web mode and tunnel mode were already configured on a FortiOS version earlier than 7.4.1, the VPN > SSL-VPN menus and the SSL VPN web mode settings remain visible in the GUI after upgrading to 7.4.1 or later; the new defaults apply only to devices where SSL VPN was not configured.

In FortiOS, alternative remote access solutions are IPsec VPN and ZTNA.
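The rating check above fails whenever SSL VPN is enabled, and upgraded devices keep their old SSL VPN settings. The following is an added example, not Fortinet code or CLI from this page: a small Python audit that flattens a FortiOS configuration export and reports the switches an operator would look for when deciding whether a device still exposes SSL VPN. The setting names sslvpn-web-mode (config system global) and gui-sslvpn (config system settings) come from the release note; treating set status under config vpn ssl settings as the tunnel-mode on/off switch is an assumption to verify against the CLI reference for your release. Both sample configurations are constructed, not real device exports.

```python
"""Audit a FortiOS config export for SSL VPN exposure (added example, not Fortinet code).

Flattens the 'config / edit / set / next / end' export format and flags the
switches relevant to the "Disable SSL-VPN Settings" rating check. The key
'status' under 'vpn ssl settings' is an ASSUMPTION; sslvpn-web-mode and
gui-sslvpn are taken from the release note.
"""
import shlex
from typing import Dict, List, Tuple

Settings = Dict[Tuple[str, str], List[str]]   # (config scope, key) -> values

# Scope/key pairs whose value "enable" means SSL VPN (or its GUI) is exposed.
SSLVPN_SWITCHES = {
    ("system global", "sslvpn-web-mode"): "SSL VPN web mode enabled",
    ("system settings", "gui-sslvpn"): "VPN > SSL-VPN menus visible in the GUI",
    ("vpn ssl settings", "status"): "SSL VPN tunnel mode enabled (assumed key)",
}


def parse_fortios_config(text: str) -> Settings:
    """Flatten a FortiOS export into {(scope, key): values}.

    'config a b' pushes scope 'a b'; 'edit "x"' pushes 'edit x'; 'next' and
    'end' pop. Nested scopes are joined with ' / ' so a key inside a table
    entry never collides with the same key at the top level.
    """
    settings: Settings = {}
    path: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                 # unbalanced quote: fall back to plain split
            tokens = line.split()
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            path.append(" ".join(args))
        elif keyword == "edit":
            path.append("edit " + " ".join(args))
        elif keyword in ("next", "end"):
            if path:
                path.pop()
        elif keyword in ("set", "unset") and args:
            scope = " / ".join(path)
            settings[(scope, args[0])] = args[1:] if keyword == "set" else []
    return settings


def audit_sslvpn(settings: Settings) -> List[str]:
    """Return one finding per SSL VPN switch that is explicitly set to 'enable'."""
    findings = []
    for (scope, key), meaning in SSLVPN_SWITCHES.items():
        values = settings.get((scope, key), [])
        if values and values[0].lower() == "enable":
            findings.append(f"config {scope}: set {key} enable  ({meaning})")
    return findings


# Constructed sample (not real device output): a pre-7.4.1 SSL VPN deployment
# after upgrade. Every switch is still explicitly enabled, so the check fails.
EXPOSED_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set sslvpn-web-mode enable
end
config system settings
    set gui-vpn enable
    set gui-sslvpn enable
end
config vpn ssl settings
    set status enable
    set port 10443
    config authentication-rule
        edit 1
            set groups "remote-users"
            set portal "full-access"
        next
    end
end
"""

# Same device after moving remote access to IPsec VPN or ZTNA: web mode off,
# tunnel mode off, SSL VPN menus hidden again. The IPsec GUI (gui-vpn) stays on.
HARDENED_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set sslvpn-web-mode disable
end
config system settings
    set gui-vpn enable
    set gui-sslvpn disable
end
config vpn ssl settings
    set status disable
end
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sslvpn(parse_fortios_config(cfg))
        print(f"{name}: {'FAIL' if findings else 'PASS'}")
        for finding in findings:
            print("  " + finding)
```

Run it against a backup taken with the CLI or GUI export; a device that passes here still needs the Security Rating page checked, since the rating check is the authoritative one and this script only reports switches the export sets explicitly.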

930122

Automatic firmware upgrades are now enabled by default on entry-level FortiGates (models below the 100 series). Upgrades are made to the next stable patch release. If the FortiGate is part of a Security Fabric or is managed by FortiManager, the Automatic image upgrade option is disabled.
