
FortiOS Release Notes

New features or enhancements

More detailed information is available in the New Features Guide.

Cloud

See Public and private cloud in the New Features Guide for more information.

Feature ID

Description

737947

When configuring a FortiGate VM as a network virtual appliance (NVA) as part of the Azure vWAN solution, the FortiGate can make API calls and send health metrics to Azure for integration with Azure Monitor.

839076

Add GUI support for configuring various AWS resource addresses using an AWS SDN connector.

930522

Remote access with read and write rights through FortiGate Cloud now requires a paid FortiGate Cloud subscription. The FortiGate can still be accessed in a read-only state with the free tier of FortiGate Cloud. Alternatively, you can access your FortiGate through its web interface.

Please contact your Fortinet Sales/Partner for details on purchasing a FortiGate Cloud Service subscription license for your FortiGate device.

938066

FortiOS supports customizing retry times and intervals for token activation for FortiFlex/Flex-VM licenses.

execute vm-license-options count <integer>
execute vm-license-options interval <integer>

952335

Add GUI support to apply a FortiFlex token on the FortiGate VM License page.

  • For newly deployed or expired VM instances: when the license pop-up appears.
  • For already licensed VM instances: from the Virtual Machine dashboard widget or the System > FortiGuard page.

FortiGate 6000 and 7000 platforms

Feature ID

Description

814242

The FortiGate 7000F platform supports setting a custom load balancing method for an individual VDOM. All of the traffic destined for that VDOM will be distributed to FPMs by the NP7 load balancers according to the following setting:

config system settings
    set dp-load-distribution-method {derived | to-primary | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
end

The default load balancing method, derived, means that traffic for that VDOM uses the global load balancing method set with the dp-load-distribution-method option in the global config load-balance setting command.

GUI

See GUI in the New Features Guide for more information.

Feature ID

Description

926533

The FortiOS GUI indicates when users are running the STS (Special Technical Support) build (formerly known as TOP3). It is more apparent that the user is using this specific build, and the associated risks are highlighted after users log in.

Hyperscale

Feature ID

Description

875141

Support the transmission of logs using TCP. This is a significant improvement from the previous version, which only supported UDP. TCP provides a more reliable connection, ensuring no logs are lost during transmission. This is beneficial for carrier customers who require a robust and dependable logging system.

920148

IPv4 or IPv6 IP address threat feeds can be added to hyperscale firewall policies as source or destination addresses.

921750

Support NetFlow version 9 for session logging in hyperscale VDOMs. By integrating NetFlow version 9 for session logging, the hyperscale software offers users a more comprehensive and precise view of network traffic data. This leads to enhanced network monitoring, troubleshooting, and planning capabilities.

936747

On FortiGates with multiple NP7 processors with hyperscale enabled, you can use the following command to optimize NP7 network session setup (NSS) engine performance.

config system npu
    set nss-threads-option {4T-EIF | 4T-NOEIF | 2T}
end

  • 4T-EIF: the NSS is configured with four threads and the Endpoint Independent Filtering (EIF) feature is allowed (the default). NSS with four threads supports the maximum NP7 Connections Per Second (CPS) performance.

  • 4T-NOEIF: the NSS is configured with four threads and the EIF feature is not allowed. This setting also supports the maximum NP7 CPS performance.

  • 2T: the NSS is configured with two threads and the EIF feature is allowed. This setting reduces the maximum NP7 CPS performance.

Note

Changing the nss-threads-option causes the FortiGate to restart.

940504

In hyperscale CGNAT PBA and SPA configurations, quick port re-use can occur because the default direct port selection mode always selects the next available port number in the port range. So if a port number that is low in the port range becomes available, it will be selected first. Quick port re-use can cause delays for some clients in some network configurations.

You can use the following commands to change the PBA and SPA port selection modes to random. In random mode, after the first port number in the range has been selected, any port number in the range is selected at random for subsequent allocations. Selecting a random port number makes it less likely that the same port numbers are re-used quickly.

To change the PBA port selection mode:

config system npu
    set pba-port-select-mode {random | direct}
end
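As an added illustration (not part of the release notes and not FortiOS code): a small Python model of the two port selection modes described above, showing why direct selection re-uses a freed port almost immediately while random selection spreads re-use across the range. The 64-port block, the churn workload and the logical tick clock are assumptions made for the illustration.

```python
import random

# Constructed model of a CGNAT port block under the two selection modes named in
# the release note. Assumptions (not from FortiOS): a 64-port block, a logical
# clock that advances once per allocate or release event, and a churn workload
# that keeps a fixed number of sessions open.


class PortBlock:
    """A block of CGNAT ports with a selectable allocation policy.

    mode="direct": select the lowest free port in the range (the note's
                   "next available port number").
    mode="random": the first allocation takes the first port in the range;
                   every later allocation takes a uniformly random free port.
    """

    def __init__(self, mode, first=1024, last=1087, seed=0):
        if mode not in ("direct", "random"):
            raise ValueError("mode must be 'direct' or 'random'")
        self.mode = mode
        self.free = set(range(first, last + 1))
        self.released_at = {}   # port -> tick of its most recent release
        self.allocations = 0
        self.tick = 0           # logical clock: +1 per allocate/release event
        self.rng = random.Random(seed)

    def allocate(self):
        """Return (port, gap): gap is the number of ticks since the port was
        last released, or None if the port has never been handed out."""
        if not self.free:
            raise RuntimeError("port block exhausted")
        self.tick += 1
        if self.mode == "direct" or self.allocations == 0:
            port = min(self.free)
        else:
            port = self.rng.choice(sorted(self.free))
        self.free.remove(port)
        self.allocations += 1
        gap = None
        if port in self.released_at:
            gap = self.tick - self.released_at[port]
        return port, gap

    def release(self, port):
        """Return a port to the block and remember when it was freed."""
        self.tick += 1
        self.free.add(port)
        self.released_at[port] = self.tick


def simulate(mode, sessions=200, concurrency=8, seed=1):
    """Churn workload: keep `concurrency` sessions open; every new session
    beyond that releases the oldest one. Returns re-use statistics, where a
    small gap means a freed port was handed to a new client almost at once."""
    block = PortBlock(mode, seed=seed)
    active = []     # FIFO of ports held by open sessions
    gaps = []       # ticks between release and re-allocation, per re-use
    for _ in range(sessions):
        port, gap = block.allocate()
        if gap is not None:
            gaps.append(gap)
        active.append(port)
        if len(active) > concurrency:
            block.release(active.pop(0))
    return {
        "reuse_count": len(gaps),
        "min_gap": min(gaps) if gaps else None,
        "mean_gap": sum(gaps) / len(gaps) if gaps else None,
    }


if __name__ == "__main__":
    for mode in ("direct", "random"):
        print(mode, simulate(mode))
```

In direct mode every re-use in this workload happens one tick after the release, which is the quick re-use the note describes; in random mode the mean gap grows with the number of free ports in the block.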

968801

Add the enforce-seq-order hyperscale hardware logging option to enable or disable sending hyperscale VDOM software session logs in order by sequence number.

LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID

Description

834550

Introduce FortiSwitch management using the HTTPS protocol. This new capability supports all the same FortiLink features, offering users a simpler alternative to the more complex CAPWAP protocol.

866172

The local radio of FortiWiFi 8xF, 6xF, and 40F models, when operating in client mode and connecting to a third-party SSID, can be configured in the GUI to use either WPA3 SAE or Opportunistic Wireless Encryption (OWE) security mode.

866174

When a specific Fortinet external antenna is installed, the FortiAP profiles of FAP-432F, FAP-433F, FAP-U432F, and FAP-U433F models can be configured using the optional-antenna setting by choosing from a list of supported Fortinet external antenna models. For example, for the FAP-433F:

config wireless-controller wtp-profile
    edit "FAP433F"
        config radio-1
            set optional-antenna {none | FANT-04ABGN-0606-O-R | FANT-04ABGN-0606-P-R}
        end
    next
end

This setting can be configured in the GUI for supported FortiAP profiles in the Radio section. Enable External antenna and select the external antenna model from the list of defined values.

This setting lets the FortiGate wireless controller take into account the antenna gain specific to the Fortinet external antenna model and the Wi-Fi band (2.4 GHz or 5 GHz) in use when it sets the transmit power for a managed FortiAP device.

906063

FortiOS allows you to define the formatting of specific RADIUS request attributes when they are transmitted to the RADIUS server, including: User-Name, User-Password, Called-Station-Id, and Calling-Station-Id.

913213

When authenticating users with a RADIUS server, FortiOS can now dynamically assign a different NAS-IP-Address attribute to the managed switches. For more control, this feature also allows you to manually override the dynamic assignment and set the NAS-IP-Address attribute for individual switches as per your requirements.

918856

FortiOS supports assigning a priority to each VLAN. If there is more than one VLAN with the same name, the VLAN with the lowest priority value will be selected by the managed FortiSwitch.

933260

Support RADIUS accounting interim updates on roaming for WPA-Enterprise security. The enhancement is specifically designed to resolve compatibility issues with Cisco's Identity Services Engine (ISE) session stitching feature with improved interoperability between devices and networks, leading to a more seamless and secure wireless connectivity experience. This is beneficial for organizations that rely on Cisco ISE for network access control, as it ensures their security protocols align with industry standards.

config wireless-controller vap
    edit <name>
        set security wpa2-only-enterprise
        set roaming-acct-interim-update {enable | disable}
    next
end

939229

Support the Hunting-and-Pecking (HnP) Only authentication method for WPA3-SAE SSIDs. This setting is disabled by default.

config wireless-controller vap
    edit <name>
        set ssid <name>
        set security wpa3-sae
        set pmf enable
        set sae-hnp-only {enable | disable}
    next
end

940562

When a third-party external antenna is installed, the FortiAP profiles of selected models can be configured with set optional-antenna custom and set optional-antenna-gain <integer> (in dBi, 0 - 20, default = 0).

Supported FortiAP models include: FAP-432F, FAP-432FR, FAP-433F, FAP-233G, FAP-432G, FAP-433G, FAP-U432F, and FAP-U433F. For example:

config wireless-controller wtp-profile
    edit "FP433G"
        config platform
            set type 433G
        end
        config radio-2
            set optional-antenna custom
            set optional-antenna-gain "10"
        end
    next
end

These settings can be configured in the GUI for supported FortiAP profiles in the Radio section. Enable External antenna, select Custom from the dropdown, and enter a value for External antenna gain (dB).

940905

Support WPA3 options when the radio mode is set to Fortinet's SAM (Service Assurance Manager). This includes WPA3-SAE and WPA3 OWE. It also includes support for WPA2/WPA3-Enterprise with certificate authentication, encompassing both PEAP and EAP-TLS.

config wireless-controller wtp-profile
    edit <name>
        config radio-1
            set mode sam
            set sam-ssid <string>
            set sam-security-type {wpa-enterprise | wpa3-sae | owe}
        end
    next
end

960883

Support individual control of the 802.11k and 802.11v protocols. In previous FortiOS versions, these protocols were jointly controlled with the voice-enterprise option.

config wireless-controller vap
    edit <name>
        set 80211k {enable | disable}
        set 80211v {enable | disable}
    next
end

962880

Simplify the Bonjour profile provisioning and failover mechanism.

  • Users can set the Bonjour profile in the WTP configuration and WTP profile.
    config wireless-controller wtp-profile
        edit <name>
            set bonjour-profile <name>
        next
    end
  • To ensure uninterrupted service, introduce a new election procedure among the APs. This provides a failover mechanism or redundancy if the Bonjour gateway goes down.

962881

Support hitless rolling AP upgrades. This feature smartly upgrades APs by not upgrading all APs at once. It queues some APs and considers the reachability of neighboring APs and their locations. This prevents service drops during simultaneous upgrades, ensuring uninterrupted WiFi service.

963851

Enhance CAPWAP management over NAT to provide a stability boost for Fortinet APs that operate behind a NAT device. This allows users to set the frequency of keep-alive messages, thereby improving connectivity.

config wireless-controller timers
    set nat-session-keep-alive <integer>
end

967663

Support the generation of a private key, a crucial component for SAE-PK authentication. This enhancement is significant as it offers an integrated mechanism for key generation, eliminating the need for third-party tools. This makes the FortiGate a more self-sufficient and secure system for SAE-PK authentication.

# execute wireless-controller create-sae-pk

969387

Support the automated reboot functionality for APs. This automatically reboots an AP stuck in a discovery loop, a state that disrupts network service. This smart feature reduces network downtime, and eliminates the need for manual intervention, thus saving time and resources. It ensures a resilient and seamless network experience.

config wireless-controller timers
    set ap-reboot-wait-interval <integer>
    set ap-reboot-wait-time <hh:mm>
    set ap-reboot-wait-interval2 <integer>
end

Log & Report

See Logging in the New Features Guide for more information.

Feature ID

Description

975411

Modify the log fields for long-lived sessions by adding three new log fields to the long-lived session log: duration delta (durationdelta), sent packet delta (sentpktdelta), and received packet delta (rcvdpktdelta). The fields enhance the granularity and accuracy of session logs, providing a more detailed view of long-lived sessions. This aids in troubleshooting and analysis.

Network

See Network in the New Features Guide for more information.

Feature ID

Description

685910

Add SoC4 driver support for IEEE 802.1ad, also known as QinQ. When the OIDs are exhausted, a new QinQ interface cannot be created.

881823

BGP now incorporates the advanced security measures of the TCP Authentication Option (TCP-AO). This integration bolsters the security of BGP connections and enhances the reliability of these connections, thereby contributing to the overall security of the internet.

  • Add cmac-aes128 option in the router key-chain settings:

    config router key-chain
        edit <name>
            config key
                edit <id>
                    set algorithm cmac-aes128
                next
            end
        next
    end
  • Add auth-options for BGP neighbor and neighbor-group settings:

    config router bgp
        config neighbor
            edit <ip>
                set auth-options <key-chain>
            next
        end
        config neighbor-group
            edit <name>
                set auth-options <key-chain>
            next
        end
    end
  • Add debug command for tcp-auth-options:

    # diagnose sys tcp-auth-options

890574

Support port mirroring with NP7 offloaded traffic. Offloaded packets are copied to a mirroring port, which can be linked to an external device for in-depth analytics.

921795

Simplify the configuration of the FortiGate LAN extension feature by automatically configuring a VDOM link between a traffic VDOM (by default, the root VDOM) and the LAN extension VDOM.

After connecting to the FortiGate Controller, the following settings are automatically configured on the FortiGate Connector:

  • VDOM link interface in the LAN extension VDOM is a part of the LAN extension software switch
  • VDOM link interface in the traffic VDOM is dynamically assigned an IP address, which has been obtained from the FortiGate Controller

This feature is required to support the FortiGate Secure Edge use case for FortiSASE.

925668

FortiOS can be configured with a maximum of three sFlow collectors. This also applies to multi-VDOM environments, where a maximum of three sFlow collectors can be used globally and/or on a per-VDOM basis. This feature enables up to three unique parallel sFlow streams per sFlow sample, one to each of three different sFlow collectors. The sFlow collector configuration can only be configured in the CLI.

934273

Support the BGP graceful restart helper-only mode. This ensures that during a FortiGate HA failover, the neighboring router that only supports BGP graceful restart helper mode retains its routes.

941347

Enhance FortiOS packet capture. If the browser is closed or refreshed, users can return at a later time to view, stop, restart, or download the capture. The number of captures that can be stored on FortiGate is determined by the device's capabilities. REST APIs have been introduced for starting, stopping, deleting, and downloading packet captures.

951273

FortiOS provides the ability to enable or disable 802.1x authentication on a per-port basis, providing administrators precise management over which ports use 802.1x.

951275

FortiOS provides the ability to enable or disable Spanning Tree Protocol (STP) on a per-port basis, providing administrators precise management over which ports use STP.

965990

FortiOS supports up to six NetFlow collectors. This enhancement extends to multi-VDOM environments, where a maximum of six NetFlow collectors can be used globally or on a per-VDOM basis.

Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID

Description

875309

Add GUI support for port block allocation (PBA) IP pools for NAT64 traffic.

886571

Support IPS inspection for multicast UDP traffic.

941072

The handling of virtual patch local-in traffic is optimized by identifying the type of traffic early based on its port number and protocol. The IPS engine will tag the local-in sessions for services, including SSL VPN and web GUI. If a tagged session does not have any vulnerability signatures for the FortiOS version, then IPS will bypass scanning the session. This optimizes performance by only scanning and dropping the sessions that are exploiting a vulnerability.

SD-WAN

See SD-WAN in the New Features Guide for more information.

Feature ID

Description

884084

Update SD-WAN with ADVPN to version 2.0 with major changes to ADVPN design and operation, namely, introducing edge discovery and path management for ADVPN spokes.

ADVPN 2.0 incorporates intelligence into the spokes to ensure shortcut tunnels, known as shortcuts, are established using underlays available on both spokes and chosen based on matching certain link health criteria.

ADVPN 2.0 provides a more flexible SD-WAN solution than the original ADVPN to achieve resiliency against underlay outages or degraded underlay performance that is no longer dependent on specific BGP routing designs or mechanisms.

900197

Add IPv6 support for SD-WAN segmentation over a single overlay. This allows seamless communication between IPv6 devices within virtual routing and forwarding (VRF) overlay networks, benefiting organizations transitioning to IPv6 or operating in a dual-stack environment.

936294

Enhance the SD-WAN hub and spoke speed test feature as follows:

  • Allow the speed test server to be deployed on the hub. Speed tests can be initiated from the spokes in cases when a spoke is behind NAT.
  • Support uploading and downloading tests.
  • Support TCP and UDP.
  • Allow users to apply an egress shaping profile (update-shaper) to an IPsec tunnel (none, local, remote, or both).
  • Support configuring custom speed test ports.

Security Fabric

See Security Fabric in the New Features Guide for more information.

Feature ID

Description

815483

FOS now supports configurable Purdue levels for Fortinet Fabric devices, specifically: FortiGate, managed FortiSwitch, and FortiAP.

This means that users have the flexibility to adjust the Purdue levels of these devices according to their specific needs and preferences, enhancing the adaptability and functionality of their Fabric devices.

Security Profiles

See Security profiles in the New Features Guide for more information.

Feature ID

Description

744954

Support Punycode encoding in the url and hostname fields in flow mode web filter UTM logs. This caters to domain names containing non-ASCII characters, such as internationalized domain names (IDNs). It also aligns the functionality of flow and proxy modes, offering a more unified and improved user experience.

config webfilter profile
    edit <name>
        set web-flow-log-encoding {utf-8 | punycode}
    next
end

848844

Diameter protocol inspection is supported on the FortiGate. Key features include:

  • Diameter-based packet forwarding and routing: the FortiGate can forward and route Diameter packets that match a firewall policy with an enabled diameter-filter profile.

  • Packet sanity checking: this feature checks if the packet passing through the FortiGate conforms to the Diameter protocol standards as defined in RFC 3588.

  • Logging: for network auditing purposes, the traffic for both dropped and forwarded Diameter-based packets can be logged.

This is crucial for interfaces used to exchange information with roaming partners over the IPX network.

888411

Enhance customization and control in the video filter profile with two keyword-based filters for video titles and descriptions that offer AND/OR logic options. Users can prioritize configured filters, and manage all categories and channels that match the filters using the Any option.

939342

DLP has been enhanced with a Data Threat Feed, Exact Data Match Support, and Enhanced Keyword Search. These upgrades aim to optimize data management and minimize false positives.

959763

The inline IPS feature allows HTTP/HTTPS traffic to be processed directly in WAD for application control and IPS UTM features, reducing reliance on the IPS Engine. The IPS Engine is still required for non-HTTP protocols. This feature is automatically enabled for new devices, but is not enabled if upgrading from FortiOS 7.4.1 or earlier.

config ips settings
    set proxy-inline-ips {enable | disable}
end

System

See System in the New Features Guide for more information.

Feature ID

Description

480717

Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports.

739200

Add GUI support to prevent FortiGates with an expired support contract from upgrading to a major or minor firmware release.

946205

Enhance IPv6 VRRP to manage and control the VRRP states. Previously, the VRRP states would continue to be primary as long as the IPv6 VRRP destination could be reached by any route, including the default route.

config system interface
    edit <name>
        config ipv6
            config vrrp6
                edit <id>
                    set ignore-default-route {enable | disable}
                next
            end
        end
    next
end

954639

Support SNMP traps for monitoring the free and freeable memory usage on FortiGates.

config system snmp sysinfo
    set trap-free-memory-threshold <integer>
    set trap-freeable-memory-threshold <integer>
end

964697

Support an SNMP trap when power is restored to a power supply unit (PSU) in a FortiGate. When the PSU regains power after an outage, the SNMP trap is triggered. This enhances the monitoring capabilities of the FortiGate.

VPN

See IPsec and SSL VPN in the New Features Guide for more information.

Feature ID

Description

780297

Rename the mdst-addr6 IKE debug filter option to mrem-addr6.

879452

Add the ability for users to rename IPsec tunnels. Once a tunnel name is changed, all references to that tunnel, such as routing and policies, are automatically updated to reflect the new name. This ensures consistency and saves users the trouble of manually updating each reference.

config vpn ipsec phase1-interface
    rename <string> to <string>
end

887173

IPsec tunnels between HA members use manual keys to encrypt and authenticate, which may not be sufficient for some internal security policies. The IKE daemon has been updated to use auto-negotiation for the IPsec tunnel key, and to establish and maintain the tunnel.

config system ha
    set ipsec-phase2-proposal <option>
end

905804

Support IPsec key retrieval with a quantum key distribution (QKD) system using the ETSI standardized API. This eliminates negotiation, simplifies the process, and enhances efficiency in IPsec key management.

921914

Support autoconnect to IPsec VPN using Microsoft Entra ID. This enables seamless and secure connectivity for users accessing corporate resources by automatically establishing IPsec VPN connections based on Microsoft Entra ID logon session information.

923120

Introduce a proprietary solution to support the encapsulation of Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers. This allows ESP packets to be assigned a port number, which enables them to traverse over carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.

The TCP port for IKE/IPsec traffic is configured in the global settings:

config system settings
    set ike-tcp-port <integer>
end

The phase 1 interface settings include options for ESP encapsulation:

config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport {udp | udp-fallback-tcp | tcp}
        set fortinet-esp {enable | disable}
        set fallback-tcp-threshold <integer>
    next
end

ZTNA

See Zero Trust Network Access in the New Features Guide for more information.

Feature ID

Description

865016

Introduce Fabric integration between the FortiGate and FortiGSLB, which allows a FortiGate to publish custom host and domain names directly to FortiGSLB. This enables external IPs on VIPs used in ZTNA server objects to be published with the host and domain names directly to FortiGSLB, where its DNS service can provide nameserver lookups for the FQDNs.

897240

The Any/All GUI selector for ZTNA tags is added back to the simple and full ZTNA policy configuration page. The default setting is Any.

New features or enhancements

New features or enhancements

More detailed information is available in the New Features Guide.

Cloud

See Public and private cloud in the New Features Guide for more information.

Feature ID

Description

737947

When configuring a FortiGate VM as a network virtual appliance (NVA) as part of the Azure vWAN solution, the FortiGate can make API calls and send health metrics to Azure for integration with Azure Monitor.

839076

Add GUI support for configuring various AWS resource addresses using an AWS SDN connector.

930522

Remote access with read and write rights through FortiGate Cloud now requires a paid FortiGate Cloud subscription. The FortiGate can still be accessed in a read-only state with the free tier of FortiGate Cloud. Alternatively, you can access your FortiGate through its web interface.

Please contact your Fortinet Sales/Partner for details on purchasing a FortiGate Cloud Service subscription license for your FortiGate device.

938066

FortiOS supports customizing retry times and intervals for token activation for FortiFlex/Flex-VM licenses.

execute vm-license-options count <integer>
execute vm-license-options interval <integer>

952335

Add GUI support to apply a FortiFlex token on the FortiGate VM License page.

  • For newly deployed or expired VM instances: when the license pop-up appears.
  • For already licensed VM instances: from the Virtual Machine dashboard widget or the System > FortiGuard page.

FortiGate 6000 and 7000 platforms

Feature ID

Description

814242

The FortiGate 7000F platform supports setting a custom load balancing method for an individual VDOM. All of the traffic destined for that VDOM will be distributed to FPMs by the NP7 load balancers according to the following setting:

config system settings
    set dp-load-distribution-method {derived | to-primary | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
end

The default load balancing method, derived, means traffic for that VDOM uses the global load balancing method set by the dp-load-distribution-method option of the global config load-balance setting command.

GUI

See GUI in the New Features Guide for more information.

Feature ID

Description

926533

The FortiOS GUI indicates when users are running the STS (Special Technical Support) build (formerly known as TOP3). It is more apparent that the user is using this specific build, and the associated risks are highlighted after users log in.

Hyperscale

Feature ID

Description

875141

Support the transmission of logs using TCP. This is a significant improvement from the previous version, which only supported UDP. TCP provides a more reliable connection, ensuring no logs are lost during transmission. This is beneficial for carrier customers who require a robust and dependable logging system.

920148

IPv4 or IPv6 IP address threat feeds can be added to hyperscale firewall policies as source or destination addresses.

921750

Support NetFlow version 9 for session logging in hyperscale VDOMs. By integrating NetFlow version 9 for session logging, the hyperscale software offers users a more comprehensive and precise view of network traffic data. This leads to enhanced network monitoring, troubleshooting, and planning capabilities.

936747

On FortiGates with multiple NP7 processors with hyperscale enabled, you can use the following command to optimize NP7 network session setup (NSS) engine performance.

config system npu
    set nss-threads-option {4T-EIF | 4T-NOEIF | 2T}
end
  • 4T-EIF: the NSS is configured with four threads and the Endpoint Independent Filtering (EIF) feature is allowed (the default). NSS with four threads supports the maximum NP7 Connections Per Second (CPS) performance.

  • 4T-NOEIF: the NSS is configured with four threads and the EIF feature is not allowed. Also supports the maximum NP7 CPS performance.

  • 2T: the NSS is configured with two threads and the EIF feature is allowed. This setting reduces the maximum NP7 CPS performance.

Note

Changing the nss-threads-option causes the FortiGate to restart.

940504

In hyperscale CGNAT PBA and SPA configurations, quick port re-use can occur because the default direct port selection mode always selects the next available port number in the port range. So if a port number that is low in the port range, becomes available it will be selected first. Quick port re-use can cause delays for some clients in some network configurations.

You can use the following commands to change the PBA and SPA port selection modes to random. In random mode, after selecting the first port number in the range, random mode randomly selects any port number in the range. Selecting a random port number makes it less likely to quickly re-use the same port numbers.

To change the PBA port selection mode:

config system npu
    set pba-port-select-mode {random | direct}
end

968801

Add enforce-seq-order hyperscale hardware logging option to enable or disable sending hyperscale VDOM software session logs in order by sequence number.

LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID

Description

834550

Introduce FortiSwitch management using the HTTPS protocol. This new capability supports all the same FortiLink features, offering users a simpler alternative to the more complex CAPWAP protocol.

866172

The local radio of FortiWiFi 8xF, 6xF, and 40F models when operating in client mode and connecting with a third-party SSID can be configured in the GUI to use either WPA3 SAE or Opportunistic Wireless Encryption (OWE) security mode.

866174

When a specific Fortinet external antenna is installed, the FortiAP profiles of FAP-432F, FAP-433F, FAP-U432F, and FAP-U433F models can be configured using the optional-antenna setting by choosing from a list of supported Fortinet external antenna models. For example, for the FAP-433F:

config wireless-controller wtp-profile
    edit "FAP433F"
        config radio-1
            set optional-antenna {none | FANT-04ABGN-0606-O-R | FANT-04ABGN-0606-P-R}
        end
    next
end

This setting can be configured in the GUI for supported FortiAP profile in the Radio section. Enable External antenna and select the external antenna model from the list of defined values.

This setting allows antenna gains that are specific to the Fortinet external antenna model and the Wi-Fi band (2.4 GHz or 5 GHz) being used to be taken into consideration by the FortiGate wireless controller to set transmit power properly for a managed FortiAP device.

906063

FortiOS allows you to define the formatting of specific RADIUS request attributes when they are transmitted to the RADIUS server, including: User-Name, User-Password, Called-Station-Id, and Calling-Station-Id.

913213

When authenticating users with a RADIUS server, FortiOS can now dynamically assign a different NAS-IP-Address attribute to the managed switches. For more control, this feature also allows you to manually override the dynamic assignment and set the NAS-IP-Address attribute for individual switches as per your requirements.

918856

FortiOS supports assigning a priority to each VLAN. If there is more than one VLAN with the same name, the VLAN with the lowest priority value will be selected by the managed FortiSwitch.

933260

Support RADIUS accounting interim updates on roaming for WPA-Enterprise security. The enhancement resolves compatibility issues with the session stitching feature of Cisco Identity Services Engine (ISE), improving interoperability between devices and networks for a more seamless and secure wireless connectivity experience. This benefits organizations that rely on Cisco ISE for network access control, as it ensures their security protocols align with industry standards.

config wireless-controller vap
    edit <name>
        set security wpa2-only-enterprise
        set roaming-acct-interim-update {enable | disable}
    next
end

939229

Support the Hunting-and-Pecking (HnP) Only authentication method for WPA3-SAE SSIDs. This setting is disabled by default.

config wireless-controller vap
    edit <name>
        set ssid <name>
        set security wpa3-sae
        set pmf enable
        set sae-hnp-only {enable | disable}
    next
end

940562

When a third-party external antenna is installed, the FortiAP profiles of selected models can be configured with set optional-antenna custom and set optional-antenna-gain <integer> (in dBi, 0 - 20, default = 0).

Supported FortiAP models include: FAP-432F, FAP-432FR, FAP-433F, FAP-233G, FAP-432G, FAP-433G, FAP-U432F, and FAP-U433F. For example:

config wireless-controller wtp-profile
    edit "FP433G"
        config platform
            set type 433G
        end
        config radio-2
            set optional-antenna custom
            set optional-antenna-gain "10"
        end
    next
end

These settings can be configured in the GUI for supported FortiAP profiles in the Radio section. Enable External antenna, select Custom from the dropdown, and enter a value for External antenna gain (dB).

940905

Support WPA3 options when the radio mode is set to Fortinet's SAM (Service Assurance Manager). This includes WPA3-SAE and WPA3 OWE. It also includes support for WPA2/WPA3-Enterprise with certificate authentication, encompassing both PEAP and EAP-TLS.

config wireless-controller wtp-profile
    edit <name>
        config radio-1
            set mode sam
            set sam-ssid <string>
            set sam-security-type {wpa-enterprise | wpa3-sae | owe}
        end
    next
end

960883

Support individual control of the 802.11k and 802.11v protocols. In previous FortiOS versions, these protocols were jointly controlled with the voice-enterprise option.

config wireless-controller vap
    edit <name>
        set 80211k {enable | disable}
        set 80211v {enable | disable}
    next
end

962880

Simplify the Bonjour profile provisioning and failover mechanism.

  • Users can set the Bonjour profile in the WTP configuration and WTP profile.
    config wireless-controller wtp-profile
        edit <name>
            set bonjour-profile <name>
        next
    end
  • To ensure uninterrupted service, introduce a new election procedure among the APs. This provides a failover mechanism or redundancy if the Bonjour gateway goes down.

962881

Support hitless rolling AP upgrades. This feature smartly upgrades APs by not upgrading all APs at once. It queues some APs and considers the reachability of neighboring APs and their locations. This prevents service drops during simultaneous upgrades, ensuring uninterrupted WiFi service.

963851

Enhance CAPWAP management over NAT to provide a stability boost for Fortinet APs that operate behind a NAT device. This allows users to set the frequency of keep-alive messages, thereby improving connectivity.

config wireless-controller timers
    set nat-session-keep-alive <integer>
end

967663

Support the generation of a private key, a crucial component for SAE-PK authentication. This enhancement is significant as it offers an integrated mechanism for key generation, eliminating the need for third-party tools. This makes the FortiGate a more self-sufficient and secure system for SAE-PK authentication.

# execute wireless-controller create-sae-pk

969387

Support automated reboot of APs. This automatically reboots an AP that is stuck in a discovery loop, a state that disrupts network service. The feature reduces network downtime and eliminates the need for manual intervention, saving time and resources and ensuring a resilient and seamless network experience.

config wireless-controller timers
    set ap-reboot-wait-interval <integer>
    set ap-reboot-wait-time <hh:mm>
    set ap-reboot-wait-interval2 <integer>
end

Log & Report

See Logging in the New Features Guide for more information.

Feature ID

Description

975411

Modify the log fields for long-lived sessions by adding three new log fields to the long-lived session log: duration delta (durationdelta), sent packet delta (sentpktdelta), and received packet delta (rcvdpktdelta). The fields enhance the granularity and accuracy of session logs, providing a more detailed view of long-lived sessions. This aids in troubleshooting and analysis.
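The three delta fields make each interim record self-describing, so a log consumer can account traffic per interval and also spot a lost interim record by comparing the jump in the cumulative counter with the reported delta. The following is an added example, not FortiOS code or output: the log lines are constructed, and `sessionid`, `duration`, `sentpkt` and `rcvdpkt` are assumed to be the existing cumulative fields alongside the new `durationdelta`, `sentpktdelta` and `rcvdpktdelta`.

```python
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Split a FortiOS-style key=value log line into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Cumulative counter -> the delta field covering only the last interval.
# The delta names come from the release note; duration, sentpkt, rcvdpkt and
# sessionid are assumed to be the existing cumulative fields.
DELTA_FIELDS = {"duration": "durationdelta", "sentpkt": "sentpktdelta", "rcvdpkt": "rcvdpktdelta"}

# Constructed sample: interim records for one long-lived session, emitted every 300 s.
# The third record's cumulative counters jump by more than its deltas report, which
# is what a lost or dropped interim record looks like to the consumer.
SAMPLE_LOGS = [
    'type="traffic" subtype="forward" sessionid=4242 duration=300 durationdelta=300 '
    'sentpkt=120 sentpktdelta=120 rcvdpkt=95 rcvdpktdelta=95',
    'type="traffic" subtype="forward" sessionid=4242 duration=600 durationdelta=300 '
    'sentpkt=260 sentpktdelta=140 rcvdpkt=210 rcvdpktdelta=115',
    'type="traffic" subtype="forward" sessionid=4242 duration=1200 durationdelta=300 '
    'sentpkt=500 sentpktdelta=110 rcvdpkt=400 rcvdpktdelta=90',
]

def records_by_session(lines):
    """Group parsed records by sessionid, ordered by cumulative duration."""
    by_sid = defaultdict(list)
    for rec in map(parse_kv, lines):
        if "sessionid" in rec:
            by_sid[rec["sessionid"]].append(rec)
    for recs in by_sid.values():
        recs.sort(key=lambda r: int(r.get("duration", 0)))
    return by_sid

def check_continuity(lines):
    """Compare each record's cumulative change with its reported delta.
    Returns {sessionid: [(field, expected_delta, reported_delta), ...]} for mismatches."""
    gaps = defaultdict(list)
    for sid, recs in records_by_session(lines).items():
        prev = {}
        for rec in recs:
            for total, delta in DELTA_FIELDS.items():
                if total in rec and delta in rec:
                    expected = int(rec[total]) - int(prev.get(total, 0))
                    reported = int(rec[delta])
                    if expected != reported:
                        gaps[sid].append((total, expected, reported))
            prev = rec
    return dict(gaps)

def totals_from_deltas(lines, sid):
    """Per-interval accounting: sum the delta fields received for one session."""
    sums = dict.fromkeys(DELTA_FIELDS, 0)
    for rec in records_by_session(lines).get(sid, []):
        for total, delta in DELTA_FIELDS.items():
            sums[total] += int(rec.get(delta, 0))
    return sums
```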

Network

See Network in the New Features Guide for more information.

Feature ID

Description

685910

Add SoC4 driver support for IEEE 802.1ad, also known as QinQ. When the available OIDs are exhausted, no new QinQ interface can be created.

881823

BGP now incorporates the advanced security measures of the TCP Authentication Option (TCP-AO). This integration bolsters the security of BGP connections and enhances the reliability of these connections, thereby contributing to the overall security of the internet.

  • Add cmac-aes128 option in the router key-chain settings:

    config router key-chain
        edit <name>
            config key
                edit <id>
                    set algorithm cmac-aes128
                next
            end
        next
    end
  • Add auth-options for BGP neighbor and neighbor-group settings:

    config router bgp
        config neighbor
            edit <ip>
                set auth-options <key-chain>
            next
        end
        config neighbor-group
            edit <name>
                set auth-options <key-chain>
            next
        end
    end
  • Add debug command for tcp-auth-options:

    # diagnose sys tcp-auth-options

890574

Support port mirroring with NP7 offloaded traffic. Offloaded packets are copied to a mirroring port, which can be linked to an external device for in-depth analytics.

921795

Simplify the configuration of the FortiGate LAN extension feature by automatically configuring a VDOM link between a traffic VDOM (by default, the root VDOM) and the LAN extension VDOM.

After connecting to the FortiGate Controller, the following settings are automatically configured on the FortiGate Connector:

  • The VDOM link interface in the LAN extension VDOM is part of the LAN extension software switch.
  • The VDOM link interface in the traffic VDOM is dynamically assigned an IP address obtained from the FortiGate Controller.

This feature is required to support the FortiGate Secure Edge use case for FortiSASE.

925668

FortiOS can be configured with a maximum of three sFlow collectors. This also applies to multi-VDOM environments, where a maximum of three sFlow collectors can be used globally or on a per-VDOM basis. This allows up to three unique parallel sFlow streams per sFlow sample to three different sFlow collectors. The sFlow collector configuration is available only in the CLI.

934273

Support the BGP graceful restart helper-only mode. This ensures that during a FortiGate HA failover, the neighboring router that only supports BGP graceful restart helper mode retains its routes.

941347

Enhance FortiOS packet capture. If the browser is closed or refreshed, users can return at a later time to view, stop, restart, or download the capture. The number of captures that can be stored on FortiGate is determined by the device's capabilities. REST APIs have been introduced for starting, stopping, deleting, and downloading packet captures.

951273

FortiOS provides the ability to enable or disable 802.1x authentication on a per-port basis, providing administrators precise management over which ports use 802.1x.

951275

FortiOS provides the ability to enable or disable Spanning Tree Protocol (STP) on a per-port basis, providing administrators precise management over which ports use STP.

965990

FortiOS supports up to six NetFlow collectors. This enhancement extends to multi-VDOM environments, where a maximum of six NetFlow collectors can be used globally or on a per-VDOM basis.

Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID

Description

875309

Add GUI support for port block allocation (PBA) IP pools for NAT64 traffic.

886571

Support IPS inspection for multicast UDP traffic.

941072

The handling of virtual patch local-in traffic is optimized by identifying the type of traffic early based on its port number and protocol. The IPS engine will tag the local-in sessions for services, including SSL VPN and web GUI. If a tagged session does not have any vulnerability signatures for the FortiOS version, then IPS will bypass scanning the session. This optimizes performance by only scanning and dropping the sessions that are exploiting a vulnerability.

SD-WAN

See SD-WAN in the New Features Guide for more information.

Feature ID

Description

884084

Update SD-WAN with ADVPN to version 2.0 with major changes to ADVPN design and operation, namely, introducing edge discovery and path management for ADVPN spokes.

ADVPN 2.0 incorporates intelligence into the spokes to ensure shortcut tunnels, known as shortcuts, are established using underlays available on both spokes and chosen based on matching certain link health criteria.

ADVPN 2.0 provides a more flexible SD-WAN solution than the original ADVPN to achieve resiliency against underlay outages or degraded underlay performance that is no longer dependent on specific BGP routing designs or mechanisms.

900197

Add IPv6 support for SD-WAN segmentation over a single overlay. This allows seamless communication between IPv6 devices within virtual routing and forwarding (VRF) overlay networks, benefiting organizations transitioning to IPv6 or operating in a dual-stack environment.

936294

Enhance the SD-WAN hub and spoke speed test feature as follows:

  • Allow the speed test server to be deployed on the hub. Speed tests can be initiated from the spokes in cases when a spoke is behind NAT.
  • Support uploading and downloading tests.
  • Support TCP and UDP.
  • Allow users to apply an egress shaping profile (update-shaper) to an IPsec tunnel (none, local, remote, or both).
  • Support configuring custom speed test ports.

Security Fabric

See Security Fabric in the New Features Guide for more information.

Feature ID

Description

815483

FOS now supports configurable Purdue levels for Fortinet Fabric devices, specifically: FortiGate, managed FortiSwitch, and FortiAP.

This means that users have the flexibility to adjust the Purdue levels of these devices according to their specific needs and preferences, enhancing the adaptability and functionality of their Fabric devices.

Security Profiles

See Security profiles in the New Features Guide for more information.

Feature ID

Description

744954

Support Punycode encoding in the url and hostname fields in flow mode web filter UTM logs. This caters to domain names containing non-ASCII characters, such as internationalized domain names (IDNs). It also aligns the functionality of flow and proxy modes, offering a more unified and improved user experience.

config webfilter profile
    edit <name>
        set web-flow-log-encoding {utf-8 | punycode}
    next
end
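Because the same visit can now be logged either as a UTF-8 hostname or as its Punycode (xn--) form, a log consumer that correlates flow-mode and proxy-mode records should normalize the field before comparing. The following is an added example, not FortiOS code: the two log lines are constructed, and only `hostname` and `url` are taken from the release note.

```python
import re

# Constructed sample flow-mode web filter records for one visit, as each
# web-flow-log-encoding setting would render it. Fields other than hostname
# and url are illustrative.
LOG_UTF8 = 'type="utm" subtype="webfilter" hostname="bücher.example" url="/katalog"'
LOG_PUNYCODE = 'type="utm" subtype="webfilter" hostname="xn--bcher-kva.example" url="/katalog"'

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_kv(line):
    """Split a quoted key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def to_alabel(hostname):
    """Normalize a hostname to its ASCII (xn--) form, lowercased.
    Falls back to a lowercased raw value if the name is not valid IDNA
    (for example an empty or over-long label)."""
    try:
        return hostname.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return hostname.lower()

def to_ulabel(hostname):
    """Reverse: render an xn-- hostname in its Unicode form for display."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname

def same_host(line_a, line_b):
    """True when two records name the same host regardless of log encoding."""
    return to_alabel(parse_kv(line_a)["hostname"]) == to_alabel(parse_kv(line_b)["hostname"])

def idn_labels(hostname):
    """Labels that required Punycode; a non-empty result marks the hostname as an IDN,
    which is worth surfacing when reviewing web filter logs."""
    return [lbl for lbl in to_alabel(hostname).split(".") if lbl.startswith("xn--")]
```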

848844

Diameter protocol inspection is supported on the FortiGate. Key features include:

  • Diameter-based packet forwarding and routing: the FortiGate can forward and route Diameter packets that match a firewall policy with an enabled diameter-filter profile.

  • Packet sanity checking: this feature checks if the packet passing through the FortiGate conforms to the Diameter protocol standards as defined in RFC 3588.

  • Logging: for network auditing purposes, the traffic for both dropped and forwarded Diameter-based packets can be logged.

This is crucial for interfaces used to exchange information with roaming partners over the IPX network.
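To make the sanity-checking item concrete, here is an added example (not FortiOS code) of the header and AVP framing checks that RFC 3588 allows a gateway to apply before forwarding a Diameter message: version, declared length, 32-bit alignment, reserved command-flag bits, the E flag on a request, and AVPs that overrun the message. The Capabilities-Exchange-Request and the Origin-Host AVP used as sample input are constructed here.

```python
import struct

# Diameter header (RFC 3588 section 3): 20 bytes, network byte order.
#   version(1) | message length(3) | command flags(1) | command code(3)
#   application-id(4) | hop-by-hop id(4) | end-to-end id(4)
HEADER_LEN = 20
FLAG_R, FLAG_E = 0x80, 0x20          # Request and Error command flags (P and T also exist)
AVP_FLAG_V, AVP_FLAG_M = 0x80, 0x40  # Vendor-specific and Mandatory AVP flags

def build_avp(code, flags, data):
    """AVP header: code(4) flags(1) length(3), then data padded to a 4-byte boundary.
    This constructed helper never sets the V flag, so no Vendor-ID field is emitted."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\0" * (-len(data) % 4)

def build_message(code, flags, app_id, avps, hbh=1, e2e=1):
    """Assemble a Diameter message with a correct length field from pre-built AVPs."""
    body = b"".join(avps)
    length = HEADER_LEN + len(body)
    hdr = bytes([1]) + length.to_bytes(3, "big") + bytes([flags]) + code.to_bytes(3, "big")
    return hdr + struct.pack("!III", app_id, hbh, e2e) + body

def sanity_check(data):
    """Return the list of framing violations found; an empty list means the message passes."""
    if len(data) < HEADER_LEN:
        return ["message shorter than the 20-byte header"]
    version, flags = data[0], data[4]
    length = int.from_bytes(data[1:4], "big")
    problems = []
    if version != 1:
        problems.append("version must be 1")
    if length != len(data):
        problems.append("length field does not match message size")
    if length % 4:
        problems.append("message length not 32-bit aligned")
    if flags & 0x0F:
        problems.append("reserved command-flag bits set")
    if flags & FLAG_R and flags & FLAG_E:
        problems.append("E flag set on a request")
    # Walk the AVPs: each header is 8 bytes (12 with Vendor-ID), data padded to 4.
    off = HEADER_LEN
    while off < min(length, len(data)):
        if len(data) - off < 8:
            problems.append(f"truncated AVP header at offset {off}")
            break
        aflags = data[off + 4]
        alen = int.from_bytes(data[off + 5:off + 8], "big")
        if alen < (12 if aflags & AVP_FLAG_V else 8):
            problems.append(f"AVP at offset {off} shorter than its header")
            break
        padded = (alen + 3) & ~3
        if off + padded > len(data):
            problems.append(f"AVP at offset {off} overruns the message")
            break
        off += padded
    return problems

# Constructed sample: a Capabilities-Exchange-Request (command code 257, R flag)
# carrying one Origin-Host AVP (code 264, M flag), plus two corrupted variants.
CER = build_message(257, FLAG_R, 0, [build_avp(264, AVP_FLAG_M, b"fgt.example")])
BAD_VERSION = bytes([2]) + CER[1:]
BAD_AVP = CER[:HEADER_LEN + 5] + (200).to_bytes(3, "big") + CER[HEADER_LEN + 8:]
```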

888411

Enhance customization and control in the video filter profile with two keyword-based filters for video titles and descriptions that offer AND/OR logic options. Users can prioritize configured filters, and manage all categories and channels that match the filters using the Any option.

939342

DLP has been enhanced with a Data Threat Feed, Exact Data Match Support, and Enhanced Keyword Search. These upgrades aim to optimize data management and minimize false positives.

959763

The inline IPS feature allows HTTP/HTTPS traffic to be processed directly in WAD for application control and IPS UTM features, reducing reliance on the IPS Engine. The IPS Engine is still required for non-HTTP protocols. This feature is automatically enabled for new devices, but is not enabled if upgrading from FortiOS 7.4.1 or earlier.

config ips settings
    set proxy-inline-ips {enable | disable}
end

System

See System in the New Features Guide for more information.

Feature ID

Description

480717

Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports.

739200

Add GUI support to prevent FortiGates with an expired support contract from upgrading to a major or minor firmware release.

946205

Enhance IPv6 VRRP to manage and control the VRRP state. Previously, the VRRP state would remain primary as long as the IPv6 VRRP destination could be reached by any route, including the default route.

config system interface
    edit <name>
        config ipv6
            config vrrp6
                edit <id>
                    set ignore-default-route {enable | disable}
                next
            end
        end
    next
end

954639

Support SNMP traps for monitoring the free and freeable memory usage on FortiGates.

config system snmp sysinfo
    set trap-free-memory-threshold <integer>
    set trap-freeable-memory-threshold <integer>
end

964697

Support an SNMP trap when power is restored to a power supply unit (PSU) in a FortiGate. When the PSU regains power after an outage, an SNMP trap is triggered. This enhances the monitoring capabilities of the FortiGate.

VPN

See IPsec and SSL VPN in the New Features Guide for more information.

Feature ID

Description

780297

Rename the mdst-addr6 IKE debug filter option to mrem-addr6.

879452

Add the ability for users to rename IPsec tunnels. Once a tunnel name is changed, all references to that tunnel, such as routing and policies, are automatically updated to reflect the new name. This ensures consistency and saves users the trouble of manually updating each reference.

config vpn ipsec phase1-interface
    rename <string> to <string>
end

887173

IPsec tunnels between HA members use manual keys to encrypt and authenticate, which may not be sufficient for some internal security policies. The IKE daemon has been updated to use auto-negotiation for the IPsec tunnel key, and to establish and maintain the tunnel.

config system ha
    set ipsec-phase2-proposal <option>
end

905804

Support IPsec key retrieval with a quantum key distribution (QKD) system using the ETSI standardized API. This eliminates negotiation, simplifies the process, and enhances efficiency in IPsec key management.

921914

Support autoconnect to IPsec VPN using Microsoft Entra ID. This enables seamless and secure connectivity for users accessing corporate resources by automatically establishing IPsec VPN connections based on Microsoft Entra ID logon session information.

923120

Introduce a proprietary solution to support the encapsulation of Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers. This allows ESP packets to be assigned a port number, which enables them to traverse over carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.

The TCP port for IKE/IPsec traffic is configured in the global settings:

config system settings
    set ike-tcp-port <integer>
end

The phase 1 interface settings include options for ESP encapsulation:

config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport {udp | udp-fallback-tcp | tcp}
        set fortinet-esp {enable | disable}
        set fallback-tcp-threshold <integer>
    next
end

ZTNA

See Zero Trust Network Access in the New Features Guide for more information.

Feature ID

Description

865016

Introduce Fabric integration between the FortiGate and FortiGSLB, which allows a FortiGate to publish custom host and domain names directly to FortiGSLB. This enables external IPs on VIPs used in ZTNA server objects to be published with the host and domain names directly to FortiGSLB, where its DNS service can provide nameserver lookups for the FQDNs.

897240

The Any/All GUI selector for ZTNA tags is added back to the simple and full ZTNA policy configuration pages. The default setting is Any.