FortiOS Release Notes

New features or enhancements

More detailed information is available in the New Features Guide.

Cloud

See Public and private cloud in the New Features Guide for more information.

Feature ID

Description

979375

FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.

995867

FortiGate-VM is officially certified on AliCloud Apsara Stack.

997374

High availability (HA) failover is now supported for IPv6 networks on GCP. The NextHopInstance route table attribute is used during an HA failover event.

LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID

Description

919714

Users can now use FortiSwitch event log IDs as triggers for automation stitches. This allows for automated actions like console alerts, script execution, and email notifications in response to events, such as switch group modifications or location changes. This boosts automation and system management efficiency.

947945

FortiOS WiFi controller allows customers to generate MPSK keys using the FortiGuest self-registration portal. This addition empowers customers to independently create and assign MPSK keys to their devices, streamlining the process and enhancing security.

952124

Users connected to a WiFi Access Point in a FortiExtender can now access the internet, even when the FortiGate is in LAN-extension mode. This ensures seamless internet connectivity for WiFi clients using the FortiGate LAN-extension interface.

975075

The FortiAP K series now supports IEEE 802.11be, also known as Wi-Fi 7, for these models: FAP-441K, FAP-443K, FAP-241K and FAP-243K. This expands device compatibility, boosts network performance, and enhances user experience.

975545

Support for Dynamic Access Control List (DACL) on the 802.1x ports of managed switches. This allows customers to use RADIUS attributes to configure DACLs, enabling traffic control on a per-user session or per-port basis for switch ports directly connected to user clients.

976646

FortiOS extends captive portal support to newer wireless authentication methods, such as OWE and WPA3-SAE varieties. This ensures that users can benefit from the most advanced and secure authentication methods available.

983561

Enhanced memory optimization in FortiGate-managed FAPs by introducing controls to limit data from rogue APs, station capabilities, rogue stations, and Bluetooth devices. This prevents rapid memory increase and enhances CAPWAP stability.

990058

FortiOS supports managing the USB port status on compatible FortiAP models.

config wireless-controller wtp-profile
    edit <name>
        set usb-port {enable | disable}
    next
end

997048

FortiOS supports beacon protection, improving Wi-Fi security by protecting beacon frames. This helps devices connect to legitimate networks, reducing attack risks.

config wireless-controller vap
    edit <name>
        set beacon-protection {enable | disable}
    next
end

999971

Supports receiving the NAS-Filter-Rule attribute after successful WiFi 802.1X authentication. These rules can be forwarded to FortiAP to create dynamic Access Control Lists (dACLs) for the WiFi station, enhancing network access control and security.

1006398

Enhanced device matching logic based on DPP policy priority. Users can utilize the CLI to dictate the retention duration of matched devices for dynamic port or NAC policies, providing greater control over device management.

1006607

The FortiOS WiFi controller's MPSK feature now supports both the WPA2-Personal and WPA3-SAE security modes. This gives customers more versatile security options, allowing MPSK to be used with the latest WPA3-SAE security mode.

1012115

Support fast failover for FortiExtender. This enhancement ensures that FortiGate can swiftly recover data sessions in the event of a failover, reducing downtime and enhancing reliability.

Log & Report

See Logging in the New Features Guide for more information.

Feature ID

Description

969386

FortiOS now adds an event timestamp and timezone information in the Log package header.

Network

See Network in the New Features Guide for more information.

Feature ID

Description

652281

All proxy features are disabled by default on FortiGate models with 2 GB of RAM or less. Processes in the mandatory and basic mandatory categories start on 2 GB memory platforms. Processes in the proxy dependency and multiple workers categories start on 2 GB memory platforms only after a configuration change.

733258

Support DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) for transparent and local-in DNS modes. Connections can be established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH). Additionally, the FortiGate is now capable of handling the QUIC/TLS handshake and performing deep inspection for HTTP3 and QUIC traffic.

888417

Internal Switch Fabric (ISF) hash configuration is now supported on NP7 platforms. This gives NP7 platform users a new level of flexibility and control, allowing them to fine-tune network settings for optimal performance and security. These NP7 FortiGate models support this feature: FG-1800F, FG-2600F, FG-3500F, FG-4200F, and FG-4400F.

Use the following command to configure NPU port mapping:

config system npu-post
    config port-npu-map
        edit <interface-name>
            set npu-group <group-name>
        next
    end
end

Use the following command to configure the load balancing algorithm used by the ISF to distribute traffic received by an interface to the interfaces of the NP7 processors in your FortiGate:

config system interface
    edit <interface>
        set sw-algorithm {l2 | l3 | eh | default}
    next
end

962341

Support for RADIUS Vendor-Specific Attributes (VSA) in Captive Portal redirects. This provides a smoother user experience during Captive Portal redirects, especially in environments where vendor-specific attributes are heavily used, such as corporate networks or public WiFi hotspots.

963570

You can monitor ARP packets for a specific VLAN on a DHCP-snooping trusted port of a managed FortiSwitch unit and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping database.

964518

Selective Subnet Assignment is now supported in IPAM. This ensures that the configured IPAM pool will not utilize any subnets listed in the exclude table, providing more control and flexibility over the configuration of IPAM pools.

967653

FortiOS allows backup interval customization for DHCP leases during power cycles. This provides enhanced control and flexibility, ensuring lease preservation during events like outages or reboots.

config system global
    set dhcp-lease-backup-interval <integer>
end

971109

The new dhcp-relay-allow-no-end-option setting allows the DHCP relay to accept DHCP packets that have no end option, improving the system's adaptability to diverse network conditions. In a DHCP packet, the end option marks the end of the valid information in the options field. There are scenarios in which this end option is absent, and this enhancement is designed to handle those packets.

config system interface
    edit <interface>
        set dhcp-relay-allow-no-end-option {disable | enable}
    next
end
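The parsing behaviour behind this setting, shown as an added example that is not FortiOS code: a DHCP options-field parser following RFC 2132 (magic cookie, then TLV options, Pad = 0 and End = 255 with no length byte), with a flag that mirrors dhcp-relay-allow-no-end-option. The assumption that a relay with the option disabled rejects such packets is the example's, not a statement from the release notes; the sample packets are constructed.

```python
# Added example (not FortiOS code): parse a DHCP options field with and
# without the End option (code 255), mirroring dhcp-relay-allow-no-end-option.
# Layout per RFC 2132: 4-byte magic cookie, then TLV options; Pad (0) and
# End (255) carry no length byte, and bytes after End are padding.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255


class DhcpOptionsError(ValueError):
    """Raised when the options field is malformed or the End option is missing."""


def parse_dhcp_options(raw: bytes, allow_no_end_option: bool = False) -> dict[int, bytes]:
    """Parse the options field of a DHCP message into {code: value}.

    With allow_no_end_option=False (the strict default assumed here) a field
    that runs out of bytes before an End option is rejected; with True the
    options parsed so far are accepted, as the relay setting above allows.
    """
    if not raw.startswith(MAGIC_COOKIE):
        raise DhcpOptionsError("missing DHCP magic cookie")
    options: dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options  # anything after End is padding and is ignored
        if i + 1 >= len(raw):
            raise DhcpOptionsError(f"option {code} truncated: no length byte")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise DhcpOptionsError(f"option {code} truncated: expected {length} bytes")
        # RFC 3396: a repeated option code is concatenated into one value.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    # Reached the end of the field without seeing an End option.
    if allow_no_end_option:
        return options
    raise DhcpOptionsError("options field ended without an End option (255)")


# Constructed sample: DHCPDISCOVER options carrying message type (53),
# client identifier (61) and parameter request list (55), then End + padding.
WITH_END = (
    MAGIC_COOKIE
    + bytes([53, 1, 1])
    + bytes([61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
    + bytes([55, 3, 1, 3, 6])
    + bytes([OPT_END, OPT_PAD, OPT_PAD])
)
# The same options, but the sender omitted the End option and padding.
WITHOUT_END = WITH_END[:-3]


def classify(raw: bytes, allow_no_end_option: bool) -> str:
    """Return 'relayed' if the packet would be accepted, 'dropped' otherwise."""
    try:
        parse_dhcp_options(raw, allow_no_end_option)
        return "relayed"
    except DhcpOptionsError:
        return "dropped"


if __name__ == "__main__":
    for label, pkt in (("with End", WITH_END), ("without End", WITHOUT_END)):
        for allow in (False, True):
            print(f"{label:12} allow-no-end-option={allow!s:5} -> {classify(pkt, allow)}")
```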

973573

You can now specify a tagged VLAN for users to be assigned to when the authentication server is unavailable. Previously, you could only specify an untagged VLAN. This feature is available with 802.1x MAC-based authentication. It is compatible with both Extensible Authentication Protocol (EAP) and MAC authentication bypass (MAB).

976152

FortiOS includes support for source IP anchoring in dial-up IPsec Tunnels. This allows the gateway to match connections based on the IPv4/IPv6 gateway address parameters, such as the subnet, address range, or country.

977097

A new CLI option allows users to choose to discard or permit IPv4 SCTP packets with zero checksums on the NP7 platform.

config system npu
    config fp-anomaly
        set sctp-csum-err {allow | drop | trap-to-host}
    end
end

978974

Users can upgrade their LTE modem firmware directly from FortiGuard. This eliminates the need for manual downloading and uploading and gives users the flexibility to schedule the upgrade.

985285

Enhancement to Packet Capture Functionality. This feature adds the capability to store packet capture criteria, allowing for the re-initiation of packet captures multiple times using the same parameters such as interface, filters, and more, thereby streamlining packet capture management. Additionally, this feature incorporates diagnostic commands to list, initiate, terminate, and remove GUI packet captures, enhancing the level of control users have over their packet capture operations.

990096

FortiOS allows multiple remote Autonomous Systems (AS) to be assigned to a single BGP neighbor group using AS path lists. This enhancement offers increased flexibility and efficiency in managing BGP configurations, especially in intricate network environments.

Operational Technology

See Operational Technology in the New Features Guide for more information.

Feature ID

Description

952000

Support for Modbus Serial to Modbus TCP has been added. All FortiGate rugged models equipped with a Serial RS-232 (DB9/ RJ45) interface can perform real-time monitoring, control, and coordination across your network. Industrial automation users can now transfer Modbus data more efficiently, reducing the need for extra devices and streamlining operations.

972541

Support for IEC 60870-5-101 Serial to IEC 60870-5-104 TCP/IP transport has been added. All FortiGate rugged models equipped with a Serial RS-232 (DB9/ RJ45) interface can now perform telecontrol, teleprotection, and associated telecommunications for electric power systems over network access.

Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID

Description

807549

FortiOS supports NPU offloading for shaping ingress traffic on NP7 and SOC5 models. This enhances system performance and efficiency, especially when there is a high volume of incoming traffic. NPU offloading for shaping ingress traffic is not supported by NP6 and SOC4 FortiGate models.

865786

This feature combines the policy name and ID into a unified Policy column, ensuring the ID and name are consistently visible. It also introduces the ability to move policies using their ID, simplifying management when handling large policy tables that may include hundreds of policies.

961309

The src-vip-filter in VIP now allows src-filter to be used as the destination filter for reverse SNAT rules, in addition to its traditional role in forward DNAT rules. This dual functionality simplifies bidirectional NAT, enhancing IP address mapping and translation efficiency.

config firewall vip
    edit <name>
        set src-filter <IP>
        set extip <IP>
        set mappedip <IP>
        set extintf <string>
        set nat-source-vip enable
        set src-vip-filter enable
    next
end

966992

FortiOS now supports a configurable interim log for PBA NAT logging. This enables continuous access to PBA event logs during an ongoing session, providing comprehensive logging throughout the session's lifespan.

config firewall ippool
    edit <name>
        set type port-block-allocation
        set pba-interim-log <integer>
    next
end

967654

FortiOS allows internet service as source addresses in the local-in policy. This provides more flexibility and control in managing local traffic, improving network security and efficiency.

977005

FortiOS supports DSCP Marking for Self-generated traffic, enabling the FortiGate to operate as a fully functional CPE device capable of directly connecting to the provider's network without needing a CPE router. This enhancement reduces user costs and complexity.

SD-WAN

See SD-WAN in the New Features Guide for more information.

Feature ID

Description

987765

Enhancements have been added to improve overall ADVPN 2.0 operation for SD-WAN, including:

  • The local spoke directly sends a shortcut-query to a remote spoke to trigger a shortcut after ADVPN 2.0 path management makes a path decision.

  • ADVPN 2.0 path management can trigger multiple shortcuts for load-balancing SD-WAN rules. Traffic can be load-balanced over these multiple shortcuts to use as much of the available WAN bandwidth as possible, without wasting idle links that are healthy. The algorithm that calculates multiple shortcuts for the load-balancing service considers the transport group and in-SLA status of both the local and remote parent overlays.

  • Spokes can automatically deactivate all shortcuts connecting to the same spoke when user traffic is not observed for a specified time interval. This is enabled by configuring a shared idle timeout setting in the IPsec VPN Phase 1 interface settings for the associated overlays.

1016452

To ensure FortiGate spoke traffic remains uninterrupted when configuration is orchestrated from the SD-WAN Overlay-as-a-Service (OaaS), there is added support for an OaaS agent on the FortiGate.

The OaaS agent communicates with the OaaS controller in FortiCloud, validates and compares FortiOS configuration, and applies FortiOS configuration to the FortiGate as a transaction when it has been orchestrated from the OaaS portal.

If any configuration change fails to be applied, the OaaS agent rolls back all configuration changes that were orchestrated. Secure communication between the OaaS agent and the OaaS controller is achieved using the FGFM management tunnel. The new CLI command get oaas status displays the detailed OaaS status.

Security Fabric

See Security Fabric in the New Features Guide for more information.

Feature ID

Description

789237

FortiOS supports customizing the source IP address and the outgoing interface for communication with the upstream FortiGate in the Security Fabric.

config system csf
    set source-ip <class_ip>
    set upstream-interface-select-method {auto | sdwan | specify}
end

943352

Users can apply a FortiVoice tag dynamic address to a NAC policy.

config user nac-policy
    edit <name>
        set category fortivoice-tag
        set fortivoice-tag <string>
    next
end

972642

The external resource entry limit is now global. Additionally, file size restrictions now adjust according to the device model. This allows for a more flexible and optimized use of resources, tailored to the specific capabilities and requirements of different device models.

1000836

Before this enhancement, a FortiGate could only connect to the FortiClient Cloud instance registered under the root FortiCloud account. FortiGate now supports connecting to a FortiClient Cloud instance registered under a sub-OU in FortiCloud. Furthermore, a FortiGate can override the FortiClient Cloud access key setting on a per-VDOM basis. With these enhancements, a FortiGate can support FortiClient Cloud in multi-tenancy scenarios.

Security Profiles

See Security profiles in the New Features Guide for more information.

Feature ID

Description

886575

FortiOS extends Search Engine support to Flow-based Web Filter Profiles. This introduces several features, including: Safe Search, Restrict YouTube Access, and Restrict Vimeo Access.

937178

FortiOS antivirus supports XLSB, OpenOffice, and RTF files through its CDR feature. This allows FortiGate to sanitize these files by removing active content, such as hyperlinks and embedded media, while preserving the text. It also provides an additional tool for network administrators to protect users from malicious documents.

939342

GUI support for Exact Data Match (EDM) for Data Loss Prevention. This improves the user experience during configuration and optimizes data management.

968303

Add support to control TLS connections that utilize Encrypted Client Hello (ECH), with options to block, allow, or force the client to switch to a non-ECH TLS connection by modifying DoH responses. This increases control and flexibility for managing TLS connections.

System

See System in the New Features Guide for more information.

Feature ID

Description

480717

Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports.

883606

FortiOS allows customers to enable or disable the INDEX extension, which appends a VDOM or an interface index in RFC tables.

config system snmp sysinfo
    set append-index {enable | disable}
end

925233

Supports the separation of the SSHD host key and administration server certificate. This improvement introduces support for ECDSA 384 and ECDSA 256, allowing the SSHD to accommodate the most commonly used host key algorithms.

config system global
    set ssh-hostkey-override {enable | disable}
    set ssh-hostkey-password <password>
    set ssh-hostkey <encrypted_private_key>
end

957562

New hyperscale feature to control the rate at which NP7 processors generate ICMPv4 and ICMPv6 error packets to prevent excessive CPU usage. This feature is enabled by default, and you can use the following options to change the configuration if required for your network conditions:

config system npu
    config icmp-error-rate-ctrl
        set icmpv4-error-rate-limit {disable | enable}
        set icmpv4-error-rate <packets-per-second>
        set icmpv4-error-bucket-size <token-bucket-size>
        set icmpv6-error-rate-limit {disable | enable}
        set icmpv6-error-rate <packets-per-second>
        set icmpv6-error-bucket-size <token-bucket-size>
    end
end

971546

GUI support added to control the use of CLI commands in administrator profiles.

1012626

In this enhancement, hashes of all executable binaries and shared libraries are taken at image build time. The file containing these hashes, called the executable hash, is itself hashed and that hash is signed. The signature is verified during bootup to ensure the integrity of the file. After validation, the hashes of all executables and shared libraries can be loaded into memory for real-time protection.

1013511

This enhancement requires the kernel to verify the signed hashes of important file-system and object files during bootup. This prevents file systems with unauthorized changes from being mounted, and other unauthorized objects from being loaded into user space at boot. If the signed hash verification fails, the system halts.
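The build-time and boot-time flow described in 1012626 and 1013511, as an added example that is not FortiOS code: hash every executable into a manifest, hash and sign the manifest, verify the signature at boot (halting on failure), then check each file against the loaded hashes before it is used. The manifest format, the in-memory image and the use of HMAC-SHA256 with a build key in place of the asymmetric firmware signature are all assumptions of this example; the release notes do not specify them.

```python
# Added example (not FortiOS code): signed executable-hash manifest flow from
# 1012626/1013511, run over a constructed in-memory image. The "signature" is
# an HMAC-SHA256 over the manifest hash with a build key; this stands in for
# the asymmetric signature a real firmware image would carry (assumption).
import hashlib
import hmac
import json

BUILD_KEY = b"constructed-build-key"  # placeholder for the image signing key

# Constructed image: paths of executables/shared libraries and their contents.
IMAGE = {
    "/bin/init": b"\x7fELF init binary",
    "/bin/sshd": b"\x7fELF sshd binary",
    "/lib/libcrypto.so": b"\x7fELF libcrypto",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_executable_hash(files: dict[str, bytes]) -> bytes:
    """Build time: hash every executable and shared library into one manifest."""
    manifest = {path: sha256_hex(content) for path, content in sorted(files.items())}
    return json.dumps(manifest, sort_keys=True).encode()


def sign_manifest(manifest: bytes) -> str:
    """Build time: hash the manifest file, then sign that hash (HMAC stand-in)."""
    return hmac.new(BUILD_KEY, sha256_hex(manifest).encode(), "sha256").hexdigest()


class BootHalt(Exception):
    """Models the halt described in 1013511 when signed-hash verification fails."""


def verify_at_boot(manifest: bytes, signature: str) -> dict[str, str]:
    """Boot time: verify the manifest signature, then load the hashes into memory."""
    expected = sign_manifest(manifest)
    if not hmac.compare_digest(expected, signature):
        raise BootHalt("executable hash signature mismatch")
    return json.loads(manifest)


def boot_halts(manifest: bytes, signature: str) -> bool:
    """True if the boot-time verification would halt the system."""
    try:
        verify_at_boot(manifest, signature)
        return False
    except BootHalt:
        return True


def check_before_load(loaded_hashes: dict[str, str], path: str, content: bytes) -> bool:
    """Runtime: a file may load only if it is listed and its hash still matches."""
    return loaded_hashes.get(path) == sha256_hex(content)


def run_boot(files: dict[str, bytes], manifest: bytes, signature: str) -> list[str]:
    """Drive the whole flow; return the paths that pass the runtime check."""
    loaded = verify_at_boot(manifest, signature)
    return [p for p, c in files.items() if check_before_load(loaded, p, c)]


MANIFEST = build_executable_hash(IMAGE)
SIGNATURE = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print("passed:", run_boot(IMAGE, MANIFEST, SIGNATURE))
    # A binary modified after build fails the runtime hash check.
    tampered = dict(IMAGE, **{"/bin/sshd": b"\x7fELF modified sshd"})
    print("passed after tamper:", run_boot(tampered, MANIFEST, SIGNATURE))
    # A modified manifest no longer matches its signature, so boot halts.
    print("halts on edited manifest:", boot_halts(MANIFEST + b" ", SIGNATURE))
```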

User & Authentication

See Authentication in the New Features Guide for more information.

Feature ID

Description

951626

Support for client certificate validation and EMS tag matching has been added to the explicit proxy policy, improving user experience and security.

973805

Added support to cache the client certificate as an authentication cookie, eliminating the need for repeated authentication.

VPN

See IPsec and SSL VPN in the New Features Guide for more information.

Feature ID

Description

951763

FortiOS supports a cross-validation mechanism for IPsec VPN, bolstering security and user authentication. This mechanism cross-checks whether the username provided by the client matches the identity field specified in the peer certificate. The identity field, which could be an Othername, RFC822Name, or CN, serves as a unique identifier for the client.

972643

FortiOS supports the TCP Encapsulation of IKE and IPsec packets across multiple vendors. This cross-vendor interoperability ensures that users can maintain a secure and efficient network, while also having the flexibility to choose the hardware that aligns best with user requirements.

979375

FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.

996136

FortiOS supports session resumption for IPsec tunnel version 2. This enhances the user experience by maintaining the tunnel in an idle state, allowing uninterrupted use after a client resumes from sleep or when connectivity is restored after a disruption. It also removes the need to re-authenticate when reconnecting, improving efficiency.

1006448

Enhanced SSL VPN security by restricting and validating HTTP messages that are used only by web mode and tunnel mode.

ZTNA

See Zero Trust Network Access in the New Features Guide for more information.

Feature ID

Description

945605

With this enhancement, FortiGate can share ZTNA information such as ZTNA VIP address and application specifics like application address and port via the EMS connector. On FortiClient EMS, the configured ZTNA TCP and SaaS applications are pulled into the ZTNA application catalog. These apps can be applied to ZTNA Destinations without any additional configurations.

New features or enhancements

New features or enhancements

More detailed information is available in the New Features Guide.

Cloud

See Public and private cloud in the New Features Guide for more information.

Feature ID

Description

979375

FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.

995867

FortiGate-VM is officially certified on AliCloud Apsara Stack.

997374

High availability (HA) failover is now supported for IPv6 networks on GCP. The NextHopInstance route table attribute is used during an HA failover event.

LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID

Description

919714

Users can now use FortiSwitch event log IDs as triggers for automation stitches. This allows for automated actions like console alerts, script execution, and email notifications in response to events, such as switch group modifications or location changes. This boosts automation and system management efficiency.

947945

FortiOS WiFi controller allows customers to generate MPSK keys using the FortiGuest self-registration portal. This addition empowers customers to independently create and assign MPSK keys to their devices, streamlining the process and enhancing security.

952124

Users connected to a WiFi Access Point in a FortiExtender can now access the internet, even when the FortiGate is in LAN-extension mode. This ensures seamless internet connectivity for WiFi clients using the FortiGate LAN-extension interface.

975075

The FortiAP K series now supports IEEE 802.11be, also known as Wi-Fi 7, for these models: FAP-441K, FAP-443K, FAP-241K and FAP-243K. This expands device compatibility, boosts network performance, and enhances user experience.

975545

Support for Dynamic Access Control List (DACL) on the 802.1x ports of managed switches. This allows customers to use RADIUS attributes to configure DACLs, enabling traffic control on a per-user session or per-port basis for switch ports directly connected to user clients.

976646

FortiOS extends captive portal support to newer wireless authentication methods, such as OWE and WPA3-SAE varieties. This ensures that users can benefit from the most advanced and secure authentication methods available.

983561

Enhanced memory optimization in FortiGate-managed FAPs by introducing controls to limit data from rogue APs, station capabilities, rogue stations, and Bluetooth devices. This prevents rapid memory increase and enhances CAPWAP stability.

990058

FortiOS supports managing the USB port status on compatible FortiAP models.

conf wireless-controller wtp-profile
    edit <name>
        set usb-port {enable | disable}
    next
end

997048

FortiOS supports beacon protection, improving Wi-Fi security by protecting beacon frames. This helps devices connect to legitimate networks, reducing attack risks.

config wireless-controller vap
    edit <name>
        set beacon-protection {enable | disable}
    next
end

999971

Supports receiving the NAS-Filter-Rule attribute after successful WiFi 802.1X authentication. These rules can be forwarded to FortiAP to create dynamic Access Control Lists (dACLs) for the WiFi station, enhancing network access control and security.

1006398

Enhanced device matching logic based on DPP policy priority. Users can utilize the CLI to dictate the retention duration of matched devices for dynamic port or NAC policies, providing greater control over device management.

1006607

FortiOS WiFi controllers MPSK feature now includes both WPA2-Personal and WPA3-SAE security modes. This provides customers with more versatile security options, leveraging the MPSK feature with the latest WPA3-SAE security mode.

1012115

Support fast failover for FortiExtender. This enhancement ensures that FortiGate can swiftly recover data sessions in the event of a failover, reducing downtime and enhancing reliability.

Log & Report

See Logging in the New Features Guide for more information.

Feature ID

Description

969386

FortiOS now adds an event timestamp and timezone information in the Log package header.

Network

See Network in the New Features Guide for more information.

Feature ID

Description

652281

Disable all proxy features on FortiGate models with 2 GB of RAM or less by default. Mandatory and basic mandatory category processes start on 2 GB memory platforms. Proxy dependency and multiple workers category processes start based on a configuration change on 2 GB memory platforms.

733258

Support DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) for transparent and local-in DNS modes. Connections can be established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH). Additionally, the FortiGate is now capable of handling the QUIC/TLS handshake and performing deep inspection for HTTP3 and QUIC traffic.

888417

Internal Switch Fabric (ISF) Hash Configuration Support for NP7 Platforms. This provides a new level of flexibility and control to NP7 platform users, allowing them to fine-tune network settings for optimal performance and security. These NP7 FortiGate models support this feature: FG-1800F, FG-2600F, FG-3500F, FG-4200F, and FG-4400F.

Use the following command to configure NPU port mapping:

config system npu-post
    config port-npu-map
        edit <interface-name>
            set npu-group <group-name>
        next
end

Use the following command to configure the load balancing algorithm used by the ISF to distribute traffic received by an interface to the interfaces of the NP7 processors in your FortiGate:

config system interface
    edit <interface>
        set sw-algorithm {l2 | l3 | eh | default}
    next
end

962341

Support Radius Vendor-Specific Attributes (VSA) for Captive Portal redirects. This provides a smoother user experience during Captive Portal redirects, especially in environments where vendor-specific attributes are heavily used such as corporate networks or public WiFi hotspots.

963570

You can monitor ARP packets for a specific VLAN on a DHCP-snooping trusted port of a managed FortiSwitch unit and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping database.

964518

Selective Subnet Assignment is now supported in IPAM. This ensures that the configured IPAM pool will not utilize any subnets listed in the exclude table, providing more control and flexibility over the configuration of IPAM pools.

967653

FortiOS allows backup interval customization for DHCP leases during power cycles. This provides enhanced control and flexibility, ensuring lease preservation during events like outages or reboots.

config system global
    set dhcp-lease-backup-interval < integer >
end

971109

The new dhcp-relay-allow-no-end-option supports DHCP packets without an end option, enhancing our systems adaptability to diverse network conditions. In the realm of DHCP packets, the end option signifies the end of valid information in the options field. However, there may be scenarios where this end option is absent. This enhancement is designed to manage such situations effectively.

config system interface
    edit <interface>
        set dhcp-relay-allow-no-end-option {disable |enable}
    next
end

973573

You can now specify a tagged VLAN for users to be assigned to when the authentication server is unavailable. Previously, you could only specify an untagged VLAN. This feature is available with 802.1x MAC-based authentication. It is compatible with both Extensible Authentication Protocol (EAP) and MAC authentication bypass (MAB).

976152

FortiOS includes support for source IP anchoring in dial-up IPsec Tunnels. This allows the gateway to match connections based on the IPv4/IPv6 gateway address parameters, such as the subnet, address range, or country.

977097

A new CLI option allows users to choose to discard or permit IPv4 SCTP packets with zero checksums on the NP7 platform.

config system npu
    config fp-anomaly
        set sctp-csum-err {allow | drop | trap-to-host}
    end
end

978974

Users can upgrade their LTE modem firmware directly from the FortiGuard. This eliminates the need for manual downloading and uploading and provides users flexibility to schedule the upgrade.

985285

Enhancement to Packet Capture Functionality. This feature adds the capability to store packet capture criteria, allowing for the re-initiation of packet captures multiple times using the same parameters such as interface, filters, and more, thereby streamlining packet capture management. Additionally, this feature incorporates diagnostic commands to list, initiate, terminate, and remove GUI packet captures, enhancing the level of control users have over their packet capture operations.

990096

FortiOS allows multiple remote Autonomous Systems (AS) to be assigned to a single BGP neighbor group using AS path lists. This enhancement offers increased flexibility and efficiency in managing BGP configurations, especially in intricate network environments.

Operational Technology

See Operational Technology in the New Features Guide for more information.

Feature ID

Description

952000

Support for Modbus Serial to Modbus TCP has been added. All FortiGate rugged models equipped with a Serial RS-232 (DB9/ RJ45) interface can perform real-time monitoring, control, and coordination across your network. Industrial automation users can now transfer Modbus data more efficiently, reducing the need for extra devices and streamlining operations.

972541

Support for IEC 60870-5-101 Serial to IEC 60870-5-104 TCP/IP transport has been added. All FortiGate rugged models equipped with a Serial RS-232 (DB9/ RJ45) interface can now perform telecontrol, teleprotection, and associated telecommunications for electric power systems over network access.

Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID

Description

807549

FortiOS supports NPU offloading for shaping ingress traffic on NP7 and SOC5 models. This enhances system performance and efficiency, especially when there is a high volume of incoming traffic. NPU offloading for shaping ingress traffic is not supported by NP6 and SOC4 FortiGate models.

865786

This feature combines the policy name and ID into a unified Policy column, ensuring the ID and name are consistently visible. It also introduces the ability to move policies using their ID, simplifying management when handling large policy tables that may include hundreds of policies.

961309

The src-vip-filter in VIP now allows src-filter to be used as the destination filter for reverse SNAT rules, in addition to its traditional role in forward DNAT rules. This dual functionality simplifies bidirectional NAT, enhancing IP address mapping and translation efficiency.

config firewall vip
    edit <name>
        set src-filter <IP>
        set extip <IP>
        set mappedip <IP>
        set extintf <string>
        set nat-source-vip enable
        set src-vip-filter enable
    next
end

966992

FortiOS now supports a configurable interim log for PBA NAT logging. This enables continuous access to PBA event logs during an ongoing session, providing comprehensive logging throughout the session's lifespan.

config firewall ippool
    edit <name>
        set type port-block-allocation
        set pba-interim-log <integer>
    next
end

967654

FortiOS allows internet service as source addresses in the local-in policy. This provides more flexibility and control in managing local traffic, improving network security and efficiency.

977005

FortiOS supports DSCP marking for self-generated traffic, enabling the FortiGate to operate as a fully functional CPE device capable of directly connecting to the provider's network without needing a CPE router. This enhancement reduces user costs and complexity.

SD-WAN

See SD-WAN in the New Features Guide for more information.

Feature ID

Description

987765

Enhancements have been added to improve overall ADVPN 2.0 operation for SD-WAN, including:

  • The local spoke directly sends a shortcut-query to a remote spoke to trigger a shortcut after ADVPN 2.0 path management makes a path decision.

  • ADVPN 2.0 path management can trigger multiple shortcuts for load-balancing SD-WAN rules. Traffic can be load-balanced over these multiple shortcuts to use as much of the available WAN bandwidth as possible without wasting idle links if they are healthy. The algorithm that calculates multiple shortcuts for the load-balancing service considers the transport group and in-SLA status of both local and remote parent overlays.

  • Spokes can automatically deactivate all shortcuts connecting to the same spoke when user traffic is not observed for a specified time interval. This is enabled by configuring a shared idle timeout setting in the IPsec VPN Phase 1 interface settings for the associated overlays.

1016452

To ensure FortiGate spoke traffic remains uninterrupted when configuration is orchestrated from the SD-WAN Overlay-as-a-Service (OaaS), there is added support for an OaaS agent on the FortiGate.

The OaaS agent communicates with the OaaS controller in FortiCloud, validates and compares FortiOS configuration, and applies FortiOS configuration to the FortiGate as a transaction when it has been orchestrated from the OaaS portal.

If any configuration change fails to be applied, the OaaS agent rolls back all configuration changes that were orchestrated. Secure communication between the OaaS agent and the OaaS controller is achieved using the FGFM management tunnel. The new CLI command get oaas status displays the detailed OaaS status.

Security Fabric

See Security Fabric in the New Features Guide for more information.

Feature ID

Description

789237

FortiOS supports customizing the source IP address and the outgoing interface for communication with the upstream FortiGate in the Security Fabric.

config system csf
    set source-ip <class_ip>
    set upstream-interface-select-method {auto | sdwan | specify}
end

943352

Users can apply a FortiVoice tag dynamic address to a NAC policy.

config user nac-policy
    edit <name>
        set category fortivoice-tag
        set fortivoice-tag <string>
    next
end

972642

The external resource entry limit is now global. Additionally, file size restrictions now adjust according to the device model. This allows for a more flexible and optimized use of resources, tailored to the specific capabilities and requirements of different device models.

1000836

Before this enhancement, a FortiGate could only connect to the FortiClient Cloud instance registered under the root FortiCloud account. FortiGate now supports connecting to a FortiClient Cloud instance registered under a sub-OU in FortiCloud. Furthermore, a FortiGate can override the FortiClient Cloud access key setting on a per-VDOM basis. With these enhancements, a FortiGate can support FortiClient Cloud in multi-tenancy scenarios.

Security Profiles

See Security profiles in the New Features Guide for more information.

Feature ID

Description

886575

FortiOS extends Search Engine support to Flow-based Web Filter Profiles. This introduces several features, including: Safe Search, Restrict YouTube Access, and Restrict Vimeo Access.

937178

FortiOS antivirus supports XLSB, OpenOffice, and RTF files through its CDR feature. This allows FortiGate to sanitize these files by removing active content, such as hyperlinks and embedded media, while preserving the text. It also provides an additional tool for network administrators to protect users from malicious documents.

939342

GUI support for Exact Data Match (EDM) for Data Loss Prevention. This improves the user experience during configuration and optimizes data management.

968303

Add support to control TLS connections that utilize Encrypted Client Hello (ECH), with options to block, allow, or force the client to switch to a non-ECH TLS connection by modifying DoH responses. This increases control and flexibility for managing TLS connections.
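The "force the client to switch to a non-ECH TLS connection by modifying DoH responses" option works because a client only attempts ECH when the HTTPS (type 65) record it resolved carries an ech SvcParam. The following is an added example, not FortiOS code: it parses the RDATA of one HTTPS resource record as it would appear in a DoH answer (wire format per RFC 9460: SvcPriority, an uncompressed TargetName, then SvcParams as key/length/value triples in strictly increasing key order), reports whether the record advertises ECH, and returns a copy with the ech parameter removed. It also handles the edge case where "ech" is listed in the mandatory parameter, since leaving that reference in place would make the rewritten record invalid for the client. The record contents and the ECHConfigList bytes are constructed placeholders.

```python
"""Detect and strip the "ech" SvcParam (key 5) from an HTTPS RR RDATA (added example)."""

MANDATORY_KEY = 0  # RFC 9460: list of SvcParamKeys the client must understand and that must be present
ECH_KEY = 5        # RFC 9460 section 14.3.2: "ech", value is an ECHConfigList


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past an uncompressed wire-format domain name (TargetName is never compressed)."""
    while True:
        if pos >= len(buf):
            raise ValueError("truncated TargetName")
        label_len = buf[pos]
        if label_len == 0:
            return pos + 1
        if label_len & 0xC0:
            raise ValueError("compression pointer not allowed in TargetName")
        pos += 1 + label_len


def parse_https_rdata(rdata: bytes) -> tuple[int, bytes, list[tuple[int, bytes]]]:
    """Return (SvcPriority, TargetName wire bytes, [(SvcParamKey, SvcParamValue), ...])."""
    if len(rdata) < 2:
        raise ValueError("RDATA shorter than SvcPriority")
    priority = int.from_bytes(rdata[:2], "big")
    name_end = _skip_name(rdata, 2)
    target = rdata[2:name_end]
    params, pos, last_key = [], name_end, -1
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated SvcParam header")
        key = int.from_bytes(rdata[pos:pos + 2], "big")
        vlen = int.from_bytes(rdata[pos + 2:pos + 4], "big")
        if key <= last_key:
            raise ValueError("SvcParamKeys must be strictly increasing")
        pos += 4
        if pos + vlen > len(rdata):
            raise ValueError("truncated SvcParam value")
        params.append((key, rdata[pos:pos + vlen]))
        pos, last_key = pos + vlen, key
    return priority, target, params


def build_https_rdata(priority: int, target: bytes, params: list[tuple[int, bytes]]) -> bytes:
    out = priority.to_bytes(2, "big") + target
    for key, value in params:
        out += key.to_bytes(2, "big") + len(value).to_bytes(2, "big") + value
    return out


def has_ech(rdata: bytes) -> bool:
    """Visibility check: does this answer advertise an ECH configuration at all?"""
    return any(key == ECH_KEY for key, _ in parse_https_rdata(rdata)[2])


def strip_ech(rdata: bytes) -> tuple[bytes, bool]:
    """Return (rewritten RDATA, changed). Removes "ech" and any reference to it in "mandatory"."""
    priority, target, params = parse_https_rdata(rdata)
    kept = []
    for key, value in params:
        if key == ECH_KEY:
            continue
        if key == MANDATORY_KEY:
            if len(value) % 2:
                raise ValueError("malformed mandatory list")
            keys = [int.from_bytes(value[i:i + 2], "big") for i in range(0, len(value), 2)]
            keys = [k for k in keys if k != ECH_KEY]
            if not keys:          # an empty mandatory list is not allowed, drop the parameter
                continue
            value = b"".join(k.to_bytes(2, "big") for k in keys)
        kept.append((key, value))
    return build_https_rdata(priority, target, kept), len(kept) != len(params)


def _wire_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def demo() -> dict[str, object]:
    """Constructed HTTPS RR: ServiceMode, mandatory=ech, alpn, ipv4hint and a placeholder ECHConfigList."""
    sample = build_https_rdata(1, _wire_name("svc.example.net"), [
        (MANDATORY_KEY, ECH_KEY.to_bytes(2, "big")),
        (1, b"\x02h2\x08http/1.1"),                      # alpn
        (4, bytes([192, 0, 2, 1])),                       # ipv4hint (documentation address)
        (ECH_KEY, b"constructed-ECHConfigList-placeholder"),
    ])
    stripped, changed = strip_ech(sample)
    return {
        "had_ech": has_ech(sample),
        "changed": changed,
        "keys_before": [k for k, _ in parse_https_rdata(sample)[2]],
        "keys_after": [k for k, _ in parse_https_rdata(stripped)[2]],
        "still_has_ech": has_ech(stripped),
        "second_pass_changed": strip_ech(stripped)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Only the RDATA of the answer is rewritten; the surrounding DNS message (and the DoH transport) is left to the resolver proxy, and a client that already holds an ECHConfig from an earlier lookup will still try ECH until that cache expires, which is why a block or allow decision at the TLS layer is offered alongside the DoH rewrite.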

System

See System in the New Features Guide for more information.

Feature ID

Description

480717

Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports.

883606

FortiOS allows customers to enable or disable the INDEX extension, which appends a VDOM or an interface index in RFC tables.

config system snmp sysinfo
    set append-index {enable | disable}
end

925233

Supports the separation of the SSHD host key and administration server certificate. This improvement introduces support for ECDSA 384 and ECDSA 256, allowing the SSHD to accommodate the most commonly used host key algorithms.

config system global
    set ssh-hostkey-override {enable | disable}
    set ssh-hostkey-password <password>
    set ssh-hostkey <encrypted_private_key>
end

957562

New hyperscale feature to control the rate at which NP7 processors generate ICMPv4 and ICMPv6 error packets to prevent excessive CPU usage. This feature is enabled by default, and you can use the following options to change the configuration if required for your network conditions:

config system npu
    config icmp-error-rate-ctrl
        set icmpv4-error-rate-limit {disable | enable}
        set icmpv4-error-rate <packets-per-second>
        set icmpv4-error-bucket-size <token-bucket-size>
        set icmpv6-error-rate-limit {disable | enable}
        set icmpv6-error-rate <packets-per-second>
        set icmpv6-error-bucket-size <token-bucket-size>
    next
end
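The three knobs per address family (rate-limit on/off, a sustained rate in packets per second, and a token bucket size) describe a classic token bucket: the bucket size bounds the burst of error packets that can go out at once, and the rate bounds the long-term average. The following is an added example, not FortiOS or NP7 code, that models that behaviour in software so the interplay of rate and bucket size can be seen on a constructed traffic pattern; the exact NP7 algorithm is not specified on this page and is assumed to be a standard token bucket.

```python
"""Token-bucket model of per-family ICMP error rate control (added example)."""
from dataclasses import dataclass, field


@dataclass
class IcmpErrorRateLimiter:
    rate: int             # icmpv*-error-rate: sustained error packets per second
    bucket_size: int      # icmpv*-error-bucket-size: largest burst that can leave at once
    enabled: bool = True  # icmpv*-error-rate-limit: disable means every error is generated
    tokens: float = field(init=False, default=0.0)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # The bucket starts full, so an initial burst up to bucket_size passes untouched.
        self.tokens = float(self.bucket_size)

    def allow(self, now_ms: int) -> bool:
        """Return True if an ICMP error may be generated at time now_ms (integer milliseconds)."""
        if not self.enabled:
            return True
        elapsed_ms = now_ms - self.last_ms
        if elapsed_ms > 0:
            # Refill at the configured rate, never beyond the bucket size.
            refill = elapsed_ms * self.rate / 1000.0
            self.tokens = min(float(self.bucket_size), self.tokens + refill)
            self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limiter: IcmpErrorRateLimiter, event_times_ms: list[int]) -> tuple[int, int]:
    """Feed would-be error packets through the limiter; return (generated, suppressed)."""
    generated = sum(1 for t in event_times_ms if limiter.allow(t))
    return generated, len(event_times_ms) - generated


def demo() -> dict[str, tuple[int, int]]:
    """Constructed pattern: a burst of 20 errors at t=0, then one error every 50 ms for a second."""
    pattern = [0] * 20 + [50 * i for i in range(1, 21)]
    limiters = {
        # 10 pps sustained, 5-packet burst: 5 of the burst leave, then every other 50 ms event.
        "icmpv4": IcmpErrorRateLimiter(rate=10, bucket_size=5),
        # Limiting disabled for IPv6: all 40 errors are generated.
        "icmpv6": IcmpErrorRateLimiter(rate=10, bucket_size=5, enabled=False),
    }
    return {name: simulate(limiter, list(pattern)) for name, limiter in limiters.items()}


if __name__ == "__main__":
    for name, (generated, suppressed) in demo().items():
        print(f"{name}: generated={generated} suppressed={suppressed}")
```

With these constructed values the IPv4 limiter emits 15 of 40 errors and suppresses 25; raising the bucket size lets more of the initial burst through, while raising the rate shortens the recovery time between bursts. Suppressed ICMP errors are invisible to the sender, so a host probing through the FortiGate sees timeouts rather than unreachable messages, which is worth remembering when reading path-MTU or traceroute results behind an NP7 platform.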

971546

GUI support added to control the use of CLI commands in administrator profiles.

1012626

In this enhancement, a hash of every executable binary file and shared library is taken at image build time. The file containing these hashes, called the executable hash file, is itself hashed, and that hash is signed. The signature is verified during boot-up to ensure the integrity of the file. After validation, the hashes of all executables and shared libraries can be loaded into memory for real-time protection.

1013511

This enhancement requires the kernel to verify the signed hashes of important file systems and object files during boot-up. This prevents file systems with unauthorized changes from being mounted, and other unauthorized objects from being loaded into user space at boot-up. If the signed hash verification fails, the system halts.
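Features 1012626 and 1013511 together describe one chain of trust: per-file hashes are collected at build time, the list of hashes is itself hashed and signed, the signature is checked before any entry in the list is trusted, and a failed check halts the boot rather than continuing. The following is an added example, not FortiOS code, that walks through that chain on in-memory "files". Two assumptions are made for the sake of running with the standard library alone: the image is a dict of byte strings instead of a file system, and the build signature is modelled with HMAC-SHA256 under a stand-in build key. A production scheme signs with an asymmetric private key held only on the build system, so the verifier on the device carries nothing that could forge a new signature.

```python
"""Build-time hashing and boot-time verification of an executable hash file (added example)."""
import hashlib
import hmac
import json

BUILD_KEY = b"constructed-stand-in-build-signing-key"  # stand-in for the build signing key


class IntegrityFailure(Exception):
    """Raised when the signed hash file fails verification; the boot path halts here."""


def _canonical(hashes: dict[str, str]) -> bytes:
    # Deterministic encoding so the digest does not depend on dictionary order.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_executable_hash_file(files: dict[str, bytes], key: bytes = BUILD_KEY) -> dict:
    """Image build: hash every executable and shared library, then hash and sign the list itself."""
    hashes = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    list_digest = hashlib.sha256(_canonical(hashes)).digest()
    signature = hmac.new(key, list_digest, hashlib.sha256).hexdigest()
    return {"hashes": hashes, "signature": signature}


def verify_hash_file(hash_file: dict, key: bytes = BUILD_KEY) -> dict[str, str]:
    """Boot: verify the signature over the hash list before trusting any entry in it."""
    list_digest = hashlib.sha256(_canonical(hash_file["hashes"])).digest()
    expected = hmac.new(key, list_digest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, hash_file["signature"]):
        raise IntegrityFailure("executable hash file signature mismatch")
    return dict(hash_file["hashes"])  # now safe to load into memory for runtime checks


def object_is_trusted(path: str, data: bytes, trusted: dict[str, str]) -> bool:
    """Runtime check before an object is loaded: unknown or altered objects are rejected."""
    recorded = trusted.get(path)
    return recorded is not None and hmac.compare_digest(recorded, hashlib.sha256(data).hexdigest())


def boot(files: dict[str, bytes], hash_file: dict, key: bytes = BUILD_KEY) -> list[str]:
    """Return the paths that failed the hash check; raise IntegrityFailure if the hash file itself is bad."""
    trusted = verify_hash_file(hash_file, key)
    return [path for path, data in files.items() if not object_is_trusted(path, data, trusted)]


def demo() -> dict[str, object]:
    """Three constructed scenarios: clean image, one altered binary, and an edited hash list."""
    image = {"/bin/init": b"init v1", "/bin/sshd": b"sshd v1", "/lib/libssl.so": b"libssl v1"}
    hash_file = build_executable_hash_file(image)
    results: dict[str, object] = {"clean": boot(image, hash_file)}

    # A binary changed after the build: its hash no longer matches the signed list.
    altered = {**image, "/bin/sshd": b"sshd v1 modified"}
    results["altered_binary"] = boot(altered, hash_file)

    # The hash list edited to match the altered binary, but without the build key it cannot be re-signed.
    edited = {"hashes": dict(hash_file["hashes"]), "signature": hash_file["signature"]}
    edited["hashes"]["/bin/sshd"] = hashlib.sha256(altered["/bin/sshd"]).hexdigest()
    try:
        boot(altered, edited)
        results["edited_hash_file"] = "booted"
    except IntegrityFailure:
        results["edited_hash_file"] = "halted"
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature over the list is checked first, and only then are individual objects compared against it, because an unsigned list could be edited to match whatever was placed on disk. Halting on a bad signature (rather than logging and continuing) is what makes the check enforce integrity instead of merely reporting on it.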

User & Authentication

See Authentication in the New Features Guide for more information.

Feature ID

Description

951626

Support for client certificate validation and EMS tag matching has been added to the explicit proxy policy, improving user experience and security.

973805

Added support to cache the client certificate as an authentication cookie, eliminating the need for repeated authentication.

VPN

See IPsec and SSL VPN in the New Features Guide for more information.

Feature ID

Description

951763

FortiOS supports a cross-validation mechanism for IPsec VPN, bolstering security and user authentication. This mechanism cross-checks whether the username provided by the client matches the identity field specified in the peer certificate. The identity field, which could be an Othername, RFC822Name, or CN, serves as a unique identifier for the client.

972643

FortiOS supports the TCP Encapsulation of IKE and IPsec packets across multiple vendors. This cross-vendor interoperability ensures that users can maintain a secure and efficient network, while also having the flexibility to choose the hardware that aligns best with user requirements.
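Cross-vendor interoperability for TCP encapsulation rests on both ends agreeing on one framing, which is standardized in RFC 8229 and its successor RFC 9329. The following is an added example, not FortiOS code, that implements that framing so the structure a sensor or peer has to recognize is visible: the stream opens with the 6-byte prefix "IKETCP", every message is preceded by a 16-bit big-endian Length that counts the Length field itself, IKE messages carry the 4-byte zero non-ESP marker, and ESP packets start with a non-zero SPI. The IKEv2 header and ESP bytes used as samples are constructed.

```python
"""Framing of IKE and ESP messages over a TCP stream, per RFC 9329 (added example)."""
import struct

STREAM_PREFIX = b"IKETCP"            # sent once at the start of each direction
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE messages; ESP begins with a non-zero SPI
MAX_FRAME = 0xFFFF


def frame(payload: bytes, is_ike: bool) -> bytes:
    """Prefix one IKE or ESP message with its 16-bit Length (Length counts itself)."""
    body = (NON_ESP_MARKER if is_ike else b"") + payload
    length = 2 + len(body)
    if length > MAX_FRAME:
        raise ValueError("message too large for the 16-bit Length field")
    return struct.pack("!H", length) + body


def encapsulate(messages: list[tuple[str, bytes]]) -> bytes:
    """Build one direction of the stream from ("IKE" | "ESP", payload) pairs."""
    return STREAM_PREFIX + b"".join(frame(p, kind == "IKE") for kind, p in messages)


def decapsulate(stream: bytes) -> list[tuple[str, bytes]]:
    """Split a complete received stream into ("IKE" | "ESP", payload) pairs; raise on bad framing."""
    if not stream.startswith(STREAM_PREFIX):
        raise ValueError("stream does not begin with the IKETCP prefix")
    pos, out = len(STREAM_PREFIX), []
    while pos < len(stream):
        if len(stream) - pos < 2:
            raise ValueError("truncated Length field")
        (length,) = struct.unpack_from("!H", stream, pos)
        if length < 2:
            raise ValueError("Length smaller than the Length field itself")
        end = pos + length
        if end > len(stream):
            raise ValueError("truncated message")
        body = stream[pos + 2:end]
        if body.startswith(NON_ESP_MARKER):
            out.append(("IKE", body[4:]))
        else:
            out.append(("ESP", body))
        pos = end
    return out


def is_well_formed(stream: bytes) -> bool:
    """Convenience wrapper for a detector: True if the stream parses cleanly."""
    try:
        decapsulate(stream)
        return True
    except ValueError:
        return False


def sample_messages() -> list[tuple[str, bytes]]:
    """Constructed IKEv2 IKE_SA_INIT header (28 bytes) followed by a constructed ESP packet."""
    ike_header = (
        bytes.fromhex("0123456789abcdef")   # initiator SPI (non-zero)
        + b"\x00" * 8                        # responder SPI (zero in the first request)
        + bytes([33, 0x20, 34, 0x08])        # next payload SA, version 2.0, IKE_SA_INIT, initiator flag
        + (0).to_bytes(4, "big")             # message ID
        + (28).to_bytes(4, "big")            # total length
    )
    esp_packet = (0x0000ABCD).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"encrypted-payload"
    return [("IKE", ike_header), ("ESP", esp_packet)]


def demo() -> list[tuple[str, bytes]]:
    return decapsulate(encapsulate(sample_messages()))


if __name__ == "__main__":
    for kind, payload in demo():
        print(kind, payload.hex())
```

A real receiver reads from a socket and must buffer partial frames until a whole Length-delimited message has arrived; the parser above assumes the complete stream is available, which is the situation when reassembling a capture. From a monitoring standpoint, the "IKETCP" prefix on a new TCP connection (commonly to port 4500) is the reliable marker that an IPsec tunnel is being established over TCP, independent of which vendor's equipment sits at either end.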

979375

FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.

996136

FortiOS supports session resumption for IPsec tunnel version 2. This enhances user experience by maintaining the tunnel in an idle state, allowing for uninterrupted usage even after a client resumes from sleep or when connectivity is restored after a disruption. It also removes the necessity for re-authentication when reconnecting, improving efficiency.

1006448

Enhanced SSL VPN security by restricting and validating HTTP messages that are used only by web mode and tunnel mode.

ZTNA

See Zero Trust Network Access in the New Features Guide for more information.

Feature ID

Description

945605

With this enhancement, FortiGate can share ZTNA information such as ZTNA VIP address and application specifics like application address and port via the EMS connector. On FortiClient EMS, the configured ZTNA TCP and SaaS applications are pulled into the ZTNA application catalog. These apps can be applied to ZTNA Destinations without any additional configurations.