Proxy-related features not supported on FortiGate 2 GB RAM models
As part of improvements to enhance performance and optimize memory usage on FortiGate models with 2 GB RAM or less, starting from version 7.4.4, FortiOS no longer supports proxy-related features. This change impacts the FortiGate/FortiWiFi 40F, 60E, 60F, 80E, and 90E series of devices and their variants, and FortiGate-Rugged 60F (2 GB versions only).
FortiGate VMs are not affected by the size of the memory and will continue to support proxy-related features after upgrading to FortiOS 7.4.4. However, it is recommended to have at least 4 GB of RAM for proper operation. |
After upgrade to FortiOS 7.4.4 or later, the following proxy features are no longer supported on impacted devices:
-
Zero Trust Network Access (ZTNA)
This includes all ZTNA objects and functionalities, including applying ZTNA tags in IP/MAC based access control. For example,
ztna-status
can no longer be enabled, andztna-ems-tag
andztna-geo-tag
can no longer be used. -
UTM profile with proxy-based inspection mode
-
Firewall policy with proxy-based inspection mode
-
Explicit and transparent proxies
-
Layer 7 Virtual server types (HTTP/HTTPS/IMAPS/POP3S/SMTPS/SSL)
-
Proxy-only UTM profiles:
-
Video Filter
-
Inline CASB
-
ICAP
-
Web application firewall (WAF)
-
SSH Filter
-
DNS filter profile for scanning DoT and DoH
-
-
WAN optimization
To confirm whether your FortiGate model has 2 GB RAM or less, enter diagnose hardware sysinfo conserve
in the CLI. If the total RAM value is below 2000 MB (1000 MB = 1 GB), then your device has 2 GB RAM or less.
Upgrading from previous firmware versions
Before starting the upgrade from a firmware version that supports proxy-related features to FortiOS 7.4.4 or later that no longer supports proxy-related features on FortiGate 2 GB RAM models, it is crucial that you carefully review the following upgrade scenarios. The scenarios provide important information about the upgrade process and its potential impacts. Please proceed with the upgrade only after you fully understand and are comfortable with the conditions and potential outcomes outlined in these upgrade scenarios.
Previous version |
Upon upgrade to FortiOS 7.4.4 or later |
---|---|
Proxy-based inspection mode is enabled on a firewall policy. |
Inspection mode is converted to flow mode. |
Proxy-based inspection mode is enabled on a firewall policy with proxy-only UTM profiles, such as WAF applied. |
Inspection mode is converted to flow mode, and the proxy-only UTM profiles are removed. Proxy-only UTM profiles are no longer supported. |
Proxy-related settings are configured on a security profile, such as Content Disarm on an AntiVirus Profile. |
The security profile is converted to flow-based, and the proxy-related setting is no longer available. |
A proxy-only feature, such as ZTNA, explicit proxy or WAN optimization, is enabled. |
The proxy-only configuration is removed. |
Before initiating the firmware upgrade process, it is crucial to create a backup of the current working configuration. This step ensures that you have a fallback option in case of any unforeseen issues during the upgrade. Once you have secured a backup, you can proceed with the upgrade process. After the upgrade has been successfully completed, it is highly recommended to thoroughly review all your policies. This review process lets you confirm that all the policies that you expect to be in place are present and will function as intended. Ensure any settings that are removed do not impact the security of your firewall policy. See the Best Practices guide for more information. |