AzureSDN connectors support IPv6 address objects.

FortiOS Azure SDN connector moves private IP on the trusted NIC during A/P HA failover.

Introduce GraphQL bulk query to FortiGate on Azure to reduce the number of API queries going out to Azure and as a result, reducing the time taken to resolve SDN connector Dynamic objects in a large environment.

Configure the FGT_VM64_AZURE SDN connector and firewall address objects. The following IP address filters are supported:

Spoke_1 (AZ) # show

config firewall address
    edit "AZ"
        set uuid 6b18eb16-7069-51ef-c174-58f82ee3d1b2
        set type dynamic
        set sdn "6899_AutoScale_1"
    next
end

Spoke_1 (AZ) # set filter
<key1=value1> [& <key2=value2>] [| <key3=value3>]

Available filter keys are:

<Vm><Tag.><Size><Location><SecurityGroup>

<Vnet><Subnet><ResourceGroup><ApplicationSecurityGroup><Vmss><Subscription>

<LoadBalancer><ApplicationGateway>

<ServiceTag><Region>

<K8S_Cluster><K8S_Namespace><K8S_ServiceName><K8S_NodeName>

<K8S_PodName><K8S_Region><K8S_Zone><K8S_Label.>

FortiGate-VM supports AWS Nitro TPM 2.0 specification.

FortiOS version 7.6.1 supports the use of MLX5/4 and the upcoming MANA NIC on Azure Dv6/Ev6 instance types.

Introducing the new Asset Details slide-in page, accessible using the action buttons/menus on multiple GUI pages. This page provides comprehensive endpoint information, streamlining the diagnostic process and reducing reliance on CLI commands.

Introducing a new tab in the command palette called Diagnostics. This new tab provides a list of troubleshooting commands, allowing users to browse and search for debug commands directly within the GUI, enhancing efficiency and ease of use.

FOS supports QinQ for the switch controller, allowing MSSPs to manage multiple clients networks by having a unique customer VLAN for each client and each client can have its own, self-managed 4K VLAN range in their virtual domain. This ensures better segregation and control over network traffic.

Introducing Split Tunnel Mode for FortiExtender in LAN extension mode. With this feature, specific traffic patterns defined by the split service are sent directly to the FEXT local gateway. This reduces the load on the central FGT by routing less traffic through the LAN extension tunnel, thereby enhancing efficiency and network performance.

Previously, VLAN optimization could only be enabled or disabled. The new VLAN pruning feature selectively allows only necessary VLANs on the path between destinations on auto-generated trunks, reducing traffic congestion and enhancing network performance.

Added support for VLANs over a FortiExtender configured as a LAN extension. VLAN support is configured on the FortiGate Access Controller using the GUI or using these CLI commands:

config extension-controller extender-profile
    edit <FortiExtender Profile>
        set extension lan-extension
        config lan-extension
            config downlinks
                edit <id>
                    set type port
                    set port <port>
                    set pvid <vlanid>
                next
            end
        end
    next
end

Where port is the VLAN interface added to the FortiExtender interface and vlanid is the desired VLAN ID.

FortiOS now includes advanced Wireless Intrusion Detection System (WIDS) options, enhancing the detection and reporting of a wider range of wireless threats. This upgrade boosts security, providing customers with superior detection against potential intrusions.

FortiGate can now register authorized FEXT (FortiExtender) devices. Previously, it could only register FAP (FortiAP) and FSW (FortiSwitch) devices. This new feature ensures comprehensive network management by including all connected devices.

The FOS WiFi Controller now includes a called-station-id-type setting, allowing customization of the Called-Station-Id attribute in RADIUS Access-Request packets to use MAC:SSID, IP:SSID, or APName:SSID formats, enhancing network configuration flexibility.

conf wireless-controller vap
    edit <name>
        set called-station-id-type {mac | ip | apname}
    next
end

FortiAP now supports console, SSH, or HTTPS login using remote user accounts from a third-party TACACS server, enhancing flexibility and security in account management.

FortiGate now generates accounting messages when WiFi clients connect to an SSID with MPSK created through the FortiGuest self-registration portal, enhancing network management and user accountability.

Add 2.5G and 5G speed options for the 10/1 GigE RJ45 interfaces (port1-16) on the FortiGate 2600F platform. Also add an auto option (the new default) that automatically adjusts the port speed. Existing port speed configurations will be maintained during the firmware upgrade.

Support including denied multicast sessions in the session table. This feature allows the creation of sessions for denied multicast traffic, enabling subsequent packets to be directly matched and dropped, reducing CPU usage and improving performance.

config system setting
    set ses-denied-multicast-traffic {disable | enable}
end

To support VRF route leaking, on FortiGates with NP6 and NP7 processors, you can use the following command to enable accelerated NPU inter-VDOM links without enabling multi-VDOM mode.

config system global
    set single-vdom-npuvlink {enable | disable}
end

Enhanced flexibility and performance in network with smaller configurable TTL for UDP traffic on hyperscale firewall VDOMs. Previously, the minimum TTL for UDP traffic was set at 120 seconds for Hyperscale firewall VDOMs. This enhancement removes that restriction, allowing users to configure the TTL to 1 second or more. This change offers greater flexibility in network management and enhances network performance.

Extended VRF ID Range for Enhanced Network Scalability. Previously, up to 252 Virtual Routing and Forwarding (VRF) instances could be configured per VDOM, with VRF IDs ranging from 0 to 251. With this enhancement, the VRF ID range has been extended to 0-511, allowing for a minimum of 512 unique VRFs per VDOM. This enhancement allows for greater scalability and flexibility in network configurations.

FortiGate now supports inspecting 802.1ah packets within a virtual wire pair configuration. This enhancement enables deep packet inspection and UTM scanning. By leveraging this capability, FortiGate can effectively analyze and inspect the 802.1ah header, perform the necessary inspection, and then re-add the header, ensuring robust protection against a wide range of cyber threats.

Previously, local-out traffic could not specify a Virtual Routing and Forwarding (VRF) instance, but now it can, allowing for traffic segregation, optimized routing, and enhanced policy enforcement, which improves network organization, security, and performance.

Introducing a new FortiGate feature that disables IP address translation within the SIP payload in 464XLAT environments. This ensures SIP packets with IPv4 information reach user equipment without translation, preventing RTP connection issues and improving the reliability of SIP-based services.

Added support for specifying the outgoing interface and VRF for a web proxy forward server or a web proxy isolator server, such as FortiIsolator.

config web-proxy forward-server
    edit <name>
        set interface-select-method specify
        set interface <port>
        set vrf-select <vrf-id>
    next
end

config web-proxy isolator-server
    edit <name>
        set interface-select-method specify
        set interface <port>
        set vrf-select <vrf-id>
    next
end

The hw-session-sync-dev option now supports multiple physical interfaces, up to twice the number of Network Processors (NPs). Additionally, it now shares the ports between hardware and software session-sync devices. This enhancement increases reliability and flexibility in network configurations.

FortiGate Rugged 70F and FortiGate Rugged 70F-3G4G include a general purpose input output (GPIO) module, also known as, a digital I/O (DIO) module. Added support for SNMP traps or notifications and automation stitch notifications when DIO module alarm functionality is activated, that is, when a change in any digital input is detected and the digital output is activated. Notification support depends on previously configured config system digital-io and execute digital-io set-output settings prior to event notification.

SNMP and automation stitch notifications can be configured using these CLI commands on FortiGate Rugged 70F and FortiGate Rugged 70F-3G4G devices only:

• For automation stitch support, in config system automation-condition added new options set condition-type input and set input-state open | close

• For SNMP support, in config system snmp community added new option set events dio

Added support for a web proxy isolator server, such as FortiIsolator, in proxy policies and added a new Isolate action in proxy-policy to distinguish isolated traffic from normal traffic in logs. Isolators are fundamentally the same as web proxy forward servers because both will redirect HTTP/HTTPS requests to an HTTP/HTTPS proxy server. However, isolators have the specific function of isolating potentially unsafe traffic from a user environment.

To support configuration of isolator servers for explicit web proxy and transparent web proxy types:

• Added CLI commands:

  • config web-proxy isolator-server for configuring isolator servers

  • set action isolate and set isolator-server <name> for config firewall proxy-policy, set proxy explicit-web, or set proxy transparent-web

Support Fully Qualified Domain Name (FQDN) address groups within the Internet Service Database (ISDB), addressing the challenge of frequently changing IP addresses and ensuring accurate and reliable firewall policies.

The current Port block allocation (PBA) and Fixed port range (FPR) IP Pool mechanisms use a sequential port selection algorithm, assigning the next available non-conflicting port within the specified range. This enhancement introduces the port-random firewall policy option for enabling a randomized port selection algorithm, making the allocation process less predictable, thus enhancing security.

FortiOS has introduced a new dynamic address object subtype, RSSO, which can be used in both the source and destination fields of firewall policies. This enhancement allows for more granular and precise policies based on RSSO group membership, enhancing security and flexibility in managing network traffic and enforcing policies.

Introducing a new ISDB entry for Fortinet SOCaaS, Fortinet-FortiGuard.SOCaaS. This feature enables customers to configure policies for devices to forward data to SOCaaS collectors without relying on DNS. By eliminating the dependency on DNS, this enhancement reduces the risk of DNS mapping failures, ensuring a more reliable and seamless data forwarding process.

Hyperscale FortiOS now supports a configurable interim log for PBA NAT logging. This enables continuous access to PBA event logs during an ongoing session, providing comprehensive logging throughout the session's lifespan.

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set pba-interim-log
    next
end

The log-interval range is 600 to 86400 seconds. Default is 0 which disables interim logging.

Interim logging is supported by the NP7 hardware log module and host hardware logging. Interim logging is also compatible with per-session, per-mapping, and per-session ending logging modes and works with the NetFlow and syslog log formats.

Interim logging for PBA sessions was added to mainstream FortiOS version 7.6.0.

A new default local-in-policy has been added with internet service source enabled for Malicious-Malicious.Server, Tor-Exit.Node, and Tor-Relay.Node. This policy is designed to utilize these 3 ISDB sources to identify known malicious threat actors and prevent them from accessing any interface on the FortiGate on any service and port.

In this enhancement, support for a new FortiGuard SLA Database (SLA Database), which includes popular SaaS and Internet destinations and recommended settings that can be selected as probe servers for SD-WAN Performance SLA configuration in the GUI using the Performance SLA and SLA Target fields in the New Performance SLA page and in the CLI using these commands:

config system sdwan
    config health-check
        edit <health-check name>
            set fortiguard enable
            set fortiguard-name <target-name-from-SLA-Database>
        next
    end
end

The FortiGate requires a valid SD-WAN Network Monitor (SWNM) entitlement to be applied for the FortiGuard SLA Database to be downloaded or updated.

In this enhancement, an SD-WAN wizard is added to the SD-WAN > SD-WAN Zones page to provide guided configuration of these settings for a simple SD-WAN setup (maximum of two members can be added in the SD-WAN wizard):

• Interface

• Networking

• Performance SLA

• SD-WAN Rule

After the wizard is used, a default static route using the newly created SD-WAN interface must still be configured.

The FortiGate requires a valid SD-WAN Network Monitor (SWNM) entitlement to be applied for the SD-WAN wizard to be visible.

In this enhancement, support has been added for passive application performance monitoring (APM) by measuring and logging these metrics per TCP session:

• Network response time

• Server response time

• Original retransmits

• Reply retransmits

• SYN retransmits

• SYN-ACK retransmits

• Original or reply resets

These passive measurements are configured in firewall policies with the SD-WAN zone as the destination interface using these CLI commands:

configure firewall policy
    edit <entry>
        set app-monitor <enable | disable>
    next
end

Upon enabling this feature, NPU offloading for the firewall policy is disabled automatically.

This feature assists with monitoring performance of TCP traffic and locating potential network issues. TCP metrics can be displayed using diag sys session list in the CLI and in forward traffic logs displayed in either the CLI or the GUI.

SD-WAN traffic steering remains independent from the measured TCP session metrics.

In this enhancement, when a spoke advertises routes using iBGP to a hub, introduced mapping of SD-WAN member priorities into the BGP MED attribute using these CLI commands:

config system sdwan
    config neighbor
        edit <bgp-peer-IP>
            set member <num_1> <num_n>
            set route-metric priority
            set health-check <health-check-name>
        next
    end
end

Routes to prefixes behind spokes are advertised by the SD-WAN hub to eBGP peers on an external network. The relative values of the BGP MED attribute for each hub are used to indicate to eBGP peers the more preferred paths, namely, the preferred hub used to route to spoke prefixes.

This enhancement depends on the spoke SD-WAN configuration defined in the Embed SLA priorities in ICMP probes feature and hub SD-WAN and BGP configuration defined in the Embed SLA status in ICMP probes feature.

Hubs are not necessarily connected to all the same underlay transports as Spokes. For ADVPN 2.0, added support for shortcuts between Spokes using transports to which Hubs are not connected using overlay placeholders. For example, if Spokes are configured with an overlay over the Internet and an overlay over MPLS using this tunnel interface as a placeholder since it is not established with the Hub, ADVPN 2.0 allows a shortcut tunnel to be established over MPLS if this path is in-SLA and is the best quality. Each Spoke should be configured with these CLI commands:

config vpn ipsec phase1-interface
    edit <placeholder_phase1_interface_name>
        set type dynamic
        ...
        set net-device enable
        ...
        set auto-discovery-dialup-placeholder enable
    next
end

The duplication-max-discrepancy latency setting defines the interval in which a duplicate packet received during packet duplication will be dropped when packet-de-duplication is enabled.

config system sdwan
  set duplication-max-discrepancy <interval>
end

Where <interval> is 250-1000ms (default = 250ms).

Add Known Exploited Vulnerabilities (KEVs) information to IoT/OT vulnerabilities stored in the user/device store, and display KEV counts and warnings accordingly on the GUI Asset Identity Center page, thereby enhancing security visibility for users.

OCI SDN connectors support IPv6 address objects.

GCP SDN connectors support IPv6 address objects.

Users can now hide non-relevant Security Rating tests, streamlining the user experience by displaying only pertinent information.

OCI SDN connectors support IPv6 for dynamic firewall addresses and high availability failover.

Generic Connector for Importing Addresses. This new feature allows seamless integration with any third-party database using a JSON-based REST API, converting each JSON entry into an address object on the FortiGate, thus automating the process and enhancing efficiency.

Introducing controls for CA (Certificate Authority) and CN (Common Name) fields. Previously, FortiSandbox could not verify certificates or automatically retrieve CNs from remote FSAs. Now, users can manually set a trusted CA and expected CN or enable automatic CN retrieval and verification, improving FortiSandbox TLS connection security.

In this enhancement, risk level rating is added to the FortiGuard URL rating service. FortiGate can query the rating service to retrieve the risk score for a URL. This risk score rates the likelihood that a website has malicious intent. This risk score and level can be used in a webfilter profile to apply a block or monitor action, or it can be used as a match criteria for a web proxy policy.

A new ocr-only option has been added to the ICAP profile, allowing you to forward only image files (such as JPEG, JPG, PNG) relevant for OCR scanning to the ICAP server, such as FortiProxy. This selective forwarding applies exclusively to responses, not web requests. This feature enhances overall system efficiency by reducing processing time and optimizing resource usage.

config icap profile
    edit <name>
        set ocr-only enable
    next
end

FOS now supports dynamic shaping profiles for traffic offloaded by NP7 and NP7Lite (SoC5) processors, allowing traffic control policies to be applied per user based on authentication details and bandwidth parameters from the RADIUS server. This enables flexible QoS strategies tailored to individual users instead of static interface-based shaping.

The inline CASB security profile has been enhanced to support control factors such as tenant information in JSON data exchanged between a web browser and a custom SaaS application. For example, for some custom SaaS applications, the URL does not change to reflect the type or identity of the user or organization when logged in as such tenant information is exchanged using JSON data instead of through changes in the URL. With this enhancement, JSON data can be extracted using JQ filters.

To enhance the security of system administrator passwords, FortiGate now uses PBKDF2 as the hashing scheme with randomized salts to hash and store the password.

To maintain downgrade support, a new command is introduced:

config system password-policy
    set login-lockout-upon-downgrade {enable | disable}
end

Previously, customers had to register each Fortinet device to their FortiCare account individually. This new feature simplifies the process with a one-click solution, allowing customers to register all Fortinet devices in the same security fabric group at once. It lists all unregistered fabric components (FGT, FAP, FSW) and provides a Register All option, saving time and effort.

Support Firmware Upgrade Report. This enhancement allows users to perform sanity checks by comparing configurations and statistics before and after a firewall upgrade, thereby enhancing the upgrade process and providing detailed assurance of successful upgrades.

FortiGate A-P HA cluster now supports sharing a single FortiGuard service license for both cluster units for the following models and their variants: 40F, 60F, 70F, 80F, and 100F.

Subscriptions and FortiGuard settings are now organized into separate tabs with clear distinctions between licensed, expired, and available-for-purchase subscriptions, providing customers with a more intuitive and informative layout.

This enhancement reduces ipshelper CPU usage during the database update process, optimizing system performance and ensuring smoother operations.

For the FortiGate 7000F platform, you can use the following commands to control how traffic from individual VDOMs is load balanced to FPMs. By default, traffic from any VDOM is distributed to all FPMs using the default dp-load-distribution-method. However, you can set up groups of FPMs (called worker groups) and send traffic from individual VDOMs to a selected worker group.

Use the following command to create a new worker group:

config system global
    config load-balance worker-group
        edit wrk-grp-678
            set member 6 7 8
end

The default worker group (named default) sends traffic to all FPMs. You cannot edit or delete this worker group. By default, each VDOM is configured to send traffic to the default worker group.

You can change the worker group that a VDOM sends traffic to by editing the VDOM and using the following command to change the worker group:

config vdom
    edit root
        config system settings
            set dp-load-distribution-group wrk-grp-678
end

You can also configure the load distribution method used for traffic for each VDOM:

config vdom
    edit root
        config system settings
            set dp-load-distribution-method {to-primary | src-ip |dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport | derived}
end

Added route monitoring to FGSP, enhancing network stability by detecting route prefix withdrawals. This prevents traffic loss in complex environments and improves the UTM scanning experience.

Introducing Bearer Token authentication alongside the current pre-shared secret improves security between the SCIM server and client. The new bearer tokens, generated by FortiOS, are temporary, minimizing the risk of unauthorized access and adhering to modern security standards.

Support Post-Quantum Cryptography (PQC) for IPsec key exchange, enhancing security with algorithms that protect against quantum computer attacks. This update ensures future-proof encryption and addresses vulnerabilities in traditional methods, aligning with upcoming security standards.

In FortiOS, the WiFi controller supported the MPSK feature on a WPA2-Personal SSID by applying an MPSK profile or enabling RADIUS MAC authentication. However, for a WPA3-SAE SSID, the MPSK feature was only supported through the application of an MPSK profile. This enhancement allows WPA3-SAE SSIDs to utilize RADIUS MAC authentication to implement the MPSK feature.

A ZTNA web portal is added for accessing applications directly within the portal without requiring FortiClient to be installed on the endpoint or a client certificate check. The ZTNA portal handles authentication and authorization of traffic destined for the protected resources. It is implemented entirely in WAD.

config ztna web-portal
    edit <name>
        set vip <vip name>
        set host <Virtual host name>
        set auth-portal {enable | disable}
        set vip6 <Virtual IPv6 name>
        set auth-rule <rule>
    next
end
config ztna web-portal-bookmark
    edit <name>
        set users <users>
        set groups <groups>
        config bookmarks
            edit <name>
                set apptype {ftp | rdp | sftp | smb | ssh | telnet | vnc | web}
                set url <string>
                set host <name or IP>
                set description <Description>
                set port <remote port>
                set sso {enable | disable}
            next
        end
    next
end