The default DH groups for Phase1 and Phase2 IPsec VPN tunnels is updated from 14 and 5 to 20 and 21 when configured from the CLI.

Upon upgrade, VPNs that had the default DH group 14 and 5 will be updated to DH groups 14, 20 and 21 when upgraded.

On FortiGates with NP7 processors, the default setting for vlan-lookup-cache has been changed to disable, and the htab-msg-queue mode is now set to dedicated.

config system npu
    set vlan-lookup-cache disable
    set htab-msg-queue dedicated
end

See also Changing vlan-lookup-cache requires system restart.

With asymroute-icmp and asymroute6-icmp enabled, ICMP replies are no longer strictly routed back through the same interface they arrived on. If a return route via the incoming interface is unavailable, the system will now choose the best available route instead. This behavior improves reliability and reduces packet drops in asymmetric routing scenarios.

config system settings
   set asymroute-icmp {enable | disable}
   set asymroute6-icmp {enable | disable}
end

When auth-ike-saml-port is used, iprope will match the local-in traffic only when the destination port is auth-ike-saml-port, and the destination interface has ike-saml-server enabled.

FortiGate models with two (2) WAN ports will have the following added to their default configuration:

• Both WAN ports are set to DHCP mode.

• An SD-WAN zone is created, and both WAN ports are added as members.

• Default firewall policy utilizes the SD-WAN zone.

• An SLA is created, utilizing IP addresses 1.1.1.1 and 9.9.9.9 for internet connectivity evaluation.

Affected models (where x can be 0 or 1): 6xE, 6xF, 7xF, 7xG, 8xE, 8xF, 9xE, 9xG, 10xE, 100EF, 10xF, 12xG, 140E, 20xE, 20xF.

See also Create default configuration of SD-WAN on FortiGate models with two WAN ports.