
FortiOS Release Notes

New features or enhancements

More detailed information is available in the New Features Guide.

GUI

See GUI in the New Features Guide for more information.

Feature ID

Description

1183975

The FortiGate setup wizard includes options to configure a gateway to establish internet connectivity, which is required for successful registration with FortiCare. Additionally, for air-gapped environments, the wizard allows users to upload an offline license file directly, enabling successful registration even when the device cannot reach FortiCare. This enhancement resolves setup-blocking issues and improves deployment flexibility.

1186780

Security Rating tooltips now include a footer button to view all insights for a configuration object, plus individual controls to hide specific insights directly from the tooltip. Hidden insights are still indicated, improving visibility and user control.

LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID

Description

1078408

FortiAP now supports management over IPv6. This enhancement enables seamless integration into modern, IPv6-based network environments. It improves scalability, simplifies configuration in large deployments, and ensures compliance with evolving regulatory and infrastructure standards.

1095618

DARRP channel selection can be handled by FortiAIOps when available, which collects radio data from FortiGate via REST APIs and recommends optimal channels to reduce interference. This shift enables smarter, centralized Wi-Fi tuning in high-density environments like campuses.

1139482

Added support for WPA2/WPA3-Enterprise and WPA3-SAE authentication in client mode on FWF G-series models, enabling secure and flexible network authentication.

1150610

FortiAPs can now automatically request certificates from EST or SCEP servers configured in the wtp-profile, eliminating the need for manual CA uploads via TFTP. This streamlines 802.1X WAN deployments and simplifies certificate renewal.

1185065

FortiAP-K models now support Multi-Link Operation (MLO) as part of Wi-Fi 7, enabling simultaneous data transmission across multiple bands (2.4, 5, and 6 GHz) for improved performance and efficiency.

1185772

Default soft-switch interfaces and open SSIDs have been removed across FortiWiFi platforms to enhance security and simplify network design. For 4xF/6xF/G-series models, the default WiFi VAP remains in tunnel mode with preconfigured IP, DHCP, and firewall policies for easy setup. On 8xF-2R models, WiFi VAPs now operate in bridge mode, integrating with the hardware switch so clients receive DHCP from the internal interface and benefit from firewall policy control.

1187026

Mesh leaf FAP settings can now be configured directly through the GUI, enabling faster, more intuitive setup of mesh connections.

1187056

When customers run an older FortiOS version that does not support a newly released FortiAP model, the AP will now be classified as FAP MVP, a generic Wi-Fi 7 2x2 dual-band profile. This provides limited management and visibility until the user upgrades to a FortiOS release that fully supports the AP model.

1200877

Add LoRaWAN gateway support to the FortiAP 222KL, enabling the device to receive LoRaWAN sensor data and securely forward it to supported network servers. This enhancement allows the AP to operate as both a WiFi and LoRaWAN gateway, streamlining IoT sensor integration within existing network environments.

1217645

Previously, virtual switches in a software switch could not enable 802.1X authentication. Now, this restriction is removed: 802.1X can be enabled when the software switch's intra-switch-policy is set to explicit, allowing secure dynamic VLAN control and traffic regulation.

Log & Report

See Logging in the New Features Guide for more information.

Feature ID

Description

1170883

In Log Settings > Global settings under Preferences, when Resolved hostnames is enabled, provide the following options:

  • On log creation (resolve-ip enabled) will add the resolved hostname when the logs are generated and add it as dstname. In the GUI, display the dstname field.

  • When viewed (resolve-hosts enabled) will resolve the destination IP addresses during fetching of logs.

If both are enabled from CLI, then On log creation takes precedence.

Network

See Network in the New Features Guide for more information.

Feature ID

Description

1099374

If your FortiGate with NP7 processors is experiencing high CPU usage because the CPU is processing many denied sessions, you can use the following command to offload those denied sessions to NP7 processors and reduce CPU usage:

config system npu
    set session-denied-offload {enable | disable}
end

1124535

FortiGate now provides control over whether domains from delegated IPv6 prefixes are included in DNS Search List (DNSSL) options sent via Router Advertisements. This feature improves flexibility in managing domain propagation for downstream clients.

config ip6-delegated-prefix-list
    edit <id>
        set dnssl-service {enable | disable}
    next
end

Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID

Description

1078303

FQDN address groups within the ISDB, previously supported in firewall policies, can now also be applied to NGFW policies.

1169071

Manually override and disable passive learning of FQDN addresses by disabling the following command on the firewall address object:

config firewall address
  edit <address> 
    set passive-fqdn-learning {disable | enable}
  next
end

By default, the setting is enabled.

SD-WAN

See SD-WAN in the New Features Guide for more information.

Feature ID

Description

1135850

Added IPv6 support for HTTP and TWAMP protocols in SD-WAN health-checks. Added `probe-response` in ipv6-allowaccess of interface settings.

FGT_A:

config system sdwan
    config health-check
        edit "ipv6_test"
            set addr-mode ipv6
            set server 2000:172:16:200::1
            set protocol twamp
        next
    end
end

FGT_B:

config system interface
    edit "port3"
        ...
        config ipv6
            set ip6-address 2000:172:16:200::1/64
            set ip6-allowaccess ping https ssh probe-response
        end
    next
end
config system probe-response
    set mode twamp
end
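
To check which interfaces in a configuration backup answer SD-WAN probes over IPv6, the following added example (not Fortinet code) parses the config/edit/set/next/end block syntax shown above and reports every interface with `probe-response` in `ip6-allowaccess`, together with any management services enabled on the same interface. The sample configuration, the `port4` entry and the `MGMT_SERVICES` set are constructed assumptions.

```python
import shlex

# Constructed sample modelled on the FGT_B snippet above. The "port4" entry,
# the vdom line and the second address are illustrative, not from the page.
SAMPLE_CONFIG = """
config system interface
    edit "port3"
        set vdom "root"
        config ipv6
            set ip6-address 2000:172:16:200::1/64
            set ip6-allowaccess ping https ssh probe-response
        end
    next
    edit "port4"
        config ipv6
            set ip6-address 2000:172:16:201::1/64
            set ip6-allowaccess ping
        end
    next
end
config system probe-response
    set mode twamp
end
"""

# Assumption: the allowaccess values this audit treats as administrative.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp"}


def parse_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Sections are stored under "config <path>" and "edit <name>" keys so they
    cannot collide with option names; each option maps to a list of values.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote in a value: skip the line
            continue
        if not tokens:
            continue
        word, args = tokens[0], tokens[1:]
        if word in ("config", "edit"):
            key = f"{word} {' '.join(args)}".strip()
            stack.append(stack[-1].setdefault(key, {}))
        elif word == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif word in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_ipv6_access(text):
    """List interfaces that allow probe-response over IPv6."""
    cfg = parse_config(text)
    responder = cfg.get("config system probe-response", {}).get("mode", ["not set"])[0]
    findings = []
    for key, entry in cfg.get("config system interface", {}).items():
        if not key.startswith("edit "):
            continue
        access = set(entry.get("config ipv6", {}).get("ip6-allowaccess", []))
        if "probe-response" not in access:
            continue
        findings.append({
            "interface": key[len("edit "):],
            "responder_mode": responder,
            # Management protocols reachable on the same probe-facing interface.
            "mgmt_also_exposed": sorted(access & MGMT_SERVICES),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ipv6_access(SAMPLE_CONFIG):
        print(finding)
```

Interfaces that list management services next to `probe-response` are worth reviewing, since a probe target only needs the responder itself to be reachable from its SD-WAN peers.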

1156116

Enhancements to SD-WAN interface speed test to allow for dynamic QoS application and more resiliency for cloud speed test connections.

  • Automatically apply scheduled speed-test results (Out/In Bandwidth) to interface for QoS purpose. Respect any configured min+max in/out bandwidth values.

  • Select FTNT_Auto as default cloud server group to perform speed-test if a specific server group isn't specified.

  • Initiate retry mechanism once speed-test against cloud server fails.

1187047

  • A three-hour window can now be selected in the firewall schedule setting. If the time-based firewall schedule is applied to a speed test, the start of the speed test is randomized within the three-hour window.

    config firewall schedule recurring
        edit <name>
            set label-day <none | over-night | early-morning | morning | midday | afternoon | evening | night | late-night>
        next
    end
  • Two new attributes retries and retry-pause are added into speed-test-schedule to improve retry mechanism. When retries X and retry-pause Y are set, FortiGate attempts test X times then pauses Y seconds. Three attempts total are made in the same pattern. If all attempts fail, the next server is selected, and the pattern is repeated.

    config system speed-test-schedule
        edit "port1"
            set retries <value>
            set retry-pause <value>
        next
    end
  • The server-name attribute is allowed in speed-test-schedule to define what cloud server-group will do the speed-test first.

    config system speed-test-schedule
        edit "port1"
            set server-name <server group name>
        next
    end

1187158

This feature enables hubs to detect when a spoke is dead (no SLA probes over a configurable duration) and suppress routes to that spoke. A BGP route-map-out is used to match this suppression status, and adjusts the MED to inform BGP peers of the hub to direct traffic to the spoke through another hub.

config system sdwan
    config health-check
        edit <name>
            set update-bgp-route [enable/disable]
        next
    end
end

config router route-map
    edit "suppress_dead_spoke"
        config rule
            edit 1
                set match-suppress enable
                set set-metric 999                                               
            next
            edit 2
                set set-metric 10                                                 
            next
        end
    next
end

config router bgp
    config neighbor
        edit "172.31.0.129"                              
            set attribute-unchanged med
            set route-map-out "suppress_dead_spoke"
        next
    end
end

Security Profiles

See Security profiles in the New Features Guide for more information.

Feature ID

Description

1166828

In this enhancement, proxy-based inspection is brought back for email protocols on FortiGate models with 2 GB RAM. This covers the following services:

  • SMTP(s)

  • POP3(s)

  • IMAP(s)

  • NNTP

Firewall policies can once again support proxy-based inspection mode when users select one or more of the above services in the firewall policy.

1178045

Add CLI setting to configure the FortiSandbox inline mode block (ILB) timeout:

config antivirus profile
    edit <name>
        set fortisandbox-scan-timeout <30-180>
    next
end

System

See System in the New Features Guide for more information.

Feature ID

Description

1000357

Improved Hyperscale FortiOS support for SNMP MIB OIDs to monitor IP and PBA usage in CGNAT IP pools. The newly supported fields include:

  • fgFwIppStatsFreePBAs, number of free PBAs in ippool list.

  • fgFwIppStatsInusePBAs, number of in-use PBAs in ippool list.

  • fgFwIppStatsTotalPBAs, number of PBAs in ippool list.

  • fgFwIppStatsInuseIPs, number of in-use IPs in ippool.

  • fgFwIppStatsFreeIPs, number of free IPs in ippool.

The fgFwIppStatsExpiringPBAs SNMP field is not supported by FortiOS 7.6.5.

1006397

Granular failure details for each device in a federated upgrade are now reported, allowing users to identify individual devices with specific failure reasons during the upgrade process.

1123102

Added support for FortiSASE Sovereign licensing bundles for FortiGate 91G and 901G. With this licensing applied, the GUI and CLI are restricted to read-only after the following CLI settings are configured:

config system sov-sase
   set status enable
end

After the CLI settings above are configured, all FortiGate configuration changes are managed from FortiSASE-Sovereign Portal.

1133400

Optimize memory usage on FortiGate models with 2GB or 4GB of RAM by:

  • Starting the router daemon only when routing configurations are detected

  • Reducing the memory reserved for Network Processors (NPs)

  • Setting nTurbo max frame size to 1500. Interfaces with higher MTU will not offload to nTurbo

Affected 2GB model families: 40F, 60F and 50G

Affected 4GB model families: 70F, 80F and 70G

1165591

The black box feature, which captures and saves information about the system on supported models with TPM and NVMe drive, such as the FG-700G, now supports uploading debug logs via SCP and SFTP.

To upload:

diagnose debug black-box upload scp <destination string> <yyyymmdd>
diagnose debug black-box upload sftp <destination ip> <user> <pwd> <dst folder> <yyyymmdd>

1202253

FortiGate expands HTTPS management interface capabilities by supporting quantum-resistant TLS algorithms, including hybrid key exchange and PQC certificates. This ensures secure administrative access while maintaining compatibility with non-PQC-capable clients.

User & Authentication

See Authentication in the New Features Guide for more information.

Feature ID

Description

1216102

When using SAML authentication in a web proxy, the timeout value of the sign-on URL in the auth query can be configured with the following setting:

config web-proxy global
    set auth-sign-timeout <30-3600>
end

This allows the client a longer time to access the sign-on URL to the IdP.

VPN

See IPsec and SSL VPN or Agentless VPN in the New Features Guide for more information.

Feature ID

Description

1152420

FortiOS now supports Post-Quantum Cryptography (PQC) for Agentless VPN. This enhancement introduces new CLI options for Agentless VPN, allowing you to select pure and hybrid PQC algorithms to prepare for future quantum computing threats.

1195216

FortiGate now supports TLS 1.3 hybrid Post-Quantum Cryptography (PQC) key exchanges in SSL deep inspection (flow mode), enabling secure traffic inspection. This enhancement ensures compatibility with modern browsers and PQC-enabled servers that utilize algorithms such as X25519MLKEM768.

1205594

IPsec VPN over UDP may now use port 443 for the IKE negotiation port.

config system settings 
    set ike-port 443 
end

WiFi Controller

See Wireless in the New Features Guide for more information.

Feature ID

Description

1211127

WiFi controllers now process the RADIUS Filter-ID attribute during 802.1X authentication to automatically map clients to existing user groups. This enhancement triggers the creation of WSSO firewall authentication entries, ensuring the correct firewall policies are applied immediately without requiring additional user login steps.

1189709

FWF models now secure the out-of-the-box experience by broadcasting a temporary, unique MAC-based SSID for only five minutes upon first power-up, replacing the static default. The initial login workflow now requires an admin password change and launches a WiFi Setup Wizard, which prompts administrators to either securely customize the WiFi Network or disable the WiFi Network entirely.
