
Changes in CLI

Bug ID

Description

978171

The NP7 session accounting interval range is now 1 to 600 seconds. Increase the per-session accounting interval to reduce bandwidth usage:

config system npu
    set session-acct-interval <seconds>
end

New options to control the bandwidth allowed for traffic flow between NP7 processors and the internal switch fabric (ISF). In some high-traffic configurations, limiting this bandwidth can improve performance, for example by reducing DSW drops and ReasmFails:

config system npu
    set sw-np-rate <rate>
    set sw-np-rate-unit {mbps | pps}
    set sw-np-rate-burst <burst-rate>
end

979401

Add IPv6 address pool support in explicit proxy policies:

config firewall proxy-policy
    edit <id>
        set poolname6 <name>
    next
end

1083204

You can enable the following option to add all multicast traffic denied by a firewall policy to the session table:

config system settings
    set ses-denied-multicast-traffic enable
end

Enabling this option can affect CPU usage since the software needs to maintain more sessions in the session table. However, on FortiGates with NP6 or NP7 processors, you can use the following command to offload denied multicast sessions to NP processors and reduce CPU usage:

config system npu
    set mcast-denied-ses-offload enable
end

1129653

When multi-VDOM mode is disabled, the following settings are hidden:

config endpoint-control settings
    set override {enable | disable}
end

1153276

If your FortiGate with NP7 processors is terminating VXLAN-over-IPsec connections, you may notice traffic drops during broadcast storms. One cause of the traffic drops could be VXLAN MAC flapping. VXLAN MAC flapping can occur when the FortiGate receives large numbers of packets that flip MAC addresses in the forwarding database (FDB) between local and remote paths. This activity can use excessive CPU resources and can lead to FDB instability.

You can use the following command to stop VXLAN MAC flapping:

config system npu
    set vxlan-mac-flapping-guard enable
end

When vxlan-mac-flapping-guard is enabled, each VXLAN FDB entry records the encapsulation direction (local or remote) when it is first learned. If a later packet tries to flip the same MAC address to the opposite direction, the update is rejected and the existing entry is kept. This behavior prevents VXLAN MAC flapping during loops or broadcast storms.

You can restore normal VXLAN FDB behavior by disabling this option.
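The following simulation is an added example written for this page, not FortiOS code. It models the FDB learning rule described above (direction fixed at first learn, opposite-direction updates rejected while the guard is on) and replays a constructed broadcast-storm frame stream through the table with the guard off and on, so you can see why the guard removes the churn. All class, field and MAC values are assumptions made for the example; the rejected counter is added as a cheap signal a defender could watch to confirm a storm is being contained.

```python
"""Constructed model of VXLAN FDB learning with and without a
MAC-flapping guard. Illustrative example only; names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class FdbEntry:
    direction: str        # "local" or "remote", fixed at first learn when guarded
    flips: int = 0        # accepted direction changes (only happen with guard off)
    rejected: int = 0     # updates refused by the guard


@dataclass
class VxlanFdb:
    guard: bool
    table: dict = field(default_factory=dict)

    def learn(self, mac: str, direction: str) -> bool:
        """Return True if the FDB accepted the (mac, direction) observation."""
        entry = self.table.get(mac)
        if entry is None:
            # First sighting: record the encapsulation direction.
            self.table[mac] = FdbEntry(direction)
            return True
        if entry.direction == direction:
            return True                      # same direction: plain refresh
        if self.guard:
            entry.rejected += 1              # guard on: keep the first-learned direction
            return False
        entry.direction = direction          # guard off: the MAC flaps
        entry.flips += 1
        return True


def replay(frames, guard: bool) -> VxlanFdb:
    """Feed a list of (mac, direction) observations into a fresh FDB."""
    fdb = VxlanFdb(guard)
    for mac, direction in frames:
        fdb.learn(mac, direction)
    return fdb


# Constructed frame stream: during a loop, the same MAC is seen alternately
# from the local side and from the remote VTEP; a second MAC is stable.
STORM_MAC = "aa:bb:cc:00:00:01"
STORM = [(STORM_MAC, "local")] \
    + [(STORM_MAC, d) for d in ("remote", "local") * 50] \
    + [("aa:bb:cc:00:00:02", "remote")]


def flap_counts(frames, guard: bool) -> dict:
    """Summarise what happened to the storming MAC after the replay."""
    entry = replay(frames, guard).table[STORM_MAC]
    return {"direction": entry.direction,
            "flips": entry.flips,
            "rejected": entry.rejected}


if __name__ == "__main__":
    for guard in (False, True):
        print(f"guard={guard}:", flap_counts(STORM, guard))
```

With the guard off the storming MAC changes direction on every one of the 100 alternating frames; with the guard on it stays on the direction it was first learned from and the 50 opposite-direction updates are simply counted and dropped, which is the FDB stability the option is meant to buy.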

1165701

NP7 traffic anomaly protection for TCP, UDP, and ICMP checksum error detection now includes the option to allow TCP, UDP, and ICMP packets with incorrect checksums.

config system npu
    config fp-anomaly
        set tcp-csum-err {allow | drop | trap-to-host}
        set udp-csum-err {allow | drop | trap-to-host}
        set icmp-csum-err {allow | drop | trap-to-host}
    end
end

1172192

The encrypted DNS certificate configuration behavior has been updated. The TLS certificate used by FortiGate for encrypted DNS services is now taken from:

config system dns-server
    edit <interface>
        set ssl-cert <certificate_name>
    next
end

rather than:

config web-proxy global
    set ssl-cert <certificate_name>
end

If no certificate is configured under config system dns-server, FortiGate automatically falls back to the config web-proxy global certificate.
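Because the fallback is silent, it is easy to end up with an encrypted DNS listener serving the web-proxy certificate without noticing. The script below is an added example, not part of this release note or of FortiOS: a minimal parser for the FortiOS CLI configuration format (config/edit/set/next/end only) plus a resolver that applies the precedence described above to each dns-server interface and reports where its certificate actually came from. The configuration text is constructed for the example, and the interface and certificate names in it are placeholders.

```python
"""Audit which certificate each encrypted DNS listener will use.
Added example with a toy FortiOS config parser; not FortiOS code."""
import shlex

# Constructed sample configuration (interface and certificate names are made up).
SAMPLE_CONFIG = """
config system dns-server
    edit "port1"
        set mode recursive
        set ssl-cert "DoH_Listener_Cert"
    next
    edit "port2"
        set mode recursive
    next
end
config web-proxy global
    set ssl-cert "Proxy_Fallback_Cert"
end
"""


def parse_fortios(text: str) -> dict:
    """Parse config/edit blocks into nested dicts; 'set' values become leaves.

    Handles the common config/edit/set/next/end shape only (assumption:
    enough for this audit, not a complete FortiOS grammar)."""
    tree: dict = {}
    stack: list = []
    cur = tree
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)        # strips the quotes around names
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif keyword == "set" and args:
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            cur = stack.pop()
        # 'unset' and other keywords are ignored by this toy parser
    return tree


def effective_dns_cert(tree: dict) -> dict:
    """Map each dns-server interface to (certificate, source table)."""
    listeners = tree.get("system dns-server", {})
    fallback = tree.get("web-proxy global", {}).get("ssl-cert")
    result = {}
    for iface, settings in listeners.items():
        cert = settings.get("ssl-cert")
        if cert:
            result[iface] = (cert, "system dns-server")
        else:
            # Explicit: the listener silently inherits the web-proxy certificate.
            result[iface] = (fallback, "web-proxy global")
    return result


def listeners_on_fallback(tree: dict) -> list:
    """Interfaces whose encrypted DNS certificate comes from web-proxy global."""
    return sorted(iface for iface, (_, src) in effective_dns_cert(tree).items()
                  if src == "web-proxy global")


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for iface, (cert, source) in effective_dns_cert(cfg).items():
        print(f"{iface}: {cert} (from config {source})")
```

Run it against a config backup and review the listeners_on_fallback output: every interface listed there is serving encrypted DNS with a certificate that was never chosen for that purpose, which is the case the new per-interface ssl-cert setting exists to fix.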

1172818

Enhance the CLI command diagnose ip router bgp show to include disabled items as well as the enabled items.

1179439

When captive portal is not enabled, these settings are hidden:

config authentication setting
    set captive-portal-port
    set captive-portal-ssl-port
    set auth-https
end

To change these settings, first enable captive portal.

1195267

Support IPv6 BGP route dampening by introducing these CLI commands:

config router bgp
    set dampening6 {enable | disable}
    set dampening6-route-map <string>
    set dampening6-reachability-half-life <integer>
    set dampening6-reuse <integer>
    set dampening6-suppress <integer>
    set dampening6-max-suppress-time <integer>
    set dampening6-unreachability-half-life <integer>
end
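To make the dampening6 parameters concrete, here is an added example (not FortiOS code) that simulates the standard BGP route flap dampening model these settings tune: each withdrawal adds a penalty, the penalty decays exponentially with the reachability or unreachability half-life depending on the route's current state, the route is suppressed once the penalty exceeds the suppress limit and re-advertised once it decays below the reuse limit, and the penalty is capped so that no route stays suppressed longer than max-suppress-time. The parameter names mirror the CLI keys above; the default values, the per-flap penalty of 1000 and the minute units are assumptions from the usual dampening model and are not stated on the page, so check them against the FortiOS CLI reference before relying on them.

```python
"""Simulation of BGP route flap dampening with the dampening6-* knobs.
Added example; parameter defaults and units are assumptions."""
from dataclasses import dataclass


@dataclass
class Dampening6:
    reachability_half_life: float = 15.0    # minutes (assumed default)
    unreachability_half_life: float = 15.0  # minutes (assumed default)
    reuse: int = 750                        # re-advertise below this penalty
    suppress: int = 2000                    # suppress above this penalty
    max_suppress_time: float = 60.0         # minutes (assumed default)
    flap_penalty: int = 1000                # added per withdrawal (assumption)

    def ceiling(self) -> float:
        """Highest penalty that can decay below `reuse` within
        max_suppress_time; capping at it bounds the suppression period."""
        return self.reuse * 2 ** (self.max_suppress_time / self.reachability_half_life)


class RouteState:
    """Dampening state for one IPv6 prefix learned from one neighbor."""

    def __init__(self, params: Dampening6):
        self.p = params
        self.penalty = 0.0
        self.reachable = True
        self.suppressed = False
        self.t = 0.0            # time (minutes) of the last penalty update

    def _decay(self, now: float) -> None:
        half_life = (self.p.reachability_half_life if self.reachable
                     else self.p.unreachability_half_life)
        self.penalty *= 2 ** (-(now - self.t) / half_life)
        self.t = now
        if self.suppressed and self.penalty < self.p.reuse:
            self.suppressed = False          # reuse limit reached

    def withdraw(self, now: float) -> None:
        """Neighbor withdrew the prefix: one flap, penalty goes up."""
        self._decay(now)
        self.reachable = False
        self.penalty = min(self.penalty + self.p.flap_penalty, self.p.ceiling())
        if self.penalty > self.p.suppress:
            self.suppressed = True

    def announce(self, now: float) -> None:
        """Neighbor re-announced the prefix; it may still be suppressed."""
        self._decay(now)
        self.reachable = True

    def advertised(self, now: float) -> bool:
        """Would we install/advertise this prefix at time `now`?"""
        self._decay(now)
        return self.reachable and not self.suppressed


def run_flaps(params: Dampening6, flap_times) -> RouteState:
    """Withdraw and immediately re-announce at each time in flap_times."""
    route = RouteState(params)
    for t in flap_times:
        route.withdraw(t)
        route.announce(t)
    return route


if __name__ == "__main__":
    p = Dampening6()
    r = run_flaps(p, [0, 1, 2])      # three flaps a minute apart
    print("penalty after 3 flaps:", round(r.penalty, 1), "suppressed:", r.suppressed)
    for t in (10, 20, 30, 32):
        print(f"t={t}m advertised={r.advertised(t)} penalty={r.penalty:.1f}")
```

Three flaps a minute apart push the penalty past 2000 and the prefix disappears from the table until the penalty has halved twice, about 30 minutes later; a route that flaps twenty times in a row hits the 12000 ceiling (750 × 2^(60/15)) and is still released after roughly 60 minutes, which is exactly what dampening6-max-suppress-time is meant to guarantee. Raising dampening6-suppress or shortening the half-lives makes the system more tolerant; lowering dampening6-reuse keeps a flapping prefix out longer.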

1204059

The CLI attribute hw-model has been renamed to hw-version under config firewall address for device identification dynamic addresses.

1219353

The intra-vap-privacy setting has been removed from local-bridging vap.

1220299

In Agentless VPN settings, when multiple domains in dns-suffix are configured, parse each entry separated by ";".

1222523

On the FortiGate 120G and 121G, the port17 to port24 interface speed can be changed to 100 Mbps. To operate these interfaces as 100 Mbps interfaces, you must use 100 Mbps Serial Gigabit Media Independent Interface (SGMII) transceivers.

You can use the following command to change the speed of the port17 to port24 interfaces:

config system interface
    edit port17
        set speed {auto | 1000full | sgmii-100full | sgmii-auto}
    next
end

1238936

The SFP speed detect CLI option has been updated, replacing auto-module with detect-by-module for improved clarity.

1242593

Added enforce-preferred-source BGP neighbor option to ensure the BGP session source IP (update-source) is used as the preferred source for IPv4 routes learned from the neighbor. This prevents incorrect source IP selection when egress interfaces are unnumbered.

config router bgp
    config neighbor
        edit <neighbor-ip>
            set enforce-preferred-source {enable | disable}
        next
    next
end

1252864

Supports file encryption on SCP config backups:

scp -OT admin@<FGT_IP>:encrypted-config:<encryption_password> <dst file>
