DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

New Features

Overview
GUI
- General usability enhancements
- FortiView
  - Graphical display for application performance monitoring analytics
Network
SD-WAN
- Overlays and underlays
- Performance SLA
  - SD-WAN speed test scheduling improvements
Policy and objects
- Policies
  - Upstream SSL/TLS support for virtual load-balancing servers
- Objects
  - Custom tags for addresses, policies, and dynamic tag address groups
Zero Trust Network Access
- General
  - ZTNA configuration simplification
  - ZTNA service connector
    - ZTNA connector - reverse gateway and forwarder
- Security posture and EMS connectors
  - Support tags in dual stack IPv4/IPv6 ZTNA policies
Security profiles
- Others
- Protecting LLM and GenAI
  - Application control support for generative AI
  - Agentic AI protocol support in FortiOS
VPN
- IPsec and Agentless VPN
User and authentication
- Authentication
  - Enable secure LDAP connection by default in the GUI
  - SSO integration with FortiIdentity Cloud
LAN Edge
- Wireless
- Switch controller
System
Security Fabric
- Fabric settings and connectors
- External SDN connectors
  - Support for Cisco ACI External EPG Subnets in Direct Connector
  - Negation support in ACI direct connector address filters
Log and report
- Logging
Cloud
- Public and private cloud
  - AWS SDN connector EKS filtering support
FortiOS Carrier
FortiASIC
- Hardware acceleration
- Hyperscale firewall
Operational Technology
- System
  - MACsec support for FortiGate Rugged Models with hardware switch
  - FortiGate Rugged digital I/O trigger logging enhancement
Index
- 8.0.0
Change Log

Home FortiGate / FortiOS 8.0.0 New Features

8.0.0

Support tags in dual stack IPv4/IPv6 ZTNA policies

IPv6 security posture tags and groups can be applied to dual stack IPv4/IPv6 ZTNA policies.

FortiClient and FortiClient EMS 7.4.5 or 8.0.0 or later are required to support this feature.

A new option is available to set the address sub-type to ems-tag:

config firewall address6
    edit 1
        set type dynamic
        set sub-type {sdn | ems-tag | 8021x}
        ...
    next
end

Option	Description
`sub-type`	Set the sub-type for the address: `sdn`: SDN address. `ems-tag`: FortiClient EMS tag. `8021x`: 802.1x address Available when `type` is set to `dynamic`.

Option

Description

sub-type

Set the sub-type for the address:

sdn: SDN address.
ems-tag: FortiClient EMS tag.
8021x: 802.1x address

Available when type is set to dynamic.

A new parameter is available to identify IPv6 security posture tags from FortiClient EMS:

config firewall policy
    edit 1
        ...
        set ztna-status enable
        set ztna-ems-tag6 <name>
        ...
    next
end

Option	Description
`ztna-ems-tag6 <name>`	Specify the name of the IPv6 security posture tag. Available when `ztna-status` is set to `enable`.

Example

To add IPv6 security posture tags to a firewall policy in the GUI:

Go to Policy & Objects > ZTNA > Security Posture Tags > IPv6 Tag to view a list of security posture tags for IPv6.

Hover over a tag to display a tooltip of information.
Click IPv6 Tag Group to view a group of IPv6 tags.
Go to Policy & Objects > Firewall Policy and open for editing a firewall policy with Source configured to support IPv4 and IPv6.
Enable Security posture tag and select a security posture tag for IPv6.
Click OK to save the policy.

To add IPv6 security posture tags to a firewall policy in the CLI:

Enable the sub-type ems-tag option for an IPv6 security posture tag:

In this example, sub-type ems-tag is set for the EMS7_ZTNA_ems_linux31_management_tag IPv6 security posture tag.

config firewall address6
    edit "EMS7_ZTNA_ems_linux31_management_tag"
        set uuid 880ef31c-fcba-51f0-e348-1f01acd82c22
        set type dynamic
        set sub-type ems-tag
        set dirty clean
        set obj-tag "ems_linux31_management_tag"
        set tag-type "zero_trust"
    next
end

Select the IPv6 security posture tag in a firewall policy configured to support IPv4 and IPv6 sources:

In this example ztna-ems-tag6 is set to the EMS7_ZTNA_ems_linux31_management_tag IPv6 tag.

config firewall policy
    edit 1
        set name "lan_2_wan1"
        set uuid de52dcac-fc17-51ee-6a37-645e65221a24
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set ztna-ems-tag6 "EMS7_ZTNA_ems_linux31_management_tag"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Support tags in dual stack IPv4/IPv6 ZTNA policies

IPv6 security posture tags and groups can be applied to dual stack IPv4/IPv6 ZTNA policies.

FortiClient and FortiClient EMS 7.4.5 or 8.0.0 or later are required to support this feature.

A new option is available to set the address sub-type to ems-tag:

config firewall address6
    edit 1
        set type dynamic
        set sub-type {sdn | ems-tag | 8021x}
        ...
    next
end

Option	Description
`sub-type`	Set the sub-type for the address: `sdn`: SDN address. `ems-tag`: FortiClient EMS tag. `8021x`: 802.1x address Available when `type` is set to `dynamic`.

Option

Description

sub-type

Set the sub-type for the address:

sdn: SDN address.
ems-tag: FortiClient EMS tag.
8021x: 802.1x address

Available when type is set to dynamic.

A new parameter is available to identify IPv6 security posture tags from FortiClient EMS:

config firewall policy
    edit 1
        ...
        set ztna-status enable
        set ztna-ems-tag6 <name>
        ...
    next
end

Option	Description
`ztna-ems-tag6 <name>`	Specify the name of the IPv6 security posture tag. Available when `ztna-status` is set to `enable`.

Example

To add IPv6 security posture tags to a firewall policy in the GUI:

Go to Policy & Objects > ZTNA > Security Posture Tags > IPv6 Tag to view a list of security posture tags for IPv6.

Hover over a tag to display a tooltip of information.
Click IPv6 Tag Group to view a group of IPv6 tags.
Go to Policy & Objects > Firewall Policy and open for editing a firewall policy with Source configured to support IPv4 and IPv6.
Enable Security posture tag and select a security posture tag for IPv6.
Click OK to save the policy.

To add IPv6 security posture tags to a firewall policy in the CLI:

Enable the sub-type ems-tag option for an IPv6 security posture tag:

In this example, sub-type ems-tag is set for the EMS7_ZTNA_ems_linux31_management_tag IPv6 security posture tag.

config firewall address6
    edit "EMS7_ZTNA_ems_linux31_management_tag"
        set uuid 880ef31c-fcba-51f0-e348-1f01acd82c22
        set type dynamic
        set sub-type ems-tag
        set dirty clean
        set obj-tag "ems_linux31_management_tag"
        set tag-type "zero_trust"
    next
end

Select the IPv6 security posture tag in a firewall policy configured to support IPv4 and IPv6 sources:

In this example ztna-ems-tag6 is set to the EMS7_ZTNA_ems_linux31_management_tag IPv6 tag.

config firewall policy
    edit 1
        set name "lan_2_wan1"
        set uuid de52dcac-fc17-51ee-6a37-645e65221a24
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set ztna-ems-tag6 "EMS7_ZTNA_ems_linux31_management_tag"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

New Features

Support tags in dual stack IPv4/IPv6 ZTNA policies

Support tags in dual stack IPv4/IPv6 ZTNA policies

Example

To add IPv6 security posture tags to a firewall policy in the GUI:

To add IPv6 security posture tags to a firewall policy in the CLI:

Support tags in dual stack IPv4/IPv6 ZTNA policies

Support tags in dual stack IPv4/IPv6 ZTNA policies

Example

To add IPv6 security posture tags to a firewall policy in the GUI:

To add IPv6 security posture tags to a firewall policy in the CLI: