What's new

What's new for 24.1.56 (24.1.c)

  • All FortiSASE instances have log retention enabled with a log retention period of 30 days by default. See Log retention policy.
  • Added support for provisioning FortiSASE instances with fewer security PoPs, removing the previous restriction to select four security PoPs. Also, FortiSASE administrators can add more security PoPs after initial provisioning if fewer security PoPs have been allocated than the entitled maximum number of security PoPs. See Appendix A - FortiSASE data centers.
  • Added support for the FortiSASE Region Add-on license. Once the license has been applied, FortiSASE administrators can select extra security PoPs after logging into the FortiSASE portal. See Appendix A - FortiSASE data centers.
  • The configuration of SSO on FortiSASE now supports Active Directory Federation Services (AD FS). With this support, FortiSASE administrators can import and use a custom Service Provider (SP) certificate of their choice or select the built-in FortiSASE Default Certificate inside the SSO configuration. The custom or built-in SSO certificate can then be imported into the required Identity Provider for SP verification. The feature now also supports SHA-256 for signing SAML Authentication Requests. See Configuring FortiSASE with AD FS SSO.
  • Added support for FortiSASE administrators to group non-AD endpoints in a nested group structure and assign the configured nested group to a custom endpoint profile. Endpoint profiles assigned to the non-AD endpoints can be viewed from the Profile column under Network > Managed Endpoints. See Groups & AD Users.
  • Added support for configuring Custom IPS signatures and applying them in Custom IPS Rules inside the Intrusion Prevention security profile. This feature also adds the concept of Profile resources, which enable central configuration and sharing of Custom IPS Signatures, FortiGuard categories, and Custom Web Filter categories across different security profiles. See Intrusion prevention.
  • FortiSASE now supports configuration of custom IPsec and SSL VPNs (also called Alternative VPN) in the endpoint profiles. These custom VPNs are typically useful for users or endpoints that require a VPN connection to on-prem FortiGate or VPN gateways. Endpoints with the custom VPN endpoint profiles need to manually reconnect to the FortiSASE VPN if it is used as a backup VPN connection. See Connection.
  • Added support for requesting FortiClient diagnostic logs on demand from a single online Windows endpoint from either the Details tab in View Endpoint Details or from More options in the Endpoints tab in the Managed Endpoints page. Once the endpoint receives the log request, log collection takes place in the background. This process takes approximately 20 minutes. When new logs are generated, the old ones are overwritten. See Requesting FortiClient diagnostic logs from endpoints.
  • Added support for resource-based access control in FortiSASE by showing or hiding GUI features based on the Read-Only, Read & Write, or No Access permissions assigned to IAM users using the FortiCare IAM management portal. See Configuration workflow. Access control of the following resources has been added:
    • User & Authentication
    • Policy
    • Logging
    • Monitoring
    • Dashboards
    • Network
    • System
    • Security
    • Endpoint Management
    • Infrastructure
  • Added support in FortiSASE DLP for managing access to files with Microsoft Purview Information Protection (MPIP) sensitivity labels applied. MPIP sensitivity labels are created in a Microsoft portal and applied to files using Office 365 applications. The Globally Unique Identifier (GUID) of an MPIP sensitivity label is configured and selected in a DLP rule with the Data Source Type of MPIP Label. See Blocking file with MPIP sensitivity label example.
  • Enhanced the FortiSASE portal user interface through optimizations to backend services for a seamless user experience.
  • Enhanced the FortiSASE backend to optimize the auto-connect feature.
  • Added datacenter support for additional Public Cloud Locations:
    • Johannesburg, South Africa
    • Sao Paulo, Brazil

    See Global data centers.

What's new for 24.1.37 (24.1.b)

  • For new instances, added support for unique SSL VPN IP address ranges per FortiSASE security PoP within the overall 100.65.0.0/16 range. Previously, SSL VPN IP address ranges were not unique between security PoPs. Also, for new instances added support for removing source NAT (SNAT) for remote VPN user traffic destined for secure private access (SPA) hubs. By default, FortiSASE performs SNAT for such traffic. On new instances, both features are enabled together and allow administrators to identify remote VPN users accessing private resources that SPA hubs protect. See Remote VPN user identification.
  • For new instances, added support for FortiClient variations based on the FortiSASE remote users license type. Instances with a Standard remote users FortiSASE license use the standard FortiClient installer. Instances with an Advanced or a Comprehensive remote users FortiSASE license use the FortiClient installer with the digital experience monitoring (DEM) agent. See Digital Experience.
  • DEM provides granular and real-time information regarding endpoint health by employing a DEM agent installed on endpoints. You can monitor information such as CPU, memory, hard drive, and network usage in real time. It can also trace network performance from an endpoint to various SaaS providers, thus providing end-to-end network visibility and performance insights. To use DEM, FortiSASE requires an Advanced or a Comprehensive remote user license. See Digital Experience.
  • Expanded REST API support with resource API v2 for managing additional network and security configuration settings:
    • Antivirus file types
    • Applications and application categories
    • DNS and implicit DNS rules
    • FortiGuard categories and FortiGuard local categories
    • Geography address countries
    • Hosts and host groups
    • Services, service groups, service categories
    • Wildcard FQDNs custom

    See Appendix C - REST API.

  • Added support for configuration and use of custom DNS servers that VPN, secure web gateway (SWG), and Thin Edge users use. You can configure custom DNS servers inside the implicit DNS rules for these user types. See DNS Settings.
  • Added support for creating external threat feeds of types such as threat hosts, DNS filter domains, and web filter FQDNs. After creation, you can use the external threat feeds inside the Destination address field in a secure Internet access (VPN/SWG) and/or private access policy and in the web filter and/or the DNS filter to restrict/allow access accordingly. See Feeds.
  • Added support for exporting endpoint details such as device name, OS version, FortiClient version, and endpoint groups in a CSV file. You can perform the export operation from Network > Managed Endpoints using Export All. See Managed Endpoints.

What's new for 24.1.10 (24.1.a)

  • Added support within the managed security services provider (MSSP) portal for organizational unit administrators other than the primary account to provision tenant accounts associated with placeholder member accounts. See Configuration workflow.
  • Added support for configuring Sonoma as a macOS version in ZTNA tagging rules. See Tagging rule types.
  • FortiSASE instances with an Advanced or a Comprehensive remote users FortiSASE license include an embedded onboarding guide that is displayed upon first login. This guide contains instructions and videos that streamline initial configurations for the secure Internet access (SIA) endpoint use case. The information presented may not apply to instances with existing configurations. When skipped, the guide can be accessed later from the Help dropdown in the app header. See Embedded onboarding guide.
  • Added support for requesting a new FortiGuard Forensics Analysis for a suspicious endpoint and viewing a summary of analysis requests from the Managed Endpoints page. After a forensics analyst completes the analysis within five business days, the verdict along with a downloadable report are updated in FortiSASE. You can have a maximum of five forensic analysis requests in progress at a given time. This feature requires either an Advanced or a Comprehensive remote users FortiSASE license. See FortiGuard Forensics Analysis.
  • Added support for configuring FortiSASE data loss prevention (DLP) from within the DLP widget in Configuration > Security. DLP prevents sensitive data from leaving or entering your network. DLP requires enabling SSL deep inspection to decrypt and inspect content in encrypted traffic. See DLP.
  • Added support for a new generated Shadow IT report under the Applications section within Analytics > Scheduled Reports. This report summarizes the usage of SaaS applications compared to all applications, sanctioned versus unsanctioned SaaS applications, and total bandwidth by SaaS sanctioned and unsanctioned applications. See Report types.
  • Added support for sending reports as email attachments to selected recipients when the report is generated on demand and on schedule. This is configured by creating email groups using the Manage email groups button in Analytics > Scheduled Reports and by selecting email groups within the Customize report slide-in for a scheduled report. See Scheduling a report.
  • Added user experience improvements to the Network > Asset Map for larger topologies including grouping multiple asset types and single asset types for global, regional, and local views, and hiding endpoints by default. Also, FortiAP edge devices are now shown by default on the asset map. See Network.
  • Added datacenter support for Pune, India as a Fortinet Cloud Location. See Global data centers.
  • Added datacenter support for Sydney, Australia as an endpoint management location. See Global data centers.

What's new for 23.4.49 (23.4.b)

  • Added support for FortiFlex licensing in FortiSASE. FortiSASE entitlements created in the FortiFlex portal must be active for at least 90 days. See FortiFlex licensing.
  • Added FortiSASE REST API support for configuring up to two IPsec overlays to two different WAN interfaces of a single SPA hub using BGP on loopback. See Appendix C - REST API.
  • To provide integration with FortiGuard SOC-as-a-Service (SOCaaS), added the ability to configure log forwarding from FortiSASE to a SOCaaS collector using Log Forwarding to SOCaaS in Analytics > Settings. This feature requires an Advanced remote users FortiSASE license or a Comprehensive remote users FortiSASE license. See Forwarding logs to SOCaaS.
  • Access to Public Cloud Locations and features included with the Advanced remote users FortiSASE license are now supported with the Comprehensive remote users FortiSASE license. See Global data centers.
  • FortiSASE security PoP instances now have a feature release environment to support FortiGate Secure Edge and FortiAP edge devices.
  • For new instances, the following networks are now available for your network configuration:
    • 10.8.0.0/16
    • 10.16.0.0/16
    • 100.64.0.0/10 (except 100.65.0.0/16)
    • 172.16.0.0/12
    • 192.168.0.0/16

    For existing instances, create a new FortiCare ticket to add support for these removed network restrictions. See Network restrictions removed.

  • To provide administrators with an offline method for deregistering a FortiClient endpoint from FortiSASE Endpoint Management Service, added an option in Configuration > Profiles under the Access tab to enable disconnecting from FortiClient with a password and to configure a password for this option. See Profiles.
  • Added support in the FortiSASE Endpoint Management Service so that FortiClient endpoints prefer using DTLS, by default, when connecting to FortiSASE using VPN. If the endpoint attempts to use DTLS and fails due to network issues or otherwise, then it will fall back to TLS. If the endpoint does not support DTLS, then it will ignore the setting and prefer TLS. See Appendix D - VPN performance.
  • Added datacenter support for the following Public Cloud Locations:
    • Amsterdam, Netherlands
    • Ashburn, Virginia, USA
    • Doha, Qatar
    • Hamina, Finland
    • Jakarta, Indonesia
    • Portland, Oregon, USA
    • Madrid, Spain
    • Melbourne, Australia
    • Milan, Italy
    • Santiago, Chile
    • Seoul, South Korea
    • Tel Aviv, Israel

    Access to these locations requires a Comprehensive remote users FortiSASE license. See Global data centers.
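
The network list in the 23.4.49 notes above carves 100.65.0.0/16 out of 100.64.0.0/10, and the 24.1.37 notes place the per-PoP SSL VPN ranges inside that same /16. The following is an added example, not Fortinet code: it checks a planned subnet against the listed ranges and expands the /10 into explicit CIDR blocks that exclude the carve-out. The function names and result labels are assumptions made for this example.

```python
import ipaddress

# Ranges the 23.4.49 (23.4.b) notes list as available on new instances.
AVAILABLE = [ipaddress.ip_network(n) for n in (
    "10.8.0.0/16",
    "10.16.0.0/16",
    "100.64.0.0/10",
    "172.16.0.0/12",
    "192.168.0.0/16",
)]

# Excepted from 100.64.0.0/10 in the same list; the 24.1.37 notes state that
# per-PoP SSL VPN address ranges are allocated within this /16.
EXCEPTED = ipaddress.ip_network("100.65.0.0/16")


def classify(cidr):
    """Classify a planned subnet against the ranges listed on this page.

    Labels (hypothetical, chosen for this example):
      invalid            not a well-formed network (e.g. host bits set)
      overlaps-excepted  touches 100.65.0.0/16 in whole or in part
      listed             lies entirely inside one listed range
      partially-listed   straddles the edge of a listed range
      not-listed         the page says nothing about this range
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return "invalid"
    if net.version != 4:
        return "not-listed"
    # Check the carve-out first: a supernet such as 100.64.0.0/15 sits inside
    # the /10 but still swallows the excepted /16.
    if net.overlaps(EXCEPTED):
        return "overlaps-excepted"
    if any(net.subnet_of(a) for a in AVAILABLE):
        return "listed"
    if any(net.overlaps(a) for a in AVAILABLE):
        return "partially-listed"
    return "not-listed"


def usable_shared_space_blocks():
    """Return 100.64.0.0/10 minus 100.65.0.0/16 as explicit CIDR blocks,
    suitable for address objects or ACLs that cannot express 'except'."""
    parent = ipaddress.ip_network("100.64.0.0/10")
    return [str(n) for n in sorted(parent.address_exclude(EXCEPTED))]


if __name__ == "__main__":
    # Constructed sample plan, not taken from any real deployment.
    for candidate in ("10.8.4.0/24", "100.64.0.0/15", "100.66.0.0/16",
                      "10.0.0.0/8", "10.9.0.0/16", "10.8.4.1/24"):
        print(f"{candidate:16} {classify(candidate)}")
    print(usable_shared_space_blocks())
```

A "not-listed" result only means the page does not mention that range; it is not a statement that the range is restricted.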

What's new for 23.4.31 (23.4.a)

  • To allow administrators to adhere to privacy requirements, added support for configuring the FortiSASE log retention period from 2-30 days in Analytics > Settings. For existing instances, this feature remains disabled by default, which allows a default log retention period of 60 days until this setting is configured. New instances will have a default log retention period of 30 days. See Log retention policy.
  • Added support for audit logging in the Analytics > Events > Administrator Events page of administrator login attempts and events, administrator FortiSASE portal configuration changes, and any changes made using the API or by an MSSP account. See Administrator Events.
  • Added support for improved historical report data and formatting in Analytics > Scheduled Reports and Analytics > Generated Reports. See Scheduling a report, Manually running a report, and Report types.
  • Added support for edge device connectivity using FortiAP, also known as FortiAP micro-branch. FortiAP micro-branch is a controlled General Availability feature with these requirements:
    • A separate FortiSASE subscription license per FortiAP. See the FortiSASE Ordering Guide.
    • FortiAP 231F and 431F devices running FortiAP firmware 7.2.4 and above.
    • The FortiSASE security PoPs running a feature release environment. If you require this support for your FortiSASE instance, contact FortiCare Support.

    See FortiAP.
