
What's new

What's new for 25.2.30 (25.2.a.1)

25.2.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.24 (25.2.a)

  • Added support for FortiGate SASE Bundle license to accelerate the journey from SD-WAN to SASE. The bundle includes a Starter Kit with FortiSASE Standard remote user licenses and Secure Private Access (SPA) connectivity to G-series FortiGate models starting with 120G.
  • FortiClient 7.2.9 is the recommended supported version for existing and new FortiSASE instances using IPsec and SSL VPN remote user connectivity. See Product integration and support.
  • Enhanced the default pre-logon tunnel security settings for IPsec to use a stronger hashing algorithm (SHA-256) and key exchange algorithm (DH group 15) with IKE version 2. See 10607.
  • Access to Fortinet or Regional Public Cloud Locations and features included with the Advanced remote users FortiSASE license are now supported with the Professional remote users FortiSASE license. See Licensing.
    • Network performance of Regional Public Cloud Locations differs from Public Cloud Locations supported with the Comprehensive license.
    • Since dedicated public IPs are provided by the Public Cloud provider, IP reputation control is not guaranteed, and source IP anchoring is not supported.
  • Added support for the Global Region Add-on license that can be added on top of an existing Comprehensive license. This add-on license entitles the instance to use an unlimited number of Security PoPs selected from existing and future Fortinet Cloud and Public Cloud locations. See Appendix A - FortiSASE data centers.
  • Added support for registering FortiCASB data protection add-on licenses. See Product integration and support.
  • Number of private applications supported per agentless ZTNA bookmark policy increased from 20 to 200. See Configuring the bookmark portal.

What's new for 25.1.75 (25.1.c)

  • Added support for displaying endpoint details in Network > Managed Endpoints > Endpoints and Network > Connected Users including FortiSASE VPN Tunnel IP and FortiSASE agent session details, and the Last Seen timestamp in Managed Endpoints. The FortiSASE VPN Tunnel IP can be used with server-client applications with server traffic originating from SPA hubs destined for a FortiSASE managed endpoint. See Managed Endpoints and Connected Users.

  • Added support for displaying the learned BGP multi-exit discriminator (MED) values in Health and VPN Tunnel Status > View Learned BGP Routes when Network > Network Configuration is configured with Hub selection method as BGP MED. See Viewing MED values of SPA routes and Viewing health and VPN tunnel status.

  • Added data center support for Querétaro, Mexico and Sydney, Australia as Public Cloud locations. See Global data centers.

  • Added data center support for Sao Paulo, Brazil as a Fortinet Cloud location. See Global data centers.

What’s new for 25.1.51 (25.1.b)

  • Added support for the SD-WAN On-Ramp connection add-on license for 1-2000 FortiGate IPsec connections. Since you can purchase a maximum of eight SD-WAN On-Ramp locations for a single account, with SD-WAN On-Ramp connection add-on licenses it is possible for an account to have a maximum of 16000 SD-WAN On-Ramp connections. See SD-WAN On-Ramp.
  • Added support for the agentless zero trust network access (ZTNA) bookmark portal to show private applications’ bookmarks based on the authenticated user’s permission level which is controlled by Agentless ZTNA bookmark policies. See Configuring the bookmark portal.
  • Added enhancements to the Network Lockdown feature by enabling FortiClient endpoints to enter strict lockdown with a configurable grace period of 0 seconds. Also added support for detecting and exempting traffic to captive portals and domains specified under Exempt destinations. See Network lockdown.
  • Added enhancements to the Geofencing feature by enabling granular control over prioritization of connection attempts and failover to connections of type On-premise device and Security PoP based on the endpoint’s country or region. See Geofencing.
  • Added support for administrators to clone endpoint profiles using an existing endpoint profile, simplifying profile management and reducing configuration time. See Profiles.
  • Added support for configuring the ZTNA application gateway and ZTNA destinations under Configuration > Agent-based ZTNA. These settings can now be referenced and applied to individual endpoint profiles under the ZTNA tab, streamlining ZTNA configuration. See ZTNA.
  • Added enhancements to Digital Experience Monitoring (DEM), enabling FortiSASE administrators to view TCP latency metrics for endpoints as a Beta feature, offering deeper visibility into underlay network performance from the endpoint to FortiSASE Security PoP. See Digital experience: TCP latency.
  • Added support for an increased maximum number of FortiAP edge devices that FortiSASE supports. See SIA for FortiAP site-based remote users.
  • Added datacenter support for Madrid, Spain as a Fortinet Cloud location. See Global data centers.
  • Added support for signing a preconfigured FortiClient installer using your own CA certificate or using the Fortinet CA certificate via FortiCare Support ticket request.

What’s new for 25.1.39 (25.1.a.2)

25.1.a.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.37 (25.1.a.1)

25.1.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.28 (25.1.a)

  • Added support in endpoint profiles for enabling patching of vulnerabilities detected where automatic patching is available and for configuring the minimum severity level of vulnerabilities to patch. Also, added support in the Vulnerability Summary widget for selecting individual vulnerabilities to schedule to be automatically patched on affected endpoints. See Drilling down on vulnerabilities.
  • Added support for configuring schedules and service groups for VPN and secure web gateway (SWG) policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
  • Added support for synchronization of service groups for VPN and SWG policies using FortiManager with the central management select availability feature. See Central Management.
  • Added support for adding administrator-defined comments to VPN and SWG policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
  • Added support to allow administrators to configure, edit, and delete personal VPN settings on FortiClient on a per-endpoint profile basis. As FortiSASE does not manage personal VPN settings, enabling this feature is recommended only for endpoint profiles designated for FortiClient users belonging to your organization’s administrative group. This ensures flexibility while maintaining security and compliance across managed devices. See Connection.
  • Added support to allow remote VPN users to access their local network resources such as printers or fileshares while remaining connected to FortiSASE secure internet access (SIA). You can enable this feature on a per-endpoint profile basis. Additionally, if you enable on-net detection, you can enable the feature based on an endpoint’s on-net status, allowing more granularity. See Connection.
  • Extended existing REST API support to include security profiles, user groups, and authentication sources.
  • Added datacenter support for Plano, Texas, USA as a Fortinet Cloud location. See Global data centers.
  • FortiClient 7.2.8 is the recommended supported version for existing and new FortiSASE instances using SSL VPN and IPsec remote user connectivity.
  • Added support for displaying comprehensive error messages for failed synchronization attempts when using FortiManager with the central management select availability feature. See Displaying error messages for failed synchronization attempts.
  • Added support for authenticating agent-based remote users via SAML single sign-on (SSO) during their onboarding. FortiSASE acts as a service provider, supporting integration with other identity providers such as FortiAuthenticator, Okta, and Microsoft Entra ID to ensure that only authenticated users can connect to the FortiSASE Endpoint Management service using an invitation code. This is a select availability feature, and you must enable it for it to be visible under Configuration > User Onboarding SSO. See User onboarding SSO.
  • Added support for administrators to add, change, and delete security PoP locations dynamically from Network > Infrastructure as a select availability feature. See Infrastructure. This is available only when a FortiSASE instance meets these specific conditions:
    • The following features are not configured:
      • SWG
      • Source IP address anchoring
    • Default VPN remote users’ IP address range has not been exceeded.
    • The following have not been deployed:
      • Edge devices
      • SD-WAN On-Ramp locations
    • Other custom changes to the instance have not been made.
