New features
FortiSASE has added powerful new capabilities that are enabled by default on new instances created after the 25.2.c release.
These new capabilities also become available after implementing the New major features available best practice upgrade in FortiSASE v7.2 to migrate to FortiSASE v7.4. For details on implementing this best practice upgrade, see New major features available.
- Before the upgrade in a FortiSASE v7.2 instance, the version tooltip at the bottom-left of the portal displays Mature within the version number.
- After the upgrade, or on new instances created after 25.2.c in a FortiSASE v7.4 instance, the version tooltip at the bottom-left of the portal displays v7.4 and Feature within the version number.
The versions displayed in the images are demonstrations. The exact version numbers displayed in your environment will differ per release.
Below is the list of features available only in the 7.4 version.
| New feature | Description | Requirements |
|---|---|---|
| Agent-based zero trust network access (ZTNA) FortiClient endpoint sharing | Added support for sharing the resolved IP and MAC addresses (host tags) of a FortiClient endpoint with ZTNA application gateways (i.e. FortiGate devices) when the endpoint has a security posture tag applied. | None |
| | Added support for specifying ZTNA destination hosts as an IP range or subnet, optionally with a port list or port range, when the FortiSASE instance is configured with a default FortiClient version of FortiClient 7.2.8 or later. | Instance configured with a default FortiClient version of 7.2.8 or later. |
| | Added support for using a custom domain, and a certificate for that custom domain, to access a ZTNA private application. | The administrator must already own a custom domain and have already generated a server certificate for it. The administrator must configure the custom domain DNS CNAME record with the FortiSASE private application domain for the private application. |
| | Added support for configuring application control filter overrides based on multiple filters, including application category, behavior, popularity, protocol, risk, technology, and vendor. Also added support for configuring actions for custom application signatures. | None |
| Authenticated onboarding with Entra ID for SAML SSO using an existing Entra ID domain | Added support for configuring authenticated onboarding with Entra ID for SAML SSO using an existing Entra ID domain, which allows an endpoint profile configured with a matching AD group from the domain to be assigned to matching Entra ID-joined endpoints. | Authenticated onboarding is a select availability feature that is not enabled by default on new instances. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. |
| Automation to trigger alert emails for an unstable Secure Private Access (SPA) connection | Added an Automation page in Operations > Administration to allow configuring actions, such as sending alert emails, based on predefined triggers, to proactively notify administrators of events. Currently, alert emails can be triggered for an unstable Secure Private Access (SPA) connection only when SLA failures, routing changes, and BGP neighbor status changes all occur. | Requires licensing and configuration for SPA. |
| | Support for bandwidth policies and profiles used to provide bandwidth control of internet access and private access traffic. | For bandwidth control of private access traffic, requires licensing and configuration for SPA. |
| | Support for simplified branch on-ramp licensing, where each on-ramp Security PoP provides up to 1 Gbps for up to 2000 simultaneous dialup IPsec connections, changed from the previous limit of 10 connections. | The Branch On-ramp Connection add-on subscription is discontinued. |
| | Support for IPsec connections to Branch On-ramp Security PoPs from third-party IPsec devices. | Requires licensing and configuration for the Branch On-ramp feature. |
| | Support for branch on-ramp with the Standard subscription for new and upgraded instances. | An Advanced branch on-ramp subscription must also be applied to a Standard instance to enable the branch on-ramp feature. |
| | For MSSPs, added central management support for synchronizing multiple tenants' FortiSASE instances from a single FortiManager instance or from multiple FortiManager instances. Currently, each ADOM in FortiManager supports synchronizing configuration with a single FortiSASE instance. | See Prerequisites and considerations under central management for MSSP tenants. Central management is a select availability feature. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. |
| Central management support for policy packages in FortiManager | Added support for synchronizing firewall policies, firewall proxy policies, firewall schedules, and security posture tags in policy packages from FortiManager to FortiSASE using the central management select availability feature. | Requires a FortiManager or FortiManager Cloud running a supported version. See Central management using FortiManager. Central management is a select availability feature. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. |
| | Added support in the System > Administration page for the Require comments for configuration audit feature. When enabled, this feature ensures that any configuration change made by an administrator requires a change summary to be entered. This includes all configuration changes on FortiSASE, such as those to objects, endpoint profiles, and analytics and reporting configurations. | None |
| | Support in the AntiVirus security profile for content disarm and reconstruction (CDR) of Microsoft Office documents and PDF files by removing potentially malicious and untrusted content from them. | CDR does not support the SMTP, FTP, and CIFS protocols. |
| | Enhancements for Digital Experience Monitoring (DEM), including a path diagram for endpoint traceroute results, support for displaying additional SaaS monitoring metrics, and customizing the list of SaaS applications to monitor. | Requires an Advanced or Comprehensive subscription. |
| | Added support for DLP Exact Data Matching (EDM), which identifies specific data values within an indexed data source. EDM relies on an administrator-defined EDM template, which specifies the dataset in a CSV or TXT file that is either uploaded directly to FortiSASE or accessed as an external feed. | None |
| | Support for configuring and viewing predefined DLP sensors and DLP dictionaries managed by the FortiGuard DLP service, in the DLP security profile and in Security > Traffic > Security profiles > Profile resources, respectively. | None |
| | Added support for Indexed Document Matching (IDM) with DLP fingerprinting. IDM creates a unique fingerprint for each file detected in the network and compares it with the checksums stored in its database. Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is updated. | None |
| | FortiSASE adds support for FortiAP devices in the FortiAP 441K series. FortiAP configuration options are also enhanced to streamline the FortiAP configuration process in FortiSASE. | Requires a separate FortiSASE subscription for FortiAP edge device support. |
| | Added support for editing a public IP of a Security PoP with a geolocation tag (country/region) different from the default for the PoP, and for configuring source IP anchoring rules, known as IP anchors, which associate remote users from a source country/region (and, starting in 25.3.a, remote users from a specified user group) with a specific public IP with a configurable geolocation tag. | Requires a prior Fortinet request for configuring Security PoP public IP address features. |
| | Endpoint profile connection script fields allow the entry of Windows and macOS scripts that trigger actions when connecting to or disconnecting from Secure Internet Access (SIA), IPsec, or SSL tunnels. | None |
| | Support to enable and manage communication between remote endpoints connected via the FortiSASE Cloud Security tunnel through a Secure Private Access (SPA) Hub. Administrators can enforce granular control by defining endpoint-to-endpoint policies that selectively allow specific traffic between designated endpoints. | Requires licensing and configuration for SPA. |
| | Support for performing a factory reset on a FortiSASE instance, which returns it to its initial provision point, disconnects all users, and deregisters all endpoints. | Enabled by default on instances with NFR and Advanced NFR licenses. It is a select availability feature for all other licenses and requires a FortiCare Support ticket. All data will be permanently deleted. |
| | Support for FIDO2 authentication for FortiClient agent tunnels, which is configurable in Endpoint profiles for the FortiSASE Cloud Security tunnel and custom tunnels. | Supported for FortiClient endpoints on Windows and macOS. Requires the FIDO authentication method to be configured on Entra ID. |
| | Added support in File Filter for blocking password-protected files of the 7z, MSOFFICE, MSOFFICEX, PDF, RAR, and ZIP file types. | None |
| | Integrated FortiCASB-SSPM basic cloud access security broker (CASB) management and advanced SaaS security posture management (SSPM) into FortiSASE for secure SaaS access. | A FortiSASE SSPM Protection add-on subscription is required to integrate with several SaaS applications via connectors and to access advanced SSPM features through the Workflows, Activities, Identities, and 3rd Party Apps pages. |
| | Support for customizing the FortiClient Log Level per endpoint profile in your FortiSASE instance to simplify debug log collection. In Endpoint management > Configuration > FortiClient GUI settings, enabling Allow debug log generation sets the associated endpoints' FortiClient Log Level to Debug. This feature is disabled by default. When disabled, the Log Level is set to Info. | None |
| | Added support for FortiPAM integration, allowing FortiSASE-managed endpoints to leverage the FortiClient PAM module for secure and controlled privileged access. The feature also enables custom port configuration for FortiPAM integration. | Requires a licensed and configured FortiPAM server. Only Windows endpoints support FortiPAM integration. Ensure that a supported FortiClient version is used. |
| | Support for forwarding logs to a FortiAnalyzer Cloud instance. | Requires the FortiAnalyzer Cloud Storage Add-On License subscription and FortiAnalyzer 7.6.3 or later. |
| | Added support for integrating FortiSASE with the Fortinet single sign-on (FSSO) collector agent, which enables collection of FSSO records for domain-authenticated users. You can use the FSSO records available on FortiSASE as FSSO user groups to authorize user traffic access to resources that FortiSASE protects without having to reauthenticate. | Requires an FSSO agent deployed via FortiAuthenticator, or an independent collector agent installed on a Windows domain controller. |
| | Support for SSL inspection of HTTP/3 traffic, which allows security features requiring such inspection to work without the need to block QUIC. | Supported for agent and edge device traffic only. |
| | For greater performance and security, the FortiSASE Cloud Security tunnel will migrate from SSL to IPsec starting in early 2027. The FortiSASE Cloud Security tunnel will support a hybrid IPsec/SSL mode during the transition period, available as an opt-in feature for SSL VPN instances through the best practices on the Operations > Administration > Software audit & version page. This allows customers time to verify client-side changes for IPsec mode before migrating with confidence. | Available for instances with SSL VPN remote agent support. |
| | Integrated FortiCASB API-based cloud access security broker (CASB) management and protection into FortiSASE for secure SaaS access. | None |
| | Support for displaying IPAM usage information in a chart in Network > IP management > IPAM. | None |
| | Added support for creating IPS custom filters and for creating custom IPS and Application Control signatures. Also added central management support for synchronizing IPS custom filters. | None |
| | For instances supporting IPsec and FortiClient 7.4, added support for FortiSASE Cloud Security tunnel autoconnect using the session resumption timeout. | Available for instances with IPsec remote agent and FortiClient 7.4 support. |
| | For instances supporting IPsec, added support for customizing dead peer detection settings applicable to IPsec agent tunnels. Dead peer detection reestablishes IPsec agent tunnels on idle connections and cleans up dead IKE peers if required. | Available for FortiSASE instances with IPsec remote agent support. It is strongly recommended to schedule a maintenance window before changing dead peer detection settings. Currently connected endpoints will be disconnected from FortiSASE for a few minutes while the change is applied. This is a select availability feature. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. |
| | For new instances supporting FortiClient 7.4, added support for IPsec over TCP on TCP port 443 via the Auto global tunnel encapsulation setting, as a remote user connectivity alternative when networks block the standard IPsec UDP ports. This feature requires Windows or Mac endpoints running FortiClient 7.4.5 or later. See Global. An override is available per endpoint profile to enforce IPsec over TCP. See Advanced settings. | Available for FortiSASE instances supporting IPsec remote agents and FortiClient 7.4. The per-endpoint-profile override to enforce IPsec over TCP is only available when the global tunnel encapsulation setting is set to Auto. |
| | For IPsec instances, added support for updating the pre-shared key for the FortiSASE Cloud Security tunnel. This enables IPsec instances to support regional compliance rules for on-premises devices and failover sequence features. | Available for instances with IPsec remote agent support. It is strongly recommended to schedule a maintenance window before changing the pre-shared key for IPsec instances. Currently connected endpoints will be disconnected from FortiSASE for a few minutes while the change is applied. |
| | Support has been added to view the FortiSASE portal in French and Japanese. | None |
| | Added support for LDAP user authentication with IPsec agent tunnels for both Windows and macOS using the EAP for LDAP authentication setting. | This setting is only supported on instances supporting FortiClient 7.4. |
| | Added the System > License overview page to provide granular usage and expiry information for all FortiSASE subscriptions. | None |
| Navigation reorganization | Navigation menu items have been reorganized for improved usability and to group items with related functionality and usage. Terminology has been standardized for clarity and consistency. | None |
| | Added support for new report types: | None |
| | Added a built-in custom PAC file editor for creating and editing PAC files hosted on FortiSASE. | None |
| | Support for displaying PoPs on a map during provisioning and after provisioning in Operations > Connectivity > Infrastructure. | None |
| | Support for enforcing pre-connection posture checks using security posture tags to allow or deny endpoints from establishing a connection to the FortiSASE Cloud Security tunnel based on their associated tags. | Only available for FortiSASE instances enabled with IPsec remote agent support. |
| Pre-logon tunnels for endpoints simplified and established with the nearest Security PoPs | Simplified pre-logon tunnels such that endpoints establish tunnels with the nearest FortiSASE Security PoP using certificate-based authentication. This simplified approach supports a shared policy to allow destinations and requires configuring an SPA hub with connectivity to an Active Directory server. For instances with existing pre-logon tunnels configured, the previous approach is still supported; after disabling existing pre-logon tunnels in all endpoint profiles, only the simplified approach is supported going forward. | Only available for FortiSASE instances enabled with IPsec remote agent support. Windows administrators must prestage the domain-joined Windows machines with a preconfigured FortiClient installer of a supported FortiClient version, along with machine certificates, before shipping devices to users. |
| | Granular control of pre-logon tunnels has been implemented through Secure Private Access (SPA) and Secure Internet Access (SIA) policy management. New SPA and SIA policies can be configured and applied to all or a custom group of pre-logon users. Pre-logon users and traffic can be monitored in Operations > Connected users and Operations > Logs > Traffic. | Pre-logon authentication and tunnels must be configured. |
| | Security PoPs can be created, enabled/disabled, decommissioned, and migrated from a source location to a target location, providing granular control of load balancing. | This feature is available only when a FortiSASE instance meets these specific conditions: |
| | Support for administrators to schedule FortiSASE upgrades by selecting from a list of predefined maintenance window slots, directly through the FortiSASE portal. | None |
| | Support for System for Cross-domain Identity Management (SCIM) for automated user provisioning from Entra ID, FortiAuthenticator, and Okta SAML IdPs. The SCIM client (IdP) sends user and group information to the SCIM server (FortiSASE as SP). | Only available for FortiSASE instances enabled with IPsec remote agent support. Not supported in instances with hybrid IPsec/SSL enabled. SCIM server support is a select availability feature. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. |
| | Support for configuring and forwarding logs to a secondary external server. | None |
| | Support for integrated management of the FortiSASE Secure Browser extension used with unmanaged and contractor devices. With the deployment of the FortiSASE Secure Browser extension, administrators can gain full visibility into browser activity without deep packet inspection (DPI), can monitor and block web-based threats, and can prevent data exfiltration. | Requires a FortiSASE instance with an Advanced or Comprehensive remote users FortiSASE subscription. The browser extension is supported on Windows and macOS in the Google Chrome and Microsoft Edge web browsers. SAML SSO users must be integrated with FortiSASE Secure Browser. Secure Browser is a select availability feature. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. |
| | Support for Secure Proxy, which provides secure connectivity between the proxy user web client and FortiSASE using HTTPS connections. | Existing instances with Proxy enabled must run the best practice for Secure Proxy migration. When using a self-hosted PAC file, you must update the PAC file and redeploy it in the self-hosted environment. |
| | Support for configuring new security posture tagging rules, including tagging based on CVEs, using negation to identify non-vulnerable devices, and combining multiple tagging rules using logical AND/OR operators. | None |
| | Support for configuring protocol options within security profile group settings, specifically the handling of unknown content types and performance optimization for handling oversized files. Also added central management synchronization support for the protocol options for handling unknown content types and handling oversized files. | None |
| | Simplified pre-logon tunnels such that endpoints establish tunnels with the nearest FortiSASE Security PoP using certificate-based authentication. The previous approach was to establish tunnels using certificate-based authentication with a customer-managed FortiGate configured as an SSL or IPsec gateway. | For instances with existing pre-logon tunnels configured, the previous approach is still supported. Only the simplified approach is supported going forward after disabling existing pre-logon tunnels in all endpoint profiles. |
| | Support for enabling Security PoPs to advertise the configured Hub Priority and SLA status using a BGP community when announcing remote users' client pool prefixes to Hubs in multiple SPA Hub scenarios. | Requires licensing and configuration for SPA. |
| | Support for Secure Private Access (SPA) application monitoring, allowing up to 20 custom applications hosted behind SPA Hubs to be defined and monitored using ICMP health check probes initiated by Security PoPs to verify application availability. | Requires licensing and configuration for SPA. |
| | Support for Secure Private Access (SPA) connectivity to SD-WAN networks deployed across different BGP autonomous systems (AS), enabling the configuration of both iBGP and eBGP peering between FortiSASE Security PoPs and FortiGate SD-WAN hubs/SPA Hubs. | Requires SD-WAN networks deployed across different BGP autonomous systems (AS). Requires licensing and configuration for SPA. |
| | SPA Monitoring allows administrators to track the health and performance of SPA (Secure Private Access) service connections configured within FortiSASE. | Requires licensing and configuration for SPA. |
| | Support for enabling the BGP MED options always-compare-med and deterministic-med on FortiSASE to allow selecting a preferred SPA Hub based on MED values, particularly when receiving prefixes from SPA Hubs belonging to different ASes. | Requires SD-WAN networks deployed across different BGP autonomous systems (AS). Requires licensing and configuration for SPA. |
| | Rules for DNS redirection, also known as split DNS, transparently apply to all passthrough traffic for FortiClient agent tunnels (including mobile), Edge device clients, and Proxy clients. | None |
| | Added support for additional Web Filter configuration settings: | None |