7.4.0

What's new

What's new for 26.2.57 (26.2.1 FortiSASE v7.4)

Starting in 26.2.1, throughout all FortiSASE documentation, the following naming convention will now be used:

  • FortiSASE Feature will be referred to as FortiSASE v7.4.

  • FortiSASE Mature will be referred to as FortiSASE v7.2.

  • Integrated FortiCASB-SSPM basic cloud access security broker (CASB) management and advanced SaaS security posture management (SSPM) into FortiSASE for secure SaaS access. A FortiSASE SSPM Protection add-on subscription is required to integrate with several SaaS applications via connectors and to access advanced SSPM features through the Workflows, Activities, Identities, and 3rd party apps pages. See FortiCASB-SSPM.

  • Granular control of pre-logon tunnels has been implemented through Secure Private Access (SPA) and Secure Internet Access (SIA) policy management. New SPA and SIA policies can be configured and applied to all or a custom group of pre-logon users. Pre-logon users and traffic can be monitored in Operations > Connected users and Operations > Logs > Traffic. See Pre-logon tunnel.

  • Added support for LDAP user authentication with IPsec agent tunnels for both Windows and macOS using the EAP for LDAP authentication setting. This setting is only supported on instances supporting FortiClient 7.4. See Configuring EAP for LDAP authentication for IPsec agent tunnels.

  • Security PoPs can be created, disabled/enabled, decommissioned, and migrated in Operations > Infrastructure. See Infrastructure.

  • A FortiClient 7.4.7 ARM installer for Windows is available for endpoint onboarding. See Windows ARM installer.

  • In Endpoint management > Configuration, the On connect script and On disconnect script fields allow the entry of Windows and macOS scripts that will trigger actions when connecting to or disconnecting from Secure Internet Access (SIA), IPsec, or SSL tunnels. See Advanced settings.

  • The Security PoP icons and naming convention have been updated to the format City, State (Country) when provisioning a FortiSASE instance and in Operations > Infrastructure. When selecting an entry, hover over the Security PoP name to see more details. See Infrastructure.

  • Added support for bring your own device (BYOD) enrollment to a mobile device management (MDM) platform used for installing FortiClient and automatically provisioning a ZTNA client certificate to a device. Currently, only iOS mobile devices are supported with the Intune and JAMF platforms. See MDM integration.

  • When FortiPAM integration is enabled, added support for adding the FortiPAM agent to the FortiClient installer available on the FortiSASE portal. Also, when FortiPAM integration is disabled in FortiSASE, added support for removing the FortiPAM agent from the FortiClient installer and for removing the FortiPAM browser extension. See FortiPAM integration.

  • Improved usability of the Connection tab in an endpoint profile to clearly indicate that local LAN access options apply when connected to a tunnel and that the network lockdown option applies when not connected to a tunnel. See Network lockdown.

  • Added an option for administrators to override the global FortiSASE Cloud Security Tunnel encapsulation to IPsec over TCP via an endpoint profile. This allows IPsec remote user connectivity in cases where the Auto option for FortiSASE Cloud Security Tunnel encapsulation does not work because the initial IKE negotiation over UDP works fine but the ISP blocks UDP ports 500/4500, so the fallback to TCP never occurs. See Advanced settings.

  • For new instances or existing instances provisioned in 25.4.c Feature or later supporting FortiClient 7.4, added support for the Show Vulnerability Popup toggle that allows administrators to control whether a vulnerability scan summary popup is shown when a scan finds vulnerabilities on a given endpoint. See Protection.

  • Added support for Public Cloud security PoPs: Dubai (United Arab Emirates). See Global data centers.

  • Updated support for Fortinet security PoPs: Ashburn, Virginia (United States), Bangalore (India), Burnaby (Canada), Singapore, Toronto (Canada), Sydney (Australia). See Global data centers.

What's new for 26.1.107 (26.1.2.2 FortiSASE v7.4)

  • For new instances and existing users already on FortiClient 7.4.6, support has been added for FortiClient 7.4.7 for FortiSASE desktop users. See Supported FortiClient 7.4.7 features.

  • Added support for external feeds and FSSO features when using SPA hubs configured for BGP on loopback. When an existing SPA hub configured for BGP on loopback has had its SPA service connection previously configured in 26.1.2.1 or earlier, to enable support for these features go to Operations > Secure private access, edit the SPA service connection, leave settings unchanged, and click OK. See Supported features for each SPA BGP routing design.

What's new for 26.1.99 (26.1.2.1.1 FortiSASE v7.4)

26.1.2.1.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 26.1.97 (26.1.2.1 FortiSASE v7.4)

  • Added support for integrated management of the FortiSASE Secure Browser extension used with unmanaged and contractor devices. With the deployment of the FortiSASE Secure Browser extension, administrators can gain full visibility into browser activity without deep packet inspection (DPI), can monitor and block Web-based threats, and can prevent data exfiltration. This feature is a select availability feature in FortiSASE that is not enabled by default on new instances. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. See Secure Browser.

  • Added support for configuring dead peer detection (DPD) settings applicable to IPsec agent tunnels via the Global configuration settings page to configure Security PoPs and via Advanced settings within an endpoint profile for the FortiSASE Cloud Security tunnel and any custom IPsec tunnels, respectively. This is a select availability feature that requires a Fortinet Support ticket to enable on new and existing instances. See IPsec dead peer detection customization.

  • Remote browser isolation (RBI) is now a select availability feature and is disabled by default. See RBI.

  • Added support for applying Fortinet Location and Public Cloud Location Branch On-ramp licenses to a FortiSASE instance with the Comprehensive or Advanced subscription. On-ramp locations can only be provisioned based on the licenses registered, be that a Fortinet Location or Public Cloud Location. See Appendix A - FortiSASE data centers.

  • In Endpoint management > Endpoint profiles, when configuring the Protection tab details of a new or existing profile, enabling Trigger vulnerability scan on software change will result in a vulnerability scan occurring on the endpoint when new software is installed and detected. See Protection.

What's new for 26.1.92 (26.1.2 FortiSASE v7.4)

  • Added support for bandwidth policies and profiles used for providing bandwidth control of internet access and private access traffic. See Bandwidth control.

  • The FortiClient Log Level can be customized per endpoint profile in your FortiSASE instance to simplify debug log collection. In Endpoint management > Endpoint profiles > FortiClient GUI settings, enabling Allow debug log generation will set the associated endpoints' FortiClient Log Level to Debug. This feature is disabled by default. When disabled, the Log Level is set to Info. See FortiClient GUI Settings.

  • Added support for synchronizing SSO SAML IdP server settings and SSO user groups with firewall policies and firewall proxy policies. This support relies on synchronizing policy packages from FortiManager to FortiSASE using the central management select availability feature. See Central management.

  • Added support for synchronizing one-time schedules with firewall policies and firewall proxy policies. This support relies on synchronizing policy packages from FortiManager to FortiSASE using the central management select availability feature. See Central management.

  • Added support for Public Cloud security PoPs: Amsterdam - Netherlands, Ashburn - Virginia - USA, Chicago - Illinois - USA, Melbourne - Australia, Montreal - Canada, Osaka - Japan, Santiago - Chile, Stockholm - Sweden. See Global data centers.

  • Updated support for Fortinet security PoPs: Frankfurt - Germany, Miami - Florida - USA. See Global data centers.

What's new for 26.1.73 (26.1.1.2 FortiSASE v7.4)

What's new for 26.1.40 (26.1.1.1 FortiSASE v7.4)

  • For IPsec instances, added support for updating the pre-shared key for the FortiSASE Cloud Security tunnel. This enables IPsec instances to support regional compliance rules to on-premise devices and failover sequence features. See Geofencing.

  • For instances supporting IPsec and FortiClient 7.4, added support for FortiSASE Cloud Security tunnel autoconnect using the session resumption timeout. See Global connection settings.

  • Added support for configuring FortiClient internet check that validates internet connectivity before agent tunnel autoconnect. See Advanced settings.

  • Added support for Public Cloud security PoPs: Abu Dhabi - United Arab Emirates, Jeddah - Saudi Arabia, Milan - Italy. See Global data centers.

What's new for 26.1.26 (26.1.1 FortiSASE v7.4)

  • Added support for the new FortiGate SD-WAN Service Bundle subscription to accelerate the journey from SD-WAN to SASE. The new bundle includes a FortiSASE Starter Kit with FortiSASE Standard remote user subscriptions and secure private access (SPA) connectivity to F-series FortiGate models starting with 100F and G-series FortiGate models starting with 120G. See Common use cases.

  • In endpoint profiles, added the ability to disable agent-based ZTNA functionality, also known as ZTNA destination on FortiClient, when this functionality conflicts with other applications on managed endpoints. See ZTNA.

  • In endpoint profiles, added the ability to show only selected FortiClient tabs including Remote Access, ZTNA Destination, Malware Protection, Sandbox Detection, and Vulnerability Scan, and added the ability to select the default tab shown in FortiClient. Features disabled within an endpoint profile will also be disabled from being shown in FortiClient. See FortiClient GUI Settings.

  • Additional log forwarding servers can be configured in the Log Forwarding to Self-Managed Service settings. See Forwarding logs to an external server.

  • Log forwarding to FortiAnalyzer Cloud can be enabled in the Log Settings. This feature requires the FortiAnalyzer Cloud Storage Add-On License subscription and FortiAnalyzer 7.6.3 or later. If there is no FortiAnalyzer Cloud Storage Add-On License, token generation will not be successful. See Forwarding logs to FortiAnalyzer Cloud and the FortiAnalyzer Ordering Guide for more information.

  • Added enhancements for Digital experience monitoring (DEM) SaaS monitoring:

    • Visualize DEM health measurement metrics to quickly detect health event trends. Using additional filters and time brush event control, compare health metrics across multiple SaaS applications and security PoPs.

    • Review DEM health events with additional controls, including time brush control for viewing health events within a specific time period, application and security PoP filters, and so on.

    • DEM health event incident drill down enhancements have been implemented, including metric graphs, SaaS application and security PoP user access information, health event traceroutes, and so on.

    See SaaS monitoring.

  • Added the ability for customers to customize the management IP address range used for FortiExtender and LAN extension control plane subnet. This can be configured to avoid addressing conflicts with your on-prem network.

    • Prior to customization, by default, the management subnet of 10.253.0.0/16 is reserved, in addition to the subnet that is visible on the page (default: 10.252.0.0/16).

    • Once a custom subnet has been configured, the previously reserved management subnet of 10.253.0.0/16 is also removed.

    See IP management.

  • Added a new maintenance window 22:00–06:00 JST (13:00 - 21:00 UTC) that is more suitable for Japanese instances. For new instances with a Japanese security PoP selected, their maintenance windows will be automatically assigned to this new window. For existing instances with a Japanese security PoP selected, administrators can select this new window from Software audit & version > Version. See Software audit & version.

  • Added source IP anchoring support for designated Public Cloud locations whose naming convention includes -O or -A. See Global data centers.

  • Added support for Public Cloud security PoPs: Bogota - Colombia, Frankfurt - Germany, London - United Kingdom, Mumbai - India, Muscat - Oman, Paris - France, Sydney - Australia, Vinhedo - Brazil. See Global data centers.

  • Added support for Fortinet security PoPs: Auckland - New Zealand. See Global data centers.

  • Updated support for Fortinet security PoPs: London - United Kingdom, Komagome - Japan. See Global data centers.

What's new for 25.4.124 (25.4.c.1 FortiSASE v7.4)

25.4.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.4.109 (25.4.c FortiSASE v7.4)

  • For new instances, support has been added for FortiClient 7.4.5 for FortiSASE desktop users. The transition path for existing customers is not yet available and is expected in an upcoming release. See Supported FortiClient 7.4.7 features.

  • For existing instances, support has been added for FortiClient 7.2.13 for FortiSASE desktop users. This support will be made available some time after the release and is being incrementally deployed for certain tenants. See Supported FortiClient 7.2.14 features.

  • For new instances supporting FortiClient 7.4, security posture tags and tagging rules can be created and managed together in the combined Tagging rules tab in Endpoint management > Security Posture tags. The transition path for existing customers is not yet available and is expected in an upcoming release. See Security posture tags and tagging rules.

  • For new instances, as a remote user connectivity alternative when standard IPsec ports over UDP are blocked by networks, added support for IPsec over TCP with TCP port 443. This feature requires Windows or Mac endpoints running FortiClient 7.4.5 or later. See Global connection settings.

  • For new instances, added support for configuring DNS suffixes for IPsec tunnels in an endpoint profile under Connection > Advanced Settings. DNS suffixes are used for resolving short hostnames and are appended to subdomains. Also, DNS resolutions of endpoints apply the DNS suffixes in the order they are configured. Whenever a DNS suffix is configured or modified, users must reconnect the agent tunnel for changes to take effect. This feature requires Windows endpoints running FortiClient 7.4.5 or later. See Advanced settings.

  • For new instances, added a new rule type for security posture tagging based on CrowdStrike ZTA scores, which are generated by the CrowdStrike Falcon sensor, reflecting the endpoint's security posture. This feature requires Windows and Mac endpoints running FortiClient 7.4.5 or later. See Tagging rule types.

  • For new instances, added support for ZTNA automatic login using OAuth, which allows Windows users signed in to their workstations, joined to a Microsoft Entra ID domain, to be automatically allowed access to ZTNA-protected TCP resources by using the same login information. This feature requires valid supporting Entra ID configuration, Windows endpoints running FortiClient 7.4.5 or later, and FortiGate devices acting as ZTNA application gateways running FortiOS 7.6.1 or later. See ZTNA.

  • For new instances, FortiSASE can now learn security posture tags directly from FortiClient when using ZTNA application gateway sharing. By enabling Record client tags and information in the Endpoint management > Security posture tags > Settings tab, the security posture tag timeout can be defined in FortiSASE. This feature requires FortiClient 7.4.5 and later. See Endpoint management settings.

  • Added System for Cross-domain Identity Management (SCIM) support for automated user provisioning from Entra ID, FortiAuthenticator, and Okta SAML IdPs. The SCIM client (IdP) sends user and group information to the SCIM server (FortiSASE as SP). This is a select availability feature that requires a Fortinet Support ticket to enable on new and existing instances. See SCIM server support.

  • Added support for configuring and matching geography addresses as the source in policies which allow specific security profiles to be applied to remote user agents connecting from specific geolocations. See Configuring a geography-based policy.

  • For MSSPs, added central management support for synchronizing multiple tenants' FortiSASE instances from a single FortiManager instance or from multiple FortiManager instances.

    • Currently, each ADOM in FortiManager supports synchronizing configuration with a single FortiSASE instance.

    • A FortiManager key, if configured, allows a FortiManager appliance registered under a FortiCare account belonging to a parent Organization Unit (OU) to manage the FortiSASE tenant.

    • The FortiManager key can be revoked to only allow connections from FortiManager appliances registered to the current FortiCare account and disable connections from parent OU FortiManagers.

    • The FortiManager key will be strictly matched and must match in both FortiManager and FortiSASE connector settings. If a key is revoked on the FortiSASE tenant, then the key must also be removed on the FortiManager intending to manage the tenant.

    • Central management is still a select availability feature that requires a Fortinet Support ticket to enable on new and existing instances.

    See Central management for MSSP tenants.

  • Extended existing REST API support to include retrieval of data transfer statistics for FortiSASE instances, including annual allotment, consumed bytes, and consumption percentage. See Appendix B - REST API.

  • Added support for Public Cloud security PoPs: Bangkok - Thailand, Cyberjaya - Malaysia, Columbus - Ohio - USA, Montreal - Canada, Moncks Corner - South Carolina - USA, Tokyo - Japan. See Global data centers.

What's new for 25.4.96 (25.4.b.2 FortiSASE v7.4)

25.4.b.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.4.88 (25.4.b.1 FortiSASE v7.4)

25.4.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.4.78 (25.4.b FortiSASE v7.4)

  • For greater performance and security, FortiSASE Cloud Security tunnel will be migrating from SSL to IPsec starting early 2027. FortiSASE Cloud Security tunnel will support a hybrid IPsec/SSL mode during the transition period that is available as an opt-in feature for SSL VPN instances through the Operations > Administration > Software audit & version page's best practices. This allows customers time to verify client-side changes for IPsec mode before migrating with confidence. See Hybrid IPsec/SSL mode.

  • Added support for configuring authenticated onboarding with Entra ID for SAML SSO using an existing Entra ID domain, which allows an endpoint profile configured with a matching AD group from the domain to be assigned to matching endpoints with users authenticated using an Entra ID account. Authenticated onboarding is still a select availability feature. See Authenticated onboarding.

  • Simplified pre-logon tunnels such that endpoints establish tunnels with the nearest FortiSASE Security PoP using certificate-based authentication. This simplified approach supports a shared policy to allow destinations and requires configuring an SPA hub with connectivity to an Active Directory server. For instances with existing pre-logon tunnels configured, the previous approach is still supported and only the simplified approach is supported going forward after disabling existing pre-logon tunnels in all endpoint profiles. See Pre-logon tunnel.

  • Added support for configuring the FortiClient built-in browser used for SAML SSO authentication in an endpoint profile under Connection > Tunnel settings. See Tunnel settings.

  • Added the Disable native Windows captive portal prompt option, which when enabled means that FortiClient will handle the captive portal on Windows endpoints.

    • This option is only available when Lockdown endpoint when off-net (network lockdown) is enabled.

    • The default setting for this option is disabled, which means that Windows handles the captive portal on endpoints. This ensures that when network lockdown is enabled, WiFi does not disconnect after the agent tunnel disconnects.

    See Network lockdown.

  • Added support for SAML single signout in the agentless ZTNA bookmark portal. See Accessing the bookmark portal.

  • Added support for configuring one-time schedules with policies and proxy policies. See Schedules.

  • For existing instances, support has been added for a new endpoint vulnerability report based on logs collected from FortiClient endpoints. See Report types.

  • For existing instances, support has been added for a new Secure Private Access (SPA) report displaying the health of each connected SPA hub, the traffic through popular hubs, and the status of SD-WAN performance SLAs. See Report types.

  • For existing instances, support has been added for a new Cloud Security Usage Report to identify the total number of users in the reporting period and per PoP, the number of sessions, and total traffic. Average hourly underlay activity is reported by security PoP. Top authentication failures are listed by region and originating IP address. See Report types.

  • For existing instances, added an Automation page in Operation > Administration to allow configuring of actions, such as sending alert emails, based on predefined triggers to proactively notify administrators of events. Currently, alert emails can be triggered for an unstable Secure Private Access (SPA) connection only when SLA failures, routing changes, and BGP neighbor status changes all occur. See Automation.

  • Added support for performing a factory reset on a FortiSASE instance that returns it to its initial provision point, disconnects all users, and deregisters all endpoints.

    • This feature includes options to keep the dedicated public IP addresses or to repick PoP locations (you can only choose one option and they cannot be used together).

    • After accepting the acknowledgment, an email with a passcode is sent to the email address for the instance's primary FortiCloud account, and after entering the passcode, the reset will begin.

    • Currently, this feature is enabled by default for FortiSASE instances with the Not-for-Resale (NFR) and Advanced NFR licenses applied.

    • For FortiSASE instances with other licenses applied, this is a select availability feature requiring a FortiCare Support ticket.

    • This feature is available only when logged into the FortiSASE portal with the principal FortiCloud account, where an OTP code is sent via email. This feature is not available from IAM accounts.

    See Factory reset.

  • Enhanced endpoint upgrade rule page to more clearly indicate the option to defer a FortiClient installation and to indicate that once the installation starts, the endpoint will automatically reboot upon completion. See Endpoint upgrade.

  • Simplified security PoP selection for Advanced and Comprehensive customers to show all available locations on one page. See Provisioning.

  • Added support for Public Cloud security PoPs: Dubai - United Arab Emirates, Frankfurt - Germany, Miami - USA, Paris - France, Toronto - Canada. See Global data centers.

  • Updated support for Fortinet security PoPs: Ashburn - Virginia - USA. See Global data centers.

  • Support has been added to view the FortiSASE portal in French. See Language support.

  • Support has been added to view the FortiSASE portal in Japanese. See Language support.

What's new for 25.3.148 (25.4.a FortiSASE v7.4)

  • Added support for Public Cloud security PoPs: Buenos Aires - Argentina, Lima - Peru, London - United Kingdom, Manila - Philippines, St. Ghislain - Belgium, Warsaw - Poland, Zurich - Switzerland. See Global data centers.

What's new for 25.3.148 (25.3.c.1 FortiSASE v7.4)

25.3.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.139 (25.3.c FortiSASE v7.4)

  • Support FortiClient 7.2.12 as the recommended version for FortiSASE desktop users. See Product integration and support.

  • Added support for using a custom domain and a certificate for the custom domain that can be used to access a ZTNA private application. The administrator must configure the custom domain DNS CNAME record with the FortiSASE private application domain for the private application. See Configuring a private application.

  • Added a built-in custom PAC file editor for creating and editing PAC files hosted on FortiSASE.

    • These hosted PAC files can be downloaded or referenced via their hosted URLs by Proxy (formerly SWG) users.

    • Each FortiSASE instance supports a maximum of 32 hosted PAC files.

    See Customizing the PAC file.

  • For FortiSASE instances with Proxy (formerly SWG) enabled, added a best practice recommendation to migrate to Secure Proxy using HTTPS connections. Hosted PAC files will be updated as part of the migration.

    • After the migration, to ensure Proxy user functionality, custom PAC files maintained by administrators themselves must be edited to support Secure Proxy and redeployed on Proxy endpoints.

    See Secure proxy migration.

  • Added support for additional Web Filter configuration settings including the ability to prioritize URL filter entries, logging search keywords, and displaying the FortiGuard web filter category and subcategory in a tooltip when hovering over a domain. Also, added support for synchronizing these settings using FortiManager with the central management select availability feature. See Configuring and applying a Web Filter profile.

  • Added support for configuring application control filter overrides based on multiple filters including application category, behavior, popularity, protocol, risk, technology, and vendor. Also, added support for configuring actions for custom application signatures. Moreover, added support for synchronizing these settings using FortiManager with the central management select availability feature. See Application Control With Inline-CASB.

  • For new instances, support has been added for a new endpoint vulnerability report based on logs collected from FortiClient endpoints. See Report types.

  • For new instances, support has been added for a new Secure Private Access (SPA) report displaying the health of each connected SPA hub, the traffic through popular hubs, and the status of SD-WAN performance SLAs. See Report types.

  • For new instances, support has been added for a new Cloud Security Usage Report to identify the total number of users in the reporting period and per PoP, the number of sessions, and total traffic. Average hourly underlay activity is reported by security PoP. Top authentication failures are listed by region and originating IP address. See Report types.

  • The recommendation to use SOCaaS log forwarding is presented in the Operations > Logs > Settings page and through additional portal notifications. Enabling SOCaaS log forwarding is included as a best practice recommendation. See Forwarding logs to SOCaaS and Software audit & version.

  • Administrator logins, configuration audit logs, and user audit logs have been introduced in the System > Administration page. Once the feature has been enabled, any configuration changes made by an administrator will require a change summary to be submitted. See Administration.

  • The UI version has been removed from the FortiSASE portal URL, ensuring a consistent path for ease of access.

  • Added support for Chicago, Illinois, USA as a Public Cloud security PoP. See Global data centers.

  • For new instances, added an Automation page in Operation > Administration to allow configuring of actions, such as sending alert emails, based on predefined triggers to proactively notify administrators of events. Currently, alert emails can be triggered for an unstable Secure Private Access (SPA) connection only when SLA failures, routing changes, and BGP neighbor status changes all occur. See Automation.

What's new for 25.3.112 (25.3.b.1 FortiSASE v7.4)

25.3.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.89 (25.3.b FortiSASE v7.4)

  • Added a v7.4 or v7.2 tag to the version tooltip at the bottom of the navigation menu. See New major features available.

  • Added support for highlighting best practices recommendations by displaying an additional prompt upon portal login. See New major features available.

  • Added support for branch on-ramp with the Standard subscription for new and upgraded instances. An Advanced branch on-ramp subscription must also be applied to a Standard instance to enable the branch on-ramp feature. See SIA for Branch On-ramp site-based remote users.

  • Added support for simplified branch on-ramp licensing. See SIA for Branch On-ramp site-based remote users.

    • Each on-ramp Security PoP provides up to 1 Gbps for up to 2000 simultaneous dialup IPsec connections, changed from the previous limit of 10 connections, and includes 50 TB of data transfer per year based on 50 Mbps usage during business hours.

    • Data transfer is aggregated at the account level and shared with remote users (250 GB per user).

    • Additional data transfer subscriptions can be purchased if required.

    • The Branch On-ramp Connection add-on subscription is discontinued after this release. See SIA for Branch On-ramp site-based remote users.

  • Added support for FIDO2 authentication for FortiClient agent tunnels, which is configurable in Endpoint profiles for the FortiSASE Cloud Security tunnel and custom tunnels when Authenticate with SSO and Use FortiClient built-in browser for SAML authentication are enabled. See Advanced settings.

  • Added support in the AntiVirus security profile for content disarm and reconstruction (CDR), which sanitizes Microsoft Office documents and PDF files by removing potentially malicious and untrusted content from them (disarm) without affecting the integrity of their textual content (reconstruction). CDR does not support SMTP, FTP, and CIFS protocols. See AntiVirus.

  • Added support for configuring and viewing predefined DLP sensors and DLP dictionaries managed by the FortiGuard DLP service in the DLP security profile and in Security > Traffic > Security profiles > Profile resources, respectively. See Profile resources.

  • Added support for displaying IPAM usage information in a chart in Network > IP management > IPAM indicating which subnets are allocated, the percentage of the IPAM pool that remains unallocated, and the percentage of each IP block allocated via DHCP. See IP management.

  • Added support for displaying security PoPs, logging PoPs, and endpoint management PoPs on a map during provisioning and after provisioning in Operations > Connectivity > Infrastructure. See Infrastructure.

  • Added support for synchronizing firewall policies, firewall proxy policies, firewall schedules and security posture tags in policy packages from FortiManager to FortiSASE using the central management select availability feature. See Configuring settings using policy packages in FortiManager.

  • Added support for Auckland, New Zealand as a Public Cloud security PoP. See Global data centers.

  • Added support for Perth, Australia as a Public Cloud security PoP. See Global data centers.

  • Added support for Delhi, India as a Public Cloud security PoP. See Global data centers.

What's new for 25.3.67 (25.3.a.3 FortiSASE v7.4)

25.3.a.3 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.57 (25.3.a.2 FortiSASE v7.4)

25.3.a.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.47 (25.3.a.1 FortiSASE v7.4)

25.3.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.40 (25.3.a FortiSASE v7.4)

  • Enhancements for Digital Experience Monitoring (DEM), including a path diagram for endpoint traceroute results, support for displaying additional SaaS monitoring metrics, and customizing the list of SaaS applications to monitor. See Digital Experience Monitoring.

  • Updated the log retention period for the FortiView, Log View, and Report functions to seven days for newly provisioned instances. See Log retention policy.

  • Added support for secure explicit proxy. Secure explicit proxy is enabled by default when enabling proxy for newly provisioned instances. Instances provisioned before 25.3.a have the option to enable secure explicit proxy. See Proxy configuration.

  • Added support for configuring an action to inspect or block QUIC traffic for agent and Edge device traffic. See Configuring an action for QUIC traffic.

  • Added support for configuring additional trusted remote gateways as failover options alongside the FortiSASE Cloud Security tunnel, with the ability to define their connection priority order within each endpoint profile. See Advanced settings.

  • Added support for Secure Private Access (SPA) application monitoring, allowing up to 20 custom applications hosted behind SPA Hubs to be defined and monitored using ICMP health check probes initiated by Security PoPs to verify application availability. See SPA application monitoring.

  • Added support for enabling the BGP MED options always-compare-med and deterministic-med on FortiSASE to enable selecting a preferred SPA Hub based on MED values, particularly when receiving prefixes from SPA Hubs belonging to different ASes. See BGP MED Setting.

  • Added support to enable and manage communication between remote endpoints connected via the FortiSASE Cloud Security tunnel through a Secure Private Access (SPA) Hub. Administrators can enforce granular control by defining endpoint-to-endpoint policies that selectively allow specific traffic between designated endpoints. See Enabling endpoint to endpoint communication.

  • Added support for administrators to schedule FortiSASE upgrades by selecting from a list of predefined maintenance window slots, directly through the FortiSASE portal. See Software audit & version.

  • Added support to control and specify the public IP address used by a Security PoP to perform source NAT on remote user traffic as it exits the PoP, based on matching criteria such as user group and the originating country or region of the remote user's traffic. See IP management.

  • Added support to change the isolation data limit from a user-based and monthly-based model to a tenant-based and yearly-based model. Each tenant is now entitled to a maximum amount of isolation data per year. Once this limit is exceeded, any traffic configured for isolation will be blocked for all users within the tenant. See RBI.

  • Added support for configuring new security posture tagging rules, including tagging based on CVEs, using negation to identify non-vulnerable devices, and combining multiple tagging rules using logical AND/OR operators. See Security posture tags and tagging rules.

  • Added support for enforcing pre-connection posture checks using security posture tags to allow or deny endpoints from establishing a connection to the FortiSASE Cloud Security tunnel based on their associated tags. See Pre-connection posture checks.

  • Added support for optionally displaying a sequence number column in the policy list to help administrators manage and identify policy order using their sequence number. See Policies.

  • Added support for customers having Advanced remote user subscriptions to select certain Public cloud locations to launch their FortiSASE Security PoPs. See Global data centers.

  • Added support for customizing captive portal replacement message for Edge devices. See HTML templates.

  • Support FortiClient 7.2.11 as the recommended version for FortiSASE desktop users. See Product integration and support.

  • Added support for Dublin, Ireland (DUB-A2) as a Public Cloud security PoP. See Global data centers.

What's new for 25.2.91 (25.2.c.2 FortiSASE v7.4)

25.2.c.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.90 (25.2.c.1 FortiSASE v7.4)

25.2.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.81 (25.2.c FortiSASE v7.4)

  • Support FortiClient 7.2.10 as the recommended version for FortiSASE desktop users. See Product integration and support.
  • Added a new audit page providing configuration best practice recommendations. See Software audit & version.
  • For new FortiSASE tenants created after 25.2.c, added support for dedicated public IP addresses with the Standard subscription without additional licensing.
  • RBI now supports isolation for the following categories only. See RBI.
    • Unrated
    • Newly Observed Domain
    • Newly Registered Domain
    • Malicious Websites
  • FortiSASE has added powerful new capabilities that are enabled by default on new instances created after the 25.2.c release. For a complete list, see New features.
    • Navigation menu items have been reorganized for improved usability and to group items with related functionality and usage. Terminology has been standardized for clarity and consistency.
    • Added System > License overview page to provide FortiSASE licensing details.
    • Integrated FortiCASB API-based cloud access security broker (CASB) management and protection into FortiSASE for secure SaaS access (SSA).
    • Added DLP enhancements including support for DLP Exact Data Matching (EDM) and Indexed Document Matching (IDM) with DLP fingerprinting.
    • Support IPsec connections to Branch On-ramp Security PoPs from third-party IPsec devices.
    • DNS redirection (formerly split DNS) rules transparently apply to all passthrough traffic for FortiClient agent tunnels, Edge device clients, and Proxy clients.

What's new for 25.2.56 (25.2.b.2)

25.2.b.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.48 (25.2.b.1)

25.2.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.45 (25.2.b)

  • FortiSASE now supports Branch On-ramp deployment for up to 20 On-Ramp security PoPs.
  • Improved the site provisioning process for new tenants with an additional recovery mechanism for when a site provision does not complete successfully. See PoPs.

What's new for 25.2.30 (25.2.a.1)

25.2.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.24 (25.2.a)

  • Added support for FortiGate SASE Bundle subscription to accelerate the journey from SD-WAN to SASE. The bundle includes a Starter Kit with FortiSASE Standard remote user subscriptions and secure private access (SPA) connectivity to G-series FortiGate models starting with 120G.
  • FortiClient 7.2.9 is the recommended supported version for existing and new FortiSASE instances using IPsec and SSL remote agent connectivity. See Product integration and support.
  • Added support to enhance the default pre-logon tunnel security settings for IPsec by using a stronger hashing algorithm (SHA 256) and key exchange algorithm (DH group 15) with IKE version 2. See 10607.
  • Added support for the Global Region Add-on subscription that can be added on top of an existing Comprehensive subscription. This add-on subscription entitles the instance to use an unlimited number of Security PoPs selected from existing and future Fortinet Cloud and Public Cloud security PoPs. See Appendix A - FortiSASE data centers.
  • Added support for registering FortiCASB data protection add-on subscriptions. See Product integration and support.
  • Number of private applications supported per agentless ZTNA bookmark policy increased from 20 to 200. See Configuring the bookmark portal.

What's new for 25.1.75 (25.1.c)

  • Added support for displaying endpoint details in Network > Managed Endpoints > Endpoints and Network > Connected Users including FortiSASE VPN Tunnel IP and FortiSASE agent session details, and the Last Seen timestamp in Managed Endpoints. The FortiSASE VPN Tunnel IP can be used with server-client applications with server traffic originating from SPA hubs destined for a FortiSASE managed endpoint. See Managed Endpoints and Connected Users.

  • Added support for displaying the learned BGP multi-exit discriminator (MED) values in Health and VPN Tunnel Status > View Learned BGP Routes when Network > Network Configuration is configured with Hub selection method as BGP MED. See Viewing MED values of SPA routes and Viewing health and VPN tunnel status.

  • Added support for Querétaro, Mexico and Sydney, Australia as Public Cloud security PoPs. See Global data centers.

  • Added support for Sao Paulo, Brazil as a Fortinet Cloud security PoP. See Global data centers.

What’s new for 25.1.51 (25.1.b)

  • Added support for the Branch On-ramp connection add-on subscription for 1-2000 FortiGate IPsec connections. Since you can purchase a maximum of eight Branch On-ramp security PoPs for a single account, with Branch On-ramp connection add-on subscriptions it is possible for an account to have a maximum of 16000 Branch On-ramp connections. See On-ramp tunnel.
  • Added support for the agentless zero trust network access (ZTNA) bookmark portal to show private applications’ bookmarks based on the authenticated user’s permission level which is controlled by Agentless ZTNA bookmark policies. See Configuring the bookmark portal.
  • Added enhancements to the Network Lockdown feature by enabling FortiClient endpoints to enter strict lockdown with a configurable grace period of 0 seconds. Also added support for detecting and exempting traffic to captive portals and domains specified under Exempt destinations. See Network lockdown.
  • Added enhancements to the Geofencing feature by enabling granular control over prioritization of connection attempts and failover to connections of type On-premise device and Security PoP based on the endpoint’s country or region. See Geofencing.
  • Added support for administrators to clone endpoint profiles using an existing endpoint profile, simplifying profile management and reducing configuration time. See Profiles.
  • Added support for configuring the ZTNA application gateway and ZTNA destinations under Configuration > Agent-based ZTNA. These configuration settings can now be easily referenced and applied to individual endpoint profiles under the ZTNA tab, streamlining ZTNA configuration. See ZTNA.
  • Added enhancements to DEM, enabling FortiSASE administrators to view TCP latency metrics for endpoints as a Beta feature, offering deeper visibility into underlay network performance from the endpoint to FortiSASE Security PoP. See Digital experience: TCP latency.
  • Added support for an increased maximum number of FortiAP edge devices that FortiSASE supports. See SIA for FortiAP site-based remote users.
  • Added datacenter support for Madrid, Spain as a Fortinet Cloud security PoP. See Global data centers.
  • Added support for signing a preconfigured FortiClient installer using your own CA certificate or using the Fortinet CA certificate via FortiCare Support ticket request.

What’s new for 25.1.39 (25.1.a.2)

25.1.a.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.37 (25.1.a.1)

25.1.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.28 (25.1.a)

  • Added support in endpoint profiles for enabling patching of vulnerabilities detected where automatic patching is available and for configuring the minimum severity level of vulnerabilities to patch. Also, added support in the Vulnerability Summary widget for selecting individual vulnerabilities to schedule to be automatically patched on affected endpoints. See Drilling down on vulnerabilities.
  • Added support for configuring schedules and service groups for agent and proxy policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
  • Added support for synchronization of service groups for agent and proxy policies using FortiManager with the central management select availability feature. See Central Management.
  • Added support for adding administrator-defined comments to agent and proxy policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
  • Added support to allow administrators to configure, edit, and delete personal VPN settings on FortiClient on a per-endpoint profile basis. As FortiSASE does not manage personal VPN settings, enabling this feature is recommended only for endpoint profiles designated for FortiClient users belonging to your organization’s administrative group. This ensures flexibility while maintaining security and compliance across managed devices. See Connection.
  • Added support to allow remote VPN users to access their local network resources such as printers or fileshares while remaining connected to FortiSASE secure internet access (SIA). You can enable this feature on a per-endpoint profile basis. Additionally, if you enable on-net detection, you can enable the feature based on an endpoint’s on-net status, allowing more granularity. See Connection.
  • Extended existing REST API support to include security profiles, user groups, and authentication sources.
  • Added support for Plano, Texas, USA as a Fortinet Cloud security PoP. See Global data centers.
  • FortiClient 7.2.8 is the recommended supported version for existing and new FortiSASE instances using SSL VPN and IPsec remote user connectivity.
  • Added support for displaying comprehensive error messages for failed synchronization attempts when using FortiManager with the central management select availability feature. See Displaying error messages for failed synchronization attempts.
  • Added support for authenticating agent-based remote users via SAML single sign on (SSO) during their onboarding. FortiSASE acts as a service provider, supporting integration with other identity providers such as FortiAuthenticator, Okta, and Microsoft Entra ID to ensure that only authenticated users can connect to the FortiSASE Endpoint Management service using an invitation code. This is a select availability feature and you must enable it for it to be visible under Configuration > User Onboarding SSO. See User onboarding SSO.
  • Added support for administrators to add, change, and delete security PoPs dynamically from Network > Infrastructure as a select availability feature. See Infrastructure. This is available only when a FortiSASE instance meets these specific conditions:
    • The following features are not configured:
      • Proxy
      • Source IP address anchoring
    • Default VPN remote users’ IP address range has not been exceeded.
    • The following have not been deployed:
      • Edge devices
      • Branch On-ramp security PoPs
    • Other custom changes to the instance have not been made.

What's new for 26.2.57 (26.2.1 FortiSASE v7.4)

  • Added support for bring your own device (BYOD) enrollment to a mobile device management (MDM) platform used for installing FortiClient and automatically provisioning a ZTNA client certificate to a device. Currently, only iOS mobile devices are supported with the Intune and JAMF platforms. See MDM integration.

  • When FortiPAM integration is enabled, added support for adding the FortiPAM agent to the FortiClient installer available on the FortiSASE portal. Also, when FortiPAM integration is disabled in FortiSASE, added support for removing the FortiPAM agent from the FortiClient installer and for removing the FortiPAM browser extension. See FortiPAM integration.

  • Improved usability of the Connection tab in an endpoint profile to clearly indicate that local LAN access options apply when connected to a tunnel and that the network lockdown option applies when not connected to a tunnel. See Network lockdown.

  • Added an option for administrators to override the global FortiSASE Cloud Security Tunnel encapsulation setting with IPsec over TCP in an endpoint profile. This allows IPsec remote user connectivity in cases where the Auto option for FortiSASE Cloud Security Tunnel encapsulation does not work: the initial IKE negotiation over UDP works, but the ISP blocks UDP ports 500/4500, so the fallback to TCP never occurs. See Advanced settings.

  • For new instances or existing instances provisioned in 25.4.c Feature or later supporting FortiClient 7.4, added support for the Show Vulnerability Popup toggle that allows administrators to control whether a vulnerability scan summary popup is shown when a scan finds vulnerabilities on a given endpoint. See Protection.

  • Added support for Public Cloud security PoPs: Dubai (United Arab Emirates). See Global data centers.

  • Updated support for Fortinet security PoPs: Ashburn, Virginia (United States), Bangalore (India), Burnaby (Canada), Singapore, Toronto (Canada), Sydney (Australia). See Global data centers.

What's new for 26.1.107 (26.1.2.2 FortiSASE v7.4)

  • For new instances and existing users already on FortiClient 7.4.6, support has been added for FortiClient 7.4.7 for FortiSASE desktop users. See Supported FortiClient 7.4.7 features.

  • Added support for external feeds and FSSO features when using SPA hubs configured for BGP on loopback. When an existing SPA hub configured for BGP on loopback has had its SPA service connection previously configured in 26.1.2.1 or earlier, to enable support for these features go to Operations > Secure private access, edit the SPA service connection, leave settings unchanged, and click OK. See Supported features for each SPA BGP routing design.

What's new for 26.1.99 (26.1.2.1.1 FortiSASE v7.4)

26.1.2.1.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 26.1.97 (26.1.2.1 FortiSASE v7.4)

  • Added support for integrated management of the FortiSASE Secure Browser extension used with unmanaged and contractor devices. With the deployment of the FortiSASE Secure Browser extension, administrators can gain full visibility into browser activity without deep packet inspection (DPI), can monitor and block Web-based threats, and can prevent data exfiltration. This feature is a select availability feature in FortiSASE that is not enabled by default on new instances. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support. See Secure Browser.

  • Added support for configuring dead peer detection (DPD) settings applicable to IPsec agent tunnels via the Global configuration settings page to configure Security PoPs and via Advanced settings within an endpoint profile for the FortiSASE Cloud Security tunnel and any custom IPsec tunnels, respectively. This is a select availability feature that requires a Fortinet Support ticket to enable on new and existing instances. See IPsec dead peer detection customization.

  • Remote browser isolation (RBI) is now a select availability feature and is disabled by default. See RBI.

  • Added support for applying Fortinet Location and Public Cloud Location Branch On-ramp licenses to a FortiSASE instance with the Comprehensive or Advanced subscription. On-ramp locations can only be provisioned based on the licenses registered, be that a Fortinet Location or Public Cloud Location. See Appendix A - FortiSASE data centers.

  • In Endpoint management > Endpoint profiles, when configuring the Protection tab details of a new or existing profile, enabling Trigger vulnerability scan on software change will result in a vulnerability scan occurring on the endpoint when new software is installed and detected. See Protection.

What's new for 26.1.92 (26.1.2 FortiSASE v7.4)

  • Added support for bandwidth policies and profiles used for providing bandwidth control of internet access and private access traffic. See Bandwidth control.

  • The FortiClient Log Level can be customized per endpoint profile in your FortiSASE instance to simplify debug log collection. In Endpoint management > Endpoint profiles > FortiClient GUI settings, enabling Allow debug log generation will set the associated endpoints' FortiClient Log Level to Debug. This feature is disabled by default. When disabled, the Log Level is set to Info. See FortiClient GUI Settings.

  • Added support for synchronizing SSO SAML IdP server settings and SSO user groups with firewall policies and firewall proxy policies. This support relies on synchronizing policy packages from FortiManager to FortiSASE using the central management select availability feature. See Central management.

  • Added support for synchronizing one-time schedules with firewall policies and firewall proxy policies. This support relies on synchronizing policy packages from FortiManager to FortiSASE using the central management select availability feature. See Central management.

  • Added support for Public Cloud security PoPs: Amsterdam - Netherlands, Ashburn - Virginia - USA, Chicago - Illinois - USA, Melbourne - Australia, Montreal - Canada, Osaka - Japan, Santiago - Chile, Stockholm - Sweden. See Global data centers.

  • Updated support for Fortinet security PoPs: Frankfurt - Germany, Miami - Florida - USA. See Global data centers.

What's new for 26.1.73 (26.1.1.2 FortiSASE v7.4)

What's new for 26.1.40 (26.1.1.1 FortiSASE v7.4)

  • For IPsec instances, added support for updating the pre-shared key for the FortiSASE Cloud Security tunnel. This enables IPsec instances to support regional compliance rules to on-premise devices and failover sequence features. See Geofencing.

  • For instances supporting IPsec and FortiClient 7.4, added support for FortiSASE Cloud Security tunnel autoconnect using the session resumption timeout. See Global connection settings.

  • Added support for configuring FortiClient internet check that validates internet connectivity before agent tunnel autoconnect. See Advanced settings.

  • Added support for Public Cloud security PoPs: Abu Dhabi - United Arab Emirates, Jeddah - Saudi Arabia, Milan - Italy. See Global data centers.

What's new for 26.1.26 (26.1.1 FortiSASE v7.4)

  • Added support for the new FortiGate SD-WAN Service Bundle subscription to accelerate the journey from SD-WAN to SASE. The new bundle includes a FortiSASE Starter Kit with FortiSASE Standard remote user subscriptions and secure private access (SPA) connectivity to F-series FortiGate models starting with 100F and G-series FortiGate models starting with 120G. See Common use cases.

  • In endpoint profiles, added the ability to disable agent-based ZTNA functionality, also known as ZTNA destination on FortiClient, when this functionality conflicts with other applications on managed endpoints. See ZTNA.

  • In endpoint profiles, added the ability to show only selected FortiClient tabs including Remote Access, ZTNA Destination, Malware Protection, Sandbox Detection, and Vulnerability Scan, and added the ability to select the default tab shown in FortiClient. Features disabled within an endpoint profile will also be disabled from being shown in FortiClient. See FortiClient GUI Settings.

  • Additional log forwarding servers can be configured in the Log Forwarding to Self-Managed Service settings. See Forwarding logs to an external server.

  • Log forwarding to FortiAnalyzer Cloud can be enabled in the Log Settings. This feature requires the FortiAnalyzer Cloud Storage Add-On License subscription and FortiAnalyzer 7.6.3 or later. If there is no FortiAnalyzer Cloud Storage Add-On License, token generation will not be successful. See Forwarding logs to FortiAnalyzer Cloud and the FortiAnalyzer Ordering Guide for more information.

  • Added enhancements for Digital experience monitoring (DEM) SaaS monitoring:

    • Visualize DEM health measurement metrics to quickly detect health event trends. Using additional filters and time brush event control, compare health metrics across multiple SaaS applications and security PoPs.

    • Review DEM health events with additional controls, including time brush control for viewing health events within a specific time period, application and security PoP filters, and so on.

    • DEM health event incident drill down enhancements have been implemented, including metric graphs, SaaS application and security PoP user access information, health event traceroutes, and so on.

    See SaaS monitoring.

  • Added the ability for customers to customize the management IP address range used for FortiExtender and LAN extension control plane subnet. This can be configured to avoid addressing conflicts with your on-prem network.

    • Prior to customization, by default, the management subnet of 10.253.0.0/16 is reserved, in addition to the subnet that is visible on the page (default: 10.252.0.0/16).

    • Once a custom subnet has been configured, the previously reserved management subnet of 10.253.0.0/16 is also removed.

    See IP management.

  • Added a new maintenance window 22:00–06:00 JST (13:00 - 21:00 UTC) that is more suitable for Japanese instances. For new instances with a Japanese security PoP selected, their maintenance windows will be automatically assigned to this new window. For existing instances with a Japanese security PoP selected, administrators can select this new window from Software audit & version > Version. See Software audit & version.

  • Added source IP anchoring support for designated Public Cloud locations whose naming convention includes -O or -A. See Global data centers.

  • Added support for Public Cloud security PoPs: Bogota - Colombia, Frankfurt - Germany, London - United Kingdom, Mumbai - India, Muscat - Oman, Paris - France, Sydney - Australia, Vinhedo - Brazil. See Global data centers.

  • Added support for Fortinet security PoPs: Auckland - New Zealand. See Global data centers.

  • Updated support for Fortinet security PoPs: London - United Kingdom, Komagome - Japan. See Global data centers.

What's new for 25.4.124 (25.4.c.1 FortiSASE v7.4)

25.4.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.4.109 (25.4.c FortiSASE v7.4)

  • For new instances, support has been added for FortiClient 7.4.5 for FortiSASE desktop users. The transition path for existing customers is not yet available and is expected in an upcoming release. See Supported FortiClient 7.4.7 features.

  • For existing instances, support has been added for FortiClient 7.2.13 for FortiSASE desktop users. This support will be made available some time after the release and is being incrementally deployed for certain tenants. See Supported FortiClient 7.2.14 features.

  • For new instances supporting FortiClient 7.4, security posture tags and tagging rules can be created and managed together in the combined Tagging rules tab in Endpoint management > Security Posture tags. The transition path for existing customers is not yet available and is expected in an upcoming release. See Security posture tags and tagging rules.

  • For new instances, as a remote user connectivity alternative when standard IPsec ports over UDP are blocked by networks, added support for IPsec over TCP with TCP port 443. This feature requires Windows or Mac endpoints running FortiClient 7.4.5 or later. See Global connection settings.

  • For new instances, added support for configuring DNS suffixes for IPsec tunnels in an endpoint profile under Connection > Advanced Settings. DNS suffixes are used for resolving short hostnames and are appended to subdomains. Also, DNS resolutions of endpoints apply the DNS suffixes in the order they are configured. Whenever a DNS suffix is configured or modified, users must reconnect the agent tunnel for changes to take effect. This feature requires Windows endpoints running FortiClient 7.4.5 or later. See Advanced settings.

  • For new instances, added a new rule type for security posture tagging based on CrowdStrike ZTA scores, which are generated by the CrowdStrike Falcon sensor, reflecting the endpoint's security posture. This feature requires Windows and Mac endpoints running FortiClient 7.4.5 or later. See Tagging rule types.

  • For new instances, added support for ZTNA automatic login using OAuth, which allows Windows users signed in to their workstations, joined to a Microsoft Entra ID domain, to be automatically allowed access to ZTNA-protected TCP resources by using the same login information. This feature requires valid supporting Entra ID configuration, Windows endpoints running FortiClient 7.4.5 or later, and FortiGate devices acting as ZTNA application gateways running FortiOS 7.6.1 or later. See ZTNA.

  • For new instances, FortiSASE can now learn security posture tags directly from FortiClient when using ZTNA application gateway sharing. By enabling Record client tags and information in the Endpoint management > Security posture tags > Settings tab, the security posture tag timeout can be defined in FortiSASE. This feature requires FortiClient 7.4.5 and later. See Endpoint management settings.

  • Added System for Cross-domain Identity Management (SCIM) support for automated user provisioning from Entra ID, FortiAuthenticator, and Okta SAML IdPs. The SCIM client (IdP) sends user and group information to the SCIM server (FortiSASE as SP). This is a select availability feature that requires a Fortinet Support ticket to enable on new and existing instances. See SCIM server support.

  • Added support for configuring and matching geography addresses as the source in policies which allow specific security profiles to be applied to remote user agents connecting from specific geolocations. See Configuring a geography-based policy.

  • For MSSPs, added central management support for synchronizing multiple tenants' FortiSASE instances from a single FortiManager instance or from multiple FortiManager instances.

    • Currently, each ADOM in FortiManager supports synchronizing configuration with a single FortiSASE instance.

    • A FortiManager key, if configured, allows a FortiManager appliance registered under a FortiCare account belonging to a parent Organization Unit (OU) to manage the FortiSASE tenant.

    • The FortiManager key can be revoked to only allow connections from FortiManager appliances registered to the current FortiCare account and disable connections from parent OU FortiManagers.

    • The FortiManager key will be strictly matched and must match in both FortiManager and FortiSASE connector settings. If a key is revoked on the FortiSASE tenant, then the key must also be removed on the FortiManager intending to manage the tenant.

    • Central management is still a select availability feature that requires a Fortinet Support ticket to enable on new and existing instances.

    See Central management for MSSP tenants.

  • Extended existing REST API support to include retrieval of data transfer statistics for FortiSASE instances, including annual allotment, consumed bytes, and consumption percentage. See Appendix B - REST API.

  • Added support for Public Cloud security PoPs: Bangkok - Thailand, Cyberjaya - Malaysia, Columbus - Ohio - USA, Montreal - Canada, Moncks Corner - South Carolina - USA, Tokyo - Japan. See Global data centers.

What's new for 25.4.96 (25.4.b.2 FortiSASE v7.4)

25.4.b.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.4.88 (25.4.b.1 FortiSASE v7.4)

25.4.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.4.78 (25.4.b FortiSASE v7.4)

  • For greater performance and security, FortiSASE Cloud Security tunnel will be migrating from SSL to IPsec starting early 2027. FortiSASE Cloud Security tunnel will support a hybrid IPsec/SSL mode during the transition period that is available as an opt-in feature for SSL VPN instances through the Operations > Administration > Software audit & version page's best practices. This allows customers time to verify client-side changes for IPsec mode before migrating with confidence. See Hybrid IPsec/SSL mode.

  • Added support for configuring authenticated onboarding with Entra ID for SAML SSO using an existing Entra ID domain, which allows an endpoint profile configured with a matching AD group from the domain to be assigned to matching endpoints with users authenticated using an Entra ID account. Authenticated onboarding is still a select availability feature. See Authenticated onboarding.

  • Simplified pre-logon tunnels such that endpoints establish tunnels with the nearest FortiSASE Security PoP using certificate-based authentication. This simplified approach supports a shared policy to allow destinations and requires configuring an SPA hub with connectivity to an Active Directory server. For instances with existing pre-logon tunnels configured, the previous approach is still supported and only the simplified approach is supported going forward after disabling existing pre-logon tunnels in all endpoint profiles. See Pre-logon tunnel.

  • Added support for configuring the FortiClient built-in browser used for SAML SSO authentication in an endpoint profile under Connection > Tunnel settings. See Tunnel settings.

  • Added the Disable native Windows captive portal prompt option, which when enabled means that FortiClient will handle the captive portal on Windows endpoints.

    • This option is only available when Lockdown endpoint when off-net (network lockdown) is enabled.

    • The default setting for this option is disabled, which means that Windows handles the captive portal on endpoints. This ensures that when network lockdown is enabled, WiFi does not disconnect after the agent tunnel disconnects.

    See Network lockdown.

  • Added support for SAML single signout in the agentless ZTNA bookmark portal. See Accessing the bookmark portal.

  • Added support for configuring one-time schedules with policies and proxy policies. See Schedules.

  • For existing instances, support has been added for a new endpoint vulnerability report based on logs collected from FortiClient endpoints. See Report types.

  • For existing instances, support has been added for a new Secure Private Access (SPA) report displaying the health of each connected SPA hub, the traffic through popular hubs, and the status of SD-WAN performance SLAs. See Report types.

  • For existing instances, support has been added for a new Cloud Security Usage Report to identify the total number of users in the reporting period and per PoP, the number of sessions, and total traffic. Average hourly underlay activity is reported by security PoP. Top authentication failures are listed by region and originating IP address. See Report types.

  • For existing instances, added an Automation page in Operations > Administration to allow configuring actions, such as sending alert emails, based on predefined triggers to proactively notify administrators of events. Currently, alert emails can be triggered for an unstable Secure Private Access (SPA) connection only when SLA failures, routing changes, and BGP neighbor status changes all occur. See Automation.

  • Added support for performing a factory reset on a FortiSASE instance that returns it to its initial provision point, disconnects all users, and deregisters all endpoints.

    • This feature includes options to keep the dedicated public IP addresses or to repick PoP locations (you can only choose one option and they cannot be used together).

    • After accepting the acknowledgment, an email with a passcode is sent to the email address for the instance's primary FortiCloud account, and after entering the passcode, the reset will begin.

    • Currently, this feature is enabled by default for FortiSASE instances with the Not-for-Resale (NFR) and Advanced NFR licenses applied.

    • For FortiSASE instances with other licenses applied, this is a select availability feature requiring a FortiCare Support ticket.

    • This feature is available only when logged into the FortiSASE portal with the principal FortiCloud account, where an OTP code is sent via email. This feature is not available from IAM accounts.

    See Factory reset.

  • Enhanced endpoint upgrade rule page to more clearly indicate the option to defer a FortiClient installation and to indicate that once the installation starts, the endpoint will automatically reboot upon completion. See Endpoint upgrade.

  • Simplified security PoP selection for Advanced and Comprehensive customers to show all available locations in one page. See Provisioning.

  • Added support for Public Cloud security PoPs: Dubai - United Arab Emirates, Frankfurt - Germany, Miami - USA, Paris - France, Toronto - Canada. See Global data centers.

  • Updated support for Fortinet security PoPs: Ashburn - Virginia - USA. See Global data centers.

  • Support has been added to view the FortiSASE portal in French. See Language support.

  • Support has been added to view the FortiSASE portal in Japanese. See Language support.

What's new for 25.3.148 (25.4.a FortiSASE v7.4)

  • Added support for Public Cloud security PoPs: Buenos Aires - Argentina, Lima - Peru, London - United Kingdom, Manila - Philippines, St. Ghislain - Belgium, Warsaw - Poland, Zurich - Switzerland. See Global data centers.

What's new for 25.3.148 (25.3.c.1 FortiSASE v7.4)

25.3.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.139 (25.3.c FortiSASE v7.4)

  • Support FortiClient 7.2.12 as the recommended version for FortiSASE desktop users. See Product integration and support.

  • Added support for using a custom domain and a certificate for the custom domain that can be used to access a ZTNA private application. The administrator must configure the custom domain DNS CNAME record with the FortiSASE private application domain for the private application. See Configuring a private application.

  • Added a built-in custom PAC file editor for creating and editing PAC files hosted on FortiSASE.

    • These hosted PAC files can be downloaded or referenced via their hosted URLs by Proxy (formerly SWG) users.

    • Each FortiSASE instance supports a maximum of 32 hosted PAC files.

    See Customizing the PAC file.

  • For FortiSASE instances with Proxy (formerly SWG) enabled, added a best practice recommendation to migrate to Secure Proxy using HTTPS connections. Hosted PAC files will be updated as part of the migration.

    • After the migration, to ensure Proxy user functionality, custom PAC files maintained by administrators themselves must be edited to support Secure Proxy and redeployed on Proxy endpoints.

    See Secure proxy migration.

  • Added support for additional Web Filter configuration settings including the ability to prioritize URL filter entries, logging search keywords, and displaying the FortiGuard web filter category and subcategory in a tooltip when hovering over a domain. Also, added support for synchronizing these settings using FortiManager with the central management select availability feature. See Configuring and applying a Web Filter profile.

  • Added support for configuring application control filter overrides based on multiple filters including application category, behavior, popularity, protocol, risk, technology, and vendor. Also, added support for configuring actions for custom application signatures. Moreover, added support for synchronizing these settings using FortiManager with the central management select availability feature. See Application Control With Inline-CASB.

  • For new instances, support has been added for a new endpoint vulnerability report based on logs collected from FortiClient endpoints. See Report types.

  • For new instances, support has been added for a new Secure Private Access (SPA) report displaying the health of each connected SPA hub, the traffic through popular hubs, and the status of SD-WAN performance SLAs. See Report types.

  • For new instances, support has been added for a new Cloud Security Usage Report to identify the total number of users in the reporting period and per PoP, the number of sessions, and total traffic. Average hourly underlay activity is reported by security PoP. Top authentication failures are listed by region and originating IP address. See Report types.

  • The recommendation to use SOCaaS log forwarding is presented in the Operations > Logs > Settings page and through additional portal notifications. Enabling SOCaaS log forwarding is included as a best practice recommendation. See Forwarding logs to SOCaaS and Software audit & version.

  • Administrator logins, configuration audit logs, and user audit logs have been introduced in the System > Administration page. Once the feature has been enabled, any configuration changes made by an administrator will require a change summary to be submitted. See Administration.

  • The UI version has been removed from the FortiSASE portal URL, ensuring a consistent path for ease of access.

  • Added support for Chicago, Illinois, USA as a Public Cloud security PoP. See Global data centers.

  • For new instances, added an Automation page in Operations > Administration to allow configuring actions, such as sending alert emails, based on predefined triggers to proactively notify administrators of events. Currently, alert emails can be triggered for an unstable Secure Private Access (SPA) connection only when SLA failures, routing changes, and BGP neighbor status changes all occur. See Automation.

What's new for 25.3.112 (25.3.b.1 FortiSASE v7.4)

25.3.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.89 (25.3.b FortiSASE v7.4)

  • Added a v7.4 or v7.2 tag to the version tooltip at the bottom of the navigation menu. See New major features available.

  • Added support for highlighting best practices recommendations by displaying an additional prompt upon portal login. See New major features available.

  • Added support for branch on-ramp with the Standard subscription for new and upgraded instances. An Advanced branch on-ramp subscription must also be applied to a Standard instance to enable the branch on-ramp feature. See SIA for Branch On-ramp site-based remote users.

  • Added support for simplified branch on-ramp licensing. See SIA for Branch On-ramp site-based remote users.

    • Each on-ramp Security PoP provides up to 1 Gbps for up to 2000 simultaneous dialup IPsec connections, changed from the previous limit of 10 connections, and includes 50 TB of data transfer per year based on 50 Mbps usage during business hours.

    • Data transfer is aggregated at the account level and shared with remote users (250 GB per user).

    • Additional data transfer subscriptions can be purchased if required.

    • The Branch On-ramp Connection add-on subscription is discontinued after this release. See SIA for Branch On-ramp site-based remote users.

  • Added support for FIDO2 authentication for FortiClient agent tunnels, which is configurable in Endpoint profiles for the FortiSASE Cloud Security tunnel and custom tunnels when Authenticate with SSO and Use FortiClient built-in browser for SAML authentication are enabled. See Advanced settings.

  • Added support in the AntiVirus security profile for content disarm and reconstruction (CDR), which sanitizes Microsoft Office documents and PDF files by removing potentially malicious and untrusted content from them (disarm) without affecting the integrity of their textual content (reconstruction). CDR does not support SMTP, FTP, and CIFS protocols. See AntiVirus.

  • Added support for configuring and viewing predefined DLP sensors and DLP dictionaries managed by the FortiGuard DLP service in the DLP security profile and in Security > Traffic > Security profiles > Profile resources, respectively. See Profile resources.

  • Added support for displaying IPAM usage information in a chart in Network > IP management > IPAM indicating which subnets are allocated, the percentage of the IPAM pool that remains unallocated, and the percentage of each IP block allocated via DHCP. See IP management.

  • Added support for displaying security PoPs, logging PoPs, and endpoint management PoPs on a map during provisioning and after provisioning in Operations > Connectivity > Infrastructure. See Infrastructure.

  • Added support for synchronizing firewall policies, firewall proxy policies, firewall schedules and security posture tags in policy packages from FortiManager to FortiSASE using the central management select availability feature. See Configuring settings using policy packages in FortiManager.

  • Added support for Auckland, New Zealand as a Public Cloud security PoP. See Global data centers.

  • Added support for Perth, Australia as a Public Cloud security PoP. See Global data centers.

  • Added support for Delhi, India as a Public Cloud security PoP. See Global data centers.

What's new for 25.3.67 (25.3.a.3 FortiSASE v7.4)

25.3.a.3 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.57 (25.3.a.2 FortiSASE v7.4)

25.3.a.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.47 (25.3.a.1 FortiSASE v7.4)

25.3.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.40 (25.3.a FortiSASE v7.4)

  • Enhancements for Digital Experience Monitoring (DEM), including a path diagram for endpoint traceroute results, support for displaying additional SaaS monitoring metrics, and customizing the list of SaaS applications to monitor. See Digital Experience Monitoring.

  • Updated the log retention period for the FortiView, Log View, and Report functions to seven days for newly provisioned instances. See Log retention policy.

  • Added support for secure explicit proxy. Secure explicit proxy is enabled by default when enabling proxy for newly provisioned instances. Instances provisioned before 25.3.a have the option to enable secure explicit proxy. See Proxy configuration.

  • Added support for configuring an action to inspect or block QUIC traffic for agent and Edge device traffic. See Configuring an action for QUIC traffic.

  • Added support for configuring additional trusted remote gateways as failover options alongside the FortiSASE Cloud Security tunnel, with the ability to define their connection priority order within each endpoint profile. See Advanced settings.

  • Added support for Secure Private Access (SPA) application monitoring, allowing up to 20 custom applications hosted behind SPA Hubs to be defined and monitored using ICMP health check probes initiated by Security PoPs to verify application availability. See SPA application monitoring.

  • Added support for enabling the BGP MED options always-compare-med and deterministic-med on FortiSASE to enable selecting a preferred SPA Hub based on MED values, particularly when receiving prefixes from SPA Hubs belonging to different ASes. See BGP MED Setting.

  • Added support to enable and manage communication between remote endpoints connected via the FortiSASE Cloud Security tunnel through a Secure Private Access (SPA) Hub. Administrators can enforce granular control by defining endpoint-to-endpoint policies that selectively allow specific traffic between designated endpoints. See Enabling endpoint to endpoint communication.

  • Added support for administrators to schedule FortiSASE upgrades by selecting from a list of predefined maintenance window slots, directly through the FortiSASE portal. See Software audit & version.

  • Added support to control and specify the public IP address used by a Security PoP to perform source NAT on remote user traffic as it exits the PoP, based on matching criteria such as user group and the originating country or region of the remote user's traffic. See IP management.

  • Added support to change the isolation data limit from a user-based and monthly-based model to a tenant-based and yearly-based model. Each tenant is now entitled to a maximum amount of isolation data per year. Once this limit is exceeded, any traffic configured for isolation will be blocked for all users within the tenant. See RBI.

  • Added support for configuring new security posture tagging rules, including tagging based on CVEs, using negation to identify non-vulnerable devices, and combining multiple tagging rules using logical AND/OR operators. See Security posture tags and tagging rules.

  • Added support for enforcing pre-connection posture checks using security posture tags to allow or deny endpoints from establishing a connection to the FortiSASE Cloud Security tunnel based on their associated tags. See Pre-connection posture checks.

  • Added support for optionally displaying a sequence number column in the policy list to help administrators manage and identify policy order using their sequence number. See Policies.

  • Added support for customers having Advanced remote user subscriptions to select certain Public cloud locations to launch their FortiSASE Security PoPs. See Global data centers.

  • Added support for customizing captive portal replacement message for Edge devices. See HTML templates.

  • Support FortiClient 7.2.11 as the recommended version for FortiSASE desktop users. See Product integration and support.

  • Added support for Dublin, Ireland (DUB-A2) as a Public Cloud security PoP. See Global data centers.

What's new for 25.2.91 (25.2.c.2 FortiSASE v7.4)

25.2.c.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.90 (25.2.c.1 FortiSASE v7.4)

25.2.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.81 (25.2.c FortiSASE v7.4)

  • Support FortiClient 7.2.10 as the recommended version for FortiSASE desktop users. See Product integration and support.
  • Added a new audit page providing configuration best practice recommendations. See Software audit & version.
  • For new FortiSASE tenants created after 25.2.c, support dedicated public IP addresses for FortiSASE tenants with the Standard subscription without additional licensing.
  • RBI now supports isolation for the following categories only. See RBI.
    • Unrated
    • Newly Observed Domain
    • Newly Registered Domain
    • Malicious Websites
  • FortiSASE has added powerful new capabilities that are enabled by default on new instances created after the 25.2.c release. For a complete list, see New features.
    • Navigation menu items have been reorganized for improved usability and to group items with related functionality and usage. Terminology has been standardized for clarity and consistency.
    • Added System > License overview page to provide FortiSASE licensing details.
    • Integrated FortiCASB API-based cloud access security broker (CASB) management and protection into FortiSASE for secure SaaS access (SSA).
    • Added DLP enhancements including support for DLP Exact Data Matching (EDM) and Indexed Document Matching (IDM) with DLP fingerprinting.
    • Support IPsec connections to Branch On-ramp Security PoPs from third-party IPsec devices.
    • DNS redirection (formerly split DNS) rules transparently apply to all passthrough traffic for FortiClient agent tunnels, Edge device clients, and Proxy clients.

What's new for 25.2.56 (25.2.b.2)

25.2.b.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.48 (25.2.b.1)

25.2.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.45 (25.2.b)

  • FortiSASE now supports Branch On-ramp deployment for up to 20 On-Ramp security PoPs.
  • Improved the site provisioning process for new tenants with an additional recovery mechanism when a site provision does not complete successfully. See PoPs.

What's new for 25.2.30 (25.2.a.1)

25.2.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.24 (25.2.a)

  • Added support for FortiGate SASE Bundle subscription to accelerate the journey from SD-WAN to SASE. The bundle includes a Starter Kit with FortiSASE Standard remote user subscriptions and secure private access (SPA) connectivity to G-series FortiGate models starting with 120G.
  • FortiClient 7.2.9 is the recommended supported version for existing and new FortiSASE instances using IPsec and SSL remote agent connectivity. See Product integration and support.
  • Added support to enhance the default pre-logon tunnel security settings for IPsec by using a stronger hashing algorithm (SHA 256) and key exchange algorithm (DH group 15) with IKE version 2. See 10607.
  • Added support for the Global Region Add-on subscription that can be added on top of an existing Comprehensive subscription. This add-on subscription entitles the instance to use an unlimited number of Security PoPs selected from existing and future Fortinet Cloud and Public Cloud security PoPs. See Appendix A - FortiSASE data centers.
  • Added support for registering FortiCASB data protection add-on subscriptions. See Product integration and support.
  • Number of private applications supported per agentless ZTNA bookmark policy increased from 20 to 200. See Configuring the bookmark portal.

What's new for 25.1.75 (25.1.c)

  • Added support for displaying endpoint details in Network > Managed Endpoints > Endpoints and Network > Connected Users including FortiSASE VPN Tunnel IP and FortiSASE agent session details, and the Last Seen timestamp in Managed Endpoints. The FortiSASE VPN Tunnel IP can be used with server-client applications with server traffic originating from SPA hubs destined for a FortiSASE managed endpoint. See Managed Endpoints and Connected Users.

  • Added support for displaying the learned BGP multi-exit discriminator (MED) values in Health and VPN Tunnel Status > View Learned BGP Routes when Network > Network Configuration is configured with Hub selection method as BGP MED. See Viewing MED values of SPA routes and Viewing health and VPN tunnel status.

  • Added support for Querétaro, Mexico and Sydney, Australia as Public Cloud security PoPs. See Global data centers.

  • Added support for Sao Paulo, Brazil as a Fortinet Cloud security PoP. See Global data centers.

What’s new for 25.1.51 (25.1.b)

  • Added support for the Branch On-ramp connection add-on subscription for 1-2000 FortiGate IPsec connections. Since you can purchase a maximum of eight Branch On-ramp security PoPs for a single account, with Branch On-ramp connection add-on subscriptions it is possible for an account to have a maximum of 16000 Branch On-ramp connections. See On-ramp tunnel.
  • Added support for the agentless zero trust network access (ZTNA) bookmark portal to show private applications’ bookmarks based on the authenticated user’s permission level which is controlled by Agentless ZTNA bookmark policies. See Configuring the bookmark portal.
  • Added enhancements to the Network Lockdown feature by enabling FortiClient endpoints to enter strict lockdown with a configurable grace period of 0 seconds. Also added support for detecting and exempting traffic to captive portals and domains specified under Exempt destinations. See Network lockdown.
  • Added enhancements to the Geofencing feature by enabling granular control over prioritization of connection attempts and failover to connections of type On-premise device and Security PoP based on the endpoint’s country or region. See Geofencing.
  • Added support for administrators to clone endpoint profiles using an existing endpoint profile, simplifying profile management and reducing configuration time. See Profiles.
  • Added support for configuring the ZTNA application gateway and ZTNA destinations under Configuration > Agent-based ZTNA. These configuration settings can now be easily referenced and applied to individual endpoint profiles under the ZTNA tab, streamlining ZTNA configuration. See ZTNA.
  • Added enhancements to DEM, enabling FortiSASE administrators to view TCP latency metrics for endpoints as a Beta feature, offering deeper visibility into underlay network performance from the endpoint to FortiSASE Security PoP. See Digital experience: TCP latency.
  • Added support for an increased maximum number of FortiAP edge devices that FortiSASE supports. See SIA for FortiAP site-based remote users.
  • Added datacenter support for Madrid, Spain as a Fortinet Cloud security PoP. See Global data centers.
  • Added support for signing a preconfigured FortiClient installer using your own CA certificate or using the Fortinet CA certificate via FortiCare Support ticket request.

What’s new for 25.1.39 (25.1.a.2)

25.1.a.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.37 (25.1.a.1)

25.1.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.28 (25.1.a)

  • Added support in endpoint profiles for enabling patching of vulnerabilities detected where automatic patching is available and for configuring the minimum severity level of vulnerabilities to patch. Also, added support in the Vulnerability Summary widget for selecting individual vulnerabilities to schedule to be automatically patched on affected endpoints. See Drilling down on vulnerabilities.
  • Added support for configuring schedules and service groups for agent and proxy policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
  • Added support for synchronization of service groups for agent and proxy policies using FortiManager with the central management select availability feature. See Central Management.
  • Added support for adding administrator-defined comments to agent and proxy policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
  • Added support to allow administrators to configure, edit, and delete personal VPN settings on FortiClient on a per-endpoint profile basis. As FortiSASE does not manage personal VPN settings, enabling this feature is recommended only for endpoint profiles designated for FortiClient users belonging to your organization’s administrative group. This ensures flexibility while maintaining security and compliance across managed devices. See Connection.
  • Added support to allow remote VPN users to access their local network resources such as printers or fileshares while remaining connected to FortiSASE secure internet access (SIA). You can enable this feature on a per-endpoint profile basis. Additionally, if you enable on-net detection, you can enable the feature based on an endpoint’s on-net status, allowing more granularity. See Connection.
  • Extended existing REST API support to include security profiles, user groups, and authentication sources.
  • Added support for Plano, Texas, USA as a Fortinet Cloud security PoP. See Global data centers.
  • FortiClient 7.2.8 is the recommended supported version for existing and new FortiSASE instances using SSL VPN and IPsec remote user connectivity.
  • Added support for displaying comprehensive error messages for failed synchronization attempts when using FortiManager with the central management select availability feature. See Displaying error messages for failed synchronization attempts.
  • Added support for authenticating agent-based remote users via SAML single sign on (SSO) during their onboarding. FortiSASE acts as a service provider, supporting integration with other identity providers such as FortiAuthenticator, Okta, and Microsoft Entra ID to ensure that only authenticated users can connect to the FortiSASE Endpoint Management service using an invitation code. This is a select availability feature and you must enable it for it to be visible under Configuration > User Onboarding SSO. See User onboarding SSO.
  • Added support for administrators to add, change, and delete security PoPs dynamically from Network > Infrastructure as a select availability feature. See Infrastructure. This is available only when a FortiSASE instance meets these specific conditions:
    • The following features are not configured:
      • Proxy
      • Source IP address anchoring
    • Default VPN remote users’ IP address range has not been exceeded.
    • The following have not been deployed:
      • Edge devices
      • Branch On-ramp security PoPs
    • Other custom changes to the instance have not been made.