What's new

• What's new for 25.3.203 (26.1.1 Mature)
• What's new for 25.3.175 (25.4.c.1 Mature)
• What's new for 25.3.175 (25.4.c Mature)
• What's new for 25.3.168 (25.4.b.2 Mature)
• What's new for 25.3.168 (25.4.b.1 Mature)*
• What's new for 25.3.168 (25.4.b Mature)
• What's new for 25.3.148 (25.4.a Mature)*
• What's new for 25.3.148 (25.3.c.1 Mature)
• What's new for 25.3.134 Mature (25.3.c Mature)

*Infrastructure change only

What's new for 25.3.203 (26.1.1 Mature)

• After the 26.1.1 release, selected Mature instances will be migrated to Feature. See Mature to Feature migration FAQ.

• Added support for the new FortiGate SD-WAN Service Bundle subscription to accelerate the journey from SD-WAN to SASE. The new bundle includes a FortiSASE Starter Kit with FortiSASE Standard remote user subscriptions and secure private access (SPA) connectivity to F-series FortiGate models starting with 100F and G-series FortiGate models starting with 120G. See Common use cases.

• Added support for Fortinet security PoPs: Auckland - New Zealand. See Global data centers.

• Updated support for Fortinet security PoPs: London - United Kingdom, Komagome - Japan. See Global data centers.

What's new for 25.3.175 (25.4.c.1 Mature)

There are no changes for 25.4.c.1.

What's new for 25.3.175 (25.4.c Mature)

• Support has been added for FortiClient 7.2.13 for FortiSASE desktop users. This support will be made available some time after the release and is being incrementally deployed for certain tenants. See Product integration and support.

• Added support for Public Cloud security PoPs: Columbus - Ohio - USA, Montreal - Canada, Moncks Corner - South Carolina - USA, Tokyo - Japan. See Global data centers.

What's new for 25.3.168 (25.4.b.2 Mature)

There are no changes for 25.4.b.2.

What's new for 25.3.168 (25.4.b.1 Mature)

25.4.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.168 (25.4.b Mature)

• Added the Disable native Windows captive portal prompt option, which when enabled means that FortiClient will handle the captive portal on Windows endpoints.

  • This option is only available when Lockdown endpoint when off-net (network lockdown) is enabled.

  • The default setting for this option is disabled, which means that Windows handles the captive portal on endpoints. This ensures that when network lockdown is enabled, WiFi does not disconnect after agent tunnel disconnects.

  See Network lockdown.

• Added support for Public Cloud security PoPs: Frankfurt - Germany, Paris - France, Singapore - Republic of Singapore, Toronto - Canada. See Global data centers.

• Updated support for Fortinet security PoPs: Ashburn - Virginia - USA. See Global data centers.

What's new for 25.3.148 (25.4.a Mature)

• Enhanced ZTNA tag validation for VPN policy enforcement to improve VPN tunnel connectivity and to improve reliability in cases when FortiSASE Endpoint Management service is unavailable. See Tagging.

• Added support for Public Cloud security PoPs: London - United Kingdom, St. Ghislain - Belgium, Warsaw - Poland, Zurich - Switzerland. See Global data centers.

What's new for 25.3.148 (25.3.c.1 Mature)

25.3.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.134 Mature (25.3.c Mature)

• Support FortiClient 7.2.12 as the recommended version for FortiSASE desktop users. See Product integration and support.

• The UI version has been removed from the FortiSASE portal URL, ensuring a consistent path for ease of access.

• Added support for Delhi, India as a Public Cloud security PoP. See Global data centers.

What's new for 25.3.112 Mature (25.3.b.1 Mature)

25.3.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.89 Mature (25.3.b Mature)

• Added Feature or Mature tag to the version tooltip at the bottom of the navigation menu. See New major features available.

• Added support for highlighting best practices recommendations by displaying an additional prompt upon portal login. For the Mature release, the New major features available best practice has been highlighted.

• Added support for branch on-ramp with the Standard subscription after applying the New major features available best practice to upgrade an existing instance. An Advanced branch on-ramp subscription must also be applied to a Standard instance to enable the branch on-ramp feature. See SIA for Branch On-ramp site-based remote users.

• Added support for simplified branch on-ramp licensing. See SIA for Branch On-ramp site-based remote users.

  • Each on-ramp Security PoP provides up to 1 Gbps for up to 2000 simultaneous dialup IPsec connections, changed from the previous limit of 10 connections, and includes 50 TB of data transfer per year based on 50 Mbps usage during business hours.

  • Data transfer is aggregated at the account level and shared with remote users (250 GB per user).

  • Additional data transfer subscriptions can be purchased if required.

  • The Branch On-ramp Connection add-on subscription is discontinued after this release. See SIA for Branch On-ramp site-based remote users.

What's new for 25.3.67 Mature (25.3.a.3 Mature)

25.3.a.3 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.57 Mature (25.3.a.2 Mature)

25.3.a.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.47 Mature (25.3.a.1 Mature)

25.3.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.3.40 Mature (25.3.a Mature)

• Added support for customizing captive portal replacement message for Edge devices. See HTML templates.

• Added support for customers having Advanced remote user subscriptions to select certain Public cloud locations to launch their FortiSASE Security PoPs. See Global data centers.

• Support FortiClient 7.2.11 as the recommended version for FortiSASE desktop users. See Product integration and support.

• Added support for Dublin, Ireland (DUB-A2) as a Public Cloud security PoP. Contact FortiCare Support to upgrade to FortiSASE Feature in order to support provisioning of this Security PoP. See Global data centers.

What's new for 25.2.91 Mature (25.2.c.2 Mature)

25.2.c.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.90 Mature (25.2.c.1 Mature)

25.2.c.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.81 Mature (25.2.c Mature)

• Support FortiClient 7.2.10 as the recommended version for FortiSASE desktop users. See Product integration and support.
• Added a new audit page providing configuration best practice recommendations. See Software audit & version.
• Option to upgrade to new major features from the audit page that appears once available for your tenant. This upgrade option is being incrementally deployed. See New major features available.

• Once the new major features upgrade option is available for your tenant and is visible in the audit page, as part of this upgrade option, if your tenant is using the Standard subscription, it will be upgraded to support dedicated public IP addresses without additional licensing. See New major features available.

• Using the single upgrade option from the audit page offers access to new major features for enhanced FortiSASE functionality. These features are not available if you do not use the upgrade option. See the following for examples of these new features. For the complete list, see New features.

  • Navigation menu items have been reorganized for improved usability and to group items with related functionality and usage. Terminology has been standardized for clarity and consistency.

  • Added System > License overview page to provide FortiSASE licensing details.

  • Integrated FortiCASB API-based cloud access security broker (CASB) management and protection into FortiSASE for secure SaaS access (SSA).

  • Added DLP enhancements including support for DLP Exact Data Matching (EDM) and Indexed Document Matching (IDM) with DLP fingerprinting.

  • Support IPsec connections to Branch On-ramp Security PoPs from third-party IPsec devices.

  • DNS redirection (formerly split DNS) rules transparently apply to all passthrough traffic for FortiClient agent tunnels, Edge device clients, and Proxy clients.

What's new for 25.2.56 (25.2.b.2)

25.2.b.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.48 (25.2.b.1)

25.2.b.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.45 (25.2.b)

• FortiSASE now supports Branch On-ramp deployment for up to 20 On-Ramp locations.
• Improved site provisioning process for new tenant with additional recovery mechanism when a site provision does not complete successfully. See PoPs.

What's new for 25.2.30 (25.2.a.1)

25.2.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What's new for 25.2.24 (25.2.a)

• Added support for FortiGate SASE Bundle subscription to accelerate the journey from SD-WAN to SASE. The bundle includes a Starter Kit with FortiSASE Standard remote user subscriptions and secure private access (SPA) connectivity to G-series FortiGate models starting with 120G.
• FortiClient 7.2.9 is the recommended supported version for existing and new FortiSASE instances using IPsec and SSL VPN remote user connectivity. See Product integration and support.
• Added support to enhance default pre-logon tunnel security settings for IPsec by using stronger hashing algorithm (SHA 256) and key exchange algorithm (DH group 15) with IKE version 2. See 10607.
• Added support for the Global Region Add-on subscription that can be added on top of an existing Comprehensive subscription. This add-on subscription entitles the instance to use an unlimited number of Security PoPs selected from existing and future Fortinet Cloud and Public Cloud locations. See Appendix A - FortiSASE data centers.
• Added support for registering FortiCASB data protection add-on subscriptions. See Product integration and support.
• Number of private applications supported per agentless ZTNA bookmark policy increased from 20 to 200. See Configuring the bookmark portal.

What's new for 25.1.75 (25.1.c)

• Added support for displaying endpoint details in Network > Managed Endpoints > Endpoints and Network > Connected Users including FortiSASE VPN Tunnel IP and FortiSASE agent session details, and the Last Seen timestamp in Managed Endpoints. The FortiSASE VPN Tunnel IP can be used with server-client applications with server traffic originating from SPA hubs destined for a FortiSASE managed endpoint. See Managed Endpoints and Connected Users.

• Added support for displaying the learned BGP multi-exit discriminator (MED) values in Health and VPN Tunnel Status > View Learned BGP Routes when Network > Network Configuration is configured with Hub selection method as BGP MED. See Viewing MED values of SPA routes and Viewing health and VPN tunnel status.

• Added data center support for Querétaro, Mexico and Sydney, Australia as Public Cloud locations. See Global data centers.

• Added data center support for Sao Paulo, Brazil as a Fortinet Cloud location. See Global data centers.

What’s new for 25.1.51 (25.1.b)

• Added support for the Branch On-ramp connection add-on subscription for 1-2000 FortiGate IPsec connections. Since you can purchase a maximum of eight Branch On-ramp locations for a single account, with Branch On-ramp connection add-on subscriptions it is possible for an account to have a maximum of 16000 Branch On-ramp connections. See SD-WAN On-Ramp.
• Added support for the agentless zero trust network access (ZTNA) bookmark portal to show private applications’ bookmarks based on the authenticated user’s permission level which is controlled by Agentless ZTNA bookmark policies. See Configuring the bookmark portal.
• Added enhancements to the Network Lockdown feature by enabling FortiClient endpoints to enter strict lockdown with a configurable grace period of 0 seconds. Also added support for detecting and exempting traffic to captive portals and domains specified under Exempt destinations. See Network lockdown.
• Added enhancements to the Geofencing feature by enabling granular control over prioritization of connection attempts and failover to connections of type On-premise device and Security PoP based on the endpoint’s country or region. See Geofencing.
• Added support for administrators to clone endpoint profiles using an existing endpoint profile, simplifying profile management and reducing configuration time. See Profiles.
• Added support to configuration of ZTNA application gateway and ZTNA destinations under Configuration > Agent-based ZTNA. These configuration settings can now be easily referenced and applied to individual endpoint profiles under ZTNA tab, streamlining ZTNA configuration. See ZTNA.
• Added enhancements to Digital Experience Monitoring (DEM), enabling FortiSASE administrators to view TCP latency metrics for endpoints as a Beta feature, offering deeper visibility into underlay network performance from the endpoint to FortiSASE Security PoP. See Digital experience: TCP latency.
• Added support for an increased maximum number of FortiAP edge devices that FortiSASE supports. See Product integration and support.
• Added datacenter support for Madrid, Spain as a Fortinet Cloud location. See Global data centers.

• Added support for signing a preconfigured FortiClient installer using your own CA certificate or using the Fortinet CA certificate via FortiCare Support ticket request.

What’s new for 25.1.39 (25.1.a.2)

25.1.a.2 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.37 (25.1.a.1)

25.1.a.1 is a maintenance release. For a list of resolved issues, see Resolved issues.

What’s new for 25.1.28 (25.1.a)

• Added support in endpoint profiles for enabling patching of vulnerabilities detected where automatic patching is available and for configuring the minimum severity level of vulnerabilities to patch. Also, added support in the Vulnerability Summary widget for selecting individual vulnerabilities to schedule to be automatically patched on affected endpoints. See Drilling down on vulnerabilities.
• Added support for configuring schedules and service groups for VPN and secure web gateway (SWG) policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
• Added support for synchronization of service groups for VPN and SWG policies using FortiManager with the central management select availability feature. See Central Management.
• Added support for adding administrator-defined comments to VPN and SWG policies, both Internet Access and Private Access policies. See Adding policies to perform granular firewall actions and inspection.
• Added support to allows administrators to configure, edit, and delete personal VPN settings on FortiClient on per-endpoint profile basis. As FortiSASE does not manage personal VPN settings, enabling this feature is recommended only for endpoint profiles designated for FortiClient users belonging to your organization’s administrative group. This ensures flexibility while maintaining security and compliance across managed devices. See Connection.
• Added support to allow remote VPN users to access their local network resources such as printers or fileshares while remaining connected to FortiSASE secure internet access (SIA). You can enable this feature on a per-endpoint profile basis. Additionally, if you enable on-net detection, you can enable the feature based on an endpoint’s on-net status, allowing more granularity. See Connection.
• Extended existing REST API support to include security profiles, user groups, and authentication sources.
• Added datacenter support for Plano, Texas, USA as a Fortinet Cloud location. See Global data centers.
• FortiClient 7.2.8 is the recommended supported version for existing and new FortiSASE instances using SSL VPN and IPsec remote user connectivity.
• Added support for displaying comprehensive error messages for failed synchronization attempts when using FortiManager with the central management select availability feature. See Displaying error messages for failed synchronization attempts.
• Added support for authenticating agent-based remote users via SAML single sign on (SSO) during their onboarding. FortiSASE acts as a service provider, supporting integration with other identity providers such as FortiAuthenticator, Okta, and Microsoft Entra ID to ensure that only authenticated users can connect to the FortiSASE Endpoint Management service using an invitation code. This is a select availability feature and you must enable it for it to be visible under Configuration > User Onboarding SSO. See User onboarding SSO.
• Added support for administrators to add, change, and delete security PoP locations dynamically from Network > Infrastructure as a select availability feature. See Infrastructure. This is available only when a FortiSASE instance meets these specific conditions:
  • The following features are not configured:
    • SWG
    • Source IP address anchoring
  • Default VPN remote users’ IP address range has not been exceeded.
  • The following have not been deployed:
    • Edge devices
    • Branch On-ramp locations
  • Other custom changes to the instance have not been made.