Add function for SMC NTP on supported platforms.

config system smc-ntp <==added
    set ntpsync enable <==added
    set syncinterval 120 <==added
    config ntpserver <==added
        edit 1 
            set server 208.91.114.98 <==added
        next
    end
end

Rename diagnose system botnet to diagnose system botnet-ip.

Remove stat, reload, and file under diagnose system botnet-ip.

Add certificate attribute to the endpoint-control.fctems table.

config endpoint-control fctems
    edit <name>
        ...
        set certificate <cert-name> <==added
        ...
    next
    ...
end

Add execute fctems verify.

execute fctems verify <fctems name>

Move frequency-handoff and ap-handoff from radio level to AP level.

config wireless-controller wtp-profile
    edit "FAP423E-default"
        config platform
            set type 423E
        end
        set handoff-sta-thresh 55
        set frequency-handoff enable <==changed
        set ap-handoff enable <==changed
        config radio-1
            set band 802.11n,g-only
        end
        config radio-2
            set band 802.11ac
        end
    next
end

Collect EIP from cloud-VMS (Azure, AWS, GCP, AliCloud, and OCI).

pcui-cloudinit-test # execute <?>
update-eip Update external IP. <==added

config sys interface
    edit [Name]
        set eip                <==added
    next
end

Add SD-WAN health check DNS monitoring related configuration.

config system virtual-wan-link
    config health-check
        set protocol dns <==added dns option
        set system-dns <==added
    end
end

Add type under sdn-connector.

config system sdn-connector
    edit "aci_direct1"
        set type aci-direct <==added
    next
end

Add external-web-format setting under captive-portal VAP when external portal is selected.

config wireless-controller vap
    edit guestwifi
        set ssid "GuestWiFi"
        set security captive-portal
        set external-web "http://170.00.00.000/portal/index.php"
        set selected-usergroups "Guest-group"
        set intra-vap-privacy enable
        set schedule "always"
        set external-web-format auto-detect <==added
    next
end

Add vendor-mac option under firewall policy.

config firewall policy
    edit 9
        set name "policy_id_9"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set vendor-mac 36 16 <==added
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

Add diagnose commands to show vendor information.

diagnose vendor-mac id

diagnose vendor-mac match

Add UTM scan for HTTP and HTTPS over SSH tunnel (AV, WF, WAF, ICAP, DLP).

config firewall proxy-policy
    edit 4
        set av-profile "av" <==added
        set webfilter-profile "webfilter" <==added
        set dlp-sensor "dlp" <==added
        set icap-profile "icap" <==added
        set waf-profile "waf" <==added
    next
end

Add GRE and L2TP support in WiFi.

config wireless-controller wag-profile <==added 
    edit [Profile Name]                <==added
end

config wireless-controller vap
    edit "80e_gre"
        set ssid "FOS-QA_Bruce_80e_gre"
        set local-bridging enable
        set vlanid 3135
        set primary-wag-profile "tunnel" <==added
        set secondary-wag-profile "l2tp" <==added
    next
end

FAP-U431F and FAP-U433F can support 802.11ax on 2.4 GHz radio-2 when the platform mode is single-5G.

config wireless-controller wtp-profile
    edit "FAPU431F-default"
        config platform
            set type U431F
            set mode single-5G
        end
        config radio-1
            set band 802.11ax-5G
        end
        config radio-2
            set band 802.11ax
        end
        config radio-3
            set mode monitor
        end
    next
end

Add NAT option under virtual wire pair policy and virtual wire pair policy6 with mandatory IP pool.

config firewall policy
    edit 88
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "vwp-pool-1" <==required
        set nat enable <==added
    next
end

Add hidden option never to session-ttl under firewall policy, firewall service, and system session-ttl.

config firewall policy
    edit 201
        set srcintf "wan1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "TCP_8080"
        set logtraffic disable
        set session-ttl never <==added
        set nat enable
    next
end

Add config firewall internet-service-name.

config firewall internet-service-name
    edit "test-locaction-isdb-1"
        set type location
        set internet-service-id 65537
        set country-id 840
        set region-id 283
        set city-id 23352
    next
end

Rename internet-service-id to internet-service-src-id, and internet-service-name to internet-service-src-name under firewall policy.

config firewall policy
    edit 99
        set internet-service enable
        set internet-service-name "test-locaction-isdb-1" <==changed
        set internet-service-src enable
        set internet-service-src-name "test-location-isdb-3" <==changed
    next
end

Add DPDK related CLI commands.

config dpdk global
    set status [enable | disable]
    set multiqueue [enable | disable] 
    set sleep-on-idle [enable | disable] 
    set elasticbuffer [enable | disable] 
    set hugepage-percentage [Percentage of main memory allocated to hugepages] 
    set mbufpool-percentage [Percentage of main memory allocated to DPDK packet buffer] 
end

config dpdk cpus
    set rx-cpus [CPUs enabled to run DPDK RX engines] 
    set vnp-cpus [CPUs enabled to run DPDK VNP engines] 
    set ips-cpus [CPUs enabled to run DPDK IPS engines] 
    set tx-cpus [CPUs enabled to run DPDK TX engines] 
end

Add split-route-negate option under vpn.ssl.web.portal.

config vpn ssl web portal
    edit tunnel-portal
        set split-tunneling-routing-negate [enable | disable] <==added
        set ipv6-split-tunneling-routing-negate [enable | disable] <==added
    next
end

Add type under firewall central-snat-map.

config firewall central-snat-map
    edit 2
        set type ipv6 <==added
        set srcintf "wan2"
        set dstintf "wan1"
        set orig-addr6 "all"
        set dst-addr6 "all"
        set nat-ippool6 "test-ippool6-1"
    next
end

Add geoip-match under firewall policy.

config firewall policy
    edit 1
        set name "policy_id_1"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-geoip-CA"
        set action accept
        set schedule "always"
        set service "ALL"
        set geoip-match registered-location <==added
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

Remove acct-interim-interval setting under vap configuration, and acct-interim-interval can only be configured for RADIUS server.

Replace captive-portal-radius-server with radius-server on captive portal VAP with CMCC portal type.

config wireless-controller vap
    edit "vap-cmcc"
        set ssid "vap-cmcc"
        set security captive-portal
        set external-web "http://172.30.144.11:8080/am/portal/ac/FG81EP4Q16000601/ssid/vap-cmcc"
        set radius-server "cmcc-radius" <==added
        set local-bridging enable
        set portal-type cmcc
    next
end

Replace captive-portal-macauth-radius-server with radius-mac-auth-server on captive portal VAP with CMCC mac-auth portal type.

config wireless-controller vap
    edit "Melody-CMCC"
        set ssid "vap-CMCC-macauth"
        set security captive-portal
        set external-web "http://172.30.144.11:8080/am/portal/ac/FG81EP4Q16000601/ssid/vap-CMCC-macauth"
        set radius-mac-auth enable
        set radius-mac-auth-server "cmcc_mac_auth_svr" <==added
        set radius-server "cmcc_auth_svr" <==added
        set local-bridging enable
        set portal-type cmcc-macauth
    next
end

Change the least value of acct-interim-interval from 600 to 60 in RADIUS server.

config user radius
    edit radius
        set acct-interim-interval <60 - 86400> <==new range
    next
end

Add the ability to create IPv6 geography-based address, which can be applied in firewall policy6.

config firewall address6
    edit "test-ipv6-geoip"
        set type geography <==added
        set country "CA"
    next
end

Add new command, execute factoryreset-shutdown.

Add the UUID field under multicast-policy/local-in-policy/local-in-policy6/central-snat-map.

config firewall local-in-policy
    edit 1
        set uuid 1aeb7d98-0016-51ea-7913-b6d62f4409cd <==added
    next
end

Add comments field under multicast-policy.

config firewall multicast-policy
    edit 1
        set uuid d0f74f64-fc41-51e9-2dfc-729f027e9979
        set comments "multicast-policy-1"
    next
end

Add fabric-object-unification command under csf.

config system csf
    set fabric-object-unification [default | local] <==added
end

Add encrypt-and-store-password and transform-backward-slashes under SSL VPN settings.

config vpn ssl settings 
    set encrypt-and-store-password [enable | disable] <==added
    set transform-backward-slashes [enable | disable] <==added
end

The captive-portal-session-timeout-interval setting in local-bridge with external-portal vap is replaced with captive-portal-auth-timeout. The help message is improved to Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec, default = 0).

Consolidate fortitelemetry and capwap into fabric for allowaccess in system interface.

config system interface 
    edit port4
        set allowaccess ?
        ping PING access.
        https HTTPS access.
        ssh SSH access.
        snmp SNMP access.
        http HTTP access.
        telnet TELNET access.
        fgfm FortiManager access.
        radius-acct RADIUS accounting access.
        probe-response Probe access.
        fabric Security Fabric access. <==added
        ftm FTM access.
    next
end

Rename members to priority-members under manual mode SD-WAN service.

config sys virtual-wan-link
    config service
        edit 2
            set mode manual
            set priority-members 2 3 <==changed
        next
    end
end

Add eap-auto-untagged-vlans under 802.1x security policy.

config switch-controller security-policy 802-1X
    edit "802-1X-policy-874535"
        set security-mode 802.1X-mac-based
        set user-group "SSO_Guest_Users"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set eap-auto-untagged-vlans disable <==added
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Add support for multiple parameters under application list.

config application list
    edit "app-list-1"
        config entries
            edit 1000008
                config parameters
                    edit 1
                        config members <==added
                            edit 1 <==added
                                set name command <==added
                            next
                        end
                    next
                end
            next
        end
    next
end

Add weighted-round-robin under ipsec-aggregate.

config system ipsec-aggregate
    edit testagg
        set algorithm ?
        L3 Use layer 3 address for distribution.
        L4 Use layer 4 information for distribution.
        round-robin Per-packet round-robin distribution.
        redundant Use first tunnel that is up for all traffic.
        weighted-round-robin Weighted round-robin distribution. <==added
    next
end

Add aggregate-weight under ipsec phase1-interface.

config vpn ipsec phase1-interface
    edit testp1
        set net-device disable
        set aggregate member enable
        set aggregate-weight 1 <==added
    next
end

Add timeout setting under auto-script.

config system auto-script
    edit 1
        set timeout 0 <==added
    next
end

To populate the interface bandwidth into the interface widget, set monitor-bandwidth must be enabled.

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.111.255.86 255.255.255.0
        set allowaccess ping
        set type physical
        set monitor-bandwidth enable
        set snmp-index 1
    next
end

Add new command for Azure SDN connector for FortiGate-VM deployed on Azure.

config system sdn-connector
    edit "azure1"
        set type azure
        set use-metadata-iam [enable|disable] <==added
    next
end

Add new address group type, folder.

config firewall addrgrp
    edit "test-folder-addrgrp-1"
        set type folder <==added
        set member "172-16-200-156"
        set allow-routing enable
    next
end

Remove top-summary from diagnose system.

Remove log-policy-name under log setting.

Add probe-timeout under virtual-wan-link health-check and system link-monitor.

config system virtual-wan-link
    config health-check
        set probe-timeout 500 <==added
    end
end

No warning is shown in GUI when FortiGuard filtering protocol/port setting is not saved.

Add action-type under automation-action.

config system automation-action
    edit "slack1"
        set action-type slack-notification <==added
    next
end

Add radius_server and nas_ip to SSL VPN realm definition.

config vpn ssl web realm
    edit <realm_name>
        set radius-server <radius_server> <==added
        set nas-ip <nas_ip> <==added
    next
end

Add tx-period under both VDOM and FortiSwitch 802.1x settings.

config switch-controller 802-1X-settings
    set tx-period 30 <==added
end

config switch-controller managed-switch
    edit S524DN4K16000116
        config 802-1X-settings
            set local-override enable
            set tx-period 30 <==added
        end
    next
end

Support filtering on AWS Auto Scaling group for dynamic address objects.

config firewall address
    edit "aws-asg-addr1"
        set type dynamic
        set sdn "aws-sdn"
        set filter "AutoScaleGroup=10703c-4f731e90-fortigate-payg-auto-scaling-group" <==added filter
    next
end

Support dynamic address objects in real servers under virtual server load balance.

config firewall vip
    config realservers
        set type address <==added
        set address [firewall.address.dynamic_address] <==added
    end
end

Remove igmp-snooping command from switch-controller managed-switch.

config switch-controller managed-switch
    edit S248EPTF18001384
        config ports
            edit port1
                get | grep igmp-snooping <==removed
            next
        end
    next
end

Remove sla-compare-method under virtual-wan-link load-balance.

config sys virtual-wan-link
    config service
        edit 1
            set mode load-balance
            set sla-compare-method number <==removed
        next
    end
end

Remove scan-mode from AV when feature-set is set to flow.

config antivirus profile
    edit "av"
        set scan-mode legacy <==removed
    next
end

Remove default-db option under antivirus settings.

config antivirus settings
    set default-db extended <==removed
    set grayware enable
    set override-timeout 0
end

Add use-extreme-db option is on mid- and high-end FortiGates under antivirus setting.

config antivirus settings
    set use-extreme-db [enable | disable] <==added only on mid- and high-end FortiGates
    set grayware enable
    set override-timeout 0
end

Add feature-set option under antivirus profile. It is used to hide non-supported features based on value.

config antivirus profile
    edit "av"
        set feature-set [flow | proxy] <==added
    next
end

Resource record limit is now a configurable value for secondary DNS can be edited per dns-zone. The rr-max attribute for secondary DNS was added. The maximum number of resource records is an integer: 10–65536, or infinite is 0; the default is 16384.

config system dns-database
    edit "secondary"
        set domain "fm.tvssa.net"
        set type slave
        set rr-max 0
        set ip-master 172.16.78.171
    next
    edit "secondary2"
        set status disable
        set domain "test.edu"
        set type slave
        set rr-max 40000
        set ip-master 172.16.78.171
    next
end

Remove the visibility attribute from various firewall address tables.

config firewall addrgrp
    edit 1
        set visibility {enable | disable} <==removed
    next
end

This attribute was removed from: firewall.addrgrp, firewall.addrgrp6, firewall.address, firewall.address6, firewall.proxy-address, firewall.multicast-address, firewall.multicast-address6, firewall.proxy-addrgrp, firewall.wildcard-fqdn group, and firewall.wildcard-fqdn custom.

Add force-inclusion-ssl-di-sigs under application profile.

config application list
    edit "app-list-1"
        set force-inclusion-ssl-di-sigs disable <==added
    next
end

Add object under vdom-exception that allows HA primary and secondary devices to send logs to different syslog servers.

config sys vdom-exception
    edit 1
        set object log.syslogd.setting <==added
    next
    edit 2
        set object log.syslogd.override-setting <==added
        set scope inclusive
        set vdom root
    next
end

Add dhcp-ra-giaddr under ipsec phase1-interface.

config vpn ipsec phase1-interface
    edit "1"
        set type dynamic
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set assign-ip-from dhcp
        set dhcp-ra-giaddr <==added
    next
end

Remove all MMS-related configurations, which includes:

• Remove mms/mm1/mm3/mm4/mm7 under config system replacemsg-group.
• Remove mms/mm1/mm3/mm4/mm7 under config system replacemsg.
• Remove mms-profile under config firewall and config firewall policy.
• Remove mms-checksum under config antivirus.
• Remove carrier-endpoint-bwl under config firewall.
• Remove config notification under config global.