PRP support for SoC4:

• Configure ingress port to allow the PRP trailer to not be stripped off when the PRP packets come in.
• Configure egress port to allow the PRP trailer to not be stripped off when the PRP packets go out.

config system npu
    set prp-port-in "port1"
    set prp-port-out "port2"
end

Add a specific auth-timeout field in the SSL VPN monitor.

Add settings to enable flow control and pause metering. Pause metering allows the FortiSwitch to apply flow control to ingress traffic when the queue is congested and to resume once it is cleared.

When 802.1x authentication requests to a RADIUS server time out, the authserver-timeout settings within the switch-controller security-policy 802.1x will assign the port to a timeout VLAN.

Add NPU support for GTP-U encapsulated in IPv6.

To avoid large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon:

• Prioritize established SAs.

• Offload groups 20 and 21 to CP9.

• Optimize the default embryonic limits for mid- and high-end platforms.

The IKE embryonic limit can now be configured in the CLI:

config system global
    set ike-embryonic-limit <integer>
end

After authorizing a FortiAP, administrators can also register the FortiAP to FortiCloud directly from the FortiGate GUI.

AWS and Azure now support FIPS ciphers mode.

FortiGate-VMs on AWS now use Amazon EC2 instance metadata service version 2 (IMDSv2) to query and retrieve metadata from the AWS cloud.

Add support for FortiFlex, an enterprise license agreement for virtual machine licensing where users can manage and monitor their VM subscription in the FortiCloud portal.

FortiSwitch events now have their own category on the Events log page.

In a tenant VDOM, allow lldp-profile and lldp-status to be configurable on a leased switch port.

Configuring the DiffServ code in phase 2 of an IPsec tunnel allows the tag to be applied to the ESP packet. NPU offloading must be disabled for this tunnel.

By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM.

config nsxt setting
    set liveness {enable | disable}
    set service <service name>
end
config nsxt service-chain
    edit <ID>
        set name <chain name>
        config service-index
            edit <forward index>
                set reverse-index <value>
                set name <index name>
                set vd <VDOM>
            next
        end
    next
end

The default value for reverse-index is 1. The vd setting is required.

Support 802.11v load balancing and optimized roaming.

Adaptive Radio Architecture (ARA) allows FortiAPs to calculate the network coverage factor (NCF) based on radio interference. When Dynamic Radio Mode Assignment (DRMA) is enabled, if interference crosses a threshold, the radio becomes redundant by moving from AP mode to monitor mode.

config wireless-controller wtp-profile
    edit <profile>
        config radio-1
            set band 802.11n/g-only
            set drma {enable | disable}
            set drma-sensitivity {high | medium | low}
        end
    next
end

Allow SD-WAN duplication rules to specify SD-WAN service rules to trigger packet duplication. This allows SD-WAN duplication to occur based on an SD-WAN rule instead of the source, destination, or service parameters in the duplication rule.

In an application control list, the exclusion option allows users to specify a list of applications they wish to exclude from an entry filtered by category, technology, or others.

config application list
    edit <list>
        config entries
            edit 1
                set category <ID>
                set exclusion <signature ID> ... <signature ID>
            next
        end
    next
end

Simplify FortiExtender deployment so it is displayed in the topology.

The limit of BGP paths that can be selected and advertised has increased to 255 (originally 8).

Add support to deploy FortiGate-VMs that are paravirtualized with SR-IOV and DPDK/vNP on OCI shapes that use Mellanox network cards.

Add additional information such as DHCP server MAC, gateway, subnet, and DNS to wireless DHCP logs.

Add global option fortiipam-integration to control FortiIPAM. When enabled, ipamd will run and report to FortiIPAM to allow automatic IP address/subnet management.

config system global
    set fortiipam-integration {enable | disable}
end

By default, the FortiGate uses the outbound interface's IP to communicate with a FortiSwitch managed over layer 3. The switch-controller-source-ip option allows the switch controller to use the FortiLink fixed address instead.

Enabling IGMP snooping on an SSID allows the wireless controller to detect which FortiAPs have IGMP clients. The wireless controller will only forward a multicast stream to the FortiAP where there is a listener for the multicast group.

IoT background scanning is disabled by default. Users can enable this option on the FortiLink Interface page in the GUI or with the switch-controller-iot-scanning in the CLI.

Integrate Broadcom bnxt_en 1.10.1 driver to drive new vfNIC to replace 1.9.2 version. The following new cards are supported:

• [BCM57508] = { "Broadcom BCM57508 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

• [BCM57504] = { "Broadcom BCM57504 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

• [BCM57502] = { "Broadcom BCM57502 NetXtreme-E 10Gb/25Gb/50Gb Ethernet" }

• [BCM57508_NPAR] = { "Broadcom BCM57508 NetXtreme-E Ethernet Partition" }

• [BCM57504_NPAR] = { "Broadcom BCM57504 NetXtreme-E Ethernet Partition" }

• [BCM57502_NPAR] = { "Broadcom BCM57502 NetXtreme-E Ethernet Partition" }

• [BCM58812] = { "Broadcom BCM58812 NetXtreme-S 2x50G Ethernet" }

• [BCM58814] = { "Broadcom BCM58814 NetXtreme-S 2x100G Ethernet" }

• [BCM58818] = { "Broadcom BCM58818 NetXtreme-S 2x200G Ethernet" }

• [NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" }

The user device store allows user and device data collected from different daemons to be centralized for quicker access and performance:

diagnose user-device-store device memory list

diagnose user-device-store device memory query mac <value>

diagnose user-device-store device memory query ip <value>

diagnose user-device-store device disk list

diagnose user-device-store device disk query <SQL WHERE clause>

Support multiple LDAP server configurations for Kerberos keytab and agentless NTLM domain controller in multiple forest deployments.