Allow SSL VPN to be explicitly enabled or disabled from the GUI and CLI. To connect, SSL VPN must be enabled and the SSL VPN interface must be up.

config vpn ssl settings
    set status {enable | disable}
end

Add HA support for multiple ACI clusters for Cisco ACI external SDN connector VMs. The multiple IPs in the Cisco ACI external SDN connector VM configuration allows the FortiGate to connect to SDN connector VMs in the same ACI cluster in a round-robin fashion. Only one SDN connector VM is active, and the remaining serve as backups if the active one fails.

config system sdn-connector
    edit "ACI-1"
        set type aci
        set server-list "10.105.152.96" "10.105.152.97" "100.101.1.98"
        set server-port 5671
        set username "admin"
        set password **********
    next
    edit "ACI-2"
        set type aci
        set server-list "20.105.152.91" " 20.105.152.92" "40.111.1.3"
        set server-port 5671
        set username "admin"
        set password **********
    next
end

ACI-1 and ACI-2 are different ACI clusters. They each have multiple SDN connector VMs in synchronization. Each firewall address can point to either ACI-1 or ACI-2.

Add system event logs for the execution of CLI commands. When cli-audit-log is enabled under system global, the execution of execute, config, show, get, and diagnose commands will trigger system event logs.

Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged in to an SFP port. The management of the DSL transceiver includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrades of the module, and reset the module. Supported VDSL profiles: 8a, 8b, 8c, 8d, 12a, 12b, 17a, and 30a. Supported platforms: FG-80F, FG-81F, FG-80F-BP, FGR-60F, and FGR-60F-3G4G.

Allow inspection of double-tagged (802.1Q + 802.1Q) traffic on virtual wire pairs with wildcard VLANs. Other enhancements include optimizing NPU receive packet steering and configuring traffic distribution on the ISF to achieve higher throughput.

Add Q-in-Q ingress/egress point NP6 support on FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, and FG-3601E.

NetFlow and SFlow now support using SD-WAN in interface-select-method for selecting the outgoing interface.

config system {netflow sflow vdom-netflow vdom-sflow}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

Add HA uninterruptible upgrade option, which allows users to configure a timeout value in minutes (1 - 30, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

Support subscription-based VDOM licensing for FG-VM S-series using the new stackable subscription-based SKU.

When a FortiGate is in NAT mode, a VLAN tag with a drop eligible indicator (DEI) bit set resets to 0 after passing through the FortiGate.

On the NAC Policy configuration page, specifying FortiSwitch groups is now supported. Previously, individual FortiSwitches had to be specified. The CLI command to specify individual switches is now updated to specify switch groups.

Add 100 Mbps transceiver support for FGR-60F and FGR-60F-3G4G.

Supply better heartbeat timing information to the auto-scale callback URL. Previously, the auto-scale heartbeat request made to the auto-scale callback URL did not contain a timestamp or sequence number. This information was estimated in the cloud function called by the callback URL, but the cloud function platform's timing was not as reliable as initially expected.

Support Q-in-Q (802.1Q in 802.1Q) for FortiGate-VMs.

Add Windows 11 and macOS 12 to the SSL VPN OS check. The following options are available for config os-check-list <name>: macos-bigsur-11, macos-catalina-10.15, macos-mojave-10.14, macos-monterey-12, windows-7, windows-8.1, windows-10, and windows-11.

Operating systems no longer supported by FortiClient were removed.

Update the OVF package so it reflects newer VMware ESXi and hardware versions.

Add macOS 12 and Windows 11 to SSL VPN host check. Windows 8 and macOS 10.9 to 10.13 are removed from the SSL VPN host check.

Updating dynamic addresses using the OpenStack SDN connector now supports: Rocky, Stein, Train, Ussuri, Victoria, Wallaby, and Xena.