DOCUMENT LIBRARY

FortiOS Release Notes

Home FortiGate / FortiOS 7.0.0 FortiOS Release Notes

7.0.0

Changes in CLI

Changes in CLI

Bug ID	Description
570152	Remove redundant `set override` attribute for logging in `config log fortianalyzer override-setting` and `config log syslogd override-setting`.
587183	Remove the intelligent mode option from the IPS global configuration: config ips global set intelligent-mode {enable \| disable} end
640488	Add option to configure the maximum memory usage on the FortiGate's proxy for processing resources, such as block lists, allow lists, and external resources. config system global set proxy-resource-mode {enable \| disable} end
640620	In the `wireless-controller arrp-profile` configuration, the `include-weather-channel` and `include-dfs-channel` options have changed from `yes`/`no` to `enable`/`disable`.
645241	Remove `prp-port-out` and `prp-port-in` settings from `system npu` and replace with the following:. config system npu setting prp set prp-port-in port-list set prp-port-out port-list end
657726	Remove option to rate images by URL for web filter profile in the GUI and CLI.
666855	FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients. Add attribute to control signature algorithms related to client authentication (only affects TLS 1.2): config vpn ssl settings set client-sigalgs {no-rsa-pss \| all} end
672183	Disable IHP IPsec anti-replay, and also use large MTU check values in NAT traversal sessions to avoid fragmentation and MTU exceptions. This affects the FG-3800D. config system npu set uesp-offload {enable \| disable} end
673049	When `localid-type address` is configured, users have the option to directly set an ID for IPv4 or IPv6 addresses. config vpn ipsec phase1 set localid-type address set localid <string> end
673747	Support IPv6 in `execute restore` and `execute backup` commands to TFTP and FTP servers.
675511	Update `diagnose debug application virtual-wan-link` to `diagnose debug application sdwan`.
677552	Add `failover-hold-time` to avoid flips caused by monitor interface failure, in seconds (0 - 300, default = 0). config system ha set failover-hold-time <integer> end
682561	Add command, `get system instance-id`.
687197	Allows administrators to set requirements for any number of new characters in a new password, as opposed to a minimum of 4 unique new characters. config system password-policy set min-change-characters <integer> end The `set change-4-characters {enable \| disable}` option has been removed.
690981	Daily hit counts for central NAT and DNAT can now be displayed in the CLI using the following commands: # diagnose firewall iprope show 10000d <index> # diagnose firewall iprope show 100000 <index>
695259	Rename the following setting: config system dns set dns-over-tls {disable \| enable \| enforce} end To: config system dns set protocol {cleartext \| DoT \| DoH} end
695979	Support wildcard MAC addresses in firewall address for users to easily use pattern matching, like vendor prefix, to define a group of addresses. The MAC address range is now defined by specifying <start> - <end> in a single field, instead of defining a `start-mac` and `end-mac`. Multiple addresses can be defined in a single line. config firewall address edit "address" set type mac set macaddr 00:0c:29:8d:7e:e3 00:0c:*:8d:7:e3 00:0c:29:8d:7e:e3-00:22:29:8d:7e:e next end
700098	With the new IPsec kernel design, `route tree` is not available in the IPsec tunnel list used to select tunnels by next-hop, so the IPsec `phase1-interface` option `tunnel-search` is not useful and was removed. `tunn-id` is automatically generated and is used to link routes with IPsec tunnels. # diagnose vpn tunnel list name=hub1_0 ver=2 serial=a 22.1.6.1:4500->11.1.1.2:64916 tun_id=10.10.1.100 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1 .................................... src: 0:0.0.0.0-255.255.255.255:0 dst: 0:0.0.0.0-255.255.255.255:0 SA: ref=3 options=a26 type=00 soft=0 mtu=1358 expire=22685/0B replaywin=2048 seqno=312 esn=0 replaywin_lastseq=00000312 itn=0 qat=0 hash_search_len=1 life: type=01 bytes=0/0 timeout=43185/43200 dec: spi=4688373e esp=aes key=16 b399004593b5fe93fa70fda8cd053f28 ah=sha1 key=20 39ca51549367baed7d3aadda12deef8ed9b2a Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default Routing table for VRF=0 ...................................... B 10.1.100.0/24 [200/0] via 10.10.1.100 (recursive via hub1 tunnel 10.10.1.100), 6d04h41m

Previous

Next

Changes in CLI

Changes in CLI

Bug ID	Description
570152	Remove redundant `set override` attribute for logging in `config log fortianalyzer override-setting` and `config log syslogd override-setting`.
587183	Remove the intelligent mode option from the IPS global configuration: config ips global set intelligent-mode {enable \| disable} end
640488	Add option to configure the maximum memory usage on the FortiGate's proxy for processing resources, such as block lists, allow lists, and external resources. config system global set proxy-resource-mode {enable \| disable} end
640620	In the `wireless-controller arrp-profile` configuration, the `include-weather-channel` and `include-dfs-channel` options have changed from `yes`/`no` to `enable`/`disable`.
645241	Remove `prp-port-out` and `prp-port-in` settings from `system npu` and replace with the following:. config system npu setting prp set prp-port-in port-list set prp-port-out port-list end
657726	Remove option to rate images by URL for web filter profile in the GUI and CLI.
666855	FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients. Add attribute to control signature algorithms related to client authentication (only affects TLS 1.2): config vpn ssl settings set client-sigalgs {no-rsa-pss \| all} end
672183	Disable IHP IPsec anti-replay, and also use large MTU check values in NAT traversal sessions to avoid fragmentation and MTU exceptions. This affects the FG-3800D. config system npu set uesp-offload {enable \| disable} end
673049	When `localid-type address` is configured, users have the option to directly set an ID for IPv4 or IPv6 addresses. config vpn ipsec phase1 set localid-type address set localid <string> end
673747	Support IPv6 in `execute restore` and `execute backup` commands to TFTP and FTP servers.
675511	Update `diagnose debug application virtual-wan-link` to `diagnose debug application sdwan`.
677552	Add `failover-hold-time` to avoid flips caused by monitor interface failure, in seconds (0 - 300, default = 0). config system ha set failover-hold-time <integer> end
682561	Add command, `get system instance-id`.
687197	Allows administrators to set requirements for any number of new characters in a new password, as opposed to a minimum of 4 unique new characters. config system password-policy set min-change-characters <integer> end The `set change-4-characters {enable \| disable}` option has been removed.
690981	Daily hit counts for central NAT and DNAT can now be displayed in the CLI using the following commands: # diagnose firewall iprope show 10000d <index> # diagnose firewall iprope show 100000 <index>
695259	Rename the following setting: config system dns set dns-over-tls {disable \| enable \| enforce} end To: config system dns set protocol {cleartext \| DoT \| DoH} end
695979	Support wildcard MAC addresses in firewall address for users to easily use pattern matching, like vendor prefix, to define a group of addresses. The MAC address range is now defined by specifying <start> - <end> in a single field, instead of defining a `start-mac` and `end-mac`. Multiple addresses can be defined in a single line. config firewall address edit "address" set type mac set macaddr 00:0c:29:8d:7e:e3 00:0c:*:8d:7:e3 00:0c:29:8d:7e:e3-00:22:29:8d:7e:e next end
700098	With the new IPsec kernel design, `route tree` is not available in the IPsec tunnel list used to select tunnels by next-hop, so the IPsec `phase1-interface` option `tunnel-search` is not useful and was removed. `tunn-id` is automatically generated and is used to link routes with IPsec tunnels. # diagnose vpn tunnel list name=hub1_0 ver=2 serial=a 22.1.6.1:4500->11.1.1.2:64916 tun_id=10.10.1.100 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1 .................................... src: 0:0.0.0.0-255.255.255.255:0 dst: 0:0.0.0.0-255.255.255.255:0 SA: ref=3 options=a26 type=00 soft=0 mtu=1358 expire=22685/0B replaywin=2048 seqno=312 esn=0 replaywin_lastseq=00000312 itn=0 qat=0 hash_search_len=1 life: type=01 bytes=0/0 timeout=43185/43200 dec: spi=4688373e esp=aes key=16 b399004593b5fe93fa70fda8cd053f28 ah=sha1 key=20 39ca51549367baed7d3aadda12deef8ed9b2a Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default Routing table for VRF=0 ...................................... B 10.1.100.0/24 [200/0] via 10.10.1.100 (recursive via hub1 tunnel 10.10.1.100), 6d04h41m

Previous

Next