Changes in default behavior

Bug ID

Description

655991

Consolidates multiple NAT46/NAT64-related objects into regular objects, and introduces a per-VDOM virtual interface, naf.<vdom>, that is automatically added to process NAT46/NAT64 traffic. The changes and additions include:

  • Consolidate vip46 and vip64 settings into vip and vip6 configurations.
  • Consolidate policy46 and policy64 settings into firewall policy settings.
  • Introduce nat46/nat64 in firewall policy settings.
  • Extend ippool and ippool6 to support NAT46 and NAT64.
  • Extend central SNAT to support NAT46 and NAT64.
  • Remove firewall vip46/vip64, vipgrp46/vipgrp64, and policy46/policy64 settings.
  • Rename system.nat64 to system.dns64.

To configure NAT46/NAT64 translation, users can use the standard vip/vip6 setting, apply it in a firewall policy, enable NAT46/NAT64, and enter the IP pool to complete the configuration.

699533

In FortiOS 7.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions.

709056

Previously, the tie-break fib-best-match option in SD-WAN service rules selected the outgoing interface from among all links that have a valid route to the destination. In this update, the option is extended to consider only the best routes. This works on manual, priority, and SLA SD-WAN service modes. The longest match routes will override the quality comparisons when all of the specific routes are out of SLA. This applies to priority and SLA SD-WAN rules.

709391

The link monitor health check for access proxy real servers has been added for ZTNA. This enhancement will deploy the server health check status to the WAD daemon.

  • Add server health check status (ALIVE/DIE) to the wad_vs_server.

  • Query the link monitor health check status when creating the wad_vs_server.

  • When the link monitor health check status changes, the generation in the CMDB debug zone is updated.

  • WAD daemon updates the wad_vs_server health check status when a generation change is detected.

714831

Remove related ZTNA tags when an EMS connection is deleted from Fabric connector.

717170

The interface TCP MSS setting now applies to RX and TX TCP MSS.

718512

Allow policy route match in the reply direction, and improve IPv6 route search for policy route to keep the same behavior as IPv4.

718571

DHCP relay interfaces are released/initialized for added/deleted relay interfaces only. All other relay interfaces will remain unchanged.

All DHCP relay interfaces now share one socket instead of one socket per interface.

Additionally, DHCP relay now listens on the Layer 3 socket. If customers are using local-in policies to deny any/all traffic, they must create an accept policy to allow UDP/67 traffic before the deny policy, since the FortiGate will now block these packets on the Layer 3 socket.
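The following pre-upgrade check for the 718571 change is an added example, not Fortinet code: it reads the `config firewall local-in-policy` block of a configuration backup and reports relay interfaces where a deny covering UDP/67 is matched before any accept. The sample configurations, the interface name `port2`, and the policy IDs are constructed; the script assumes policies are evaluated in the order they appear in the backup, that a missing `set action` line means deny, and that only the built-in `DHCP` and `ALL` services cover UDP/67 (addresses are not evaluated).

```python
import re

HEADER = "config firewall local-in-policy\n"

def policy(pid, action, service, intf="port2"):
    """Render one constructed local-in policy entry (sample data only)."""
    return (f'    edit {pid}\n        set intf "{intf}"\n        set srcaddr "all"\n'
            f'        set dstaddr "all"\n        set action {action}\n'
            f'        set service "{service}"\n        set schedule "always"\n    next\n')

# Constructed samples: deny-all only, then the same deny preceded by a DHCP accept.
BROKEN = HEADER + policy(1, "deny", "ALL") + "end\n"
FIXED = HEADER + policy(2, "accept", "DHCP") + policy(1, "deny", "ALL") + "end\n"

# Assumption: built-in service names that include UDP/67.
DHCP_SERVICES = {"DHCP", "ALL"}

def parse_local_in(cfg):
    """Return local-in policies as dicts, in the order they appear in the backup."""
    block = re.search(r"^config firewall local-in-policy\n(.*?)^end", cfg, re.S | re.M)
    policies = []
    entries = re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next", block.group(1) if block else "",
                         re.S | re.M)
    for pid, body in entries:
        fields = dict(re.findall(r"^\s*set (\S+) (.+)$", body, re.M))
        policies.append({"id": int(pid),
                         **{k: v.replace('"', "") for k, v in fields.items()}})
    return policies

def blocked_relay_interfaces(cfg, relay_intfs):
    """List relay interfaces whose first UDP/67-matching local-in policy is a deny."""
    blocked = []
    for intf in relay_intfs:
        for p in parse_local_in(cfg):
            if p.get("status") == "disable" or p.get("intf") not in (intf, "any"):
                continue
            if not DHCP_SERVICES & set(p.get("service", "").split()):
                continue
            # Assumption: an absent "set action" line means the default, deny.
            if p.get("action", "deny") == "deny":
                blocked.append(intf)
            break  # the first matching policy decides the outcome
    return blocked

if __name__ == "__main__":
    print("before fix:", blocked_relay_interfaces(BROKEN, ["port2"]))
    print("after fix: ", blocked_relay_interfaces(FIXED, ["port2"]))
```

Custom service objects that include UDP/67 are not resolved here; add their names to `DHCP_SERVICES` when auditing a real backup.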
