The following settings under config firewall vip/vip6 are hidden when NAT46/NAT64 is enabled:

• http-redirect
• http-multiplex
• max-embryonic-connections
• http-host
• http-host option for ldb-method

Add min-allowed-ssl-version option that allows administrators to set a minimum allowed TLS/SSL version (default = TLS 1.1). If the minimum allowed version is not met in the ClientHello or ServerHello, the connection is blocked.

Change the default setting of unsupported-ssl-version to block, and remove the inspect option.

config firewall ssl-ssh-profile
    edit <name>
        config SSL
            set inspect-all deep-inspection
            set unsupported-ssl-version {allow | block}
            set min-allowed-ssl-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3}
        end
    next
end

Previously, SSL certificate options for VIP access proxy configurations contained an option for CA certificates. A configuration using a CA certificate would cause a ERR_SSL_KEY_USAGE_INCOMPATIBLE error because it is not a server certificate.

Now, the CLI will filter out certificates that do not exist, are a CA certificate, or are not valid.

Previous configurations in which SSL certificate options get filtered are upgraded to use default the FORTINET_SSL certificate.

Add setting for IPv4 reachable time (previously only IPv6 was supported).

config system interface
    edit <name>
        set reachable-time <integer>
    next
end

The IPv4 reachable time is measured in milliseconds (30000 - 3600000, default = 30000).

Allow IPv6 DNS server override to be set when DHCPv6 prefix delegation is enabled.

config system interface
    edit <name>
        config ipv6
            set ip6-mode static
            set dhcp6-prefix-delegation enable
            set ip6-dns-server-override enable
        end
    next
end