Add support for multiple internet service matches in NGFW policy mode. Previously, the ISDB query that IPS uses for security policy matching only returned the highest priority match, which led to policy matching issues when the source or destination matched multiple internet services and a lower priority internet service was configured in a policy.

Add Q-in-Q ingress/egress point NP6 support on FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, and FG-3601E.

Add HA uninterruptible upgrade option, which allows users to configure a timeout value in minutes (1 - 30, default = 30) where the primary HA unit waits before the secondary HA unit is considered upgraded.

config system ha
    set uninterruptible-primary-wait <integer>
end

Add fields for source-ip and source-ip6 to set the source address used to connect to the ACME server.

config system acme
    set source-ip <class_ip>
    set source-ip6 <IPv6_address>
end

Add IPsec fast path in VPN/DPDK for FG-VM (ESXi, KVM, Hyper-V, AWS, and Azure). Only GCM128 and GCM256 cyphers supported. IPv6 tunnels, anti-replay, and transport mode are not supported.

config dpdk global
    set ipsec-offload {enable | disable}
end

Add handling for expect sessions created by session helpers in NGFW policy mode. For protocols that are only supported by IPS but not session helpers (IPv6 SIP), IPS falls back on using its own handling of these sessions, which is similar to profile mode.

To enhance BFD support, FortiOS can now support neighbors connected over multiple hops. When BFD is down, BGP sessions will be reset and try to re-establish neighbor connection immediately.

Add support for 802.1X under the hardware switch interface on NP6 platforms: FG-30xE, FG-40xE, and FG-110xE.

The following existing options can be used to control explicit DoT handshakes.

config system global
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3}
    set ssl-static-key-ciphers {enable | disable}
    set strong-crypto {enable | disable}
end

Add Windows 11 and macOS 12 to the SSL VPN OS check. The following options are available for config os-check-list <name>: macos-bigsur-11, macos-catalina-10.15, macos-mojave-10.14, macos-monterey-12, windows-7, windows-8.1, windows-10, and windows-11.

Operating systems no longer supported by FortiClient were removed.

Add macOS 12 and Windows 11 to SSL VPN host check. Windows 8 and macOS 10.9 to 10.13 are removed from the SSL VPN host check.

NP7 CAPWAP offloading for WiFi traffic now supports VLAN-related features such as dynamic VLANs and VLAN stacking (also called QinQ or inner VLANs).

FortiOS now incorporates maturity levels in the released firmware images. Two maturity levels are defined: feature and mature.

In the GUI and CLI, administrators are able to identify the maturity level of the current firmware by the Feature or Mature tags. On the System > Fabric Management page, administrators can view the maturity levels of each firmware available for upgrade. When upgrading from a Mature to a Feature firmware, a warning message is displayed.

Allow dedicated scan to be disabled on FortiAP F-series profiles, which then allows background scanning using the WIDS profile to be enabled on radios 1 and 2.

In a video filter profile, when the FortiGuard category-based filter and YouTube channel override are used together, by default a video will be blocked if it matches either category or YouTube channel and the action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled.

FortiGate models with the CP9 SPU receive the IPS full extended database (DB), and the other physical FortiGate models receive a slim version of the extended DB. This slim-extended DB is a smaller version of the full extended DB, and it is designed for customers who prefer performance.

Add support for Apple French keyboard layout for RDP in SSL web portal, user bookmark, and user group bookmark settings (set keyboard-layout fr-apple).

Allow a two-hour grace period for FortiFlex to begin passing traffic upon retrieving a license from FortiCare without VM entitlement verification from FortiGuard.

Add four SNMP OIDs for polling critical port block allocations (PBAs) IP pool statistics including:

• Total PBAs: fgFwIppStatsTotalPBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.9)

• In use PBAs: fgFwIppStatsInusePBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.10)

• Expiring PBAs: fgFwIppStatsExpiringPBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.11)

• Free PBAs: fgFwIppStatsFreePBAs (1.3.6.1.4.1.12356.101.5.3.2.1.1.12)

Add options to disable using the FortiGuard IP address rating for SSL exemptions and proxy addresses.

config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end

config firewall profile-protocol-options
    edit <name>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end

By default, the ssl-exemption-ip-rating and address-ip-rating options are enabled. If both a website domain and its IP address return different categories after being rated by FortiGuard, then the IP address category takes precedence when evaluating SSL exemptions associated with the SSL inspection profile and proxy addresses associated with the proxy protocol options profile.

When the categories associated with the website domain and IP address are different, using these options to disable the FortiGuard IP rating ensures that the FortiGuard domain category takes precedence when evaluating the above objects.

By default, the connection from the ZTNA access proxy to the backend servers uses the IP of the outgoing interface as the source. This enhancement enables customers to use an IP pool as the source IP, or use the client's original IP as the source IP. This allows ZTNA to support more sessions without source port conflict.

config firewall proxy-policy
   edit <id>
      set type access-proxy
      set poolname <ip_pool>
      set transparent {enable | disable}
   next
end

Optimized FGSP Peer Communication. Each FGSP peer receives information only once, regardless of multiple links. A primary link handles all communications, with backup links for redundancy. If the primary link fails, a backup takes over, enhancing resource use and system performance.

Add support for NTurbo port SSL mirror traffic on NP7.

Optimize URL categorization to match the longest pattern.

• Add a length comparison of matched URL patterns.

• For local categories, the category ID of the longest matched pattern will be chosen (URL patterns are unique).

• For external resources, the all Category IDs of the longest matched patterns will be returned (the same URL pattern probably exists in multiple external lists).

Ensure that session synchronization happens correctly in the FGCP over FGSP topology.

1. When the session synchronization filter is applied on FGSP, the filter will only affect sessions synchronized between the FGSP peers.

2. When virtual clustering is used, sessions synchronized between each virtual cluster can also be synchronized to FGSP peers. The peers' sync_vd must all be in the same HA vcluster.

FortiOS has been enhanced with support for round-robin mode and Receive Packet Steering (RPS) on the IPsec interface. This ensures that the encrypted and decrypted IPsec packets are evenly distributed across all available CPUs, addressing the issue of uneven CPU usage.

Allow interface-select-method and interface to be configured for FortiClient EMS Fabric connectors.

The FortiGate explicit web proxy supports the Cross-Origin Resource Sharing (CORS) protocol, which allows the FortiGate to process a CORS preflight request and an actual CORS request properly, in addition to a simple CORS request when using session-based, cookie-enabled, and captive portal-enabled SAML authentication. This allows a FortiGate explicit web proxy user with this specific configuration to properly view a web page requiring CORS with domains embedded in it other than its own domain.

Update libssh2 to support DH parameters larger than 2048.

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled under the user ldap object definition. This enhancement reduces the number of the AD users returned by allowing the use of a group filter to synchronize only the users who meet the group filter criteria.

Add command to clean up old configurations, except for serial number and FortiManager IP, in system.central-management.

# execute factoryreset-for-central-management