The following settings under config firewall vip/vip6 are hidden when NAT46/NAT64 is enabled:

• http-redirect
• http-multiplex
• max-embryonic-connections
• http-host
• http-host option for ldb-method

Previously, SSL certificate options for VIP access proxy configurations contained an option for CA certificates. A configuration using a CA certificate would cause a ERR_SSL_KEY_USAGE_INCOMPATIBLE error because it is not a server certificate.

Now, the CLI will filter out certificates that do not exist, are a CA certificate, or are not valid.

Previous configurations in which SSL certificate options get filtered are upgraded to use default the FORTINET_SSL certificate.

Change config vrf-leak/config vrf-leak to config vrf/config vrf6 and config target to config leak-target in BGP settings.

config router bgp
    config vrf
        edit <vrf>
            config leak-target
                edit <id>
                    set route-map <string>
                    set interface <string>
                next
            end
        next
    end
end

Increase the number of VRFs per VDOM from 32 to 64 to support large SD-WAN, VPN, and BGP deployments. Up to 64 VRFs can be configured per VDOM on devices that support 200 VDOMs.

The VRF ID range has changed to 0 - 63 in the following commands:

config system interface
    edit <name>
        set vrf <integer>
    next
end

config router {static | static6}
    edit <id>
        set vrf <integer>
    next
end

config router bgp
    config {vrf | vrf6}
        edit <integer>
        next
    end
end

The following diagnostic commands have been added:

# diagnose ip router bgp set-filter vrf <vrf_id>

# diagnose ip router bgp set-filter neighbor <neighbor_address>

# diagnose ip router bgp set-filter reset

# get router info filter show

# get router info filter vrf {vrf_id | all}

Add setting for IPv4 reachable time (previously only IPv6 was supported).

config system interface
    edit <name>
        set reachable-time <integer>
    next
end

The IPv4 reachable time is measured in milliseconds (30000 - 3600000, default = 30000).

Add support for up to 30 virtual clusters (previously, only two were supported). The vcluster2 and config secondary-vcluster settings have bee replaced.

 config system ha
    set vcluster-status enable
    config vcluster
        edit <id>
            ...
        next
    end
end

Allow IPv6 DNS server override to be set when DHCPv6 prefix delegation is enabled.

config system interface
    edit <name>
        config ipv6
            set ip6-mode static
            set dhcp6-prefix-delegation enable
            set ip6-dns-server-override enable
        end
    next
end

Enhance DLP with backend updates and CLI changes. The following configuration commands are added:

config dlp data-type
    edit <name>
        set pattern <regex_pattern>
        set verify <regex_pattern>
        set look-back <integer>
        set look-ahead <integer>
        set transform <string>
        set verify-transformed-pattern {enable | disable}
        set comment <string>
    next
end

config dlp dictionary
    edit <name>
        set match-type {match-all | match-any}
        set comment <string>
        config entries
            edit <id>
                set type {credit-card | hex | keyword | regex | ssn-us}
                set pattern <string>
                set ignore-case {enable | disable}
                set repeat {enable | disable}
                set status {enable | disable}
                set comment <string>
            next
        end
    next
end

config dlp sensor
    edit <name>
        set match-type {match-all | match-any | match-eval}
        set eval <string>
        set comment <string>
        config entries
            edit <id>
                set dictionary <dlp_dictionary>
                set count <integer>
                set status {enable | disable}
            next
        end
    next
end

config dlp profile
    edit <name>
        set feature-set proxy
        config rule
            edit <id>
                set proto <protocol> <protocol> ...
                set sensor <dlp_sensor>
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end

In config firewall policy and config firewall proxy-policy, the dlp-sensor option is renamed to dlp-profile.

In H.323 sessions, after RAS registration messages are sent, the FortiGate opens expectation sessions for call establishment. The h323-direct-model setting provides an option to enable or disable direct model, which enables or disables wide open expectation sessions.

config system settings
    set h323-direct-model {enable | disable}
end

The setting is disabled by default (the wide open pinhole will be closed); however when upgrading from an older version, the setting will be enabled to preserve the previous behavior.

Add option to enable Operational Technology (OT) features in the GUI.

config system settings
    set gui-ot {enable | disable}
end

The following options in the one-arm sniffer policy configuration are removed.

config firewall sniffer
    edit <id>
        set host <string>
        set port <string>
        set protocol <string>
        set vlan <string>
        set ipv6 {enable | disable}
        set non-ip {enable | disable}
        set max-packet-count <integer>
        set free-style {enable | disable}
        set free-style-filter <string>
    next
end

Add web-mode-snat setting in config vpn ssl settings to enable/disable the use of IP pools defined in a firewall policy while using web mode. This setting is disabled by default.

config vpn ssl settings
    set web-mode-snat {enable | disable}
end

When enabled, the IP pools should be added as secondary IPs in the SSL VPN interface.

Add auth-timeout setting in config wireless-controller timers to configure the waiting time after which a wireless client is considered to fail RADIUS authentication and times out (in seconds, 5 - 30, default = 5).

config wireless-controller timers
    set auth-timeout <integer>
end