
New features or enhancements

More detailed information is available in the New Features Guide.

Cloud

See Public and private cloud in the New Features Guide for more information.

Feature ID

Description

906380

Support Intel Sapphire Rapids (C3) instance types in GCP.

912313

When integrating with Cisco ACI using a direct connection SDN connector, allow the ability to filter on the endpoint security group (ESG) when defining and resolving a dynamic address.

916723

Introduce compatibility between FortiGate-VM64.ovf and FortiGate-VM64.vapp.ovf templates with VMware ESXi 8, virtual hardware version 20.

GUI

See GUI in the New Features Guide for more information.

Feature ID

Description

914305

Improve the FortiConverter configuration steps to provide a better user experience. Users can now see the processing status of their conversion requests. Users also have the ability to hide the FortiConverter prompt when they log in again from either the GUI or the CLI.

New CLI commands have been added:

  • diagnose sys forticonverter get-prompt-visibility: displays whether the FortiConverter wizard is hidden or visible during startup.
  • diagnose sys forticonverter set-prompt-visibility {visible | hidden}: sets the visibility of the FortiConverter wizard on login.

LAN Edge

See LAN Edge in the New Features Guide for more information.

Feature ID

Description

847106

Support inter-VLAN routing by a managed FortiSwitch. The FortiGate can program FortiSwitch to do the Layer 3 routing of trusted traffic between specific VLANs. In this case, the traffic flows are trusted by the user and do not need to be inspected by the FortiGate.

862149

Enhance wireless client mode support on FortiWiFi 80F series models. When wireless client mode is successfully configured and the FortiWiFi local radio has connected to a third-party SSID, this local radio can also concurrently work in AP mode to provide service to wireless clients.

870337

Support GUI Security Rating recommendations for multi-chassis link aggregation groups (MCLAGs) up to three tiers, which is an improvement over the previous limitation of only one tier. This allows for more comprehensive security management and configuration of MCLAGs.

888123

Support automatically allowing and blocking intra-VLAN traffic based on FortiLink connectivity status. This feature introduces configuration options to control switch controller access VLAN traffic behavior when the connection to FortiLink is lost. This enables customers to have the option to allow intra-VLAN traffic under the access VLAN on all affected FortiLink until the FortiLink connection is re-established.

893194

Enhance the security of the Security Fabric by supporting authentication and encryption on all Fabric links wherever possible. This protects communication between FortiGate and FortiSwitch devices from unauthorized access and tampering, ensuring its security and integrity. It is supported on FortiLink over L2 and L3 Fabrics to ensure zero touch support.

901576

Simplify BLE iBeacon provisioning whereby the BLE major ID can be set in WTP and WTP group settings (in addition to being set in the BLE profile settings), and the BLE minor ID can be set in the WTP settings (in addition to being set in the BLE profile settings).

config wireless-controller wtp
    edit <id>
        set ble-major-id <integer>
        set ble-minor-id <integer>
    next
end
config wireless-controller wtp-group
    edit <name>
        set ble-major-id <integer>
        set wtps <wtp-id1>, <wtp-id2>, ...
    next
end

The BLE major ID defined in the WTP settings overrides the BLE major ID defined in the WTP group settings and the BLE major ID defined in the BLE profile settings.

The BLE major ID defined in the WTP group settings overrides the BLE major ID defined in the BLE profile settings.

The BLE minor ID defined in the WTP settings overrides the BLE minor ID defined in the BLE profile settings.

904189

FortiOS can synchronize the FortiOS interface description with the VLAN description on the FortiSwitch. Previously, only the FortiOS interface name could be synchronized as the VLAN description on the FortiSwitch, and it was limited to 15 characters. This enhancement extends the VLAN description length on the FortiSwitch from 15 characters to a new maximum of 64 characters.

config switch-controller global
    set vlan-identity {name | description}
end

905910

Support new changes to the Precision Time Protocol (PTP) configuration on FortiSwitch. This allows FortiOS to manage PTP configuration changes on the FortiSwitch side while maintaining support for previous PTP configuration options.

906431

Before this enhancement, users could be assigned to VLANs dynamically according to the Tunnel-Private-Group-Id RADIUS attribute returned from the Access-Accept message, matching based on a VLAN name table defined under the virtual AP where the VLAN name supported a single VLAN ID. This enhancement allows multiple VLAN IDs to be configured per name tag, up to a maximum of eight VLAN IDs. Once wireless clients connect to the SSID, the FortiGate wireless controller can assign the VLAN ID by a round-robin method from the pool to ensure optimal utilization of VLAN resources.

909971

Support the selection of channels per frequency band for wireless foreground scans when a radio is in monitor mode. This optimizes the wireless foreground scanning operation since only selected channels are scanned.

config wireless-controller wids-profile
    edit <name>
        set ap-scan enable
        set ap-scan-channel-list-2G-5G <channel-1> <channel-2> ... <channel-x>
        set ap-scan-channel-list-6G <channel-1> <channel-2> ... <channel-y>
    next
end

916757

Enhance wireless client mode support on FortiWiFi 80F, 60F, and 40F series models that allows the local radio to connect with a WPA2/WPA3-Enterprise SSID and support PEAP and EAP-TLS authentication methods.

config wifi-networks
    edit <id>
        set wifi-security wpa-enterprise
        set wifi-eap-type {both | tls | peap}
        set wifi-username <string>
        set wifi-client-certificate <client_certificate>
        set wifi-private-key <private_key>
    next
end

The username, client certificate, and private key settings are applicable when connecting to a WPA2/WPA3-Enterprise SSID with EAP-TLS.

920968

Support MIMO mode configuration in the wireless-controller wtp-profile on all radios for FortiAP F and G series, and FortiAP-U EV and F series. The MIMO mode configuration setting is added under the radio configuration when creating or editing a wtp-profile, and its value range is confined within each AP platform and radio's MIMO specifications (default, 1x1, 2x2, 3x3, 4x4, and 8x8).

config wireless-controller wtp-profile
    edit <name>
        config radio-<number>
            set mimo-mode <supported_modes_depend_on_FAP_platform>
        end
    next
end

869610

Add GUI support for the WPA3-SAE security mode on the FortiAP wireless mesh backhaul SSID, with the Hash-to-Element (H2E) only option enforced.

931695

Integrate with Pole Star's NAO Cloud service by supporting Pole Star BLE asset tags and forwarding their data to the cloud service. This solution allows wearables with BLE asset tags that are worn on staff and guests to communicate with FortiAPs through their built-in Bluetooth radios. The data forwarded to the cloud service is processed by Pole Star, and analytics are generated to map the location of each asset.

Log & Report

See Logging in the New Features Guide for more information.

Feature ID

Description

886560

Support switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiAnalyzer.

928948

Add JSON format support for the syslogd settings.

config log syslogd setting
    set format json
end

Network

See Network in the New Features Guide for more information.

Feature ID

Description

730332

Add GUI support for configuring the FortiGate controller and FortiGate connector for the FortiGate LAN extension feature.

733258

Support DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) for transparent and local-in DNS modes. Connections can be established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH). Additionally, the FortiGate is now capable of handling the QUIC/TLS handshake and performing deep inspection for HTTP3 and QUIC traffic.

765007

Support network troubleshooting with Connectivity Fault Management (CFM). With CFM, administrators can easily diagnose and resolve issues in Ethernet networks. CFM provides tools for monitoring, testing, and verifying the connectivity and performance of network segments.

829480

The "Happy Eyeballs" (also named fast fallback) algorithm, as outlined in RFC 8305, is supported for explicit web proxy. This feature operates by attempting to connect to a web server that is available at multiple IPv4 and IPv6 addresses, either sequentially or simultaneously. As a result, the web server can be connected with reduced user-visible delay, which enhances the overall browsing experience.

844004

Add GUI support for interfaces with a LAN role, wireless network interfaces, and FortiExtender LAN extension interfaces to receive an IP address from an IPAM server without any additional configuration at the interface level from the IPAM Settings tab (Network > IPAM). IPAM also detects and resolves any IP conflicts that may occur on the interfaces that it manages. If Auto-resolve conflicts is disabled in the IPAM settings, the Reallocate IP option from the tooltip can be used to manually reallocate the IP address.

854875

Support overriding the IPv4 DHCP relay Option 82 Circuit ID, IPv6 Option 18 Interface ID, IPv4 DHCP relay source IP, and IPv6 DHCP relay source IP.

This allows users to have more control over the configuration of their DHCP relay settings and ensures that their network is operating according to their specific needs.

config system interface
    edit <name>
        set dhcp-relay-service enable
        set dhcp-relay-source-ip <IPv4_address>
        set dhcp-relay-circuit-id <string>
        config ipv6
            set dhcp6-relay-service enable
            set dhcp6-relay-source-ip <IPv6_address>
            set dhcp6-relay-interface-id <string>
        end
    next
end

865825

Support IPv6 on the cellular interface of FG-40F-3G4G devices.

config system lte-modem
    set pdptype {IPv4 | IPv6 | IPv4v6}
end

877152

Support DNS local database lookup for explicit proxy. This allows the explicit proxy to perform DNS lookups using a local database, providing faster and more efficient resolution of domain names. Users can experience improved performance and reduced latency when accessing websites and online services through the explicit proxy.

config system dns-database
    edit <name>
        set view {public | shadow | proxy}
    next
end

877393

Support airplane mode to enable/disable LTE and BLE RF emissions on FGR-70F-3G4G.

config system global
    set airplane-mode {enable | disable}
end

Airplane mode is disabled by default, which means that LTE and BLE are enabled by default. Airplane mode must be configured in the CLI, followed by a reboot to ensure both LTE and BLE functions are disabled on the next bootup. Once airplane mode is enabled, it will keep LTE and BLE RF signals silent during normal operation of the FortiGate.

A specific BIOS version is required to ensure LTE and BLE modules are completely RF silent during the bootup process.

888381

On FortiGates with a cellular modem and dual SIM support, improve real-time switching to passive SIM when LTE modem traffic exceeds a specified data plan limit for a specified billing period. The SIM switch time occurs shortly after a data plan overage event occurs.

config system lte-modem
    set data-usage-tracking enable
    config sim-switch
        set by-data-plan enable
    end
    config data-plan
        edit <id>
            set target-sim-slot {SIM-slot-1 | SIM-slot-2}
            set data-limit <integer>
            set data-limit-alert <integer>
            set billing-period {monthly | weekly | daily}
            set billing-date <integer>
            set billing-weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
            set billing-hour <integer>
            set overage {enable | disable}
            set iccid <SIM_ICCID>
            set delay-switch-time <HH:MM>
        next
    end
end

890632

Remove support for the outdated SSL 3.0 protocol, and set the default minimum SSL support to TLS 1.2 for all modules under FIPS-CC mode. Additionally, all modules now support the latest TLS 1.3 protocol, which provides enhanced security for data transmission.

906748

Webpages can display Cross-Origin Resource Sharing (CORS) content in an explicit proxy environment when using session-based, cookie-enabled, and captive portal assisted authentication. This ensures that webpages are displayed correctly and improves the user experience.

config authentication rule
    edit <name>
        set web-auth-cookie enable
        set cors-stateful {enable | disable}
        set cors-depth <integer>
    next
end

911412

An explicit web proxy can forward HTTPS requests to a web server without the need for an HTTP CONNECT message. The FortiGate explicit web proxy can be configured to detect the HTTPS scheme in the request line of a plain text HTTP request and forward it as an HTTPS request to the web server. This allows applications that cannot use the CONNECT message for sending an HTTPS request to communicate with the web server through an explicit web proxy.

config firewall proxy-policy
    edit <id>
        set detect-https-in-http-request {enable | disable}
    next
end

912322

Support interfaces belonging to non-management VDOMs to be the source IP of the DNS conditional forwarding server. When vdom-dns is disabled, only the IP of the interfaces in the management VDOM can be configured as the source IP. When vdom-dns is enabled, only the IP of the interfaces in the current VDOM can be configured as the source IP.

912323

Support the transparent conditional DNS forwarder and add IPv6 support for the conditional DNS forwarder.

The transparent conditional DNS forwarder allows the FortiGate to intercept and reroute DNS queries for specific domains to a specific DNS server. This provides greater control over DNS requests, especially when the administrator is not managing the DNS server configuration of the client devices. This can improve network efficiency and performance by resolving IPs local to the client's PCs rather than IPs local to the central DNS server.

916843

The inter-VDOM link is capable of acquiring an IP address from the DHCP server. This allows for more seamless network integration.

928885

Support using the web proxy forward server over IPv6. The new IPv6-enabled forward server works the same way as the previous IPv4 forward server. For example, you can configure an IPv6 address or an FQDN that resolves to an IPv6 address for the forward server, and you can also use the IPv6 forward server in a forward server group.

config web-proxy forward-server
    edit <name>
        set addr-type {ipv6 | fqdn}
        set ipv6 <IPv6_address>
    next
end

Policy & Objects

See Policy and objects in the New Features Guide for more information.

Feature ID

Description

829983

The enhanced Policy match tool retains all the functionality of its predecessor (Policy lookup) and adds the ability to return a new policy match results page based on the provided parameters. Policy match results now include web filter profile information (if a web filter is applied) and the ability to use identity-based policy matching. From the Matched Policy section in the match results, administrators can redirect to the policy list or edit the policy. The gutter area in the Policy Match Tool pane displays the top 10 recent matches. This feature provides a more comprehensive and user-friendly way to diagnose and manage policies.

The diagnose firewall iprope lookup command has been updated to specify additional parameters, including policy type (policy or proxy), and a new parameter for identity-based policy matching. The policy match feature will be activated if more than six parameters are specified in the existing diagnose command.

# diagnose firewall iprope lookup <source_ip> <source_port> <destination_ip> <destination_port> <protocol> <device> <policy_type> [<auth_type>] [<user/group>] [<server>]

892953

Support dynamic addresses in security policies in NGFW policy mode. The FABRIC_DEVICE address (a dynamic address consisting of several types of Fabric devices including FortiManager, FortiAnalyzer, FortiClient EMS, FortiMail, FortiAP, and FortiSwitch), can be used as the source or destination address in security policies.

The diagnose ips pme fabric-address list command can be used to check what address is set in the security policy after FABRIC_DEVICE is used in the address.

906066

Support using the ssh-filter-profile in proxy policies using an access proxy. This allows users to have greater control over the contents of SSH traffic passing through the access proxy. With the ability to define and apply custom SSH filter profiles, users can specify which types of SSH traffic are allowed or blocked, providing improved security and flexibility when managing SSH connections through the access proxy.

config firewall proxy-policy
    edit <id>
        set proxy access-proxy
        set action accept
        set utm-status enable
        set access-proxy <name>
        set ssh-filter-profile <string>
    next
end

915924

Active sessions can be refreshed for specific protocols and port ranges per VDOM in a specified direction. This option can help prevent potential denial of service (DoS) attacks by controlling the direction of traffic that refreshes existing sessions.

config system session-ttl
    config port
        edit <id>
            set protocol <integer>
            set timeout <timeout_value>
            set refresh-direction {both | outgoing | incoming}
        next
    end
end

920927

The following updates and improvements have been made to the policy list page:

  • When a single row is selected, display a menu with accompanying descriptive text below it. The More dropdown in this menu contains the same items as the right-click context menu.
  • When multiple rows are selected, the inline menu disappears and the top menu bar changes to display buttons applicable to multi-selection.
  • Update the top-right view options to a dropdown containing three options.
  • Add a tooltip to the view option to indicate that selecting By Sequence will result in the fastest loading time if the table size is greater than 10 thousand.

923611

Support using tags for dynamic addresses in security policies in NGFW policy mode, including EMS (normal and local EMS tags), FortiPolicy, FortiVoice, and FortiNAC.

These tags can be selected as the source or destination addresses in security policies. Once these tags are used in security policies, use the diagnose ips pme dynamic-address list command to show the addresses that are used in the policy.

SD-WAN

See SD-WAN in the New Features Guide for more information.

Feature ID

Description

834861

Add route tags to static routes.

config router static
    edit <seq-num>
        set tag <id>
    next
end

Add password field to BGP neighbor group to be used for the neighbor range.

config router bgp
    config neighbor-group
        edit <name>
            set password <password>
        next
    end
end

892611

Improve the current SD-WAN neighbor plus route-map-out-preferable design to support the multi-PoP, multi-hub large scale architecture. In cases where multiple PoPs containing multiple hubs exist, incoming and outgoing traffic to a spoke needs to be preferred over a primary PoP as long as a minimum number of SD-WAN members in the zone meet the SLA. When these criteria are not met, traffic switches over to a secondary PoP.

The following options are added:

  • minimum-sla-meet-members setting in SD-WAN zone configurations
  • zone-mode setting in SD-WAN service configurations
  • service-id attribute in SD-WAN neighbor configurations
  • sla-stickiness attribute in SD-WAN service configurations
  • Allow the neighbor-group to be configured under SD-WAN neighbor configurations

893314

The maximize bandwidth (load-balance) strategy used prior to FortiOS 7.4.1 is now known as the load balancing strategy. This strategy can be configured under the manual mode and the lowest cost (SLA) strategies.

  • When the load balancing strategy is configured under the manual mode strategy, SLA targets are not used.
  • When the load balancing strategy is configured under the lowest cost (SLA) strategy, SLA targets are used.

899827

Improve the client-side settings of the SD-WAN network bandwidth monitoring service to increase the flexibility of the speed tests, and to optimize the settings to produce more accurate measurements. The changes include:

  • Support UDP speed tests.
  • Support multiple TCP connections to the server instead of a single connection.
  • Measure the latency to speed test servers and select the server with the smallest latency to perform the test.
  • Support the auto mode speed test, which selects either UDP or TCP testing automatically based on the latency threshold.

900198

When a customer using SD-WAN with ADVPN has numerous IPv4 and IPv6 routes per spoke and there are many spokes in the topology, it is more suitable to deploy an IPv4- and IPv6-supported solution without a route reflector that involves an active dynamic BGP neighbor triggered by an ADVPN shortcut. This solution allows a spoke FortiGate to form a BGP neighbor with another spoke FortiGate only after the shortcut tunnel between them has been established. The spoke only learns routes from its BGP neighbors.

The following IPv4 and IPv6 BGP configuration settings are required:

  • The hub FortiGate should be configured with neighbor-group and neighbor-range/neighbor-range6.
  • Each spoke FortiGate should be configured with neighbor-group and neighbor-range/neighbor-range6 (like the hub), and more importantly, each spoke should be configured with set passive disable to ensure spokes are able to initiate dynamic BGP connections between each other.
  • The hub FortiGate should have route reflection disabled (by default) where each neighbor-group setting should have set route-reflector-client disable.

910190

Support using SD-WAN interfaces as source interface for authentication rules.

914659

Add support for the new SD-WAN Overlay-as-a-Service through a license displayed as SD-WAN Overlay as a Service on the FortiGuard page, whose status is updated accordingly. Each FortiGate used with the FortiCloud Overlay-as-a-Service portal must have this license applied to it.

Security Fabric

See Security Fabric in the New Features Guide for more information.

Feature ID

Description

688217

Update FortiVoice Fabric connector:

  • Display FortiVoice endpoint details in the device tooltips (FortiView monitor and log pages). Users can view the display name and extension number of each FortiFone, making it easier to identify and manage endpoint phones.
  • When a FortiVoice-supplied MAC or IP address is used in a firewall policy, automatically create a FortiVoice tag (MAC/IP) dynamic address on the FortiGate that contains all the provisioned FortiFones registered with FortiVoice. The dynamic address can be used in firewall policies to restrict rules to authorized FortiFones only.

860248

Add CIS security control mappings to the Security Rating page. Users can view ratings by CIS compliance and view the description for each CIS control. The FortiGate must have a valid Attack Surface Security Rating license to view security ratings grouped by CIS.

875696

Add prompting for a one-time upgrade when a critical vulnerability is detected upon login. After logging in, the GUI displays a warning message about the critical vulnerability and allows the administrator to either upgrade or skip it. This ensures that the administrator is aware of any potential security risks and can take immediate action to address them.

Security Profiles

See Security profiles in the New Features Guide for more information.

Feature ID

Description

780874

OT virtual patching is a method for mitigating vulnerability exploits against OT devices by applying patches virtually on the FortiGate. In short, when a virtual patching profile is enabled on a firewall policy, the IPS engine uses the MAC address of the device to check whether known vulnerabilities and mitigation rules are associated with it. If so, the IPS engine applies the mitigation rules to traffic for that device.

819093

The inline CASB security profile enables the FortiGate to perform granular control over SaaS applications directly on firewall policies. The supported controls include privilege control, safe search, tenant control, and UTM bypass. Administrators can also customize their own SaaS applications, matching conditions, and custom controls and actions. A firewall policy must use proxy-based inspection with a deep inspection SSL profile in order to apply inline CASB and scan the traffic payload.

869769

Display application signatures in a hierarchical manner when defining application overrides in the GUI.

906915

The FortiGate can forward additional domain-related information to the ICAP server. Once domain information is gathered from an external authentication server (such as LDAP or an FSSO collector agent), FortiOS formats this domain information as WinNT://DOMAIN/Username and forwards it to the ICAP server.

915879

Add two FortiGuard web filter categories:

  • Artificial intelligence technology (category 100): sites that offer solutions, insights, and resources related to artificial intelligence (AI).

  • Cryptocurrency (category 101): sites that specialize in digital or virtual currencies that are secured by cryptography and operate on decentralized networks.

925363

The FortiGate can download quarantined files in an archive format (.TGZ) instead of the original raw file. This allows for a more detailed analysis of the quarantined files and reduces the risk of malware infection.

System

See System in the New Features Guide for more information.

Feature ID

Description

843997

Support Enrollment over Secure Transport (EST), as defined in RFC 7030, when generating a new CSR, performing automatic renewals, or manually regenerating a certificate. EST provides more security for automatic certificate management than Simple Certificate Enrollment Protocol (SCEP), which is commonly used for certificate enrollment.

# execute vpn certificate local generate est <options>

864021

Introduce the new Firmware Virtual Patch (FMWP) database to support local-in virtual patching. To install the FMWP database, the FortiGate must have a valid Firmware (FMWR) license. The FMWP database can be viewed by running the diagnose autoupdate versions command.

905629

Introduce the Operational Technology (OT) Security Service to help consolidate OT services under one license and to decouple the underlying definitions and packages from IoT ones. New OT-related services such as OT Detection Definitions and OT Virtual Patching Signatures used in the virtual patching profile are now licensed under the OT Security Service.

907059

Allow the commands of a batch transaction to be viewed through the REST API from an API client.

909935

FortiOS now includes a built-in entropy source, which eliminates the need for a physical USB entropy token when booting up in FIPS mode on any platform. This enhancement continues to meet the requirements of FIPS 140-3 Certification by changing the source of entropy to CPU jitter entropy.

914674

Support log rotation for auto-script. Upon reaching its maximum size, the log file will seamlessly begin overwriting from the start, rather than halting the script.

927945

Introduce selected availability (SA) versioning and labeling for special builds provided for customers that will remain on the build for a long duration. The SA versioning uses an odd number as the minor version, and a four-digit number for the patch version.

931953

FortiOS supports Automatic Firmware Modification Attempt Reporting. This enhancement improves upon the Real-time file system integrity checking feature by implementing an automatic reporting mechanism in the event of an unauthorized firmware modification attempt.

User & Authentication

See Authentication in the New Features Guide for more information.

Feature ID

Description

743804

Add a RADIUS option to allow the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

883884

Support the SAML ForceAuthn option. This option allows you to force a user to re-authenticate with their identity provider, even if they already have an active session. This can be useful in scenarios where sensitive information is being accessed and an extra level of assurance is needed about the user's identity. This setting is disabled by default.

config user saml
    edit <name>
        set reauth {enable | disable}
    next
end

885400

Support local user password policies with enhanced complexity options. This allows customization of the local firewall user password policy with various settings, such as minimum length, character types, and password reuse. These settings are similar to the ones available for the system administrator password policy, which offers more security and flexibility than the previous local user password policy.

904054

Support using the IP address as a Calling-Station-ID.

config user radius
    edit <name>
        set call-station-id-type {legacy | IP | MAC}
    next
end

932769

Allow secure connections to SSL VPNs using certificate-based authentication. By utilizing the RADIUS protocol for authorization, access is granted based on the content of the Subject Alternative Name (SAN) in the user's certificate. This adds an extra layer of security by ensuring that only users with valid certificates can access the VPN.

VPN

See IPsec and SSL VPN in the New Features Guide for more information.

Feature ID

Description

780297

Enhance IKE debug filtering:

  • Reorganize ike-log-filter and ike-gateway-filter into two separate sub-commands.
  • Rename the src-addr and dst-addr filter options to loc-addr and rem-addr to make the naming more precise.
  • Add option to show the name of current executing functions in the IKE debug log (diagnose vpn ike log function-name {enable | disable}).
  • Display VDOM name instead of VDOM index in the debug log to provide more readability.

881903

Adjust the DTLS heartbeat parameters for SSL VPN. This improves the success rate of establishing a DTLS tunnel in networks with congestion or jitter.

config vpn ssl settings
    set dtls-heartbeat-idle-timeout <integer>
    set dtls-heartbeat-interval <integer>
    set dtls-heartbeat-fail-count <integer>
end

The default value for these attributes is 3 seconds, which is also the minimum allowable value. The maximum allowable value for these attributes is 10 seconds.

884772

Securely exchange serial numbers between FortiGates connected with IPsec VPN. This feature is supported in IKEv2, IKEv1 main mode, and IKEv1 aggressive mode. The exchange is only performed with participating FortiGates that have enabled the exchange-fgt-device-id setting under config vpn ipsec phase1-interface.

906370

Support EMS serial number checking per IPsec phase 1 interface.

config vpn ipsec phase1-interface
    edit <name>
        set ems-sn-check {enable | disable}
    next
end

909970

Support multiple interface monitoring for IPsec. This enables IPsec to monitor multiple interfaces per IPsec tunnel and activate the backup link only when all primary links are down. This is useful for customers who have more than one WAN link and want to minimize the use of their LTE or 5G interfaces, which are more costly and bandwidth-constrained. It allows customers to optimize their WAN link selection and performance, and reduce their operational expenses.

ZTNA

See Zero Trust Network Access in the New Features Guide for more information.

Feature ID

Description

913238

Add four new categories and 14 subtypes of ZTNA replacement messages that correspond to new error codes and error messages. Additional information is displayed for specific errors, giving end users more detail about the error encountered.
