New features or enhancements
More detailed information is available in the New Features Guide.
Cloud
See Public and private cloud in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 979375 | FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS. |
| 995867 | FortiGate-VM is officially certified on AliCloud Apsara Stack. |
| 997374 | High availability (HA) failover is now supported for IPv6 networks on GCP. The NextHopInstance route table attribute is used during an HA failover event. |
| 1029721 | The FortiOS Azure SDN connector moves the private IP on the trusted NIC during A/P HA failover. |
| 1031828 | Introduces a GraphQL bulk query for FortiGate on Azure. This reduces the number of API queries sent to Azure and, as a result, the time taken to resolve SDN connector dynamic objects in a large environment. A dynamic address bound to an Azure SDN connector looks like this (`Spoke_1 (AZ) #` is the hostname and VDOM prompt): `Spoke_1 (AZ) # show config firewall address` returns `config firewall address`, `edit "AZ"`, `set uuid 6b18eb16-7069-51ef-c174-58f82ee3d1b2`, `set type dynamic`, `set sdn "6899_AutoScale_1"`, `next`, `end`. Within that address the filter is set with `set filter <key1=value1> [& <key2=value2>] [\| <key3=value3>]`, where `&` combines conditions with AND and `\|` with OR. Available filter keys: `Vm`, `Tag.` (prefix, followed by the tag name), `Size`, `Location`, `SecurityGroup`, `Vnet`, `Subnet`, `ResourceGroup`, `ApplicationSecurityGroup`, `Vmss`, `Subscription`, `LoadBalancer`, `ApplicationGateway`, `ServiceTag`, `Region`, `K8S_Cluster`, `K8S_Namespace`, `K8S_ServiceName`, `K8S_NodeName`, `K8S_PodName`, `K8S_Region`, `K8S_Zone`, `K8S_Label.` (prefix, followed by the label name). |
| 1071411 | Azure SDN connectors support GraphQL bulk queries. |
| 1081155 | FortiGate-VM supports the AWS r8g instance family. |
LAN Edge
See LAN Edge in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 919714 | FortiSwitch event log IDs can now be used as triggers for automation stitches, so that events such as switch group modifications or location changes can drive automated actions like console alerts, script execution, and email notifications. |
| 947945 | The FortiOS WiFi controller lets customers generate MPSK keys through the FortiGuest self-registration portal, so they can create and assign MPSK keys to their own devices without administrator involvement. |
| 952124 | Users connected to a WiFi access point on a FortiExtender can now reach the internet even when the FortiGate is in LAN-extension mode, using the FortiGate LAN-extension interface. |
| 975075 | The FortiAP K series now supports IEEE 802.11be (Wi-Fi 7) on the FAP-441K, FAP-443K, FAP-241K, and FAP-243K models. |
| 975545 | Dynamic Access Control Lists (DACLs) are supported on the 802.1X ports of managed FortiSwitch units. RADIUS attributes returned at authentication configure the DACL, so traffic can be controlled per user session or per port on switch ports directly connected to user clients. |
| 976646 | Captive portal support is extended to newer wireless authentication methods such as OWE and the WPA3-SAE variants, so captive portal users can use the most secure authentication methods available. |
| 983561 | Memory use on FortiGate-managed FortiAPs is reduced by new controls that limit the data kept for rogue APs, station capabilities, rogue stations, and Bluetooth devices. This prevents rapid memory growth and improves CAPWAP stability. |
| 990058 | FortiOS can manage the USB port status on compatible FortiAP models: `config wireless-controller wtp-profile`, `edit <name>`, `set usb-port {enable \| disable}`, `next`, `end`. |
| 997048 | FortiOS supports beacon protection, which protects beacon frames against forgery so that stations can tell a legitimate network from a spoofed one: `config wireless-controller vap`, `edit <name>`, `set beacon-protection {enable \| disable}`, `next`, `end`. |
| 999971 | The NAS-Filter-Rule RADIUS attribute is accepted after successful WiFi 802.1X authentication. The rules are forwarded to the FortiAP, which builds a dynamic ACL (dACL) for the WiFi station. |
| 1006398 | Device matching is enhanced based on dynamic port policy (DPP) priority. A CLI setting controls how long a matched device is retained for dynamic port or NAC policies. |
| 1006607 | The FortiOS WiFi controller's MPSK feature now supports both WPA2-Personal and WPA3-SAE security modes. |
| 1012115 | Fast failover is supported for FortiExtender, so the FortiGate can quickly recover data sessions after a failover, reducing downtime. |
| 1030088 | The FortiAP sniffer now captures all frame types across the specified channel bandwidth, from 20 MHz up to 320 MHz, for in-depth wireless analysis and troubleshooting. |
| 1043784 | Previously, the WiFi controller supported MPSK on a WPA2-Personal SSID either by applying an MPSK profile or by enabling RADIUS MAC authentication, but on a WPA3-SAE SSID only through an MPSK profile. WPA3-SAE SSIDs can now also use RADIUS MAC authentication to implement MPSK. |
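Both the FortiSwitch 802.1X DACL feature (975545) and the FortiAP dACL feature (999971) build a per-session ACL from RADIUS NAS-Filter-Rule attributes. The following is an added example, not FortiOS code, showing what that translation involves: it parses the RFC 4849 rule syntax (`action dir proto from src to dst [ports]`, with `assigned` standing for the address given to the client) and evaluates packets against the resulting list first-match, denying anything that matches no rule. The attribute values and the assigned IP are constructed for the example.

```python
"""Build and evaluate a dynamic ACL from RADIUS NAS-Filter-Rule strings (RFC 4849)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None matches any protocol


@dataclass
class FilterRule:
    action: str                 # "permit" or "deny"
    direction: str              # "in" = from the client toward the network, "out" = toward the client
    proto: Optional[int]        # IP protocol number, None = any
    src: Optional[ipaddress.IPv4Network]   # None = any
    dst: Optional[ipaddress.IPv4Network]   # None = any
    ports: List[Tuple[int, int]] = field(default_factory=list)   # (lo, hi) destination port ranges, empty = any


def _addr(token: str, assigned_ip: str) -> Optional[ipaddress.IPv4Network]:
    """'any' matches everything; 'assigned' is the address the NAS gave this session."""
    if token == "any":
        return None
    if token == "assigned":
        return ipaddress.ip_network(assigned_ip)
    return ipaddress.ip_network(token, strict=False)


def parse_rule(text: str, assigned_ip: str) -> FilterRule:
    """Parse one rule of the form: action dir proto from src to dst [ports]."""
    toks = text.split()
    if len(toks) < 7 or toks[3] != "from" or toks[5] != "to":
        raise ValueError(f"malformed NAS-Filter-Rule: {text!r}")
    action, direction, proto = toks[0], toks[1], toks[2]
    if action not in ("permit", "deny") or direction not in ("in", "out"):
        raise ValueError(f"bad action or direction in: {text!r}")
    proto_num = PROTO_NUMBERS[proto] if proto in PROTO_NUMBERS else int(proto)
    ports = []
    for item in ",".join(toks[7:]).split(","):      # accepts "80 443" as well as "8000-8080,9000"
        if item:
            lo, _, hi = item.partition("-")
            ports.append((int(lo), int(hi or lo)))
    return FilterRule(action, direction, proto_num,
                      _addr(toks[4], assigned_ip), _addr(toks[6], assigned_ip), ports)


def build_dacl(attributes: List[str], assigned_ip: str) -> List[FilterRule]:
    """One NAS-Filter-Rule attribute per entry, kept in the order the RADIUS server sent them."""
    return [parse_rule(a, assigned_ip) for a in attributes]


def permitted(dacl: List[FilterRule], direction: str, proto: int,
              src_ip: str, dst_ip: str, dst_port: Optional[int] = None) -> bool:
    """First-match evaluation; traffic that matches no rule is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    port = dst_port if dst_port is not None else -1
    for r in dacl:
        if r.direction != direction:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.ports and not any(lo <= port <= hi for lo, hi in r.ports):
            continue
        return r.action == "permit"
    return False


# Constructed sample: NAS-Filter-Rule attributes a RADIUS server might return in an
# Access-Accept for a guest session, plus the IP the FortiGate assigned to that client.
SAMPLE_ATTRIBUTES = [
    "permit in udp from assigned to 10.0.0.53/32 53",
    "permit in tcp from assigned to 10.10.0.0/16 80,443",
    "deny in ip from any to 10.0.0.0/8",
    "permit in ip from any to any",
]
ASSIGNED_IP = "192.168.50.23"

if __name__ == "__main__":
    acl = build_dacl(SAMPLE_ATTRIBUTES, ASSIGNED_IP)
    checks = [("DNS to resolver", ("in", 17, ASSIGNED_IP, "10.0.0.53", 53)),
              ("HTTPS to intranet", ("in", 6, ASSIGNED_IP, "10.10.4.7", 443)),
              ("SSH to intranet", ("in", 6, ASSIGNED_IP, "10.10.4.7", 22)),
              ("SSH to internet", ("in", 6, ASSIGNED_IP, "203.0.113.9", 22))]
    for desc, args in checks:
        print(f"{desc:20s} -> {'permit' if permitted(acl, *args) else 'deny'}")
```

The third rule is the one that makes the ACL useful as a guest policy: it blocks the whole 10.0.0.0/8 range except the two services explicitly permitted above it, while the final rule lets everything else out. Because evaluation is first-match, reordering the attributes on the RADIUS server changes the result.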
Log & Report
See Logging in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 969386 | FortiOS now adds an event timestamp and timezone information to the log package header. |
Network
See Network in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 652281 | All proxy features are disabled by default on FortiGate models with 2 GB of RAM or less. On these platforms only processes in the mandatory and basic-mandatory categories start at boot; processes in the proxy-dependency and multiple-worker categories start only when a configuration change requires them. |
| 733258 | DNS over QUIC (DoQ) and DNS over HTTP/3 (DoH3) are supported in transparent and local-in DNS modes. Connections are established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH). The FortiGate can also now handle the QUIC/TLS handshake and perform deep inspection of HTTP/3 and QUIC traffic. |
| 888417 | Internal Switch Fabric (ISF) hash configuration is supported on NP7 platforms, letting users tune how the ISF distributes traffic for performance and security. Supported models: FG-1800F, FG-2600F, FG-3500F, FG-4200F, and FG-4400F. Configure NPU port mapping with `config system npu-post`, `config port-npu-map`, `edit <interface-name>`, `set npu-group <group-name>`, `next`, `end`. Configure the load-balancing algorithm the ISF uses to distribute traffic received on an interface across the NP7 processors with `config system interface`, `edit <interface>`, `set sw-algorithm {l2 \| l3 \| eh \| default}`, `next`, `end`. |
| 961038 | 2.5G and 5G speed options were added for the 10/1 GigE RJ45 interfaces on the FG-2600F, along with an automatic option (the new default) that negotiates the port speed. Existing port speed configurations are preserved during the firmware upgrade. |
| 962341 | RADIUS Vendor-Specific Attributes (VSAs) are supported for captive portal redirects, giving a smoother redirect experience in environments that rely heavily on vendor-specific attributes, such as corporate networks or public WiFi hotspots. |
| 963570 | ARP packets for a specific VLAN can be monitored on a DHCP-snooping trusted port of a managed FortiSwitch unit, and the VLAN ID, MAC addresses, and IP addresses are saved in the DHCP-snooping database. |
| 964518 | Selective subnet assignment is supported in IPAM: a configured IPAM pool will not use any subnet listed in its exclude table, giving more control over how IPAM pools are allocated. |
| 967653 | The interval at which DHCP leases are backed up, so that they survive outages, reboots, and other power cycles, is configurable: `config system global`, `set dhcp-lease-backup-interval <integer>`, `end`. |
| 971109 | The new `dhcp-relay-allow-no-end-option` setting makes the DHCP relay accept DHCP packets that lack the End option. The End option (option 255) marks the end of valid data in the options field, but there are scenarios in which it is absent; with this setting enabled such packets are relayed rather than treated as malformed: `config system interface`, `edit <interface>`, `set dhcp-relay-allow-no-end-option {disable \| enable}`, `next`, `end`. |
| 973573 | A tagged VLAN can now be specified for users to be assigned to when the authentication server is unavailable; previously only an untagged VLAN could be specified. This applies to 802.1X MAC-based authentication and works with both Extensible Authentication Protocol (EAP) and MAC authentication bypass (MAB). |
| 976152 | Source IP anchoring is supported in dial-up IPsec tunnels: the gateway matches connections based on IPv4/IPv6 gateway address parameters such as a subnet, address range, or country. |
| 977097 | A new CLI option selects whether IPv4 SCTP packets with a zero checksum are allowed, dropped, or trapped to the host on the NP7 platform: `config system npu`, `config fp-anomaly`, `set sctp-csum-err {allow \| drop \| trap-to-host}`, `end`, `end`. |
| 978974 | LTE modem firmware can be upgraded directly from FortiGuard, removing the need to download and upload it manually and allowing the upgrade to be scheduled. |
| 985285 | Packet capture criteria (interface, filters, and so on) can now be saved and reused, so the same capture can be started repeatedly without re-entering its parameters. New diagnostic commands list, start, stop, and remove GUI packet captures. |
| 990096 | Multiple remote autonomous systems (AS) can be assigned to a single BGP neighbor group using AS path lists, simplifying BGP configuration in large or complex networks. |
| 1032512 | Denied multicast sessions can be recorded in the session table, so subsequent packets of a denied multicast flow are matched and dropped directly, reducing CPU usage: `config system setting`, `set ses-denied-multicast-traffic {disable \| enable}`, `end`. |
| 1049910 | The FortiGate can now inspect 802.1ah (Provider Backbone Bridge, MAC-in-MAC) frames within a virtual wire pair. It parses the 802.1ah header, runs deep packet inspection and UTM scanning on the encapsulated customer frame, and re-adds the header before forwarding. |
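To make the `dhcp-relay-allow-no-end-option` behaviour (971109) concrete, here is an added example, not FortiOS code, of a DHCP options parser with a strict mode that rejects a message whose options field is not terminated by option 255 and a relaxed mode that accepts it as long as the last option is intact. The packet builder and the DHCPDISCOVER it produces are constructed for the example; the function and option names are this example's own.

```python
"""Parse DHCP options with and without the End option (255), as a DHCP relay must."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2131: marks the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST_LIST, OPT_CLIENT_ID = 53, 55, 61
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


class DhcpFormatError(ValueError):
    pass


def parse_dhcp_options(packet: bytes, allow_no_end_option: bool = False) -> dict:
    """Return {option_code: value} for a BOOTP/DHCP message (RFC 2131, RFC 2132).

    Strict behaviour: the options field must be terminated by End (255).
    With allow_no_end_option=True a message whose options simply run to the
    end of the packet is accepted, provided the last option is not truncated.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise DhcpFormatError("not a DHCP message: short packet or bad magic cookie")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:                     # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(packet):
            raise DhcpFormatError(f"option {code}: missing length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise DhcpFormatError(f"option {code}: truncated ({len(value)} of {length} bytes)")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated options are concatenated
        i += 2 + length
    if allow_no_end_option:                     # ran off the end cleanly, no End option seen
        return opts
    raise DhcpFormatError("options field is not terminated by the End option (255)")


def message_type(opts: dict) -> str:
    value = opts.get(OPT_MESSAGE_TYPE, b"")
    return MESSAGE_TYPES.get(value[0], "unknown") if value else "unknown"


def build_dhcp_message(options, with_end_option: bool = True, xid: int = 0x3903F326,
                       chaddr: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Construct a client-to-server DHCP message (BOOTREQUEST) carrying the given options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                         xid, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + (bytes([OPT_END]) if with_end_option else b"")


# Constructed sample: a DHCPDISCOVER asking for subnet mask, router, DNS servers and domain name.
DISCOVER_OPTIONS = [
    (OPT_MESSAGE_TYPE, b"\x01"),
    (OPT_CLIENT_ID, b"\x01\x00\x11\x22\x33\x44\x55"),
    (OPT_PARAM_REQUEST_LIST, bytes([1, 3, 6, 15])),
]

if __name__ == "__main__":
    good = build_dhcp_message(DISCOVER_OPTIONS)
    no_end = build_dhcp_message(DISCOVER_OPTIONS, with_end_option=False)
    print("with End option:", message_type(parse_dhcp_options(good)))
    try:
        parse_dhcp_options(no_end)
    except DhcpFormatError as e:
        print("strict parser rejects:", e)
    print("relaxed parser accepts:", message_type(parse_dhcp_options(no_end, allow_no_end_option=True)))
```

The relaxed mode only waives the terminator; a message whose final option claims more bytes than remain is still rejected, which is the check that keeps "no End option" from becoming "accept any trailing garbage".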
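The 802.1ah inspection feature (1049910) depends on taking the Provider Backbone Bridge header off, inspecting the customer frame inside, and putting the same header back. The following added example, which is not FortiOS code, does that in Python for a constructed PBB frame (B-TAG plus I-TAG around an IPv4/TCP SYN): it extracts the I-SID, applies a small policy to the inner frame, and re-encapsulates byte-for-byte. The MAC addresses, I-SID and policy are assumptions made for the example.

```python
"""Strip an IEEE 802.1ah (PBB, MAC-in-MAC) header, inspect the customer frame, re-add the header."""
import struct
from dataclasses import dataclass
from typing import Optional, Set

ETH_P_8021Q, ETH_P_8021AD, ETH_P_8021AH, ETH_P_IPV4 = 0x8100, 0x88A8, 0x88E7, 0x0800
IPPROTO_TCP = 6


@dataclass
class PbbFrame:
    backbone_header: bytes   # B-DA, B-SA, optional B-TAG, I-TAG: preserved across inspection
    isid: int                # 24-bit backbone service instance identifier from the I-TAG
    inner: bytes             # the encapsulated customer frame, starting at C-DA


def _u16(b: bytes, off: int) -> int:
    if len(b) < off + 2:
        raise ValueError("truncated frame")
    return struct.unpack_from("!H", b, off)[0]


def decapsulate_8021ah(frame: bytes) -> PbbFrame:
    """Split a PBB frame into its backbone header and the customer frame it carries."""
    off = 12                                      # past B-DA and B-SA
    tpid = _u16(frame, off)
    if tpid == ETH_P_8021AD:                      # optional B-TAG (backbone VLAN)
        off += 4
        tpid = _u16(frame, off)
    if tpid != ETH_P_8021AH:
        raise ValueError(f"not an 802.1ah frame: TPID 0x{tpid:04x}")
    if len(frame) < off + 6 + 14:
        raise ValueError("truncated: no customer Ethernet header after the I-TAG")
    itci = struct.unpack_from("!I", frame, off + 2)[0]   # PCP/DEI/UCA/reserved (8 bits) + I-SID (24 bits)
    off += 6
    return PbbFrame(frame[:off], itci & 0x00FFFFFF, frame[off:])


def encapsulate_8021ah(pbb: PbbFrame, inner: bytes) -> bytes:
    """Re-add the preserved backbone header in front of the (possibly modified) customer frame."""
    return pbb.backbone_header + inner


def customer_ethertype(inner: bytes) -> int:
    """EtherType of the customer frame, looking through one C-VLAN (802.1Q) tag if present."""
    et = _u16(inner, 12)
    return _u16(inner, 16) if et == ETH_P_8021Q else et


def tcp_dst_port(inner: bytes) -> Optional[int]:
    """Destination TCP port of the customer frame, or None if it is not IPv4/TCP."""
    if customer_ethertype(inner) != ETH_P_IPV4:
        return None
    ip = 18 if _u16(inner, 12) == ETH_P_8021Q else 14
    if len(inner) < ip + 20 or inner[ip] >> 4 != 4 or inner[ip + 9] != IPPROTO_TCP:
        return None
    ihl = (inner[ip] & 0x0F) * 4
    return _u16(inner, ip + ihl + 2)


def inspect_and_forward(frame: bytes, blocked_tcp_ports: Set[int]) -> Optional[bytes]:
    """Virtual-wire-pair style handling: decapsulate, apply a policy to the customer frame,
    and return the re-encapsulated frame, or None when the policy drops it."""
    pbb = decapsulate_8021ah(frame)
    if tcp_dst_port(pbb.inner) in blocked_tcp_ports:
        return None
    return encapsulate_8021ah(pbb, pbb.inner)


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_sample_frame(isid: int = 0x012345, bvlan: int = 100, dport: int = 23,
                       with_btag: bool = True) -> bytes:
    """Constructed PBB frame: optional B-TAG, I-TAG, then an IPv4/TCP SYN 10.1.1.10 -> 10.2.2.20."""
    backbone = _mac("00:1b:21:00:00:01") + _mac("00:1b:21:00:00:02")
    if with_btag:
        backbone += struct.pack("!HH", ETH_P_8021AD, bvlan)
    backbone += struct.pack("!HI", ETH_P_8021AH, isid)          # PCP/DEI/UCA bits left at 0
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    customer = _mac("00:50:56:aa:bb:cc") + _mac("00:50:56:dd:ee:ff") + struct.pack("!H", ETH_P_IPV4)
    return backbone + customer + ip + tcp


if __name__ == "__main__":
    frame = build_sample_frame()
    pbb = decapsulate_8021ah(frame)
    print(f"I-SID 0x{pbb.isid:06x}, inner EtherType 0x{customer_ethertype(pbb.inner):04x}, "
          f"TCP dport {tcp_dst_port(pbb.inner)}")
    print("telnet blocked:", inspect_and_forward(frame, {23}) is None)
    print("round trip intact:", encapsulate_8021ah(pbb, pbb.inner) == frame)
```

The point of keeping `backbone_header` as raw bytes rather than parsed fields is that re-encapsulation is then guaranteed to reproduce the original header, including the B-TAG PCP/DEI bits and the I-TAG flag byte, which a field-by-field rebuild could silently normalise.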
Operational Technology
See Operational Technology in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 952000 | Modbus serial to Modbus TCP conversion is supported. All FortiGate rugged models with a serial RS-232 (DB9/RJ45) interface can perform real-time monitoring, control, and coordination across the network, letting industrial automation users carry Modbus data without extra protocol converters. |
| 972541 | IEC 60870-5-101 serial to IEC 60870-5-104 TCP/IP transport is supported. All FortiGate rugged models with a serial RS-232 (DB9/RJ45) interface can now carry telecontrol, teleprotection, and associated telecommunications for electric power systems over the network. |
Policy & Objects
See Policy and objects in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 807549 | NPU offloading of ingress traffic shaping is supported on NP7 and SOC5 models, improving performance under a high volume of incoming traffic. It is not supported on NP6 and SOC4 models. |
| 865786 | The policy name and ID are combined into a single Policy column so both are always visible, and policies can be moved by ID, which simplifies managing policy tables with hundreds of entries. |
| 961309 | With `src-vip-filter` enabled on a VIP, `src-filter` is also used as the destination filter for the reverse SNAT rule, in addition to its traditional role in the forward DNAT rule, simplifying bidirectional NAT: `config firewall vip`, `edit <name>`, `set src-filter <IP>`, `set extip <IP>`, `set mappedip <IP>`, `set extintf <string>`, `set nat-source-vip enable`, `set src-vip-filter enable`, `next`, `end`. |
| 966992 | A configurable interim log is supported for port block allocation (PBA) NAT logging, so PBA event logs are also produced during an ongoing session rather than only at its start and end: `config firewall ippool`, `edit <name>`, `set type port-block-allocation`, `set pba-interim-log <integer>`, `next`, `end`. |
| 967654 | Internet service objects can be used as the source address in a local-in policy, giving more control over traffic destined to the FortiGate itself. |
| 977005 | DSCP marking is supported for self-generated traffic, allowing the FortiGate to act as a full CPE device that connects directly to the provider's network without a separate CPE router, reducing cost and complexity. |
SD-WAN
See SD-WAN in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 987765 | Enhancements have been added to improve overall ADVPN 2.0 operation for SD-WAN, including: |
| 1016452 | To keep FortiGate spoke traffic uninterrupted while configuration is orchestrated from the SD-WAN Overlay-as-a-Service (OaaS), an OaaS agent is added to the FortiGate. The agent communicates with the OaaS controller in FortiCloud, validates and compares FortiOS configuration, and applies configuration orchestrated from the OaaS portal to the FortiGate as a single transaction. If any change fails to apply, the agent rolls back all orchestrated changes. Communication between the OaaS agent and the OaaS controller is secured with the FGFM management tunnel. The new CLI command |
Security Fabric
See Security Fabric in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 789237 | The source IP address and outgoing interface used for communication with the upstream FortiGate in the Security Fabric can be customized: `config system csf`, `set source-ip <class_ip>`, `set upstream-interface-select-method {auto \| sdwan \| specify}`, `end`. |
| 943352 | A FortiVoice tag dynamic address can be applied to a NAC policy: `config user nac-policy`, `edit <name>`, `set category fortivoice-tag`, `set fortivoice-tag <string>`, `next`, `end`. |
| 972642 | The external resource entry limit is now global, and the file size limit scales with the device model, so resource use is matched to each model's capacity. |
| 1007937 | The Zstandard (zstd) content encoding is supported for web content: FortiOS can decode, scan, and forward zstd-encoded content in a proxy-based policy, passing or blocking it according to the UTM profile settings. |
| 1012620 | A FortiGate full fabric upgrade now upgrades devices by group in the following order: |
| 1034551 | OCI SDN connectors support IPv6 address objects. |
| 1039849 | OCI SDN connectors support IPv6 for dynamic firewall addresses and high availability failover. |
Security Profiles
See Security profiles in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 886575 | Search engine controls are extended to flow-based web filter profiles, including Safe Search, Restrict YouTube Access, and Restrict Vimeo Access. |
| 937178 | FortiOS antivirus content disarm and reconstruction (CDR) now handles XLSB, OpenOffice, and RTF files, removing active content such as hyperlinks and embedded media while preserving the text, as an additional defence against malicious documents. |
| 939342 | GUI support for Exact Data Match (EDM) in data loss prevention improves the configuration experience and data management. |
| 968303 | TLS connections that use Encrypted Client Hello (ECH) can be controlled with options to block them, allow them, or force the client to fall back to a non-ECH TLS connection by modifying the DNS-over-HTTPS (DoH) responses that deliver the ECH configuration. |
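The "force the client to a non-ECH connection" option works because a browser only attempts ECH when the HTTPS (type 65) DNS record for the site carries an `ech` SvcParam (key 5, RFC 9460). The following is an added example, not FortiOS code, of that DoH response rewrite in Python: it walks the wire-format DNS message, removes the `ech` key from every HTTPS record in the answer section, fixes the RDLENGTH, and refuses to continue if a later name-compression pointer would point into the region that moved. The sample response, the ECHConfigList bytes and the function names are constructed for the example.

```python
"""Rewrite a DNS-over-HTTPS response so HTTPS records no longer advertise ECH (SvcParam key 5)."""
import struct

TYPE_HTTPS = 65
SVCPARAM_ECH = 5
NAME_BEARING_TYPES = {2, 5, 6, 12, 15, 33}   # NS, CNAME, SOA, PTR, MX, SRV: RDATA may hold pointers


def _walk_name(msg: bytes, off: int):
    """Return (offset just past the wire-format name at off, pointer target or None)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1, None
        if ln & 0xC0 == 0xC0:                              # a compression pointer ends the name
            return off + 2, struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        off += 1 + ln


def parse_svcparams(data: bytes):
    """Parse SvcParams into [(key, value)]; keys must be strictly ascending (RFC 9460 2.2)."""
    params, off, last = [], 0, -1
    while off < len(data):
        key, length = struct.unpack_from("!HH", data, off)
        value = data[off + 4:off + 4 + length]
        if len(value) != length or key <= last:
            raise ValueError("malformed SvcParams")
        params.append((key, value))
        off, last = off + 4 + length, key
    return params


def strip_ech_rdata(rdata: bytes) -> bytes:
    """Drop the ech SvcParam from HTTPS RDATA. AliasMode (priority 0) carries no SvcParams."""
    priority = struct.unpack_from("!H", rdata, 0)[0]
    name_end, _ = _walk_name(rdata, 2)                     # TargetName is never compressed
    if priority == 0:
        return rdata
    kept = [(k, v) for k, v in parse_svcparams(rdata[name_end:]) if k != SVCPARAM_ECH]
    return rdata[:name_end] + b"".join(struct.pack("!HH", k, len(v)) + v for k, v in kept)


def strip_ech_from_response(msg: bytes) -> bytes:
    """Rewrite every HTTPS RR in the answer section; all other records are copied unchanged."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _walk_name(msg, off)[0] + 4                  # skip QNAME, QTYPE, QCLASS
    out = bytearray(msg[:off])
    first_shift = None          # old offset from which byte positions move because an RDATA shrank
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            name_end, target = _walk_name(msg, off)
            if first_shift is not None and target is not None and target >= first_shift:
                raise NotImplementedError("compression pointer into the rewritten region")
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, name_end)
            rdata = msg[name_end + 10:name_end + 10 + rdlen]
            if section == "an" and rtype == TYPE_HTTPS:
                new = strip_ech_rdata(rdata)
                if new != rdata and first_shift is None:
                    first_shift = name_end + 10
                rdata = new
            elif first_shift is not None and rtype in NAME_BEARING_TYPES:
                raise NotImplementedError("name-bearing RDATA after the rewritten region")
            out += msg[off:name_end] + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
            off = name_end + 10 + rdlen
    return bytes(out)


def https_svcparams(msg: bytes):
    """SvcParams of the first answer record, which this example expects to be an HTTPS RR."""
    off = 12
    for _ in range(struct.unpack_from("!H", msg, 4)[0]):
        off = _walk_name(msg, off)[0] + 4
    name_end, _ = _walk_name(msg, off)
    rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, name_end)
    if rtype != TYPE_HTTPS:
        raise ValueError("first answer is not an HTTPS record")
    rdata = msg[name_end + 10:name_end + 10 + rdlen]
    return parse_svcparams(rdata[_walk_name(rdata, 2)[0]:])


ECH_CONFIG_LIST = b"\x00\x08\xfe\x0d\x00\x04\xde\xad\xbe\xef"   # constructed placeholder, not a real ECHConfigList


def build_sample_response(ech: bytes = ECH_CONFIG_LIST) -> bytes:
    """Constructed DoH answer to 'example.com HTTPS': one ServiceMode RR with alpn, ipv4hint and ech."""
    params = [(1, b"\x02h2"), (4, bytes([93, 184, 216, 34]))] + ([(5, ech)] if ech else [])
    rdata = struct.pack("!H", 1) + b"\x00" + b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", TYPE_HTTPS, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_HTTPS, 1, 300, len(rdata)) + rdata   # owner name points at QNAME
    return header + question + answer


if __name__ == "__main__":
    before = build_sample_response()
    after = strip_ech_from_response(before)
    print("keys before:", [k for k, _ in https_svcparams(before)])
    print("keys after: ", [k for k, _ in https_svcparams(after)], f"({len(before) - len(after)} bytes removed)")
```

Removing the `ech` key is the whole trick: a client that sees no ECHConfigList sends a plain ClientHello with the SNI in the clear, which is what lets a TLS inspection policy match the server name. Note that this only works when the FortiGate can see and modify the DoH traffic, which is why the feature is tied to DoH handling rather than to TLS alone.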
System
See System in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 480717 | Add |
| 883606 | The INDEX extension, which appends a VDOM or interface index to entries in the standard (RFC) SNMP MIB tables, can be enabled or disabled: `config system snmp sysinfo`, `set append-index {enable \| disable}`, `end`. |
| 925233 | The SSH daemon host key is now separate from the administration server certificate, and ECDSA P-384 and P-256 host keys are supported, covering the most commonly used host key algorithms. A custom host key is installed with `config system global`, `set ssh-hostkey-override {enable \| disable}`, `set ssh-hostkey-password <password>`, `set ssh-hostkey <encrypted_private_key>`, `end`. |
| 955835 | Previously, when auto-upgrade was disabled, users were warned to run `exec federated-upgrade cancel` to remove any scheduled upgrades. The system now cancels pending upgrades automatically, so no manual action is needed. |
| 957562 | The rate at which NP7 processors generate ICMPv4 and ICMPv6 error packets can be limited to prevent excessive CPU usage. Limiting is enabled by default; each address family has a token bucket whose refill rate (packets per second) and size (largest burst passed without drops) can be tuned: `config system npu`, `config icmp-error-rate-ctrl`, `set icmpv4-error-rate-limit {disable \| enable}`, `set icmpv4-error-rate <packets-per-second>`, `set icmpv4-error-bucket-size <token-bucket-size>`, `set icmpv6-error-rate-limit {disable \| enable}`, `set icmpv6-error-rate <packets-per-second>`, `set icmpv6-error-bucket-size <token-bucket-size>`, `end`, `end`. |
| 971546 | GUI support is added for controlling which CLI commands an administrator profile may use. |
| 988090 | Timezone updates no longer require a firmware image upgrade. The IANA timezone database was previously embedded in the image; it is now downloaded from FortiGuard, so the FortiGate refreshes its timezone database automatically and customers get new or changed timezones without waiting for the next image release. |
| 1000368 | The `delay-tcp-npu-session enable` option can be applied globally instead of per firewall policy, conserving resources: `config system global`, `set delay-tcp-npu-session {enable \| disable}`, `end`. |
| 1013511 | The kernel now verifies the signed hashes of important file systems and object files during boot. This prevents file systems with unauthorized changes from being mounted and unauthorized objects from being loaded into user space; if signed hash verification fails, the system halts. |
| 1061119 | CPU usage of the ipshelper process during IPS database updates is reduced. |
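The two knobs per family in 957562, a rate in packets per second and a bucket size, are the parameters of a token bucket, and the interaction between them decides how a burst of would-be ICMP errors (a port sweep against closed ports, say) is treated. The following added simulation, which is not FortiOS code and makes no claim about the NP7 implementation beyond the rate and bucket-size semantics named in the CLI, shows that interaction: the bucket size bounds the burst that passes, the rate bounds the sustained output, and the two families are limited independently. The workload and defaults are constructed for the example.

```python
"""Token-bucket rate control for generated ICMP error packets, one bucket per IP family."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    rate: float                 # tokens added per second (= sustained error packets per second)
    size: int                   # bucket capacity (= largest burst that passes without drops)
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens, self.last = float(self.size), 0.0    # starts full

    def take(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        if now < self.last:
            raise ValueError("clock went backwards")
        self.tokens = min(float(self.size), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class IcmpErrorRateControl:
    """Mirrors the per-family knobs: enable flag, packets-per-second rate, token bucket size."""
    v4_enabled: bool = True
    v4_rate: float = 100.0
    v4_bucket: int = 50
    v6_enabled: bool = True
    v6_rate: float = 100.0
    v6_bucket: int = 50
    _buckets: Dict[int, TokenBucket] = field(init=False, default_factory=dict)

    def __post_init__(self):
        self._buckets = {4: TokenBucket(self.v4_rate, self.v4_bucket),
                         6: TokenBucket(self.v6_rate, self.v6_bucket)}

    def may_send(self, family: int, now: float) -> bool:
        enabled = self.v4_enabled if family == 4 else self.v6_enabled
        return True if not enabled else self._buckets[family].take(now)


def simulate(ctrl: IcmpErrorRateControl, events: List[Tuple[float, int]]) -> Dict[str, int]:
    """events: (timestamp in seconds, IP family) for every ICMP error the NPU would like to emit."""
    counts = {"sent4": 0, "dropped4": 0, "sent6": 0, "dropped6": 0}
    for now, family in sorted(events):
        counts[("sent" if ctrl.may_send(family, now) else "dropped") + str(family)] += 1
    return counts


def sample_events() -> List[Tuple[float, int]]:
    """Constructed workload: two 200-packet IPv4 bursts one second apart, then 100 IPv4 errors
    spread evenly over the following two seconds, with a steady 20 IPv6 errors per second."""
    events = [(0.0, 4)] * 200 + [(1.0, 4)] * 200
    events += [(2.0 + 0.02 * i, 4) for i in range(100)]
    events += [(0.05 * i, 6) for i in range(80)]
    return events


if __name__ == "__main__":
    for label, ctrl in [("defaults (rate 100, bucket 50)", IcmpErrorRateControl()),
                        ("bigger bucket (rate 100, bucket 200)", IcmpErrorRateControl(v4_bucket=200)),
                        ("IPv4 limit disabled", IcmpErrorRateControl(v4_enabled=False))]:
        print(f"{label:40s} {simulate(ctrl, sample_events())}")
```

With the defaults each 200-packet burst yields 50 error packets and 150 drops, while the paced 50 packets per second afterwards pass untouched because they stay under the refill rate; raising only the bucket size lets the first burst through in full without raising the sustained rate, which is usually the adjustment wanted when legitimate traceroute or PMTU discovery bursts are being clipped.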
User & Authentication
See Authentication in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 951626 | Client certificate validation and EMS tag matching are supported in explicit proxy policies. |
| 973805 | The client certificate can be cached as an authentication cookie, so the user is not repeatedly prompted to authenticate. |
VPN
See IPsec and SSL VPN in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 951763 | A cross-validation mechanism for IPsec VPN checks that the username provided by the client matches the identity field in the peer certificate. The identity field, which can be an otherName, rfc822Name, or CN, uniquely identifies the client. |
| 972643 | TCP encapsulation of IKE and IPsec packets is interoperable with other vendors' implementations, so a secure network can be maintained with whichever hardware best fits the user's requirements. |
| 979375 | FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS. |
| 996136 | Session resumption is supported for IKEv2 IPsec tunnels. The tunnel is kept in an idle state so use continues uninterrupted after a client resumes from sleep or after connectivity is restored, and the client does not need to re-authenticate when reconnecting. |
| 1006448 | SSL VPN security is improved by restricting and validating the HTTP messages that are used only by web mode and tunnel mode. |
WiFi Controller
See Wireless in the New Features Guide for more information.
| Feature ID | Description |
|---|---|
| 1029522 | The FortiOS WiFi controller previously integrated only with the Polestar BLE-based Real-Time Location Service (RTLS), so its configuration was specific to that one system. It now also supports the Evresys BLE-RTLS system. |
| 1044322 | The FortiGate WiFi controller can upload the portal server's certificate to the FortiAP, so the FortiAP uses the same server certificate to secure the HTTPS POST actions. With the corresponding CA imported on users' devices, authentication proceeds without certificate warnings. |