Add GUI support for configuring IPv6 settings for IPv6 MAC address, SNMP, DHCPv6 server and client, DHCPv6 SLAAC, and prefix delegation. Updates include:

• When IPv6 is enabled, a user can view, edit, and create IPv6 host entries.
• General IPv6 options can be set on the Interface page, including the ability to configure SLAAC and DHCPv6.
• Ability to retrieve IPv6 information for a DHCPv6 client similar to the existing DHCP support for IPv4.
• IPv6 MAC is available form the address creation context menu.

Add a new LAG implementation so each session uses the same NP6 and XAUI for ingress and egress direction to avoid the fast path congestion (the default value is disable).

config system npu
    set lag-out-port-select {enable | disable}
end

Add a new algorithm in the NPU driver to the bond algorithm list (AGG_ALGORITHM_NPU).

Support HTTP2 in proxy mode by adding the ability to inspect HTTP2 via ALPN.

config firewall ssl-ssh-profile
    edit <name>
        set supported-alpn {http1-1 | http2 | all | none}
    next
end

Allow denied sessions to be offloaded by the NPU when session-denied traffic is also enabled. This enables sessions to be offloaded for packets that are denied by the firewall policy, which can help reduce CPU usage.

config system npu
    session-denied-offload {enable | disable}
end

Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed:

config system virtual-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

config system physical-switch
    edit <name>
        config port
            edit <name>
                set speed <option>
                set status {up | down}
            next
        end
    next
end

Add security rating test to check if two-factor authentication is enabled for each active SSL VPN and IPsec user.

Add new setting to enable auto provisioning of FortiSwitch firmware upon authorization. On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate models without a disk, one image of the same FortiSwitch model can be uploaded.

Add a specific auth-timeout field in the SSL VPN monitor.

In scenarios where the FortiGate is sandwiched by load-balancers and SSL processing is offloaded on the external load-balancers, the FortiGate can perform scanning on the unencrypted traffic by specifying the ssl-offloaded option in the protocol options profile. This was previously supported in proxy mode only, but now it is also supported in flow mode.

Add settings to enable flow control and pause metering. Pause metering allows the FortiSwitch to apply flow control to ingress traffic when the queue is congested and to resume once it is cleared.

On supported managed switch ports, the FortiGate allows the port to be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25 Gbps ports, or Clause 91 RS-FEC for 100 Gbps ports.

config switch-controller managed-switch
    edit <serial number>
        config ports
            edit <name>
                set fec-state {disabled | cl74 | cl91}
            next
        end
    next
end

Add RADIUS CoA support for SSL-VPN. After receiving a Disconnect Request(40) from a RADIUS server, the SSL VPN daemon will search related sessions according to user name and RADIUS server name to log off the specific user (including web and tunnel session).

When a device first connects to a switch port, or when a device goes from offline to online, the FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy. Optimizations made to the process shortens the time it takes for a new device to be recognized and assigned to the VLAN.

Add dual stack IPv4/IPv6 support for SSL VPN servers, which enables a client to establish a dual stack tunnel that allows IPv4 and IPv6 traffic to pass through.

config vpn ssl settings
    set dual-stack-tunnel {enable | disable}
end

In web mode, users can access IPv4 and IPv6 bookmarks in the portal. A new attribute, prefer-ipv6-dns, is added to prefer querying IPv6 DNS first.

Make the following enhancements to the antiphishing profile:

• Allow username and password field patterns to be fetched from FortiGuard.
• Add DNS support for domain controller IP fetching.
• Add support to specify a source IP or port for the fetching domain controller.
• Add LDAP server as a credential source.
• Block or log valid usernames regardless of password match.
• Add literal custom patterns type for username and password.

Port policy configurations are moved out of NAC policies into a standalone dynamic port policy configuration. Physical ports now have a choice of thee access modes: static, dynamic (default), and NAC. In dynamic mode, a Dynamic Port Policy profile can be assigned, allowing devices matching defined criteria to apply specific port properties based on LLDP, QoS, 802.1X, or VLAN policies. NAC policies, provide more criteria to match devices and assign them to an appropriate VLAN.

OpenSSL updated to 1.1.1j for security fixes.

Add XAuth User to VPN chart in the PDF report.

FortiClient EMS with fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, then silently approve remaining downstream FortiGates in the Fabric. Similarly, in an HA scenario, approval only needs to be made once to the HA primary unit. The remaining cluster members will be approved silently.

In 6.2, stream-based AV scan was added in proxy mode for HTTP(S). This is now supported for FTP(S), SFTP, and SCP. The stream-based scan optimizes memory utilization for large archive files like ZIP, TAR.GZ, and so on by decompressing the files on the fly and scanning files as they are extracted. Smaller files can also be scanned directly on the proxy-based WAD daemon, improving traffic throughput.

Enhance freestyle log filtering so that users can specify more powerful filters. The config free-style setting is added to log filters for each log device. For example:

config log memory filter
    config free-style
        edit 1
           set category {event | virus | webfilter | attack | spam | anomaly | voip | dlp | app-ctrl | waf | gtp | dns | ssh | ssl | file-filter | icap}
           set filter <string>
           set filter-type include
        next
    end
end

The filter string can be a legal regular filter string. For example, ((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60).

To avoid large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon:

• Prioritize established SAs.
• Offload groups 20 and 21 to CP9.
• Optimize the default embryonic limits for mid- and high-end platforms.

The IKE embryonic limit can now be configured in the CLI.

config system global
    set ike-embryonic-limit <integer>
end

Users can configure advanced BGP and OSPF routing options in the GUI. A new Routing Objects page allows users to configure Route Map, Access List, Prefix List, AS Path List, and Community List from the GUI. The Dashboard > Network routing monitor now displays BGP Neighbors, BGP Paths, and OSPF Neighbors.

After authorizing a FortiAP, administrators can also register the FortiAP to FortiCloud directly from the FortiGate GUI.

Add interface selection for IPS TLS protocol active probing.

config ips global
    config tls-active-probe
        set interface-selection-method {auto | sdwan | specify}
        set interface <interface>
        set vdom <VDOM>
        set source-ip <IPv4 address>
        set source-ip6 <IPv6 address>
    end
end

The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency when event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper.

config monitoring npu-hpe
    set status {enable | disable}
    set interval <integer>
    set multipliers <m1>, <m2>, ... <m12>
end

The interval is set in seconds (1 - 60, default = 1). The multiplies are twelve integers ranging from 1 - 255, the default is 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8.

An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) number of continuous event logs.

Support reference to any action results in chained actions of automation stitches.

AWS and Azure now support FIPS ciphers mode.

A custom IKE port can be specified to replace the default UDP/500 port for IKE negotiation.

config system settings
    set ike-port <1024 - 65535>
end

When creating a Cisco ACI direct connector, configuring multiple IPs allows the FortiGate to connect to the server in a round-robin fashion. Only one server will be active and the remaining will serve as backups if the active one fails.

When a FortiClient endpoint is managed by EMS, logged in user and domain information is shared with FortiOS via the EMS connector. This information is used to fetch additional attributes over the Exchange connector to produce more complete user information for the user store.

Security rating notifications are shown on the settings page, which has configuration issues as determined by the security rating. Users can open the recommendation to see which configuration item needs to be fixed. This frees users from going back and forth between the Security Rating page and the settings page. Notifications appear either in the gutter, the footer, or as a mutable. Notifications can be dismissed.

On IBM VPC Cloud, users can deploy their BYOL FortiGate VMs in unicast HA. HA failover triggers routing changes and floating IP reassignment on the IBM Cloud automatically via the API.

FortiSwitch events now have their own category on the Events log page.

In a tenant VDOM, allow lldp-profile and lldp-status to be configurable on a leased switch port.

By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM.

config nsxt setting
    set liveness {enable | disable}
    set service <service name>
end
config nsxt service-chain
    edit <ID>
        set name <chain name>
        config service-index
            edit <forward index>
                set reverse-index <value>
                set name <index name>
                set vd <VDOM>
            next
        end
    next
end

The default value for reverse-index is 1. The vd setting is required.

This feature enables the FortiGate to be configured as an SSL VPN client. A new SSL type interface is added to support the SSL VPN client configuration. When the SSL VPN client connection is established, the SSL VPN client will dynamically add a route to the subnets returned by the SSL VPN server. Subsequently, you can define policies to allow users behind the FortiGate acting as SSL VPN clients to be tunneled through SSL VPN to the destinations on the SSL VPN server.

The route tag is a mechanism to map a BGP community string to a specific tag. The string may correspond to a specific network that a BGP router advertised. Using this tag, an SD-WAN service rule can be used to define specific handling of traffic to that network. In this enhancement, IPv6 route tags are now supported.

With the video filter profile, users can filter YouTube videos by channel ID for a more granular override of a single channel, user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

When units are out-of-sync in an HA cluster, the GUI will now compare the HA checksums and display the tables that caused HA to be out-of-sync. This can be visualized in the HA monitor page and the HA Status widget.

Add new commands execute telnet-options and execute ssh-options to allow administrators to set the source interface and address for their connection.

Allow SD-WAN duplication rules to specify SD-WAN service rules to trigger packet duplication. This allows SD-WAN duplication to occur based on an SD-WAN rule instead of the source, destination, or service parameters in the duplication rule.

In an application control list, the exclusion option allows users to specify a list of applications they wish to exclude from an entry filtered by category, technology, or others.

config application list
    edit <list>
        config entries
            edit 1
                set category <ID>
                set exclusion <signature ID> ... <signature ID>
            next
        end
    next
end

When an SSL inspection profile is configured to protect the SSL server, multiple sites can potentially be deployed on the same protected server IP. This change adds support for multiple SSL certificates to attach to a SSL profile, allowing inspection based on matching SNI in the certificate.

Add four new SNMP OIDs for polling the number of packets and bytes that conform to traffic shaping, or are discarded by traffic shaping.

New REST API POST /api/v2/monitor/vpn/ike/clear?mkey=<gateway_name> will bring down IKE SAs tunnel the same way as diagnose vpn ike gateway clear.

The limit of BGP paths that can be selected and advertised has increased to 255 (originally 8).

When defining an automation stitch with an email action, users can enable replacement message and customize their message using a standard template.

Add a toggle to return node IP addresses only in dynamic firewall addresses for Kubernetes SDN connectors.

Add support to deploy FortiGate-VMs that are paravirtualized with SR-IOV and DPDK/vNP on OCI shapes that use Mellanox network cards.

Add additional information such as DHCP server MAC, gateway, subnet, and DNS to wireless DHCP logs.

In firewall sniffer mode, you can record traffic logs each time a source or destination address matches an IP address on an external threat feed.

Add global option fortiipam-integration to control FortiIPAM. When enabled, ipamd will run and report to FortiIPAM to allow automatic IP address/subnet management.

config system global
    set fortiipam-integration {enable | disable}
end

By default, the FortiGate uses the outbound interface's IP to communicate with a FortiSwitch managed over layer 3. The switch-controller-source-ip option allows the switch controller to use the FortiLink fixed address instead.

Add system event logs for the execution of CLI commands. When cli-audit-log is enabled under system global, the execution of execute, config, show, get, and diagnose commands will trigger system event logs.

Provide specific SNMP objects (OIDs) that allow the status of the mobile network connection to be monitored.

Because pre-standard POE devices are uncommon in the field, poe-pre-standard-detection is set to disable by default. Upgrading from previous builds will carry forward the configured value.

When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed:

• If a FortiAnalyzer appliance is enabled, then the dialog will be for the FortiAnalyzer connector.
• If a FortiAnalyzer appliance is disabled but FortiAnalyzer Cloud is enabled, then the dialog will be for the Cloud Logging connector.
• If neither the FortiAnalyzer appliance or FortiAnalyzer Cloud are enabled:
  • If the device has a FAZC (standard FortiAnalyzer Cloud subscription) or AFAC (premium subscription) entitlement, then the dialog will be for the Cloud Logging connector.
  • If the device does not have a FAZC or AFAC entitlement, then the dialog will be for the FortiAnalyzer connector.
• When FortiAnalyzer Cloud is enabled and the FortiAnalyzer appliance is disabled, then the Cloud Logging connector will not let you switch to the FortiGate Cloud FortiAnalyzer.

The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi network resources in roaming decisions and improves overall performance. This enhancement allows the FortiGate to push the MBO configuration to managed APs, which adds the MBO information element to the beacon and probe response for 802.11ax.

By using session-sync-dev to offload session synchronization processing to the kernel with various optimizations, four-member FGSP session synchronization can be supported to handle heavy loads.

Enabling IGMP snooping on an SSID allows the wireless controller to detect which FortiAPs have IGMP clients. The wireless controller will only forward a multicast stream to the FortiAP where there is a listener for the multicast group.

Add object synchronization improvements:

• Simplify the conflict resolution procedure so a multi-step wizard is no longer required. All conflicts appear in one table for all FortiGates in the Fabric and supported tables.
• Add an object diff feature to display the difference between FortiGate objects that are in conflict.
• Add new CLI command for the root FortiGate:

  config system csf
      set fabric-object-unification {default | local}
  end

  When set to default, objects will be synchronized in the Security Fabric. On downstream FortiGates, if configuration-sync is set to local, the synchronized objects from the root to downstream FortiGates is not applied locally. However, the device will still send the configuration to lower FortiGates.

• The fabric-object {enable | disable} command was added to the following tables:

  • firewall.address
  • firewall.address6
  • firewall.addrgrp
  • firewall.addrgrp6
  • firewall.service.category
  • firewall.service.group
  • firewall.service.custom
  • firewall.schedule.group
  • firewall.schedule.onetime
  • firewall.schedule.recurring

  Enabling fabric-object on the root starts synchronizing this object as a Fabric object to downstream devices. Disabling fabric-object makes the object local to the device.

• Add setting to define how many task worker process are created to handle synchronizations (1 - 4, default = 2). The worker processes dies if there is no task to perform after 60 seconds.

  config system csf
      set fabric-workers <integer>
  end

When a FortiSwitch upgrade is stuck due to connectivity issues, the following command allows the process to be cancelled.

# execute switch-controller switch-software cancel {all | sn | switch-group}

When an AliCloud SDN connector is configured, dynamic address objects can support Kubernetes filters based on cluster, service, node, pod, and more.

When a user disconnects from an SSL VPN tunnel, it is sometimes not desirable for the released IP to be immediately used up in the current first available IP assignment method. A new option is added in the CLI to set the tunnel address assignment method to either first available (default) or round-robin.

config vpn ssl settings
    set tunnel-addr-assigned-method {first-available | round-robin}
end

Support hardware switch on FG-300E, FG-400E, and FG-1100E models.

IoT background scanning is disabled by default. Users can enable this option on the FortiLink Interface page in the GUI or with the switch-controller-iot-scanning in the CLI.

FortiVoice can be added to the Security Fabric on the root FortiGate.

Add Application Bandwidth widget:

• It can be added to a dashboard to display bandwidth utilization for the top 50 applications.
• The favorites will be included even if they are not in the top 50.
• A firewall policy must have an application profile configured so the widget can capture information.
• A new CLI was added.

Integrate Broadcom bnxt_en 1.10.1 driver to drive new vfNIC to replace 1.9.2 version. The following new cards are supported:

• [BCM57508] = { "Broadcom BCM57508 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

• [BCM57504] = { "Broadcom BCM57504 NetXtreme-E 10Gb/25Gb/50Gb/100Gb/200Gb Ethernet" }

• [BCM57502] = { "Broadcom BCM57502 NetXtreme-E 10Gb/25Gb/50Gb Ethernet" }

• [BCM57508_NPAR] = { "Broadcom BCM57508 NetXtreme-E Ethernet Partition" }

• [BCM57504_NPAR] = { "Broadcom BCM57504 NetXtreme-E Ethernet Partition" }

• [BCM57502_NPAR] = { "Broadcom BCM57502 NetXtreme-E Ethernet Partition" }

• [BCM58812] = { "Broadcom BCM58812 NetXtreme-S 2x50G Ethernet" }

• [BCM58814] = { "Broadcom BCM58814 NetXtreme-S 2x100G Ethernet" }

• [BCM58818] = { "Broadcom BCM58818 NetXtreme-S 2x200G Ethernet" }

• [NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" }

When multi-VDOM mode is enabled, the threat feed external connector can be defined in global or within a VDOM. Global threat feeds can be used in any VDOMs, but are not editable within the VDOM. FortiGuard category and domain name based external feeds have added a category number field to identify the threat feed.

Add Security Rating test, Activate FortiCloud Services, to check whether FortiCloud services can be activated for FortiAnalyzer Cloud, FortiManager Cloud, FortiClient EMS Cloud, and FortiSandbox Cloud. If the account has a valid subscription to a service or cloud appliance, but the Fabric connection to it on the FortiGate is not enabled, then the test fails.

An HA failover can be triggered when memory utilization exceeds the threshold for a specific amount of time.

config system ha
    set memory-based-failover {enable | disable}
    set memory-failover-threshold <0 - 95>
    set memory-failover-monitor-period <1 - 300>
    set memory-failover-sample-rate <1 - 60>
    set memory-failover-flip-timeout <6 - 2147483647>
end

The user device store allows user and device data collected from different daemons to be centralized for quicker access and performance:

diagnose user-device-store device memory list

diagnose user-device-store device memory query mac <value>

diagnose user-device-store device memory query ip <value>

diagnose user-device-store device disk list

diagnose user-device-store device disk query <SQL WHERE clause>

With the new IPsec kernel design, the route tree is not available in the IPsec tunnel list used to select tunnels by the next hop. A tunnel ID is automatically generated and used to link routes with the IPsec tunnel. The IPsec tunnel ID is normally the remote gateway of the tunnel. For tunnels with the same remote gateway, the tunnel ID is randomly assigned (10.0.0.x) and will be different from the remote gateway. The tunnel ID (tun_id) is visible when running diagnose vpn ike gateway list and diagnose vpn tunnel list.

A route also has a tunnel ID, which coincides with the route gateway. When a route directs traffic to an IPsec interface and there are multiple VPN connections (usually dialup VPNs), if they have the same remote gateway, then the tunnel ID is automatically assigned.

Note that the route next hop of an IPsec VPN tunnel is only a tunnel identifier, not the real route next hop IP, which is different than the ordinary route next hop.

When configuring EMS Cloud in the Security Fabric, it is only allowed to be configured when the FortiGate is registered to FortiCloud and the EMS Cloud entitlement is verified.

Connection to FortiSandbox Cloud, which allows users to create an instance of FortiSandbox on FortiCloud, can now be easily configured from the Fabric Connectors page. In the Cloud Sandbox Settings, choose between connecting to FortiGate Cloud Sandbox or FortiSandbox Cloud. The connection to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the right FortiSandbox Cloud account.

When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character.

The AV engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. Previously, this type of detection was handled by heuristics that analyze file behavior. With AV Engine AI, the module is trained by FortiGuard AV against many malware samples to identify file features that make up the malware. The AV Engine AI package is downloaded by FortiOS from FortiGuard via FortiGuard updates. Devices with an active AV subscription can download this package.

The setting is enabled by default at a per-VDOM level:

config antivirus settings
    set machine-learning-detection enable
end

Support multiple LDAP server configurations for Kerberos keytab and agentless NTLM domain controller in multiple forest deployments.

In NGFW policy mode, application groups can be defined with the following filters: risk, protocols, vendor, technology, behavior, and popularity.

Security Fabric rating reports can now be generated in multi-VDOM mode, against all VDOMs. The Security Rating is visible under Global scope.

Backend update to support a TCP connection pool to maintain local-out TCP connections to the external ICAP server.

The SD-WAN Network Monitor service now supports running a speed test based on a schedule. The test results are automatically updated in the interface measured-upstream-bandwidth and measured-downstream-bandwidth fields. When the scheduled speed tests run, it is possible to temporarily bypass the bandwidth limits set on the interface and configure custom maximum or minimum bandwidth limits. These configurations are optional.

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can be based on a FortiGuard URL category.

In the scenario where session synchronization is down between two FGSP members that results in a split-brain situations, the IKE monitor provides a mechanism to maintain the integrity of state tables and primary/secondary roles for each gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up, the cluster resolves the role and synchronizes the session and IKE data. During this process, if the IKE fails over from one unit to another, the tunnel will remain valid due to the IKE session and role being out of sync, and the ESP anti-replay detection.

Conventionally, public cloud FortiGate deployments require four NICs (external data processing, internal data processing, heartbeat/synchronization, and HA management). The HA heartbeat and management have been merged into the same interface, so only three NICs are required.

To accommodate the new web filter categories, Child Abuse is renamed as Child Sexual Abuse. A new category 96, Terrorism, has been added to FortiOS and FortiGuard servers.

A secure SSL connection from the FortiGate to the ICAP server can be configured as follows:

config icap server
    edit "server"
        set secure enable
        set ssl-cert <certificate>
    next
end

Support Strict-Transport-Security in HTTPS redirect.

The Security Fabric can be enabled for a multi-VDOM environment, allowing access to all Fabric features including: Fabric topologies, security rating, and automation across the VDOM deployment. Users can navigate to downstream FortiGates directly from the root FortiGate via the new Fabric selection top-menu.

VDOM cookies have been removed since they are no longer being used to identify the current selected VDOM.

When a BGP next hop requires recursive resolution, the default behavior is to consider all other routes except BGP routes. The following option, when enabled, allows the recursive next hop resolution to use BGP routes as well.

config router bgp
    set recursive-next-hop {enable | disable}
end

Add option to switch between Peer and Peer Group view on PKI user page.

FortiExtender and VPN tunnel interfaces now support NetFlow sampling. VPN tunnel interfaces can be IPsec, IP in IP, or GRE tunnels. NetFlow sampling is supported on NPU and non-NPU offloaded tunnels.

When a HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal. Once authentication is done, the client can be redirected back to the original destination over HTTP.

In Dashboard > Users and Devices, administrators can use the FortiSwitch NAC VLANs widget to see which devices have been added to which VLANs by the NAC policy. A donut chart overview summarizes the number of devices in each VLAN.

Support ICMP type 13 at local interface.

Policy hit counters are now seven-day rolling counters. Instead of storing a single number for the hit count and byte count collected since the inception of each policy, seven numbers for the last seven days plus an active counter for the current day are stored. The past seven-day hit count is displayed on the policy list and policy dialog page. A seven-day bar chart for additional visualization of the statistics has been added. These changes help put the policy hit count comparison on the same footing.

To support per-packet load balancing on aggregate dial-up IPsec tunnels between sites, each spoke must configure a location ID. On the dial-up VPN hub, per-packet load balancing can be performed on tunnels in the IPsec aggregate with the same location ID.

config system settings
    set location-id <IPv4 address>
end

Once an incoming webhook connector is created in Microsoft Teams, this webhook URL can be used in an automation stitch under the action Microsoft Teams connector.

config system automation-action
    edit <action name>
        set action-type microsoft-teams-notification
    next
end

IPv6 multicast policies can be configured in the GUI by enabling IPv6 and Multicast Policy under System > Feature Visibility.

Add support for PRP (Parallel Redundancy Protocol) in NAT mode for a virtual wire pair. This preserves the PRP RCT (redundancy control trailer) while the packet is processed by the FortiGate.

Improve SOCKS/SSH proxy to support internet-service.

Provide options for controlling concurrent TCP/UDP connections by introducing a connection quota in the per-IP shaper and a port quota in the fixed port range type IP pool.

A DNS health check monitor can be configured for server load balancing. The monitor uses TCP or UDP DNS as the probes. The request domain is matched against the configured IP address to verify the response.

config firewall ldb-monitor
    edit <name>
        set type dns
        set port <string>
        set dns-protocol {udp | tcp}
        set dns-request-domain <string>
        set dns-match-ip <class_ip>
    next
end

Add support for OCI IMDSv2 that offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and during instance deployments with bootstrap metadata.

FortiGates with a premium subscription (AFAC contract) for cloud-based central logging and analytics are able to send traffic logs to FortiAnalyzer Cloud, in addition to UTM logs and event logs. FortiGates with a standard FortiAnalyzer Cloud subscription (FAZC contract) can send UTM and event logs only.

When configuring the generic DDNS service provider as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to an IPv6 DDNS server and provide the FortiGate's IPv6 interface address for updates.

config system ddns
    edit <name>
        set ddns-server genericDDNS
        set server-type {ipv4 | ipv6}
        set ddns-server-addr <address>
        set addr-type ipv6 {ipv4 | ipv6}
        set monitor-interface <port>
    next
end

The past seven-day hit count is displayed on the policy list page and the policy dialog page for IPv4 and IPv6 multicast policies. A seven-day bar chart for additional visualization of the statistics has been added.

Introduce FortiGuard updates for OUI files used to identify device vendors by MAC address. This database is used in WiFi and device detection.

Add support for MacOS Big Sur 11.1 in SSL VPN OS check.

In a Hub and Spoke SD-WAN topology with shortcuts created over ADVPN, a downed or recovered shortcut may affect which member is selected by a SD-WAN service strategy. The SD-WAN hold-down-time ensures that when a downed shortcut tunnel comes back up and the shortcut is added back into the service strategy equation, the shortcut is held to low priority until the hold-down-time has passed.

The Local Out Routing page consolidates features where a source IP and an outgoing interface attribute can be configured to route local out traffic. The outgoing interface has a choice of Auto, SD-WAN, or Specify to allow granular control over the interface in which to route the local out traffic. Local Out Routing must be enabled from System > Feature Visibility, and it supports multi-VDOM mode.

Add commands to debug traffic statistics for traffic monitor interfaces (interface), interface traffic in real-time data (peek), and to dump interface traffic history data (history):

# diagnose debug traffic {interface | peek | history}

A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate. Once the FortiWeb joins the Fabric, the following features are available:

• View the FortiWeb on topology pages.

• Create a dashboard Fabric Device widget to view FortiWeb data.

• Configure single sign-on using SAML.

Add option for users to set a non-default SD-WAN member zone for OCVPN IPsec interfaces. The sdwan-zone option is only available if SD-WAN is enabled. sdwan-zone references the entries in the SD-WAN configuration, and the default is virtual-wan-link.

config vpn ocvpn
    ... 
    set sdwan enable
    set sdwan-zone {virtual-wan-link | <zone> | ...}
    ...
end

Add interface-select option for email-server.

config system email-server
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
end

This enhancement allows a FortiGate to use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user.

config firewall policy
    edit 1
        set dynamic-shaping {enable | disable}
    next
end

Increase the ICMP rate limit to allow more ICMP error message to be sent by the FortiGate per second. The ICMP rate limit has changed from 1 second (100 jiffies) to 10 milliseconds (1 jiffy).

Allow option to configure a lowest unit of heartbeat interval of 10 ms, compared to the default of 100 ms.

config system ha
    set hb-interval-in-milliseconds {100ms | 10ms}
end

Add support for syslog RFC 5424 format, which can be enabled when the syslog mode is UDP or reliable.

config log syslogd setting
    set format {default | csv | cef | RFC5424}
end

If a FortiCloud account has a FortiManager Cloud account level subscription (ALCI), a FortiGate registered to the FortiCloud account can recognize it and enable FortiManager Cloud central management.

SAML user authentication is supported for explicit web proxies and transparent web proxies with the FortiGate acting as a SAML SP. SAML is supported as a new authentication method for an authentication scheme that requires using a captive portal.

config authentication scheme
    edit <name>
        set method saml
        set saml-server <server>
        set saml-timeout <seconds>
        set user-database <database>
    next
end

In the SAML user settings, two digest methods are supported for its certificate signing algorithms.

config user saml
    edit <name>
        set digest-method {sha1 | sha256}
    next
end

By default, the digest-method is set to sha1. For applications requiring SHA256, set the digest-method to sha256.

Add srcaddr-negate, dstaddr-negate, and service-negate to local-in policy.

Flow-based SIP inspection is now done by the IPS engine. Proxy ALG features that are supported in flow mode include blocking scenarios, rate limitation, and malformed header detection. Inspection mode is selected at the firewall policy level.

The following enhancements allow better integration with carrier CPE (customer premises equipment) management tools:

• Add SNMP OIDs to collect the reason for a FortiGate reboot.

• Add SNMP OIDs to collect traffic shaping profile and policy related configurations.

• Add a description field on the modem interface that can be fetched over SNMP.

• Bring a loopback or VLAN interface down when the link monitor fails.

• Add DSCP and shaping class ID support on the link monitor probe.

• Allow multiple link monitors with the same source and destination address, but different ports or protocols.

From the CLI, users are allowed to enable malware threat feeds and outbreak prevention without performing an AV scan. In the GUI and CLI, users can choose to use all malware thread feeds, or specify the ones they want to use. New replacement message for external block lists have been added.

config antivirus profile
    edit <name>
        config http
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set quarantine {enable | disable}
        end
        set outbreak-prevention-archive-scan {enable | disable}
        set external-blocklist-archive-scan {enable | disable}
        set external-blocklist-enable-all {enable | disable}
        set external-blocklist <source>
    next
end

Note that the external-blocklist <source> option is hidden if external-blocklist-enable-all is enabled.

Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface.

config vpn ipsec phase1-interface
    edit <name> 
        set interface "loopback"
        set loopback-asymroute {enable | disable}
    next
end

In NGFW policy mode, a security policy can be configured in learn mode to monitor traffic that passes through the source and destination interfaces. These traffic and UTM logs use a special prefix in the policymode and profile fields so that the FortiAnalyzer and FortiManager Policy Analyzer can identify these logs to use for policy analysis.

FortiGate can be configured to allow administrators to log in using FortiCloud single sign-on. Both IAM and non-IAM users on the FortiCloud support portal are supported. Non‑IAM users must be the FortiCloud account that the FortiGate is registered to. When enabled, the FortiGate login page will display options to Sign in with FortiCloud or sign in with regular administrator username.

When FortiGuard DDNS is configured as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to FortiGuard over IPv6 and provide the FortiGate's IPv6 interface address for updates.

FortiAI can be added to the Security Fabric so it appears in the topology views and the dashboard widgets.

When the detect server becomes unavailable in a link monitoring configuration, instead of removing all routes associated with the gateway and interface defined in the link monitor, only remove specific routes. These subnets can be specified in the link-monitor configuration.

config system link-monitor
    edit <id>
        set srcintf <interface>
        set server <server IP>
        set gateway-ip <gateway IP>
        set route <subnet 1> ... <subnet n>
    next
end

Adds support for Layer 3 unicast standalone config sync. This allows peers to be synchronized in cloud environments that do not support Layer 2 networking, which expands support for auto-scale scenarios. Configuring a unicast gateway allows peers to be in different subnets altogether (this is an optional setting).

config system ha
    set unicast-status enable
    set unicast-gateway <address>
    config unicast-peers
        edit 1
            set peer-ip <address>
        next
    ...
    end
end

Add dual stack IPv4/IPv6 support for FortiGate's SSL VPN client, which enables it to establish a dual stack tunnel to allow IPv4 and IPv6 traffic to pass through. Dual stack is enabled unconditionally, and will form dual stack tunnels when the server supports it.

The SD-WAN REST API for health-check and sla-log now exposes ADVPN shortcut information in its result. The child_intfs attribute returns the statistics for the corresponding shortcuts. The following command displays real-time SLA information for ADVPN shortcuts:

# diagnose sys sdwan sla-log <health check name> <sequence number> <child name>

Add UX enhancements:

• When selecting objects, the omni-select menu displays recently used items.

• Support nested object tooltips.

The radio transmit power can now be configured in dBm or as a percentage in FortiAP profiles and override settings.

Synchronize wildcard FQDN IPs to other autoscale members whenever a peer learns of a wildcard FQDN address.

FortiDeceptor can be added to the Security Fabric so it appears in the topology views and the dashboard widgets.

Firewall policies can be configured in full ZTNA or ZTNA IP/MAC filtering mode when you enable Zero Trust Network Access from the Feature Visibility menu. When configuring firewall policies in ZTNA IP/MAC filtering mode, ZTNA tags are used for access control. ZTNA tags are equivalent to FortiOS 6.4 EMS tags that were part of dynamic firewall addresses. In 7.0, ZTNA tags can be accessed from the Policy & Objects > ZTNA > ZTNA Tags tab.

DHCP address enforcement ensures that clients who connect must complete the DHCP process to obtain an IP address; otherwise, they are disconnected from the SSID. This prevents users with static addresses that may conflict with the DHCP address scheme, or users that fail to obtain a DHCP IP assignment to connect to the SSID.

Ensure EMS logs are recorded for dynamic address related events under Log & Report > Events > SDN Connector Events logs:

• Add EMS tag
• Update EMS tag
• Remove EMS tag

Wireless controller now supports NAC profiles to onboard wireless clients into default VLANs. It can also apply NAC policies to match clients based on device properties, user groups or EMS tags, and assign clients to specific VLANs. VLAN sub-interfaces based on the VAP interfaces are used for the VLAN assignment.

The performance of updates between the FortiGate and FortiClient EMS is improved by using WebSockets. On supported FortiClient EMS firmware, the FortiGate can open a WebSocket connection with EMS to register for notifications about system information, host tags, avatars, and vulnerabilities. When these tables are updated, EMS pushes notifications to the corresponding FortiGate. The FortiGate then fetches the updated information using the REST API.

Support pulling malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV is enabled with block or monitor actions.

Add DNS filtering support in flow inspection mode. In FortiOS 6.4, the DNS proxy daemon handles the DNS filter in flow and proxy mode policies. Starting in 7.0, the IPS engine handles the DNS filter in flow mode policies. All features previously supported in the DNS filter profile are supported in flow mode.

Add the following enhancements for voice-enterprise SSID:

• Support 802.11k neighbor report dual band.

• Enhance 802.11v BSS transition management by adding bstm-disassociation-imminent option, disassociation timer for low RSSI, and disassociation timer for AP load-balancing.

Improve the session in/out dev handling when the session is dirty, re-routing occurs, and so on. Avoid clearing the session in/out dev, and only update it when is changes.

Support file filter profile in a one-arm sniffer policy in the GUI and CLI.

GCP PAYG instances can obtain FortiCare generated licenses upon a new deployment, or by the command line (execute vm-license) when upgrading from previous firmware. The process generates Fortinet_Factory and Fortinet_Factory_Backup certificates that contain the common name (CN) of the FortiGate serial number to uniquely identify this FortiGate.

Adds support for DNS over TLS (DoT) and DNS over HTTPS (DoH) in DNS inspection. Prior to 7.0, DoT and DoH traffic silently passes through DNS proxy. In 7.0, WAD is able to handle DoT and DoH, and redirect DNS queries to the DNS proxy for further inspection.

config firewall ssl-ssh-profile
    edit "dot-deep"
        config dot
            set status deep-inspection
            set client-certificate bypass
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
        end
    next
end

In the wireless controller settings, add options to specify the delimiter used for various RADIUS attributes for RADIUS MAC authentication and accounting. The options are hyphen, single-hyphen, colon, or none.

config wireless-controller vap
    edit <name>
        set mac-username-delimiter {hyphen | single-hyphen | colon | none}
        set mac-password-delimiter {hyphen | single-hyphen | colon | none}
        set mac-calling-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-called-station-delimiter {hyphen | single-hyphen | colon | none}
        set mac-case MAC {uppercase | lowercase}
    next
end

Remove FortiGuard Accept push updates option. On 2U models and larger (excluding VMs), the Immediately download updates option has been added. This allows the FortiGate to form a secure persistent connection with FortiGuard to get notifications of new updates. Once notified, the FortiGate can download the updates immediately.

In a scenario where a tunnel mode SSID or a VLAN sub-interface of an SSID is bridged with other interfaces via a software switch, support is added to allow captive portal authentication on the SSID or VLAN sub-interface. This requires that intra-switch-policy is set to explicit from the CLI when the switch interface is created. Users accessing the SSID will be redirected to the captive portal for authentication.

Introduce GUI support for configuring Zero Touch Network Access. ZTNA is a method of access control that utilizes zero-trust tags and various authentication methods to provide role-based application access. In full ZTNA mode, users can securely connect to the FortiGate access proxy over HTTPS to connect to protected resources.

Add the ability to perform SD-WAN passive WAN health measurement, which reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements. The passive and prefer-passive detection modes rely on session information captured in firewall policies with passive-wan-health-measurement enabled.

config system sdwan
    config health-check
        edit <name>
            set detect-mode {active | passive | prefer-passive}
        next
    end
end

config firewall policy
    edit <id>
        set passive-wan-health-measurement {enable | disable}
    next
end

Allow service assurance management (SAM) mode to be configured from the CLI where a radio is designated to operate as a client and perform tests against another AP. Ping and iPerf tests can run on an interval and the results are captured in the Wi-Fi event logs. This allows the FortiGate to verify and assure an existing Wi-Fi network can provide acceptable services.

In ZTNA, the integration between FortiClient EMS and the FortiGate is extended so the device identity and device trust context is established through client certificates and other information shared between the three entities. When a FortiClient endpoint registers to FortiClient EMS, it requests and obtains a client device certificate signed by the EMS certificate authority. Information about the endpoint device and the certificate is synchronized to the FortiGate. When the endpoint attempts to connect to the access proxy, the client is prompted to provide its certificate, which is verified by the FortiGate to establish a trusted relationship.

In ZTNA, the FortiGate access proxy can apply SAML authentication to authenticate the client. The FortiGate will act as the SAML SP, while a SAML authenticator will serve as the IdP. In addition to verifying user and device identity using the client certificate, you can also authorize the user based on user credentials to establish a trust context before granting access to the protected resource.

Once the client certificate is obtained by the endpoint, and endpoint information is synchronized between the FortiGate and FortiClient EMS, the client is ready to establish a connection to the FortiGate access proxy. By default, client certificate authentication is enabled on the access proxy, so when the HTTPS request comes in, the FortiGate's WAD process will challenge the client to identify itself with its certificate. Based on the client response, WAD will allow or block further processing by the ZTNA proxy rule.

In ZTNA, a HTTPS access proxy functions as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context before granting access to the protected resource.

In ZTNA, a TCP forwarding access proxy (TFAP) functions in two parts. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS. Then, it verifies user identity, device identity, and trust context before forwarding the TCP traffic to the protected resource.

Support DoT and DoH in explicit mode, where FortiGate acts as an explicit DNS server listening for DoT and DoH requests. Add support for local-out DNS traffic over TLS and HTTPS.

With the Fabric Connector Event trigger, any supported Fabric connector is able to trigger an automation stitch on the FortiGate based on a specific event defined on the Fabric connector. Currently, only FortiDeceptor 4.1 supports this trigger for the Insider Threat, Notify Ban, and Notify Unban events.

The DNP3 application signature dissector supports detecting DNP3 traffic that is encapsulated by the RealPort protocol (Net.CX). DNP3 is used in industrial solutions over serial ports, USB ports, printers, and so on. RealPort encapsulation allows transportation of the underlying protocols over TCP/IP. The FortiGate industrial signatures must be enabled to use RealPort.DNP3 signatures.

The new GUI retro theme showcases a style of FortiOS giving homage to FortiOS 3.0. To enable it, go to System > Settings. Under View Settings, for Theme, select FortiOS v3 Retro.