New features or enhancements
More detailed information is available in the New Features Guide.
Bug ID |
Description |
---|---|
442996 |
Add GUI support for configuring IPv6 settings for IPv6 MAC address, SNMP, DHCPv6 server and client, DHCPv6 SLAAC, and prefix delegation. Updates include:
|
489956 |
Add a new LAG implementation so that each session uses the same NP6 and XAUI for the ingress and egress directions, avoiding fast path congestion (the default value is config system npu set lag-out-port-select {enable | disable} end Add a new algorithm in the NPU driver to the bond algorithm list (AGG_ALGORITHM_NPU). |
497049 |
Support HTTP2 in proxy mode by adding the ability to inspect HTTP2 via ALPN. config firewall ssl-ssh-profile edit <name> set supported-alpn {http1-1 | http2 | all | none} next end |
520385 |
Allow denied sessions to be offloaded by the NPU when session-denied traffic is also enabled. This enables sessions to be offloaded for packets that are denied by the firewall policy, which can help reduce CPU usage. config system npu session-denied-offload {enable | disable} end |
566452 |
Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed: config system virtual-switch edit <name> config port edit <name> set speed <option> set status {up | down} next end next end config system physical-switch edit <name> config port edit <name> set speed <option> set status {up | down} next end next end |
566967 |
Add security rating test to check if two-factor authentication is enabled for each active SSL VPN and IPsec user. |
609692 |
Add new setting to enable auto provisioning of FortiSwitch firmware upon authorization. On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate models without a disk, one image of the same FortiSwitch model can be uploaded. |
611992 |
Add a specific |
618359 |
In scenarios where the FortiGate is sandwiched by load-balancers and SSL processing is offloaded on the external load-balancers, the FortiGate can perform scanning on the unencrypted traffic by specifying the |
621725 |
Add settings to enable flow control and pause metering. Pause metering allows the FortiSwitch to apply flow control to ingress traffic when the queue is congested and to resume once it is cleared. |
621728 |
On supported managed switch ports, the FortiGate allows the port to be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25 Gbps ports, or Clause 91 RS-FEC for 100 Gbps ports. config switch-controller managed-switch edit <serial number> config ports edit <name> set fec-state {disabled | cl74 | cl91} next end next end |
622053 |
Add RADIUS CoA support for SSL-VPN. After receiving a |
622547 |
When a device first connects to a switch port, or when a device goes from offline to online, the FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy. Optimizations made to the process shorten the time it takes for a new device to be recognized and assigned to the VLAN. |
628133 |
Add dual stack IPv4/IPv6 support for SSL VPN servers, which enables a client to establish a dual stack tunnel that allows IPv4 and IPv6 traffic to pass through. config vpn ssl settings set dual-stack-tunnel {enable | disable} end In web mode, users can access IPv4 and IPv6 bookmarks in the portal. A new attribute, |
630468 |
Make the following enhancements to the antiphishing profile:
|
633543 |
Port policy configurations are moved out of NAC policies into a standalone dynamic port policy configuration. Physical ports now have a choice of three access modes: static, dynamic (default), and NAC. In dynamic mode, a Dynamic Port Policy profile can be assigned, allowing devices matching defined criteria to apply specific port properties based on LLDP, QoS, 802.1X, or VLAN policies. NAC policies provide more criteria to match devices and assign them to an appropriate VLAN. |
634006 |
OpenSSL updated to 1.1.1j for security fixes. |
635344 |
Add XAuth User to VPN chart in the PDF report. |
636804 |
FortiClient EMS with fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, then silently approve remaining downstream FortiGates in the Fabric. Similarly, in an HA scenario, approval only needs to be made once to the HA primary unit. The remaining cluster members will be approved silently. |
637108 |
In 6.2, stream-based AV scan was added in proxy mode for HTTP(S). This is now supported for FTP(S), SFTP, and SCP. The stream-based scan optimizes memory utilization for large archive files like ZIP, TAR.GZ, and so on by decompressing the files on the fly and scanning files as they are extracted. Smaller files can also be scanned directly on the proxy-based WAD daemon, improving traffic throughput. |
637552 |
Enhance freestyle log filtering so that users can specify more powerful filters. The config free-style setting is added to log filters for each log device. For example: config log memory filter config free-style edit 1 set category {event | virus | webfilter | attack | spam | anomaly | voip | dlp | app-ctrl | waf | gtp | dns | ssh | ssl | file-filter | icap} set filter <string> set filter-type include next end end The filter string can be a legal regular filter string. For example, |
638352 |
To avoid a large number of new IKEv2 negotiations from starving other SAs from progressing to established states, the following enhancements have been made to the IKE daemon:
The IKE embryonic limit can now be configured in the CLI. config system global set ike-embryonic-limit <integer> end |
640763 |
Users can configure advanced BGP and OSPF routing options in the GUI. A new Routing Objects page allows users to configure Route Map, Access List, Prefix List, AS Path List, and Community List from the GUI. The Dashboard > Network routing monitor now displays BGP Neighbors, BGP Paths, and OSPF Neighbors. |
641077 |
After authorizing a FortiAP, administrators can also register the FortiAP to FortiCloud directly from the FortiGate GUI. |
641524 |
Add interface selection for IPS TLS protocol active probing. config ips global config tls-active-probe set interface-selection-method {auto | sdwan | specify} set interface <interface> set vdom <VDOM> set source-ip <IPv4 address> set source-ip6 <IPv6 address> end end |
644218 |
The host protection engine (HPE) has been enhanced to add monitoring and logging capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and configure intervals and multipliers for the frequency at which event logs and attack logs are generated. These logs and monitors help administrators analyze the frequency of attack types and fine-tune the desired packet rates in the HPE shaper. config monitoring npu-hpe set status {enable | disable} set interval <integer> set multipliers <m1>, <m2>, ... <m12> end The interval is set in seconds (1 - 60, default = 1). The multipliers are twelve integers ranging from 1 - 255, the default is An event log is generated after every (interval × multiplier) seconds for any HPE type when drops occur for that HPE type. An attack log is generated after every (4 × multiplier) consecutive event logs. |
644235 |
Support reference to any action results in chained actions of automation stitches. |
647800 |
AWS and Azure now support FIPS ciphers mode. |
648595 |
A custom IKE port can be specified to replace the default UDP/500 port for IKE negotiation. config system settings set ike-port <1024 - 65535> end |
648602 |
When creating a Cisco ACI direct connector, configuring multiple IPs allows the FortiGate to connect to the server in a round-robin fashion. Only one server will be active and the remaining will serve as backups if the active one fails. |
649903 |
When a FortiClient endpoint is managed by EMS, logged in user and domain information is shared with FortiOS via the EMS connector. This information is used to fetch additional attributes over the Exchange connector to produce more complete user information for the user store. |
649933 |
Security rating notifications are shown on the settings page, which has configuration issues as determined by the security rating. Users can open the recommendation to see which configuration item needs to be fixed. This frees users from going back and forth between the Security Rating page and the settings page. Notifications appear either in the gutter, the footer, or as a mutable. Notifications can be dismissed. |
650416 |
On IBM VPC Cloud, users can deploy their BYOL FortiGate VMs in unicast HA. HA failover triggers routing changes and floating IP reassignment on the IBM Cloud automatically via the API. |
651866 |
FortiSwitch events now have their own category on the Events log page. |
652003 |
In a tenant VDOM, allow |
652503 |
By configuring the service chain and service index, NSX-T east-west traffic can be redirected to a designated FortiGate VDOM. config nsxt setting set liveness {enable | disable} set service <service name> end config nsxt service-chain edit <ID> set name <chain name> config service-index edit <forward index> set reverse-index <value> set name <index name> set vd <VDOM> next end next end The default value for |
653386 |
This feature enables the FortiGate to be configured as an SSL VPN client. A new SSL type interface is added to support the SSL VPN client configuration. When the SSL VPN client connection is established, the SSL VPN client will dynamically add a route to the subnets returned by the SSL VPN server. Subsequently, you can define policies to allow users behind the FortiGate acting as SSL VPN clients to be tunneled through SSL VPN to the destinations on the SSL VPN server. |
654032 |
The route tag is a mechanism to map a BGP community string to a specific tag. The string may correspond to a specific network that a BGP router advertised. Using this tag, an SD-WAN service rule can be used to define specific handling of traffic to that network. In this enhancement, IPv6 route tags are now supported. |
654619 |
With the video filter profile, users can filter YouTube videos by channel ID for a more granular override of a single channel, user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection. |
655388 |
When units are out-of-sync in an HA cluster, the GUI will now compare the HA checksums and display the tables that caused HA to be out-of-sync. This can be visualized in the HA monitor page and the HA Status widget. |
655942 |
Add new commands |
656039 |
Allow SD-WAN duplication rules to specify SD-WAN service rules to trigger packet duplication. This allows SD-WAN duplication to occur based on an SD-WAN rule instead of the source, destination, or service parameters in the duplication rule. |
657598 |
In an application control list, the config application list edit <list> config entries edit 1 set category <ID> set exclusion <signature ID> ... <signature ID> next end next end |
657812 |
When an SSL inspection profile is configured to protect the SSL server, multiple sites can potentially be deployed on the same protected server IP. This change adds support for attaching multiple SSL certificates to an SSL profile, allowing inspection based on matching the SNI against the certificate. |
658096 |
Add four new SNMP OIDs for polling the number of packets and bytes that conform to traffic shaping, or are discarded by traffic shaping. |
658206 |
New REST API |
658525 |
The limit of BGP paths that can be selected and advertised has increased to 255 (originally 8). |
658904 |
When defining an automation stitch with an email action, users can enable replacement message and customize their message using a standard template. |
659105 |
Add a toggle to return node IP addresses only in dynamic firewall addresses for Kubernetes SDN connectors. |
659127 |
Add support to deploy FortiGate-VMs that are paravirtualized with SR-IOV and DPDK/vNP on OCI shapes that use Mellanox network cards. |
659346 |
Add additional information such as DHCP server MAC, gateway, subnet, and DNS to wireless DHCP logs. |
659994 |
In firewall sniffer mode, you can record traffic logs each time a source or destination address matches an IP address on an external threat feed. |
660250 |
Add global option config system global set fortiipam-integration {enable | disable} end |
660273 |
By default, the FortiGate uses the outbound interface's IP to communicate with a FortiSwitch managed over layer 3. The |
660283 |
Add system event logs for the execution of CLI commands. When |
660295 |
Provide specific SNMP objects (OIDs) that allow the status of the mobile network connection to be monitored. |
660596 |
Because pre-standard POE devices are uncommon in the field, |
660624 |
When enabling the Security Fabric on the root FortiGate, the following FortiAnalyzer GUI behavior has changed:
|
660653 |
The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi network resources in roaming decisions and improves overall performance. This enhancement allows the FortiGate to push the MBO configuration to managed APs, which adds the MBO information element to the beacon and probe response for 802.11ax. |
661105 |
By using |
661131 |
Enabling IGMP snooping on an SSID allows the wireless controller to detect which FortiAPs have IGMP clients. The wireless controller will only forward a multicast stream to the FortiAP where there is a listener for the multicast group. |
661252 |
Add object synchronization improvements:
|
662437 |
When a FortiSwitch upgrade is stuck due to connectivity issues, the following command allows the process to be cancelled.
|
663206 |
When an AliCloud SDN connector is configured, dynamic address objects can support Kubernetes filters based on cluster, service, node, pod, and more. |
663258 |
When a user disconnects from an SSL VPN tunnel, it is sometimes not desirable for the released IP to be immediately used up in the current first available IP assignment method. A new option is added in the CLI to set the tunnel address assignment method to either first available (default) or round-robin. config vpn ssl settings set tunnel-addr-assigned-method {first-available | round-robin} end |
663468 |
Support hardware switch on FG-300E, FG-400E, and FG-1100E models. |
663530 |
IoT background scanning is disabled by default. Users can enable this option on the FortiLink Interface page in the GUI or with the |
663585 |
FortiVoice can be added to the Security Fabric on the root FortiGate. |
663877 |
Add Application Bandwidth widget:
|
664312 |
Integrate Broadcom bnxt_en 1.10.1 driver to drive new vfNIC to replace 1.9.2 version. The following new cards are supported:
|
664826 |
When multi-VDOM mode is enabled, the threat feed external connector can be defined in global or within a VDOM. Global threat feeds can be used in any VDOMs, but are not editable within the VDOM. FortiGuard category and domain name based external feeds have added a category number field to identify the threat feed. |
665186 |
Add Security Rating test, Activate FortiCloud Services, to check whether FortiCloud services can be activated for FortiAnalyzer Cloud, FortiManager Cloud, FortiClient EMS Cloud, and FortiSandbox Cloud. If the account has a valid subscription to a service or cloud appliance, but the Fabric connection to it on the FortiGate is not enabled, then the test fails. |
665695 |
An HA failover can be triggered when memory utilization exceeds the threshold for a specific amount of time. config system ha set memory-based-failover {enable | disable} set memory-failover-threshold <0 - 95> set memory-failover-monitor-period <1 - 300> set memory-failover-sample-rate <1 - 60> set memory-failover-flip-timeout <6 - 2147483647> end |
665735 |
The user device store allows user and device data collected from different daemons to be centralized for quicker access and performance: diagnose user-device-store device memory list diagnose user-device-store device memory query mac <value> diagnose user-device-store device memory query ip <value> diagnose user-device-store device disk list diagnose user-device-store device disk query <SQL WHERE clause> |
666902 |
With the new IPsec kernel design, the route tree is not available in the IPsec tunnel list used to select tunnels by the next hop. A tunnel ID is automatically generated and used to link routes with the IPsec tunnel. The IPsec tunnel ID is normally the remote gateway of the tunnel. For tunnels with the same remote gateway, the tunnel ID is randomly assigned (10.0.0.x) and will be different from the remote gateway. The tunnel ID ( A route also has a tunnel ID, which coincides with the route gateway. When a route directs traffic to an IPsec interface and there are multiple VPN connections (usually dialup VPNs), if they have the same remote gateway, then the tunnel ID is automatically assigned. Note that the route next hop of an IPsec VPN tunnel is only a tunnel identifier, not the real route next hop IP, which is different than the ordinary route next hop. |
666941 |
When configuring EMS Cloud in the Security Fabric, it is only allowed to be configured when the FortiGate is registered to FortiCloud and the EMS Cloud entitlement is verified. |
667181 |
Connection to FortiSandbox Cloud, which allows users to create an instance of FortiSandbox on FortiCloud, can now be easily configured from the Fabric Connectors page. In the Cloud Sandbox Settings, choose between connecting to FortiGate Cloud Sandbox or FortiSandbox Cloud. The connection to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the right FortiSandbox Cloud account. |
667285 |
When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character. |
667774 |
The AV engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. Previously, this type of detection was handled by heuristics that analyze file behavior. With AV Engine AI, the module is trained by FortiGuard AV against many malware samples to identify file features that make up the malware. The AV Engine AI package is downloaded by FortiOS from FortiGuard via FortiGuard updates. Devices with an active AV subscription can download this package. The setting is enabled by default at a per-VDOM level: config antivirus settings set machine-learning-detection enable end |
668362 |
Support multiple LDAP server configurations for Kerberos keytab and agentless NTLM domain controller in multiple forest deployments. |
668487 |
In NGFW policy mode, application groups can be defined with the following filters: risk, protocols, vendor, technology, behavior, and popularity. |
668991 |
Security Fabric rating reports can now be generated in multi-VDOM mode, against all VDOMs. The Security Rating is visible under Global scope. |
669033 |
Backend update to support a TCP connection pool to maintain local-out TCP connections to the external ICAP server. |
669158 |
The SD-WAN Network Monitor service now supports running a speed test based on a schedule. The test results are automatically updated in the interface |
669487 |
Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can be based on a FortiGuard URL category. |
669942 |
In the scenario where session synchronization is down between two FGSP members, resulting in a split-brain situation, the IKE monitor provides a mechanism to maintain the integrity of state tables and primary/secondary roles for each gateway. It continues to provide fault tolerance by keeping track of the timestamp of the latest received traffic, and it uses the ESP sequence number jump ahead value to preserve the sequence number per gateway. Once the link is up, the cluster resolves the role and synchronizes the session and IKE data. During this process, if the IKE fails over from one unit to another, the tunnel will remain valid due to the IKE session and role being out of sync, and the ESP anti-replay detection. |
670058 |
Conventionally, public cloud FortiGate deployments require four NICs (external data processing, internal data processing, heartbeat/synchronization, and HA management). The HA heartbeat and management have been merged into the same interface, so only three NICs are required. |
670067 |
To accommodate the new web filter categories, Child Abuse is renamed as Child Sexual Abuse. A new category 96, Terrorism, has been added to FortiOS and FortiGuard servers. |
670089 |
A secure SSL connection from the FortiGate to the ICAP server can be configured as follows: config icap server edit "server" set secure enable set ssl-cert <certificate> next end |
670345 |
Support Strict-Transport-Security in HTTPS redirect. |
670568 |
The Security Fabric can be enabled for a multi-VDOM environment, allowing access to all Fabric features including: Fabric topologies, security rating, and automation across the VDOM deployment. Users can navigate to downstream FortiGates directly from the root FortiGate via the new Fabric selection top-menu. VDOM cookies have been removed since they are no longer being used to identify the current selected VDOM. |
670677 |
When a BGP next hop requires recursive resolution, the default behavior is to consider all other routes except BGP routes. The following option, when enabled, allows the recursive next hop resolution to use BGP routes as well. config router bgp set recursive-next-hop {enable | disable} end |
671563 |
Add option to switch between Peer and Peer Group view on PKI user page. |
672573 |
FortiExtender and VPN tunnel interfaces now support NetFlow sampling. VPN tunnel interfaces can be IPsec, IP in IP, or GRE tunnels. NetFlow sampling is supported on NPU and non-NPU offloaded tunnels. |
673072 |
When an HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal. Once authentication is done, the client can be redirected back to the original destination over HTTP. |
673205 |
In Dashboard > Users and Devices, administrators can use the FortiSwitch NAC VLANs widget to see which devices have been added to which VLANs by the NAC policy. A donut chart overview summarizes the number of devices in each VLAN. |
673371 |
Support ICMP type 13 at local interface. |
673590 |
Policy hit counters are now seven-day rolling counters. Instead of storing a single number for the hit count and byte count collected since the inception of each policy, seven numbers for the last seven days plus an active counter for the current day are stored. The past seven-day hit count is displayed on the policy list and policy dialog page. A seven-day bar chart for additional visualization of the statistics has been added. These changes help put the policy hit count comparison on the same footing. |
674653 |
To support per-packet load balancing on aggregate dial-up IPsec tunnels between sites, each spoke must configure a location ID. On the dial-up VPN hub, per-packet load balancing can be performed on tunnels in the IPsec aggregate with the same location ID. config system settings set location-id <IPv4 address> end |
674724 |
Once an incoming webhook connector is created in Microsoft Teams, this webhook URL can be used in an automation stitch under the action Microsoft Teams connector. config system automation-action edit <action name> set action-type microsoft-teams-notification next end |
674759 |
IPv6 multicast policies can be configured in the GUI by enabling IPv6 and Multicast Policy under System > Feature Visibility. |
675049 |
Add support for PRP (Parallel Redundancy Protocol) in NAT mode for a virtual wire pair. This preserves the PRP RCT (redundancy control trailer) while the packet is processed by the FortiGate. |
675200 |
Improve SOCKS/SSH proxy to support |
675401 |
Provide options for controlling concurrent TCP/UDP connections by introducing a connection quota in the per-IP shaper and a port quota in the fixed port range type IP pool. |
675958 |
A DNS health check monitor can be configured for server load balancing. The monitor uses TCP or UDP DNS as the probes. The request domain is matched against the configured IP address to verify the response. config firewall ldb-monitor edit <name> set type dns set port <string> set dns-protocol {udp | tcp} set dns-request-domain <string> set dns-match-ip <class_ip> next end |
676063 |
Add support for OCI IMDSv2 that offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and during instance deployments with bootstrap metadata. |
676260 |
FortiGates with a premium subscription (AFAC contract) for cloud-based central logging and analytics are able to send traffic logs to FortiAnalyzer Cloud, in addition to UTM logs and event logs. FortiGates with a standard FortiAnalyzer Cloud subscription (FAZC contract) can send UTM and event logs only. |
676484 |
When configuring the generic DDNS service provider as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to an IPv6 DDNS server and provide the FortiGate's IPv6 interface address for updates. config system ddns edit <name> set ddns-server genericDDNS set server-type {ipv4 | ipv6} set ddns-server-addr <address> set addr-type {ipv4 | ipv6} set monitor-interface <port> next end |
676549 |
The past seven-day hit count is displayed on the policy list page and the policy dialog page for IPv4 and IPv6 multicast policies. A seven-day bar chart for additional visualization of the statistics has been added. |
676577 |
Introduce FortiGuard updates for OUI files used to identify device vendors by MAC address. This database is used in WiFi and device detection. |
677334 |
Add support for MacOS Big Sur 11.1 in SSL VPN OS check. |
677684 |
In a Hub and Spoke SD-WAN topology with shortcuts created over ADVPN, a downed or recovered shortcut may affect which member is selected by a SD-WAN service strategy. The SD-WAN |
677750 |
The Local Out Routing page consolidates features where a source IP and an outgoing interface attribute can be configured to route local out traffic. The outgoing interface has a choice of Auto, SD-WAN, or Specify to allow granular control over the interface in which to route the local out traffic. Local Out Routing must be enabled from System > Feature Visibility, and it supports multi-VDOM mode. |
677784 |
Add commands to debug traffic statistics for traffic monitor interfaces ( # diagnose debug traffic {interface | peek | history} |
678015 |
A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate. Once the FortiWeb joins the Fabric, the following features are available:
|
678783 |
Add option for users to set a non-default SD-WAN member zone for OCVPN IPsec interfaces. The config vpn ocvpn ... set sdwan enable set sdwan-zone {virtual-wan-link | <zone> | ...} ... end |
679175 |
Add config system email-server set interface-select-method {auto | sdwan | specify} set interface <interface> end |
679245 |
This enhancement allows a FortiGate to use the WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up dynamic RADIUS VSAs (vendor-specific attributes) to control the traffic rates permitted for a certain device. The FortiGate can apply different traffic shaping to different users who authenticate with RADIUS based on the returned RADIUS VSA values. When the same user logs in from an additional device, the RADIUS server will send a CoA (change of authorization) message to update the bandwidth values to 1/N of the total values, where N is the number of logged in devices from the same user. config firewall policy edit 1 set dynamic-shaping {enable | disable} next end |
680599 |
Increase the ICMP rate limit to allow more ICMP error messages to be sent by the FortiGate per second. The ICMP rate limit interval has changed from 1 second (100 jiffies) to 10 milliseconds (1 jiffy). |
680622 |
Allow the HA heartbeat interval to be configured in units of 10 ms instead of the default 100 ms. config system ha set hb-interval-in-milliseconds {100ms | 10ms} end |
681600 |
Add support for syslog RFC 5424 format, which can be enabled when the syslog mode is UDP or reliable. config log syslogd setting set format {default | csv | cef | RFC5424} end |
682106 |
If a FortiCloud account has a FortiManager Cloud account level subscription (ALCI), a FortiGate registered to the FortiCloud account can recognize it and enable FortiManager Cloud central management. |
682246 |
SAML user authentication is supported for explicit web proxies and transparent web proxies with the FortiGate acting as a SAML SP. SAML is supported as a new authentication method for an authentication scheme that requires using a captive portal. config authentication scheme edit <name> set method saml set saml-server <server> set saml-timeout <seconds> set user-database <database> next end In the SAML user settings, two digest methods are supported for its certificate signing algorithms. config user saml edit <name> set digest-method {sha1 | sha256} next end By default, the |
682470 |
Add |
682480 |
Flow-based SIP inspection is now done by the IPS engine. Proxy ALG features that are supported in flow mode include blocking scenarios, rate limitation, and malformed header detection. Inspection mode is selected at the firewall policy level. |
683647 |
The following enhancements allow better integration with carrier CPE (customer premises equipment) management tools:
|
683791 |
From the CLI, users are allowed to enable malware threat feeds and outbreak prevention without performing an AV scan. In the GUI and CLI, users can choose to use all malware threat feeds, or specify the ones they want to use. A new replacement message for external block lists has been added. config antivirus profile edit <name> config http set av-scan {disable | block | monitor} set outbreak-prevention {disable | block | monitor} set external-blocklist {disable | block | monitor} set quarantine {enable | disable} end set outbreak-prevention-archive-scan {enable | disable} set external-blocklist-archive-scan {enable | disable} set external-blocklist-enable-all {enable | disable} set external-blocklist <source> next end Note that the |
684133 |
Support site-to-site IPsec VPN in an asymmetric routing scenario with a loopback interface as a VPN bound interface. config vpn ipsec phase1-interface edit <name> set interface "loopback" set loopback-asymroute {enable | disable} next end |
684236 |
In NGFW policy mode, a security policy can be configured in learn mode to monitor traffic that passes through the source and destination interfaces. These traffic and UTM logs use a special prefix in the |
686019 |
FortiGate can be configured to allow administrators to log in using FortiCloud single sign-on. Both IAM and non-IAM users on the FortiCloud support portal are supported. Non-IAM users must be the FortiCloud account that the FortiGate is registered to. When enabled, the FortiGate login page will display options to Sign in with FortiCloud or sign in with a regular administrator username. |
687282 |
When FortiGuard DDNS is configured as a DDNS server, the server type and address type can be set to IPv6. This allows the FortiGate to connect to FortiGuard over IPv6 and provide the FortiGate's IPv6 interface address for updates. |
689140 |
FortiAI can be added to the Security Fabric so it appears in the topology views and the dashboard widgets. |
689150 |
When the detect server becomes unavailable in a link monitoring configuration, instead of removing all routes associated with the gateway and interface defined in the link monitor, only remove specific routes. These subnets can be specified in the config system link-monitor edit <id> set srcintf <interface> set server <server IP> set gateway-ip <gateway IP> set route <subnet 1> ... <subnet n> next end |
689174 |
Adds support for Layer 3 unicast config system ha set unicast-status enable set unicast-gateway <address> config unicast-peers edit 1 set peer-ip <address> next ... end end |
689807 |
Add dual stack IPv4/IPv6 support for FortiGate's SSL VPN client, which enables it to establish a dual stack tunnel to allow IPv4 and IPv6 traffic to pass through. Dual stack is enabled unconditionally, and will form dual stack tunnels when the server supports it. |
690179 |
The SD-WAN REST API for health-check and sla-log now exposes ADVPN shortcut information in its result. The
|
690688 |
Add UX enhancements:
|
690691 |
The radio transmit power can now be configured in dBm or as a percentage in FortiAP profiles and override settings. |
690711 |
Synchronize wildcard FQDN IPs to other autoscale members whenever a peer learns of a wildcard FQDN address. |
690801 |
FortiDeceptor can be added to the Security Fabric so it appears in the topology views and the dashboard widgets. |
691254 |
Firewall policies can be configured in full ZTNA or ZTNA IP/MAC filtering mode when you enable Zero Trust Network Access from the Feature Visibility menu. When configuring firewall policies in ZTNA IP/MAC filtering mode, ZTNA tags are used for access control. ZTNA tags are equivalent to FortiOS 6.4 EMS tags that were part of dynamic firewall addresses. In 7.0, ZTNA tags can be accessed from the Policy & Objects > ZTNA > ZTNA Tags tab. |
691340 |
DHCP address enforcement ensures that clients who connect must complete the DHCP process to obtain an IP address; otherwise, they are disconnected from the SSID. This prevents users with static addresses that may conflict with the DHCP address scheme, or users that fail to obtain a DHCP IP assignment, from connecting to the SSID. |
691411 |
Ensure EMS logs are recorded for dynamic address related events under Log & Report > Events > SDN Connector Events logs:
|
691676 |
Wireless controller now supports NAC profiles to onboard wireless clients into default VLANs. It can also apply NAC policies to match clients based on device properties, user groups or EMS tags, and assign clients to specific VLANs. VLAN sub-interfaces based on the VAP interfaces are used for the VLAN assignment. |
691693 |
The performance of updates between the FortiGate and FortiClient EMS is improved by using WebSockets. On supported FortiClient EMS firmware, the FortiGate can open a WebSocket connection with EMS to register for notifications about system information, host tags, avatars, and vulnerabilities. When these tables are updated, EMS pushes notifications to the corresponding FortiGate. The FortiGate then fetches the updated information using the REST API. |
691902 |
Support pulling malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV is enabled with block or monitor actions. |
692272 |
Add DNS filtering support in flow inspection mode. In FortiOS 6.4, the DNS proxy daemon handles the DNS filter in flow and proxy mode policies. Starting in 7.0, the IPS engine handles the DNS filter in flow mode policies. All features previously supported in the DNS filter profile are supported in flow mode. |
693799 |
Add the following enhancements for
|
694102 |
Improve the session in/out dev handling when the session is dirty, re-routing occurs, and so on. Avoid clearing the session in/out dev, and only update it when it changes. |
694148 |
Support file filter profile in a one-arm sniffer policy in the GUI and CLI. |
694839 |
GCP PAYG instances can obtain FortiCare generated licenses upon a new deployment, or by the command line ( |
695259 |
Adds support for DNS over TLS (DoT) and DNS over HTTPS (DoH) in DNS inspection. Prior to 7.0, DoT and DoH traffic silently passed through the DNS proxy. In 7.0, WAD is able to handle DoT and DoH, and redirect DNS queries to the DNS proxy for further inspection. config firewall ssl-ssh-profile edit "dot-deep" config dot set status deep-inspection set client-certificate bypass set unsupported-ssl-cipher allow set unsupported-ssl-negotiation allow set expired-server-cert block set revoked-server-cert block set untrusted-server-cert allow set cert-validation-timeout allow set cert-validation-failure block end next end |
695855 |
In the wireless controller settings, add options to specify the delimiter used for various RADIUS attributes for RADIUS MAC authentication and accounting. The options are hyphen, single-hyphen, colon, or none. config wireless-controller vap edit <name> set mac-username-delimiter {hyphen | single-hyphen | colon | none} set mac-password-delimiter {hyphen | single-hyphen | colon | none} set mac-calling-station-delimiter {hyphen | single-hyphen | colon | none} set mac-called-station-delimiter {hyphen | single-hyphen | colon | none} set mac-case {uppercase | lowercase} next end |
695972 |
Remove the FortiGuard Accept push updates option. On 2U models and larger (excluding VMs), the Immediately download updates option has been added. This allows the FortiGate to form a secure persistent connection with FortiGuard to get notifications of new updates. Once notified, the FortiGate can download the updates immediately. |
695983 |
In a scenario where a tunnel mode SSID or a VLAN sub-interface of an SSID is bridged with other interfaces via a software switch, support is added to allow captive portal authentication on the SSID or VLAN sub-interface. This requires that |
698239 |
Introduce GUI support for configuring Zero Trust Network Access. ZTNA is a method of access control that utilizes zero-trust tags and various authentication methods to provide role-based application access. In full ZTNA mode, users can securely connect to the FortiGate access proxy over HTTPS to connect to protected resources. |
698462 |
Add the ability to perform SD-WAN passive WAN health measurement, which reduces the amount of configuration required and decreases the traffic that is produced by health check monitor probes doing active measurements. The passive and prefer-passive detection modes rely on session information captured in firewall policies with config system sdwan config health-check edit <name> set detect-mode {active | passive | prefer-passive} next end end config firewall policy edit <id> set passive-wan-health-measurement {enable | disable} next end |
699161 |
Allow service assurance management (SAM) mode to be configured from the CLI where a radio is designated to operate as a client and perform tests against another AP. Ping and iPerf tests can run on an interval and the results are captured in the Wi-Fi event logs. This allows the FortiGate to verify and assure an existing Wi-Fi network can provide acceptable services. |
699231 |
In ZTNA, the integration between FortiClient EMS and the FortiGate is extended so the device identity and device trust context is established through client certificates and other information shared between the three entities. When a FortiClient endpoint registers to FortiClient EMS, it requests and obtains a client device certificate signed by the EMS certificate authority. Information about the endpoint device and the certificate is synchronized to the FortiGate. When the endpoint attempts to connect to the access proxy, the client is prompted to provide its certificate, which is verified by the FortiGate to establish a trusted relationship. |
699232 |
In ZTNA, the FortiGate access proxy can apply SAML authentication to authenticate the client. The FortiGate will act as the SAML SP, while a SAML authenticator will serve as the IdP. In addition to verifying user and device identity using the client certificate, you can also authorize the user based on user credentials to establish a trust context before granting access to the protected resource. |
699233 |
Once the client certificate is obtained by the endpoint, and endpoint information is synchronized between the FortiGate and FortiClient EMS, the client is ready to establish a connection to the FortiGate access proxy. By default, client certificate authentication is enabled on the access proxy, so when the HTTPS request comes in, the FortiGate's WAD process will challenge the client to identify itself with its certificate. Based on the client response, WAD will allow or block further processing by the ZTNA proxy rule. |
699234 |
In ZTNA, an HTTPS access proxy functions as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context before granting access to the protected resource. |
699235 |
In ZTNA, a TCP forwarding access proxy (TFAP) functions in two parts. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS. Then, it verifies user identity, device identity, and trust context before forwarding the TCP traffic to the protected resource. |
701185 |
Support DoT and DoH in explicit mode, where FortiGate acts as an explicit DNS server listening for DoT and DoH requests. Add support for local-out DNS traffic over TLS and HTTPS. |
701812 |
With the Fabric Connector Event trigger, any supported Fabric connector is able to trigger an automation stitch on the FortiGate based on a specific event defined on the Fabric connector. Currently, only FortiDeceptor 4.1 supports this trigger for the Insider Threat, Notify Ban, and Notify Unban events. |
701819 |
The DNP3 application signature dissector supports detecting DNP3 traffic that is encapsulated by the RealPort protocol (Net.CX). DNP3 is used in industrial solutions over serial ports, USB ports, printers, and so on. RealPort encapsulation allows transportation of the underlying protocols over TCP/IP. The FortiGate industrial signatures must be enabled to use RealPort.DNP3 signatures. |
705248 |
The new GUI retro theme showcases a style of FortiOS paying homage to FortiOS 3.0. To enable it, go to System > Settings. Under View Settings, for Theme, select FortiOS v3 Retro. |
706387 |
Support different sizes of the C5d instance type, which is currently the only C5 class instance available for AWS Outposts. Both FortiGate listings (BYOL and PAYG) are supported in the AWS marketplace. |