Changes in CLI

Bug ID

Description

750230

Add support for up to 30 virtual clusters (previously, only two were supported). The vcluster2 and config secondary-vcluster settings have been replaced.

config system ha
    set vcluster-status enable
    config vcluster
        edit <id>
            ...
        next
    end
end

773524

Add option to configure whether the banned IP list persists through a power cycle.

config firewall global
    set banned-ip-persistency {disabled | permanent-only | all}
end

The diagnose user quarantine <parameter> command has changed to diagnose user banned-ip <parameter>.

789554

Consolidate the FGSP settings by moving the previous config system cluster-sync settings into a subtable under config system standalone-cluster.

Old syntax:

config system cluster-sync
    edit <id>
        set peervd <VDOM>
        set peerip <address>
        set syncvd <VDOM>
        config session-sync-filter
            ...
        end
    next
end

New syntax:

config system standalone-cluster
    config cluster-peer
        edit <id>
            set peervd <VDOM>
            set peerip <address>
            set syncvd <VDOM>
            config session-sync-filter
                ...
            end
        next
    end
end

795943

NetFlow collector and source IPs can be configured as an IPv4 or IPv6 address. This is supported in VDOM mode within global and VDOM configurations.

config system netflow
    set collector-ip <IPv4/IPv6_address>
    set source-ip <IPv4/IPv6_address>
end

798305

For non-hyperscale VDOMs, extend the maximum PBA timeout to 86400 seconds (3 - 86400, default = 30):

config firewall ippool
    edit <name>
        set pba-timeout <integer>
    next
end

For CGNAT cases, extending the PBA timeout allows PBA logs to be generated less frequently on the FortiGate.

799832

For webhook, aws-lambda, azure-function, google-cloud-function, and alicloud-function automation actions, change the headers attribute to an http-headers configurable subtable (instead of a PARSE_F_MEMBER attribute), so that each subtable entry is a key-value pair whose strings can be of variable size.

config system automation-action
    edit <name>
        set action-type {webhook | aws-lambda | azure-function | google-cloud-function | alicloud-function}
        config http-headers
            edit 1
                set key <string>
                set value <string>
            next
            edit 2
                set key <string>
                set value <string>
            next
        end
    next
end

801707

Remove the ike-monitor, ike-monitor-interval, ike-heartbeat-interval, and ike-use-rfc6311 settings from config system cluster-sync.

816604

Remove the purge command under endpoint-control fctems.
