New features or enhancements
More detailed information is available in the New Features Guide.
Cloud
See Public and private cloud in the New Features Guide for more information.
Feature ID |
Description |
---|---|
855561 |
Use API endpoint domain name from instance metadata to support FortiOS VM OCI DRCC region. |
860965 |
Support the AWS T4g instance family with the FG-ARM64-AWS firmware image. Support the AWS C6a and C6in instance families with the FG-VM64-AWS firmware image. |
868592 |
Support Saudi Cloud Computing Company (SCCC) and alibabacloud.sa domain (a standalone cloud backed by AliCloud). |
881186 |
Support deploying VMware FortiGate VMs directly as a Zero Trust Application Gateway using the OVF template (.vapp). ZTNA related parameters such as EMS server, external and internal interface IPs, and application server mapping can be configured during OVF deployment. ZTNA policies, authentication schemes, rules, and user groups are also bootstrapped. |
881898 |
Support the new AWS C7gn instance family with the FG-ARM64-AWS firmware image. |
888303 |
Upgrade the AWS ENA network interface driver to 2.8.3. |
894654 |
Support UEFI Preferred boot mode on AWS FortiGate VM models with instance types that support |
926152 |
Support AWS Snowball Edge (SBE) devices, which are compute and storage resources at the Edge with limited connection or air-gapped entirely. |
GUI
See GUI in the New Features Guide for more information.
Feature ID |
Description |
---|---|
761507 |
In the Top FortiSandbox Files FortiView monitor, it is possible to drill down on a submitted file, and view its static and dynamic file analysis. It is possible to download the full FortiSandbox report in PDF format. This feature works with FortiGate Cloud Sandbox, FortiSandbox Cloud, and FortiSandbox appliance. FortiSandbox must be running version 3.2.1 or later. |
766712 |
Improve the FortiOS user experience by adding more integration of support resources for troubleshooting. Online guides, FortiOS documentation, and additional support can be accessed straight from the help menu. The FortiAnswers community can be accessed within the FortiOS interface by clicking on the link at the bottom of the global search results. |
Hyperscale
Feature ID |
Description |
---|---|
836653 |
On FortiGates licensed for hyperscale firewall features, the following diagnose commands display summary information for IPv4 or IPv6 hardware sessions. # diagnose sys npu-session list-brief # diagnose sys npu-session list-brief6 |
LAN Edge
See LAN Edge in the New Features Guide for more information.
Feature ID |
Description |
---|---|
541626 |
Support retrieving and displaying DHCP option 82 data from managed FortiSwitches. The serial number and VLAN are required, the port is optional. Managed FortiSwitches must be running FortiSwitch 7.2.2 or later, and the managed FortiSwitches must be configured with DHCP option 82 settings. |
541631 |
Support DHCP option 82 configuration options in the switch controller settings including circuit ID, remote ID, and other general settings used for DHCP snooping on managed FortiSwitches. config switch-controller global set dhcp-option82-format {ascii | legacy} set dhcp-option82-circuit-id {intfname vlan hostname mode description} set dhcp-option82-remote-id {hostname ip mac} set dhcp-snoop-client-req {forward-untrusted | drop-untrusted} set dhcp-snoop-client-db-exp <integer> set dhcp-snoop-db-per-port-learn-limit <integer> end Managed FortiSwitches must be running FortiSwitch 7.2.2 or later. |
769722 |
Allow a managed FortiSwitch ID to be edited and store the device serial number as a new read-only field. config switch-controller managed-switch edit <id> set sn <serial_number> next end The device ID can be configured to a maximum of 16 alphanumeric characters, including dashes (-) and underscores (_). Some related |
805867 |
Increase the number of supported NAC devices to 48 times the maximum number of FortiSwitch units supported on that FortiGate model. |
844011 |
In managed FortiSwitch switch controller CLI commands, allow a user-configurable access control list (ACL) per port on a managed FortiSwitch to control user/system access to particular resources: config switch-controller acl ingress edit <id> config action set drop {enable | disable} end config classifier set dst-ip-prefix <ip_netmask> set src-mac <MAC_address> end next end config switch-controller acl group edit <name> set ingress <id> next end config switch-controller managed-switch edit <switch_id> config ports edit <name> set acl-group <name> next end next end The user-configurable ACL will be assigned to ACL group 3 in FortiSwitch. Since the range of group identifiers varies among FortiSwitch platforms, platforms that do not support group 3 may not be supported. The user-configurable ACL may conflict with an ACL implemented by other managed FortiSwitch features. |
852280 |
Add the ability to perform multi-processing for the wireless daemon that handles all WPA authentication requests (wpad_ac) by allowing users to specify the config wireless-controller global set wpad-process-count <integer> end |
852998 |
Wi-Fi 5 GHz UNII-3 channels (149, 153, 157, 161, and 165) are allowed in European countries and region code E countries (with a few exceptions). |
860247 |
Add option in config wireless-controller wtp-profile edit <name> set dtls-policy {clear-text | dtls-enabled | ipsec-vpn | ipsec-vpn-sn} next end |
866172 |
The local radio of FortiWiFi-8xF, 6xF, and 40F models when operating in client mode is now capable of connecting with a third-party SSID using WPA3-SAE or OWE security mode. This provides a more secure and robust wireless connection, ensuring data integrity and privacy. config system interface edit <name> config wifi-networks edit <id> set wifi-ssid <string> set wifi-security {wpa3-sae | owe} set wifi-passphrase <password> next end next end |
866173 |
FortiAP 431G and 433G models operating in single 5G mode can make use of the UNII-4 frequency band, 5.85 GHz - 5.925 GHz. Additional channels 169, 173, and 177 are provided to the user in the 5 GHz radio. |
866174 |
The config wireless-controller wtp-profile edit <name> config radio-1 set optional-antenna {none | FANT-04ABGN-0606-O-R | FANT-04ABGN-0606-P-R} end next end |
867444 |
Add support for enforcing a maximum number of FortiExtender devices in LAN extension mode per FortiGate platform. Support for enforcing a maximum number of FortiExtender devices in WAN extension mode per FortiGate platform was added in a previous version of FortiOS. |
869610 |
Add CLI support for WPA3-SAE security mode for FortiAP wireless mesh backhaul SSIDs: config wireless-controller vap edit <name> set mesh-backhaul enable set ssid <string> set security wpa3-sae set pmf enable set sae-h2e-only enable set schedule <string> set sae-password <password> next end Add support for Wi-Fi 6E FortiAP devices to configure mesh connections on 6 GHz bands using WPA3-SAE with H2E only enabled. |
877392 |
When a FortiExtender is configured as a FortiGate LAN extension and has two uplinks to the FortiGate access controller (AC), add the ability to perform a fast failover of the CAPWAP LAN extension control channel. Two CAPWAP sessions are established between the FortiGate and the FortiExtender: one is active, the other is in standby. When the active uplink goes down, CAPWAP quickly switches to the other uplink. When the previously active uplink comes back up, CAPWAP continues to use the previously standby uplink that was used for the failover event as the control channel. To display the active and standby sessions for the CAPWAP LAN extension control channel: |
884375 |
Add support for FAP-234G management. |
901451 |
Add Miracast service option in |
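The two DHCP option 82 entries above (541626 and 541631) describe displaying option 82 data from managed FortiSwitches and choosing an ASCII or legacy format for the circuit ID and remote ID. The following is an added illustration, not FortiOS or FortiSwitch code: a small decoder for the Relay Agent Information option (option 82, RFC 3046) that extracts the circuit ID (sub-option 1) and remote ID (sub-option 2) from a DHCP options area, and renders a printable circuit ID as text and a binary one as hex. The packet bytes, port/VLAN string and MAC address are constructed sample values.

```python
"""Decode DHCP option 82 (Relay Agent Information, RFC 3046).

Added example, not FortiOS/FortiSwitch code. Shows the circuit-ID
(sub-option 1) and remote-ID (sub-option 2) TLVs a relay or snooping
switch inserts; all packet bytes below are constructed sample data."""
from typing import Dict, Optional

OPTION_PAD = 0
OPTION_END = 255
OPTION_MSG_TYPE = 53
OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_tlvs(data: bytes, *, pad_end: bool) -> Dict[int, bytes]:
    """Walk a TLV sequence (DHCP options or option 82 sub-options).

    DHCP options use one-byte PAD/END markers; sub-options do not, so the
    caller says which rules apply. A truncated TLV raises instead of being
    silently accepted."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if pad_end and code == OPTION_END:
            break
        if pad_end and code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"truncated header for code {code}")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"code {code} declares {length} bytes, got {len(value)}")
        out[code] = value
        i += 2 + length
    return out


def decode_printable(raw: bytes) -> str:
    """ASCII-format IDs are shown as text; binary (legacy) ones as hex."""
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def decode_remote_id(raw: bytes) -> str:
    """A 6-byte remote ID is conventionally the relay's MAC address."""
    if len(raw) == 6:
        return ":".join(f"{b:02x}" for b in raw)
    return decode_printable(raw)


def parse_option82(options: bytes) -> Optional[Dict[str, str]]:
    """Return decoded circuit/remote IDs, or None if option 82 is absent."""
    opts = parse_tlvs(options, pad_end=True)
    if OPTION_RELAY_AGENT_INFO not in opts:
        return None
    subs = parse_tlvs(opts[OPTION_RELAY_AGENT_INFO], pad_end=False)
    result: Dict[str, str] = {}
    if SUBOPT_CIRCUIT_ID in subs:
        result["circuit_id"] = decode_printable(subs[SUBOPT_CIRCUIT_ID])
    if SUBOPT_REMOTE_ID in subs:
        result["remote_id"] = decode_remote_id(subs[SUBOPT_REMOTE_ID])
    return result


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the two sub-options the way a relay agent would insert them."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


# Constructed sample: a DHCPDISCOVER options area with an ASCII circuit ID
# ("<port>:<vlan>") and the relay's MAC as remote ID, terminated by END.
SAMPLE_ASCII = (bytes([OPTION_MSG_TYPE, 1, 1])
                + build_option82(b"port1:vlan100", bytes.fromhex("001122334455"))
                + bytes([OPTION_END]))

# Constructed sample in a binary "legacy" style: the circuit ID carries
# VLAN 100 and port 1 as big-endian integers rather than text.
SAMPLE_LEGACY = (bytes([OPTION_MSG_TYPE, 1, 1])
                 + build_option82(bytes.fromhex("000400640001"),
                                  bytes.fromhex("001122334455"))
                 + bytes([OPTION_END]))

if __name__ == "__main__":
    print(parse_option82(SAMPLE_ASCII))
    print(parse_option82(SAMPLE_LEGACY))
```

The decoder refuses truncated TLVs rather than reading past the declared length, which is the check to keep when feeding captured DHCP traffic to it; the displayed circuit ID depends only on whether the bytes are printable, so an ASCII-format switch shows `port1:vlan100` while a legacy-format one shows the hex of the same port and VLAN.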
Log & Report
Feature ID |
Description |
---|---|
780571 |
Add Logs Sent Daily chart for remote logging sources (FortiAnalyzer, FortiGate Cloud, and FortiAnalyzer Cloud) to the Logging & Analytics Fabric Connector card within the Security Fabric > Fabric Connectors page and to the Dashboard as a widget for a selected remote logging source. |
Network
See Network in the New Features Guide for more information.
Feature ID |
Description |
---|---|
764122 |
Enable VLAN switch for FG-81F-POE. |
784626 |
Add Multiprotocol Border Gateway Protocol Ethernet Virtual Private Network (MP-BGP EVPN) support for VXLAN, which allows for learning MAC addresses in a way that is more suitable for large deployments than flood-and-learn. MP-BGP EVPN is a standards-based control plane that supports the distribution of attached host MAC and IP addresses using MP-BGP, namely, using the EVPN address family and MAC addresses treated as routing entries in BGP. As a control plane that is separate from the data plane, MP-BGP EVPN avoids flood-and-learn in the network, and the wide use of BGP as an external gateway protocol on the internet proves its ability to scale well with large deployments. MP-BGP EVPN supports the following features: |
812329 |
Support DVLAN mode 802.1ad and 802.1Q on NP7 platforms over a virtual wire pair, which provides better performance and packet processing. |
829476 |
Support secure explicit web proxy with HTTPS connections between web clients and the FortiGate. config web-proxy explicit set secure-web-proxy {disable | enable | secure} set secure-web-proxy-cert <certificate1> <certificate2> ... set ssl-dh-bits {768 | 1024 | 1536 | 2048} end |
838346 |
Add the subscriber RSSO user and authentication server information associated with PBA sessions logs to the corresponding PBA creation event logs since these details are helpful for identifying users in CGNAT applications. |
844004 |
Interfaces with a LAN role, wireless network interfaces ( config system ipam set status {enable | disable} set automatic-conflict-resolution {enable | disable} set manage-lan-addresses {enable | disable} set manage-lan-extension-addresses {enable | disable} set manage-ssid-addresses {enable | disable} end When a config system interface edit <name> set ip-managed-by-fortiipam {enable | disable | inherit-global} next end |
846399 |
Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved. |
858436 |
BGP conditional advertisement allows the router to advertise a route only when certain conditions are met. Add capability on the FortiGate to cross-check prefixes and make conditional advertisements between IP address families, namely, to conditionally advertise an IPv6 prefix when an IPv4 prefix is present, or vice-versa. A global option is added in the BGP configuration settings. config router bgp set cross-family-conditional-adv {enable | disable} end The |
860256 |
Support configuring DHCP relays on interfaces with secondary IP addresses. The FortiGate will track the number of unanswered DHCP requests for a client on the interface's primary IP. After three unanswered DHCP requests, the FortiGate will forward DHCP requests to DHCP relays configured under the secondary IP using the secondary IP address as the source. After three unanswered DHCP requests, the FortiGate will return to using the primary IP and restart the process. This feature is configured by setting DHCP relay targets under both the primary and secondary IP may be the same or unique. If smart relay is not configured, all requests are forwarded using the primary IP address on the interface. |
861745 |
Add GUI support for multiple DDNS interfaces. The visibility of DDNS entries in the GUI is no longer tied to the requirement of using the FortiGuard DNS server. |
868091 |
The DHCP shared subnet feature allows the FortiGate to act as a DHCP server that assigns IP ranges in different subnets to requests coming from the same DHCP relay agent. For example, clients on the same interface or VLAN requesting IP addresses from the DHCP relay will have their requests relayed to the FortiGate. The FortiGate may have more than one server and pool associated with the relay agent, and it assigns IP addresses from the second server when the first one is exhausted. config system dhcp server edit <id> set shared-subnet {enable | disable} set relay-agent <IP_address> next end |
875169 |
Add capability for the FortiGate to manage the broadcast flag for its DHCP client. This feature is enabled by default. config system interface edit <name> set mode dhcp set dhcp-broadcast-flag {enable | disable} next end |
875468 |
Enhance logging for explicit proxy traffic to improve troubleshooting the HTTP proxy status for each HTTP transaction: |
876182 |
FortiGates have the ability to signal the LAG interface status to the peer devices when available links fall below the number of |
888378 |
On FortiGates with a cellular modem and dual SIM support, support real-time switching to passive SIM when any of the following issues arise with the active SIM: config system lte-modem config sim-switch set by-sim-state {enable | disable} set by-connection-state {enable | disable} set by-link-monitor {enable | disable} set link-monitor <string> set sim-switch-log-alert-interval <integer> set sim-switch-log-alert-threshold <integer> set modem-disconnection-time <integer> end end |
Operational Technology
See Operational Technology in the New Features Guide for more information.
Feature ID |
Description |
---|---|
851994 |
Add option to set/unset the config system interface edit <name> set default-purdue-level {1 | 1.5 | 2 | 2.5 | 3 | 3.5 | 4 | 5 | 5.5} next end By default, the |
Policy & Objects
See Policy and objects in the New Features Guide for more information.
Feature ID |
Description |
---|---|
740416 |
Improve the backend of the FortiOS GUI to speed up loading of a large number of policies. This is achieved by only loading the necessary data when needed, rather than loading all the data at once. This can significantly improve performance and reduce the time it takes to load a large number of policies. A new layout has also been added for the policy list with the option to choose between the new layout and the old layout. |
795814 |
The FortiGate has the ability to process Ethernet frames with both the Cisco Security Group Tag and VLAN tag. |
795908 |
Add scanunit support for learning mode. The scanunit provides a more powerful file detection mechanism through full-scanning in learning mode. This improves the accuracy of the IPS engine in detecting malicious files. |
823710 |
Supports the Port Control Protocol (PCP) by allowing the FortiGate to act as a PCP server and dynamically manage network addresses and port translations for PCP clients. The PCP server must be enabled with a pool ( |
838344 |
A route tag ( |
838363 |
Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information. config system global set internet-service-database on-demand end |
838535 |
Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP. |
869833 |
Support address exclusion in firewall address groups for IPv6. config firewall addrgrp6 edit <name> set member <name1>, <name2>, ... set exclude {enable | disable} set exclude-member <name1>, <name2> ,... next end |
875307 |
Traffic shaping now supports the following: |
875309 |
A port block allocation (PBA) IP pool for NAT64 traffic can be configured in the CLI. config firewall ippool edit <name> set type port-block-allocation set nat64 enable next end PBA support for NAT64 is supported for FortiGates with a hyperscale firewall license. This feature has been added to mainstream FortiOS to make it available to non-hyperscale customers, including customers running a VM version of FortiOS. Hyperscale firewall logging is designed for optimal performance and does not have the same detailed logging features as are available for non-hyperscale traffic. |
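Entry 869833 above adds exclusion (`exclude-member`) to IPv6 address groups. The following is an added example, not FortiOS code, that models the resulting match semantics offline: an address is covered by the group when it falls inside at least one member prefix and inside no excluded prefix, and the effective coverage can be expanded into the prefixes that remain after exclusion. The member and exclude prefixes are constructed sample values.

```python
"""Model IPv6 address-group exclusion semantics.

Added example, not FortiOS code. Members and excludes are constructed
sample prefixes; the logic shows how an exclusion narrows a group."""
import ipaddress
from typing import Iterable, List

IPv6Net = ipaddress.IPv6Network


def parse_prefixes(prefixes: Iterable[str]) -> List[IPv6Net]:
    """strict=False lets a host address like 2001:db8::1/64 stand for its prefix."""
    return [ipaddress.IPv6Network(p, strict=False) for p in prefixes]


def group_matches(addr: str, members: Iterable[str], exclude: Iterable[str] = ()) -> bool:
    """True when addr is inside some member and inside no excluded prefix."""
    ip = ipaddress.IPv6Address(addr)
    if not any(ip in net for net in parse_prefixes(members)):
        return False
    return not any(ip in net for net in parse_prefixes(exclude))


def effective_ranges(members: Iterable[str], exclude: Iterable[str]) -> List[IPv6Net]:
    """Expand members minus excludes into the prefixes that remain matched.

    Handles the three overlap cases: an exclude inside a member carves it
    up, an exclude covering a member removes it, and a non-overlapping
    exclude changes nothing."""
    remaining = parse_prefixes(members)
    for ex in parse_prefixes(exclude):
        carved: List[IPv6Net] = []
        for net in remaining:
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # empty if ex == net
            elif net.subnet_of(ex):
                continue  # member entirely swallowed by the exclusion
            else:
                carved.append(net)
        remaining = carved
    return sorted(remaining)


# Constructed sample group: a /48 and a /64 member, one /64 excluded.
MEMBERS = ["2001:db8:1::/48", "2001:db8:2::/64"]
EXCLUDE = ["2001:db8:1:10::/64"]

if __name__ == "__main__":
    for host in ("2001:db8:1:5::1", "2001:db8:1:10::1", "2001:db8:3::1"):
        print(host, group_matches(host, MEMBERS, EXCLUDE))
    print(len(effective_ranges(MEMBERS, EXCLUDE)), "effective prefixes")
```

Carving a single /64 out of a /48 leaves 16 prefixes (one each from /49 down to /64), which is a useful reminder that an excluded subnet can multiply the number of entries a policy engine has to evaluate even though the configuration shows only two lines.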
SD-WAN
See SD-WAN in the New Features Guide for more information.
Feature ID |
Description |
---|---|
838343 |
In an SD-WAN hub and spoke configuration where ADVPN is used, when a primary shortcut goes out of SLA, traffic switches to the backup shortcut. During idle timeout, sessions will prefer using the primary parent tunnel and try to establish a new primary shortcut. However, because it is out of SLA, traffic switches back to the backup shortcut, which causes unnecessary traffic interruption. Add the config system sdwan config service edit <id> set shortcut-stickiness {enable | disable} next end end |
841590 |
When using FortiMonitor to detect advanced SD-WAN application performance metrics, the FortiGate can log these statistics. These logs can be sent to FortiAnalyzer and FortiManager for review and reporting. The log sending frequency is measured in seconds (0 - 3600, default = 0). config system sdwan set app-perf-log-period <integer> end |
864074 |
Allow better control over the source IP for local-out traffic used by each egress interface by allowing a preferred source IP to be defined in the following scenarios. |
864130 |
Add support for traffic classification on SLA probes to ensure they are prioritized in times of congestion. The config system sdwan config health-check edit <name> set class-id <integer> next end end |
869198 |
Make the health check sensitive enough to detect small amounts of packet loss by decreasing the link monitor check interval and probe timeout minimum limit down to 20 ms, which will significantly impact VOD/voice. |
872934 |
When ADVPN is configured on a FortiGate spoke along with maximize bandwidth (SLA) or config system sdwan config service edit <id> set mode load-balance set dst <name> config sla edit <name> set id <integer> next end set priority-members <seq_num1>, <seq_num2>, ... set tie-break fib-best-match next end end |
879047 |
Steer multicast traffic by SD-WAN rules. When an SD-WAN member is out of SLA, multicast traffic can fail over to another member, and switch back when SLA recovers. To use this feature in SD-WAN: config router multicast config pim-sm-global set pim-use-sdwan {enable | disable} end end This feature does not support ADVPN. The following setting is added to disable the use of shortcuts. config system sdwan config service edit <id> set shortcut {enable | disable} next end end |
884773 |
In the SD-WAN with ADVPN use case, two spokes can communicate with each other on the control plane by an ADVPN shortcut. In order to separate the control traffic from data traffic, the IKE creates a dynamic selector for health check packets sent between the spokes. BGP traffic is also matched by this dynamic IKE selector. Therefore, when spokes establish BGP peering with other spokes, the BGP traffic does not count towards the data traffic and will not impact IPsec idle timeout and shortcut tunnel tear down. |
886108 |
VRFs and sources can be configured in SD-WAN IPv6 health checks. config system sdwan config health-check edit <name> set addr-mode ipv6 set vrf <vrf_id> set source6 <IPv6_address> next end end |
Security Fabric
See Security Fabric in the New Features Guide for more information.
Feature ID |
Description |
---|---|
785104 |
Add the ability to set multiple regions and compartments for a single OCI SDN connector. This reduces the number of SDN connectors needed for any given OCI environment that uses multiple regions and multiple compartments. |
799982 |
Support adding FortiClient EMS and FortiClient EMS Cloud on a per-VDOM basis. Enabling override is necessary to add an EMS server for each VDOM. config endpoint-control settings set override {enable | disable} end |
839877 |
FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can grant permission to FortiPolicy to perform firewall address and policy changes. Two security rating tests for FortiPolicy have been added to the Security Posture scorecard. |
856405 |
Add MAC Address external connector threat feed. A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and MAC OUIs. The list is periodically updated from an external server and stored in text file format on an external server. After the FortiGate imports this list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source or destination address. |
Security Profiles
See Security profiles in the New Features Guide for more information.
Feature ID |
Description |
---|---|
766158 |
Introduce a multi-tiered approach to determining the action taken on a video. The channel filter is checked first, and if the video's channel matches a configuration entry, the corresponding action is taken. If not, the FortiGuard category filter is checked and the corresponding action is taken if the video's category matches a configuration entry. If neither of these conditions are met, the default action specified in the video filter profile is used. Logging is also enabled by default. config videofilter profile edit <name> set default-action {allow | monitor | block} set log {enable | disable} next end |
780875 |
Support OT/IoT virtual patching on NAC policies by enabling the category as a Vulnerability and setting the match criteria based on severity. Devices that match the criteria can be assigned and isolated to a NAC VLAN. |
829478 |
Improve replacement message displayed for YouTube videos blocked by video filtering. When a user visits a video directly by URL, a full-page replacement message is displayed. When a user loads a video from YouTube, the page will load but the replacement message will display in the video frame. |
854704 |
FortiGate VMs with eight or more vCPUs can be configured to have a minimum of eight cores to be eligible to run the full extended database (DB). Any FortiGate VM with less than eight cores will receive a slim version of the extended DB. This slim-extended DB is a smaller version of the full extended DB, and it is designed for customers who prefer performance. |
System
See System in the New Features Guide for more information.
Feature ID |
Description |
---|---|
739200 |
When using For security updates, allow a FortiGate with an expired support contract to perform a firmware upgrade to a higher patch build such as from FortiOS 7.4.0 to 7.4.1. |
749989 |
FortiGates, FortiSwitches, FortiAPs, and FortiExtenders can download an EOS (end of support) package automatically from FortiGuard during the bootup process or by using manual commands. Based on the downloaded EOS package files, when a device passes the EOS date, a warning message is displayed in the device's tooltip, and the device is highlighted in the GUI. The End-of-Support security rating check rule audits the EOS of FortiGates and Fabric devices. This allows administrators to have clear visibility of their Security Fabric, and help prevent any security gaps or vulnerabilities that may arise due to any devices that are past their hardware EOS date. |
754765 |
Add FortiConverter option in the FortiOS GUI. This provides an integrated solution for migrating configurations to a new or older FortiGate appliance directly from the FortiGate itself, without the need to access the FortiConverter portal. |
836287 |
Support adding YAML to the file name when backing up the config as YAML, and detecting file format when restoring the configuration. The In the GUI, the File format field has been removed from the Restore system Configuration page. |
852279 |
Add FortiGuard DLP service that offers a database with categorized predefined DLP data type patterns such as: When enabled, the DLP database (DLDB) is downloaded to the FortiGate and its predefined patterns can be configured in DLP profiles. config system fortiguard set update-dldb {enable | disable} end |
852284 |
Add config system dns set fqdn-max-refresh <integer> end |
854405 |
Add amperage and wattage sensors for PSU power consumption. The new sensors can be shown from the REST API, GUI, SNMP, and CLI. |
855520 |
Harden REST API and GUI access. |
868163 |
Implement real-time file system integrity checking in order to: |
868164 |
Implement BIOS-level signature and file integrity checking by enforcing each FortiOS GA firmware image, AV engine files, and IPS engine files to be dually-signed by the Fortinet CA and a third-party CA. The BIOS verifies that each file matches their secure hash as indicated by their certificates. Users are warned when there is a failed integrity check, and the system may be prevented from booting depending on the severity and the BIOS security level. |
875306 |
Add new command to compute the SHA256 file hashes for each file in a directory. # diagnose sys filesystem hash |
882815 |
Local system administrator usernames are required to follow these naming conventions: The new rules are enforced for new administrator users and when renaming existing administrator users. |
894191 |
Improve GUI memory consumption for FortiGates with 2 GB of RAM or less. |
User & Authentication
See Authentication in the New Features Guide for more information.
Feature ID |
Description |
---|---|
843996 |
Add support for RADSEC clients in order to secure the communication channel over TLS for all RADIUS traffic, including RADIUS authentication and RADIUS accounting over port 2083. This enhancement also adds support for TCP connections, which use port 1812 for authentication and port 1813 for accounting. config user radius edit <name> set transport-protocol {udp | tcp | tls} set ca-cert <string> set client-cert <string> set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2} set server-identity-check {enable | disable} next end |
857597 |
Simplify the activation of FortiToken Cloud trials by allowing administrators to activate free trials directly in the FortiGate GUI. This can be performed while enabling two-factor authentication within a user or administrator configuration, or from the System > FortiGuard page. |
VPN
See IPsec and SSL VPN in the New Features Guide for more information.
Feature ID |
Description |
---|---|
827018 |
Update the SSL VPN web portal page layout with Neutrino styling: |
827464 |
The FortiGate device ID is carried by the IKEv2 message NOTIFY payload when it is configured. config vpn ipsec phase1-interface edit <name> set dev-id-notification enable set dev-id <string> next end |
857394 |
Enhance the FortiGate with a Key Management Interoperability Protocol (KMIP) client that sends KMIP requests to locate the KMS server, creates keys if they do not exist on the KMS server, and retrieves keys from the Key Management Services (KMS) server for use as IPsec security association (SA) keys for IKEv2 only. The FortiGate acting as the responder will try to locate keys on the KMS server first. If they do not exist, the FortiGate requests to create new keys on the KMS server. The responder sends the key names to the FortiGate acting as the initiator using IKE messages, and the initiator locates and retrieves keys from the KMS server using the key names. The config vpn kmip-server edit <name> config server-list edit <id> set server <server_IP> set cert <string> next end set username <username_defined_on_KMS_server> set password <password> next end config vpn ipsec phase1-interface edit <name> set kms <server_ID> next end The following diagnostic commands have been added: # get vpn ike kms-keys # diagnose debug application kmipd -1 # execute kmip <parameter> |
862145 |
Allow SSL VPN web mode users to log in to the web portal and be redirected to a custom landing page. The new landing page accepts SSO credentials and SSO from form data. This allows administrators to streamline web application access for their users. The custom redirected portal can also listen for a logout URL so that when users log out from the web application, they are also logged out from the SSL VPN web connection. Settings can be configured on the VPN > SSL-VPN Portals page when creating or editing a portal entry. In the Web Mode section, set Landing page to Custom. |
865022 |
Update the SSL VPN web login page and portal with Fortinet corporate styling. Fortinet branding elements are incorporated into each theme. Some changes include: |
866412 |
Add user group information to the Dashboard > SSL-VPN Monitor page. |
868222 |
Support IPv6 source IP address for communications to the OCSP server. config vpn certificate ocsp-server edit <name> set source-ip <IPv4/IPv6_address> next end |
881903 |
Adjust the DTLS heartbeat parameters for SSL VPN. This improves the success rate of establishing a DTLS tunnel in networks with congestion or jitter. config vpn ssl settings set dtls-heartbeat-idle-timeout <integer> set dtls-heartbeat-interval <integer> set dtls-heartbeat-fail-count <integer> end The default value for these attributes is 3 seconds, which is also the minimum allowable value. The maximum allowable value for these attributes is 10 seconds. |
884772 |
Securely exchange serial numbers between FortiGates connected with IPsec VPN. This feature is supported in IKEv2, IKEv1 main mode, and IKEv1 aggressive mode. The exchange is only performed with participating FortiGates that have enabled the |
886564 |
This enhancement makes changes to the Internet Key Exchange (IKE) protocol to bolster the security measures and improve the performance of IPsec VPN. The three key changes include EMS SN Verification, IPsec SAML-based authentication, and IPsec Split DNS. |
ZTNA
See Zero Trust Network Access in the New Features Guide for more information.
Feature ID |
Description |
---|---|
829475 |
All entry-level FortiGates (lower than 100 series) have ZTNA, proxy, explicit proxy, WANOpt, and web cache disabled by default. The following setting controls the proxy features. config system global set proxy-and-explicit-proxy {enable | disable} end |
841165 |
When configuring a firewall policy for IP- or MAC-based access control that uses different EMS tag types (such as ZTNA tags and classification tags), a logical AND can be used for matching. By separating each tag type into primary and secondary groups, the disparate tag types will be matched with a logical AND operator. |
864995 |
In order to allow FortiClient EMS to share FortiClient information based on IP subnet mask, the FortiGate must send its interface IP and netmask to EMS. This enhancement allows the FortiGate to include its IP and netmask information in the gateway MAC request. |