FortiOS 6.2.2 Release Notes (2023)

Table of contents

Changelog 5

This guide provides release information for FortiOS 6.2.2 build 1010.

For FortiOS documentation, seeflying tower document library.

Supported models

FortiOS 6.2.2 supports the following models.

Special branch support model

The following models were released on a special branch of FortiOS 6.2.2. To confirm that you are running the correct build, run the CLI command Get System Status and check that the branch point field shows 1010.

• Common Vulnerabilities and Exposures l New Fortinet Cloud Services l FortiGuard Security Rating Service l FortiGate Hardware Limitations l CAPWAP Traffic Offload
• FortiClient (Mac OS X) SSL VPN Requirements l Use of dedicated management interfaces (mgmt1 and mgmt2) l NP4lite platform l Remove tab option from GUI l Mobile token authentication

Common Vulnerabilities and Exposures

FortiOS 6.2.1 is no longer vulnerable to the issue described in the following link -https://fortiguard.com/psirt/FG-IR-19144.

New Fortinet Cloud Services

FortiOS 6.2.0 introduces several new cloud-based services listed below. The new service requires an update to FortiCare and Fortinet's FortinetOne single sign-on (SSO) service. These updates will be available in the middle of the second quarter of 2019.

• Override Controller VPN
• FortiGuard Cloud-Assist SD-WAN interface bandwidth monitoring l FortiManager Cloud l FortiAnalyzer Cloud

FortiGuard Security Rating Service

Not all FortiGate models support running the FortiGuard Security Rating Service as the fabric "root" device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet security fabric managed by a supported FortiGate model: l FGR-30D l FGR-35D l FGT-30E l FGT-30E-MI

Special Note 8

l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E l FWF-50E-2R l FWF-51E

FortiGate hardware limitations

FortiOS 5.4.0 reports issues with FG-92D modelsSpecial Notices > High Availability in FG-92D Interface Modepart of the release notes. These issues related to using ports 1 through 14 include:

• PPPoE fails, HA cannot be formed. l IPv6 packets are discarded. l The FortiSwitch fails to be discovered. l Depending on the network topology, spanning tree loops may occur.

FG-92D does not support STP. These issues were improved in FortiOS 5.4.1, but introduced a new command enabled by default with some side effects:

Configure the global setting hw-switch-ether-filter

When the command is enabled:

• Allow ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets. l BPDUs are discarded, so no STP loop occurs. l PPPoE packets are lost. l IPv6 packets are discarded. l The FortiSwitch device is not found. l Depending on the network topology, HA may not be formed.

When the command is disabled:

• All packet types are allowed, but depending on the network topology, may cause an STP loop.

Special Note

CAPWAP traffic offload

CAPWAP traffic will not be offloaded if the ingress and egress traffic ports are on different NP6 chips. It will only be offloaded if both ingress and egress ports belong to the same NP6 chip. The following models are affected: l FG-900D l FG-1000D l FG-2000E l FG-2500E

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Using the dedicated management interface (mgmt1andmgmt2)

For best stability, use the management port (mgmt1andmgmt2) are used for management traffic only. Do not use the management port for general user traffic.

NP4lite platform

FortiOS 6.2 and later do not support the NP4lite platform.

Remove label option from GUI

The Tags option has been removed from the GUI. This includes the following:

L'sSystem > TabsThe page is deleted. L'sLabelsection removed from all pagesLabelpart. L'sLabelColumns are removed from all column selections.

Mobile Token Authentication

Mobile token authentication does not work with SSL VPN on SOC3 platforms.

Affected models include FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-100E, FG100EF, FG-101E, FG -140E, FWF-60E, FWF-61E.

antivirus software

l In previous versions, scan mode controlled which features were displayed based on compatibility with [quick | ] for proxies and streams. full] mode (now [default | legacy]).

This release ignores this behavior, making the antivirus profile scan mode agnostic. This means that all AV options will be displayed regardless of the scan mode setting of the AV profile. Enforcement is handled by the kernel based on firewall policies using AV. If the inspection mode is Proxy or Streaming, unsupported AV features will not take effect. l In this version, AntiVirus can perform SSH detection.

FOC

The apn option under apn-shaper now accepts multiple apn or apngroup.

FortiSwitch Controller

• FortiLink interfaces are enabled by default on FortiGate E-series platforms.
• On FG-100E and later, an empty FortiLink aggregate interface (fortilink) is created by default. If aggregated interfaces are not supported, create hardware switch interfaces instead.
• For FortiGate models below FG-100E, an empty FortiLink hardware switch interface (fortilink) is created by default. If hardware switch interfaces are not supported, create aggregated interfaces instead.
• With the FortiLink interface enabled, the CLI displays an error message when attempting to change the FortiGate to TP mode.

default behavior

firewall

• When applying ISDB as source in policy, only IP and protocol will be matched, source port will be ignored. l If the protocols are the same, Internet-service-addition will override the default port of internet-service ID. l The firewall policy supports wildcard-fqdn objects of FQDN type.
• This release supports srcaddr/dstaddr/internet-service/internet-service-src negate in merge policies.
• All properties of the FABRIC_DEVICE object (except IP address and type) can be modified from the CLI, but not from the GUI.

Records and Reports

l In previous versions, FortiGate only sent event logs to FAZ-Cloud. In this release, FortiGate sends event logs and UTM logs to FAZ-Cloud.

changel FG-300E and FG-301E add VLAN switching function.

system

• API users must have at least one trusted host IP address. l Display the diagnostic sys nmi-watchdog command only on platforms with the "nmi" button.
• Setting the mgmt interface to be dedicated to management adds three cases. l When no trusted host is set, all IPv4 and IPv6 addresses can be accessed. l When only IPv4 addresses are set as trust hosts, IPv6 addresses cannot be logged in.
• When only IPv6 addresses are set as trust hosts, IPv4 addresses cannot be logged in.
• There is no mgmt option when the GRE tunnel interface is set to dedicated for management. l If there is no physical interface in the VDOM, allow the VDOM admin to create a loopback interface.
• The trust-ip option in the config system interface always overrides the trusthost option in the config system admin.

antivirus software

Add SSH inspection. This is only compatible with proxy checks.

endpoint control

Add fortiems-cloud option under FSSO user.

Add property fortinetone-cloud-authentication to endpoint control fctems.

Added sub-second sampling under GTP.

firewall

Added HTTPS as a health check type for the VIP load balance monitor.

Remove set type wildcard-fqdn from firewall address and set wildcard-fqdn。

Added CLI commands to support address and service denial in merge policies.

agent

In the protocol options configuration file, add the ssl-offloaded command under each protocol.

traffic shaping

Add a new global CLI table to define traffic classes. This is a mapping between class IDs and names. Class IDs from shaping policies, shaping profiles, and traffic shapers require data sources from this CLI table.

Records and Reports

Added CLI allowing user to configure socket priority and maximum log rate per remote log device.

Similar settings apply to config log fortiguard settings and config log syslogd settings.

Add test command option in CLI.

SSH

Add file transfer scanning via SSH (SCP and SFTP).

SSL VPN

Remove citrix and portforward from apptype in the three entries of the SSL VPN network bookmark.

system

Added description in system security area.

Increased maximum number of DNS servers supported in DHCP server from 3 to 4.

virtual machine

Removed vdom-modemulti-vdom option for cloud-based on-demand FGT-VM.

Remove safety rating from FGT_VMX and FGT_SVM.

Enable CPU hotplugging in kernel configuration.

Collect EIP from cloud-VMS (Azure, AWS, GCP, AliCloud and OCI).

Wireless Controller

Add portal type external authentication when captive portal is enabled on local bridge VAP.

Moved darrp-optimize and darrp-optimize-schedules configuration from global level to VDOM level.

When external portal is selected, add the external-web-format setting under the captive-portal VAP.

Add new WTP profiles FAPU431F-default and FAPU433F-default.

Added 160 MHz channel bonding support for FortiAP U421EV/U422EV/U423EV models for DFS approved countries.

Added MPSK schedule, which allows to set the validity period of MPSK.

Add GRE&L2TP support in WiFi.

antivirus software

Change AV scan mode from [quick|full] to [default|legacy]. Default is set to default.

Records and Reports

Changed the default value of some configuration options under the fortianalyzer-cloud filter from disabled to enabled.

Changes to default values

system

After creating a new VDOM, add the default certificates for ssl-cert and ssl-ca-cert under web-proxy settings.

Wireless Controller

Change the default LLDP setting in wtp-profile from disabled to enabled.

The default channel utilization setting in wtp-profile was changed from disabled to enabled.

Increased normal WTP capacity from 1024 to 2048 on high-end FortiGates.

Supported upgrade paths information can be found atflying tower customer Serve & support Place.

View information about supported upgrade paths:

1. gohttps://support.fortinet.com.
2. fromdownloadmenu, selectfirmware image.
3. check thatselect productyesFortis.
4. clickupgrade pathtab and select the following:

Liftcurrent productLiftCurrent FortiOS versionLiftUpgrade to FortiOS version

5. clickgo.

Device detection changes

In FortiOS 6.0.x, the device detection function consists of several independent subcomponents:

• Visibility - Detected information can be used for topology visibility and logging.
• FortiClient Endpoint Compliance - Information learned from FortiClient can be used to enforce compliance for these endpoints.
• Mac address-based device policies – Detected devices can be defined as custom devices and then used in device-based policies.

In 6.2, these features changed:

• Visibility - This feature is configured the same as in FortiOS 6.0, including FortiClient information. FortiClient Endpoint Compliance - A new fabric connector replaces it and brings it into line with all other endpoint connectors for Dynamic Policies. For more information, seeDynamic policy – client Express delivery (Connector)insideFortiOS 6.2.0 New Features Guide.
• Mac Address Based Policies – A new address type (Mac Address Range) has been introduced that can be used in general policies. The previous device policy feature could be implemented by manually defining MAC addresses and then adding them to the general policy table in 6.2. For more information, seeapple address based policyinsideFortiOS 6.2.0 New Features Guide.

If you were using device policies in 6.0.x, you will need to manually migrate those policies to the regular policy tables after upgrading. After upgrading to 6.2.0:

1. Create MAC-based firewall addresses for each device.
2. Apply the address to the general IPv4 policy table.

FortiClient Endpoint Telemetry License

Starting with FortiOS 6.2.0, the FortiClient endpoint telemetry license is deprecated. The FortiClient Compliance profiles under the Security Profiles menu have been removed, as has the Enforce FortiClient Compliance Check option under the per-interface configuration pages. Endpoints running FortiClient 6.2.0 are now only registered with FortiClient EMS 6.2.0, compliance is achieved by using compliance validation rules configured on FortiClient EMS 6.2.0, and enforced by using firewall policies. Therefore, there are two upgrade options:

• Customers using FortiGate units in FortiOS 6.0 only to enforce compliance must install FortiClient EMS 6.2.0 and purchase FortiClient Security Fabric agent licenses for their FortiClient EMS installations.
• Customers using FortiGate units with FortiClient EMS running 6.0 in FortiOS 6.0 must upgrade the FortiGate unit to FortiOS 6.2.0, the FortiClient to 6.2.0, and the FortiClient EMS to 6.2.0.

FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language conversion and FortiClient 6.2.0 for macOS standard installer are included in FortiClient EMS 6.2.0.

Fortinet Security Architecture Upgrade

FortiOS 6.2.2 greatly increases interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.2.0 l FortiClient EMS 6.2.0 l FortiClient 6.2.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.9 and later

Upgrade the firmware for each product in the correct order. This keeps the network connected without using manual steps.

All FortiGate units must be upgraded to 6.2.2 if Security Fabric is enabled. When Security Fabric is enabled in FortiOS 6.2.2, all FortiGate units must be running FortiOS 6.2.2.

The minimum version of the TLS service changes automatically

To improve security, FortiOS 6.2.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used for communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit the global setting to use TLS v1.2 by default. You can override these settings.

• Email server (config system email-server) l Certificate (config vpn证书设置) l FortiSandbox (config system fortisandbox)
• FortiGuard (configure log fortiguard settings) l FortiAnalyzer (configure log fortianalyzer settings) l LDAP server (configure user ldap) l POP3 server (configure user pop3)

Downgrade to previous firmware version

Downgrading to a previous firmware version will result in loss of configuration for all models. Only keep the following settings:

l Mode of Operation l Interface IP/Management IP l Static Routing Table l DNS Settings l Admin User Account l Session Assistant l System Access Profile

Amazon AWS enhances network compatibility issues

There are compatibility issues with older AWS VM versions with this enhancement. After downgrading a 6.2.2 image to an older version, network connectivity is lost. Because AWS does not provide console access, you cannot restore a downgraded image.

When downgrading from 6.2.2 to an older version, the enhanced nic driver is not allowed to run. The following AWS instances are affected:

• C3 l C4 l R3
• I2 l M4 l D2

FortiLink Access Profile Settings

A new FortiLink local access profile controls access to FortiSwitch physical interfaces managed by FortiGate.

After upgrading FortiGate to 6.2.2, the interface allowaccess configuration on all managed FortiSwitches is overwritten by the default FortiGate local access profile. After upgrading to 6.2.2, you must manually add protocols to the localaccess configuration file.

configurationlocal accesscontour:

configure switch controller security policy local access edit [policy name] set mgmt-allowaccess https ping ssh set internal allow access https ping ssh

Next

end

Applylocal accessConfiguration file to managed FortiSwitch:

config switch-controller managed-switch edit [FortiSwitch serial number] set switch-profile [policy name] set access-profile [policy name]

Next

end

FortiGate VM with V license

This release allows split-vdom to be enabled for FortiGate VMs with a V-License.

enablesplit domain:

Configure the system global setting vdom-mode [no-vdom | split vdom]

end

FortiGate virtual machine firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

• .out: Download a 64-bit firmware image to upgrade an existing FortiGate VM installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 files for open source XenServer.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

• .out: Download a 64-bit firmware image to upgrade an existing FortiGate VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 which can be used by qemu.

Microsoft Hyper-V

• .out: Download a 64-bit firmware image to upgrade an existing FortiGate VM installation.
• .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the virtual hard disk folder, which can be manually added to the Hyper-V manager.

VMware ESX and ESXi

• .out: Download a 64-bit firmware image to upgrade an existing FortiGate VM installation.
• .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains VMware's Open Virtualization Format (OVF) file and two Virtual Machine Disk Format (VMDK) files that the OVF file uses during deployment.

Firmware image checksum

MD5 checksums for all Fortinet software and firmware releases are available on the Customer Service and Support Portal,https://support.fortinet.com. After login selectDownload > Firmware Image Checksum, enter an image filename including the extension, and selectGet check code.

FortiGuard update server location settings

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is ANY. On VMs, the default is usa.

On virtual machines, update-server-location is set to usa after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later).

If necessary, set update-server-location to use the closest or low-latency FDS server.

Setting up FortiGuardupdate server location:

configure system fortiguard set update server location [US | any]

end

FortiView widget

The FortiView widget was rewritten in 6.2.2. FortiView widgets created in previous versions are removed in the upgrade.

The following table lists FortiOS 6.2.2 product integration and support information:

language support

The following table lists language support information.

language support

SSL VPN support

SSL VPN Standalone Client

The table below lists the SSL VPN Tunnel Client standalone installers for the following operating systems.

Operating system and installer

Other operating systems may work but are not supported by Fortinet.

SSL VPN network mode

The table below lists the supported operating systems and web browsers for SSL VPN network mode.

Supported operating systems and web browsers

Other operating systems and web browsers may work but are not supported by Fortinet.

SSL VPN Host Compatibility List

The following table lists supported antivirus and firewall client software packages.

Supported Microsoft Windows XP antivirus and firewall software

Supports Microsoft Windows 7 32-bit antivirus and firewall software

The following issues have been fixed in version 6.2.2. For inquiries regarding specific errors, please contactcustomerServe & support.

New or Enhanced Features

anti spam

antivirus software

application control

DNS filter

Data Leakage Prevention

explicit proxy

firewall

FortiView

GUI

ha

intrusion prevention

IPsec VPN

Records and Reports

agent

Rest API

routing

SSL VPN

switch controller

system

upgrade

Users and Devices

virtual machine

online telephone

WanOpt Web Filter

Wireless Controller

The following issues were found in version 6.2.2. To inquire about a specific bug or to report a bug, please contactcustomer Serve & support.

Data Leakage Prevention

GUI

ha

IPsec VPN

Proxy REST API

security structure

SSL VPN

switch controller

system

Users and Devices

virtual machine

Wireless Controller

Citrix XenServer Limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.
• FortiGate-VM can only be imported or deployed in the following three formats:
• XVA (recommended)
• VHD l OVF
• The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration prior to the first power-on process.

Open Source XenServer Limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, there may be import issues using the QCOW2 format and existing HDA issues.

Having trouble configuring your Fortinet hardware or have some questions you need answered?Check out the Fortinet Guru Youtube channel! Want someone to handle it for you?Get some advice from Fortinet GURU!

Don't forget to visit the YouTube channel for the latest Fortinet training videos and Q&A sessions!
-FortinetGuru YouTube Channel
-FortiSwitch Training Videos

Cybersecurity videos and training are available through:CISO Security Training Video Office