New features or improvements | FortiOS Release Notes (2023)

596988

Support automatic vCPU hot-add and hot-remove up to the limit of license entitlements after activating an S-Series license or a Flex VM license. This extension eliminates the need to run theRun cpu add <integer>Command or reboot if the FortiGate VM has a lower number of vCPUs allocated than the licensed number of vCPUs.

727383

Add GUI support for IPv6 addresses in the Internet Service Database (ISDB) and allow them to be configured in firewall policies.

745172

The information area, located in the right margin of many GUI pages, has been enhanced to display the top three contextually appropriate questions as hyperlinks belowHot Questions on FortiAnswersHeadline.

• Clicking on a link takes the user to the relevant question and answer on the FortiAnswers website.
• The number of replies, votes and views is displayed for each question.
• click on theSee moreThe link takes the user to the relevant topic page on FortiAnswers.

The existing documentation related links have been renamed:

• TheDocumentationSection header is renamed toonline guide.
• TheOnline helpLink will be renamed toRelevant Documentation.

750073

The/api/v2/monitor/ips/session/performanceThe REST API can be used to query FortiGate for its IPS session information.

753177

View IoT devices with known vulnerabilities on theSecurity Fabric > Asset Identity CenterPageAttachmentlist view. When you hover over the number of vulnerabilities, aView IoT vulnerabilitiesTooltip, there it isView IoT vulnerabilitiesTable containing theVulnerability ID,Typ,heaviness,Reference,Description, AndPatch-Signatur-ID. Each entry in theReferenceColumn contains the CVE number and a link to the CVE details.

TheSecurity Fabric > Security Assessment > Security Statusreport includesFortiGuard IoT Detection SubscriptionAndFortiGuard IoT vulnerabilityChecks. TheFortiGuard IoT Detection SubscriptionThe assessment test is passed if theSystem >FortiGuardside shows that theIoT Discovery Serviceis licensed. TheFortiGuard IoT vulnerabilityAssessment check fails when IoT vulnerabilities are found.

To detect IoT vulnerabilities, FortiGate must have a valid IoT Detection Service license, device detection must be configured on a LAN interface used by IoT devices, and a firewall policy must be configured with an application control sensor.

763752

Add GUI support forip6-delegated-prefix-iaid.

766646

Improve thoseSecurity Fabric > Fabric ConnectorsPage to display a high-level overview of the enabled fabric components and their interconnection. TheSystem > Fabric ManagementPage can be used to enroll and authorize Security Fabric devices instead of using the Security Fabric network topology gutter that has been removed from theSecurity Fabric > Fabric Connectorsbook page.

Changes include:

• Refine Security Fabric configuration settings to select the Security Fabric role.
• Merge relevant connectorsConnectors for core network securityAndSecurity Fabric Connectorssections.
  • TheConnectors for core network securitysection contains theSecurity-Fabric-Setup,LAN edge devices,logging and analysis, AndFortiClient EMSCards.
  • TheSecurity Fabric Connectorssection contains theCentral Administration,sandbox, AndSupported connectorsCards.

766811

Add support for the SSLVPN client to add source ranges for routing over an SSL interface.

config vpn ssl client edit <name> set ipv4-subnets <subnets> set ipv6-subnets <subnets> nextend

config vpn ssl web portal edit <name> set client-src-range {enable | disable}set ip-mode {range | Benutzergruppe | DHCP | no-ip} nextend

767570

Add the Fabric Overlay Orchestrator, an easy-to-use GUI wizard in FortiOS that simplifies the process of configuring a self-orchestrated SD-WAN overlay within a single security fabric without requiring any additional tools or licenses. Currently, the Fabric Overlay Orchestrator supports a single-hub architecture and builds on an existing Security Fabric configuration. This feature configures the root FortiGate as an SD-WAN overlay hub and configures the downstream FortiGates (first level children) as spokes. After configuring the fabric overlay, you can proceed to configure the SD-WAN deployment by configuring the SD-WAN rules.

768062

Add support for using FortiMonitor to detect link quality based on sending probes behind the FortiGate for selected applications to measure additional metrics such as Network Transmission Time (NTT), Server Response Time (SRT), and Application Errors (app_err).

config system sdwan config health-check edit <name> set detect-mode agent-based next end config service edit <id> set agent-exclusive {enable | disable} nächstes Ende

768458

Add the ability to multi-process the wireless daemon (cw_acd) by allowing users whoacd process number. The number varies by model based on the number of FortiAPs it is allowed to manage.

config wireless-controller global set acd-process-count <integer>end

768966

Prior to this enhancement, certificate-based authentication against Active Directory LDAP (AD LDAP) only supported the UserPrincipleName (UPN) as a unique identifier in the Subject Alternative Name (SAN) field in peer user certificates. This extension extends the use case to cover the RFC 822 name (corporate email address) defined in the certificate's SAN extension to contain the unique identifier used to identify a user in AD Match LDAP. In addition, the DNS defined in the user certificate can be used as a unique identifier.

773551

The Antivirus (AV) exception list allows users to exclude known safe files that our AV signature and AV engine scan incorrectly determined to be malicious. Configuring an antivirus exception list in the CLI allows users to specify file hashes in MD5, SHA1, or SHA256 for matching. If there is a match, FortiGate ignores the AV scan verdict, so the corresponding UTM behavior defined in the AV profile is not executed. The exclusion list does not apply to Outbreak Prevention, Machine Learning, FortiNDR, or FortiSandbox inline scan results.

774766

Add toServer CertificateAndserver-ca-certSymantec Endpoint Protection Manager (SEPM) SDN connector options that allow users to specify a certificate or set of certificates that FortiGate trusts when connecting to the SEPM server.

config system sdn-connector edit <name> set server-cert <remote_certificate> set server-ca-cert <remote_or_CA_certificate> nextend

780571

Add toLogs sent dailyDiagram for remote logging sources (FortiAnalyzer, FortiGate Cloud and FortiAnalyzer Cloud) to theLogging and Analysis Fabric Connectormap within theSecurity Fabric > Fabric Connectorsside and todashboardas a widget for a selected remote logging source.

795829

Allow the application of virtual patching to traffic destined for FortiGate by applying IPS signatures to the local in interface using local in policies. Attacks targeting GUI and SSH management access, for example, can be mitigated using IPS signatures pushed by FortiGuard, virtually patching these vulnerabilities.

config firewall local-in-policy edit <id> set virtual-patch {enable | deaktivieren} nextend

801495

Allow device statistics (bytes and packets) to be displayed on FortiGate when a FortiSwitch NAC policy is enabled. Statistics are collected per device/MAC address connected to FortiSwitch.

# Diagnose switch controller telemetry show mac-stats switch <serial number>

802001

Add command to clean old configurations except serial number and FortiManager IP insystem.central-management.

# Perform factory reset for central management

804870

Add support to get the packets using the client-side interface address instead of using the server-side interface address.

config system interface edit <name> config ipv6 set dhcp6-relay-source-interface {enable | disable} end nextend

805565

add theGUI proxy inspectionsetting belowConfigure system settings, which is enabled on most models except for low-end platforms with 2GB RAM or less. If this setting is disabled:

• Only proxy-based profiles such asICAP,Web Application Firewall,video filter, AndZero Trust Network Accessare disabled (grayed out) on theSystem > Feature Visibilitybook page.

• Therange of functionsField is disabled for UTM profiles. Only flow-based features are displayed.

• Firewall policy pages do not have an option to select aflow basedorProxy basedInspection mode.

• Proxy-based UTM profiles cannot be selected within policy configurations or other scopes.

Note the following exceptions:

• If the proxy feature set is enabled via the CLI or inherited from the upgrade, it can be viewed in the GUI.

• If proxy-based inspection mode is enabled via the CLI or inherited from the upgrade, it can be viewed in the GUI firewall policy pages.

805867

Increase the number of NAC devices supported to 48x the maximum number of FortiSwitch units supported on this FortiGate model.

806993

Support ZTNA policy access control of unmanageable and unknown devices in the ZTNA application gateway by using theEMS_ALL_UNMANAGEABLE_CLIENTSAndEMS_ALL_UNKNOWN_CLIENTSlocal tags with dynamic address.

Improve diagnostic commands:

• UseDiagnose firewall dynamic addressto display the IP addresses of the associated clientsEMS_ALL_UNMANAGEABLE_CLIENTSAndEMS_ALL_UNKNOWN_CLIENTSdynamic addresses.
• UseDiagnose user device memory device memory listto view tags of devices identified by FortiGate device discovery.

Improve ZTNA traffic logs:

• Theems connection(CLI) orEMS connection(GUI) field is used for client connection status with EMS server; possible values ​​of unknown, offline or online.
• TheClient device manageable(CLI) orClient device manageable(GUI) field is used for device management status.

In the GUI, tags in proxy policies (Policy & Objects > ZTNA > ZTNA Rules) and tags are visible on different pages (Policy & Objects > ZTNA > ZTNA Tags,Dashboard > FortiClientwidgets andSecurity Fabric > Asset Identity Center).

812120

Support non-English keyboards for SSL VPN web mode with VNC by using thevnc-Keyboard layoutoptions forConfigure bookmarksunderVPN-SSL-Webportal,VPN SSL web user bookmark, AndVPN SSL Web User Groups Bookmarks. Server and client must have the same keyboard layout.

The available options are:Standard,And(Danish),nl(Dutch),en-uk(English United Kingdom),en-uk-ext(English, UK extended),fi(Finnish),fr(French),fr-be(French, Belgium),fr-ca-mul(French, Canadian multilingual standard),von(Deutsch),de-ch(German, Switzerland),Es(Italian),es-142(Italian 142),Point(Portuguese),pt-br-abnt2(Portuguese-Brazilian ABNT2),NO(Norwegian),gd(Scottish Gaelic),es(Spanish),sv(Swedish) andus-intl(United States international).

812993

Support blocking a detected FortiExtender device on a FortiGate configured as a FortiExtender controllerrejection statusin the GUI andSet legitimate lockin CLI.

config extension-controller extender edit <name> set id <string> set authorised disable nextend

813333

Allow configuration fromInterface-Select-MethodeAndQuell-IPfor TACACS+ accounting server.

814796

Remove the Threat Level Threshold option from triggers for compromised host automation in the GUI and CLI.

818343

HTTP2 connection merging and simultaneous multiplexing allows multiple HTTP2 requests to share the same TLS connection if the destination IP is the same and the hostnames in the certificate are compatible. This is supported for ZTNA, Virtual Server Load Balancing and Explicit Proxy.

819508

A FortiGate can allow single sign-on (SSO) from FortiCloud and FortiCloud IAM users with administrator profiles inherited from FortiCloud or overridden locally by FortiGate. Similarly, users accessing FortiGate remotely from FortiGate Cloud can have their permissions inherited or overridden by FortiGate.

819583

Add guards to Node.JS log generation and push logs totmpfsto avoid problems in economy mode. Node.JS logs last only one calendar day and store up to 5MB of logs. As soon as this limit is exceeded, the log file is deleted and a new file is created. Added a delete option to the Node.JS debug command.

# Diagnose nodejs logs {list | show <arg> | view all | delete <arg>}

820902

Add option to exclude the first and last IP of a NAT64 IP pool. This setting is enabled by default.

config firewall ippool edit <name> set nat64 enable set subnet-broadcast-in-ippool {enable | deaktivieren} nextend

820989

Improve device detection of a router or proxy:

• Reintroduce the concept of router discovery based on device type change detection.
• When scanning HTTP traffic, do not perform signature verification if the headers containOver,Forwarded,X-Forwarded-For,X-Forwarded-Host, orX-Forwarded-Proto.
• Change the rules for TTL-based router discovery.

822249

Add under DHCP relay parametersconfig vpn ssl-WebportalSo, user groups can get different range IP addresses from the DHCP server.

config vpn ssl web portal edit <name> set dhcp-ra-giaddr <gateway_IP_address> set dhcp6-ra-linkaddr <IPv6_link_address> nextend

822423

Added option to support minimum and maximum version restrictions for user agent.

config firewall proxy-address edit <name> set type {src-advanced | ua} set ua <browser> set ua-min-ver <string> set ua-max-ver <string> nextd

823374

Route destinations from the extended BGP community can be matched in route maps. This can be applied in a scenario where the BGP route reflector receives routes from many VRFs and instead of reflecting all routes from all VRFs, users only want to reflect routes based on a specific extended community route destination.

config router extcommunity-list edit <name> set type {default | advanced} edit configuration rule <id> set action {deny | permit} set type {rt | soo} set match <extended_community_specifications> set regexp <ordered_list_of_attributes> next end nextend

config router route-map edit <name> config rule edit <id> set match-extcommunity <list> set match-extcommunity-exact {enable | deaktivieren} next end nextend

823702

Allow VLAN subinterfaces such as regular 802.1Q and 802.1ad (QinQ) to be members of a virtual circuit pair.

823709

Added TPM support for FG-VM64 platforms. Hypervisors with software TPM emulator packages installed can support the TPM feature on FortiOS. This is currently supported by KVM and QEMU.

823917

Add option to manually set IP fragment storage threshold (in MB, 32 - 2047, default = 32). A large memory threshold can reduce the number of ReasmFails due to the large number of fragment packets.

config system global set ip-fragment-mem-thresholds <integer>end

825139

Added option to embed a base64 string instead of a plain text url for images on the block pages.

config webfilter fortiguard set embed-image {enable | disable} exit

825308

Allow FortiGate VMs for OCI to work on ARM-based Oracle Cloud Ampere A1 Compute instances.

825951

Add Dynamic ARP Inspection (DAI) capability to inspect ARP packets against static clients with static IP-MAC binding. Configurations can be pushed from the FortiGate switch controller to managed switches.

config switch-controller managed-switch edit <serial_number> config dhcp-snooping-static-client edit <name> set ip <IP_address> set vlan <vlan_ID> set mac <MAC_address> set port <port> next end nextend

827460

Allow users to specify cloud mode in user data during deployment to aCloud-Modus: cnfidentification in theGet system statusExit. This allows FortiManager to recognize the managed FortiGate as a FortiGate CNF device and disable certain settings.

829458

remove thatallow-quicpossibility from theoptionssetting belowConfigure application list. TheWEROption is also removed from theapplication sensorConfiguration page in the GUI. Since FortiOS fully supports HTTP3 over QUIC, there is no longer a need to block QUIC by default in the application control profile.

829628

Added option to match IPv4 mapped IPv6 URLs. This setting is disabled by default. If this option is enabled and the URL hostname of the URL filter entry is an IPv4 address, the URL filter list creates an additional entry with the associated IPv6 hostname URL. This is the same URL as the original URL, except that the hostname is replaced with the IPv6 address associated with the hostname.

config webfilter urlfilter edit <id> set ip4-mapped-ip6 {enable | disable} nextend

830527

Added option to set the VRFroute to a VPN interfacevpn-id-ipipEncapsulation. Previously, VRFs could only be set in static routes if the blackhole was enabled.

config router static edit <seq-num> set device "vpn1" set vrf 1 nextend

BFD is skipped when using the VPN interfacevpn-id-ipipEncapsulation.

831010

Supports wireless client mode on FortiWiFi 80F series models. If wireless client mode is successfully configured, a default static route toaplinkInterface is created automatically. Outbound traffic using this wireless client connection must have a firewall policy from the wired internal/LAN interface as the source interface to theaplinkinterface can be configured as the target interface.

831427

Add tolog-single-cpu-highoption belowConfigure system globally. If this option is enabled, CPU single core usage will be polled every three seconds, and any single CPU core usage above the CPU usage threshold will report an event log. If a core is reported, that core will not be checked again for the next 30 seconds.

config system global set log-single-cpu-high {enable | disable} exit

831492

Add support to allow individual FortiGates in the security fabric to have their own automation settings.

Configuration automation setting set fabric-sync {enable | disable} exit

832041

Add options to filter WAD log messages by process type or process ID, and by default print WAD log messages if the session is unknown.

# Diagnose the process type of wad filter <integer>

# Diagnose wad filter process id <integer>

When runningDiagnose wad filter list, Dieprocess typeAndProcess IDare visible in the output.

832435

Add support for PoE mode, power delivery, and priority switch port options on FortiSwitch via the switch controller for supported models.

config switch-controller managed-switch edit <switch-id> config ports edit <name> set poe-port-mode {ieee802-3af | ieee802-3at} PoE port priority {critical priority | high priority | low priority} poe-port-power {normal | forever | forever fast} next end nextend

833111

Add option to enable or disable rewritehostField in HTTP requests through a virtual server or Access Proxy before being sent to a real server.

config firewall vip edit <vip> set type server-load-balance config realservers edit <id> set translate-host {enable | deaktivieren} next end nextend

config firewall access-proxy edit <name> config api-gateway edit <id> config realservers edit <id> set translate-host {enable | disable} next end next end next end

834861

Add route tags to static routes.

config router static edit <seq-num> set tag <id> nexttend

Add a password field to the BGP neighbor group to be used for the neighbor realm.

config router bgp config Neighbor-group edit <name> set password <password> next endend

836287

Supports adding YAML to the filename when saving configuration as YAML and recognizing the file format when restoring configuration.

TheRun restore yaml-configcommand was removed andRun Restore Configurationshould be used.

In the GUI is theDate Formatfield was removed from theRestore system configurationbook page.

836613

Add option for each FortiClient EMS connector (Vertrauen-ca-cn). This option is activated by default. When this option is enabled, the CA and CN information is stored with the connector, which allows FortiGate to automatically approve an updated certificate as long as it has the same CA and CN.

config endpoint-control fctems edit <id> set trust-ca-cn {enable | deaktivieren} nextend

836653

Add commands to list NPU session summary.

# diagnose sys npu-session list-brief

# diagnose sys npu-session list-brief6

836851

Improve DHCP:

• Increase the number of supported IP ranges from 3 to 10
• Supports DHCP option 77 for user class information
• Lease time adjustment support per IP range (CLI only)

838363

The Internet Service Database (ISDB) on-demand mode replaces the full-size ISDB file with a much smaller file that is downloaded to the flash drive. This file contains only the essential entries for internet services. When a service is used in a firewall policy, FortiGate prompts FortiGuard to download the IP addresses and saves them to the flash drive. The FortiGate also queries the local MAC database (MADB) for appropriate MAC information.

config system global set internet-service-database on-demandend

839877

FortiPolicy can be added to the security fabric. When FortiPolicy joins and is authorized in the Security Fabricsafety fabricWidget, it is displayed on the fabric topology pages. A FortiGate can grant FortiPolicy permission to make firewall address and policy changes. Added two security assessment tests for FortiPolicysecurity postureScorecard.

839951

Add FGT-ARM64 GCP image to support ARM64-based GCP VMs of the GCP Tau T2A instance family.

841928

In some scenarios where a system crash needs to be simulated, the following commands allow a super_admin admin to safely trigger a kernel crash using a SysRq key.

# Diagnose des Debug-Kernel-Sysrq-Status

# debug kernel sysrq {enable | deactivate}

# Diagnose debug kernel sysrq command crash

A kernel crash dump is output to the console. The FortiGate will reboot and recover with no loss of functionality. This is only supported on FortiGate VMs.

841934

Extend the FortiGate AWS SDN connector to resolve different AWS endpoint ENI IP addresses:

• Private API Gateway endpoints
• VPC endpoints for the Aurora Data API
• AWS PrivateLink for S3
• VPC endpoints for Lambdba

This adds support for dynamic policies in FortiGate CNF and resolves various AWS PrivateLink dynamic policy endpoints in typical deployments.

844039

When WAN-LAN operation and LAN port options are configured on FortiGate and FortiAP, FortiGate can display details about wired clients connected to the FortiAP LAN port in any of the following cases:

• LAN2 port on FortiAP models with LAN1 and LAN2 ports
• LAN port on FortiAP models with both LAN and WAN ports

The following configuration settings are required:

• The WAN-LAN operation must also be configuredset-one-port-mode one-landon the FortiAP profile of FortiGate andcfg -a WANLAN_MODE=WAN-LANwith the FortiAP CLI.
• The LAN connection mode can be configured with one of theport modeOptions (nat-to-one,Bridge to Van,Bridge to Ssid) underconfigure LANwithinConfigure WLAN controller wtp profile.

Wired client details are included in the FortiOS CLIDiagnose wireless controller wlac -c lan-sta, and in the FortiAP CLI withcw_diag -c k-lan-host.

849771

Supports Shielded and Confidential VM modes on Google Cloud, which use the UEFI VM image for secure boot and the data used is encrypted during processing.

855684

Allow users to configure the RADIUS NAS ID as a custom ID or the hostname. When deploying a wireless network with WPA-Enterprise and RADIUS authentication or using the RADIUS-MAC authentication feature, FortiGate can use the custom NAS ID in its access request.

config user radius edit <name> set nas-id-type {legacy | custom | hostname} set nas-id <string> nextend

858786

When configuring a CGN IP pool for a hyperscale firewall, exclude IP addresses in that IP pool from being used for source NAT (exclude). This allows users to remain secure and thwart attacks by ensuring that global IP addresses within a CGN IP pool under attack by external attackers are not reused by other Hyperscale Firewall users.

config firewall ippool edit <name> set type cgn-resource-allocation set startip <IPv4_address> set endip <IPv4_address> set excludeip <IPv4_address>, <IPv4_address>, <IPv4_address> ... nextend

This option is not currently supported with a dedicated CGN IP pool (whensetze cgn-fixedalloc enableconfigured).