Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiOS Release Notes

    Home FortiGate / FortiOS 6.2.1 FortiOS Release Notes
    6.2.1
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.14
    5.6.13
    5.6.12
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.13
    5.4.12
    5.4.11
    5.4.10
    5.4.9
    5.4.8
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.15
    5.2.14
    5.2.13
    5.2.12
    5.2.11
    5.2.10
    5.2.9
    5.2.8
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.14
    5.0.13
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2

    Changes in default behavior

    Changes in default behavior

    Firewall

    Remove dependency of ssl-ssh-profile on utm-status under firewall policy (531885).

    Previous releases

    6.2.1 release

    You must enable utm-status under firewall policy before configuring ssl-ssh-profile.

    You can configure ssl-ssh-profile by itself. When you upgrade, this configuration is added to the existing firewall policy.

    Log & Report

    Starting from the 6.2.1 release, exe log list displays the result of the current log device.

    Previous releases

    6.2.1 release

    exe log list only lists the disk log file.

    exe log list lists the log file from the current log device (disk/memory).

    exe log list shows the memory log file in exe log filter device memory.

    exe log list shows the disk log file in exe log filter device disk.

    Separate policy and address log-uuid options into two individual options.

    Previous releases

    6.2.1 release

    		 
    config system global
   set log-uuid [policy-only | extended | disable]
end 
    config system global
   set log-uuid-policy [enable | disable]
   set log-uuid-address [enable | disable]
end

    System

    Starting from the 6.2.1 release, Global admin can only back up but not restore the configuration file.

    Previous releases

    6.2.1 release

    Super admin: can back up and restore configuration file.

    Global admin: can back up and restore configuration file.

    VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.

    Super admin: can back up and restore configuration file.

    Global admin: can only back up configuration file.

    VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.

    Devices configured under security-exempt-list are void after upgrading to 6.2.1.

    FortiOS 6.2.1 removes any use of device enforcement from various FortiGate features.

    Previous releases

    6.2.1 release

    		 
    config user device-category    <==removed
config user device-access-list <==removed
config user device-group       <==removed

config user security-exempt-list
   edit [List Name]
      config rule
         edit [Rule ID]
            set devices [Device or group name] <==removed
            set srcaddr [Address or group name]
         next
      end
   next
end

config system interface
   edit [Interface]
      set ip [IP address and subnet mask]
      set device-access-list [Access list name] <==removed
      set device-identification-active-scan [enable | disable] <==removed
   next
end

config firewall policy
   edit [Policy ID]
      set name [Policy name]
      set device [Device or group name] <==removed
   next
end

config firewall policy6
   edit [Policy ID]
      set name [Policy name]
      set device [Device or group name] <==removed
   next
end
    		 
    config user security-exempt-list
   edit [List Name]
      config rule
         edit [Rule ID]
            set srcaddr [Address or group name]
         next
      end
   next
end

config system interface
   edit [Interface]
      set ip [IP address and subnet mask]
   next
end

config firewall policy
   edit [Policy ID]
      set name [Policy name]
   next
end

config firewall policy6
   edit [Policy ID]
      set name [Policy name]
   next
end

    WiFi Controller

    The VAP schedule is changed from accepting only a recurring schedule to accepting all types of firewall schedule: recurring schedule, one-time schedule, and schedule group.

    Previous releases

    6.2.1 release

    		 

    config wireless-controller vap
    edit "wifi-t-1"
        set schedule "group1"
    next
end

    The LED schedule is changed from accepting only a recurring schedule to accepting all types of firewall schedule: recurring schedule, one-time schedule, and schedule group.

    Previous releases

    6.2.1 release

    		 

    config wireless-controller wtp-profile
    edit "FAP321C-default"
        set led-schedules "group1"
    next
end

    The ble-profile setting in wtp-profile is now configurable for the FAP-321E platform.

    Previous releases

    6.2.1 release

    		 

    config wireless-controller wtp-profile
    edit "FAP321E-default"
        config platform
            set type 321E
        end
        set ble-profile "BLE-full" <==configurable
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11n,g-only
        end
        config radio-2
            set band 802.11ac
        end
    next
end
    Previous
    Next

    Changes in default behavior

    Changes in default behavior

    Firewall

    Remove dependency of ssl-ssh-profile on utm-status under firewall policy (531885).

    Previous releases

    6.2.1 release

    You must enable utm-status under firewall policy before configuring ssl-ssh-profile.

    You can configure ssl-ssh-profile by itself. When you upgrade, this configuration is added to the existing firewall policy.

    Log & Report

    Starting from the 6.2.1 release, exe log list displays the result of the current log device.

    Previous releases

    6.2.1 release

    exe log list only lists the disk log file.

    exe log list lists the log file from the current log device (disk/memory).

    exe log list shows the memory log file in exe log filter device memory.

    exe log list shows the disk log file in exe log filter device disk.

    Separate policy and address log-uuid options into two individual options.

    Previous releases

    6.2.1 release

    		 
    config system global
   set log-uuid [policy-only | extended | disable]
end 
    config system global
   set log-uuid-policy [enable | disable]
   set log-uuid-address [enable | disable]
end

    System

    Starting from the 6.2.1 release, Global admin can only back up but not restore the configuration file.

    Previous releases

    6.2.1 release

    Super admin: can back up and restore configuration file.

    Global admin: can back up and restore configuration file.

    VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.

    Super admin: can back up and restore configuration file.

    Global admin: can only back up configuration file.

    VDOM admin: can back up and restore VDOM configuration file with full Admin and Maintenance permission.

    Devices configured under security-exempt-list are void after upgrading to 6.2.1.

    FortiOS 6.2.1 removes any use of device enforcement from various FortiGate features.

    Previous releases

    6.2.1 release

    		 
    config user device-category    <==removed
config user device-access-list <==removed
config user device-group       <==removed

config user security-exempt-list
   edit [List Name]
      config rule
         edit [Rule ID]
            set devices [Device or group name] <==removed
            set srcaddr [Address or group name]
         next
      end
   next
end

config system interface
   edit [Interface]
      set ip [IP address and subnet mask]
      set device-access-list [Access list name] <==removed
      set device-identification-active-scan [enable | disable] <==removed
   next
end

config firewall policy
   edit [Policy ID]
      set name [Policy name]
      set device [Device or group name] <==removed
   next
end

config firewall policy6
   edit [Policy ID]
      set name [Policy name]
      set device [Device or group name] <==removed
   next
end
    		 
    config user security-exempt-list
   edit [List Name]
      config rule
         edit [Rule ID]
            set srcaddr [Address or group name]
         next
      end
   next
end

config system interface
   edit [Interface]
      set ip [IP address and subnet mask]
   next
end

config firewall policy
   edit [Policy ID]
      set name [Policy name]
   next
end

config firewall policy6
   edit [Policy ID]
      set name [Policy name]
   next
end

    WiFi Controller

    The VAP schedule is changed from accepting only a recurring schedule to accepting all types of firewall schedule: recurring schedule, one-time schedule, and schedule group.

    Previous releases

    6.2.1 release

    		 

    config wireless-controller vap
    edit "wifi-t-1"
        set schedule "group1"
    next
end

    The LED schedule is changed from accepting only a recurring schedule to accepting all types of firewall schedule: recurring schedule, one-time schedule, and schedule group.

    Previous releases

    6.2.1 release

    		 

    config wireless-controller wtp-profile
    edit "FAP321C-default"
        set led-schedules "group1"
    next
end

    The ble-profile setting in wtp-profile is now configurable for the FAP-321E platform.

    Previous releases

    6.2.1 release

    		 

    config wireless-controller wtp-profile
    edit "FAP321E-default"
        config platform
            set type 321E
        end
        set ble-profile "BLE-full" <==configurable
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11n,g-only
        end
        config radio-2
            set band 802.11ac
        end
    next
end
    Previous
    Next