Changes in default behavior

AntiVirus
  • In previous releases, the scan mode controlled which features were displayed, based on their compatibility with proxy mode and with flow mode's [quick | full] scan mode (now [default | legacy]).

    This release disregards that behavior and makes the antivirus profile scan-mode agnostic: all AV options are displayed regardless of the profile's scan-mode setting. Enforcement is handled by the kernel based on the firewall policy that uses the AV profile, so unsupported AV features simply do not take effect when the inspection mode is proxy or flow.

  • In this release, AntiVirus can perform SSH inspection.

FOC
  • The apn option under apn-shaper now accepts multiple apn or apngroup entries.

    Previous releases:

    config gtp apn
       edit "apn1"
          set apn "internet"
       next
       edit "apn2"
          set apn "intranet"
       next
    end

    config gtp apngrp
       edit "apngrp1"
          set member "apn1"
       next
    end

    config gtp apn-shaper
       edit 1
       next
    end

    6.2.2 release:

    config gtp apn
       edit "apn1"
          set apn "internet"
       next
       edit "apn2"
          set apn "intranet"
       next
    end

    config gtp apngrp
       edit "apngrp1"
          set member "apn1"
       next
    end

    config gtp apn-shaper
       edit 1
          set apn "apn2" "apngrp1" <==changed
       next
    end

FortiSwitch Controller
  • The FortiLink interface is enabled by default on FortiGate E series platforms.
    • On FG-100E and higher, an empty FortiLink aggregate interface (fortilink) is created by default. If aggregate interfaces are not supported, a hardware switch interface is created instead.
    • On FortiGate models below FG-100E, an empty FortiLink hardware switch interface (fortilink) is created by default. If hardware switch interfaces are not supported, an aggregate interface is created instead.
  • When the FortiLink interface is enabled, the CLI displays an error message if you try to change the FortiGate to TP mode.

Firewall
  • Only IP and protocol are matched, and the source port is ignored, when ISDB is applied as the source in a policy.
  • Internet-service-addition overwrites the default ports of an internet-service ID if the protocols are the same.
  • Firewall policy supports wildcard-fqdn objects with FQDN type.
  • This release supports negating srcaddr/dstaddr/internet-service/internet-service-src in consolidated policy.
  • All attributes of a FABRIC_DEVICE object, except IP address and type, can be modified from the CLI but not from the GUI.

Log & Report
  • In previous releases, FortiGate only sent event logs to FAZ-Cloud. In this release, FortiGate sends both event logs and UTM logs to FAZ-Cloud.

Switch
  • The VLAN switch feature is added to FG-300E and FG-301E.

System
  • An API user must have at least one trusted host IP address.
  • The diagnose sys nmi-watchdog command is only shown on platforms that have an NMI button.
  • With the mgmt interface set to dedicated-to-management, three cases apply:
    • When no trusted host is set, all IPv4 and IPv6 addresses have access.
    • When only IPv4 addresses are set as trusted hosts, IPv6 addresses cannot log in.
    • When only IPv6 addresses are set as trusted hosts, IPv4 addresses cannot log in.
  • There is no mgmt option on a GRE tunnel interface when it is set to dedicated-to-management.
  • A VDOM admin is allowed to create a loopback interface if there is no physical interface in the VDOM.
  • The trust-ip option in config system interface always overrides the trusthost option in config system admin.
  • When vdom-dns is disabled in a non-management VDOM, the system DNS is used by the DHCP server by default.
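The three trusted-host cases and the trust-ip precedence rule above, modelled as an added Python example for checking sample logins against an admin configuration (this is not FortiOS code). Assumptions not stated on the page: when both IPv4 and IPv6 trusted hosts are configured each family is matched against its own list, trust-ip overrides only when at least one entry is configured, and the addresses are constructed documentation ranges.

```python
import ipaddress
from typing import Iterable, Sequence

def login_allowed(src: str, admin_trusthosts: Sequence[str],
                  interface_trust_ips: Sequence[str] = ()) -> bool:
    """Return True if an admin login from `src` is permitted.

    admin_trusthosts   : the admin account's trusthost / ip6-trusthost networks (CIDR).
    interface_trust_ips: trust-ip networks of the dedicated management interface; per the
                         release notes these always override the admin list (assumed here:
                         only when at least one is configured).
    An empty effective list models "no trusted host is set".
    """
    src_ip = ipaddress.ip_address(src)
    effective = interface_trust_ips if interface_trust_ips else admin_trusthosts
    nets = [ipaddress.ip_network(n, strict=False) for n in effective]
    # Case 1: no trusted host configured -> every IPv4 and IPv6 address has access.
    if not nets:
        return True
    same_family = [n for n in nets if n.version == src_ip.version]
    # Cases 2 and 3: only the other address family is configured -> this family cannot log in.
    if not same_family:
        return False
    # Same family configured: the source must fall inside one of its family's trusted
    # networks (assumed generalisation of the three listed cases).
    return any(src_ip in n for n in same_family)

# Constructed sample configurations (documentation ranges, not taken from any real device).
NO_TRUSTHOST = []
V4_ONLY = ["192.0.2.0/24"]
V6_ONLY = ["2001:db8:10::/64"]
IFACE_TRUST_IP = ["198.51.100.0/24"]

def audit(logins: Iterable[tuple]) -> list:
    """Evaluate (src, admin_trusthosts, interface_trust_ips) tuples; return the denied sources."""
    return [src for src, th, tip in logins if not login_allowed(src, th, tip)]

if __name__ == "__main__":
    samples = [
        ("192.0.2.10", NO_TRUSTHOST, ()),         # allowed: nothing configured
        ("2001:db8:10::5", V4_ONLY, ()),          # denied: only IPv4 trusted hosts
        ("192.0.2.10", V6_ONLY, ()),              # denied: only IPv6 trusted hosts
        ("192.0.2.10", V4_ONLY, IFACE_TRUST_IP),  # denied: interface trust-ip overrides admin list
    ]
    for denied in audit(samples):
        print("login from", denied, "would be rejected")
```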