Changes in default behavior
AntiVirus
- In previous releases, the scan mode controlled which features were displayed based on their compatibility with proxy and flow's `[quick | full]` mode (now `[default | legacy]`). This release disregards this behavior, making the antivirus profile scan-mode agnostic. This means that all AV options are displayed regardless of the AV profile's scan-mode setting. Enforcement is handled by the kernel based on the firewall policy that uses the AV profile: unsupported AV features do not take effect if the inspection mode is proxy or flow.
- In this release, AntiVirus can do SSH inspection.
FOC
- The `apn` option under `apn-shaper` now accepts multiple `apn` or `apngroup` entries.
Previous releases:

```
config gtp apn
    edit "apn1"
        set apn "internet"
    next
    edit "apn2"
        set apn "intranet"
    next
end
config gtp apngrp
    edit "apngrp1"
        set member "apn1"
    next
end
config gtp apn-shaper
    edit 1
    next
end
```

6.2.2 release:

```
config gtp apn
    edit "apn1"
        set apn "internet"
    next
    edit "apn2"
        set apn "intranet"
    next
end
config gtp apngrp
    edit "apngrp1"
        set member "apn1"
    next
end
config gtp apn-shaper
    edit 1
        set apn "apn2" "apngrp1"   <== changed
    next
end
```
FortiSwitch Controller
- FortiLink interface is on by default on FortiGate E series platform.
- On FG-100E and higher, an empty FortiLink aggregate interface (fortilink) is created by default. If an aggregate interface is not supported, a hardware switch interface is created instead.
- For FortiGate models below FG-100E, an empty FortiLink hardware switch interface (fortilink) is created by default. If a hardware switch interface is not supported, an aggregate interface is created instead.
- When the FortiLink interface is enabled, CLI displays an error message when trying to change the FortiGate to TP mode.
Firewall
- When an ISDB entry is applied as the source in a policy, only the IP and protocol are matched; the source port is ignored.
- Internet-service-addition will overwrite default ports of internet-service ID if protocols are the same.
- Firewall policy supports `wildcard-fqdn` objects with FQDN type.
- This release supports `srcaddr`/`dstaddr`/`internet-service`/`internet-service-src` negate in consolidated policy.
- All attributes of a FABRIC_DEVICE object, except for IP address and type, can be modified from the CLI but not from the GUI.
Log & Report
- In previous releases, FortiGate only sends event log to FAZ-Cloud. In this release, FortiGate sends both event log and UTM log to FAZ-Cloud.
Switch
- Add VLAN switch feature to FG-300E and FG-301E.
System
- API user must have at least one trust host IP Address.
- The `diagnose sys nmi-watchdog` command is only shown on platforms that have an "nmi" button.
- With the mgmt interface set to dedicated-to-management, three cases were added:
  - When no trust host is set, all IPv4 and IPv6 addresses have access.
  - When only IPv4 addresses are set as trust hosts, IPv6 addresses cannot log in.
  - When only IPv6 addresses are set as trust hosts, IPv4 addresses cannot log in.
- There is no mgmt option in a GRE tunnel interface when it is set to dedicated-to-management.
- Allow VDOM admin to create loopback interface if no physical interface in VDOM.
- The `trust-ip` option in `config system interface` always overrides the `trusthost` option in `config system admin`.
- When `vdom-dns` is disabled in a non-management VDOM, the system DNS is used in the DHCP server by default.
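The trusted-host cases above (no trust host means any IPv4 or IPv6 address has access; IPv4-only entries lock out IPv6 sources and vice versa) and the "API user must have at least one trust host" rule, modelled as a small config review script. This is an added example, not FortiOS code; the admin dictionary shape, `parse_trusthosts` and the finding names are assumptions of this example.

```python
import ipaddress

# Constructed admin table: name -> {"api_user": bool, "trusthost": [cidr, ...]}.
# The shape is an assumption of this example, not a FortiOS export format.
SAMPLE_ADMINS = {
    "admin": {"api_user": False, "trusthost": []},
    "noc":   {"api_user": False, "trusthost": ["10.0.0.0/8"]},
    "auto":  {"api_user": True,  "trusthost": []},
    "v6ops": {"api_user": False, "trusthost": ["2001:db8::/32"]},
    "dual":  {"api_user": False, "trusthost": ["10.0.0.0/8", "2001:db8::/32"]},
}


def parse_trusthosts(entries):
    """Hypothetical helper: turn 'address/prefix' strings into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def login_allowed(trusthosts, src_ip):
    """Apply the rule from the notes: no entries -> everyone may log in;
    otherwise the source must fall inside an entry of the same IP version."""
    nets = parse_trusthosts(trusthosts)
    if not nets:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src.version == n.version and src in n for n in nets)


def trusthost_findings(admins):
    """Flag admins whose trusted-host settings hit one of the listed cases."""
    findings = []
    for name, cfg in admins.items():
        nets = parse_trusthosts(cfg["trusthost"])
        versions = {n.version for n in nets}
        if cfg["api_user"] and not nets:
            findings.append((name, "api-user-without-trusthost"))   # rejected in 6.2.2
        elif not nets:
            findings.append((name, "open-to-all-addresses"))        # any IPv4/IPv6 source
        elif versions == {4}:
            findings.append((name, "ipv6-sources-cannot-log-in"))
        elif versions == {6}:
            findings.append((name, "ipv4-sources-cannot-log-in"))
    return findings


if __name__ == "__main__":
    for finding in trusthost_findings(SAMPLE_ADMINS):
        print(finding)
```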