Enable CPU hot plug-in kernel configuration with execute cpu show and execute cpu add.

For DFS-approved countries, add 160 MHz Channel Bonding support for FortiAP U421EV, U422EV, and U423EV models (edit [FAPU421EV-default | FAPU422EV-default | FAPU423EV-default]).

Add virtual switch feature for FG-140E and FG-140E-POE.

Support for SSL VPN sign on using certificate and remote (LDAP or RADIUS) username/password authentication.

Support VMWare tag filters in ESXi SDN connectors. Support obtaining and filtering of addresses by distributed port group names when a VM is attached to a distributed virtual switch.

Decouple the memory size limit from the private VM license.

Monitor API to check SLBC cluster checksum status. New API added - monitor/system/config-sync/status.

Introduce 802.11ax support for FortiAP-U431F and FortiAP-U433F:

• Tri-radio support
• Radio mode 11ax support
• Dual 5G and single 5G mode support
• HE (high efficiency)/160 MHz bandwidth/TWT support

Support for link aggregation LACP on entry level FortiGate is extended to all two-digit entry level box for the following models:

FGR-30D, FGR-35D, FG-30E, FG-30E-MI, FG-30E-MN, FG-50E, FG‑51E, FG-52E, FG-60E, FG‑60E-POE, FG-61E, FG‑80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-92D, FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E

IPv6 is supported in communication between the following:

• Collector agent and FortiGate
• Collector agent and DC_agent
• Collector agent and terminal server agent

Support SSH (SCP/SFTP) file UTM scan.

config ssh-filter profile
    edit [Profile Name]
        set block x11 shell exec port-forward tun-forward sftp scp unknown <==added
        set log x11 shell exec port-forward tun-forward sftp scp unknown <==added
        set default-command-log disable
            config file-filter <==added
                set status enable <==added
                set log enable <==added
                set scan-archive-contents enable <==added
                    config entries <==added
                        edit [Entry] <==added
                            set comment '' <==added
                            set action block <==added
                            set direction any <==added
                            set password-protected any <==added
                            set file-type "msoffice" <==added
                        next
                    end
            end
    next
end

Move SAML configuration to the Security Fabric menu.

• Move the SAML settings page to a slide with an Advanced Options button on the Security Fabric Settings page.
• On the Security Fabric Settings page and SAML SSO configuration slide, show SAML toggle and some basic fields: default login page and default login profile for SP, IdP certificate. This way, the workflow to enable downstream SSO can be done from the root FortiGate. The backend will auto-configure the SP.
• Show a warning message box in the topology tree when the FortiGate does not have SSO configured if the root is the IdP. The Configure button is orange and matches the warning message box.

SR-IOV support for FortiGate on Azure/Hyper-V platforms (VM64-HV, Azure, AzureOnDemand). SR-IOV speeds up Azure networking performance around 4X, so there is more bandwidth and free CPU for other purposes. Normally only first packet along any L4 flow goes to the NetVSC slow path and all others go through the SR-IOV fast path.

Support connector to ClearPass.

• This feature allows the FortiGate to integrate with ClearPass by providing an API to ClearPass so that it can push endpoint healthy/unhealthy states in real-time over to their firewalls for use in policies. The integration allows for about 3-5 second updates between ClearPass and the FortiGate.
• CLI changes: add a sub-type for dynamic firewall address.

Support FSSO for dynamic addresses and support ClearPass endpoint connector (via FortiManager).

CLI changes:

• Add command to show FSSO dynamic address from authd daemon:

  diagnose debug authd fsso show-address

• Make diagnose firewall dynamic commands to accept one optional parameter as address name:

  diagnose firewall dynamic list

  diagnose firewall dynamic address

• Add FSSO subtype for firewall address:

  config firewall address
      edit <name>
          set sub-type fsso
      next
  end

GUI changes:

• Address dialog page
  • New subtype field to select between FSSO and Fabric Connector
  • New FSSO group field to select address group
• Address list page
• Tooltip for new FSSO dynamic address supports resolved address
• Detail column shows the address groups for the address

Support SAML method in firewall and SSL VPN authentications.

CLI changes:

• Add new CLI setting for SAML user:

  config user saml
      edit *
      set ?
          cert Certificate to sign SAML messages.
          *entity-id SP entity ID.
          *single-sign-on-url SP single sign-on URL.
          single-logout-url SP single logout URL.
          *idp-entity-id IDP entity ID.
          *idp-single-sign-on-url IDP single sign-on URL.
          idp-single-logout-url IDP single logout url.
          *idp-cert IDP Certificate name.
          user-name User name in assertion statement.
          group-name Group name in assertion statement.
      next
  end

Support destination MAC addresses in the sniffer traffic log.

Add UTM log for FortiAnalyzer cloud-based subscription.

CLI changes:

• Default FortiAnalyzer Cloud filters set to enable

  config log fortianalyzer-cloud filter

Most options within config log fortianalyzer-cloud filter defaulted to disable and could not be changed. Now, they default to enable and can be changed. License-based restrictions still apply, but the configuration can be used to refine the logs being sent to FortiAnalyzer Cloud.

The exception is the dlp-archive option, which is still set to disable and cannot be changed.

Add portal-type external-auth when captive-portal is enabled on local-bridge VAP.

config wireless-controller vap
   edit "wifi.fap.02"
      set ssid "bridge-captive"
      set local-bridging enable
      set security captive-portal
      set portal-type external-auth <==added
      set external-web "170.00.00.000/portal/index.php"
      set radius-server "peap"
   next
end

Increase IPS custom signature length to 4096.

FortiGate debugger Chrome extension support.

The extension improves the quality of GUI bug reports. The extension communicates with FortiOS and allows users to perform a capture. The capture includes (but is not limited to) the following:

• Screen recording
• Device metadata
• Client (browser) metadata
• HTTP network logs
• JavaScript console logs
• Various daemon logs
• Client memory and CPU usage
• Device memory and CPU usage

Add https as a type of health check for the VIP load balance monitor.

config firewall ldb-monitor
    edit [Monitor Name]
        set type ?
            ping PING health monitor.
            tcp TCP-connect health monitor.
            http HTTP-GET health monitor.
            https HTTP-GET health monitor with SSL. <==added
    next
end

Remove vdom-modemulti-vdom option for cloud-based ondemand FGT-VM.

config sys global
   set vdom-mode ?
      no-vdom Disable split/multiple VDOMs mode.
      split-vdom Enable split VDOMs mode.
      multi-vdom Enable multiple VDOMs mode. <==removed
end

Remove set type wildcard-fqdn and set wildcard-fqdn <string> from firewall address.

config firewall address
   edit [Address]
      set type wildcard-fqdn     <==removed
      set wildcard-fqdn <string> <==removed
   next
end

Add CLI allowing user to configure socket priority and maximum log rate per remote log device.

Similar setting apply to config log fortiguard setting and config log syslogd setting.

config log fortianalyzer setting
   set priority [default | low]              <==added
   set max-log-rate [Log Rate, unit is MBps] <==added
end

config log fortianalyzer override-setting
   set priority [default | low]              <==added
   set max-log-rate [Log Rate, unit is MBps] <==added
end

Add CLI commands to support address and service negate in consolidated policy.

config firewall consolidated policy
  edit [Policy ID]
     set srcaddr-negate [enable | disable]    <==added
     set dstaddr-negate [enable | disable]    <==added
     set service-negate [enable | disable]    <==added
     set internet-service-negate [enable | disable]        <==added
     set internet-service-src-negate [enable | disable] <==added
  next
end

Remove security rating from FGT_VMX and FGT_SVM.

diagnose security-rating version <==removed

Collect EIP from cloud-VMS (Azure, AWS, GCP, AliCloud, and OCI).

pcui-cloudinit-test # execute <?>
update-eip Update external IP. <==added

config sys interface
   edit [Name]
      set eip                  <==added
   next
end

conf sys global
end

Add external-web-format setting under captive-portal VAP when external portal is selected.

config wireless-controller vap
   edit guestwifi
      set ssid "GuestWiFi"
      set security captive-portal
      set external-web "http://170.00.00.000/portal/index.php"
      set selected-usergroups "Guest-group"
      set intra-vap-privacy enable
      set schedule "always"
      set external-web-format auto-detect <==added
   next
end

Add MPSK schedule that allows setting valid period for MPSK.

config wireless-controller vap
  edit [SSID Interface Name]
      set mpsk enable
      config mpsk-key
          edit [MPSK Entry Name]
              set passphrase 11111111
              set mpsk-schedules "always" <==added
          next
      end
  next
end

There is no mgmt option in GRE tunnel interface when it is set to dedicated to management.

With mgmt interface set to dedicated to management, added three kinds of cases:

• When no trust host is set, all IPv4 and IPv6 addresses have access.
• When only IPv4 addresses are set to trust host, IPv6 address cannot log in.
• When only IPv6 addresses are set to trust host, IPv4 address cannot log in.

FortiLink interface is on by default on FortiGate E series platform.

• On FG-100E and higher, create an empty FortiLink aggregate interface (fortilink) by default. If aggregate interface is not supported, create a hardware switch interface instead.
• For FortiGate models below FG-100E, create an empty FortiLink hardware switch interface (fortilink) by default. If hardware switch interface is not supported, create aggregate interface instead.

Only show diagnose sys nmi-watchdog command on platforms that have NMI button.

When the FortiLink interface is enabled, CLI displays an error message when trying to change the FortiGate to TP mode.

After creating a new VDOM, add default certificates for ssl-cert and ssl-ca-cert under web-proxy setting.

show web-proxy global
config web-proxy global
    set ssl-cert 'Fortinet_Factory'   <==changed
    set ssl-ca-cert 'Fortinet_CA_SSL' <==changed
    set proxy-fqdn "default.fqdn"
end

Change default LLDP setting in wtp-profile from disable to enable.

config wireless-controller wtp-profile
    edit [FAP-Profile]
        set lldp enable <==changed
    end
end

Special archive files are blocked by CIFS profile despite there being no options set to block them in AV.

Advanced Threat Protection Statistics widget clean file count is incorrect.

DLP cannot detect attached zip files when receiving emails via MAPI over HTTP.

DLP is not activated when FTPS traffic is encrypted/decrypted by F5, and cleartext traffic goes through the FortiGate.

DLP sensors and DLP options in firewall policy and profile groups are removed.

DNS request to a second DNS server with same Transaction ID is discarded when DNS Filter is enabled on a policy.

Application control causing NAT hairpin traffic to be dropped.

Workaround: Create a new firewall policy from scratch and the default application control can be applied again.

On multiple FortiView sub-menus, the Quarantine Host option is no longer available.

FortiView All Sessions page: tooltip of geography IP show 'undefined'.

The MMS profiles pages have been removed from the FortiOS Carrier GUI.

Workaround: You can configure MMS profiles from the CLI using the config firewall mms-profile command.

GUI on FG-3800D with 5.6.3 is very slow - configuration with numerous policies.

While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.

GUI should not log out if there is 401 error on downstream device.

Interface page keep loading when VDOM admin have netgrp permission.

DNS server GUI calculates latency numbers incorrectly for the web filter service.

Routing monitor network filter does not filter subnets after upgrading.

Context menu of AP Group has unsupported actions enabled after change view on Managed FortiAPs page.

Some app-category cannot be listed on security policy editing page and get JS error.

Upgrade NGFW VDOM from v6.2.0, security policy should support virtual-wan-link interface.

After OSPF change via GUI, password for virtual-link will completely disappear and must be re-entered.

AP comments do not appear on the columns for Managed AP page.

IPS sensor not configurable in GUI with Firefox.

GUI response is very slow when accessing Route-Monitor page in GUI.

Editing policies inline can result in previously selected policies being changed.

GUI shifts central management type to FortiManager after clicking Apply to enable FortiManager Cloud.

Log search index files are never deleted when the log disk is out of space.

Port Link speed option is missing on the FortiGate GUI after upgrading the managed FortiSwitch to 6.2.1.

Local category for g-default, g-wifi-default web filter profiles should not be displayed.

Firewall User Monitor shows "Failed to retrieve info" and no entries if session-based proxy authentication is used.

After adding few Web Rating Overrides via GUI to an already existing long list of URIs, Web Rating Overrides page is not loaded and keeps spinning.

Some long VDOM name configurations are changed and failed to be in sync after rebooting.

HA A-A local FQDN not resolving on secondary unit.

Incorrect image checksum when upgrading via the GUI.

Unable to sync the local gateway in FGSP.

Crash occurs when changing the standalone mode for A-A and A-P in config system ha.

IPS engine 5.009 crashes when updated new FFDB has different size from the old one.

When ipsec phase1-interface name length is 15 (maximum), in dynamic mode with net-device disabled, the client should be able to dial in.

PKI certificates with OU and/or DC as subject fail for PKI user filters.

mode-cfg IP is missing from the routing table.

When SNI is exempt in an SSL profile, and the SNI does not match the CN, the FortiGate closes the session and does not perform deep inspection.

Certificate blocklist not working correctly in proxy mode.

When strict SNI check is enabled, FortiGate with certificate inspection cannot block session if SNI does not match CN.

In WAD conserve mode 5.6.8, max_blocks value is high on some workers.

For FortiGate with client certificate inspect mode, traffic will trigger WAD crash.

Fail to connect https://drive.google.com by TLS 1.3.

FTP proxy traffic is blocked for FSSO guest users.

In Proxy inspection with Application control and certificate inspection, TLS error for certain web pages, in EDGE browser only.

WAD might leak memory during SSL session ticket resumption.

WAD application crashing in v6.2.1.

SSL decryption breaks App store and Google Play store traffic even though both sites are exempted in the decryption profile.

SD-WAN interface bandwidth not honoring its parent's interface estimated bandwidth.

Time stamps missing in routing debugs.

Gradual memory increase with full BGP table.

VRF configuration in WWAN interface has no effect after rebooting.

BGP confederation router sending incorrect AS to neighbor-group routers.

VRRP on LAG cannot forward packet after vrrp-virtual-mac is enabled.

SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.

SSL VPN web portal login history is not displayed if logs are stored in FortiAnalyzer.

Web application is not loading through SSL VPN portal.

When SSL VPN receives multiple HTTPS post requests under web filter, read_request_data_f loops even when client is stopped, which causes the SSL VPN process to use 99% of CPU.

SSL VPN bad password attempt causes excessive bind requests against LDAP and lockout of accounts.

SSL VPN web mode has trouble loading internal web application.

A web application accessed through SSL VPN web mode triggers Error 500 on Java server.

Invalid HTTP Request when SMB via SSL VPN bookmark is executed with MS Server 2016, but works fine with MS server 2008R2.

FortiSIEM web GUI does not load on web portal.

SSL bookmark is not loading SAP portal information.

Web mode fails for SharePoint page.

Citrix bookmarks should be disabled in SSL VPN portal.

SSL VPN web mode logon page should not show Skip button for remote user with Force password change on next logon.

Office365 applications through SSL VPN bookmarks.

Downloading PDF file through SSL VPN portal.

SSL VPN web mode web forward not working for video camera system after upgrade to 6.0.4.

In firmware 6.2.0, RDWeb (Windows Server 2016) via SSL web portal does not work.

McAfee ESM 11 display issues in SSL VPN web portal.

For FG-200E, after upgrading from 6.0.4 to 6.2.0, SSL VPN HTTPS bBookmark does not load (Secure Connection Failed).

With SSL VPN web mode unable to get dropdown menu from internal web page.

FortiMail login page with SSL VPN portal not displaying correctly.

interface subnet object not available in SSL VPN split-tunneling-routing-address.

SharePoint 2019 page access fails using web mode.

SSL VPN web mode SSO doesn't work for some site like FAc login.

The referer header is not correct, and some files are not loaded properly.

Connection to internal portal freezes when using SSL VPN web bookmark.

Redirect in bookmark is not loading.

Object from CARL source not showing through SSL VPN web mode.

SSL VPN users create multiple connections.

When using LDAP-integrated certificate authentication, getting connected takes too long. It does not connect until the session expires.

In SSL VPN web mode, videos on internal website won't display.

SSL VPN still allows password expired users to change password and get access.

SSL VPN banned-cipher SHA256 not completely working.

In SSL VPN web mode, RDP disconnects when copying long text from remote to local.

SSL VPN RDP SSO bookmark does not send domain name for domain users.

Internal website using java is not accessed using SSL VPN web mode.

Internal website not working through SSL VPN web mode.

SSL VPN tunnel mode can only add split tunneling of user's policy with groups and its users in different SSL VPN policies.

Error for proxy ssh database through SSL VPN.

CMAT application through SSL VPN not working properly.

SSL VPN web mode does not work properly for the website using JavaScript.

NextCloud through SSL VPN behaving strangely.

Cannot access sub-menus from the internal main website through the bookmark when using SSL VPN web mode.

Local portal adzh-srop-nidm02.intern.cube.ch needs more than 10 min. to load via SSL VPN bookmark.

Unable to access Qlik Sense URL via SSL VPN web mode .

SSL web portal CSP v3 compatibility issue.

Cannot establish SSL VPN connection using FortiClient for macOS when os-check is enabled and action is allow.

TX packet drops on ssl.root interface.

Subpages on internal websites are not working via SSL VPN web mode (Tunnel mode is OK).

In some lower-end FortiGates, the threshold of available memory is not calculated correctly for entering SSL VPN conserve mode. Threshold should be 10% of total memory when the memory is larger than 512 MB and less than 2 GB.

Synology DSM login page is not displayed when accessed via SSL VPN bookmark or connection tool.

SSL VPN connection is being dropped intermittently.

The SSL VPN web mode webserver link is not rewritten correctly after login.

SSL VPN daemon crashes when logging in several times with RADIUS user that is related to a framed IP address.

SSL web mode VPN portal freezing when opening some websites using JavaScript.

The EOASIS website is not displayed properly using SSL VPN web mode.

SSL VPN web mode not redirecting URL as expected after successful login.

Accessing http://nlyte.ote.gr/nlyte/ configured with bookmark name 'NLYTE' not getting authentication page.

Anti-replay check fails when crossing NP6 with IPS enabled on FG-2500E.

On a FortiGate trusted by FortiAnalyzer via certificate, the FortiGate loses the connection to FortiAnalyzer if it returns an invalid SN (old FortiAnalyzer VM license or bad FortiAnalyzer certificate).

Memory (SKB) which is no longer needed is not released in NP6 and NP6lite drivers (100E, 140E, 3600D, 3800D).

Sometimes FG-5001E image is not able to sync with the 5913C blade.

CPU goes to 100% when modifying members of an addrgrp object.

Add support for # character in SNMP community name.

PoE ports no longer deliver power.

Using DHCP to acquire addresses for mode-config with certificates fails to send DHCP request.

Dnsproxy is killed every 2 seconds and has crash error.

With LLDP, FortiGate serial number is sent in plain text.

GUI cannot save edits made on replacement messages in a VDOM. When using CLI, user gets logged out while editing.

FortiGate CSR traffic to SCEP srv generated from the root VDOM instead of the VDOM we create the CSR.

FortiGate can't extract the user principal name UPN from user certificate when certificate contains UPN and additional names.

FortiGate takes a long time to reboot when it has many firewall addresses used in many policies.

forticldd deamon resolved mgrctrl1.fortinet.com to wrong IP address.

FortiGate does not accept FortiManager created country code and causes address install fails.

authd4 crashes when deleting a VDOM or rebooting the FortiGate.

DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6.

Policies removed after an upgrade in NGFW Policy Mode: maximum number of entries has been reached.

Non-RSSO RADIUS server shows in FSSO GUI, which should only show RSSO RADIUS servers.

FQDN address objects resolution is failing when used in the captive web portal as walled garden rules.

Importing PKCS #12 certificate files on the System > Certificates page does not work (CLI works).

Copying and pasting the local certificate and private key in the FortiGate terminal session no longer works.

Application cloudinitd has signal 11 crash on FortiGate-VM64-GCP.

VPN tunnels not coming up after HA failover in GCP.

Azure SDN connector try querying invalid FQDN when using Azure Stack Integrated systems.

VM in Oracle cloud has 100% CPU usage in system space.

Kernel crashes when IPsec traffic is handled by the QAT device.

HA cluster multi AZ does not failover IPsec VPN in AWS with TGW.

OCI SDN connector gets HTTP response err:500 when enabling use-metadata-iam.

EMAC VLAN is not supported on VM.

FGT-VM with network driver vmxnet3 has lots of fragments when testing throughput.

In Azure SDN, the firewall address filter cannot fetch the secondary public and private IP addresses of the NICs.

FGTVM_OPC unable to failover the route properly during failover.

OpenStack PCI passthrough sub interface VLAN cannot received traffic.

In the Cluster setup, secondary unit can have different fingerprint for the OCI SDN connector, which can cause unit to fail to connect to OCI metatdata server properly.

EIP assigned to the secondary IP address on the OCI do not 't fail over during HA failover.

SIP ALG generates a VoIP session with wrong direction.

When central-management is NONE, include-default-servers setting is not honored by rating.

Block page images not loading for web sites protected by HSTS.

CLI diagnose debug urlfilter test-url <url> response is URL test cache miss even though the test-url is in the web filter rating cache.

Proxy-based web filter breaks WCCP traffic.

FortiWiFi working as client mode cannot see and connect to the hotspot SSID from iOS devices.

darrp-optimize-schedules configurations move to the global settings instead of VDOM.

When the NGFW mode is set to policy-based, FortiAPs cannot be managed when dtls-policy is ipsec-vpn.

WPA2-Enterprise SSID authentication cannot utilize the source IP setting in RADIUS server configuration.

FAPs detecting BSSIDs of others FAPs managed by the same WC as Fake-ap-on-air.

FAP cannot be managed by FortiGate when admin trusthost is configured.

hostapd (wpad_ac) crashed while removing RADIUS accounting servers.

Tunnel mode SSID packet loss seen from FAP-U24JEV and 800 connected APs.

FortiOS 6.2.2 is no longer vulnerable to the following CVE Reference:

• CVE-2019-9494
• CVE-2019-9495

FortiOS 6.2.2 is no longer vulnerable to the following CVE Reference:

• CVE-2019-6696

FortiOS 6.2.2 is no longer vulnerable to the following CVE Reference:

• CVE-2019-6697

FortiOS 6.2.2 is no longer vulnerable to the following CVE Reference:

• CVE-2019-15703

FortiOS 6.2.2 is no longer vulnerable to the following CVE Reference:

• CVE-2019-15706