New features or enhancements

Bug ID

Description

578099

FortiAP profile support for FortiAP-231E NPI model.

CLI changes:

  • Added wtp-profile support for FAP-231E NPI platform.
  • Multimode: single 5G and dual 5G, same as U43xF with minor differences:
    • Single 5G
      • Radio 1 operates at 2.4 GHz
      • Radio 2 operates at 5 GHz
      • Radio 3 set to monitor mode
    • Dual 5G
      • Radio 1 operates at 5 GHz and uses the higher spectrum of channels (>= 64)
      • Radio 2 operates at 5 GHz and uses the lower spectrum of channels (< 64)
      • Radio 3 can be set to AP mode
  • New wtp-profile platform property ddscan.
  • FortiGate will configure DFS channels on FAP-231E with region code E, I, V, Y, and D.
  • Default mode for 3-radio AP models set to single 5G.

GUI changes:

  • Added GUI support for FAP-231E platform:
    • New GUI option, Dedicated scan, which is the counterpart of the ddscan platform property.
    • When dedicated scan is enabled:
      • Monitor mode becomes exclusive to radio 3
      • No AP mode for radio 3, even in dual 5G
      • No WIDS profile setting for radio 1 and 2

API changes:

  • /api/v2/monitor/wifi/ap_platforms
    • Radio property changed from object to array to accommodate multimode platforms. The first element is the single 5G platform radio configuration, and the second is the dual 5G platform radio configuration. For non-multimode platforms, the array is of length 1.

588083

Support MAC and weight in device identification signatures to improve IoT detection. All device identification signatures have been updated to:

  • Allow the MAC address of the device to be part of the key for a signature, so that two signatures that would otherwise be identical can be separated by MAC address and identify the correct device.
  • Allow every signature to have a weight (0-255) that is used as a component of the new rules, which determines when the result of one signature should override the result of another signature.

599925

Add option to enable/disable DFS zero-wait functionality on FAP-U platforms (the default is enable).

config wireless-controller wtp-profile
    edit "FAPU431F-default"
        config platform
            set type U431F
        end
        set handoff-sta-thresh 30
        config radio-1
            set band 802.11ax-5G
            set zero-wait-dfs disable
        end
        config radio-2
            set band 802.11ax
        end
        config radio-3
            set mode monitor
        end
    next
end

600474

Add local-standalone, which can be enabled on a local-bridge mode VAP with the external captive portal type.

config wireless-controller vap
    edit "lo-sd-cap"
        set ssid "local-stand-cap"
        set security captive-portal
        set external-web "https://172.18.56.163/portal/index.php"
        set radius-server "peap"
        set local-standalone enable
        set local-bridging enable
        set portal-type external-auth
    next
end

605709

Add new profiles for FAP-431F and FAP-433F NPI platforms.

config wireless-controller wtp-profile
    edit "FAP433F-default"
        config platform
            set type 433F
            set ddscan enable
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
        end
    next
    edit "FAP431F-default"
        config platform
            set type 431F
            set ddscan enable
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
        end
    next
end

609167

FortiGate will assign a report index for each managed FAP so the FAP can send client, rogue AP, and rogue station information in order. This avoids a burst in CPU usage from handling reports from all FAPs at the same time. This functionality is not visible; it is a back-end optimization feature.

610596

Users can define IPv6 MAC addresses and apply them in a firewall policy, virtual wire pair policy, and other policy types.

612176

Support setting DiffServ code for SD-WAN health check probe packets. When an SD-WAN health check packet is sent out, the differentiated services code point (DSCP) can be set with a CLI command (set diffservcode, range 000000–111111).

config system virtual-wan-link
    config health-check
        edit h1
            ...
            set diffservcode Differentiated services code point (DSCP) in the IP header of the probe packet.
            ...
        next
    end
end
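
An added example (not part of Fortinet's documentation): a Python helper that validates a six-bit diffservcode value in the range given above and derives the DSCP number, the TOS byte, and packet-capture filters for confirming on the wire that probe packets carry the configured marking. The function name and the sample values are assumptions made for illustration.

```python
import re

# Standard per-hop behaviour names: class selectors (RFC 2474),
# assured forwarding (RFC 2597) and expedited forwarding (RFC 3246).
PHB_NAMES = {0: "CS0/default", 46: "EF"}
PHB_NAMES.update({8 * c: f"CS{c}" for c in range(1, 8)})
PHB_NAMES.update({8 * c + 2 * d: f"AF{c}{d}"
                  for c in range(1, 5) for d in range(1, 4)})


def parse_diffservcode(bits: str) -> dict:
    """Validate a 6-bit diffservcode string and derive the on-wire values.

    Hypothetical helper written for this example; not a FortiOS API.
    """
    if not re.fullmatch(r"[01]{6}", bits):
        raise ValueError(f"diffservcode must be six binary digits, got {bits!r}")
    dscp = int(bits, 2)   # 0..63
    tos = dscp << 2       # DSCP is the top 6 bits of the byte; ECN is the low 2
    return {
        "dscp": dscp,
        "phb": PHB_NAMES.get(dscp, "no standard name"),
        "tos_byte": tos,
        # BPF expressions that compare the DSCP bits and ignore the ECN bits.
        "bpf_ipv4": f"(ip[1] & 0xfc) == 0x{tos:02x}",
        # IPv6: the traffic class spans bits 4..11 of the first 16 bits.
        "bpf_ipv6": f"(ip6[0:2] & 0x0fc0) == 0x{dscp << 6:04x}",
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the release notes.
    for sample in ("000000", "001010", "101110"):
        info = parse_diffservcode(sample)
        print(sample, info["dscp"], info["phb"], info["bpf_ipv4"])
```

Combine the generated filter with the health-check server address in a capture on the egress interface to confirm that the probes leave with the expected marking.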

618812

Use RADIUS accounting information from authenticated RSSO users to populate source and destination user fields in traffic logs.

625080

Support IPv6 with vNP/DPDK on FortiGate-VM to improve the performance of firewall and flow UTMs, allowing for greater throughput.
