New features or enhancements
More detailed information is available in the New Features Guide.
Bug ID |
Description |
---|---|
239809 |
Remove sticky clients by keeping only clients with good SNR in the BSS. Clients with low SNR are deauthenticated and not allowed back into the BSS until their SNR improves.
```
config wireless-controller vap
    edit weak-signal-vap
        set probe-resp-suppression enable|disable
        set probe-resp-threshold
        set radio-sensitivity enable|disable
        set radio-2g-threshold
        set radio-5g-threshold
        set sticky-client-remove enable|disable <==added
        set sticky-client-2g-threshold <==added
        set sticky-client-5g-threshold <==added
    next
end
```
|
437116 |
For DFS-approved countries, add 160 MHz channel bonding support for FortiAP U421EV, U422EV, and U423EV models.
```
config wireless-controller wtp-profile
    edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
        config radio-2
            set band 802.11ac
            set channel-bonding 160MHz
        end
    next
end
```
|
456803 |
Add virtual switch feature for FG-140E and FG-140E-POE. |
457153 |
Support SSL VPN sign on using certificate and remote (LDAP or RADIUS) username/password authentication. |
520828 |
Support VMware tag filters in ESXi SDN connectors. Support obtaining and filtering of addresses by distributed port group names when a VM is attached to a distributed virtual switch. |
529340 |
Decouple the memory size limit from the private VM license. |
529445 |
In
```
config wireless-controller wids-profile
    edit <WIDS-profile-name>
        set ap-scan enable
        set ap-scan-threshold "-80"
    next
end
```
The range of |
532168 |
Support proxy traffic after TCP three-way handshake from client to original server for a specific port. CLI changes:
|
553382 |
REST API to support transaction operation. |
538760 |
Monitor API to check SLBC cluster checksum status. New API added - monitor/system/config-sync/status. |
544704 |
Introduce 802.11ax support for FortiAP-U431F and FortiAP-U433F:
|
550911 |
Consolidate Monitor and FortiView pages. FortiView and Monitor entries have been removed from the navigation bar. Most of the pages under them now show up as widgets in several newly added default dashboards. Exceptions being:
|
553372 |
Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labeled Fabric Connection. If either CAPWAP or FortiTelemetry were enabled on a particular interface, the new fabric option will be enabled after upgrading. |
557614 |
FortiGate support for NSX-T v2.4: East/West traffic. |
558464 |
Move SAML configuration to the Security Fabric menu.
|
560138 |
External IP list (threat feed) object support added to security policy. |
562394 |
Add support for EMS cloud.
|
568528 |
Add IPv4 source guard to the switch controller. Added CLI command to push
|
569708 |
Support FSSO for dynamic addresses and support ClearPass endpoint connector (via FortiManager). CLI changes:
GUI changes:
|
570207 |
Support SAML method in firewall and SSL VPN authentications. CLI changes:
|
571639 |
Policy route changes:
SD-WAN interfaces:
SD-WAN rules:
Performance SLA:
|
571642 |
SD-WAN rule correlation improvement. |
573176 |
Support destination MAC addresses in the sniffer traffic log. |
573568 |
For FortiGate Azure HA, change public IP and routing table entries allocated in different resource groups. In an Azure HA scenario, EIP and route tables failover are specified in the SDN connector configuration. A new attribute, If the CLI changes:
|
573993 |
Add UTM log for FortiAnalyzer cloud-based subscription. CLI changes:
Most options within The exception is the |
574376 |
Consolidate IPv4 and IPv6 policy configuration. CLI changes:
GUI changes:
|
575770 |
Increase IPS custom signature length to 4096. |
576381 |
Automatically disable NPU offloading if the session interface has |
576938 |
Add IKE HA support for combined FGSP (L3 cluster) and FGCP (L2 cluster). This corrects the synchronization between FGCP and FGSP clusters in order to guarantee a real ability to failover IPsec tunnels. |
577000 |
FortiGate debugger Chrome extension support. The extension improves the quality of GUI bug reports. The extension communicates with FortiOS and allows users to perform a capture. The capture includes (but is not limited to) the following:
|
577730 |
Authentication support for upstream/chained proxy in transparent mode. |
578099 |
FortiAP profile support for FortiAP-231E NPI model. CLI changes:
GUI changes:
API changes:
|
578643 |
The feature extends the quarantine function on the FortiSwitch by allowing a device to be quarantined but remain with the VLAN where it was detected. The option to quarantine devices to a VLAN remains available. |
578643 |
GUI changes in OCVPN to map user workflow habit. |
579484 |
Limit OCVPN spoke to only join existing overlay. |
579899 |
Monitoring DHCP Pool via SNMP query and trap.
|
580048 |
NetFlow using HA reserved management interface. |
580889 |
DPDK support on FortiOS VM platform. |
581409 |
Allow administrators the ability to modify some configuration options of automatically generated VLANs by the switch controller. These changes are applied at the time of VLAN creation. |
581412 |
Add automated detection and recommendations to configuration and conditions observed in the switch controller and FortiSwitch network. Administrators may accept the recommendations and have them automatically applied. |
581742 |
Provide an integrated FortiGate network access control (NAC) function to the FortiAP and FortiSwitch networks by using a shared set of NAC policies. The NAC policy can be applied based on data from the user device list. |
582241 |
Add antiphishing feature. The initial implementation adds functionality into WAD by parsing incoming HTTP requests, looking for known credentials, and if there is a match, performing the configured action. |
582691 |
Extend SSL and certificate options in
```
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config ssl
            set inspect-all disable
        end
        config https
            set ports 443
            set status deep-inspection
            set proxy-after-tcp-handshake disable
            set client-certificate bypass
            set unsupported-ssl-cipher allow <==added
            set unsupported-ssl-negotiation allow <==added
            set expired-server-cert block <==added
            set revoked-server-cert block <==added
            set untrusted-server-cert allow
            set cert-validation-timeout allow <==added
            set cert-validation-failure block <==added
            set sni-server-cert-check enable
        end
    next
end
```
|
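An added example, not part of the release notes and not Fortinet code: a short Python check that parses FortiOS CLI text and lists which of the certificate and negotiation options shown above are set to `allow`, so a reviewer can see where a deep-inspection profile lets a session through instead of blocking it. The function names and the abridged sample input are constructed for illustration.

```python
import shlex

# Constructed input: https section of the profile above, "<==added" notes removed.
SAMPLE = """
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
        end
    next
end
"""

# Options from the profile above whose value is an allow/block action.
CONDITIONS = ("unsupported-ssl-cipher", "unsupported-ssl-negotiation",
              "expired-server-cert", "revoked-server-cert", "untrusted-server-cert",
              "cert-validation-timeout", "cert-validation-failure")

def parse_settings(text):
    """Map each scope path (table, entry, sub-section) to its 'set' values."""
    scope, out = [], {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            scope.append((tok[0], " ".join(tok[1:])))
        elif tok[0] == "next" and scope and scope[-1][0] == "edit":
            scope.pop()
        elif tok[0] == "end":
            # "end" typed inside an edit closes the entry and its table.
            while scope and scope.pop()[0] != "config":
                pass
        elif tok[0] == "set" and len(tok) >= 3:
            path = tuple(name for _, name in scope)
            out.setdefault(path, {})[tok[1]] = " ".join(tok[2:])
    return out

def allowed_conditions(text):
    """Return (profile, protocol, option) for every condition set to 'allow'."""
    hits = []
    for path, settings in parse_settings(text).items():
        if len(path) == 3 and path[0] == "firewall ssl-ssh-profile":
            hits += [(*path[1:], k) for k in CONDITIONS if settings.get(k) == "allow"]
    return hits
```

Calling `allowed_conditions()` on a saved configuration gives one tuple per profile, protocol section and option to review.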
583851 |
Add new
```
config wireless-controller vap
    edit br-vap
        set dhcp-option82-insertion enable
        set dhcp-option82-circuit-id-insertion style-3 <==added
    next
end
```
|
587870 |
Add
```
config router route-map
    edit <name>
        config rule
            edit <id>
                set match-vrf Match VRF ID. <==added
            next
        end
    next
end
```
Add
```
config router bgp
    config vrf-leak <==added
        edit <id> <==added
            config target <==added
                edit <id> <==added
                    set route-map <==added
                    set interface <==added
                next
            end
        next
    end
end
```
Add clear route
```
execute router clear bgp all vrf-leak
execute router clear bgp all soft vrf-leak
```
|
588083 |
Support MAC and weight in device identification signatures to improve IoT detection. All device identification signatures have been updated to:
|
589374 |
Add client DHCP options.
```
config system interface
    edit wan1
        set mode dhcp
        ....
        config client-options
            edit 1
                set code 60
                set type {hex | string | ip | fqdn}
                set value|ip "xxxxxx"
            next
        end
    next
end
```
|
591567 |
Support for additional SHA2 algorithms with SNMPv3. |
592214 |
Support UTM inspection on asymmetric traffic in FGSP where traffic returning to the session owner is encapsulated in UDP via the peer interface. As a result, the |
592220 |
WiFi client IPv6 traffic is supported by tunnel mode and local bridge mode SSID. Add new IPv6 suppression rule under VAP configuration.
```
config wireless-controller vap
    edit vap-ipv6
        set ipv6-rules drop-icmp6ra drop-icmp6rs drop-llmnr6 drop-icmp6mld2 drop-dhcp6s drop-dhcp6c ndp-proxy drop-ns-dad drop-ns-nondad
    next
end
```
|
593148 |
Update interface-related pages to use AngularJS and muTable. Interfaces list:
Interfaces dialog:
CLI changes:
|
593216 |
In order to more accurately detect Internet of Things (IoT), a new FortiGuard service provides a large database of device IoT identification. Devices detected on the local FortiGate and via FortiAP and FortiSwitch networks can be queried with the FortiGuard IoT device database to provide enhanced identification. |
593262 |
Add prompt in CLI when creating a new VDOM. |
593694 |
This backend implementation allows the root FortiGate in a Security Fabric to store historic user and device information in a database on its disk. |
596870 |
Add kernel support for the IEEE 802.1ad (QinQ) feature. In the past, 802.1Q specification allowed a single VLAN header to be inserted into an Ethernet frame. This new feature allows one more VLAN tag to be inserted into a single frame. |
597159 |
Enable autoscale feature in KVM platforms for use in OpenStack. |
597685 |
Starting from FortiOS 6.2.3 and 6.4.0, a single annually contracted SKU contains both VM base and one of the FC service bundles. It is BYOL (bring-your-own-license) and supports VMware ESXi, KVM, Hyper-V, Xen, AWS, Azure, Azure Stack, GCP, OCI, Alibaba Cloud, Rackspace, VMware NSX-T, and Nutanix. |
599826 |
Replace FSSO with REST API for EMS connector. |
599925 |
Add option to enable/disable DFS zero wait functionality for 5 GHz radio on FAP-U platforms.
```
config wireless-controller wtp-profile
    edit "FAPU431F-default"
        config platform
            set type U431F
        end
        set handoff-sta-thresh 30
        config radio-1
            set band 802.11ax-5G
            set zero-wait-dfs [enable | disable] <==added, default is enable
        end
        config radio-2
            set band 802.11ax
        end
        config radio-3
            set mode monitor
        end
    next
end
```
|
600474 |
New feature added so
```
config wireless-controller vap
    edit "lo-sd-cap"
        set ssid "local-stand-cap"
        set security captive-portal
        set external-web "https://172.18.56.163/portal/index.php"
        set radius-server "peap"
        set local-standalone enable <==added
        set local-bridging enable
        set portal-type external-auth
    next
end
```
|
601214 |
Support ADVPN peer-to-peer shortcuts through NAT. This solution provides hole punching support for RFC 4787 compliant NATs that use endpoint independent mapping. For a given source IP/port, the NAT mapping observed by the hub does not change when communicating with other endpoints, such as spoke-to-spoke shortcuts. |
603145 |
GUI change:
CLI changes:
|
603216 |
Allow SD-WAN monitor to work on ADVPN shortcut. With this enhancement, SD-WAN can monitor link quality of the shortcut VPN between spoke-to-spoke. The SD-WAN service rules among spokes can accurately rely on SLA performance to determine which link to use. CLI changes:
|
604813 |
Add
```
config wireless-controller apcfg-profile <==added
    edit [Profile Name] <==added
    next
end
config wireless-controller wtp-profile
    edit "FAP423E-default"
        config platform
            set type 423E
        end
        set apcfg-profile "FAP423E-apcfg" <==added
    next
end
```
This feature is currently only applicable on FAP-W2/S models with the latest 6.4 firmware. |
605339 |
Add encryption option for FGSP. |
605577 |
Support 24 interfaces in FG-VM. |
605709 |
New profiles added for NPI platforms, FAP-431F and FAP-433F.
```
config wireless-controller wtp-profile
    edit "FAP433F-default"
        config platform
            set type 433F <==new type
            set ddscan enable
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
        end
    next
    edit "FAP431F-default"
        config platform
            set type 431F <==new type
            set ddscan enable
        end
        set handoff-sta-thresh 55
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
        end
    next
end
```
|
607855 |
New subscription service for IoT device identification. |
608856 |
For FortiAPs managed by the FortiGate, a new layer-3 access control list (ACL) can be applied to the bridge or tunnel mode SSID. This is supported on 6.4.0 FortiAP-S and FortiAP-W2, and 5.4.3 FortiAP-C platforms.
```
config wireless-controller access-control-list <==added
    edit "ACL-1"
        config layer3-ipv4-rules
            edit 10
                set dstaddr 172.16.200.44/255.255.255.255
                set action deny
            next
            edit 20
                set protocol 1
                set action deny
            next
            edit 30
                set dstport 21
                set action deny
            next
        end
    next
end
config wireless-controller vap
    edit "wifi.fap.01"
        set ssid "starr-ssid.fap.01"
        set passphrase xxxxxxxx
        set local-bridging enable
        set access-control-list "ACL-1" <==added
    next
end
```
|
609167 |
FortiGate will assign a report index to each managed FAP, so the FAPs send client, rogue AP, and rogue station information in order. This prevents the burst of CPU usage caused by handling reports from all FAPs at the same time. This is not a visible functionality. It is a backend optimization feature. |
610146 |
Add a provision for a FortiAP unit to upgrade to a designated firmware version that has been stored on the FortiGate, upgrading by image download after it has joined.
```
config wireless-controller wtp
    edit "FP423E3X16000020"
        set admin enable
        set firmware-provision "6.4.0412" <==added
        set wtp-profile "FAP423E-default"
        config radio-1
        end
        config radio-2
        end
    next
end
```
With this change, a FortiGate with a built-in disk can hold up to four versions of firmware for each FAP model instead of one as before. A FortiGate without a built-in disk can hold one version as before. |
610191 |
This change includes multiple behavior changes to both the CLI and GUI:
|
611391 |
Allow
```
config system interface
    edit ipsec-tunnel-1
        set type tunnel
        set mtu-override enable/disable <==added
        set mtu 1400 <==added
    next
end
```
|
612176 |
Support diffserv code setting for SD-WAN health check probe packets. When an SD-WAN health check packet is sent out, the differentiated services code point (DSCP) can be set with the
```
config system virtual-wan-link
    config health-check
        edit h1
            ....
            set diffservcode <6-bits binary, range 000000–111111>
        next
    end
end
```
|
615615 |
The purpose of the VLAN probe tool is to help customers to decide whether or not there is a WiFi problem when they cannot reach the internet. The FortiGate and FortiAP work together to scan all available VLANs to help customers to find the real internet issue. |
615982 |
Simplify the Security Fabric > Settings page. The Security Fabric Settings page has been renamed to Fabric Connectors and all the settings under it now show up as separate cards. The Fabric Connectors menu entry is renamed and shows up as External Connectors.
|
617574 |
A new slide page is created when drilling down a WiFi station from WiFi & Switch Controller > WiFi Clients page to view a detailed summary of the station, including signal health and logs. |