DOCUMENT LIBRARY

FortiOS Release Notes

Home FortiGate / FortiOS 6.4.7 FortiOS Release Notes

6.4.7

New features or enhancements

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID	Description
477886	Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out. config system npu set prp-port-in <port> set prp-port-out <port> end
489956	Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default). config system npu set lag-out-port-select {enable \| disable} end Add algorithm in NPU driver for distribution, `AGG_ALGORITHM_NPU`.
566452	Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed: config system virtual-switch edit <name> config port edit <name> set speed <option> set status {up \| down} next end next end config system physical-switch edit <name> config port edit <name> set speed <option> set status {up \| down} next end next end
641524	Add interface selection for IPS TLS protocol active probing. config ips global config tls-active-probe set interface-selection-method {auto \| sdwan \| specify} set interface <interface> set vdom <VDOM> set source-ip <IPv4 address> set source-ip6 <IPv6 address> end end
663468	Support hardware switch on FG-300E, FG-400E, and FG-1100E models.
667285	When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character.
685910	Add SoC4 driver support for the IEEE 802.1ad, which is also known as QinQ. When the OID is used up, it is forbidden to create a new QinQ interface.
691337	Allow a GCP SDN connector to have multiple projects attached to it. Previously, GCP SDN connectors could only be associated with one project, a limit of 256 SDN connectors, and users could only add a maximum 256 projects to the FortiGate. A single GCP SDN connection can now have thousands of projects attached to it. Add support for dynamic address filters based on project name and zones: config system sdn-connector edit <name> set type gcp config gcp-project-list edit <name> set gcp-zone-list <name_1> <name_2> ... <name_n> next end next end GUI changes: Add buttons to switch between Simple and Advanced project configurations. The simple configuration displays a single text field to add one project to the GCP SDN connector. The advanced configuration displays a mutable table for users to add multiple projects to the GCP SDN connectors. Adding projects displays a slide-out pane to specify the project name and zones. A confirmation slide-out pane appears when switching from advanced to simple to warn about projects being deleted from the GCP SDN connector. A tooltip on the GCP SDN connector card shows the list of projects, and the filter list of GCP dynamic addresses shows the project and zones.
692529	Enhance MAC authentication bypass so that the MAC authentication status is recorded in authd. The MAC authentication is retired in 10 seconds and is always sent to the portal for HTTP authentication sessions.
699456	Increase the generated RSA key bits from 1024 to 2048.
700073	Add a default-action into `youtube-channel-filter` configuration to apply a default action to all channels when there is no match. config videofilter youtube-channel-filter edit <id> set default-action {block \| monitor \| allow} set log {enable \| disable} next end The default settings are `monitor` for `default-action`, and `disable` for `log`.
717907	Add option in CLI to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost. config user fsso edit <name> set logon-timeout <integer> next end The `logon-timeout` is measured in minutes (1 - 2880, default = 5).
720371	New ciphers have been added in FIPS ciphers mode on FortiGate VMs so that cloud instances running this mode can form IPsec tunnels with hardware models running FIPS-CC mode. Added to IPsec phase 1: aes128-sha256 aes128-sha384 aes128-sha512 aes256-sha256 aes256-sha384 aes256-sha512 Added to IPsec phase 2: aes128-sha256 aes128-sha384 aes128-sha512 aes256-sha256 aes256-sha384 aes256-sha512
726268	Previously, `estimated-downstream-bandwidth` and `ingress-shaping-profile` needed to be configured to use the ingress traffic shaping feature work. Now, `estimated-downstream-bandwidth` changed to `inbandwidth`.

Previous

Next

New features or enhancements

New features or enhancements

More detailed information is available in the New Features Guide.

Bug ID	Description
477886	Allow ingress and egress ports to be configured so the PRP trailer is not stripped when PRP packets come in or go out. config system npu set prp-port-in <port> set prp-port-out <port> end
489956	Add LAG implementation so each session uses the same NP6 and XAUI for ingress and egress directions to avoid fast path congestion (this setting is disabled by default). config system npu set lag-out-port-select {enable \| disable} end Add algorithm in NPU driver for distribution, `AGG_ALGORITHM_NPU`.
566452	Support hardware switch on FG-400E and FG-1100E models. The following commands have been removed: config system virtual-switch edit <name> config port edit <name> set speed <option> set status {up \| down} next end next end config system physical-switch edit <name> config port edit <name> set speed <option> set status {up \| down} next end next end
641524	Add interface selection for IPS TLS protocol active probing. config ips global config tls-active-probe set interface-selection-method {auto \| sdwan \| specify} set interface <interface> set vdom <VDOM> set source-ip <IPv4 address> set source-ip6 <IPv6 address> end end
663468	Support hardware switch on FG-300E, FG-400E, and FG-1100E models.
667285	When configuring a NAC policy, it is sometimes useful to manually specify a MAC address to match the device. Wildcards in the MAC address are supported by specifying the * character.
685910	Add SoC4 driver support for the IEEE 802.1ad, which is also known as QinQ. When the OID is used up, it is forbidden to create a new QinQ interface.
691337	Allow a GCP SDN connector to have multiple projects attached to it. Previously, GCP SDN connectors could only be associated with one project, a limit of 256 SDN connectors, and users could only add a maximum 256 projects to the FortiGate. A single GCP SDN connection can now have thousands of projects attached to it. Add support for dynamic address filters based on project name and zones: config system sdn-connector edit <name> set type gcp config gcp-project-list edit <name> set gcp-zone-list <name_1> <name_2> ... <name_n> next end next end GUI changes: Add buttons to switch between Simple and Advanced project configurations. The simple configuration displays a single text field to add one project to the GCP SDN connector. The advanced configuration displays a mutable table for users to add multiple projects to the GCP SDN connectors. Adding projects displays a slide-out pane to specify the project name and zones. A confirmation slide-out pane appears when switching from advanced to simple to warn about projects being deleted from the GCP SDN connector. A tooltip on the GCP SDN connector card shows the list of projects, and the filter list of GCP dynamic addresses shows the project and zones.
692529	Enhance MAC authentication bypass so that the MAC authentication status is recorded in authd. The MAC authentication is retired in 10 seconds and is always sent to the portal for HTTP authentication sessions.
699456	Increase the generated RSA key bits from 1024 to 2048.
700073	Add a default-action into `youtube-channel-filter` configuration to apply a default action to all channels when there is no match. config videofilter youtube-channel-filter edit <id> set default-action {block \| monitor \| allow} set log {enable \| disable} next end The default settings are `monitor` for `default-action`, and `disable` for `log`.
717907	Add option in CLI to manage how long authenticated FSSO users on the FortiGate will remain on the list of authenticated FSSO users when a network connection to the collector agent is lost. config user fsso edit <name> set logon-timeout <integer> next end The `logon-timeout` is measured in minutes (1 - 2880, default = 5).
720371	New ciphers have been added in FIPS ciphers mode on FortiGate VMs so that cloud instances running this mode can form IPsec tunnels with hardware models running FIPS-CC mode. Added to IPsec phase 1: aes128-sha256 aes128-sha384 aes128-sha512 aes256-sha256 aes256-sha384 aes256-sha512 Added to IPsec phase 2: aes128-sha256 aes128-sha384 aes128-sha512 aes256-sha256 aes256-sha384 aes256-sha512
726268	Previously, `estimated-downstream-bandwidth` and `ingress-shaping-profile` needed to be configured to use the ingress traffic shaping feature work. Now, `estimated-downstream-bandwidth` changed to `inbandwidth`.

Previous

Next