Mark endpoint records and host tags as out of synchronization when failure timeout occurs for the EMS APIs, report/fct/sysinfo and report/fct/host_tags. The out-of-sync threshold (in seconds, 10 - 3600) can be configured from the CLI.

config endpoint fctems
    edit <name>
        set out-of-sync-threshold <integer>
    next
end

When the admin-restrict-local setting is enabled under config system global, local administrators cannot be used until all remote authentication servers are down. In this enhancement, the FortiGate only checks all remote authentication servers that are applied in config system admin are down, instead of all remote servers configured on the FortiGate, before allowing local administrators to log in.

Rename FortiAI to FortiNDR in the GUI and CLI to align with the FortiNDR rebranding. In addition, previous CLI-only settings for sending files to FortiNDR for inspection are now configurable from the AntiVirus profile page in the GUI.

Support WiFi 6 Release 2 security enhancements by adding support for Hash-to-Element (H2E) only and Simultaneous Authentication of Equals Public Key (SAE-PK) for FortiAP models that support WPA3-SAE security modes.

config wireless-controller vap
    edit <name>
        set ssid <ssid>
        set security wpa3-sae
        set sae-h2e-only {enable | disable}
    next
end

config wireless-controller vap
    edit <name>
        set ssid <ssid>
        set security wpa3-sae
        set sae-pk {enable | disable}
        set sae-private-key <private_key>
    next
end

Add attribute under config switch-controller igmp-snooping to configure the query-interval under FortiLink, and add a check to ensure the query-interval is less than the aging-time interval.

In addition to per-tunnel IPsec failover for FGSP peers, FGCP over FGSP is also supported. For additional redundancy, an FGCP cluster on one site may form FGSP peering with FGCP clusters on other sites. The FGCP over FGSP peers can still synchronize IPsec SAs and act as the primary gateway for individual tunnels for the same dialup servers. When failover happens within an FGCP cluster, tunnel traffic will fail over to the other FGCP cluster member. When an FGCP cluster fails, tunnel traffic will fail over to the other FGSP peer.

Add support for multitenant FortiClient EMS deployments that have the Manage Multiple Customer Sites setting enabled with multiple sites. Since a FortiClient EMS site is no longer unique using its serial number alone, the FortiGate configuration for FortiClient EMS connectors and related diagnostic commands have been enhanced to distinguish EMS sites using serial number and tenant ID:

• Update config endpoint-control fctems to predefine five FortiClient EMS Fabric connectors that are referred to using numerical IDs from 1 to 5. Administrators can configure the status and name settings, and to display the tenant ID retrieved from FortiClient EMS sites with Manage Multiple Customer Sites enabled.

  A single tenant EMS server or the default site on a multitenant EMS server has a tenant ID consisting of all zeros (00000000000000000000000000000000).

• Update the FortiClient EMS Fabric connector to retrieve specific ZTNA tags from each configured FortiClient EMS site.

• Update diagnose endpoint record list to return the EMS tenant id field retrieved from each respective FortiClient EMS server.

• Update ZTNA and EMS debug commands to accept the EMS serial number and tenant ID as parameters.

  # diagnose endpoint lls-comm send ztna find-uid <uid> <EMS_serial_number> <EMS_tenant_id>

  # diagnose wad dev query-by uid <uid> <EMS_serial_number> <EMS_tenant_id>

FortiClient 7.0.3 and later is required to use this feature.

During FGSP per-tunnel failover for IPsec, the same IPsec dialup server configured on each FGSP member may establish tunnels with dialup clients as the primary gateway. The IPsec SAs are synchronized to all other FGSP peers that have FGSP synchronization for IPsec enabled. Other FGSP members may establish a tunnel with other clients on the same dialup server and synchronize their SAs to other peers.

Upon the failure of the FGSP member that is the primary gateway for a tunnel, the upstream router will fail over the tunnel traffic to another FGSP member. The other FGSP member will move from standby to the primary gateway for that tunnel and continue to forward traffic.

config vpn ipsec phase1-interface
    edit <name>
        set fgsp-sync {enable | disable}
    next
end

In conjunction with support for FGSP per-tunnel failover for IPsec, configuring DPD (dead peer detection) on an FGSP member is now permitted. This allows a failed FGSP member to send out DPD probes during failover to detect the unreachable remote peer and flush the corresponding tunnels.

Support custom replacement message groups for each ZTNA virtual host. The %%ZTNA_DETAIL_TAG%% variable can be used in replacement messages.

config firewall access-proxy-virtual-host
    edit <name>
        set host <string>
        set replacemsg-group <string>
    next
end

In proxy mode antivirus profiles, add option under HTTP to customize the action for files with unknown content encoding (default = block).

config antivirus profile
    edit <name>
        set feature-set proxy
        config http
            set unknown-content-encoding {block | inspect | bypass}
        end
    next
end

This enhancement builds on the AWS SDN connector, which uses the AWS security token service (STS) to connect to multiple AWS accounts concurrently. To enhance security, the SDN connector supports the use of an External ID, which allows the target account owner to permit the role to be assumed by the source account only under specific circumstances.

Remove the threat level threshold option from compromised host automation triggers in the GUI and CLI.

Allow FG-ARM64-AWS to work in Graviton3 c7g and c6gn instance types.

Add option to exclude the first and last IP of a NAT64 IP pool. This setting is enabled by default.

config firewall ippool
    edit <name>
        set nat64 enable
        set subnet-broadcast-in-ippool {enable | disable}
    next
end

Add TPM support for FG-VM64 platforms. Hypervisors with software TPM emulator packages installed will be able to support the TPM feature on FortiOS. This is currently supported on KVM and QEMU.

Add option to set the IP fragment memory threshold manually (in MB, 32 - 2047, default = 32). A large memory threshold can reduce the number of ReasmFails due to the large number of fragment packets.

config system global
    set ip-fragment-mem-thresholds <integer>
end

Allow FortiGate-VMs for OCI to work on ARM-based Oracle Cloud Ampere A1 Compute instances.

Add options to filter WAD log messages by process type or process ID, and print WAD log messages by default when the session is unknown.

# diagnose wad filter process-type <integer>

# diagnose wad filter process-id <integer>

When running diagnose wad filter list , the process type and process id are visible in the output.