FortiOS Release Notes

New features or enhancements

More detailed information is available in the New Features Guide.

Feature ID

Description

480717

Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports.

685910

Add SoC4 driver support for IEEE 802.1ad, which is also known as QinQ. When the OID is used up, a new QinQ interface cannot be created.

743804

Add a RADIUS option to allow the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign.

789237

FortiOS supports customizing the source IP address and the outgoing interface for communication with the upstream FortiGate in the Security Fabric:

config system csf
    set source-ip <class_ip>
    set upstream-interface-select-method {auto | sdwan | specify}
end

838535

Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP.

846399

Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.

883606

FortiOS allows customers to enable or disable the INDEX extension that appends the VDOM or interface index in RFC tables.

config system snmp sysinfo
    set append-index {enable | disable}
end

884375

Add support for FAP-234G management.

886560

Support switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiAnalyzer.

886564

This enhancement makes changes to the Internet Key Exchange (IKE) protocol to bolster security measures and improve the performance of IPsec VPN. The three key changes include EMS SN Verification, IPsec SAML-based authentication, and IPsec Split DNS.

906370

Support EMS serial number checking per IPsec phase 1 interface.

config vpn ipsec phase1-interface
    edit <name>
        set ems-sn-check {enable | disable}
    next
end

915879

Add two FortiGuard web filter categories:

  • Artificial intelligence technology (category 100): sites that offer solutions, insights, and resources related to artificial intelligence (AI).

  • Cryptocurrency (category 101): sites that specialize in digital or virtual currencies that are secured by cryptography and operate on decentralized networks.

921914

Support autoconnect to IPsec VPN using Microsoft Entra ID. This enables seamless and secure connectivity for users accessing corporate resources by automatically establishing IPsec VPN connections based on Microsoft Entra ID logon session information.

930522

Remote access with read and write rights through FortiGate Cloud now requires a paid FortiGate Cloud subscription. The FortiGate can still be accessed in a read-only state with the free tier of FortiGate Cloud. Alternatively, you can access your FortiGate through its web interface.

Please contact your Fortinet Sales/Partner for details on purchasing a FortiGate Cloud Service subscription license for your FortiGate device.

931953

FortiOS supports Automatic Firmware Modification Attempt Reporting. This enhancement improves upon the Real-time file system integrity checking feature by implementing an automatic reporting mechanism in the event of an unauthorized firmware modification attempt.

934273

Support the BGP graceful restart helper-only mode. This ensures that during a FortiGate HA failover, the neighboring router that only supports BGP graceful restart helper mode retains its routes.

938066

FortiOS supports customizing retry times and intervals for token activation for FortiFlex/Flex-VM licenses.

execute vm-license-options count <integer>
execute vm-license-options interval <integer>

965990

FortiOS supports up to six NetFlow collectors. This enhancement extends to multi-VDOM environments, where a maximum of six NetFlow collectors can be used globally or on a per-VDOM basis.

976152

FortiOS supports source IP address anchoring in dial-up IPsec tunnels. This allows the gateway to match connections based on the IPv4/IPv6 gateway address parameters, such as the subnet, address range, or country.

977097

Choose whether to discard or permit IPv4 SCTP packets with zero checksum on the NP7 platform:

config system npu
    config fp-anomaly
        set sctp-csum-err {allow | drop | trap-to-host}
    end
end

979375

FIPS-CC cipher mode is silently enabled when configured using cloud-init for AWS.
