Use API endpoint domain name from instance metadata to support FortiOS VM OCI DRCC region.

Support the AWS T4g instance family with the FG-ARM64-AWS firmware image. Support the AWS C6a and C6in instance families with the FG-VM64-AWS firmware image.

Support Saudi Cloud Computing Company (SCCC) and alibabacloud.sa domain (a standalone cloud backed by AliCloud).

Support deploying VMware FortiGate VMs directly as a Zero Trust Application Gateway using the OVF template (.vapp). ZTNA related parameters such as EMS server, external and internal interface IPs, and application server mapping can be configured during OVF deployment. ZTNA policies, authentication schemes, rules, and user groups are also bootstrapped.

Support the new AWS C7gn instance family with the FG-ARM64-AWS firmware image.

Upgrade the AWS ENA network interface driver to 2.8.3.

Support UEFI Preferred boot mode on AWS FortiGate VM models with instance types that support --boot-mode uefi-preferred.

In the Top FortiSandbox Files FortiView monitor, it is possible to drill down on a submitted file, and view its static and dynamic file analysis. It is possible to download the full FortiSandbox report in PDF format. This feature works with FortiGate Cloud Sandbox, FortiSandbox Cloud, and FortiSandbox appliance. FortiSandbox must be running version 3.2.1 or later.

Support retrieving and displaying DHCP option 82 data from managed FortiSwitches.

diagnose switch-controller switch-info option82-mapping snooping {ascii | hex} <managed_switch_serial_number> <vlan> [port]

The serial number and VLAN are required, the port is optional.

Managed FortiSwitches must be running FortiSwitch 7.2.2 or later, and the managed FortiSwitches must be configured with DHCP option 82 settings.

Support DHCP option 82 configuration options in the switch controller settings including circuit ID, remote ID, and other general settings used for DHCP snooping on managed FortiSwitches.

config switch-controller global
    set dhcp-option82-format {ascii | legacy}
    set dhcp-option82-circuit-id {intfname vlan hostname mode description}
    set dhcp-option82-remote-id {hostname ip mac}
    set dhcp-snoop-client-req {forward-untrusted | drop-untrusted}
    set dhcp-snoop-client-db-exp <integer>
    set dhcp-snoop-db-per-port-learn-limit <integer>
end

Managed FortiSwitches must be running FortiSwitch 7.2.2 or later.

Allow a managed FortiSwitch ID to be edited and store the device serial number as a new read-only field.

config switch-controller managed-switch
    edit <id>
        set sn <serial_number>
    next
end

The device ID can be configured to a maximum of 16 alphanumeric characters, including dashes (-) and underscores (_).

Some related config, execute, and diagnose commands have been modified to configure and display user-definable FortiSwitch IDs accordingly. The system data and daemons have been modified to use the new switch serial number field to ensure the existing switch controller and dependent features still work.

Increase the number of supported NAC devices to 48 times the maximum number of FortiSwitch units supported on that FortiGate model.

In managed FortiSwitch switch controller CLI commands, allow a user-configurable access control list (ACL) per port on a managed FortiSwitch to control user/system access to particular resources:

config switch-controller acl ingress
    edit <id>
        config action
            set drop {enable | disable}
        end
        config classifier
            set dst-ip-prefix <ip_netmask>
            set src-mac <MAC_address>
        end
    next
end

config switch-controller acl group
    edit <name>
        set ingress <id>
    next
end

config switch-controller managed-switch
    edit <switch_id>
        config ports
            edit <name>
                set acl-group <name>
            next
        end
    next
end

The user-configurable ACL will be assigned to ACL group 3 in FortiSwitch. Since the range of group identifiers varies among FortiSwitch platforms, platforms that do not support group 3 may not be supported. The user-configurable ACL may conflict with an ACL implemented by other managed FortiSwitch features.

Add the ability to perform multi-processing for the wireless daemon that handles all WPA authentication requests (wpad_ac) by allowing users to specify the wpad-process-count. The count varies by model based on the number of FortiAPs it is allowed to manage.

config wireless-controller global
    set wpad-process-count <integer>
end

Wi-Fi 5G Hz UNII-3 channels (149, 153, 157, 161, and 165) are allowed in European countries and region code E countries (with a few exceptions).

Add option in dtls-policy for ipsec-vpn-sn under config wireless-controller wtp-profile, which automatically establishes an IPsec VPN tunnel between the FortiGate and FortiAP that carries CAPWAP data packets and includes the FortiAP serial number within this tunnel.

config wireless-controller wtp-profile
    edit <name>
        set dtls-policy {clear-text | dtls-enabled | ipsec-vpn | ipsec-vpn-sn}
    next
end

The local radio of FortiWiFi-8xF, 6xF, and 40F models when operating in client mode is now capable of connecting with a third-party SSID using WPA3-SAE or OWE security mode. This provides a more secure and robust wireless connection, ensuring data integrity and privacy.

config system interface
    edit <name>
        config wifi-networks
            edit <id>
                set wifi-ssid <string>
                set wifi-security {wpa3-sae | owe}
                set wifi-passphrase <password>
            next
        end
    next
end

FortiAP 431G and 433G models operating in single 5G mode can make use of the UNII-4 frequency band, 5.85 GHz - 5.925 GHz. Additional channels 169, 173, and 177 are provided to the user in the 5 GHz radio.

The wtp-profile of FAP-432F, FAP-433F, FAP-U432F, and FAP-U433F models can set external antenna parameters when the corresponding external antenna is installed.

config wireless-controller wtp-profile
    edit <name>
        config radio-1
            set optional-antenna {none | FANT-04ABGN-0606-O-R | FANT-04ABGN-0606-P-R}
        end
    next
end

Add support for enforcing a maximum number of FortiExtender devices in LAN extension mode per FortiGate platform. Support for enforcing a maximum number of FortiExtender devices in WAN extension mode per FortiGate platform was added in a previous version of FortiOS.

Add CLI support for WPA3-SAE security mode for FortiAP wireless mesh backhaul SSIDs:

config wireless-controller vap
    edit <name>
        set mesh-backhaul enable
        set ssid <string>
        set security wpa3-sae
        set pmf enable
        set sae-h2e-only enable
        set schedule <string>
        set sae-password <password>
    next
end

Add support for Wi-Fi 6E FortiAP devices to configure mesh connections on 6 GHz bands using WPA3-SAE with H2E only enabled.

When a FortiExtender is configured as a FortiGate LAN extension and has two uplinks to the FortiGate access controller (AC), add the ability to perform a fast fail over of the CAPWAP LAN extension control channel. Two CAPWAP sessions are established between the FortiGate and the FortiExtender: one is active,the other is in standby and when the active uplink goes down, CAPWAP changes to use the other uplink quickly. When the previously active uplink comes back up, CAPWAP continues to use the previously standby uplink used for the failover event as the control channel.

To display the active and standby sessions for the CAPWAP LAN extension control channel:

• On the FortiGate, use get extender session-info where the active session is marked as lan-extension and the standby session is marked as secondary.
• On the FortiExtender, use get extender status where the active and standby sessions and the uplink ports are displayed when both uplinks are up, and where the active session and the uplink port is displayed when a single uplink is up.

Add support for FAP-234G management.

Enable VLAN switch for FG-81F-POE.

Add Multiprotocol Border Gateway Protocol Ethernet Virtual Private Network (MP-BGP EVPN) support for VXLAN, which allows for learning MAC addresses in a way that is more suitable for large deployments than flood-and-learn.

MP-BGP EVPN is a standards-based control plane that supports the distribution of attached host MAC and IP addresses using MP-BGP, namely, using the EVPN address family and MAC addresses treated as routing entries in BGP. As a control plane that is separate from the data plane, MP-BGP EVPN avoids flood-and-learn in the network, and the wide use of BGP as an external gateway protocol on the internet proves its ability to scale well with large deployments.

MP-BGP EVPN supports the following features:

• Route type 2 (MAC/IP advertisement route) and route type 3 (inclusive multicast Ethernet tag route)

• Intra-subnet communication

• Single-homing use cases

• VLAN-based service, namely, there is only one broadcast domain per EVPN instance (EVI). This is due to the current VXLAN design that supports a single VNI for a VXLAN interface.

• EVPN running on IPv4 unicast VXLAN

• Egress replication for broadcast, unknown unicast, and multicast (BUM) traffic

• VXLAN MAC learning from traffic

• IP address local learning

• ARP suppression

Support DVLAN mode 802.1ad and 802.1Q on NP7 platforms over a virtual wire pair, which provides better performance and packet processing.

Support secure explicit web proxy with HTTPS connections between web clients and the FortiGate.

config web-proxy explicit
    set secure-web-proxy {disable | enable | secure}
    set secure-web-proxy-cert <certificate1> <certificate2> ...
    set ssl-dh-bits {768 | 1024 | 1536 | 2048}
end

Add the subscriber RSSO user and authentication server information associated with PBA sessions logs to the corresponding PBA creation event logs since these details are helpful for identifying users in CGNAT applications.

Interfaces with a LAN role, wireless network interfaces (vap-switch type), and FortiExtender LAN extension interfaces (lan-extension type) can now receive an IP address from an IPAM server without any additional configuration at the interface level in the CLI. IPAM also detects and resolves any IP conflicts that may occur on the interfaces that it manages.

config system ipam
    set status {enable | disable}
    set automatic-conflict-resolution {enable | disable}
    set manage-lan-addresses {enable | disable}
    set manage-lan-extension-addresses {enable | disable}
    set manage-ssid-addresses {enable | disable}
end

When a manage- option is enabled, any interface that meets the specified criteria will automatically receive an IP address from IPAM. However, if this option is disabled, interfaces that meet the criteria will not be configured by IPAM. All manage- options are disabled by default. The central FortiIPAM configuration can be overridden at the interface level.

config system interface
    edit <name>
        set ip-managed-by-fortiipam {enable | disable | inherit-global}
    next 
end

Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.

BGP conditional advertisement allows the router to advertise a route only when certain conditions are met. Add capability on the FortiGate to cross-check prefixes and make conditional advertisements between IP address families, namely, to conditionally advertise an IPv6 prefix when an IPv4 prefix is present, or vice-versa. A global option is added in the BGP configuration settings.

config router bgp
    set cross-family-conditional-adv {enable | disable}
end

The condition-routemap setting can be configured with IPv4 and IPv6 route maps concurrently as conditions. IPv4 and IPv6 BGP conditional advertisement is already supported in previous versions of FortiOS.

Support configuring DHCP relays on interfaces with secondary IP addresses. The FortiGate will track the number of unanswered DHCP requests for a client on the interface's primary IP. After three unanswered DHCP requests, the FortiGate will forward DHCP requests to DHCP relays configured under the secondary IP using the secondary IP address as the source. After three unanswered DHCP requests, the FortiGate will return to using the primary IP and restart the process.

This feature is configured by setting dhcp-smart-relay within a specific port under config system interface, and setting secip-relay-ip within the config secondaryip settings of that port.

DHCP relay targets under both the primary and secondary IP may be the same or unique. If smart relay is not configured, all requests are forwarded using the primary IP address on the interface.

Add GUI support for multiple DDNS interfaces. The visibility of DDNS entries in the GUI is no longer tied to the requirement of using the FortiGuard DNS server.

The DHCP shared subnet feature allows the FortiGate to act as a DHCP server that assigns IP ranges in different subnets to requests coming from the same DHCP relay agent. For example, clients on the same interface or VLAN requesting IP addresses from the DHCP relay will have their requests relayed to the FortiGate. The FortiGate may have more than one server and pool associated with the relay agent, and it assigns IP addresses from the second server when the first one is exhausted.

config system dhcp server
    edit <id>
        set shared-subnet {enable | disable}
        set relay-agent <IP_address>
    next
end

Add capability for the FortiGate to manage the broadcast flag for its DHCP client. This feature is enabled by default.

config system interface
    edit <name>
        set mode dhcp
        set dhcp-broadcast-flag {enable | disable}
    next
end

Enhance logging for explicit proxy traffic to improve troubleshooting the HTTP proxy status for each HTTP transaction:

• Support monitoring HTTP header requests and responses in the UTM web filter log. This requires an SSL deep inspection profile to be configured in the corresponding firewall policy.

• Support logging the explicit web proxy forward server name using set log-forward-server, which is disabled by default.

  config web-proxy global
      set log-forward-server {enable | disable}
  end

• Support logging TCP connection failures in the traffic log when a client initiates a TCP connection to a remote host through the FortiGate and the remote host is unreachable.

FortiGates have the ability to signal the LAG interface status to the peer devices when available links fall below the number of min-links configured on the FortiGate.

Improve the backend of the FortiOS GUI to speed up loading of a large number of policies. This is achieved by only loading the necessary data when needed, rather than loading all the data at once. This can significantly improve performance and reduce the time it takes to load a large number of policies. A new layout has also been added for the policy list with the option to choose between the new layout and the old layout.

The FortiGate has the ability to process Ethernet frames with both the Cisco Security Group Tag and VLAN tag.

Add scanunit support for learning mode. The scanunit provides a more powerful file detection mechanism through full-scanning in learning mode. This improves the accuracy of the IPS engine in detecting malicious files.

Supports the Port Control Protocol (PCP) by allowing the FortiGate to act as a PCP server and dynamically manage network addresses and port translations for PCP clients. The PCP server must be enabled with a pool (config system pcp-server). In the firewall policy, enable either pcp-outbound or pcp-inbound mode and assign the pool.

A route tag (route-tag) firewall address object can include IPv4 or IPv6 addresses associated with a BGP route tag number, and is updated dynamically with BGP routing updates. The route tag firewall address object allows for a more dynamic and flexible configuration that does not require manual intervention to dynamic routing updates. This address object can be used wherever a firewall address can be used, such as in a firewall policy, a router policy, or an SD-WAN service rule.

Internet Service Database (ISDB) on-demand mode replaces the full-sized ISDB file with a much smaller file that is downloaded onto the flash drive. This file contains only the essential entries for Internet Services. When a service is used in a firewall policy, the FortiGate queries FortiGuard to download the IP addresses and stores them on the flash drive. The FortiGate also queries the local MAC Database (MADB) for corresponding MAC information.

config system global
    set internet-service-database on-demand
end

Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP.

Support address exclusion in firewall address groups for IPv6.

config firewall addrgrp6
    edit <name>
        set member <name1>, <name2>, ...
        set exclude {enable | disable}
        set exclude-member <name1>, <name2> ,...
    next
end

Traffic shaping now supports the following:

• Local-in and local-out traffic matching: the FortiGate can apply shaping policies to local traffic entering or leaving the firewall interface based on source and destination IP addresses, ports, protocols, and applications.
• VLAN COS matching on shaping policy: the FortiGate can use the class of service (COS) value of VLAN packets as a matching criterion for shaping policies. This enables the FortiGate to prioritize traffic based on the COS value assigned by the switch or router.
• Multi-stage VLAN COS marking: the FortiGate can configure the traffic shaper to dynamically change the COS value of outgoing VLAN packets based on the shaper profile. This allows the FortiGate to mark traffic with different COS values at different stages of the shaping process.

In an SD-WAN hub and spoke configuration where ADVPN is used, when a primary shortcut goes out of SLA, traffic switches to the backup shortcut. During idle timeout, sessions will prefer using the primary parent tunnel and try to establish a new primary shortcut. However, because it is out of SLA, traffic switches back to the backup shortcut, which causes unnecessary traffic interruption.

Add the shortcut-stickiness option to keep existing sessions on the established ADVPN shortcuts while they remain in SLA instead of switching to a new link every idle timeout. New sessions will be routed by the primary shortcut if it is in SLA.

config system sdwan
    config service
        edit <id>
            set shortcut-stickiness {enable | disable}
        next
    end
end

When using FortiMonitor to detect advanced SD-WAN application performance metrics, the FortiGate can log these statistics. These logs can be sent to FortiAnalyzer and FortiManager for review and reporting. The log sending frequency is measured in seconds (0 - 3600, default = 0).

config system sdwan
    set app-perf-log-period <integer>
end

Allow better control over the source IP for local-out traffic used by each egress interface by allowing a preferred source IP to be defined in the following scenarios.

• Static route configuration:

  config router static
      edit <id>
          set preferred-source <IP_address>
      next
  end

• SD-WAN member configuration:

  config system sdwan
      config members
          edit <id>
              set preferred-source <IP_address>
          next
      end
  end

• Route map configuration (so that a BGP route can support a preferred source):

  config router route-map
      edit <name>
          config rule
              edit <id>
                  set set-ip-prefsrc <IP_address>
              next
          end
      next
  end

Add support for traffic classification on SLA probes to ensure they are prioritized in times of congestion. The class-id is a data source (2 - 15) that is defined in the shaping policy profile.

config system sdwan
    config health-check
        edit <name>
            set class-id <integer>
        next
    end
end

Make the health check sensitive enough to detect small amounts of packet loss by decreasing the link monitor check interval and probe timeout minimum limit down to 20 ms, which will significantly impact VOD/voice.

When ADVPN is configured on a FortiGate spoke along with maximize bandwidth (SLA) or load-balance mode in the CLI, then spoke-to-spoke traffic is load balanced between multiple ADVPN shortcuts only when a shortcut is within the configured SLA conditions. The SD-WAN rule must be configured with set mode load-balance and set tie-break fib-best-match.

config system sdwan
    config service
        edit <id>
            set mode load-balance
            set dst <name>
            config sla
                edit <name>
                    set id <integer>
                next
            end
            set priority-members <seq_num1>, <seq_num2>, ...
            set tie-break fib-best-match
        next
    end
end

Steer multicast traffic by SD-WAN rules. When an SD-WAN member is out of SLA, multicast traffic can fail over to another member, and switch back when SLA recovers.

To use this feature in SD-WAN:

config router multicast
    config pim-sm-global
        set pim-use-sdwan {enable | disable}
    end
end

This feature does not support ADVPN. The following setting is added to disable the use of shortcuts.

config system sdwan
    config service
        edit <id>
            set shortcut {enable | disable}
        next
    end
end

In the SD-WAN with ADVPN use case, two spokes can communicate with each other on the control plane by an ADVPN shortcut. In order to separate the control traffic from data traffic, the IKE creates a dynamic selector for health check packets sent between the spokes. BGP traffic is also matched by this dynamic IKE selector. Therefore, when spokes establish BGP peering with other spokes, the BGP traffic does not count towards the data traffic and will not impact IPsec idle timeout and shortcut tunnel tear down.

Add the ability to set multiple regions and compartments for a single OCI SDN connector. This reduces the number of SDN connectors needed for any given OCI environment that uses multiple regions and multiple compartments.

Support adding FortiClient EMS and FortiClient EMS Cloud on a per-VDOM basis. Enabling override is necessary to add an EMS server for each VDOM.

config endpoint-control settings
    set override {enable | disable}
end

FortiPolicy can be added to the Security Fabric. When FortiPolicy joins the Security Fabric and is authorized in the Security Fabric widget, it appears in the Fabric topology pages. A FortiGate can grant permission to FortiPolicy to perform firewall address and policy changes. Two security rating tests for FortiPolicy have been added to the Security Posture scorecard.

Introduce a multi-tiered approach to determining the action taken on a video. The channel filter is checked first, and if the video's channel matches a configuration entry, the corresponding action is taken. If not, the FortiGuard category filter is checked and the corresponding action is taken if the video's category matches a configuration entry. If neither of these conditions are met, the default action specified in the video filter profile is used. Logging is also enabled by default.

config videofilter profile
    edit <name>
        set default-action {allow | monitor | block}
        set log {enable | disable}
    next
end

Support OT/IoT virtual patching on NAC policies by enabling the category as a Vulnerability and setting the match criteria based on severity. Devices that match the criteria can be assigned and isolated to a NAC VLAN.

Improve replacement message displayed for YouTube videos blocked by video filtering. When a user visits a video directly by URL, a full-page replacement message is displayed. When a user loads a video from YouTube, the page will load but the replacement message will display in the video frame.

When using execute restore image tftp <filename-string> <tftp-server-ip>, prevent a FortiGate with an expired support contract from performing a firmware upgrade to a higher major version such as from FortiOS 6.0 to 7.0, or a firmware upgrade to a higher minor version such as from FortiOS 7.0 to 7.2.

For security updates, allow a FortiGate with an expired support contract to perform a firmware upgrade to a higher patch build such as from FortiOS 7.4.0 to 7.4.1.

FortiGates, FortiSwitches, FortiAPs, and FortiExtenders can download an EOS (end of support) package automatically from FortiGuard during the bootup process or by using manual commands. Based on the downloaded EOS package files, when a device passes the EOS date, a warning message is displayed in the device's tooltip, and the device is highlighted in the GUI.

The End-of-Support security rating check rule audits the EOS of FortiGates and Fabric devices. This allows administrators to have clear visibility of their Security Fabric, and help prevent any security gaps or vulnerabilities that may arise due to any devices that are past their hardware EOS date.

Add FortiConverter option in the FortiOS GUI. This provides an integrated solution for migrating configurations to a new or older FortiGate appliance directly from the FortiGate itself, without the need to access the FortiConverter portal.

Support adding YAML to the file name when backing up the config as YAML, and detecting file format when restoring the configuration.

The execute restore yaml-config command has been removed and execute restore config should be used.

In the GUI, the File format field has been removed from the Restore system Configuration page.

Add FortiGuard DLP service that offers a database with categorized predefined DLP data type patterns such as:

• Drivers licenses for various countries, various states in the USA, and various provinces in Canada
• Tax numbers for various countries
• Credit card numbers
• Bank statements

When enabled, the DLP database (DLDB) is downloaded to the FortiGate and its predefined patterns can configured in DLP profiles.

config system fortiguard
    set update-dldb {enable | disable}
end

Add fqdn-max-refresh setting to control the global upper limit of the FQDN refresh timer. FQDN entries with a TTL longer than the maximum refresh value will have their refresh timer reduced to this upper limit. The timer is measured in seconds (3600 - 86400, default = 3600).

config system dns
    set set fqdn-max-refresh <integer>
end

Add amperage and wattage sensors for PSU power consumption. The new sensors can be shown from the REST API, GUI, SNMP, and CLI.

Harden REST API and GUI access.

Implement real-time file system integrity checking in order to:

• Prevent unauthorized modification of important binaries.
• Detect unauthorized binaries and prevent them from running.

Implement BIOS-level signature and file integrity checking by enforcing each FortiOS GA firmware image, AV engine files, and IPS engine files to be dually-signed by the Fortinet CA and a third-party CA. The BIOS verifies that each file matches their secure hash as indicated by their certificates. Users are warned when there is a failed integrity check, and the system may be prevented from booting depending on the severity and the BIOS security level.

Add new command to compute the SHA256 file hashes for each file in a directory.

# diagnose sys filesystem hash

Local system administrator usernames are required to follow these naming conventions:

• Can include lower and upper case letters (a-z, A-Z), numbers (0-9), underscores (_), and dashes (-)
• Cannot start with a dash (-)
• Can end with dollar symbol ($)

The new rules are enforced for new administrator users and when renaming existing administrator users.

Add support for RADSEC clients in order to secure the communication channel over TLS for all RADIUS traffic, including RADIUS authentication and RADIUS accounting over port 2083. This enhancement also adds support for TCP connections, which use port 1812 for authentication and port 1813 for accounting.

config user radius
    edit <name>
        set transport-protocol {udp | tcp | tls}
        set ca-cert <string>
        set client-cert <string>
        set tls-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}        
        set server-identity-check {enable | disable}
    next
end

Update the SSL VPN web portal page layout with Neutrino styling:

• Update the top navigation bar. Users can now download and launch FortiClient.
• Allow the history and theme to be accessed from the user menu.
• Display the Quick Connection section at the top. Users can save the connection as a bookmark after launch.
• Separate bookmarks into Predefined and Personal tabs. Users can search through their bookmarks.
• Make a CLI console available for SSH and Telnet sessions.

The FortiGate device ID is carried by the IKEv2 message NOTIFY payload when it is configured.

config vpn ipsec phase1-interface
    edit <name>
        set dev-id-notification enable
        set dev-id <string>
    next
end

Enhance the FortiGate with a Key Management Interoperability Protocol (KMIP) client that sends KMIP requests to locate the KMS server, creates keys if they do not exist on the KMS server, and retrieves keys from the Key Management Services (KMS) server for use as IPsec security association (SA) keys for IKEv2 only.

The FortiGate acting as the responder will try to locate keys on the KMS server first. If they do not exist, the FortiGate requests to create new keys on KMS server. The responder sends the keys names to the FortiGate acting as the initiator using IKE messages, and the initiator locates and retrieve keys from KMS server using the keys names. The keylifeseconds parameter in phase 2 defines how often the FortiGate will try to synchronize local keys to those on the KMS server.

config vpn kmip-server
    edit <name>
        config server-list
            edit <id>
                set server <server_IP>
                set cert <string>
            next
        end
        set username <username_defined_on_KMS_server>
        set password <password>
    next
end

config vpn ipsec phase1-interface
    edit <name>
        set kms <server_ID>
    next
end

The following diagnostic commands have been added:

# get vpn ike kms-keys
# diagnose debug application kmipd -1
# execute kmip <parameter>

Allow SSL VPN web mode users to log in to the web portal and be redirected to a custom landing page. The new landing page accepts SSO credentials and SSO from form data. This allows administrators to streamline web application access for their users. The custom redirected portal can also listen for a logout URL so that when users log out from the web application, they are also logged out from the SSL VPN web connection.

Settings can be configured on the VPN > SSL-VPN Portals page when creating or editing a portal entry. In the Web Mode section, set Landing page to Custom.

Update the SSL VPN web login page and portal with Fortinet corporate styling. Fortinet branding elements are incorporated into each theme. Some changes include:

• The header displays the title of the portal with a new static subheader.
• Add quick access to RDP and VNC directly from the Quick Connection launch that prompts users for a username and password without requiring pre-configuration.
• Display at the most three entries per row in the bookmarks tabs.
• Rename some elements.
• Add new Security Fabric (default) and Jet Stream themes.

Add user group information to the Dashboard > SSL-VPN Monitor page.

Support IPv6 source IP address for communications to the OCSP server.

config vpn certificate ocsp-server
    edit <name>
        set source-ip <IPv4/IPv6_address>
    next
end

Adjust the DTLS heartbeat parameters for SSL VPN. This improves the success rate of establishing a DTLS tunnel in networks with congestion or jitter.

config vpn ssl settings
    set dtls-heartbeat-idle-timeout <integer>
    set dtls-heartbeat-interval <integer>
    set dtls-heartbeat-fail-count <integer>
end

The default value for these attributes is 3 seconds, which is also the minimum allowable value. The maximum allowable value for these attributes is 10 seconds.

Securely exchange serial numbers between FortiGates connected with IPsec VPN. This feature is supported in IKEv2, IKEv1 main mode, and IKEv1 aggressive mode. The exchange is only performed with participating FortiGates that have enabled the exchange-fgt-device-id setting under config vpn ipsec phase1-interface.

All entry-level FortiGates (lower than 100 series) have ZTNA, proxy, explicit proxy, WANOpt, and web cache disabled by default. The following setting controls the proxy features.

config system global
    set proxy-and-explicit-proxy enable | disable}
end

When configuring a firewall policy for IP- or MAC-based access control that uses different EMS tag types (such as ZTNA tags and classification tags), a logical AND can be used for matching. By separating each tag type into primary and secondary groups, the disparate tag types will be matched with a logical AND operator.