Changes in CLI

Bug ID: 896333

You can use the diagnose span-sniffer packet command to sniff traffic on internal FortiGate 6000 or 7000 interfaces in the same way as you use the diagnose sniffer packet command to sniff traffic on data or management interfaces. The diagnose span-sniffer packet syntax is similar to the diagnose sniffer packet command syntax. Internal FortiGate 6000 or 7000 interfaces include internal switch ports (for example, sw:1-P1, sw:7-P4) and the DP processor (dp).

Command syntax for the packet sniffer part of the command is:

diagnose span-sniffer packet <interface> <filter> <verbose> <count> <timestamp> <frame-size>

The <filter> option does not work for internal switch (sw:) interfaces. You can work around this problem by using the default filter (which is "") and using grep to display the information you are looking for.

For example, use the following command to see echo request packets:

diagnose span-sniffer packet dp "" 4 | grep echo
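Because the <filter> argument is ignored on sw: interfaces, any narrowing has to happen after the capture. The following is an added example, not part of the Fortinet release notes: a small set of POSIX shell functions that read sniffer output on stdin and pull out ICMP echo requests, plus a per-source count that makes an unexpectedly chatty host on an internal interface easy to spot. The sample lines are constructed to resemble verbose-level-4 sniffer output and are not a real capture; the field positions the awk call relies on (timestamp, interface, direction, source) are an assumption about that format.

```shell
#!/bin/sh
# Added example (not from the Fortinet release notes): post-filter
# span-sniffer output with grep/awk, since <filter> does not work on
# sw: interfaces. All functions read the capture text on stdin.

# CONSTRUCTED sample output in the shape of verbose-level-4 sniffer lines:
#   <timestamp> <interface> <in|out> <src> -> <dst>: <protocol summary>
# The field layout is an assumption for this example, not a documented format.
SAMPLE_SNIFFER_OUTPUT='3.002133 sw:1-P1 in 10.1.1.10 -> 10.1.1.1: icmp: echo request
3.002301 sw:1-P1 out 10.1.1.1 -> 10.1.1.10: icmp: echo reply
3.104412 sw:1-P1 in 10.1.1.10.51234 -> 10.1.1.1.443: syn 1234567890
3.204519 sw:1-P1 in 10.1.1.11 -> 10.1.1.1: icmp: echo request
3.305620 sw:1-P1 in 10.1.1.11.53 -> 10.1.1.1.53: udp 45'

# Keep only echo request lines. This is what the page's "| grep echo" does,
# narrowed so that echo replies are excluded.
echo_requests() {
    grep 'echo request'
}

# Number of echo requests in the capture (whitespace trimmed for BSD wc).
count_echo_requests() {
    echo_requests | wc -l | tr -d ' '
}

# Echo requests grouped by source address, busiest source first.
# Field 4 is the source address under the assumed line layout above.
echo_requests_per_source() {
    echo_requests | awk '{ print $4 }' | sort | uniq -c | sort -rn
}

# Stand-alone demonstration on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_SNIFFER_OUTPUT" | echo_requests
    printf 'total echo requests: %s\n' \
        "$(printf '%s\n' "$SAMPLE_SNIFFER_OUTPUT" | count_echo_requests)"
    printf '%s\n' "$SAMPLE_SNIFFER_OUTPUT" | echo_requests_per_source
}
```

Run `demo` to see it work on the sample; in practice you would feed the functions real output instead, for example by capturing over SSH (`ssh admin@fgt 'diagnose span-sniffer packet sw:1-P1 "" 4 100' | count_echo_requests`, an illustrative invocation with an assumed count of 100).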

Bug ID: 913040

The config vpn ssl settings option tunnel-addr-assigned-method is now available again in the FortiGate 6000 and 7000 CLI. This option had been removed in a previous release because setting this option to first-available and configuring multiple IP pools was found to reduce FortiGate 6000 and 7000 SSL VPN load balancing performance. However, some users may want the ability to use multiple IP pools for their SSL VPN configuration, even if performance is reduced. So the change has been reverted.

Bug ID: 924384

Rename the exclude-signatures setting's industrial option to ot.

config ips global
    set exclude-signatures {none | ot}
end

Bug ID: 924745

Support a new FGCP cluster upgrade mode that allows manual control over the cluster member that is being upgraded. HA members can temporarily run in a multi-version cluster (MVC) while administrators perform tests to confirm traffic can pass through the upgraded member smoothly.

The syntax for the existing upgrade mode has been changed.

7.4.0 and earlier:

config system ha
    set uninterruptible-upgrade {enable | disable}
end

7.4.1 and later:

config system ha
    set upgrade-mode {simultaneous | uninterruptible | local-only | secondary-only}
end

In local-only and secondary-only modes, the specific cluster member is upgraded and sessions are synchronized to it. Administrators can manually switch over to the newly upgraded member to test traffic while the cluster operates in MVC. When testing is complete, administrators can manually upgrade the old primary unit.
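When a saved 7.4.0 configuration is reviewed ahead of an upgrade, the old uninterruptible-upgrade line is the one that no longer matches the 7.4.1 syntax. The following is an added example, not Fortinet's own tooling: a POSIX shell filter that rewrites the old setting into the new upgrade-mode form and a helper that validates a chosen mode against the four values listed above. The mapping it applies (enable to uninterruptible, disable to simultaneous) is an assumption made for this example; the release note states that the syntax changed but does not spell out the correspondence, so confirm it against your own upgrade documentation before relying on the converted output.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): rewrite the 7.4.0 "config system ha"
# upgrade setting into the 7.4.1 "upgrade-mode" syntax and validate modes.
#
# ASSUMED mapping, not stated on the release-notes page:
#   set uninterruptible-upgrade enable   -> set upgrade-mode uninterruptible
#   set uninterruptible-upgrade disable  -> set upgrade-mode simultaneous

# Read configuration text on stdin, write the converted text on stdout.
# Leading whitespace is preserved so the FortiOS-style indentation survives.
convert_ha_upgrade_mode() {
    sed -E \
        -e 's/^([[:space:]]*)set uninterruptible-upgrade enable[[:space:]]*$/\1set upgrade-mode uninterruptible/' \
        -e 's/^([[:space:]]*)set uninterruptible-upgrade disable[[:space:]]*$/\1set upgrade-mode simultaneous/'
}

# Exit 0 if $1 is one of the four 7.4.1 upgrade modes, 1 otherwise.
valid_upgrade_mode() {
    case "$1" in
        simultaneous|uninterruptible|local-only|secondary-only) return 0 ;;
        *) return 1 ;;
    esac
}

# CONSTRUCTED 7.4.0 fragment used for the stand-alone demonstration.
SAMPLE_HA_CONFIG_740='config system ha
    set uninterruptible-upgrade enable
end'

demo() {
    printf '%s\n' "$SAMPLE_HA_CONFIG_740" | convert_ha_upgrade_mode
    for mode in local-only enable; do
        if valid_upgrade_mode "$mode"; then
            printf '%s: valid 7.4.1 upgrade-mode\n' "$mode"
        else
            printf '%s: not a 7.4.1 upgrade-mode value\n' "$mode"
        fi
    done
}
```

Used as `convert_ha_upgrade_mode < backup.conf`, the filter leaves every other line untouched, so diffing its output against the original shows exactly which lines an upgrade will reinterpret.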
