High availability (HA) failover is now supported for IPv6 networks on GCP. The NextHopInstance route table attribute is used during an HA failover event.

FortiGate-VM on IBMCloud supports virtual network interfaces. This interface type is selected by default.

The Advanced Threat Protection Statistics security widget has been enhanced to provide per-VDOM functionality, more data source options, and enhanced user interactivity. It now uses FortiView stats for data, allows timeframe selection, offers expanded views with antivirus logs, and supports log device settings. This provides users with more detailed and customizable threat protection statistics.

Enhancement to IPsec GUI. The process of creating and editing IPsec tunnels is now more logical. The wizard supports setting the IKE version for both Hub and Spoke and Site-to-Site configurations, along with other transport-related fields for Site-to-Site tunnels. Additionally, security posture tags can be added to FortiClient Remote Access tunnels. These updates aim to make the process more intuitive and efficient.

The Security Rating Display & Integrations have been enhanced for a more streamlined user experience. The Security Rating page now showcases Security Controls and Vulnerabilities tabs, with reorganized and categorized controls for improved navigation. Details on PSIRT Advisory/Outbreak detection are now presented in a dedicated card. A new feature, Security Rating Insights, provides immediate access to crucial security information. Simply hover over any tested object to reveal a tooltip with more information about any non-conformance to best practices or industry standards. Additionally, Security Rating checks are now run on-demand when relevant configuration changes are made, addressing previous performance issues. An overview of Security Rating Insights on each page offers a quick filter for items failing certain criteria.

The FortiOS GUI has been enhanced to display a more modern style, including new icons, updated widget and button shapes, and increased spacing between fields and content. Tables have been adjusted to reduce the width to enclose the table within the page, update the table design, and hide action buttons, such as Edit and Delete, until an entry checkbox is selected. Furthermore, when creating and editing entries in the GUI, the configuration fields now display in a pane instead of a new page.

Improvements to device upgrade. This enhancement streamlines the upgrade process for all supported devices, including FortiGates, FortiAPs, FortiSwitches, and FortiExtenders. It offers a unified and consistent approach, empowering customers to manage and monitor the upgrade progression effortlessly through an intuitive interface. Moreover, it simplifies the upgrade journey, ensuring a smooth and seamless user experience.

FOS supports QinQ for the switch controller, allowing MSSPs to manage multiple clients networks by having a unique customer VLAN for each client and each client can have its own, self-managed 4K VLAN range in their virtual domain. This ensures better segregation and control over network traffic.

Users can now use FortiSwitch event log IDs as triggers for automation stitches. This allows for automated actions like console alerts, script execution, and email notifications in response to events, such as switch group modifications or location changes. This boosts automation and system management efficiency.

FortiOS WiFi controller allows customers to generate MPSK keys using the FortiGuest self-registration portal. This addition empowers customers to independently create and assign MPSK keys to their devices, streamlining the process and enhancing security.

Users connected to a WiFi Access Point in a FortiExtender can now access the internet, even when the FortiGate is in LAN-extension mode. This ensures seamless internet connectivity for WiFi clients using the FortiGate LAN-extension interface.

The FortiOS WiFi controller has been enhanced to support both TCP and TLS protocols for Radius communication during the 802.1X authentication of WiFi stations. This solves an issue for customers who require stable and secure authentication processes, particularly in complex network infrastructures where UDP might not be sufficient.

Added GUI support for wireless data rates and sticky client removal thresholds. This provides a more intuitive and efficient management of client thresholds and rate controls, enhancing the user experience for accessibility and ease of use.

The FortiAP K series now supports IEEE 802.11be, also known as Wi-Fi 7, for these models: FAP-441K, FAP-443K, FAP-241K, and FAP-243K. This expands device compatibility, boosts network performance, and enhances user experience.

FortiOS extends captive portal support to newer wireless authentication methods, such as OWE and WPA3-SAE varieties. This ensures that users can benefit from the most advanced and secure authentication methods available.

Support OpenRoaming Standards for FortiAP. This boosts Wi-Fi management and user experience by automating guest Wi-Fi onboarding, enabling secure roaming between Wi-Fi and LTE/5G networks, and providing businesses with insightful customer analytics.

FortiOS supports managing the USB port status on compatible FortiAP models.

conf wireless-controller wtp-profile
    edit <name>
        set usb-port {enable | disable}
    next
end

FortiOS supports beacon protection, improving Wi-Fi security by protecting beacon frames. This helps devices connect to legitimate networks, reducing attack risks.

config wireless-controller vap
    edit <name>
        set beacon-protection {enable | disable}
    next
end

There is added support for 802.11mc protocol in FortiAP, enabling FortiAP radio to operate in 802.11mc responder mode, allowing a mobile device to measure its distance to the AP using the Wi-Fi Round Trip Time (RTT) feature within 802.11mc.

conf wireless-controller wtp-profile
    edit FAP433G-default
        config radio-1
            set 80211mc [enable | disable]
        end
    next
end

The FortiAP device must be running firmware version 7.6.0 to support this feature.

Supports receiving the NAS-Filter-Rule attribute after successful WiFi 802.1X authentication. These rules can be forwarded to FortiAP to create dynamic Access Control Lists (dACLs) for the WiFi station, enhancing network access control and security.

The Bonjour profile supports micro-location, ensuring mDNS traffic originating from one location remains isolated from other locations. This bolsters both network management and security.

config wireless-controller bonjour-profile
    edit <name>
         set micro-location {enable | disable}
end

Enhanced device matching logic based on DPP policy priority. Users can now utilize the CLI to dictate the retention duration of matched devices for dynamic port or NAC policies, allowing greater control over device management.

FortiOS WiFi controllers MPSK feature now includes both WPA2-Personal and WPA3-SAE security modes. This provides customers with more versatile security options, leveraging the MPSK feature with the latest WPA3-SAE security mode.

Support for local LAN segregation for FortiAP. When enabled, both wired clients on the LAN port and wireless stations on the SSID remain within the same layer-2 bridge. However, their local traffic is segregated from the FAP's WAN side. This provides users with enhanced control over network traffic, improving security and network management.

config wireless-controller vap
    edit <name>
        set local-lan-partition {enable | disable}
    next
end

Support fast failover for FortiExtender. This enhancement ensures that FortiGate can swiftly recover data sessions in the event of a failover, reducing downtime and enhancing reliability.

Support Static RADIUS NAS-ID in Stand-Alone mode. This feature allows the FortiOS WiFi controller to push the nas-id-type setting to a managed FortiAP. Consequently, the FortiAP can adhere to this setting and include the NAS-Identifier value in Access-Request packets when authenticating a WiFi station with a remote RADIUS server. This enhancement provides more flexibility and control over the authentication process, thereby improving the overall network security.

The FortiAP sniffer includes improved packet detection, capturing all frame types across specified channel bandwidths ranging from 320 MHz to 20 MHz. This is vital for in-depth network analysis and troubleshooting, ensuring comprehensive wireless traffic examination for better network management and security.

Added support for VLANs over a FortiExtender configured as a LAN extension. VLAN support is configured on the FortiGate Access Controller using the GUI or using these CLI commands:

config extension-controller extender-profile
    edit <FortiExtender Profile>
        set extension lan-extension
        config lan-extension
            config downlinks
                edit <id>
                    set type port
                    set port <port>
                    set pvid <vlanid>
                next
            end
        end
    next
end

Where port is the VLAN interface added to the FortiExtender interface and vlanid is the desired VLAN ID.

FortiOS logs MAC address flapping events. The log provides comprehensive details about the event, such as the specific MAC address involved, the ports where the flapping occurred, and the exact time of the event. This enhancement assists network administrators in quickly identifying and addressing related issues, thereby enhancing network stability and performance.

Support the logging of the MessageId field. By logging the MessageId, FortiAnalyzer (FAZ) can effectively trace unwanted emails back to their origin, which is instrumental in network monitoring and analyzing email traffic. This is beneficial in intricate network setups where several FortiGates are integrated with FortiMail along the network's outbound trajectory, with FAZ for logging.

Introducing log messages for Packet Capture and TCP Dump Operations. A system event log is generated each time a packet capture operation is started or stopped using the GUI, and for the start and stop events of CLI sniffer operations. This enhancement provides users with a clear audit trail of packet capture and tcpdump activities, thereby improving transparency and control.

FOS now offers the ability to set the source interface for syslog/netflow settings. This enhancement allows syslog and NetFlow to utilize the IP of the specified interface as source when sending the messages out. This enables changing the source IP easier, making the process more efficient and less time-consuming, especially when the customer is managing thousands of remote locations.

config log syslogd setting
    set status enable
    set source-ip-interface <name>
end
config system netflow
    config collectors
        edit <id>
            set source-ip-interface <name>
        next
    end
end

FortiOS now permits logs from non-management VDOMs to be sent to both global and vdom-override syslog servers. Previously, configuring an override syslog server under a non-management VDOM would halt the transmission of logs to the global syslog server. This ensures uninterrupted log transmission to the global server, enhancing the log management experience.

config syslog override-setting
    set use-management-vdom {enable | disable}
end

Supports the generation of duplicate IP logs. This enhances the system’s ability to detect and log IP conflicts, improving network management and troubleshooting for users.

config system global
    set ip-conflict-detection {enable | disable}
end

Disable all proxy features on FortiGate models with 2 GB of RAM or less by default. Mandatory and basic mandatory category processes start on 2 GB memory platforms. Proxy dependency and multiple workers category processes start based on a configuration change on 2 GB memory platforms.

FortiOS supports sending SNMP traps when a MAC is added, moved, or removed from a FortiSwitch port. This enhances FortiGate's network monitoring capabilities, enabling network administrators to monitor MAC address changes in real-time, strengthening overall network security.

Internal Switch Fabric (ISF) Hash Configuration Support for NP7 Platforms. This provides a new level of flexibility and control to NP7 platform users, allowing them to fine-tune network settings for optimal performance and security. These NP7 FortiGate models support this feature: FG-1800F, FG-2600F, FG-3500F, FG-4200F, and FG-4400F.

Use the following command to configure NPU port mapping:

config system npu-post
    config port-npu-map
        edit <interface-name>
            set npu-group <group-name>
        next
    next
end

Use the following command to configure the load balancing algorithm used by the ISF to distribute traffic received by an interface to the interfaces of the NP7 processors in your FortiGate:

config system interface
    edit <interface>
        set sw-algorithm {l2 | l3 | eh | default}
    next
end

Added GUI support for IPv6 address in explicit-web proxy forwarding server. This enhancement allows users to create and manage IPv6 forward-server more intuitively and efficiently, providing a more user-friendly experience.

The DHCPv6 server/client can accommodate multiple DHCP options. Support for Option 16, also known as the Vendor Class Option, is added for DHCPv6. This allows IP-Pools and Options assignment based on VCI Match for DHCPv6 server and client.

BGP prefixes can be configured utilizing firewall addresses (ipmask and interface-subnet types) and groups. This streamlines the configuration processing, allowing users to leverage their existing firewall addresses and groups when configuring BGP network prefixes.

Socks proxy now supports UTM scanning, authentication, and forward server, making it more versatile. This is beneficial for customers who require these functionalities for their operations.

You can now specify a tagged VLAN for users to be assigned to when the authentication server is unavailable. Previously, you could only specify an untagged VLAN. This feature is available with 802.1x MAC-based authentication. It is compatible with both Extensible Authentication Protocol (EAP) and MAC authentication bypass (MAB).

FortiOS allows the hello timer for the Virtual Router Redundancy Protocol (VRRP) to be configured in milliseconds. This timer dictates the rate at which VRRP advertisements are sent. With this enhanced control, users can ensure quick failover and high availability where necessary.

The OSPF protocol now allows for the customization of the Link State Advertisement (LSA) refresh interval, providing enhanced flexibility and control over the timing parameters within the network. Furthermore, OSPFs capabilities have been expanded to include fast link-down detection on VLAN interfaces, boosting the networks responsiveness and dependability.

config router ospf
    set lsa-refresh-interval <integer>
    config ospf-interface
        edit <name>
            set interface <string>
            set linkdown-fast-failover {enable | disable}
        next
    end
end

FortiOS supports Network Prefix Translation (NPTv6), ensuring end-to-end connectivity and one to one address mapping for address independence. This improves network scalability and facilitates efficient IPv6 network management.

A new CLI option allows users to choose to discard or permit IPv4 SCTP packets with zero checksums on the NP7 platform.

config system npu
    config fp-anomaly
        set sctp-csum-err {allow | drop | trap-to-host}
    end
end

Users can upgrade their LTE modem firmware directly from the FortiGuard. This eliminates the need for manual downloading and uploading and provides users flexibility to schedule the upgrade.

FortiOS now incorporates Netflow sampling support. This enhancement enables the FortiGate to maintain a count of the packets or bytes that have been sampled for a particular interface. If the packet count for a session surpasses the threshold set by the netflow-sample-rate for either transmitted or received traffic on a NetFlow-enabled interface, a NetFlow report is exported. This process effectively reduces the load on the collector.

config system interface
    edit <name>
        set netflow-sampler {tx | rx | both}
        set netflow-sample-rate <integer>
        set netflow-sampler-id <integer>
    next
end

Enhancement to Packet Capture Functionality. This feature adds the capability to store packet capture criteria, allowing for the re-initiation of packet captures multiple times using the same parameters such as interface, filters, and more, thereby streamlining packet capture management. Additionally, this feature incorporates diagnostic commands to list, initiate, terminate, and remove GUI packet captures, enhancing the level of control users have over their packet capture operations.

There is added support for UDP-Lite (IP protocol number 136) traffic in the traffic log and session log output, CLI configuration of IPv4 and IPv6 policy routes, custom session TTL, custom firewall service settings, and GUI configuration of custom firewall services on the Policy & Objects > Services page. UDP-Lite traffic is supported by HA session synchronization for connectionless sessions when enabled and strict header checking when enabled to silently drop UDP-Lite packets with invalid header format or wrong checksum errors.

FortiOS allows multiple remote Autonomous Systems (AS) to be assigned to a single BGP neighbor group using AS path lists. This enhancement offers increased flexibility and efficiency in managing BGP configurations, especially in intricate network environments.

Supports the inclusion of a group set in PIM join/prune messages, per RFC 4601. FortiGate can send PIM join/prune messages containing a group set, reducing the number of messages sent to the router. This improvement addresses the issue of router overload in extensive multicast environments, ensuring greater stability and efficiency in network operations.

When a FortiGate is acting as an IPv4 BGP neighbor and using stateful DHCPv6, it learns BGP routes with the IPv6 next-hop belonging to an on-link prefix, and this prefix is advertised using RA. By default, a learned kernel route (currently only RA routes) has a distance of 255 and does not interfere with current route selection. To make the RA route usable by BGP, using a new CLI command set kernel-route-distance, set the distance to less than 255 such as 254 or below:

config router setting

set kernel-route-distance <1-255> (with default of 255)

end

If there are other user space routes with the same prefix, the best route will be chosen based on distance.

FOS includes a filtering mechanism for netflow sampling. User can apply exclusion filters to their netflow sampling based on various criteria such as source IP, source port, destination IP, destination port, and IP protocol. The addition of this feature enhances the relevance of the data collected, streamlines data management processes, and minimizes superfluous network traffic.

config system netflow
    config exclusion-filters
        edit <id>
            set source-ip  <IP_address>
            set destination-ip <IP_address>
            set source-port <port>
            set destination-port <port>
            set protocol <protocol_ID>
    next
end

FOS now supports being configured as a recursive DNS resolver. As a resolver, the FortiGate can directly interact with root name servers, Top-Level Domain (TLD) name servers, and finally authoritative name servers to resolve DNS queries.

Furthermore, FortiOS also adds support for prioritizing root name servers. You may choose root servers from the list of default servers, or you can configure your own custom root name server.

FTP Session-Helper Support for 464XLAT Environment. This enhancement enables FortiOS to support both passive and active modes in a 464XLAT environment.

Allow customers to use interface names, not just IP addresses, for defining source IPs in RADIUS, LDAP, and DNS configurations. This caters to dynamic IP changes, such as those governed by SD-WAN rules. FortiOS will use the interfaces current IP as the source IP, enhancing network flexibility and resolving potential connectivity issues.

Automatic LTE Connection Establishment. This enhancement automates the process of LTE connection establishment. When a SIM card is inserted, FortiOS (FOS) can obtain the Mobile Country Code (MCC) and Mobile Network Code (MNC) from the service providers radio tower. FOS then uses these codes to look up the appropriate APN for the SIM card in a predefined table and automatically creates a wireless profile. This eliminates the need for manual configuration by the user, simplifying the process of establishing an LTE connection.

FortiOS allows internet service as source addresses in the local-in policy. This allows more flexibility and control in managing local traffic, enhancing network security and efficiency.

MAP-E has been enhanced to support multiple VNE interfaces within the same VDOM, allowing for a more versatile network setup.

Users can configure custom port ranges for both Port Block Allocation (PBA) and Fixed Port Range (FPR) types of IPPools. This provides users with the flexibility to specify port ranges from 1024 to 65535, enhancing user control and adaptability in network configurations.

config firewall ippool
    edit <name>
        set type {fixed-port-range | port-block-allocation}
        set startport <integer>
        set endport <integer>
    next
end

Support for NAT64 has been added within the Fixed-Port-Range IP pool. Internal IPv6 ranges can be configurated in the NAT64 Fixed Port Range IP pool. This addition is significant because it allows for prefix-based restrictions, providing greater control and security over network traffic management.

Support HTTP Transaction Logging. This enables HTTP transaction details in a new type of traffic log when HTTP traffic is routed through a proxy, ensuring comprehensive logging of HTTP interactions for improved monitoring and analysis.

Introducing the 7-Day Policy Hit Counter for NGFW Policies. This feature offers a rolling tally of the number of times a policy has been triggered over the previous seven days. Users are empowered with a more comprehensive and dynamic insight into their policy usage patterns over time, enhancing user experience and promoting efficient resource management.

Enhancements have been added to improve overall ADVPN 2.0 operation for SD-WAN, including:

• The local spoke directly sends a shortcut-query to a remote spoke to trigger a shortcut after ADVPN 2.0 path management makes a path decision.

• ADVPN 2.0 path management can trigger multiple shortcuts for load-balancing SD-WAN rules. Traffic can be load-balanced over these multiple shortcuts to use as much of the available WAN bandwidth as possible without wasting idle links if they are healthy. The algorithm to calculate multiple shortcuts for the load-balancing service considers transport group and in-SLA status for both local and remote parent overlays.

• Spokes can automatically deactivate all shortcuts connecting to the same spoke when user traffic is not observed for a specified time interval. This is enabled by configuring a shared idle timeout setting in the IPsec VPN Phase 1 interface settings for the associated overlays.

Allows IPv6 Multicast traffic to be steered by SD-WAN rules. In the event of an SD-WAN member falling out of SLA, the multicast traffic is designed to failover to another member. Once the original member recovers and meets the SLA again, the multicast traffic will switch back, ensuring optimal network performance and reliability.

config router multicast6
    config pim-sm-global
        set pim-use-sdwan {enable | disable}
    end
end

Embed SD-WAN SLA status (within SLA or out of SLA) for IPsec overlays and matching SLA priorities in ICMP probes for the best path selection that works with BGP on loopback designs. It consists of these parts:

1. Embed Spokes SLA status (within SLA or out of SLA) for IPsec overlays in the ICMP probes that Spokes send to Hub when Spokes config health-check entries are configured with embed-measured-health enabled, the new CLI command sla-id-redistribute <id> configured with the <id> of the SLA setting, and the SLA setting is matched.

2. Embed Spokes within SLA and out of SLA priorities when new CLI commands set priority-in-sla and set priority-out-sla are configured in Spokes config members for IPsec overlays.

3. On the Hub, if the set detect-mode remote is configured and the Hubs health check sla-id-redistribute matches an SLA setting with set link-cost-factor remote, then the received SLA status is used to mark the SLA status of the IPSec tunnel, and the matching SLA priority is applied to the routes associated with the IPSec overlay where the ICMP packet comes in.

This feature also supports the Spoke-initiated speed test case, where the test link is set out of SLA and the out-of-SLA priority is sent to the Hub, which causes traffic to use other routes during the speed test.

To ease the migration process, in case many Spokes are deployed, the Hub can work in a hybrid mode where if set sla-id-redistribute is not configured on the Spoke the Hub would use its own SLA settings to determine the route priority.

FortiOS can now email CLI script action output results in an attachment when the output exceeds 64K characters.

The external resource entry limit is now global. Additionally, file size restrictions now adjust according to the device model. This allows for a more flexible and optimized use of resources, tailored to the specific capabilities and requirements of different device models.

FortiGate EMS connector settings now supports configuring FortiClient Cloud access key within the GUI.

FortiOS allows the application of threat feed connectors as source addresses in central SNAT. This enhancement allows for more dynamic and responsive network security configuration.

FortiOS antivirus now supports Microsoft OneNote files through its CDR feature. FortiGate sanitizes these files by removing active content, such as hyperlinks and embedded media, while preserving the text. This feature provides an additional tool for network administrators to protect users from malicious documents.

GUI support for Exact Data Match (EDM) for Data Loss Prevention. This optimizes data management and minimizes false positives.

FortiOS Carrier has enhanced its management capabilities for GTPv0 traffic. This provides the flexibility to either allow or restrict GTPv0 traffic, ensuring a more secure and adaptable strategy for managing their GTPv0 traffic.

This option is set to deny by default, blocking all GTTPv0 traffic when creating a new GTP profile.

You can allow or block all GTPv0 traffic in a GTP profile using this command:

config firewall gtp
    edit <name>
        set gtpv0 {allow | deny}
    next
end

Add support to control TLS connections that utilize Encrypted Client Hello (ECH), with options to block, allow, or force the client to switch to a non-ECH TLS connection by modifying DoH responses. This increases control and flexibility for managing TLS connections.

Support DNS Filtering for Proxy Policy. This enhancement added the ability to apply DNS Filtering to proxy policies. This addition enhances security by providing an extra layer of protection for clients operating behind a proxy. This is particularly beneficial in scenarios where client applications are configured to use DoH and DoT protocols and require the added security of DNS Filtering.

FortiOS offers stream-based scanning for HTML and Javascript files in flow mode. This allows the AV engine to determine the necessary amount of file payload to buffer and to scan the partial buffer in certain instances, eliminating the need to cache the entire file and potentially leading to an improvement in memory usage.

Improvements to the webfilter UTM logs allow the incorporation of endpoint device data, including hostname and MAC address, enhancing network activity insights.

config log setting
    set extended-utm-log {enable | disable}
end

Enhancement to the FortiGuard-managed DLP dictionaries. Users now have the flexibility to select a FortiGuard dictionary with varying confidence levels based on their specific needs. High level offers maximum precision, medium-level balances match quantity and precision, and low level captures most matches with the potential for false positives. This feature aims to balance data traffic precision and volume, enhancing the user experience.

Support the Zstandard (zstd) compression algorithm for web content. This enhancement enables FortiOS to decode, scan, and forward zstd-encoded web content in a proxy-based policy. The content can then be passed or blocked based on the UTM profile settings. This ensures a seamless and secure browsing experience.

In this enhancement, a hash of all executable binary files and shared libraries are taken during image build time. The file containing these hashes, called the executable hash, is also hashed and as a result signed. The signature for this hash is verified during bootup to ensure integrity of the file. After validation, the hashes of all executable and share libraries can be loaded into memory for real-time protection.

Introducing Domain Fronting Protection for both explicit proxy and proxy-based firewall policies. This feature empowers FortiGate to confirm if the domain of the request matches the actual host domain in the HTTP header. Security is enhanced by preventing unauthorized access that could result from domain mismatches.

config firewall profile-protocol-options
    edit protocol
        config http
            set domain-fronting {allow | block | monitor}
        next
    end
end

DNS over TLS (DoT) and DNS over HTTPS (DoH) are now supported in DNS inspection for both proxy and flow mode.

Added GUI support for GTPv2 options for FortiOS Carrier. There are now separate filters for GTPv0/v1 and GTPv2, along with individualized settings for managing their message rate limits. Furthermore, support for an IE allow list configuration has been added. This feature grants users more precise control over GTP profiles, enhancing the overall usability.

Previously, when auto-upgrade was disabled, users would receive a warning advising them to execute exec federated-upgrade cancel in order to remove any scheduled upgrades. However, with the new update, the system is now capable of autonomously canceling any pending upgrades, eliminating the need for manual user action.

New hyperscale feature to control the rate at which NP7 processors generate ICMPv4 and ICMPv6 error packets to prevent excessive CPU usage. This feature is enabled by default, and you can use the following options to change the configuration if required for your network conditions:

config system npu
    config icmp-error-rate-ctrl
        set icmpv4-error-rate-limit {disable | enable}
        set icmpv4-error-rate <packets-per-second>
        set icmpv4-error-bucket-size <token-bucket-size>
        set icmpv6-error-rate-limit {disable | enable}
        set icmpv6-error-rate <packets-per-second>
        set icmpv6-error-bucket-size <token-bucket-size>
    next
end

FGSP Support for Packet Forwarding Control Protocol (PFCP) in the FOS Carrier. FortiCarriers robustness and reliability is bolstered by ensuring consistent PFCP session information across all FGSP peers. It also facilitates the smooth synchronization of PFCP session information to newly integrated peers. This feature improves the systems scalability by enabling effortless integration of new peers into the FGSP cluster, and augments network flexibility and efficiency through the support for asymmetric routing.

GUI support added to control the use of CLI commands in administrator profiles.

Support for synchronizing RSSO (Radius Single Sign-On) authenticated user logon information between FGSP peers. This ensures a consistent user experience across all FGSP peers.

FortiGate now supports 3 methods of VMAC definition to increase the number of HA virtual MAC addresses beyond the number HA group-ids. These methods are:

1. Manual VMAC per interface

2. Auto VMAC assignment

3. Group-id based assignment (existing)

Manual VMAC can be configured on a physical, EMAC or FortiExtender interface, which will override other VMAC assignment options.

Auto VMAC assignment utilizes the hardware MAC address of the primary unit with the locally administered bit (U/L bit) changed to 1. For example, 00:xx:xx:xx:xx:xx becomes 02:xx:xx:xx:xx:xx. This option is only supported on physical interfaces.

config system ha
    set auto-virtual-mac-interface <interface list>
end
config system interface
    set virtual-mac <mac address>
end

Dynamic Source Port for GTP-U Packets is now supported on NP7 Platforms. This feature establishes two sessions for bidirectional traffic, regardless of the source ports. By reducing the number of sessions, it significantly decreases memory usage. This is particularly beneficial for customers handling high volumes of GTP-U traffic, offering a memory-efficient and streamlined solution.

config system global
    set gtpu-dynamic-source-port {enable | disable}
end

Session Failover is now supported for asymmetric traffic. FortiGate can now continue sessions on the active FGSP peer if the original FGSP peer, which initially received the sessions first packet, becomes unavailable. Once the original FGSP peer is back online, the session will switch back to it. This enhancement ensures continuity and reliability of the network sessions, even in the event of a device failure.

Streamlines timezone updates with a downloadable database. Previously, the IANA timezone database was embedded within the image, necessitating a FOS image upgrade for any updates. Now, it is conveniently downloadable from the FortiGuard server, enabling FortiGate to automatically refresh its timezone database seamlessly. This advancement eliminates customers' need to wait for the next image release to access new or updated timezones.

An FGCP HA split-brain scenario may occur when heartbeat interfaces are down or there is extreme latency or congestion, leading to the secondary unit promoting itself to primary. To prevent this situation, this enhancement introduces the backup heartbeat interface which is a dedicated interface used only when a secondary unit detects no heartbeats from the primary through the regular heartbeat interfaces.

config system ha
    set backup-hbdev <interface list>
end

FortiOS can restrict local admin logins through the console when the remote authentication server is reachable. This provides more extensive control over local admin logins, improving the system's security.

config system global
    set admin-restrict-local {all | non-console-only | disable}
end

This enhancement enables SNMP clients to query the BIOS security level of a FortiGate using the new OID 1.3.6.1.4.1.12356.101.4.1.38.

Security enhancement for closed-network VM licenses. The CMS signature is now verified immediately after the license is loaded. This ensures the license is from Forticare and confirms the authenticity of its contents and contracts, enhancing license integrity and customer trust.

Configuration files are now encrypted in the eCryptfs file system when a system reboots or shuts down, and decrypted when the system boots up and is required to load the configs to CMDB. The eCryptfs encryption key is generated and stored on the TPM the same way as the private-data-encryption key, if TPM is supported on the device model. Otherwise, it is generated by CSPRNG and stored on disk.

FortiOS allows the delay-tcp-npu-session enable option to be applied globally, eliminating the need to set the command for each firewall policy, conserving resources.

config system global
    set delay-tcp-npu-session {enable | disable}
end

FortiOS supports the Ethernet Statistics Group for Remote Network Monitoring (RMON), which provides detailed statistics about the traffic that passes through the Ethernet interface, such as drop events and collisions.

The print tablesize command has been updated to show object usage, aiding administrators in monitoring limits and improving system management.

Support for interface selection method for SNMP traps. This enhancement enables SNMP traps to leverage SD-WAN rules. This feature is especially advantageous in larger SD-WAN environments, where routing SNMP traps via the most efficient SD-WAN path has previously posed a challenge.

This enhancement requires the kernel to verify the signed hashes of important file-system and object files during bootup. This prevents unauthorized changes to file-systems to be mounted, and other unauthorized objects to be loaded into user space on boot-up. If the signed hash verification fails, the system will halt.

FortiOS allows users to specify the sequence that authentication methods are executed in when both 802.1x and MAC Authentication Bypass (MAB) are enabled. Users can prioritize one method over the other based on their specific network security requirements.

Support for client certificate validation and EMS tag matching has been added to the explicit proxy policy, improving user experience and security.

Support for SCIM server on FortiGate. This enhancement allows FortiGate to communicate with an IdP using the SCIM 2.0 protocol, enabling automatic provisioning of users and groups on FortiGate.

Support is added for a customizable password reuse threshold applicable to both system and user password policies. This empowers users to determine the frequency of password reuse, bolstering password management and enhancing security.

Expand the range of protocols that can trigger RADIUS authentication, now including DNS and ICMP queries. This improvement provides our customers with a more flexible solution.

Incorporates a global installation of the OpenSSL FIPS provider at startup. This enhancement ensures that any OpenSSL application is automatically compliant with FIPS regulations. Additionally, the system now defaults to the more secure TLS1.2 and TLS1.3 protocols. Furthermore, only Diffie-Hellman parameters of 2048 bits or higher are permitted. This ensures a robust security posture and aligns with industry standards.

In IPsec dial-up VPN config, an option is added to enforce ZTNA security posture tag matching before establishing an IKEv2 VPN tunnel. The following settings have been added:

config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set remote-gw-match {any | ipmask | iprange | geography | ztna}
        set remote-gw-ztna-tags <IPv4 ZTNA posture tags>
    next
end

When set remote-gw-match ztna is enabled, remote-gw-ztna-tags can be configured.

FortiOS now offers the capability for users to enable automatic selection mechanism for the IPSec tunneling protocol. IKE will initially employ UDP encapsulation. If UDP establishment does not succeed within the set threshold, the transport layer protocol seamlessly switches to TCP to ensure optimal performance and reliability.

config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport {auto | udp | tcp}
        set auto-transport-threshold <integer>
    next
end

FortiOS now supports session resumptions for IPSec tunnel version 2. This enhances the user experience by maintaining the tunnel in an idle state, allowing uninterrupted usage even after a client resumes from sleep or when connectivity is restored after a disruption. It also removes the necessity for re-authentication when reconnecting, making the process more efficient.

With this enhancement, FortiGate can share ZTNA information such as ZTNA VIP address and application specifics like application address and port via the EMS connector. On FortiClient EMS, the configured ZTNA TCP and SaaS applications are pulled into the ZTNA application catalog. These apps can be applied to ZTNA Destinations without any additional configurations.

Support for UDP traffic destinations is added for ZTNA. On a supported FortiClient endpoint (7.4.1 and above), when UDP traffic to a destination is detected, FortiClient will form a UDP connection over QUIC to the FortiGate ZTNA gateway. After authentication, security posture check and authorization, a connection with the destination will be formed and the end to end UDP traffic will pass through.

config firewall vip
    edit < ZTNA VIP >
        set type access-proxy
        set h3-support {enable | disable}
    next
end