Network security vendor Fortinet has released FortiOS 7.6.5. It brings a number of new features and fixes for previously reported bugs. Particular attention has clearly been paid to firewall operation, where there were problems with high load, increased memory consumption and client sessions being dropped. Good news for owners of devices with 2 GB of RAM are the changes to the firewall.service.custom configuration that followed an upgrade from 7.4.x to 7.6.0–7.6.4. More details on the update are in the notes below.
New features and resolved issues:
GUI
| Feature ID | Description |
|---|---|
| 1183975 | The FortiGate setup wizard includes options to configure a gateway to establish internet connectivity, which is required for successful registration with FortiCare. Additionally, for air-gapped environments, the wizard allows users to upload an offline license file directly, enabling successful registration even when the device cannot reach FortiCare. This enhancement resolves setup-blocking issues and improves deployment flexibility. |
| 1186780 | Security Rating tooltips now include a footer button to view all insights for a configuration object, plus individual controls to hide specific insights directly from the tooltip. Hidden insights are still indicated, improving visibility and user control. |
LAN Edge
| Feature ID | Description |
|---|---|
| 1078408 | FortiAP now supports management over IPv6. This enables integration into IPv6-based network environments, improves scalability, simplifies configuration in large deployments, and helps meet evolving regulatory and infrastructure requirements. |
| 1095618 | DARRP channel selection can be handled by FortiAIOps when available, which collects radio data from FortiGate via REST APIs and recommends optimal channels to reduce interference. This shift enables smarter, centralized Wi-Fi tuning in high-density environments like campuses. |
| 1139482 | Added support for WPA2/WPA3-Enterprise and WPA3-SAE authentication in client mode on FWF G-series models, enabling secure and flexible network authentication. |
| 1150610 | FortiAPs can now automatically request certificates from EST or SCEP servers configured in the wtp-profile, eliminating the need for manual CA uploads via TFTP. This streamlines 802.1X WAN deployments and simplifies certificate renewal. |
| 1185065 | FortiAP-K models now support Multi-Link Operation (MLO) as part of Wi-Fi 7, enabling simultaneous data transmission across multiple bands (2.4, 5, and 6 GHz) for improved performance and efficiency. |
| 1185772 | Default soft-switch interfaces and open SSIDs have been removed across FortiWiFi platforms to enhance security and simplify network design. For 4xF/6xF/G-series models, the default WiFi VAP remains in tunnel mode with preconfigured IP, DHCP, and firewall policies for easy setup. On 8xF-2R models, WiFi VAPs now operate in bridge mode, integrating with the hardware switch so clients receive DHCP from the internal interface and benefit from firewall policy control. |
| 1187026 | Mesh leaf FAP settings can now be configured directly through the GUI, enabling faster, more intuitive setup of mesh connections. |
| 1187056 | When a FortiGate runs an older FortiOS version that does not support a newly released FortiAP model, the AP is now classified as FAP MVP, a generic Wi-Fi 7 2×2 dual-band profile. This provides limited management and visibility until the FortiGate is upgraded to a FortiOS release that fully supports the AP model. |
| 1217645 | Previously, virtual switches in a software switch could not enable 802.1X authentication. This restriction is removed: 802.1X can be enabled when the software switch's intra-switch-policy is set to explicit, allowing dynamic VLAN assignment and traffic control. |
Log & Report
| Feature ID | Description |
|---|---|
| 1170883 | In Log Settings > Global settings under Preferences, enabling Resolved hostnames exposes options for when hostnames are resolved. If both are enabled from the CLI, On log creation takes precedence. |
Network
| Feature ID | Description |
|---|---|
| 1124535 | FortiGate now provides control over whether domains from delegated IPv6 prefixes are included in the DNS Search List (DNSSL) option sent in Router Advertisements, giving finer control over which domains are propagated to downstream clients (CLI below). |

CLI (1124535):

```
config ip6-delegated-prefix-list
    edit <id>
        set dnssl-service {enable | disable}
    next
end
```
Policy & Objects
| Feature ID | Description |
|---|---|
| 1078303 | FQDN address groups within the ISDB, previously supported in firewall policies, can now also be applied to NGFW policies. |
| 1169071 | Passive learning of FQDN addresses can now be manually overridden and disabled per firewall address object (CLI below). The setting is enabled by default. |

CLI (1169071):

```
config firewall address
    edit <address>
        set passive-fqdn-learning {enable | disable}
    next
end
```
SD-WAN
| Feature ID | Description |
|---|---|
| 1135850 | Added IPv6 support for the HTTP and TWAMP protocols in SD-WAN health checks, and added `probe-response` to the `ip6-allowaccess` options in interface settings so that an IPv6 interface can answer probes (CLI below). |
| 1156116 | Enhancements to the SD-WAN interface speed test allow dynamic QoS application and add resiliency to cloud speed-test connections. |
| 1187047 | |
| 1187158 | Hubs can now detect a dead spoke (no SLA probes received over a configurable duration) and suppress routes to it. A BGP route-map-out matches this suppression status and adjusts the MED so that the hub's BGP peers direct traffic to the spoke through another hub (CLI below). |

CLI (1135850), FGT_A as the health-check sender and FGT_B as the responder:

```
FGT_A:
config system sdwan
    config health-check
        edit "ipv6_test"
            set addr-mode ipv6
            set server 2000:172:16:200::1
            set protocol twamp
        next
    end
end

FGT_B:
config system interface
    edit "port3"
        ...
        config ipv6
            set ip6-address 2000:172:16:200::1/64
            set ip6-allowaccess ping https ssh probe-response
        end
    next
end
config system probe-response
    set mode twamp
end
```

CLI (1187158):

```
config system sdwan
    config health-check
        edit <name>
            set update-bgp-route {enable | disable}
        next
    end
end
config router route-map
    edit "suppress_dead_spoke"
        config rule
            edit 1
                set match-suppress enable
                set set-metric 999
            next
            edit 2
                set set-metric 10
            next
        end
    next
end
config router bgp
    config neighbor
        edit "172.31.0.129"
            set attribute-unchanged med
            set route-map-out "suppress_dead_spoke"
        next
    end
end
```
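To see what the 1135850 TWAMP health check actually puts on the wire, and what a peer with `probe-response` in its allowaccess list has to answer, here is an added example (not Fortinet code) of a TWAMP-Light exchange in unauthenticated mode per RFC 5357: a Session-Sender that stamps each probe, a Session-Reflector that echoes it with receive and transmit timestamps, and RTT computed net of reflector processing time. Both ends run on the local host; the reflector binds an ephemeral port here, whereas a FortiGate answers on the port the health check is configured with. The loopback address, probe count and timeout are assumptions for the demo.

```python
"""TWAMP-Light style probe/reflector exchange (RFC 5357, unauthenticated mode).

Added example, not Fortinet code. It models what an SD-WAN health check with
`set protocol twamp` sends, and what a peer with `probe-response` in its
ip6-allowaccess list and `config system probe-response / set mode twamp`
answers. Both ends run here on the local host over UDP.
"""
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2_208_988_800     # seconds from 1900-01-01 to 1970-01-01
ERR_EST_SYNC = 0x8001                # S=1 (clock synchronised), scale 0, multiplier 1

# Unauthenticated Session-Sender test packet: seq(4) | timestamp(8) | error estimate(2) | padding
SENDER_FMT = "!IIIH"
# Unauthenticated Session-Reflector packet (RFC 5357 section 4.2.1)
REFLECTOR_FMT = "!IIIHHIIIIIHHB"
PACKET_LEN = struct.calcsize(REFLECTOR_FMT)  # 41; the sender pads to at least this size


def to_ntp(t: float) -> tuple[int, int]:
    """UNIX time -> NTP 64-bit timestamp as (seconds, fraction) 32-bit fields."""
    whole = int(t)
    return (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, int((t - whole) * (1 << 32)) & 0xFFFFFFFF


def ntp_diff(a_sec: int, a_frac: int, b_sec: int, b_frac: int) -> float:
    """(a - b) in seconds, computed in 64-bit fixed point so no float precision is lost."""
    return (((a_sec - b_sec) << 32) + (a_frac - b_frac)) / (1 << 32)


def reflector(sock: socket.socket, stop: threading.Event) -> None:
    """Session-Reflector: stamp receive/transmit time and echo the sender's fields."""
    seq = 0
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        r_sec, r_frac = to_ntp(time.time())          # receive timestamp
        if len(data) < struct.calcsize(SENDER_FMT):
            continue                                  # malformed probe: drop, never reflect
        s_seq, s_sec, s_frac, s_err = struct.unpack_from(SENDER_FMT, data)
        t_sec, t_frac = to_ntp(time.time())          # transmit timestamp
        reply = struct.pack(REFLECTOR_FMT, seq, t_sec, t_frac, ERR_EST_SYNC, 0,
                            r_sec, r_frac, s_seq, s_sec, s_frac, s_err, 0, 255)
        sock.sendto(reply, peer)
        seq += 1


def twamp_probe(server: str, port: int, count: int = 3, timeout: float = 1.0) -> dict:
    """Session-Sender: send `count` probes and compute RTT net of reflector processing time."""
    family = socket.getaddrinfo(server, port, 0, socket.SOCK_DGRAM)[0][0]
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    rtts, lost = [], 0
    try:
        for seq in range(count):
            t_send = time.time()
            sec, frac = to_ntp(t_send)
            probe = struct.pack(SENDER_FMT, seq, sec, frac, ERR_EST_SYNC).ljust(PACKET_LEN, b"\0")
            sock.sendto(probe, (server, port))
            try:
                data, _ = sock.recvfrom(2048)
            except socket.timeout:
                lost += 1                             # no reply within the SLA window
                continue
            t_back = time.time()
            (_, tx_sec, tx_frac, _, _, rx_sec, rx_frac,
             echo_seq, _, _, _, _, _) = struct.unpack_from(REFLECTOR_FMT, data)
            if echo_seq != seq:
                lost += 1                             # stale or spoofed reply: ignore it
                continue
            reflector_delay = ntp_diff(tx_sec, tx_frac, rx_sec, rx_frac)
            rtts.append((t_back - t_send) - reflector_delay)
    finally:
        sock.close()
    return {"sent": count, "lost": lost, "rtt_ms": [round(r * 1000, 3) for r in rtts]}


def run_demo(addr: str = "::1", count: int = 3) -> dict:
    """Start a reflector on `addr` (IPv6 loopback by default) and probe it."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    rsock = socket.socket(family, socket.SOCK_DGRAM)
    rsock.bind((addr, 0))                             # ephemeral port for the demo; a FortiGate
    port = rsock.getsockname()[1]                     # listens on the health check's configured port
    stop = threading.Event()
    worker = threading.Thread(target=reflector, args=(rsock, stop), daemon=True)
    worker.start()
    try:
        return twamp_probe(addr, port, count)
    finally:
        stop.set()
        worker.join()
        rsock.close()


if __name__ == "__main__":
    print(run_demo())
```

Pass `"127.0.0.1"` to `run_demo` on a host without an IPv6 loopback. The two checks in the sender are the ones that matter operationally: a missing reply counts as loss against the SLA, and a reply whose echoed sequence number does not match is discarded rather than measured, so a late or forged packet cannot improve the reported latency.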
Security Profiles
| Feature ID | Description |
|---|---|
| 1166828 | Proxy-based inspection is restored for email protocols on FortiGate models with 2 GB of RAM. Firewall policies on those models can once again use proxy-based inspection mode when one or more of the covered email services is selected in the policy. |
| 1178045 | Added a CLI setting to configure the FortiSandbox inline mode block (ILB) scan timeout (CLI below). |

CLI (1178045):

```
config antivirus profile
    edit <name>
        set fortisandbox-scan-timeout <30-180>
    next
end
```
System
| Feature ID | Description |
|---|---|
| 1000357 | Improved Hyperscale FortiOS support for SNMP MIB OIDs that monitor IP and PBA usage in CGNAT IP pools. The fgFwIppStatsExpiringPBAs SNMP field is not supported in FortiOS 7.6.5. |
| 1006397 | Granular failure details for each device in a federated upgrade are now reported, allowing users to identify individual devices with specific failure reasons during the upgrade process. |
| 1123102 | Added support for FortiSASE Sovereign licensing bundles for the FortiGate 91G and 901G. Once this licensing is applied and sov-sase is enabled (CLI below), the GUI and CLI become read-only and all FortiGate configuration changes are managed from the FortiSASE-Sovereign Portal. |
| 1133400 | Memory usage is optimized on FortiGate models with 2 GB or 4 GB of RAM. Affected 2 GB model families: 40F, 60F and 50G. Affected 4 GB model families: 70F, 80F and 70G. |
| 1202253 | The HTTPS management interface now supports quantum-resistant TLS, including hybrid key exchange and PQC certificates, while remaining compatible with clients that do not support PQC. |

CLI (1123102):

```
config system sov-sase
    set status enable
end
```
User & Authentication
| Feature ID | Description |
|---|---|
| 1216102 | When using SAML authentication in a web proxy, the timeout of the sign-on URL in the auth query can be configured (CLI below), giving the client more time to reach the IdP's sign-on URL. |

CLI (1216102):

```
config web-proxy global
    set auth-sign-timeout <30-3600>
end
```
VPN
| Feature ID | Description |
|---|---|
| 1152420 | FortiOS now supports Post-Quantum Cryptography (PQC) for Agentless VPN. This enhancement introduces new CLI options for Agentless VPN, allowing you to select pure and hybrid PQC algorithms to prepare for future quantum computing threats. |
| 1195216 | FortiGate now supports TLS 1.3 hybrid Post-Quantum Cryptography (PQC) key exchanges in SSL deep inspection (flow mode), enabling secure traffic inspection. This enhancement ensures compatibility with modern browsers and PQC-enabled servers that utilize algorithms such as X25519MLKEM768. |
| 1205594 | IKE negotiation for IPsec VPN over UDP can now use port 443 (CLI below). |

CLI (1205594):

```
config system settings
    set ike-port 443
end
```
WiFi Controller
| Feature ID | Description |
|---|---|
| 1211127 | WiFi controllers now process the RADIUS Filter-Id attribute during 802.1X authentication to automatically map clients to existing user groups. This triggers the creation of WSSO firewall authentication entries, so the correct firewall policies are applied immediately without additional user login steps. |
| 1189709 | FWF models now secure the out-of-the-box experience by broadcasting a temporary, unique MAC-based SSID for only five minutes upon first power-up, replacing the static default. The initial login workflow now requires an admin password change and launches a WiFi Setup Wizard, which prompts administrators to either securely customize the WiFi Network or disable the WiFi Network entirely. |
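The Filter-Id mapping in 1211127 only does what it should if the Access-Accept carrying it is genuinely from the configured RADIUS server and the attribute TLVs are parsed defensively. As an added example (not Fortinet code), the following Python models that path: it verifies the RFC 2865 Response Authenticator over the reply, walks the attribute list rejecting lengths that overrun the packet, and maps Filter-Id (type 11) values onto a set of locally configured groups, ignoring names that do not exist. The shared secret, group names and sample packet are constructed test data, and the exact rule FortiOS uses to match a Filter-Id value to a user group is not stated on this page, so an exact string match is an assumption here.

```python
"""RADIUS Access-Accept handling: verify the Response Authenticator, then map Filter-Id
values to locally configured user groups.

Added example, not Fortinet code. It models the FortiOS 7.6.5 behaviour of mapping an
802.1X client to *existing* user groups from the Filter-Id attribute (type 11, RFC 2865).
Secret, group names and packet below are constructed test data; the exact matching rule
FortiOS applies between Filter-Id and a group is an assumption (exact string match).
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
HEADER_LEN = 20                      # code(1) id(1) length(2) authenticator(16)


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: list[tuple[int, bytes]]) -> bytes:
    """Build a server reply with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret,
                            usedforsecurity=False).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute MD5(Code+ID+Length+RequestAuth+Attributes+Secret), compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack_from("!H", packet, 2)[0]
    if length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]                          # octets past Length are padding
    header, resp_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + secret,
                           usedforsecurity=False).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet: bytes) -> tuple[int, int, list[tuple[int, bytes]]]:
    """Walk the attribute TLVs; reject any length field that runs past the packet."""
    code, ident, length = struct.unpack_from("!BBH", packet)
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, off = [], HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[off], packet[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("attribute length overruns packet")
        attrs.append((a_type, packet[off + 2:off + a_len]))
        off += a_len
    return code, ident, attrs


def groups_from_accept(packet: bytes, request_auth: bytes, secret: bytes,
                       configured_groups: set[str]) -> list[str]:
    """Return the configured groups named by Filter-Id, in attribute order.

    An unverifiable reply is refused outright: trusting Filter-Id from a packet that does
    not authenticate against the shared secret would let anyone on the RADIUS path
    choose which firewall policies a client gets.
    """
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply is not from the RADIUS server")
    code, _, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return []
    names = [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_FILTER_ID]
    return [n for n in names if n in configured_groups]   # unknown names are ignored, not created


# Constructed sample: one Filter-Id names a group that exists on the firewall, one does not.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))                       # authenticator from the Access-Request
CONFIGURED_GROUPS = {"wifi-staff", "wifi-guest"}
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 0x2A, REQUEST_AUTH, SECRET, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_FILTER_ID, b"wifi-staff"),
    (ATTR_FILTER_ID, b"not-a-local-group"),
])


def demo() -> list[str]:
    return groups_from_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET, CONFIGURED_GROUPS)


if __name__ == "__main__":
    print(demo())                                     # ['wifi-staff']
```

The order of operations is the point: authenticate the reply first, parse second, map third. A client that only gets the groups the firewall already defines is also what keeps a misconfigured or compromised RADIUS server from minting new group memberships on the FortiGate.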
Vendor notes: FortiOS 7.6.5
Regards,
The B&B Team
Bezpieczeństwo w biznesie
