Presentation

Organizations are facing challenges related to remote work, network edge security, and sophisticated cyber threats, necessitating modern networking technologies and effective cybersecurity strategies. Fortinet addresses these issues through its Security Fabric platform, which integrates various security solutions and emphasizes automation and visibility. The latest FortiOS 7.2 introduces numerous features to enhance security, streamline operations, and improve management across networks and devices.

Uploaded by

kasonhuanglab
Organizations are facing five key challenges

Work from anywhere:
• According to Ladders, 25% of all professional jobs in North America will be
remote by the end of 2022, and remote opportunities will continue to increase
through 2023.
• Organizations need to know that the devices connecting to their networks are
safe and appropriate.
• They require visibility and consistent enterprise-grade security for these remote
networks while not violating employee privacy, especially for the other users and
devices connected to their home network.

Network edge:
• Applications and data are no longer contained within the corporate data center.
Instead, they reside across distributed networks and the billions of edges created
by IoT and mobile end-user devices.
• Today, the perimeter is everywhere, creating a perfect storm of complexity for
managing cybersecurity and network infrastructures.
• Legacy network security cannot protect today’s distributed workforce and
multi-cloud environments.
• Organizations invest in modern networking technologies (SD-WAN/5G) to provide
faster access to local networks while also enabling direct internet access to
multi-cloud/SaaS applications (LAN/WLAN).

Application journey:
Edge computing moves applications and data closer to users and devices, and by
year-end 2023, 50% of large enterprises will have a documented edge computing
strategy, compared to less than 5% in 2020.

However, the costs of doing so include increased deployment, operational, and
security complexity, along with an even greater loss of visibility as organizations
struggle to monitor regional and local clouds on top of the hybrid and multi-cloud
environments they already have in place.
Organizations must deliver secured digital experiences across their complete
application journey roadmaps.

Sophisticated threats:
Today’s cyber threat landscape continues to accelerate, both in volume and
sophistication, increasing the demand for high levels of automation as well as AI and
ML models.

To address these challenges, Fortinet delivers a multi-phase approach to cyber
security: prevention of threats, combined with continuous inspection to detect an
intrusion or attack in progress. This is followed by a quick response to cyber events,
coordinated across the distributed cybersecurity mesh to contain and mitigate
attacks.

Fortinet also provides continuously updated prevention with actionable threat
intelligence, integrated artificial intelligence, and other advanced technologies
provided by our global threat research labs that span the attack surface and kill chain
stages. This allows continuous monitoring to be handled centrally while providing
correlated data and single-pane visibility to enable a fast and efficient response
process.

Operational technology:
In the past, the OT network was isolated from the enterprise and lacked security by
design because of the impact that some security technologies can have on sensitive
OT systems.

Today, the digitization of operational processes has led to productivity, efficiency,
responsiveness, and overall profitability gains. However, while technological and
organizational convergence between IT and OT has dramatically impacted OT
networks and how they are managed and protected, new digital controls and
connected systems have opened new threat vectors.

Fortinet's OT segmentation strategy combines the power of the Security Fabric, with
its leading microsegmentation and policy enforcement technologies, with strategic
partnerships with top OT developers, including leading visibility, automation, and
control vendors.

We are seeing three major cybersecurity trends:

• A more sophisticated threat landscape with an acceleration of advanced threats.
• The convergence of networking and security, which Fortinet refers to as
Security-driven networking.
• The move towards consolidation of security vendors and solutions to reduce
complexity and accelerate responsiveness to threats.

5-8 slides that look at Fortinet specifically. This can include overviews of specific products
as well as results from third-party testing. The Security Fabric and Gartner Cybersecurity
Mesh Architecture slides have been included in the template as most workshops should
include them.

The Fortinet Security Fabric platform is built on a cybersecurity mesh architecture,
similar to what Gartner announced recently: “an architectural approach to create
a collaborative ecosystem of security tools operating beyond the traditional
perimeter.”

The Security Fabric provides a suite of best-of-breed solutions, organically built
from the ground up to provide the best integration in the industry.

The Security Fabric enables organizations to achieve operational efficiencies
through consistent policies and automation, deep visibility across all their
deployments whether on the network or in the cloud, and the ability to interoperate
with a broad ecosystem of networking and security solutions.

Cybersecurity Mesh Architecture (CSMA) is an architectural approach proposed by Gartner
that promotes interoperability between distinct security products to achieve a more
consolidated security posture.

We believe that the Fortinet Security Fabric exemplifies this concept. The Security Fabric:
• Reduces operational complexity while ensuring compliance
• Emphasizes interoperability as well as analytics, intelligence, centralized management,
and automation
• Integrates with a broad ecosystem of technologies and vendors

FortiOS 7.2 addresses and elevates the complex challenges disrupting today’s digital
acceleration efforts. These include:
• Ineffective security intelligence with no real-time impact makes it impossible to keep
ahead of never-seen-before automated attacks.
• Inability to coordinate security across an ever-expanding attack surface and evolving
attack cycles creates exploitable security gaps.
• Silos between networking and security create operational and security deficiencies and
heighten risk. This is especially challenging as IT and OT networks continue to converge.
• Distributed security postures make effective and consistent detection, prevention, and
response in real time nearly impossible.

With over 300 new features spanning the entire Fortinet portfolio, FortiOS 7.2 uniquely
empowers organizations to run their businesses without compromising performance,
protection, or putting the brakes on innovation. It enables you to establish a consistent and
dynamic security posture so users and devices can securely access applications and
services from any location regardless of where they are deployed. It also continuously
assesses risk and automatically adjusts enforcement end-to-end for any interaction from
anywhere. And to expand our portfolio, this release also introduces several new NGFW
models that enhance critical performance across today’s hybrid networks.

This enhancement removes the previous Network > Packet Capture page and replaces it
with the Network > Diagnostics > Packet Capture page. The new page streams the capture
in real-time. It allows users to select a packet and view its header and payload information
in real-time. Once completed, packets can be filtered by various fields or through the
search bar. The capture can be saved as a PCAP file for further analysis.

In the CLI, some options under config firewall sniffer have been removed.

Debug flows can now be executed from the GUI using the Network > Diagnostics > Debug
Flow page. Debug flow output is displayed in real-time until it is stopped. The completed
output can be filtered by time, message, or function. The output can be exported as a CSV
file.

The IP Address Lookup button has been added to allow users to look up IP address
information from the Internet Service Database and GeoIP Database. Returned IP address
information includes the reverse IP address/domain lookup, location, reputation, and other
internet service information.

In the Top FortiSandbox Files FortiView monitor, users can select a submitted file and drill
down to view its static and dynamic file analysis. The full FortiSandbox report can be
downloaded in PDF format. This feature works with FortiGate Cloud Sandbox, FortiSandbox
Cloud, and FortiSandbox appliance. FortiSandbox must be running version 3.2.1 and later.

We are uniquely positioned with this new inline sandbox feature.
Our FortiGate can now stop unknown files at the firewall level, send them for
sandbox analysis, and only release a file to the user if there is a good verdict.
Malware will be dropped and not delivered to the user.

With this new feature we closed the attack surface on the network layer as we already do
on mail and endpoint. We are unique in the market and can offer real protection versus
fast detection with ML technology on the firewall.
Palo will try to influence our customers with ML-based threat detection on the firewall, but
they aren’t able to block all unknown files.
They improved detection with more static analysis and other technology on the firewall,
but let the “unknown” through to the user if ML didn’t detect it.

Unknowns are sent to their WildFire Cloud for analysis, and the verdict comes back after the
potential malware was delivered.

We stop malware versus playing hide and seek with malware that was delivered to the user.

The Fabric Management page allows administrators to manage the firmware running on
each FortiGate, FortiAP, and FortiSwitch in the Security Fabric. A Fabric Upgrade can be
performed immediately or during a scheduled time. Administrators can choose a firmware
image from FortiGuard for the Fabric member to download directly to upgrade. This page also
allows administrators to authorize and register Fabric devices, and to view the
FortiCare registration status and device type. Donut charts display summaries of the
device types and firmware status.

Starting with FortiOS 7.2.0, released FortiOS firmware images use tags to indicate the
following maturity levels:
• The Feature tag indicates that the firmware release includes new features.
• The Mature tag indicates that the firmware release includes no new, major features.

When performing a Fabric upgrade or non-Fabric upgrade under System > Fabric
Management and choosing a firmware that requires multiple builds in the upgrade path,
the FortiGate can follow the upgrade path to complete the upgrade automatically. This can
be performed immediately or during a scheduled time.
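
The multi-build upgrade path described above can be modelled as a shortest-path search over a table of supported upgrade steps. The following is an added illustration, not Fortinet's code; the edge table, release numbers and Feature/Mature tags are constructed sample data, not the published upgrade-path matrix.

```python
"""Computing a multi-build firmware upgrade path (added illustration)."""
from collections import deque

# Constructed sample of supported upgrade steps: each key is a release and the
# value lists releases it can be upgraded to directly. Hypothetical data, not
# Fortinet's published upgrade-path table.
UPGRADE_EDGES = {
    "6.4.9": ["7.0.5", "7.0.6"],
    "7.0.5": ["7.0.6", "7.2.0"],
    "7.0.6": ["7.2.0", "7.2.1"],
    "7.2.0": ["7.2.1"],
    "7.2.1": [],
}

# Constructed maturity tags for the sample releases (Feature / Mature).
TAGS = {"7.2.0": "Feature", "7.2.1": "Mature", "7.0.5": "Mature", "7.0.6": "Mature"}


def upgrade_path(edges, current, target):
    """Return the shortest list of builds from current to target, inclusive,
    or None when no supported path exists. A breadth-first search over the
    edge table yields the path with the fewest intermediate builds."""
    if current == target:
        return [current]
    parent = {current: None}
    queue = deque([current])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt in parent:
                continue          # already reached by a path at least as short
            parent[nxt] = node
            if nxt == target:
                # Walk the parent links back to the starting build.
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def describe_path(edges, tags, current, target):
    """Annotate each hop with its maturity tag so an administrator can see
    whether a scheduled upgrade passes through Feature or Mature builds."""
    path = upgrade_path(edges, current, target)
    if path is None:
        return None
    return [(build, tags.get(build, "untagged")) for build in path]


if __name__ == "__main__":
    for hop, tag in describe_path(UPGRADE_EDGES, TAGS, "6.4.9", "7.2.1"):
        print(f"{hop:8} {tag}")
```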

The FortiGate will automatically connect to [Link], and then discover the
specific region and server to connect to based on which region the customer selected to
deploy their FortiSandbox Cloud instance. FortiSandbox Cloud 4.0.0 (or later) is required for
this functionality. The FortiGate must have a FortiCloud premium account license and a
FortiSandbox Cloud VM license.

Primary and secondary HA members can be registered to FortiCare at the same time from
the primary unit. The secondary unit will register through the HA proxy.

For SD-WAN, most of the new features are focused on simplified operations with
automation and orchestration, fast and scalable roll-out with zero-touch provisioning, and
new application visibility.

From the management perspective you will see more and more functions unified with best
practices and templates built in.
This isn’t new for Fortinet, but you can call it true AI-Ops!

Again, something we have had in the Security Fabric for years, and now being hyped by Palo and
others.

To free up SOC teams and let them focus on major issues, SOC-as-a-Service lets the
customer offload all tier-one analysis to Fortinet's global team of experts.
This attached service is conveniently priced at a fixed cost for NGFW deployments.

The new Outbreak Detection service for SIEM and Analyzer will help customers respond
faster to outbreak attacks through immediate alerts and threat hunting scripts
that automatically identify, detect, and remediate.

There are simply too many new features launched that apply to the FortiGate, but also to the
other FortiOS products.

Next to the inline sandbox and other new FortiGuard services, a few features are highlighted
here. Support for HTTP/3, which is used by many popular sites. We can do SSL deep
inspection to close potential security gaps.
Check the release notes for all improvements and new features we’ve introduced.

Within the ZTNA pillar you will find more enhancements (SASE and Identity), but let’s focus
on ZTNA for now.

The ZTNA policies are now unified in a single NGFW+ZTNA policy, another big step in
convergence.
Provisioning is made easy by enhancements of the ZTNA service portal,
and as discussed earlier, Inline CASB will be supported soon.

In NGFW mode, administrators can configure a security policy in learn mode to monitor
traffic that passes through the source and destination interfaces. All traffic is allowed
between the interfaces and logged. The learn mode uses a special prefix in
the policymode and profile fields in traffic and UTM logs for use by FortiAnalyzer and the
Policy Analyzer Management Extension Application (MEA) that is available with
FortiManager.

The following limitations apply when learn mode is enabled in a security policy:
• Only interfaces with device-identification enabled can be used as source interfaces in a
security policy with learning mode enabled.
• The any interface is not supported as the incoming or outgoing interface.
• Internet service is not supported.
• NAT46 and NAT64 are not supported.
• Users and groups are not supported.
• Some negate options are not supported.

Two options, Policy change summary and Policy expiration, are added to Workflow
Management. Policy change summary enforces an audit trail for changes to firewall
policies. Policy expiration allows administrators to set a date for the firewall policy to be
disabled.

There are three states for the Policy change summary:
• Disable: users will not be prompted to add a summary when editing a policy.
• Required: the Policy change summary will be enabled and will require users to add a
summary when editing or creating a firewall policy.
• Optional: the Policy change summary will be enabled but users can leave the summary
empty, if preferred, when editing or creating a firewall policy.

There are three states for Policy expiration:
• Disable: the firewall policy will not expire. This is the default setting for Policy expiration.
• Default: the firewall policy will expire after the default number of days.
• Specify: the firewall policy will expire at a set date and time.

The default value for Policy expiration is 30 days. This number can be changed in the CLI or
in System > Settings in the GUI to any value between zero and 365 days. If the default value
is set to zero, the Default state will disable the Policy expiration.

As with SD-WAN, our engineering team put a lot of effort into simplifying roll-out and
operations.
This is combined with more integration use cases, like the segmentation use case described on
the right-hand side.

FortiOS 7.2 includes improvements for channel selection for both 2.4GHz and 5GHz
wireless radios. For 2.4GHz, you can select two default channel plans—Three Channels and
Four Channels—to automatically configure non-overlapping channels. For 5.0GHz, a new
slide-in page with improved visualization is added to help users select channels.

The following enhancements have been made in the GUI for managed FortiSwitch units:

• The port health is now reported on the Diagnostics and Tools pane. Go to WiFi & Switch
Controller > Managed FortiSwitches, right-click a FortiSwitch unit in topology view or
list view, and select Diagnostics and Tools. When there are error frames, the port health
is shown as Poor. When there are no error frames, the port health is shown as Good.
The Diagnostics and Tools pane also now reports fan and power supply unit (PSU) status
in the General pane and has a new Clients tab that lists FortiClient users of the selected
FortiSwitch device.

• The new Legend button in the General pane displays the Health Thresholds pane, which
lists the thresholds for the Good, Fair, and Poor ratings of the general health, port
health, and MC-LAG health.

• You can now clear port counters by going to the WiFi & Switch Controller > FortiSwitch
Ports page, right-clicking a port, and selecting Clear port counters.

FortiOS 7.2 includes a number of improvements for FortiSwitch management.

You can now use asterisks as a wildcard character when you pre-authorize FortiSwitch
devices. Using a FortiSwitch template, you can name the managed switch and configure the
ports. When the FortiSwitch device is turned on and discovered by the FortiGate device,
the wildcard serial number is replaced by the actual serial number and the settings in the
FortiSwitch template are applied to the discovered FortiSwitch device.

You can now add multiple managed FortiSwitch VLANs to a software switch using the GUI
or CLI.

You can now configure a link-aggregation group (LAG) on a software switch that is being
used for FortiLink.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network
printers) that cannot respond to the 802.1x authentication request. With MAB enabled on
the port, the system will use the device MAC address as the user name and password for
authentication. If a link goes down, you can select whether the impacted devices must
reauthenticate. By default, reauthentication is disabled.

With this enhancement, dynamic discovery in FortiLink mode over a layer-3 network detects
FortiSwitch split ports and newer FortiSwitch models. Split ports on all supported FortiSwitch
models can be managed and displayed correctly on a FortiGate device.

Flap guard is configured and enabled on each port through the switch controller. The default
setting is disabled.

Administrators can now use the FortiSwitch profile to control whether users can log in with
the managed FortiSwitchOS console port.

You can now configure multiple flow-export collectors using the config collectors command.
For each collector, you can specify the collector IP address, the collector port number, and
the collector layer-4 transport protocol for exporting packets.

You can use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network.
After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the
FortiGate device can use the VXLAN interface to manage the FortiSwitch unit. Only the
management traffic uses the VXLAN tunnel; the FortiSwitch data traffic does not go through
the VXLAN tunnel to the FortiGate device.

You can configure NAC LAN segments in three places in the GUI:
• When you select a NAC VLAN in the WiFi & Switch Controller > NAC Policies page and
click Edit, the Edit NAC Settings page allows you to enable or disable NAC VLAN
segmentation and select the primary interface, onboarding VLAN, and segment VLANs
• The Network > Interfaces page shows each LAN segment VLAN as a child of the parent
NAC segment
• The VLAN segment buttons allow you to enable or disable VLAN segments in the New
Interface and Edit Interface pages

FortiAnalyzer reports can be viewed in the GUI on the Log & Report > FortiAnalyzer
Reports page. Administrators can generate, delete, and edit report schedules, and view and
download generated reports.

When the Security Fabric is enabled, only the root FortiGate can run, edit, and delete
FortiAnalyzer reports. Downstream FortiGate devices can only view the generated reports.

The Log & Report > Events page is now renamed System Events. The System Events page
includes:

• A Summary tab that displays the top five most frequent events in each type of event log
and a line chart to show aggregated events by each severity level. Clicking on a peak in
the line chart will display the specific event count for the selected severity level.
• A Details tab that displays individual, detailed log views for event type.

Clicking on an event in the Summary tab will automatically bring users to the Details tab
with the appropriate filters applied.

The Fortinet Security Fabric provides full protection across the entire digital infrastructure.
The network at the core of the Security Fabric enables multiple network security use cases,
including enterprise-level NGFW, internal segmentation, and SD-WAN. The Fabric
Management Center provides a single pane of glass, simplifying operations and enabling
automation of workflows. It provides complete visibility and control of all traffic and threats
at every point across the attack surface from the edge, at the core, and in hybrid and
multi-cloud environments. AI-driven breach prevention provides automated operations,
orchestration, and response.

The 2021 Security Fabric is:
• Broader, with more products
• More integrated within the management center and security operations
• More automated, with more workflows across all elements
• More Fabric-Ready Partners have joined the ecosystem

The SSL VPN monitor now includes duration and connection summary charts. The IPsec
monitor displays information about Phase 1 and Phase 2 tunnels. Both monitors also
identify users who have not enabled two-factor authentication.

The following GUI enhancements have been added:
• There are several new GUI themes and dark modes (dark matter, onyx, eclipse, graphite,
neutrino, retro)
• The CLI console tab name can be customized
• The full screen view option is replaced with an option to show or hide the navigation
menu
• VDOM selection is always visible when VDOM mode is enabled

GUI themes
To change the GUI theme, go to System > Settings. In the View Settings section, select a
theme from the drop-down list.

The Additional Information section in the right-side gutter of the GUI includes the
following buttons when applicable:

• API Preview: View all REST API requests being used by the page. Users can make
changes on the page that are reflected in the API request preview.
• Edit in CLI: Open a CLI console window to view and edit the setting in the CLI. If there
are multiple CLI settings on the page, the CLI console shows the first setting. This option
is applicable for edit pages.
• References: Open the object usage page to show which other configurations are
referencing the object. This option is applicable for edit object pages.

FortiGate can be configured to allow administrators to log in using FortiCloud single sign-on
(SSO). Both IAM and non-IAM users on the FortiCloud support portal are supported.
Non-IAM users must be the FortiCloud account that the FortiGate is registered to.

To configure an IAM user in FortiCloud
1. Log in to your FortiCloud account at [Link].
2. Click Services > IAM and click Add IAM user.

See Adding an IAM user in the FortiCloud Identity & Access Management (IAM) guide for
more information. The portal permissions for SupportSite, IAMPortal, and FortiOS SSO
must be configured to allow portal access for administrators.

To enable FortiCloud single sign-on on the FortiGate
1. Log in to the FortiGate and click System > Settings.
2. Enable FortiCloud Single Sign-On.
3. Click Apply.

The Security Fabric can be enabled in multi-VDOM environments. This allows access to all
of the Security Fabric features, including automation, security rating, and topologies, across
the VDOM deployment. Users can navigate to downstream FortiGate devices and VDOMs
directly from the root FortiGate using the Fabric selection menu. The logical topology
shows all of the configured VDOMs.

Enhance Security Fabric configuration for FortiSandbox Cloud
Creating an instance of FortiSandbox on FortiCloud can be configured from the Fabric
Connectors page in the GUI. In the Cloud Sandbox Settings, you can choose between
connecting to FortiGate Cloud or FortiSandbox Cloud. Connecting to FortiSandbox Cloud
will automatically use the cloud user ID of the FortiGate to connect to the correct
FortiSandbox Cloud account.

FortiWeb integration
A FortiWeb can be configured to join a Security Fabric through the root or downstream
FortiGate.

Once the FortiWeb joins the Fabric, the following features are available:
• View the FortiWeb on topology pages
• Create a dashboard Fabric Device widget to view FortiWeb data
• Configure single sign-on using SAML

FortiDeceptor and FortiAI
FortiDeceptor and FortiAI can be added to the Security Fabric so they appear in the
topology views and the dashboard widgets.

When managed clients are connected over a VPN, EMS collects user information about
these registered clients, such as the VPN connection information. The FortiGate can
synchronize this user information from EMS and display it in the FortiClient widget and
Logical Topology view to provide a detailed picture of clients and their associated VPN
interfaces.

This redesign simplifies the workflow for managing multiple chained actions and makes it
clearer which order the actions will be processed in.

The enhancements include:
• Add new flow for creating and managing automation stitches, triggers, and
actions
• Add tabs for Stitch, Trigger, and Action on the Automation page
• Improve the FortiOS Event Log trigger by allowing multiple log IDs and adding a
log field filter
• Add Any report type for the Security Rating Summary trigger
• Simplify the URI configuration for cloud actions
• Add JSON parameter support for Slack and Microsoft Teams notifications

Security Rating overlays
Security Rating notifications are shown on settings pages, which list configuration issues
determined by the Security Rating report. You can open the recommendations to see which
configuration items need to be fixed. This frees you from going back and forth between the
Security Rating page and the specific settings page. Notifications appear either in the
gutter, footer, or as a mutable.

There are overlay checks for the following test cases: duplicate policy objects, NTP is
synchronized, system uptime, local log disk space is full, and certificate expiry date.
Notifications can be dismissed in the GUI. Dismissed issues are unique for each
administrator. Hashes for dismissed notifications are saved in local storage. If a user clears
the local storage, all issues will show up again as not dismissed.

Add test to check for two-factor authentication
There is a new Security Rating test to check if two-factor authentication is enabled for each
active SSL VPN and IPsec user. This test is located in the Security Posture scorecard.

Add test to check for activated FortiCloud services
There is a new Security Rating test, Activate FortiCloud Services, that checks whether
FortiCloud services can be activated for FortiAnalyzer Cloud, FortiManager Cloud,
FortiClient EMS Cloud, and FortiSandbox Cloud. This test is located in the Fabric Coverage
scorecard. The test fails if the account has a valid subscription to a service or cloud appliance
but has not enabled the Fabric connection to it on the FortiGate. The test is exempt if there
are no licenses for FortiCloud services on the particular device.

Summarize source IP usage on the Local Out Routing page
The Local Out Routing page consolidates features where a source IP and an outgoing
interface attribute can be configured to route local-out traffic. The outgoing interface has a
choice of Auto, SD-WAN, or Specify to allow granular control over the interface in which to
route the local-out traffic. Local Out Routing must be enabled from System > Feature
Visibility. It also supports multi-VDOM mode.

Add option to select source interface and address for Telnet and SSH
The new commands execute telnet-options and execute ssh-options allow administrators
to set the source interface and address for their connection:
# execute telnet-options {interface <outgoing interface> | reset | source <source interface IP> | view-settings}
# execute ssh-options {interface <outgoing interface> | reset | source <source interface IP> | view-settings}

ECMP routes for recursive BGP next hop resolution
When there are multiple ECMP routes to a BGP next hop, all of them are considered for the
next hop recursive resolution. This ensures that the outgoing traffic can be load balanced.

BGP next hop recursive resolution using other BGP routes
By default, BGP routes are not considered when a BGP next hop requires recursive
resolution. They are considered when recursive-next-hop is enabled.
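
The two behaviours above, following every ECMP route during recursive resolution and only consulting BGP routes when recursive-next-hop is enabled, can be traced with a small resolver. This is an added illustration written for this page, not FortiOS code; the routing table is constructed sample data using documentation address ranges, and the use_bgp flag is a stand-in for the recursive-next-hop setting.

```python
"""Recursive BGP next-hop resolution with ECMP (added illustration)."""
import ipaddress

# Constructed routing table: (prefix, protocol, next_hop, interface). A route
# with an interface and no next hop is directly connected. Hypothetical data.
RIB = [
    ("10.0.0.0/8",      "bgp",       "192.0.2.1",    None),   # route being resolved
    ("192.0.2.0/24",    "bgp",       "198.51.100.1", None),   # BGP-learned next hop
    ("198.51.100.0/24", "static",    "203.0.113.1",  None),   # ECMP static pair
    ("198.51.100.0/24", "static",    "203.0.113.2",  None),
    ("203.0.113.0/24",  "connected", None,           "port1"),
]


def lookup(rib, addr, use_bgp):
    """Longest-prefix match for addr, returning every route of the winning
    length (ECMP). BGP routes are skipped unless use_bgp is True, which
    models the recursive-next-hop setting."""
    ip = ipaddress.ip_address(addr)
    best, best_len = [], -1
    for prefix, proto, nh, ifname in rib:
        if proto == "bgp" and not use_bgp:
            continue
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [(nh, ifname)], net.prefixlen
        elif net.prefixlen == best_len:
            best.append((nh, ifname))
    return best


def resolve_next_hop(rib, next_hop, use_bgp=False, max_depth=8):
    """Recursively resolve a BGP next hop to the (gateway, interface) pairs
    reachable over connected routes. Every ECMP route found at each step is
    followed, so several pairs may come back; [] means unresolvable.
    max_depth bounds the recursion so a route loop cannot run forever."""
    results = set()

    def walk(addr, depth):
        if depth > max_depth:
            return
        for nh, ifname in lookup(rib, addr, use_bgp):
            if ifname is not None:
                results.add((addr, ifname))   # addr is directly reachable here
            else:
                walk(nh, depth + 1)           # recurse through the next hop

    walk(next_hop, 0)
    return sorted(results)


if __name__ == "__main__":
    print("recursive-next-hop disabled:", resolve_next_hop(RIB, "192.0.2.1"))
    print("recursive-next-hop enabled: ", resolve_next_hop(RIB, "192.0.2.1", use_bgp=True))
```

With the flag off, the next hop 192.0.2.1 is only covered by a BGP route and therefore stays unresolved; with it on, resolution passes through the BGP route and then fans out over both ECMP static routes to two gateways on port1.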

Add SNMP OIDs for shaping-related statistics
Four SNMP OIDs have been added for polling the number of packets and bytes that either
conform to or are discarded by traffic shaping.

PRP handling in NAT mode with virtual wire pair
PRP (Parallel Redundancy Protocol) is supported in NAT mode for a virtual wire pair. This
preserves the PRP RCT (redundancy control trailer) while the packet is processed by the
FortiGate.

NetFlow on FortiExtender and tunnel interfaces
NetFlow sampling is supported on FortiExtender and VPN tunnel interfaces. VPN tunnel
interfaces can be IPsec, IP in IP, or GRE tunnels. NetFlow sampling is supported on both
NPU and non-NPU offloaded tunnels.

Integration with carrier CPE management tools
The following enhancements allow better integration with carrier CPE (customer premises
equipment) management tools:
• Add SNMP OIDs to collect the reason for a FortiGate reboot
• Add SNMP OIDs to collect traffic shaping profile and policy related configurations
• Add a description field on the modem interface that can be fetched over SNMP
• Bring a loopback or VLAN interface down when the link monitor fails
• Add DSCP and shaping class ID support on the link monitor probe
• Allow multiple link monitors with the same source and destination address, but different
ports or protocols

Explicit mode with DoT and DoH
DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in explicit mode, where the
FortiGate acts as an explicit DNS server that listens for DoT and DoH requests. Local-out
DNS traffic over TLS and HTTPS is also supported.

GUI page for OSPF settings
Users can configure advanced OSPF routing options on the Network > OSPF page.

GUI page for advanced dynamic routing settings
Users can configure advanced dynamic routing settings such as Route Maps and Prefix Lists
on the Network > Routing Objects page.

Speed-test enhancements to SD-WAN Network Monitor service
The SD-WAN network monitor service now supports running a speed test based on a
schedule. The test results are automatically updated in the interface
measured-upstream-bandwidth and measured-downstream-bandwidth fields. These fields do
not impact the interface inbound bandwidth, outbound bandwidth, estimated upstream
bandwidth, or estimated downstream bandwidth settings.

When the scheduled speed tests run, it is possible to temporarily bypass the bandwidth
limits set on the interface and configure custom maximum or minimum bandwidth limits.

Hold down time to support SD-WAN service recovery strategies

In a hub and spoke SD-WAN topology, with shortcuts created over ADVPN, a downed or
recovered shortcut can affect which member is selected by an SD-WAN service strategy.
When a downed shortcut tunnel recovers and the shortcut is added back into the service
strategy, the shortcut is held at a low priority until the hold down time has elapsed.

By default, the hold down time is zero seconds. It can be set to 0 - 10000000 seconds.

Passive WAN health measurement

SD-WAN passive WAN health measurement determines the health check measurements
using session information that is captured on firewall policies that have
passive-wan-health-measurement enabled, by monitoring the real-life traffic.

Using passive WAN health measurement reduces the amount of configuration required and
decreases the traffic that is produced by health check monitor probes doing active
measurements. By default, active WAN health measurement is enabled and might not reflect
the real-life traffic performance.

Explicit proxy authentication over HTTPS
When an HTTP request requires authentication in explicit proxy, the authentication can be
redirected to a secure HTTPS captive portal. Once authentication is complete, the client can
be redirected back to the original destination over HTTP.

This feature protects the user's credentials by redirecting the client to a captive portal on
the FortiGate over HTTPS for authentication, so that the credentials are encrypted and
transmitted in HTTPS.

Example
A user visits a website via HTTP through the explicit web proxy on a FortiGate device. The
user is required to authenticate by either basic or form IP-based authentication for the
explicit web proxy service. The user's credentials need to be transmitted over the network
securely over HTTPS rather than in plain text.

Selectively forward web requests to a transparent web proxy

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate transparent
web proxy to an upstream web proxy to avoid overwhelming the proxy server. Traffic can
be selected by specifying the proxy address (set webproxy-forward-server), which can be
based on a FortiGuard URL category.

Allow administrators to define password policy with minimum character change
In previous FortiOS versions, password policies were restricted to only enabling or disabling a
minimum of four new characters in a new password. Administrators can now set a minimum
number of unique characters in the new password that do not exist in the old password.
This setting overrides the password reuse option if both are enabled.
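
The policy logic described above, written out as an added illustration (not FortiOS code). The function names and the counting rule (distinct characters of the new password that never appear in the old one) are assumptions.

```python
def new_character_count(old_password: str, new_password: str) -> int:
    """Distinct characters in the new password that never appear in the old one.
    Counting rule is an assumption made for this illustration."""
    return len(set(new_password) - set(old_password))


def check_password_change(old_password: str, new_password: str,
                          min_change_characters: int = 0,
                          reuse_allowed: bool = True) -> tuple:
    """Apply the policy as the page describes it: a non-zero minimum-change
    setting overrides the reuse option, so only one of the two checks runs.
    Returns (accepted, reason)."""
    if min_change_characters > 0:
        changed = new_character_count(old_password, new_password)
        if changed < min_change_characters:
            return False, (f"only {changed} new character(s), policy requires "
                           f"at least {min_change_characters}")
        return True, f"{changed} new character(s) satisfy the policy"
    # No minimum-change requirement: fall back to the plain reuse check.
    if not reuse_allowed and new_password == old_password:
        return False, "password reuse is not allowed"
    return True, "no minimum-change requirement configured"
```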

Enhance host protection engine

The host protection engine (HPE) has been enhanced to add monitoring and logging
capabilities when the HPE is triggered. Users can enable or disable HPE monitoring, and
configure intervals and multipliers for the frequency when event logs and attack logs are
generated. These logs and monitors help administrators analyze the frequency of attack
types and fine-tune the desired packet rates in the HPE shaper.

ACME certificate support

The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is
used by the public Let's Encrypt certificate authority ([Link]) to provide
free SSL server certificates. The FortiGate can be configured to use certificates that are
managed by Let's Encrypt and other certificate management services that use the ACME
protocol. The server certificates can be used for secure administrator login to the
FortiGate.

FGSP four-member session synchronization and redundancy
By using session-sync-dev to offload session synchronization processing to the kernel,
four-member session synchronization can be supported to handle heavy loads.

In this topology, there are three FGSP peer groups for each FortiGate. Sessions are
synchronized between each FortiGate and its peer groups. Redundancy is achieved by using
two dedicated session sync device links for each peer setup. There are a total of six peer IPs
for each session synchronization device link in each FGSP peer. When one link fails,
session synchronization is not affected.

For optimization, sync-packet-balance is enabled to distribute synchronization packet
processing to multiple CPUs. The session synchronization process is offloaded to the kernel,
and sessions are synchronized over layer 2 on the connected interfaces (set session-sync-dev
"port5" "port6"). A jumbo frame MTU of 9216 is configured on each session
synchronization device link to reduce the overall number of packets; however, setting the
MTU to 9216 is entirely optional.

Layer 3 unicast standalone configuration synchronization between peers
Unicast standalone configurations are now supported on layer 3, allowing peers to be
synchronized in cloud environments that do not support layer 2 networking. Configuring a
unicast gateway allows peers to be in different subnets.

Improved link monitoring and HA failover time

When a link monitor fails, only the routes specified in the link monitor are removed from
the routing table, instead of all the routes with the same interface and gateway. If no route
is specified, then all of the routes are removed. Only IPv4 routes are supported.

On supported models, the HA heartbeat interval unit can be changed from the default,
100ms, to 10ms. This allows for a failover time of less than 50ms, depending on the
configuration and the network.

HA monitor shows tables that are out of synchronization

When units are out of synchronization in an HA cluster, the GUI will compare the HA
checksums and display the tables that caused HA to be out of synchronization. This can be
visualized on the HA monitor page and in the HA status widget.

HA failover due to memory utilization
An HA failover can be triggered when memory utilization exceeds the threshold for a specific
amount of time. Memory utilization is checked at the configured sample rate
(memory-failover-sample-rate). If the memory usage is above the threshold every time that it
is sampled for the entire monitor period, then a failover is triggered.
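
The sampling rule above, as an added illustration of the "every sample in the monitor period" semantics (not FortiOS code). The class name, the window arithmetic and the sample series are assumptions constructed for this example.

```python
from collections import deque
from typing import Optional


class MemoryFailoverMonitor:
    """Sliding-window check: a failover is triggered only when every sample taken
    during the monitor period is above the memory threshold. Names and the
    window arithmetic are assumptions for illustration, not FortiOS internals."""

    def __init__(self, threshold_percent: int, sample_rate_seconds: int,
                 monitor_period_seconds: int) -> None:
        if sample_rate_seconds <= 0 or monitor_period_seconds < sample_rate_seconds:
            raise ValueError("monitor period must cover at least one sample")
        self.threshold = threshold_percent
        # number of consecutive samples that make up one monitor period
        self.window = monitor_period_seconds // sample_rate_seconds
        self._samples = deque(maxlen=self.window)

    def observe(self, memory_percent: float) -> bool:
        """Record one sample; return True when a failover should be triggered."""
        self._samples.append(memory_percent > self.threshold)
        # A single sample at or below the threshold inside the window blocks the
        # failover, because usage must stay high for the entire period.
        return len(self._samples) == self.window and all(self._samples)


def first_failover_sample(samples, threshold_percent, sample_rate_seconds,
                          monitor_period_seconds) -> Optional[int]:
    """Replay a series of samples; return the index of the first sample that
    triggers a failover, or None if the condition is never met."""
    monitor = MemoryFailoverMonitor(threshold_percent, sample_rate_seconds,
                                    monitor_period_seconds)
    for index, value in enumerate(samples):
        if monitor.observe(value):
            return index
    return None


# Constructed series of memory-used percentages, one sample every 10 s (not real data).
SAMPLE_SERIES = [85, 90, 88, 79, 92, 95, 96, 97, 93, 91, 90]
```

With an 80% threshold, a 10 s sample rate and a 60 s monitor period, the dip to 79% at the fourth sample resets the window, so the failover fires only at the tenth sample.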

Immediate download update option
The FortiGuard Accept push updates option has been removed. On 2U models and larger
(excluding VMs), the Immediately download updates option is now available. This allows
the FortiGate to form a secure persistent connection with FortiGuard to get notifications of
new updates. Once notified, the FortiGate downloads the updates immediately.

The option can be enabled when the FortiGuard servers are connected in anycast
mode. Once there is updated information on subscribed contracts or object versions for the
FortiGate, FortiGuard sends a notification to the FortiGate via an HTTPS connection. The
FortiGate uses a daemon to wait for this information, then makes another connection to
the FortiGuard server to download the updates.

Add option to automatically update schedule frequency

The default auto-update schedule for FortiGuard packages has been updated. Previously,
the frequency was a recurring random interval within two hours. Starting in 7.0, the
frequency is automatic, and the update interval is calculated based on the model and
percentage of valid subscriptions. The update interval is within one hour.

Update OUI files from FortiGuard

FortiGuard updates for OUI files are used to identify device vendors by the MAC address.
This database is used in Wi-Fi and device detection.

Zero Trust Network Access introduction
Zero Trust Network Access (ZTNA) is an access control method that uses client device
identification, authentication, and zero-trust tags to provide role-based application access.
It gives administrators the flexibility to manage network access for on-net local users and
off-net remote users. Access to applications is granted only after device verification,
authenticating the user's identity, authorizing the user, and then performing context-based
posture checks using zero-trust tags.

Traditionally, a user and a device have different sets of rules for on-net access and off-net
VPN access to company resources. With a distributed workforce and access that spans
company networks, data centers, and cloud, managing the rules can become complex. User
experience is also affected when multiple VPNs are needed to get to various resources.

Two Modes: Full ZTNA and IP/MAC filtering

Full ZTNA allows users to securely access resources through an SSL encrypted access proxy.
This simplifies remote access by eliminating the use of VPNs.

IP/MAC filtering requires VPNs for remote users, but ZTNA tags provide an additional factor
for identification to implement role-based zero trust network access.

FortiClient endpoints provide the following information to FortiClient EMS when they
register to the EMS:
• Device information (network details, operating system, model, and others)
• Logged on user information
• Security posture (On-net/Off-net, antivirus software, vulnerability status, and others)

It also requests and obtains a client device certificate from the EMS ZTNA Certificate
Authority (CA), which the client uses to identify itself to the FortiGate.

FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate
serial number, and EMS serial number. The certificate is then synchronized to the FortiGate.
EMS also shares its EMS ZTNA CA certificate with the FortiGate, so that the FortiGate can
use it to authenticate the clients.

FortiClient EMS uses zero-trust tagging rules to tag endpoints based on the information
that it has on each endpoint. The tags are also shared with the FortiGate.

FortiGate maintains a continuous connection to the EMS server to synchronize endpoint
device information, including primarily: FortiClient UID, client certificate SN, EMS SN,
device credentials (user/domain), and network details (IP and MAC addresses, routing to
the FortiGate).

When a device's information changes, such as when a client moves from on-net to off-net, or
their security posture changes, EMS is updated with the new device information and then
updates the FortiGate. The FortiGate WAD daemon can use this information when
processing ZTNA traffic.

Filters for application control groups in NGFW mode
When defining application groups in NGFW policy mode, the following group filters are
now available: protocols, risk, vendor, technology, behavior, popularity, and category.

DNS health check monitor for server load balancing
A DNS health check monitor can be configured for server load balancing. The monitor uses
TCP or UDP DNS as the probes. The request domain is matched against the configured IP
address to verify the response. The DNS health check monitor does not support IPv6.
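
To show what the DNS probe actually has to do on the wire, here is an added example (not FortiOS code) that builds an A query, parses the reply, and reports the member healthy only when the answer contains the configured IP address. Message layout follows RFC 1035; the function names and the constructed reply are assumptions.

```python
import struct


def build_a_query(domain: str, txid: int) -> bytes:
    """Recursive A query for `domain` with transaction ID `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def _read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                            # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(data: bytes, expected_txid: int) -> list:
    """Validate the response header and return the IPv4 addresses it answers with."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):                                  # skip question section
        _, offset = _read_name(data, offset)
        offset += 4
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:       # A record, class IN
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def dns_probe_healthy(response: bytes, txid: int, expected_ip: str) -> bool:
    """Monitor verdict: healthy only if the expected IP is among the answers.
    Truncated or malformed replies and error RCODEs count as a failed probe."""
    try:
        return expected_ip in parse_a_records(response, txid)
    except (ValueError, IndexError, struct.error):
        return False


def build_a_response(query: bytes, addresses) -> bytes:
    """Constructed stand-in for the real server's reply, used to exercise the parser."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name -> offset 12
    return header + query[12:] + answers
```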

Carrier-grade NAT
Users can control concurrent TCP/UDP connections through a connection quota in the
per-IP shaper, and can control the port quota in the fixed port range IP pool.

Allow multiple virtual wire pairs in a virtual wire pair policy

This enhancement allows users to create a virtual wire pair policy that includes different
virtual wire pairs (VWPs). This reduces the overhead of creating multiple similar policies for
each VWP. This feature is supported in NGFW profile and policy mode.

In NGFW policy mode, multiple VWPs can be configured in a Security Virtual Wire Pair
Policy, and Virtual Wire Pair SSL Inspection & Authentication policy. The VWP settings
must have wildcard VLAN enabled. When configuring a policy in the CLI, the VWP members
must be entered in srcintf and dstintf as pairs.

On the Firewall Virtual Wire Pair Policy, Security Virtual Wire Pair Policy, and Virtual Wire
Pair SSL Inspection & Authentication pages, there is a drop-down list to view policies with
an individual VWP or all VWPs. If All VWPs is selected, the Interface Pair View is disabled.
The list displays all policies with an individual VWP or multiple VWPs.

Record central NAT and DNAT hit count
Daily hit counts for central NAT and DNAT can be displayed in the CLI for IPv4 and IPv6.

MAC address wildcard in firewall address

Wildcard MAC addresses can be used in firewall address so users can easily use pattern
matching, like vendor prefix, to define a group of addresses. The MAC address range is now
defined by specifying a <start>-<end> in a single field separated by a space, instead of
defining a start-mac and end-mac. Multiple addresses can be defined in a single line.

Stream-based antivirus scan in proxy mode for FTP, SFTP, and SCP
Stream-based antivirus scanning optimizes memory utilization for large archive files by
decompressing the files on the fly and scanning the files as they are extracted. File types
can be determined after scanning a few KB, without buffering the entire file. Viruses can be
detected even if they are hiding in the middle or end of a large archive. When scanning
smaller files, traffic throughput is improved by scanning the files directly on the proxy-based
WAD daemon, without invoking scanunit.

Stream-based scanning is the default scan mode when an antivirus profile is in proxy mode.
To disable stream-based scanning, the scan mode can be set to legacy mode, in which
archives are only scanned after the entire file has been received.

Configure threat feed and outbreak prevention without an antivirus scan

In the CLI, users can enable malware threat feeds and outbreak prevention without
performing an antivirus scan. In the GUI and CLI, users can choose to use all malware threat
feeds or specify the ones that they want to use. Replacement messages have been updated
for external block lists.

AI-based malware detection

This model integrates into regular antivirus scanning to help detect potentially malicious
Windows Portable Executables (PEs) in order to mitigate zero-day attacks. Previously, this
type of detection was handled by heuristics that analyzed file behavior. With antivirus engine
AI, the module is trained by FortiGuard antivirus against many malware samples to identify
file features that make up the malware. The antivirus engine AI package can be downloaded
by FortiOS via FortiGuard on devices with an active antivirus subscription.

Malware threat feed from EMS

A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives
malware hashes detected by FortiClient. The malware hash can be used in an antivirus
profile when scanning is enabled with block or monitor actions. This feature is currently only
supported in proxy mode.

DNP3 is used in industrial solutions over serial ports, USB ports, printers, and so on. The
DNP3 application signature dissector supports detecting DNP3 traffic that is encapsulated
by the RealPort protocol ([Link]). RealPort encapsulation allows transportation of the
underlying protocols over TCP/IP.

The FortiGate industrial signatures must be enabled to use RealPort.DNP3 signatures.

FortiGuard web filter categories to block child sexual abuse and terrorism
Web filter categories 83 (child sexual abuse, formerly child abuse) and 96 (terrorism) can
be used to enforce blocking and logging the Internet Watch Foundation (IWF) and
Counter-Terrorism Internet Referral Unit (CTIRU) list, respectively.

Enhance web filter antiphishing profile

The following enhancements have been made to the antiphishing profile:
• Allow username and password field patterns to be fetched from FortiGuard
• Add DNS support for domain controller IP fetching
• Add support to specify a source IP or port for the fetching domain controller
• Add LDAP server as a credential source (only the OpenLDAP server is supported)
• Block or log valid usernames regardless of password match
• Add literal custom patterns type for username and password

HTTP/2 support in proxy mode SSL inspection
Security profiles in proxy mode can perform SSL inspection on HTTP/2 traffic that is secured
by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

Define multiple certificates in an SSL profile in replace mode

Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting
SSL Server). This allows multiple sites to be deployed on the same protected server
IP address, and inspection based on matching the SNI in the certificate.

When the FortiGate receives the client and server hello messages, it will compare the SNI
and CN with the certificate list in the SSL profile, and use the matched certificate as a
replacement. If there is no matched server certificate in the list, then the first server
certificate in the list is used as a replacement.
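
The selection order just described (SNI first, then the server certificate CN, then the first list entry as fallback), written out as an added example that is not FortiOS code. The ServerCert stand-in, the one-label wildcard rule and the sample certificate list are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    """Minimal stand-in for one server certificate entry in the SSL profile list:
    the entry name, its subject CN, and any SAN DNS names (an assumption, not a
    FortiOS data structure)."""
    name: str
    common_name: str
    sans: tuple = ()

    def dns_names(self) -> tuple:
        return (self.common_name,) + tuple(self.sans)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*.' matches exactly one DNS label
    (the usual certificate wildcard rule, assumed here)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".corp.example.net"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[:-len(suffix)]
        return bool(prefix) and "." not in prefix
    return pattern == hostname


def select_replacement_cert(certs, sni=None, server_cn=None):
    """Pick the replacement certificate: try the client hello SNI, then the CN
    from the server hello certificate, and fall back to the first list entry."""
    if not certs:
        raise ValueError("SSL profile has no server certificates")
    for candidate in (sni, server_cn):
        if not candidate:
            continue
        for cert in certs:
            if any(hostname_matches(n, candidate) for n in cert.dns_names()):
                return cert
    return certs[0]                               # no match: first certificate wins


# Constructed certificate list for one protected server IP (sample data).
PROFILE_CERTS = [
    ServerCert("shop-cert", "shop.example.com", ("www.shop.example.com",)),
    ServerCert("corp-wildcard", "*.corp.example.net"),
]
```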

Support secure ICAP clients
A secure SSL connection from the FortiGate to the ICAP server can be configured.

Add TCP connection pool for connections to ICAP server

A TCP connection pool can maintain local-out TCP connections to the external ICAP server
due to a backend update in FortiOS. TCP connections are not terminated once data has
been exchanged with the ICAP server but instead are reused in the next ICAP session to
maximize efficiency.

Use case
An ICAP profile can be used as a UTM profile in an explicit web proxy policy, as clients visit
web servers through this proxy policy. Once the WAD is initialized, when an HTTP request is
sent from the client to the server through the FortiGate with an ICAP profile applied to the
matched proxy policy, a TCP connection is established between the FortiGate and the ICAP
server to exchange data.

When an ICAP session is finished, the TCP connection is kept in the WAD connection pool.
When another ICAP session needs to be established, the WAD checks if there are any
idle connections available in the connection pool. If an idle connection is available, then it
is reused; otherwise, a new TCP connection is established for the ICAP session. This
process can be checked in the WAD debug log.

WAD traffic dispatcher

Incoming WAD traffic can be directly distributed to the workers. This enhancement also
allows source addresses to be exempt from proxy affinity, so that traffic from the same
source to different servers can be distributed to workers in a round-robin configuration.

Video filtering
With the video filter profile, you can filter YouTube videos by channel ID for a more granular
override of a single channel, user, or video. The video filter profile is currently supported in
proxy-based policies and requires SSL deep inspection.

DNS filter handled by IPS engine in flow mode

In FortiOS 6.4, the DNS proxy daemon handles the DNS filter in flow and proxy mode
policies. Starting in 7.0, the IPS engine handles the DNS filter in flow mode policies and
queries the FortiGuard web filter server for FortiGuard categories. In proxy mode, the DNS
proxy daemon handles the DNS filter and queries the FortiGuard SDNS server for
FortiGuard categories.

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. Prior to
7.0, DoT and DoH traffic silently passed through the DNS proxy. In 7.0, the WAD is able to
handle DoT and DoH, and redirect DNS queries to the DNS proxy for further inspection.

Flow-based SIP inspection

Flow-based SIP inspection is done by the IPS engine. This optimizes memory and CPU usage
when VoIP profiles with SIP inspection are configured with other security profiles in a
flow-based firewall policy, because inspection is done entirely by the IPS engine. Proxy ALG
features that are supported in flow mode include blocking scenarios, rate limiting, and
malformed header detection. The inspection mode is selected in the firewall policy.

Configurable IKE port
Some ISPs block UDP port 500, preventing an IPsec VPN from being established. To
accommodate this, the IKE and IKE NAT-T ports can be changed. For an IP-level VPN
between a device and a VPN server, this can be useful to avoid issues caused by
intermediate devices, such as UDP ports 500 or 4500 being blocked.

To set the IKE ports:

config system settings
    set ike-port <integer>
    set ike-natt-port <integer>
end

IPsec global IKE embryonic limit

When trying to establish thousands of tunnels simultaneously, a situation can arise where
new negotiations starve other SAs from progressing to an established state in IKEv2.
Enhancements to the IKE daemon include prioritizing established SAs, offloading groups
20 and 21 to the CP9, and optimizing the default embryonic limits for mid- and high-end
platforms. The IKE embryonic limit is now configurable from the CLI.

On dial-up tunnels, IPsec packets can sometimes be dropped by the network due to
congestion, causing retries and hence traffic delay. To support packet duplication on
dial-up IPsec tunnels between sites, each spoke must be configured with a location ID. On
the hub, packet duplication is performed on the tunnels in the IPsec aggregate that have
the same location ID.

The FortiGate can be configured as an SSL VPN client, using an SSL VPN tunnel interface
type. When an SSL VPN client connection is established, the client dynamically adds a route
to the subnets that are returned by the SSL VPN server. Policies can be defined to allow
users that are behind the client to be tunnelled through SSL VPN to destinations on the SSL
VPN server.

FortiOS can be configured as an SSL VPN server that allows IP-level connectivity in tunnel
mode, and can act as an SSL VPN client that uses the protocol used by the FortiOS SSL VPN
server. This allows hub-and-spoke topologies to be configured with FortiGates as both the
SSL VPN hub and spokes.

For an IP-level VPN between a device and a VPN server, this can be useful to avoid issues
caused by intermediate devices blocking IPsec. It is also useful as it allows SSL encrypted
delivery of traffic in one tunnel, without having to install SSL clients on all of the “home”
devices, which has extra overhead and creates a tunnel for each client.

When a FortiClient endpoint is managed by FortiClient EMS, logged in user and domain
information is shared with FortiOS through the EMS connector. This information can be
joined with the Exchange connector to produce more complete user information in the
user store.

Security Assertion Markup Language (SAML) user authentication is supported for explicit
web proxies and transparent web proxies with the FortiGate acting as a SAML SP. SAML is
supported as a new authentication method for an authentication scheme that requires
using a captive portal.

Configure Agile Multiband Operation
The Wi-Fi Alliance Agile Multiband Operation (MBO) feature enables better use of Wi-Fi
network resources in roaming decisions and improves overall performance. This
enhancement allows the FortiGate to push the MBO configuration to managed APs, which
adds the MBO information element to the beacon and probe response for 802.11ax.

Captive portal authentication when bridged via software switch

In a scenario where a tunnel mode SSID or a VLAN sub-interface of an SSID is bridged with
other interfaces via a software switch, captive portal authentication on the SSID or VLAN
sub-interface is now allowed. Users accessing the SSID will be redirected to the captive
portal for authentication.

DHCP address enforcement

DHCP address enforcement ensures that clients who connect must complete the DHCP
process to obtain an IP address; otherwise, they are disconnected from the SSID. This
prevents users with static addresses that may conflict with the DHCP address scheme, or
users that fail to obtain a DHCP IP assignment, from connecting to the network.

Station mode on FortiAP radios to initiate tests against other APs

This enhancement allows service assurance management (SAM) mode to be configured
from the CLI, where a radio is designated to operate as a client and perform tests against
another AP. Ping and iPerf tests can run on an interval, and the results are captured in the
Wi-Fi event logs. This allows the FortiGate to verify and assure that an existing Wi-Fi network
can provide acceptable services.

Increase maximum number of supported VLANs

VLAN pooling in SSIDs allows you to load-balance users into various VLANs. To service larger
deployments, FortiGate 2U and high-end models support up to 64 VLANs.

Add RADIUS MAC delimiter options
In the wireless controller settings, options have been added to specify the delimiter used
for various RADIUS attributes for RADIUS MAC authentication and accounting, which allows
FortiOS to be configured to match a pre-existing RADIUS server.

Radio transmit power range in dBm
The radio transmit power can be configured in dBm or as a percentage in FortiAP profiles
and override settings.

The wireless controller supports NAC profiles that on-board wireless clients into the default
VLAN. NAC policies match clients based on device properties, user groups, or EMS tags, and
then assign the clients to specific VLANs. VLAN sub-interfaces are based on the VAP
interfaces that are used for the VLAN assignment.

When a wireless client first connects, it is assigned to the default VLAN per the NAC profile.
After the client information is captured, if it matches a NAC policy, the client is
disconnected and, when it reconnects, assigned to the VLAN that is specified by the SSID
policy.

The device properties that can be matched include: MAC address, hardware vendor, type,
family, operating system, hardware version, software version, host, user, and source.

The widget shows a pie chart of the assigned FortiSwitch NAC VLANs.
When expanded to the full screen, the widget shows a full list of devices grouped by VLAN,
NAC policy, or last seen.
The widget is added to the Users & Devices dashboard after a dashboard reset or can be
manually added to a dashboard.
It can also be accessed by going to WiFi & Switch Controller > NAC Policies and clicking View
Matched Devices.
The expanded view of the widget shows Assigned VLAN and Last Seen pie charts and a full
device list.
The list can be organized By VLAN, By NAC Policy, or By Policy Type.

Forward error correction (FEC) settings on switch ports
Supported managed-switch ports can be configured with a FEC state of Clause 74 FC-FEC
for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports.

Cancel pending or downloading FortiSwitch upgrades

A FortiSwitch device in FortiLink mode can be upgraded using the FortiGate device. If a
connectivity issue occurs during the upgrade process and the FortiSwitch device loses
contact with the FortiGate device, the FortiSwitch upgrade status can get stuck at
upgrading. This can now be cancelled from the CLI.

Automatic provisioning of FortiSwitch firmware upon authorization

FortiSwitch firmware images can be automatically provisioned after authorization. After a
FortiSwitch unit is authorized by FortiLink, its firmware is upgraded to the version
provisioned by the administrator. On FortiGate models that have a hard disk, up to four
images for the same FortiSwitch model can be uploaded. For FortiGate models without a
hard disk, only one image can be uploaded for each FortiSwitch model.

Use wildcards in a MAC address in a NAC policy

When configuring a NAC policy, you can use the wildcard character (*) when manually
specifying a MAC address to match multiple devices.

Additional FortiSwitch recommendations in Security Rating
Three new tests have been added to the FortiSwitch recommendations on the Security
Fabric > Security Rating page to help optimize your network. They check whether the
quarantine bounce port option is enabled, whether PoE is enabled in the switch controller
auto-config default policy, and whether PoE pre-standard detection is enabled for all user
ports.

FortiGate NAC engine optimization

The FortiGate NAC engine is responsible for assigning the device to the right VLAN based
on the NAC policy when a device first connects to a switch port or when a device goes from
offline to online. This process has been optimized to shorten the amount of time it takes
for a new device to be recognized and assigned to the VLAN.

Before these optimizations, the process took approximately 65 seconds from the time the
device links to a switch port to matching the device to a NAC policy. After optimization, the
process takes a maximum of 16 seconds with a minimum nac-periodic-interval of 5
seconds.

PoE pre-standard detection disabled by default

Starting with this version, the factory default setting for PoE pre-standard detection is
disabled for both managed and standalone FortiSwitch units. Depending on the FortiSwitch
model, you can manually change the poe-pre-standard-detection setting at the global level
or at the port level.

Cloud icon indicates that the FortiSwitch unit is managed over layer 3
A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3. The
cloud icon is displayed in two places in the GUI. Go to WiFi & Switch Controller > Managed
FortiSwitch and select Topology.

GUI support for viewing and configuring shared FortiSwitch ports

You can now use the GUI to view and configure FortiSwitch ports that are shared between
VDOMs. To share FortiSwitch ports between VDOMs, you must use the CLI. One use case
for this feature is to have each VDOM dedicated to a separate tenant with a single
administrator managing all VDOMs.

Dynamic port profiles for FortiSwitch ports

Dynamic port policies allow you to specify rules that dynamically determine port policies.
After you create the FortiLink policy settings, you define the dynamic port policy rules.
When a rule matches the specified device patterns, the switch-controller actions control
the port's properties.

When you add dynamic port policy rules to the FortiLink policy settings, the rules are
processed sequentially, from the first rule to the last rule. The last rule in the FortiLink
policy settings should indicate the default properties for any port that has been assigned
these FortiLink policy settings.

GUI updates for the switch controller

There have been GUI updates to the FortiSwitch Ports, FortiLink Interface, and FortiSwitch
NAC Policies pages to simplify the configuration of NAC policies. Previously, dynamic port
policies had to be configured using these pages. Now, configuring dynamic port policies is
under the Dynamic Port Policies tab on the FortiSwitch Port Policies page.

Add logs for the execution of CLI commands
The cli-audit-log option records the execution of CLI commands in system event logs (log ID
44548). In addition to execute and config commands, show, get, and diagnose commands
are recorded in the system event logs.
The cli-audit-log data can be recorded on memory or disk and can be uploaded to
FortiAnalyzer, FortiGate Cloud, or a syslog server.
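
Once those records reach a syslog server or FortiAnalyzer, they can be triaged. Here is an added example (not FortiOS code) that parses FortiGate-style key=value lines, keeps only log ID 44548 records, tallies read-only versus state-changing commands per administrator, and lists full-configuration exports. The sample lines are constructed and the exact field set for this log ID is assumed; check your firmware's log reference.

```python
import re
from collections import Counter, defaultdict

# Event log ID 44548 from the page, written in the 10-digit form used in
# FortiGate logs (assumed; verify against your firmware's log reference).
CLI_AUDIT_LOGID = "0100044548"

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> dict:
    """Parse one FortiGate-style key=value log line into a dict."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def command_class(cli: str) -> str:
    """Classify by the first CLI word: show/get/diagnose are read-only,
    config/execute change state."""
    words = cli.strip().split()
    verb = words[0].lower() if words else ""
    if verb in ("show", "get", "diagnose"):
        return "read"
    if verb in ("config", "execute"):
        return "change"
    return "other"


def summarize_cli_audit(lines) -> dict:
    """Return {user: {"read": n, "change": n, ...}} over audit records only."""
    summary = defaultdict(Counter)
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("logid") != CLI_AUDIT_LOGID:
            continue                        # not a CLI audit record
        user = fields.get("user", "<unknown>")
        summary[user][command_class(fields.get("cli", ""))] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def config_exports(lines) -> list:
    """(user, ui, cli) for commands that dump or back up the whole configuration.
    They are read-only but still worth a second look in a SOC."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("logid") != CLI_AUDIT_LOGID:
            continue
        cli = fields.get("cli", "").lower()
        if cli.startswith("show full-configuration") or cli.startswith("execute backup"):
            hits.append((fields.get("user"), fields.get("ui"), fields.get("cli")))
    return hits


# Constructed sample lines (not captured from a device); the field names follow
# FortiGate's key=value style, but the set of fields for log ID 44548 is assumed.
SAMPLE_LOGS = [
    'date=2023-03-01 time=09:12:41 logid="0100044548" type="event" subtype="system" '
    'level="notice" vd="root" user="admin" ui="ssh(192.0.2.10)" action="Execute" '
    'msg="Execute command" cli="show full-configuration"',
    'date=2023-03-01 time=09:13:02 logid="0100044548" type="event" subtype="system" '
    'level="notice" vd="root" user="admin" ui="ssh(192.0.2.10)" action="Execute" '
    'msg="Execute command" cli="config firewall policy"',
    'date=2023-03-01 time=09:15:27 logid="0100044548" type="event" subtype="system" '
    'level="notice" vd="root" user="noc-ro" ui="https(198.51.100.7)" action="Execute" '
    'msg="Execute command" cli="get system status"',
    'date=2023-03-01 time=09:15:40 logid="0100044548" type="event" subtype="system" '
    'level="notice" vd="root" user="noc-ro" ui="https(198.51.100.7)" action="Execute" '
    'msg="Execute command" cli="diagnose sys session list"',
    'date=2023-03-01 time=09:16:05 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="ssh(192.0.2.10)" action="login" '
    'msg="Administrator admin logged in successfully from ssh(192.0.2.10)"',
    'date=2023-03-01 time=09:18:11 logid="0100044548" type="event" subtype="system" '
    'level="notice" vd="root" user="admin" ui="ssh(192.0.2.10)" action="Execute" '
    'msg="Execute command" cli="execute backup config tftp fgt.conf 192.0.2.50"',
]
```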

Logging IP address threat feeds in sniffer mode

In sniffer mode, you can record traffic logs each time a source or destination address
matches an IP address on an external threat feed.

Collect only node IP addresses with Kubernetes SDN connectors
By default, Kubernetes SDN connectors return both pod and node IP addresses. Peer
Kubernetes SDN connectors can be configured to resolve dynamic firewall IP addresses to
only node IP addresses. Results can also be filtered by specific IP addresses.

Deploy FortiGate-VM A-P HA on IBM VPC Cloud (BYOL)

IBM VPC Cloud users can deploy their BYOL FortiGate-VMs in unicast HA. The HA failover
automatically triggers routing changes and floating IP reassignment on the IBM Cloud
via API.

Update AliCloud SDN connector to support Kubernetes filters

When an AliCloud SDN connector is configured, dynamic address objects can support
Kubernetes filters.

The following GUI enhancements have been added for FortiCarrier:
• Add Message rate limit configurations in GTP profiles
• Add GTP Tunnel Rate and GTP Tunnels dashboard widgets
• Display IP pool utilization status in the IP Pools page
• Support two new REST APIs for retrieving GTP statistics

93
This section contains an overview of the presentation (if necessary) and also has the
information about the (ISC)2 credits and a slide about the Fortinet Training Institute.

94
FortiGate Security
In this interactive course, you will learn how to use basic FortiGate features, including
security profiles.

In interactive labs, you will explore firewall policies, security fabric, user authentication, SSL
VPN, and how to protect your network using security profiles such as IPS, antivirus, web
filtering, application control, and more. These administration fundamentals will provide you
with a solid understanding of how to implement basic network security.

FortiGate Infrastructure
In this interactive course, you will learn how to use advanced FortiGate networking and
security.

Topics include features commonly applied in complex or larger enterprise or MSSP
networks, such as advanced routing, transparent mode, redundant infrastructure, site-to-
site IPsec VPN, single sign-on (SSO), and diagnostics.

95
The Fortinet Training Institute offers a full range of instructor-led, product-based
training courses. Our NSE training program is one of the most robust in the industry
and provides training to our partners and customers.

The range of cybersecurity training available includes:

• Advanced training for security professionals
• Technical training for IT professionals
• Awareness training for teleworkers

For more information about the Fortinet Training Institute, go to
[Link].
Make sure you use the correct version of this slide for your workshop.

97
This section contains information for students about completing the Fast Track lab.

98
This diagram shows the environment for the lab exercise.

99
FortiFIED is the application used to navigate the Fast Track lab guide. When you connect to
FortiFIED, you must enter a name and select the appropriate scoring mode that will be
used to evaluate your performance during the lab.

100
101
102