FortiOS 7.4.0 New Features Guide, pages 751-800

The document outlines enhancements in FortiOS 7.4.1 related to automatic firmware upgrades, including enabling patch upgrades through the FortiGate Setup wizard and managing settings via the GUI. It also introduces the concept of Selected Availability (SA) versions for long-term use and details how to view batch transaction commands through the REST API. Additionally, it describes the separation of the SSHD host key from the administration server certificate to prevent key file overwrites.


System

Automatic firmware upgrade enhancements - 7.4.1

This information is also available in the FortiOS 7.4 Administration Guide:

- Enabling automatic firmware updates

Several automatic firmware upgrade enhancements are added:

- Automatic patch upgrades are available in the FortiGate Setup wizard.
- Automatic patch upgrades can be enabled or disabled from System > Firmware & Registration.
- By default, entry-level FortiGates (lower than 100 series) have automatic firmware upgrades enabled.
- FortiGates belonging to a Security Fabric or FortiGates under management by a FortiManager cannot enable automatic firmware upgrade.

On FortiOS 7.4.2 and FortiOS 7.4.3, automatic firmware upgrade only allows upgrading to a
Mature build. For information about firmware maturity, see Firmware maturity levels.

To configure automatic firmware upgrades from the GUI:

1. Log in to the FortiGate GUI and click Begin.
2. Select Enable automatic patch upgrades for v7.4 (default setting).
3. Edit the upgrade and installation settings as needed (Upgrade schedule, Delay by number of days, Install during specified time), then click Save and continue.

FortiOS 7.4.0 New Features Guide 751


Fortinet Inc.
System

If Disable automatic patch upgrades is selected, this can be changed later from the
System > Firmware & Registration page by clicking the Disable automatic patch upgrades
notification.

4. The Enable Automatic Patch Upgrades dialog opens. Select I acknowledge and click OK to proceed.

The FortiGate will be updated based on the configured schedule when a new patch is available.
5. An email is sent to alert the administrator that the firmware upgrade schedule has changed.
6. Once a patch is detected, an email is sent to alert the administrator that a new image installation is scheduled.
7. After the image installation is completed, an email is sent to alert the administrator that the federated upgrade is
complete.

To view the default firmware upgrade settings:

1. Verify the FortiGuard firmware update settings:

# show full system fortiguard | grep firmware
set auto-firmware-upgrade enable
unset auto-firmware-upgrade-day
set auto-firmware-upgrade-delay 3
set auto-firmware-upgrade-start-hour 2
set auto-firmware-upgrade-end-hour 4

2. Verify the patch update schedule:

# diagnose test application forticldd 13
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
Next upgrade check scheduled at (local time) Wed Jul 26 03:26:33 2023

If the FortiGate is part of a Fabric or managed by FortiManager, the Automatic image upgrade option is set to disabled:

# diagnose test application forticldd 13
...
Automatic image upgrade: disabled.

To verify the update schedule after a new patch is detected:

# diagnose test application forticldd 13
...
Automatic image upgrade: Enabled.
Next upgrade check scheduled at (local time) Fri Jul 21 13:50:15 2023
New image 7.4.2b2600(07004000FIMG0019704002) installation is scheduled to
start at Sat Jul 22 13:03:56 2023
end by Sat Jul 22 14:00:00 2023

Sample email after configuring automatic firmware upgrades:

From: [email protected] <[email protected]>
Sent: Tuesday, July 25, 2023 11:08 AM
To: ********** <*****@fortinet.com>
Subject: Automatic firmware upgrade schedule changed

date=2023-07-25 time=11:07:34 devid="FG81EPTK19000000" devname="FortiGate-81E-POE"
eventtime=1690308454221334719 tz="-0700" logid="0100032263" type="event" subtype="system"
level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system"
msg="System patch-level auto-upgrade regular check enabled."

Sample email after a new image installation is scheduled:

From: [email protected] <[email protected]>
Sent: Friday, July 21, 2023 1:17 PM
To: ********** <*****@fortinet.com>
Subject: Automatic firmware upgrade schedule changed

date=2023-07-21 time=13:16:50 devid="FG81EPTK19000000" devname="FortiGate-81E-POE"
eventtime=1689970609076391174 tz="-0700" logid="0100032263" type="event" subtype="system"
level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system"
msg="System patch-level auto-upgrade new image installation scheduled between local time Sat
Jul 22 13:03:56 2023 and local time Sat Jul 22 14:00:00 2023."

Sample event logs after the federated upgrade is complete:

date=2023-07-22 time=13:55:37 eventtime=1689972938126416979 tz="-0700" logid="0100032138"
type="event" subtype="system" level="critical" vd="root" logdesc="Device rebooted"
ui="sfupgraded" action="reboot" msg="User rebooted the device from sfupgraded. The reason is
'upgrade firmware'"

date=2023-07-22 time=13:55:37 eventtime=1689972938126337130 tz="-0700" logid="0100032202"
type="event" subtype="system" level="critical" vd="root" logdesc="Image restored"
ui="sfupgraded" action="restore-image" status="success" msg="User restored the image from
sfupgraded (v7.4.1,build2425 -> v7.4.2,build2426)"

Sample email after the federated upgrade is complete:

From: [email protected] <[email protected]>
Sent: Friday, July 22, 2023 2:00 PM
To: ********** <*****@fortinet.com>
Subject: A federated upgrade was completed by the root FortiGate

date=2023-07-22 time=14:00:09 devid="FG81EPTK19000000" devname="FortiGate-81E-POE"
eventtime=1689973183346851869 tz="-0700" logid="0100022094" type="event" subtype="system"
level="information" vd="root" logdesc="A federated upgrade was completed by the root
FortiGate" msg="Federated upgrade complete" version="7.4.2"
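The event records above are what a log collector actually receives when automatic upgrades run, so they are also what a detection rule should key on. The following is an added example (not part of the Fortinet guide) that parses FortiOS key=value log lines and separates the scheduled upgrade events (the logid values and the ui="sfupgraded" marker are taken from the sample records above) from a reboot or image restore that did not come from the scheduled upgrader. The sample records are the ones printed above, joined onto single lines; the last record is constructed for the example and shows an image change initiated over SSH by an administrator, which is the case worth an alert.

```python
import re
from typing import Dict, List, Optional, Tuple

# One key=value pair: the value is either "double quoted" (spaces allowed) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# logid values as they appear in the sample logs on this page.
LOGID_SCHEDULE_CHANGED = "0100032263"
LOGID_DEVICE_REBOOTED = "0100032138"
LOGID_IMAGE_RESTORED = "0100032202"
LOGID_FEDERATED_UPGRADE_DONE = "0100022094"

# "(v7.4.1,build2425 -> v7.4.2,build2426)" inside an "Image restored" msg.
_VERSION_CHANGE_RE = re.compile(r"\((v[\d.]+),build(\d+) -> (v[\d.]+),build(\d+)\)")

# ui value the guide's sample logs show for a reboot/image restore done by the scheduled upgrade.
SCHEDULED_UPGRADE_UI = "sfupgraded"


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one FortiOS log record into a dict, stripping quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(rec: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (category, detail) for a firmware-upgrade related record, else None."""
    logid = rec.get("logid")
    if logid == LOGID_SCHEDULE_CHANGED:
        return "auto-upgrade-schedule", rec.get("msg", "")
    if logid == LOGID_FEDERATED_UPGRADE_DONE:
        return "federated-upgrade-complete", rec.get("version", "")
    if logid in (LOGID_DEVICE_REBOOTED, LOGID_IMAGE_RESTORED):
        m = _VERSION_CHANGE_RE.search(rec.get("msg", ""))
        detail = (f"{m.group(1)} build{m.group(2)} -> {m.group(3)} build{m.group(4)}"
                  if m else rec.get("logdesc", ""))
        # A reboot or image change that was not initiated by the scheduled upgrader
        # is the case an operator wants surfaced separately.
        if rec.get("ui") == SCHEDULED_UPGRADE_UI:
            return "scheduled-upgrade", detail
        return "unexpected-image-change", detail
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify every line that is a firmware-upgrade event, in input order."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        hit = classify(parse_log_line(line))
        if hit is not None:
            results.append(hit)
    return results


SAMPLE_LOGS = [
    # Records from the guide, each joined onto one line.
    'date=2023-07-25 time=11:07:34 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1690308454221334719 tz="-0700" logid="0100032263" type="event" subtype="system" level="notice" vd="root" logdesc="Automatic firmware upgrade schedule changed" user="system" msg="System patch-level auto-upgrade regular check enabled."',
    'date=2023-07-22 time=13:55:37 eventtime=1689972938126416979 tz="-0700" logid="0100032138" type="event" subtype="system" level="critical" vd="root" logdesc="Device rebooted" ui="sfupgraded" action="reboot" msg="User rebooted the device from sfupgraded. The reason is \'upgrade firmware\'"',
    'date=2023-07-22 time=13:55:37 eventtime=1689972938126337130 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="sfupgraded" action="restore-image" status="success" msg="User restored the image from sfupgraded (v7.4.1,build2425 -> v7.4.2,build2426)"',
    'date=2023-07-22 time=14:00:09 devid="FG81EPTK19000000" devname="FortiGate-81E-POE" eventtime=1689973183346851869 tz="-0700" logid="0100022094" type="event" subtype="system" level="information" vd="root" logdesc="A federated upgrade was completed by the root FortiGate" msg="Federated upgrade complete" version="7.4.2"',
    # Constructed for this example: same logid as the image-restore record, but not from the scheduled upgrader.
    'date=2023-07-23 time=02:14:05 eventtime=1690103645000000000 tz="-0700" logid="0100032202" type="event" subtype="system" level="critical" vd="root" logdesc="Image restored" ui="ssh(203.0.113.7)" user="admin" action="restore-image" status="success" msg="User restored the image from ssh(203.0.113.7) (v7.4.2,build2426 -> v7.4.0,build2360)"',
]
```

Feed `scan()` the records exported by the FortiGate's log forwarding; the "unexpected-image-change" category is the one to route to an alert, since a scheduled auto-upgrade always carries the upgrade daemon's ui value and is preceded by a schedule-changed record.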

Introduce selected availability (SA) version and label - 7.4.1

This information is also available in the FortiOS 7.4 Administration Guide:

- Selected availability (SA) versions

A selected availability (SA) version and label identify special builds that are provided to customers to use for a long time. The SA version uses an odd number as the minor version and a four-digit number for the patch version. The SA version and label are visible in the GUI and CLI.
SA builds are dual-signed by the Fortinet CA and a third-party CA.
In the following example, special build 0107 is based on FortiOS 7.4.0 build 8016 and is labeled v7.5.0107 build8016 (SA).

To view the SA version and label in the GUI:

1. Go to Dashboard > Status > System Information. The Firmware option displays the SA version and label of v7.5.0107 build8016 (SA).
2. On the top-right of the banner, click <administrator name>, such as admin. The SA version and label is displayed.

3. On the top-left corner of the banner, click the FortiGate name. A tooltip displays the SA version and label.

To view the SA version and label in the CLI:

# get system status
Version: FortiGate-2600F v7.4.0,build8016,230711 (SA)
SA Version: v7.5.0107,build8016
Security Level: 0
Firmware Signature: certified
...

The SA Version is displayed as v7.5.0107, build8016.

View batch transaction commands through the REST API - 7.4.1

The commands of an uncommitted batch transaction can be viewed through the REST API from an API client with the
transaction-show option. Previously administrators could only view commands of a batch transaction through the
CLI.

Example

In this example, use the REST API to change the admin timeout of the FortiGate. Before committing the change, check
the cached commands to view the pending changes. After committing the change, you cannot view the commands
because the transaction is complete.

To view batch transaction commands with the REST API:

1. From an API client, start a transaction with FortiGate. In this example, the transaction ID is 1.
user@test:~$ curl -k -X 'POST' 'https://<ip address>/api/v2/cmdb?action=transaction-start&vdom=vdom1&access_token=j8Gcs836dQsqbrd9637Qs770s0f13Q' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"timeout": 60
}'

response:
{
"http_method":"POST",
"revision":"df4217a73f57e09b766605b683fb5caf",
"revision_changed":false,
"results":{
"transaction-id":1
},
"vdom":"vdom1",
"action":"transaction-start",
"status":"success",
"http_status":200,
"serial":"<serial number>",
"version":"v7.4.2",
"build":2484
}

2. Change the admin timeout on the FortiGate for the started transaction.
For transaction ID 1, the admintimeout is set to 123.
user@test:~$ curl -k -X 'PUT' 'https://<ip address>/api/v2/cmdb/system/global?access_token=j8Gcs836dQsqbrd9637Qs770s0f13Q' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-H 'X-TRANSACTION-ID: 1' \
-d '{
"admintimeout": 123
}'

response:
{
"http_method":"PUT",
"revision":"c8263664d73eeff0e47db5e142fa5306",
"revision_changed":false,
"status":"success",
"http_status":200,
"vdom":"vdom1",
"path":"system",
"name":"global",
"serial":"<serial number>",
"version":"v7.4.2",
"build":2484
}

3. Before committing the commands, check the cached commands. The transaction-show results for transaction ID 1 show the uncommitted changes to admintimeout of 123.
user@test:~$ curl -k -X 'GET' 'https://<ip address>/api/v2/cmdb?action=transaction-show&transaction-id=1&access_token=j8Gcs836dQsqbrd9637Qs770s0f13Q' \
-H 'accept: application/json'

response:
{
"http_method":"GET",
"revision":"df4217a73f57e09b766605b683fb5caf",
"results":[
" config global",
" config system global",
" set admintimeout 123",
" end",
" end"
],
"vdom":"vdom1",
"action":"transaction-show",
"status":"success",
"http_status":200,
"serial":"<serial number>",
"version":"v7.4.2",
"build":2484
}

4. Commit transaction ID 1:
user@test:~$ curl -k -X 'POST' 'https://<ip address>/api/v2/cmdb?action=transaction-commit&vdom=vdom1&access_token=j8Gcs836dQsqbrd9637Qs770s0f13Q' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"transaction-id": 1
}'

response:
{
"http_method":"POST",
"revision":"df4217a73f57e09b766605b683fb5caf",
"revision_changed":false,
"status":"success",
"http_status":200,
"vdom":"vdom1",
"action":"transaction-commit",
"serial":"<serial number>",
"version":"v7.4.2",
"build":2484
}

5. Check the commands for transaction 1. An error is returned as expected because transaction 1 is complete. No cached commands are available to be viewed.
user@test:~$ curl -k -X 'GET' 'https://<ip address>/api/v2/cmdb?action=transaction-show&transaction-id=1&access_token=j8Gcs836dQsqbrd9637Qs770s0f13Q' \
-H 'accept: application/json'

response:

{
"http_method":"GET",
"revision":"df4217a73f57e09b766605b683fb5caf",
"error":-651,
"status":"error",
"http_status":500,
"vdom":"vdom1",
"action":"transaction-show",
"serial":"<serial number>",
"version":"v7.4.2",
"build":2484
}
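The five curl calls above form one exchange: start, a change tagged with X-TRANSACTION-ID, show, commit, show again. The following is an added example (not Fortinet code) that builds those same requests and runs them against a small in-process stand-in for the FortiGate, so the whole exchange can be stepped through offline. The stand-in reproduces only the behaviour the guide shows: cached commands are listable until commit, the live setting does not change until commit, and transaction-show on a committed ID answers with error -651 and HTTP 500. The host name, token and initial admintimeout value are placeholders. One deliberate difference from the curl lines: the token is sent in an Authorization: Bearer header, which FortiOS also accepts, rather than as an access_token query parameter, so it does not end up in proxy and web-server access logs.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://fortigate.example/api/v2/cmdb"  # placeholder for https://<ip address>/api/v2/cmdb
TOKEN = "<api-token-placeholder>"               # placeholder; never commit a real token


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[Dict[str, Any]] = None


def build_request(method: str, path: str = "", query: Optional[Dict[str, Any]] = None,
                  body: Optional[Dict[str, Any]] = None, transaction_id: Optional[int] = None) -> Request:
    """Build the request the guide's curl commands send; the token travels in a header."""
    headers = {"accept": "application/json", "Content-Type": "application/json",
               "Authorization": f"Bearer {TOKEN}"}
    if transaction_id is not None:
        headers["X-TRANSACTION-ID"] = str(transaction_id)  # ties the change to the open transaction
    url = BASE + path + (f"?{urlencode(query)}" if query else "")
    return Request(method, url, headers, body)


class FakeFortiGate:
    """Stand-in for the device (constructed for this example): tracks uncommitted
    transactions and the live configuration."""

    def __init__(self) -> None:
        self.config: Dict[str, Any] = {"admintimeout": 5}  # placeholder starting value
        self.pending: Dict[int, Dict[str, Any]] = {}        # transaction-id -> lines + settings
        self.next_id = 1

    def handle(self, req: Request) -> Dict[str, Any]:
        parts = urlsplit(req.url)
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        base = {"http_method": req.method, "vdom": q.get("vdom", "vdom1"), "version": "v7.4.2"}
        if req.headers.get("Authorization") != f"Bearer {TOKEN}":
            return {**base, "status": "error", "http_status": 401}
        action = q.get("action")
        if action == "transaction-start":
            tid, self.next_id = self.next_id, self.next_id + 1
            self.pending[tid] = {"lines": [], "settings": {}}
            return {**base, "action": action, "status": "success", "http_status": 200,
                    "results": {"transaction-id": tid}}
        if action == "transaction-show":
            tx = self.pending.get(int(q.get("transaction-id", 0)))
            if tx is None:  # committed or never started: nothing is cached any more
                return {**base, "action": action, "status": "error", "error": -651, "http_status": 500}
            return {**base, "action": action, "status": "success", "http_status": 200,
                    "results": list(tx["lines"])}
        if action == "transaction-commit":
            tx = self.pending.pop(int(req.body["transaction-id"]), None) if req.body else None
            if tx is None:
                return {**base, "action": action, "status": "error", "http_status": 500}
            self.config.update(tx["settings"])  # only now does the change become live
            return {**base, "action": action, "status": "success", "http_status": 200}
        if req.method == "PUT" and parts.path.endswith("/system/global") and req.body:
            tid = req.headers.get("X-TRANSACTION-ID")
            if tid is None or int(tid) not in self.pending:
                return {**base, "status": "error", "http_status": 400}
            tx = self.pending[int(tid)]
            tx["settings"].update(req.body)
            tx["lines"] += [" config global", " config system global",
                            *[f" set {k} {v}" for k, v in req.body.items()], " end", " end"]
            return {**base, "status": "success", "http_status": 200, "path": "system", "name": "global"}
        return {**base, "status": "error", "http_status": 404}


def walkthrough(device: FakeFortiGate) -> Dict[str, Any]:
    """Run the five steps from the guide and report what each one observed."""
    start = device.handle(build_request("POST", query={"action": "transaction-start", "vdom": "vdom1"},
                                        body={"timeout": 60}))
    tid = start["results"]["transaction-id"]
    put = device.handle(build_request("PUT", "/system/global", body={"admintimeout": 123}, transaction_id=tid))
    before = device.handle(build_request("GET", query={"action": "transaction-show", "transaction-id": tid}))
    live_before = device.config["admintimeout"]
    commit = device.handle(build_request("POST", query={"action": "transaction-commit", "vdom": "vdom1"},
                                         body={"transaction-id": tid}))
    after = device.handle(build_request("GET", query={"action": "transaction-show", "transaction-id": tid}))
    return {"tid": tid, "put": put["status"], "cached": before["results"], "live_before": live_before,
            "commit": commit["status"], "after_error": after.get("error"),
            "live_after": device.config["admintimeout"]}
```

To run the same sequence against a real device, send each `Request` with an HTTP client instead of `FakeFortiGate.handle`; the request shapes are unchanged.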

Separate the SSHD host key from the administration server certificate - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:

- Separating the SSHD host key from the administration server certificate

Separating the SSHD host key from the administration server certificate addresses the issue where the administration server key tends to overwrite one of the SSH host key files, which can lead to complications. It also resolves the problem where the SSH module regenerates the host key files after a factory reset, which previously prompted a host key warning when an older SSH client attempted to log in to the FortiGate using SSH.

config system global
set ssh-hostkey-override {enable | disable}
set ssh-hostkey-password <password>
set ssh-hostkey <encrypted_private_key>
end

The ssh-hostkey-algo option under config system global supports ECDSA 384 and ECDSA 256, allowing the
SSHD to accommodate the most commonly used host key algorithms.

To configure SSH host key override in SSHD:

1. Using the ssh-keygen tool, generate the host key (ecdsa-sha2-nistp384 is used in this example).
2. Configure the SSH host key override settings:
config system global
set ssh-hostkey-override enable
set ssh-hostkey-algo ecdsa-sha2-nistp384
set ssh-hostkey-password **********
set ssh-hostkey <encrypted_private_key>
end

3. On a PC, attempt to log in to the FortiGate with the defined ecdsa-sha2-nistp384 algorithm:
root@PC05:~# ssh [email protected]
The authenticity of host '172.16.200.1 (172.16.200.1)' can't be established.
ECDSA key fingerprint is SHA256:mcrMXSjtN/YjY3zQgZpxk77ezxPVGGGOL/GUOG8Oijs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.200.1' (ECDSA) to the list of known hosts.

4. Verify the server host key algorithms:

root@PC05:~# nmap -sV --script ssh2-enum-algos 172.16.200.1
Starting Nmap 7.01 ( https://nmap.org ) at 2023-11-07 15:47 PST
Nmap scan report for FGT_A (172.16.200.1)
Host is up (0.00013s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (8)
| diffie-hellman-group14-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group-exchange-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| server_host_key_algorithms: (1)
| ecdsa-sha2-nistp384
| encryption_algorithms: (3)
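Step 3 above shows the client's "authenticity of host ... can't be established" prompt with a SHA256 fingerprint. Because the administrator generated the host key in step 1, that fingerprint can be computed in advance from the public half of the key and compared before answering yes, instead of accepting whatever the first connection presents. The following is an added example (not Fortinet or OpenSSH code) that parses an ssh-keygen style public key line, checks that the declared type agrees with the key blob and is one of the two algorithms the guide lists for ssh-hostkey-algo, and computes the fingerprint in the format OpenSSH prints. The key material in it is constructed (the point is not a valid P-384 point), so its fingerprint is illustrative; feed the function the real public key line from your own ssh-keygen output.

```python
import base64
import hashlib
import struct
from typing import List, Tuple

# Host key algorithms the guide lists for ssh-hostkey-algo.
ALLOWED_HOSTKEY_ALGOS = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_strings(blob: bytes) -> List[bytes]:
    """Decode a sequence of SSH wire-format strings, refusing truncated input."""
    fields: List[bytes] = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def ecdsa_pubkey_line(curve: str, point: bytes, comment: str) -> str:
    """Build a public key line in the format ssh-keygen -y prints for an ECDSA key."""
    algo = f"ecdsa-sha2-{curve}"
    blob = _ssh_string(algo.encode()) + _ssh_string(curve.encode()) + _ssh_string(point)
    return f"{algo} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (algorithm, raw key blob); reject lines whose declared type disagrees with the blob."""
    algo, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields = _read_ssh_strings(blob)
    if not fields or fields[0].decode() != algo:
        raise ValueError("declared key type does not match key blob")
    if algo.startswith("ecdsa-sha2-"):
        if len(fields) < 3 or fields[1].decode() != algo[len("ecdsa-sha2-"):]:
            raise ValueError("curve identifier does not match key type")
    return algo, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64 of SHA-256 over the key blob, '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_host_key(line: str, expected_fingerprint: str) -> Tuple[bool, str]:
    """Accept the key only if its algorithm is permitted and its fingerprint equals the
    one computed from the key you provisioned on the FortiGate."""
    algo, blob = parse_pubkey_line(line)
    if algo not in ALLOWED_HOSTKEY_ALGOS:
        return False, f"algorithm {algo} not permitted"
    fp = sha256_fingerprint(blob)
    if fp != expected_fingerprint:
        return False, f"fingerprint mismatch: got {fp}"
    return True, fp


# Constructed sample: shaped like an uncompressed P-384 point (0x04 || X || Y) but not a real one.
SAMPLE_POINT = b"\x04" + bytes(range(96))
SAMPLE_LINE = ecdsa_pubkey_line("nistp384", SAMPLE_POINT, "fortigate-hostkey-example")
```

The string returned by `sha256_fingerprint()` is directly comparable with the "ECDSA key fingerprint is SHA256:..." line the ssh client prints; a mismatch at first connection means the key the device is presenting is not the one that was configured.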

FortiOS REST API enhances FortiManager interaction with FortiExtender - 7.4.2

The FortiOS REST API enables FortiManager firmware upgrade templates for FortiExtender modems to:

- Query the modem firmware version utilized by FortiExtender.
- Direct FortiExtender to install modem firmware updates from FortiCloud.

This feature enhances the interaction between FortiGate, FortiManager, and FortiExtender to ensure that FortiExtender firmware is always up-to-date.
The following prerequisites are required to use this feature:

- FortiExtender must be registered in FortiCloud.
- FortiExtender firmware version must be 7.4 on build 231 or later.
- FortiExtender must be connected to the internet.
- FortiExtender is managed by FortiGate, its status is Online, and the FortiExtender IP address is shown in FortiGate interfaces.

Example

In this example, a FortiManager administrator creates a firmware upgrade template for FortiExtender modem and assigns the template to the managed FortiGate with attached FortiExtender. When the FortiManager administrator uses the template to initiate an upgrade to the FortiExtender modem firmware, the template uses the FortiOS REST API to:

- Query the FortiGate for the current modem firmware version of the attached FortiExtender and the firmware versions available for FortiExtender on FortiCloud.
- Direct FortiExtender to install a specific version of firmware from FortiCloud.

To use FortiManager to update FortiExtender modem firmware:

1. In FortiManager create a firmware upgrade template for FortiExtender modem and assign it to the managed FortiGate with attached FortiExtender. For details, see the FortiManager 7.4 New Features.
2. In FortiManager, use the template to initiate a FortiExtender modem firmware upgrade. The template uses the FortiOS REST API to query FortiExtender for the current modem firmware version.
https://<ip address>/api/v2/monitor/extender-controller/extender/modem-firmware?serial=<number>

{
"http_method":"GET",
"results":{
"available":[
"FEM_EM06A-22-1-1"
],
"current":"FEM_EM06A-22-1-1"
},
"vdom":"root",
"path":"extender-controller",
"name":"extender",
"action":"modem-firmware",
"status":"success",
"serial":"<number>",
"version":"v7.4.2",
"build":2566
}

After receiving the API call, the following FortiOS command is run to provide the current and available FortiExtender firmware versions to FortiManager:

execute extender query-forticloud-mdmpkg-image all <serial number>

Local Modem Package:
FEM_07A-22-1-0-AMERICA

Versions on Cloud:
FEM_07A-22-2-0-AMERICA

3. After receiving the response from FortiGate, the FortiManager template automatically uses the FortiOS REST API
to direct FortiExtender to download a specific firmware version from FortiCloud and install it.
POST /api/v2/monitor/extender-controller/extender/upgrade-modem-firmware
{
"serial": <fext_serial>,
"firmware-name": <name>
}

After receiving the API call, the following FortiOS command is run to download a specific firmware version from
FortiCloud and install it to FortiExtender.
execute extender install-forticloud-mdm-package FEM_07A-22-2-0-AMERICA <serial number>

After the command is run on FortiGate, you can also use the FortiExtender console to view the progress of downloading and installing the modem firmware version.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  229M  100  229M    0     0  2575k      0  0:01:31  0:01:31 --:--:-- 2744k

[MDM FW upgrade]: Decompress package...
Archive: /tmp/upfile.zip
inflating: SWI9X50C_01.14.20.00_VERIZON_002.058_000.nvu
inflating: SWI9X50C_01.14.13.00.cwe
inflating: SWI9X50C_01.14.20.00.cwe
inflating: SWI9X50C_01.14.13.00_ATT_002.062_000.nvu
inflating: SWI9X50C_01.14.03.00_US-CELLULAR_002.011_001.nvu
inflating: SWI9X50C_01.14.13.00_GENERIC_002.048_000.nvu
inflating: SWI9X50C_01.14.03.00_TMO_002.005_004.nvu
inflating: SWI9X50C_01.14.03.00_TELUS_001.013_003.nvu
inflating: SWI9X50C_01.14.03.00.cwe
inflating: carrier_profile.conf
Starting modem firmware upgrade!

CLI system permissions - 7.4.2

Users now have the capability to exercise more granular control over CLI commands. This feature allows administrators
to customize access to CLI commands based on their role, access level, or seniority, thereby enhancing both security
and efficiency.

To configure CLI command access in administrative profiles:

config system accprofile
edit <name>
set cli-diagnose {enable | disable}
set cli-get {enable | disable}
set cli-show {enable | disable}
set cli-exec {enable | disable}
set cli-config {enable | disable}
next
end

This command allows the administrator to configure the administrator profiles by enabling specific CLI commands as
needed. The default setting for all the CLI command options is disable.

To edit an administrator profile, you must be logged in to an account with sufficient privileges,
or as a super_admin user.
By default, the FortiGate has an administrator account that uses the super_admin profile. See
Administrator profiles for more information.

Memory usage reduced on FortiGate models with 2 GB RAM - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:

- Fortinet Security Fabric

As part of improvements to reduce memory usage on FortiGate models with 2 GB RAM:

- FortiGate models with 2 GB RAM can be the root of the Security Fabric topology with a maximum of five downstream devices.
- FortiGate models can authorize a limited number of FortiExtender devices:
  - Two FortiExtenders for FortiGate 40F and 60E series devices and their variants
  - Six FortiExtenders for FortiGate 60F, 80E, and 90E series devices and their variants
- The memory footprint is reduced when running daemons, including Proxy/WAD, IPS engine, automation, and logging.
- The dynamic routing daemon only runs when required by the FortiGate configuration.

Models with reduced memory usage are the FortiGate 40F, 60E, 60F, 80E, and 90E series devices and their variants.
FortiOS 7.4.4 introduces additional changes for FortiGate models with 2 GB RAM. See Proxy-related features no longer supported on FortiGate 2 GB RAM models 7.4.4 on page 500 for more information.

Prevent firmware upgrade depending on the current firmware license's expiration date - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:

- Prevent FortiGates with an expired support contract from upgrading to a major or minor firmware release

In FortiOS 7.4.2 and above, enforcement of an active FortiGate firmware license to allow firmware upgrades has been
improved. Enforcement is based on the expiry date of the current firmware license compared to the release date of the
first GA release of a major version. For example, for FortiOS 7.4.x firmware upgrades, enforcement is based on the
expiry date of the current support contract compared to the release date of FortiOS 7.4.0 GA.
Therefore, upgrades between major, minor, and patch versions are only allowed if the firmware license is valid relative to
the release date of the first GA release of a major version. If the firmware license expiry date is earlier than the firmware
first GA major release date, then the firmware upgrade to that version will not be allowed. See the following Example on
page 763.
In the System > Firmware & Registration page, until the support contract is renewed, FortiGuard upgrades will be
unavailable; namely, the Confirm and Backup Config button will be grayed out. However, you will be able to view the
FortiGate firmware images available on FortiGuard using Latest, All Upgrades, and All Downgrades tabs and this
functionality will be restored upon support contract renewal.

Downgrades from one major version to another are not blocked because the FortiGate should have had a firmware
expiry date that is later than the release date of the older firmware major version.
For example, if the firmware license expiry date was March 25, 2024, the FortiGate is currently running 7.4.2 and you
wanted to downgrade to 7.2.7, since the release date of 7.2.0 GA was March 31, 2022 then this firmware downgrade
would be allowed. The firmware license expiry date is later than the release date of the older firmware major version,
7.2.0 GA.

This new feature is an expansion of 7.4.0 and 7.4.1 new features. See Prevent FortiGates with
an expired support contract from upgrading to a major or minor firmware release on page 747
and Prevent firmware upgrades when the support contract is expired using the GUI 7.4.1 on
page 749 for more information on upgrading to major and minor versions.

Example

In this example, the release dates of major versions are as follows:

- 7.4.0 GA release on May 8, 2023
- 7.6.0 GA release on March 31, 2024
- 7.8.0 GA release on March 31, 2025

This example is using fictitious GA release dates of future versions for illustrative purposes only. These dates do not indicate the official FortiOS release schedule.

The following table demonstrates whether you can upgrade the target FortiGate firmware version depending on the current firmware license expiry date.

Firmware license expiry date    Is a FortiGate firmware upgrade allowed to the target version?
                                7.4.x    7.6.x    7.8.x
March 31, 2025 or later         Yes      Yes      Yes
March 25, 2025                  Yes      Yes      No
March 25, 2024                  Yes      No       No
May 2, 2023                     No       No       No
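The rule behind the table is a single comparison: a move to a newer version is allowed only if the firmware license expiry date is on or after the first GA date of the target's major version, while downgrades are not blocked. The following is an added example (not Fortinet code) that encodes that rule and reproduces every row of the table, plus the 7.4.2 to 7.2.7 downgrade from the text. The GA dates are the ones this page uses (7.6.0 and 7.8.0 are the guide's fictitious dates; 7.2.0 comes from the downgrade example). It is useful for checking a fleet's license expiry dates against a planned upgrade before the change window.

```python
from datetime import date
from typing import Dict, Tuple

# First GA release date per major version (x.y), as given on this page.
GA_DATES: Dict[Tuple[int, int], date] = {
    (7, 2): date(2022, 3, 31),
    (7, 4): date(2023, 5, 8),
    (7, 6): date(2024, 3, 31),   # fictitious date from the guide's example
    (7, 8): date(2025, 3, 31),   # fictitious date from the guide's example
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.4.2' -> (7, 4, 2); tuples compare in version order."""
    return tuple(int(p) for p in v.split("."))


def upgrade_allowed(license_expiry: date, current: str, target: str) -> bool:
    """Apply the rule: moving to a newer version requires the firmware license to be
    valid on or after the first GA date of the target's major version. Downgrades are not blocked."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt < cur:
        return True
    ga = GA_DATES.get(tgt[:2])
    if ga is None:
        raise KeyError(f"no GA release date known for {target}")
    return license_expiry >= ga


def allowed_matrix(license_expiry: date, current: str = "7.4.2",
                   targets: Tuple[str, ...] = ("7.4.3", "7.6.0", "7.8.0")) -> Tuple[str, ...]:
    """One row of the guide's table: Yes/No for each target major version."""
    return tuple("Yes" if upgrade_allowed(license_expiry, current, t) else "No" for t in targets)


def rows_for_devices(expiries: Dict[str, date], target: str, current: str = "7.4.2") -> Dict[str, bool]:
    """Fleet view: which devices (keyed by a label) can take the planned upgrade."""
    return {name: upgrade_allowed(exp, current, target) for name, exp in expiries.items()}
```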

Updated default email notification server - 7.4.4

This information is also available in the FortiOS 7.4 Administration Guide:

- Email alerts

The FortiOS default email server has been changed from notification.fortinet.net to fortinet-notifications.com.
The reply-to value for the source email is automatically updated to [email protected] for all
servers, including custom servers. For custom servers, if a username is configured, then MAIL FROM is set to the
username, but if no username is configured, then MAIL FROM is the same as MAIL TO. You cannot customize the
reply-to value when configuring a custom email server in the CLI.
This default server is only available to registered devices with an active FortiCare support contract. If no FortiCare
support contract is recognized, a warning is displayed in System > Settings for SMTP Server.

If you try to apply changes in System > Settings without a registered FortiCare support contract, another warning will
display and require confirmation before you can proceed.

Configure TCP NPU session delay globally - 7.4.5

The TCP NPU session delay can be applied globally, eliminating the need to set this command for each firewall policy.
config system global
set delay-tcp-npu-session {enable | disable}
end

For more information about this feature, see Configure TCP NPU session delay globally.

Automatic firmware upgrade control - 7.4.5

This information is also available in the FortiOS 7.4 Administration Guide:

- Enabling automatic firmware upgrades

In FortiOS 7.4.5 and later, automatic firmware upgrades are enabled by default on all FortiGate models, including
FortiGate VMs. Previously, automatic firmware upgrades were enabled by default only on entry-level models and
disabled by default on all other models. Now with automatic upgrades enabled by default on all FortiGate models, the
system will automatically upgrade to the latest firmware version, unless you manually disable the feature.
When you log in to the FortiOS GUI for the first time after upgrading to version 7.4.5, you must acknowledge that
automatic firmware upgrades are enabled. You can edit or disable the automatic firmware upgrade settings in the GUI or
CLI.

Automatic firmware upgrades are disabled for FortiGates in the following situations:

- FortiGates centrally managed by FortiManager
- FortiGates in a Security Fabric

In addition, automatic firmware upgrades are not applied to FortiGates operating as a secondary unit in a high availability cluster, even when automatic firmware upgrades are enabled.

To acknowledge automatic firmware upgrades in the GUI after upgrade:

1. After upgrading to FortiOS 7.4.5 or later, log in to the GUI. The Enable Automatic Patch Upgrades dialog is displayed.
2. Select I acknowledge and click OK to continue the login process.

To edit the automatic firmware upgrade settings in the GUI:

1. Go to System > Firmware & Registration. The Automatic patch upgrades enabled button is displayed. If automatic patch upgrades are disabled, the Automatic patch upgrades disabled button is displayed.
2. Click the Automatic patch upgrades enabled or Automatic patch upgrades disabled button to open the Automatic Patch Upgrades pane.

3. Edit the settings, and click OK. For example, edit the schedule for automatic upgrades, or select Disable automatic patch upgrades to turn off the feature.

To edit automatic firmware upgrade settings in the CLI:

config system fortiguard
set auto-firmware-upgrade enable
set auto-firmware-upgrade-delay <number of days>
set auto-firmware-upgrade-start-hour <start hour>
set auto-firmware-upgrade-end-hour <end hour>
end

To disable automatic firmware upgrades in the CLI:

config system fortiguard
set auto-firmware-upgrade disable
end

High availability

This section includes information about HA related new features:

- FGCP HA between FortiGates of the same model with different AC and DC PSUs on page 767
- FGCP multi-version cluster upgrade 7.4.1 on page 776
- Enhance IPv6 VRRP state control 7.4.2 on page 781
- Single FortiGuard license for FortiGate A-P HA cluster 7.4.6 on page 783

FGCP HA between FortiGates of the same model with different AC and DC PSUs

This information is also available in the FortiOS 7.4 Administration Guide:

- FGCP HA between FortiGates of the same model with different AC and DC PSUs

To improve power redundancy, FGCP HA clusters can support forming HA between units of the same model but with
different AC PSU and DC PSU power supplies. This enables redundancy in a situation where power is completely lost on
the AC grid, but traffic can fail over to a cluster member running on an independent DC grid.
The cluster members must be the same model with the same firmware installed, and must have the same hardware
configuration other than the PSU.
In the following examples, there is an FGCP cluster with AC and DC PSU members: a FortiGate 1800F-DC (primary)
and FortiGate 1800F (secondary).

Basic configuration

To configure the FGCP cluster in the GUI:

1. On the primary FortiGate (FG-1800F-DC), go to System > HA.
2. Configure the following settings:

Mode                   Active-Passive
Device priority        128
Group ID               0
Group name             Example_cluster
Password               Enter a password.
Session pickup         Enable this setting.
Monitor interfaces     Click the + to add port5 and port6.
Heartbeat interfaces   Click the + to add ha1 and ha2.

3. Click OK.
4. On the secondary FortiGate (FG-1800F), go to System > HA.
5. Configure the following settings:

Mode                   Active-Passive
Device priority        127
Group ID               0
Group name             Example_cluster
Password               Enter a password.
Session pickup         Enable this setting.
Monitor interfaces     Click the + to add port5 and port6.
Heartbeat interfaces   Click the + to add ha1 and ha2.

6. Click OK.
7. Verify that the cluster status is Synchronized.

To configure the FGCP cluster in the CLI:

1. Configure the primary FortiGate (FG-1800F-DC):

config system ha
set group-name "Example_cluster"
set mode a-p
set password **********
set hbdev "ha2" 0 "ha1" 0
set session-pickup enable
set override disable
set monitor "port5" "port6"
end

2. Configure the secondary FortiGate (FG-1800F):

config system ha
set group-name "Example_cluster"
set mode a-p
set password **********
set hbdev "ha2" 0 "ha1" 0
set session-pickup enable
set override disable
set priority 127
set monitor "port5" "port6"
end

3. Verify the cluster status on the primary FortiGate:

# get system ha status
HA Health Status: OK
Model: FortiGate-1800F
Mode: HA A-P
Group Name: Example_cluster
Group ID: 0
Debug: 0
Cluster Uptime: 0 days 0:56:11
Cluster state change time: 2023-05-29 19:11:14
Primary selected using:
<2023/05/29 19:11:14> vcluster-1: FG180FTK*******1 is selected as the primary
because its uptime is larger than peer member FG180FTK*******2.
<2023/05/29 18:59:45> vcluster-1: FG180FTK*******2 is selected as the primary
because its uptime is larger than peer member FG180FTK*******1.
<2023/05/29 18:59:45> vcluster-1: FG180FTK*******1 is selected as the primary
because its override priority is larger than peer member FG180FTK*******2.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FG180FTK*******1(updated 4 seconds ago): in-sync
FG180FTK*******1 chksum dump: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04
FG180FTK*******2(updated 5 seconds ago): in-sync
FG180FTK*******2 chksum dump: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04
System Usage stats:
FG180FTK*******1(updated 4 seconds ago):
sessions=4, npu-sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%,
memory=22%
FG180FTK*******2(updated 5 seconds ago):
sessions=0, npu-sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%,
memory=22%
HBDEV stats:
FG180FTK*******1(updated 4 seconds ago):
ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=18367581/33512/0/0,
tx=9563450/16609/0/0
ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=11543018/22166/0/0,
tx=12359673/22151/0/0
FG180FTK*******2(updated 5 seconds ago):
ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=19133123/35087/0/0,
tx=10685583/18475/0/0
ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=17011332/25876/0/0,
tx=11919050/24991/0/0
MONDEV stats:
FG180FTK*******1(updated 4 seconds ago):
port5: physical/1000full, up, rx-bytes/packets/dropped/errors=988220/13742/0/0,
tx=106998000/73260/0/0
port6: physical/1000full, up, rx-
bytes/packets/dropped/errors=107084264/73624/0/0, tx=953158/13611/0/0
FG180FTK*******2(updated 5 seconds ago):
port5: physical/1000full, up, rx-bytes/packets/dropped/errors=38194/128/0/0,
tx=0/0/0/0
port6: physical/1000full, up, rx-bytes/packets/dropped/errors=99019/448/0/0,
tx=0/0/0/0
Primary : FortiGate-1800F , FG180FTK*******1, HA cluster index = 1
Secondary : FortiGate-1800F , FG180FTK*******2, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG180FTK*******1, HA operating index = 0
Secondary: FG180FTK*******2, HA operating index = 1

4. Verify the cluster status on the secondary FortiGate:


# get system ha status
HA Health Status: OK
Model: FortiGate-1800F
Mode: HA A-P
Group Name: Example_cluster
Group ID: 0
Debug: 0
Cluster Uptime: 0 days 0:56:53
Cluster state change time: 2023-05-29 19:11:14
Primary selected using:
<2023/05/29 19:11:14> vcluster-1: FG180FTK*******1 is selected as the primary
because its uptime is larger than peer member FG180FTK*******2.
<2023/05/29 18:59:45> vcluster-1: FG180FTK*******2 is selected as the primary
because its uptime is larger than peer member FG180FTK*******1.
<2023/05/29 18:55:03> vcluster-1: FG180FTK*******2 is selected as the primary
because it's the only member in the cluster.
<2023/05/29 18:54:57> vcluster-1: FG180FTK*******2 is selected as the primary
because SET_AS_SECONDARY flag is set on peer member FG180FTK*******1.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
...
Secondary : FortiGate-1800F , FG180FTK*******2, HA cluster index = 0
Primary : FortiGate-1800F , FG180FTK*******1, HA cluster index = 1
number of vcluster: 1
vcluster 1: standby 169.254.0.2
Secondary: FG180FTK*******2, HA operating index = 1
Primary: FG180FTK*******1, HA operating index = 0

Testing synchronization in the cluster

Based on the preceding example, the interface and firewall policy configurations are changed on the primary FortiGate.
These configuration changes and sessions are synchronized to the secondary FortiGate. If the switch port (port2)
connected to the primary's port5 goes down, the monitored interface port5 is detected as down, and the PC1 traffic fails
over to the secondary FortiGate.

To test configuration synchronization in the FGCP cluster:

1. Modify configurations on the primary FortiGate (FG-1800F-DC).


a. Edit the interface settings:
config system interface
edit "port5"
set ip 10.1.100.1 255.255.255.0
set allowaccess ping https ssh http telnet
set alias "To_Client_PC"
config ipv6
set ip6-address 2000:10:1:100::1/64
set ip6-allowaccess ping https ssh http
end
next
edit "port6"
set ip 172.16.200.1 255.255.255.0
set allowaccess ping https ssh http fgfm
set alias "To_Server"
config ipv6
set ip6-address 2000:172:16:200::1/64
set ip6-allowaccess ping https ssh http
end
next
end

b. Edit the firewall policy settings:


config firewall policy
edit 1
set name "to_server_policy"
set srcintf "port5"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic-start enable
next
end

2. On the secondary FortiGate (FG-1800F), verify that the settings were synchronized.
a. Verify the interface settings:
show system interface
config system interface
...
edit "port5"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
set alias "To_Client_PC"
set snmp-index 9
config ipv6
set ip6-address 2000:10:1:100::1/64
set ip6-allowaccess ping https ssh http
end
next
edit "port6"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set alias "To_Server"
set snmp-index 10
config ipv6
set ip6-address 2000:172:16:200::1/64
set ip6-allowaccess ping https ssh http
end
next
end

b. Verify the firewall policy settings:


show firewall policy
config firewall policy
edit 1
set name "to_server_policy"
set uuid 82a05e78-fe90-51ed-eb16-ee7bdea60de0
set srcintf "port5"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic-start enable
next
end

c. Verify the HA checksum:


# diagnose sys ha checksum show
is_manage_primary()=0, is_root_primary()=0
debugzone
global: 4e 15 af c3 c6 87 32 f5 69 5c b7 33 b1 8b 27 12
root: 4a 52 e4 f1 6a 2b eb 7d 84 7d f1 48 50 93 fe d9
all: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04

checksum
global: 4e 15 af c3 c6 87 32 f5 69 5c b7 33 b1 8b 27 12
root: 4a 52 e4 f1 6a 2b eb 7d 84 7d f1 48 50 93 fe d9
all: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04
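
The checksum output above has one line per scope (global, root, all), and the guide's all value is the same bytes that get system ha status prints as each member's chksum dump. The following added Python example (not from the guide and not Fortinet code) parses that output from two members and names the scope that differs, which is the first question to answer when a member shows out-of-sync. The secondary sample reuses the guide's values; the primary sample is constructed with a made-up root checksum so that the comparison has something to report.

```python
"""Compare `diagnose sys ha checksum show` output from two FGCP members.

Added example, not part of the FortiOS guide. The secondary sample is the
output shown in the guide; the primary sample is constructed with a
hand-altered root VDOM checksum to show how drift is reported.
"""
import re
from typing import Dict, List

# Constructed sample (values copied from the guide's secondary member).
SECONDARY_OUTPUT = """\
is_manage_primary()=0, is_root_primary()=0
debugzone
global: 4e 15 af c3 c6 87 32 f5 69 5c b7 33 b1 8b 27 12
root: 4a 52 e4 f1 6a 2b eb 7d 84 7d f1 48 50 93 fe d9
all: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04

checksum
global: 4e 15 af c3 c6 87 32 f5 69 5c b7 33 b1 8b 27 12
root: 4a 52 e4 f1 6a 2b eb 7d 84 7d f1 48 50 93 fe d9
all: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04
"""

# Constructed sample: a hypothetical primary whose root VDOM config differs.
# The root and all values are made up, not taken from the guide.
PRIMARY_OUTPUT_DRIFTED = """\
is_manage_primary()=1, is_root_primary()=1
debugzone
global: 4e 15 af c3 c6 87 32 f5 69 5c b7 33 b1 8b 27 12
root: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10

checksum
global: 4e 15 af c3 c6 87 32 f5 69 5c b7 33 b1 8b 27 12
root: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
"""

# One "<scope>: <16 hex bytes>" line inside a section.
CHECKSUM_LINE = re.compile(r"^(\S+):\s+((?:[0-9a-f]{2}\s*){16})$")


def parse_checksum_show(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"debugzone": {scope: hex}, "checksum": {scope: hex}}.

    The output has two sections, each headed by a bare word on its own
    line; every following "scope: bytes" line belongs to that section.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("debugzone", "checksum"):
            current = sections.setdefault(line, {})
            continue
        match = CHECKSUM_LINE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2).replace(" ", "")
    return sections


def differing_scopes(primary_text: str, secondary_text: str,
                     section: str = "checksum") -> List[str]:
    """List the scopes whose checksum differs between the two members.

    A scope present on only one member is reported as well: an extra or
    missing VDOM is a configuration mismatch too.
    """
    primary = parse_checksum_show(primary_text).get(section, {})
    secondary = parse_checksum_show(secondary_text).get(section, {})
    scopes = sorted(set(primary) | set(secondary))
    return [s for s in scopes if primary.get(s) != secondary.get(s)]


def members_in_sync(primary_text: str, secondary_text: str) -> bool:
    """True when no scope differs (the 'all' line then matches the chksum
    dump that get system ha status prints for each member)."""
    return differing_scopes(primary_text, secondary_text) == []


if __name__ == "__main__":
    print("in sync:", members_in_sync(SECONDARY_OUTPUT, SECONDARY_OUTPUT))
    print("drifted scopes:",
          differing_scopes(PRIMARY_OUTPUT_DRIFTED, SECONDARY_OUTPUT))
```

In practice the two texts come from running the command on each member (over the HA management interface or a console session); a drift in a single VDOM narrows the search to that VDOM's configuration before comparing full configuration dumps.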

To test session synchronization in the FGCP cluster:

1. On PC1, verify the IP address and gateway:


root@pc1:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0c:29:a0:60:d6
inet addr:10.1.100.11 Bcast:10.1.100.255 Mask:255.255.255.0
...

root@pc1:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.100.1 0.0.0.0 UG 0 0 0 eth1
10.1.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.6.30.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0

2. Using Wget, initiate a large file download with HTTP that will maintain a long session:
root@pc1:~# wget http://172.16.200.55/big100MB.html --keep-session-cookies --limit-rate=128k --progress=dot -S -r --delete-after
--2023-05-29 14:55:33-- http://172.16.200.55/big100MB.html
Connecting to 172.16.200.55:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Mon, 29 May 2023 21:55:41 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Thu, 01 Dec 2016 00:17:35 GMT
ETag: "6126784-5428dbf967ad3"
Accept-Ranges: bytes
Content-Length: 101869444
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Length: 101869444 (97M) [text/html]
Saving to: '172.16.200.55/big100MB.html'

0K .......... .......... .......... .......... .......... 0% 199K 8m18s


50K .......... .......... .......... .......... .......... 0% 100K 12m26s
100K .......... .......... .......... .......... .......... 0% 200K 11m3s
150K .......... .......... .......... .......... .......... 0% 100K 12m25s
200K .......... .......... .......... .......... .......... 0% 100K 13m14s
250K .......... .......... .......... .......... .......... 0% 200K 12m24s

3. On the primary FortiGate (FG-1800F-DC), check the session information:


# diagnose sys session filter dport 80
# diagnose sys session list

session info: proto=6 proto_state=01 duration=5 expire=3594 timeout=3600 flags=00000000


socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu synced log-start
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.1.100.11:54752->172.16.200.55:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.11:54752(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=15767 auth_info=0 chk_client_info=0 vd=0
serial=00000d80 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=133/132, ipid=132/133,
vlan=0x0000/0x0000
vlifid=132/133, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=12/12
total session: 1

4. On the secondary FortiGate (FG-1800F), check that the session is synchronized:

# diagnose sys session filter dport 80
# diagnose sys session list

session info: proto=6 proto_state=01 duration=47 expire=3552 timeout=3600 flags=00000000


socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=dirty may_dirty npu syn_ses
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.1.100.11:54752->172.16.200.55:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.11:54752(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00000d80 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0,
vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
total session: 1
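
The two session listings above can be compared mechanically: the same 5-tuple should appear on the secondary, carrying the syn_ses flag and zero byte counters, while the primary's copy carries synced. The added Python example below (not from the guide and not Fortinet code) parses diagnose sys session list in the format shown and reports which of the primary's sessions are present and flagged on the secondary. The primary sample is the guide's HTTP session plus a constructed UDP/53 session that has not been synchronized; the secondary sample is the guide's synchronized session.

```python
"""Check that the primary's sessions were synchronized to the secondary.

Added example, not Fortinet code. It parses `diagnose sys session list`
output in the format the guide shows. The UDP/53 session in the primary
sample is constructed so that the check has a missing session to report.
"""
import re
from typing import Any, Dict, List, Tuple

PRIMARY_SESSIONS = """\
session info: proto=6 proto_state=01 duration=5 expire=3594 timeout=3600 flags=00000000
socktype=0 sockport=0 av_idx=0 use=4
state=may_dirty npu synced log-start
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
hook=pre dir=org act=noop 10.1.100.11:54752->172.16.200.55:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.11:54752(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15767 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty npu
statistic(bytes/packets/allow_err): org=64/1/1 reply=0/0/0 tuples=2
hook=pre dir=org act=noop 10.1.100.11:40000->172.16.200.55:53(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:53->10.1.100.11:40000(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15767 auth_info=0 chk_client_info=0 vd=0
total session: 2
"""

SECONDARY_SESSIONS = """\
session info: proto=6 proto_state=01 duration=47 expire=3552 timeout=3600 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
state=dirty may_dirty npu syn_ses
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
hook=pre dir=org act=noop 10.1.100.11:54752->172.16.200.55:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.11:54752(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session: 1
"""

Key = Tuple[str, str, int, str, int]  # (proto, src ip, src port, dst ip, dst port)
KV_RE = re.compile(r"(\w+)=(\S+)")
ORG_RE = re.compile(r"hook=pre dir=org act=\S+ (\S+):(\d+)->(\S+):(\d+)\(")
STAT_RE = re.compile(r"org=(\d+)/(\d+)/\d+ reply=(\d+)/(\d+)/\d+")


def parse_session_list(text: str) -> List[Dict[str, Any]]:
    """Split the output into one dict per 'session info:' block."""
    sessions: List[Dict[str, Any]] = []
    cur: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            cur = dict(KV_RE.findall(line[len("session info:"):]))
            cur["state"] = set()
            sessions.append(cur)
        elif not cur:
            continue  # text before the first session block
        elif line.startswith("state="):
            cur["state"] = set(line[len("state="):].split())
        elif line.startswith("hook=pre dir=org"):
            m = ORG_RE.search(line)
            if m:
                cur["src"], cur["sport"] = m.group(1), int(m.group(2))
                cur["dst"], cur["dport"] = m.group(3), int(m.group(4))
        elif line.startswith("statistic("):
            m = STAT_RE.search(line)
            if m:
                cur["org_bytes"], cur["reply_bytes"] = int(m.group(1)), int(m.group(3))
        elif line.startswith("misc="):
            cur["policy_id"] = int(dict(KV_RE.findall(line)).get("policy_id", -1))
    return sessions


def session_key(s: Dict[str, Any]) -> Key:
    return (str(s["proto"]), s["src"], s["sport"], s["dst"], s["dport"])


def check_session_sync(primary_text: str, secondary_text: str) -> Dict[str, List[Key]]:
    """Compare the primary's table with the secondary's, keyed by 5-tuple.

    The guide's output shows the secondary's copy flagged `syn_ses`; a
    session present on the secondary without that flag is reported
    separately from one that is missing altogether.
    """
    primary = {session_key(s): s for s in parse_session_list(primary_text)}
    secondary = {session_key(s): s for s in parse_session_list(secondary_text)}
    report: Dict[str, List[Key]] = {"synced": [], "missing_on_secondary": [],
                                    "not_flagged_on_secondary": []}
    for key, _ in primary.items():
        ss = secondary.get(key)
        if ss is None:
            report["missing_on_secondary"].append(key)
        elif "syn_ses" not in ss["state"]:
            report["not_flagged_on_secondary"].append(key)
        else:
            report["synced"].append(key)
    return report
```

Short-lived sessions can legitimately be absent from the secondary, so the missing_on_secondary list is most meaningful for long-lived flows such as the wget download in this test.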

To test failover in the FGCP cluster:

1. On the switch connected to port5 of the primary FortiGate, set port2's status to down:
config switch physical-port
edit port2
set status down
next
end

2. Check the HA status on the primary FortiGate (FG-1800F-DC), which now becomes the secondary device:
# get system ha status
HA Health Status:
WARNING: FG180FTK*******1 has mondev down;
Model: FortiGate-1800F
Mode: HA A-P
Group Name: Example_cluster
Group ID: 0
Debug: 0
Cluster Uptime: 0 days 1:16:13
Cluster state change time: 2023-05-29 20:08:56
Primary selected using:
<2023/05/29 20:08:56> vcluster-1: FG180FTK*******2 is selected as the primary
because the value 0 of link-failure + pingsvr-failure is less than peer member
FG180FTK*******1.
<2023/05/29 19:11:14> vcluster-1: FG180FTK*******1 is selected as the primary
because its uptime is larger than peer member FG180FTK*******2.
<2023/05/29 18:59:45> vcluster-1: FG180FTK*******2 is selected as the primary
because its uptime is larger than peer member FG180FTK*******1.
<2023/05/29 18:59:45> vcluster-1: FG180FTK*******1 is selected as the primary
because its override priority is larger than peer member FG180FTK*******2.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
...
Secondary : FortiGate-1800F , FG180FTK*******1, HA cluster index = 1
Primary : FortiGate-1800F , FG180FTK*******2, HA cluster index = 0
number of vcluster: 1
vcluster 1: standby 169.254.0.1
Secondary: FG180FTK*******1, HA operating index = 1
Primary: FG180FTK*******2, HA operating index = 0

3. Check the HA status on the new primary FortiGate (FG-1800F):


# get system ha status
HA Health Status:
WARNING: FG180FTK*******1 has mondev down;
Model: FortiGate-1800F
Mode: HA A-P
Group Name: Example_cluster
Group ID: 0
Debug: 0
Cluster Uptime: 0 days 1:19:9
Cluster state change time: 2023-05-29 20:08:56
Primary selected using:
<2023/05/29 20:08:56> vcluster-1: FG180FTK*******2 is selected as the primary
because the value 0 of link-failure + pingsvr-failure is less than peer member
FG180FTK*******1.
<2023/05/29 19:11:14> vcluster-1: FG180FTK*******1 is selected as the primary
because its uptime is larger than peer member FG180FTK*******2.
<2023/05/29 18:59:45> vcluster-1: FG180FTK*******2 is selected as the primary
because its uptime is larger than peer member FG180FTK*******1.
<2023/05/29 18:55:03> vcluster-1: FG180FTK*******2 is selected as the primary
because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
...
Primary : FortiGate-1800F , FG180FTK*******2, HA cluster index = 0
Secondary : FortiGate-1800F , FG180FTK*******1, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FG180FTK*******2, HA operating index = 0
Secondary: FG180FTK*******1, HA operating index = 1

4. On PC1, verify that the HTTP traffic remains uninterrupted:


...
74700K .......... .......... .......... .......... .......... 75% 100K 3m13s
74750K .......... .......... .......... .......... .......... 75% 200K 3m13s
74800K .......... .......... .......... .......... .......... 75% 100K 3m12s
74850K .......... .......... .......... .......... .......... 75% 200K 3m12s
74900K .......... .......... .......... .......... .......... 75% 100K 3m12s
74950K .......... .......... .......... .......... .......... 75% 100K 3m11s
75000K .......... .......... .......... .......... .......... 75% 200K 3m11s
75050K .......... .......... .......... .......... .......... 75% 100K 3m10s
75100K .......... .......... .......... .......... .......... 75% 200K 3m10s
75150K .......... .......... .......... .......... .......... 75% 100K 3m10s
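
To verify cluster health after the initial configuration and to confirm a failover like the one above, the following added Python example (not from the guide and not Fortinet code) parses get system ha status as printed in this section: the WARNING line, the Primary/Secondary roles, the "Primary selected using" history, and the per-member sync state and checksum. Both samples are constructed from the guide's before and after outputs, with the masked serial numbers replaced by the placeholders FG180FTKXXXXXX1 and FG180FTKXXXXXX2.

```python
"""Audit `get system ha status` output and detect a primary change.

Added example, not Fortinet code. The two samples are constructed from the
guide's outputs before and after the monitored-interface failure, with the
masked serial numbers replaced by the placeholders FG180FTKXXXXXX1/2.
"""
import re
from typing import Any, Dict, List, Optional

STATUS_BEFORE = """\
HA Health Status: OK
Model: FortiGate-1800F
Mode: HA A-P
Group Name: Example_cluster
Group ID: 0
Cluster Uptime: 0 days 0:56:11
Cluster state change time: 2023-05-29 19:11:14
Primary selected using:
<2023/05/29 19:11:14> vcluster-1: FG180FTKXXXXXX1 is selected as the primary
because its uptime is larger than peer member FG180FTKXXXXXX2.
<2023/05/29 18:59:45> vcluster-1: FG180FTKXXXXXX2 is selected as the primary
because its uptime is larger than peer member FG180FTKXXXXXX1.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FG180FTKXXXXXX1(updated 4 seconds ago): in-sync
FG180FTKXXXXXX1 chksum dump: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04
FG180FTKXXXXXX2(updated 5 seconds ago): in-sync
FG180FTKXXXXXX2 chksum dump: 95 4e 92 c3 39 75 8e 0e db 83 8d b7 b2 b1 9f 04
Primary : FortiGate-1800F , FG180FTKXXXXXX1, HA cluster index = 1
Secondary : FortiGate-1800F , FG180FTKXXXXXX2, HA cluster index = 0
"""

STATUS_AFTER = """\
HA Health Status:
WARNING: FG180FTKXXXXXX1 has mondev down;
Model: FortiGate-1800F
Mode: HA A-P
Cluster state change time: 2023-05-29 20:08:56
Primary selected using:
<2023/05/29 20:08:56> vcluster-1: FG180FTKXXXXXX2 is selected as the primary
because the value 0 of link-failure + pingsvr-failure is less than peer member
FG180FTKXXXXXX1.
<2023/05/29 19:11:14> vcluster-1: FG180FTKXXXXXX1 is selected as the primary
because its uptime is larger than peer member FG180FTKXXXXXX2.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Secondary : FortiGate-1800F , FG180FTKXXXXXX1, HA cluster index = 1
Primary : FortiGate-1800F , FG180FTKXXXXXX2, HA cluster index = 0
"""

WARNING_RE = re.compile(r"^WARNING:\s*(.+?);?\s*$", re.M)
ROLE_RE = re.compile(r"^(Primary|Secondary)\s*:\s*\S+\s*,\s*(\S+),\s*HA cluster index", re.M)
# One election record; the "because ..." reason may wrap onto a second line.
ELECTION_RE = re.compile(
    r"<(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})> vcluster-\d+: (\S+) is selected as the primary"
    r"\s+because (.+?)\.\n", re.S)
CONFIG_RE = re.compile(r"^(\S+)\(updated \d+ seconds ago\): (in-sync|out-of-sync)$", re.M)
CHKSUM_RE = re.compile(r"^(\S+) chksum dump: ((?:[0-9a-f]{2} ?){16})$", re.M)


def parse_ha_status(text: str) -> Dict[str, Any]:
    """Extract health warnings, roles, election history and config sync state."""
    roles = ROLE_RE.findall(text)
    return {
        "warnings": [w.strip() for w in WARNING_RE.findall(text)],
        "primary": next((s for r, s in roles if r == "Primary"), None),
        "secondaries": [s for r, s in roles if r == "Secondary"],
        # Newest first, in the order the device prints them.
        "elections": [(ts, serial, " ".join(reason.split()))
                      for ts, serial, reason in ELECTION_RE.findall(text)],
        "config": dict(CONFIG_RE.findall(text)),
        "chksum": {s: h.replace(" ", "") for s, h in CHKSUM_RE.findall(text)},
    }


def audit_ha_status(text: str) -> List[str]:
    """Return human-readable findings; an empty list means a healthy cluster."""
    st = parse_ha_status(text)
    findings = [f"health: {w}" for w in st["warnings"]]
    findings += [f"config: {s} is {state}" for s, state in st["config"].items()
                 if state != "in-sync"]
    if len(set(st["chksum"].values())) > 1:
        findings.append("config: members report different checksums")
    if st["primary"] is None:
        findings.append("roles: no primary member listed")
    return findings


def detect_failover(before: str, after: str) -> Optional[Dict[str, str]]:
    """Report a primary change between two snapshots, with the device's reason."""
    old, new = parse_ha_status(before), parse_ha_status(after)
    if old["primary"] == new["primary"]:
        return None
    election = new["elections"][0] if new["elections"] else ("", "", "")
    return {"from": old["primary"], "to": new["primary"],
            "at": election[0], "reason": election[2]}
```

Run audit_ha_status on a snapshot collected at intervals and raise on any non-empty result; detect_failover on consecutive snapshots turns an unplanned primary change into an event that carries the device's own stated reason.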

FGCP multi-version cluster upgrade - 7.4.1

This information is also available in the FortiOS 7.4 Administration Guide:


l FGCP multi-version cluster upgrade

The FGCP multi-version cluster (MVC) upgrade mode allows manual control over the cluster member that is being
upgraded. HA members can temporarily run in an MVC while administrators perform tests to confirm traffic can pass
through the upgraded member smoothly.
The syntax of the existing upgrade mode has been updated:
config system ha
set upgrade-mode {simultaneous | uninterruptible | local-only | secondary-only}
end

upgrade-mode {simultaneous | uninterruptible | local-only | secondary-only}
Set the mode to upgrade a cluster.
l simultaneous: all HA members upgrade at the same time (previously set uninterruptible-upgrade disable).
l uninterruptible: secondary HA members are upgraded first, followed by the primary member (previously set uninterruptible-upgrade enable).
l local-only: only upgrade the local member in which the firmware is uploaded.
l secondary-only: only upgrade the secondary members.

The local-only and secondary-only upgrade options are advanced configurations that
should only be used to temporarily put the HA cluster in MVC operation mode. While in this
operation, states and sessions (such as the session table and routing table) are synchronized,
but configuration changes are not synchronized between cluster members in different builds. If
more than two members are in the cluster, the configurations between members in the same
builds will be synchronized. The configurations for the entire cluster will be synchronized once
the upgrade process has completed.

How it works

In local-only and secondary-only modes, the specific cluster member is upgraded and sessions are
synchronized to it. The following tables show which members are upgraded based on the mode and where the upgrade
is initiated.

local-only

Upgrade method: Initiate the upload or upgrade on the primary.
Outcome: The primary member is upgraded.
Recommendation: Not recommended.

Upgrade method: Initiate the upload or upgrade on the secondary member.
Outcome: The secondary member where the image is uploaded is upgraded.
Recommendation: Recommended when selecting a specific HA member to upgrade.

secondary-only

Upgrade method: Initiate the upload or upgrade on the primary.
Outcome: All non-primary members are upgraded.
Recommendation: Recommended for scenarios where there is more than one secondary HA member.

Upgrade method: Initiate the upload or upgrade on the secondary member.
Outcome: The secondary member where the image is uploaded is upgraded.
Recommendation: Same result as initiating an upgrade on a secondary member in local-only mode.

This can apply to any HA clusters with two or more members. Administrators can initiate an upgrade on a secondary
member by using its CLI console or accessing the device's GUI from its HA management interface.
Initially, when you prepare an HA cluster in A-P mode for upgrade, traffic passes through the primary unit (Node-A) as
the secondary unit (Node-B) sits on standby.

After the upgrade is completed on a secondary unit, states and sessions are synchronized. The members are now
operating in MVC mode; however, traffic continues to pass through Node-A.

Administrators can manually trigger failover to make Node-B the new primary when ready. This can be done by resetting
the HA uptime or changing device priorities, whichever method is desired. Traffic now passes through Node-B.

The upgraded system (Node-B) can be tested to verify that traffic can pass smoothly. If verification fails, administrators
can trigger a failover to fail back to Node-A to avoid any downtime.
If verification is successful, administrators can manually trigger an upgrade on Node-A to bring the HA member up to the
same version as Node-B to complete the HA upgrade procedure. This can be performed by accessing Node-A’s GUI
from its HA management interface or using its CLI console.

Example 1: upgrade a single secondary member using the local-only upgrade option

In this example, three HA members are running in an FGCP A-P HA cluster.

The member FGVM02TM22027808 is acting as the primary and forwarding traffic. The member FGVM02TM22027810
is chosen for upgrade.
The cluster is originally running build 2456. The secondary unit is upgraded to build 2461. Fictitious build numbers are
used in this example to demonstrate functionality of the feature.

To configure the HA cluster:

config system ha
set group-id 260
set group-name "hagroup"
set mode a-p
set hbdev "port3" 0
set session-pickup enable
set upgrade-mode local-only
end

To perform the upgrade:

1. On the secondary member (FGVM02TM22027810), log in to the CLI console.


2. Execute a TFTP upgrade:
FGVM02TM22027810 # execute restore image tftp /home/Images/FortiOS/v7.00/images/build2461/FGT_VM64-v7-build2461-FORTINET.out 172.16.100.71
This operation will replace the current firmware version!
Do you want to continue? (y/n)y

Please wait...

Connect to ftp server 172.16.100.71 ...
Get image from ftp server OK.
Verifying the signature of the firmware image.

Please wait for system to restart.

3. After the upgrade is complete, verify the version running on the secondary member:
FGVM02TM22027810 # get system status
Version: FortiGate-VM64 v7.4.1,build2461,230828 (interim)

4. On the primary unit, verify that HA is still formed between the three members:
FGVM02TM22027808 # diagnose sys ha dump-by group
<hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2
(work)/1692750721/1693262149
HA information.
group-id=260, group-name='hagroup'
has_no_aes128_gcm_sha256_member=0

gmember_nr=3
'FGVM02TM22027808': ha_ip_idx=2, hb_packet_version=10, last_hb_jiffies=0, linkfails=0,
weight/o=0/0, support_aes128_gcm_sha256=1
'FGVM02TM22027809': ha_ip_idx=1, hb_packet_version=12, last_hb_jiffies=51142842,
linkfails=3, weight/o=0/0, support_aes128_gcm_sha256=1
hbdev_nr=1: port3(mac=000c..de, last_hb_jiffies=51142842, hb_lost=0),
'FGVM02TM22027810': ha_ip_idx=0, hb_packet_version=4, last_hb_jiffies=51142858,
linkfails=3, weight/o=0/0, support_aes128_gcm_sha256=1
hbdev_nr=1: port3(mac=000c..1a, last_hb_jiffies=51142858, hb_lost=0),

vcluster_nr=1
vcluster-1: start_time=1692750718(2023-08-22 17:31:58), state/o/chg_time=2(work)/2
(work)/1692750721(2023-08-22 17:32:01)
pingsvr_flip_timeout/expire=3600s/0s
mondev: port1(prio=50,is_aggr=0,status=1) port7(prio=50,is_aggr=0,status=1)
port8(prio=50,is_aggr=0,status=1)
'FGVM02TM22027808': ha_prio/o=0/0, link_failure=0, pingsvr_failure=0,
flag=0x00000001, mem_failover=0, uptime/reset_cnt=510868/0
'FGVM02TM22027809': ha_prio/o=1/1, link_failure=0, pingsvr_failure=0,
flag=0x00000000, mem_failover=0, uptime/reset_cnt=510857/0
'FGVM02TM22027810': ha_prio/o=2/2, link_failure=0, pingsvr_failure=0,
flag=0x00000000, mem_failover=0, uptime/reset_cnt=0/0

5. Fail over the HA cluster so that the secondary member, FGVM02TM22027810, becomes the primary. Since
override is not enabled and the HA primary is determined by uptime, you can reset the HA uptime on the units that
were not upgraded:
# diagnose sys ha reset-uptime

6. Once verification on the upgraded member is successful, repeat step 2 to perform upgrades on the remaining units.

Example 2: upgrade multiple secondary members using the secondary-only upgrade option

Using the same topology as example 1, the three HA cluster members are originally running build 2456. Both secondary
units are upgraded using the secondary-only upgrade option. Fictitious build numbers are used in this example to
demonstrate functionality of the feature.

To configure the HA cluster:

config system ha
set group-id 260
set group-name "hagroup"
set mode a-p
set hbdev "port3" 0
set session-pickup enable
set upgrade-mode secondary-only
end

To perform the upgrade:

1. On the primary unit (FGVM02TM22027808), log in to the CLI console.


2. Execute a TFTP upgrade:
FGVM02TM22027808 # execute restore image tftp /home/Images/FortiOS/v7.00/images/build2461/FGT_VM64-v7-build2461-FORTINET.out 172.16.100.71

3. After the upgrade is complete, verify the version running on the secondary members.
a. Member 1:
FGVM02TM22027809 # get system status
Version: FortiGate-VM64 v7.4.1,build2461,230828 (interim)

b. Member 2:
FGVM02TM22027810 # get system status
Version: FortiGate-VM64 v7.4.1,build2461,230828 (interim)

4. On the primary unit, verify that HA is still formed between the three members:
FGVM02TM22027808 # diagnose sys ha dump-by group
HA information.
group-id=260, group-name='hagroup'
has_no_aes128_gcm_sha256_member=0

gmember_nr=3
'FGVM02TM22027808': ha_ip_idx=2, hb_packet_version=19, last_hb_jiffies=0, linkfails=0,
weight/o=0/0, support_aes128_gcm_sha256=1
'FGVM02TM22027809': ha_ip_idx=1, hb_packet_version=4, last_hb_jiffies=51358055,
linkfails=3, weight/o=0/0, support_aes128_gcm_sha256=1
hbdev_nr=1: port3(mac=000c..de, last_hb_jiffies=51358055, hb_lost=0),
'FGVM02TM22027810': ha_ip_idx=0, hb_packet_version=5, last_hb_jiffies=51358057,
linkfails=3, weight/o=0/0, support_aes128_gcm_sha256=1
hbdev_nr=1: port3(mac=000c..1a, last_hb_jiffies=51358057, hb_lost=0),

vcluster_nr=1
vcluster-1: start_time=1692750718(2023-08-22 17:31:58), state/o/chg_time=2(work)/2
(work)/1692750721(2023-08-22 17:32:01)
pingsvr_flip_timeout/expire=3600s/0s
mondev: port1(prio=50,is_aggr=0,status=1) port7(prio=50,is_aggr=0,status=1)
port8(prio=50,is_aggr=0,status=1)
'FGVM02TM22027808': ha_prio/o=0/0, link_failure=0, pingsvr_failure=0,
flag=0x00000001, mem_failover=0, uptime/reset_cnt=512775/0
'FGVM02TM22027809': ha_prio/o=2/2, link_failure=0, pingsvr_failure=0,
flag=0x00000000, mem_failover=0, uptime/reset_cnt=0/0
'FGVM02TM22027810': ha_prio/o=1/1, link_failure=0, pingsvr_failure=0,
flag=0x00000000, mem_failover=0, uptime/reset_cnt=1/0
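
During an MVC upgrade it helps to know, from one primary-side check, which members already run the target build and whether the cluster is still in the mixed-build state in which configuration changes are not synchronized. The added Python example below (not from the guide and not Fortinet code) parses the diagnose sys ha dump-by group output from example 1 together with each member's get system status Version line. The dump sample is trimmed from the guide's output; the two build2456 version strings are constructed, since the guide only shows the build2461 line, and the build numbers are the guide's fictitious ones.

```python
"""Map a multi-version cluster (MVC) from `diagnose sys ha dump-by group`.

Added example, not Fortinet code. The dump sample is trimmed from the
guide's example 1; the per-member version strings come from
`get system status`, with the build2456 strings constructed.
"""
import re
from typing import Any, Dict

DUMP_EXAMPLE1 = """\
HA information.
group-id=260, group-name='hagroup'
gmember_nr=3
'FGVM02TM22027808': ha_ip_idx=2, hb_packet_version=10, last_hb_jiffies=0, linkfails=0,
weight/o=0/0, support_aes128_gcm_sha256=1
'FGVM02TM22027809': ha_ip_idx=1, hb_packet_version=12, last_hb_jiffies=51142842,
linkfails=3, weight/o=0/0, support_aes128_gcm_sha256=1
hbdev_nr=1: port3(mac=000c..de, last_hb_jiffies=51142842, hb_lost=0),
'FGVM02TM22027810': ha_ip_idx=0, hb_packet_version=4, last_hb_jiffies=51142858,
linkfails=3, weight/o=0/0, support_aes128_gcm_sha256=1
hbdev_nr=1: port3(mac=000c..1a, last_hb_jiffies=51142858, hb_lost=0),

vcluster_nr=1
vcluster-1: start_time=1692750718(2023-08-22 17:31:58), state/o/chg_time=2(work)/2
(work)/1692750721(2023-08-22 17:32:01)
mondev: port1(prio=50,is_aggr=0,status=1) port7(prio=50,is_aggr=0,status=1)
'FGVM02TM22027808': ha_prio/o=0/0, link_failure=0, pingsvr_failure=0,
flag=0x00000001, mem_failover=0, uptime/reset_cnt=510868/0
'FGVM02TM22027809': ha_prio/o=1/1, link_failure=0, pingsvr_failure=0,
flag=0x00000000, mem_failover=0, uptime/reset_cnt=510857/0
'FGVM02TM22027810': ha_prio/o=2/2, link_failure=0, pingsvr_failure=0,
flag=0x00000000, mem_failover=0, uptime/reset_cnt=0/0
"""

# "Version:" line of `get system status` per member. The build2456 strings
# are constructed; only the build2461 line appears in the guide.
VERSIONS_EXAMPLE1 = {
    "FGVM02TM22027808": "FortiGate-VM64 v7.4.1,build2456,230801 (interim)",
    "FGVM02TM22027809": "FortiGate-VM64 v7.4.1,build2456,230801 (interim)",
    "FGVM02TM22027810": "FortiGate-VM64 v7.4.1,build2461,230828 (interim)",
}

# One vcluster member entry; the dump wraps it onto two lines.
MEMBER_RE = re.compile(
    r"'(\S+)': ha_prio/o=(\d+)/\d+, link_failure=(\d+), pingsvr_failure=(\d+),"
    r"\s*flag=(0x[0-9a-f]+), mem_failover=\d+, uptime/reset_cnt=(\d+)/(\d+)")
HB_LOST_RE = re.compile(r"hb_lost=(\d+)")
BUILD_RE = re.compile(r"build(\d+)")


def parse_members(dump: str) -> Dict[str, Dict[str, int]]:
    """Per-member election inputs from the vcluster section of the dump."""
    members: Dict[str, Dict[str, int]] = {}
    for serial, prio, lf, pf, flag, uptime, resets in MEMBER_RE.findall(dump):
        members[serial] = {"ha_prio": int(prio), "link_failure": int(lf),
                           "pingsvr_failure": int(pf), "flag": int(flag, 16),
                           "uptime": int(uptime), "reset_cnt": int(resets)}
    return members


def build_of(version_line: str) -> int:
    """Build number from a `get system status` Version line."""
    m = BUILD_RE.search(version_line)
    if not m:
        raise ValueError(f"no build number in {version_line!r}")
    return int(m.group(1))


def mvc_report(dump: str, versions: Dict[str, str], target_build: int) -> Dict[str, Any]:
    """Who is primary, who already runs the target build, and what is pending."""
    members = parse_members(dump)
    builds = {s: build_of(v) for s, v in versions.items()}
    missing = sorted(set(members) - set(builds))
    if missing:
        raise ValueError(f"no version reported for {missing}")
    upgraded = sorted(s for s in members if builds[s] == target_build)
    pending = sorted(s for s in members if builds[s] != target_build)
    # ha_prio=0 is the primary (the dump labels it "ha_prio=0(primary)").
    primary = next((s for s, m in members.items() if m["ha_prio"] == 0), None)
    return {
        "primary": primary,
        "upgraded": upgraded,
        "pending": pending,
        "primary_is_upgraded": primary in upgraded,
        # While builds are mixed, configuration changes are not synchronized
        # between members on different builds (see the note above).
        "mixed_builds": len(set(builds[s] for s in members)) > 1,
        "lost_heartbeats": sum(int(x) for x in HB_LOST_RE.findall(dump)),
    }
```

In example 1 the report shows the primary still pending and mixed_builds true, which is the state in which to hold off on configuration changes until the remaining members (the pending list, the same units on which the guide resets HA uptime) are upgraded.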

Enhance IPv6 VRRP state control - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:


l Ignore VRRP default route

State control for IPv6 Virtual Router Redundancy Protocol (VRRP) is enhanced. Previously, the VRRP state would be
Primary as long as any route, including the default route, could reach the IPv6 VRRP destination. Now administrators
can choose whether to exclude the default route from the calculation of available routes to the IPv6 VRRP destination to
better manage and control the VRRP states.
config system interface
edit <name>
config ipv6
config vrrp6
edit <id>
set ignore-default-route {enable | disable}
next
end
end
end

set ignore-default-route {enable | disable}
Set the default route to be ignored:
l enable: Ignore the default route when checking the VRRP destination.
l disable: Include the default route when checking the VRRP destination.

Example

In this example, the IPv6 VRRP destination (vrdst6) is set with an IPv6 address of 2000:172:22:20::22, and
ignore-default-route is enabled for the destination. As long as non-default routes exist to the VRRP destination,
the VRRP state is Primary. When only the default route to the VRRP destination exists, the VRRP state changes to
Backup.

To ignore the default route when checking the IPv6 VRRP destination:

1. Enable the default route to be ignored for IPv6 VRRP.


In the following example, the IPv6 VRRP destination (vrdst6) is set with an IPv6 address of
2000:172:22:20::22, and ignore-default-route is enabled for the destination.
config system interface
edit "port2"
config ipv6
set vrrp-virtual-mac6 enable
set vrip6_link_local fe80::926c:acff:2222:2222
config vrrp6
edit 100
set vrgrp 100
set vrip6 2000:10:1:100::222
set priority 200
set vrdst6 2000:172:22:20::22
set ignore-default-route enable
next
end
end
next
end

2. Check the route for IPv6 VRRP destination.


In the following example, the routing table shows an active route through port1 to the IPv6 VRRP destination of
2000:172:22:20::22. The active route is not a default route.
# get router info6 routing-table 2000:172:22:20::22
Routing entry for 2000:172:22:20::/80
Known via "static", distance 10, metric 0
Last update 00:00:15 ago
via 2000:172:16:200::55, port1

3. Check VRRP group information for IPv6.


In the following example, the VRRP state is Primary because non-default routes to the IPv6 VRRP destination
exist as shown in the previous step.
# get router info6 vrrp
Interface: port2, primary IPv6 address: 2000:10:1:100::1
link-local IPv6 address: fe80::96f3:92ff:fe15:1ecd
Virtual link-local IPv6 address: fe80::926c:acff:2222:2222
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 1
HA mode: primary (0:0:1)
VRT primary count: 1
VRID: 100 version: 3
vrip: 2000:10:1:100::222, priority: 200, state: PRIMARY
adv_interval: 1, preempt: 1, ignore_dft: 0, start_time: 3
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:02:64
vrdst: 2000:172:22:20::22
vrgrp: 100

4. Delete the non-default routes to the IPv6 VRRP destination (vrdst6), and check the routes again.
In the following example, the routing table shows only the default route (::/0) is available to the IPv6
VRRP destination of 2000:172:22:20::22.
# get router info6 routing-table 2000:172:22:20::22
Routing entry for ::/0
Known via "static", distance 10, metric 0, best
Last update 02:02:09 ago
* via 2000:172:16:200::254, port1

5. Check VRRP group information for IPv6.


In the following example, the VRRP state is Backup because only the default route is available to the IPv6
VRRP destination as shown in the previous step.
# get router info6 vrrp
Interface: port2, primary IPv6 address: 2000:10:1:100::1
link-local IPv6 address: fe80::96f3:92ff:fe15:1ecd
Virtual link-local IPv6 address: fe80::926c:acff:2222:2222
UseVMAC: 1, SoftSW: 0, EmacVlan: 0 BrPortIdx: 0, PromiscCount: 0
HA mode: primary (0:0:1)
VRT primary count: 0
VRID: 100 version: 3
vrip: 2000:10:1:100::222, priority: 0, state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 1, start_time: 3 but
primary_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:02:64
vrdst: 2000:172:22:20::22
vrgrp: 100
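
The rule behind steps 2 to 5 can be checked with a script: look up the route the destination resolves to, then compare the state the feature predicts with the state get router info6 vrrp reports. The added Python example below (not from the guide and not Fortinet code) does this using the guide's two routing-table outputs and the two VRRP outputs, trimmed to the lines it needs. Treating "no route at all" as BACKUP is an assumption of the example, since the guide only describes the default-route case.

```python
"""Predict and verify the IPv6 VRRP state from the route to vrdst6.

Added example, not Fortinet code. Samples are the guide's
`get router info6 routing-table` and `get router info6 vrrp` outputs,
trimmed. The rule encoded is the one the feature describes: a non-default
route to the destination keeps the router PRIMARY; when only the default
route (::/0) reaches it, the state is BACKUP if ignore-default-route is
enabled and PRIMARY otherwise (the behaviour before this enhancement).
"""
import re
from typing import Any, Dict, List, Optional, Tuple

ROUTE_NONDEFAULT = """\
Routing entry for 2000:172:22:20::/80
Known via "static", distance 10, metric 0
Last update 00:00:15 ago
via 2000:172:16:200::55, port1
"""

ROUTE_DEFAULT = """\
Routing entry for ::/0
Known via "static", distance 10, metric 0, best
Last update 02:02:09 ago
* via 2000:172:16:200::254, port1
"""

VRRP_PRIMARY = """\
Interface: port2, primary IPv6 address: 2000:10:1:100::1
VRID: 100 version: 3
vrip: 2000:10:1:100::222, priority: 200, state: PRIMARY
adv_interval: 1, preempt: 1, ignore_dft: 0, start_time: 3
vrdst: 2000:172:22:20::22
"""

VRRP_BACKUP = """\
Interface: port2, primary IPv6 address: 2000:10:1:100::1
VRID: 100 version: 3
vrip: 2000:10:1:100::222, priority: 0, state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 1, start_time: 3
vrdst: 2000:172:22:20::22
"""

ROUTE_RE = re.compile(r"^Routing entry for (\S+)$", re.M)
VRID_RE = re.compile(r"^VRID: (\d+)", re.M)
STATE_RE = re.compile(r"state: (\w+)")
IGNORE_RE = re.compile(r"ignore_dft: (\d)")


def parse_route_prefix(text: str) -> Optional[str]:
    """The prefix the destination resolved to, or None when no route matched."""
    m = ROUTE_RE.search(text)
    return m.group(1) if m else None


def expected_vrrp_state(prefix: Optional[str], ignore_default_route: bool) -> str:
    """State the feature predicts for the route the destination resolves to."""
    if prefix is None:
        # Assumption of this example: no route at all means the destination
        # is unreachable, so the router should not stay PRIMARY.
        return "BACKUP"
    if prefix == "::/0" and ignore_default_route:
        return "BACKUP"  # only the default route, and it is excluded
    return "PRIMARY"


def parse_vrrp(text: str) -> Dict[int, Dict[str, Any]]:
    """Per-VRID state and ignore_dft flag from `get router info6 vrrp`."""
    groups: Dict[int, Dict[str, Any]] = {}
    chunks = VRID_RE.split(text)  # [preamble, vrid, body, vrid, body, ...]
    for vrid, body in zip(chunks[1::2], chunks[2::2]):
        state = STATE_RE.search(body)
        ignore = IGNORE_RE.search(body)
        groups[int(vrid)] = {
            "state": state.group(1) if state else None,
            "ignore_default_route": bool(ignore and ignore.group(1) == "1"),
        }
    return groups


def check_vrrp(route_text: str, vrrp_text: str) -> List[Tuple[int, str, str, bool]]:
    """(vrid, expected, observed, consistent) for each VRRP group."""
    prefix = parse_route_prefix(route_text)
    results = []
    for vrid, info in sorted(parse_vrrp(vrrp_text).items()):
        expected = expected_vrrp_state(prefix, info["ignore_default_route"])
        results.append((vrid, expected, info["state"], expected == info["state"]))
    return results
```

A mismatch between expected and observed is the interesting result: it means either the routing table changed after the VRRP check ran, or the setting in effect is not the one assumed.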

Single FortiGuard license for FortiGate A-P HA cluster - 7.4.6

FortiGate A-P HA cluster now supports sharing a single FortiGuard service license for both cluster units for the following
models:
l 40F and variants
l 60F and variants
l 70F and variants
l 80F and variants
l 100F and variants
When a customer purchases two units with the HA SKU (such as 2 x FG-40F-HA), they can further purchase a single
order of the following subscriptions:
l Enterprise Protection
l Unified Threat Protection (UTP)
l Advanced Threat Protection (ATP)
The two FortiGate serial numbers will be associated together on FortiCare to create one virtual serial number (vSN). If
multiple pairs of devices are ordered, each pair will be together in its own box to help identify the associated devices. The
aforementioned services will then be registered to the vSN. A la carte SKUs are not supported, and cannot be registered
to the vSN.
This is supported on FortiOS 7.2.9, 7.4.6 and 7.6.1 and above for supported models.
Deploying the FortiGates in HA to support vSN requires two steps:
1. Register the FortiGate and associated service contract
2. Provision the FortiGate HA configurations either through FortiGate Cloud or manually

For information about RMAing the HA cluster, see RMA the FortiGate virtual HA on page 787.

To register the FortiGates and associated contract:

1. Log in to the FortiCloud support portal.


2. In the Dashboard, click Register Now to register a device and contract.
3. In the Registration field, enter one of the FortiGate serial numbers. Do not enter the service contract
registration code, license certificate number, or asset transfer token.
4. Set the end user type, then click Next.
5. Enter the FortiCloud key from the FortiGate in the FortiCloud Key field, and the Registration Code from the service
entitlement document in the Contract field.

6. Configure the remaining settings as needed then click Next.

7. Check the HA vSN and the serial number of the second device, then click Next.
8. Review the configuration, then click Done to complete the registration.

The vSN is registered in Asset Management with service entitlement. The individual FortiGates cannot be
managed.

All FortiGates in an HA cluster should be registered to the same FortiCare account.

To configure the FortiGates in HA using FortiGate Cloud:

1. In the FortiGate Cloud portal, provision the FortiGate:


a. In the FortiCloud support portal, go to Services > FortiGate Cloud to open the portal.
b. Go to Assets > Asset list and click Add FortiGate.
c. Select the FortiGate vSN from the inventory table and click Provision > Provision to FortiGate Cloud.
2. Unpack the boxes and connect the HA interfaces back to back using the highest physical port number that is not a
fabric port (portA and portB) as indicated:

Model HA interface

FortiGate 40F series port3

FortiGate 60F series port5

FortiGate 70F series port4 and/or 5

FortiGate 80F series port5 and/or 6

FortiGate 100F series ha1 and/or ha2

Some models have 2 HA interfaces. In these cases, both interfaces will be provisioned by FortiGate Cloud as
heartbeat interfaces, but one or both of the interfaces can be connected. It is recommended to connect 2 heartbeat
interfaces whenever possible for redundancy.
3. Connect the WAN interface to an upstream gateway that is providing DHCP service.
4. Connect internal interfaces to an internal switch as required.
5. Power on both FortiGates.
Shortly after, the boxes will receive the vSN and their HA configuration from FortiGate Cloud, as follows:


config system ha
    set group-id <id>
    set group-name <group-name>
    set mode a-p
    set password ********
    set hbdev <HA interface 1> <priority 1> [HA interface 2] [priority 2]
    set override disable
    set logical-sn enable
end

To configure the FortiGates in HA manually using the CLI:

1. Unpack the two boxes, and connect to each unit through the CLI or the default management interface.
2. Configure the following basic HA settings on each unit:
config system ha
    set mode a-p
    set group-id <id>
    set group-name <group-name>
    set password ********
    set hbdev <HA interface 1> <priority 1> [HA interface 2] [priority 2]
    set logical-sn enable
end

3. Connect the HA interfaces back to back using your preferred interfaces.
4. Power on both FortiGates.
Shortly after, the boxes will receive the vSN.

To verify the HA status and vSN (or Logical Serial) after the HA cluster registration is complete:

1. In the GUI, go to the System > HA page.
2. In the CLI use these commands:
# get system ha status
HA Health Status: OK
Model: FortiGate-80F
Mode: HA A-P
Group Name: Branch1-HA
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 2h:33m:2s
Cluster state change time: 2024-11-19 13:57:31
Primary selected using:
<2024/11/19 13:57:31> vcluster-1: FGT80FTK22023xxx is selected as the primary
because its override priority is larger than peer member FGT80FTK20000xxx.
<2024/11/19 11:26:06> vcluster-1: FGT80FTK22023xxx is selected as the primary
because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
FGT80FTK22023xxx(updated 1 seconds ago): in-sync
FGT80FTK22023xxx chksum dump: 0e 4c b5 56 80 be bf 20 8e e5 ad d5 59 ea 5d b3
FGT80FTK20000xxx(updated 0 seconds ago): out-of-sync
FGT80FTK20000xxx chksum dump: d1 31 59 fc 0b 91 12 ca 92 69 62 d2 9f b7 a3 c3
System Usage stats:
FGT80FTK22023xxx(updated 1 seconds ago):
sessions=18, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
FGT80FTK20000xxx(updated 0 seconds ago):
sessions=4, average-cpu-user/nice/system/idle=6%/0%/6%/87%, memory=24%
HBDEV stats:
FGT80FTK22023xxx(updated 1 seconds ago):
internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=1492065/22100/0/0, tx=20442845/47022/0/0
FGT80FTK20000xxx(updated 0 seconds ago):
internal3: physical/1000auto, up, rx-bytes/packets/dropped/errors=24954361/57802/0/0, tx=1804396/27277/0/0
number of member: 2
80FASAAA , FGT80FTK22023xxx, HA cluster index = 0
FGT-D , FGT80FTK20000xxx, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FGT80FTK22023xxx, HA operating index = 0
Secondary: FGT80FTK20000xxx, HA operating index = 1
Logical Serial Number: FGT80FHA24090xxx
# diagnose system ha dump-by debug-zone
HA information.
is_manage_primary=1,manage_vd=root,ip=169.254.0.1,num=2,nvcluster=1,jiffies=938038.
logical serial number is FGT80FHA24090xxx,
local serial number is FGT80FTK22023xxx,
member's serial number is FGT80FTK20000xxx

3. Furthermore, the service contract will be associated with the vSN and can be viewed on the System > FortiGuard
page.

Do not change the HA mode from A-P to A-A when logical-sn is enabled. This will result in
the FortiGate losing its vSN. Disabling logical-sn will also result in losing the vSN. As a
result, service entitlements will no longer be registered to the HA cluster.

RMA the FortiGate virtual HA

In the event that one of the FortiGate HA units requires an RMA, the RMA transfer can be completed from the FortiCloud
support portal.

To RMA a FortiGate HA unit:

1. Go to the Products > Product List and click the HA vSN.
2. In the Registration widget click RMA Transfer.
3. Continue the RMA process as needed.

SNMP

This section includes information about SNMP-related new features:

l Add SNMP trap for memory usage on FortiGates 7.4.2 on page 788
l Add SNMP trap for PSU power restore 7.4.2 on page 790
l Enabling the INDEX extension 7.4.4 on page 791

Add SNMP trap for memory usage on FortiGates - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:
l Important SNMP traps

Both free memory usage and freeable memory of FortiGate devices can be monitored through the Simple Network
Management Protocol (SNMP).
SNMP object identifier (OID) entries are available in the Fortinet MIB files to show the percentage of free memory usage and
freeable memory in an SNMP manager:
l 1.3.6.1.4.1.12356.101.4.1.36 (fgSysFreeMemUsage)
l 1.3.6.1.4.1.12356.101.4.1.37 (fgSysFreeableMemUsage)

The following commands are available to configure memory thresholds to trigger SNMP traps:
config system snmp sysinfo
    set trap-free-memory-threshold <integer>
    set trap-freeable-memory-threshold <integer>
end

set trap-free-memory-threshold <integer>
    Use an integer from 1 to 100 (default 5) to identify what percentage of free memory usage will trigger an SNMP trap.
    SNMP traps are sent when the free memory is lower than the specified threshold. For example, if the free memory
    threshold is set to 5, SNMP traps are sent when free memory is lower than 5%.
set trap-freeable-memory-threshold <integer>
    Use an integer from 1 to 100 (default 60) to identify what percentage of freeable memory will trigger an SNMP trap.
    SNMP traps are sent when the freeable memory is higher than the specified threshold. For example, if the freeable
    memory threshold is set to 60, SNMP traps are sent when freeable memory is higher than 60%.

Example

In this example, the SNMP agent is configured to monitor FortiGate memory and send traps. The trap-free-memory-threshold
is set to 10, and the trap-freeable-memory-threshold is set to 50. SNMP traps are triggered for both thresholds because:
l The free memory on the FortiGate is 9%, which is lower than the threshold of 10.
l The freeable memory on the FortiGate is 56%, which is higher than the threshold of 50.


This example describes how to use the new commands to configure SNMP agents. It does not
describe how to fully configure SNMP. For information about configuring SNMP, see the
FortiOS 7.4 Administration Guide:
l Basic configuration

To configure SNMP for monitoring memory usage on FortiGates:

1. Configure the SNMP agent to monitor FortiGate memory usage and freeable memory.
In this example, the trap-free-memory-threshold is set to 10, and the trap-freeable-memory-threshold is set to 50.
config system snmp sysinfo
    set status enable
    set engine-id <string for local SNMP engine ID>
    set description <string>
    set contact-info <string>
    set location <string>
    set trap-high-cpu-threshold 60
    set trap-free-memory-threshold 10
    set trap-freeable-memory-threshold 50
end

2. Verify that the SNMP manager can successfully query and receive a response on the current memory status of the
FortiGate.
In the following example, the free memory on the FortiGate is reported as 9%, and the freeable memory on the
FortiGate is reported as 56%.
# snmpwalk -v2c -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.4.1.36
FORTINET-FORTIGATE-MIB::fgSystemInfo.36.0 = Gauge32: 9
fosqa@pc05:~$ snmpwalk -v2c -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.4.1.37
FORTINET-FORTIGATE-MIB::fgSystemInfo.37.0 = Gauge32: 56

3. Use the SNMP manager to monitor memory usage on the FortiGate.
Following is an example of the SNMP trap messages sent when thresholds are surpassed for freeable memory and
free memory usage on FortiGates:
2023-12-08 19:53:14 172.16.200.1(via UDP: [172.16.200.1]:162->[172.16.200.55]:162) TRAP, SNMP v1, community REGR-SYS
FORTINET-FORTIGATE-MIB::fgModel.1001 Enterprise Specific Trap (102) Uptime: 1 day, 9:49:42.35
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG101FTK20006858
SNMPv2-MIB::sysName.0 = STRING: FGT_A
FORTINET-CORE-MIB::fnGenTrapMsg = STRING: freeable memory percentage is too high
2023-12-08 19:56:33 <UNKNOWN> [UDP: [172.16.200.1]:162->[172.16.200.55]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (12198187) 1 day, 9:53:01.87
SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-CORE-MIB::fnTrapMemThreshold
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG101FTK20006858
SNMPv2-MIB::sysName.0 = STRING: FGT_A
FORTINET-CORE-MIB::fnGenTrapMsg = STRING: free memory percentage is too low
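The threshold rule described above, as an added example that is not part of the guide: the script parses snmpwalk output for fgSysFreeMemUsage and fgSysFreeableMemUsage (it accepts both the MIB-translated form shown above and the numeric OID form) and reports which memory traps a FortiGate with the given trap-free-memory-threshold and trap-freeable-memory-threshold values would send. The sample output is constructed to match the values in the example.

```python
import re
from dataclasses import dataclass

# Fortinet MIB OIDs from the guide (the values are percentages).
OID_FREE_MEM = "1.3.6.1.4.1.12356.101.4.1.36"      # fgSysFreeMemUsage
OID_FREEABLE_MEM = "1.3.6.1.4.1.12356.101.4.1.37"  # fgSysFreeableMemUsage

# Matches one snmpwalk result line in either form:
#   FORTINET-FORTIGATE-MIB::fgSystemInfo.36.0 = Gauge32: 9
#   .1.3.6.1.4.1.12356.101.4.1.36.0 = Gauge32: 9
_WALK_LINE = re.compile(
    r"(?:fgSystemInfo|1\.3\.6\.1\.4\.1\.12356\.101\.4\.1)\.(\d+)\.0\s*=\s*Gauge32:\s*(\d+)"
)


@dataclass(frozen=True)
class MemThresholds:
    """Values of the two CLI settings; the defaults are the FortiOS defaults."""
    free_mem: int = 5        # set trap-free-memory-threshold
    freeable_mem: int = 60   # set trap-freeable-memory-threshold

    def __post_init__(self):
        for value in (self.free_mem, self.freeable_mem):
            if not 1 <= value <= 100:
                raise ValueError("thresholds must be integers from 1 to 100")


def parse_snmpwalk(output: str) -> dict:
    """Return {"free": pct, "freeable": pct} from the snmpwalk output of the two OIDs."""
    values = {}
    for sub_id, pct in _WALK_LINE.findall(output):
        if sub_id == "36":
            values["free"] = int(pct)
        elif sub_id == "37":
            values["freeable"] = int(pct)
    return values


def expected_traps(values: dict, thresholds: MemThresholds) -> list:
    """Apply the rule from the guide: a trap is sent when free memory is LOWER
    than its threshold and when freeable memory is HIGHER than its threshold.
    The strings mirror the fnGenTrapMsg text shown in the example."""
    traps = []
    if "free" in values and values["free"] < thresholds.free_mem:
        traps.append("free memory percentage is too low")
    if "freeable" in values and values["freeable"] > thresholds.freeable_mem:
        traps.append("freeable memory percentage is too high")
    return traps


# Constructed sample: the two snmpwalk replies from the example above.
SAMPLE_WALK = """\
FORTINET-FORTIGATE-MIB::fgSystemInfo.36.0 = Gauge32: 9
FORTINET-FORTIGATE-MIB::fgSystemInfo.37.0 = Gauge32: 56
"""

if __name__ == "__main__":
    values = parse_snmpwalk(SAMPLE_WALK)
    print(values, expected_traps(values, MemThresholds(free_mem=10, freeable_mem=50)))
```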


Add SNMP trap for PSU power restore - 7.4.2

An SNMP trap has been added for when power is restored to the power supply unit (PSU) on a FortiGate. When the PSU
regains power after an outage, an SNMP trap should be triggered. This enhances the monitoring capabilities of the
FortiGate.

In the GUI, the snmp-event::power-supply-failure event has been renamed to snmp-event::power-supply. In the CLI, the
power-supply-failure event option has been renamed to power-supply.

Example

In this example, the power-supply event is applied in the SNMP community configuration. The SNMP trap messages
are observed when the PSU cable is disconnected and reconnected.

To configure the SNMP community:

config system snmp community
    edit 1
        set name "1"
        config hosts
            edit 1
                set ip 1.1.1.1 255.255.255.255
            next
        end
        set events power-supply
    next
end

Sample log after the PSU cable is disconnected:

2: date=2023-11-06 time=11:34:03 eventtime=1699299242317192852 tz="-0800" logid="0100022106" type="event" subtype="system" level="information" vd="vdom1" logdesc="Optional power supply not detected" action="ipmc-sensor-monitor" status="failure" msg="PS2 Status not detected: 9.00"

Sample SNMP trap message after the PSU cable is disconnected:

2023-11-06 11:33:59 172.16.200.12(via UDP: [172.16.200.12]:162->[172.16.200.55]:162) TRAP, SNMP v1, community REGR-SYS
FORTINET-FORTIGATE-MIB::fgt2601F Enterprise Specific Trap (106) Uptime: 0:25:56.56
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: F2K61FTK22901112
SNMPv2-MIB::sysName.0 = STRING: FGT_G
FORTINET-CORE-MIB::fnGenTrapMsg = STRING: PS2 Status: not detected
2023-11-06 11:33:59 <UNKNOWN> [UDP: [172.16.200.12]:162->[172.16.200.55]:162]:
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (155656) 0:25:56.56
SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-CORE-MIB::fnTrapPowerSupply
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: F2K61FTK22901112
SNMPv2-MIB::sysName.0 = STRING: FGT_G
FORTINET-CORE-MIB::fnGenTrapMsg = STRING: PS2 Status: not detected

Sample log after the PSU cable is reconnected:

2: date=2023-11-06 time=11:28:52 eventtime=1699298932826382671 tz="-0800" logid="0100022115" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Power supply restored notification" action="ipmc-sensor-monitor" status="success" msg="PS1 Status is normal"

Sample SNMP trap message after the PSU cable is reconnected:

2023-11-06 11:28:50 172.16.200.12(via UDP: [172.16.200.12]:162->[172.16.200.55]:162) TRAP, SNMP v1, community REGR-SYS
FORTINET-FORTIGATE-MIB::fgt2601F Enterprise Specific Trap (106) Uptime: 0:20:47.07
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: F2K61FTK22901112
SNMPv2-MIB::sysName.0 = STRING: FGT_G
FORTINET-CORE-MIB::fnGenTrapMsg = STRING: PS1 Status: restore
2023-11-06 11:28:50 <UNKNOWN> [UDP: [172.16.200.12]:162->[172.16.200.55]:162]:
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (124707) 0:20:47.07
SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-CORE-MIB::fnTrapPowerSupply
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: F2K61FTK22901112
SNMPv2-MIB::sysName.0 = STRING: FGT_G
FORTINET-CORE-MIB::fnGenTrapMsg = STRING: PS1 Status: restore
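A parser for the SNMPv2 trap records shown in this section and in the memory-threshold section above, as an added example that is not part of the guide: it splits snmptrapd's varbind output, picks out fnSysSerial, sysName and fnGenTrapMsg, and uses snmpTrapOID plus the message text to tell a lost PSU from a restored one. The sample records are constructed from the traps shown above (the serial numbers and sysnames are the ones in the examples); the assumption that snmptrapd separates varbinds with tabs is marked in the code.

```python
import re

# One varbind as printed by snmptrapd for an SNMPv2 notification:
#   MODULE-MIB::name[.instance] = TYPE: value
# Varbinds are separated by whitespace (assumed here: snmptrapd's default
# format uses tabs), so a value runs until the next "MODULE-MIB::" token
# or the end of the record.
_VARBIND = re.compile(
    r"([A-Za-z0-9-]+-MIB::[\w.]+)\s*=\s*(?:(\w+):\s*)?(.*?)(?=\s+[A-Za-z0-9-]+-MIB::|\s*$)",
    re.S,
)

# Notification OIDs seen in the guide's trap messages.
TRAP_MEM = "FORTINET-CORE-MIB::fnTrapMemThreshold"
TRAP_PSU = "FORTINET-CORE-MIB::fnTrapPowerSupply"


def parse_varbinds(record: str) -> dict:
    """Map each varbind name to a (type, value) tuple."""
    return {name: (vtype, value.strip()) for name, vtype, value in _VARBIND.findall(record)}


def classify_trap(record: str) -> dict:
    """Extract the FortiGate identity and message and rate the trap's urgency."""
    vb = parse_varbinds(record)
    trap_oid = vb.get("SNMPv2-MIB::snmpTrapOID.0", ("", ""))[1]
    msg = vb.get("FORTINET-CORE-MIB::fnGenTrapMsg", ("", ""))[1]
    result = {
        "serial": vb.get("FORTINET-CORE-MIB::fnSysSerial.0", ("", None))[1],
        "sysname": vb.get("SNMPv2-MIB::sysName.0", ("", None))[1],
        "message": msg,
    }
    if trap_oid == TRAP_MEM:
        # Memory traps carry "free ... too low" or "freeable ... too high".
        result.update(kind="memory", severity="warning")
    elif trap_oid == TRAP_PSU:
        # The same notification covers both loss ("not detected") and
        # restoration ("restore"); only the message text tells them apart.
        restored = "restore" in msg.lower()
        result.update(kind="psu", severity="info" if restored else "critical")
    else:
        result.update(kind="other", severity="unknown")
    return result


# Constructed sample records modelled on the traps in the guide, one varbind per tab.
_HDR = "2023-11-06 11:33:59 <UNKNOWN> [UDP: [172.16.200.12]:162->[172.16.200.55]:162]:\n"
PSU_LOST = (_HDR +
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (155656) 0:25:56.56\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-CORE-MIB::fnTrapPowerSupply\t"
    "FORTINET-CORE-MIB::fnSysSerial.0 = STRING: F2K61FTK22901112\t"
    "SNMPv2-MIB::sysName.0 = STRING: FGT_G\t"
    "FORTINET-CORE-MIB::fnGenTrapMsg = STRING: PS2 Status: not detected\n")
PSU_BACK = PSU_LOST.replace("PS2 Status: not detected", "PS1 Status: restore")
MEM_LOW = (_HDR +
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (12198187) 1 day, 9:53:01.87\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-CORE-MIB::fnTrapMemThreshold\t"
    "FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG101FTK20006858\t"
    "SNMPv2-MIB::sysName.0 = STRING: FGT_A\t"
    "FORTINET-CORE-MIB::fnGenTrapMsg = STRING: free memory percentage is too low\n")

if __name__ == "__main__":
    for rec in (PSU_LOST, PSU_BACK, MEM_LOW):
        print(classify_trap(rec))
```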

Enabling the INDEX extension - 7.4.4

The INDEX extension can be enabled from the CLI to append VDOM or interface indexes in RFC tables.
config system snmp sysinfo
    set append-index {enable | disable}
end

For more information about this feature, see Enabling the INDEX extension.

FortiGuard

This section includes information about FortiGuard-related new features:

l FortiGuard DLP service on page 791
l Attack Surface Security Rating service 7.4.1 on page 794
l Operational Technology Security Service 7.4.1 on page 800
l Support automatic federated firmware updates of managed FortiAPs and FortiSwitches 7.4.1 on page 805
l Streamline timezone updates with a downloadable database 7.4.5 on page 808

FortiGuard DLP service

This information is also available in the FortiOS 7.4 Administration Guide:
l FortiGuard DLP pattern service


The FortiGuard DLP service offers a database of predefined DLP patterns such as data types, dictionaries, and sensors.
Examples include:
l Driver's licenses for various countries, various states in the USA, and various provinces in Canada
l Tax numbers for various countries
l Credit card numbers
l Bank statements
When enabled, the DLP database (DLDB) is downloaded to the FortiGate and its predefined patterns can be configured
in DLP profiles.

To configure DLP database updates:

config system fortiguard
    set update-dldb {enable | disable}
end

To verify the database signature status:

# diagnose autoupdate versions
...
DLP Signature
---------
Version: 1.00010 signed
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jan 27 15:25:00 2023
Last Update Attempt: Mon Jan 30 15:18:39 2023
Result: No Updates

Example

In this example, the administrator wants to look for data leakage of Canadian social insurance number (SIN) information
and block this traffic. A DLP profile is created that uses the predefined dictionary, fg-can-natl_id-sin-dic, to check for
Canadian Social Insurance Numbers (SINs).

To verify that the Canadian SIN data type is added to the list of predefined data types:

show dlp data-type
config dlp data-type
    ...
    edit "fg-can-natl_id-proximity"
        set pattern "fortiguard dlp signature"
    next
end

To configure the DLP profile in the GUI:

1. Configure the DLP sensor using the predefined dictionary from FortiGuard:
a. Go to Security Profiles > Data Leak Prevention, select the Sensors tab, and click Create New.
b. Enter a name (sin).
c. In the Sensor Entries section, click Create New.
d. Set the Dictionary to fg-can-natl_id-sin-dic and click OK.
e. Click OK to save the sensor.
2. Configure the DLP profile:
a. Go to Security Profiles > Data Leak Prevention, select the Profiles tab, and click Create New.
b. Enter a name (test).
c. In the Rules section, click Create New.
d. Configure the following settings:

Name        test
Sensors     sin
Severity    Medium
Action      Block
Type        File
File type   all_executables
Protocol    SMTP, POP3, IMAP, HTTP-GET, HTTP-POST, FTP


e. Click OK.
f. Click OK to save the profile.

To configure the DLP profile in the CLI:

1. Configure the DLP sensor using the predefined dictionary from FortiGuard:
config dlp sensor
    edit "sin"
        config entries
            edit 1
                set dictionary "fg-can-natl_id-sin-dic"
            next
        end
    next
end

2. Configure the DLP profile:
config dlp profile
    edit "test"
        set feature-set proxy
        config rule
            edit 1
                set name "test"
                set proto smtp pop3 imap http-get http-post ftp
                set filter-by sensor
                set file-type 2
                set sensor "sin"
                set action block
            next
        end
    next
end

Attack Surface Security Rating service - 7.4.1

The following table provides an overview of changes to the Security Rating service entitlement starting in 7.4.1:


7.4.0 and earlier

Security Rating entitlement. Includes:
l PSIRT/Outbreak Package Definitions
l Checking all the PSIRT/Outbreak rules in Security Rating
l Running all the built-in free and paid security rating rules

Firmware entitlement. Includes:
l Application Control Signatures
l Device & OS Identification
l Internet Service Database Definitions

IoT Detection service. Includes:
l IoT Detection Definitions
l IoT Query

7.4.1 and later

Attack Surface Security Rating entitlement. Includes:
l Running all the built-in free and paid security rating rules
l Checking all the Outbreak rules in Security Rating
l Displaying CIS compliance information
l IoT Detection Definitions
l IoT Query

Firmware entitlement*. Includes:
l Application Control Signatures
l Device & OS Identification
l Internet Service Database Definitions
l PSIRT Package Definitions
l Checking all PSIRT rules in Security Rating

IoT Detection service: n/a

* The list is not exhaustive and does not include services such as FortiGate Virtual Patch Signatures, Inline-CASB, and
SaaS Application Definitions.

Re-position the PSIRT packages into the Firmware entitlement

Starting in 7.4.1, PSIRT related packages and functionalities are re-positioned from the Security Rating entitlement into
the Firmware entitlement. This allows more customers with the basic Firmware entitlement to have access to the latest
PSIRT package updates, which can be executed under Security Fabric > Security Rating > Security Posture checks.
Devices with different entitlements can expect the following behaviors:

Entitlement                           Action
Firmware   Attack Surface Security   Download PSIRT package   Run PSIRT security   Run built-in paid        Run built-in free
(FMWR)     Rating (FGSA)             from FortiGuard          rating checks        security rating checks   security rating checks
Yes        No                        Yes                      Yes                  No                       Yes
Yes        Yes                       Yes                      Yes                  Yes                      Yes
No         No                        No                       No                   No                       Yes
No         Yes                       No                       No                   Yes                      Yes


Example 1: device with Firmware entitlement, but no Attack Surface Security Rating
entitlement

On the System > FortiGuard page, note that Firmware & General Updates is licensed, but Attack Surface Security Rating
is not.

PSIRT-related rules can be executed from the Security Fabric > Security Rating > Security Posture page.

Free built-in security rating rules can be run. Paid rules cannot be run and fall under the Unlicensed category.


Example 2: device with both Firmware and Attack Surface Security Rating entitlements

In this scenario, all PSIRT, Outbreak, paid, and free rules can be run. There is no Unlicensed rule category.

Example 3: device with no Firmware or Attack Surface Security Rating entitlement

In this scenario, only free built-in rules can be run. Other rules are grouped under the Unlicensed category.


Merge the IoT Detection service into the Attack Surface Security Rating service

Starting in 7.4.1, the IoT Detection service, which includes IoT Detection Definitions (APDB) and the IoT Query service
(IOTH), is merged into the Attack Surface Security Rating service (FGSA).
The following table provides a breakdown of the entitlements before and after upgrading:

Before upgrading                            After upgrading
Security Rating   IoT Detection             Attack Surface Security Rating
Yes               Yes                       Yes (Yes, for IoT Detection subcategory)
Yes               No                        Yes (Yes, for IoT Detection subcategory)
No                Yes                       No (Yes, for IoT Detection subcategory)
No                No                        No (No, for IoT Detection subcategory)

Example 1: device does not have an Attack Surface Security Rating entitlement

On the System > FortiGuard page, note that Attack Surface Security Rating is not licensed, and IoT Detection Definitions
was not downloaded.


In the Dashboard > Status > Licenses widget, hovering over the Rating icon displays a tooltip that the status of Attack
Surface Security Rating is Not Licensed.

Example 2: device has an Attack Surface Security Rating entitlement

On the System > FortiGuard page, note that Attack Surface Security Rating is licensed, and IoT Detection Definitions is
downloaded.

To view the definitions and license information in the CLI:

1. Verify the IoT definition version and update status:
# diagnose autoupdate versions | grep IoT -A 6
IoT Detect Definitions
---------
Version: 25.00600 signed
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jul 14 11:12:19 2023
Last Update Attempt: Fri Jul 14 11:12:19 2023
Result: Updates Installed

2. Verify the Attack Surface Security Rating (FGSA) license and IoT detection service object:
# diagnose test update info
System contracts:
FGSA,Thu Jun 13 17:00:00 2024
Object versions:
07004000IOTD00105-00025.00600-2307121926

Operational Technology Security Service - 7.4.1

The Operational Technology (OT) Security Service is introduced to help consolidate OT services under one license and
to decouple the underlying definitions and packages from IoT ones. New OT-related services such as OT Detection
Definitions and OT Virtual Patching Signatures used in the virtual patching profile are now licensed under the OT
Security Service.
The following table provides an overview of the new Operational Technology (OT) Security Service entitlement:

7.4.0 and earlier: Industrial Security Service entitlement. Includes:
l Industrial Attack Definitions

7.4.1 and later: Operational Technology (OT) Security Service entitlement. Includes:
l OT Threat Definitions (renamed)
l OT Detection Definitions (new)
l OT Virtual Patching Signatures (new)

To view the entitlement information in the GUI:

1. Go to System > FortiGuard.
2. Expand the Operational Technology (OT) Security Service entry in the License Information table.
