FortiOS 7.4.0 New Features Guide (pages 851 to 900)

The document outlines new features in FortiOS 7.4.0, including the ability to create and edit automation triggers and actions, such as IP ban and email notifications to FortiCare. It also introduces configurable Purdue levels for Fabric devices and support for switching to an alternate FortiAnalyzer when the primary is unavailable. Additionally, new log fields for long-lived sessions are introduced to enhance logging capabilities.

Security Fabric

• Configuration Change trigger that appears in the Trigger tab:

• Editing the Configuration Change trigger:

• IP Ban action that appears in the Action tab:

FortiOS 7.4.0 New Features Guide 851


Fortinet Inc.
Security Fabric

• Editing the IP Ban action:

Clicking the Create New button on the Trigger and Action tabs (or clicking Create within the Create Automation Stitch
page) only displays dynamic options where multiple settings need to be configured.


• Create New Automation Trigger page:

• Create New Automation Action page:


Creating a trigger from the System Events page

A FortiOS Event Log trigger can be created using the shortcut on the System Events > Logs page. In this example, a
trigger is created for a FortiGate update succeeded event log.

To configure a FortiOS Event Log trigger from the System Events page:

1. Go to Log & Report > System Events and select the Logs tab.
2. Select a log for a successful FortiGate update, then right-click and select Create Automation Trigger.


The Create New Automation Trigger pane opens to configure the FortiOS Event Log settings.
3. Enter a name (such as trigger-update). The Event field is already populated with FortiGate update succeeded.

4. Optionally, in the Field filter(s) field, click + to add one or more field filters. The configured filters must match for the stitch to be triggered.
5. Click OK. The trigger is now listed on the Security Fabric > Automation > Trigger page.


Using the FortiCare email address in Email actions

The FortiCare email address can be used in an Email action by enabling the Send to FortiCare email field. When
enabled, FortiOS will automatically include the email address associated with the FortiCare Support entitlement. This is
the FortiCloud email address visible on the System > FortiGuard page under the FortiCare Support license information.

If Send to FortiCare email is enabled, other email addresses can still be included in the action.

To configure an Email action with a FortiCare email address in the GUI:

1. Go to Security Fabric > Automation and select the Action tab.
2. Click Create New and select Email.
3. Enter the following:

Name                     FortiCare Email Notification
Description              Send a custom email notification to the FortiCare email address registered on this device.
Send to FortiCare email  Enable
Subject                  %%log.logdesc%%
Body                     %%log%%


4. Click OK.

To configure an Email action with a FortiCare email address in the CLI:

config system automation-action
    edit "FortiCare Email Notification"
        set description "Send a custom email notification to the FortiCare email address registered on this device."
        set action-type email
        set forticare-email enable
        set email-subject "%%log.logdesc%%"
    next
end

Asset Identity Center

This section includes information about Asset Identity Center related new features:
• Configure Purdue Levels for Fabric devices 7.4.2 on page 857

Configure Purdue Levels for Fabric devices - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:

• OT asset visibility and network topology

FortiOS now supports configurable Purdue levels for Fortinet Fabric devices, specifically FortiGates, managed
FortiSwitches, and FortiAPs. Users can therefore place these devices at the Purdue level that fits their own
environment instead of being limited to a fixed assignment. The default Purdue level for these devices is 3.


To configure the Purdue Level in the GUI:

1. Go to Security Fabric > Asset Identity Center.
2. Select OT View.
3. Click Unlock View.
4. Drag and drop the FortiGate, managed FortiSwitch, or FortiAP to the desired Purdue Level.
5. Optionally, click Lock View to revert to the locked view.

To configure the FortiGate Purdue Level in the CLI:

config system global
    set purdue-level <level 1 - 5.5>
end

To configure the managed FortiSwitch Purdue Level in the CLI:

config switch-controller managed-switch
    edit "<managed FortiSwitch name>"
        set purdue-level <level 1 - 5.5>
    next
end

To configure the FortiAP Purdue Level in the CLI:

config wireless-controller wtp
    edit "<WTP ID>"
        set purdue-level <level 1 - 5.5>
    next
end


Log and report

This section includes information about logging and reporting related new features:
• Logging on page 859

Logging

This section includes information about logging related new features:

• Support switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable 7.4.1 on page 859
• Introduce new log fields for long-live sessions 7.4.2 on page 863

Support switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable - 7.4.1

This information is also available in the FortiOS 7.4 Administration Guide:

• Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable

FortiOS supports switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable. Once connectivity to
the primary FortiAnalyzer is restored, the FortiGate automatically falls back to it.

This feature can be used in multi-VDOM mode when FortiAnalyzer override settings are configured.

To configure switching to an alternate FortiAnalyzer when the main FortiAnalyzer is unavailable:

1. Configure primary and alternate FortiAnalyzer servers:

config log fortianalyzer setting
    set status enable
    set server "172.16.200.250"
    set alt-server "172.16.200.251"
    set fallback-to-primary enable
    set serial "FAZ-VMTM22000000" "FAZ-VMTM23000003"
end

2. Verify the primary and alternate FortiAnalyzer server IPs:

# diagnose test application fgtlogd 1
vdom-admin=1
mgmt=vdom1

fortilog:
faz: global , enabled
server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250,
realtime=3, ssl=1, state=connected
server_log_status=Log is allowed.,
src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
required_entitlement=none, region=ca-west-1,
logsync_enabled:1, logsync_conn_id:65535, seq_no:0
disconnect_jiffies:0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:11 seconds ago.
Sn list:
(FAZ-VMTM22000000,age=11s) (FAZ-VMTM23000003,age=12s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh
ssl file-filter icap sctp-filter virtual-patch
subcategory:
traffic: forward local multicast sniffer ztna
virus:all subcategories are enabled.
webfilter:all subcategories are enabled.
ips:all subcategories are enabled.
emailfilter:all subcategories are enabled.
anomaly:all subcategories are enabled.
voip:all subcategories are enabled.
dlp:all subcategories are enabled.
app-ctrl:all subcategories are enabled.
waf:all subcategories are enabled.
dns:all subcategories are enabled.
ssh:all subcategories are enabled.
ssl:all subcategories are enabled.
file-filter:all subcategories are enabled.
icap:all subcategories are enabled.
sctp-filter:all subcategories are enabled.
virtual-patch:all subcategories are enabled.

server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
oftp-state=connected
primary oftp status:null
probe oftp status:null, 442

The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer.
3. Make the primary FortiAnalyzer server go down. The FortiGate will automatically connect to the alternate
FortiAnalyzer server.
4. Verify the FortiAnalyzer server status information:


# diagnose test application fgtlogd 1
vdom-admin=1
mgmt=vdom1

fortilog:
faz: global , enabled
server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.251,
realtime=3, ssl=1, state=connected
server_log_status=Log is allowed.,
src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
required_entitlement=none, region=ca-west-1,
logsync_enabled:1, logsync_conn_id:65535, seq_no:0
disconnect_jiffies:0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:30 seconds ago.
Sn list:
(FAZ-VMTM22000000,age=30s) (FAZ-VMTM23000003,age=31s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh
ssl file-filter icap sctp-filter virtual-patch
subcategory:
traffic: forward local multicast sniffer ztna
virus:all subcategories are enabled.
webfilter:all subcategories are enabled.
ips:all subcategories are enabled.
emailfilter:all subcategories are enabled.
anomaly:all subcategories are enabled.
voip:all subcategories are enabled.
dlp:all subcategories are enabled.
app-ctrl:all subcategories are enabled.
waf:all subcategories are enabled.
dns:all subcategories are enabled.
ssh:all subcategories are enabled.
ssl:all subcategories are enabled.
file-filter:all subcategories are enabled.
icap:all subcategories are enabled.
sctp-filter:all subcategories are enabled.
virtual-patch:all subcategories are enabled.

server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
oftp-state=connected
probe oftp status:null, 38

The 172.16.200.251 server is currently active and acting as the primary FortiAnalyzer.
5. Restore the connection to the 172.16.200.250 server. The FortiGate will automatically reconnect to this
FortiAnalyzer server.
6. Verify the FortiAnalyzer server status information:
# diagnose test application fgtlogd 1
vdom-admin=1
mgmt=vdom1

fortilog:
faz: global , enabled
server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.250,
realtime=3, ssl=1, state=connected
server_log_status=Log is allowed.,
src=, mgmt_name=FGh_Log_vdom1_172.16.200.250, reliable=0, sni_prefix_type=none,
required_entitlement=none, region=ca-west-1,
logsync_enabled:1, logsync_conn_id:65535, seq_no:0
disconnect_jiffies:0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:11 seconds ago.
Sn list:
(FAZ-VMTM22000000,age=58s) (FAZ-VMTM23000003,age=59s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
traffic virus webfilter ips emailfilter anomaly voip dlp app-ctrl waf dns ssh
ssl file-filter icap sctp-filter virtual-patch
subcategory:
traffic: forward local multicast sniffer ztna
virus:all subcategories are enabled.
webfilter:all subcategories are enabled.
ips:all subcategories are enabled.
emailfilter:all subcategories are enabled.
anomaly:all subcategories are enabled.
voip:all subcategories are enabled.
dlp:all subcategories are enabled.
app-ctrl:all subcategories are enabled.
waf:all subcategories are enabled.
dns:all subcategories are enabled.
ssh:all subcategories are enabled.
ssl:all subcategories are enabled.
file-filter:all subcategories are enabled.
icap:all subcategories are enabled.
sctp-filter:all subcategories are enabled.
virtual-patch:all subcategories are enabled.

server: global, id=0, ready=1, name=172.16.200.250 addr=172.16.200.250:514
oftp-state=connected
primary oftp status:null
probe oftp status:null, 530

The 172.16.200.250 server is currently active and acting as the primary FortiAnalyzer again.

To manually switch from the primary to the alternate FortiAnalyzer (and vice versa):

# execute log {fortianalyzer | fortianalyzer2 | fortianalyzer3} manual-failover

If the primary server is still up, the behavior of this command depends on the fallback-to-primary setting
configured in the global FortiAnalyzer log settings:
• If fallback-to-primary is enabled (default), running execute log fortianalyzer manual-failover switches to
the alternate FortiAnalyzer, but the FortiGate switches back to the primary because it is not actually down.
• If fallback-to-primary is disabled, running execute log fortianalyzer manual-failover switches to the
alternate FortiAnalyzer and does not switch back to the primary.
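Because the FortiGate fails over and falls back without any further notice, a monitoring job will want to tell from the fgtlogd output whether logs are currently going to the primary or the alternate FortiAnalyzer, and whether anything is queued. The following Python is an added example and not part of the Fortinet guide: it parses the `diagnose test application fgtlogd 1` output shown above and classifies the logging state. The trimmed sample output is constructed from the page's excerpts, and the `max_sn_age` threshold is an assumed value.

```python
import re

# Constructed sample: a trimmed copy of the page's `diagnose test application
# fgtlogd 1` output taken while the primary FortiAnalyzer was down, so the
# active-server is the alt-server.
SAMPLE_FAILOVER = """\
fortilog:
faz: global , enabled
server=172.16.200.250, alt-server=172.16.200.251, active-server=172.16.200.251,
realtime=3, ssl=1, state=connected
server_log_status=Log is allowed.,
SNs: last sn update:30 seconds ago.
Sn list:
(FAZ-VMTM22000000,age=30s) (FAZ-VMTM23000003,age=31s)
queue: qlen=0.
"""

# Same excerpt after connectivity to the primary was restored (constructed).
SAMPLE_PRIMARY = SAMPLE_FAILOVER.replace(
    "active-server=172.16.200.251", "active-server=172.16.200.250")

# key=value pairs of interest; a value runs up to the next comma or whitespace.
KV_RE = re.compile(r"\b(server|alt-server|active-server|state)=([^,\s]+)")
# "(FAZ-VMTM22000000,age=30s)" entries from the Sn list
SN_RE = re.compile(r"\((FAZ-[A-Z0-9]+),age=(\d+)s\)")
QLEN_RE = re.compile(r"\bqlen=(\d+)")


def parse_fgtlogd(text):
    """Extract server addresses, connection state, FortiAnalyzer serials
    (with age in seconds) and the queue length from fgtlogd output."""
    fields = {}
    for key, value in KV_RE.findall(text):
        fields[key.replace("-", "_")] = value
    fields["serials"] = {sn: int(age) for sn, age in SN_RE.findall(text)}
    m = QLEN_RE.search(text)
    fields["qlen"] = int(m.group(1)) if m else 0
    return fields


def faz_status(text, max_sn_age=300):
    """Classify the logging state as 'primary', 'failover', 'disconnected' or
    'unknown' and return findings worth alerting on. max_sn_age (seconds) is an
    assumed threshold for a stale serial-number update."""
    f = parse_fgtlogd(text)
    findings = []
    if f.get("state") != "connected":
        return "disconnected", ["fgtlogd is not connected to any FortiAnalyzer"]
    active = f.get("active_server")
    if active == f.get("server"):
        mode = "primary"
    elif active == f.get("alt_server"):
        mode = "failover"
        findings.append(f"logging to alternate FortiAnalyzer {active}; "
                        f"primary {f['server']} appears unreachable")
    else:
        mode = "unknown"
        findings.append(f"active-server {active} matches neither configured server")
    if f["qlen"] > 0:
        findings.append(f"{f['qlen']} logs queued and not yet delivered")
    for sn, age in f["serials"].items():
        if age > max_sn_age:
            findings.append(f"serial {sn} last updated {age}s ago")
    return mode, findings


if __name__ == "__main__":
    for label, sample in (("failover", SAMPLE_FAILOVER), ("primary", SAMPLE_PRIMARY)):
        mode, findings = faz_status(sample)
        print(f"{label}: mode={mode}")
        for line in findings:
            print("  -", line)
```

In practice the output would be collected over SSH or the REST API on a schedule; a transition from `primary` to `failover`, or a growing `qlen`, is the event to alert on, since during the switch any logs that cannot be queued are simply lost to the analyst.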


Introduce new log fields for long-live sessions - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:

• Log fields for long-lived sessions

Logging of long-lived session statistics can be enabled or disabled in traffic logs:

config log setting
    set long-live-session-stat {enable | disable}
end

When enabled, traffic logs include the following statistics fields for long-lived sessions:

Duration delta (durationdelta)          The time in seconds between the last session log and the current session log.
Sent packet delta (sentpktdelta)        The number of sent packets. When the value reported in the sentpktdelta field matches the value reported in the sentpkt field, no logs are missing.
Received packet delta (rcvdpktdelta)    The number of received packets. When the value reported in the rcvdpktdelta field matches the value reported in the rcvdpkt field, no logs are missing.

The long-lived session fields improve the granularity and accuracy of traffic logs to aid troubleshooting and analysis.

Example

In this example, logging is enabled for long-lived session statistics. Log ID 20 includes the new fields for long-lived
sessions.

To log long-lived session statistics:

1. Enable logging of long-lived session statistics:

config log setting
    set long-live-session-stat enable
end

2. View information in the logs:

In the following example, log fields are filtered for log ID 0000000020 to display the new data fields.
The sentpkt field shows 205 and the rcvdpkt field shows 1130. The new fields (sentpktdelta=205 and
rcvdpktdelta=1130) show the same number of packets, which indicates that no logs have been lost. The
durationdelta field shows 120 seconds between the last session log and the current session log.
# execute log filter device Disk
# execute log filter category 0
# execute log filter field subtype forward
# execute log filter field logid 0000000020
# execute log display
1 logs found.
1 logs returned.
1: date=2023-12-07 time=14:19:59 eventtime=1701987599439429340 tz="-0800"
logid="0000000020" type="traffic" subtype="forward" level="notice" vd="vdom1"
srcip=10.1.100.22 srcport=53540 srcintf="wan2" srcintfrole="undefined"
dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined"
srccountry="Reserved" dstcountry="Reserved" sessionid=296 proto=6 action="accept"
policyid=1 policytype="policy" poluuid="e538d622-53eb-51ee-8adc-f8fbb0f22fdd"
policyname="B-out" service="HTTP" trandisp="snat" transip=172.16.200.2 transport=53540
duration=120 sentbyte=10855 rcvdbyte=1397640 sentpkt=205 rcvdpkt=1130 appcat="unscanned"
sentdelta=10855 rcvddelta=1397640 durationdelta=120 sentpktdelta=205 rcvdpktdelta=1130
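The single-record check the guide describes (a delta equal to its cumulative counter means nothing was lost) generalises to the whole sequence of interval logs for one session: the deltas received should sum to the latest cumulative counter, and any shortfall is exactly the traffic carried by the records that never arrived. The following Python is an added example, not Fortinet code: it parses the record above and applies both checks. The two follow-up records for the same session are constructed for illustration, with counters advanced by whole intervals.

```python
import re

# The traffic log record from the guide, joined onto one line (the display
# output wraps it over several lines).
SAMPLE_LOG = (
    'date=2023-12-07 time=14:19:59 eventtime=1701987599439429340 tz="-0800" '
    'logid="0000000020" type="traffic" subtype="forward" level="notice" vd="vdom1" '
    'srcip=10.1.100.22 srcport=53540 srcintf="wan2" srcintfrole="undefined" '
    'dstip=172.16.200.55 dstport=80 dstintf="wan1" dstintfrole="undefined" '
    'srccountry="Reserved" dstcountry="Reserved" sessionid=296 proto=6 action="accept" '
    'policyid=1 policytype="policy" poluuid="e538d622-53eb-51ee-8adc-f8fbb0f22fdd" '
    'policyname="B-out" service="HTTP" trandisp="snat" transip=172.16.200.2 transport=53540 '
    'duration=120 sentbyte=10855 rcvdbyte=1397640 sentpkt=205 rcvdpkt=1130 appcat="unscanned" '
    'sentdelta=10855 rcvddelta=1397640 durationdelta=120 sentpktdelta=205 rcvdpktdelta=1130'
)

# key=value, where the value is a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# (per-interval delta field, cumulative counter it is a slice of)
DELTA_PAIRS = (("sentpktdelta", "sentpkt"), ("rcvdpktdelta", "rcvdpkt"),
               ("sentdelta", "sentbyte"), ("rcvddelta", "rcvdbyte"))


def parse_fortigate_log(line):
    """Return the record as a dict of strings with surrounding quotes removed."""
    rec = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        rec[key] = raw
    return rec


def has_long_lived_fields(rec):
    """True when the record carries the long-live-session-stat fields."""
    return "durationdelta" in rec and all(d in rec for d, _ in DELTA_PAIRS)


def is_first_interval(rec):
    """The guide's check: each delta equals its cumulative counter, which is
    only true for the first interval log of a session."""
    return all(int(rec[d]) == int(rec[t]) for d, t in DELTA_PAIRS)


def missing_log_gap(records):
    """For the interval logs received for one session, in order, return per
    counter the traffic the received deltas do not account for. All zeros means
    no interval log was lost; a positive value is the traffic of the lost records."""
    if not records or len({r["sessionid"] for r in records}) != 1:
        raise ValueError("records must be non-empty and from a single sessionid")
    gaps = {}
    for delta, total in DELTA_PAIRS:
        seen = sum(int(r[delta]) for r in records)
        gaps[total] = int(records[-1][total]) - seen
    return gaps


def followup_record(base, duration, sentbyte, rcvdbyte, sentpkt, rcvdpkt):
    """Constructed later interval log for the same session: cumulative counters
    advance while the per-interval deltas stay the same (steady traffic)."""
    rec = dict(base)
    rec.update(duration=str(duration), sentbyte=str(sentbyte), rcvdbyte=str(rcvdbyte),
               sentpkt=str(sentpkt), rcvdpkt=str(rcvdpkt))
    return rec


if __name__ == "__main__":
    first = parse_fortigate_log(SAMPLE_LOG)
    second = followup_record(first, 240, 21710, 2795280, 410, 2260)
    # Counters jumped by two intervals since the previous record: one log lost.
    fourth = followup_record(first, 480, 43420, 5590560, 820, 4520)
    print("first interval:", is_first_interval(first))
    print("gap after two records:", missing_log_gap([first, second]))
    print("gap with a lost record:", missing_log_gap([first, second, fourth]))
```

Run against records grouped by `sessionid` from a SIEM export, a non-zero gap pinpoints which sessions have holes in their logging and how much traffic those holes hide, which is more useful in an investigation than the bare fact that records went missing.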


Cloud

This section includes information about cloud-related new features:

• Public and private cloud on page 865

Public and private cloud

This section includes information about public and private cloud-related new features:
• Support the AWS t4g, c6a, and c6in instance families on page 866
• VMware ESXi FortiGate-VM as ZTNA gateway on page 866
• Support the new AWS c7gn instance family on page 871
• Support SCCC backed by AliCloud on page 871
• Upgrade AWS ENA network interface driver to 2.8.3 on page 872
• Support UEFI-Preferred boot mode on AWS FortiGate-VM models on page 872
• OCI DRCC support on page 874
• Support multiple compartments and regions with single OCI SDN connector on page 874
• Add Cisco ACI ESG support for direct connector 7.4.1 on page 874
• Add OVF template support for VMware ESXi 8 7.4.1 on page 877
• GCP support for C3 machine type 7.4.1 on page 878
• AWS support for local zones 7.4.1 on page 878
• AWS SBE support 7.4.1 on page 878
• GCP support for C3A and C3D machine type 7.4.2 on page 878
• Add FortiFlex GUI option 7.4.2 on page 878
• AliCloud support for c7, c7a, and g5ne instance families 7.4.2 on page 879
• AliCloud support change route table with IPv4 gateway for HA 7.4.2 on page 880
• AWS SDN Connector support for alternate resources 7.4.2 on page 880
• Integrate FortiGate Azure vWAN solution with Azure Monitor to capture health metrics 7.4.2 on page 880
• Customizing the FortiFlex license token activation retry parameters 7.4.2 on page 882
• GCP support for confidential computing 7.4.3 on page 883
• Support the AWS c7i and c7a instance families 7.4.4 on page 884
• AWS silent fips-cipher enablement 7.4.4 on page 884
• Azure FortiGate-VM vWAN NVA support for PAYG metered billing 7.4.4 on page 884
• GCP SDN connector to support IPv6 route table update via NextHopInstance 7.4.4 on page 892
• Support for AliCloud Apsara Stack 7.4.4 on page 892
• Azure SDN connector moves private IP address on trusted NIC during A-P HA failover 7.4.5 on page 892
• Azure SDN connector relay through FortiManager support 7.4.5 on page 901
• GCP SDN connector relay through FortiManager support 7.4.5 on page 901
• OCI SDN connector IPv6 A-P HA failover support 7.4.5 on page 901
• Azure SDN connector GraphQL bulk query support 7.4.5 on page 908


• OCI SDN connector IPv6 address object support 7.4.5 on page 908
• Azure marketplace support for ARM64 instances 7.4.5 on page 908
• KVM Red Hat Enterprise Linux 9.4 support 7.4.5 on page 908
• AliCloud GWLB support 7.4.6 on page 908

Support the AWS t4g, c6a, and c6in instance families

FortiGate-VM supports the AWS t4g instance family using the FGT-ARM64-AWS image, and the AWS c6a and c6in
instance families using the FGT-VM64-AWS image. See Instance type support.

VMware ESXi FortiGate-VM as ZTNA gateway

FortiOS supports deploying a VMware ESXi FortiGate-VM directly as a zero trust application gateway using the OVF
template (.vapp). You can configure zero trust network access (ZTNA)-related parameters such as the EMS server,
external and internal interface IP addresses, and the application server mapping during OVF deployment. The
deployment also bootstraps ZTNA policy, authentication scheme, rules, and user group configurations.
This enhancement introduces a new FortiGate-VM64-ZTNA-vapp.ovf file. With this file, you can configure all ZTNA-
related parameters and the FGT-VM64 instance can act as a ZTNA gateway after bootstrapping. The file supports using
FortiClient Cloud or on-premise EMS.

The example deployment is as follows:

• The FortiGate is deployed with the aforementioned addressing scheme.
• FortiClient Cloud is used.
• 10.6.30.67 is used for the HTTPS access proxy external IP address.
• The web server 10.1.100.22 is configured for server mapping.
• A local user, mylocaluser, is created on the FortiGate and added to ztna_group.
• ztna_group is allowed ZTNA access to the protected web server via basic authentication.
• This deployment does not use ZTNA tags for security posture checks.

To deploy VMware ESXi FortiGate-VM as ZTNA gateway:

1. Download the OVF package:
   a. In the Fortinet Customer Service & Support site, go to Support > Downloads > VM Images.
   b. From the Select Platform dropdown list, select VMWare ESXi.
   c. Download the file labeled as New deployment of FortiGate for VMware FGT_VM64-v7.4.0.F-buildXXXX-FORTINET.out.ovf.zip.
   d. Extract the zip file and locate the FortiGate-VM64-ZTNA.vapp.ovf file.


2. In vSphere, create a new FGT-VM64 instance using the FortiGate-VM64-ZTNA.vapp.ovf file. You can configure the
VM license file and all ZTNA-related parameters.

3. After the FGT-VM64 boots up, go to Security Fabric > Fabric Connectors.


4. Verify EMS. EMS authorizes the FortiGate.

You can run diagnose debug cloudinit show to view the cloudinit information after the FortiGate boots up:

FortiGate-VM # diagnose debug cloudinit show
>> Checking metadata source ovf
>> Cloudinit downloading the license:http://10.6.30.218/temp1.lic
>> Cloudinit download the license successfully
>> Found metadata source: ovf
>> Trying to install vmlicense ...
>> Run config script
>> FortiGate-VM $ config system global
>> FortiGate-VM (global) $ set gui-theme mariner
>> FortiGate-VM (global) $ set admintimeout 60
>> FortiGate-VM (global) $ end
>> FortiGate-VM $ config system admin
>> FortiGate-VM (admin) $ edit admin
>> FortiGate-VM (admin) $ config gui-dashboard
>> FortiGate-VM (gui-dashboard) $ edit 0
>> FortiGate-VM (0) $ set name "FortiView ZTNA Servers"
>> FortiGate-VM (0) $ set vdom root
>> FortiGate-VM (0) $ set layout-type standalone
>> FortiGate-VM (0) $ set csf disable
>> FortiGate-VM (0) $ config widget
>> FortiGate-VM (widget) $ edit 1
>> FortiGate-VM (1) $ set type fortiview
>> FortiGate-VM (1) $ set width 1
>> FortiGate-VM (1) $ set height 1
>> FortiGate-VM (1) $ set csf-device all
>> FortiGate-VM (1) $ set fortiview-type ztnaServer
>> FortiGate-VM (1) $ set fortiview-sort-by bytes
>> FortiGate-VM (1) $ set fortiview-timeframe 5min
>> FortiGate-VM (1) $ set fortiview-visualization table
>> FortiGate-VM (1) $ end
>> FortiGate-VM (0) $ end
>> FortiGate-VM (admin) $ end
>> FortiGate-VM $ config system settings
>> FortiGate-VM (settings) $ set gui-implicit-policy disable
>> FortiGate-VM (settings) $ set gui-dos-policy disable
>> FortiGate-VM (settings) $ set gui-dynamic-routing disable
>> FortiGate-VM (settings) $ set gui-threat-weight disable
>> FortiGate-VM (settings) $ set gui-file-filter disable
>> FortiGate-VM (settings) $ set gui-application-control disable
>> FortiGate-VM (settings) $ set gui-endpoint-control disable
>> command parse error before 'gui-endpoint-control'
>> Command fail. Return code -61
>> FortiGate-VM (settings) $ set gui-vpn disable
>> FortiGate-VM (settings) $ set gui-wireless-controller disable
>> FortiGate-VM (settings) $ set gui-traffic-shaping disable
>> FortiGate-VM (settings) $ set gui-webfilter disable
>> FortiGate-VM (settings) $ set gui-dnsfilter disable
>> FortiGate-VM (settings) $ set allow-subnet-overlap enable
>> FortiGate-VM (settings) $ end
>> FortiGate-VM $ config user local
>> FortiGate-VM (local) $ edit mylocaluser
>> FortiGate-VM (mylocaluser) $ set type password
>> FortiGate-VM (mylocaluser) $ set passwd <password>
>> FortiGate-VM (mylocaluser) $ next
>> FortiGate-VM (local) $ end
>> FortiGate-VM $ config user group
>> FortiGate-VM (group) $ edit ztna_group
>> FortiGate-VM (ztna_group) $ set member mylocaluser
>> FortiGate-VM (ztna_group) $ next
>> FortiGate-VM (group) $ end
>> FortiGate-VM $ config firewall address
>> FortiGate-VM (address) $ edit webserver1
>> FortiGate-VM (webserver1) $ set subnet 10.1.100.22 255.255.255.255
>> FortiGate-VM (webserver1) $ next
>> FortiGate-VM (address) $ end
>> FortiGate-VM $ config firewall vip
>> FortiGate-VM (vip) $ edit MyApplicationServer
>> FortiGate-VM (MyApplicationServer) $ set type access-proxy
>> FortiGate-VM (MyApplicationServer) $ set extip 10.6.30.67
>> FortiGate-VM (MyApplicationServer) $ set extintf port1
>> FortiGate-VM (MyApplicationServer) $ set server-type https
>> FortiGate-VM (MyApplicationServer) $ set extport 9443
>> FortiGate-VM (MyApplicationServer) $ set ssl-certificate Fortinet_SSL
>> FortiGate-VM (MyApplicationServer) $ next
>> FortiGate-VM (vip) $ end
>> FortiGate-VM $ config firewall access-proxy
>> FortiGate-VM (access-proxy) $ edit MyApplicationServer
>> FortiGate-VM (MyApplicationServer) $ set vip MyApplicationServer
>> FortiGate-VM (MyApplicationServer) $ config api-gateway
>> FortiGate-VM (api-gateway) $ edit 1
>> FortiGate-VM (1) $ config realservers
>> FortiGate-VM (realservers) $ edit 1
>> FortiGate-VM (1) $ set ip 10.1.100.22
>> FortiGate-VM (1) $ next
>> FortiGate-VM (realservers) $ end
>> FortiGate-VM (1) $ next
>> FortiGate-VM (api-gateway) $ end
>> FortiGate-VM (MyApplicationServer) $ next
>> FortiGate-VM (access-proxy) $ end
>> FortiGate-VM $ config firewall proxy-policy
>> FortiGate-VM (proxy-policy) $ edit 1
>> FortiGate-VM (1) $ set name ZTNA-Web-Server
>> FortiGate-VM (1) $ set proxy access-proxy
>> FortiGate-VM (1) $ set access-proxy MyApplicationServer
>> FortiGate-VM (1) $ set srcintf port1
>> FortiGate-VM (1) $ set srcaddr all
>> FortiGate-VM (1) $ set dstaddr webserver1
>> FortiGate-VM (1) $ set action accept
>> FortiGate-VM (1) $ set schedule always
>> FortiGate-VM (1) $ set logtraffic all
>> FortiGate-VM (1) $ set groups ztna_group
>> FortiGate-VM (1) $ next
>> FortiGate-VM (proxy-policy) $ end
>> FortiGate-VM $ config authentication scheme
>> FortiGate-VM (scheme) $ edit ZTNA
>> FortiGate-VM (ZTNA) $ set method basic
>> FortiGate-VM (ZTNA) $ set user-database local-user-db
>> FortiGate-VM (ZTNA) $ next
>> FortiGate-VM (scheme) $ end
>> FortiGate-VM $ config authentication rule
>> FortiGate-VM (rule) $ edit ZTNA
>> FortiGate-VM (ZTNA) $ set srcintf port1
>> FortiGate-VM (ZTNA) $ set srcaddr all
>> FortiGate-VM (ZTNA) $ set ip-based disable
>> FortiGate-VM (ZTNA) $ set active-auth-method ZTNA
>> FortiGate-VM (ZTNA) $ next
>> FortiGate-VM (rule) $ end
>> FortiGate-VM $ config endpoint-control fctems
>> FortiGate-VM (fctems) $ edit 1
>> FortiGate-VM (1) $ set name ems-cloud
>> FortiGate-VM (1) $ set status enable
>> FortiGate-VM (1) $ set fortinetone-cloud-authentication enable
>> FortiGate-VM (1) $ next
>> The configuration will not be effective unless server certificate is verified.
>> You can get and verify server certificate by the following command:
>> "execute fctems verify 1" (ems table id)
>> FortiGate-VM (fctems) $ end
>> Finish running config script
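The bootstrap output above shows the config script carrying on after a command failed (`command parse error before 'gui-endpoint-control'`, `Command fail. Return code -61`), so a FortiGate can finish booting with part of its intended ZTNA configuration missing and nothing but this transcript to say so. The following Python is an added example and not anything from Fortinet: it scans `diagnose debug cloudinit show` output, pairs each `Command fail` line with the echoed command that produced it, and gives a single pass/fail verdict for a post-boot check. The sample is a constructed excerpt modelled on the page's output.

```python
import re

# Constructed excerpt of the page's `diagnose debug cloudinit show` output,
# including the failed command and the EMS certificate notice it shows.
SAMPLE_CLOUDINIT = """\
>> Found metadata source: ovf
>> Run config script
>> FortiGate-VM $ config system settings
>> FortiGate-VM (settings) $ set gui-application-control disable
>> FortiGate-VM (settings) $ set gui-endpoint-control disable
>> command parse error before 'gui-endpoint-control'
>> Command fail. Return code -61
>> FortiGate-VM (settings) $ set gui-vpn disable
>> FortiGate-VM (settings) $ end
>> FortiGate-VM $ config endpoint-control fctems
>> FortiGate-VM (fctems) $ edit 1
>> FortiGate-VM (1) $ set fortinetone-cloud-authentication enable
>> FortiGate-VM (1) $ next
>> The configuration will not be effective unless server certificate is verified.
>> FortiGate-VM (fctems) $ end
>> Finish running config script
"""

# Echoed CLI line: ">> <hostname> [(<context>)] $ <command>"
CMD_RE = re.compile(r"^>> (\S+) (?:\(([^)]*)\) )?\$ (.*)$")
FAIL_RE = re.compile(r"^>> Command fail\. Return code (-?\d+)\s*$")
START_MARK = ">> Run config script"
FINISH_MARK = ">> Finish running config script"


def failed_commands(text):
    """Return one dict per failed command: the CLI context it ran in, the
    command text, the return code, and any diagnostic lines (such as the parse
    error) printed between the echoed command and its 'Command fail' line."""
    failures = []
    last = None      # (context, command) of the most recent echoed command
    detail = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            last = (m.group(2) or "global", m.group(3).strip())
            detail = []
            continue
        m = FAIL_RE.match(line)
        if m and last is not None:
            failures.append({"context": last[0], "command": last[1],
                             "rc": int(m.group(1)), "detail": " ".join(detail)})
            continue
        if line.startswith(">> ") and last is not None:
            detail.append(line[3:])
    return failures


def script_completed(text):
    """True only if the script both started and reached its finish marker."""
    return START_MARK in text and FINISH_MARK in text


def bootstrap_ok(text):
    """Single verdict for a post-boot check: the script ran to the end and no
    command failed."""
    return script_completed(text) and not failed_commands(text)


if __name__ == "__main__":
    for f in failed_commands(SAMPLE_CLOUDINIT):
        print(f"FAILED in '{f['context']}': {f['command']} (rc={f['rc']}) {f['detail']}")
    print("bootstrap ok:", bootstrap_ok(SAMPLE_CLOUDINIT))
```

A failed `set` that silently leaves a GUI feature, a proxy policy or an authentication rule out of the bootstrapped configuration is easy to miss in a long transcript; running this over the output of every freshly deployed instance turns the transcript into a gate before the gateway is exposed to users.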


Support the new AWS c7gn instance family

FortiGate-VM supports the new AWS c7gn instance family using the FGT-ARM64-AWS image. See Instance type
support.

Support SCCC backed by AliCloud

FortiOS 7.4.0 supports Saudi Cloud Computing Company (SCCC) and the domain alibabacloud.sa, a standalone cloud
backed by AliCloud. This includes support for the SCCC region, me-central-1. You can create FortiGate-VM custom,
standalone, and high availability images on AliCloud SCCC.

Because SCCC is separate from the other AliCloud regions, it requires a different user account.

Fortinet images are not available on the SCCC marketplace. You deploy FortiGate-VMs on SCCC manually by uploading
the image to object storage and creating a custom image.

The following shows the GUI for an on-demand instance deployed on SCCC:

The following shows the GUI for a bring your own license instance deployed on SCCC:


The following shows CLI commands that use the SCCC region me-central-1 to configure an SDN connector to SCCC:

config system sdn-connector
    edit "myali"
        set type alicloud
        set access-key "LTAxxxxxxxxxxxxxfQR"
        set secret-key xxxxxxxxxxxx
        set region "me-central-1"    <==== FGT-ALI now supports the new region ID "me-central-1" for Aliyun SCCC
    next
end

Upgrade AWS ENA network interface driver to 2.8.3

FortiOS 7.4.0 upgrades the FortiGate-VM AWS ENA network interface driver from 2.6.1g to 2.8.3. The AWS ENA driver
2.8.3 introduces performance and stability optimizations over the previously used 2.6.1 driver. It also prepares
FortiGate-VM for new features that newer instance types include.

You can confirm the ENA driver version by running the get hardware nic port1 command:

Name: port1
Driver: ena
Version: 2.8.3g

Support UEFI-Preferred boot mode on AWS FortiGate-VM models

When deployed on instance types that support --boot-mode uefi-preferred, FortiGate-VM on AWS supports
UEFI-Preferred boot mode. You can label AMI images as UEFI-Preferred and boot with UEFI when the instance type
supports UEFI.


You can register a FortiGate-VM64-AWS custom image with the --boot-mode uefi-preferred option.

If the instance type only supports legacy BIOS boot mode, the FortiGate-VM64-AWS boots in BIOS mode even if it is
labelled as --boot-mode uefi-preferred. For example, the t2.small instance type does not support UEFI-
Preferred boot mode.

If the instance type supports legacy BIOS and UEFI boot modes, the FortiGate-VM64-AWS boots in UEFI mode if it is
labelled as --boot-mode uefi-preferred. For example, the c6a.large instance type supports legacy BIOS and
UEFI boot modes.


OCI DRCC support

FortiGate-VM is supported in OCI Dedicated Region Cloud@Customer (DRCC). For more information, see Dedicated
Region Cloud@Customer.

Support multiple compartments and regions with single OCI SDN connector

FortiOS 7.4.0 introduces the ability to set multiple regions and multiple compartments for a single OCI SDN connector.
This reduces the number of SDN connectors needed for any given OCI environment that uses multiple regions and
multiple compartments. You can combine a configuration that previously required multiple SDN connectors into a single
SDN connector.

Add Cisco ACI ESG support for direct connector - 7.4.1

When integrating with Cisco ACI using a direct connection SDN connector, you can filter on the endpoint security group
(ESG) when defining and resolving a dynamic address. The following shows a Cisco ACI tenant with an ESG in the
Cisco ACI-side GUI:


To configure a Cisco ACI SDN connector with the ESG filter in the GUI:

1. In FortiOS, go to Security Fabric > External Connectors.
2. Configure a Cisco ACI SDN connector. Ensure that the connector status is up.
3. Go to Policy & Objects > Addresses.
4. Create a dynamic firewall address. From the Sub Type dropdown list, select Fabric Connector Address.
5. From the SDN Connector dropdown list, select the Cisco ACI SDN connector.
6. From the Filter dropdown list, specify an ESG filter as desired.

7. Save the address. The resolved dynamic address appears in the dynamic firewall address configuration and is the
same as the IP address configured on the Cisco ACI side.

To configure a Cisco ACI SDN connector with the ESG filter in the CLI:

1. Configure a Cisco ACI SDN connector:
config system sdn-connector
    edit "aci_direct_van"
        set type aci-direct
        set verify-certificate disable
        set server-list "10.59.8.35"
        set username "admin"
        set password xxxxxx
    next
end

2. Ensure that the connector status is up:
diagnose system sdn status aci_direct_van
SDN Connector        Type          Status
-------------------------------------------------------------
aci_direct_van       aci-direct    Up

3. Create a dynamic firewall address, specifying an ESG filter as desired:
config firewall address
    edit "aci_esg_add"
        set uuid 7b199716-1450-51ee-22bb-12b344f6b1cf
        set type dynamic
        set sdn "aci_direct_van"
        set color 17
        set filter "Esg=lzou-esg-ip"
    next
end

The resolved dynamic address appears in the dynamic firewall address configuration and is the same as the IP
address configured on the Cisco ACI side:
config firewall address
    edit "aci_esg_add"
        set uuid 7b199716-1450-51ee-22bb-12b344f6b1cf
        set type dynamic
        set sdn "aci_direct_van"
        set color 17
        set filter "Esg=lzou-esg-ip"
        config list
            edit "10.0.3.12"
            next
        end
    next
end

Add OVF template support for VMware ESXi 8 - 7.4.1

This feature introduces compatibility between the FortiGate-VM64.ovf and FortiGate-VM65.vapp.ovf templates with
VMware ESXi 8, virtual hardware version 20. The following shows that you can boot up FortiGate-VM64.vapp.ovf on
vSphere 8.0 from both VMware ESXi and VCSA, which is compatible with VMware ESXi 8 virtual hardware version 20.

The following shows the FortiOS GUI:

GCP support for C3 machine type - 7.4.1

FortiGate-VM supports the GCP C3 machine type family. See Machine type support.

AWS support for local zones - 7.4.1

FortiGate-VM supports certain local zones with instance types c5d.2xlarge, c5d.4xlarge, and c5d.12xlarge. See Region
support.

AWS SBE support - 7.4.1

FortiOS 7.4.1 supports AWS Snowball Edge (SBE) devices, which are compute and storage resources at the edge that
have a limited connection or are entirely air gapped. See Deploying FortiGate-VM on SBE.

GCP support for C3A and C3D machine type - 7.4.2

FortiGate-VM supports the GCP C3A and C3D machine types. See Machine type support.

Add FortiFlex GUI option - 7.4.2

7.4.2 adds GUI support for applying a FortiFlex token on the FortiGate VM License page for the following VM instance
types:

• Newly deployed or expired FortiGate-VM instances. After logging into the FortiOS GUI, a FortiFlex token option is
available when the license popup appears:

• Already licensed FortiGate-VM instances. You can go to this page from the Virtual Machine dashboard widget or
from System > FortiGuard. A FortiFlex token option is available for migrating into FortiFlex:

AliCloud support for c7, c7a, and g5ne instance families - 7.4.2

FortiGate-VM supports the following AliCloud instance types that belong to the c7, c7a, and g5ne network-optimized
instance families:
• ecs.g5ne.large
• ecs.g5ne.xlarge
• ecs.g5ne.2xlarge
• ecs.g5ne.4xlarge
• ecs.g5ne.8xlarge
• ecs.g5ne.16xlarge
• ecs.g5ne.18xlarge
• ecs.c7.large
• ecs.c7.xlarge
• ecs.c7.2xlarge
• ecs.c7.3xlarge
• ecs.c7.4xlarge
• ecs.c7.6xlarge
• ecs.c7.8xlarge
• ecs.c7.16xlarge
• ecs.c7.32xlarge
• ecs.c7a.large
• ecs.c7a.xlarge
• ecs.c7a.2xlarge
• ecs.c7a.4xlarge
• ecs.c7a.8xlarge
• ecs.c7a.16xlarge
• ecs.c7a-nps1.8xlarge
• ecs.c7a.32xlarge
See Instance type support.

AliCloud support change route table with IPv4 gateway for HA - 7.4.2

FortiGate supports high availability (HA) failover scenarios behind an AliCloud IPv4 gateway. For information on how to
set up and configure an IPv4 gateway on your AliCloud virtual private cloud, see IPv4 gateway overview.

AWS SDN Connector support for alternate resources - 7.4.2

The FortiOS AWS SDN connector supports querying AWS for resource elastic IP addresses based on resource
attributes such as the owner ID, resource descriptions, and tags. See SDN connector support for alternate resources.

Integrate FortiGate Azure vWAN solution with Azure Monitor to capture health
metrics - 7.4.2

This information is also available in the Azure vWAN SD-WAN NGFW Deployment Guide:
• Integration with Azure Monitor to capture health metrics

When configuring the FortiGate-VM as a Network Virtual Appliance (NVA) as part of the Azure vWAN solution, FortiGate
can make API calls and send health metrics to Azure for integration with Azure Monitor.

Example

Once Azure Virtual WAN is configured, administrators can add the FortiGate vWAN virtual hub to Azure Monitor within
Azure. This allows Azure to receive metrics from the FortiGate and display them in the Monitor console. For information
about configuring FortiGate vWAN, see Azure vWAN SD-WAN NGFW Deployment Guide.

To add FortiGate vWAN virtual hub to Azure Monitor:

1. Go to the Azure Portal, and log in.
2. On the left navigation bar, click Monitor. The Monitor | Overview page is displayed.
3. On the Monitor | Overview page, click Metrics.
4. Click Select a scope, choose your Virtual WAN Virtual Hub object, and click Apply.
In this example the Virtual WAN Virtual Hub object named Wyoming is selected.
For more information about the fields, see Analyze metrics with Azure Monitor metrics explorer on the Microsoft site.

5. On the Monitor | Metrics page, a line chart displays the metrics for your settings.

Customizing the FortiFlex license token activation retry parameters - 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide:
• VM license

FortiOS supports the customization of the retries for FortiFlex license token activation. The token activation number of
retries and the interval between each attempt can be configured using the following commands, respectively:
execute vm-license-options count <integer>
execute vm-license-options interval <interval length in seconds>

If the vm-license-options count is set to zero, the token activation will retry indefinitely until success.

To define the FortiFlex token activation parameters:

1. Set the number of retries allowed:
execute vm-license-options count 4
2. Set the retry interval:
execute vm-license-options interval 5
3. Activate the license. The FortiFlex license token will be requested four times, with an interval of five seconds in
between, as set.
• If the license cannot be verified within the set number of retries, the download fails:
# execute vm-license F4FC697D65428013FAKE

This operation will reboot the system !

Do you want to continue? (y/n)y

Requesting FortiCare license token: *******, proxy:(null)
Requesting FortiCare license token: *******, proxy:(null)
Requesting FortiCare license token: *******, proxy:(null)
Requesting FortiCare license token: *******, proxy:(null)
Failed to download VM license.

• If the license can be verified within the set number of retries, the VM license is installed successfully:
# execute vm-license 227602862F7E6E9XXXX

This operation will reboot the system !

Do you want to continue? (y/n)y

Requesting FortiCare license token: *******, proxy:(null)
VM license install succeeded. Rebooting firewall.

FortiFlex token activation parameters can also be defined in an ISO file using the mime user-data.

To define the parameters in an ISO file:

1. Create a config drive ISO with a MIME file:
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license.txt"

LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4

See Cloud-init using config drive for more information.
2. Attach the ISO config drive at boot time. See Cloud-init for more information.
3. Boot up the VM and verify the token activation parameters:
# diagnose debug cloudinit show
>> Found config drive /dev/sr0
>> Successfully mount config drive
>> MIME parsed preconfig script
>> MIME parsed VM token
>> MIME parsed config script
>> Found metadata source: config drive
>> Run preconfig script
>> FortiGate-VM64 conf sys global

>> Trying to install vmlicense ...
>> License-token:334ADF7B49F2FEC1XXXX INTERVAL:5 COUNT:4
>> Run config script
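The following is an added example, not Fortinet code: it builds the config drive user-data shown in step 1, parses the LICENSE-TOKEN / INTERVAL / COUNT directive back out, and models the retry loop described above, including the COUNT 0 (retry until success) case. The token value and the stand-in license server are constructed placeholders, and the helper names are this example's own.

```python
"""Added example, not Fortinet code: FortiFlex token user-data for a config drive, plus a
model of the activation retry loop (COUNT 0 retries indefinitely, as the guide states)."""
import re
import time
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Callable, Dict, Optional

# Matches the directive line carried in license.txt, e.g.
# "LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4"
DIRECTIVE_RE = re.compile(
    r"^LICENSE-TOKEN:\s*(?P<token>\S+)"
    r"(?:\s+INTERVAL:\s*(?P<interval>\d+))?"
    r"(?:\s+COUNT:\s*(?P<count>\d+))?\s*$",
    re.MULTILINE,
)


def build_user_data(token: str, interval: int, count: int) -> str:
    """Return the MIME text for the license.txt attachment placed on the config drive ISO."""
    msg = EmailMessage()
    msg.set_content(
        f"LICENSE-TOKEN: {token} INTERVAL: {interval} COUNT: {count}\n",
        charset="us-ascii",
        cte="7bit",
        disposition="attachment",
        filename="license.txt",
    )
    return msg.as_string()


def parse_user_data(raw: str) -> Dict[str, Optional[object]]:
    """Extract token, interval and count from MIME user-data (None when a field is absent)."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_filename() != "license.txt":
        raise ValueError("user-data does not carry a license.txt attachment")
    match = DIRECTIVE_RE.search(msg.get_content())
    if not match:
        raise ValueError("no LICENSE-TOKEN directive found")
    return {
        "token": match["token"],
        "interval": int(match["interval"]) if match["interval"] else None,
        "count": int(match["count"]) if match["count"] else None,
    }


def activate_with_retries(request: Callable[[], bool], count: int, interval: int,
                          sleep: Callable[[float], None] = time.sleep) -> int:
    """Model of the activation loop: return the attempt number that succeeded, or raise
    after `count` failed attempts. count == 0 means retry indefinitely."""
    attempts = 0
    while True:
        attempts += 1
        if request():
            return attempts
        if count and attempts >= count:
            raise RuntimeError(f"Failed to download VM license after {attempts} attempts")
        sleep(interval)


def flaky_license_server(failures_before_success: int) -> Callable[[], bool]:
    """Constructed stand-in for the token request: fails N times, then succeeds."""
    state = {"calls": 0}

    def request() -> bool:
        state["calls"] += 1
        return state["calls"] > failures_before_success

    return request
```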

GCP support for confidential computing - 7.4.3

FortiOS 7.4.3 and later versions support confidential computing or confidential VM on Google Cloud Platform.
See:
• Confidential computing (Google Cloud Compute Engine)
• Confidential computing (Google Cloud SDK)

Support the AWS c7i and c7a instance families - 7.4.4

FortiGate-VM supports the AWS c7i and c7a instance families using the FGT-VM64-AWS image. See Instance type
support.

AWS silent fips-cipher enablement - 7.4.4

FIPS-CC cipher mode is silently enabled when configured via cloud-init. See Cloud-init.

Azure FortiGate-VM vWAN NVA support for PAYG metered billing - 7.4.4

Azure virtual WAN (vWAN) network virtual appliance (NVA) deployments support the FGT_VM64_AZURE pay as you
go (PAYG) licensing model.

To deploy a PAYG FortiGate-VM for Azure vWAN NVA deployment:

1. Configure the required resources in Azure:
a. In the Azure CLI, run the following to create a resource group, vWAN, and hub:
az account set --subscription BYOL-DevOps
LOC="westcentralus"
RG="6899_PMDB26235_vWAN_PAYG"
VWAN="ALPHA"
VHUB="PAYG"
CIDR="172.31.0.0/24"

az group create --name $RG --location $LOC
az network vwan create --resource-group $RG --name $VWAN
az network vhub create --resource-group $RG --vwan $VWAN --name $VHUB --address-prefix $CIDR

{
  "id": "/subscriptions/<subscription ID>/resourceGroups/vWAN_PAYG",
  "location": "westcentralus",
  "managedBy": null,
  "name": "vWAN_PAYG",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": {
    "CreatedOnDate": "2024-04-08T21:23:43.4609191Z"
  },
  "type": "Microsoft.Resources/resourceGroups"
}

{
  "allowBranchToBranchTraffic": true,
  "allowVnetToVnetTraffic": null,
  "disableVpnEncryption": false,
  "etag": "W/\"abcdefg\"",
  "id": "/subscriptions/<subscription ID>/resourceGroups/vWAN_PAYG/providers/Microsoft.Network/virtualWans/ALPHA",
  "location": "westcentralus",
  "name": "ALPHA",
  "office365LocalBreakoutCategory": "None",
  "provisioningState": "Succeeded",
  "resourceGroup": "vWAN_PAYG",
  "tags": null,
  "type": "Microsoft.Network/virtualWans",
  "typePropertiesType": "Standard",
  "virtualHubs": null,
  "vpnSites": null
}
{
  "addressPrefix": "172.31.0.0/24",
  "allowBranchToBranchTraffic": false,
  "etag": "W/\"abcdefg\"",
  "hubRoutingPreference": "ExpressRoute",
  "id": "/subscriptions/<subscription ID>/resourceGroups/vWAN_PAYG/providers/Microsoft.Network/virtualHubs/PAYG",
  "location": "westcentralus",
  "name": "PAYG",
  "provisioningState": "Succeeded",
  "resourceGroup": "vWAN_PAYG",
  "routeTable": {
    "routes": []
  },
  "routingState": "Provisioning",
  "type": "Microsoft.Network/virtualHubs",
  "virtualHubRouteTableV2s": [],
  "virtualRouterAsn": 65515,
  "virtualRouterAutoScaleConfiguration": {
    "minCapacity": 2
  },
  "virtualRouterIps": [],
  "virtualWan": {
    "id": "/subscriptions/<subscription ID>/resourceGroups/vWAN_PAYG/providers/Microsoft.Network/virtualWans/ALPHA",
    "resourceGroup": "vWAN_PAYG"
  }
}
packet@ubuntu:~/tmp$
packet@ubuntu:~/tmp$ az network vhub show -g $RG -n $VHUB
{
  "addressPrefix": "172.31.0.0/24",
  "allowBranchToBranchTraffic": false,
  "etag": "W/\"abcdefg\"",
  "hubRoutingPreference": "ExpressRoute",
  "id": "/subscriptions/<subscription ID>/resourceGroups/vWAN_PAYG/providers/Microsoft.Network/virtualHubs/PAYG",
  "location": "westcentralus",
  "name": "PAYG",
  "provisioningState": "Succeeded",
  "resourceGroup": "vWAN_PAYG",
  "routeTable": {
    "routes": []
  },
  "routingState": "Provisioned",
  "type": "Microsoft.Network/virtualHubs",
  "virtualHubRouteTableV2s": [],
  "virtualRouterAsn": 65515,
  "virtualRouterAutoScaleConfiguration": {
    "minCapacity": 2
  },
  "virtualRouterIps": [
    "172.31.0.69",
    "172.31.0.68"
  ],
  "virtualWan": {
    "id": "/subscriptions/<subscription ID>/resourceGroups/vWAN_PAYG/providers/Microsoft.Network/virtualWans/ALPHA",
    "resourceGroup": "vWAN_PAYG"
  }
}
packet@ubuntu:~/tmp$

b. Azure takes up to 30 minutes to provision the required resources for the vWAN and the virtual hub. Azure creates
the routers and updates their firmware. Once Hub status displays as Succeeded, Router Version displays as Latest,
and Routing status displays as Provisioned, go to the Azure portal to provision FGT_VM64_AZURE PAYG as
an NVA.
2. Create a FortiGate-managed application for vWAN:
a. From the FortiGate Image SKU dropdown list, select Pay As you Go (PAYG).
b. From the Fortigate Image Version dropdown list, select latest. Configure other fields as desired, then click Next.

c. From the Virtual WAN Hub dropdown list, select the vWAN hub that you created earlier. Configure other fields
as desired, then click Next.
d. The external load balancer public IP SKU is standard and unavailable for customization. Click Next.
e. If desired, create tags. Click Next.
f. Agree to the terms and conditions, then click Create.
3. Deployment takes 10-15 minutes. Connect to the FGT_VM64_AZURE PAYG instances using the IP addresses in
the Public IP Address column for each hub and the FortiGate administrative username and FortiGate password that
you configured.

4. Configure static routes and verify that BGP neighbors are established between the FGT_VM64_AZURE
PAYG instances and Azure vWAN routers:
config router static
    edit 1
        set gateway 172.31.0.241
        set device "port1"
    next
    edit 68
        set dst 172.31.0.68/32
        set gateway 172.31.0.225
        set device "port2"
    next
    edit 69
        set dst 172.31.0.69/32
        set gateway 172.31.0.225
        set device "port2"
    next
end

fg-sdfw-cgixxtfyreom~000 (Interim)# get router info bgp neighbors | grep "BGP neighbor" -A4
BGP neighbor is 172.31.0.68, remote AS 65515, local AS 64512, external link
BGP version 4, remote router ID 172.31.0.68
BGP state = Established, up for 1d02h26m
Last read 00:00:01, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
--
External BGP neighbor may be up to 255 hops away.
Local host: 172.31.0.230, Local port: 179
Foreign host: 172.31.0.68, Foreign port: 58626
Egress interface: 5
Nexthop: 172.31.0.230
--
BGP neighbor is 172.31.0.69, remote AS 65515, local AS 64512, external link
BGP version 4, remote router ID 172.31.0.69
BGP state = Established, up for 1d02h26m
Last read 00:00:20, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
--
External BGP neighbor may be up to 255 hops away.
Local host: 172.31.0.230, Local port: 179
Foreign host: 172.31.0.69, Foreign port: 58252
Egress interface: 5
Nexthop: 172.31.0.230

fg-sdfw-cgixxtfyreom~000 (Interim)#
fg-sdfw-cgixxtfyreom~000 (Interim)# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 172.31.0.241, port1, [1/0]
S       168.63.129.16/32 [5/0] via 172.31.0.241, port1, [1/0]
S       169.254.169.254/32 [5/0] via 172.31.0.241, port1, [1/0]
B       172.31.0.0/24 [20/0] via 172.31.0.68 (recursive via 172.31.0.225, port2), 1d02h25m, [1/0]
                      [20/0] via 172.31.0.69 (recursive via 172.31.0.225, port2), 1d02h25m, [1/0]
S       172.31.0.68/32 [10/0] via 172.31.0.225, port2, [1/0]
S       172.31.0.69/32 [10/0] via 172.31.0.225, port2, [1/0]
C       172.31.0.224/28 is directly connected, port2
C       172.31.0.240/28 is directly connected, port1
B       172.31.1.0/24 [20/0] via 172.31.0.68 (recursive via 172.31.0.225, port2), 1d02h25m, [1/0]
                      [20/0] via 172.31.0.69 (recursive via 172.31.0.225, port2), 1d02h25m, [1/0]

fg-sdfw-cgixxtfyreom~000 (Interim)#

5. Verify vwan-payg-billing status and usage on the FGT_VM64_AZURE PAYG instances:
fg-sdfw-cgixxtfyreom~000 (Interim)# get system status
Version: FortiGate-VM64-AZURE v7.4.4,build4691,240329 (interim)
First GA patch build date: 230509
Security Level: 0
Firmware Signature: not-certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)
Proxy-APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 0.00000(2001-01-01 00:00)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.00527(2024-01-24 23:27)
Serial-Number: FGTAZRL12345
License Status: Valid
VM Resources: 2 CPU, 6971 MB RAM
Azure NVA: fg-sdfw-cgixxtfyreomy, Group ID = <group ID>
Azure NVA PAYG Billing: Valid
Log hard disk: Not available
Hostname: fg-sdfw-cgixxtfyreomy000000
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 2639
Release Version Information: interim
FortiOS x86-64: Yes
System time: Wed Apr 10 13:12:42 2024
Last reboot reason: warm reboot

fg-sdfw-cgixxtfyreom~000 (Interim)#
fg-sdfw-cgixxtfyreom~000 (Interim)# execute azure vwan-payg-billing status
NVA metering state:
last billing time: Wed Apr 10 12:02:33 2024
billing dimension: cpucore2
billing backlog: 0
traffic limited: No

fg-sdfw-cgixxtfyreom~000 (Interim)# execute azure vwan-payg-billing usage
offerId: fortigate_vwan_nva-beta
planId: mgdfgthybrid-beta
usageResourceId: /subscriptions/<subscription ID>/resourceGroups/vWAN_
PAYG/providers/Microsoft.Solutions/applications/managedApp

billingDimension: 1_cpucore2
-----------------------------
Usage Date: 2024-04-10 2024-04-09 2024-04-08
Recon Status: Submitted Submitted Submitted
submitted Count/Quantity: 20/20 24/24 2/2
processed Quantity: 0 0 0

billingDimension: cpucore2 (current instance)
-----------------------------
Usage Date: 2024-04-10 2024-04-09 2024-04-08
Recon Status: Submitted Submitted Submitted
submitted Count/Quantity: 20/20 24/24 2/2
processed Quantity: 0 0 0

fg-sdfw-cgixxtfyreom~000 (Interim)#

fg-sdfw-cgixxtfyreom~001 (Interim)# get system status
Version: FortiGate-VM64-AZURE v7.4.4,build4691,240329 (interim)
First GA patch build date: 230509
Security Level: 0
Firmware Signature: not-certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)
Proxy-APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 0.00000(2001-01-01 00:00)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.00527(2024-01-24 23:27)
Serial-Number: FGTAZR67890
License Status: Valid
VM Resources: 2 CPU, 6971 MB RAM
Azure NVA: fg-sdfw-cgixxtfyreomy, Group ID = <group ID>
Azure NVA PAYG Billing: Valid
Log hard disk: Not available
Hostname: fg-sdfw-cgixxtfyreomy000001
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 2639
Release Version Information: interim
FortiOS x86-64: Yes
System time: Wed Apr 10 13:17:06 2024
Last reboot reason: warm reboot

fg-sdfw-cgixxtfyreom~001 (Interim)#
fg-sdfw-cgixxtfyreom~001 (Interim)# execute azure vwan-payg-billing status
NVA metering state:
last billing time: Wed Apr 10 12:02:35 2024
billing dimension: 1_cpucore2
billing backlog: 0
traffic limited: No

fg-sdfw-cgixxtfyreom~001 (Interim)# execute azure vwan-payg-billing usage
offerId: fortigate_vwan_nva-beta
planId: mgdfgthybrid-beta
usageResourceId: /subscriptions/<subscription ID>/resourceGroups/vWAN_
PAYG/providers/Microsoft.Solutions/applications/managedApp

billingDimension: 1_cpucore2 (current instance)
-----------------------------
Usage Date: 2024-04-10 2024-04-09 2024-04-08
Recon Status: Submitted Submitted Submitted
submitted Count/Quantity: 20/20 24/24 2/2
processed Quantity: 0 0 0

billingDimension: cpucore2
-----------------------------
Usage Date: 2024-04-10 2024-04-09 2024-04-08
Recon Status: Submitted Submitted Submitted
submitted Count/Quantity: 20/20 24/24 2/2
processed Quantity: 0 0 0

fg-sdfw-cgixxtfyreom~001 (Interim)#
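The following is an added example, not Fortinet code, covering the checks in steps 1 and 4 above: it reads the hub's virtualRouterIps and virtualRouterAsn from the `az network vhub show` JSON and the FortiOS `get router info bgp neighbors` output, and reports any hub router that has no Established eBGP session. The sample data is constructed from the values in this section (one session is deliberately shown in Active state), and the helper names are this example's own.

```python
"""Added example, not Fortinet code: verify that a vWAN NVA peers with every hub router."""
import json
import re
from typing import Dict, List, Tuple

# Constructed: trimmed `az network vhub show` output with the values used above.
HUB_JSON = """{
  "name": "PAYG",
  "routingState": "Provisioned",
  "virtualRouterAsn": 65515,
  "virtualRouterIps": ["172.31.0.69", "172.31.0.68"]
}"""

# Constructed: the `grep "BGP neighbor" -A4` slice of the FortiOS neighbor output,
# with the second session not yet Established to show the check firing.
BGP_TEXT = """BGP neighbor is 172.31.0.68, remote AS 65515, local AS 64512, external link
BGP version 4, remote router ID 172.31.0.68
BGP state = Established, up for 1d02h26m
--
BGP neighbor is 172.31.0.69, remote AS 65515, local AS 64512, external link
BGP version 4, remote router ID 172.31.0.69
BGP state = Active
"""

NEIGHBOR_RE = re.compile(
    r"^BGP neighbor is (?P<ip>[\d.]+), remote AS (?P<asn>\d+), local AS (?P<local>\d+)",
    re.MULTILINE,
)
STATE_RE = re.compile(r"^BGP state = (?P<state>\w+)", re.MULTILINE)


def parse_bgp_neighbors(text: str) -> Dict[str, Tuple[int, str]]:
    """Map neighbor IP -> (remote AS, session state) from FortiOS neighbor output."""
    result: Dict[str, Tuple[int, str]] = {}
    # Split so that each chunk holds exactly one neighbor's lines.
    for chunk in re.split(r"(?m)^(?=BGP neighbor is )", text):
        head = NEIGHBOR_RE.search(chunk)
        if not head:
            continue
        state = STATE_RE.search(chunk)
        result[head["ip"]] = (int(head["asn"]), state["state"] if state else "Unknown")
    return result


def check_hub_peering(hub_json: str, bgp_text: str) -> List[str]:
    """Return a list of problems; an empty list means every hub router is Established."""
    hub = json.loads(hub_json)
    problems: List[str] = []
    if hub.get("routingState") != "Provisioned":
        problems.append(f"hub routingState is {hub.get('routingState')}, not Provisioned")
    router_ips = hub.get("virtualRouterIps") or []
    if not router_ips:
        problems.append("hub has no virtualRouterIps yet (still provisioning?)")
    neighbors = parse_bgp_neighbors(bgp_text)
    for ip in router_ips:
        if ip not in neighbors:
            problems.append(f"no BGP neighbor configured for hub router {ip}")
            continue
        asn, state = neighbors[ip]
        if asn != hub["virtualRouterAsn"]:
            problems.append(f"{ip}: remote AS {asn} != hub AS {hub['virtualRouterAsn']}")
        if state != "Established":
            problems.append(f"{ip}: BGP state is {state}")
    for ip in neighbors:
        if ip not in router_ips:
            problems.append(f"unexpected BGP neighbor {ip} not in hub router list")
    return problems


if __name__ == "__main__":
    for problem in check_hub_peering(HUB_JSON, BGP_TEXT) or ["all hub routers Established"]:
        print(problem)
```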

GCP SDN connector to support IPv6 route table update via NextHopInstance - 7.4.4

High availability (HA) failover is now supported for IPv6 networks on GCP. The nextHopInstance route table attribute is
used upon an HA failover event. See GCP IPv6 Route Support with nextHopInstance.

Support for AliCloud Apsara Stack - 7.4.4

AliCloud has introduced Apsara Stack, which allows users or enterprises to deploy a public cloud stack on on-premises
infrastructure and therefore scale AliCloud services seamlessly. FortiGate-VM is officially certified for Apsara Stack
support.

Azure SDN connector moves private IP address on trusted NIC during A-P HA
failover - 7.4.5

This feature introduces a floating private IP address on the trusted NIC (port2).
In earlier FortiOS versions, the SDN connector was used to reassociate the public IP address from the old primary
instance's untrust interface to the new primary instance's untrust interface during active-passive high availability (A-P HA)
failover, and to change the next hop to redirect traffic to the new primary instance. In this scenario, you had to manually
update user-defined routes (UDR) to redirect traffic to the trusted NIC on the new primary instance, which was
laborious and difficult to manage.
This feature allows you to avoid manually updating the UDRs after failover. Instead, you can configure all UDRs to use
the secondary floating IP address as the next hop. When failover occurs, the SDN connector switches the secondary
floating private IP address from the old primary instance to the new primary instance. This is achieved by deleting
the secondary private IP interface and recreating it with the same IP address on the new primary instance. The UDRs
remain unchanged. Failover duration depends on the time taken to reassign the private IP address.
The following shows the topology for an example deployment:

The following instructions assume that you have already deployed FortiGate-VMs on Azure as an A-P HA cluster, with
the following ports configuration:

Port     Description
port1    untrusted, to_Internet
port2    trusted
port3    HA-sync
port4    HA-mgmt

The SDN connector cannot update the elastic IP address (EIP) without valid authentication. For the SDN connector
authentication, you can configure one of the following:
• Azure SDN connector service principal configuration requirements
• Configuring an SDN connector using a managed identity
The following example uses managed identities.
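As an added example (not Fortinet's or Azure's code), the following models the floating-IP mechanism just described and checks the invariants it relies on: the UDR next hop is the floating secondary IP, and exactly one trusted NIC, the active node's, holds that address at any time. Records are constructed in the shape of the `az network nic ip-config list` and `az network route-table route show` output; the NIC names and the floating IP 172.16.32.22 come from this section, while FGT-A's primary port2 address is a made-up placeholder and the helper names are this example's own.

```python
"""Added example, not Fortinet/Azure code: model and check the A-P HA floating private IP."""
import copy
from typing import Dict, List

FLOATING_IP = "172.16.32.22"

# Constructed: ipconfig lists per trusted NIC (port2 of each HA node), as az CLI reports them.
NICS: Dict[str, List[dict]] = {
    "VNET0-FGT-A-Nic2": [
        # placeholder primary address for FGT-A; not taken from the page
        {"name": "ipconfig1", "primary": True, "privateIPAddress": "172.16.32.20"},
    ],
    "VNET0-FGT-B-Nic2": [
        {"name": "ipconfig1", "primary": True, "privateIPAddress": "172.16.32.21"},
        {"name": "ipconfig2", "primary": False, "privateIPAddress": FLOATING_IP},
    ],
}

# Constructed: the toDefault route of VNET0-RouteTable-ProtectedSubnet.
ROUTE = {
    "name": "toDefault",
    "addressPrefix": "0.0.0.0/0",
    "nextHopType": "VirtualAppliance",
    "nextHopIpAddress": FLOATING_IP,
}


def holders(nics: Dict[str, List[dict]], ip: str) -> List[str]:
    """Names of NICs that carry `ip` as a non-primary (secondary) ipconfig."""
    return [name for name, cfgs in nics.items()
            if any(c["privateIPAddress"] == ip and not c["primary"] for c in cfgs)]


def check_state(nics: Dict[str, List[dict]], route: dict, floating_ip: str,
                active_nic: str) -> List[str]:
    """Return problems; an empty list means the UDR delivers traffic to the active node."""
    problems: List[str] = []
    if route["nextHopType"] != "VirtualAppliance":
        problems.append(f"UDR next hop type is {route['nextHopType']}, not VirtualAppliance")
    if route["nextHopIpAddress"] != floating_ip:
        problems.append(f"UDR next hop {route['nextHopIpAddress']} is not the floating IP")
    primaries = [c["privateIPAddress"] for cfgs in nics.values() for c in cfgs if c["primary"]]
    if floating_ip in primaries:
        problems.append("floating IP collides with a NIC primary address")
    who = holders(nics, floating_ip)
    if len(who) != 1:
        problems.append(f"floating IP held by {who!r}, expected exactly one NIC")
    elif who[0] != active_nic:
        problems.append(f"floating IP is on {who[0]} but {active_nic} is the active node")
    return problems


def move_floating_ip(nics: Dict[str, List[dict]], floating_ip: str, src_nic: str,
                     dst_nic: str, config_name: str = "ipconfig2") -> Dict[str, List[dict]]:
    """Model the connector's failover action: delete the secondary ipconfig on the old
    primary and recreate it with the same address on the new primary. The route is untouched."""
    new = copy.deepcopy(nics)
    new[src_nic] = [c for c in new[src_nic]
                    if not (c["privateIPAddress"] == floating_ip and not c["primary"])]
    new[dst_nic].append({"name": config_name, "primary": False, "privateIPAddress": floating_ip})
    return new
```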

To configure Azure SDN connector to move private IP address on trusted NIC during A-P HA failover:

1. Assign the contributor role to the HA cluster nodes with a scope. See Configure managed identities on Azure virtual
machines (VMs):
SCOPE="$(az group show -g $RG --query "id" -otsv)"
az vm identity assign --resource-group $RG --role Contributor --scope $SCOPE --name VNET0-FGT-A
az vm identity assign --resource-group $RG --role Contributor --scope $SCOPE --name VNET0-FGT-B
{
  "role": "Contributor",
  "scope": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A",
  "systemAssignedIdentity": "4ae41c9a-146a-415b-b8f8-0a8fdffa6ad8",
  "userAssignedIdentities": {}
}
{
  "role": "Contributor",
  "scope": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A",
  "systemAssignedIdentity": "9bb34ee6-ae9b-42a1-8d9a-084133ba3b0f",
  "userAssignedIdentities": {}
}

2. Verify that the SDN connector is configured and can update the EIP:
VNET0-FGT-B (Interim)# get system status
Version: FortiGate-VM64-AZURE v7.4.5,build2686,240806 (interim)
First GA patch build date: 230509
Security Level: 0
Firmware Signature: not-certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)
Proxy-APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 24.00071(2024-07-31 17:46)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.00539(2024-05-09 00:34)
Serial-Number: FGTAZRLF5HB4I_03
License Status: Valid
VM Resources: 4 CPU, 7978 MB RAM
Log hard disk: Available
Hostname: VNET0-FGT-B
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, primary
Cluster uptime: 47 minutes, 22 seconds
Cluster state change time: 2024-08-06 12:12:00
Branch point: 2686
Release Version Information: interim
FortiOS x86-64: Yes
System time: Tue Aug 6 12:39:13 2024
Last reboot reason: warm reboot

VNET0-FGT-B (Interim)# show system sdn-connector
config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set subscription-id "4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a"
        set resource-group "6899_HA-A"
        config nic
            edit "VNET0-FGT-B-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "HA-A-PIP"
                    next
                end
            next
        end
        config route-table
            edit "VNET0-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "172.16.32.21"
                    next
                end
            next
        end
    next
end

VNET0-FGT-B (Interim)# diagnose sys sdn status
SDN Connector        Type      Status
-------------------------------------------------------------
AzureSDN             azure     Up

VNET0-FGT-B (Interim)# execute update-eip
NIC: 172.16.32.5, public IP: 20.191.71.72
NIC: 172.16.32.21
NIC: 172.16.32.37
NIC: 172.16.32.53, public IP: 13.66.252.150
port1: 172.16.32.5, eip: 20.191.71.72
port2: 172.16.32.20
EIP is updated successfully

3. On both HA nodes, configure the SDN connector as follows. The commands configure the new options, peer-nic and
private-ip:
# config for VNET0-FGT-A
config system sdn-connector
    edit "AzureSDN"
        config nic
            edit "VNET0-FGT-A-Nic2"
                set peer-nic "VNET0-FGT-B-Nic2"
                config ip
                    edit "ipconfig2"
                        set private-ip "172.16.32.22"
                    next
                end
            next
        end
        config route-table
            edit "VNET0-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "172.16.32.22"
                    next
                end
            next
        end
    next
end

# config for VNET0-FGT-B
config system sdn-connector
    edit "AzureSDN"
        config nic
            edit "VNET0-FGT-B-Nic2"
                set peer-nic "VNET0-FGT-A-Nic2"
                config ip
                    edit "ipconfig2"
                        set private-ip "172.16.32.22"
                    next
                end
            next
        end
        config route-table
            edit "VNET0-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "172.16.32.22"
                    next
                end
            next
        end
    next
end

4. Add a secondary IP address, 172.16.32.22 in this example, to the HA nodes' port2:
config system interface
    edit "port2"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.16.32.22/28
                set allowaccess ping
            next
        end
    next
end

5. Run the following in the Azure CLI to associate a secondary IP address to port2:
az network nic ip-config create --resource-group $RG \
    --nic-name VNET0-FGT-B-NIC2 --name ipconfig2 \
    --private-ip-address 172.16.32.22
{
  "etag": "W/\"c0249b51-62fe-4524-9676-4b58a167f244\"",
  "id": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A/providers/Microsoft.Network/networkInterfaces/VNET0-FGT-B-Nic2/ipConfigurations/ipconfig2",
  "name": "ipconfig2",
  "primary": false,
  "privateIPAddress": "172.16.32.22",
  "privateIPAddressVersion": "IPv4",
  "privateIPAllocationMethod": "Static",
  "provisioningState": "Succeeded",
  "resourceGroup": "6899_HA-A",
  "subnet": {
    "id": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A/providers/Microsoft.Network/virtualNetworks/VNET0/subnets/InternalSubnet",
    "resourceGroup": "6899_HA-A"
  },
  "type": "Microsoft.Network/networkInterfaces/ipConfigurations"
}

6. Verify the IP configurations on port2 of both nodes:
az network nic ip-config list -g $RG --nic-name VNET0-FGT-B-Nic2
[
  {
    "etag": "W/\"c0249b51-62fe-4524-9676-4b58a167f244\"",
    "id": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A/providers/Microsoft.Network/networkInterfaces/VNET0-FGT-B-Nic2/ipConfigurations/ipconfig1",
    "name": "ipconfig1",
    "primary": true,
    "privateIPAddress": "172.16.32.21",
    "privateIPAddressVersion": "IPv4",
    "privateIPAllocationMethod": "Static",
    "provisioningState": "Succeeded",
    "resourceGroup": "6899_HA-A",
    "subnet": {
      "id": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A/providers/Microsoft.Network/virtualNetworks/VNET0/subnets/InternalSubnet",
      "resourceGroup": "6899_HA-A"
    },
    "type": "Microsoft.Network/networkInterfaces/ipConfigurations"
  },
  {
    "etag": "W/\"c0249b51-62fe-4524-9676-4b58a167f244\"",
    "id": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A/providers/Microsoft.Network/networkInterfaces/VNET0-FGT-B-Nic2/ipConfigurations/ipconfig2",
    "name": "ipconfig2",
    "primary": false,
    "privateIPAddress": "172.16.32.22",
    "privateIPAddressVersion": "IPv4",
    "privateIPAllocationMethod": "Static",
    "provisioningState": "Succeeded",
    "resourceGroup": "6899_HA-A",
    "subnet": {
      "id": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A/providers/Microsoft.Network/virtualNetworks/VNET0/subnets/InternalSubnet",
      "resourceGroup": "6899_HA-A"
    },
    "type": "Microsoft.Network/networkInterfaces/ipConfigurations"
  }
]

7. In the Azure CLI, verify that the route toDefault next hop IP address is 172.16.32.22:
az network route-table route show -g $RG --route-table-name VNET0-RouteTable-ProtectedSubnet --name toDefault
{
  "addressPrefix": "0.0.0.0/0",
  "etag": "W/\"879c8971-1b10-4905-83fd-b63e1c8f76c7\"",
  "hasBgpOverride": false,
  "id": "/subscriptions/4f27b38c-ad3f-43d8-a9a3-01182e5e2f9a/resourceGroups/6899_HA-A/providers/Microsoft.Network/routeTables/VNET0-RouteTable-ProtectedSubnet/routes/toDefault",
  "name": "toDefault",
  "nextHopIpAddress": "172.16.32.22",
  "nextHopType": "VirtualAppliance",
  "provisioningState": "Succeeded",
  "resourceGroup": "6899_HA-A",
  "type": "Microsoft.Network/routeTables/routes"
}

8. Configure the following so that the endpoint can reach the internet (outbound NAT policy, inbound VIPs, and the loopback inspection policy):

config firewall policy
    edit 100
        set name "to_Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

config firewall vip
    edit "172.16.33.4:80"
        set mappedip "172.16.33.4"
        set extintf "port1"
        set portforward enable
        set extport 80
        set mappedport 80
    next
    edit "172.16.33.4:443"
        set mappedip "172.16.33.4"
        set extintf "port1"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "172.16.33.4:65122"
        set mappedip "172.16.33.4"
        set extintf "port1"
        set portforward enable
        set extport 65122
        set mappedport 22
    next
    edit "172.16.33.4:69"
        set mappedip "172.16.33.4"
        set extintf "port1"
        set portforward enable
        set protocol udp
        set extport 69
        set mappedport 69
    next
end
config firewall vipgrp
    edit "VIPs_on_Internal"
        set interface "port1"
        set member "172.16.33.4:443" "172.16.33.4:80" "172.16.33.4:65122" "172.16.33.4:69"
    next
end
config firewall policy
    edit 200
        set name "VIP"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIPs_on_Internal"
        set schedule "always"
        set service "ALL"
    next
end

config system interface
    edit root_lo0
        set vdom root
        set type loopback
    next
end
config firewall policy
    edit 1000
        set srcintf "root_lo0"
        set dstintf "root_lo0"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set file-filter-profile "default"
        set ips-sensor "default"
        set application-list "default"
    next
end

9. Verify that the endpoint can reach the internet.
10. Trigger HA failover.
11. Verify that the endpoint can reach the internet after failover.
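The checks in steps 6 and 7 (the floating ipconfig2 sits on the active node's port2 NIC, and the toDefault route's next hop points at it) can be automated from the JSON the same two az commands return. The following is an added example, not part of the FortiOS guide; the sample JSON is constructed to mirror the guide's output, with the resource id prefix abbreviated, and the NIC name is the one the guide shows.

```python
# Added example (not from the FortiOS guide): check the post-failover state the
# guide verifies by hand in steps 6 and 7, from the JSON that the same two az
# commands return. Sample JSON below is constructed to mirror the guide's output.
import json
from typing import Optional

NIC = "VNET0-FGT-B-Nic2"  # port2 NIC of the node expected to be active
_ID = "/subscriptions/x/resourceGroups/6899_HA-A/providers/Microsoft.Network/networkInterfaces/"
SAMPLE_IPCONFIGS = json.dumps([
    {"id": f"{_ID}{NIC}/ipConfigurations/ipconfig1", "name": "ipconfig1", "primary": True,
     "privateIPAddress": "172.16.32.21", "provisioningState": "Succeeded"},
    {"id": f"{_ID}{NIC}/ipConfigurations/ipconfig2", "name": "ipconfig2", "primary": False,
     "privateIPAddress": "172.16.32.22", "provisioningState": "Succeeded"},
])
SAMPLE_ROUTE = json.dumps({
    "addressPrefix": "0.0.0.0/0", "name": "toDefault", "nextHopType": "VirtualAppliance",
    "nextHopIpAddress": "172.16.32.22", "provisioningState": "Succeeded",
})


def floating_ips(ipconfigs_json: str, nic_name: str) -> set:
    """Non-primary private IPs on nic_name: the floating ipconfig2 that the SDN
    connector moves to whichever node is currently primary."""
    ips = set()
    for cfg in json.loads(ipconfigs_json):
        if f"/networkInterfaces/{nic_name}/" not in cfg["id"]:
            continue  # ipconfig belongs to another NIC
        if cfg.get("primary") is False and cfg.get("provisioningState") == "Succeeded":
            ips.add(cfg["privateIPAddress"])
    return ips


def default_next_hop(route_json: str) -> Optional[str]:
    """Next hop of the 0.0.0.0/0 route, or None if it is not a healthy
    VirtualAppliance route (a stale or failed route update must count as a failure)."""
    r = json.loads(route_json)
    if r.get("addressPrefix") != "0.0.0.0/0" or r.get("nextHopType") != "VirtualAppliance":
        return None
    if r.get("provisioningState") != "Succeeded":
        return None
    return r.get("nextHopIpAddress")


def failover_ok(ipconfigs_json: str, route_json: str, active_nic: str) -> bool:
    """True only when the default route points at a floating IP that the
    expected active node's port2 NIC actually holds."""
    hop = default_next_hop(route_json)
    return hop is not None and hop in floating_ips(ipconfigs_json, active_nic)
```

Run it before and after step 10 with the NIC of whichever node should be primary; a False result after failover means either the ipconfig move or the route update did not complete.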
