FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 1 - What's New for FortiOS 5.2 > New features in FortiOS 5.2.1

New features in FortiOS 5.2.1

This chapter provides a brief introduction to the following features that were added to FortiOS 5.2.1. See the release notes for a complete list of new features/resolved issues in this release.

Include bandwidth and setup rate statistics in the event log

Bandwidth and setup rate statistics are vital for customer’s units health reports.

The advantage of these parameters are:

  • Improves performance on FAZ. Simple query small logs makes FAZ build reports faster and have more idle time for other reports.
  • Reduces amount of logs send to FAZ.
  • Uses less disk space on FAZ for the same report type.

Allow export of collected emails

This feature adds a new monitor page called Collected Email Addresses under User & Device > Monitor menu, it is essentially a filter on the device list for devices that have an email address associated with them.

The feature allows the administrator to export the list to a CSV file which can then be used for marketing or analysis purposes.

Ssl-ssh-profile is no longer mandatory when utm profiles are enabled

When UTM profiles are enabled in a security policy, you can set or unset ssl-ssh profile.


config firewall policy

edit 1

set ssl-ssh profile <test>



Disallow multiple destination interfaces on an IPsec firewall policy

When a firewall policy is set to action IPsec, multiple Outgoing Interface should not be allowed.

Since multiple destination interfaces on an IPsec policy aren't necessary, the CLI and GUI was updated to explicitly disallow it.

Add a new diag test command for fnbamd

The following command was added to show authentication session statistics:


diagnose test application fnbamd 1

Sample output

diagnose test application fnbamd 1

Pending sessions:       0

Max session reached:    0


requests:          5000

sessions:                   5000

released:                   5000


requests:         74

sessions:          0

released:         0


requests:          0

sessions:                   0

released:          0

Add deregister all option in diagnose endpoint control registration

When there is a long list of registered endpoint needed to be deregistered, the following command was added to do so:

diagnose endpoint registration deregister all

Redirect kernel messages to non-console terminals

To be able to see kernel messages from ssh or telnet which needed when customer unit is accessible remotely, the following command has been added:

diagnose debug application kmiglogd <Integer>

<Integer> is the debug level. For example, 1 would be the maximum log level in kernel to be shown.

Add FortiExtender supported 3G/4G modem list

A new 3G/4G modem list is introduced that contain the list of supported modems for both FortiGate and FortiExtender.

GUI changes

Under the System > Network > Modem page, click Configure Modem link under the External Modem section to see the list for FortiGate and FortiExtender.

Under the System > Network > FortiExtender page, click Configure Settings and click Supported Modems link under Modem Settings section to show the supported FortiExtender modem list. This will jump back to the page under System > Network > Modem page, click Configure Modem link.


The following new diagnose command was added to show the list of supported FortiExtender modems:

diagnose extender modem-list

Add a new option for STP forwarding

Due to STP forwarding problem in one-arm transparent mode firewall, a new option: replace nothing (rpl-nothing) has been added when configuring stpforward-mode.


config system interface

edit wan1

set stpforward enable

set stpforward-mode rpl-nothing



Suppress probe response based on threshold in wireless controller vap

The wireless controller vap supports probe response suppression (probe-resp-suppression) and probe response threshold (probe-resp-threshold).


config wireless-controller vap

edit “SSID”

set probe-resp-suppression enable|disable

set probe-resp-threshold <value>



probe-resp-threshold range is [-20,-95]dBm, and the default is -80dBm if enabled.

Move global antivirus service settings into profile-protocol-options

The global antivirus service settings moved into profile-protocol-options (options included: uncompsizelimit, uncompnestlimit, scan-bzip2, and block-page-status-code). HTTP and HTTPS combined into HTTP, uncompsizelimit changed to uncompressed-oversize-limit and uncompnestlimit to uncompressed-nest-limit. scan-bzip2 set to enabled by default and an appropriate help text added.

On upgrade, the options from antivirus service are moved into the corresponding entries in each profile-protocol-options.

CLI changes

The following options are moved from global antivirus service to firewall profile-protocol-options: uncompsizelimit, uncompnestlimit, scan-bzip2, and block-page-status-code moved.

The following options are removed: ftp, ftps, http, https, imap, imaps, nntp, pop3, pop3s, smtp, and smtps.

The following help test was added:

uncompressed-oversize-limit Maximum in-memory uncompressed size that can be scanned.

uncompressed-nest-limit Maximum uncompress nest level that can be scanned.

scan-bzip2 Enable/disable scanning of BZip2 compressed files.

block-page-status-code Return code of blocked HTTP pages (non-FortiGuard only).

Add Ekahau Blink Protocol support and reorganization for station-locate

We used to have a config command to report station position for retail analytic server under config wireless-controller wtp-profile > radio > station-locate. A new feature ekahua-blink-mode has been added.

These features are all location based service (LBS) related and they moved to a sub-config under wtp-profile, and they are per wtp-profile configuration.

On upgrade, the options from antivirus service are moved into the corresponding entries in each profile-protocol-options.


config wireless-controller wtp-profile

edit <wtp-profile-name>

config lbs

set ekahau-blink-mode Enable/disable

set ekahau-tag <xx:xx:xx:xx:xx:xx>

set erc-server-ip <any_ip>

set erc-server-port <integer>



<xx:xx:xx:xx:xx:xx> mac address.

<any_ip> Any ip

<integer> input integer value.

Implement diagnose command to test flash SSD

A new diagnose command has been implemented to test the disk.


diagnose disktest <option>

Option can be the following:

device Specify which device to test.

block The block size of each read/write operation.

time The limit of test time of each cycles. Default is no limit.

size The limit of test size of each cycles. Default is no limit.

run Run test with specified cycles. Default is infinite cycles.

Online help improvements

A video links to some help topics has been added in the FortiOS GUI header bar.

Add iprope check trace in flow trace

Previously flow trace shows only accepted or denied policy information. Sometimes, policy tracking is also important and knowing which policies are checked, and what is the result for the checking might be helpful.


diagnose debug flow show iprope {enable|disable}

enable to enable trace iprope match.
disable to disable trace iprope match.

Log id-fields reference improvements

This improvement is to make a complete reference for each log id with its corresponding fields in FortiOS.

CLI changes

Add new endpoint and ha subcategories into config log eventfilter


config log eventfilter

set endpoint Enable/disable

set ha Enable/disable


GUI changes

Add subtype log filter options named Endpoint and HA under Event Log

Add diagnose debug admin error-log command

Since the last failed admin login is recorded, this new command shows details about the failed admin login attempt.


diagnose debug admin error-log

Sample output

The recent admin user failed login details:

error code        :       -100

method                :       ssh

login name          :        test

cmdb name         :        null

login vdom            :        root

current vdom          :       root

override vdom     :       null

login profile         :        null

override profile :       null

login time          :                  2014-08-29 11:01:57

Improve hasync debug

Add diag test application hasync to control hasync debug finely.


diag test application hasync [1-19,50-53]


Value Description
1 Dump all states of debug switches.
2 Turn off all debug switches.
3 Toggle debug switch of hsync core.
4 Toggle debug switch of ha-diff.
5 Toggle debug switch of FIB.
6 Toggle debug switch of route6.
7 Toggle debug switch of BYOD.
8 Toggle debug switch of endpoint_compliance.
9 Toggle debug switch of NEB.
10 Toggle debug switch of zebos.
11 Toggle debug switch of haconf.
12 Toggle debug switch of proxy.
13 Toggle debug switch of time.
14 Toggle debug switch of snmp.
15 Toggle debug switch of gtp.
16 Toggle debug switch of auth.
17 Toggle debug switch of IPsec.
18 Toggle debug switch of fdb.
19 Toggle debug switch of arp.
50 Dump ha sync statistics.
51 Dump FIB information.
52 Dump extfile's signature.
53 Recalculate external files signature.

Improve interface list and switch mode

This features introduces grouping interfaces by interface type and adds switch to toggle between VLAN Switch Mode and regular Hardware Switch Mode.

GUI changes
  • A Group By Type toggle switch has been added in the interfaces page under System > Network > Interfaces.
  • A VLAN Switch Mode toggle switch has been added in the interfaces page under System > Network > Interfaces. This VLAN Switch Mode toggle switch shows a confirmation dialog when clicked before toggling the system setting.
  • A mini faceplate for Hardware Switch Mode and VLAN Switch Mode has been added in the member column under System > Network > Interfaces.

Wizard improvement

The Wizard has been improved to provide instruction page to explain how to set up FortiClient for IPsec and SSLVPN and permit to set up FortiCloud connection on Wizard so that logs will be sent to FortiCloud.

GUI changes
  • Add instruction module to generate page explaining how to set up FortiClient for IPsec and SSLVPN depending on the VPN that is configured.
  • Add a Wizard Summary Page.
  • Allow FortiOS Setup wizard to set up FortiCloud.

Allow VIP with port forwarding to permit ICMP

When a VIP is defined with port forwarding enabled, ICMP (PING) to the mapped IP can be allowed.


config firewall vip

edit "VIP"

set extip

set extintf "wan1"

set portforward enable

set mappedip

set protocol icmp



The command set protocol has icmp option now to make the firewall forward ICMP to the host specified by mappedip while the mappedport and extport attributes are skipped.

Support captive portal for block notification page

The main requirement of this feature is to present a block notification page if the web access is denied by a firewall policy.

Add diagnose log clear-kernel-state command

This command has been added to clear log statistics in kernel in order to improve disk log session setup rate.


diagnose log clear-kernel-stats

Apply new LDAP Tree Browser design to the User Wizard and User Group page

Previously, the LDAP browser shows LDAP containers and LDAP entries within the same tree. When there are many LDAP entries available, it becomes harder for users to select, filter, search different types of LDAP objects.

This new feature now divides the LDAP Browser into two major parts:

  • A tree to show the container.
  • Tables to show different type of LDAP object entries.

New Join and try requests to FortiCloud for low-end models

These new join and try requests are for low-end models only such as: FG-30D, FWF-30D, FG-60D, FWF-60D, FG-70D, FG-80D, FG-90D, and FWF-90D.


exec fortiguard-log join

exec fortiguard-log try <FortiCloud_id> <Password>