
New features in FortiOS 5.2.2

This chapter provides a brief introduction to the following features that were added to FortiOS 5.2.2. See the release notes for a complete list of new features/resolved issues in this release.

Add allocator API and counters to scanunit

Add a new memory management wrapper and statistics framework for scanunit to improve memory accounting.

CLI changes

Add diagnose sys scanunit stats command.

Syntax

diagnose sys scanunit stats <option>

 

Option  Description
list    List all statistics.
all     List all statistics.
clear   Clear all statistics.

Add diagnose sys scanunit filter command.

Syntax

diagnose sys scanunit filter <option>

 

Option  Description
list    Display the current filter.
clear   Clear the current filter.
negate  Negate the specified filter parameter.
vd      Index of virtual domain. -1 matches all.
worker  Index of worker. -1 matches all.

Add diagnose sys scanunit log filter command.

Syntax

diagnose sys scanunit log filter <option>

 

Option  Description
list    Display the current scanunit log filter.
clear   Clear the current scanunit log filter.
negate  Negate the specified filter parameter.
vd      Index of virtual domain. -1 matches all.
worker  Index of worker. -1 matches all.

Add diagnose sys scanunit restart command.

Syntax

diagnose sys scanunit restart

Add tooltips for application categories

A tooltip is now shown for each application category in FortiView > Applications and under Log & Report > Traffic Log. For known categories, it provides a short description of the application category, taken from the FortiGuard app category descriptions. For unknown categories, the traffic has been scanned but the traffic pattern does not match any signature.

Add broadcast/multicast suppression for local bridge mode ssid on the FAP side

CLI changes

Add broadcast/multicast suppression for different packet type.

Syntax

config wireless-controller vap

edit <vap_name>

set broadcast-suppression <option>

end

 

Option       Description
dhcp-up      Suppress broadcast uplink DHCP messages.
dhcp-down    Suppress broadcast downlink DHCP messages.
arp-known    Suppress broadcast ARP for known wireless clients.
arp-unknown  Suppress broadcast ARP for unknown wireless clients.
arp-reply    Suppress broadcast ARP reply from wireless clients.
netbios-ns   Suppress NetBIOS name services packets with UDP port 137.
netbios-ds   Suppress NetBIOS datagram services packets with UDP port 138.
ipv6         Suppress IPv6 packets.

Add hardware switch feature and SPAN functionality to 30D, 60, and 90D. Move POE ports out of Internal switch to independent interfaces.

Added virtual switch commands.

Syntax

config system virtual-switch

edit lan

set physical-switch sw0

config port

edit port1

next

edit port2

next

end

next

end

Disable performance statistics Logging

A new CLI option, sys-perf-log-interval, was added to the config system global section.

Syntax

config system global

set sys-perf-log-interval <value>

end

 

<value> is the performance statistics logging interval (1 - 15 min, 0 = disable).

The default value of the sys-perf-log-interval attribute is 5 minutes.

This attribute only affects the log sent to FortiAnalyzer and/or Syslog; no perf-stats log goes to disk or FortiCloud, no matter what the value is.

Improvements to firmware upload GUI dialog

A few items to consider for firmware upgrades:

  • Maintain the upgrade path on FortiGuard with recommended version information.
  • Allow user to easily upgrade to the recommended version.
  • Show the progress of downloading the image and upgrading with a progress bar.

GUI changes

On the status page, if a new update is available on the FortiGuard server, the next recommended update is displayed.

The admin can click the upgrade link and optionally back up the config before confirming the upgrade.

The dialog can display the progress of the update. Once the update is being installed, the browser should probe the FortiGate until it has completed the reboot, then automatically refresh to go to the login screen.

Similarly, when going to the upgrade page, if the user chooses to upgrade from the FortiGuard Network then the recommended firmware is set in the firmware version box (if any). If no firmware is recommended then "up to date" can be displayed. Note that there may be several firmware options available, but the chooser should be set to the recommended version automatically, not just the latest version available. This information should be obtained from the upgrade path package from FortiGuard.

Once the update is complete and the reboot starts, the browser should probe the FortiGate until it responds, then redirect to the login page once it is available again.

Reimplementation of the session list as a part of FortiView to improve functionality and usability

New options have been added to enable/disable inclusion of unscanned traffic in FortiView application charts and to enable/disable inclusion of local traffic in FortiView real-time charts.

Remove top sessions dashboard widget.

Syntax

config log gui-display

set fortiview-unscanned-apps enable/disable // inclusion of unscanned traffic in FortiView application charts.

set fortiview-local-traffic enable/disable // inclusion of local-in traffic in FortiView realtime charts.

end

Add GUI option to control the TLS versions for web administration

Introduce GUI settings that allow the admin to control the TLS v1.x versions for GUI HTTPS.

Syntax

config system global

set gui-https-tls-version <option>

end

 

Option   Description
tlsv1-0  TLS 1.0.
tlsv1-1  TLS 1.1.
tlsv1-2  TLS 1.2.
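
An added example (not Fortinet's code) that audits the text of a saved configuration backup for the two config system global options described on this page, gui-https-tls-version and sys-perf-log-interval. The sample backup is constructed, the helper names parse_section and audit_global are hypothetical, and the sample assumes the TLS option accepts several versions on one set line.

```python
import shlex

# Constructed sample backup; assumes several TLS versions can share one "set" line.
SAMPLE_BACKUP = """\
config system global
    set gui-https-tls-version tlsv1-0 tlsv1-1 tlsv1-2
    set sys-perf-log-interval 0
end
config system interface
    edit "port1"
        set allowaccess ping https
    next
end
"""
LEGACY_TLS = {"tlsv1-0", "tlsv1-1"}

def parse_section(text, section):
    """Collect 'set' lines directly under 'config <section>' (non-table sections)."""
    settings, depth, inside = {}, 0, False
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # line opens or closes a multi-line quoted value: skip it
            continue
        head = tokens[0] if tokens else ""
        if head == "config":
            depth += 1
            if depth == 1:
                inside = " ".join(tokens[1:]) == section
        elif head == "end":
            depth -= 1
            if depth == 0:
                inside = False
        elif head == "set" and inside and depth == 1 and len(tokens) > 2:
            settings[tokens[1]] = tokens[2:]
    return settings

def audit_global(text):
    """Return findings for the two 'config system global' options on this page."""
    g = parse_section(text, "system global")
    findings = []
    tls = g.get("gui-https-tls-version")
    if tls is None:
        findings.append("gui-https-tls-version: not in backup, device default applies")
    elif LEGACY_TLS & set(tls):
        findings.append("gui-https-tls-version: legacy " + " ".join(sorted(LEGACY_TLS & set(tls))))
    if g.get("sys-perf-log-interval", ["5"])[0] == "0":  # page: default is 5 minutes
        findings.append("sys-perf-log-interval: 0 (perf-stats logging disabled)")
    return findings
```

Pass the text of a backup file to audit_global(); an empty list means neither option was flagged.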

Cloud Wifi Support

FortiCloud customer account ID can be specified.

Syntax

config wireless-controller setting

set account-id <string>

end

Merge FWF/FGT-60D-3G4G and FGR-60D

Moved lte modem command from system global to system lte-modem, and added APN, authentication, redundant, extra-init, network type commands.

CLI changes

Syntax

config system lte-modem

set status enable/disable

set extra-init STRING

set authtype none/pap/chap

set APN STRING

set mode standalone/redundant

set net-type CDMA-1x/EV-DO/LTE/Auto //Only available for F*60DC, since the feature only works for Novatel e362 module right now.

set holddown-timer sec

end

Added diagnose sys lte-modem command

Syntax

diagnose sys lte-modem info

Sample output

LTE Modem configuration enabled!

LTE Modem device initialized.

Manufacturer: Novatel Wireless Incorporated

Model: E362 WWAN

MEID: 99000094761891

USB Modem Interface: up

SIM State: Valid

ICCID: 89148000000229083036

Signal Strength: 3

Network Type: LTE

Network Cfg: Automatic

APN: vzwinternet

Authen Type: none

Extra Init String:

Interface mode: standalone

Holddown Time: 30

GUI changes

The GUI is almost the same. The difference is that when the LTE modem is plugged in but not connected, the same info items (vendor/model/iccid/meid, etc.) are still displayed, which gives users more information.

Add FAP-224D/222C/25D/214B/21D/24D/112D/223C/321C support

CLI changes

Syntax

config wireless-controller wtp-profile

edit <profile_name>

config platform

set type

.....

25D FAP25D

222C FAP222C

224D FAP224D

214B FK214B

21D FAP21D

24D FAP24D

112D FAP112D

223C FAP223C

321C FAP321C

end

end

GUI changes

New platform FAP-224D/222C/25D/214B/21D/24D/112D/223C/321C can be selected in wtp profiles.

Add support for more than 32k FortiClient configuration distribution through EC-NAC

A new child table has been added to store advanced configuration greater than 32k.

Syntax

config endpoint-control profile

edit <profile_name>

config forticlient-winmac-settings

config extra-buffer-entries

edit entry_id

set buffer <string>

next

end

end

next

end

Add a warning when using deep SSL inspection mode on security policy and SSL profile pages

A help text has been added when enabling SSL deep inspection.

GUI changes

Add an information bubble on the firewall policy page, as well as in the SSL profile page when enabling or selecting deep inspection.

Add a video link via videos menu to both of the above pages to link to a new video that instructs users how to install these certificates throughout the network.

Improve FSSO group GUI

Apply the new LDAP browser to the FSSO GUI pages, allowing FSSO groups to be created and updated from the firewall policy page.

GUI changes

In the firewall policy edit dialog, clicking on the Create Users/Groups button on the bottom of the Source User(s) drop-down list will launch the Wizard.

This is an extended version of the Users/Groups Creation Wizard with an extra option to create an FSSO group. Clicking on FSSO shows the process of creating and/or updating an FSSO group.

This new LDAP browser design has been applied to the Single Sign-On edit page.

Add Log Rate stats to System Resources widget

The log rates of disk and FortiAnalyzer are shown in the System Resources widget when they are enabled.

Add a command to export logs on local disk to external USB

CLI changes

Add a command to backup all log files to USB drive.

Syntax

execute backup disk alllogs usb

 

Add a command to backup specific log file(s) to USB drive.

Syntax

execute backup disk log usb <string> //Choose log: traffic, event, ips, virus, webfilter, spam, dlp, voip, app-ctrl, anomaly, netscan

Improve FortiView performance and add System Events, Admin Logins, and VPN

GUI changes

Three new menu items have been added under FortiView:

  • System Events
  • Admin Logins
  • VPN

Integrate vmtools for FortiGate VMWare platforms

The open-vm-tools project is used as the basis for the new daemon.

CLI changes

Add a command to debug vmtools.

Syntax

diagnose debug application vmtools <integer>