FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 1 - What's New for FortiOS 5.2 > New features in FortiOS 5.2.3

New features in FortiOS 5.2.3

This chapter provides a brief introduction to the following features that were added to FortiOS 5.2.3. See the release notes for a complete list of new features/resolved issues in this release.

Interfaces on some FortiGate models are set in one-arm sniffer mode by default

Fort example:

  • By default the FortiGate-300D port4 and port8 interfaces are in sniffer mode.
  • By default the FortiGate-500D port5, port6, port13, and port14 interfaces are in sniffer mode.
  • Other models may have similar default settings.

If you want to use these interfaces for other purposes you can change their mode from the GUI or CLI. From the GUI just go to System > Network > Interface, edit the interface and change its addressing mode as required.

Merge FGT-20C-ADSL and FWF-20C-ADSL

Add set wan enable to set one of the switch port as WAN port. By default, there is no WAN port for FWF-20C-ADSL and FGT-20C-ADSL.

CLI changes

Add set wan enable command.


config system global

set wan [enable|disable] //disable by default


This CLI command enables one of the switch port (LAN4 for 20C-ADSL) as wan port. In this way, a redundant WAN port is supported besides ADSL port.

By setting LAN4 into a switch port (set wan disable) or a dedicated WAN port (set wan enable), the two platforms can work in two modes:

  1. ADSL + LAN (LAN1,LAN2,LAN3,LAN4 as one switch)
  2. ADSL + LAN (LAN1,LAN2,LAN3 as one switch) plus WAN interface. Please note that:
  • The option to switch between the two modes can be CLI-only.
  • When switching between the 2 modes, a reboot is expected.
  • Set wan disable won't take effect if WAN interface is in use.

Log Viewer Improvements

Extends Faceted Search portion of FortiView to support complicated sorting.

Improves usability of log viewer bottom pane with flexbox and css animations.

Allows filtering of combined column's constituent parts.

GUI changes

Replaced column filter icon on header with faceted search bar. Bottom panel now behaves better and resizes smoothly.

Add AeroScout Inter-operabiliy testing


config wireless-controller wtp-profile

edit <wtp-profile>

config lbs

set aeroscount Enable/disable

set aeroscout-server-ip // IP address of AeroScout server.

set aeroscout-server-port <integer> // AeroScout server UDP listening port (1024 65535)

set aeroscout-mu-factor <integer> // AeroScout dilution factor for Mobile Unit (MU) mode (default = 20)

set aeroscout-mu-timeout <integer> // AeroScout dilution timeout (sec) for Mobile Unit (MU) mode (default = 5s)




Add "Last connection time" Column in FortiView > VPN

Users can sort by number of connections, duration and total bytes but cannot see the last time the user connected.

GUI changes

A Last connection time column has been added which can simply indicate the timestamps of the last VPN connection that was started for that user.

The user should be able to sort by last connection time.

FSSO agent support OU in group filters

Previously, in FSSO configuration GUI page, via LDAP browser, admin can select user/group filters to send to FSSO Agent. Now that FSSO Agent supports OU filter. So GUI is updated to allow admin to select OU from LDAP browser.

GUI Changes

When creating FSSO group from Users/Groups creation wizard, in the LDAP browser, there is a new tab named Organizational Unit next to Users and Groups tab. This new tab can also be seen in FSSO dialog.

Certificate GUI improvements

Some GUI changes include:

  • The table, under System > Certificates fit in one regular browser width by default, similar to Policy, Interface and other pages.
  • Wrap the text in the cells to keep the columns narrower.
  • Improve the columns displayed to include:
    • Who signed it (where applicable).
    • Expiry date.
  • Do not list certificates that do not exist on the FortiGate.

Improvement to WAN optimization feature

In some models WAN Optimization configuration can now be done from the CLI, you can still do GUI configuration after enabling GUI configuration from the CLI using following command:

config system global

set gui-wanopt-cache enable


For more information, refer to the 5.2.3 feature/platform matrix at the following link:

Add FortiAP LED dark support

Few customers want to keep their APs as discrete as possible, and want an option to run dark by turning off all LEDs.


config wireless-controller wtp-profile

edit "profile"

set led-state enable|disable



By default, led-state is set to enable.

FortiAP side:

cfg -a LED_STATE=0|1|2

0:LED is on, 1:LED is off, 2: LED is controlled by the controller (FortiGate).

By default, LED_STATE is set to 2. If it is set to 2, FortiAP will take led-state setting configured on the controller. If it is set to 0 or 1, FortiAP will ignore led-state setting configured on the controller.

Allow user to change VDOM operation mode more easily

Allow user to switch between NAT and TP mode without having to manually remove a large selection of configuration, this can be achieved using CLI and GUI.

Split 40G ports on some FortiGate models

On FortiGate models with 40G interfaces, such as the FortiGate-5001D and 3700D you can now split a single 40G interface into four 10G interfaces. Enabling split ports adjusts NP6 mapping.

Enter the following command to enable split ports for port1 and port2:

config system global

set split-port port1 port2


When you enter this command the FortiGate reboots and when it starts up the ports are split. The GUI and CLI would show these split ports as port1/1, port1/2, port1/3, ... port2/4.

Allow admin user to start/defer file system check if FGT was not shutdown properly

When FGT wasn't shutdown properly, we don't start the file system check yet as it may takes time. Instead, after admin user logins, a dialog is shown offering admin user to start file system check or defer later. If file system check is chosen, FGT will be rebooted and file system check is started.

Cloud Sandboxing

FortiStandbox Settings is accessible under System > Config > FortiSandbox, a new FortiSandbox Cloud option is available. When selected, it uses FortiCloud Account configured previously in the License Information widget.

Add a tooltip to remind users to activate FortiCloud to enable FortiSandbox cloud

FortiSandbox Cloud option is grayed out on the FortiSandbox settings page if FortiCloud account is not activated. Added a tooltip to remind users to activate FortiCloud to enable FortiSandbox cloud, also added a tool help element beside the FortiSandbox input that contains a helpful tips on how to enable FortiSandbox.

Add warn about factory default certificate

Default SSL-VPN server certificate has been changed from self-signed certificate to Fortinet_Factory certificate. When SSL-VPN is configured with a default certificate, show a warning on both the SSL-VPN settings dialog and the policy dialog, recommending the use a proper signed certificate for better security.

Deep Flow

This new inspection mode uses IPS scan similar to Flow mode to catch anything obvious covered by signatures, but passing a copy of anything over 64 bytes to the scanunit engine to collect the parts of the payload for proxy style analysis, while the chunks of payload are sent to the recipient just as if it were in flow mode.

Once the last chunk of the payload is received by the scanunit engine, it is analyzed. If it successfully passes analysis the last chunk is sent off to the recipient.

This method is characterized as being as secure and effective as proxy mode but faster then regular Flow mode.

When configuring Deep Flow, GUI and CLI shows this option as Flow but the functionality as described earlier.