FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 1 - What's New for FortiOS 5.2 > New features in FortiOS 5.2.4

New features in FortiOS 5.2.4

This chapter lists new features added to FortiOS 5.2.4:

Enter the following command to enable split ports for port1 and port2:

config system global

set split-port port23 port26


When you enter this command the FortiGate reboots and when it starts up the ports are split. The GUI and CLI would show these split ports as port1/1, port1/2, port1/3, ... port2/4.

  • The diagnose hardware device disk command now includes the the MAX SSD Disk field, which shows the number of functioning SSD disks installed in the FortiGate. (271115)
  • The correct checksum and file-size information, provided by the AV engine, is now added to anti-virus log messages. (261885)
  • FGCP high availability supports BFD enabled BGP graceful restart after an HA failover. (255574)
  • You can add a TFTP server address and a file name to a DHCP server configuration on one FortiGate to contain information that can be used by other FortiGates to download firmware updates from that TFTP server. This feature was added in a previous release but has been improved for FortiOS 5.2.4. (270160)

Use the following command to add a TFTP server IP address of and firmware image filename image.out to a FortiGate DHCP server:

config system dhcp server

edit 0


set tftp-server

set filename image.out



Then on a second FortiGate you can use the following command to cause the second FortiGate to retrieve the TFTP server IP address and firmware image filename and then download the firmware image and updgrade its firmware. In this example, the wan1 interface of the second FortiGate must be able to connect to the DHCP server of the original FortiGate.

execute restore config dhcp wan1

  • The default FortiGuard IPS and AV database update interval is now every 2 hours. Previously it was daily. (278772)

The new default configuration is:

config system autoupdate schedule

set status enable

set frequency every

set time 2:60


where when frequency is set to every and time is hh:mm. If mm is 60 the update occurs at a random time within the final hour of the frequency. So a time of 2:60 means the update will occur some time in the second hour.

  • WiFi logging improvements. (211695 )

Improved FortiWiFi local radio tx/rx statistics support.

Band and channel_bonding fields added to oper-channel wireless event log.

AP field is now accurately added to event log messages when radio settings are changed.

Radio number(radioid) field added to wireless client activity event log.

  • The extended IPS database is enabled by default for models with multiple CP8 content processors (300D/500D/1000D/1200D/1500D/3700D/3700DX/3810D/5001D). (238338 )
  • A new block-security-risks default webfilter profile has been added. In this profile FortiGuard Categories is selected,the Security Risk category is blocked, the Unrated catagory is set to warning and Rate URLs by Domain and IP Address is enabled. (278767)
  • Changes to disk logging and WAN Optimization depending on the FortiGate hard disk configuration (adjustments/refinements to the changes made in 5.2.3). (266032)

When you upgrade your FortiGate unit to FortiOS 5.2.4:

  • If your FortiGate unit has one hard disk, WAN Optimization settings will only be available from the CLI.
  • If your FortiGate unit has two hard disks, WAN Optimization settings will be available from the GUI and CLI.
  • WAN Optimization is not available if your FortiGate unit does not have a hard disk.

The FortiOS 5.2.4 Feature/Platform Matrix shows WAN Optimization support by FortiGate model.

  • For multi-hop EBGP peers, the nexthop is modified by the route-map-out setting. (183637)
  • On FortiGate models that support it, the Fortinet_Factory certificate is now 2048 bits and uses SHA2. (284419)
  • Explicit web proxy authentication performance improvements to prevent authenticated users from being blocked. (276065)
  • Geography firewall addresses can now be added to explicit web proxy policies from the GUI and CLI. (281461)
  • Add options for strict OCSP and strict CRL certificate checking (0258979)
    The new command options are:

config vpn certificate setting

set strict-crl-check {disable | enable}

set strict-ocsp-check {disable | enable}


Enable strict-crl-check to enable strict mode CRL checking. If strict checking is not enabled and a certificate is found to be on a CRL list, the certificate can be used and a warning log message is written. If strict checking is enabled then all authentication actions that use this certificate fail in addition to the warning message being recorded.

Enable strict-ocsp-check to enable strict mode OCSP checking. If strict checking is not enabled and an OCSP server responds with “cert status unknown” the certificate can be used and a warning log message is written. If strict checking is enabled then all authentication actions that use this certificate fail in addition to the warning message being written.