From 926d98e6f8309203a74fb9d58dddbdf44c7c4c73 Mon Sep 17 00:00:00 2001
From: John Poland <jdpoland@gmail.com>
Date: Thu, 13 Nov 2025 20:46:12 -0500
Subject: [PATCH] fortigate Thu Nov 13 08:46:12 PM EST 2025

---
 configs/fortigate/global/certificate.cfg      |   5 +
 configs/fortigate/global/dlp.cfg              |  35 ++-
 configs/fortigate/global/endpoint-control.cfg |   4 +
 configs/fortigate/global/firewall.cfg         | 216 +++++++++++++
 configs/fortigate/global/ips.cfg              |   6 +-
 configs/fortigate/global/system.cfg           | 285 +++++++++++++++---
 configs/fortigate/global/virtual-patch.cfg    |   4 +
 configs/fortigate/global/webfilter.cfg        |   5 +-
 configs/fortigate/vdom_Policy/casb.cfg        |   8 +
 configs/fortigate/vdom_Policy/dlp.cfg         |  35 ++-
 configs/fortigate/vdom_Policy/firewall.cfg    |  83 ++---
 configs/fortigate/vdom_Policy/ips.cfg         |   6 +-
 .../vdom_Policy/switch-controller.cfg         |  13 +-
 configs/fortigate/vdom_Policy/system.cfg      |  13 +-
 .../fortigate/vdom_Policy/virtual-patch.cfg   |   4 +
 configs/fortigate/vdom_Policy/vpn.cfg         |   6 +
 configs/fortigate/vdom_Policy/webfilter.cfg   |  11 +-
 configs/fortigate/vdom_TEST/casb.cfg          |   8 +
 configs/fortigate/vdom_TEST/dlp.cfg           |  35 ++-
 configs/fortigate/vdom_TEST/firewall.cfg      |  85 +++---
 configs/fortigate/vdom_TEST/ips.cfg           |  11 +-
 .../fortigate/vdom_TEST/switch-controller.cfg |  13 +-
 configs/fortigate/vdom_TEST/system.cfg        |  12 +-
 configs/fortigate/vdom_TEST/virtual-patch.cfg |   4 +
 configs/fortigate/vdom_TEST/voip.cfg          |   2 +
 configs/fortigate/vdom_TEST/vpn.cfg           |   6 +
 configs/fortigate/vdom_TEST/webfilter.cfg     |  11 +-
 configs/fortigate/vdom_root/casb.cfg          |   8 +
 configs/fortigate/vdom_root/dlp.cfg           | 103 ++++++-
 configs/fortigate/vdom_root/firewall.cfg      |  83 ++---
 configs/fortigate/vdom_root/ips.cfg           |  23 +-
 configs/fortigate/vdom_root/log.cfg           |   1 -
 .../fortigate/vdom_root/switch-controller.cfg |  13 +-
 configs/fortigate/vdom_root/system.cfg        |  12 +-
 configs/fortigate/vdom_root/virtual-patch.cfg |   4 +
 configs/fortigate/vdom_root/voip.cfg          |   2 +
 configs/fortigate/vdom_root/vpn.cfg           |   8 +-
 configs/fortigate/vdom_root/webfilter.cfg     |  11 +-
 configs/fortigate/vdom_scsd/casb.cfg          |   8 +
 configs/fortigate/vdom_scsd/dlp.cfg           |  35 ++-
 configs/fortigate/vdom_scsd/firewall.cfg      | 114 ++++---
 configs/fortigate/vdom_scsd/ips.cfg           |  17 +-
 configs/fortigate/vdom_scsd/log.cfg           |   1 -
 configs/fortigate/vdom_scsd/router.cfg        |   1 +
 .../fortigate/vdom_scsd/switch-controller.cfg |  13 +-
 configs/fortigate/vdom_scsd/system.cfg        |  13 +-
 configs/fortigate/vdom_scsd/user.cfg          |   2 +-
 configs/fortigate/vdom_scsd/virtual-patch.cfg |   4 +
 configs/fortigate/vdom_scsd/voip.cfg          |   4 +
 configs/fortigate/vdom_scsd/vpn.cfg           |  17 +-
 configs/fortigate/vdom_scsd/webfilter.cfg     |  11 +-
 51 files changed, 1068 insertions(+), 366 deletions(-)
 create mode 100644 configs/fortigate/global/virtual-patch.cfg
 create mode 100644 configs/fortigate/vdom_Policy/casb.cfg
 create mode 100644 configs/fortigate/vdom_Policy/virtual-patch.cfg
 create mode 100644 configs/fortigate/vdom_TEST/casb.cfg
 create mode 100644 configs/fortigate/vdom_TEST/virtual-patch.cfg
 create mode 100644 configs/fortigate/vdom_root/casb.cfg
 create mode 100644 configs/fortigate/vdom_root/virtual-patch.cfg
 create mode 100644 configs/fortigate/vdom_scsd/casb.cfg
 create mode 100644 configs/fortigate/vdom_scsd/virtual-patch.cfg

diff --git a/configs/fortigate/global/certificate.cfg b/configs/fortigate/global/certificate.cfg
index 78136ba..25de1de 100644
--- a/configs/fortigate/global/certificate.cfg
+++ b/configs/fortigate/global/certificate.cfg
@@ -16,6 +16,11 @@ config certificate local
         set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
         set source factory
     next
+    edit "Fortinet_GUI_Server"
+        set password ENC *HIDDEN*
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set source factory
+    next
     edit "Fortinet_SSL_RSA1024"
         set password ENC *HIDDEN*
         set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
diff --git a/configs/fortigate/global/dlp.cfg b/configs/fortigate/global/dlp.cfg
index c775348..21d7f2a 100644
--- a/configs/fortigate/global/dlp.cfg
+++ b/configs/fortigate/global/dlp.cfg
@@ -1,6 +1,37 @@
-config dlp sensor
+config dlp data-type
+    edit "g-edm-keyword"
+        set pattern ".+"
+        set transform "/\\b\\0\\b/i"
+    next
+    edit "g-keyword"
+        set pattern "built-in"
+    next
+    edit "g-regex"
+        set pattern "built-in"
+    next
+    edit "g-hex"
+        set pattern "built-in"
+    next
+    edit "g-mip-label"
+        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
+        set transform "built-in"
+    next
+    edit "g-credit-card"
+        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
+        set verify "builtin)credit-card"
+        set look-back 20
+        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
+    next
+    edit "g-ssn-us"
+        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
+        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
+        set look-back 12
+        set transform "\\b\\1-\\2-\\3\\b"
+    next
+end
+config dlp profile
     edit "g-default"
-        set comment "Default sensor."
+        set comment "Default profile."
     next
     edit "g-sniffer-profile"
         set comment "Log a summary of email and web traffic."
diff --git a/configs/fortigate/global/endpoint-control.cfg b/configs/fortigate/global/endpoint-control.cfg
index 0ff72a7..b4a4b70 100644
--- a/configs/fortigate/global/endpoint-control.cfg
+++ b/configs/fortigate/global/endpoint-control.cfg
@@ -14,4 +14,8 @@ config endpoint-control fctems
     next
     edit 5
     next
+    edit 6
+    next
+    edit 7
+    next
 end
diff --git a/configs/fortigate/global/firewall.cfg b/configs/fortigate/global/firewall.cfg
index 7d65636..0f85db3 100644
--- a/configs/fortigate/global/firewall.cfg
+++ b/configs/fortigate/global/firewall.cfg
@@ -5189,6 +5189,222 @@ config firewall internet-service-name
     edit "Microsoft-Azure.Front.Door.MicrosoftSecurity"
         set internet-service-id 328080
     next
+    edit "Microsoft-Azure.Connectors"
+        set internet-service-id 327980
+    next
+    edit "Microsoft-Azure.Front.Door"
+        set internet-service-id 327993
+    next
+    edit "Microsoft-Azure.Service.Bus"
+        set internet-service-id 328007
+    next
+    edit "Microsoft-Azure.Microsoft.Defender"
+        set internet-service-id 328009
+    next
+    edit "Microsoft-Azure.Resource.Manager"
+        set internet-service-id 328013
+    next
+    edit "Microsoft-Azure.Arc.Infrastructure"
+        set internet-service-id 328014
+    next
+    edit "Microsoft-Azure.Storage"
+        set internet-service-id 328015
+    next
+    edit "Microsoft-Azure.ATP"
+        set internet-service-id 328016
+    next
+    edit "Microsoft-Azure.Traffic.Manager"
+        set internet-service-id 328017
+    next
+    edit "Microsoft-Azure.Windows.Admin.Center"
+        set internet-service-id 328018
+    next
+    edit "Microsoft-Azure.KeyVault"
+        set internet-service-id 328021
+    next
+    edit "Microsoft-Azure.Databricks"
+        set internet-service-id 328034
+    next
+    edit "Microsoft-Azure.Event.Hub"
+        set internet-service-id 328035
+    next
+    edit "Microsoft-Azure.Power.Platform"
+        set internet-service-id 328043
+    next
+    edit "Amazon-AWS.EBS"
+        set internet-service-id 393470
+    next
+    edit "Amazon-AWS.Cloud9"
+        set internet-service-id 393471
+    next
+    edit "Amazon-AWS.DynamoDB"
+        set internet-service-id 393472
+    next
+    edit "Amazon-AWS.Route53"
+        set internet-service-id 393473
+    next
+    edit "Amazon-AWS.S3"
+        set internet-service-id 393474
+    next
+    edit "Amazon-AWS.Kinesis.Video.Streams"
+        set internet-service-id 393475
+    next
+    edit "Amazon-AWS.Global.Accelerator"
+        set internet-service-id 393476
+    next
+    edit "Amazon-AWS.EC2"
+        set internet-service-id 393477
+    next
+    edit "Amazon-AWS.API.Gateway"
+        set internet-service-id 393478
+    next
+    edit "Amazon-AWS.Chime.Voice.Connector"
+        set internet-service-id 393479
+    next
+    edit "Amazon-AWS.Connect"
+        set internet-service-id 393480
+    next
+    edit "Amazon-AWS.CloudFront"
+        set internet-service-id 393481
+    next
+    edit "Amazon-AWS.CodeBuild"
+        set internet-service-id 393482
+    next
+    edit "Amazon-AWS.Chime.Meetings"
+        set internet-service-id 393483
+    next
+    edit "Amazon-AWS.AppFlow"
+        set internet-service-id 393484
+    next
+    edit "Salesforce-Hyperforce"
+        set internet-service-id 655738
+    next
+    edit "Fortinet-FortiMonitor"
+        set internet-service-id 1245558
+    next
+    edit "Tor-Tor.Node"
+        set internet-service-id 2818432
+    next
+    edit "OVHcloud-OVH.Telecom"
+        set internet-service-id 13828461
+    next
+    edit "Zero.Networks-Zero.Networks"
+        set internet-service-id 17891679
+    next
+    edit "EGI-EGI.Hosting.Service"
+        set internet-service-id 18022753
+    next
+    edit "ONYPHE-Scanner"
+        set internet-service-id 18088102
+    next
+    edit "Proofpoint-Proofpoint"
+        set internet-service-id 18153828
+    next
+    edit "Heimdal-Heimdal.Security"
+        set internet-service-id 18284902
+    next
+    edit "Yealink-Yealink.Meeting"
+        set internet-service-id 18350439
+    next
+    edit "Secomea-Secomea"
+        set internet-service-id 18415976
+    next
+    edit "CallTower-CT.Cloud"
+        set internet-service-id 18481513
+    next
+    edit "OpenAI-OpenAI.Bot"
+        set internet-service-id 18547052
+    next
+    edit "OpenAI-GPT.Actions"
+        set internet-service-id 18547073
+    next
+    edit "Alpemix-Alpemix"
+        set internet-service-id 18612590
+    next
+    edit "M247-M247.Hosting.Service"
+        set internet-service-id 18678127
+    next
+    edit "Quintex-Quintex.Hosting.Service"
+        set internet-service-id 18743664
+    next
+    edit "Aeza-Aeza.Hosting.Service"
+        set internet-service-id 18809201
+    next
+    edit "Amanah-Amanah.Hosting.Service"
+        set internet-service-id 18874738
+    next
+    edit "ByteDance-Lark"
+        set internet-service-id 18940275
+    next
+    edit "KnowBe4-KnowBe4"
+        set internet-service-id 19005812
+    next
+    edit "Keeper-Keeper.Security"
+        set internet-service-id 19071349
+    next
+    edit "NinjaOne-NinjaOne"
+        set internet-service-id 19136887
+    next
+    edit "Modat-Scanner"
+        set internet-service-id 19202214
+    next
+    edit "Make-Make.Platform"
+        set internet-service-id 19267963
+    next
+    edit "Cloudzy-Cloudzy.Hosting.Service"
+        set internet-service-id 19333501
+    next
+    edit "Nokia-Deepfield.Genome.Crawler"
+        set internet-service-id 19399038
+    next
+    edit "Neat-Neat.Cloud"
+        set internet-service-id 19464575
+    next
+    edit "Brightree-Brightree"
+        set internet-service-id 19530114
+    next
+    edit "PagerDuty-PagerDuty"
+        set internet-service-id 19595651
+    next
+    edit "JFrog-JFrog"
+        set internet-service-id 19661188
+    next
+    edit "Tailscale-Tailscale"
+        set internet-service-id 19726725
+    next
+    edit "Gamma-Horizon"
+        set internet-service-id 19792265
+    next
+    edit "Automox-Automox"
+        set internet-service-id 19857802
+    next
+    edit "Pulseway-Pulseway.RMM"
+        set internet-service-id 19923339
+    next
+    edit "3xK-3xK.Hosting.Service"
+        set internet-service-id 19988876
+    next
+    edit "ASEM-UBIQUITY"
+        set internet-service-id 20054413
+    next
+    edit "Dialpad-Dialpad"
+        set internet-service-id 20119950
+    next
+    edit "iboss-iboss.Cloud"
+        set internet-service-id 20185487
+    next
+    edit "Redstor-Redstor"
+        set internet-service-id 20251025
+    next
+    edit "Anthropic-Claude"
+        set internet-service-id 20382099
+    next
+    edit "NETLOCK-NETLOCK"
+        set internet-service-id 20578711
+    next
+    edit "Aircall-Aircall"
+        set internet-service-id 20906400
+    next
 end
 config firewall internet-service-definition
 end
diff --git a/configs/fortigate/global/ips.cfg b/configs/fortigate/global/ips.cfg
index f8de5cc..a5580dd 100644
--- a/configs/fortigate/global/ips.cfg
+++ b/configs/fortigate/global/ips.cfg
@@ -3,7 +3,7 @@ config ips sensor
         set comment "Prevent critical attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -11,7 +11,7 @@ config ips sensor
         set comment "Monitor IPS attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -19,7 +19,7 @@ config ips sensor
         set comment "Default configuration for offloading WiFi traffic."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
diff --git a/configs/fortigate/global/system.cfg b/configs/fortigate/global/system.cfg
index d78b2b5..34b6858 100644
--- a/configs/fortigate/global/system.cfg
+++ b/configs/fortigate/global/system.cfg
@@ -2,14 +2,16 @@ config system global
     set admin-server-cert "Fortinet_Factory"
     set admintimeout 59
     set alias "FortiGate-2601F"
+    set gui-auto-upgrade-setup-warning disable
     set gui-device-latitude "43.02974913459805"
     set gui-device-longitude "-76.14486694335938"
     set hostname "noc-fortigate-a"
     set management-port-use-admin-sport disable
     set remoteauthtimeout 120
     set revision-backup-on-logout enable
+    set sslvpn-web-mode enable
     set switch-controller enable
-    set timezone 12
+    set timezone "US/Eastern"
     set vdom-mode multi-vdom
 end
 config system accprofile
@@ -25,6 +27,10 @@ config system accprofile
         set utmgrp read-write
         set wanoptgrp read-write
         set wifi read-write
+        set cli-get enable
+        set cli-show enable
+        set cli-exec enable
+        set cli-config enable
     next
     edit "NOC_Dashboard"
         set comments "For displaying info in Operations area"
@@ -40,7 +46,10 @@ config system accprofile
         set wanoptgrp read
         set wifi read
         set admintimeout-override enable
-        set system-diagnostics disable
+        set cli-get enable
+        set cli-show enable
+        set cli-exec enable
+        set cli-config enable
         set admintimeout 0
     next
     edit "Read_Only"
@@ -55,6 +64,10 @@ config system accprofile
         set utmgrp read
         set wanoptgrp read
         set wifi read
+        set cli-get enable
+        set cli-show enable
+        set cli-exec enable
+        set cli-config enable
     next
 end
 config system npu
@@ -150,26 +163,22 @@ config system interface
         set type physical
         set alias "HA Port 1"
         set snmp-index 1
-        set speed 10000auto
     next
     edit "port2"
         set vdom "root"
         set type physical
         set alias "HA Port 2"
         set snmp-index 2
-        set speed 10000auto
     next
     edit "port3"
         set vdom "root"
         set type physical
         set snmp-index 3
-        set speed 10000auto
     next
     edit "port4"
         set vdom "root"
         set type physical
         set snmp-index 4
-        set speed 10000auto
     next
     edit "port5"
         set vdom "scsd"
@@ -187,13 +196,11 @@ config system interface
         set vdom "root"
         set type physical
         set snmp-index 7
-        set speed 10000auto
     next
     edit "port8"
         set vdom "root"
         set type physical
         set snmp-index 8
-        set speed 10000auto
     next
     edit "port9"
         set vdom "TEST"
@@ -201,7 +208,6 @@ config system interface
         set type physical
         set alias "LAN_Test"
         set snmp-index 9
-        set speed 10000auto
     next
     edit "port10"
         set vdom "TEST"
@@ -209,43 +215,36 @@ config system interface
         set type physical
         set alias "WAN_Test"
         set snmp-index 10
-        set speed 10000auto
     next
     edit "port11"
         set vdom "root"
         set type physical
         set snmp-index 11
-        set speed 10000auto
     next
     edit "port12"
         set vdom "root"
         set type physical
         set snmp-index 12
-        set speed 10000auto
     next
     edit "port13"
         set vdom "root"
         set type physical
         set snmp-index 13
-        set speed 10000auto
     next
     edit "port14"
         set vdom "root"
         set type physical
         set snmp-index 14
-        set speed 10000auto
     next
     edit "port15"
         set vdom "root"
         set type physical
         set snmp-index 15
-        set speed 10000auto
     next
     edit "port16"
         set vdom "root"
         set type physical
         set snmp-index 16
-        set speed 10000auto
     next
     edit "port17"
         set vdom "scsd"
@@ -457,23 +456,6 @@ config system interface
         set alias "SSL VPN interface"
         set snmp-index 42
     next
-    edit "naf.scsd"
-        set vdom "scsd"
-        set type tunnel
-        set src-check disable
-        set snmp-index 57
-    next
-    edit "l2t.scsd"
-        set vdom "scsd"
-        set type tunnel
-        set snmp-index 58
-    next
-    edit "ssl.scsd"
-        set vdom "scsd"
-        set type tunnel
-        set alias "SSL VPN interface"
-        set snmp-index 45
-    next
     edit "naf.Policy"
         set vdom "Policy"
         set type tunnel
@@ -508,6 +490,23 @@ config system interface
         set alias "SSL VPN interface"
         set snmp-index 47
     next
+    edit "naf.scsd"
+        set vdom "scsd"
+        set type tunnel
+        set src-check disable
+        set snmp-index 57
+    next
+    edit "l2t.scsd"
+        set vdom "scsd"
+        set type tunnel
+        set snmp-index 58
+    next
+    edit "ssl.scsd"
+        set vdom "scsd"
+        set type tunnel
+        set alias "SSL VPN interface"
+        set snmp-index 45
+    next
     edit "npu0_vlink0"
         set vdom "root"
         set type physical
@@ -532,9 +531,9 @@ config system interface
         set tcp-mss 1379
         set remote-ip 169.254.69.217 255.255.255.252
         set snmp-index 48
+        set interface "outside lag"
         set mtu-override enable
         set mtu 1427
-        set interface "outside lag"
     next
     edit "SCHC"
         set vdom "scsd"
@@ -550,9 +549,9 @@ config system interface
         set tcp-mss 1379
         set remote-ip 169.254.54.77 255.255.255.252
         set snmp-index 59
+        set interface "outside lag"
         set mtu-override enable
         set mtu 1427
-        set interface "outside lag"
     next
     edit "inside lag"
         set vdom "scsd"
@@ -597,9 +596,9 @@ config system interface
         set tcp-mss 1379
         set remote-ip 169.254.242.193 255.255.255.252
         set snmp-index 63
+        set interface "outside lag"
         set mtu-override enable
         set mtu 1427
-        set interface "outside lag"
     next
     edit "Highstreet"
         set vdom "scsd"
@@ -609,9 +608,9 @@ config system interface
         set tcp-mss 1379
         set remote-ip 169.254.117.221 255.255.255.252
         set snmp-index 65
+        set interface "outside lag"
         set mtu-override enable
         set mtu 1427
-        set interface "outside lag"
     next
     edit "Highstreet_2"
         set vdom "scsd"
@@ -622,9 +621,9 @@ config system interface
         set tcp-mss 1379
         set remote-ip 169.254.13.85 255.255.255.252
         set snmp-index 66
+        set interface "outside lag"
         set mtu-override enable
         set mtu 1427
-        set interface "outside lag"
     next
     edit "DPS"
         set vdom "scsd"
@@ -763,11 +762,9 @@ config system dns
 end
 config system replacemsg-image
     edit "logo_fnet"
-        set image-type gif
         set image-base64 ''
     next
     edit "logo_fguard_wf"
-        set image-type gif
         set image-base64 ''
     next
     edit "logo_v3_fguard_app"
@@ -802,6 +799,8 @@ config system replacemsg http "https-untrusted-cert-block"
 end
 config system replacemsg http "https-blocklisted-cert-block"
 end
+config system replacemsg http "https-ech-block"
+end
 config system replacemsg http "switching-protocols-block"
 end
 config system replacemsg http "http-antiphish-block"
@@ -822,7 +821,43 @@ config system replacemsg webproxy "http-err"
 end
 config system replacemsg webproxy "auth-ip-blackout"
 end
-config system replacemsg webproxy "ztna-block"
+config system replacemsg webproxy "ztna-invalid-cert"
+end
+config system replacemsg webproxy "ztna-empty-cert"
+end
+config system replacemsg webproxy "ztna-manageable-empty-cert"
+end
+config system replacemsg webproxy "ztna-no-api-gwy-matched"
+end
+config system replacemsg webproxy "ztna-cant-find-real-srv"
+end
+config system replacemsg webproxy "ztna-fqdn-dns-failed"
+end
+config system replacemsg webproxy "ztna-ssl-bookmark-failed"
+end
+config system replacemsg webproxy "ztna-no-policy-matched"
+end
+config system replacemsg webproxy "ztna-matched-deny-policy"
+end
+config system replacemsg webproxy "ztna-client-cert-revoked"
+end
+config system replacemsg webproxy "ztna-denied-by-matched-tags"
+end
+config system replacemsg webproxy "ztna-denied-no-matched-tags"
+end
+config system replacemsg webproxy "ztna-no-dev-info"
+end
+config system replacemsg webproxy "ztna-dev-is-offline"
+end
+config system replacemsg webproxy "ztna-dev-is-unmanageable"
+end
+config system replacemsg webproxy "ztna-auth-fail"
+end
+config system replacemsg webproxy "casb-block"
+end
+config system replacemsg webproxy "swp-empty-cert"
+end
+config system replacemsg webproxy "swp-manageable-empty-cert"
 end
 config system replacemsg ftp "ftp-explicit-banner"
 end
@@ -842,7 +877,11 @@ config system replacemsg spam "smtp-spam-feip"
 end
 config system replacemsg spam "smtp-spam-helo"
 end
-config system replacemsg spam "smtp-spam-emailblock"
+config system replacemsg spam "smtp-spam-emailblock-to"
+end
+config system replacemsg spam "smtp-spam-emailblock-from"
+end
+config system replacemsg spam "smtp-spam-emailblock-subject"
 end
 config system replacemsg spam "smtp-spam-mimeheader"
 end
@@ -962,6 +1001,8 @@ config system replacemsg utm "appblk-html"
 end
 config system replacemsg utm "ipsblk-html"
 end
+config system replacemsg utm "virpatchblk-html"
+end
 config system replacemsg utm "ipsfail-html"
 end
 config system replacemsg utm "exe-text"
@@ -1014,11 +1055,26 @@ config system replacemsg utm "file-size-html"
 end
 config system replacemsg utm "client-file-size-html"
 end
+config system replacemsg utm "inline-scan-timeout-html"
+end
+config system replacemsg utm "inline-scan-timeout-text"
+end
+config system replacemsg utm "inline-scan-error-html"
+end
+config system replacemsg utm "inline-scan-error-text"
+end
+config system replacemsg utm "icap-block-text"
+end
+config system replacemsg utm "icap-error-text"
+end
+config system replacemsg utm "icap-http-error"
+end
 config system replacemsg icap "icap-req-resp"
 end
 config system replacemsg automation "automation-email"
 end
 config system snmp sysinfo
+    set append-index enable
 end
 config system central-management
     set type fortiguard
@@ -1031,10 +1087,6 @@ config system vdom-property
         set description "property limits for vdom root"
         set snmp-index 1
     next
-    edit "scsd"
-        set description "property limits for vdom scsd"
-        set snmp-index 2
-    next
     edit "Policy"
         set description "property limits for vdom Policy"
         set snmp-index 4
@@ -1043,18 +1095,25 @@ config system vdom-property
         set description "property limits for vdom TEST"
         set snmp-index 3
     next
+    edit "scsd"
+        set description "property limits for vdom scsd"
+        set snmp-index 2
+    next
 end
-config system cluster-sync
+config system standalone-cluster
+    config cluster-peer
+    end
 end
 config system fortiguard
     set fortiguard-anycast disable
     set protocol udp
     set port 53
     set update-server-location usa
+    set auto-firmware-upgrade disable
     set sdns-server-ip "208.91.112.220" "173.243.140.53" "210.7.96.53" 
 end
 config system email-server
-    set server "notification.fortinet.net"
+    set server "fortinet-notifications.com"
     set port 465
     set security smtps
 end
@@ -1176,7 +1235,7 @@ config system ntp
     end
 end
 config system ftm-push
-    set server-cert "Fortinet_Factory"
+    set server-cert "Fortinet_GUI_Server"
 end
 config system automation-trigger
     edit "Network Down"
@@ -1211,6 +1270,76 @@ config system automation-trigger
     edit "Security Rating Notification"
         set event-type security-rating-summary
     next
+    edit "Local Cert Expired Notification"
+        set description "Default automation trigger configuration for when a local certificate is near expiration."
+        set event-type local-cert-near-expiry
+    next
+    edit "Compromised Host"
+        set description "An incident of compromise has been detected on a host endpoint."
+    next
+    edit "Any Security Rating Notification"
+        set description "A security rating summary report has been generated."
+        set event-type security-rating-summary
+    next
+    edit "AV & IPS DB update"
+        set description "The antivirus and IPS database has been updated."
+        set event-type virus-ips-db-updated
+    next
+    edit "Configuration Change"
+        set description "An administrator\'s session that changed a FortiGate\'s configuration has ended."
+        set event-type config-change
+    next
+    edit "Conserve Mode"
+        set description "A FortiGate has entered conserve mode due to low memory."
+        set event-type low-memory
+    next
+    edit "High CPU"
+        set description "A FortiGate has high CPU usage."
+        set event-type high-cpu
+    next
+    edit "License Expiry"
+        set description "A FortiGate license is near expiration."
+        set event-type license-near-expiry
+        set license-type any
+    next
+    edit "Anomaly Logs"
+        set description "An anomalous event has occurred."
+        set event-type anomaly-logs
+    next
+    edit "IPS Logs"
+        set description "An IPS event has occurred."
+        set event-type ips-logs
+    next
+    edit "SSH Logs"
+        set description "A SSH event has occurred."
+        set event-type ssh-logs
+    next
+    edit "Traffic Violation"
+        set description "A traffic policy has been violated."
+        set event-type traffic-violation
+    next
+    edit "Virus Logs"
+        set description "A virus event has occurred."
+        set event-type virus-logs
+    next
+    edit "Webfilter Violation"
+        set description "A webfilter policy has been violated."
+        set event-type webfilter-violation
+    next
+    edit "Admin Login"
+        set description "A FortiOS event with specified log ID has occurred."
+        set event-type event-log
+        set logid 32001
+    next
+    edit "Local Certificate Expiry"
+        set description "A local certificate is near expiration."
+        set event-type local-cert-near-expiry
+    next
+    edit "Auto Firmware upgrade"
+        set description "Automatic firmware upgrade."
+        set event-type event-log
+        set logid 22094 22095 32263
+    next
 end
 config system automation-action
     edit "Network Down_email"
@@ -1240,6 +1369,54 @@ config system automation-action
     edit "Compromised Host Quarantine_quarantine-forticlient"
         set action-type quarantine-forticlient
     next
+    edit "Reboot FortiGate"
+        set description "Default automation action configuration for rebooting this FortiGate unit."
+        set action-type system-actions
+        set system-action reboot
+        set minimum-interval 300
+    next
+    edit "Shutdown FortiGate"
+        set description "Default automation action configuration for shuting down this FortiGate unit."
+        set action-type system-actions
+        set system-action shutdown
+    next
+    edit "Backup Config Disk"
+        set description "Default automation action configuration for backing up the configuration on disk."
+        set action-type system-actions
+        set system-action backup-config
+    next
+    edit "Access Layer Quarantine"
+        set description "Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP)."
+        set action-type quarantine
+    next
+    edit "FortiClient Quarantine"
+        set description "Use FortiClient EMS to quarantine the endpoint device."
+        set action-type quarantine-forticlient
+    next
+    edit "FortiNAC Quarantine"
+        set description "Use FortiNAC to quarantine the endpoint device."
+        set action-type quarantine-fortinac
+    next
+    edit "IP Ban"
+        set description "Ban the IP address specified in the automation trigger event."
+        set action-type ban-ip
+    next
+    edit "FortiExplorer Notification"
+        set description "Send a notification to FortiExplorer mobile application."
+        set action-type fortiexplorer-notification
+    next
+    edit "Email Notification"
+        set description "Send a custom email notification to the FortiCare email address registered on this device."
+        set action-type email
+        set forticare-email enable
+        set email-subject "%%log.logdesc%%"
+    next
+    edit "CLI Script - System Status"
+        set description "Execute a CLI script to return the system status."
+        set action-type cli-script
+        set script "get system status"
+        set accprofile "super_admin_readonly"
+    next
 end
 config system automation-stitch
     edit "Network Down"
@@ -1317,6 +1494,16 @@ config system automation-stitch
             next
         end
     next
+    edit "Firmware upgrade notification"
+        set description "Automatic firmware upgrade notification."
+        set trigger "Auto Firmware upgrade"
+        set condition-logic or
+        config actions
+            edit 1
+                set action "Email Notification"
+            next
+        end
+    next
 end
 config system federated-upgrade
     set status disabled
diff --git a/configs/fortigate/global/virtual-patch.cfg b/configs/fortigate/global/virtual-patch.cfg
new file mode 100644
index 0000000..938bacc
--- /dev/null
+++ b/configs/fortigate/global/virtual-patch.cfg
@@ -0,0 +1,4 @@
+config virtual-patch profile
+    edit "g-default"
+    next
+end
diff --git a/configs/fortigate/global/webfilter.cfg b/configs/fortigate/global/webfilter.cfg
index 60160c2..621a516 100644
--- a/configs/fortigate/global/webfilter.cfg
+++ b/configs/fortigate/global/webfilter.cfg
@@ -488,7 +488,7 @@ config webfilter search-engine
     next
     edit "g-yandex"
         set hostname "yandex\\..*"
-        set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
+        set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
         set query "text="
         set safesearch url
         set safesearch-str "&family=yes"
@@ -547,16 +547,19 @@ config webfilter search-engine
         set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
         set query "variables="
         set safesearch translate
+        set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
     next
     edit "g-google-translate-1"
         set hostname "translate\\.google\\..*"
         set url "^\\/translate"
         set query "u="
         set safesearch translate
+        set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
     next
     edit "g-google-translate-2"
         set hostname ".*\\.translate\\.goog"
         set url "^\\/"
         set safesearch translate
+        set safesearch-str "case::google-translate"
     next
 end
diff --git a/configs/fortigate/vdom_Policy/casb.cfg b/configs/fortigate/vdom_Policy/casb.cfg
new file mode 100644
index 0000000..f52aa72
--- /dev/null
+++ b/configs/fortigate/vdom_Policy/casb.cfg
@@ -0,0 +1,8 @@
+config casb saas-application
+end
+config casb user-activity
+end
+config casb profile
+    edit "default"
+    next
+end
diff --git a/configs/fortigate/vdom_Policy/dlp.cfg b/configs/fortigate/vdom_Policy/dlp.cfg
index 2d8781f..c10714a 100644
--- a/configs/fortigate/vdom_Policy/dlp.cfg
+++ b/configs/fortigate/vdom_Policy/dlp.cfg
@@ -1,3 +1,34 @@
+config dlp data-type
+    edit "g-credit-card"
+        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
+        set verify "builtin)credit-card"
+        set look-back 20
+        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
+    next
+    edit "g-edm-keyword"
+        set pattern ".+"
+        set transform "/\\b\\0\\b/i"
+    next
+    edit "g-hex"
+        set pattern "built-in"
+    next
+    edit "g-keyword"
+        set pattern "built-in"
+    next
+    edit "g-mip-label"
+        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
+        set transform "built-in"
+    next
+    edit "g-regex"
+        set pattern "built-in"
+    next
+    edit "g-ssn-us"
+        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
+        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
+        set look-back 12
+        set transform "\\b\\1-\\2-\\3\\b"
+    next
+end
 config dlp filepattern
     edit 1
         set name "builtin-patterns"
@@ -70,9 +101,9 @@ config dlp sensitivity
     edit "Warning"
     next
 end
-config dlp sensor
+config dlp profile
     edit "g-default"
-        set comment "Default sensor."
+        set comment "Default profile."
     next
     edit "g-sniffer-profile"
         set comment "Log a summary of email and web traffic."
diff --git a/configs/fortigate/vdom_Policy/firewall.cfg b/configs/fortigate/vdom_Policy/firewall.cfg
index 1a2987f..4cfe829 100644
--- a/configs/fortigate/vdom_Policy/firewall.cfg
+++ b/configs/fortigate/vdom_Policy/firewall.cfg
@@ -1,4 +1,12 @@
 config firewall address
+    edit "EMS_ALL_UNKNOWN_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
+    edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
     edit "none"
         set subnet 0.0.0.0 255.255.255.255
     next
@@ -217,6 +225,22 @@ config firewall service category
     next
 end
 config firewall service custom
+    edit "ALL"
+        set category "General"
+        set protocol IP
+    next
+    edit "FTP"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_GET"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_PUT"
+        set category "File Access"
+        set tcp-portrange 21
+    next
     edit "DNS"
         set category "Network Services"
         set tcp-portrange 53
@@ -280,22 +304,6 @@ config firewall service custom
         set category "File Access"
         set tcp-portrange 445
     next
-    edit "FTP"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_GET"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_PUT"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "ALL"
-        set category "General"
-        set protocol IP
-    next
     edit "ALL_TCP"
         set category "General"
         set tcp-portrange 1-65535
@@ -330,7 +338,6 @@ config firewall service custom
         set protocol-number 50
     next
     edit "AOL"
-        set visibility disable
         set tcp-portrange 5190-5194
     next
     edit "BGP"
@@ -342,11 +349,9 @@ config firewall service custom
         set udp-portrange 67-68
     next
     edit "FINGER"
-        set visibility disable
         set tcp-portrange 79
     next
     edit "GOPHER"
-        set visibility disable
         set tcp-portrange 70
     next
     edit "H323"
@@ -359,7 +364,6 @@ config firewall service custom
         set udp-portrange 500 4500
     next
     edit "Internet-Locator-Service"
-        set visibility disable
         set tcp-portrange 389
     next
     edit "IRC"
@@ -372,7 +376,6 @@ config firewall service custom
         set udp-portrange 1701
     next
     edit "NetMeeting"
-        set visibility disable
         set tcp-portrange 1720
     next
     edit "NFS"
@@ -381,7 +384,6 @@ config firewall service custom
         set udp-portrange 111 2049
     next
     edit "NNTP"
-        set visibility disable
         set tcp-portrange 119
     next
     edit "NTP"
@@ -407,19 +409,16 @@ config firewall service custom
     next
     edit "TIMESTAMP"
         set protocol ICMP
-        set visibility disable
         set icmptype 13
         unset icmpcode
     next
     edit "INFO_REQUEST"
         set protocol ICMP
-        set visibility disable
         set icmptype 15
         unset icmpcode
     next
     edit "INFO_ADDRESS"
         set protocol ICMP
-        set visibility disable
         set icmptype 17
         unset icmpcode
     next
@@ -433,15 +432,12 @@ config firewall service custom
         set tcp-portrange 1723
     next
     edit "QUAKE"
-        set visibility disable
         set udp-portrange 26000 27000 27910 27960
     next
     edit "RAUDIO"
-        set visibility disable
         set udp-portrange 7070
     next
     edit "REXEC"
-        set visibility disable
         set tcp-portrange 512
     next
     edit "RIP"
@@ -449,11 +445,9 @@ config firewall service custom
         set udp-portrange 520
     next
     edit "RLOGIN"
-        set visibility disable
         set tcp-portrange 513:512-1023
     next
     edit "RSH"
-        set visibility disable
         set tcp-portrange 514:512-1023
     next
     edit "SCCP"
@@ -483,7 +477,6 @@ config firewall service custom
         set udp-portrange 514
     next
     edit "TALK"
-        set visibility disable
         set udp-portrange 517-518
     next
     edit "TELNET"
@@ -495,23 +488,18 @@ config firewall service custom
         set udp-portrange 69
     next
     edit "MGCP"
-        set visibility disable
         set udp-portrange 2427 2727
     next
     edit "UUCP"
-        set visibility disable
         set tcp-portrange 540
     next
     edit "VDOLIVE"
-        set visibility disable
         set tcp-portrange 7000-7010
     next
     edit "WAIS"
-        set visibility disable
         set tcp-portrange 210
     next
     edit "WINFRAME"
-        set visibility disable
         set tcp-portrange 1494 2598
     next
     edit "X-WINDOWS"
@@ -520,7 +508,6 @@ config firewall service custom
     next
     edit "PING6"
         set protocol ICMP6
-        set visibility disable
         set icmptype 128
         unset icmpcode
     next
@@ -563,11 +550,9 @@ config firewall service custom
         set udp-portrange 1812 1813
     next
     edit "RADIUS-OLD"
-        set visibility disable
         set udp-portrange 1645 1646
     next
     edit "CVSPSERVER"
-        set visibility disable
         set tcp-portrange 2401
         set udp-portrange 2401
     next
@@ -586,12 +571,10 @@ config firewall service custom
         set udp-portrange 554
     next
     edit "MMS"
-        set visibility disable
         set tcp-portrange 1755
         set udp-portrange 1024-5000
     next
     edit "NONE"
-        set visibility disable
         set tcp-portrange 0
     next
     edit "webproxy"
@@ -639,6 +622,16 @@ config firewall shaper traffic-shaper
         set maximum-bandwidth 1024
     next
 end
+config firewall proxy-address
+    edit "IPv4-address"
+        set type host-regex
+        set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
+    next
+    edit "IPv6-address"
+        set type host-regex
+        set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
+    next
+end
 config firewall schedule recurring
     edit "always"
         set day sunday monday tuesday wednesday thursday friday saturday
@@ -747,6 +740,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status certificate-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -771,6 +765,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
     next
     edit "deep-inspection"
@@ -778,6 +773,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -806,6 +802,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -941,6 +938,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -969,6 +967,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -1103,6 +1102,7 @@ config firewall ssl-ssh-profile
         set comment "Read-only profile that does no inspection."
         config https
             set status disable
+            set quic bypass
             set unsupported-ssl-version allow
         end
         config ftps
@@ -1127,6 +1127,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic bypass
         end
     next
 end
diff --git a/configs/fortigate/vdom_Policy/ips.cfg b/configs/fortigate/vdom_Policy/ips.cfg
index f8de5cc..a5580dd 100644
--- a/configs/fortigate/vdom_Policy/ips.cfg
+++ b/configs/fortigate/vdom_Policy/ips.cfg
@@ -3,7 +3,7 @@ config ips sensor
         set comment "Prevent critical attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -11,7 +11,7 @@ config ips sensor
         set comment "Monitor IPS attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -19,7 +19,7 @@ config ips sensor
         set comment "Default configuration for offloading WiFi traffic."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
diff --git a/configs/fortigate/vdom_Policy/switch-controller.cfg b/configs/fortigate/vdom_Policy/switch-controller.cfg
index 2cc8def..92d7da8 100644
--- a/configs/fortigate/vdom_Policy/switch-controller.cfg
+++ b/configs/fortigate/vdom_Policy/switch-controller.cfg
@@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
         set framevid-apply enable
         set radius-timeout-overwrite disable
         set authserver-timeout-vlan disable
+        set dacl disable
     next
 end
 config switch-controller security-policy local-access
@@ -170,6 +171,8 @@ config switch-controller storm-control-policy
     next
 end
 config switch-controller auto-config policy
+    edit "pse"
+    next
     edit "default"
     next
     edit "default-icl"
@@ -208,12 +211,12 @@ config switch-controller switch-profile
     edit "default"
     next
 end
-config switch-controller ptp settings
-    set mode disable
-end
-config switch-controller ptp policy
+config switch-controller ptp profile
+    edit "default"
+    next
+end
+config switch-controller ptp interface-policy
     edit "default"
-        set status enable
     next
 end
 config switch-controller remote-log
diff --git a/configs/fortigate/vdom_Policy/system.cfg b/configs/fortigate/vdom_Policy/system.cfg
index e9f7e06..220c37c 100644
--- a/configs/fortigate/vdom_Policy/system.cfg
+++ b/configs/fortigate/vdom_Policy/system.cfg
@@ -6,6 +6,7 @@ config system settings
     set comments "Test VDOM for Policy-based"
     set ngfw-mode policy-based
     set h323-direct-model enable
+    set default-app-port-as-service disable
 end
 config system replacemsg-group
     edit "default"
@@ -33,8 +34,8 @@ config system sdwan
         next
         edit "Default_Office_365"
             set server "www.office.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -60,8 +61,8 @@ config system sdwan
         next
         edit "Default_Google Search"
             set server "www.google.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -74,8 +75,8 @@ config system sdwan
         next
         edit "Default_FortiGuard"
             set server "fortiguard.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
diff --git a/configs/fortigate/vdom_Policy/virtual-patch.cfg b/configs/fortigate/vdom_Policy/virtual-patch.cfg
new file mode 100644
index 0000000..938bacc
--- /dev/null
+++ b/configs/fortigate/vdom_Policy/virtual-patch.cfg
@@ -0,0 +1,4 @@
+config virtual-patch profile
+    edit "g-default"
+    next
+end
diff --git a/configs/fortigate/vdom_Policy/vpn.cfg b/configs/fortigate/vdom_Policy/vpn.cfg
index 8be82c5..c7cb0df 100644
--- a/configs/fortigate/vdom_Policy/vpn.cfg
+++ b/configs/fortigate/vdom_Policy/vpn.cfg
@@ -16,6 +16,11 @@ config vpn certificate local
         set range global
         set source factory
     next
+    edit "Fortinet_GUI_Server"
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set range global
+        set source factory
+    next
     edit "Fortinet_SSL_RSA1024"
         set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
         set range global
@@ -294,6 +299,7 @@ config vpn ssl web portal
     next
 end
 config vpn ssl settings
+    set banned-cipher SHA1 SHA256 SHA384
     set servercert "Fortinet_Factory"
     set port 443
 end
diff --git a/configs/fortigate/vdom_Policy/webfilter.cfg b/configs/fortigate/vdom_Policy/webfilter.cfg
index bfef10d..dc5844a 100644
--- a/configs/fortigate/vdom_Policy/webfilter.cfg
+++ b/configs/fortigate/vdom_Policy/webfilter.cfg
@@ -56,17 +56,20 @@ config webfilter search-engine
         set url "^\\/translate"
         set query "u="
         set safesearch translate
+        set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
     next
     edit "g-google-translate-2"
         set hostname ".*\\.translate\\.goog"
         set url "^\\/"
         set safesearch translate
+        set safesearch-str "case::google-translate"
     next
     edit "g-twitter"
         set hostname "twitter\\.com"
         set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
         set query "variables="
         set safesearch translate
+        set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
     next
     edit "g-vimeo"
         set hostname ".*vimeo.*"
@@ -83,7 +86,7 @@ config webfilter search-engine
     next
     edit "g-yandex"
         set hostname "yandex\\..*"
-        set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
+        set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
         set query "text="
         set safesearch url
         set safesearch-str "&family=yes"
@@ -116,12 +119,6 @@ config webfilter search-engine
         set url "www.youtube.com/youtubei/v1/navigator"
         set safesearch yt-scan
     next
-    edit "translate"
-        set hostname "translate\\.google\\..*"
-        set url "^\\/translate\\?"
-        set query "u="
-        set safesearch translate
-    next
     edit "yt-video"
         set url "www.youtube.com/watch"
         set safesearch yt-video
diff --git a/configs/fortigate/vdom_TEST/casb.cfg b/configs/fortigate/vdom_TEST/casb.cfg
new file mode 100644
index 0000000..f52aa72
--- /dev/null
+++ b/configs/fortigate/vdom_TEST/casb.cfg
@@ -0,0 +1,8 @@
+config casb saas-application
+end
+config casb user-activity
+end
+config casb profile
+    edit "default"
+    next
+end
diff --git a/configs/fortigate/vdom_TEST/dlp.cfg b/configs/fortigate/vdom_TEST/dlp.cfg
index 2d8781f..c10714a 100644
--- a/configs/fortigate/vdom_TEST/dlp.cfg
+++ b/configs/fortigate/vdom_TEST/dlp.cfg
@@ -1,3 +1,34 @@
+config dlp data-type
+    edit "g-credit-card"
+        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
+        set verify "builtin)credit-card"
+        set look-back 20
+        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
+    next
+    edit "g-edm-keyword"
+        set pattern ".+"
+        set transform "/\\b\\0\\b/i"
+    next
+    edit "g-hex"
+        set pattern "built-in"
+    next
+    edit "g-keyword"
+        set pattern "built-in"
+    next
+    edit "g-mip-label"
+        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
+        set transform "built-in"
+    next
+    edit "g-regex"
+        set pattern "built-in"
+    next
+    edit "g-ssn-us"
+        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
+        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
+        set look-back 12
+        set transform "\\b\\1-\\2-\\3\\b"
+    next
+end
 config dlp filepattern
     edit 1
         set name "builtin-patterns"
@@ -70,9 +101,9 @@ config dlp sensitivity
     edit "Warning"
     next
 end
-config dlp sensor
+config dlp profile
     edit "g-default"
-        set comment "Default sensor."
+        set comment "Default profile."
     next
     edit "g-sniffer-profile"
         set comment "Log a summary of email and web traffic."
diff --git a/configs/fortigate/vdom_TEST/firewall.cfg b/configs/fortigate/vdom_TEST/firewall.cfg
index f46e62f..0a88c82 100644
--- a/configs/fortigate/vdom_TEST/firewall.cfg
+++ b/configs/fortigate/vdom_TEST/firewall.cfg
@@ -1,4 +1,12 @@
 config firewall address
+    edit "EMS_ALL_UNKNOWN_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
+    edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
     edit "none"
         set subnet 0.0.0.0 255.255.255.255
     next
@@ -248,6 +256,22 @@ config firewall service category
     next
 end
 config firewall service custom
+    edit "ALL"
+        set category "General"
+        set protocol IP
+    next
+    edit "FTP"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_GET"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_PUT"
+        set category "File Access"
+        set tcp-portrange 21
+    next
     edit "DNS"
         set category "Network Services"
         set tcp-portrange 53
@@ -311,22 +335,6 @@ config firewall service custom
         set category "File Access"
         set tcp-portrange 445
     next
-    edit "FTP"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_GET"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_PUT"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "ALL"
-        set category "General"
-        set protocol IP
-    next
     edit "ALL_TCP"
         set category "General"
         set tcp-portrange 1-65535
@@ -361,7 +369,6 @@ config firewall service custom
         set protocol-number 50
     next
     edit "AOL"
-        set visibility disable
         set tcp-portrange 5190-5194
     next
     edit "BGP"
@@ -373,11 +380,9 @@ config firewall service custom
         set udp-portrange 67-68
     next
     edit "FINGER"
-        set visibility disable
         set tcp-portrange 79
     next
     edit "GOPHER"
-        set visibility disable
         set tcp-portrange 70
     next
     edit "H323"
@@ -390,7 +395,6 @@ config firewall service custom
         set udp-portrange 500 4500
     next
     edit "Internet-Locator-Service"
-        set visibility disable
         set tcp-portrange 389
     next
     edit "IRC"
@@ -403,7 +407,6 @@ config firewall service custom
         set udp-portrange 1701
     next
     edit "NetMeeting"
-        set visibility disable
         set tcp-portrange 1720
     next
     edit "NFS"
@@ -412,7 +415,6 @@ config firewall service custom
         set udp-portrange 111 2049
     next
     edit "NNTP"
-        set visibility disable
         set tcp-portrange 119
     next
     edit "NTP"
@@ -438,19 +440,16 @@ config firewall service custom
     next
     edit "TIMESTAMP"
         set protocol ICMP
-        set visibility disable
         set icmptype 13
         unset icmpcode
     next
     edit "INFO_REQUEST"
         set protocol ICMP
-        set visibility disable
         set icmptype 15
         unset icmpcode
     next
     edit "INFO_ADDRESS"
         set protocol ICMP
-        set visibility disable
         set icmptype 17
         unset icmpcode
     next
@@ -464,15 +463,12 @@ config firewall service custom
         set tcp-portrange 1723
     next
     edit "QUAKE"
-        set visibility disable
         set udp-portrange 26000 27000 27910 27960
     next
     edit "RAUDIO"
-        set visibility disable
         set udp-portrange 7070
     next
     edit "REXEC"
-        set visibility disable
         set tcp-portrange 512
     next
     edit "RIP"
@@ -480,11 +476,9 @@ config firewall service custom
         set udp-portrange 520
     next
     edit "RLOGIN"
-        set visibility disable
         set tcp-portrange 513:512-1023
     next
     edit "RSH"
-        set visibility disable
         set tcp-portrange 514:512-1023
     next
     edit "SCCP"
@@ -514,7 +508,6 @@ config firewall service custom
         set udp-portrange 514
     next
     edit "TALK"
-        set visibility disable
         set udp-portrange 517-518
     next
     edit "TELNET"
@@ -526,23 +519,18 @@ config firewall service custom
         set udp-portrange 69
     next
     edit "MGCP"
-        set visibility disable
         set udp-portrange 2427 2727
     next
     edit "UUCP"
-        set visibility disable
         set tcp-portrange 540
     next
     edit "VDOLIVE"
-        set visibility disable
         set tcp-portrange 7000-7010
     next
     edit "WAIS"
-        set visibility disable
         set tcp-portrange 210
     next
     edit "WINFRAME"
-        set visibility disable
         set tcp-portrange 1494 2598
     next
     edit "X-WINDOWS"
@@ -551,7 +539,6 @@ config firewall service custom
     next
     edit "PING6"
         set protocol ICMP6
-        set visibility disable
         set icmptype 128
         unset icmpcode
     next
@@ -594,11 +581,9 @@ config firewall service custom
         set udp-portrange 1812 1813
     next
     edit "RADIUS-OLD"
-        set visibility disable
         set udp-portrange 1645 1646
     next
     edit "CVSPSERVER"
-        set visibility disable
         set tcp-portrange 2401
         set udp-portrange 2401
     next
@@ -617,12 +602,10 @@ config firewall service custom
         set udp-portrange 554
     next
     edit "MMS"
-        set visibility disable
         set tcp-portrange 1755
         set udp-portrange 1024-5000
     next
     edit "NONE"
-        set visibility disable
         set tcp-portrange 0
     next
     edit "webproxy"
@@ -670,6 +653,16 @@ config firewall shaper traffic-shaper
         set maximum-bandwidth 1024
     next
 end
+config firewall proxy-address
+    edit "IPv4-address"
+        set type host-regex
+        set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
+    next
+    edit "IPv6-address"
+        set type host-regex
+        set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
+    next
+end
 config firewall schedule recurring
     edit "always"
         set day sunday monday tuesday wednesday thursday friday saturday
@@ -791,6 +784,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status certificate-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -815,6 +809,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
     next
     edit "deep-inspection"
@@ -822,6 +817,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -850,6 +846,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -985,6 +982,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -1013,6 +1011,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -1147,6 +1146,7 @@ config firewall ssl-ssh-profile
         set comment "Read-only profile that does no inspection."
         config https
             set status disable
+            set quic bypass
             set unsupported-ssl-version allow
         end
         config ftps
@@ -1171,6 +1171,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic bypass
         end
     next
 end
@@ -1184,7 +1185,6 @@ config firewall policy
         set schedule "always"
         set service "ALL"
         set logtraffic disable
-        set match-vip enable
     next
     edit 4
         set name "Block_Countries_Out"
@@ -1195,7 +1195,6 @@ config firewall policy
         set schedule "always"
         set service "ALL"
         set logtraffic disable
-        set match-vip enable
     next
     edit 2
         set name "Webosphere"
diff --git a/configs/fortigate/vdom_TEST/ips.cfg b/configs/fortigate/vdom_TEST/ips.cfg
index cb43115..722dfbb 100644
--- a/configs/fortigate/vdom_TEST/ips.cfg
+++ b/configs/fortigate/vdom_TEST/ips.cfg
@@ -3,7 +3,7 @@ config ips sensor
         set comment "Prevent critical attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -11,7 +11,7 @@ config ips sensor
         set comment "Monitor IPS attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -19,7 +19,7 @@ config ips sensor
         set comment "Default configuration for offloading WiFi traffic."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -28,7 +28,7 @@ config ips sensor
         set scan-botnet-connections block
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
                 set action block
             next
         end
@@ -37,3 +37,6 @@ config ips sensor
         set comment "This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI"
     next
 end
+config ips settings
+    set proxy-inline-ips disable
+end
diff --git a/configs/fortigate/vdom_TEST/switch-controller.cfg b/configs/fortigate/vdom_TEST/switch-controller.cfg
index 2cc8def..92d7da8 100644
--- a/configs/fortigate/vdom_TEST/switch-controller.cfg
+++ b/configs/fortigate/vdom_TEST/switch-controller.cfg
@@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
         set framevid-apply enable
         set radius-timeout-overwrite disable
         set authserver-timeout-vlan disable
+        set dacl disable
     next
 end
 config switch-controller security-policy local-access
@@ -170,6 +171,8 @@ config switch-controller storm-control-policy
     next
 end
 config switch-controller auto-config policy
+    edit "pse"
+    next
     edit "default"
     next
     edit "default-icl"
@@ -208,12 +211,12 @@ config switch-controller switch-profile
     edit "default"
     next
 end
-config switch-controller ptp settings
-    set mode disable
-end
-config switch-controller ptp policy
+config switch-controller ptp profile
+    edit "default"
+    next
+end
+config switch-controller ptp interface-policy
     edit "default"
-        set status enable
     next
 end
 config switch-controller remote-log
diff --git a/configs/fortigate/vdom_TEST/system.cfg b/configs/fortigate/vdom_TEST/system.cfg
index 9401113..7ac3feb 100644
--- a/configs/fortigate/vdom_TEST/system.cfg
+++ b/configs/fortigate/vdom_TEST/system.cfg
@@ -40,8 +40,8 @@ config system sdwan
         next
         edit "Default_Office_365"
             set server "www.office.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -67,8 +67,8 @@ config system sdwan
         next
         edit "Default_Google Search"
             set server "www.google.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -81,8 +81,8 @@ config system sdwan
         next
         edit "Default_FortiGuard"
             set server "fortiguard.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
diff --git a/configs/fortigate/vdom_TEST/virtual-patch.cfg b/configs/fortigate/vdom_TEST/virtual-patch.cfg
new file mode 100644
index 0000000..938bacc
--- /dev/null
+++ b/configs/fortigate/vdom_TEST/virtual-patch.cfg
@@ -0,0 +1,4 @@
+config virtual-patch profile
+    edit "g-default"
+    next
+end
diff --git a/configs/fortigate/vdom_TEST/voip.cfg b/configs/fortigate/vdom_TEST/voip.cfg
index e9ec5b1..bc94a96 100644
--- a/configs/fortigate/vdom_TEST/voip.cfg
+++ b/configs/fortigate/vdom_TEST/voip.cfg
@@ -1,6 +1,8 @@
 config voip profile
     edit "default"
         set comment "Default VoIP profile."
+        config sip
+        end
     next
     edit "strict"
         config sip
diff --git a/configs/fortigate/vdom_TEST/vpn.cfg b/configs/fortigate/vdom_TEST/vpn.cfg
index 8be82c5..c7cb0df 100644
--- a/configs/fortigate/vdom_TEST/vpn.cfg
+++ b/configs/fortigate/vdom_TEST/vpn.cfg
@@ -16,6 +16,11 @@ config vpn certificate local
         set range global
         set source factory
     next
+    edit "Fortinet_GUI_Server"
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set range global
+        set source factory
+    next
     edit "Fortinet_SSL_RSA1024"
         set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
         set range global
@@ -294,6 +299,7 @@ config vpn ssl web portal
     next
 end
 config vpn ssl settings
+    set banned-cipher SHA1 SHA256 SHA384
     set servercert "Fortinet_Factory"
     set port 443
 end
diff --git a/configs/fortigate/vdom_TEST/webfilter.cfg b/configs/fortigate/vdom_TEST/webfilter.cfg
index 247c24d..55d8b83 100644
--- a/configs/fortigate/vdom_TEST/webfilter.cfg
+++ b/configs/fortigate/vdom_TEST/webfilter.cfg
@@ -511,17 +511,20 @@ config webfilter search-engine
         set url "^\\/translate"
         set query "u="
         set safesearch translate
+        set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
     next
     edit "g-google-translate-2"
         set hostname ".*\\.translate\\.goog"
         set url "^\\/"
         set safesearch translate
+        set safesearch-str "case::google-translate"
     next
     edit "g-twitter"
         set hostname "twitter\\.com"
         set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
         set query "variables="
         set safesearch translate
+        set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
     next
     edit "g-vimeo"
         set hostname ".*vimeo.*"
@@ -538,7 +541,7 @@ config webfilter search-engine
     next
     edit "g-yandex"
         set hostname "yandex\\..*"
-        set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
+        set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
         set query "text="
         set safesearch url
         set safesearch-str "&family=yes"
@@ -571,12 +574,6 @@ config webfilter search-engine
         set url "www.youtube.com/youtubei/v1/navigator"
         set safesearch yt-scan
     next
-    edit "translate"
-        set hostname "translate\\.google\\..*"
-        set url "^\\/translate\\?"
-        set query "u="
-        set safesearch translate
-    next
     edit "yt-video"
         set url "www.youtube.com/watch"
         set safesearch yt-video
diff --git a/configs/fortigate/vdom_root/casb.cfg b/configs/fortigate/vdom_root/casb.cfg
new file mode 100644
index 0000000..f52aa72
--- /dev/null
+++ b/configs/fortigate/vdom_root/casb.cfg
@@ -0,0 +1,8 @@
+config casb saas-application
+end
+config casb user-activity
+end
+config casb profile
+    edit "default"
+    next
+end
diff --git a/configs/fortigate/vdom_root/dlp.cfg b/configs/fortigate/vdom_root/dlp.cfg
index 2b06ed4..4487674 100644
--- a/configs/fortigate/vdom_root/dlp.cfg
+++ b/configs/fortigate/vdom_root/dlp.cfg
@@ -1,3 +1,81 @@
+config dlp data-type
+    edit "g-credit-card"
+        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
+        set verify "builtin)credit-card"
+        set look-back 20
+        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
+    next
+    edit "g-edm-keyword"
+        set pattern ".+"
+        set transform "/\\b\\0\\b/i"
+    next
+    edit "g-hex"
+        set pattern "built-in"
+    next
+    edit "g-keyword"
+        set pattern "built-in"
+    next
+    edit "g-mip-label"
+        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
+        set transform "built-in"
+    next
+    edit "g-regex"
+        set pattern "built-in"
+    next
+    edit "g-ssn-us"
+        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
+        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
+        set look-back 12
+        set transform "\\b\\1-\\2-\\3\\b"
+    next
+end
+config dlp dictionary
+    edit "SSN-Sensor-r1d"
+        config entries
+            edit 1
+                set type "g-regex"
+                set pattern "WebEx"
+            next
+        end
+    next
+    edit "def-cc-dict"
+        config entries
+            edit 1
+                set type "g-credit-card"
+            next
+        end
+    next
+    edit "def-ssn-dict"
+        config entries
+            edit 1
+                set type "g-ssn-us"
+            next
+        end
+    next
+end
+config dlp sensor
+    edit "SSN-Sensor-r1s"
+        config entries
+            edit 1
+                set dictionary "SSN-Sensor-r1d"
+            next
+        end
+    next
+    edit "def-cc-sensor"
+        config entries
+            edit 1
+                set dictionary "def-cc-dict"
+            next
+        end
+    next
+    edit "def-ssn-sensor"
+        config entries
+            edit 1
+                set dictionary "def-ssn-dict"
+            next
+        end
+    next
+end
 config dlp filepattern
     edit 1
         set name "builtin-patterns"
@@ -70,9 +148,9 @@ config dlp sensitivity
     edit "Warning"
     next
 end
-config dlp sensor
+config dlp profile
     edit "g-default"
-        set comment "Default sensor."
+        set comment "Default profile."
     next
     edit "g-sniffer-profile"
         set comment "Log a summary of email and web traffic."
@@ -89,11 +167,13 @@ config dlp sensor
     next
     edit "Credit-Card"
         set feature-set proxy
-        config filter
+        config rule
             edit 1
                 set name "Credit-Card-Filter"
                 set severity high
                 set proto smtp pop3 imap http-get http-post mapi
+                set filter-by sensor
+                set sensor "def-cc-sensor"
                 set action log-only
             next
             edit 2
@@ -101,17 +181,18 @@ config dlp sensor
                 set severity high
                 set type message
                 set proto smtp pop3 imap http-post mapi
+                set filter-by sensor
+                set sensor "def-cc-sensor"
                 set action log-only
             next
         end
     next
     edit "Large-File"
         set feature-set proxy
-        config filter
+        config rule
             edit 1
                 set name "Large-File-Filter"
                 set proto smtp pop3 imap http-get http-post mapi
-                set filter-by file-size
                 set file-size 5120
                 set action log-only
             next
@@ -120,28 +201,30 @@ config dlp sensor
     edit "SSN-Sensor"
         set comment "Match SSN numbers but NOT WebEx invite emails."
         set feature-set proxy
-        config filter
+        config rule
             edit 1
                 set name "SSN-Sensor-Filter"
                 set severity high
                 set type message
                 set proto smtp pop3 imap mapi
-                set filter-by regexp
-                set regexp "WebEx"
+                set filter-by sensor
+                set sensor "SSN-Sensor-r1s"
             next
             edit 2
                 set name "SSN-Sensor-Filter"
                 set severity high
                 set type message
                 set proto smtp pop3 imap mapi
-                set filter-by ssn
+                set filter-by sensor
+                set sensor "def-ssn-sensor"
                 set action log-only
             next
             edit 3
                 set name "SSN-Sensor-Filter"
                 set severity high
                 set proto smtp pop3 imap http-get http-post ftp mapi
-                set filter-by ssn
+                set filter-by sensor
+                set sensor "def-ssn-sensor"
                 set action log-only
             next
         end
diff --git a/configs/fortigate/vdom_root/firewall.cfg b/configs/fortigate/vdom_root/firewall.cfg
index 37519bf..d418caf 100644
--- a/configs/fortigate/vdom_root/firewall.cfg
+++ b/configs/fortigate/vdom_root/firewall.cfg
@@ -1,4 +1,12 @@
 config firewall address
+    edit "EMS_ALL_UNKNOWN_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
+    edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
     edit "none"
         set subnet 0.0.0.0 255.255.255.255
     next
@@ -217,6 +225,22 @@ config firewall service category
     next
 end
 config firewall service custom
+    edit "ALL"
+        set category "General"
+        set protocol IP
+    next
+    edit "FTP"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_GET"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_PUT"
+        set category "File Access"
+        set tcp-portrange 21
+    next
     edit "DNS"
         set category "Network Services"
         set tcp-portrange 53
@@ -280,22 +304,6 @@ config firewall service custom
         set category "File Access"
         set tcp-portrange 445
     next
-    edit "FTP"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_GET"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_PUT"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "ALL"
-        set category "General"
-        set protocol IP
-    next
     edit "ALL_TCP"
         set category "General"
         set tcp-portrange 1-65535
@@ -330,7 +338,6 @@ config firewall service custom
         set protocol-number 50
     next
     edit "AOL"
-        set visibility disable
         set tcp-portrange 5190-5194
     next
     edit "BGP"
@@ -342,11 +349,9 @@ config firewall service custom
         set udp-portrange 67-68
     next
     edit "FINGER"
-        set visibility disable
         set tcp-portrange 79
     next
     edit "GOPHER"
-        set visibility disable
         set tcp-portrange 70
     next
     edit "H323"
@@ -359,7 +364,6 @@ config firewall service custom
         set udp-portrange 500 4500
     next
     edit "Internet-Locator-Service"
-        set visibility disable
         set tcp-portrange 389
     next
     edit "IRC"
@@ -372,7 +376,6 @@ config firewall service custom
         set udp-portrange 1701
     next
     edit "NetMeeting"
-        set visibility disable
         set tcp-portrange 1720
     next
     edit "NFS"
@@ -381,7 +384,6 @@ config firewall service custom
         set udp-portrange 111 2049
     next
     edit "NNTP"
-        set visibility disable
         set tcp-portrange 119
     next
     edit "NTP"
@@ -407,19 +409,16 @@ config firewall service custom
     next
     edit "TIMESTAMP"
         set protocol ICMP
-        set visibility disable
         set icmptype 13
         unset icmpcode
     next
     edit "INFO_REQUEST"
         set protocol ICMP
-        set visibility disable
         set icmptype 15
         unset icmpcode
     next
     edit "INFO_ADDRESS"
         set protocol ICMP
-        set visibility disable
         set icmptype 17
         unset icmpcode
     next
@@ -433,15 +432,12 @@ config firewall service custom
         set tcp-portrange 1723
     next
     edit "QUAKE"
-        set visibility disable
         set udp-portrange 26000 27000 27910 27960
     next
     edit "RAUDIO"
-        set visibility disable
         set udp-portrange 7070
     next
     edit "REXEC"
-        set visibility disable
         set tcp-portrange 512
     next
     edit "RIP"
@@ -449,11 +445,9 @@ config firewall service custom
         set udp-portrange 520
     next
     edit "RLOGIN"
-        set visibility disable
         set tcp-portrange 513:512-1023
     next
     edit "RSH"
-        set visibility disable
         set tcp-portrange 514:512-1023
     next
     edit "SCCP"
@@ -483,7 +477,6 @@ config firewall service custom
         set udp-portrange 514
     next
     edit "TALK"
-        set visibility disable
         set udp-portrange 517-518
     next
     edit "TELNET"
@@ -495,23 +488,18 @@ config firewall service custom
         set udp-portrange 69
     next
     edit "MGCP"
-        set visibility disable
         set udp-portrange 2427 2727
     next
     edit "UUCP"
-        set visibility disable
         set tcp-portrange 540
     next
     edit "VDOLIVE"
-        set visibility disable
         set tcp-portrange 7000-7010
     next
     edit "WAIS"
-        set visibility disable
         set tcp-portrange 210
     next
     edit "WINFRAME"
-        set visibility disable
         set tcp-portrange 1494 2598
     next
     edit "X-WINDOWS"
@@ -520,7 +508,6 @@ config firewall service custom
     next
     edit "PING6"
         set protocol ICMP6
-        set visibility disable
         set icmptype 128
         unset icmpcode
     next
@@ -563,11 +550,9 @@ config firewall service custom
         set udp-portrange 1812 1813
     next
     edit "RADIUS-OLD"
-        set visibility disable
         set udp-portrange 1645 1646
     next
     edit "CVSPSERVER"
-        set visibility disable
         set tcp-portrange 2401
         set udp-portrange 2401
     next
@@ -586,12 +571,10 @@ config firewall service custom
         set udp-portrange 554
     next
     edit "MMS"
-        set visibility disable
         set tcp-portrange 1755
         set udp-portrange 1024-5000
     next
     edit "NONE"
-        set visibility disable
         set tcp-portrange 0
     next
     edit "webproxy"
@@ -639,6 +622,16 @@ config firewall shaper traffic-shaper
         set maximum-bandwidth 1024
     next
 end
+config firewall proxy-address
+    edit "IPv4-address"
+        set type host-regex
+        set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
+    next
+    edit "IPv6-address"
+        set type host-regex
+        set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
+    next
+end
 config firewall schedule recurring
     edit "always"
         set day sunday monday tuesday wednesday thursday friday saturday
@@ -747,6 +740,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -775,6 +769,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -910,6 +905,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -938,6 +934,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -1072,6 +1069,7 @@ config firewall ssl-ssh-profile
         set comment "Read-only profile that does no inspection."
         config https
             set status disable
+            set quic bypass
             set unsupported-ssl-version allow
         end
         config ftps
@@ -1096,6 +1094,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic bypass
         end
     next
     edit "certificate-inspection"
@@ -1103,6 +1102,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status certificate-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -1127,6 +1127,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
     next
 end
diff --git a/configs/fortigate/vdom_root/ips.cfg b/configs/fortigate/vdom_root/ips.cfg
index 250607a..20a1db7 100644
--- a/configs/fortigate/vdom_root/ips.cfg
+++ b/configs/fortigate/vdom_root/ips.cfg
@@ -3,7 +3,7 @@ config ips sensor
         set comment "Prevent critical attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -11,7 +11,7 @@ config ips sensor
         set comment "Monitor IPS attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -19,7 +19,7 @@ config ips sensor
         set comment "Default configuration for offloading WiFi traffic."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -43,12 +43,12 @@ config ips sensor
         set block-malicious-url enable
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
                 set status enable
                 set action block
             next
             edit 2
-                set severity low 
+                set severity low
             next
         end
     next
@@ -56,7 +56,7 @@ config ips sensor
         set comment "Protect against client-side vulnerabilities."
         config entries
             edit 1
-                set location client 
+                set location client
             next
         end
     next
@@ -64,8 +64,8 @@ config ips sensor
         set comment "Protect against email server-side vulnerabilities."
         config entries
             edit 1
-                set location server 
-                set protocol SMTP POP3 IMAP 
+                set location server
+                set protocol SMTP POP3 IMAP
             next
         end
     next
@@ -73,9 +73,12 @@ config ips sensor
         set comment "Protect against HTTP server-side vulnerabilities."
         config entries
             edit 1
-                set location server 
-                set protocol HTTP 
+                set location server
+                set protocol HTTP
             next
         end
     next
 end
+config ips settings
+    set proxy-inline-ips disable
+end
diff --git a/configs/fortigate/vdom_root/log.cfg b/configs/fortigate/vdom_root/log.cfg
index a21ea5a..104f7bc 100644
--- a/configs/fortigate/vdom_root/log.cfg
+++ b/configs/fortigate/vdom_root/log.cfg
@@ -82,5 +82,4 @@ config log setting
     set local-in-allow enable
     set local-in-deny-unicast enable
     set local-in-deny-broadcast enable
-    set local-out enable
 end
diff --git a/configs/fortigate/vdom_root/switch-controller.cfg b/configs/fortigate/vdom_root/switch-controller.cfg
index 2cc8def..92d7da8 100644
--- a/configs/fortigate/vdom_root/switch-controller.cfg
+++ b/configs/fortigate/vdom_root/switch-controller.cfg
@@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
         set framevid-apply enable
         set radius-timeout-overwrite disable
         set authserver-timeout-vlan disable
+        set dacl disable
     next
 end
 config switch-controller security-policy local-access
@@ -170,6 +171,8 @@ config switch-controller storm-control-policy
     next
 end
 config switch-controller auto-config policy
+    edit "pse"
+    next
     edit "default"
     next
     edit "default-icl"
@@ -208,12 +211,12 @@ config switch-controller switch-profile
     edit "default"
     next
 end
-config switch-controller ptp settings
-    set mode disable
-end
-config switch-controller ptp policy
+config switch-controller ptp profile
+    edit "default"
+    next
+end
+config switch-controller ptp interface-policy
     edit "default"
-        set status enable
     next
 end
 config switch-controller remote-log
diff --git a/configs/fortigate/vdom_root/system.cfg b/configs/fortigate/vdom_root/system.cfg
index f339824..9dea4ca 100644
--- a/configs/fortigate/vdom_root/system.cfg
+++ b/configs/fortigate/vdom_root/system.cfg
@@ -34,8 +34,8 @@ config system sdwan
     config health-check
         edit "Default_Office_365"
             set server "www.office.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -61,8 +61,8 @@ config system sdwan
         next
         edit "Default_Google Search"
             set server "www.google.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -75,8 +75,8 @@ config system sdwan
         next
         edit "Default_FortiGuard"
             set server "fortiguard.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
diff --git a/configs/fortigate/vdom_root/virtual-patch.cfg b/configs/fortigate/vdom_root/virtual-patch.cfg
new file mode 100644
index 0000000..938bacc
--- /dev/null
+++ b/configs/fortigate/vdom_root/virtual-patch.cfg
@@ -0,0 +1,4 @@
+config virtual-patch profile
+    edit "g-default"
+    next
+end
diff --git a/configs/fortigate/vdom_root/voip.cfg b/configs/fortigate/vdom_root/voip.cfg
index e9ec5b1..bc94a96 100644
--- a/configs/fortigate/vdom_root/voip.cfg
+++ b/configs/fortigate/vdom_root/voip.cfg
@@ -1,6 +1,8 @@
 config voip profile
     edit "default"
         set comment "Default VoIP profile."
+        config sip
+        end
     next
     edit "strict"
         config sip
diff --git a/configs/fortigate/vdom_root/vpn.cfg b/configs/fortigate/vdom_root/vpn.cfg
index c582ac0..c7cb0df 100644
--- a/configs/fortigate/vdom_root/vpn.cfg
+++ b/configs/fortigate/vdom_root/vpn.cfg
@@ -16,6 +16,11 @@ config vpn certificate local
         set range global
         set source factory
     next
+    edit "Fortinet_GUI_Server"
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set range global
+        set source factory
+    next
     edit "Fortinet_SSL_RSA1024"
         set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
         set range global
@@ -294,8 +299,7 @@ config vpn ssl web portal
     next
 end
 config vpn ssl settings
+    set banned-cipher SHA1 SHA256 SHA384
     set servercert "Fortinet_Factory"
     set port 443
 end
-config vpn ocvpn
-end
diff --git a/configs/fortigate/vdom_root/webfilter.cfg b/configs/fortigate/vdom_root/webfilter.cfg
index 25e99e0..b20d29b 100644
--- a/configs/fortigate/vdom_root/webfilter.cfg
+++ b/configs/fortigate/vdom_root/webfilter.cfg
@@ -1263,17 +1263,20 @@ config webfilter search-engine
         set url "^\\/translate"
         set query "u="
         set safesearch translate
+        set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
     next
     edit "g-google-translate-2"
         set hostname ".*\\.translate\\.goog"
         set url "^\\/"
         set safesearch translate
+        set safesearch-str "case::google-translate"
     next
     edit "g-twitter"
         set hostname "twitter\\.com"
         set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
         set query "variables="
         set safesearch translate
+        set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
     next
     edit "g-vimeo"
         set hostname ".*vimeo.*"
@@ -1290,7 +1293,7 @@ config webfilter search-engine
     next
     edit "g-yandex"
         set hostname "yandex\\..*"
-        set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
+        set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
         set query "text="
         set safesearch url
         set safesearch-str "&family=yes"
@@ -1323,12 +1326,6 @@ config webfilter search-engine
         set url "www.youtube.com/youtubei/v1/navigator"
         set safesearch yt-scan
     next
-    edit "translate"
-        set hostname "translate\\.google\\..*"
-        set url "^\\/translate\\?"
-        set query "u="
-        set safesearch translate
-    next
     edit "yt-video"
         set url "www.youtube.com/watch"
         set safesearch yt-video
diff --git a/configs/fortigate/vdom_scsd/casb.cfg b/configs/fortigate/vdom_scsd/casb.cfg
new file mode 100644
index 0000000..f52aa72
--- /dev/null
+++ b/configs/fortigate/vdom_scsd/casb.cfg
@@ -0,0 +1,8 @@
+config casb saas-application
+end
+config casb user-activity
+end
+config casb profile
+    edit "default"
+    next
+end
diff --git a/configs/fortigate/vdom_scsd/dlp.cfg b/configs/fortigate/vdom_scsd/dlp.cfg
index 2d8781f..c10714a 100644
--- a/configs/fortigate/vdom_scsd/dlp.cfg
+++ b/configs/fortigate/vdom_scsd/dlp.cfg
@@ -1,3 +1,34 @@
+config dlp data-type
+    edit "g-credit-card"
+        set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
+        set verify "builtin)credit-card"
+        set look-back 20
+        set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
+    next
+    edit "g-edm-keyword"
+        set pattern ".+"
+        set transform "/\\b\\0\\b/i"
+    next
+    edit "g-hex"
+        set pattern "built-in"
+    next
+    edit "g-keyword"
+        set pattern "built-in"
+    next
+    edit "g-mip-label"
+        set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
+        set transform "built-in"
+    next
+    edit "g-regex"
+        set pattern "built-in"
+    next
+    edit "g-ssn-us"
+        set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
+        set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
+        set look-back 12
+        set transform "\\b\\1-\\2-\\3\\b"
+    next
+end
 config dlp filepattern
     edit 1
         set name "builtin-patterns"
@@ -70,9 +101,9 @@ config dlp sensitivity
     edit "Warning"
     next
 end
-config dlp sensor
+config dlp profile
     edit "g-default"
-        set comment "Default sensor."
+        set comment "Default profile."
     next
     edit "g-sniffer-profile"
         set comment "Log a summary of email and web traffic."
diff --git a/configs/fortigate/vdom_scsd/firewall.cfg b/configs/fortigate/vdom_scsd/firewall.cfg
index 0be9875..edeef4e 100644
--- a/configs/fortigate/vdom_scsd/firewall.cfg
+++ b/configs/fortigate/vdom_scsd/firewall.cfg
@@ -1,4 +1,12 @@
 config firewall address
+    edit "EMS_ALL_UNKNOWN_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
+    edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
+        set type dynamic
+        set sub-type ems-tag
+    next
     edit "SSLVPN_TUNNEL_ADDR1"
         set type iprange
         set start-ip 10.212.134.200
@@ -2943,9 +2951,9 @@ config firewall addrgrp
         set color 6
     next
     edit "City_Side_VoIP_Park_Place_Group"
+        set allow-routing enable
         set member "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B"
         set color 28
-        set allow-routing enable
     next
     edit "SchoolTool_Cloud_Internal"
         set member "21JumpSt" "DataTools" "Fileserver03" "Nighttime_Inside" "Tableau" "DC01_A" "DC01_B" "DC01_C" "HVDC02" "HVDC03_A" "HVDC03_B" "DocHolliday" "SchoolTool webjs" "Elastic"
@@ -3024,10 +3032,10 @@ config firewall addrgrp
         set color 6
     next
     edit "City_Side_CGR_Group"
+        set allow-routing enable
         set member "City_Side_CGR_01" "City_Side_CGR_02"
         set comment "City Lights CGR Subnets on their side."
         set color 28
-        set allow-routing enable
     next
     edit "Access_Control_VLAN_72_Group"
         set member "Access_Control_40_Porter" "Access_Control_01_NOC" "Access_Control_02_ITC" "Access_Control_03_PSLA" "Access_Control_04_Nottingham" "Access_Control_06_Henninger" "Access_Control_07_Corcoran" "Access_Control_08_Clary" "Access_Control_09_Grant" "Access_Control_10_Levy"
@@ -3038,16 +3046,16 @@ config firewall addrgrp
         set comment "Microsoft to Barracuda Archivers"
     next
     edit "City_Side_VoIP_Group"
+        set allow-routing enable
         set member "City_Side_VoIP_30" "City_Side_VoIP_56" "City_Side_VoIP_61" "City_Side_VoIP_62" "City_Side_VoIP_63" "City_Side_VoIP_64" "City_Side_VoIP_65" "City_Side_VoIP_66" "City_Side_VoIP_67" "City_Side_VoIP_68" "City_Side_VoIP_72" "City_Side_VoIP_74" "City_Side_VoIP_75" "City_Side_VoIP_76" "City_Side_VoIP_77" "City_Side_VoIP_88" "City_Side_VoIP_132" "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B" "City_Side_VoIP_Router_A" "City_Side_VoIP_Router_B"
         set comment "City VoIP Group - except Parks and Water Recorder"
         set color 28
-        set allow-routing enable
     next
     edit "SPD_Side_Firewall_Group"
+        set allow-routing enable
         set member "SPD_Side_A" "SPD_Side_B"
         set comment "IP Range of SPD Side Firewalls"
         set color 2
-        set allow-routing enable
     next
     edit "Country Allow"
         set member "Microsoft 1"
@@ -3058,35 +3066,35 @@ config firewall addrgrp
         set color 20
     next
     edit "Genetec_Inside_Group"
+        set allow-routing enable
         set member "NVR-NOC" "NVR-FAILOVER" "NVR-RING1-CLAR" "NVR-RING1-CLAR2" "NVR-RING1-CORC" "NVR-RING1-CORC2" "NVR-RING2-DANF" "NVR-RING2-DANF2" "NVR-RING3-PSLA" "NVR-RING3-PSLA2" "NVR-RING4-BLOD" "NVR-RING4-FRAZ" "NVR-RING5-CENT" "NVR-RING6-EDSM" "NVR-RING6-HWSM" "NVR-RING6-HWSM2" "NVR-RING6-NOTT" "NVR-RING7-BELL" "NVR-RING7-GRAN" "NVR-RING7-GRAN2" "NVR-RING8-HENN" "NVR-RING8-HENN2" "NVR-RING8-HUNT" "Genetec-Dir" "Genetec-DirBU" "Genetec-Media" "Genetec-MRouter"
         set comment "District NVRs and Genetec Servers for SPD Federation"
         set color 2
-        set allow-routing enable
     next
     edit "MS_Teams_External_Group"
         set member "MS_Teams_External_A" "MS_Teams_External_B"
     next
     edit "SchoolTool_AWS_Internal"
-        set member "DataTools" "ST_Internal_2"
         set allow-routing enable
+        set member "DataTools" "ST_Internal_2"
     next
     edit "SchoolTool_AWS_External"
-        set member "ST_External_4" "ST_External_5" "ST_External_6" "ST_External_1" "ST_External_2" "ST_External_3"
         set allow-routing enable
+        set member "ST_External_4" "ST_External_5" "ST_External_6" "ST_External_1" "ST_External_2" "ST_External_3"
     next
     edit "HighStreet_Local"
         set member "DataTools" "Nighttime_Inside"
         set comment "Internal IPs for Highstreet Tunnel"
     next
     edit "DPS_local"
+        set allow-routing enable
         set member "DPS_local_subnet_1"
         set comment "VPN: DPS (Created by VPN wizard)"
-        set allow-routing enable
     next
     edit "DPS_remote"
+        set allow-routing enable
         set member "DPS_remote_subnet_1"
         set comment "VPN: DPS (Created by VPN wizard)"
-        set allow-routing enable
     next
     edit "Nutanix_CVM"
         set member "Patty_CT_NOC_CVM" "Pigpen_CT_NOC_CVM" "RedBaron_CT_NOC_CVM" "Sally_CT_NOC_CVM" "Schroeder	_CT_NOC_CVM"
@@ -3229,6 +3237,22 @@ config firewall service category
     next
 end
 config firewall service custom
+    edit "ALL"
+        set category "General"
+        set protocol IP
+    next
+    edit "FTP"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_GET"
+        set category "File Access"
+        set tcp-portrange 21
+    next
+    edit "FTP_PUT"
+        set category "File Access"
+        set tcp-portrange 21
+    next
     edit "DNS"
         set category "Network Services"
         set tcp-portrange 53
@@ -3292,22 +3316,6 @@ config firewall service custom
         set category "File Access"
         set tcp-portrange 445
     next
-    edit "FTP"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_GET"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "FTP_PUT"
-        set category "File Access"
-        set tcp-portrange 21
-    next
-    edit "ALL"
-        set category "General"
-        set protocol IP
-    next
     edit "ALL_TCP"
         set category "General"
         set tcp-portrange 1-65535
@@ -3342,7 +3350,6 @@ config firewall service custom
         set protocol-number 50
     next
     edit "AOL"
-        set visibility disable
         set tcp-portrange 5190-5194
     next
     edit "BGP"
@@ -3354,11 +3361,9 @@ config firewall service custom
         set udp-portrange 67-68
     next
     edit "FINGER"
-        set visibility disable
         set tcp-portrange 79
     next
     edit "GOPHER"
-        set visibility disable
         set tcp-portrange 70
     next
     edit "H323"
@@ -3371,7 +3376,6 @@ config firewall service custom
         set udp-portrange 500 4500
     next
     edit "Internet-Locator-Service"
-        set visibility disable
         set tcp-portrange 389
     next
     edit "IRC"
@@ -3384,7 +3388,6 @@ config firewall service custom
         set udp-portrange 1701
     next
     edit "NetMeeting"
-        set visibility disable
         set tcp-portrange 1720
     next
     edit "NFS"
@@ -3393,7 +3396,6 @@ config firewall service custom
         set udp-portrange 111 2049
     next
     edit "NNTP"
-        set visibility disable
         set tcp-portrange 119
     next
     edit "NTP"
@@ -3419,19 +3421,16 @@ config firewall service custom
     next
     edit "TIMESTAMP"
         set protocol ICMP
-        set visibility disable
         set icmptype 13
         unset icmpcode
     next
     edit "INFO_REQUEST"
         set protocol ICMP
-        set visibility disable
         set icmptype 15
         unset icmpcode
     next
     edit "INFO_ADDRESS"
         set protocol ICMP
-        set visibility disable
         set icmptype 17
         unset icmpcode
     next
@@ -3445,15 +3444,12 @@ config firewall service custom
         set tcp-portrange 1723
     next
     edit "QUAKE"
-        set visibility disable
         set udp-portrange 26000 27000 27910 27960
     next
     edit "RAUDIO"
-        set visibility disable
         set udp-portrange 7070
     next
     edit "REXEC"
-        set visibility disable
         set tcp-portrange 512
     next
     edit "RIP"
@@ -3461,11 +3457,9 @@ config firewall service custom
         set udp-portrange 520
     next
     edit "RLOGIN"
-        set visibility disable
         set tcp-portrange 513:512-1023
     next
     edit "RSH"
-        set visibility disable
         set tcp-portrange 514:512-1023
     next
     edit "SCCP"
@@ -3495,7 +3489,6 @@ config firewall service custom
         set udp-portrange 514
     next
     edit "TALK"
-        set visibility disable
         set udp-portrange 517-518
     next
     edit "TELNET"
@@ -3507,23 +3500,18 @@ config firewall service custom
         set udp-portrange 69
     next
     edit "MGCP"
-        set visibility disable
         set udp-portrange 2427 2727
     next
     edit "UUCP"
-        set visibility disable
         set tcp-portrange 540
     next
     edit "VDOLIVE"
-        set visibility disable
         set tcp-portrange 7000-7010
     next
     edit "WAIS"
-        set visibility disable
         set tcp-portrange 210
     next
     edit "WINFRAME"
-        set visibility disable
         set tcp-portrange 1494 2598
     next
     edit "X-WINDOWS"
@@ -3532,7 +3520,6 @@ config firewall service custom
     next
     edit "PING6"
         set protocol ICMP6
-        set visibility disable
         set icmptype 128
         unset icmpcode
     next
@@ -3575,11 +3562,9 @@ config firewall service custom
         set udp-portrange 1812 1813
     next
     edit "RADIUS-OLD"
-        set visibility disable
         set udp-portrange 1645 1646
     next
     edit "CVSPSERVER"
-        set visibility disable
         set tcp-portrange 2401
         set udp-portrange 2401
     next
@@ -3598,12 +3583,10 @@ config firewall service custom
         set udp-portrange 554
     next
     edit "MMS"
-        set visibility disable
         set tcp-portrange 1755
         set udp-portrange 1024-5000
     next
     edit "NONE"
-        set visibility disable
         set tcp-portrange 0
     next
     edit "webproxy"
@@ -3958,6 +3941,16 @@ config firewall shaper traffic-shaper
         set maximum-bandwidth 1024
     next
 end
+config firewall proxy-address
+    edit "IPv4-address"
+        set type host-regex
+        set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
+    next
+    edit "IPv6-address"
+        set type host-regex
+        set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
+    next
+end
 config firewall schedule recurring
     edit "always"
         set day sunday monday tuesday wednesday thursday friday saturday
@@ -4401,6 +4394,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status certificate-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -4425,6 +4419,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
     next
     edit "deep-inspection"
@@ -4432,6 +4427,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -4460,6 +4456,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -4595,6 +4592,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -4623,6 +4621,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -4760,6 +4759,7 @@ config firewall ssl-ssh-profile
         set comment "Read-only profile that does no inspection."
         config https
             set status disable
+            set quic bypass
             set unsupported-ssl-version allow
         end
         config ftps
@@ -4784,6 +4784,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic bypass
         end
     next
     edit "custom-cert-inspection"
@@ -4791,6 +4792,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status certificate-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -4815,6 +4817,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
     next
     edit "SCSD custom-deep-inspection"
@@ -4822,6 +4825,7 @@ config firewall ssl-ssh-profile
         config https
             set ports 443
             set status deep-inspection
+            set quic inspect
             set unsupported-ssl-version allow
         end
         config ftps
@@ -4850,6 +4854,7 @@ config firewall ssl-ssh-profile
         end
         config dot
             set status disable
+            set quic inspect
         end
         config ssl-exempt
             edit 1
@@ -5015,7 +5020,6 @@ config firewall policy
         set schedule "always"
         set service "ALL"
         set logtraffic all
-        set match-vip enable
         set comments "Block specific countries"
     next
     edit 110
@@ -5027,7 +5031,6 @@ config firewall policy
         set schedule "always"
         set service "ALL"
         set logtraffic all
-        set match-vip enable
         set comments "Block specific countries"
     next
     edit 10020
@@ -5039,7 +5042,6 @@ config firewall policy
         set schedule "always"
         set service "ALL"
         set logtraffic all
-        set match-vip enable
         set comments "Block Known Attachers"
     next
     edit 10022
@@ -5051,7 +5053,6 @@ config firewall policy
         set schedule "always"
         set service "ALL"
         set logtraffic all
-        set match-vip enable
         set comments "Block Known Attachers"
     next
     edit 112
@@ -5844,6 +5845,7 @@ config firewall policy
         set schedule "always"
         set service "DNS"
         set logtraffic disable
+        set match-vip disable
         set comments "Deny SPD DNS"
     next
     edit 55
@@ -6564,18 +6566,15 @@ config firewall sniffer
         set interface "vpn-0fc50345"
         set host "172.30.45.35"
         set port "3389"
-        set max-packet-count 100
     next
     edit 4
         set interface "city_phones lag"
         set host "10.250.229.0/24"
-        set max-packet-count 2000
     next
     edit 6
         set interface "city_phones lag"
         set host "10.1.150.20"
         set port "8445"
-        set max-packet-count 50
     next
     edit 5
         set interface "vpn-0403e61"
@@ -6610,7 +6609,6 @@ config firewall sniffer
     edit 15
         set interface "RAP"
         set host "192.168.79.2"
-        set max-packet-count 10000
     next
     edit 16
         set interface "city_phones lag"
diff --git a/configs/fortigate/vdom_scsd/ips.cfg b/configs/fortigate/vdom_scsd/ips.cfg
index 25f90fe..2f80d2d 100644
--- a/configs/fortigate/vdom_scsd/ips.cfg
+++ b/configs/fortigate/vdom_scsd/ips.cfg
@@ -3,7 +3,7 @@ config ips sensor
         set comment "Prevent critical attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -11,7 +11,7 @@ config ips sensor
         set comment "Monitor IPS attacks."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -19,7 +19,7 @@ config ips sensor
         set comment "Default configuration for offloading WiFi traffic."
         config entries
             edit 1
-                set severity medium high critical 
+                set severity medium high critical
             next
         end
     next
@@ -27,8 +27,8 @@ config ips sensor
         set block-malicious-url enable
         config entries
             edit 1
-                set location server 
-                set severity medium high critical 
+                set location server
+                set severity medium high critical
                 set action block
             next
         end
@@ -38,9 +38,12 @@ config ips sensor
         set scan-botnet-connections block
         config entries
             edit 1
-                set location client 
-                set severity medium high critical 
+                set location client
+                set severity medium high critical
             next
         end
     next
 end
+config ips settings
+    set proxy-inline-ips disable
+end
diff --git a/configs/fortigate/vdom_scsd/log.cfg b/configs/fortigate/vdom_scsd/log.cfg
index a21ea5a..104f7bc 100644
--- a/configs/fortigate/vdom_scsd/log.cfg
+++ b/configs/fortigate/vdom_scsd/log.cfg
@@ -82,5 +82,4 @@ config log setting
     set local-in-allow enable
     set local-in-deny-unicast enable
     set local-in-deny-broadcast enable
-    set local-out enable
 end
diff --git a/configs/fortigate/vdom_scsd/router.cfg b/configs/fortigate/vdom_scsd/router.cfg
index b187eaf..b41035b 100644
--- a/configs/fortigate/vdom_scsd/router.cfg
+++ b/configs/fortigate/vdom_scsd/router.cfg
@@ -202,6 +202,7 @@ config router static
         set dst 172.30.44.0 255.255.254.0
         set distance 253
         set blackhole enable
+        set vrf 0
     next
     edit 30
         set dst 10.11.0.0 255.255.240.0
diff --git a/configs/fortigate/vdom_scsd/switch-controller.cfg b/configs/fortigate/vdom_scsd/switch-controller.cfg
index 2cc8def..92d7da8 100644
--- a/configs/fortigate/vdom_scsd/switch-controller.cfg
+++ b/configs/fortigate/vdom_scsd/switch-controller.cfg
@@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
         set framevid-apply enable
         set radius-timeout-overwrite disable
         set authserver-timeout-vlan disable
+        set dacl disable
     next
 end
 config switch-controller security-policy local-access
@@ -170,6 +171,8 @@ config switch-controller storm-control-policy
     next
 end
 config switch-controller auto-config policy
+    edit "pse"
+    next
     edit "default"
     next
     edit "default-icl"
@@ -208,12 +211,12 @@ config switch-controller switch-profile
     edit "default"
     next
 end
-config switch-controller ptp settings
-    set mode disable
-end
-config switch-controller ptp policy
+config switch-controller ptp profile
+    edit "default"
+    next
+end
+config switch-controller ptp interface-policy
     edit "default"
-        set status enable
     next
 end
 config switch-controller remote-log
diff --git a/configs/fortigate/vdom_scsd/system.cfg b/configs/fortigate/vdom_scsd/system.cfg
index 006886d..afd8daa 100644
--- a/configs/fortigate/vdom_scsd/system.cfg
+++ b/configs/fortigate/vdom_scsd/system.cfg
@@ -6,6 +6,7 @@ config system settings
     set h323-direct-model enable
     set gui-voip-profile enable
     set gui-local-in-policy enable
+    set gui-sslvpn enable
     set gui-wireless-controller disable
     set gui-switch-controller disable
     set gui-dnsfilter disable
@@ -53,8 +54,8 @@ config system sdwan
         next
         edit "Default_Office_365"
             set server "www.office.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -80,8 +81,8 @@ config system sdwan
         next
         edit "Default_Google Search"
             set server "www.google.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
@@ -94,8 +95,8 @@ config system sdwan
         next
         edit "Default_FortiGuard"
             set server "fortiguard.com"
-            set protocol http
-            set interval 1000
+            set protocol https
+            set interval 120000
             set probe-timeout 1000
             set recoverytime 10
             config sla
diff --git a/configs/fortigate/vdom_scsd/user.cfg b/configs/fortigate/vdom_scsd/user.cfg
index b49d5de..ce55ebf 100644
--- a/configs/fortigate/vdom_scsd/user.cfg
+++ b/configs/fortigate/vdom_scsd/user.cfg
@@ -5509,7 +5509,7 @@ end
 config user local
     edit "jorge-mike"
         set type password
-        set passwd-time 2025-10-03 11:14:17
+        set passwd-time 2025-10-02 19:14:17
         set passwd ENC *HIDDEN*
     next
 end
diff --git a/configs/fortigate/vdom_scsd/virtual-patch.cfg b/configs/fortigate/vdom_scsd/virtual-patch.cfg
new file mode 100644
index 0000000..938bacc
--- /dev/null
+++ b/configs/fortigate/vdom_scsd/virtual-patch.cfg
@@ -0,0 +1,4 @@
+config virtual-patch profile
+    edit "g-default"
+    next
+end
diff --git a/configs/fortigate/vdom_scsd/voip.cfg b/configs/fortigate/vdom_scsd/voip.cfg
index 0edfb81..9f25da9 100644
--- a/configs/fortigate/vdom_scsd/voip.cfg
+++ b/configs/fortigate/vdom_scsd/voip.cfg
@@ -1,6 +1,8 @@
 config voip profile
     edit "default"
         set comment "Default VoIP profile."
+        config sip
+        end
     next
     edit "strict"
         config sip
@@ -37,5 +39,7 @@ config voip profile
     next
     edit "parks_sip"
         set comment "VoIP Profile for Parks SIP"
+        config sip
+        end
     next
 end
diff --git a/configs/fortigate/vdom_scsd/vpn.cfg b/configs/fortigate/vdom_scsd/vpn.cfg
index 7a27736..c4b35ec 100644
--- a/configs/fortigate/vdom_scsd/vpn.cfg
+++ b/configs/fortigate/vdom_scsd/vpn.cfg
@@ -20,6 +20,11 @@ config vpn certificate local
         set range global
         set source factory
     next
+    edit "Fortinet_GUI_Server"
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set range global
+        set source factory
+    next
     edit "Fortinet_SSL_RSA1024"
         set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
         set range global
@@ -337,56 +342,48 @@ config vpn ssl web portal
                     edit "Obiwan_RDP"
                         set apptype rdp
                         set host "10.1.48.202"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "HanSolo_RDP"
                         set apptype rdp
                         set host "10.1.48.201"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "C3PO_RDP"
                         set apptype rdp
                         set host "10.1.48.133"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "Chewbacca_RDP"
                         set apptype rdp
                         set host "10.1.48.129"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "Skywalker_RDP"
                         set apptype rdp
                         set host "10.1.48.63"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "Yoda_RDP"
                         set apptype rdp
                         set host "10.1.48.103"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "MANDO_RDP"
                         set apptype rdp
                         set host "10.1.40.72"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "GROGU_RDP"
                         set apptype rdp
                         set host "10.1.40.224"
-                        set security any
                         set port 3389
                         set sso auto
                     next
@@ -545,14 +542,12 @@ config vpn ssl web portal
                     edit "411app"
                         set apptype rdp
                         set host "10.1.40.216"
-                        set security any
                         set port 3389
                         set sso auto
                     next
                     edit "411sql"
                         set apptype rdp
                         set host "10.1.40.225"
-                        set security any
                         set port 3389
                         set sso auto
                     next
@@ -644,6 +639,7 @@ config vpn ssl web portal
     next
 end
 config vpn ssl settings
+    set banned-cipher SHA1 SHA256 SHA384
     set servercert "StarCert-Expire03202026"
     set idle-timeout 3600
     set auth-timeout 36000
@@ -732,7 +728,6 @@ config vpn ssl web user-bookmark
             edit "My_PC"
                 set apptype rdp
                 set host "10.1.7.137"
-                set security any
                 set port 3389
                 set sso auto
             next
diff --git a/configs/fortigate/vdom_scsd/webfilter.cfg b/configs/fortigate/vdom_scsd/webfilter.cfg
index 247c24d..55d8b83 100644
--- a/configs/fortigate/vdom_scsd/webfilter.cfg
+++ b/configs/fortigate/vdom_scsd/webfilter.cfg
@@ -511,17 +511,20 @@ config webfilter search-engine
         set url "^\\/translate"
         set query "u="
         set safesearch translate
+        set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
     next
     edit "g-google-translate-2"
         set hostname ".*\\.translate\\.goog"
         set url "^\\/"
         set safesearch translate
+        set safesearch-str "case::google-translate"
     next
     edit "g-twitter"
         set hostname "twitter\\.com"
         set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
         set query "variables="
         set safesearch translate
+        set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
     next
     edit "g-vimeo"
         set hostname ".*vimeo.*"
@@ -538,7 +541,7 @@ config webfilter search-engine
     next
     edit "g-yandex"
         set hostname "yandex\\..*"
-        set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
+        set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
         set query "text="
         set safesearch url
         set safesearch-str "&family=yes"
@@ -571,12 +574,6 @@ config webfilter search-engine
         set url "www.youtube.com/youtubei/v1/navigator"
         set safesearch yt-scan
     next
-    edit "translate"
-        set hostname "translate\\.google\\..*"
-        set url "^\\/translate\\?"
-        set query "u="
-        set safesearch translate
-    next
     edit "yt-video"
         set url "www.youtube.com/watch"
         set safesearch yt-video