
FortiOS v4.0 MR3 Patch Release 6

Release Notes

March 14, 2012
01-436-164736-20120314

Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet product:
Technical Documentation - http://docs.fortinet.com
Knowledge Base - http://kb.fortinet.com
Customer Service & Support - https://support.fortinet.com
Training Services - http://training.fortinet.com

Table of Contents

Change Log
FortiOS v4.0 MR3
    Summary of Enhancements
FortiOS Carrier v4.0 MR3
Special Notices
    General
        Monitor Settings for Web User Interface Access
        Web Browser Support
        BEFORE any upgrade
        AFTER any upgrade
Installation Information
    Upgrading from FortiOS v4.0 MR3
    Upgrading from FortiOS v4.0 MR2
        FortiOS v4.0 MR2
        DDNS
        DNS server
        Ping server
        Central-management
        SNMP community
        Modem settings
        AMC slot settings
        Wireless radio settings
        Web filter overrides
        Firewall policy settings
        URL filter
        FortiGuard log filter
        FortiGuard log setting
    Upgrading from FortiOS v4.0 MR1
    Downgrading to FortiOS v4.0 MR1
Product Integration and Support
    FortiManager Support
    FortiAnalyzer Support
    FortiClient Support
    FortiAP Support
    Fortinet Single Sign On (FSSO) Support
    FortiExplorer Support
    AV Engine and IPS Engine Support
    Module Support
    SSL-VPN Support
        SSL-VPN Standalone Client
        SSL-VPN Web Mode
        SSL-VPN Host Compatibility List
    Explicit Web Proxy Browser Support
Resolved Issues
    WiFi
    Web Filter
    Firewall
    Web-based Manager
    Router
    Log and Report
    VPN
    System
    SSL-VPN
    IPS
    FortiGate-60C Series
    High Availability
    Data Leak Prevention
    FortiOS Carrier
    GTP
    FortiSwitch
    Other
Known Issues
    System
    Firewall
    Logging and Reporting
    High Availability
    SSLVPN
    Web-based Manager
    WiFi
    FortiGate-60C Series
Limitations
    Citrix XenServer Limitations
    Open Source Xen Limitations
Image Checksums

FortiOS v4.0 MR3 Patch Release 6 Release Notes 01-436-164736-20120314 http://docs.fortinet.com/ Feedback

Change Log

Date          Change Description
2012-03-14    Initial Release
2012-03-15    Fixed reported issues with Release Notes document
2012-03-21    Added bug number 164736 to the known issues chapter


1. FortiOS v4.0 MR3

This document provides installation instructions and addresses issues and caveats in FortiOS v4.0 MR3 Patch Release 6 build 0521. Table 1 outlines the release status for these models. Table 2 lists the supported virtualization platforms for this release.
Table 1: Supported Platforms

FortiGate Models: FG-20C, FWF-20C, FG-30B, FWF-30B, FG-40C, FWF-40C, FG-50B, FG-51B, FWF-50B, FG-60B, FWF-60B, FG-60C, FWF-60C, FWF-60CM, FWF-60CX-A, FG-80C, FG-80CM, FWF-80CM, FWF-81CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-POE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FSW-5203B, FG-ONE, FG-VM and FG-VM64.

FortiOS v4.0 MR3 Patch Release 6: All models are supported on the regular v4.0 MR3 Patch Release 6 branch.

Table 2: Supported Virtualization Platforms

Virtualization Platform:
    VMware VI 3.5, vSphere 4.0/4.1, vSphere 5.0
    Citrix XenServer 5.6sp2/6.0
    Open Source Xen 3.4.3
    Open Source Xen 4.1

FortiOS v4.0 MR3 Patch Release 6: All models are supported by the regular v4.0 MR3 Patch Release 6 branch. See Limitations for more information.

See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR3.


Summary of Enhancements
The following is a list of the new features added in FortiOS v4.0 MR3 Patch Release 6:
- Logging performance enhancement to allow traffic logging speed to match up with CPS
- Double IPSec performance with aes256-sha256 on the FortiGate-60C
- Improve IPSec session set up rate
- Upgrade FortiOS Apache Web Server
- Verizon Wireless 4G LTE USB Modem Novatel 551L support
- New Endpoint feature updates (max license)
- Timezone added for Uruguay
- FortiExplorer support for the FortiGate-1000C-DC and FortiGate-600C-DC, version 1.5, build 1363
- WAN Optimization: Improvements to CIFS Optimization
- Module location information added in ARM kernel crash log
- Web-based Manager filtering improvements
- FortiGate-100D NPI branch merged to v4.0 MR3
- Implemented Application breakdown feature
- Support OSPF auto-cost for interfaces with bandwidth over 65Gbps
- FortiSwitch-5203B support for the non-maskable interrupt (NMI) and comlog features
- Internet Explorer 8 SSL compatibility with inspection and offload features
- Support for the Resolve User Names Using FSSO Agent option for implicit deny ID based policy
- AV Engine upgraded to 4.392.
- Log system events of process startup/shutdown


2. FortiOS Carrier v4.0 MR3

This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release 6 build 0521. Table 3 outlines the release status for these models.
Table 3: Supported Platforms

FortiCarrier Models: FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001A, and FCR-5001B. Firmware image filenames begin with FK.

FortiOS Carrier v4.0 MR3 Patch Release 6: All models are supported on the regular v4.0 MR3 Patch Release 6 branch.

See http://docs.fortinet.com/fgt.html for additional documents on FortiOS Carrier v4.0 MR3.


3. Special Notices

General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!
Monitor Settings for Web User Interface Access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be viewed properly.

Web Browser Support
Microsoft Internet Explorer 8.0 and Mozilla FireFox 3.5 or later are fully supported.

BEFORE any upgrade
Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade
If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate to ensure the Web-based Manager screens are displayed properly.
The AV/IPS signature included with an image upgrade may be older than ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an Update Now as soon as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for detailed procedures.


4. Installation Information

Upgrading from FortiOS v4.0 MR3


FortiOS v4.0 MR3 Patch Release 6 introduces support for the FortiGate-100D platform. Included with this model is a special purpose management port that operates on its own virtual domain (VDOM). An issue exists with this feature whereby FortiCare registration fails when initiated from the FortiGate device if this port is connected to the Internet and thus FortiGuard and FortiCare. Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR3 Patch Release 6 or later does not switch the management VDOM. You must change the management VDOM from the default setting to the root VDOM. To do this, use the following CLI commands:

    config sys global
        set management-vdom root
    end

Upgrading from FortiOS v4.0 MR2


FortiOS v4.0 MR3 Patch Release 6 officially supports upgrade from the FortiOS v4.0 MR2 Patch Release 4 or later. See the upgrade path below.

FortiOS v4.0 MR2
The upgrade is supported from FortiOS v4.0 MR2 Patch Release build 0313 or later.

    v4.0 MR2 Patch Release 4 build 0313 (or later)
        ↓
    v4.0 MR3 Patch Release 6 build 0521

After every upgrade, ensure that the build number and branch point match the image that was loaded.

DDNS
DDNS configurations under interface are moved to global mode config system ddns after upgrading to FortiOS v4.0 MR3 Patch Release 6.

DNS server
dns-query recursive/non-recursive option under specific interfaces are moved to the system level per VDOM mode, and config system dns-server can be used to configure the option after upgrading to FortiOS v4.0 MR3 Patch Release 6.

Ping server
gwdetect related configurations under specific interfaces are moved under router per VDOM mode, and config router gwdetect can be used to configure the option after upgrading to FortiOS v4.0 MR3 Patch Release 6.

Central-management
set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed after upgrading to FortiOS v4.0 MR3 Patch Release 6.

SNMP community
A 32-bit network mask will be added to an IP address of SNMP host upon upgrading to FortiOS v4.0 MR3 Patch Release 6.

Modem settings
wireless-custom-vendor-id and wireless-custom-product-id are moved from config system modem to config system 3g-modem custom after upgrading to FortiOS v4.0 MR3 Patch Release 6.

AMC slot settings
The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR3 Patch Release 6.

Wireless radio settings
Wireless radio settings, except for SSID, Security Mode, and Authentication settings, will be lost after upgrading.

Web filter overrides
The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 build 0313 to FortiOS v4.0 MR3 Patch Release 6.

Firewall policy settings
If the source interface or destination interface is set as the amc-XXX interface, the default value of ips-sensor under config firewall policy is changed from all_default to default after upgrading to FortiOS v4.0 MR3 Patch Release 6.

URL filter
The action options in the urlfilter configuration have been changed from Allow, Pass, Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action will not report log in FortiOS v4 MR3 Patch Release 1. The Monitor action will act as the function that allows log reporting. The Pass action in FortiOS v4.0 MR2 has been merged with Exempt in FortiOS v4.0 MR3 Patch Release 1, and the CLI command has been changed from set action pass to set exempt pass.

FortiGuard log filter
The settings of config log fortiguard filter are removed after upgrading to FortiOS v4.0 MR3 Patch Release 6.

FortiGuard log setting
The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading to FortiOS v4.0 MR3 Patch Release 6.
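The pre-upgrade check below is an added example, not Fortinet code: it scans a saved FortiOS v4.0 MR2 configuration backup for a subset of the settings that this section says are moved, removed or renamed by the upgrade. The rule table, the function names and the sample configuration are constructed for illustration, and the config/edit/set/next/end layout of the backup file is an assumption.

```python
import re
import shlex

# (substring of the config path, keyword prefix, required value or None, note).
# Keywords come from the upgrade notes above; the table itself is an added assumption.
RULES = [
    ("system interface", "ddns", None, "moves to global 'config system ddns'"),
    ("system interface", "dns-query", None, "moves to 'config system dns-server' per VDOM"),
    ("system interface", "gwdetect", None, "moves to 'config router gwdetect' per VDOM"),
    ("system central-management", "auto-backup", None, "removed by the upgrade"),
    ("system central-management", "authorized-manager-only", None, "removed by the upgrade"),
    ("system modem", "wireless-custom-", None, "moves to 'config system 3g-modem custom'"),
    ("urlfilter", "action", "pass", "Pass action is merged with Exempt"),
    ("log fortiguard filter", "", None, "all settings here are removed by the upgrade"),
    ("log fortiguard setting", "quotafull", None, "option removed by the upgrade"),
    ("log fortiguard setting", "use-hdd", None, "option removed by the upgrade"),
]


def _tokens(line):
    """Split a CLI line, honouring double quotes; fall back on odd quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def audit_config(text):
    """Return one finding per 'set' line that the upgrade will move or drop."""
    findings, stack, in_quote = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        odd_quotes = len(re.findall(r'(?<!\\)"', raw)) % 2 == 1
        if in_quote:                      # inside a multi-line quoted value,
            in_quote = not odd_quotes     # e.g. a replacement message body
            continue
        in_quote = odd_quotes
        tok = _tokens(raw)
        if not tok:
            continue
        verb = tok[0]
        if verb == "config":
            stack.append([" ".join(tok[1:]), None])
        elif verb == "edit" and stack and len(tok) > 1:
            stack[-1][1] = tok[1]
        elif verb == "next" and stack:
            stack[-1][1] = None
        elif verb == "end" and stack:
            stack.pop()
        elif verb == "set" and stack and len(tok) > 1:
            path = " > ".join(p for p, _ in stack)
            where = " > ".join(p + (f" [{e}]" if e else "") for p, e in stack)
            key, value = tok[1], " ".join(tok[2:])
            for ctx, prefix, wanted, note in RULES:
                if ctx in path and key.startswith(prefix) and wanted in (None, value):
                    findings.append({"line": lineno, "where": where,
                                     "setting": f"{key} {value}".strip(), "note": note})
                    break
    return findings


# Constructed sample in the style of a v4.0 MR2 backup; not taken from a real unit.
SAMPLE_CONFIG = '''\
config system interface
    edit "wan1"
        set ip 192.0.2.10 255.255.255.0
        set gwdetect enable
        set ddns enable
        set dns-query recursive
    next
end
config system central-management
    set auto-backup disable
    set authorized-manager-only enable
end
config system replacemsg mail "email-block"
    set buffer "Message blocked.
set action pass
end"
end
config webfilter urlfilter
    edit 1
        config entries
            edit "example.com"
                set action pass
            next
            edit "example.org"
                set action block
            next
        end
    next
end
config log fortiguard setting
    set quotafull overwrite
end
'''

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['where']}: set {f['setting']} ({f['note']})")
```

Run it against the configuration saved before the upgrade, then review each reported line against the matching item above once the new build is loaded.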

Upgrading from FortiOS v4.0 MR1


Please upgrade to the latest v4.0 MR2 patch release prior to upgrading to v4.0 MR3 Patch Release 6. For more information, see the latest v4.0 MR2 Release Notes.


Downgrading to FortiOS v4.0 MR1


Downgrading to FortiOS v4.0 MR1 (or later) results in configuration loss on ALL models. Only the following settings are retained:
- operation modes
- interface IP/management IP
- route static table
- DNS settings
- VDOM parameters/settings
- admin user account
- session helpers
- system access profiles.


5. Product Integration and Support

FortiManager Support
FortiOS v4.0 MR3 Patch Release 6 is supported by FortiManager v4.0 MR3 Patch Releases 2 and later.

FortiAnalyzer Support
FortiOS v4.0 MR3 Patch Release 6 is supported by FortiAnalyzer v4.0 MR3. If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function correctly with FortiOS v4.0 MR3 Patch Release 6.

FortiClient Support
FortiOS v4.0 MR3 Patch Release 6 is fully compatible with FortiClient v4.0 MR2 Patch Release 3 and later. FortiOS v4.0 MR3 Patch Release 6 is supported by FortiClient v4.0 MR3 for the following:
- 32-bit version of Microsoft Windows XP
- 32-bit version of Microsoft Windows Vista
- 64-bit version of Microsoft Windows Vista
- 32-bit version of Microsoft 7
- 64-bit version of Microsoft 7

FortiAP Support
FortiOS v4.0 MR3 Patch Release 6 supports the following FortiAP models:
- FortiAP-210B
- FortiAP-220A
- FortiAP-220B
- FortiAP-221B
- FortiAP-222B
The FortiAP devices must be running FortiAP v4.0 MR3 and above.


Fortinet Single Sign On (FSSO) Support


FortiOS v4.0 MR3 Patch Release 6 is supported by FSSO v4.0 MR3 build 0108 for the following:
- 32-bit version of Microsoft Windows 2003 R2 Server
- 64-bit version of Microsoft Windows 2003 R2 Server
- 32-bit version of Microsoft Windows 2008 Server
- 64-bit version of Microsoft Windows 2008 Server
- 64-bit version of Microsoft Windows 2008 R2 Server
- Novell E-directory 8.8.
IPv6 currently is not supported by FSSO.

FortiExplorer Support
FortiOS v4.0 MR3 Patch Release 6 is supported by FortiExplorer v1.5 GA build 1363.

AV Engine and IPS Engine Support


FortiOS v4.0 MR3 Patch Release 6 is supported by AV Engine v4.0 MR3 build 0392 and IPS Engine v1.0 build 0245.

Module Support
FortiOS v4.0 MR3 Patch Release 6 supports AMC removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before the module is inserted or removed.
Table 4: Supported Modules

AMC Modules: FortiGate Support
- Internal Hard Drive (ASM-S08): FG-310B, FG-620B, FG-621B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
- Internal Hard Drive (FSM-064): FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
- Single Width 4-port 1Gbps Ethernet interface (ASM-FB4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
- Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2): FG-3810A, FG-5001A-DW
- Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8): FG-3810A, FG-5001A-DW
- Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
- Single Width 4-port Ethernet bypass interface (ASM-CX4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
- AMC Security Processing Engine Module (ASM-CE4): FG-1240B, FG-3810A, FG-3016B, FG-5001A-SW
- AMC Security Processing Engine Module (ADM-XE2): FG-3810A, FG-5001A-DW
- AMC Security Processing Engine Module (ADM-XD4): FG-3810A, FG-5001A-DW
- AMC Security Processing Engine Module (ADM-FE8): FG-3810A
- Rear Transition Module (RTM-XD2): FG-5001A-DW
- Four Port T1/E1 WAN Security Processing Module (ASM-ET4): FG-310B, FG-311B
- Rear Transition Module (RTM-XB2): FG-5001A-DW
- Fortinet Mezzanine Card (FMC-XG2): FG-3950B, FG-3951B
- Fortinet Mezzanine Card (FMC-XD2): FG-3950B, FG-3951B
- Fortinet Mezzanine Card (FMC-F20): FG-3950B, FG-3951B
- Fortinet Mezzanine Card (FMC-C20): FG-3950B, FG-3951B

SSL-VPN Support
SSL-VPN Standalone Client
FortiOS v4.0 MR3 Patch Release 6 supports the SSL-VPN tunnel client standalone installer B2251 for the following:
- Windows in .exe and .msi format
- Linux in .tar.gz format
- Mac OS X 10.6.x in .dmg format
- Virtual Desktop in .jar format for Windows 7, XP, and Vista
Table 5 lists the supported operating systems.

Table 5: Supported operating systems

Windows:
    Windows XP 32-bit SP3
    Windows XP 64-bit SP1
    Windows Vista 32-bit SP1
    Windows Vista 64-bit SP1
    Windows 7 32-bit
    Windows 7 64-bit
Virtual Desktop Support:
    Windows XP 32-bit SP2
    Windows Vista 32-bit SP1
    Windows 7 32-bit
Linux:
    CentOS 5.2 (2.6.18-el5)
    Ubuntu 8.0.4 (2.6.24-23)
Mac OS X:
    Leopard 10.6.x


SSL-VPN Web Mode
Table 6 lists the browsers and operating systems supported by SSL-VPN web mode.

Table 6: Supported browsers and operating systems

Operating System: Browsers
- Windows XP 32-bit SP2: Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
- Windows XP 64-bit SP1: Internet Explorer 7, Internet Explorer 9, and Firefox 3.6
- Windows Vista 32-bit SP1: Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
- Windows Vista 64-bit SP1: Internet Explorer 7, Internet Explorer 9, and Firefox 3.6
- Windows 7 32-bit: Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
- Windows 7 64-bit: Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
- CentOS 5.2 (2.6.18-el5): Firefox 1.5 and Firefox 3.0
- Ubuntu 8.0.4 (2.6.24-23): Firefox 3.0
- Mac OS X Leopard 10.6.x: Safari 4.1

SSL-VPN Host Compatibility List
The following tables list the Antivirus and Firewall client software packages that are supported.
Table 7 lists supported Windows XP Antivirus and Firewall software.

Table 7: Supported Windows XP Antivirus and Firewall software

Product    Antivirus    Firewall
Symantec Endpoint Protection v11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 8 lists supported Windows 7 32-bit Antivirus and Firewall software.

Table 8: Supported Windows 7 32-bit Antivirus and Firewall software

Product    Antivirus    Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Table 9 lists supported Windows 7 64-bit Antivirus and Firewall software.

Table 9: Supported Windows 7 64-bit Antivirus and Firewall software

Product    Antivirus    Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Explicit Web Proxy Browser Support


The following browsers are supported by the Explicit Web Proxy feature:
- Internet Explorer 7
- Internet Explorer 8
- Firefox 3.x


6. Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Support. The resolved issues include:
- WiFi
- Web Filter
- Firewall
- Web-based Manager
- Router
- Log and Report
- VPN
- System
- SSL-VPN
- IPS
- FortiGate-60C Series
- High Availability
- Data Leak Prevention
- FortiOS Carrier
- GTP
- FortiSwitch

WiFi

Table 10: Resolved WiFi Issues

Bug ID    Description
159002    The capwap daemon cannot retrieve the VDOM index (vfid) from dialup IPSec interfaces.
159732    FortiManager cannot get wireless-controller virtual AP (VAP) configuration.
160634    Wifi VAP configuration in non-root VDOM cannot be synced.
161622    Wireless client is unable to connect to the second VAP.
161773    Band 802.11a can not work on local radio.
162527    FortiWifi local radio should not be limited by tablesize.
163660    VAP/soft-switch cannot be deleted.
163712    The wtp-profile platform type can not be saved.


Web Filter

Table 11: Resolved Web Filter Issues

Bug ID    Description
145904    Resume download should be blocked when rangeblock is enabled in Web Filter.
158996    The FortiGuard override URL is incorrect when using deep inspection and CN contains wildcard character.
159961    Sites that go through Google Translate bypass FortiGuard Web Filtering.
160240    Long URLs in the Web Filter local override rating do not work.

Firewall

Table 12: Resolved Firewall Issues

Bug ID    Description
154479    LDAP authentication fails even though a Success result is received in the bindResponse.
159061    VSD crashes whenever trying to gracefully start a stopped virtual server.
159757    AV enabled causes slow downloads of some YouTube videos.
160319    Duplicate sessions (same IP address and ports) causes dropped packets if created less than timewait-timer sec after the first one is closed.
161480    Avoid AV scanning on video/x-flv streaming.
162102    Improved SSL inspection performance.
162152    Fixed virtual-server crash if virtual server cannot be located.
163336    Firewall address does not work when mixed with other type address.

Web-based Manager

Table 13: Resolved Web-based Manager Issues

Bug ID    Description
122051    Entry not found while editing entries named with special characters &.
146092    The Test button does not work well for radius servers.
153187    Web-based Manager login show FortiGate is managed by FortiManager even when the FGFM tunnel isn't up.
155813    IPS packet archive is not displayed on Web-based Manager when SQL Attack logging is enabled.
156279    In the Local Override, URLs with the special character & are not allowed to be deleted or modified.
158063    Allow the admin password to be changed from the System > Admin > Administrators page.
158655    RADIUS test from Web-based Manager only uses default port 1812.
159897    Cloned firewall policy gets the global-label from the last policy in the table.
160351    The view detail page should be read only.
160403    Fixed input field hidden if the scrollbar is clicked.
161333    The last HTTP set-cookies header value is parsed incorrectly.
161827    Application control filter works incorrectly by IPS pkg 139.
162003    Multiple Web Vulnerabilities publicly reported against FortiGate Appliances.
162091    Web-based Manager hangs with Firefox and Internet Explorer with large list in the policy.
162353    Application control settings for IM category work incorrectly.
164528    IPS sensors cannot be edited on Web-based Manager.
164567    The quota category cannot be created when the monitor categories are more than 15 items.

Router

Table 14: Resolved Router Issues

Bug ID    Description
157362    FortiGate-5001B retains route, identifying it as stale, well after BGP session is brought down.
158282    gwdetect does not work if the VLAN interface name contains spaces.
160888    VRRP virtual-mac does not work on 64-bit platforms.
161962    Unable to set the VRRP start-time to lower than 3*adv-interval.
163111    Router community-list changes since FortiOS v4.0 MR3 Patch Release 4.
164175    PIM-SM RP not reachable using BGP route.

Log and Report

Table 15: Resolved Log and Reports Issues

| Bug ID | Description |
|---|---|
| 154326 | IPS DoS sensor does not indicate the sensor name in the attack log message. |
| 162413 | FortiWifi should fill its serial number in wireless logs for VPN. |
| 162703 | Fix the traffic log so it will have proper session number. |

VPN

Table 16: Resolved VPN Issues

| Bug ID | Description |
|---|---|
| 155569 | FortiGate Dial-up IPsec VPN in interface mode accepts IKE negotiation from unexpected port. |
| 161791 | IKEV2 with RSA Signature fails if the peer sends more than 1 CERTREQ in SA_INIT response. |
| 163945 | CP8 models show invalid ESP. |

System

Table 17: Resolved System Issues

| Bug ID | Description |
|---|---|
| 148974 | Rx and Tx counters for NP4 Aggregate interfaces are incorrect. |
| 153247 | IPv6-trusthost list is not enforced. |
| 153279 | Internal fix in CMDB. |
| 153809 | Fix stress case for a VSD that triggers hanging sessions and pinned the CPU when using proxyworker to scan content. |
| 154651 | Empty interface when disconnected during creation. |
| 155630, 160247 | Memory allocation issues. |
| 155865 | The feature f_dlp_fingerprint is missing in platform.xml. |
| 157094 | AMC port showing up even when no cable is plugged in. |
| 157669 | Options are lost in some models from the syntax files. |
| 158854 | Install VPN from FortiManager cannot add VPN interface to zone. |
| 159516 | CLI crash after q during show command. |
| 160542 | Unallocated memory usage. |
| 160574 | Clicking the Coverage Download button may cause the FortiGate to hang. |
| 160610 | Console access to the FortiGate-300C is sometimes lost if executing the command diag debug crash read after a stress test. |
| 160911 | diagnose npu np4 list shows wrong FortiGate model. |
| 161019 | CLI crashes when deleting VDOMs. |
| 161181 | Count column showing N/A after upgrade to v4.0 MR3 Patch Release 4 build 0511. |
| 161482 | FortiGate can restore an error config with some error config kept. |
| 161517 | Kernel panic on FortiWifi-80CM after upgrade. |
| 161626 | Priority change applied to one static route. |
| 161716 | The tcp-timewait-timer is not applied as expected with IPv6. |
| 161720 | Duplicate members in a user group prevents FortiManager configuration retrieval. |
| 161819 | FortiOS reboots when the exe wireless-controller reset-wtp all command is executed. |
| 162028 | The show command has error message if q is pressed. |
| 162169 | FortiGate-One printed unreadable system part number. |
| 162214 | Slow throughput on FortiGate-100A after upgrading from build 0338 to build 0513. |
| 162447 | Failed to create VIP when a wildcard VIP is involved. |
| 162817 | VCM package and Flow-DB are competing for space on flash. |
| 162849 | The command exec upload config tftp causes the CLI to crash. |
| 163243 | Invalid MAC address for tagged VLAN under software switch interface. |
| 164280 | Low Encryption (LENC) device; when edit Fortinet_CA, the certificate will be shown on both CLI and Web-based Manager. |
| 164302 | Aggregate/LACP interface does not come up after being brought down. |
| 164565 | FortiGate-621B is sending the wrong AV update request string. |
| 164771 | The quard daemon keeps crashing when the cache is full. |
| 165208 | Incorrect default setting of Mgmt-VDom on the FortiGate-100D. |


SSL-VPN

Table 18: Resolved SSL-VPN Issues

| Bug ID | Description |
|---|---|
| 149764 | Support DNS suffix in SSLVPN tunnel mode. |
| 152242 | SSLVPN user cannot login after communication outage between PC and FortiGate. |
| 156054 | SSLVPN login username length is less than 36 characters. |
| 157668 | SSLVPN local user cannot authenticate if SSLVPN fw policy for PKI user is enabled. |
| 158400 | FortiSSLVPNClient.exe command line version does not work. |
| 159538 | Citrix does not work via SSLVPN portal. |
| 161551 | SSLVPN 64bit host check fails to detect process. |
| 161717 | Sharepoint 2010 Excel services component not displayed through SSLVPN portal. |
| 162200 | Delete default SSLVPN web portal in Transparent VDOM. |

IPS

Table 19: Resolved IPS Issues

| Bug ID | Description |
|---|---|
| 130900 | Gmail traffic is incorrectly recognized as Skype traffic. |
| 154997 | FMC-XG2 card DoS status is always disabled. |
| 159618 | IPS quarantine does not ban attacker if the expiry time exceed 357914 minutes. |
| 159845 | Blocking Facebook as vendor will also block Skype. |
| 162095 | Application control log does not report reset. |
| 164502 | IPS Engine crashes every 2 seconds when customer monitors using ActiveXperts. |

FortiGate-60C Series

Table 20: Resolved FortiGate-60C Series Issues

| Bug ID | Description |
|---|---|
| 141496 | Put restrictions on the FortiGate-60C reset button. |
| 149446 | Change from PPPoA to PPPoE, fail override old default routes. |
| 149538 | If the username is longer than 26 characters there is a syntax error. |
| 150913 | The FortiGate-60CX cannot connect to PPPoA. |
| 154035 | Unable to login to the FG-60CX SSLVPN on PPPoA interface. |
| 155385 | The FortiGate-60CX cannot establish IPSEC tunnel using PPPoA. |
| 160197 | Wrong default routing on ADSL up/down. |
| 162629 | SSLVPN crashes during tunnel mode performance test. |
| 163994 | The FortiGate-600C IPSec VPN has an invalid ESP. |


High Availability

Table 21: Resolved High Availability Issues

| Bug ID | Description |
|---|---|
| 149010 | HA device(interface) ready for Redundant/Aggregate interface are not logged. |
| 156040 | False HA sync due to license update. |
| 159733 | After a factory reset, the FortiGate-300C cannot sync with master. |
| 159840 | SNMPD watchdog timeout in HA cluster when the master reboot. |
| 161094 | Slave failed to sync with master after factory reset when master has more than 1 VDOM. |
| 162173 | Unable to send HA slave logs when source-ip had been set. |
| 163041 | HA sync of source visibility and VCM signatures. |
| 164295 | HA does not failover when monitored aggregate interface is down but one member is up. |

Data Leak Prevention

Table 22: Resolved Data Leak Prevention Issues

| Bug ID | Description |
|---|---|
| 145289 | DLP sensor - block regexp - MSN, ICQ does not block the file and dependency between AV and DLP. |
| 148188 | Match-percentage is not accurate in DLP doc fingerprint. |
| 154305 | DLP - field header - header pattern blocks ALL HTTP access. |
| 155083 | Arabic mixed with not-Arabic font for email attachment are not inspected. |
| 156634 | DLP fingerprinting has low performance. |
| 160243 | HTTP post file block that affect HTTP GET command. |
| 162012 | DLP fingerprint cannot scan source properly. |

FortiOS Carrier

Table 23: Resolved FortiOS Carrier Issues

| Bug ID | Description |
|---|---|
| 163652 | There is a miglogd memory leak when the FortiOS Carrier feature enabled. |

GTP

Table 24: Resolved GTP Issues

| Bug ID | Description |
|---|---|
| 155284 | GTP echo-responses are dropped by FortiOS Carrier. |

FortiSwitch

Table 25: Resolved FortiSwitch Issues

| Bug ID | Description |
|---|---|
| 163655 | The worker blade stopped sending the heartbeat to the FortiSwitch and the interface is no longer responsive to the ping requests. |


Other

Table 26: Other Resolved Issues

| Bug ID | Description |
|---|---|
| 141935 | Average Session Setup Rate (CPS) is calculated incorrectly. |
| 147247 | HTML and JavaScript injection in Unit Operation widget. |


7. Known Issues

This section lists the known issues of this release, but is not a complete list. For inquiries about a particular bug, please contact Customer Support. The known issues include:

- System
- Firewall
- Logging and Reporting
- High Availability
- SSLVPN
- Web-based Manager
- WiFi
- FortiGate-60C Series

System

Table 27: Known System Issues

| Bug ID | Description |
|---|---|
| 146579 | There is no packet-log for application sensor on XLR_CE4 interface. |
| 161628 | IPS Sensor config is not transferred properly during upgrade. |
| 162260 | Entry not found message when an interface is added to a large zone list. |
| 163826 | Incorrect timezone for western Australia. |
| 164292 | When two admin users login on the FortiGate-40C from Web-based Manager, it can cause the CLI print unnecessary error message. |
| 164602 | BGP neighbor password is shown in clear text. |
| 164769 | The FortiGate-100D tftp burn image report file system sometimes has errors. |
| 165281 | Several merged signal 11 crashes observed. |
| 165309 | Sha256 traffic cannot be offloaded by XLR. |
| 165396 | Pre-defined firewall service groups are re-created after reboot. |
| 165398 | Src/dst id not correctly announced by hatalk for recv/send threshold. |
| 165437 | The redundant interface went down while cable unplugged from one of its members. |
| 165445 | forticron daemon crashes with signal 6 and 11 when there is a policy monitor used. |

Firewall

Table 28: Known Firewall Issues

| Bug ID | Description |
|---|---|
| 159398 | Framed-ip entry is not released on logoff event for FortiToken/RADIUS authenticated users. |
| 159403 | FortiGate x86-64 incorrectly synchronize/calculate drift for FortiToken. |
| 159409 | When upgrading from FortiOS v4.0 MR3 Patch Release 1 to FortiOS v4.0 MR3 Patch Release 3, FortiToken changes status from active to new, exec activate fails. |
| 160531 | AV session not load balanced to slave if traffic went through VLAN on NP4 interfaces. |
| 161742 | SSL inspection does not work with Internet Explorer through FQDN when server require client certificate. |
| 163606 | Large file upload timeout with explicit proxy when uploading to box.com. |
| 165332 | SSL inspection did not verify certificate type also dropped the key usage info when resign the cert. |
| 165614 | Proxy breaks ASP websites using HTTP redirect. |
| 165645 | Sometimes YouTube video would break when WAN Optimization is enabled. |

Logging and Reporting

Table 29: Known Logging and Reporting Issues

| Bug ID | Description |
|---|---|
| 159997 | Email subject/body still show daily report when schedule is weekly. |
| 160264 | miglogd high CPU if FortiAnalyzer is unreachable through proxy or VDOM-link. |
| 161656 | Local Report cannot be generated. |
| 163226 | No event log is shown when ha-mgmt-interface is down, but snmptrap is shown. |
| 163762 | Local disk quota breaks quard full content to FortiAnalyzer. |
| 163843 | Monitor firewall reports incorrect duration for the FSSO and explicit-proxy users. |
| 165562 | Top SSLVPN tunnel by bandwidth chart does not include ssl-tunnel mode data. |
| 165608 | FortiGate sends incorrect savings time to the FortiAnalyzer. |

High Availability

Table 30: Known High Availability Issues

| Bug ID | Description |
|---|---|
| 163999 | Cannot send slave alertmail without rebooting slaves. |

SSLVPN

Table 31: Known SSLVPN Issues

| Bug ID | Description |
|---|---|
| 145644 | SSLVPN RDPNative application does not work in web mode in Internet Explorer 7 (32bit) in Windows XP (64bit). |
| 160248 | PKI user can not login in ssl vpn tunnel mode through Linux ssl vpn client. |
| 164778 | File gets corrupted when downloaded through the SSL VPN SMB/CIFS web application. |
| 165538 | Event logs has multiple entries for same user when logging in via SSLVPN. |
| 166143 | On MAC OS clients, the SSLVPN max session duration is 30 seconds. |

Web-based Manager

Table 32: Known Web-based Manager Issues

| Bug ID | Description |
|---|---|
| 154005 | FortiGate-5203B cluster worker image upgrade via Web-based Manager interface caused master blade processes killed. |
| 159261 | Traffic.Dist.Network.Bandwidth.last24h chart does not display correct data. |
| 159629 | Web-based Manager log detail info display a different log. |
| 160129 | Load Balance Monitor graceful stop change the status to disable. |
| 160214 | Non-management VDOM disk management display a different log storage. |
| 160887 | The French language Web-based Manager does not display object references. |
| 163833 | Can configure Oversized file, but download is not blocked when deep-scan is not enabled. |
| 164627 | CLI print error message when click Web-based Manager ipsec monitor and reset statistics. |
| 164801 | Change mode button needs to be removed from root VDOM. |
| 164847 | Change Web Filter Profile name will crash httpsd. |
| 165491 | Incorrect disk management info on Web-based Manager. |
| 165520 | When accessing the Web-based Manager by hostname, user is unable to create/modify policy. |
| 165628 | If there are 32 IPS sensors, after upgrade from FortiOS v4.0 MR2 to FortiOS v4.0 MR3 Patch Release 5, not able to configure IPS sensor in Web-based Manager. |

WiFi

Table 33: Known WiFi Issues

| Bug ID | Description |
|---|---|
| 158340 | WiFi speed becomes very slow when on-wire-scan is working. |
| 164861 | FortiAP intermittently get disconnected due to cmdbsvr in debug. |

FortiGate-60C Series

Table 34: Known FortiGate-60C Series Issues

| Bug ID | Description |
|---|---|
| 156001 | Disable WiFi Controller when FortiWifi-20C is in client mode. |
| 161172 | FortiWifi-20C Web-based Manager should remove WiFi page when wireless-mode is client or WTP. |
| 164713 | Sierra u597/u598 causing unit hang. |


8. Limitations

This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 6.

Citrix XenServer Limitations


The following limitations apply to Citrix XenServer installations:

- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
  - XVA (recommended)
  - VHD
  - OVF
- The XVA format comes pre-configured with default configurations for VM name, vCPU, memory, and vNIC. Other formats will require manual configuration before the first power on process.

Open Source Xen Limitations


When using Ubuntu 11.10, Xen 4.1.0, and libvir 0.9.2, importing issues may arise when using the qcow2 format and existing HDA issues.


9. Image Checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Fortinet Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file, including the extension, and select Get Checksum Code.
Figure 1: Fortinet customer support image checksum tool

(End of Release Notes)