March 14, 2012
01-436-164736-20120314
Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Visit these links for more information and documentation for your Fortinet product:
Technical Documentation - http://docs.fortinet.com
Knowledge Base - http://kb.fortinet.com
Customer Service & Support - https://support.fortinet.com
Training Services - http://training.fortinet.com
Table of Contents
Upgrading from FortiOS v4.0 MR1
Downgrading to FortiOS v4.0 MR1
FortiOS v4.0 MR3 Patch Release 6 Release Notes 01-436-164736-20120314 http://docs.fortinet.com/ Feedback
SSL-VPN Support
    SSL-VPN Standalone Client
    SSL-VPN Web Mode
    SSL-VPN Host Compatibility List
Limitations
    Citrix XenServer Limitations
    Open Source Xen Limitations
Change Log
Change Description
Initial Release
Fixed reported issues with Release Notes document
Added bug number 164736 to the known issues chapter
This document provides installation instructions and addresses issues and caveats in FortiOS v4.0 MR3 Patch Release 6 build 0521. Table 1 outlines the release status for these models. Table 2 lists the supported virtualization platforms for this release.
Table 1: Supported Platforms
FortiGate Models: FG-20C, FWF-20C, FG-30B, FWF-30B, FG-40C, FWF-40C, FG-50B, FG-51B, FWF-50B, FG-60B, FWF-60B, FG-60C, FWF-60C, FWF-60CM, FWF-60CX-A, FG-80C, FG-80CM, FWF-80CM, FWF-81CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-POE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FSW-5203B, FG-ONE, FG-VM and FG-VM64.
FortiOS v4.0 MR3 Patch Release 6: All models are supported on the regular v4.0 MR3 Patch Release 6 branch.

Table 2: Supported Virtualization Platforms
Virtualization Platform: VMware VI 3.5, vSphere 4.0/4.1, vSphere 5.0; Citrix XenServer 5.6sp2/6.0; Open Source Xen 3.4.3; Open Source Xen 4.1
FortiOS v4.0 MR3 Patch Release 6: All models are supported by the regular v4.0 MR3 Patch Release 6 branch. See Limitations for more information.
Summary of Enhancements
The following is a list of the new features added in FortiOS v4.0 MR3 Patch Release 6:
- Logging performance enhancement to allow traffic logging speed to match up with CPS
- Double IPSec performance with aes256-sha256 on the FortiGate-60C
- Improve IPSec session set up rate
- Upgrade FortiOS Apache Web Server
- Verizon Wireless 4G LTE USB Modem Novatel 551L support
- New Endpoint feature updates (max license)
- Timezone added for Uruguay
- FortiExplorer support for the FortiGate-1000C-DC and FortiGate-600C-DC, version 1.5, build 1363
- WAN Optimization: Improvements to CIFS Optimization
- Module location information added in ARM kernel crash log
- Web-based Manager filtering improvements
- FortiGate-100D NPI branch merged to v4.0 MR3
- Implemented Application breakdown feature
- Support OSPF auto-cost for interfaces with bandwidth over 65Gbps
- FortiSwitch-5203B support for the non-maskable interrupt (NMI) and comlog features
- Internet Explorer 8 SSL compatibility with inspection and offload features
- Support for the Resolve User Names Using FSSO Agent option for implicit deny ID based policy
- AV Engine upgraded to 4.392.
- Log system events of process startup/shutdown
This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release 6 build 0521. Table 3 outlines the release status for these models.
Table 3: Supported Platforms
FortiCarrier Models: FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001A, and FCR-5001B. Firmware image filenames begin with FK.
FortiOS Carrier v4.0 MR3 Patch Release 6: All models are supported on the regular v4.0 MR3 Patch Release 6 branch.
3. Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.
IMPORTANT!
Monitor Settings for Web User Interface Access: Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be viewed properly.
Web Browser Support: Microsoft Internet Explorer 8.0 and Mozilla FireFox 3.5 or later are fully supported.
BEFORE any upgrade: Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.
AFTER any upgrade: If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate to ensure the Web-based Manager screens are displayed properly.
The AV/IPS signature included with an image upgrade may be older than ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an Update Now as soon as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for detailed procedures.
4. Installation Information
FortiOS v4.0 MR2: The upgrade is supported from FortiOS v4.0 MR2 Patch Release build 0313 or later.
v4.0 MR2 Patch Release 4 build 0313 (or later)
v4.0 MR3 Patch Release 6 build 0521
After every upgrade, ensure that the build number and branch point match the image that was loaded.
DDNS: DDNS configurations under interface are moved to global mode config system ddns after upgrading to FortiOS v4.0 MR3 Patch Release 6.
Ping server: gwdetect related configurations under specific interfaces are moved under router per VDOM mode, and config router gwdetect can be used to configure the option after upgrading to FortiOS v4.0 MR3 Patch Release 6.
Central-management: set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed after upgrading to FortiOS v4.0 MR3 Patch Release 6.
SNMP community: A 32 bits network mask will be added to an IP address of SNMP host upon upgrading to FortiOS v4.0 MR3 Patch Release 6.
Modem settings: wireless-custom-vendor-id and wireless-custom-product-id are moved from config system modem to config system 3g-modem custom after upgrading to FortiOS v4.0 MR3 Patch Release 6.
AMC slot settings: The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR3 Patch Release 6.
Wireless radio settings: Wireless radio settings, except for SSID, Security Mode, and Authentication settings, will be lost after upgrading.
Web filter overrides: The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 build 0313 to FortiOS v4.0 MR3 Patch Release 6.
Firewall policy settings: If the source interface or destination interface is set as the amc-XXX interface, the default value of ips-sensor under config firewall policy is changed from all_default to default after upgrading to FortiOS v4.0 MR3 Patch Release 6.
URL filter: The action options in the urlfilter configuration have been changed from Allow, Pass, Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action will not report log in FortiOS v4 MR3 Patch Release 1. The Monitor action will act as the function that allows log reporting. The Pass action in FortiOS v4.0 MR2 has been merged with Exempt in FortiOS v4.0 MR3 Patch Release 1, and the CLI command has been changed from set action pass to set exempt pass.
FortiGuard log filter: The settings of config log fortiguard filter are removed after upgrading to FortiOS v4.0 MR3 Patch Release 6.
FortiGuard log setting: The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading to FortiOS v4.0 MR3 Patch Release 6.
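A pre-upgrade check for the configuration changes listed above, as an added example that is not part of the original release notes: it scans a saved configuration backup for the settings this release moves, removes or re-defaults, so they can be reviewed before the upgrade. The sample configuration is constructed; the ddns*/gwdetect* key prefixes under config system interface and the "webfilter urlfilter" section path are assumptions, since the release notes name those areas but not their exact keys.

```python
import re
import shlex

# Each rule: (top-level section, setting-name regex or None for the whole
# section, required value or None for any, what the release notes say happens).
# Assumed, not named on the page: the ddns*/gwdetect* key prefixes and the
# "webfilter urlfilter" section path.
RULES = [
    ("system interface", r"ddns.*", None, "moved to global 'config system ddns'"),
    ("system interface", r"gwdetect.*", None,
     "moved to per-VDOM 'config router gwdetect'"),
    ("system central-management", r"auto-backup|authorized-manager-only", None,
     "removed"),
    ("system modem", r"wireless-custom-(vendor|product)-id", None,
     "moved to 'config system 3g-modem custom'"),
    ("system amc-slot", r"ips-weight", None,
     "default changes from balanced to less-fw"),
    ("firewall policy", r"ips-sensor", "all_default",
     "default becomes 'default' on amc-XXX interfaces"),
    ("log fortiguard filter", None, None, "whole section removed"),
    ("log fortiguard setting", r"quotafull|use-hdd", None, "option removed"),
    ("webfilter urlfilter", r"action", "pass", "Pass merged into Exempt"),
]

# Constructed sample backup, not taken from a real device.
SAMPLE = """\
config system interface
    edit "wan1"
        set ip 192.0.2.10 255.255.255.0
        set gwdetect enable
        set ddns enable
    next
end
config system central-management
    set auto-backup disable
    set authorized-manager-only enable
end
config system modem
    set wireless-custom-vendor-id 0x1234
end
config log fortiguard setting
    set status enable
    set quotafull overwrite
end
config log fortiguard filter
    set traffic enable
end
config webfilter urlfilter
    edit 1
        config entries
            edit "example.com"
                set action pass
            next
        end
    next
end
"""


def _tokens(line):
    try:
        return shlex.split(line)
    except ValueError:  # a quoted value that continues on the next line
        return line.split()


def audit(config_text):
    """Return [(line_no, section, setting, note)] for settings the upgrade changes."""
    findings, stack, in_quote = [], [], False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        odd_quotes = len(re.findall(r'(?<!\\)"', raw)) % 2 == 1
        if in_quote:                   # inside a multi-line quoted value
            in_quote = not odd_quotes  # an odd quote count closes it
            continue
        in_quote = odd_quotes
        tok = _tokens(raw.strip())
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            if len(stack) == 1:        # whole-section rules apply at top level
                findings += [(line_no, sec, None, note)
                             for sec, key, _, note in RULES
                             if key is None and sec == stack[0]]
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "set" and stack and len(tok) >= 2:
            name, value = tok[1], " ".join(tok[2:])
            for sec, key, want, note in RULES:
                if (key and sec == stack[0] and re.fullmatch(key, name)
                        and want in (None, value)):
                    findings.append((line_no, sec, name, note))
    return findings


if __name__ == "__main__":
    for line_no, sec, name, note in audit(SAMPLE):
        print(f"line {line_no}: config {sec} / {name or '(section)'}: {note}")
```

Run it against the configuration backup saved before the upgrade; each finding is a setting to record by hand, because the upgrade will move or drop it.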
FortiManager Support
FortiOS v4.0 MR3 Patch Release 6 is supported by FortiManager v4.0 MR3 Patch Releases 2 and later.
FortiAnalyzer Support
FortiOS v4.0 MR3 Patch Release 6 is supported by FortiAnalyzer v4.0 MR3. If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function correctly with FortiOS v4.0 MR3 Patch Release 6.
FortiClient Support
FortiOS v4.0 MR3 Patch Release 6 is fully compatible with FortiClient v4.0 MR2 Patch Release 3 and later. FortiOS v4.0 MR3 Patch Release 6 is supported by FortiClient v4.0 MR3 for the following:
- 32-bit version of Microsoft Windows XP
- 32-bit version of Microsoft Windows Vista
- 64-bit version of Microsoft Windows Vista
- 32-bit version of Microsoft 7
- 64-bit version of Microsoft 7
FortiAP Support
FortiOS v4.0 MR3 Patch Release 6 supports the following FortiAP models:
- FortiAP-210B
- FortiAP-220A
- FortiAP-220B
- FortiAP-221B
- FortiAP-222B
The FortiAP devices must be running FortiAP v4.0 MR3 and above.
FortiExplorer Support
FortiOS v4.0 MR3 Patch Release 6 is supported by FortiExplorer v1.5 GA build1363.
Module Support
FortiOS v4.0 MR3 Patch Release 6 supports AMC removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before the module is inserted or removed.
Table 4: Supported Modules
AMC Modules: FortiGate Support
Internal Hard Drive (ASM-S08): FG-310B, FG-620B, FG-621B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Internal Hard Drive (FSM-064): FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Single Width 4-port 1Gbps Ethernet interface (ASM-FB4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2): FG-3810A, FG-5001A-DW
Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8): FG-3810A, FG-5001A-DW
Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Single Width 4-port Ethernet bypass interface (ASM-CX4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
AMC Security Processing Engine Module (ASM-CE4): FG-1240B, FG-3810A, FG-3016B, FG-5001A-SW
AMC Security Processing Engine Module (ADM-XE2): FG-3810A, FG-5001A-DW
AMC Security Processing Engine Module (ADM-XD4): FG-3810A, FG-5001A-DW
AMC Security Processing Engine Module (ADM-FE8): FG-3810A
Rear Transition Module (RTM-XD2): FG-5001A-DW
Four Port T1/E1 WAN Security Processing Module (ASM-ET4): FG-310B, FG-311B
Rear Transition Module (RTM-XB2): FG-5001A-DW
Fortinet Mezzanine Card (FMC-XG2): FG-3950B, FG-3951B
Fortinet Mezzanine Card (FMC-XD2): FG-3950B, FG-3951B
Fortinet Mezzanine Card (FMC-F20): FG-3950B, FG-3951B
Fortinet Mezzanine Card (FMC-C20): FG-3950B, FG-3951B
SSL-VPN Support
SSL-VPN Standalone Client
FortiOS v4.0 MR3 Patch Release 6 supports the SSL-VPN tunnel client standalone installer B2251 for the following:
- Windows in .exe and .msi format
- Linux in .tar.gz format
- Mac OS X 10.6.x in .dmg format
- Virtual Desktop in .jar format for Windows 7, XP, and Vista
Table 5 lists the supported operating systems.

Table 5: Supported operating systems
Windows: Windows XP 32-bit SP3, Windows XP 64-bit SP1, Windows Vista 32-bit SP1, Windows Vista 64-bit SP1, Windows 7 32-bit, Windows 7 64-bit
Virtual Desktop Support: Windows XP 32-bit SP2, Windows Vista 32-bit SP1, Windows 7 32-bit
Linux: CentOS 5.2 (2.6.18-el5), Ubuntu 8.0.4 (2.6.24-23)
Mac OS X: Leopard 10.6.x

SSL-VPN Web Mode
Table 6 lists the browsers and operating systems supported by SSL-VPN web mode.

Table 6: Supported browsers and operating systems
Operating System: Browsers
Windows XP 32-bit SP2: Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
Windows XP 64-bit SP1: Internet Explorer 7, Internet Explorer 9, and Firefox 3.6
Windows Vista 32-bit SP1: Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
Windows Vista 64-bit SP1: Internet Explorer 7, Internet Explorer 9, and Firefox 3.6
Windows 7 32-bit: Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
Windows 7 64-bit: Internet Explorer 8, Internet Explorer 9, and Firefox 3.6
CentOS 5.2 (2.6.18-el5): Firefox 1.5 and Firefox 3.0
Ubuntu 8.0.4 (2.6.24-23): Firefox 3.0
Mac OS X Leopard 10.6.x: Safari 4.1

SSL-VPN Host Compatibility List
The following tables list the Antivirus and Firewall client software packages that are supported.
Table 7 lists supported Windows XP Antivirus and Firewall software.

Table 7: Supported Windows XP Antivirus and Firewall software
Product  Antivirus  Firewall
Symantec Endpoint Protection v11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 8: Supported Windows 7 32-bit Antivirus and Firewall software (Continued)
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
6. Resolved Issues
The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Support. The resolved issues include:
- WiFi
- Web Filter
- Firewall
- Web-based Manager
- Router
- Log and Report
- VPN
- System
- SSL-VPN
- IPS
- FortiGate-60C Series
- High Availability
- Data Leak Prevention
- FortiOS Carrier
- GTP
- FortiSwitch
WiFi
Table 10: Resolved WiFi Issues
Bug ID: Description
159002: The capwap daemon cannot retrieve the VDOM index (vfid) from dialup IPSec interfaces.
159732: FortiManager cannot get wireless-controller virtual AP (VAP) configuration.
160634: Wifi VAP configuration in non-root VDOM cannot be synced.
161622: Wireless client is unable to connect to the second VAP.
161773: Band 802.11a can not work on local radio.
162527: FortiWifi local radio should not be limited by tablesize.
163660: VAP/soft-switch cannot be deleted.
163712: The wtp-profile platform type can not be saved.
Web Filter
Table 11: Resolved Web Filter Issues
Bug ID: Description
145904: Resume download should be blocked when rangeblock is enabled in Web Filter.
158996: The FortiGuard override URL is incorrect when using deep inspection and CN contains wildcard character.
159961: Sites that go through Google Translate bypass FortiGuard Web Filtering.
160240: Long URLs in the Web Filter local override rating do not work.
Firewall
Table 12: Resolved Firewall Issues
Bug ID: Description
154479: LDAP authentication fails even though a Success result is received in the bindResponse.
159061: VSD crashes whenever trying to gracefully start a stopped virtual server.
159757: AV enabled causes slow downloads of some YouTube videos.
160319: Duplicate sessions (same IP address and ports) causes dropped packets if created less than timewait-timer sec after the first one is closed.
161480: Avoid AV scanning on video/x-flv streaming.
162102: Improved SSL inspection performance.
162152: Fixed virtual-server crash if virtual server cannot be located.
163336: Firewall address does not work when mixed with other type address.

Table 13: Resolved Web-based Manager Issues (Continued)
162091: Web-based Manager hangs with Firefox and Internet Explorer with large list in the policy.
162353: Application control settings for IM category work incorrectly.
164528: IPS sensors cannot be edited on Web-based Manager.
164567: The quota category cannot be created when the monitor categories are more than 15 items.
Router
Table 14: Resolved Router Issues
Bug ID: Description
157362: FortiGate-5001B retains route, identifying it as stale, well after BGP session is brought down.
158282: gwdetect does not work if the VLAN interface name contains spaces.
160888: VRRP virtual-mac does not work on 64-bit platforms.
161962: Unable to set the VRRP start-time to lower than 3*adv-interval.
163111: Router community-list changes since FortiOS v4.0 MR3 Patch Release 4.
164175: PIM-SM RP not reachable using BGP route.

Table 15: Resolved Log and Reports Issues
Bug ID: Description
154326: IPS DoS sensor does not indicate the sensor name in the attack log message.
162413: FortiWifi should fill its serial number in wireless logs for VPN.
162703: Fix the traffic log so it will have proper session number.
VPN
Table 16: Resolved VPN Issues
Bug ID: Description
155569: FortiGate Dial-up IPsec VPN in interface mode accepts IKE negotiation from unexpected port.
161791: IKEV2 with RSA Signature fails if the peer sends more than 1 CERTREQ in SA_INIT response.
163945: CP8 models show invalid ESP.
System
Table 17: Resolved System Issues
Bug ID: Description
148974: Rx and Tx counters for NP4 Aggregate interfaces are incorrect.
153247: IPv6-trusthost list is not enforced.
153279: Internal fix in CMDB.
153809: Fix stress case for a VSD that triggers hanging sessions and pinned the CPU when using proxyworker to scan content.
154651: Empty interface when disconnected during creation.
155630, 160247: Memory allocation issues.
155865: The feature f_dlp_fingerprint is missing in platform.xml.
157094: AMC port showing up even when no cable is plugged in.
157669: Options are lost in some models from the syntax files.
158854: Install VPN from FortiManager cannot add VPN interface to zone.
159516: CLI crash after q during show command.
160542: Unallocated memory usage.
160574: Clicking the Coverage Download button may cause the FortiGate to hang.
160610: Console access to the FortiGate-300C is sometimes lost if executing the command diag debug crash read after a stress test.
160911: diagnose npu np4 list shows wrong FortiGate model.
161019: CLI crashes when deleting VDOMs.
161181: Count column showing N/A after upgrade to v4.0 MR3 Patch Release 4 build 0511.
161482: FortiGate can restore an error config with some error config kept.
161517: Kernel panic on FortiWifi-80CM after upgrade.
161626: Priority change applied to one static route.
161716: The tcp-timewait-timer is not applied as expected with IPv6.
161720: Duplicate members in a user group prevents FortiManager configuration retrieval.
161819: FortiOS reboots when the exe wireless-controller reset-wtp all command is executed.
162028: The show command has error message if q is pressed.
162169: FortiGate-One printed unreadable system part number.
162214: Slow throughput on FortiGate-100A after upgrading from build 0338 to build 0513.
162447: Failed to create VIP when a wildcard VIP is involved.
162817: VCM package and Flow-DB are competing for space on flash.
162849: The command exec upload config tftp causes the CLI to crash.
163243: Invalid MAC address for tagged VLAN under software switch interface.
164280: Low Encryption (LENC) device; when edit Fortinet_CA, the certificate will be shown on both CLI and Web-based Manager.
164302: Aggregate/LACP interface does not come up after being brought down.
164565: FortiGate-621B is sending the wrong AV update request string.
164771: The quard daemon keeps crashing when the cache is full.
165208: Incorrect default setting of Mgmt-VDom on the FortiGate-100D.
SSL-VPN
Table 18: Resolved SSL-VPN Issues
Bug ID: Description
149764: Support DNS suffix in SSLVPN tunnel mode.
152242: SSLVPN user cannot login after communication outage between PC and FortiGate.
156054: SSLVPN login username length is less than 36 characters.
157668: SSLVPN local user cannot authenticate if SSLVPN fw policy for PKI user is enabled.
158400: FortiSSLVPNClient.exe command line version does not work.
159538: Citrix does not work via SSLVPN portal.
161551: SSLVPN 64bit host check fails to detect process.
161717: Sharepoint 2010 Excel services component not displayed through SSLVPN portal.
162200: Delete default SSLVPN web portal in Transparent VDOM.
IPS
Table 19: Resolved IPS Issues
Bug ID: Description
130900: Gmail traffic is incorrectly recognized as Skype traffic.
154997: FMC-XG2 card DoS status is always disabled.
159618: IPS quarantine does not ban attacker if the expiry time exceed 357914 minutes.
159845: Blocking Facebook as vendor will also block Skype.
162095: Application control log does not report reset.
164502: IPS Engine crashes every 2 seconds when customer monitors using ActiveXperts.
High Availability
Table 21: Resolved High Availability Issues
Bug ID: Description
149010: HA device(interface) ready for Redundant/Aggregate interface are not logged.
156040: False HA sync due to license update.
159733: After a factory reset, the FortiGate-300C cannot sync with master.
159840: SNMPD watchdog timeout in HA cluster when the master reboot.
161094: Slave failed to sync with master after factory reset when master has more than 1 VDOM.
162173: Unable to send HA slave logs when source-ip had been set.
163041: HA sync of source visibility and VCM signatures.
164295: HA does not failover when monitored aggregate interface is down but one member is up.

Data Leak Prevention
Table 22: Resolved Data Leak Prevention Issues
Bug ID: Description
145289: DLP sensor - block regexp - MSN, ICQ does not block the file and dependency between AV and DLP.
148188: Match-percentage is not accurate in DLP doc fingerprint.
154305: DLP - field header - header pattern blocks ALL HTTP access.
155083: Arabic mixed with not-Arabic font for email attachment are not inspected.
156634: DLP fingerprinting has low performance.
160243: HTTP post file block that affect HTTP GET command.
162012: DLP fingerprint cannot scan source properly.
FortiOS Carrier
Table 23: Resolved FortiOS Carrier Issues
Bug ID: Description
163652: There is a miglogd memory leak when the FortiOS Carrier feature enabled.
GTP
Table 24: Resolved GTP Issues
Bug ID: Description
155284: GTP echo-responses are dropped by FortiOS Carrier.
FortiSwitch
Table 25: Resolved FortiSwitch Issues
Bug ID: Description
163655: The worker blade stopped sending the heartbeat to the FortiSwitch and the interface is no longer responsive to the ping requests.
Other
Table 26: Other Resolved Issues
Bug ID: Description
141935: Average Session Setup Rate (CPS) is calculated incorrectly.
147247: HTML and JavaScript injection in Unit Operation widget.
7. Known Issues
This section lists the known issues of this release, but is not a complete list. For inquiries about a particular bug, please contact Customer Support. The known issues include:
- System
- Firewall
- Logging and Reporting
- High Availability
- SSLVPN
- Web-based Manager
- WiFi
- FortiGate-60C Series
System
Table 27: Known System Issues
Bug ID: Description
146579: There is no packet-log for application sensor on XLR_CE4 interface.
161628: IPS Sensor config is not transferred properly during upgrade.
162260: Entry not found message when an interface is added to a large zone list.
163826: Incorrect timezone for western Australia.
164292: When two admin users login on the FortiGate-40C from Web-based Manager, it can cause the CLI print unnecessary error message.
164602: BGP neighbor password is shown in clear text.
164769: The FortiGate-100D tftp burn image report file system sometimes has errors.
165281: Several merged signal 11 crashes observed.
165309: Sha256 traffic cannot be offloaded by XLR.
165396: Pre-defined firewall service groups are re-created after reboot.
165398: Src/dst id not correctly announced by hatalk for recv/send threshold.
165437: The redundant interface went down while cable unplugged from one if its member.
165445: forticron daemon crashes with signal 6 and 11 when there is a policy monitor used.
Firewall
Table 28: Known Firewall Issues
Bug ID: Description
159398: Framed-ip entry is not released on logoff event for FortiToken/RADIUS authenticated users.
159403: FortiGate x86-64 incorrectly synchronize/calculate drift for FortiToken.
159409: When upgrading from FortiOS v4.0 MR3 Patch Release 1 to FortiOS v4.0 MR3 Patch Release 3, FortiToken changes status from active to new, exec activate fails.
AV session not load balanced to slave if traffic went through VLAN on NP4 interfaces.
SSL inspection does not work with Internet Explorer through FQDN when server require client certificate.
Large file upload timeout with explicit proxy when uploading to box.com.
SSL inspection did not verify certificate type also dropped the key usage info when resign the cert.
Proxy breaks ASP websites using HTTP redirect.
Sometimes YouTube video would break when WAN Optimization is enabled.

Logging and Reporting
Table 29: Known Logging and Reporting Issues
Bug ID: Description
159997: Email subject/body still show daily report when schedule is weekly.
160264: miglogd high CPU if FortiAnalyzer is unreachable through proxy or VDOM-link.
161656: Local Report cannot be generated.
163226: No event log is shown when ha-mgmt-interface is down, but snmptrap is shown.
163762: Local disk quota breaks quard full content to FortiAnalyzer.
163843: Monitor firewall reports incorrect duration for the FSSO and explicit-proxy users.
165562: Top SSLVPN tunnel by bandwidth chart does not include ssl-tunnel mode data.
165608: FortiGate sends incorrect savings time to the FortiAnalyzer.
High Availability
Table 30: Known High Availability Issues
Bug ID: Description
163999: Cannot send slave alertmail without rebooting slaves.
SSLVPN
Table 31: Known SSLVPN Issues
Bug ID: Description
145644: SSLVPN RDPNative application does not work in web mode in Internet Explorer 7 (32bit) in Windows XP (64bit).
160248: PKI user can not login in ssl vpn tunnel mode through Linux ssl vpn client.
164778: File gets corrupted when downloaded through the SSL VPN SMB/CIFS web application.
165538: Event logs has multiple entries for same user when logging in via SSLVPN.
166143: On MAC OS clients, the SSLVPN max session duration is 30 seconds.
WiFi
Table 33: Known WiFi Issues
Bug ID: Description
158340: WiFi speed becomes very slow when on-wire-scan is working.
164861: FortiAP intermittently get disconnected due to cmdbsvr in debug.
8. Limitations
This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 6.
9. Image Checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Fortinet Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file, including the extension, and select Get Checksum Code.
Figure 1: Fortinet customer support image checksum tool
(End of Release Notes)