
FortiOS v4.0 MR3 Patch Release 11 Release Notes


November 21, 2012
01-4311-188206-20121121
Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Table of Contents
Change Log
Introduction
    Supported models
        FortiGate
        FortiWiFi
        FortiGate Virtual Machine
        FortiSwitch
    Supported virtualization software
    Summary of enhancements
FortiOS Carrier
    Supported models
        FortiCarrier models
Special Notices
    General
    Important
        Monitor settings for Web-based Manager access
        Before any upgrade
        After any upgrade
    FortiGate 1240B upgrade and downgrade limitations
Upgrade Information
    Upgrading from FortiOS v4.0 MR3
        Historical reports upgrade limitation
        SQL logging upgrade limitation
        FortiGate 100D
    Upgrading from FortiOS v4.0 MR2
        DDNS
        DNS server
        Ping server
        Central-management
        SNMP community
        Modem settings
        AMC slot settings
        Wireless radio settings
        Web filter overrides
        Firewall policy settings
        URL filter
        FortiGuard log filter
        FortiGuard log setting
    Upgrading from FortiOS v4.0 MR1
    Downgrading to FortiOS v4.0 MR1
Product Integration and Support
    Supported web browsers
    FortiManager support
    FortiAnalyzer support
    FortiClient support
    FortiAP support
    Fortinet Single Sign-On (FSSO) support
    FortiExplorer support
    AV Engine and IPS Engine support
    Module support
    SSL-VPN support
        SSL-VPN standalone client
        SSL-VPN web mode
        SSL-VPN host compatibility list
    Explicit Web Proxy browser support
Resolved Issues
    Data Leak Prevention
    ELBC
    Email Filter
    Firewall
    High Availability
    IPsec VPN
    Log & Report
    Routing
    SSL-VPN
    System
    VoIP
    WAN Optimization & Web Proxy
    Web-based Manager
    Web Filter
    WiFi
Known Issues
    Endpoint Control
    High Availability
    IPsec VPN
    Log & Report
    SSL-VPN
    System
    Upgrade
    Web-based Manager
    Web Filter
    WiFi
Limitations
    Citrix XenServer limitations
    Open Source Xen limitations
Image Checksum

Change Log
Date | Change Description
2012-11-21 | Initial release.
2012-11-22 | Added FAP-112B, FAP-223B, and FAP-320B to Product Integration and Support chapter.

Introduction
This document provides installation instructions and addresses issues and caveats in FortiOS
v4.0 MR3 Patch Release 11 build 0646.

Supported models
The following models are supported on FortiOS v4.0 MR3 Patch Release 11.

FortiGate
FG-20C, FG-20C-ADSL-A, FG-30B, FG-40C, FG-50B, FG-51B, FG-60B, FG-60C,
FG-60C-PoE, FG-80C, FG-80CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A,
FG-200B, FG-200B-PoE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B,
FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800C, FG-800F,
FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B,
FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A,
FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FG-5101C, and FG-One.

FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-30B, FWF-40C, FWF-50B, FWF-60B, FWF-60C,
FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.

FortiGate Virtual Machine


FG-VM32 and FG-VM-64
FG-VM64-XEN
This model is released on a special branch based off of FortiOS v4.0 MR3 Patch Release 11. As
such, the build number found in the System > Dashboard > Status page and the output from the
get system status CLI command displays 5920 as the build number.
To confirm that you are running the proper build, the output from the get system status CLI
command has a Branch point field that should read 0646.

FortiSwitch
FS-5203B

Supported virtualization software


The following virtualization software is supported on FortiOS v4.0 MR3 Patch Release 11.
vSphere 4.0, 4.1, vSphere 5.0
Citrix XenServer 5.6sp2/6.0
Open Source Xen 3.4.3
Open Source Xen 4.1

See Limitations for more information.


See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR3.

Summary of enhancements
The following is a list of enhancements in FortiOS v4.0 MR3 Patch Release 11:
Added upload log schedule option in the Web-based Manager.
Display platform information in the Web-based Manager.


FortiOS Carrier
This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release
11 build 0646.

Supported models
The following models are supported on FortiOS Carrier v4.0 MR3 Patch Release 11.

FortiCarrier models
FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001, FCR-5001A, FCR-5001B, FCR-5001FA2,
and FCR-5005FA2.
Firmware image filenames begin with FK.
See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR3.


Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory
default settings.

Important
Monitor settings for Web-based Manager access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for
all the objects in the Web-based Manager to be viewed properly.

Before any upgrade


Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.

After any upgrade


If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate
to ensure the Web-based Manager screens are displayed properly.
The Virus and Attack definitions included with an image upgrade may be older than the ones
currently available from Fortinet's FortiGuard Distribution Server. Fortinet recommends
performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) as soon
as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for
detailed procedures.

FortiGate 1240B upgrade and downgrade limitations


With the release of FortiOS v4.0 MR3 Patch Release 2 and later, the FortiGate 1240B will run a
64-bit version of FortiOS. This has introduced certain limitations on upgrading firmware in a high
availability (HA) environment, and downgrading.
When performing an upgrade from a 32-bit FortiOS version to a 64-bit FortiOS version, and the
FortiGate 1240Bs are running in a HA environment with the uninterruptable-upgrade option
enabled, the upgrade process may fail on the primary device after the subordinate devices have
been successfully upgraded. To work around this situation, users may disable the
uninterruptable-upgrade option to allow all HA members to be successfully upgraded. Without
the uninterruptable-upgrade feature enabled, several minutes of service unavailability are to be
expected.
Downgrading a FortiGate 1240B from FortiOS v4.0 MR3 Patch Release 2 is not supported due
to technical limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to
downgrade firmware is by using the TFTP server and BIOS menu to perform the downgrade. In
this case the configuration will need to be restored from a previously backed up version.


Upgrade Information
Upgrading from FortiOS v4.0 MR3
FortiOS v4.0 MR3 Patch Release 11 build 0646 officially supports upgrade from FortiOS v4.0
MR3 GA or later.

Historical reports upgrade limitation


For the following units, historical reports from previous builds will not be retained after
upgrading to FortiOS v4.0 MR3 Patch Release 11:
FG-20C, FWF-20C, FG-40C, FWF-40C, FG-60C, FWF-60C, FWF-60CM,
FWF-60CX-ADSL-A, FG-80C, FWF-81CM
Workaround: Download the historical reports to a local PC hard drive before performing the
upgrade.

SQL logging upgrade limitation


For the following units, after upgrading to FortiOS v4.0 MR3 Patch Release 11, SQL logging will
be retained based on the total size of the RAM available on the device. Logs will use up to a
maximum of 10% of the RAM; once that threshold is passed, any new logs will start to overwrite
the older logs. Historical report generation will also be affected, because it depends on the SQL
logs that are available for query.
FG-100D, FG-300C

FortiGate 100D
FortiOS v4.0 MR3 Patch Release 11 supports the FortiGate 100D platform. Included with this
model is a special purpose management port that operates on its own virtual domain (VDOM).
An issue exists with this feature whereby FortiCare registration fails when initiated from the
FortiGate device if this port is connected to the Internet and thus FortiGuard and FortiCare.
Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR2
Patch Release 12 or later does not switch the management VDOM. You must change the
management VDOM from the default setting to the root VDOM.
To do this, use the following CLI commands:
config system global
set management-vdom root
end
end


Upgrading from FortiOS v4.0 MR2


Please upgrade to the latest v4.0 MR2 patch release prior to upgrading to v4.0 MR3 Patch
Release 11. For more information, see the latest FortiOS v4.0 MR2 patch release notes.
After every upgrade, ensure that the build number and branch point match the image that was
loaded.
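
The build number and branch point check described here and under FortiGate Virtual Machine can be scripted against saved get system status output. The following is an added example, not part of the Fortinet release notes; the sample outputs are constructed, and the layout of the Version line is an assumption (only the Branch point field name and the values 0646 and 5920 come from this document).

```python
import re

# Field patterns. The "Version:" line layout is an assumption; "Branch point"
# is the field name given in these release notes.
BUILD_RE = re.compile(r"^[ \t]*Version:.*?\bbuild\s*(\d+)",
                      re.IGNORECASE | re.MULTILINE)
BRANCH_RE = re.compile(r"^[ \t]*Branch point:\s*(\d+)",
                       re.IGNORECASE | re.MULTILINE)

# Constructed sample outputs (not captured from a real device).
SAMPLE_MAINLINE = """\
Version: FortiGate-60C v4.0,build0646,121119 (MR3 Patch 11)
Hostname: lab-fgt
Branch point: 646
"""
# Special-branch image: build number differs from the branch point.
SAMPLE_XEN = """\
Version: FG-VM64-XEN v4.0,build5920 (constructed)
Branch point: 0646
"""
# Unit that is still running some other image (constructed build 0100).
SAMPLE_OLD = """\
Version: FortiGate-60C v4.0,build0100 (constructed)
Branch point: 100
"""
# Output cut off before the Branch point line.
SAMPLE_TRUNCATED = "Version: FortiGate-60C v4.0,build0646 (constructed)\n"


def parse_status(text):
    """Return (build, branch_point) as ints; a field that is absent is None."""
    build = BUILD_RE.search(text)
    branch = BRANCH_RE.search(text)
    # Compare as integers so that "0646" and "646" are treated as equal.
    return (int(build.group(1)) if build else None,
            int(branch.group(1)) if branch else None)


def check_upgrade(text, expected_build, expected_branch_point):
    """Return a list of mismatches; an empty list means the image matches."""
    build, branch = parse_status(text)
    problems = []
    for label, seen, want in (("build number", build, expected_build),
                              ("branch point", branch, expected_branch_point)):
        if seen is None:
            # Treat a missing field as a failure rather than a silent pass.
            problems.append(f"{label} not found in output")
        elif seen != want:
            problems.append(f"{label} is {seen:04d}, expected {want:04d}")
    return problems


if __name__ == "__main__":
    cases = [
        ("mainline unit", SAMPLE_MAINLINE, 646, 646),
        ("FG-VM64-XEN", SAMPLE_XEN, 5920, 646),
        ("not upgraded", SAMPLE_OLD, 646, 646),
        ("truncated output", SAMPLE_TRUNCATED, 646, 646),
    ]
    for name, text, build, branch in cases:
        result = check_upgrade(text, build, branch)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

For FG-VM64-XEN, pass 5920 as the expected build number and 646 as the expected branch point; for the other models both values are 646.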

DDNS
DDNS configurations under interface are moved to global mode config system ddns
after upgrading to FortiOS v4.0 MR2 Patch Release 12.

DNS server
The dns-query recursive/non-recursive options under specific interfaces are moved to the
system level per VDOM mode, and config system dns-server can be used to configure
the option after upgrading to FortiOS v4.0 MR2 Patch Release 12.

Ping server
gwdetect related configurations under specific interfaces are moved under router per VDOM
mode, and config router gwdetect can be used to configure the option after upgrading to
FortiOS v4.0 MR2 Patch Release 12.

Central-management
set auto-backup disable and set authorized-manager-only enable
configurations under config system central-management are removed after upgrading to
FortiOS v4.0 MR2 Patch Release 12.

SNMP community
A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to
FortiOS v4.0 MR2 Patch Release 12.

Modem settings
wireless-custom-vendor-id and wireless-custom-product-id are moved from
config system modem to config system 3g-modem custom after upgrading to FortiOS
v4.0 MR2 Patch Release 12.

AMC slot settings


The default value of ips-weight under config system amc-slot will be changed from
balanced to less-fw after upgrading to FortiOS v4.0 MR2 Patch Release 12.

Wireless radio settings


Wireless radio settings, except for SSID, Security Mode, and Authentication settings, will be lost
after upgrading.


Web filter overrides


The contents of Web Filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch
Release 4 build 0313 to FortiOS v4.0 MR2 Patch Release 12.

Firewall policy settings


If the source interface or destination interface is set as the amc-XXX interface, the default value
of ips-sensor under config firewall policy is changed from all_default to
default after upgrading to FortiOS v4.0 MR2 Patch Release 12.

URL filter
The action options in the urlfilter configuration have been changed from Allow, Pass,
Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action does not report
logs in FortiOS v4 MR3 Patch Release 1; the Monitor action is the one that allows
log reporting. The Pass action in FortiOS v4.0 MR2 has been merged with Exempt in FortiOS
v4.0 MR3 Patch Release 1, and the CLI command has been changed from set action pass
to set exempt pass.

FortiGuard log filter


The settings of config log fortiguard filter are removed after upgrading to FortiOS
v4.0 MR2 Patch Release 12.

FortiGuard log setting


The options quotafull and use-hdd in config log fortiguard setting are removed
upon upgrading to FortiOS v4.0 MR2 Patch Release 12.

Upgrading from FortiOS v4.0 MR1


Upgrading from FortiOS v4.0 MR1 is not supported. Please upgrade to FortiOS v4.0 MR3 Patch
Release 5 prior to upgrading to v4.0 MR3 Patch Release 11. For more information, see the
FortiOS v4.0 MR3 Patch Release 5 Release Notes.

Downgrading to FortiOS v4.0 MR1


Downgrading to FortiOS v4.0 MR1 (or later) results in configuration loss on ALL models. Only
the following settings are retained:
operation modes
interface IP/management IP
route static table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system access profiles.


Product Integration and Support


Supported web browsers
Microsoft Internet Explorer 8 and 9
Mozilla Firefox 15.0 and 16.0

FortiManager support
FortiOS v4.0 MR3 Patch Release 11 is supported by FortiManager v4.0 MR3 Patch Releases 6
and later.

FortiAnalyzer support
FortiOS v4.0 MR3 Patch Release 11 is supported by FortiAnalyzer v4.0 MR3.
If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to
FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function
correctly with FortiOS v4.0 MR3 Patch Release 11.

FortiClient support
FortiOS v4.0 MR3 Patch Release 11 is fully compatible with FortiClient v4.0 MR2 Patch Release
3 and later for the following operating systems:
Microsoft Windows XP 32-bit
Microsoft Windows Vista 32-bit
Microsoft Windows Vista 64-bit
Microsoft Windows 7 32-bit
Microsoft Windows 7 64-bit

FortiAP support
FortiOS v4.0 MR3 Patch Release 11 supports the following FortiAP models:
FAP-112B, FAP-210B, FAP-220A, FAP-220B, FAP-221B, FAP-222B, FAP-223B, FAP-320B
The FortiAP devices must be running FortiAP v4.0 MR3 or later.


Fortinet Single Sign-On (FSSO) support


FortiOS v4.0 MR3 Patch Release 11 is supported by FSSO v4.0 MR3 build 0129 for the
following:
Microsoft Windows Server 2003 R2 32-bit
Microsoft Windows Server 2003 R2 64-bit
Microsoft Windows Server 2008 32-bit
Microsoft Windows Server 2008 64-bit
Microsoft Windows Server 2008 R2 64-bit
Novell eDirectory 8.8.
IPv6 currently is not supported by FSSO.

FortiExplorer support
FortiOS v4.0 MR3 Patch Release 11 is supported by FortiExplorer v2.0 build 1022.

AV Engine and IPS Engine support


FortiOS v4.0 MR3 Patch Release 11 is supported by AV Engine v4.0 MR3 build 0398 and IPS
Engine v1.0 build 0247.

Module support
FortiOS v4.0 MR3 Patch Release 11 supports Advanced Mezzanine Card (AMC), Fortinet
Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage Module (FSM)
removable modules. These modules are not hot swappable. The FortiGate unit must be turned
off before the module is inserted or removed.
Table 1 outlines supported modules.
Table 1: Supported modules
AMC/FMC/FSM/RTM Modules | FortiGate Model
Storage Module, 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Storage Module, 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Accelerated Interface Module, 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Accelerated Interface Module, 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A, FG-5001A-DW
Accelerated Interface Module, 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A, FG-5001A-DW
Bypass Module, 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Bypass Module, 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Security Processing Module, 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, FG-5001A-SW
Security Processing Module, 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A, FG-5001A-DW
Security Processing Module, 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A, FG-5001A-DW
Security Processing Module, 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A
Rear Transition Module, 10-GbE backplane fabric (RTM-XD2) | FG-5001A-DW
Security Processing Module (ASM-ET4) | FG-310B, FG-311B
Rear Transition Module, 10-GbE backplane fabric (RTM-XB2) | FG-5001A-DW
Security Processing Module, 2x10-GbE SFP+ (FMC-XG2) | FG-3950B, FG-3951B
Accelerated Interface Module, 2x10-GbE SFP+ (FMC-XD2) | FG-3950B, FG-3951B
Accelerated Interface Module, 20xSFP (FMC-F20) | FG-3950B, FG-3951B
Accelerated Interface Module, 20x10/100/1000 (FMC-C20) | FG-3950B, FG-3951B
Security Processing Module (FMC-XH0) | FG-3950B

SSL-VPN support
SSL-VPN standalone client
FortiOS v4.0 MR3 Patch Release 11 supports the SSL-VPN tunnel client standalone installer
build 2277 for the following:
Windows in .exe and .msi format
Linux in .tar.gz format
Virtual Desktop in .jar format for Windows 7
Mac OS X 10.7 in .dmg format


Table 2 lists the supported operating systems.


Table 2: Supported operating systems
Windows | Linux | Mac OS X
Windows XP 32-bit SP3 | CentOS 5.6 | Lion 10.7
Windows 7 32-bit SP1 | |
Windows 7 64-bit SP1 | |
Virtual Desktop Support
Windows 7 32-bit SP1

SSL-VPN web mode


FortiOS v4.0 MR3 Patch Release 11 supports the following browsers for SSL-VPN web mode:
Internet Explorer 8.0
Internet Explorer 9.0
Firefox 13.0
Firefox 3.6
Safari 5.1

SSL-VPN host compatibility list


The following tables list the AntiVirus and Firewall client software packages that are supported.
Table 3 lists supported Windows XP AntiVirus and Firewall software.

Table 3: Supported Windows XP AntiVirus and Firewall software
Product | AntiVirus | Firewall
Symantec Endpoint Protection v11
Kaspersky AntiVirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 4 lists supported Windows 7 32-bit AntiVirus and Firewall software.

Table 4: Supported Windows 7 32-bit AntiVirus and Firewall software
Product | AntiVirus | Firewall
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
CA Internet Security Suite Plus Software
AVG Internet Security 2011
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Table 5 lists supported Windows 7 64-bit AntiVirus and Firewall software.

Table 5: Supported Windows 7 64-bit AntiVirus and Firewall software
Product | AntiVirus | Firewall
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
CA Internet Security Suite Plus Software
AVG Internet Security 2011

Explicit Web Proxy browser support


The following browsers are supported by the Explicit Web Proxy feature:
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 8.0
Mozilla Firefox 3.x


Resolved Issues
The resolved issues listed below do not list every bug that has been corrected with this release.
For inquiries about a particular bug, please contact Customer Support.

Data Leak Prevention


Table 6: Resolved Data Leak Prevention issues
Bug ID | Description
177167 | proxyworker daemon may crash when doing both AntiVirus and DLP on POP3 traffic.
184739 | Email file pattern filter does not work correctly.

ELBC
Table 7: Resolved ELBC issues
Bug ID | Description
161340 | Session lost after new blade joined the ELBC cluster.
179754 | Web-based Manager widgets break configuration sync, and may lead to traffic outage.

Email Filter
Table 8: Resolved Email Filter issues
Bug ID | Description
173123 | FortiGate cannot encode additional UTF-8 tag to mail subject properly.

Firewall
Table 9: Resolved Firewall issues
Bug ID | Description
146110 | Increase maximum concurrent connections for proxy worker.
174309 | SSL proxy always catches SSL connection and decrypts it.
175677 | The destination to IP in IP pool may fail.
176209 | SSL proxy rewrites server certificate for explicit FTPS connection even if FTPS is disabled in the AntiVirus profile.
178178 | DCE-RPC helper does not create expectation for IRemoteActivation IOXIDResolver method.
178548 | FortiGate sends TACACS+ authorization query with Minor Version equal to 1 instead of 0 in packet header.
178968 | Session setup rate is 32% less than build 0505.
183546 | SSL process with high memory.
183870 | SSL deep scan does not support >= TLSv1.1, causing a handshake failure.
184675 | Sessions not passing traffic until reset.

High Availability
Table 10: Resolved High Availability issues
Bug ID | Description
157903 | Increase of Group-IDs for FGCP HA cluster.
174198 | GTP tunnels are not synchronized between HA master and slave.
180794 | HA Split Brain occurs when error detected on FSM Module.
181271 | HATALK daemon consumes 99% CPU utilization.
181455 | When rebooting standby device, master device is affected.
182307 | Session is lost and marked as dirty after primary unit fails back from initial fail-over.
182442 | Slave unit cannot successfully sync IPS decoder settings.
187006 | Cluster that is built on FortiGate with hard disks might lose members.
187516 | ospf6d and bgpd daemon crashes may happen with certain configurations.

IPsec VPN
Table 11: Resolved IPsec VPN issues
Bug ID   Description
150359   L2TP-IPsec - L2TP packets are dropped once decrypted from IPsec tunnel.
170816   FortiGate 300C setup redundancy IPsec over port3 and port4, when port3 down, port4 does not work.
178732   IPsec SA rekeying affecting BGP.
178935   ike daemon crash with segmentation fault in IPsec with many split tunnels.


Log & Report


Table 12: Resolved Log & Report issues
Bug ID   Description
166236   Reliable syslog connection is reset if SEQ message is received.
180761   Attack name is missing in anomaly logs.
180985   Missing interface information in DoS attack logs on XLR interface.
184136   UTM logs show wrong interface.

Routing
Table 13: Resolved Routing issues
Bug ID   Description
165401   IPv6 routes learned via BGP not added to routing table.
166438   Delay in BGP (v4 & v6) updates being accepted into FIB.
172276   OSPF one way traffic over IPsec and NP4.
183537   OSPFv2 slow convergence for Summary/Type-3 routes.

SSL-VPN
Table 14: Resolved SSL-VPN issues
Bug ID   Description
174264   SSL-VPN tunnel cannot be connected in web mode in Firefox through proxy server.
177607   Problem accessing the Lotus Domino web mail from the SSL-VPN web mode portal.
179847   Some embedded Java scripts using Sharepoint are not rewritten through SSL-VPN Web portal.
180589   SSL-VPN Java applet (version 10.7.x) is not working with Mac OS X.
181139   Cannot open JSP object in SSL-VPN web mode.
182056   User less remained Framed-IP prevents RADIUS authentication.
183794   The Host Check function did not properly validate the client's system when running the periodic Host Check set for 300.
183823   The product accepted/used an invalid CRL for client certificate authentication/validation.
184054   SSL-VPN certificate setting change cannot take effect sometimes under stress.
185397   The SSL-VPN daemon crashed under SSL-VPN stress plus routing change.


185404   Remote web access portal upload hangs intermittently.
185455   SSL-VPN daemon memory leaking under stress test.
185658   SSL-VPN daemon high CPU usage.

System
Table 15: Resolved System issues
Bug ID   Description
127295   CLI reports error when aggregate/redundant interfaces are deleted.
156726   HTTPS SSL deep-scan download stalls at 99%.
161010   DNS PTR requests are forwarded to the wrong name server.
164367   proxyworker daemon may crash with signal 7.
166440   Missed MSISDN entries never time out in miglogd cache, causing memory usage to keep going up.
171443   Application List traffic shaper not applied on XH0 and XG2.
172302   diagnose system ntp status command not working properly.
172780   diagnose test app radius 3 output truncated.
173514   Source MAC address changed from vcluster2 MAC to vcluster1 MAC by using aggregate interface.
174691   FortiGate misses application list setting by system reboot.
174990   Speed up aggregate failover detection.
175529   cmdbsvr keeps CPU usage at 94% and lasts 22 minutes to upload Bulk CLI Command File.
176234   Changing configuration makes FortiGate 3040B crash/reboot.
176242   CPU utilization peaks of cmdbsvr and iked processes after configuration changes affecting user traffic.
176499   Error counter value for interfaces on CE4 module.
176606   Group-object-filter of LDAP group match cannot work.
176836   Giant packets with data-size >2122 cannot be processed by XH0 interface.
176951   No DoS attack log when XG2 is in NPU-Cascade mode.
176972   FortiGate sends destination MAC 00:00:00:00:00:00 packet when IP Pool receives sessionless TCP packet.
177215   ICMPv6 packets which are too big are sent even though packet size < MTU.


177326   Unable to store FortiToken in configuration file.
177462   SNMP reports ifHCInOctets statistics in 32 bit.
177528   Fix XG2 cards hang issue.
177555   Secondary-IP entry number inconsistency.
178018   NP2 (ADM-FB8) port flapping during high CPU.
178981   Forticron seems to have high memory.
179096   SNMPv3 engineboot counter is not incremental after reboot.
179438   FortiGate 3950B stopped forwarding traffic after some time in operation.
179449   GTP firewall memory leak.
179614   WAD daemon crashed when debug with filter enabled.
180673   During DoS targa2 attack on FortiGate 20C, unit becomes unresponsive.
181423   FortiGate 5101C fabric channel does not pass traffic.
181939   Interface configuration randomly lost.
182301   Build 0521: FortiGate allows more than one ICMP port unreachable packet through.
182417   Kernel NULL pointer error and auto reboot if we open jumbo supporting on FortiGate 800C.
183608   Use virtual time for watchdog in snmpd.
183821   FortiGate improperly gave the reason of invalid password when the administrator provides an incorrect account name.
184906   snmpd consumes all available UNIX socket descriptors and subsequently crashes.
185083   Packet capture cannot start again when finished.
185384   Some hosts behave like a black hole randomly during scan.
185434   Software switch does not pass traffic after reboot.

VoIP
Table 16: Resolved VoIP issues
Bug ID   Description
180504   No audio on incoming call to PBX which has call forwarding enabled.


WAN Optimization & Web Proxy


Table 17: Resolved WAN Optimization & Web Proxy issues
Bug ID   Description
182964   Fix WAD crash when cache object is invalidated by HTTP POST.
183006   Specific web page not fully loaded when explicit proxy with ActiveX filter is used.
176363   FortiGate WCCP router fails to forward traffic from client to webcache in middle of large file transfer.
180932   Cookie based web authentication does not work when authentication username is a certain length.
162330   Website is blocked when Web Filter is enabled with ftgd-disable (license expired) in web proxy policy.

Web-based Manager
Table 18: Resolved Web-based Manager issues
Bug ID   Description
118058   Cannot filter policy on count field.
150876   Duplex information on FortiWiFi 60B displays incorrectly.
154191   Moving around the web filtering monitor page or refreshing it causes conserve mode.
163974   The Override Category in the second entry (id=141) could not be displayed in the Web-based Manager.
168946   config restore password pre-filled with garbage causes restore to fail.
170730   Mismatch between CLI and Web-based Manager display after configuring set quarantine-log enable and set log enable on DoS Sensor.
171928   Visiting Email Monitor causes FortiGate to enter conserve mode.
172661   Web-based Manager Top 10 sessions display two or three items of same source address.
173130   Pull-down menu does not show up correctly when a firewall policy is created with a certain administrator profile.
176364   Web-based Manager has a problem disabling secondary-IP for VLAN interface.
176471   get wireless-controller wlchanlistlic outputs XML source code.
178033   UTM features cannot be displayed by using the newest Chrome version.
180234   Unit Operation shows minus number on interface packet counts.
180351   FortiGate SSL-VPN manage Web-based Manager remote memory corruption.


180964   FortiGate Web-based Manager SSL-VPN configuration memory corruption.
181112   FortiGate Web-based Manager cannot be shown in Windows 8 Internet Explorer 10.

Web Filter
Table 19: Resolved Web Filter issues
Bug ID   Description
158996   FortiGuard override URL is incorrect when using deep inspection and CN contains wildcard character.
185529   Web Filter authentication times out.

WiFi
Table 20: Resolved WiFi issues
Bug ID   Description
157663   WiFi channel bonding causes strange radio behavior.
176615   Suggest to remove channel settings from default WTP profiles.
177811   RADIUS does not failover to secondary server for an extended time period.
179246   WiFi Region Code "J" fails on the FortiWiFi 40C.
181802   Allow XSS characters in WiFi SSID names.
181841   FortiOS v4.0 MR3 default WTP profiles for FortiAP112B, and 320B should not have channels.
182678   An SSID may fail on the FortiWiFi 40C.


Known Issues
The known issues listed below do not include every bug that has been reported with this release.
For inquiries about a particular bug, please contact Customer Service & Support.

Endpoint Control
Table 21: Known Endpoint Control issues
Bug ID   Description
184536   Endpoint control profile is configurable, but cannot be applied to the firewall policy.

High Availability
Table 22: Known High Availability issues
Bug ID   Description
184915   HA not syncing added interfaces.
186053   All heartbeat links fail simultaneously, triggered by traffic.

IPsec VPN
Table 23: Known IPsec VPN issues
Bug ID   Description
182893   IPsec VPN traffic seems to work only one way when fastpath is enabled.
183638   High CPU with iked 95%-99%.

Log & Report


Table 24: Known Log & Report issues
Bug ID   Description
183778   Missing interface-policy ID field in DoS logs.

SSL-VPN
Table 25: Known SSL-VPN issues
Bug ID   Description
178431   SSL-VPN daemon may crash while browsing very long URLs in web portal.
179445   SSL-VPN/Citrix does not work on Windows 7 Enterprise.


179847   Some embedded Java scripts using Sharepoint are not rewritten through SSL Web portal.
179881   Remote Desktop session via SSL Web portal is not in full screen using 1366*768 screen resolution.
182443   SSL-VPN daemon may crash when certain traffic traverses the tunnel.

System
Table 26: Known System issues
Bug ID   Description
171261   Local images not displayed in replacement messages.
175326   FortiGate responds to ARP requests on 192.168.0.1 on MGMT1 interface.
176202   VLAN interface does not stick with software switch interface after reboot.
179613   Port9 to Port13 of the FortiGate 3040B cannot negotiate Huawei Router NE40.
181712   LACP (1G links) causes line flapping (Cisco switch side only).
185432   Traffic history for aggregate link is incorrect at the Web-based Manager.
188544   diagnose sys session6 filter shows source twice.
188769   ICMPv6 ping traffic is not blocked when there is no firewall policy on interface.
188772   diag sys top for CPU usage is not correct.

Upgrade
Table 27: Known Upgrade issues
Bug ID   Description
188860   UTM profile cannot be displayed when there is no default profile.

Web-based Manager
Table 28: Known Web-based Manager issues
Bug ID   Description
171226   If the policy ID exceeds 2147483647, a negative value is displayed on the Web-based Manager.
186030   Credential information is kept in the query string.
189029   No FortiToken listed in the Web-based Manager when editing administrator with remote authentication enabled.


Web Filter
Table 29: Known Web Filter issues
Bug ID   Description
178127   Web Filter block failures for specially crafted packets, single byte.
188607   FortiGuard service is intermittently unavailable, and urlfilter needs to be restarted to recover.

WiFi
Table 30: Known WiFi issues
Bug ID   Description
183513   When DARRP is enabled, a FortiAP device may intermittently become disconnected.
186562   FortiWiFi 80CM, virtual AP intermittently stops working and displays that the configuration failed.


Limitations
This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 11.

Citrix XenServer limitations


The following limitations apply to Citrix XenServer installations:
- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
    - XVA (recommended)
    - VHD
    - OVF
- The XVA format comes pre-configured with default configurations for VM name, virtual CPU,
  memory, and virtual NIC. Other formats will require manual configuration before the first
  power on process.

Open Source Xen limitations


When using Ubuntu 11.10, Xen 4.1.0, and libvirt 0.9.2, importing issues may arise when using
the qcow2 format and existing HDA issues.


Image Checksum
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After logging in,
click on Download > Firmware Image Checksum, enter the image file name, including the extension,
and select Get Checksum Code.
Figure 1: Customer Service & Support image checksum tool

End of Release Notes

