FortiOS v4.0 MR3 Patch Release 11 Release Notes
Technical Documentation
docs.fortinet.com
Knowledge Base
kb.fortinet.com
support.fortinet.com
Training Services
training.fortinet.com
FortiGuard
fortiguard.com
Document Feedback
techdocs@fortinet.com
Table of Contents
Change Log
Introduction
  Supported models
    FortiGate
    FortiWiFi
    FortiGate Virtual Machine
    FortiSwitch
FortiOS Carrier
  Supported models
    FortiCarrier models
Resolved Issues
  Data Leak Prevention
  ELBC
  Email Filter
  Firewall
  High Availability
  IPsec VPN
  Log & Report
  Routing
  SSL-VPN
  System
  VoIP
  WAN Optimization & Web Proxy
  Web-based Manager
  Web Filter
  WiFi
Known Issues
  Endpoint Control
  High Availability
  IPsec VPN
  Log & Report
  SSL-VPN
  System
  Upgrade
  Web-based Manager
  Web Filter
  WiFi
Limitations
  Citrix XenServer limitations
  Open Source Xen limitations
Image Checksum
Change Log
Date        Change Description
2012-11-21  Initial release.
2012-11-22  Added FAP-112B, FAP-223B, and FAP-320B to Product Integration and Support chapter.
Introduction
This document provides installation instructions and addresses issues and caveats in FortiOS
v4.0 MR3 Patch Release 11 build 0646.
Supported models
The following models are supported on FortiOS v4.0 MR3 Patch Release 11.
FortiGate
FG-20C, FG-20C-ADSL-A, FG-30B, FG-40C, FG-50B, FG-51B, FG-60B, FG-60C,
FG-60C-PoE, FG-80C, FG-80CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A,
FG-200B, FG-200B-PoE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B,
FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800C, FG-800F,
FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B,
FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A,
FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FG-5101C, and FG-One.
FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-30B, FWF-40C, FWF-50B, FWF-60B, FWF-60C,
FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.
FortiSwitch
FS-5203B
Summary of enhancements
The following is a list of enhancements in FortiOS v4.0 MR3 Patch Release 11:
Added upload log schedule option in the Web-based Manager.
Display platform information in the Web-based Manager.
FortiOS Carrier
This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release
11 build 0646.
Supported models
The following models are supported on FortiOS Carrier v4.0 MR3 Patch Release 11.
FortiCarrier models
FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001, FCR-5001A, FCR-5001B, FCR-5001FA2,
and FCR-5005FA2.
Firmware image filenames begin with FK.
See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR3.
Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory
default settings.
Important
Monitor settings for Web-based Manager access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for
all the objects in the Web-based Manager to be viewed properly.
Upgrade Information
Upgrading from FortiOS v4.0 MR3
FortiOS v4.0 MR3 Patch Release 11 build 0646 officially supports upgrade from FortiOS v4.0
MR3 GA or later.
FortiGate 100D
FortiOS v4.0 MR3 Patch Release 11 supports the FortiGate 100D platform. Included with this
model is a special purpose management port that operates on its own virtual domain (VDOM).
A known issue with this feature causes FortiCare registration to fail when it is initiated from
the FortiGate device while this port is connected to the Internet (and thus to FortiGuard and FortiCare).
Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR2
Patch Release 12 or later does not switch the management VDOM. You must change the
management VDOM from the default setting to the root VDOM.
To do this, use the following CLI commands:
config system global
set management-vdom root
end
end
DDNS
DDNS configurations under interface are moved to global mode config system ddns
after upgrading to FortiOS v4.0 MR2 Patch Release 12.
DNS server
The dns-query recursive/non-recursive option under specific interfaces is moved to the
system level per VDOM mode, and config system dns-server can be used to configure
the option after upgrading to FortiOS v4.0 MR2 Patch Release 12.
Ping server
gwdetect-related configurations under specific interfaces are moved under router per VDOM
mode, and config router gwdetect can be used to configure the option after upgrading to
FortiOS v4.0 MR2 Patch Release 12.
Central-management
set auto-backup disable and set authorized-manager-only enable
configurations under config system central-management are removed after upgrading to
FortiOS v4.0 MR2 Patch Release 12.
SNMP community
A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to
FortiOS v4.0 MR2 Patch Release 12.
Modem settings
wireless-custom-vendor-id and wireless-custom-product-id are moved from
config system modem to config system 3g-modem custom after upgrading to FortiOS
v4.0 MR2 Patch Release 12.
URL filter
The action options in the urlfilter configuration have been changed from Allow, Pass,
Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action does not report
logs in FortiOS v4.0 MR3 Patch Release 1; the Monitor action is the one that allows
log reporting. The Pass action in FortiOS v4.0 MR2 has been merged with Exempt in FortiOS
v4.0 MR3 Patch Release 1, and the CLI command has been changed from set action pass
to set exempt pass.
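A pre-upgrade check for the configuration changes listed in this section, added here as an example and not Fortinet's own code: it scans a configuration backup for settings that the notes above say are moved, removed or renamed. The sample backup is constructed, and matching interface keywords by the prefixes ddns and gwdetect is an assumption, since the notes name the features rather than every keyword.

```python
import re

# Rules transcribed from the upgrade notes: (section, key regex, value regex, note).
# Assumption: interface keywords are matched by the prefixes "ddns" and "gwdetect".
RULES = [
    ("system interface", r"ddns", r".*", "moves to config system ddns"),
    ("system interface", r"dns-query$", r".*", "moves to config system dns-server"),
    ("system interface", r"gwdetect", r".*", "moves to config router gwdetect"),
    ("system central-management", r"auto-backup$", r"disable", "removed"),
    ("system central-management", r"authorized-manager-only$", r"enable", "removed"),
    ("system modem", r"wireless-custom-(vendor|product)-id$", r".*", "moves to config system 3g-modem custom"),
    ("urlfilter", r"action$", r"pass", "becomes set exempt pass"),
]

# Constructed sample backup, not taken from a real device.
SAMPLE = """\
config system interface
    edit "wan1"
        set gwdetect enable
        set dns-query recursive
    next
end
config system central-management
    set auto-backup disable
end
config webfilter urlfilter
    edit 1
        config entries
            edit "example.com"
                set action pass
            next
        end
    next
end
"""

def audit(config_text):
    """Return (line number, top-level section, setting, note) per affected setting."""
    stack, findings = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)          # entering a (possibly nested) config block
        elif line == "end" and stack:
            stack.pop()                 # leaving the innermost config block
        elif line.startswith("set ") and stack:
            key, _, value = line[4:].strip().partition(" ")
            for section, key_re, val_re, note in RULES:
                if (any(section in s for s in stack) and re.match(key_re, key)
                        and re.fullmatch(val_re, value.strip())):
                    findings.append((no, stack[0], line, note))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```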
FortiManager support
FortiOS v4.0 MR3 Patch Release 11 is supported by FortiManager v4.0 MR3 Patch Releases 6
and later.
FortiAnalyzer support
FortiOS v4.0 MR3 Patch Release 11 is supported by FortiAnalyzer v4.0 MR3.
If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to
FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function
correctly with FortiOS v4.0 MR3 Patch Release 11.
FortiClient support
FortiOS v4.0 MR3 Patch Release 11 is fully compatible with FortiClient v4.0 MR2 Patch Release
3 and later for the following operating systems:
Microsoft Windows XP 32-bit
Microsoft Windows Vista 32-bit
Microsoft Windows Vista 64-bit
Microsoft Windows 7 32-bit
Microsoft Windows 7 64-bit
FortiAP support
FortiOS v4.0 MR3 Patch Release 11 supports the following FortiAP models:
FAP-112B, FAP-210B, FAP-220A, FAP-220B, FAP-221B, FAP-222B, FAP-223B, FAP-320B
The FortiAP devices must be running FortiAP v4.0 MR3 or later.
FortiExplorer support
FortiOS v4.0 MR3 Patch Release 11 is supported by FortiExplorer v2.0 build1022.
Module support
FortiOS v4.0 MR3 Patch Release 11 supports Advanced Mezzanine Card (AMC), Fortinet
Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage Module (FSM)
removable modules. These modules are not hot swappable. The FortiGate unit must be turned
off before the module is inserted or removed.
Table 1 outlines supported modules.
Table 1: Supported modules
AMC/FMC/FSM/RTM Modules
FortiGate Model
Storage Module
500GB HDD Single-Width AMC (ASM-S08)
Storage Module
64GB SSD Fortinet Storage Module (FSM-064)
FG-3810A, FG-5001A-DW
FG-3810A, FG-5001A-DW
Bypass Module
2x1000 Base-SX Single-Width AMC (ASM-FX2)
FG-3810A, FG-5001A-DW
FG-3810A, FG-5001A-DW
FG-3810A
FG-5001A-DW
FG-310B, FG-311B
FG-5001A-DW
FG-3950B, FG-3951B
FG-3950B, FG-3951B
FG-3950B, FG-3951B
FG-3950B, FG-3951B
FG-3950B
SSL-VPN support
SSL-VPN standalone client
FortiOS v4.0 MR3 Patch Release 11 supports the SSL-VPN tunnel client standalone installer
build 2277 for the following:
Windows in .exe and .msi format
Linux in .tar.gz format
Virtual Desktop in .jar format for Windows 7
Mac OS X 10.7 in .dmg format
Linux
Mac OS X
CentOS 5.6
Lion 10.7
Resolved Issues
The resolved issues listed below do not include every bug that has been corrected with this release.
For inquiries about a particular bug, please contact Customer Support.
Data Leak Prevention
Bug ID  Description
177167  proxyworker daemon may crash when doing both AntiVirus and DLP on POP3 traffic.
184739
ELBC
Table 7: Resolved ELBC issues
Bug ID  Description
161340
179754
Email Filter
Table 8: Resolved Email Filter issues
Bug ID  Description
173123
Firewall
Table 9: Resolved Firewall issues
Bug ID  Description
146110
174309
175677
176209  SSL proxy rewrites server certificate for explicit FTPS connection even if FTPS is disabled in the AntiVirus profile.
178178
178548
178968
183546
183870  SSL deep scan does not support >= TLSv1.1, causing a handshake failure.
184675
High Availability
Table 10: Resolved High Availability issues
Bug ID  Description
157903
174198
180794
181271
181455
182307  Session is lost and marked as dirty after primary unit fails back from initial fail-over.
182442
187006  Cluster that is built on FortiGate with hard disks might lose members.
187516  ospf6d and bgpd daemon crashes may happen with certain configurations.
IPsec VPN
Table 11: Resolved IPsec VPN issues
Bug ID  Description
150359  L2TP-IPsec - L2TP packets are dropped once decrypted from IPsec tunnel.
170816  FortiGate 300C setup redundancy IPsec over port3 and port4, when port3 down, port4 does not work.
178732
178935  ike daemon crash with segmentation fault in IPsec with many split tunnels.
Log & Report
Bug ID  Description
166236
180761
180985
184136
Routing
Table 13: Resolved Routing issues
Bug ID  Description
165401
166438  Delay in BGP (v4 & v6) updates being accepted into FIB.
172276
183537
SSL-VPN
Table 14: Resolved SSL-VPN issues
Bug ID  Description
174264  SSL-VPN tunnel cannot be connected in web mode in Firefox through proxy server.
177607  Problem accessing the Lotus Domino web mail from the SSL-VPN web mode portal.
179847  Some embedded Java scripts using Sharepoint are not rewritten through SSL-VPN Web portal.
180589
181139
182056
183794  The Host Check function did not properly validate the client's system when running the periodic Host Check set for 300.
183823
184054
185397  The SSL-VPN daemon crashed under SSL-VPN stress plus routing change.
185404
185455
185658
System
Table 15: Resolved System issues
Bug ID  Description
127295
156726
161010
164367
166440  Missed MSISDN entries never time out in the miglogd cache, which caused memory usage to keep going up.
171443
172302
172780
173514  Source MAC address changed from vcluster2 MAC to vcluster1 MAC by using aggregate interface.
174691
174990
175529  cmdbsvr keeps CPU usage at 94% and takes 22 minutes to upload a Bulk CLI Command File.
176234
176242
176499
176606
176836
176951
176972
177215  ICMPv6 packets which are too big are sent even though packet size < MTU.
177326
177462
177528
177555
178018
178981
179096
179438
179449
179614
180673
181423
181939
182301  Build 0521: FortiGate allows more than one ICMP port unreachable packet through.
182417  Kernel NULL pointer error and automatic reboot when jumbo support is enabled on FortiGate 800C.
183608
183821
184906
185083
185384
185434
VoIP
Table 16: Resolved VoIP issues
Bug ID  Description
180504
WAN Optimization & Web Proxy
Bug ID  Description
182964
183006  Specific web page not fully loaded when explicit proxy with ActiveX filter is used.
176363
180932
162330
Web-based Manager
Table 18: Resolved Web-based Manager issues
Bug ID  Description
118058
150876
154191  Moving around the web filtering monitor page or refreshing it causes conserve mode.
163974  The Override Category in the second entry (id=141) could not be displayed in the Web-based Manager.
168946
170730
171928
172661
173130  Pull-down menu does not show up correctly when a firewall policy is created with a certain administrator profile.
176364
176471
178033
180234
180351
180964
181112
Web Filter
Table 19: Resolved Web Filter issues
Bug ID  Description
158996
185529
WiFi
Table 20: Resolved WiFi issues
Bug ID  Description
157663
176615
177811  RADIUS does not failover to secondary server for an extended time period.
179246
181802
181841  FortiOS v4.0 MR3 default WTP profiles for FortiAP112B, and 320B should not have channels.
182678
Known Issues
The known issues listed below do not include every bug that has been reported with this release.
For inquiries about a particular bug, please contact Customer Service & Support.
Endpoint Control
Table 21: Known Endpoint Control issues
Bug ID  Description
184536
High Availability
Table 22: Known High Availability issues
Bug ID  Description
184915
186053
IPsec VPN
Table 23: Known IPsec VPN issues
Bug ID  Description
182893  IPsec VPN traffic seems to work only one way when fastpath is enabled.
183638
Log & Report
Bug ID  Description
183778
SSL-VPN
Table 25: Known SSL-VPN issues
Bug ID  Description
178431  SSL-VPN daemon may crash while browsing very long URLs in web portal.
179445
179847  Some embedded Java scripts using Sharepoint are not rewritten through SSL Web portal.
179881  Remote Desktop session via SSL Web portal is not in full screen using 1366*768 screen resolution.
182443  SSL-VPN daemon may crash when certain traffic traverses the tunnel.
System
Table 26: Known System issues
Bug ID  Description
171261
175326
176202  VLAN interface does not stick with software switch interface after reboot.
179613
181712  LACP (1G links) causes line flapping (Cisco switch side only).
185432
188544
188769  ICMPv6 ping traffic is not blocked when there is no firewall policy on interface.
188772
Upgrade
Table 27: Known Upgrade issues
Bug ID  Description
188860
Web-based Manager
Table 28: Known Web-based Manager issues
Bug ID  Description
171226
186030
189029
Web Filter
Table 29: Known Web Filter issues
Bug ID  Description
178127  Web Filter block failures for specially crafted packets, single byte.
188607
WiFi
Table 30: Known WiFi issues
Bug ID  Description
183513
186562  FortiWiFi 80CM, virtual AP intermittently stops working and displays that the configuration failed.
Limitations
This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 11.
Image Checksum
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After logging in,
click on Download > Firmware Image Checksum, enter the image file, including the extension,
and select Get Checksum Code.
Figure 1: Customer Service & Support image checksum tool