Release Notes
v4.0 MR2
01-420-84420-20100331
Release Notes FortiOS v4.0 MR2
Table of Contents
1 FortiOS v4.0 MR2
1.1 Summary of Enhancements Provided by v4.0 MR2
2 Special Notices
2.1 General
2.2 Configuration Files Backups
2.3 External Modem Support
2.4 SSL-VPN Notes
2.5 Logging to FortiAnalyzer using AMC Hard Disk
2.6 AV Scanning Of Archived Files
2.7 WCCP Multi-VDom Support
2.8 Endpoint Control
2.9 Supported Character Sets
2.10 ASM-SAS Module Support
2.11 AntiSpam Engine Support
2.12 FortiGuard support for IPv6
2.13 STP Support for WAN2 Interface
2.14 HMAC Offload Setting Change
2.15 STP Packet Support on FGT-110C and FGT-111C
2.16 FortiGuard Service is Enabled By Default
2.17 AntiVirus and IPS Update
3 Upgrade Information
3.1 Upgrading from FortiOS v3.00 MR7
3.2 Upgrading from FortiOS v4.0
3.3 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v3.00
5 Fortinet Product Integration and Support
5.1 FortiManager Support
5.2 FortiAnalyzer Support
5.3 FortiClient Support
5.4 Fortinet Server Authentication Extension (FSAE) Support
5.5 AV Engine and IPS Engine Support
5.6 3G MODEM Support
5.7 AMC Module Support
5.8 SSL-VPN Support
5.8.1 SSL-VPN Standalone Client
5.8.2 SSL-VPN Web Mode
5.9 SSL-VPN Host Compatibility List
6 Resolved Issues in FortiOS v4.0 MR2
6.1 Command Line Interface (CLI)
6.2 Web User Interface
6.3 System
6.4 High Availability
6.5 Firewall
6.6 IPS
6.7 VPN
6.8 Web Filter
Change Log
Date Change Description
Trademarks
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.
Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com
FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3600, FGT-3600A, FGT-3810A, FGT-5001A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2.
All models are supported on the regular v4.0 MR2 branch.
Please visit http://docs.forticare.com/fgt.html for additional documents on the FortiOS v4.0 MR2 release.
2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.
IMPORTANT!
• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to
be viewed properly.
• Microsoft Internet Explorer™ 8.0 (IE8) and Firefox 3.5 or later are fully supported.
• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.
• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper
display of the Web UI screens.
• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently
available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible
after upgrading. Consult the FortiGate User Guide for detailed procedures.
• In web mode, the "RDP to Host" option can accept a keyboard layout setting as a parameter when the client connects to a
server.
• In the "RDP to Host" field type:
• <IP address or FQDN of the server> -m <language>
• <language> is one of the following:
• ar Arabic
• da Danish
• de German
• en-gb English - Great Britain
• en-us English - US
• es Spanish
• fi Finnish
• fr French
• fr-be Belgian French
• fr-ca French (Canada)
• fr-ch French (Switzerland)
• hr Croatian
• it Italian
• ja Japanese
• lt Lithuanian
• lv Latvian
• mk Macedonian
• no Norwegian
• pl Polish
• pt Portuguese
• pt-br Brazilian Portuguese
• ru Russian
• sl Slovenian
• sv Swedish
• tk Turkmen
• tr Turkish
• Japanese: jisx0201, jisx0208, jisx0212, sjis, euc_jp, ISO 2022_jp, ISO 2022_jp1, ISO 2022_jp2, ISO 2022_jp3
• Chinese: gb2312, euc_cn, ces_gbk, ces_big5, hz
• Korean: ksc5601_ex, euc_kr
• Thai: tis620, cp874
• Latin (French, German, Spanish and Italian): ISO 8859_1, cp1252
• Serbian, Macedonian, Bulgarian and Russian: cp1251
• FGT-5001A
• FGT-3810A
3 Upgrade Information
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[FortiOS v4.0]
The upgrade is supported from FortiOS v4.0.4 B0113 or later.
After every upgrade, ensure that the build number and branch point match the image that was loaded.
In FortiOS v4.0.4
Before upgrading, back up your configuration and parse the webfilter exempt list entries, then merge them into the webfilter content list
after the upgrade.
After merging the exempt list from v4.0.4 to the webfilter content list
end
[VoIP Settings]
FortiOS v4.0 MR2 can archive messages and files caught by the Data Leak Prevention (DLP) feature, which includes some
VoIP messages. However, some scenarios have implications for configuration retention during the upgrade. Consider the following:
Upon upgrading to FortiOS v4.0 MR2, the VoIP settings are not moved into the DLP archive feature.
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[DLP Rule]
A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2.
[AlertMail Setting]
The "set local-disk-usage-warning enable" setting under "config alertemail settings" will be reset to
disable after upgrading to FortiOS v4.0 MR2.
The settings under "config system autoupdate schedule" will be reset to their default values after upgrading to FortiOS v4.0
MR2.
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles
Description: An httpsd backtrace error message may be displayed on the console when accessing the Endpoint NAC > Monitor web UI
page.
Bug ID: 114873
Status: Fixed in v4.0 MR2.
6.3 System
Description: The FortiGate-110C may randomly encounter a kernel panic.
Bug ID: 114759
Models Affected: FGT-110C
Status: Fixed in v4.0 MR2.
Description: The FortiGate may unexpectedly enter conserve mode, even when memory and CPU usage are low.
Bug ID: 118011
Status: Fixed in v4.0 MR2.
Description: On rare occasions the FortiGate may encounter a kernel panic and freeze.
Bug ID: 119777
Status: Fixed in v4.0 MR2.
Description: On rare occasions a kernel bug may cause the FortiGate to unexpectedly freeze with no console output.
Bug ID: 118435
Status: Fixed in v4.0 MR2.
Description: An SMTP connection may be abruptly disconnected when multiple invalid email addresses are pipelined into the SMTP proxy.
Bug ID: 109102
Status: Fixed in v4.0 MR2.
Description: SIP VIP with port forwarding enabled may not translate the destination port correctly.
Bug ID: 108480
Status: Fixed in v4.0 MR2.
Description: The FortiGate may encounter a kernel panic when an IPv6 ICMPv6 neighbor solicitation request occurs on the wrong
interface.
Bug ID: 117816
Status: Fixed in v4.0 MR2.
Description: The FGT-1240B sometimes does not recognize that an FTP session is still active when traffic is passing through NP4
interfaces.
Bug ID: 118196
Models Affected: FGT-1240B
Status: Fixed in v4.0 MR2.
Description: SNMP traps with a link-local address of '169.254.0.1' are generated when traps are forwarded from the HA slave to the master.
Bug ID: 118381
Status: Fixed in v4.0 MR2.
Description: The vsd daemon may randomly crash when under heavy load.
Bug ID: 90877
Status: Fixed in v4.0 MR2.
Description: The 'Top Viruses Graph' chart does not work on Virtual Cluster 2.
Bug ID: 96566
Status: Fixed in v4.0 MR2.
6.5 Firewall
Description: If a server requires a client-side certificate and the SSL inspection feature is enabled, the connection will be blocked by
the FortiGate. SSL inspection should not play man-in-the-middle for sessions that use a client certificate.
Bug ID: 87297
Status: Fixed in v4.0 MR2.
Description: sslvpnd may crash if a firewall address being used in an SSL portal is renamed.
Bug ID: 115301
Status: Fixed in v4.0 MR2.
Description: The per-ip-shaper feature may not work when an id-based policy is enabled.
Bug ID: 114277
Status: Fixed in v4.0 MR2.
6.6 IPS
Description: The IPS Sensor may not work when the 'Quarantine Attackers (to Banned Users List)' option is enabled.
Bug ID: 113641
Status: Fixed in v4.0 MR2.
6.7 VPN
Description: FortiClient may not be able to connect to the FortiGate dialup IPSec interface when using a certificate.
Bug ID: 115456
Status: Fixed in v4.0 MR2.
Description: SSLVPN virtual desktop may fail to launch after installing Microsoft security update (KB955759).
Bug ID: 120473
Status: Fixed in v4.0 MR2.
Description: On rare occasions all SSLVPN users may unexpectedly get disconnected.
Bug ID: 119201
Status: Fixed in v4.0 MR2.
Description: Users cannot log in to the SSL-VPN portal if the policy is using an FQDN as the source address.
Bug ID: 87339
Status: Fixed in v4.0 MR2.
Description: SSL-VPN user defined bookmarks may be lost if the FortiGate is rebooted.
Bug ID: 112318
Status: Fixed in v4.0 MR2.
Description: The FortiGate may block traffic from going through a policy-based IPSec tunnel on an NP2 interface if the fastpath
setting is set to enable.
Bug ID: 122553
Status: Fixed in v4.0 MR2.
Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR2.
Models Affected: All
Bug ID: See table
Description: All default SQL reports are lost after changing opmode from NAT to TP.
Models Affected: FGT-3600A
Bug ID: 108188
Status: Fixed in v4.0 MR2.
Description: "Buffer to hard disk and upload" feature may not work when archiving to FAMS.
Bug ID: 108522
Status: Fixed in v4.0 MR2.
Description: Users can be deleted from the 'Ignore User List' by selecting users and clicking the OK button.
Bug ID: 115432
Description: The FSAE collector agent may not receive user logon events when the warning dialog box is open.
Bug ID: 115430
Status: Fixed in v4.0 MR2.
Description: Some administrators are unable to see logon users and monitored DCs in the FSAE Collector Agent.
Bug ID: 112364
Status: Fixed in v4.0 MR2.
Description: The FSAE collector agent does not wait long enough for a response from the remote workstation or DC.
Bug ID: 120354
Status: Fixed in v4.0 MR2.
Description: The collector agent service may stop when the apply button is clicked twice on the FSAE config web UI page.
Bug ID: 120678
Status: Fixed in v4.0 MR2.
Description: DNS queries may fail if the hostname is longer than 15 characters.
Bug ID: 112753
Status: Fixed in v4.0 MR2.
Description: When creating a policy route from the web UI, the destination port numbers are not saved if the protocol number is set to zero.
Bug ID: 78402
Status: To be fixed in a future release.
Description: The web UI does not warn the user that an SMTP signature is too long and consequently truncates the signature
to 1000 characters.
Bug ID: 65422
Status: To be fixed in a future release.
Description: The "Disclaimer and Redirect URL to" setting cannot be seen from the web UI after "Identity Based
Policy" is disabled.
Bug ID: 108589
Status: To be fixed in a future release.
Description: The status of all interfaces is shown as up in the FortiGate's image on the dashboard.
Models Affected: FGT-110C
Bug ID: 115502
Status: To be fixed in a future release.
Description: The feature menu on the left side may get greyed out when a new dashboard is added.
Bug ID: 122208
Status: To be fixed in a future release.
Description: The column headings on the Firewall > Policy > Policy web UI page may get misaligned with the column values.
Bug ID: 117698
Status: To be fixed in a future release.
7.3 System
Description: If a FortiGate using an ASM-CX4/FX2 module has multiple VDoms configured and at least one of the VDoms is in TP
mode, the user is allowed to enable amc bypass mode even if all ASM-CX4/FX2 interfaces are assigned to a NAT VDom.
Bug ID: 91519
Status: To be fixed in a future release.
Description: ASM-FB4/FB8 interfaces with a fiber SFP may not work when the interface speed is set to 1000full.
Bug ID: 90674
Status: To be fixed in a future release.
Description: If a FortiGate using an ASM-CX4/FX2 module has multiple VDoms configured and at least one of the VDoms is in TP
mode, the user is allowed to enable amc bypass mode even if all ASM-CX4/FX2 interfaces are assigned to a NAT VDom.
Bug ID: 91519
Status: To be fixed in a future release.
Description: Traffic going through the ASM-FX2 card keeps getting bypassed when an ASM-CX4 card is used in slot1, an ASM-FX2 card
is used in slot2, and bypass-mode is set to disable.
Bug ID: 90017
Status: To be fixed in a future release.
Description: The master FortiGate's console may display '[ha_auth.c:200]: unsupported auth_sync type 16' error
message when upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR2.
Bug ID: 96380
Status: To be fixed in a future release.
Description: Sessions may get synced between master and slave members even when the 'session sync' option is disabled.
Bug ID: 112453
Status: To be fixed in a future release.
Description: The usage widget on the dashboard may not include statistics from the slave FortiGate.
Bug ID: 120478
Status: To be fixed in a future release.
Description: The slave FortiGate may fail to upgrade from FortiOS v4.1 B0194 to FortiOS v4.2 when the 'uninterruptable-upgrade'
option is set to disable.
Bug ID: 121314
Status: To be fixed in a future release.
Description: The master unit in an A-A mode cluster stops load-balancing when a redundant link interface on the slave unit
is unplugged.
Bug ID: 58959
Status: To be fixed in a future release.
Description: The traffic count on a firewall policy will be reset to zero after an HA failover.
Bug ID: 83105
Status: To be fixed in a future release.
7.5 Firewall
Description: The firewall protection profile may not work when in SSL offload mode.
Bug ID: 97704
Status: To be fixed in a future release.
Description: The traffic count on a firewall policy will be reset to zero after an HA failover.
Bug ID: 83105
Status: To be fixed in a future release.
Description: The file pattern list is not effective if the list exceeds 125 entries.
Bug ID: 90096
Status: To be fixed in a future release.
Description: A user may be able to add a firewall policy comment over the allowed limit by using double-byte characters. This may
cause WebUI and configuration corruption.
Bug ID: 106964
Status: To be fixed in a future release.
Description: If a server requires a client-side certificate and the SSL inspection feature is enabled, the connection will be blocked by
the FortiGate. SSL inspection should not play man-in-the-middle for sessions that use a client certificate.
Bug ID: 87297
Status: To be fixed in a future release.
7.6 Antivirus
Description: The scanunit daemon may randomly crash.
Bug ID: 118706
Status: To be fixed in a future release.
Description: The file pattern list is not effective if the list exceeds 125 entries.
Bug ID: 90096
Status: To be fixed in a future release.
Description: The Antivirus > File Filter feature blocks a file even if the URL is included in the WebFilter URL exempt list.
Bug ID: 114513
Status: To be fixed in a future release.
7.7 IPS
Description: IPS traffic cannot be offloaded to interfaces on ASM-CE4, ADM-XE2, or ADM-FE8 modules.
Models Affected: All models using ASM-CE4, ADM-XE2, or ADM-FE8 module.
Bug ID: 122411
Status: To be fixed in a future release.
Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR2.
Models Affected: All
Bug ID: See table
7.12 VPN
Description: The SSL-VPN TELNET and SSH applet only supports ISO/IEC 8859-1 encoding. Characters with other encodings may
freeze the applet.
Bug ID: 90642
Status: To be fixed in a future release.
Description: Traffic selector negotiation may fail if selectors are not exactly matched on the two peers.
Bug ID: 112350
Status: To be fixed in a future release.
Description: SSLVPN web mode may not be able to connect to OWA 2003 using the IE8 browser.
Bug ID: 120766
Status: To be fixed in a future release.
Description: The SQL report quota does not support the 'diskfull override' setting.
Bug ID: 116801
Status: To be fixed in a future release.
Description: The log setting under 'config ips DoS' is inadvertently set to enable after a FortiGate is rebooted.
Bug ID: 118824
Status: To be fixed in a future release.
Description: Content archiving of NNTP files is not supported in FortiOS v3.00 MR6 even though the option appears
grayed out, implying it may be enabled through another configured option.
Bug ID: 44510
Status: To be fixed in a future release.
Description: Traffic logs cannot be viewed in raw format when SQL disk logging is enabled.
Bug ID: 122215
Status: To be fixed in a future release.
7.16 Wi-Fi
Description: The FortiWiFi-60B may fail to detect an access point running in the 802.11a band when the mode is changed from AP to SCAN.
Models Affected: FWF-60B
Bug ID: 120127
Status: To be fixed in a future release.
8 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com).
After logging in, click on the "Firmware Images Checksum Code" link in the left frame.
Note: As some P2P clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the
firewall.
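| Ports / Connection | Action | Skype 3.8 | Kazaa 3.2.7 | BearShare 7.0 | Shareaza 4.1 | BitComet 1.0.7 | eMule 0.49b | Azureus 4.0.0.2 | LimeWire 4.18.8 | iMesh 8.0 | DC++ 0707 | Winny 728 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Standard Ports, Direct Internet Connection | Pass | N/A | N/A | OK | OK | OK | OK | OK | OK | OK | OK | OK |
| Standard Ports, Direct Internet Connection | Block | N/A | N/A | OK | OK | OK | OK | OK | OK | OK | OK | OK |
| Standard Ports, Direct Internet Connection | Rate Limit | N/A | N/A | Bug ID: 86147 | OK | OK | Bug ID: 86452 | OK | Bug ID: 77852 | OK | N/A | OK |
| Standard Ports, Proxy Internet Connection | Pass | N/A | N/A | OK | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Standard Ports, Proxy Internet Connection | Block | N/A | N/A | OK | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Standard Ports, Proxy Internet Connection | Rate Limit | N/A | N/A | OK | N/A | N/A | Bug ID: 86452 | OK | OK | N/A | N/A | N/A |
| Non-standard Ports, Direct Internet Connection | Pass | OK | OK | N/A | OK | OK | OK | OK | OK | OK | N/A | N/A |
| Non-standard Ports, Direct Internet Connection | Block | Bug ID: 37845 | OK | N/A | OK | OK | OK | OK | OK | OK | N/A | N/A |
| Non-standard Ports, Direct Internet Connection | Rate Limit | N/A | OK | N/A | OK | OK | Bug ID: 86452 | OK | Bug ID: 77852 | OK | N/A | N/A |
| Non-standard Ports, Proxy Internet Connection | Pass | OK | OK | N/A | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Non-standard Ports, Proxy Internet Connection | Block | Bug ID: 37845 | OK | N/A | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Non-standard Ports, Proxy Internet Connection | Rate Limit | N/A | OK | N/A | N/A | N/A | Bug ID: 86452 | OK | Bug ID: 77852 | N/A | N/A | N/A |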
• An article on "Communication between FortiManager v4.0 and FortiGate" can be accessed through the following link:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30157
• An article on "FortiGate and FortiOS support for 802.3ad" can be accessed through the following link:
http://kb.fortinet.com/kb/viewdocument.do?externalId=11640&sliceId=1&docType=kc&dialogID=5039610&cmd=displayKC&docTypeID=DT_KCARTICLE_1_1&stateId=0+0+5037649&highlight=on