
FortiGate® Multi-Threat Security System

Release Notes
v4.0 MR2

01-420-84420-20100331
Release Notes FortiOS v4.0 MR2

Table of Contents
1 FortiOS v4.0 MR2
1.1 Summary of Enhancements Provided by v4.0 MR2
2 Special Notices
2.1 General
2.2 Configuration Files Backups
2.3 External Modem Support
2.4 SSL-VPN Notes
2.5 Logging to FortiAnalyzer using AMC Hard Disk
2.6 AV Scanning Of Archived Files
2.7 WCCP Multi-VDom Support
2.8 Endpoint Control
2.9 Supported Character Sets
2.10 ASM-SAS Module Support
2.11 AntiSpam Engine Support
2.12 FortiGuard support for IPv6
2.13 STP Support for WAN2 Interface
2.14 HMAC Offload Setting Change
2.15 STP Packet Support on FGT-110C and FGT-111C
2.16 FortiGuard Service is Enabled By Default
2.17 AntiVirus and IPS Update
3 Upgrade Information
3.1 Upgrading from FortiOS v3.00 MR7
3.2 Upgrading from FortiOS v4.0
3.3 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v3.00
5 Fortinet Product Integration and Support
5.1 FortiManager Support
5.2 FortiAnalyzer Support
5.3 FortiClient Support
5.4 Fortinet Server Authentication Extension (FSAE) Support
5.5 AV Engine and IPS Engine Support
5.6 3G MODEM Support
5.7 AMC Module Support
5.8 SSL-VPN Support
5.8.1 SSL-VPN Standalone Client
5.8.2 SSL-VPN Web Mode
5.9 SSL-VPN Host Compatibility List
6 Resolved Issues in FortiOS v4.0 MR2
6.1 Command Line Interface (CLI)
6.2 Web User Interface
6.3 System
6.4 High Availability
6.5 Firewall
6.6 IPS
6.7 VPN
6.8 Web Filter

i March 31, 2010


6.9 Data Leak Prevention
6.10 Instant Message
6.11 WAN Optimization
6.12 Log & Report
6.13 FSAE Collector Agent
7 Known Issues in FortiOS v4.0 MR2
7.1 Command Line Interface (CLI)
7.2 Web User Interface
7.3 System
7.4 High Availability
7.5 Firewall
7.6 Antivirus
7.7 IPS
7.8 Web Filter
7.9 Data Leak Prevention
7.10 Instant Message
7.11 Application Control
7.12 VPN
7.13 Log & Report
7.14 FSAE Collector Agent
7.15 FSAE Windows DC Agent
7.16 Wi-Fi
8 Image Checksums
9 Appendix A – P2P Clients and Supported Configurations
10 Appendix B – Knowledge Base Articles

Change Log
Date Change Description

2010-03-31 Initial Release.

© Copyright 2010 Fortinet Inc. All rights reserved.


Release Notes FortiOS™ v4.0 MR2.

Trademarks
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com


1 FortiOS v4.0 MR2


This document provides installation instructions and addresses issues and caveats in the FortiOS™ v4.0 MR2 B0272 release. The
following outlines the release status for several models.

| Model | FortiOS v4.0 MR2 Release Status |
|---|---|
| FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3600, FGT-3600A, FGT-3810A, FGT-5001A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2. | All models are supported on the regular v4.0 MR2 branch. |

Please visit http://docs.forticare.com/fgt.html for additional documents on the FortiOS v4.0 MR2 release.

1.1 Summary of Enhancements Provided by v4.0 MR2


The following is a brief list of the new features added in FortiOS v4.0 MR2.

• New Web UI Design


• Supports Dynamic Proxy Allocation
• IS-IS Routing Protocol Support
• WCCP Client Support
• Explicit Proxy Improvements
• HA Management Port Reservation
• SSL Proxy Exemption by FortiGuard Category
• Web 2.0 Log Viewer
• Introduced 'grep' Capability in the CLI
• Supports sFlow (Client)
• Supports FortiGuard Widget on the Dashboard
• Local Content Archive Support
• Introduces Report Module Feature
• HA Sub-second Failover Support
• Enhanced Support for BGP Routing
• Introduction of Web Filtering Quota
• Supports ELBC Synchronization
• Endpoint Control - Extension to Endpoint Application Detection
• Dashboard Widget Extensions
• Supports L2TP with IPSec
• Skype Control Improvement
• Supports VRRP and Link Failure Control
• Per-IP Bandwidth Dashboard Widget
• Improved Client Certificate Handling for SSL Inspection
• Maximum Concurrent Users for Explicit Proxy
• Full SIP Feature Support
• FSAE Support Polling Domain Controllers

• Improved DC Agent Distribution (MSI)


• Storage Health Monitor Feature
• Improved Disk I/O Scalability
• Protection Profile Re-work
• Supports Web Cache Exempt List
• Introduction of Network Scan Feature
• Introduction of Network Monitoring Feature
• Supports Password Renewal for LDAP or RADIUS Users
• Disk Management
• Supports Extreme AV Database
• Introduction of Flow-based AntiVirus Feature
• Supports Diagnostic Command Lock-down
• Configuration Revision History and Templates
• Enhanced Customizable Web UI Feature
• Introduces Support for Stateful SCTP Firewall


2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to
be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 8.0 (IE8) and Firefox 3.5 or later are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper
display of the Web UI screens.
• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently
available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible
after upgrading. Consult the FortiGate User Guide for detailed procedures.

2.2 Configuration Files Backups


Configuration files that are backed up in FortiOS v4.0 MR2 without the encryption option are saved in clear text and are not
compressed. For security reasons, it is recommended that you enable encryption to protect the authentication certificates used in
VPNs, SSL-VPNs, and administrative access.

2.3 External Modem Support


On FortiGate models that only support external modems, modems can be configured only through the CLI in FortiOS
v4.0 MR2.

2.4 SSL-VPN Notes


The following is a special notice related to the SSL-VPN implementation.

• The "RDP to Host" option in web mode can accept a keyboard layout setting as a parameter when the client connects to a
server.
• In the "RDP to Host" field, type:
    <IP address or FQDN of the server> -m <language>
• <language> is one of the following:
    • ar Arabic
    • da Danish
    • de German
    • en-gb English - Great Britain
    • en-us English - US
    • es Spanish
    • fi Finnish
    • fr French
    • fr-be Belgian French
    • fr-ca French (Canada)
    • fr-ch French (Switzerland)
    • hr Croatian
    • it Italian
    • ja Japanese
    • lt Lithuanian
    • lv Latvian
    • mk Macedonian
    • no Norwegian
    • pl Polish
    • pt Portuguese
    • pt-br Brazilian Portuguese
    • ru Russian
    • sl Slovenian
    • sv Swedish
    • tk Turkmen
    • tr Turkish

2.5 Logging to FortiAnalyzer using AMC Hard Disk


If logging to a FortiAnalyzer is enabled and the "Log to AMC Hard Disk & Upload to FortiAnalyzer" option is enabled, all logs are
stored on the AMC hard disk before being sent to the FortiAnalyzer. In the event of an AMC hard disk failure, all logs stored on the
hard disk and waiting to be sent to the FortiAnalyzer may be lost.

2.6 AV Scanning Of Archived Files


The decompression nesting levels for archived files being scanned by the AV engine can now be configured through the CLI. The
default decompression level is set to 12.

2.7 WCCP Multi-VDom Support


WCCPv2 is a per-vdom feature, hence the WCCP configuration and web cache should reside on the same VDom. The FortiGate does
not support scenarios where WCCPv2 settings are distributed on different VDoms.

2.8 Endpoint Control


The Endpoint Control check feature cannot be used with a load balance VIP.

2.9 Supported Character Sets


The following character sets are supported by the web filter and spamfilter features.

• Japanese
    • jisx0201
    • jisx0208
    • jisx0212
    • sjis
    • euc_jp
    • ISO 2022_jp
    • ISO 2022_jp1
    • ISO 2022_jp2
    • ISO 2022_jp3
• Chinese
    • gb2312
    • euc_cn
    • ces_gbk
    • ces_big5
    • hz
• Korean
    • ksc5601_ex
    • euc_kr
• Thai
    • tis620
    • cp874
• Latin (French, German, Spanish and Italian)
    • ISO 8859_1
    • cp1252
• Serbian, Macedonian, Bulgarian and Russian
    • cp1251

2.10 ASM-SAS Module Support


FortiOS v4 supports the ASM-SAS module on the following models:

• FGT-5001A
• FGT-3810A

2.11 AntiSpam Engine Support


AS engine and AS heuristic rule set updates from the FortiGuard system will be supported in a future release for FortiOS.

2.12 FortiGuard support for IPv6


FortiGuard does not support the URL rating of IPv6 addresses. URLs that resolve through DNS to an IPv6 address do have supported
rating and filtering.

2.13 STP Support for WAN2 Interface


The stpforward option under the wan2 interface has been removed for FGT-110C and FGT-111C (bug 100596).

2.14 HMAC Offload Setting Change


The default setting for the hmac-offload command has been changed to enable. This may violate ICSA compliance.
Therefore, users who require their FortiGate device to be ICSA compliant should disable this option.

2.15 STP Packet Support on FGT-110C and FGT-111C


The stpforward option on FortiGate-110C and FortiGate-111C interfaces supports only PVST+ and rapid PVST+ packets. All
other STP protocols are not forwarded.


2.16 FortiGuard Service is Enabled By Default


The FortiGuard service is now enabled as long as it is being used in a firewall profile. The FortiGate may encounter intermittent traffic
problems if the FortiGuard service is enabled and a valid DNS server is not configured. It is recommended that the 'force-off'
option be enabled under 'config system fortiguard' if no valid DNS server is configured.

2.17 AntiVirus and IPS Update


The scheduled update configuration under which FortiGuard AV and IPS updates are requested by a FortiGate device running
FortiOS v4.0 MR2 has changed. The FortiGate device requests AV and IPS updates only if a protection profile with AV or IPS
scanning is enabled and is used in a firewall policy.


3 Upgrade Information

3.1 Upgrading from FortiOS v3.00 MR7


Direct upgrading from FortiOS v3.00 MR7 Patch Release 9 to v4.0 MR2 is not supported. Fortinet recommends the following
upgrade path:

FortiOS v3.00 MR7P9 (or later)
↓
v4.0.4 B0113 (or later)
↓
v4.0 MR2 B0272 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

3.2 Upgrading from FortiOS v4.0


FortiOS v4.0 MR2 officially supports upgrade from the FortiOS v4.0 Patch Release 4 or later. See the upgrade path below. The
arrows indicate "upgrade to".

[FortiOS v4.0]
The upgrade is supported from FortiOS v4.0.4 B0113 or later.

v4.0.4 B0113 (or later)
↓
v4.0 MR2 B0272 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration]


If a network interface has the ips-sniffer-mode option set to enable, and that interface is used by a firewall policy, then after
upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR2 the ips-sniffer-mode setting is changed to
disable.

[Webfilter Banned Word and Exempt Word List]


FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under "config webfilter content".
Upon upgrading to v4.0 MR2, ONLY the banned word list is retained. For example:

In FortiOS v4.0.4

config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end

After upgrading to FortiOS v4.0 MR2

config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

Before upgrading, back up your configuration and parse the webfilter exempt list entries. After the upgrade, merge them into the
webfilter content list.

After merging the exempt list from v4.0.4 into the webfilter content list

config webfilter content
    edit 1
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
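
The parse-and-merge step described above, as an added example (not Fortinet tooling): it reads a pre-upgrade backup, collects the "config webfilter exmword" entries, and builds the "config webfilter content" commands that add them with "set action exempt". Assumptions: the backup has no VDOM wrapper, values are double-quoted as in the blocks above, only the status setting shown on this page is carried over, and the target content table id (default 1) is a parameter.

```python
import shlex

# Constructed sample backup: the v4.0.4 blocks shown above, with one exempt
# word containing a space and one disabled entry to exercise the parser.
SAMPLE_BACKUP = """\
config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "good word 2"
                set status disable
            next
        end
        set name "ExemptWordList"
    next
end
"""

ROOT = ("config", "webfilter exmword")


def _level(stack):
    """Return 'table' or 'entry' when positioned inside the exmword section."""
    if len(stack) < 2 or stack[0] != ROOT or stack[1][0] != "edit":
        return None
    if len(stack) == 2:
        return "table"
    if len(stack) == 4 and stack[2] == ("config", "entries") and stack[3][0] == "edit":
        return "entry"
    return None


def parse_exempt_tables(backup_text):
    """Map each exmword table id to its name and its word/status entries."""
    tables, stack = {}, []
    for raw in backup_text.splitlines():
        try:
            tokens = shlex.split(raw)   # honours the double-quoted values
        except ValueError:              # e.g. a line inside a multi-line value
            continue
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(("config", " ".join(args)))
        elif cmd == "edit" and args:
            stack.append(("edit", args[0]))
            if _level(stack) == "table":
                tables[args[0]] = {"name": None, "entries": []}
            elif _level(stack) == "entry":
                tables[stack[1][1]]["entries"].append({"word": args[0], "status": None})
        elif cmd in ("next", "end") and stack:
            stack.pop()
        elif cmd == "set" and len(args) >= 2:
            level = _level(stack)
            if level == "table" and args[0] == "name":
                tables[stack[1][1]]["name"] = args[1]
            elif level == "entry" and args[0] == "status":
                tables[stack[1][1]]["entries"][-1]["status"] = args[1]
    return tables


def merge_commands(tables, content_table_id="1"):
    """Build CLI text adding every exempt word to one webfilter content table."""
    out = ["config webfilter content", f"    edit {content_table_id}", "        config entries"]
    for table in tables.values():
        for entry in table["entries"]:
            # Assumption: quotes and backslashes are backslash-escaped in the CLI.
            word = entry["word"].replace("\\", "\\\\").replace('"', '\\"')
            out.append(f'            edit "{word}"')
            out.append("                set action exempt")
            if entry["status"]:   # carry over only what the backup stated
                out.append(f"                set status {entry['status']}")
            out.append("            next")
    out += ["        end", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(merge_commands(parse_exempt_tables(SAMPLE_BACKUP)))
```

Review the generated commands against the backup before pasting them into the upgraded unit.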

[VoIP Settings]

FortiOS v4.0 MR2 can archive messages and files caught by the Data Leak Prevention feature, which includes some
VoIP messages. However, some scenarios have implications for configuration retention on upgrade. Consider the following:

• FortiGate in v4.0.4 has two protection profiles: PP1 and PP2.
• PP1 contains
    o DLP sensor: DLP1
    o Application control list: APP1 which archives SIP messages
• PP2 contains
    o DLP sensor: DLP1
    o Application control list: APP2 which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR2, the VoIP settings are not moved into the DLP archive feature.

[NNTP DLP Archive]


NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2.

[EmailFilter Banned Word Setting]


The "set spam-bword-table X" setting under "config firewall profile" will be lost after upgrading from FortiOS
v4.0.4 to FortiOS v4.0 MR2.

[HTTPS Invalid Certificate Setting]


The HTTPS "allow-invalid-server-cert" setting under "config firewall profile" will be lost after upgrading from FortiOS
v4.0.4 to FortiOS v4.0 MR2.

3.3 Upgrading from FortiOS v4.0 MR1


FortiOS v4.0 MR2 officially supports upgrade from the FortiOS v4.0 MR1 Patch Release 4 or later. See the upgrade path below. The
arrows indicate "upgrade to".

[FortiOS v4.0 MR1]


The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0196 or later.

v4.0 MR1 Patch Release 4 B0196 (or later)
↓
v4.0 MR2 B0272 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DLP Rule]
A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2.

[HTTPS Invalid Certificate Setting]


The HTTPS "allow-invalid-server-cert" setting under "config firewall profile" will be lost after upgrading from FortiOS
v4.0 MR1 Patch Release 3 B0194 to FortiOS v4.0 MR2 B0272.

[AlertMail Setting]
The "set local-disk-usage-warning enable" setting under "config alertemail settings" is reset to
disable after upgrading to FortiOS v4.0 MR2.

[System Autoupdate Settings]
The settings under "config system autoupdate schedule" are set to default values after upgrading to FortiOS v4.0
MR2.
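
A pre-upgrade check for the caveats in sections 3.2 and 3.3, as an added example (not Fortinet tooling): it scans a configuration backup for the settings these notes say are lost or reset, so they can be recorded before the upgrade and restored afterwards. The section and setting names are the ones quoted on this page; the backup text and the values in it are constructed.

```python
# (section prefix, setting token, value that triggers the note, what the notes say)
# A token of None means "any setting in that section"; a value of None means "any value".
CAVEATS = [
    ("system interface", "ips-sniffer-mode", "enable",
     "changed to disable if the interface is used by a firewall policy"),
    ("firewall profile", "spam-bword-table", None, "lost after the upgrade"),
    ("firewall profile", "allow-invalid-server-cert", None, "lost after the upgrade"),
    # Prefix match, so the page's "alertemail settings" spelling is covered too.
    ("alertemail setting", "local-disk-usage-warning", "enable", "reset to disable"),
    ("system autoupdate schedule", None, None, "reset to default values"),
]

# Constructed sample backup; only the section and setting names come from the page.
SAMPLE_BACKUP = """\
config system interface
    edit "port2"
        set ips-sniffer-mode enable
    next
end
config firewall profile
    edit "PP1"
        set spam-bword-table 1
        set allow-invalid-server-cert enable
    next
end
config alertemail settings
    set local-disk-usage-warning enable
end
config system autoupdate schedule
    set status enable
    set frequency daily
end
config system dns
    set primary 192.0.2.53
end
"""


def audit_backup(backup_text):
    """Return (line number, setting line, note) for every setting at risk."""
    findings, sections = [], []   # sections: stack of open "config ..." names
    for lineno, raw in enumerate(backup_text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            sections.append(" ".join(words[1:]))
        elif words[0] == "end" and sections:
            sections.pop()
        elif words[0] == "set":
            for prefix, token, value, note in CAVEATS:
                in_section = any(s.startswith(prefix) for s in sections)
                if (in_section and (token is None or token in words[1:])
                        and (value is None or words[-1] == value)):
                    findings.append((lineno, " ".join(words), note))
    return findings


if __name__ == "__main__":
    for lineno, setting, note in audit_backup(SAMPLE_BACKUP):
        print(f"line {lineno}: {setting} -> {note}")
```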


4 Downgrading to FortiOS v3.00


Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Fortinet Product Integration and Support


5.1 FortiManager Support
FortiOS v4.0 MR2 is supported by FortiManager v4.0 MR2.

5.2 FortiAnalyzer Support


FortiOS v4.0 MR2 is supported by FortiAnalyzer v4.0 MR2.

5.3 FortiClient Support


FortiOS v4.0 MR2 is supported by FortiClient v4.0 MR2 for the following:

• 32-bit version of Microsoft Windows XP


• 32-bit version of Microsoft Windows Vista
• 64-bit version of Microsoft Windows Vista
• 32-bit version of Microsoft Windows 7
• 64-bit version of Microsoft Windows 7

5.4 Fortinet Server Authentication Extension (FSAE) Support


FortiOS v4.0 MR2 is supported by FSAE v3.00 B058 (FSAE collector agent 3.5.058) for the following:

• 32-bit version of Microsoft Windows 2003 R1 Server


• 64-bit version of Microsoft Windows 2003 R1 Server
• 32-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R2 Server
• Novell E-directory 8.8.

IPv6 currently is not supported by FSAE.

5.5 AV Engine and IPS Engine Support


FortiOS v4.0 MR2 is supported by AV Engine 3.00013 and IPS Engine 1.00161.

5.6 3G MODEM Support


The following models and service providers were tested.

| Service Provider | 3G Card | Identification (IMEI) | Datacard Firmware |
|---|---|---|---|
| Canada | | | |
| Telus | ZTE MY39 | - | P650M1V1.0.2_Telus_060331 |
| Rogers | Option Globetrotter Qualcomm 3G GX0202 | 352115011023553 | 1.10.8Hd |
| Rogers | Huawei E220 | 358191017138137 | 11.110.05.00.00 |
| Rogers | Sierra AirCard 595 | - | p1906000,5077 |
| APAC | | | |
| E-Mobile | NEC Infrontia Corporation D01NE | - | - |
| E-Mobile | NEC Infrontia Corporation D02NE | - | - |
| E-Mobile | Longcheer Holdings Limited D11LC | 353780020859740 | LQA0012.1.2_M533A |
| AMER | | | |
| Telecom | Sierra Compass 597 | - | Rev 1.0 (2), p2314500,4012 |
| Optus | Huawei E169 | 358109021556466 | 11.314.17.00.00 |
| Hutchison/3 | Huawei E220 | 358191017339891 | 11.117.09.00.100 |
| Telecom | Sierra 597E | - | p2102900,4012 |
| Vodafone | Huawei E220 | 354136020989038 | 11.117.09.04.00 |
| Soul/TPG | Huawei E220 | 358193016941644 | 11.117.08.00.00 |
| Telstra | Option GE0202 | 356812010493268 | 2.5.2Hd |
| Telstra | Sierra 880E | 356812010493268 | F1_0_0_9AP C:/WS/FW/F1_0_0_9AP/MSM7200R3/SRC/AMSS |
| Telstra | Sierra AC501/Sierra 880E+ | 358248020068162 | K2_0_7_1BAP C:/WS/FW/K2_0_7_1BAP/MSM6290/SRC |
| Telstra | Sierra AC875 | 352822010757236 | H2_0_6_0ACAP C:/WS/FW/H2_0_6_0ACAP/MSM6280/SRC |
| Telstra | Sierra USB 306 | 359475020397478 | M2_0_4_0AP C:/WS/FW/M2_0_4_0AP/MDM8200/SRC/AMSS |
| Telecom New Zealand | Sierra Compass 885 | 35992013540914 | 1_0_1_17AP C:/WS/FW/J1_0_1_17AP/MSM7200A/SRC/AMSS |
| AT&T | Sierra Wireless AC881 | 354218012004149 | F1_0_0_4AP C:/WS/FW/F1_0_0_4AP/MSM7200R3/SRC/AMSS |
| Bell Mobility | Novatel / Ovation U727 | ESN: 0x5B80428F | m6800B-RAPTOR65_B-126 |

5.7 AMC Module Support


FortiOS v4.0 MR2 supports AMC removable modules. These modules are not hot swappable. The FortiGate must be turned off
before the module is inserted or removed.

| AMC Modules | FortiGate Support |
|---|---|
| Internal Hard Drive (ASM-S08) | FGT-310B, FGT-620B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW |
| Single Width 4-port 1Gbps Ethernet interface (ASM-FB4) | FGT-310B, FGT-311B, FGT-620B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW |
| Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2) | FGT-3810A, FGT-5001A-DW |
| Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8) | FGT-3810A, FGT-5001A-DW |
| Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2) | FGT-310B, FGT-311B, FGT-620B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW |
| Single Width 4-port Ethernet bypass interface (ASM-CX4) | FGT-310B, FGT-311B, FGT-620B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW |
| AMC Security Processing Engine Module (ASM-CE4) | FGT-1240B, FGT-3810A, FGT-3016B, FGT-5001A-SW |
| AMC Security Processing Engine Module (ADM-XE2) | FGT-3810A, FGT-5001A-DW |
| Rear Transition Module (RTM-XD2) | FGT-5001A-DW to support RTM-XD2 |
| Four Port T1/E1 WAN Security Processing Module (ASM-ET4) | FGT-310B, FGT-311B |
| Rear Transition Module (RTM-XB2) | FGT-5001A-DW to support RTM-XB2 |

5.8 SSL-VPN Support

5.8.1 SSL-VPN Standalone Client


FortiOS v4.0 MR2 supports the SSL-VPN tunnel client standalone installer B2082 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista

The following Operating Systems were tested.

| Windows | Linux | Mac OS X |
|---|---|---|
| Windows XP 32-bit SP2 | CentOS 5.2 (2.6.18-el5) | Leopard 10.5 |
| Windows XP 64-bit SP1 | Ubuntu 8.0.4 (2.6.24-23) | |
| Windows Vista 32-bit SP1 | | |
| Windows Vista 64-bit SP1 | | |
| Windows 7 32-bit | | |
| Windows 7 64-bit | | |
| Virtual Desktop Support | | |
| Windows XP 32-bit SP2 | | |
| Windows Vista 32-bit SP1 | | |
| Windows 7 32-bit | | |

5.8.2 SSL-VPN Web Mode


The following browsers and operating systems were tested with SSL-VPN web mode.

| Operating System | Browser |
|---|---|
| Windows XP 32-bit SP2 | IE7, IE8, and FF 3.6 |
| Windows XP 64-bit SP1 | IE7 and FF 3.6 |
| Windows Vista 32-bit SP1 | IE7, IE8, and FF 3.6 |
| Windows Vista 64-bit SP1 | IE7 and FF 3.6 |
| Windows 7 32-bit | IE8 and FF 3.6 |
| Windows 7 64-bit | IE8 and FF 3.6 |
| CentOS 5.2 (2.6.18-el5) | FF 1.5 and FF 3.0 |
| Ubuntu 8.0.4 (2.6.24-23) | FF 3.0 |
| Mac OS X Leopard 10.5 | Safari 4.1 |

5.9 SSL-VPN Host Compatibility List


The following Antivirus and Firewall client software packages were tested.

| Product | Antivirus | Firewall |
|---|---|---|
| Windows XP | | |
| Symantec Endpoint Protection v11 | √ | √ |
| Kaspersky Antivirus 2009 | √ | ✗ |
| McAfee Security Center v8.1 | √ | √ |
| Trend Micro Internet Security Pro | √ | √ |
| F-Secure Internet Security 2009 | √ | √ |


6 Resolved Issues in FortiOS v4.0 MR2


The resolved issues listed below do not include every bug that has been corrected in this release. For inquiries about a particular bug, contact Customer Support.

6.1 Command Line Interface (CLI)


Description: "set preempt disable" VRRP setting may not take effect.
Bug ID: 115436
Status: Fixed in v4.0 MR2.

6.2 Web User Interface


Description: The FortiGate's image on the dashboard does not show the connected ADM module.
Bug ID: 111624
Status: Fixed in v4.0 MR2.
Models Affected: FGT-5001A-DW

Description: An httpsd backtrace error message may be displayed on the console when accessing the Endpoint NAC > Monitor web UI page.
Bug ID: 114873
Status: Fixed in v4.0 MR2.

6.3 System
Description: The FortiGate-110C may randomly encounter kernel panic.
Bug ID: 114759
Models Affected: FGT-110C
Status: Fixed in v4.0 MR2.

Description: vsd daemon may randomly crash.
Bug ID: 90877
Status: Fixed in v4.0 MR2.

Description: The FortiGate may unexpectedly enter conserve mode, even when memory and CPU usage are low.
Bug ID: 118011
Status: Fixed in v4.0 MR2.

Description: On rare occasions the FortiGate may encounter a kernel panic and freeze.
Bug ID: 119777
Status: Fixed in v4.0 MR2.

Description: On rare occasions a kernel bug may cause the FortiGate to unexpectedly freeze with no console output.
Bug ID: 118435
Status: Fixed in v4.0 MR2.

Description: SMTP connection may abruptly get disconnected when multiple invalid email addresses are pipelined into SMTP proxy.
Bug ID: 109102
Status: Fixed in v4.0 MR2.

Description: SIP VIP with port forwarding enabled may not translate the destination port correctly.
Bug ID: 108480
Status: Fixed in v4.0 MR2.


Description: The FortiGate may encounter a kernel panic when an IPv6 icmp6 neighbor solicitation request happens on the wrong interface.
Bug ID: 117816
Status: Fixed in v4.0 MR2.

Description: The FGT-1240B sometimes does not recognize that an FTP session is still active when traffic is passing through NP4 interfaces.
Bug ID: 118196
Models Affected: FGT-1240B
Status: Fixed in v4.0 MR2.

Description: The FortiGate ignores DHCP offer from Raven X router.
Bug ID: 120369
Status: Fixed in v4.0 MR2.

Description: SNMP traps with link-local address of '169.254.0.1' are generated when traps are forwarded from HA slave to Master.
Bug ID: 118381
Status: Fixed in v4.0 MR2.

Description: vsd daemon may randomly crash when under heavy load.
Bug ID: 90877
Status: Fixed in v4.0 MR2.

6.4 High Availability


Description: Flash memory usage on the slave FortiGate may unexpectedly rise close to 100% because of an unusually large
temporary file.
Bug ID: 121526
Status: Fixed in v4.0 MR2.

Description: WebFilter override feature may not work in HA virtual cluster 2.
Bug ID: 120614
Status: Fixed in v4.0 MR2.

Description: The 'Top Viruses Graph' chart does not work on Virtual Cluster 2.
Bug ID: 96566
Status: Fixed in v4.0 MR2.

6.5 Firewall
Description: If a server requires a client-side certificate and the SSL inspection feature is enabled, the connection will be blocked by the FortiGate. SSL inspection should not act as a man-in-the-middle for sessions that use a client certificate.
Bug ID: 87297
Status: Fixed in v4.0 MR2.

Description: sslvpnd may crash if a firewall address being used in SSL portal is renamed.
Bug ID: 115301
Status: Fixed in v4.0 MR2.

Description: per-ip-shaper feature may not work when id-based policy is enabled.
Bug ID: 114277
Status: Fixed in v4.0 MR2.


6.6 IPS
Description: IPS Sensor may not work when 'Quarantine Attackers (to Banned Users List)' option is enabled.
Bug ID: 113641
Status: Fixed in v4.0 MR2.

6.7 VPN
Description: FortiClient may not be able to connect to the FortiGate dialup IPSec interface when using a certificate.
Bug ID: 115456
Status: Fixed in v4.0 MR2.

Description: SSLVPN virtual desktop may fail to launch after installing Microsoft security update (KB955759).
Bug ID: 120473
Status: Fixed in v4.0 MR2.

Description: On rare occasions all SSLVPN users may unexpectedly get disconnected.
Bug ID: 119201
Status: Fixed in v4.0 MR2.

Description: Users cannot log in to the SSL-VPN portal if the policy uses an FQDN as the source address.
Bug ID: 87339
Status: Fixed in v4.0 MR2.

Description: SSL-VPN user defined bookmarks may be lost if the FortiGate is rebooted.
Bug ID: 112318
Status: Fixed in v4.0 MR2.

Description: The FortiGate may block traffic from going through a policy-based IPSec tunnel on an NP2 interface if the fastpath setting is set to enable.
Bug ID: 122553
Status: Fixed in v4.0 MR2.

6.8 Web Filter


Description: Disabling web cache may affect FortiGuard availability.
Bug ID: 115584
Status: Fixed in v4.0 MR2.

6.9 Data Leak Prevention


Description: DLP archive for SCCP does not work.
Bug ID: 100458
Status: Fixed in v4.0 MR2.

6.10 Instant Message


The following IMs and their versions were tested in FortiOS v4.0 MR2. As some IM clients use encrypted connections, the FortiGate
may not succeed in blocking the traffic from traversing the firewall.

IM Client | Versions | Comment
AIM | 7.0.11.2 | This IM version uses SSL communication and FortiGate can only Block or Allow it using firewall policy.
AIM Classic | 5.9.6089 | none
ICQ | 7.0 Build 1211 | none
Yahoo! Messenger | 9.0.0.2162 | none
MSN 2009 | 14.0.8089.726 | none

Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR2.
Models Affected: All
Bug ID: See table

Clients Affected | Versions | Description/Models Affected/Status/BugID
ICQ | 6.5 Build 1042 | Description: DLP archive does not work for ICQ voice chat. Status: Fixed in v4.0 MR2. Bug ID: 99538

6.11 WAN Optimization


Description: wad proxy may cause high memory usage because of a memory leak.
Bug ID: 97742
Status: Fixed in v4.0 MR2.

Description: The FortiGate web-cache 'always-revalidate' option may not work.
Bug ID: 115459
Status: Fixed in v4.0 MR2.

6.12 Log & Report


Description: No event log entry is added when an HA cluster fails to synchronize.
Bug ID: 114713
Status: Fixed in v4.0 MR2.

Description: All default SQL reports are lost after changing opmode from NAT to TP.
Models Affected: FGT-3600A
Bug ID: 108188
Status: Fixed in v4.0 MR2.

Description: "Buffer to hard disk and upload" feature may not work when archiving to FAMS.
Bug ID: 108522
Status: Fixed in v4.0 MR2.

Description: IM logs incorrectly show app_list=N/A.
Bug ID: 89911
Status: Fixed in v4.0 MR2.

6.13 FSAE Collector Agent


Description: eDirectory agent version 3.5.47 may randomly crash.
Bug ID: 114359
Status: Fixed in v4.0 MR2.

Description: Users can be deleted from the 'Ignore User List' by selecting users and clicking the OK button.
Bug ID: 115432
Status: Fixed in v4.0 MR2.

Description: The FSAE collector agent may not receive user logon events when the warning dialog box is open.
Bug ID: 115430
Status: Fixed in v4.0 MR2.

Description: Some administrators are unable to see logon users and monitored DCs in the FSAE Collector Agent.
Bug ID: 112364
Status: Fixed in v4.0 MR2.

Description: FSAE collector agent does not wait long enough for response from the remote workstation or DC.
Bug ID: 120354
Status: Fixed in v4.0 MR2.

Description: The collector agent service may stop when the apply button is clicked twice on the FSAE config web UI page.
Bug ID: 120678
Status: Fixed in v4.0 MR2.

Description: DNS query may fail if the hostname is longer than 15 characters.
Bug ID: 112753
Status: Fixed in v4.0 MR2.


7 Known Issues in FortiOS v4.0 MR2


This section lists the known issues of this release, but is NOT a complete list. For enquiries about a particular bug not
listed here, contact Customer Support.

7.1 Command Line Interface (CLI)


Description: 'diagnose firewall statistics show' command may not show accurate stats.
Bug ID: 92569
Status: To be fixed in a future release.

7.2 Web User Interface


Description: The Firewall policy disclaimer checkbox cannot be checked when using IE8 browser.
Bug ID: 121950
Status: To be fixed in a future release.

Description: When creating a policy route from web UI, the destination port numbers are not saved if protocol number is set to zero.
Bug ID: 78402
Status: To be fixed in a future release.

Description: The web UI does not warn the user that an SMTP signature is too long and consequently truncates the signature
to 1000 characters.
Bug ID: 65422
Status: To be fixed in a future release.

Description: "Disclaimer and Redirect URL to" setting cannot be seen from web UI after "Identity Based
Policy" is disabled.
Bug ID: 108589
Status: To be fixed in a future release.

Description: The status of all interfaces is shown as up in the FortiGate's image on the dashboard.
Models Affected: FGT-110C
Bug ID: 115502
Status: To be fixed in a future release.

Description: The feature menu on the left side may get greyed out when a new dashboard is added.
Bug ID: 122208
Status: To be fixed in a future release.

Description: The column headings on the Firewall > Policy > Policy web UI page may get misaligned with the column values.
Bug ID: 117698
Status: To be fixed in a future release.

7.3 System
Description: If a FortiGate using an ASM-CX4/FX2 module has multiple VDoms configured and at least one of the VDoms is in TP mode, the user is allowed to enable amc bypass mode even if all ASM-CX4/FX2 interfaces are assigned to a NAT VDom.
Bug ID: 91519
Status: To be fixed in a future release.

Description: ASM-FB4/FB8 interfaces with fiber SFP may not work when interface speed is set to 1000full.
Bug ID: 90674
Status: To be fixed in a future release.

Description: Traffic going through ASM-FX2 card keeps getting bypassed when ASM-CX4 card is used in slot1 and ASM-FX2 card
is used in slot2 and bypass-mode is set to disable.
Bug ID: 90017
Status: To be fixed in a future release.

7.4 High Availability


Description: The master unit in an A-A mode cluster stops load-balancing when a redundant link interface on the slave unit
is unplugged.
Bug ID: 58959
Status: To be fixed in a future release.

Description: The master FortiGate's console may display '[ha_auth.c:200]: unsupported auth_sync type 16' error
message when upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR2.
Bug ID: 96380
Status: To be fixed in a future release.

Description: Sessions may get synced between master and slave members even when the 'session sync' option is disabled.
Bug ID: 112453
Status: To be fixed in a future release.

Description: The usage widget on the dashboard may not include statistics from the slave FortiGate.
Bug ID: 120478
Status: To be fixed in a future release.

Description: Slave FortiGate may fail to upgrade from FortiOS v4.1 B0194 to FortiOS v4.2 when 'uninterruptable-upgrade'
option is set to disable.
Bug ID: 121314
Status: To be fixed in a future release.

Description: Traffic count on firewall policy will get reset to zero after an HA failover.
Bug ID: 83105
Status: To be fixed in a future release.

7.5 Firewall
Description: Firewall protection profile may not work when in SSL offload mode.
Bug ID: 97704
Status: To be fixed in a future release.

Description: Traffic count on firewall policy will get reset to zero after an HA failover.
Bug ID: 83105
Status: To be fixed in a future release.


Description: File pattern list is not effective if the list exceeds 125 entries.
Bug ID: 90096
Status: To be fixed in a future release.

Description: A user may be able to add a firewall policy comment over the allowed limit by using double-byte characters. This may cause WebUI and configuration corruption.
Bug ID: 106964
Status: To be fixed in a future release.

Description: If a server requires a client-side certificate and the SSL inspection feature is enabled, the connection will be blocked by the FortiGate. SSL inspection should not act as a man-in-the-middle for sessions that use a client certificate.
Bug ID: 87297
Status: To be fixed in a future release.

7.6 Antivirus
Description: scanunit daemon may randomly crash.
Bug ID: 118706
Status: To be fixed in a future release.

Description: File pattern list is not effective if the list exceeds 125 entries.
Bug ID: 90096
Status: To be fixed in a future release.

Description: Antivirus > File Filter feature blocks a file even if the URL is included in the WebFilter URL exempt list.
Bug ID: 114513
Status: To be fixed in a future release.

7.7 IPS
Description: IPS traffic cannot be offloaded to interfaces on ASM-CE4, ADM-XE2, or ADM-FE8 modules.
Models Affected: All models using ASM-CE4, ADM-XE2, or ADM-FE8 module.
Bug ID: 122411
Status: To be fixed in a future release.

7.8 Web Filter


Description: The FortiGuard override feature may not work after upgrading from FortiOS v4.1 Patch Release 4 B0196 to FortiOS
v4.2.
Bug ID: 122332
Status: To be fixed in a future release.
Workaround: Reboot the FortiGate.

7.9 Data Leak Prevention


Description: DLP (HTTP proxy) may cause problems for an application doing pipelined HTTP requests.
Bug ID: 120936
Status: To be fixed in a future release.

7.10 Instant Message


The following IMs and their versions were tested in FortiOS v4.0 MR2. As some IM clients use encrypted connections, the FortiGate
may not succeed in blocking the traffic from traversing the firewall.


IM Client | Versions | Comment
AIM | 7.0.11.2 | This IM version uses SSL communication and FortiGate can only Block or Allow it using firewall policy.
AIM Classic | 5.9.6089 | none
ICQ | 7.0 Build 1211 | none
Yahoo! Messenger | 9.0.0.2162 | none
MSN 2009 | 14.0.8089.726 | none

Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR2.
Models Affected: All
Bug ID: See table

Clients Affected | Versions | Description/Models Affected/Status/BugID
ICQ | 6.5 Build 1042 | Description: The FortiGate may fail to detect ICQ file transfer when only ICQ is enabled in DLP rule. Status: To be fixed in a future release. Bug ID: 121701
ICQ | 6.5 Build 1042 | Description: The FortiGate fails to block ICQ login when HTTP proxy is used. Status: To be fixed in a future release. Bug ID: 100946

7.11 Application Control


Description: An application set to pass may still get blocked if a second 'block all application' rule is added to the same
list.
Bug ID: 91669
Status: To be fixed in a future release.

7.12 VPN
Description: SSL-VPN TELNET and SSH applet only supports ISO/IEC 8859-1 encoding. Characters with other encodings may
freeze the applet.
Bug ID: 90642
Status: To be fixed in a future release.

Description: Traffic selector negotiation may fail if selectors are not exactly matched on the two peers.
Bug ID: 112350
Status: To be fixed in a future release.

Description: SSLVPN web mode may not be able to connect to OWA 2003 using IE8 browser.
Bug ID: 120766
Status: To be fixed in a future release.

7.13 Log & Report


Description: The diskfull setting is not enforced for dlp archiving.
Bug ID: 120708
Status: To be fixed in a future release.


Description: SQL report quota does not support 'diskfull override' setting.
Bug ID: 116801
Status: To be fixed in a future release.

Description: The log setting under 'config ips DoS' inadvertently gets set to enable after a FortiGate is rebooted.
Bug ID: 118824
Status: To be fixed in a future release.

Description: Content archiving of NNTP files is not supported in FortiOS v3.00 MR6 even though the option appears as
grayed out implying it may be enabled through another configured option.
Bug ID: 44510
Status: To be fixed in a future release.

Description: Traffic logs cannot be viewed in raw format when SQL disk logging is enabled.
Bug ID: 122215
Status: To be fixed in a future release.

7.14 FSAE Collector Agent


Description: FSAE may not send logoff event when the user is moved from a monitored group.
Bug ID: 120741
Status: To be fixed in a future release.

7.15 FSAE Windows DC Agent


Description: DC agent deployment may fail on a low-bandwidth (24kbps) link.
Bug ID: 111566
Status: To be fixed in a future release.

7.16 Wi-Fi
Description: The FortiWiFi-60B may fail to detect an access point running on the 802.11a band when the mode is changed from AP to SCAN.
Models Affected: FWF-60B
Bug ID: 120127
Status: To be fixed in a future release.


8 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com).
After login, click on the "Firmware Images Checksum Code" link in the left frame.


9 Appendix A – P2P Clients and Supported Configurations


The following table outlines the supported configurations and related issues with several P2P clients. N/A means either the
application does not support the feature or it is not officially tested.

Note: As some P2P clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the
firewall.

Client | Skype | Kazaa | BearShare | Shareaza | BitComet | eMule | Azureus | LimeWire | iMesh | DC++ | Winny
Version | 3.8 | 3.2.7 | 7.0 | 4.1 | 1.0.7 | 0.49b | 4.0.0.2 | 4.18.8 | 8.0 | 0707 | 728

Standard Ports, Direct Internet Connection
Pass | N/A | N/A | OK | OK | OK | OK | OK | OK | OK | OK | OK
Block | N/A | N/A | OK | OK | OK | OK | OK | OK | OK | OK | OK
Rate Limit | N/A | N/A | Bug ID: 86147 | OK | OK | Bug ID: 86452 | OK | Bug ID: 77852 | OK | N/A | OK

Standard Ports, Proxy Internet Connection
Pass | N/A | N/A | OK | N/A | N/A | OK | OK | OK | N/A | N/A | N/A
Block | N/A | N/A | OK | N/A | N/A | OK | OK | OK | N/A | N/A | N/A
Rate Limit | N/A | N/A | OK | N/A | N/A | Bug ID: 86452 | OK | OK | N/A | N/A | N/A

Non-standard Ports, Direct Internet Connection
Pass | OK | OK | N/A | OK | OK | OK | OK | OK | OK | N/A | N/A
Block | Bug ID: 37845 | OK | N/A | OK | OK | OK | OK | OK | OK | N/A | N/A
Rate Limit | N/A | OK | N/A | OK | OK | Bug ID: 86452 | OK | Bug ID: 77852 | OK | N/A | N/A

Non-standard Ports, Proxy Internet Connection
Pass | OK | OK | N/A | N/A | N/A | OK | OK | OK | N/A | N/A | N/A
Block | Bug ID: 37845 | OK | N/A | N/A | N/A | OK | OK | OK | N/A | N/A | N/A
Rate Limit | N/A | OK | N/A | N/A | N/A | Bug ID: 86452 | OK | Bug ID: 77852 | N/A | N/A | N/A


10 Appendix B – Knowledge Base Articles


• An article on "Traffic Types and TCP/UDP Ports used by Fortinet Products" can be accessed through the following link:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=10773

• An article on "Communication between FortiManager v4.0 and FortiGate" can be accessed through the following link:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30157

• An article on "FortiGate and FortiOS support for 802.3ad" can be accessed through the following link:
http://kb.fortinet.com/kb/viewdocument.do?externalId=11640&sliceId=1&docType=kc&dialogID=5039610&cmd=displayKC&docTypeID=DT_KCARTICLE_1_1&stateId=0+0+5037649&highlight=on

(End of Release Notes.)
