FortiOS v3 00 MR7 Release Notes Patch Release 5 PDF
Security System
Release Notes
FortiOS™ v3.00 MR7
Patch Release 5
Rev. 1.0
Table of Contents
1 FortiOS v3.00 MR7 Release – Patch Release 5
1.1 General
1.2 Single Hard Drive Support for FGT-111C
1.3 File Transfer Limitation
1.4 FortiClient v4.0 Support
2 Fortinet Product Integration and Support
2.1 SSL-VPN Client Support
3 Resolved Issues in FortiOS MR7 – Patch Release 5
3.1 System
3.2 Firewall
3.3 VPN
3.4 Web Filter
3.5 VOIP
3.6 FSAE
4 Known Issues in FortiOS v3.00 MR7 – Patch Release 5
4.1 Firewall
5 Upgrade Information
5.1 Upgrading from FortiOS v2.50
5.2 Upgrading from FortiOS v2.80
5.3 Upgrading from FortiOS v3.00 MR5 and MR6
5.4 Downgrading to FortiOS v3.00
5.5 Downgrading to FortiOS v2.80
5.6 Downgrading to FortiOS v2.50
6 Image Checksums
Change Log
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Registered customers with valid support contracts may enter their support tickets at the Fortinet Customer Support site:
https://support.fortinet.com
This model is released on a special branch based off of MR7 B0741 Patch Release 5 –
fg300_mr7_110c/build_tag_5418. As such, the build number in the System > Status page and the
output from the "get system status" CLI command displays 5418 as the build number. To
confirm that you are running the proper build, the output from the "get system status" CLI
command has a "Branch point:" field. This should read 741.
FGT-5001A-SW, FGT-5001A-DW
Note: Same firmware image is used for FGT-5001A-SW and FGT-5001A-DW models.
This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_5001a_sw/build_tag_5414. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5414 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.
FGT-51B
Note: The FGT-50B-HD has been renamed to FGT-51B. The image file name also has been renamed to "FGT_51B-v300-build0741-FORTINET.out" and is used on both the existing FGT-50B-HD model and the FGT-51B model. Once the image is loaded, both the "get system status" CLI output and the web UI reference the FGT-51B.
This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_51b/build_tag_5416. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5416 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.
FGT-80C, FGT-80CM, FWF-80CM
This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_80C/build_tag_5417. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5417 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.
All Other Models
All other models are supported on the regular MR7 branch.
1.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.
IMPORTANT!
Monitor Settings for Web User Interface Access:
• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the
Web UI to be viewed properly.
• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages)
prior to upgrading.
• [WebUI display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure
proper display of the Web UI screens.
• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones
currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as
soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.
Description: The FortiGate's FTP proxy does not bind to listen port on PORT command.
Models Affected: All
Bug ID: 82013 Status: Fixed in MR7 – Patch Release 5.
Description: Radius authentication starts failing abruptly after running for some time.
Models Affected: All
Bug ID: 85424 Status: Fixed in MR7 – Patch Release 5.
Description: The FortiGate unit with hardware driven by NP2 driver may randomly crash or hang.
Models Affected: All
Bug ID: 93986 Status: Fixed in MR7 – Patch Release 5.
3.2 Firewall
Description: Some firewall addresses may be lost after restoring FortiGate's configuration file.
Models Affected: All
Bug ID: 91963 Status: Fixed in MR7 – Patch Release 5.
Description: Firewall policy is lost after upgrading from FortiOS MR5 to MR7, if the action for the policy is unset before
upgrading.
Models Affected: All
Bug ID: 84953 Status: Fixed in MR7 – Patch Release 5.
3.3 VPN
Description: User cannot access OWA properly from SSLVPN web portal.
Models Affected: All
Bug ID: 91937, 92273 Status: Fixed in MR7 – Patch Release 5.
Description: IPSec daemon (iked) memory usage increases due to memory leak.
Models Affected: All
Bug ID: 92920 Status: Fixed in MR7 – Patch Release 5.
Description: IPSec daemon (iked) may crash in an event of HA failover if XAUTH is enabled.
Models Affected: All
Bug ID: 93770 Status: Fixed in MR7 – Patch Release 5.
Description: The 'Keep connection alive' option in SSLVPN stand-alone application may cause client software to reconnect
automatically. If the password is one time only, SSLVPN client may cause user accounts to get locked with reconnect.
Models Affected: All
Bug ID: 85170 Status: Fixed in MR7 – Patch Release 5.
filtering.
Models Affected: All
Bug ID: 92641 Status: Fixed in MR7 – Patch Release 5.
3.5 VOIP
Description: Any SIP message carried by UDP that is greater than 2048 bytes long is dropped by the SIP proxy.
Models Affected: All
Bug ID: 90854 Status: Fixed in MR7 – Patch Release 5.
3.6 FSAE
Description: IPchange feature for FSAE does not work with multiple FSAE servers.
Models Affected: All
Bug ID: 90849 Status: Fixed in MR7 – Patch Release 5.
5 Upgrade Information
5.1 Upgrading from FortiOS v2.50
Upgrading directly from FortiOS v2.50 to FortiOS v3.00 is NOT supported. Upgrade to at least FortiOS v2.80 MR11 prior to
upgrading to FortiOS v3.00 MR7 Patch Release 5. Refer to the FortiOS v2.80 MR11 release notes for upgrade procedures.
The following are caveats when upgrading from FortiOS v2.80 MR11 to FortiOS v3.00 MR7 Patch Release 5.
1. Identify which "lost" IPS group you currently have configured in FortiOS v2.80 from the list found in Appendix A.
2. Note the signature settings that are contained in the FortiOS v2.80 group, and identify in the table the equivalent
FortiOS v3.00 group(s) that contain the signature.
3. Repeat steps 1-2 for each "lost" group.
4. After upgrading to FortiOS v3.00 MR7 Patch Release 5, for each group lost, manually configure the equivalent
signature settings under the FortiOS v3.00 group(s).
[IPSec VIP]
FortiOS v2.80 supports VIPs configured with the config vpn ipsec vip command, which essentially is a proxy ARP. This
command does not exist in FortiOS v3.00; it is replaced by the config system proxy-arp command. The upgrade
scripts do not support this in FortiOS v3.00 MR7 Patch Release 5. You will need to reconfigure any FortiOS v2.80 IPSec
VIPs to use the system proxy-arp command in FortiOS v3.00. The command is valid on a per VDom basis in NAT
mode. The following is an example CLI configuration.
• Web Filtering
• Web Content Block
• Web URL Block List
• Web URL Exempt List
• Spam Filtering
• IP Address
• RBL & ORDBL
• Email Address
• MIME Headers
• Banned Word
FortiOS v3.00 has a feature whereby CLI commands can be imported from a file - see Section 3.2.11: Bulk CLI
Configuration Importing. If the FortiOS v2.80 lists are converted to FortiOS v3.00 CLI commands and saved in a text file,
the file can be imported using the Bulk CLI Import. Refer to Appendix B: Mapping FortiOS v2.80 Web Filtering and Spam
Filtering Lists to FortiOS v3.00 CLI Commands for help on creating a text file to import these lists.
1. On a per-device basis
config log <device> filter
The per-device filters control whether or not log messages are sent to the device. The per-protection profile filters control
whether or not matching traffic through a protection profile results in a log message sent to the device. Upon upgrade from
FortiOS v2.80 to FortiOS v3.00, only the per-device log filters are retained - protection profile is altered to accommodate
logging, except for log-web-ftgd-err, which is enabled by default. After upgrading, review the firewall policies that
require logging to be enabled.
[VDom Licensing]
FortiOS v2.80 supports additional virtual domains by way of a FortiOS image that contains a hardcoded number of VDoms in
it. FortiOS v3.00 uses a VDom license key to upgrade the number of VDoms on high-end models FGT-3000 and up. Upon
upgrading from FortiOS v2.80, the VDoms and all of their associated configuration are retained, but in the event of a factory
reset and a configuration restore, the FortiGate will fail to add all of the VDoms. If you are running FortiOS v2.80 with more
than the default number of VDoms, follow these steps when upgrading to FortiOS v3.00:
4. Contact Customer Support to obtain a FortiOS v3.00 VDom license key. If you are running an HA cluster, you need
a license key for each unit in the cluster.
5. In the event the configuration needs to be reloaded, the VDom license key needs to be configured first.
Another scenario occurs with FortiOS v2.80 and upgrading with an image that contains additional VDoms. Below are the
necessities for this scenario to occur:
After upgrading to FortiOS v3.00 MR4, if the FortiGate does not let you add a 16th VDom, you must contact Customer
Support to obtain a FortiOS v3.00 VDom license key, install it, and then add additional VDoms.
[Administrative Users]
In FortiOS v2.80, an admin user is a global setting, not a per-VDom setting, and thus does not belong to a management VDom. After
upgrading to FortiOS v3.00 MR7, all v2.80 administrative users are assigned to the root VDom by default. If the
management VDom is not assigned to the root VDom, then administrative users, except for the default "admin" user, will fail
to log in to the management VDom after upgrading.
[Policy Routing]
Both "input-device" and "output-device" are mandatory attributes from FortiOS v3.00 MR2. However, "output-device" is not
a mandatory attribute in FortiOS v2.80; therefore, policy routes without "output-device" configured are lost after upgrading
to FortiOS v3.00 MR4 or later.
The following parameters in a phase2 policy-based IPSec tunnel are not retained upon upgrade from FortiOS v2.80 to FortiOS
v3.00 MR7 Patch Release 5:
config vpn ipsec phase2
set bindtoif <interface name>
set internetbrowsing <interface name>
From FortiOS v3.00 MR4, this no longer is accepted and therefore, the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7
Patch Release 5 results in loss of configuration.
Choosing a user group that is type NOT equal to firewall when configuring PPTP, results in loss of configuration when
upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5.
If you are upgrading from a release prior to MR5, please upgrade to MR5 or MR6 before upgrading to MR7 Patch Release 5.
Please refer to the corresponding release notes for the proper upgrade path to MR5 or MR6.
[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v3.00 MR7 to match the port names on the face plate.
After upgrading to MR7 Patch Release 5, all port names in the FortiGate configuration are changed as per the following port
mapping.
Old port name (before upgrading)    New port name (after upgrading)
port1                               mgmt1
port2                               mgmt2
port3                               port1
port4                               port2
port5                               port3
port6                               port4
port7                               port5
port8                               port6
port9                               port7
port10                              port8
port11                              port9
port12                              port10
port13                              port11
port14                              port12
port15                              port13
port16                              port14
port17                              port15
port18                              port16
Note: A new revision of the FGT-3016B included a name change to two ports on the left side of the faceplate and in the
FortiOS v3.00 MR7 firmware. Previously, they were labelled 1 and 2. Now they are called MGMT 1 and MGMT 2. However,
the BIOS still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.
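The mapping above overlaps itself (old port3 becomes port1 while old port1 becomes mgmt1), so runbooks, monitoring checks or saved policy reviews that still use the old names have to be translated in one pass. The following Python sketch is an added example, not part of the release notes; the sample policy lines and the function names are constructed for illustration.

```python
import re

# Old -> new interface names on the FGT-3016B, taken from the table above.
PORT_MAP = {"port1": "mgmt1", "port2": "mgmt2"}
PORT_MAP.update({f"port{n}": f"port{n - 2}" for n in range(3, 19)})

# Word boundaries keep "port1" from matching inside "port10" or "support1".
_PORT_RE = re.compile(r"\bport(\d+)\b")


def rename_ports(text):
    """Translate every old port name in a single pass.

    Each name is looked up exactly once, so a name that has already been
    translated (port3 -> port1) is never translated again (port1 -> mgmt1).
    """
    return _PORT_RE.sub(lambda m: PORT_MAP.get(m.group(0), m.group(0)), text)


def naive_rename(text):
    """Chained substring replacement, kept only to show the failure mode."""
    for old, new in PORT_MAP.items():
        text = text.replace(old, new)
    return text


# Constructed sample: two policy lines written against the old names.
SAMPLE = 'set srcintf "port3"\nset dstintf "port10"'

if __name__ == "__main__":
    print(rename_ports(SAMPLE))   # port3 -> port1, port10 -> port8
    print(naive_rename(SAMPLE))   # port10 is mangled into mgmt10
```

Names outside the table, such as port19 or a user-defined interface whose name merely contains "port1", are left unchanged.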
Previously, if a firewall profile has "high critical" signatures enabled, during the upgrade a sensor is created with one
IPS filter in which the severity "high critical" is selected. This sensor is added to the firewall profile. For each severity
combination, a sensor is created. If the user changes the default signature settings, then these signatures are added to all of
those sensors as an IPS override. For example:
The following sections are removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 5:
config ips anomaly *
config ips group *
config system autoupdate ips
The following command is removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 5:
config system global
set local-anomaly [enable|disable]
“config ips custom”, which was a global setting in FortiOS v3.00 MR4 and MR5, is copied into every VDom when
upgrading to v3.00 MR7 Patch Release 5.
[Spam Filter]
The sections “config spamfilter bword | emailbwl | ipbwl | ipstrust | mheader”, which were
global settings in FortiOS v3.00 MR5, are copied into every VDom when upgrading to v3.00 MR7 Patch Release 5. Section
“config spamfilter rbl” becomes “config spamfilter dnsbl” after upgrading to FortiOS v3.00 MR7 Patch
Release 5 and this section is copied into every VDom.
[Web Filter]
The sections “config webfilter bword | exmword | ftgd-local-cat | ftgd-local-rating |
ftgd-ovrd | ftgd-ovrd-user | urlfilter” which were global settings in FortiOS v3.00 MR5 are copied into
every VDom after upgrading to v3.00 MR7 Patch Release 5.
[FortiManager]
Section “config system fm” in FortiOS v3.00 MR5 and MR6 may be lost after upgrading to MR7 Patch Release 5.
In that case, you need to reset the FortiManager parameters under the “config system fortimanager”
section:
config system fortimanager
set ip 192.168.100.100
set vdom root
end
[User Setting]
Three parameters that were under the system global settings in FortiOS v3.00 MR5 are moved into a new section called
“config user setting”, which is under the per-VDom settings. They are:
set auth-cert <cert-name>
set auth-secure-http [enable|disable]
set auth-timeout <integer by minutes>
set auth-type [ftp | http | https | telnet ]
[NTP Configuration]
The following NTP related configuration commands have been moved under "config system ntp" in MR7 Patch
Release 5:
config ntpserver
set ntpsync
set syncinterval
[Report Configuration]
"Report Config" feature has been reworked in FortiOS v3.00 MR7 Patch Release 5 to support FortiAnalyzer Report Engine
v2. "config log report" command has been removed in FortiOS v3.00 MR7 Patch Release 5. All configuration under
"config log report" may be lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5.
[User Peers]
User peers that are configured without a certificate authority (ca) or a subject are not retained upon upgrading to FortiOS
v3.00 MR7 Patch Release 5. In MR7, at least one of these fields may be a mandatory setting.
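Two of the silent losses described in these notes can be caught in a saved configuration backup before upgrading: policy routes without "output-device" (Policy Routing, above) and user peers without a ca or a subject. The following Python sketch is an added example, not a Fortinet tool; the section names "config router policy" and "config user peer", the reading of the user-peer rule as "neither field set", and the sample backup text are assumptions made for illustration.

```python
def parse_entries(config_text, section):
    """Return {entry_name: {key: value}} for the first 'config <section>' block.

    Only 'edit'/'set'/'next' lines at the top level of the block are read;
    nested 'config ... end' blocks inside an entry are skipped.
    """
    entries, in_section, depth, current = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = (line == f"config {section}")
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif depth == 0 and line == "next":
            current = None
        elif depth == 0 and current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            entries[current][parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return entries


def audit(config_text):
    """List entries that the release notes say are dropped by the upgrade."""
    findings = []
    for name, attrs in parse_entries(config_text, "router policy").items():
        if "output-device" not in attrs:
            findings.append(("router policy", name, "no output-device"))
    for name, attrs in parse_entries(config_text, "user peer").items():
        # Assumption: a peer is at risk when neither ca nor subject is set.
        if "ca" not in attrs and "subject" not in attrs:
            findings.append(("user peer", name, "no ca or subject"))
    return findings


# Constructed backup excerpt (not from a real device).
SAMPLE = """
config router policy
    edit 1
        set input-device "internal"
        set output-device "wan1"
    next
    edit 2
        set input-device "dmz"
        set gateway 10.0.1.1
    next
end
config user peer
    edit "branch-gw"
        set ca "CA_Cert_1"
    next
    edit "legacy-peer"
    next
end
"""

if __name__ == "__main__":
    for section, name, reason in audit(SAMPLE):
        print(f"{section} {name}: {reason}")
```

In a multi-VDom backup the same section appears once per VDom, so run the check on each VDom's portion of the file separately.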
[FortiGuard Configuration]
The default setting for "central-mgmt-auto-backup" command has been changed to enable in FortiOS v3.00 MR7
Patch Release 5.
[Firewall Policy]
"auth-path", "auth-cert" and "auth-redirect-addr" settings may be lost upon upgrading to FortiOS v3.00
MR7 Patch Release 5 if authentication group is not selected in the firewall policy.
[System IPv6]
The section "config system ipv6-tunnel" is moved under "config system sit-tunnel" upon upgrading
to v3.00 MR7 Patch Release 5.
[Global Setting]
The section "allow-interface-subnet-overlap" which was under global settings in FortiOS v3.00 MR5 and
MR6 is copied into every VDom under "config system settings" after upgrading to v3.00 MR7 Patch Release 5.
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles
The FGT1000A-FA2 does not support downgrade to FortiOS v2.80. With the introduction of the FortiClient Check feature,
the flash card has a different partition layout than that in FortiOS v2.80.
6 Image Checksums