FortiGate Multi-Threat Security System

Release Notes
v4.0 MR3 Patch Release 3
01-433-84420-20111110

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

Table of Contents
1 FortiOS v4.0 MR3 Patch Release 3................................................................................................................. 1 1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 3.........................................................1 2 Special Notices....................................................................................................................................................2 2.1 General........................................................................................................................................................2 3 Upgrade Information...........................................................................................................................................3 3.1 Upgrading from FortiOS v4.0 MR2............................................................................................................3 3.2 Upgrading from FortiOS v4.0 MR1............................................................................................................4 4 Downgrading to FortiOS v4.0.0..........................................................................................................................7 5 Fortinet Product Integration and Support........................................................................................................... 8 5.1 FortiManager Support.................................................................................................................................8 5.2 FortiAnalyzer Support.................................................................................................................................8 5.3 FortiClient Support......................................................................................................................................8 5.4 FortiAP Support.......................................................................................................................................... 8 5.5 Fortinet Single Sign On (FSSO) Support....................................................................................................8 5.6 FortiExplorer Support................................................................................................................................. 8 5.7 AV Engine and IPS Engine Support............................................................................................................9 5.8 Module Support...........................................................................................................................................9 5.9 SSL-VPN Support.....................................................................................................................................10 5.9.1 SSL-VPN Standalone Client............................................................................................................. 10 5.9.2 SSL-VPN Web Mode.........................................................................................................................11 5.10 SSL-VPN Host Compatibility List..........................................................................................................11 5.11 Explicit Web Proxy Browser Support..................................................................................................... 12 6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 3.................................................................................14 6.1 Command Line Interface (CLI)................................................................................................................ 14 6.2 Web User Interface....................................................................................................................................14 6.3 System.......................................................................................................................................................14 6.4 High Availability....................................................................................................................................... 16 6.5 Router........................................................................................................................................................16 6.6 Firewall Policy.......................................................................................................................................... 16 6.7 Antivirus....................................................................................................................................................16 6.8 Web Filter..................................................................................................................................................16 6.9 Instant Message.........................................................................................................................................17 6.10 Voice Over IP (VoIP)...............................................................................................................................17 6.11 WAN Optimization..................................................................................................................................17 6.12 VPN.........................................................................................................................................................17 6.13 WiFi.........................................................................................................................................................18 6.14 Log & Report.......................................................................................................................................... 18 6.15 GTP&Dynamic Profile............................................................................................................................18 6.16 Vulnerability............................................................................................................................................18 7 Known Issues in FortiOS v4.0 MR3 - Patch Release 3.................................................................................... 19 7.1 Web UI...................................................................................................................................................... 19 7.2 WiFi...........................................................................................................................................................19 8 Image Checksums............................................................................................................................................. 20

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

Change Log Date 2011-11-09 2011-11-10 Initial Release. Changed FortiAnalyzer compatibility support information in Section 5 and added bug 151594 into Section 6. Change Description

Copyright 2011 Fortinet Inc. All rights reserved. Release Notes FortiOS v4.0 MR3 Patch Release 3. Trademarks Copyright 2011 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600. Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com

ii

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

iii

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

1 FortiOS v4.0 MR3 Patch Release 3

This document provides installation instructions, and addresses issues and caveats in FortiOSTM v4.0 MR3 B0496 - Patch Release 3 release. The following outlines the release status for several models. Model FortiOS v4.0 MR3 Patch Release 3 Status

FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF- All models are supported on the regular v4.0 MR3-- Patch Release 3 branch. 50B, FGT-60B, FWF-60B, FGT-60C, FWF-60C, FWF-60CM, FWF-60CX-A, FGT-80C, FGT80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT100A, FGT-110C, FGT-111C, FGT-200A, FGT200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-300C, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-621B, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3040B, FGT-3140B, FGT-3600, FGT-3600A, FGT-3810A, FGT-3950B, FGT3951B, FGT-5001A, FGT-5001, FGT-5001B, FGT5001FA2, FGT-5002FB2, FGT-5005FA2, FGTONE, FGT-VM and FGT-VM64. Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR3 Patch Release 3.

1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 3

The following is a brief list of the new features added in FortiOS v4.0 MR3 Patch Release 3.

FortiGuard Web Filter Category Update Multiple Email Fields Logging Report in PDF and Web Format Up to 100 VDoms Support for 1240B

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings. IMPORTANT! Monitor Settings for Web User Interface Access Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

Web Browser Support Microsoft Internet ExplorerTM 8.0 (IE8) and FireFox 3.5 or later are fully supported.

BEFORE any upgrade [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper display of the Web UI screens. [Update the AV/IPS definitions] The AV/IPS signature included with an image upgrade may be older than ones currently available from the Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

3 Upgrade Information
3.1 Upgrading from FortiOS v4.0 MR2
FortiOS v4.0 MR3 - Patch Release 3 officially supports upgrade from the FortiOS v4.0 MR2 Patch Release 4 or later. See the upgrade path below. [FortiOS v4.0 MR2] The upgrade is supported from FortiOS v4.0 MR2 Patch Release 4 B0313 or later. v4.0 MR2 Patch Release 4 B0313 (or later) v4.0 MR3 Patch Release 3 B0496 GA After every upgrade, ensure that the build number and branch point match the image that was loaded. [DDNS] DDNS config under interface are moved to global mode config system ddns after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [DNS Server] dns-query recursive/non-recursive option under specific interface are moved to system level per VDom mode and config system dns-server can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Ping Server] gwdetect related configurations under specific interface has been moved to under router per VDom mode. config router gwdetect can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Central-management] set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [SNMP community] A 32 bits network mask will be added to an IP address of SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Modem Settings] wireless-custom-vendor-idand wireless-custom-product-id are moved from config system modem to config system 3g-modem custom upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [AMC slot settings] The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Wireless radio settings] wireless radio settings except SSID, Security Mode, Authentication settings will be lost after upgrade. Workaround is put into Special Notice Section. [Web filter overrides] The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 B0313 to FortiOS v4.0 MR3 - Patch Release 3. [Firewall policy settings]

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

If the source interface or destination interface set as amc-XXX interface, the default value of ips-sensor under config firewall policy will changed from all_default to default after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [URL Filter] The action options in urlfilter configuration have been changed from Allow, Pass, Exempt, Block to Allow, Monitor, Exempt, Block. Action Allow will not report log in v4.3.1. New action Monitor will act the function as allow with reporting log. Action Pass in v4.2 has been merged to Exempt in v4.3.1 and the CLI command has been changed from set action pass to set exempt pass. [FortiGuard Log Filter] The settings of config log fortiguard filter are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [FortiGuard Log Setting] The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

3.2 Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR3 - Patch Release 3 officially supports upgrade from the FortiOS v4.0 MR1 Patch Release 9 or later. See the upgrade path below. [FortiOS v4.0 MR1] The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0213 Patch Release 9 or later. v4.0 MR1 Patch Release 9 B0213 (or later) v4.0 MR3 Patch Release 3 B0496 GA After every upgrade, ensure that the build number and branch point match the image that was loaded. [Network Interface Configuration] If a network interface has ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR3 - Patch Release 3 the ips-sniffer-mode setting will be changed to disable. [Traffic shaping] The Unit of guaranteed-bandwidth,inbandwidth, outbandwidth and maximum-bandwidth of traffic shaping has been changed from kilo-bytes/sec to kilo-bits/sec after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [System Autoupdate Settings] The default values of config system autoupdate schedule will be changed from disable to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [DHCP Server] The name of DHCP Server are replaced with entry number. The start-ip and end-ip are changed to config iprange under DHCP Server after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [DDNS] DDNS config under interface are moved to global mode config system ddns after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [DNS Server]

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

dns-query recursive/non-recursive option under specific interface are moved to system level per VDom mode and config system dns-server can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Ping Server] gwdetect related configurations under specific interface has been moved to under router per VDom mode. config router gwdetect can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Central-management] set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [SNMP community] A 32 bits network mask will be added to an IP address of SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Modem Settings] wireless-custom-vendor-idand wireless-custom-product-id are moved from config system modem to config system 3g-modem custom upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [IPS DoS sensor log setting] The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR3 - Patch Release 3. Whether the log stetting of an IPS DoS sensor is disable or enable on FortiOS v4.1.9 or any subsequent patch, after upgrading to FortiOS v4.0 MR3 - Patch Release 3, the setting will be set to disable. [IPS sensor log setting] The log setting of IPS sensors is enable by default on FortiOS v4.0 MR3 - Patch Release 3. If the log setting of an IPS sensor is disabled on FortiOS v4.1.9 or any subsequent patch, the value will be kept after upgrading to FortiOS v4.0 MR3 - Patch Release 3. If the log setting of an IPS sensor is enable or default on FortiOS v4.1.9 or any subsequent patch, the value will be changed to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3. [DLP Rule] A DLP rule with subprotocol setting set to sip simple sccp will be lost upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [Web Filter & Spam Filter] The name webfilter-status and spamfilter-status have been change to webfilter-force-off and antispamforce-off. The default values is set to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3. To use web filter and spam filter, users have to disable the two entries by using the following CLI command: config system fortiguard set webfilter-force-off disable set antispam-force-off disable end [URL Filter] The action options in urlfilter configuration have been changed from Allow, Pass, Exempt, Block to Allow, Monitor, Exempt, Block. Action Allow will not report log in v4.3.1. New action Monitor will act the function as allow with reporting log. Action Pass in v4.2 has been merged to Exempt in v4.3.1 and the CLI command has been changed from set action pass to set exempt pass. [FortiGuard Log Filter] The settings of config log fortiguard filter are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3. [FortiGuard Log Setting]

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

4 Downgrading to FortiOS v4.0.0

Downgrading to FortiOS v4.0.0 GA (or later) results in configuration loss on ALL models. Only the following settings are retained: operation modes interface IP/management IP route static table DNS settings VDom parameters/settings admin user account session helpers system access profiles

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

5 Fortinet Product Integration and Support

5.1 FortiManager Support
FortiOS v4.0 MR3 - Patch Release 3 is supported by FortiManager v4.0 MR3.

5.2 FortiAnalyzer Support

FortiOS v4.0 MR3 is compatible with FortiAnalyzer devices running FortiAnalyzer v4.0 MR3. If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function correctly with FortiOS v4.0 MR3.

5.3 FortiClient Support

FortiOS v4.0 MR3 - Patch Release 3 is fully compatible with FortiClient v4.0 MR2 Patch 3. FortiOS v4.0 MR3 - Patch Release 3 is supported by FortiClient v4.0 MR3 for the following: 32-bit version of Microsoft Windows XP 32-bit version of Microsoft Windows Vista 64-bit version of Microsoft Windows Vista 32-bit version of Microsoft Windows 7 64-bit version of Microsoft Windows 7

5.4 FortiAP Support

FortiOS v4.0 MR3 - Patch Release 3 supports the following FortiAP models: FortiAP-210B FortiAP-220A FortiAP-220B FortiAP-222B

The FortiAP devices must be running FortiAP v4.0 MR3 and above.

5.5 Fortinet Single Sign On (FSSO) Support

FortiOS v4.0 MR3 - Patch Release 3 is supported by FSSO v4.3.0 B0108 for the following: 32-bit version of Microsoft Windows 2003 R2 Server 64-bit version of Microsoft Windows 2003 R2 Server 32-bit version of Microsoft Windows 2008 Server 64-bit version of Microsoft Windows 2008 Server 64-bit version of Microsoft Windows 2008 R2 Server Novell E-directory 8.8.

IPv6 currently is not supported by FSSO.

5.6 FortiExplorer Support

FortiOS v4.0 MR3 - Patch Release 3 is supported by FortiExplorer 1.3.1215.

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

5.7 AV Engine and IPS Engine Support

FortiOS v4.0 MR3 - Patch Release 3 is supported by AV Engine 4.00382 and IPS Engine 1.00241.

5.8 Module Support

FortiOS v4.0 MR3 - Patch Release 3 supports AMC removable modules. These modules are not hot swappable. The FortiGate must be turned off before the module is inserted or removed. AMC Modules Internal Hard Drive (ASM-S08) FortiGate Support FGT-310B FGT-620B FGT-621B FGT-3016B FGT-3600A FGT-3810A FGT-5001A-SW FGT-200B FGT-311B FGT-1240B FGT-3040B FGT-3140B FGT-3951B FGT-310B FGT-311B FGT-620B FGT-621B FGT-1240B FGT-3016B FGT-3600A FGT-3810A FGT-5001A-SW FGT-3810A FGT-5001A-DW FGT-3810A FGT-5001A-DW FGT-310B FGT-311B FGT-620B FGT-621B FGT-1240B FGT-3016B FGT-3600A FGT-3810A FGT-5001A-SW FGT-310B FGT-311B FGT-620B FGT-621B FGT-1240B FGT-3016B FGT-3600A

Internal Hard Drive (FSM-064)

Single Width 4-port 1Gbps Ethernet interface (ASM-FB4)

Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2) Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8) Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2)

Single Width 4-port Ethernet bypass interface (ASM-CX4)

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

AMC Modules

FortiGate Support FGT-3810A FGT-5001A-SW

AMC Security Processing Engine Module (ASM-CE4)

FGT-1240B FGT-3810A FGT-3016B FGT-5001A-SW FGT-3810A FGT-5001A-DW FGT-3810A FGT-5001A-DW FGT-3810A FGT-5001A-DW FGT-310B FGT-311B FGT-5001A-DW FGT-3950B FGT-3951B FGT-3950B FGT-3951B FGT-3950B FGT-3951B FGT-3950B FGT-3951B

AMC Security Processing Engine Module (ADM-XE2) AMC Security Processing Engine Module (ADM-XD4) AMC Security Processing Engine Module (ADM-FE8) Rear Transition Module (RTM-XD2) Four Port T1/E1 WAN Security Processing Module (ASM-ET4) Rear Transition Module (RTM-XB2) Fortinet Mezzanine Card (FMC-XG2) Fortinet Mezzanine Card (FMC-XD2) Fortinet Mezzanine Card (FMC-F20) Fortinet Mezzanine Card (FMC-C20)

5.9 SSL-VPN Support 5.9.1 SSL-VPN Standalone Client

FortiOS v4.0 MR3 - Patch Release 3 supports the SSL-VPN tunnel client standalone installer B2148 for the following: Windows in .exe and .msi format Linux in .tar.gz format Mac OS X in .dmg format Virtual Desktop in .jar format for Windows 7, XP, and Vista

The following Operating Systems are supported. Windows Windows XP 32-bit SP2 Windows XP 64-bit SP1 Windows Vista 32-bit SP1 Windows Vista 64-bit SP1 Windows 7 32-bit Linux Ubuntu 8.0.4 (2.6.24-23) Mac OS X

CentOS 5.2 (2.6.18-el5) Leopard 10.6.3

10

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

Windows 7 64-bit Virtual Desktop Support Windows XP 32-bit SP2 Windows Vista 32-bit SP1 Windows 7 32-bit

5.9.2 SSL-VPN Web Mode

The following browsers and operating systems are supported by SSL-VPN web mode. Operating System Windows XP 32-bit SP2 Windows XP 64-bit SP1 Windows Vista 32-bit SP1 Windows Vista 64-bit SP1 Windows 7 32-bit Windows 7 64-bit CentOS 5.2 (2.6.18-el5) Ubuntu 8.0.4 (2.6.24-23) Mac OS X Leopard 10.5 Browser IE7, IE8, IE9 and FF 3.6 IE7, IE9 and FF 3.6 IE7, IE8, IE9 and FF 3.6 IE7, IE9 and FF 3.6 IE8 , IE9 and FF 3.6 IE8, IE9 and FF 3.6 FF 1.5 and FF 3.0 FF 3.0 Safari 4.1

5.10 SSL-VPN Host Compatibility List

The following Antivirus and Firewall client software packages are supported. Product Symantec Endpoint Protection v11 Kaspersky Antivirus 2009 McAfee Security Center v8.1 Trend Micro Internet Security Pro F-Secure Internet Security 2009 Antivirus Windows XP Firewall

Product CA Internet Security Suite Plus Software

Antivirus

Firewall

Windows 7 (32bit)

11

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

Product AVG Internet Security 2011 F-Secure Internet Security 2011 Kaspersky Internet Security 2011 McAfee Internet Security 2011 Norton 360 Version 4.0 Norton Internet Security 2011 Panda Internet Security 2011 Sophos Security Suite Trend Micro Titanium Internet Security ZoneAlarm Security Suite Symantec Endpoint Protection Small Business Edition 12.0

Antivirus

Firewall

Product CA Internet Security Suite Plus Software AVG Internet Security 2011 F-Secure Internet Security 2011 Kaspersky Internet Security 2011 McAfee Internet Security 2011 Norton 360 Version 4.0 Norton Internet Security 2011 Panda Internet Security 2011 Sophos Security Suite Trend Micro Titanium Internet Security ZoneAlarm Security Suite Symantec Endpoint Protection Small Business Edition 12.0

Antivirus

Firewall

Windows 7 (64bit)

5.11 Explicit Web Proxy Browser Support

The following browsers are supported by Explicit Web Proxy feature. Supported Browser Internet Explorer 7

12

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

Internet Explorer 8 FireFox 3.x

13

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 3

The resolved issues listed below does not list every bug that has been corrected with this release. For inquires about a particular bug, contact Customer Support.

6.1 Command Line Interface (CLI)

Description: CLI command show might not work when an administrator was associated with a customized profile. Bug ID: 151975 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Users might fail to register/unregister FortiGate device from FortiManager via CLI after upgrade. Bug ID: 154113, 154494 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.2 Web User Interface

Description: Administrator was forced to logout when a disabled VDom was selected. Bug ID: 138568 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Users may fail to create a FSSO group when IE9 was used. Bug ID: 153005 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: A VLAN interface might disappear on Web UI when it was chosen to be HA management interface. Bug ID: 152064 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Option wildcard was set by default when a firewall address was configured incorrectly. Bug ID: 152396 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: A read-only administrator might not be associated with its privileges correctly via Web UI. Bug ID: 151194 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.3 System
Description: All settings on the web page under system->Admin->Settings on Web UI were reset when FortiGate was registered to FortiManager or when FortiGate was unregistered from FortiManager. Bug ID: 153007 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Logs may not be sent to Syslog server when server is configured with IPv6 address. Bug ID: 148199 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: A change in firewall policy might take one or two seconds to be effect when thousands of firewall policies have been setup. Bug ID: 152401, 152822 Status: Fixed in v4.0 MR3 - Patch Release 3.

14

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

Description: FortiGuard Web Filter might be inactive for several milliseconds when a firewall policy was changed. Bug ID: 144971 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Improvements on debugging broadcast flow. Bug ID: 152397, 152398 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Management session shall be kept when run CLI command diagnose sys session clear. Bug ID: 149957 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Redundant modem might not work when its monitor interface had never been connected. Bug ID: 152709 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Framed-IP entries might still exist when massive dial-up IPSec tunnels were disconnected. Bug ID: 152090 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: 1G speed option might be missing when npu-cascade-cluster was enabled on FGT-3140B. Model Affected: FortiGate-3140B Bug ID: 153552 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: A NPU interface might not be changed to another VDom when NPU fastpath was disabled. Model Affected: FortiGate models that support NPU interfaces Bug ID: 153200 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Some of multiple simultaneous administrative logins might fail and might prevent CLI commands from executing. Bug ID: 150826 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Increase table size for DNS server. Bug ID: 152735 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Fix on high memory usage issue caused by SSL proxy daemon and DLP archive daemon. Bug ID: 149497, 150744 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: SSL proxy may catch SMTP TLS connections even when SMTPS was disabled in anti-virus settings. Bug ID: 153146 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Fix on CPU spike issue when anti-virus and IPS are enabled simultaneous on FortiGate-3140B. Model Affected: FortiGate-3140B Bug ID: 154832 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: The status of an aggregate port should reflect the status of negotiation than status of the physical links. Bug ID: 153346

15

November 10, 2011

Release Notes Status: Fixed in v4.0 MR3 - Patch Release 3.

FortiOS v4.0 MR3 - Patch Release 3

6.4 High Availability

Description: DHCP leases on a VAP interface are not synchronized between HA members. Bug ID: 153171 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Uninterrupted upgrade might fail when the dynamic profile option was used and system was running FOC firmware. Bug ID: 153972 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: ha-mgmt-interface-gateway might stop working when the speed setting was changed on the management interface. Bug ID: 154729 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.5 Router
Description: Handled by same NPU, passing traffic from a VLAN interface to physical interface might be stopped when the route fall back from backup link to primary link in BGP routing table. Model Affected: FortiGate models that support NPU interfaces Bug ID: 150444 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: BGP sessions were dropped randomly when new HA member joined the cluster that had hundreds VDoms. Bug ID: 152947 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.6 Firewall Policy

Description: Those sessions initiated from a VIP server might be dropped when strict-dirty-session option was enabled. Bug ID: 153843, 153151 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: A connection request to Load Balance server might be dropped prematurely when 100-continue response was sent by the server. Bug ID: 154867 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.7 Antivirus
Description: Virus affected files might not be blocked completely when files were uploaded with SilverLight. Bug ID: 134799 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: A client might fail to login to a FTP server with its VIP via FTPS protocol when anti-virus scanning option was on. Bug ID: 137058 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.8 Web Filter

Description: Users might fail to create a new local category via Web UI until at lease one local category had been created via CLI. Bug ID: 153196 Status: Fixed in v4.0 MR3 - Patch Release 3.

16

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

6.9 Instant Message

Description: Instant messages might be blocked by IPS engine accidentally and might not be logged properly by IMD daemon. Bug ID: 144194, 144695 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.10 Voice Over IP (VoIP)

Description: SIP proxy might not translate maddr parameter correctly in contact header. Bug ID: 137058 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.11 WAN Optimization

Description: wad daemon kept crashing when SSL option is enabled and client tried to access server by using HTTPS. Bug ID: 151100 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Traffic was not properly NATed when the WCCP server was unreachable. Bug ID: 151776 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Some web sites might not be accessed when IE8 or IE9 were used and Web Cache was enabled. Model Affected: FortiGate-200B and FortiGate-80C series models Bug ID: 153725 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: An user may be redirected to a wrong web site by Web Cache after a web site was accessed with its IP address. Bug ID: 151594 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.12 VPN
Description: Multiple fixes on difficulties of accessing some certain web sites via SSL VPN. Bug ID: 149489, 141231, 142302, 154310 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: IKE v2 SA might not work with RSA certificates. Bug ID: 154084 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Support more than 14,000 concurrent SSL VPN tunnels. Bug ID: 148546 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: CRL update might restart SSL VPN daemon and all SSL VPN tunnels were reset. Bug ID: 150059 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Multiple fixes on SSL VPN portal in Asia languages. Bug ID: 154642, 154646 Status: Fixed in v4.0 MR3 - Patch Release 3.

17

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

6.13 WiFi
Description: Fix and improvements on WiFi configurations. Bug ID: 152734 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.14 Log & Report

Description: System performance can not be persevered when log query is conducted in large database. Bug ID: 151084 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: An anonymous user may be logged in event logs when explicit web-proxy was enabled. Bug ID: 148180 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Some special characters in UTF-8 might not be displayed correctly in Email archive. Bug ID: 140300 Status: Fixed in v4.0 MR3 - Patch Release 3. Description: Alert emails might not send to the mail server with IPv6 address. Bug ID: 140300 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.15 GTP&Dynamic Profile

Description: Authentication and warning override might not work when web filter option was not enabled on the firewall policy. Bug ID: 154182 Status: Fixed in v4.0 MR3 - Patch Release 3.

6.16 Vulnerability
Description: Fix on Clickjack possibility on TCP port 10443. Bug ID: 147966 Status: Fixed in v4.0 MR3 - Patch Release 3.

18

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

7 Known Issues in FortiOS v4.0 MR3 - Patch Release 3

This section lists the known issues of this release, but is NOT a complete list. For inquiries about a particular bug not listed here, contact Customer Support.

7.1 Web UI
Description: Web page was frozen when an user tried to run PDF report in IE9. Bug ID: 156208 Status: To be fixed in a future release. Description: Charts might display wrong number of bars and the number of bars can not be set under UTM Profiles-->Monitor->Application Monitor page. Bug ID: 156210 Status: To be fixed in a future release. Description: Accessible network option may not be configured when Split-Tunnel option is enabled under VPN-->IPsec-->Create FortiClient VPN page Bug ID: 156318 Status: To be fixed in a future release.

7.2 WiFi
Description: Express-card modem "Novatel Merlin X950D" can not be detected . Model Affected: FWF-60CM Bug ID: 152926 Status: To be fixed in a future release. Description: AES and TKIP can not be active the same time on FWF-80CM and FWF-81CM. Model Affected: FWF-80CM, FWF-81CM Bug ID: 152526 Status: To be fixed in a future release.

19

November 10, 2011

Release Notes

FortiOS v4.0 MR3 - Patch Release 3

8 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After login, click on the "Firmware Images Checksum Code" link in the left frame.

(End of Release Notes.)

20

November 10, 2011