Release Notes
v4.0 MR3 Patch Release 3
01-433-84420-20111110
Table of Contents
1 FortiOS v4.0 MR3 Patch Release 3
1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 3
2 Special Notices
2.1 General
3 Upgrade Information
3.1 Upgrading from FortiOS v4.0 MR2
3.2 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v4.0.0
5 Fortinet Product Integration and Support
5.1 FortiManager Support
5.2 FortiAnalyzer Support
5.3 FortiClient Support
5.4 FortiAP Support
5.5 Fortinet Single Sign On (FSSO) Support
5.6 FortiExplorer Support
5.7 AV Engine and IPS Engine Support
5.8 Module Support
5.9 SSL-VPN Support
5.9.1 SSL-VPN Standalone Client
5.9.2 SSL-VPN Web Mode
5.10 SSL-VPN Host Compatibility List
5.11 Explicit Web Proxy Browser Support
6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 3
6.1 Command Line Interface (CLI)
6.2 Web User Interface
6.3 System
6.4 High Availability
6.5 Router
6.6 Firewall Policy
6.7 Antivirus
6.8 Web Filter
6.9 Instant Message
6.10 Voice Over IP (VoIP)
6.11 WAN Optimization
6.12 VPN
6.13 WiFi
6.14 Log & Report
6.15 GTP&Dynamic Profile
6.16 Vulnerability
7 Known Issues in FortiOS v4.0 MR3 - Patch Release 3
7.1 Web UI
7.2 WiFi
8 Image Checksums
Change Log

Date          Change Description
2011-11-09    Initial Release.
2011-11-10    Changed FortiAnalyzer compatibility support information in Section 5 and added bug 151594 into Section 6.
Copyright 2011 Fortinet Inc. All rights reserved.
Release Notes FortiOS v4.0 MR3 Patch Release 3.

Trademarks
Copyright 2011 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com
FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-60C, FWF-60C, FWF-60CM, FWF-60CX-A, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-300C, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-621B, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3040B, FGT-3140B, FGT-3600, FGT-3600A, FGT-3810A, FGT-3950B, FGT-3951B, FGT-5001A, FGT-5001, FGT-5001B, FGT-5001FA2, FGT-5002FB2, FGT-5005FA2, FGT-ONE, FGT-VM and FGT-VM64.

All models are supported on the regular v4.0 MR3 - Patch Release 3 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR3 Patch Release 3.
FortiGuard Web Filter Category Update
Multiple Email Fields Logging
Report in PDF and Web Format
Up to 100 VDoms Support for 1240B
2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows all objects in the Web UI to be viewed properly.

Web Browser Support
Microsoft Internet Explorer™ 8.0 (IE8) and Firefox 3.5 or later are fully supported.

BEFORE any upgrade
[FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade
[WebUI Display] If you are using the Web UI, clear the browser cache prior to logging in to the FortiGate to ensure proper display of the Web UI screens.
[Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.
3 Upgrade Information
3.1 Upgrading from FortiOS v4.0 MR2
FortiOS v4.0 MR3 - Patch Release 3 officially supports upgrade from FortiOS v4.0 MR2 Patch Release 4 or later. See the upgrade path below.

[FortiOS v4.0 MR2] The upgrade is supported from FortiOS v4.0 MR2 Patch Release 4 B0313 or later.

v4.0 MR2 Patch Release 4 B0313 (or later) -> v4.0 MR3 Patch Release 3 B0496 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DDNS] The DDNS configuration under an interface is moved to the global config system ddns after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[DNS Server] The dns-query recursive/non-recursive option under a specific interface is moved to system level, per VDom. config system dns-server can be used to configure the option after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Ping Server] gwdetect-related configuration under a specific interface has been moved under router, per VDom. config router gwdetect can be used to configure the option after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Central-management] The set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[SNMP community] A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Modem Settings] wireless-custom-vendor-id and wireless-custom-product-id are moved from config system modem to config system 3g-modem custom upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[AMC slot settings] The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Wireless radio settings] Wireless radio settings other than SSID, Security Mode and Authentication settings will be lost after the upgrade. A workaround is described in the Special Notices section.

[Web filter overrides] The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 B0313 to FortiOS v4.0 MR3 - Patch Release 3.

[Firewall policy settings] If the source interface or destination interface is set to an amc-XXX interface, the default value of ips-sensor under config firewall policy will change from all_default to default after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[URL Filter] The action options in the urlfilter configuration have been changed from Allow, Pass, Exempt, Block to Allow, Monitor, Exempt, Block. Action Allow does not generate a log in v4.3.1. The new action Monitor behaves like Allow and also generates a log. Action Pass in v4.2 has been merged into Exempt in v4.3.1, and the CLI command has been changed from set action pass to set exempt pass.

[FortiGuard Log Filter] The settings of config log fortiguard filter are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[FortiGuard Log Setting] The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.
[DNS Server] The dns-query recursive/non-recursive option under a specific interface is moved to system level, per VDom. config system dns-server can be used to configure the option after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Ping Server] gwdetect-related configuration under a specific interface has been moved under router, per VDom. config router gwdetect can be used to configure the option after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Central-management] The set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[SNMP community] A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Modem Settings] wireless-custom-vendor-id and wireless-custom-product-id are moved from config system modem to config system 3g-modem custom upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[IPS DoS sensor log setting] The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR3 - Patch Release 3. Whether the log setting of an IPS DoS sensor is disable or enable on FortiOS v4.1.9 or any subsequent patch, the setting will be set to disable after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[IPS sensor log setting] The log setting of IPS sensors is enable by default on FortiOS v4.0 MR3 - Patch Release 3. If the log setting of an IPS sensor is disabled on FortiOS v4.1.9 or any subsequent patch, the value will be kept after upgrading to FortiOS v4.0 MR3 - Patch Release 3. If the log setting of an IPS sensor is enable or default on FortiOS v4.1.9 or any subsequent patch, the value will be changed to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[DLP Rule] A DLP rule with the subprotocol setting set to sip simple sccp will be lost upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Web Filter & Spam Filter] The names webfilter-status and spamfilter-status have been changed to webfilter-force-off and antispam-force-off. The default value is set to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3. To use the web filter and spam filter, users have to disable the two entries by using the following CLI command:

    config system fortiguard
        set webfilter-force-off disable
        set antispam-force-off disable
    end

[URL Filter] The action options in the urlfilter configuration have been changed from Allow, Pass, Exempt, Block to Allow, Monitor, Exempt, Block. Action Allow does not generate a log in v4.3.1. The new action Monitor behaves like Allow and also generates a log. Action Pass in v4.2 has been merged into Exempt in v4.3.1, and the CLI command has been changed from set action pass to set exempt pass.

[FortiGuard Log Filter] The settings of config log fortiguard filter are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[FortiGuard Log Setting] The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.
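
The upgrade changes listed in Section 3 can be checked against a saved configuration backup before upgrading, and the FortiGuard force-off defaults checked again afterwards. The Python below is an added example, not part of the original release notes and not Fortinet tooling; both sample configurations are constructed, and the ddns, dns-query and gwdetect key spellings under an interface are assumptions.

```python
# Rules from the upgrade notes above: (top-level config section, key prefix, value
# or None for any, effect). ddns/dns-query/gwdetect key spellings are assumptions.
RULES = [
    ("system interface", "ddns", None, "moved to 'config system ddns'"),
    ("system interface", "dns-query", None, "moved to 'config system dns-server'"),
    ("system interface", "gwdetect", None, "moved to 'config router gwdetect'"),
    ("system central-management", "authorized-manager-only", None, "removed"),
    ("system modem", "wireless-custom-", None, "moved to 'config system 3g-modem custom'"),
    ("log fortiguard setting", "quotafull", None, "removed"),
    ("log fortiguard setting", "use-hdd", None, "removed"),
    ("webfilter urlfilter", "action", "pass", "Pass merged into Exempt"),
]

def parse_settings(text):
    """Yield (line_no, top_section, entry, key, value) for each 'set' line."""
    stack = []  # one [section, current 'edit' entry] frame per open 'config'
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        word = tokens[0] if tokens else ""
        if word == "config":
            stack.append([" ".join(tokens[1:]), None])
        elif stack and word == "end":
            stack.pop()
        elif stack and word == "edit":
            stack[-1][1] = " ".join(tokens[1:]).strip('"')
        elif stack and word == "next":
            stack[-1][1] = None
        elif stack and word == "set" and len(tokens) > 1:
            yield line_no, stack[0][0], stack[-1][1], tokens[1], " ".join(tokens[2:]).strip('"')

def pre_upgrade_findings(text):
    """List (line_no, section, entry, key, note) for settings the upgrade touches."""
    found = []
    for line_no, section, entry, key, value in parse_settings(text):
        for rule_section, prefix, rule_value, note in RULES:
            if (section == rule_section and key.startswith(prefix)
                    and rule_value in (None, value)):
                found.append((line_no, section, entry, key, note))
                break
    return found

def filters_forced_off(text):
    """List force-off options not explicitly disabled (both default to enable after upgrade)."""
    state = {"webfilter-force-off": "enable", "antispam-force-off": "enable"}
    for _, section, _, key, value in parse_settings(text):
        if section == "system fortiguard" and key in state:
            state[key] = value
    return sorted(k for k, v in state.items() if v != "disable")

# Constructed v4.0 MR2 backup excerpt (not from a real device).
MR2_BACKUP = """\
config system interface
    edit "wan1"
        set gwdetect enable
        set ddns enable
    next
end
config webfilter urlfilter
    edit 1
        config entries
            edit "example.com"
                set action pass
            next
        end
    next
end
"""
# Constructed post-upgrade excerpt in which only one option was corrected.
MR3_CONFIG = "config system fortiguard\n    set webfilter-force-off disable\nend\n"

if __name__ == "__main__":
    for finding in pre_upgrade_findings(MR2_BACKUP):
        print("line %d: [%s] entry=%s key=%s: %s" % finding)
    print("still forced off:", filters_forced_off(MR3_CONFIG))
```

The parser splits each line on whitespace, so multi-line quoted values such as certificates or replacement messages are not interpreted.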
The FortiAP devices must be running FortiAP v4.0 MR3 and above.
Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2)
Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8)
Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2)
AMC Modules
FGT-1240B FGT-3810A FGT-3016B FGT-5001A-SW FGT-3810A FGT-5001A-DW FGT-3810A FGT-5001A-DW FGT-3810A FGT-5001A-DW FGT-310B FGT-311B FGT-5001A-DW FGT-3950B FGT-3951B FGT-3950B FGT-3951B FGT-3950B FGT-3951B FGT-3950B FGT-3951B
AMC Security Processing Engine Module (ADM-XE2)
AMC Security Processing Engine Module (ADM-XD4)
AMC Security Processing Engine Module (ADM-FE8)
Rear Transition Module (RTM-XD2)
Four Port T1/E1 WAN Security Processing Module (ASM-ET4)
Rear Transition Module (RTM-XB2)
Fortinet Mezzanine Card (FMC-XG2)
Fortinet Mezzanine Card (FMC-XD2)
Fortinet Mezzanine Card (FMC-F20)
Fortinet Mezzanine Card (FMC-C20)
The following Operating Systems are supported.

Windows: Windows XP 32-bit SP2, Windows XP 64-bit SP1, Windows Vista 32-bit SP1, Windows Vista 64-bit SP1, Windows 7 32-bit, Windows 7 64-bit
Linux: Ubuntu 8.0.4 (2.6.24-23)
Mac OS X

Virtual Desktop Support
Windows XP 32-bit SP2
Windows Vista 32-bit SP1
Windows 7 32-bit
Antivirus
Firewall
Windows 7 (32bit)
Product
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
Antivirus
Firewall
Product
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
Antivirus
Firewall
Windows 7 (64bit)
6.3 System
Description: All settings on the web page under system->Admin->Settings on the Web UI were reset when the FortiGate was registered to FortiManager or unregistered from FortiManager.
Bug ID: 153007
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Logs may not be sent to the Syslog server when the server is configured with an IPv6 address.
Bug ID: 148199
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A change in firewall policy might take one or two seconds to take effect when thousands of firewall policies have been set up.
Bug ID: 152401, 152822
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: FortiGuard Web Filter might be inactive for several milliseconds when a firewall policy was changed.
Bug ID: 144971
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Improvements on debugging broadcast flow.
Bug ID: 152397, 152398
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: The management session shall be kept when running the CLI command diagnose sys session clear.
Bug ID: 149957
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A redundant modem might not work when its monitor interface had never been connected.
Bug ID: 152709
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Framed-IP entries might still exist when massive numbers of dial-up IPSec tunnels were disconnected.
Bug ID: 152090
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: The 1G speed option might be missing when npu-cascade-cluster was enabled on FGT-3140B.
Model Affected: FortiGate-3140B
Bug ID: 153552
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: An NPU interface might not be changed to another VDom when NPU fastpath was disabled.
Model Affected: FortiGate models that support NPU interfaces
Bug ID: 153200
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Some of multiple simultaneous administrative logins might fail and might prevent CLI commands from executing.
Bug ID: 150826
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Increased table size for DNS server.
Bug ID: 152735
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Fix for a high memory usage issue caused by the SSL proxy daemon and the DLP archive daemon.
Bug ID: 149497, 150744
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: The SSL proxy may catch SMTP TLS connections even when SMTPS was disabled in anti-virus settings.
Bug ID: 153146
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Fix for a CPU spike issue when anti-virus and IPS are enabled simultaneously on FortiGate-3140B.
Model Affected: FortiGate-3140B
Bug ID: 154832
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: The status of an aggregate port should reflect the status of negotiation rather than the status of the physical links.
Bug ID: 153346
6.5 Router
Description: When handled by the same NPU, traffic passing from a VLAN interface to a physical interface might be stopped when the route falls back from the backup link to the primary link in the BGP routing table.
Model Affected: FortiGate models that support NPU interfaces
Bug ID: 150444
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: BGP sessions were dropped randomly when a new HA member joined a cluster that had hundreds of VDoms.
Bug ID: 152947
Status: Fixed in v4.0 MR3 - Patch Release 3.
6.7 Antivirus
Description: Virus-affected files might not be blocked completely when files were uploaded with SilverLight.
Bug ID: 134799
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A client might fail to log in to an FTP server with its VIP via the FTPS protocol when the anti-virus scanning option was on.
Bug ID: 137058
Status: Fixed in v4.0 MR3 - Patch Release 3.
6.12 VPN
Description: Multiple fixes for difficulties accessing certain web sites via SSL VPN.
Bug ID: 149489, 141231, 142302, 154310
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: IKE v2 SA might not work with RSA certificates.
Bug ID: 154084
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Support more than 14,000 concurrent SSL VPN tunnels.
Bug ID: 148546
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A CRL update might restart the SSL VPN daemon, resetting all SSL VPN tunnels.
Bug ID: 150059
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Multiple fixes for the SSL VPN portal in Asian languages.
Bug ID: 154642, 154646
Status: Fixed in v4.0 MR3 - Patch Release 3.
6.13 WiFi
Description: Fix and improvements on WiFi configurations.
Bug ID: 152734
Status: Fixed in v4.0 MR3 - Patch Release 3.
6.16 Vulnerability
Description: Fix on Clickjack possibility on TCP port 10443.
Bug ID: 147966
Status: Fixed in v4.0 MR3 - Patch Release 3.
7.1 Web UI
Description: The web page froze when a user tried to run a PDF report in IE9.
Bug ID: 156208
Status: To be fixed in a future release.

Description: Charts might display the wrong number of bars, and the number of bars cannot be set under the UTM Profiles-->Monitor->Application Monitor page.
Bug ID: 156210
Status: To be fixed in a future release.

Description: The Accessible network option may not be configured when the Split-Tunnel option is enabled under the VPN-->IPsec-->Create FortiClient VPN page.
Bug ID: 156318
Status: To be fixed in a future release.
7.2 WiFi
Description: The Express-card modem "Novatel Merlin X950D" cannot be detected.
Model Affected: FWF-60CM
Bug ID: 152926
Status: To be fixed in a future release.

Description: AES and TKIP cannot be active at the same time on FWF-80CM and FWF-81CM.
Model Affected: FWF-80CM, FWF-81CM
Bug ID: 152526
Status: To be fixed in a future release.
8 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After login, click on the "Firmware Images Checksum Code" link in the left frame.