
FortiOS v4.0 MR2 Patch Release 10


Release Notes

December 09, 2011 01-4210-84420-20111209 Copyright 2011 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Trademarks
ABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiMail, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiScan, FortiShield, FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600. Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com.

Visit these links for more information and documentation for your Fortinet product:
Technical Documentation - http://docs.fortinet.com
Knowledge Base - http://kb.fortinet.com
Technical Support - https://support.fortinet.com
Training Services - http://training.fortinet.com

Table of Contents

Introduction
Special Notices
    General
        Monitor Settings for Web User Interface Access
        Web Browser Support
        BEFORE any upgrade
        AFTER any upgrade
Installation Information
    Upgrading from FortiOS v4.0
        FortiOS v4.0
        Network Interface Configuration
        WebFilter Banned Word and Exempt Word List
        VoIP Settings
        NNTP DLP Archive
    Upgrading from FortiOS v4.0 MR1
        FortiOS v4.0 MR1
        DLP Rule
        System Autoupdate Settings
    Downgrading to FortiOS v4.0 MR1
Product Integration and Support
    Fortinet Single Sign On (FSSO) Support
    AV Engine and IPS Engine Support
    SSL-VPN Support
        SSL-VPN Standalone Client
    FortiAP Support
Resolved Issues
    Command Line Interface
    Web User Interface
    System
    High Availability
    Firewall
    Web Proxy
    VPN
    WAN Optimization
    Log and Report
Known Issues
    System
Image Checksums


FortiOS v4.0 MR2 Patch Release 10 Release Notes 01-4210-84420-20111209 http://docs.fortinet.com/ Feedback

1. Introduction

This document provides installation instructions, and addresses issues and caveats in FortiOS v4.0 MR2 build B0338 Patch Release 10. Table 1 outlines the release status for several FortiGate models.
Table 1: Supported Platforms

FortiGate Models: FG-30B, FWF-30B, FG-50B, FG-51B, FWF-50B, FG-60B, FWF-60B, FG-80C, FG-80CM, FWF-80CM, FWF-81CM, FG-82C, FG-100A, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-POE, FG-224B, FG-300A, FG-310B, FG-311B, FG-310B-DC, FG-400A, FG-500A, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, and FG-5005FA2.
FortiOS v4.0 MR2 Patch Release 10: All models are supported on the regular v4.0 MR2 - Patch Release 10.

FortiGate Models: FG-60C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A
FortiOS v4.0 MR2 Patch Release 10: This model is released on a special branch based off of FortiOS v4.0 MR2 - Patch Release 10: fg_42_60c/build_tag_5894. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5894 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 338.

FortiGate Models: FG-VM
FortiOS v4.0 MR2 Patch Release 10: This model is released on a special branch based off of FortiOS v4.0 MR2 - Patch Release 10: fg_42_vmware_esx/build_tag_5891. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5891 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 338.

FortiGate Models: FG-ONE
FortiOS v4.0 MR2 Patch Release 10: This model is released on a special branch based off of FortiOS v4.0 MR2 - Patch Release 10: fg_42_one/build_tag_5892. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5892 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 338.

FortiGate Models: FG-300C
FortiOS v4.0 MR2 Patch Release 10: This model is released on a special branch based off of FortiOS v4.0 MR2 - Patch Release 10: fg_42_300c/build_tag_4055. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 4055 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 338.

See http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR2.


2. Special Notices

General
The Trivial File Transfer Protocol (TFTP) boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web UI to be viewed properly.

Web Browser Support
Microsoft Internet Explorer™ 8.0 (IE8) and FireFox 3.5 or later are fully supported.

BEFORE any upgrade
FortiGate Configuration: Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade
WebUI Display: If you are using the Web UI, clear the browser cache prior to logging in to the FortiGate unit to ensure proper display of the Web UI screens.
Update the AV/IPS definitions: The AV/IPS signature included with an image upgrade may be older than ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an update as soon as possible after upgrading. Consult the FortiOS Handbook for detailed procedures on upgrading your AV/IPS signature.


3. Installation Information

Upgrading from FortiOS v4.0


FortiOS v4.0 MR2 Patch Release 10 officially supports upgrade from the FortiOS v4.0 Patch Release 4 or later. See the upgrade path below. The arrows indicate "upgrade to".

FortiOS v4.0
The upgrade is supported from FortiOS v4.0.4 B0113 or later.

v4.0.4 B0113 (or later)
        ↓
v4.0 MR2 Patch Release 10 B0338

After every upgrade, ensure that the build number and branch point match the image that was loaded.

Network Interface Configuration
If a network interface has ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.0, or any subsequent patch, to FortiOS v4.0 MR2 Patch Release 10, the ips-sniffer-mode setting will be changed to disable.

WebFilter Banned Word and Exempt Word List
FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under config webfilter content. After you upgrade to v4.0 MR2, only the banned word list is retained. For example:

In FortiOS v4.0.4:

    config webfilter bword
        edit 1
            config entries
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end
    config webfilter exmword
        edit 1
            config entries
                edit "goodword1"
                    set status enable
                next
                edit "goodword2"
                    set status enable
                next
            end
            set name "ExemptWordList"
        next
    end

After upgrading to FortiOS v4.0 MR2:

    config webfilter content
        edit 1
            config entries
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end

Before upgrading: back up your configuration, and parse the webfilter exempt list entries. Then merge them into the webfilter content list after the upgrade.

After merging the exempt list from v4.0.4 to the webfilter content list:

    config webfilter content
        edit 1
            config entries
                edit "goodword1"
                    set action exempt
                    set status enable
                next
                edit "goodword2"
                    set action exempt
                    set status enable
                next
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end
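The backup, parse and merge procedure described above, as an added example that is not part of Fortinet's release notes: a Python script that reads the bword and exmword sections from a saved v4.0.4 configuration and generates the config webfilter content block to apply after the upgrade. The function names are hypothetical, the sample backup is constructed from the example above, and two choices are assumptions: exempt list N is merged into banned list N, and a word found in both lists keeps its ban and is reported for review instead of being exempted.

```python
def sample_section(kind, name, words):
    """Build one constructed v4.0.4 word-list section (sample input, not real data)."""
    body = "".join(f'edit "{w}"\nset status enable\nnext\n' for w in words)
    return (f"config webfilter {kind}\nedit 1\nconfig entries\n{body}"
            f'end\nset name "{name}"\nnext\nend\n')

# Constructed backup excerpt mirroring the v4.0.4 example in these notes.
BACKUP_V404 = (sample_section("bword", "BannedWordList", ["badword1", "badword2"])
               + sample_section("exmword", "ExemptWordList", ["goodword1", "goodword2"]))

def parse_word_lists(text, kind):
    """Return {list_id: {"name": token or None, "entries": [(word_token, [set lines])]}}."""
    lists, depth, inside, cur, word = {}, 0, False, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            if depth == 0:                        # top-level section header
                inside = line == f"config webfilter {kind}"
            depth += 1
        elif line == "end":
            depth = max(depth - 1, 0)
            inside = inside and depth > 0
        elif not inside:
            continue
        elif line.startswith("edit "):
            token = line[5:].strip()              # keep quoting exactly as backed up
            if depth == 1:
                cur = lists.setdefault(token, {"name": None, "entries": []})
            elif depth == 2 and cur is not None:  # inside "config entries"
                word = (token, [])
                cur["entries"].append(word)
        elif line.startswith("set "):
            if depth == 2 and word is not None:
                word[1].append(line)
            elif depth == 1 and cur is not None and line.startswith("set name "):
                cur["name"] = line[len("set name "):]
    return lists

def merge_exempt_into_content(backup_text):
    """Return (CLI text for `config webfilter content`, [(list_id, word)] conflicts)."""
    banned = parse_word_lists(backup_text, "bword")
    exempt = parse_word_lists(backup_text, "exmword")
    empty = {"name": None, "entries": []}
    out, conflicts = ["config webfilter content"], []
    # Assumption: exempt list N belongs with banned list N, as in the single-list example.
    for list_id in sorted(set(banned) | set(exempt)):
        b, e = banned.get(list_id, empty), exempt.get(list_id, empty)
        banned_words = {w for w, _ in b["entries"]}
        out += [f"    edit {list_id}", "        config entries"]
        for w, sets in e["entries"]:
            if w in banned_words:                 # banned and exempt: keep the ban, report it
                conflicts.append((list_id, w))
                continue
            out += [f"            edit {w}", "                set action exempt"]
            out += [f"                {s}" for s in sets] + ["            next"]
        for w, sets in b["entries"]:
            out += [f"            edit {w}"]
            out += [f"                {s}" for s in sets] + ["            next"]
        out.append("        end")
        name = b["name"] or e["name"]
        if name:
            out.append(f"        set name {name}")
        out.append("    next")
    out.append("end")
    return "\n".join(out) + "\n", conflicts

if __name__ == "__main__":
    cli, conflicts = merge_exempt_into_content(BACKUP_V404)
    print(cli)
    for list_id, w in conflicts:
        print(f"# review: {w} is both banned and exempt in list {list_id}")
```

Review the generated block and any reported conflicts before pasting it into the upgraded unit's CLI.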


VoIP Settings
FortiOS v4.0 MR2 has the functionality to archive messages and files caught by the Data Leak Prevention (DLP) feature, which includes some VoIP messages. However, some scenarios affect configuration retention during the upgrade. Consider the following:

FortiGate in v4.0.4 has two protection profiles: PP1 and PP2.
PP1 contains:
- DLP sensor: DLP1
- Application control list: APP1, which archives SIP messages
PP2 contains:
- DLP sensor: DLP1
- Application control list: APP2, which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR2 Patch Release 10, the VoIP settings are not moved into the DLP archive feature.

NNTP DLP Archive
NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2 Patch Release 10.

Upgrading from FortiOS v4.0 MR1


FortiOS v4.0 MR2 Patch Release 10 officially supports upgrade from the FortiOS v4.0 MR1 Patch Release 4 or later. See the upgrade path below. The arrows indicate "upgrade to".

FortiOS v4.0 MR1
The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0196 or later.

v4.0 MR1 Patch Release 4 B0196 (or later)
        ↓
v4.0 MR2 Patch Release 10 B0338

After every upgrade, ensure that the build number and branch point match the image that was loaded.

DLP Rule
A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2 Patch Release 10.

System Autoupdate Settings
The settings under System > Maintenance > FortiGuard will get set to default values after upgrading to FortiOS v4.0 MR2 Patch Release 10.


Downgrading to FortiOS v4.0 MR1


Downgrading to FortiOS v4.0 MR1 results in configuration loss on ALL models. Only the following settings are retained:
- operation modes
- interface IP/management IP
- route static table
- DNS settings
- VDom parameters/settings
- admin user account
- session helpers
- system access profiles


4. Product Integration and Support

Fortinet Single Sign On (FSSO) Support


FortiOS v4.0 MR2 Patch Release 10 is supported by FSSO (formerly FSAE) v4.3.0 B0108 for the following:
- 32-bit version of Microsoft Windows 2003 R2 Server
- 64-bit version of Microsoft Windows 2003 R2 Server
- 32-bit version of Microsoft Windows 2008 Server
- 64-bit version of Microsoft Windows 2008 Server
- 64-bit version of Microsoft Windows 2008 R2 Server
- Novell E-directory 8.8

IPv6 currently is not supported by FSSO.

AV Engine and IPS Engine Support


FortiOS v4.0 MR2 Patch Release 10 is supported by AV Engine 4.00254 and IPS Engine 1.00229.

SSL-VPN Support
SSL-VPN Standalone Client
FortiOS v4.0 MR2 Patch Release 10 supports the SSL-VPN tunnel client standalone installer B2148 for the following:
- Windows in .exe and .msi format
- Linux in .tar.gz format
- Mac OS X in .dmg format
- Virtual Desktop in .jar format for Windows 7, XP, and Vista

Table 2 lists the supported operating systems.

Table 2: Supported operating systems

Windows: Windows XP 32-bit SP3, Windows XP 64-bit SP1, Windows Vista 32-bit SP1, Windows Vista 64-bit SP1, Windows 7 32-bit, Windows 7 64-bit
Virtual Desktop Support: Windows XP 32-bit SP2, Windows Vista 32-bit SP1, Windows 7 32-bit
Linux: CentOS 5.2 (2.6.18-el5), Ubuntu 10.0.4
Mac OS X: Leopard 10.5

FortiAP Support
The following table lists which FortiAP devices and FortiOS operating systems are supported in FortiOS v4.0 MR2 build B0338 Patch Release 10.
Table 3: Supported Models

Model: FAP-210B, FAP-220A, FAP-220B, FAP-222B

FortiOS v4.0 MR2: For wireless controller support in FortiOS v4.0 MR2 the following firmware image is required: fg_4-2_fortiap/build_tag_3080. The build number for these images in the System > Status page and the output from the "get system status" CLI command displays 3080. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point" field. This should read 338. This firmware image is available under the following directory in the Firmware Images page of the Customer Support site after you login:
FortiAP/v4.00/4.0MR2/MR2_Patch_10/Wireless_controller/
or
FortiAP/v4.00/4.0MR3/MR3_Patch_3/Wireless_controller/

FortiAP v4.0 MR3 Patch Release 3: These models are supported on the regular v4.0 MR3 branch.

5. Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Support. The resolved issues include:
- Command Line Interface
- Web User Interface
- System
- High Availability
- Firewall
- Web Proxy
- VPN
- WAN Optimization
- Log and Report

Command Line Interface

Table 4: Resolved CLI Issues

Bug ID    Description
154306    A set of batch commands may take a longer time than expected to complete.

Web User Interface

Table 5: Resolved Web User Interface Issues

Bug ID    Description
155055    It might take longer to view Firewall > Policy pages in an HA environment.

System

Table 6: Resolved System Issues

Bug ID    Description
155925    Unexpected crash occurred on FG-3950B when a VIP FTP server replied with its NAT IP address.
153200    An NPU interface might not be changed to another VDOM when NPU fastpath is disabled.
153346    The status of an aggregate port should reflect the status of the negotiation rather than the status of the physical links.
152073    An interface may not reply to an ICMP request when it was removed from an aggregate interface.
155860    A VLAN interface might still accept traffic when the status was set to down.
149497    Fixed a high memory usage issue caused by the SSL proxy daemon.
141164    FortiGate might keep sending SYN packets to its BGP peer when the peer tried to originate a new connection but closed it instantly.
149580    Time synchronization might stop when the NTP setting was changed.
152947    BGP daemon would sometimes crash when a failover happened on an HA cluster during a BGP graceful restart.
154870    The MSI-X load balance for XD2 was turned off, causing all NP4 interrupts to go to only one CPU.

High Availability

Table 7: Resolved HA Issues

Bug ID    Description
154729    ha-mgmt-interface-gateway might stop working when the speed setting was changed on the management interface.
147084    The master kept sending gratuitous ARP in TP mode, which could easily cause a loop when units were upgraded from FortiOS v4.0 MR1.

Firewall

Table 8: Resolved Firewall Issues

Bug ID            Description
152224, 156926    With the persistence option enabled, access redirected by load balancing to a real server might remain persistent after the server failed or its HTTP service was disabled.

Web Proxy

Table 9: Resolved Web Proxy Issues

Bug ID    Description
156128    Directory listing of an FTP site may not work over Explicit Web Proxy.

VPN

Table 10: Resolved VPN Issues

Bug ID    Description
142302    Difficulties accessing some web sites via SSL VPN.
148546    After upgrading the release version, the boot image failed.
153719    IPSec VPN gateway route was not properly injected into the routing table when the associated interface was configured to use a PPPoE link.
155424    If a user took more than 30 seconds to provide his or her XAUTH credentials, the XAUTH window disappeared.
115358    A PC running Windows 7 or Vista might fail to do DNS resolution via the SSL VPN tunnel when a DNS server was not configured for SSL VPN on FortiGate and the split-tunneling option was not enabled.
140339    A VPN client might connect to the wrong network when the same subnet was configured for VPN in different VDOMs.
155243    FortiGate devices running FortiOS v4.0 MR2 and v4.0 MR3 may have difficulty establishing an IPSec tunnel.
156005    Using SSL VPN, cookies are not marked as either secure or HTTP only.


WAN Optimization

Table 11: Resolved WAN Optimization Issues

Bug ID    Description
153725    Some web sites might not be accessed when IE8 or IE9 were used and Web Cache was enabled. This affects the FG-200B and FG-80C series models.

Log and Report

Table 12: Resolved Log and Report Issues

Bug ID    Description
142853    A FortiGate might stop sending event logs to FortiAnalyzer or Syslog server after a reboot.
155404    After a master reboot, the logs from a cluster sent to the FortiAnalyzer unit were sent outside their designated secure tunnel.
155204    Duplicated entries can be seen on FortiGate when logs were retrieved from FortiAnalyzer.


6. Known Issues

This section lists the known issues of this release, but is not a complete list. For inquiries about a particular bug, please contact Customer Support.

System

Table 13: Known System Issues

Bug ID    Description                                                                                   Status
158146    Miglogd daemon may crash when new members join an HA cluster or when failover happens.       To be fixed in a future release.


7. Image Checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Fortinet Customer Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file, including the extension, and select Get Checksum Code.
Figure 1: Fortinet customer support image checksum tool

(End of Release Notes)