FortiOS v4.0 MR3 Patch Release 11 Release Notes

Upload: lequynh

Post on 16-Apr-2018


Page 1: FortiOS v4.0 MR3 Patch Release 11 Release Notes163.17.235.1/sct/FortiOS-v4.0-MR3-Patch-Release-11-Release-Notes… · FortiOS v4.0 MR3 Patch Release 11 Release Notes November 21,


November 21, 2012

01-4311-188206-20121121

Copyright © 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]


Table of Contents

Change Log
Introduction
  Supported models
    FortiGate
    FortiWiFi
    FortiGate Virtual Machine
    FortiSwitch
  Supported virtualization software
  Summary of enhancements
FortiOS Carrier
  Supported models
    FortiCarrier models
Special Notices
  General
  Important
    Monitor settings for Web-based Manager access
    Before any upgrade
    After any upgrade
  FortiGate 1240B upgrade and downgrade limitations
Upgrade Information
  Upgrading from FortiOS v4.0 MR3
    Historical reports upgrade limitation
    SQL logging upgrade limitation
    FortiGate 100D
  Upgrading from FortiOS v4.0 MR2
    DDNS
    DNS server
    Ping server
    Central-management
    SNMP community
    Modem settings
    AMC slot settings
    Wireless radio settings
    Web filter overrides
    Firewall policy settings
    URL filter
    FortiGuard log filter
    FortiGuard log setting


  Upgrading from FortiOS v4.0 MR1
  Downgrading to FortiOS v4.0 MR1
Product Integration and Support
  Supported web browsers
  FortiManager support
  FortiAnalyzer support
  FortiClient support
  FortiAP support
  Fortinet Single Sign-On (FSSO) support
  FortiExplorer support
  AV Engine and IPS Engine support
  Module support
  SSL-VPN support
    SSL-VPN standalone client
    SSL-VPN web mode
    SSL-VPN host compatibility list
  Explicit Web Proxy browser support
Resolved Issues
  Data Leak Prevention
  ELBC
  Email Filter
  Firewall
  High Availability
  IPsec VPN
  Log & Report
  Routing
  SSL-VPN
  System
  VoIP
  WAN Optimization & Web Proxy
  Web-based Manager
  Web Filter
  WiFi


Known Issues
  Endpoint Control
  High Availability
  IPsec VPN
  Log & Report
  SSL-VPN
  System
  Upgrade
  Web-based Manager
  Web Filter
  WiFi
Limitations
  Citrix XenServer limitations
  Open Source Xen limitations
Image Checksum


Change Log

Date        Change Description
2012-11-21  Initial release.
2012-11-22  Added FAP-112B, FAP-223B, and FAP-320B to Product Integration and Support chapter.


Introduction

This document provides installation instructions and addresses issues and caveats in FortiOS v4.0 MR3 Patch Release 11 build 0646.

Supported models

The following models are supported on FortiOS v4.0 MR3 Patch Release 11.

FortiGate

FG-20C, FG-20C-ADSL-A, FG-30B, FG-40C, FG-50B, FG-51B, FG-60B, FG-60C, FG-60C-PoE, FG-80C, FG-80CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-PoE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800C, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FG-5101C, and FG-One.

FortiWiFi

FWF-20C, FWF-20C-ADSL-A, FWF-30B, FWF-40C, FWF-50B, FWF-60B, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.

FortiGate Virtual Machine

FG-VM32, and FG-VM-64

FortiSwitch

FS-5203B

Supported virtualization software

The following virtualization software is supported on FortiOS v4.0 MR3 Patch Release 11.

• vSphere 4.0, 4.1, vSphere 5.0

• Citrix XenServer 5.6sp2/6.0

• Open Source Xen 3.4.3

• Open Source Xen 4.1

FG-VM64-XEN

This model is released on a special branch based off of FortiOS v4.0 MR3 Patch Release 11. As such, the System > Dashboard > Status page and the output of the get system status CLI command display 5920 as the build number.

To confirm that you are running the proper build, check the output of the get system status CLI command: it has a Branch point field that should read 0646.


See “Limitations” on page 29 for more information.

See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR3.

Summary of enhancements

The following is a list of enhancements in FortiOS v4.0 MR3 Patch Release 11:

• Added upload log schedule option in the Web-based Manager.

• Display platform information in the Web-based Manager.


FortiOS Carrier

This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release 11 build 0646.

Supported models

The following models are supported on FortiOS Carrier v4.0 MR3 Patch Release 11.

FortiCarrier models

FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001, FCR-5001A, FCR-5001B, FCR-5001FA2, and FCR-5005FA2.

Firmware image filenames begin with FK.

See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR3.


Special Notices

General

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

Important

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be viewed properly.

Before any upgrade

Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

After any upgrade

If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate to ensure the Web-based Manager screens are displayed properly.

The Virus and Attack definitions included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard Distribution Server. Fortinet recommends performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) as soon as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for detailed procedures.

FortiGate 1240B upgrade and downgrade limitations

With the release of FortiOS v4.0 MR3 Patch Release 2 and later, the FortiGate 1240B will run a 64-bit version of FortiOS. This has introduced certain limitations on upgrading firmware in a high availability (HA) environment, and on downgrading.

When performing an upgrade from a 32-bit FortiOS version to a 64-bit FortiOS version, and the FortiGate 1240Bs are running in an HA environment with the uninterruptable-upgrade option enabled, the upgrade process may fail on the primary device after the subordinate devices have been successfully upgraded. To work around this situation, users may disable the uninterruptable-upgrade option to allow all HA members to be successfully upgraded. Without the uninterruptable-upgrade feature enabled, several minutes of service unavailability are to be expected.

Downgrading a FortiGate 1240B from FortiOS v4.0 MR3 Patch Release 2 is not supported due to technical limitations between 64-bit and 32-bit versions of FortiOS. The only way to downgrade firmware is to use the TFTP server and BIOS menu to perform the downgrade. In this case the configuration will need to be restored from a previously backed up version.


Upgrade Information

Upgrading from FortiOS v4.0 MR3

FortiOS v4.0 MR3 Patch Release 11 build 0646 officially supports upgrade from FortiOS v4.0 MR3 GA or later.

Historical reports upgrade limitation

For the following units, historical reports from previous builds will not be retained after upgrading to FortiOS v4.0 MR3 Patch Release 11:

FG-20C, FWF-20C, FG-40C, FWF-40C, FG-60C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FG-80C, FWF-81CM

Workaround: Download the historical reports to a local PC hard drive before performing the upgrade.

SQL logging upgrade limitation

For the following units, after upgrading to FortiOS v4.0 MR3 Patch Release 11, SQL logging will be retained based on the total size of the RAM available on the device. Logs will use up to a maximum of 10% of the RAM; once that threshold is passed, any new logs will start to overwrite the older logs. Historical report generation will also be affected, because it depends on the SQL logs that are available for query.

FG-100D, FG-300C

FortiGate 100D

FortiOS v4.0 MR3 Patch Release 11 supports the FortiGate 100D platform. Included with this model is a special purpose management port that operates on its own virtual domain (VDOM). An issue exists with this feature whereby FortiCare registration fails when initiated from the FortiGate device if this port is connected to the Internet and thus FortiGuard and FortiCare.

Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR2 Patch Release 12 or later does not switch the management VDOM. You must change the management VDOM from the default setting to the root VDOM.

To do this, use the following CLI commands:

    config system global
    set management-vdom root
    end
    end


Upgrading from FortiOS v4.0 MR2

Please upgrade to the latest v4.0 MR2 patch release prior to upgrading to v4.0 MR3 Patch Release 11. For more information, see the latest FortiOS v4.0 MR2 patch release notes.

After every upgrade, ensure that the build number and branch point match the image that was loaded.
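
The build and branch point check above, together with the FG-VM64-XEN note in the Introduction, can be scripted against saved get system status output. The following is an added example, not Fortinet code: the "Version:" and "Branch point:" line layouts and the sample outputs are constructed assumptions, while the expected values (0646, 5920, 4083) are the ones stated in this document.

```python
"""Compare the build number and branch point in saved `get system status`
output with the values expected for the firmware image that was loaded."""
import re
from typing import List, NamedTuple, Optional


class ImageId(NamedTuple):
    build: Optional[int]
    branch_point: Optional[int]


# Expected values taken from the release notes text.
STANDARD = ImageId(build=646, branch_point=646)    # Patch Release 11, build 0646
VM64_XEN = ImageId(build=5920, branch_point=646)   # FG-VM64-XEN special branch

# ASSUMPTION: the build appears as "build<digits>" on a "Version:" line and the
# branch point on its own "Branch point:" line. Adjust to what your unit prints.
_BUILD_RE = re.compile(r"^[ \t]*Version:.*\bbuild[ \t]*(\d+)", re.I | re.M)
_BRANCH_RE = re.compile(r"^[ \t]*Branch point:[ \t]*(\d+)[ \t\r]*$", re.I | re.M)


def parse_status(text: str) -> ImageId:
    """Extract build and branch point; a field that is absent becomes None."""
    def first_int(rx) -> Optional[int]:
        m = rx.search(text)
        # int() drops leading zeros, so "0646" and "646" compare equal.
        return int(m.group(1)) if m else None
    return ImageId(first_int(_BUILD_RE), first_int(_BRANCH_RE))


def check_upgrade(text: str, expected: ImageId) -> List[str]:
    """Return a list of mismatches; an empty list means the image matches."""
    found = parse_status(text)
    problems = []
    for name in ImageId._fields:
        got, want = getattr(found, name), getattr(expected, name)
        if got is None:
            # Truncated console capture or a different output layout.
            problems.append(f"{name}: field not found in output")
        elif got != want:
            problems.append(f"{name}: got {got:04d}, expected {want:04d}")
    return problems


# Constructed sample captures (not real device output).
SAMPLE_OK = (
    "Version: FortiGate-100D v4.0,build0646 (MR3 Patch 11)\r\n"   # CRLF capture
    "Branch point: 0646\r\n"
)
SAMPLE_XEN = (
    "Version: FortiGate-VM64-XEN v4.0,build5920 (MR3 Patch 11)\n"
    "Branch point: 646\n"
)
# Unit still on the factory image, and the capture was cut short.
SAMPLE_STALE = "Version: FortiGate-100D v4.0,build4083\n"


if __name__ == "__main__":
    cases = [
        ("100D", SAMPLE_OK, STANDARD),
        ("VM64-XEN", SAMPLE_XEN, VM64_XEN),
        ("stale", SAMPLE_STALE, STANDARD),
    ]
    for label, text, expected in cases:
        issues = check_upgrade(text, expected)
        print(label, "OK" if not issues else "; ".join(issues))
```
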

DDNS

DDNS configurations under interface are moved to global mode config system ddns after upgrading to FortiOS v4.0 MR2 Patch Release 12.

DNS server

The dns-query recursive/non-recursive option under specific interfaces is moved to the system level per VDOM mode, and config system dns-server can be used to configure the option after upgrading to FortiOS v4.0 MR2 Patch Release 12.

Ping server

gwdetect related configurations under specific interfaces are moved under router per VDOM mode, and config router gwdetect can be used to configure the option after upgrading to FortiOS v4.0 MR2 Patch Release 12.

Central-management

The set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed after upgrading to FortiOS v4.0 MR2 Patch Release 12.

SNMP community

A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR2 Patch Release 12.

Modem settings

wireless-custom-vendor-id and wireless-custom-product-id are moved from config system modem to config system 3g-modem custom after upgrading to FortiOS v4.0 MR2 Patch Release 12.

AMC slot settings

The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR2 Patch Release 12.

Wireless radio settings

Wireless radio settings, except for SSID, Security Mode, and Authentication settings, will be lost after upgrading.


Web filter overrides

The contents of Web Filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 build 0313 to FortiOS v4.0 MR2 Patch Release 12.

Firewall policy settings

If the source interface or destination interface is set as the amc-XXX interface, the default value of ips-sensor under config firewall policy is changed from all_default to default after upgrading to FortiOS v4.0 MR2 Patch Release 12.

URL filter

The action options in the urlfilter configuration have been changed from Allow, Pass, Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action will not report logs in FortiOS v4 MR3 Patch Release 1. The Monitor action now serves as the action that allows log reporting. The Pass action in FortiOS v4.0 MR2 has been merged with Exempt in FortiOS v4.0 MR3 Patch Release 1, and the CLI command has been changed from set action pass to set exempt pass.

FortiGuard log filter

The settings of config log fortiguard filter are removed after upgrading to FortiOS v4.0 MR2 Patch Release 12.

FortiGuard log setting

The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading to FortiOS v4.0 MR2 Patch Release 12.

Upgrading from FortiOS v4.0 MR1

Upgrading from FortiOS v4.0 MR1 is not supported. Please upgrade to FortiOS v4.0 MR3 Patch Release 5 prior to upgrading to v4.0 MR3 Patch Release 11. For more information, see the FortiOS v4.0 MR3 Patch Release 5 Release Notes.

Downgrading to FortiOS v4.0 MR1

Downgrading to FortiOS v4.0 MR1 (or later) results in configuration loss on ALL models. Only the following settings are retained:

• operation modes

• interface IP/management IP

• route static table

• DNS settings

• VDOM parameters/settings

• admin user account

• session helpers

• system access profiles.


Product Integration and Support

Supported web browsers

• Microsoft Internet Explorer 8 and 9

• Mozilla Firefox 15.0 and 16.0

FortiManager support

FortiOS v4.0 MR3 Patch Release 11 is supported by FortiManager v4.0 MR3 Patch Releases 6 and later.

FortiAnalyzer support

FortiOS v4.0 MR3 Patch Release 11 is supported by FortiAnalyzer v4.0 MR3.

If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function correctly with FortiOS v4.0 MR3 Patch Release 11.

FortiClient support

FortiOS v4.0 MR3 Patch Release 11 is fully compatible with FortiClient v4.0 MR2 Patch Release 3 and later for the following operating systems:

• Microsoft Windows XP 32-bit

• Microsoft Windows Vista 32-bit

• Microsoft Windows Vista 64-bit

• Microsoft Windows 7 32-bit

• Microsoft Windows 7 64-bit

FortiAP support

FortiOS v4.0 MR3 Patch Release 11 supports the following FortiAP models:

FAP-112B, FAP-210B, FAP-220A, FAP-220B, FAP-221B, FAP-222B, FAP-223B, FAP-320B

The FortiAP devices must be running FortiAP v4.0 MR3 or later.


Fortinet Single Sign-On (FSSO) support

FortiOS v4.0 MR3 Patch Release 11 is supported by FSSO v4.0 MR3 build 0129 for the following:

• Microsoft Windows Server 2003 R2 32-bit

• Microsoft Windows Server 2003 R2 64-bit

• Microsoft Windows Server 2008 32-bit

• Microsoft Windows Server 2008 64-bit

• Microsoft Windows Server 2008 R2 64-bit

• Novell eDirectory 8.8.

IPv6 currently is not supported by FSSO.

FortiExplorer support

FortiOS v4.0 MR3 Patch Release 11 is supported by FortiExplorer v2.0 build 1022.

AV Engine and IPS Engine support

FortiOS v4.0 MR3 Patch Release 11 is supported by AV Engine v4.0 MR3 build 0398 and IPS Engine v1.0 build 0247.

Module support

FortiOS v4.0 MR3 Patch Release 11 supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage Module (FSM) removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before the module is inserted or removed.

Table 1 outlines supported modules.

Table 1: Supported modules

AMC/FMC/FSM/RTM Modules | FortiGate Model
Storage Module: 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Storage Module: 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Accelerated Interface Module: 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Accelerated Interface Module: 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A, FG-5001A-DW
Accelerated Interface Module: 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A, FG-5001A-DW
Bypass Module: 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Bypass Module: 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Security Processing Module: 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, FG-5001A-SW
Security Processing Module: 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A, FG-5001A-DW
Security Processing Module: 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A, FG-5001A-DW
Security Processing Module: 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A
Rear Transition Module: 10-GbE backplane fabric (RTM-XD2) | FG-5001A-DW
Security Processing Module (ASM-ET4) | FG-310B, FG-311B
Rear Transition Module: 10-GbE backplane fabric (RTM-XB2) | FG-5001A-DW
Security Processing Module: 2x10-GbE SFP+ (FMC-XG2) | FG-3950B, FG-3951B
Accelerated Interface Module: 2x10-GbE SFP+ (FMC-XD2) | FG-3950B, FG-3951B
Accelerated Interface Module: 20xSFP (FMC-F20) | FG-3950B, FG-3951B
Accelerated Interface Module: 20x10/100/1000 (FMC-C20) | FG-3950B, FG-3951B
Security Processing Module (FMC-XH0) | FG-3950B

SSL-VPN support

SSL-VPN standalone client

FortiOS v4.0 MR3 Patch Release 11 supports the SSL-VPN tunnel client standalone installer build 2277 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Virtual Desktop in .jar format for Windows 7
• Mac OS X 10.7 in .dmg format

Table 2 lists the supported operating systems.

SSL-VPN web mode

FortiOS v4.0 MR3 Patch Release 11 supports the following browsers for SSL-VPN web mode:

• Internet Explorer 8.0

• Internet Explorer 9.0

• Firefox 13.0

• Firefox 3.6

• Safari 5.1

SSL-VPN host compatibility list

The following tables list the AntiVirus and Firewall client software packages that are supported.

Table 3 lists supported Windows XP AntiVirus and Firewall software.

Table 4 lists supported Windows 7 32-bit AntiVirus and Firewall software.

Table 2: Supported operating systems

Windows Linux Mac OS X

Windows XP 32-bit SP3 CentOS 5.6 Lion 10.7

Windows 7 32-bit SP1

Windows 7 64-bit SP1

Virtual Desktop Support

Windows 7 32-bit SP1

Table 3: Supported Windows XP AntiVirus and Firewall software

Product AntiVirus Firewall

Symantec Endpoint Protection v11

Kaspersky AntiVirus 2009

McAfee Security Center v8.1

Trend Micro Internet Security Pro

F-Secure Internet Security 2009

Table 4: Supported Windows 7 32-bit AntiVirus and Firewall software

Product AntiVirus Firewall

CA Internet Security Suite Plus Software

AVG Internet Security 2011

F-Secure Internet Security 2011

Kaspersky Internet Security 2011

McAfee Internet Security 2011

Norton 360™ Version 4.0

Norton™ Internet Security 2011

Panda Internet Security 2011

Sophos Security Suite

Trend Micro Titanium Internet Security


Table 4: Supported Windows 7 32-bit AntiVirus and Firewall software (continued)

ZoneAlarm Security Suite

Symantec Endpoint Protection Small Business Edition 12.0

Table 5 lists supported Windows 7 64-bit AntiVirus and Firewall software.

Table 5: Supported Windows 7 64-bit AntiVirus and Firewall software

Product AntiVirus Firewall

CA Internet Security Suite Plus Software

AVG Internet Security 2011

F-Secure Internet Security 2011

Kaspersky Internet Security 2011

McAfee Internet Security 2011

Norton 360™ Version 4.0

Norton™ Internet Security 2011

Panda Internet Security 2011

Sophos Security Suite

Trend Micro Titanium Internet Security

ZoneAlarm Security Suite

Symantec Endpoint Protection Small Business Edition 12.0

Explicit Web Proxy browser support

The following browsers are supported by the Explicit Web Proxy feature:

• Microsoft Internet Explorer 7.0

• Microsoft Internet Explorer 8.0

• Mozilla Firefox 3.x


Resolved Issues

The resolved issues listed below do not include every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Support.

Data Leak Prevention

Table 6: Resolved Data Leak Prevention issues

Bug ID Description

177167 proxyworker daemon may crash when doing both AntiVirus and DLP on POP3 traffic.

184739 Email file pattern filter does not work correctly.

ELBC

Table 7: Resolved ELBC issues

Bug ID Description

161340 Session lost after new blade joined the ELBC cluster.

179754 Web-based Manager widgets break configuration sync, and may lead to traffic outage.

Email Filter

Table 8: Resolved Email Filter issues

Bug ID Description

173123 FortiGate cannot encode additional UTF-8 tag to mail subject properly.

Firewall

Table 9: Resolved Firewall issues

Bug ID Description

146110 Increase maximum concurrent connections for proxy worker.

174309 SSL proxy always catches SSL connection and decrypts it.

175677 The destination to IP in IP pool may fail.

176209 SSL proxy rewrites server certificate for explicit FTPS connection even if FTPS is disabled in the AntiVirus profile.

178178 DCE-RPC helper does not create expectation for IRemoteActivation IOXIDResolver method.


Table 9: Resolved Firewall issues (continued)

Bug ID Description

178548 FortiGate sends TACACS+ authorization query with Minor Version equal to 1 instead of 0 in packet header.

178968 Session setup rate is 32% less than build 0505.

183546 SSL process with high memory.

183870 SSL deep scan does not support >= TLSv1.1, causing a handshake failure.

184675 Sessions not passing traffic until reset.

High Availability

Table 10: Resolved High Availability issues

Bug ID Description

157903 Increase of Group-IDs for FGCP HA cluster.

174198 GTP tunnels are not synchronized between HA master and slave.

180794 HA Split Brain occurs when error detected on FSM Module.

181271 HATALK daemon consumes 99% CPU utilization.

181455 When rebooting standby device, master device is affected.

182307 Session is lost and marked as dirty after primary unit fails back from initial fail-over.

182442 Slave unit cannot successfully sync IPS decoder settings.

187006 Cluster that is built on FortiGate with hard disks might lose members.

187516 ospf6d and bgpd daemon crashes may happen with certain configurations.

IPsec VPN

Table 11: Resolved IPsec VPN issues

Bug ID Description

150359 L2TP-IPsec - L2TP packets are dropped once decrypted from IPsec tunnel.

170816 FortiGate 300C setup redundancy IPsec over port3 and port4, when port3 is down, port4 does not work.

178732 IPsec SA rekeying affecting BGP.

178935 ike daemon crash with segmentation fault in IPsec with many split tunnels.


Log & Report

Table 12: Resolved Log & Report issues

Bug ID Description

166236 Reliable syslog connection is reset if SEQ message is received.

180761 Attack name is missing in anomaly logs.

180985 Missing interface information in DoS attack logs on XLR interface.

184136 UTM logs show wrong interface.

Routing

Table 13: Resolved Routing issues

Bug ID Description

165401 IPv6 routes learned via BGP not added to routing table.

166438 Delay in BGP (v4 & v6) updates being accepted into FIB.

172276 OSPF one way traffic over IPsec and NP4.

183537 OSPFv2 slow convergence for Summary/Type-3 routes.

SSL-VPN

Table 14: Resolved SSL-VPN issues

Bug ID Description

174264 SSL-VPN tunnel cannot be connected in web mode in Firefox through proxy server.

177607 Problem accessing the Lotus Domino web mail from the SSL-VPN web mode portal.

179847 Some embedded Java scripts using Sharepoint are not rewritten through SSL-VPN Web portal.

180589 SSL-VPN Java applet (version 10.7.x) is not working with Mac OS X.

181139 Cannot open JSP object in SSL-VPN web mode.

182056 User less remained Framed-IP prevents RADIUS authentication.

183794 The Host Check function did not properly validate the client's system when running the periodic Host Check set for 300.

183823 The product accepted/used an invalid CRL for client certificate authentication/validation.

184054 SSL-VPN certificate setting change cannot take effect sometimes under stress.

185397 The SSL-VPN daemon crashed under SSL-VPN stress plus routing change.


Table 14: Resolved SSL-VPN issues (continued)

Bug ID Description

185404 Remote web access portal upload hangs intermittently.

185455 SSL-VPN daemon memory leaking under stress test.

185658 SSL-VPN daemon high CPU usage.

System

Table 15: Resolved System issues

Bug ID Description

127295 CLI reports error when aggregate/redundant interfaces are deleted.

156726 HTTPS SSL deep-scan download stalls at 99%.

161010 DNS PTR requests are forwarded to the wrong name server.

164367 proxyworker daemon may crash with signal 7.

166440 Missed MSISDN entries never time out in miglogd cache, which caused memory usage to keep going up.

171443 Application List traffic shaper not applied on XH0 and XG2.

172302 diagnose system ntp status command not working properly.

172780 diagnose test app radius 3 output truncated.

173514 Source MAC address changed from vcluster2 MAC to vcluster1 MAC by using aggregate interface.

174691 FortiGate misses application list setting by system reboot.

174990 Speed up aggregate failover detection.

175529 cmdbsvr keeps CPU usage at 94% and lasts 22 minutes to upload Bulk CLI Command File.

176234 Changing configuration makes FortiGate 3040B crash/reboot.

176242 CPU utilization peaks of cmdbsvr and iked processes after configuration changes affecting user traffic.

176499 Error counter value for interfaces on CE4 module.

176606 Group-object-filter of LDAP group match cannot work.

176836 Giant packet with data-size >2122 cannot be processed by XH0 interface.

176951 No DoS attack log when XG2 is in NPU-Cascade mode.

176972 FortiGate sends destination MAC 00:00:00:00:00:00 packet when IP Pool receives sessionless TCP packet.

177215 ICMPv6 packets which are too big are sent even though packet size < MTU.


Table 15: Resolved System issues (continued)

Bug ID Description

177326 Unable to store FortiToken in configuration file.

177462 SNMP reports ifHCInOctets statistics in 32 bit.

177528 Fix XG2 cards hang issue.

177555 Secondary-IP entry number inconsistency.

178018 NP2 (ADM-FB8) port flapping during high CPU.

178981 Forticron seems to have high memory.

179096 SNMPv3 engineboot counter is not incremental after reboot.

179438 FortiGate 3950B stopped forwarding traffic after some time in operation.

179449 GTP firewall memory leak.

179614 WAD daemon crashed when debug with filter enabled.

180673 During DoS targa2 attack on FortiGate 20C, unit becomes unresponsive.

181423 FortiGate 5101C fabric channel does not pass traffic.

181939 Interface configuration randomly lost.

182301 Build 0521: FortiGate allows more than one ICMP port unreachable packet through.

182417 Kernel NULL pointer error and auto reboot if we open jumbo supporting on FortiGate 800C.

183608 Use virtual time for watchdog in snmpd.

183821 FortiGate improperly gave the reason of invalid password when the administrator provides an incorrect account name.

184906 snmpd consumes all available UNIX socket descriptors and subsequently crashes.

185083 Packet capture cannot start again when finished.

185384 Some hosts behave like a black hole randomly during scan.

185434 Software switch does not pass traffic after reboot.

VoIP

Table 16: Resolved VoIP issues

Bug ID Description

180504 No audio on incoming call to PBX which has call forwarding enabled.


WAN Optimization & Web Proxy

Table 17: Resolved WAN Optimization & Web Proxy issues

Bug ID Description

182964 Fix WAD crash when cache object is invalidated by HTTP POST.

183006 Specific web page not fully loaded when explicit proxy with ActiveX filter is used.

176363 FortiGate WCCP router fails to forward traffic from client to webcache in middle of large file transfer.

180932 Cookie based web authentication does not work when authentication username is certain length.

162330 Website is blocked when Web Filter is enabled with ftgd-disable (license expired) in web proxy policy.

Web-based Manager

Table 18: Resolved Web-based Manager issues

Bug ID Description

118058 Cannot filter policy on count field.

150876 Duplex information on FortiWiFi 60B displays incorrectly.

154191 Moving around web filtering monitor page or refreshing it causes conserve mode.

163974 The Override Category in the second entry (id=141) could not be displayed in the Web-based Manager.

168946 config restore password pre-filled with garbage causes restore to fail.

170730 Mismatch CLI and Web-based Manager display after configuring set quarantine-log enable and set log enable on DoS Sensor.

171928 Visiting Email Monitor causes FortiGate to enter conserve mode.

172661 Web-based Manager Top 10 sessions display two or three items of same source address.

173130 Pull-down menu does not show up correctly when a firewall policy is created with a certain administrator profile.

176364 Web-based Manager has a problem disabling secondary-IP for VLAN interface.

176471 get wireless-controller wlchanlistlic outputs XML source codes.

178033 UTM features cannot be displayed by using the newest Chrome version.

180234 Unit Operation shows minus number on interface packet counts.

180351 FortiGate SSL-VPN manage Web-based Manager remote memory corruption.


Table 18: Resolved Web-based Manager issues (continued)

Bug ID Description

180964 FortiGate Web-based Manager SSL-VPN configuration memory corruption.

181112 FortiGate Web-based Manager cannot be shown in Windows 8 Internet Explorer 10.

Web Filter

Table 19: Resolved Web Filter issues

Bug ID Description

158996 FortiGuard override URL is incorrect when using deep inspection and CN contains wildcard character.

185529 Web Filter authentication times out.

WiFi

Table 20: Resolved WiFi issues

Bug ID Description

157663 WiFi channel bonding causes strange radio behavior.

176615 Suggest to remove channel settings from default WTP profiles.

177811 RADIUS does not failover to secondary server for an extended time period.

179246 WiFi Region Code "J" fails on the FortiWiFi 40C.

181802 Allow XSS characters in WiFi SSID names.

181841 FortiOS v4.0 MR3 default WTP profiles for FortiAP112B, and 320B should not have channels.

182678 An SSID may fail on the FortiWiFi 40C.


Known Issues

The known issues listed below do not include every bug that has been reported with this release. For inquiries about a particular bug, please contact Customer Service & Support.

Endpoint Control

Table 21: Known Endpoint Control issues

Bug ID Description

184536 Endpoint control profile is configurable, but cannot be applied to the firewall policy.

High Availability

Table 22: Known High Availability issues

Bug ID Description

184915 HA not syncing added interfaces.

186053 All heartbeat links fail simultaneously, triggered by traffic.

IPsec VPN

Table 23: Known IPsec VPN issues

Bug ID Description

182893 IPsec VPN traffic seems to work only one way when fastpath is enabled.

183638 High CPU with iked 95%-99%.

Log & Report

Table 24: Known Log & Report issues

Bug ID Description

183778 Missing interface-policy ID field in DoS logs.

SSL-VPN

Table 25: Known SSL-VPN issues

Bug ID Description

178431 SSL-VPN daemon may crash while browsing very long URLs in web portal.

179445 SSL-VPN/Citrix does not work on Windows 7 Enterprise.


Table 25: Known SSL-VPN issues (continued)

Bug ID Description

179847 Some embedded Java scripts using Sharepoint are not rewritten through SSL Web portal.

179881 Remote Desktop session via SSL Web portal is not in full screen using 1366*768 screen resolution.

182443 SSL-VPN daemon may crash when certain traffic traverses the tunnel.

System

Table 26: Known System issues

Bug ID Description

171261 Local images not displayed in replacement messages.

175326 FortiGate responds to ARP requests on 192.168.0.1 on MGMT1 interface.

176202 VLAN interface does not stick with software switch interface after reboot.

179613 Port9 to Port13 of the FortiGate 3040B cannot negotiate Huawei Router NE40.

181712 LACP (1G links) causes line flapping (Cisco switch side only).

185432 Traffic history for aggregate link is incorrect at the Web-based Manager.

188544 diagnose sys session6 filter shows source twice.

188769 ICMPv6 ping traffic is not blocked when there is no firewall policy on interface.

188772 diag sys top for CPU usage is not correct.

Upgrade

Table 27: Known Upgrade issues

Bug ID Description

188860 UTM profile cannot be displayed when there is no default profile.

Web-based Manager

Table 28: Known Web-based Manager issues

Bug ID Description

171226 If the policy ID exceeds 2147483647, a negative value is displayed on the Web-based Manager.

186030 Credential information is kept in the query string.

189029 No FortiToken listed in the Web-based Manager when editing administrator with remote authentication enabled.


Web Filter

Table 29: Known Web Filter issues

Bug ID Description

178127 Web Filter block failures for specially crafted packets, single byte.

188607 FortiGuard service is intermittently unavailable, and urlfilter needs to be restarted to recover.

WiFi

Table 30: Known WiFi issues

Bug ID Description

183513 When DARRP is enabled, a FortiAP device may intermittently become disconnected.

186562 FortiWiFi 80CM, virtual AP intermittently stops working and displays that the configuration failed.


Limitations

This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 11.

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.

• FortiGate-VM can be imported or deployed in only the following three formats:

• XVA (recommended)

• VHD

• OVF

• The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source Xen limitations

When using Ubuntu 11.10, Xen 4.1.0, and libvirt 0.9.2, importing issues may arise when using the qcow2 format and existing HDA issues.


Image Checksum

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file name, including the extension, and select Get Checksum Code.

Figure 1: Customer Service & Support image checksum tool

End of Release Notes
