FortiOS v5.0 Patch Release 1 Release Notes

Upload: wanrramom

Post on 21-Oct-2015


December 21, 2012

01-501-190082-20121221

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are

registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks

of Fortinet. All other product or company names may be trademarks of their respective owners.

Performance metrics contained herein were attained in internal lab tests under ideal conditions,

and performance may vary. Network variables, different network environments and other

conditions may affect performance results. Nothing herein represents any binding commitment

by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the

extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a

purchaser that expressly warrants that the identified product will perform according to the

performance metrics herein. For absolute clarity, any such warranty will be limited to

performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in

full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise

this publication without notice, and the most current version of the publication shall be

applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]

Table of Contents

Change Log
Introduction
    Supported models
        FortiGate
        FortiWiFi
        FortiGate Virtual Machine
        FortiSwitch
    Supported virtualization software
    Summary of enhancements
        FortiOS v5.0 Patch Release 1
Special Notices
    General
    Important
        Monitor settings for Web-based Manager access
        Before any upgrade
        After any upgrade
    WAN Optimization
    MAC address filter list
    Spam Filter profile
    Spam Filter Black/White List
    DLP rule settings
    ID-based firewall policy
    FortiGate 100D upgrade and downgrade limitations
Upgrade Information
    Upgrading from FortiOS v5.0.0 GA
        Captive portal
        Reports
        SSL-VPN web portal
        Virtual switch and the FortiGate 100D
    Upgrading from FortiOS v4.0 MR3
        Table size limits
        SQL logging upgrade limitation
        SSL deep-scan
        Profile protocol options
    Downgrading to previous FortiOS version
Product Integration and Support
    Supported web browsers
    FortiClient support
    Fortinet Single Sign-On (FSSO) support
    FortiExplorer support (Windows/Mac OS X/iOS)
    AV Engine and IPS Engine support
    FortiAP support
    FortiSwitch support
    Module support
    SSL-VPN support
        SSL-VPN standalone client
        SSL-VPN web mode
        SSL-VPN host compatibility list
    Explicit Web Proxy browser support
Resolved Issues
    Antispam
    Antivirus
    CLI
    Client reputation
    Device visibility
    DLP
    Endpoint control
    Firewall
    FortiGate VM
    GTP
    High Availability
    IPS
    IPsec VPN
    Log & Report
    Routing
    Source visibility
    SSL-VPN
    System
    Upgrade
    VoIP
    WAN optimization and webproxy
    Web-based Manager
    Web Filter
    WiFi
Known Issues
    Antivirus
    Firewall
    FSSO
    High Availability
    IPS
    IPsec VPN
    Log & Report
    SSL-VPN
    System
    Web-based Manager
    WiFi
    Upgrade
Limitations
    Add Device Access List
Image Checksum


Change Log

Date Change Description

2012-12-21 Initial release.


Introduction

This document provides installation instructions, integration, support, and resolved/known

issues in FortiOS v5.0 Patch Release 1 build 0147.

Supported models

The following models are supported on FortiOS v5.0 Patch Release 1.

FortiGate

FG-20C, FG-20C-ADSL-A, FG-40C, FG-60C, FG-60C-PoE, FG-80C, FG-80CM, FG-100D,

FG-110C, FG-111C, FG-200B, FG-200B-PoE, FG-300C, FG-310B, FG-310B-DC, FG-311B,

FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B,

FG-3040B, FG-3140B, FG-3240C, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B,

and FG-5101C.

FortiWiFi

FWF-20C, FWF-20C-ADSL-A, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A,

FWF-80CM, and FWF-81CM.

FortiGate Virtual Machine

FG-VM32 and FG-VM64.

FortiSwitch

FS-5203B

Supported virtualization software

The following virtualization software is supported on FortiOS v5.0 Patch Release 1.

• vSphere 4.0, 4.1, and 5.0

See http://docs.fortinet.com/fgt.html for additional documentation on FortiOS v5.0 Patch

Release 1.


Summary of enhancements

FortiOS v5.0 Patch Release 1

The following is a list of enhancements in FortiOS v5.0 Patch Release 1:

• Add new drill-downs for the top sessions widget

• Add new Endpoint Control feature activities in the log

• Add PING server on FG-20C/FWF-20C devices

• Add support for IKEv2 configuration payload

• Addition of sort and filter functions for Web-based Manager pages

• Allow the identity base policy to spill over

• Device policy improvements

• Disk log settings returned

• Endpoint control: FortiClient logging (GUI)

• Endpoint registration over SSL-VPN tunnel mode

• Extend SIP helper for MSRP supporting MSRP NAT

• FortiClient endpoint control over IPsec VPN support

• FortiCloud certificate activation

• FortiSwitch Controller on FG-100D

• HA support for BYOD feature

• One-time schedule alert expiration

• Separate SSL/SSH deep inspection profile

• Schedule the rogue AP background scan

• Simplified client reputation configuration

• Support USB encrypted configuration file

• Support WiFi DFS models for Japan/Korea

• WIDS profile Web-based Manager support

Not all features/enhancements listed above are supported on all models.


Special Notices

General

The TFTP boot process erases all current firewall configuration and replaces it with the factory

default settings.

Important

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for

all the objects in the Web-based Manager to be viewed properly.

Before any upgrade

Save a copy of your FortiGate unit configuration (including replacement messages) prior to

upgrading.

After any upgrade

If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate

to ensure the Web-based Manager screens are displayed properly.

The virus and attack definitions included with the image upgrade may be older than what

currently is available from FortiGuard. Fortinet recommends performing an Update Now (System

> Config > FortiGuard > AntiVirus and IPS Options) as soon as possible after upgrading.

Consult the FortiOS Handbook/FortiOS Carrier Handbook for detailed procedures.

WAN Optimization

In FortiOS 5.0, WAN Optimization is enabled in security policies and WAN Optimization rules are

no longer required. Instead of adding a security policy that accepts traffic to be optimized and

then creating WAN Optimization rules to apply WAN Optimization, in FortiOS v5.0 you create

security policies that accept traffic to be optimized and enable WAN Optimization in those

policies. WAN Optimization is applied by WAN Optimization profiles which are created

separately and added to WAN Optimization security policies.

MAC address filter list

The mac-filter command under the config wireless-controller vap setting is not

retained after upgrading to FortiOS v5.0 Patch Release 1. It is migrated into both config user device and config user device-access-list setting.


Spam Filter profile

The spam filter profile has been changed in FortiOS v5.0 Patch Release 1. The

spam-emaddr-table and spam-ipbwl-table have been merged into the

spam-bwl-table. The spam-bwl-table exists in the spam filter profile.

Spam Filter Black/White List

The config spamfilter emailbwl and config spamfilter ipbwl commands are

combined into config spamfilter bwl.

DLP rule settings

The config dlp rule command is removed in FortiOS v5.0 Patch Release 1. The DLP rule

settings have been moved to inside the DLP sensor.

ID-based firewall policy

If the user has enabled fall-through-unauthenticated in the identity-based policy, the

following logic will apply:

• For unauthenticated users: if none of the accepted policies are matched and an

identity-based policy has been hit, the normal authentication process will be triggered based

on specific settings.

• For authenticated users: if an identity-based policy is matched, then the traffic will be

controlled by this policy. If none of the sub-rules are matched, the traffic will get dropped.

To enable/disable fall-through-unauthenticated in the identity-based policy, enter the following in the CLI:

config firewall policy
    edit <id>
        set identity-based enable
        set fall-through-unauthenticated [disable|enable]
    next
end


FortiGate 100D upgrade and downgrade limitations

With the release of FortiOS v5.0.0 GA and later, the FortiGate 100D runs a 64-bit version of

FortiOS. This has introduced certain limitations on upgrading and downgrading firmware in an

HA environment.

When upgrading from a 32-bit FortiOS version to a 64-bit FortiOS version on FortiGate 100Ds

running in a HA environment with uninterruptable-upgrade enabled, the upgrade process

may fail on the primary device after the subordinate devices have been successfully upgraded.

To work around this situation, users may disable the uninterruptable-upgrade option to allow all

HA members to be successfully upgraded. Without the uninterruptable-upgrade feature

enabled, several minutes of service unavailability are to be expected.

Downgrading a FortiGate 100D from FortiOS v5.0.0 GA is not supported due to technical

limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to downgrade

firmware is by using the TFTP server and BIOS menu to perform the downgrade. In this case the

configuration will need to be restored from a previously backed up version.


Upgrade Information

Upgrading from FortiOS v5.0.0 GA

FortiOS v5.0 Patch Release 1 build 0147 officially supports upgrade from FortiOS v5.0.0 GA.

Captive portal

The captive portal configuration has been altered in FortiOS v5.0 Patch Release 1 and upon

upgrading the previous configuration may be lost or changed. Review the following

configuration examples before upgrading.

Endpoint control

The following examples detail an endpoint control configuration to allow all compliant Windows

and Mac OS X computers network access. All non-compliant computers will be sent to the

captive portal.

Example FortiOS v5.0.0 GA configuration:

edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices "windows-pc" "mac"
            set endpoint-compliance enable
        next
        edit 2
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices all
            set action capture
            set devices "windows-pc" "mac"
            set captive-portal forticlient-compliance-enforcement
        next
    end
next


In FortiOS v5.0 Patch Release 1, the configuration has changed. Notice that sub-policy 2 has

been removed. The new set forticlient-compliance-enforcement-portal enable

and set forticlient-compliance-devices windows-pc mac CLI commands have

been added to the master policy.

Example FortiOS v5.0 Patch Release 1 configuration:

edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set forticlient-compliance-enforcement-portal enable
    set forticlient-compliance-devices windows-pc mac
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "abc"
            set service "ALL"
            set devices "windows-pc" "mac"
            set endpoint-compliance enable
        next
    end
next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If

this occurs, you have to enter the following CLI commands:

set forticlient-compliance-enforcement-portal enable
set forticlient-compliance-devices windows-pc mac

Device detection

The following examples detail a device detection configuration to allow Android, Blackberry,

and iPhone devices network access. The captive portal is used to optionally learn the device

type, or send back a replacement message if device type cannot be determined.

Example FortiOS v5.0.0 GA configuration:

edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices "android-phone" "blackberry-phone" "ip-phone"
        next
        edit 2
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices all
            set action capture
            set captive-portal device-detection
        next
    end
next

In FortiOS v5.0 Patch Release 1, the configuration has been changed. Notice that sub-policy 2

has been removed. The new set device-detection-portal enable CLI command has

been added to the master policy.

Example FortiOS v5.0 Patch Release 1 configuration:

edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set device-detection-portal enable
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "abc"
            set service "ALL"
            set devices "android-phone" "blackberry-phone" "ip-phone"
        next
    end
next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If

this occurs, you have to enter the following CLI command:

set device-detection-portal enable

Email collection

The following examples detail an email collection configuration which would allow all devices

for which an email-address has been collected network access. Any device which has not had

an email collected would be directed to the captive portal.

Example FortiOS v5.0.0 GA configuration:

edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices email-collection
        next
        edit 2
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices all
            set action capture
            set captive-portal email-collection
        next
    end
next

In FortiOS v5.0 Patch Release 1, the configuration has been changed. Notice that sub-policy 2

has been removed and the new set email-collection-portal enable has been added

to the master policy.

Example FortiOS v5.0 Patch Release 1 configuration:

edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set email-collection-portal enable
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "abc"
            set service "ALL"
            set devices all
        next
    end
next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If

this occurs, you have to enter the following CLI command:

set email-collection-portal enable


Reports

Before you run a report after upgrading to v5.0 Patch Release 1, you must enter the following

CLI commands on console:

execute report-config reset
This will reset report templates to the factory default.
All changes to the default report will be lost!
Do you want to continue? (y/n)y
Report configuration was reset to the factory default.

execute report recreate-db
This will recreate the report database from the log database.
Do you want to continue? (y/n)y
Request to recreate report database is successfully sent.

SSL-VPN web portal

For FortiGate 60C variants and lower models, only one SSL-VPN web portal is retained after

upgrading to FortiOS v5.0 Patch Release 1.

Virtual switch and the FortiGate 100D

The name Virtual Switch is used by different objects on the Web-based Manager and the CLI.

On the Web-based Manager Virtual Switch refers to an interface type and is used for the

FortiSwitch Controller feature. This instance of Virtual Switch maps to the CLI command

config switch-controller vlan.

The second instance of Virtual Switch in the CLI, config system virtual-switch is used

to configure the hardware switch. This command maps to the Web-based Manager Hardware

Switch interface type.

Upgrading from FortiOS v4.0 MR3

FortiOS v5.0 Patch Release 1 build 0147 officially supports upgrade from FortiOS v4.0 MR3

Patch Release 10 or later.

Table size limits

FortiOS v5.0 Patch Release 1 has changed the maximum allowable limits on some objects. As a

result, the configuration for some objects may be lost. These include:

• dlp sensor

• firewall vip

• application list

• dlp sensor filter

• ips sensor


SQL logging upgrade limitation

For the following units, after upgrading to FortiOS v5.0 Patch Release 1, SQL logging will be retained based on the total size of the RAM available on the device. Logs will use up to a maximum of 10% of the RAM; once that threshold is passed, any new logs will start to overwrite the older logs. The historical report generation will also be affected based on the SQL logs that are available for query.

FG-100D and FG-300C

SSL deep-scan

A new SSL/SSH inspection option is introduced to include all SSL protocols. The protocol status

in SSL/SSH inspection will default to disable for the SSL protocols. The SSL/SSH inspection

should be modified to enable the SSL protocols wherever inspection is required.

Before upgrade

• The AntiVirus, Web Filter, and Antispam profiles had separate protocol settings for the SSL

and non-SSL protocols.

• For HTTPS deep-scanning to be done, deep-scan needed to be enabled for HTTPS in the

UTM proxy options.

After upgrade

• The settings for the SSL protocols in the AntiVirus, Web Filter, and Antispam profiles have

been removed. Instead, the non-SSL options will apply to both the SSL and non-SSL

versions of each protocol. The SSL/SSH inspection options now include an enable/disable

option for each protocol. This is used to control which protocols are scanned and which SSL

enabled protocols are decrypted.

• To use HTTPS non-deep (SSL handshake) inspection, HTTPS needs to be enabled in the

SSL/SSH inspection options. A Web Filter profile with https-url-scan enabled needs to

be applied in the policy with the SSL/SSH inspection options. The Web Filter profile option

changes the inspection mode to non-deep scan. AV will not be performed if this option is

enabled. The Web Filter profile option does not apply if SSL inspect-all is enabled in the

SSL/SSH inspection options.

Behavior

• After upgrade, all the SSL related settings in the AntiVirus, Web Filter, and Antispam profiles

will be lost. The non-SSL settings will be retained and applied to the related SSL protocols if

they are enabled in the SSL/SSH inspection options. The protocol status in the SSL/SSH

inspection options will default to enable for the non-SSL protocols and will default to disable

for the SSL protocols. The SSL/SSH inspection options should be modified to enable the

SSL protocols wherever inspection is required.

• Any profiles requiring non-deep HTTPS inspection will need to be modified to include a Web

Filter profile and SSL/SSH inspection options with the settings as described above. The

original HTTPS deep-scan settings will be lost upon upgrade.


Profile protocol options

Deep inspection status configurations are not retained for FTPS/IMAPS/POP3S/SMTPS after

upgrading from FortiOS v4.3 MR3.

Example FortiOS v4.3 MR3 configuration:

config firewall profile-protocol-options
    edit "default"
        set comment "all default services"
        config http
            set port 80
            set port 8080
            set options no-content-summary
            unset post-lang
        end
        config https
            set port 443
            set port 8443
            set options allow-invalid-server-cert
            unset post-lang
            set deep-scan enable
        end
        config ftp
            set port 21
            set options no-content-summary splice
        end
        config ftps
            set port 990
            set options no-content-summary splice
            unset post-lang
        end
        config imap
            set port 143
            set options fragmail no-content-summary
        end
        config imaps
            set port 993
            set options fragmail no-content-summary
        end
        config pop3
            set port 110
            set options fragmail no-content-summary
        end
        config pop3s
            set port 995
            set options fragmail no-content-summary
        end
        config smtp
            set port 25
            set options fragmail no-content-summary splice
        end
        config smtps
            set port 465
            set options fragmail no-content-summary splice
        end
        config nntp
            set port 119
            set options no-content-summary splice
        end
    next
end

Example FortiOS v5.0 Patch Release 1 configuration:

config firewall profile-protocol-options
    edit "default"
        set comment "all default services"
        config http
            set ports 80 8080
            set options no-content-summary
            unset post-lang
        end
        config ftp
            set ports 21
            set options no-content-summary splice
        end
        config imap
            set ports 143
            set options fragmail no-content-summary
        end
        config mapi
            set ports 135
            set options fragmail no-content-summary
        end
        config pop3
            set ports 110
            set options fragmail no-content-summary
        end
        config smtp
            set ports 25
            set options fragmail no-content-summary splice
        end
        config nntp
            set ports 119
            set options no-content-summary splice
        end
        config dns
            set ports 53
        end
    next
end

config firewall deep-inspection-options
    edit "default"
        set comment "all default services"
        config https
            set ports 443 8443
            set allow-invalid-server-cert enable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
    next
end
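An added example, not part of Fortinet's release notes: a Python check that parses a pre-upgrade v4.3 MR3 backup and the post-upgrade v5.0 configuration, then lists every secure protocol whose deep-inspection section now carries set status disable or whose ports did not carry over. The function names are hypothetical, and the two sample configurations are abbreviated from the examples above.

```python
import shlex

SECURE = ("https", "ftps", "imaps", "pop3s", "smtps")
OLD_TABLE = "firewall profile-protocol-options"   # v4.3 MR3 location (from the example above)
NEW_TABLE = "firewall deep-inspection-options"    # v5.0 location (from the example above)

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts; 'set' values are kept under '_set'."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)    # handles quoted names and '#' header lines
        if not words:
            continue
        head, args = words[0], words[1:]
        if head == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif head == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif head in ("end", "next"):
            if len(stack) == 1:
                raise ValueError("unbalanced '%s'" % head)
            stack.pop()
        elif head == "set":
            # v4.3 repeats 'set port N'; v5.0 writes one 'set ports N M'. Merge both forms.
            stack[-1].setdefault("_set", {}).setdefault(args[0], []).extend(args[1:])
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root

def _settings(cfg, table, profile, proto):
    return cfg.get(table, {}).get(profile, {}).get(proto, {}).get("_set", {})

def audit_upgrade(before_text, after_text):
    """One row per secure-protocol section that existed before the upgrade."""
    before, after = parse_fortios(before_text), parse_fortios(after_text)
    old_table = before.get(OLD_TABLE, {})
    rows = []
    for profile in sorted(old_table):
        for proto in SECURE:
            if proto not in old_table[profile]:
                continue
            old = _settings(before, OLD_TABLE, profile, proto)
            new = _settings(after, NEW_TABLE, profile, proto)
            rows.append({
                "profile": profile,
                "protocol": proto,
                "ports_before": sorted(old.get("port", []), key=int),
                "ports_after": sorted(new.get("ports", []), key=int),
                "status_disabled": "disable" in new.get("status", []),
            })
    return rows

def needs_review(before_text, after_text):
    """(profile, protocol) pairs to re-check by hand after the upgrade."""
    return [(r["profile"], r["protocol"])
            for r in audit_upgrade(before_text, after_text)
            if r["status_disabled"] or r["ports_before"] != r["ports_after"]]

# Abbreviated from the v4.3 MR3 example in these release notes.
V43_SAMPLE = """
config firewall profile-protocol-options
    edit "default"
        config https
            set port 443
            set port 8443
            set deep-scan enable
        end
        config ftps
            set port 990
        end
        config imaps
            set port 993
        end
    next
end
"""

# Abbreviated from the v5.0 Patch Release 1 example in these release notes.
V50_SAMPLE = """
config firewall deep-inspection-options
    edit "default"
        config https
            set ports 443 8443
            set allow-invalid-server-cert enable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
    next
end
"""

if __name__ == "__main__":
    for profile, proto in needs_review(V43_SAMPLE, V50_SAMPLE):
        print("review %s/%s" % (profile, proto))
```

Run it against the full backup taken before the upgrade and the configuration exported afterward; each reported pair is a section to revisit in the profile.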

Downgrading to previous FortiOS version

Downgrading to previous FortiOS versions results in configuration loss on all models. Only the following settings are retained:

• operation modes

• interface IP/management IP

• route static table

• DNS settings

• VDOM parameters/settings

• admin user account

• session helpers

• system access profiles.


Product Integration and Support

Supported web browsers

• Microsoft Internet Explorer 8 and 9

• Mozilla Firefox 15.0 and 16.0

• Google Chrome 22.0

FortiClient support

FortiOS v5.0 Patch Release 1 is supported by the following:

• FortiClient for Windows build 0194

• FortiClient for Mac OS X build 0081

Fortinet Single Sign-On (FSSO) support

FortiOS v5.0 Patch Release 1 is supported by FSSO v4.0 MR3 B0129 for the following:

• Microsoft Windows Server 2003 R2 32-bit

• Microsoft Windows Server 2003 R2 64-bit

• Microsoft Windows Server 2008 32-bit

• Microsoft Windows Server 2008 Server 64-bit

• Microsoft Windows Server 2008 R2 64-bit

• Novell eDirectory 8.8

IPv6 is not currently supported by FSSO.

FortiExplorer support (Windows/Mac OS X/iOS)

FortiOS v5.0 Patch Release 1 is supported by FortiExplorer 2.1.1038 for Windows and Mac OS X.

FortiOS v5.0 Patch Release 1 is supported by FortiExplorer v1.0.3.0109 for iOS.

AV Engine and IPS Engine support

FortiOS v5.0 Patch Release 1 is supported by AV Engine 5.00032 and IPS Engine 2.00043.


FortiAP support

FortiOS v5.0 Patch Release 1 supports the following FortiAP models:

FAP-11C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and FAP-320B

The FortiAP device must be running FortiAP v5.0.0 GA build 0021 or later.

FortiSwitch support

FortiOS v5.0 Patch Release 1 supports the following FortiSwitch models:

FS-348B

The FortiSwitch device must be running FortiSwitch v1.00 Patch Release 2 build 4030.

Module support

FortiOS v5.0 Patch Release 1 supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC), Rear Transition Module (RTM), and Fortinet Storage Module (FSM) removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before a module is inserted or removed.

Table 1: Supported modules

AMC/FMC/FSM/RTM Module | FortiGate Platform
Storage Module 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, FG-5001A
Storage Module 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Accelerated Interface Module 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Accelerated Interface Module 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A, FG-5001A
Accelerated Interface Module 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A, FG-5001A
Bypass Module 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Bypass Module 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Security Processing Module 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, FG-5001A
Security Processing Module 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A, FG-5001A
Security Processing Module 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A, FG-5001A
Security Processing Module 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A
Rear Transition Module 10-GbE backplane fabric (RTM-XD2) | FG-5001A
Security Processing Module (ASM-ET4) | FG-310B, FG-311B
Rear Transition Module 10-GbE backplane fabric (RTM-XB2) | FG-5001A
Security Processing Module 2x10-GbE SFP+ (FMC-XG2) | FG-3950B, FG-3951B
Accelerated Interface Module 2x10-GbE SFP+ (FMC-XD2) | FG-3950B, FG-3951B
Accelerated Interface Module 20xSFP (FMC-F20) | FG-3950B, FG-3951B
Accelerated Interface Module 20x10/100/1000 (FMC-C20) | FG-3950B, FG-3951B
Security Processing Module (FMC-XH0) | FG-3950B

SSL-VPN support

SSL-VPN standalone client

FortiOS v5.0 Patch Release 1 supports the SSL-VPN tunnel client standalone installer build 2281 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X 10.7 in .dmg format
• Virtual Desktop in .jar format for Windows 7.

Table 2: Supported operating systems

Windows | Linux | Mac OS X
Windows 7 32-bit | CentOS 5.6 | Mac OS X 10.7 (Lion)
Windows 7 64-bit | |
Virtual Desktop Support
Windows 7 32-bit Service Pack 1 | |

SSL-VPN web mode

The following table lists the operating systems and browsers supported by SSL-VPN web mode.

Table 3: Supported browsers and operating systems

Operating System | Browser
Windows 7 32-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12
Windows 7 64-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12
CentOS 5.6 | Firefox 3.6
Mac OS X 10.7 (Lion) | Safari 5.1

SSL-VPN host compatibility list

The following tables list the AntiVirus and Firewall client software packages that are supported.

Table 4: Supported Windows XP AntiVirus and Firewall software

Product AntiVirus Firewall
Symantec Endpoint Protection v11
Kaspersky AntiVirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 5: Supported Windows 7 32-bit and 64-bit AntiVirus and Firewall software

Product AntiVirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Explicit Web Proxy browser support

The following browsers are supported by the Explicit Web Proxy feature:

• Internet Explorer 8 and 9
• Mozilla Firefox 15.0 and 16.0


Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Support.

Antispam

Table 6: Resolved antispam issues

Bug ID Description
154340 Proxy worker crashes with signal 7 on emails.
178515 The Hotmail general email log "to" and "cc" fields include double quotations.
185152 FortiGuard Spam IP address check does not work over SMTP and SMTPS.
189889 The scanunit process crashed when MMS endpoint BWL check was enabled.

Antivirus

Table 7: Resolved antivirus issues

Bug ID Description
176174 ETDB is erased and set default_db as ex. (Build 0080)
184584 avengine scanmode issue on 64-bit platforms.
187648 ETDB version is 0 after update-av and FLDB update is unexpected. (Build 0127)

CLI

Table 8: Resolved CLI issues

Bug ID Description
185946 Lots of pop up errors from console. (Build 4890)
190782 A combination of PARSE_F_MULARG and PARSE_F_SKIP causes the CLI to behave incorrectly.
191061 Create a new diag test command for fdsmgmtd.


Client reputation

Table 9: Resolved client reputation issues

Bug ID Description
184435 diagnose client-reputation test related CLI comments do not work.
187627 Missing crscore/craction in the host-detail for a failed connection/blocked policy.
187686 sql_db ioerror can cause a reputation data update to fail.

Device visibility

Table 10: Resolved device visibility issues

Bug ID Description
189181 Add a new pre-defined device group for Windows tablets.

DLP

Table 11: Resolved DLP issues

Bug ID Description
145588 The DLP log of a file pattern has the wrong file field with an HTTP POST request.
175582 The Archive and DLP monitor is unresponsive when report by protocol is selected.
187307 Check dlp file type filter is not selectable with message.

Endpoint control

Table 12: Resolved endpoint control issues

Bug ID Description
187048 FortiGate devices renew the Endpoint License expiry time when FortiClient is offline.
188259 Need to enforce disabling broadcast-forticlient-discovery when listen-forticlient-connection is disabled.
190985, 190994 When copying and pasting a FortiClient configuration into advanced-cfg-buffer, an application firewall rule list is required.
191040, 191052 Support multiple endpoints which have the same IP (from different VDOMS) in Endpoint Control record table.
191092 Allow FortiClient license upgrade feature on FG-110C and FG-111C.
191345 FortiGate will deny the traffic from a registered FortiClient over SSL-VPN.


Firewall

Table 13: Resolved firewall issues

Bug ID Description
156726 HTTPS SSL deep-scan download stalls at 99%.
163589 Management login support for RADIUS Challenge-Response.
167304 Control concurrent user authentication in identity-based-policy.
174101 Move auth-lockout to VDOM and add enable/disable commands.
180372 Device policy and explicit proxy should be mutually exclusive in the Web-based Manager and CLI.
183325 The multicast policy set protocol in CLI will not display any default values, the Web-based Manager displays default values correctly.
184312 High CPU usage by proxyworker process, along with multiple signal 11 segmentation faults.
184375 Uploads are interrupted by FortiGate devices with the load balancer feature enabled.
186588 DLP, AV, and Web Filter sometimes does not work when inspect-all is enabled.
186836 Re-enabling the UTM status of a firewall policy can result in all UTM options disappearing.
187125 Load balance health check monitor port change after reboot.
187131 Changing the members of a service group does not immediately affect a policy.
187202 The TLS connection cannot be completed. A method is required to control for TLS decryption.
187549 DCE-RPC high port assignment is not allowed when using Microsoft SCOM 2012.
188039 Firewall multicast policy source NAT does not work.
188975 In user visibility, Kerberos authentication takes higher priority than FSSO authentication.
189067 Driver fix for traffic failure reported from production and IQC.
189876 Support the SSL next-proto-negotiation extension.
190636 The connection will be reset if a client requests TLSv1.2 but the server chooses TLSv1.1 or below when SSL deep scan is enabled.
190776 Firewall policy can be set without service with the action IPsec or deny.
190990, 191585 System crashed showing ehci_hcd fatal errors.


191050 Handle HTTP connection upgrade in transparent proxy to support WebSocket traffic.
191171, 191319 FortiSwitch-controller configuration bug fix.
191471 FCT-Access once enabled on an interface will implicitly open port 8010 on all interfaces in the same VDOM.
191570 FSSO_Guest_User group does not work for ID-based policy.
191606 all service prot_type is not set.
151728, 174277, & 177976 UTM Web and Email monitor statistic recording.

FortiGate VM

Table 14: Resolved FortiGate VM issues

Bug ID Description
186173 FortiGate-VM64.hw07.vmxnet2.ovf and FortiGate-VM.hw07_vmxnet2.ovf cannot support HA.
186809 The FortiClient license support for FG-VM01 should be 1000.
186809, 186810, 190416 Set VM license levels for limiting python processes and FortiClient licenses.
186810 FG-VM00 should not have the Enter License option for the FortiClient Registration License.
190416 FG-VM is constantly in conserve mode.

GTP

Table 15: Resolved GTP issues

Bug ID Description
172442 MMS profile alert-int parameter missing.


High Availability

Table 16: Resolved high availability issues

Bug ID Description
153089 Automatic backup configuration bug in HA mode.
156040 Redundant HA in-sync log messages.
185272 When displaying a log message in a slave event log, the slave clock is adjusted to an invalid time.
185628 Part of the session information is not synchronized correctly under HA Active-Active mode when a device based firewall policy is configured.
186053 All heartbeat links fail simultaneously, triggered by traffic.
186681 The VLAN interface has the HA MAC address on both cluster members, after vcluster failover.
186788 Bulk CLI scripts cannot synchronize to a slave FortiGate if there is a comment on the script.
187026 A new HA cluster slave cannot synchronize an IPsec VPN tunnel from its master after synchronizing both sides.
187090 The slave log cannot be sent to a FortiAnalyzer when first forming the HA cluster.
187091 The master does not forward the slave's log to FortiAnalyzer in a multi VDOM environment when the new member has VDOMs configured.
187263 A FortiGate slave has cw_acd and cmdbsvr process crashes when synchronizing its configuration.
187424 The configuration cannot synchronize between the master and slave.
187430 A FG-100D device configured as HA master experienced a kernel crash and rebooted by itself.
187994 src-vis daemon crashes on the slave.
188912 Devices cannot get updates when configured in HA.
190223 Existing sessions hang after HA failover, when using FSSO authentication and disclaimer.
190237 Changing firewall policy attributes does not cause the checksum to change.
191144 The HA management interface cannot be configured and the newcli daemon crashed.
191692 The FortiGate device fails to send a FortiToken mobile activation code when a unit is operating in HA.


IPS

Table 17: Resolved IPS issues

Bug ID Description
170316 The proxyworker process will crash under SSH protocol fuzzing.
184016 IPS DoS log is different for an XLP offload with the CPU processed.
190637 Do not show fail open if IPS is busy due to signature or configuration change.

IPsec VPN

Table 18: Resolved IPsec VPN issues

Bug ID Description
176133 NPU offload does not work with IPsec VPN IPv6.
178665 L2TP over IPsec client cannot ping to internal network if the FortiGate has PPPoE WAN connection.
182017 A FortiGate PPTP client using PAP fails.
182910 The IPsec monitor shows the wrong user name for a dialup VPN with RSA aggressive mode.
183382 Invalid ESP packets are regularly generated.
183638 VPN DDNS gateway cache conflicts causing high IKED CPU usage.
184463 IPv6 traffic is lost when passed through an IPsec VPN with NP4 fast-path enabled.
186975 Enabling transparent mode npu-offload in IPsec phase1 could not force traffic to offload.
190405 IKEv2 DPD failure which brings down the tunnel when the peer was still reachable.
190752 iPhone 5 IPsec VPN connection issues.
190763 L2TP over IPSec issue with Chrome OS.
191229 Delete notify sent issue when IPsec SA hard expires.

Log & Report

Table 19: Resolved log & report issues

Bug ID Description
121065 log-disk-quota in global resource and vdom-property can be set smaller than the sum of quota in log disk setting. (Build 0101)
153210 ICMP6 is logged as others in the traffic log.


161048 When the schedule is set to weekly, Traffic History by Bandwidth/Sessions are empty.
163808 Cannot show the value of NIDS_EVENT in alertmail. (Build 0105)
168405 The quarantine archive tab loads in the Web-based Manager.
169215 Cannot send a slave log to FortiCloud.
172636 Logging of HTTP POST command blocking in Web Filtering.
173614 The spam filter log subject field is blank.
178128 Add the subject field to the DLP log.
181291 The log quota of VDOMs can exceed the size of the disk.
181391 If keeping bps as the unit, the correct number should be 8 times the current number.
183447 Add extended-utm-log to VoIP.
184465 The modem event log has the wrong format.
184875 The Web-based Manager should show the VOIP log.
185209 The traffic log is generated when utm-incident-traffic-log and log-traffic are both disabled.
185916 The ID field name in the DHCP log should be changed.
185949 No IPS incidents are in the traffic log; the report and client reputations do not have the related charts.
186280 A false alertmail email is sent out when HA status changes is enabled.
186362 Cannot add custom charts.
186918 Alertmail shows Failed to send alert email in logs, but the message has actually been sent.
187003 There is no invalid log for failed connection attempt cause; it fails to track the related client reputation.
187505 The reportd daemon has a signal 11 crash when a report is run manually.
187567 The IPMC-sensor log has illegal characters and the system log cannot be displayed in the Web-based Manager.
188002 Logs still use daylight savings time.
188038 The scheduled upload for dlp-archive does not work.
188117 DLP archive upload to FortiAnalyzer does not work when the upload option is store-and-upload.


188126 The log is deleted and there is a false emergency event log when usage is very low.
188144 The Top web users by bandwidth chart needs to be re-sized.
188199 There should be an event log when a scheduled update succeeds.
188326 The FG-100D receives a Failed to create statement for INSERT INTO apps error message after formatlogdisk.
188420, 190116 Generate an event log entry when connecting to a modem successfully.
188734 Traffic log is inconsistent after test AV sample. (Build 0131)
188854 UTM incident traffic logs are confusing when they match multiple UTM profiles. This causes the report and reputation to be incorrect.
188958 The miglogd daemon crashed when handling an abnormal log file. (Build 0130)
189785 Need to add crscore/craction to the traffic logs sent to FortiAnalyzer.
190519 Show FortiCloud log upload progress. (Build 0137)
190553 DLP PDF font handling issue from Ubuntu PDF generator.
190913 forticldd daemon usage issue, CPU is at 99%.
191106 Purge disk log after 7 days by default.
191245 Pause before attempting to connect to FortiCloud after an unsuccessful attempt.

Routing

Table 20: Resolved routing issues

Bug ID Description
176314 OSPF Hello uses a 32-bit netmask even if the tunnel interface IP has a smaller bitmask.
182783 The gateway of static route is its own address and should not be allowed or not be shown in routing table.
184378 The password function of IPv6 BGP neighbor does not work.
185808 PIM-SSM Multicast stream is PRUNED while other IGMPv3 receivers are still present.
188201 A four byte AS number is shown as '-1' in aggregate routes 'aggregated by'.
188470, 188480 Delete the detectserver option of fail-detect-option in transparent mode and add host name check for gwdetect server name.


188645 IPv6 address on FWF-60CM interface cannot be pingable when the routing path is asymmetric. (Build 0128)
190671 Make regexp "^$" work for locally originated BGP routes.

Source visibility

Table 21: Resolved source visibility issues

Bug ID Description
185512 The KDC-REQ user name is not recorded when user visibility is enabled.

SSL-VPN

Table 22: Resolved SSL-VPN issues

Bug ID Description
133510 No SSL-VPN tunnel plugin is available for 64-bit web browsers.
181139 Cannot open a JSP object in SSL web mode.
182464 The SSL-VPN tunnel widget does not work in the web mode portal on Windows 8 with Internet Explorer 10.
183875 There is an SMB/CIFS operation error in the SSL-VPN web portal.
184140 The RDP login screen is not displayed in full screen mode with SSL-VPN in web mode.
184285 Add the FortiClient download widget to the SSL-VPN web portal.
185359 Failed to create an SSL-VPN policy with the wizard because sslvpn-portal is not set.
187320 When a user logs out of SSL-VPN web mode from Fortinet bar they are redirected to an incorrect page.
187822 The SSL-VPN portal idle timeout does not work with Fortinet Bar enabled.
188048 The web mode SSL-VPN daemon crashes when the firewall policy address type is FQDN.
188083 The SSL daemon crashes when accessing the FortiGate Web-based Manager in web mode.
188730 The portal message setting is inconsistent for default and newly added SSL-VPN portals.
189246 PING6 for unreachable destination caused SSL-VPN portal to hang.


190106, 190336 Minor issues with the downloading SSL-VPN plugins from FDS.
191068 SSL-VPN could not be accessed for newly created VDOM.

System

Table 23: Resolved system issues

Bug ID Description
138324 The FortiToken drift value exceeds 254.
139978 Old acknowledged/deleted messages repeatedly show up in other message widgets on the dashboard.
150876 The duplex information on the FWF-60B displays incorrectly.
159921 There are no IPS fail-open status logs.
159974 FortiGate FSSO polling can not get all IP addresses if a workstation has multiple ethernet cards.
161876 The FG-600C gets a power supply 2 failure event log when the optional power supply is not installed.
172299 Ports 9-12 flap when connected to an Arista 7124SX switch.
175326 FortiGate responds to ARP requests on 192.168.0.1 on MGMT1 interface.
175520 FortiToken Mobile: current solution supports the root VDOM only.
178435 FQDN in the firewall will only grab the TTL value of an A record.
179382 The filters in interface > One-arm sniffer sometimes cannot accept or delete configurations.
179952 Stop quarantine and archive when in the conserve mode.
181367 Support larger replacement messages.
181426 After moving an interface into a newly created VDOM, the FortiGate unit still sends broadcasts in the old VDOM.
182835 The FG-200B port cannot detect FG-3016B link status.
183546 SSL process high memory issue.
183664 The PPPoE interface set defaultgw disable cannot remove the gateway.
183727 The FIPS-CC Alarms for user-auth-failure/lockout-threshold stops working.
184182 The CLI command diagnose test guest list reports null at the end of output.


184206 Russian FSTEK certification requirement for image checksum.
184314 Add/remove of physical Interface to 802.3ad aggregation brings the aggregate port down.
184699 The configuration is changed after the first reboot of a firmware upgrade.
184932 Unable to administratively Down or Up a tunnel interface via the CLI in the config global section.
185422 The modem default route is not installed when a modem is in the non-root VDOM.
185580 FortiGate devices should be in the pending state when switching accounts from an old account.
185606 There is an SNMP problem when using 250 VDOMs.
185909 The FG-111C switch works abnormally with FortiOS 5.0.
186100 The server probe does not support PPPoE devices.
186116 The FG-100D LENC cannot update from the FDS.
186448 Cannot login to the FortiCloud portal automatically when a FortiGate device is managed by FortiManager.
186523 FortiToken activation fails on particular FDS servers.
186530 When configuring two-factor authentication, some super_admin users cannot see the token.
186540 Setting the speed to 100half/10half does not take effect for 1G copper interfaces.
186672 Multi-VDOM admin's VDOM list sequences affect which token can be used in two-factor login.
186738 The SNMP trap for IPsec should contain the tunnel name.
186797 The Miglogd daemon uses high CPU when the syslogd2 server is defined.
187002 There is a cmdbsvr segfault when changing firewall policy in the Web-based Manager.
187274 DDNS stops working.
187327 The CLI hangs when the CLI displays More and Ctrl+C is pressed.
187498 Merging daemons causes a signal 11 Crash.
187519 The speed LED on a shared NIC port is not lit on the FG-800C.
187878 Removing the secondary IP disconnects the admin session.


187972 When restoring a multi-VDOM configuration, a configuration error occurs at reboot.
187975 Verify the DNS response code for the AAAA record (RFC 4074) when A record exist.
188016 Unable to delete the default firewall address.
188169 Mass MMS communication sockets are not removed after usage.
188544 The diagnose sys session6 filter command shows src twice.
188772 The diagnose system top command for CPU usage is not correct.
188844 Time Zone is incorrectly displayed. (Build 0128)
189189 FortiClient licenses should be kept after an upgrade.
189261 The authd and wad socket pipe fills up the /tmp directory.
190116 There is an unknown field name error message during PPPoE interface configuration.
190185 The update daemon uses up all the fd and stops working.
190292 Move reboot/shutdown to resource widget, update sysres widget.
190848 Unable to create a DHCP server on DHCP interface. (Build 0139)
191215 FG-1000C fails to change MGMT1 IP because subnets overlap, even though the subnets do not overlap.
191522 Unable to log in to FortiGate via SSH.

Upgrade

Table 24: Resolved upgrade issues

Bug ID Description
162779 Received Could not load host key: /tmp/ssh_host_rsa_key message after upgrading the FG-3140B from v4.0 build 0513 to v5.0 build 0023.
180843 A cluster of two FG-40C devices upgraded from v4.0 MR3 Patch Release 6 does not work.
183837 Upgrade unsuccessful due to too many entries in all tables of .firewall.service.category.
186008 When upgrading from build 0639 to build 0119, HTTPS deep scan does not upgrade properly.


188354 After upgrading from v4.0 MR3, ports from profile-protocol-options are not added to the iprope list.
189209 After upgrading from v4.0 MR3 to v5.0, the endpoint-profile should be set as default.

VoIP

Table 25: Resolved VoIP issues

Bug ID Description
178932 Problems encountered when enabling the SCCP VoIP profile.

WAN optimization and webproxy

Table 26: Resolved WAN optimization and webproxy issues

Bug ID Description
173668 The user monitor page reports incorrectly for Web-proxy users authenticated via FSSO.
185273 WAN Optimization Byte cache is not used in the reverse direction after a coldstart transfer.
185755 While testing explicit web proxy features, a segfault was observed.
187887 In explicit web-proxy, the traffic quota does not expire for HTTPS traffic.
188901 File upload fails (HTTP POST) through explicit proxy on specific websites.
189072 The webproxy firewall policy is lost for special schedule settings.
190746 The WAD daemon crashes for HTTP 0.9 traffic if DLP scan is enabled.

Web-based Manager

Table 27: Resolved Web-based Manager issues

Bug ID Description
149638 Show policy negates the status on the Web-based Manager.
152072 The pre- and post-login warning messages for admin log in have issues.
154191 Moving or refreshing the Web Filtering monitor page causes the device go into conserve mode.
167572 After changing the language, parts of the Web-based Manager still use the original language.
167836 Editing IPsec VPN v6 phase1 will result in an Invalid gateway address message.


Multiple Fixes for a large number of Web-based Manager bugs. Bug ID: 169314, 171703, 177692, 178755, 182799, 184117, 186760, 187703, 188286, 188405, 189201, 189799, 190308, 190322, 190461, 190493, 190506, 190728, 190772, 190794, 190796, 190867, 190871, 191005, 191480

171928, 185622 httpsd daemon crash in some monitoring pages.

173130 The pull-down menu does not show up correctly when a firewall policy is created with a certain administrator profile.

176568 Unable to clear the secondary-server configuration of a RADIUS server from the Web-based Manager.

179645 NAT, shaper, and WAN Optimization settings should be hidden when the policy action is set to deny.

180177 UTM endpoint control client installers have a directory traversal vulnerability.

182051 The insert section does not work from the Web-based Manager.

182659 Once a firewall address is associated to an interface, it cannot be reverted back to any from the Web-based Manager.

183435 Show the comment text, instead of just a note icon.

183453 The OK button does not save authentication settings in the web-proxy policy.

185173 The FWF-20C LAN + WiFi Setting wizard page displays an Invalid IP Range message incorrectly. (Build 0114)

185981 Application icons are incorrect in widgets, traffic logs, and application control lists.

187041 The OS signature was shown on device page when the mouse hovers over the device.

187083 A mobile token in activated status incorrectly has provision in the right click menu.

187465 The DoS policy page will display in a messy manner after setting the column ID in the policy page.

187493 Implicit firewall rules can be moved.

187699 Add policy drag & drop function back into the policy global view.

187826 With some specific wildcard addresses, the Web-based Manager firewall address page cannot be loaded.

188036, 190446, 190627 Widen columns for user/IP and recreate tables if table structure is not up to date.

188398 Implicit user identity policy rules' action is shown incorrectly in the Web-based Manager.

188636 When switching the DLP sensor to the default profile, the Web-based Manager shows HTTP error 400.

190026 There are HTTP 500 errors on firewall policies, UTM options, and DNS pages with specific configurations.

190026, 190149 Non-utf8 characters cause Web-based Manager issues.

190149 There is an internal server error when editing a policy that contains special characters.

190292 Move the reboot and shutdown commands to the resource widget.

191057 Missing group in SSL-VPN traffic log caused Web-based Manager parser error.

Web Filter

Table 28: Resolved web filter issues

Bug ID Description

158996 The FortiGuard override URL is incorrect when using deep inspection and a CN that contains wildcard characters.

160110 The monitor action of urlfilter should not exempt the block action of FortiGuard.

164917, 187714 Fix safe search enable issue.

165025 When the customize block page is enabled, the header HTTP/1.1 403 ... is lost in the HTTP package.

172865 For flow-based Web Filters, FortiGate devices cannot exempt SSL websites belonging to the bank category when deep-scan is enabled.

178351 When the local category is set to block, the category action cannot be disabled.

178351 In the ftgd-wf setting of a Web Filter profile, enable is renamed and takes a new role.

179265 CN based HTTPS Web URL Filtering does not work well under external proxy environments when exempt is configured as all.

180684 Web Filter quota resets incorrectly when the quota is edited.

185181 Browser-based FortiGuard Web Filtering override does not work.

186815 Websites could not be overridden to Unrated category by FortiGate local rating.

188607 FortiGuard service is intermittently unavailable. A restart of the urlfilter is required to recover.

189954, 189987 Redirect on HTTPS safe search and DLP PDF scan on SSN and CC.

WiFi

Table 29: Resolved WiFi issues

Bug ID Description

131373 WPA on virtual AP devices does not work if the physical WLAN is set to WPA2.

168555 Captive portal FQDN does not work on WiFi interfaces.

177422 There is a problem with the HP slate tablet related to 802.11n MSDU frame aggregation.

182204 Manual and auto suppression do not work.

186152 The FWF-20C-ADSL-A has an incorrect wireless default configuration.

186562 Virtual AP intermittently stops working. Displaying the configuration also fails.

188644 Unable to create more than 508 SSIDs with RADIUS security.

188805 The WPA daemon is crashing, causing all Virtual APs to be reconfigured.

189354 Ap-bgscan scheduling does not work.


Known Issues

The known issues listed below do not include every bug that has been reported with this release. For inquiries about a particular bug, please contact Customer Service & Support.

Antivirus

Table 30: Known antivirus issues

Bug ID Description

191950 Files being downloaded while AV is enabled may experience an interruption.

Firewall

Table 31: Known firewall issues

Bug ID Description

186428 The Web-based Manager fails to allow adding a tag for a firewall address.

191184 VLAN IDs and their assignment to a corresponding NPU may result in the interface not processing ARP requests properly.

FSSO

Table 32: Known FSSO issues

Bug ID Description

186536 The status of the FSSO polling agent in the Web-based Manager is not shown correctly.

High Availability

Table 33: Known high availability issues

Bug ID Description

192192 Enabling standalone-config-sync may fail to synchronize sessions.

IPS

Table 34: Known IPS issues

Bug ID Description

171443 An application list traffic shaper fails to be applied on an FMC-XH0 and FMC-XG2 card.


IPsec VPN

Table 35: Known IPsec VPN issues

Bug ID Description

192347 The FortiGate device may drop sessions with NP4/IPsec offload in a hub and spoke or spoke to spoke traffic topology.

Log & Report

Table 36: Known log & report issues

Bug ID Description

183778 DoS logs do not contain the interface-policy ID.

191808 The FortiGate device fails to generate logs for application control with explicit proxy.

SSL-VPN

Table 37: Known SSL-VPN issues

Bug ID Description

185658 The SSL-VPN daemon may experience high CPU.

191725 An SSL-VPN may fail to renew passwords as authenticated by LDAPS.

System

Table 38: Known system issues

Bug ID Description

190141 The configuration fails to accept DHCPv6 server domain names beginning with digits.

Web-based Manager

Table 39: Known Web-based Manager issues

Bug ID Description

188785 The Web-based Manager displays only one channel in the Client Monitor when bonding is configured.

188936 The Web-based Manager fails to allow usernames with special characters in an identity-based policy.


WiFi

Table 40: Known WiFi issues

Bug ID Description

184014 WiFi clients connected to FortiAP may experience high latency towards the wireless controller.

Upgrade

Table 41: Known upgrade issues

Bug ID Description

192391 A newly created device-based policy cannot retain the original policy's UTM-related settings after enabling Endpoint Registration.


Limitations

This section outlines the limitations in FortiOS v5.0 Patch Release 1.

Add Device Access List

If the device-access-list has the action set to deny, you will need to explicitly define a device in order to allow it to work.

For instance,

config user device
    edit "win"
        set mac 01:02:03:04:05:06
    next
end

config user device-access-list
    edit "wifi"
        set default-action deny
        config device-list
            edit 1
                set action accept
                set device "windows-pc" <------------- predefined device-category
            next
            edit 2
                set action accept
                set device "win" <------------- custom device
            next
        end
    next
end

As a result, the predefined device-category entry 1 will not get access. Only the custom device entry 2 will be able to get access.


Image Checksum

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file name, including the extension, and select Get Checksum Code.

Figure 1: Customer Service & Support image checksum tool

End of Release Notes
