
Release Notes v4.0 MR2

01-420-84420-20100331

FortiGate® Multi-Threat Security System

Release Notes FortiOS v4.0 MR2

Table of Contents

1 FortiOS v4.0 MR2 ... 1
  1.1 Summary of Enhancements Provided by v4.0 MR2 ... 1
2 Special Notices ... 3
  2.1 General ... 3
  2.2 Configuration Files Backups ... 3
  2.3 External Modem Support ... 3
  2.4 SSL-VPN Notes ... 3
  2.5 Logging to FortiAnalyzer using AMC Hard Disk ... 4
  2.6 AV Scanning Of Archived Files ... 4
  2.7 WCCP Multi-VDom Support ... 4
  2.8 Endpoint Control ... 4
  2.9 Supported Character Sets ... 4
  2.10 ASM-SAS Module Support ... 5
  2.11 AntiSpam Engine Support ... 5
  2.12 FortiGuard support for IPv6 ... 5
  2.13 STP Support for WAN2 Interface ... 5
  2.14 HMAC Offload Setting Change ... 5
  2.15 STP Packet Support on FGT-110C and FGT-111C ... 5
  2.16 FortiGuard Service is Enabled By Default ... 6
  2.17 AntiVirus and IPS Update ... 6
3 Upgrade Information ... 7
  3.1 Upgrading from FortiOS v3.00 MR7 ... 7
  3.2 Upgrading from FortiOS v4.0 ... 7
  3.3 Upgrading from FortiOS v4.0 MR1 ... 9
4 Downgrading to FortiOS v3.00 ... 11
5 Fortinet Product Integration and Support ... 12
  5.1 FortiManager Support ... 12
  5.2 FortiAnalyzer Support ... 12
  5.3 FortiClient Support ... 12
  5.4 Fortinet Server Authentication Extension (FSAE) Support ... 12
  5.5 AV Engine and IPS Engine Support ... 12
  5.6 3G MODEM Support ... 12
  5.7 AMC Module Support ... 13
  5.8 SSL-VPN Support ... 14
    5.8.1 SSL-VPN Standalone Client ... 14
    5.8.2 SSL-VPN Web Mode ... 15
  5.9 SSL-VPN Host Compatibility List ... 15
6 Resolved Issues in FortiOS v4.0 MR2 ... 17
  6.1 Command Line Interface (CLI) ... 17
  6.2 Web User Interface ... 17
  6.3 System ... 17
  6.4 High Availability ... 18
  6.5 Firewall ... 18
  6.6 IPS ... 19
  6.7 VPN ... 19
  6.8 Web Filter ... 19

i March 31, 2010


  6.9 Data Leak Prevention ... 19
  6.10 Instant Message ... 19
  6.11 WAN Optimization ... 20
  6.12 Log & Report ... 20
  6.13 FSAE Collector Agent ... 20
7 Known Issues in FortiOS v4.0 MR2 ... 22
  7.1 Command Line Interface (CLI) ... 22
  7.2 Web User Interface ... 22
  7.3 System ... 22
  7.4 High Availability ... 23
  7.5 Firewall ... 23
  7.6 Antivirus ... 24
  7.7 IPS ... 24
  7.8 Web Filter ... 24
  7.9 Data Leak Prevention ... 24
  7.10 Instant Message ... 24
  7.11 Application Control ... 25
  7.12 VPN ... 25
  7.13 Log & Report ... 25
  7.14 FSAE Collector Agent ... 26
  7.15 FSAE Windows DC Agent ... 26
  7.16 Wi-Fi ... 26
8 Image Checksums ... 27
9 Appendix A – P2P Clients and Supported Configurations ... 28
10 Appendix B – Knowledge Base Articles ... 29

Change Log

Date | Change Description
2010-03-31 | Initial Release.

© Copyright 2010 Fortinet Inc. All rights reserved. Release Notes FortiOS™ v4.0 MR2.

Trademarks

Copyright © 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com


1 FortiOS v4.0 MR2

This document provides installation instructions, and addresses issues and caveats in the FortiOS™ v4.0 MR2 B0272 release. The following outlines the release status for several models.

Model | FortiOS v4.0 MR2 Release Status

FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT3016B, FGT-3600, FGT-3600A, FGT-3810A, FGT-5001A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2. | All models are supported on the regular v4.0 MR2 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR2 release.

1.1 Summary of Enhancements Provided by v4.0 MR2

The following is a brief list of the new features added in FortiOS v4.0 MR2.

• New Web UI Design
• Supports Dynamic Proxy Allocation
• IS-IS Routing Protocol Support
• WCCP Client Support
• Explicit Proxy Improvements
• HA Management Port Reservation
• SSL Proxy Exemption by FortiGuard Category
• Web 2.0 Log Viewer
• Introduced 'grep' Capability in the CLI
• Supports sFlow (Client)
• Supports FortiGuard Widget on the Dashboard
• Local Content Archive Support
• Introduces Report Module Feature
• HA Sub-second Failover Support
• Enhanced Support for BGP Routing
• Introduction of Web Filtering Quota
• Supports ELBC Synchronization
• Endpoint Control - Extension to Endpoint Application Detection
• Dashboard Widget Extensions
• Supports L2TP with IPSec
• Skype Control Improvement
• Supports VRRP and Link Failure Control
• Per-IP Bandwidth Dashboard Widget
• Improved Client Certificate Handling for SSL Inspection
• Maximum Concurrent Users for Explicit Proxy
• Full SIP Feature Support
• FSAE Support Polling Domain Controllers
• Improved DC Agent Distribution (MSI)
• Storage Health Monitor Feature
• Improved Disk I/O Scalability
• Protection Profile Re-work
• Supports Web Cache Exempt List
• Introduction of Network Scan Feature
• Introduction of Network Monitoring Feature
• Supports Password Renewal for LDAP or RADIUS Users
• Disk Management
• Supports Extreme AV Database
• Introduction of Flow-based AntiVirus Feature
• Supports Diagnostic Command Lock-down
• Configuration Revision History and Templates
• Enhanced Customizable Web UI Feature
• Introduces Support for Stateful SCTP Firewall


2 Special Notices

2.1 General

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 8.0 (IE8) and Firefox 3.5 or later are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper display of the Web UI screens.

• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

2.2 Configuration Files Backups

Configuration files that are backed up in FortiOS v4.0 MR2 without the encryption option are saved in clear text and are not compressed. It is recommended that you enable encryption for security reasons, as the backup includes the authentication certificates used in VPNs, SSL-VPNs, and administrative access.

2.3 External Modem Support

Configuration of modems on FortiGate models that only support external modems can be performed only through the CLI in FortiOS v4.0 MR2.

2.4 SSL-VPN Notes

The following is a special notice related to the SSL-VPN implementation.

• The "RDP to Host" option in web mode can accept a keyboard layout setting as a parameter when the client connects to a server.

• In the "RDP to Host" field type:

  <IP address or FQDN of the server> -m <language>

  where <language> is one of the following:

  o ar Arabic
  o da Danish
  o de German
  o en-gb English - Great Britain
  o en-us English - US
  o es Spanish
  o fi Finnish
  o fr French
  o fr-be Belgian French
  o fr-ca French (Canada)
  o fr-ch French (Switzerland)
  o hr Croatian
  o it Italian
  o ja Japanese
  o lt Lithuanian
  o lv Latvian
  o mk Macedonian
  o no Norwegian
  o pl Polish
  o pt Portuguese
  o pt-br Brazilian Portuguese
  o ru Russian
  o sl Slovenian
  o sv Swedish
  o tk Turkmen
  o tr Turkish

2.5 Logging to FortiAnalyzer using AMC Hard Disk

If logging to a FortiAnalyzer is enabled and the "Log to AMC Hard Disk & Upload to FortiAnalyzer" option is enabled, all logs are stored on the AMC hard disk before being sent to the FortiAnalyzer. In the event of an AMC hard disk failure, all logs stored on the hard disk waiting to be sent to the FortiAnalyzer may be lost.

2.6 AV Scanning Of Archived Files

The decompression nesting level for archived files scanned by the AV engine can now be configured through the CLI. The default decompression level is 12.
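To make the nesting level concrete, here is an added example (not Fortinet code, and not how the FortiOS AV engine is implemented) that walks nested ZIP archives down to a configurable depth and records when an archive below that depth is left unopened. It handles ZIP only, counts the outermost archive as depth 1, and builds its own constructed nested sample in memory so it runs offline.

```python
import io
import zipfile


def build_nested_zip(levels, payload=b"hello"):
    """Constructed sample: wrap `payload` in `levels` ZIP archives, one inside the other."""
    data, name = payload, "payload.txt"
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan_archive(data, max_depth=12, depth=1):
    """Recursively open nested ZIP members down to `max_depth` archive levels.

    Returns {"deepest": archive levels actually opened,
             "leaves": names of non-archive members found,
             "limit_hit": True if an archive below max_depth was left unopened}.
    The outermost archive counts as depth 1, so max_depth=12 mirrors the default above.
    """
    result = {"deepest": depth, "leaves": [], "limit_hit": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            if not zipfile.is_zipfile(io.BytesIO(member)):
                result["leaves"].append(info.filename)
                continue
            if depth >= max_depth:
                # The decision the scanner has to make at the limit: stop rather than
                # decompress without bound. Whatever sits below stays unscanned, which
                # is why the limit is a trade-off between resource use and coverage.
                result["limit_hit"] = True
                continue
            inner = scan_archive(member, max_depth, depth + 1)
            result["deepest"] = max(result["deepest"], inner["deepest"])
            result["leaves"].extend(inner["leaves"])
            result["limit_hit"] = result["limit_hit"] or inner["limit_hit"]
    return result


if __name__ == "__main__":
    sample = build_nested_zip(3)
    print(scan_archive(sample))               # all three levels opened, payload.txt reached
    print(scan_archive(sample, max_depth=2))  # stops at level 2, limit_hit is True
```

A `limit_hit` result is the case to alert on: content that the scanner never looked at passed through, so a lowered nesting level should be paired with a policy for what happens to archives that exceed it.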

2.7 WCCP Multi-VDom Support

WCCPv2 is a per-VDom feature, hence the WCCP configuration and the web cache must reside in the same VDom. The FortiGate does not support scenarios where WCCPv2 settings are distributed across different VDoms.

2.8 Endpoint Control

The Endpoint Control check feature cannot be used with a load balance VIP.

2.9 Supported Character Sets

The following are the character sets supported by the web filter and spam filter features.

• Japanese
  o jisx0201
  o jisx0208
  o jisx0212
  o sjis
  o euc_jp
  o ISO 2022_jp
  o ISO 2022_jp1
  o ISO 2022_jp2
  o ISO 2022_jp3

• Chinese
  o gb2312
  o euc_cn
  o ces_gbk
  o ces_big5
  o hz

• Korean
  o ksc5601_ex
  o euc_kr

• Thai
  o tis620
  o cp874

• Latin (French, German, Spanish and Italian)
  o ISO 8859_1
  o cp1252

• Serbian, Macedonian, Bulgarian and Russian
  o cp1251

2.10 ASM-SAS Module Support

FortiOS v4 supports the ASM-SAS module on the following models:

• FGT-5001A
• FGT-3810A

2.11 AntiSpam Engine Support

AS engine and AS heuristic rule set updates from the FortiGuard system will be supported in a future release of FortiOS.

2.12 FortiGuard support for IPv6

FortiGuard does not support URL rating of IPv6 addresses. URLs whose DNS name resolves to an IPv6 address are still rated and filtered.

2.13 STP Support for WAN2 Interface

The stpforward option under the wan2 interface has been removed for FGT-110C and FGT-111C (bug 100596).

2.14 HMAC Offload Setting Change

The default setting for the hmac-offload command has been changed to enable. This may violate ICSA compliance. Therefore, users who require their FortiGate device to be ICSA compliant should disable this option.

2.15 STP Packet Support on FGT-110C and FGT-111C

The stpforward option under FortiGate-110C and FortiGate-111C interfaces only supports PVST+ and rapid PVST+ packets. All other STP protocols are not forwarded.


2.16 FortiGuard Service is Enabled By Default

The FortiGuard service is now enabled as long as it is used in a firewall profile. The FortiGate may encounter intermittent traffic problems if the FortiGuard service is enabled and no valid DNS server is configured. It is recommended that the 'force-off' option be enabled under 'config system fortiguard' if no valid DNS server is configured.

2.17 AntiVirus and IPS Update

The scheduled update behaviour under which FortiGuard AV and IPS updates are requested by a FortiGate device running FortiOS v4.0 MR2 has changed. The FortiGate device requests AV and IPS updates only if a protection profile with AV or IPS scanning is enabled and is used in a firewall policy.


3 Upgrade Information

3.1 Upgrading from FortiOS v3.00 MR7

Direct upgrading from FortiOS v3.00 MR7 Patch Release 9 to v4.0 MR2 is not supported. Fortinet recommends the following upgrade path:

FortiOS v3.00 MR7P9 (or later)
  ↓
v4.0.4 B0113 (or later)
  ↓
v4.0 MR2 B0272 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

3.2 Upgrading from FortiOS v4.0

FortiOS v4.0 MR2 officially supports upgrade from FortiOS v4.0 Patch Release 4 or later. See the upgrade path below. The arrows indicate "upgrade to".

[FortiOS v4.0] The upgrade is supported from FortiOS v4.0.4 B0113 or later.

v4.0.4 B0113 (or later)
  ↓
v4.0 MR2 B0272 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration] If a network interface has the ips-sniffer-mode option set to enable, and that interface is used by a firewall policy, then after upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR2 the ips-sniffer-mode setting will be changed to disable.

[Webfilter Banned Word and Exempt Word List] FortiOS v4.0 MR1 merged the web filter banned and exempt word lists into one list under "config webfilter content". Upon upgrading to v4.0 MR2, ONLY the banned word list is retained. For example:

In FortiOS v4.0.4

config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end


config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end

After upgrading to FortiOS v4.0 MR2

config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

Before upgrading, backup your configuration, parse the webfilter exempt list entries, and merge them into the webfilter content list after the upgrade.

After merging the exempt list from v4.0.4 into the webfilter content list

config webfilter content
    edit 1
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
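The "parse the exempt list and merge it" step above is easy to get wrong by hand on a large list, so here is an added example (not a Fortinet tool, and not part of these release notes) that does it mechanically: a small parser for the FortiOS CLI syntax (config / edit / set / next / end only) and a merge routine that emits the v4.0 MR2 "config webfilter content" block, keeping the banned list and adding each exempt word of the same list ID with "set action exempt". The input is a constructed copy of the v4.0.4 listing above; the quoting rule in fmt() is an assumption for readability, not a FortiOS requirement.

```python
import re
import shlex

# Constructed sample input mirroring the v4.0.4 listing above (not a real device backup).
OLD_CONFIG = """\
config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI syntax (config / edit / set / next / end) into nested dicts.

    A node is {"set": {key: [values]}, "sections": {name: {entry_id: node}}}.
    """
    root = {"set": {}, "sections": {}}
    nodes = [root]   # stack of edit-entry scopes
    sections = []    # stack of config-section scopes
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            sections.append(nodes[-1]["sections"].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            nodes.append(sections[-1].setdefault(args[0], {"set": {}, "sections": {}}))
        elif cmd == "set":
            nodes[-1]["set"][args[0]] = args[1:]
        elif cmd == "next":
            nodes.pop()
        elif cmd == "end":
            sections.pop()
    return root


def fmt(value):
    """Keyword-like values (enable, exempt, 1) stay bare; anything else is double-quoted."""
    return value if re.fullmatch(r"[a-z0-9_-]+", value) else f'"{value}"'


def emit_entry(out, word, settings, exempt):
    out.append(f'            edit "{word}"')
    if exempt:
        out.append("                set action exempt")
    for key, values in settings.items():
        out.append(f"                set {key} {' '.join(fmt(v) for v in values)}")
    out.append("            next")


def merge_word_lists(old_config):
    """Build the v4.0 MR2 'config webfilter content' block from a v4.0.4 config:
    keep each banned list and fold the exempt list with the same ID into it."""
    tree = parse_fortios_config(old_config)
    bword = tree["sections"].get("webfilter bword", {})
    exmword = tree["sections"].get("webfilter exmword", {})
    out = ["config webfilter content"]
    for list_id, node in bword.items():
        out += [f"    edit {list_id}", "        config entries"]
        exempt_entries = exmword.get(list_id, {}).get("sections", {}).get("entries", {})
        for word, entry in exempt_entries.items():
            emit_entry(out, word, entry["set"], exempt=True)
        for word, entry in node["sections"].get("entries", {}).items():
            emit_entry(out, word, entry["set"], exempt=False)
        out.append("        end")
        for key, values in node["set"].items():   # e.g. set name "BannedWordList"
            out.append(f"        set {key} {' '.join(fmt(v) for v in values)}")
        out.append("    next")
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    print(merge_word_lists(OLD_CONFIG))
```

Run it against the bword and exmword sections cut from the pre-upgrade backup; the printed block can then be pasted into the CLI after the upgrade, and re-parsing the output with parse_fortios_config is a quick way to confirm every exempt word carries "set action exempt" before doing so.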

[VoIP Settings]

FortiOS v4.0 MR2 can archive messages and files caught by the Data Leak Prevention feature, which includes some VoIP messages. However, in some scenarios this affects which configuration is retained on upgrade. Consider the following:

• FortiGate in v4.0.4 has two protection profiles: PP1 and PP2.
• PP1 contains
  o DLP sensor: DLP1
  o Application control list: APP1 which archives SIP messages
• PP2 contains
  o DLP sensor: DLP1
  o Application control list: APP2 which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR2, the VoIP settings are not moved into the DLP archive feature.

[NNTP DLP Archive] NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2.

[EmailFilter Banned Word Setting] The "set spam-bword-table X" setting under "config firewall profile" will be lost after upgrading from FortiOS v4.0.4 to FortiOS v4.0 MR2.

[HTTPS Invalid Certificate Setting] The HTTPS "allow-invalid-server-cert" setting under "config firewall profile" will be lost after upgrading from FortiOS v4.0.4 to FortiOS v4.0 MR2.

3.3 Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR2 officially supports upgrade from FortiOS v4.0 MR1 Patch Release 4 or later. See the upgrade path below. The arrows indicate "upgrade to".

[FortiOS v4.0 MR1] The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0196 or later.

v4.0 MR1 Patch Release 4 B0196 (or later)
  ↓
v4.0 MR2 B0272 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DLP Rule] A DLP rule with the subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2.

[HTTPS Invalid Certificate Setting] The HTTPS "allow-invalid-server-cert" setting under "config firewall profile" will be lost after upgrading from FortiOS v4.0 MR1 Patch Release 3 B0194 to FortiOS v4.0 MR2 B0272.

[AlertMail Setting] The "set local-disk-usage-warning enable" setting under "config alertemail settings" will be reset to disable after upgrading to FortiOS v4.0 MR2.

[System Autoupdate Settings] The settings under "config system autoupdate schedule" will be reset to default values after upgrading to FortiOS v4.0 MR2.
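The backup taken before an upgrade (section 2.1 and the webfilter note in 3.2) is also the place to check the two things these notes raise: that an unencrypted backup carries credentials in clear text (section 2.2), and which settings in it the upgrade notes in 3.2 and 3.3 say will be lost or reset. The following is an added example, not a Fortinet tool, of a review script that reads such a backup and reports both. Assumptions: that a cleartext backup begins with a "#config-version=...-buildNNN-..." header line (the sample below is constructed, not from a real device), that the three keys in SECRET_KEYS are an illustrative rather than exhaustive list of credential-bearing settings, and that the rule regexes match the CLI lines exactly as these notes name them.

```python
import re

# Constructed sample of a cleartext FortiOS backup (not taken from any real device).
SAMPLE_BACKUP = """\
#config-version=FGT60B-4.00-FW-build113-091104:opmode=0:vdom=0:user=admin
config system global
    set hostname "edge-fw"
end
config system admin
    edit "admin"
        set password ENC CONSTRUCTED-PLACEHOLDER-HASH
    next
end
config system interface
    edit "dmz"
        set ips-sniffer-mode enable
    next
end
config firewall profile
    edit "web"
        set spam-bword-table 1
        set allow-invalid-server-cert enable
    next
end
config alertemail settings
    set local-disk-usage-warning enable
end
config system autoupdate schedule
    set status enable
end
"""

# Settings the release notes say are lost or reset when moving to v4.0 MR2
# (section numbers refer to this document).
UPGRADE_RULES = [
    (r"^set ips-sniffer-mode enable$",
     "ips-sniffer-mode is reset to disable if the interface is used by a firewall policy (3.2)"),
    (r"^config webfilter exmword$",
     "exempt word list is not retained; merge it into 'config webfilter content' after upgrade (3.2)"),
    (r"^set spam-bword-table\b",
     "spam-bword-table under 'config firewall profile' is lost (3.2)"),
    (r"^set allow-invalid-server-cert\b",
     "HTTPS allow-invalid-server-cert under 'config firewall profile' is lost (3.2, 3.3)"),
    (r"^set subprotocol sip simple sccp$",
     "DLP rule with subprotocol 'sip simple sccp' is lost (3.3)"),
    (r"^set local-disk-usage-warning enable$",
     "alertemail local-disk-usage-warning is reset to disable (3.3)"),
    (r"^config system autoupdate schedule$",
     "autoupdate schedule is reset to default values (3.3)"),
]

# Keys that carry credentials in a cleartext backup (assumed, illustrative list).
SECRET_KEYS = re.compile(r"^set (password|psksecret|private-key)\b")
# Assumed header shape of a cleartext backup; an encrypted file will not match it.
HEADER = re.compile(r"^#config-version=.*?-build(\d+)-")


def audit_backup(text):
    """Report whether `text` is a readable cleartext backup, the build it came from,
    the line numbers that expose credentials, and the settings that will not survive
    the upgrade, as (line number, note) pairs in file order."""
    report = {"cleartext": False, "build": None, "secrets": [], "findings": []}
    lines = text.splitlines()
    m = HEADER.match(lines[0]) if lines else None
    if not m:
        return report   # encrypted, or not a FortiOS backup at all
    report["cleartext"] = True
    report["build"] = m.group(1)
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if SECRET_KEYS.match(line):
            report["secrets"].append(number)
        for pattern, note in UPGRADE_RULES:
            if re.match(pattern, line):
                report["findings"].append((number, note))
    return report


if __name__ == "__main__":
    r = audit_backup(SAMPLE_BACKUP)
    print(f"cleartext={r['cleartext']} build={r['build']} credential lines={r['secrets']}")
    for number, note in r["findings"]:
        print(f"line {number}: {note}")
```

A non-empty "secrets" list is the practical reason behind section 2.2: the file is readable by anyone who obtains it, so it should be encrypted at backup time or stored with the same care as the device's own credentials. The "build" value gives the starting point for checking the upgrade path in 3.1 to 3.3, and each finding names a setting to re-apply or re-enter after the upgrade.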


4 Downgrading to FortiOS v3.00

Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• static route table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Fortinet Product Integration and Support

5.1 FortiManager Support

FortiOS v4.0 MR2 is supported by FortiManager v4.0 MR2.

5.2 FortiAnalyzer Support

FortiOS v4.0 MR2 is supported by FortiAnalyzer v4.0 MR2.

5.3 FortiClient Support

FortiOS v4.0 MR2 is supported by FortiClient v4.0 MR2 for the following:

• 32-bit version of Microsoft Windows XP
• 32-bit version of Microsoft Windows Vista
• 64-bit version of Microsoft Windows Vista
• 32-bit version of Microsoft Windows 7
• 64-bit version of Microsoft Windows 7

5.4 Fortinet Server Authentication Extension (FSAE) Support

FortiOS v4.0 MR2 is supported by FSAE v3.00 B058 (FSAE collector agent 3.5.058) for the following:

• 32-bit version of Microsoft Windows 2003 R1 Server
• 64-bit version of Microsoft Windows 2003 R1 Server
• 32-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R2 Server
• Novell E-directory 8.8

IPv6 is currently not supported by FSAE.

5.5 AV Engine and IPS Engine Support

FortiOS v4.0 MR2 is supported by AV Engine 3.00013 and IPS Engine 1.00161.

5.6 3G MODEM Support

The following models and service providers were tested.

Service Provider | 3G Card | Identification (IMEI) | Datacard Firmware

Canada
Telus | ZTE MY39 | - | P650M1V1.0.2_Telus_060331
Rogers | Option Globetrotter Qualcomm 3G GX0202 | 352115011023553 | 1.10.8Hd
Rogers | Huawei E220 | 358191017138137 | 11.110.05.00.00
Rogers | Sierra AirCard 595 | - | p1906000,5077

APAC
E-Mobile | NEC Infrontia Corporation D01NE | - | -
E-Mobile | NEC Infrontia Corporation D02NE | - | -
E-Mobile | Longcheer Holdings Limited D11LC | 353780020859740 | LQA0012.1.2_M533A

AMER
Telecom | Sierra Compass 597 | - | Rev 1.0 (2), p2314500,4012
Optus | Huawei E169 | 358109021556466 | 11.314.17.00.00
Hutchison/3 | Huawei E220 | 358191017339891 | 11.117.09.00.100
Telecom | Sierra 597E | - | p2102900,4012
Vodafone | Huawei E220 | 354136020989038 | 11.117.09.04.00
Soul/TPG | Huawei E220 | 358193016941644 | 11.117.08.00.00
Telstra | Option GE0202 | 356812010493268 | 2.5.2Hd
Telstra | Sierra 880E | 356812010493268 | F1_0_0_9AP C:/WS/FW/F1_0_0_9AP/MSM7200R3/SRC/AMSS
Telstra | Sierra AC501/Sierra 880E+ | 358248020068162 | K2_0_7_1BAP C:/WS/FW/K2_0_7_1BAP/MSM6290/SRC
Telstra | Sierra AC875 | 352822010757236 | H2_0_6_0ACAP C:/WS/FW/H2_0_6_0ACAP/MSM6280/SRC
Telstra | Sierra USB 306 | 359475020397478 | M2_0_4_0AP C:/WS/FW/M2_0_4_0AP/MDM8200/SRC/AMSS
Telecom New Zealand | Sierra Compass 885 | 35992013540914 | 1_0_1_17AP C:/WS/FW/J1_0_1_17AP/MSM7200A/SRC/AMSS
AT&T | Sierra Wireless AC881 | 354218012004149 | F1_0_0_4AP C:/WS/FW/F1_0_0_4AP/MSM7200R3/SRC/AMSS
Bell Mobility | Novatel / Ovation U727 | ESN: 0x5B80428F | m6800B-RAPTOR65_B-126

5.7 AMC Module Support

FortiOS v4.0 MR2 supports AMC removable modules. These modules are not hot swappable. The FortiGate must be turned off before the module is inserted or removed.

AMC Module | FortiGate Support

Internal Hard Drive (ASM-S08) | FGT-310B, FGT-620B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
Single Width 4-port 1Gbps Ethernet interface (ASM-FB4) | FGT-310B, FGT-311B, FGT-620B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2) | FGT-3810A, FGT-5001A-DW
Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8) | FGT-3810A, FGT-5001A-DW
Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2) | FGT-310B, FGT-311B, FGT-620B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
Single Width 4-port Ethernet bypass interface (ASM-CX4) | FGT-310B, FGT-311B, FGT-620B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
AMC Security Processing Engine Module (ASM-CE4) | FGT-1240B, FGT-3810A, FGT-3016B, FGT-5001A-SW
AMC Security Processing Engine Module (ADM-XE2) | FGT-3810A, FGT-5001A-DW
Rear Transition Module (RTM-XD2) | FGT-5001A-DW (to support RTM-XD2)
Four Port T1/E1 WAN Security Processing Module (ASM-ET4) | FGT-310B, FGT-311B
Rear Transition Module (RTM-XB2) | FGT-5001A-DW (to support RTM-XB2)

5.8 SSL-VPN Support

5.8.1 SSL-VPN Standalone Client

FortiOS v4.0 MR2 supports the SSL-VPN tunnel client standalone installer B2082 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista

The following operating systems were tested.

Windows | Linux | Mac OS X
Windows XP 32-bit SP2 | CentOS 5.2 (2.6.18-el5) | Leopard 10.5
Windows XP 64-bit SP1 | Ubuntu 8.0.4 (2.6.24-23) |
Windows Vista 32-bit SP1 | |
Windows Vista 64-bit SP1 | |
Windows 7 32-bit | |
Windows 7 64-bit | |

Virtual Desktop Support

• Windows XP 32-bit SP2
• Windows Vista 32-bit SP1
• Windows 7 32-bit

5.8.2 SSL-VPN Web Mode

The following browsers and operating systems were tested with SSL-VPN web mode.

Operating System | Browser
Windows XP 32-bit SP2 | IE7, IE8, and FF 3.6
Windows XP 64-bit SP1 | IE7 and FF 3.6
Windows Vista 32-bit SP1 | IE7, IE8, and FF 3.6
Windows Vista 64-bit SP1 | IE7 and FF 3.6
Windows 7 32-bit | IE8 and FF 3.6
Windows 7 64-bit | IE8 and FF 3.6
CentOS 5.2 (2.6.18-el5) | FF 1.5 and FF 3.0
Ubuntu 8.0.4 (2.6.24-23) | FF 3.0
Mac OS X Leopard 10.5 | Safari 4.1

5.9 SSL-VPN Host Compatibility List

The following antivirus and firewall client software packages were tested.

Product | Antivirus | Firewall

Windows XP
Symantec Endpoint Protection v11 | √ | √
Kaspersky Antivirus 2009 | √ | ✗
McAfee Security Center v8.1 | √ | √
Trend Micro Internet Security Pro | √ | √
F-Secure Internet Security 2009 | √ | √


6 Resolved Issues in FortiOS v4.0 MR2

The resolved issues listed below do not include every bug that has been corrected in this release. For inquiries about a particular bug, contact Customer Support.

6.1 Command Line Interface (CLI)

Description: The "set preempt disable" VRRP setting may not take effect.
Bug ID: 115436
Status: Fixed in v4.0 MR2.

6.2 Web User Interface

Description: The FortiGate's image on the dashboard does not show the connected ADM module.
Bug ID: 111624
Status: Fixed in v4.0 MR2.
Models Affected: FGT-5001A-DW

Description: An httpsd backtrace error message may be displayed on the console when accessing the Endpoint NAC > Monitor web UI page.
Bug ID: 114873
Status: Fixed in v4.0 MR2.

6.3 System

Description: The FortiGate-110C may randomly encounter a kernel panic.
Bug ID: 114759
Models Affected: FGT-110C
Status: Fixed in v4.0 MR2.

Description: The vsd daemon may randomly crash.
Bug ID: 90877
Status: Fixed in v4.0 MR2.

Description: The FortiGate may unexpectedly enter conserve mode even when memory and CPU usage are low.
Bug ID: 118011
Status: Fixed in v4.0 MR2.

Description: On rare occasions the FortiGate may encounter a kernel panic and freeze.
Bug ID: 119777
Status: Fixed in v4.0 MR2.

Description: On rare occasions a kernel bug may cause the FortiGate to unexpectedly freeze with no console output.
Bug ID: 118435
Status: Fixed in v4.0 MR2.

Description: An SMTP connection may be abruptly disconnected when multiple invalid email addresses are pipelined into the SMTP proxy.
Bug ID: 109102
Status: Fixed in v4.0 MR2.

Description: A SIP VIP with port forwarding enabled may not translate the destination port correctly.
Bug ID: 108480
Status: Fixed in v4.0 MR2.


Description: The FortiGate may encounter a kernel panic when an IPv6 ICMPv6 neighbor solicitation request arrives on the wrong interface.
Bug ID: 117816
Status: Fixed in v4.0 MR2.

Description: The FGT-1240B sometimes does not recognize that an FTP session is still active when traffic is passing through NP4 interfaces.
Bug ID: 118196
Models Affected: FGT-1240B
Status: Fixed in v4.0 MR2.

Description: The FortiGate ignores the DHCP offer from a Raven X router.
Bug ID: 120369
Status: Fixed in v4.0 MR2.

Description: SNMP traps with the link-local address '169.254.0.1' are generated when traps are forwarded from the HA slave to the master.
Bug ID: 118381
Status: Fixed in v4.0 MR2.

Description: The vsd daemon may randomly crash when under heavy load.
Bug ID: 90877
Status: Fixed in v4.0 MR2.

6.4 High Availability

Description: Flash memory usage on the slave FortiGate may unexpectedly rise close to 100% because of an unusually large temporary file.
Bug ID: 121526
Status: Fixed in v4.0 MR2.

Description: The WebFilter override feature may not work in HA virtual cluster 2.
Bug ID: 120614
Status: Fixed in v4.0 MR2.

Description: The 'Top Viruses Graph' chart does not work on Virtual Cluster 2.
Bug ID: 96566
Status: Fixed in v4.0 MR2.

6.5 Firewall

Description: If a server requires a client-side certificate and the SSL inspection feature is enabled, the connection is blocked by the FortiGate. SSL inspection should not act as a man-in-the-middle for sessions that use a client certificate.
Bug ID: 87297
Status: Fixed in v4.0 MR2.

Description: sslvpnd may crash if a firewall address used in an SSL portal is renamed.
Bug ID: 115301
Status: Fixed in v4.0 MR2.

Description: The per-ip-shaper feature may not work when identity-based policy is enabled.
Bug ID: 114277
Status: Fixed in v4.0 MR2.


6.6 IPS

Description: The IPS sensor may not work when the 'Quarantine Attackers (to Banned Users List)' option is enabled.
Bug ID: 113641
Status: Fixed in v4.0 MR2.

6.7 VPN

Description: FortiClient may not be able to connect to the FortiGate dialup IPSec interface when using a certificate.
Bug ID: 115456
Status: Fixed in v4.0 MR2.

Description: The SSLVPN virtual desktop may fail to launch after installing Microsoft security update KB955759.
Bug ID: 120473
Status: Fixed in v4.0 MR2.

Description: On rare occasions all SSLVPN users may unexpectedly be disconnected.
Bug ID: 119201
Status: Fixed in v4.0 MR2.

Description: Users cannot log in to the SSL-VPN portal if the policy uses an FQDN as the source address.
Bug ID: 87339
Status: Fixed in v4.0 MR2.

Description: SSL-VPN user-defined bookmarks may be lost if the FortiGate is rebooted.
Bug ID: 112318
Status: Fixed in v4.0 MR2.

Description: The FortiGate may block traffic from going through a policy-based IPSec tunnel on an NP2 interface if the fastpath setting is set to enable.
Bug ID: 122553
Status: Fixed in v4.0 MR2.

6.8 Web Filter

Description: Disabling the web cache may affect FortiGuard availability.
Bug ID: 115584
Status: Fixed in v4.0 MR2.

6.9 Data Leak Prevention

Description: DLP archiving for SCCP does not work.
Bug ID: 100458
Status: Fixed in v4.0 MR2.

6.10 Instant Message

The following IM clients and versions were tested in FortiOS v4.0 MR2. As some IM clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the firewall.

IM Client           Version          Comment
AIM                 7.0.11.2         This IM version uses SSL communication and the FortiGate can only block or allow it using a firewall policy.
AIM Classic         5.9.6089         none
ICQ                 7.0 Build 1211   none
Yahoo! Messenger    9.0.0.2162       none
MSN 2009            14.0.8089.726    none

Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR2.
Models Affected: All
Bug ID: See table

Client Affected   Version          Description/Models Affected/Status/Bug ID
ICQ               6.5 Build 1042   Description: DLP archive does not work for ICQ voice chat. Status: Fixed in v4.0 MR2. Bug ID: 99538

6.11 WAN Optimization

Description: The wad proxy may cause high memory usage because of a memory leak.
Bug ID: 97742
Status: Fixed in v4.0 MR2.

Description: The FortiGate web-cache 'always-revalidate' option may not work.
Bug ID: 115459
Status: Fixed in v4.0 MR2.

6.12 Log & Report

Description: No event log entry is added when an HA cluster fails to synchronize.
Bug ID: 114713
Status: Fixed in v4.0 MR2.

Description: All default SQL reports are lost after changing the opmode from NAT to TP.
Models Affected: FGT-3600A
Bug ID: 108188
Status: Fixed in v4.0 MR2.

Description: The "Buffer to hard disk and upload" feature may not work when archiving to FAMS.
Bug ID: 108522
Status: Fixed in v4.0 MR2.

Description: IM logs incorrectly show app_list=N/A.
Bug ID: 89911
Status: Fixed in v4.0 MR2.

6.13 FSAE Collector Agent

Description: eDirectory agent version 3.5.47 may randomly crash.
Bug ID: 114359
Status: Fixed in v4.0 MR2.

Description: Users can be deleted from the 'Ignore User List' by selecting users and clicking the OK button.
Bug ID: 115432
Status: Fixed in v4.0 MR2.

Description: The FSAE collector agent may not receive user logon events when the warning dialog box is open.
Bug ID: 115430
Status: Fixed in v4.0 MR2.

Description: Some administrators are unable to see logged-on users and monitored DCs in the FSAE Collector Agent.
Bug ID: 112364
Status: Fixed in v4.0 MR2.

Description: The FSAE collector agent does not wait long enough for a response from the remote workstation or DC.
Bug ID: 120354
Status: Fixed in v4.0 MR2.

Description: The collector agent service may stop when the Apply button is clicked twice on the FSAE config web UI page.
Bug ID: 120678
Status: Fixed in v4.0 MR2.

Description: DNS queries may fail if the hostname is longer than 15 characters.
Bug ID: 112753
Status: Fixed in v4.0 MR2.


7 Known Issues in FortiOS v4.0 MR2

This section lists the known issues of this release, but is NOT a complete list. For enquiries about a particular bug not listed here, contact Customer Support.

7.1 Command Line Interface (CLI)

Description: The 'diagnose firewall statistics show' command may not show accurate stats.
Bug ID: 92569
Status: To be fixed in a future release.

7.2 Web User Interface

Description: The firewall policy disclaimer checkbox cannot be checked when using the IE8 browser.
Bug ID: 121950
Status: To be fixed in a future release.

Description: When creating a policy route from the web UI, the destination port numbers are not saved if the protocol number is set to zero.
Bug ID: 78402
Status: To be fixed in a future release.

Description: The web UI does not warn the user that an SMTP signature is too long and consequently truncates the signature to 1000 characters.
Bug ID: 65422
Status: To be fixed in a future release.

Description: The "Disclaimer and Redirect URL to" setting cannot be seen from the web UI after "Identity Based Policy" is disabled.
Bug ID: 108589
Status: To be fixed in a future release.

Description: All interfaces are shown as up in the FortiGate's image on the dashboard.
Models Affected: FGT-110C
Bug ID: 115502
Status: To be fixed in a future release.

Description: The feature menu on the left side may be greyed out when a new dashboard is added.
Bug ID: 122208
Status: To be fixed in a future release.

Description: The column headings on the Firewall > Policy > Policy web UI page may be misaligned with the column values.
Bug ID: 117698
Status: To be fixed in a future release.

7.3 System

Description: If a FortiGate using an ASM-CX4/FX2 module has multiple VDoms configured and at least one of the VDoms is in TP mode, the user is allowed to enable AMC bypass mode even if all ASM-CX4/FX2 interfaces are assigned to a NAT VDom.
Bug ID: 91519
Status: To be fixed in a future release.

Description: ASM-FB4/FB8 interfaces with a fiber SFP may not work when the interface speed is set to 1000full.
Bug ID: 90674
Status: To be fixed in a future release.


Description: Traffic going through the ASM-FX2 card keeps getting bypassed when an ASM-CX4 card is used in slot1, an ASM-FX2 card is used in slot2, and bypass-mode is set to disable.
Bug ID: 90017
Status: To be fixed in a future release.

7.4 High Availability

Description: The master unit in an A-A mode cluster stops load-balancing when a redundant link interface on the slave unit is unplugged.
Bug ID: 58959
Status: To be fixed in a future release.

Description: The master FortiGate's console may display the '[ha_auth.c:200]: unsupported auth_sync type 16' error message when upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR2.
Bug ID: 96380
Status: To be fixed in a future release.

Description: Sessions may be synced between master and slave members even when the 'session sync' option is disabled.
Bug ID: 112453
Status: To be fixed in a future release.

Description: The usage widget on the dashboard may not include statistics from the slave FortiGate.
Bug ID: 120478
Status: To be fixed in a future release.

Description: The slave FortiGate may fail to upgrade from FortiOS v4.1 B0194 to FortiOS v4.2 when the 'uninterruptable-upgrade' option is set to disable.
Bug ID: 121314
Status: To be fixed in a future release.

Description: The traffic count on a firewall policy is reset to zero after an HA failover.
Bug ID: 83105
Status: To be fixed in a future release.

7.5 Firewall

Description: The firewall protection profile may not work in SSL offload mode.
Bug ID: 97704
Status: To be fixed in a future release.


Description: The file pattern list is not effective if the list exceeds 125 entries.
Bug ID: 90096
Status: To be fixed in a future release.

Description: A user may be able to add a firewall policy comment over the allowed limit by using double-byte characters. This may cause web UI and configuration corruption.
Bug ID: 106964
Status: To be fixed in a future release.

Description: If a server requires a client-side certificate and the SSL inspection feature is enabled, the connection is blocked by the FortiGate. SSL inspection should not act as a man-in-the-middle for sessions that use a client certificate.
Bug ID: 87297
Status: To be fixed in a future release.

7.6 Antivirus

Description: The scanunit daemon may randomly crash.
Bug ID: 118706
Status: To be fixed in a future release.

Description: The Antivirus > File Filter feature blocks files even if the URL is included in the WebFilter URL exempt list.
Bug ID: 114513
Status: To be fixed in a future release.

7.7 IPS

Description: IPS traffic cannot be offloaded to interfaces on ASM-CE4, ADM-XE2, or ADM-FE8 modules.
Models Affected: All models using an ASM-CE4, ADM-XE2, or ADM-FE8 module.
Bug ID: 122411
Status: To be fixed in a future release.

7.8 Web Filter

Description: The FortiGuard override feature may not work after upgrading from FortiOS v4.1 Patch Release 4 B0196 to FortiOS v4.2.
Bug ID: 122332
Status: To be fixed in a future release.
Workaround: Reboot the FortiGate.

7.9 Data Leak Prevention

Description: DLP (HTTP proxy) may cause problems for an application doing pipelined HTTP requests.
Bug ID: 120936
Status: To be fixed in a future release.

7.10 Instant Message

The following IM clients and versions were tested in FortiOS v4.0 MR2. As some IM clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the firewall.

IM Client           Version          Comment
AIM                 7.0.11.2         This IM version uses SSL communication and the FortiGate can only block or allow it using a firewall policy.
AIM Classic         5.9.6089         none
ICQ                 7.0 Build 1211   none
Yahoo! Messenger    9.0.0.2162       none
MSN 2009            14.0.8089.726    none

Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR2.
Models Affected: All
Bug ID: See table

Client Affected   Version          Description/Models Affected/Status/Bug ID
ICQ               6.5 Build 1042   Description: The FortiGate may fail to detect an ICQ file transfer when only ICQ is enabled in the DLP rule. Status: To be fixed in a future release. Bug ID: 121701
ICQ               6.5 Build 1042   Description: The FortiGate fails to block ICQ login when the HTTP proxy is used. Status: To be fixed in a future release. Bug ID: 100946

7.11 Application Control

Description: An application set to pass may still be blocked if a second 'block all application' rule is added to the same list.
Bug ID: 91669
Status: To be fixed in a future release.

7.12 VPN

Description: The SSL-VPN TELNET and SSH applet only supports ISO/IEC 8859-1 encoding. Characters in other encodings may freeze the applet.
Bug ID: 90642
Status: To be fixed in a future release.

Description: Traffic selector negotiation may fail if the selectors do not match exactly on the two peers.
Bug ID: 112350
Status: To be fixed in a future release.

Description: SSLVPN web mode may not be able to connect to OWA 2003 using the IE8 browser.
Bug ID: 120766
Status: To be fixed in a future release.

7.13 Log & Report

Description: The diskfull setting is not enforced for DLP archiving.
Bug ID: 120708
Status: To be fixed in a future release.


Description: The SQL report quota does not support the 'diskfull override' setting.
Bug ID: 116801
Status: To be fixed in a future release.

Description: The log setting under 'config ips DoS' is inadvertently set to enable after the FortiGate is rebooted.
Bug ID: 118824
Status: To be fixed in a future release.

Description: Content archiving of NNTP files is not supported in FortiOS v3.00 MR6, even though the option appears as grayed out, implying it may be enabled through another configured option.
Bug ID: 44510
Status: To be fixed in a future release.

Description: Traffic logs cannot be viewed in raw format when SQL disk logging is enabled.
Bug ID: 122215
Status: To be fixed in a future release.

7.14 FSAE Collector Agent

Description: FSAE may not send a logoff event when the user is moved from a monitored group.
Bug ID: 120741
Status: To be fixed in a future release.

7.15 FSAE Windows DC Agent

Description: DC agent deployment may fail on a low-bandwidth (24kbps) link.
Bug ID: 111566
Status: To be fixed in a future release.

7.16 Wi-Fi

Description: The FortiWiFi-60B may fail to detect an access point running in the 802.11a band when the mode is changed from AP to SCAN.
Models Affected: FWF-60B
Bug ID: 120127
Status: To be fixed in a future release.


8 Image Checksums

The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After login, click on the "Firmware Images Checksum Code" link in the left frame.


9 Appendix A – P2P Clients and Supported Configurations

The following tables outline the supported configurations and related issues with several P2P clients. N/A means either the application does not support the feature or it is not officially tested.

Note: As some P2P clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the firewall.

Standard Ports, Direct Internet Connection

Client              Pass    Block           Rate Limit
Skype 3.8           N/A     N/A             N/A
Kazaa 3.2.7         N/A     N/A             N/A
BearShare 7.0       OK      OK              Bug ID: 86147
Shareaza 4.1        OK      OK              OK
BitComet 1.0.7      OK      OK              OK
eMule 0.49b         OK      OK              Bug ID: 86452
Azureus 4.0.0.2     OK      OK              OK
LimeWire 4.18.8     OK      OK              Bug ID: 77852
iMesh 8.0           OK      OK              OK
DC++ 0707           OK      OK              N/A
Winny 728           OK      OK              OK

Standard Ports, Proxy Internet Connection

Client              Pass    Block           Rate Limit
Skype 3.8           N/A     N/A             N/A
Kazaa 3.2.7         N/A     N/A             N/A
BearShare 7.0       OK      OK              OK
Shareaza 4.1        N/A     N/A             N/A
BitComet 1.0.7      N/A     N/A             N/A
eMule 0.49b         OK      OK              Bug ID: 86452
Azureus 4.0.0.2     OK      OK              OK
LimeWire 4.18.8     OK      OK              OK
iMesh 8.0           N/A     N/A             N/A
DC++ 0707           N/A     N/A             N/A
Winny 728           N/A     N/A             N/A

Non-standard Ports, Direct Internet Connection

Client              Pass    Block           Rate Limit
Skype 3.8           OK      Bug ID: 37845   N/A
Kazaa 3.2.7         OK      OK              OK
BearShare 7.0       N/A     N/A             N/A
Shareaza 4.1        OK      OK              OK
BitComet 1.0.7      OK      OK              OK
eMule 0.49b         OK      OK              Bug ID: 86452
Azureus 4.0.0.2     OK      OK              OK
LimeWire 4.18.8     OK      OK              Bug ID: 77852
iMesh 8.0           OK      OK              OK
DC++ 0707           N/A     N/A             N/A
Winny 728           N/A     N/A             N/A

Non-standard Ports, Proxy Internet Connection

Client              Pass    Block           Rate Limit
Skype 3.8           OK      Bug ID: 37845   N/A
Kazaa 3.2.7         OK      OK              OK
BearShare 7.0       N/A     N/A             N/A
Shareaza 4.1        N/A     N/A             N/A
BitComet 1.0.7      N/A     N/A             N/A
eMule 0.49b         OK      OK              Bug ID: 86452
Azureus 4.0.0.2     OK      OK              OK
LimeWire 4.18.8     OK      OK              Bug ID: 77852
iMesh 8.0           N/A     N/A             N/A
DC++ 0707           N/A     N/A             N/A
Winny 728           N/A     N/A             N/A


10 Appendix B – Knowledge Base Articles

• An article on "Traffic Types and TCP/UDP Ports used by Fortinet Products" can be accessed through the following link: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=10773

• An article on "Communication between FortiManager v4.0 and FortiGate" can be accessed through the following link: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30157

• An article on "FortiGate and FortiOS support for 802.3ad" can be accessed through the following link: http://kb.fortinet.com/kb/viewdocument.do?externalId=11640&sliceId=1&docType=kc&dialogID=5039610&cmd=displayKC&docTypeID=DT_KCARTICLE_1_1&stateId=0+0+5037649&highlight=on

(End of Release Notes.)
