
FortiGate Multi-Threat Security System

Release Notes
v4.0 MR1 Patch Release 10
01-4110-84420-20110617

Release Notes

FortiOS v4.0 MR1 - Patch Release 10

Table of Contents
1 FortiOS v4.0 MR1 - Patch Release 10
2 Special Notices
  2.1 General
3 Upgrade Information
  3.1 Upgrading from FortiOS v3.00 MR6/MR7
  3.2 Upgrading from FortiOS v4.0
4 Downgrading to FortiOS v3.00
5 Fortinet Product Integration and Support
  5.1 Fortinet Server Authentication Extension (FSAE) Support
  5.2 AV Engine and IPS Engine Support
  5.3 SSL-VPN Support
    5.3.1 SSL-VPN Standalone Client
  5.4 Web Browser Support for SSL-VPN
6 Resolved Issues in FortiOS v4.0 MR1 - Patch Release 10
  6.1 System
  6.2 High Availability
  6.3 Router
  6.4 Firewall
  6.5 Web Proxy
  6.6 VPN
  6.7 Log & Report
  6.8 FSAE
7 Image Checksums

Change Log
Date        Change Description
2011-06-17  Initial Release.

Copyright 2011 Fortinet Inc. All rights reserved.

Trademarks
Copyright 2011 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com

June 17, 2011


FortiOS v4.0 MR1 - Patch Release 10

This document provides installation instructions, and addresses issues and caveats in the FortiOS™ v4.0 MR1 B0217 - Patch Release 10 release. The following outlines the release status for several models.

Model: FGT-30B, FWF-30B, FGT-50B, FWF-50B, FGT-51B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A LENC, FGT-1240B, FGT-3016B, FGT-3600, FGT-3600A, FGT-3810A, FGT-5001A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2
FortiOS v4.0 MR1 - Patch Release 10 Release Status: All models are supported on the regular v4.0 MR1 - Patch Release 10 branch.

Model: FGT-200B, FGT-200B-POE
FortiOS v4.0 MR1 - Patch Release 10 Release Status: The officially released image for these models is based off of FortiOS v4.0 MR1 - Patch Release 10 fg_4-1_200b/build_tag_5818 and is located in the same directory as the models supported on the regular FortiOS v4.0 MR1 branch. The build number for these images in the System > Status page and in the output of the "get system status" CLI command displays 5818. To confirm that you are running the proper build, the output of the "get system status" CLI command has a "Branch point:" field. This should read 217.

Model: FWF-80CM, FWF-81CM
FortiOS v4.0 MR1 - Patch Release 10 Release Status: The officially released images for these models are based off of FortiOS v4.0 MR1 Patch Release 10 fg_4-1_80cm_rework/build_tag_6840 and are located in the same directory as the models supported on the regular FortiOS v4.0 MR1 branch. The build number for these images in the System > Status page and in the output of the "get system status" CLI command displays 6840. To confirm that you are running the proper build, the output of the "get system status" CLI command has a "Branch point:" field. This should read 217.
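An added check for the build-number and branch-point confirmation described above (example code, not Fortinet's). The only facts it takes from these notes are the "Branch point:" field, the branch point 217 and the per-model build numbers; the layout of the "Version:" line it parses (",build<NNNN>," inside the line) is an assumption about FortiOS 4.x output, and the sample output is constructed.

```python
"""Added example, not Fortinet code: verify that a unit's 'get system status'
output shows the build number and branch point these notes list for its model.
Assumed output layout (not taken from this document): a 'Version:' line that
contains ',build<NNNN>,' and a 'Branch point: <N>' line.  Sample is constructed."""
import re

# Build numbers from the release-status table.  Models on the regular branch
# display build 0217; the separately built models display their own build tag.
REGULAR_BUILD = 217
MODEL_BUILD = {"FGT-200B": 5818, "FGT-200B-POE": 5818,
               "FWF-80CM": 6840, "FWF-81CM": 6840}
BRANCH_POINT = 217  # the notes give 217 for every model in this release

_VERSION_RE = re.compile(r"^Version:.*?,build(\d+),", re.M)   # assumed layout
_BRANCH_RE = re.compile(r"^Branch point:\s*(\d+)", re.M)


def parse_system_status(output):
    """Extract build and branch point; a field that is absent parses as None."""
    version = _VERSION_RE.search(output)
    branch = _BRANCH_RE.search(output)
    return {"build": int(version.group(1)) if version else None,
            "branch_point": int(branch.group(1)) if branch else None}


def image_mismatches(model, output):
    """Return a list of mismatch descriptions; an empty list means the loaded
    image is the one these notes describe for that model."""
    status = parse_system_status(output)
    expected_build = MODEL_BUILD.get(model, REGULAR_BUILD)
    problems = []
    if status["build"] != expected_build:
        problems.append(f"build {status['build']} (expected {expected_build})")
    if status["branch_point"] != BRANCH_POINT:
        problems.append(f"branch point {status['branch_point']} (expected {BRANCH_POINT})")
    return problems


# Constructed sample: an FGT-200B that booted the regular-branch image instead
# of its own build_tag_5818 image.
SAMPLE_STATUS = """\
Version: FortiGate-200B v4.0,build0217,110617 (MR1 Patch 10)
Branch point: 217
"""

if __name__ == "__main__":
    for line in image_mismatches("FGT-200B", SAMPLE_STATUS) or ["image matches"]:
        print(line)
```

Run it against the captured output of "get system status" from each unit after the upgrade; a non-empty list means the wrong image was loaded, which is the situation the notes tell you to check for.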

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR1 release.


Special Notices

2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT! Monitor Settings for Web User Interface Access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows all objects in the Web UI to be viewed properly.

Web Browser Support
Microsoft Internet Explorer™ 7.0/8.0 and FireFox 3.0x are fully supported.

BEFORE any upgrade
[FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade
[WebUI Display] If you are using the Web UI, clear the browser cache prior to logging in to the FortiGate to ensure proper display of the Web UI screens.
[Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.


Upgrade Information

3.1 Upgrading from FortiOS v3.00 MR6/MR7


FortiOS v4.0 MR1 - Patch Release 10 officially supports upgrade from the most recent Patch Release in MR6 or MR7. See the upgrade path below. The arrows indicate "upgrade to".

[MR6] The upgrade is supported from FortiOS v3.00 B0678 Patch Release 6 or later.
MR6 B0678 Patch Release 6 (or later) -> v4.0 MR1 - Patch Release 10 B0217GA
After every upgrade, ensure that the build number and branch point match the image that was loaded.

[MR7] The upgrade is supported from FortiOS v3.00 B0753 Patch Release 9 or later.
MR7 B0753 Patch Release 9 (or later) -> v4.0 MR1 - Patch Release 10 B0217GA
After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Log Settings Changes] In FortiOS v4, the option to configure a rule under 'config log trafficfilter' has been removed, therefore any related configuration is lost upon upgrading from FortiOS MR6 to FortiOS v4.0 MR1 - Patch Release 10.

[FG-3016B Upgrade] Interface names on the FGT-3016B have been changed in FortiOS v4 to match the port names on the face plate. After upgrading from FortiOS v3.0 MR6 to FortiOS v4.0 MR1 - Patch Release 10, all port names in the FortiGate configuration are changed as per the following port mapping.

Old port name (before upgrading) -> New port name (after upgrading)
port1  -> mgmt1
port2  -> mgmt2
port3  -> port1
port4  -> port2
port5  -> port3
port6  -> port4
port7  -> port5
port8  -> port6
port9  -> port7
port10 -> port8
port11 -> port9
port12 -> port10
port13 -> port11
port14 -> port12
port15 -> port13
port16 -> port14
port17 -> port15
port18 -> port16

Note: After the release of FortiOS v3.00 MR6 firmware, a new revision of the FGT-3016B included a name change to two ports on the left side of the faceplate. Previously, they were labeled 1 and 2. Now they are called MGMT 1 and MGMT 2. However, the BIOS still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.

[System Settings] In FortiOS v4.0.0, the p2p-rate-limit setting under 'config system settings' has been removed, therefore any related configuration is lost upon upgrading from FortiOS MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[Router Access-list] All configuration under 'config router access-list' may be lost after upgrading from FortiOS v3.0.0 MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[Identity Based Policy] Firewall policy authentication has been reworked in FortiOS v4. Any firewall policy that requires authentication is now known as an Identity Based Policy. Previously, a separate authentication firewall policy had to be created for different schedules, services, and traffic shaping settings, but in FortiOS v4 all firewall authentication settings are configured in the Identity Based Policy section of a firewall policy. If no traffic matches any of the Identity Based Policies, the traffic is subjected to an implicit DENY ALL. For example:

In FortiOS v3.00 MR6/MR7
config firewall policy
    edit 1
        set action accept
        set groups grp1 grp2
        set service HTTP
        ...
    next
    edit 2
        set action accept
        set service TELNET
    next
    ...
end

After upgrading to FortiOS v4.0 MR1 - Patch Release 10
config firewall policy
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP

            next
        end
    next
    edit 2
        set action accept
        set service TELNET
    next
end

In FortiOS v4.0 MR1 - Patch Release 10, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of the Identity Based Policy. To correct the behaviour, you must move the non-Identity Based Policy (the TELNET policy) above the Identity Based Policy.

Reorganized policy in FortiOS v4.0 MR1 - Patch Release 10
config firewall policy
    edit 2
        set action accept
        set service TELNET
    next
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
end

[IPv6 Tunnel] All configuration under 'config system ipv6-tunnel' may be lost after upgrading from FortiOS v3.0.0 MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[User Group] In FortiOS v3.00 a protection profile can be assigned to a user group from the Web UI, but in FortiOS v4.0 it can only be assigned from the CLI.

[Zone Configuration] In FortiOS v3.00 a Zone name could be up to 32 characters, but in v4 this has changed to up to 15 characters. Any Zone names in FortiOS v3.00 with more than 15 characters will be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.

[IPv6 Vlan Interfaces] VLAN interfaces with an ipv6-address configured will be lost after upgrading from FortiOS v3.00 to FortiOS v4.0 MR1 - Patch Release 10.

[VIP Settings] The 'set http-ip-header' setting under the VIP configuration will inadvertently be set to disable after upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[FDS Push-update Settings] The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.
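The FGT-3016B port mapping from the [FG-3016B Upgrade] note above, applied to a saved v3.00 configuration so that the backup can be compared with the configuration of the upgraded unit. This is an added example, not Fortinet's code, and the sample configuration is constructed. It also shows the one pitfall of such a rename: the mapping must be applied in a single pass, because renaming sequentially cascades (port3 becomes port1 and is then renamed again to mgmt1).

```python
"""Added example, not Fortinet code: rewrite interface references in a saved
FGT-3016B v3.00 configuration using the port mapping from the release notes.
The sample configuration is constructed."""
import re

# Old name -> new name, exactly as listed in the FGT-3016B port mapping.
FGT3016B_PORT_MAP = {"port1": "mgmt1", "port2": "mgmt2"}
FGT3016B_PORT_MAP.update({f"port{n}": f"port{n - 2}" for n in range(3, 19)})

# Matches port1..port18 as whole tokens, so port1 never matches inside port10
# and a name outside the mapping (port19) is left untouched.
_PORT_RE = re.compile(r"\bport(?:1[0-8]|[1-9])\b")


def rename_ports(config_text, mapping=FGT3016B_PORT_MAP):
    """Apply the whole mapping in one pass.  Sequential str.replace calls would
    cascade (port3 -> port1 -> mgmt1); a single regex substitution cannot."""
    return _PORT_RE.sub(lambda m: mapping[m.group(0)], config_text)


def referenced_ports(config_text):
    """Old port names the configuration refers to, in first-seen order."""
    return list(dict.fromkeys(_PORT_RE.findall(config_text)))


# Constructed v3.00 fragment: interface definitions and a policy that uses them.
SAMPLE_V3_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
    next
    edit "port3"
        set ip 10.0.1.1 255.255.255.0
    next
    edit "port10"
        set ip 10.0.2.1 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port10"
        set action accept
    next
end
"""

if __name__ == "__main__":
    print("old ports referenced:", referenced_ports(SAMPLE_V3_CONFIG))
    print(rename_ports(SAMPLE_V3_CONFIG))
```

The substitution is purely textual, so review its diff before relying on it: any other token of the form port1..port18 (a comment, a hostname) is renamed as well.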


[Content Archive Summary] The content archive summary related configuration will be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.

[RTM Interface Configuration] Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0 MR1, the RTM interface and some of the configuration that uses RTM objects are not retained. In FortiOS v3.00, RTM objects used upper-case letters, such as "RTM/1". FortiOS v4.0 MR1 - Patch Release 10 uses lower-case letters for RTM objects.

[SSL-VPN Bookmarks] Some SSL-VPN bookmarks may be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.

[Web Filter Exempt List] FortiOS v4.0 MR1 - Patch Release 10 merged the web content block and web content exempt lists into one list. Upon upgrading to v4.0 MR1, ONLY the web content block list is retained.

[IPS DoS Sensor Configuration] When upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1, the IPS DoS Sensor configuration in v3.00 is not converted to the corresponding DoS policy. Hence, the DoS Sensor related configuration may be lost.

[Antivirus Service on Non-Standard Port] Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0 MR1, the settings for AntiVirus scanning on non-standard ports are not retained.

3.2 Upgrading from FortiOS v4.0


FortiOS v4.0 MR1 - Patch Release 10 officially supports upgrade from the most recent Patch Release in FortiOS v4.0.0. See the upgrade path below. The arrows indicate "upgrade to".

[FortiOS v4.0] The upgrade is supported from FortiOS v4.0.4 B0113 Patch Release 4 or later.
v4.0.4 B0113 Patch Release 4 (or later) -> v4.0 MR1 - Patch Release 10 B0217GA
After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration] If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR1 - Patch Release 10 the ips-sniffer-mode setting will be changed to disable.

[Webfilter Banned Word and Exempt Word List] FortiOS v4.0 MR1 - Patch Release 10 merged the web filter banned and exempt word lists into one list under "config webfilter content". Upon upgrading to v4.0 MR1, ONLY the banned word list is retained. For example:

In FortiOS v4.0.4
config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end

After upgrading to FortiOS v4.0 MR1 - Patch Release 10
config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

Before upgrading, back up your configuration, parse the webfilter exempt list entries, and merge them into the webfilter content list after the upgrade.

After merging the exempt list from v4.0.4 into the webfilter content list
config webfilter content
    edit 1
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
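Two caveats in this document call for editing configuration by hand: the Identity Based Policy reordering in section 3.1 and the exempt-list merge just described. Both need the FortiOS CLI configuration parsed, so one added example serves both. This is not Fortinet's code; the sample configurations are constructed from the examples in these notes, with the policy order check deliberately limited to ordering (the sample policies carry no address or interface fields), so it reports candidates to review rather than a definitive verdict.

```python
"""Added example, not Fortinet code: a small parser for the FortiOS CLI config
syntax shown in these notes (config / edit / set / next / end), applied to two
upgrade caveats: plain firewall policies ordered below an Identity Based Policy
(never hit because of the implicit DENY ALL), and merging the v4.0.4
'webfilter exmword' list into 'webfilter content' after the upgrade.
The sample configurations are constructed from the examples in the notes."""


def parse_fortios(text):
    """Parse CLI config text into nested dicts:
    {table: {entry_id: {attribute: value, sub_table: {...}}}}.
    Dict insertion order is kept, so policy order survives parsing."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append(stack[-1].setdefault(rest, {}))
        elif word == "edit":
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif word == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip('"')
        elif word in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return root


def shadowed_policies(cfg):
    """IDs of non-identity policies that come after an Identity Based Policy.
    Only ordering is checked, so the result is a list of candidates to review."""
    seen_identity = False
    shadowed = []
    for policy_id, policy in cfg.get("firewall policy", {}).items():
        if policy.get("identity-based") == "enable":
            seen_identity = True
        elif seen_identity:
            shadowed.append(policy_id)
    return shadowed


def merge_exempt_list(backup_cfg, upgraded_cfg):
    """Copy each 'webfilter exmword' entry from the pre-upgrade backup into the
    matching 'webfilter content' list with 'set action exempt'; banned entries
    already present in the content list are left as they are."""
    content = upgraded_cfg.setdefault("webfilter content", {})
    for list_id, exempt_list in backup_cfg.get("webfilter exmword", {}).items():
        target = content.setdefault(list_id, {"name": exempt_list.get("name", "")})
        entries = target.setdefault("entries", {})
        for word, attrs in exempt_list.get("entries", {}).items():
            entries[word] = dict(attrs, action="exempt")
    return content


# Constructed: the post-upgrade policy order from section 3.1 (TELNET below).
POLICY_CONFIG = """\
config firewall policy
    edit 1
        set identity-based enable
        config identity-based-policy
            edit 1
                set service HTTP
            next
        end
    next
    edit 2
        set service TELNET
    next
end
"""

# Constructed: the v4.0.4 exempt list from the backup, and the content list
# as it exists after the upgrade, each shortened to one entry.
BACKUP_CONFIG = """\
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end
"""
UPGRADED_CONFIG = """\
config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
"""
```

Call shadowed_policies(parse_fortios(text)) on the policy section of the upgraded configuration; every ID it returns is a plain policy sitting below an Identity Based Policy and should be moved above it as the notes describe. For the web filter merge, parse the pre-upgrade backup and the post-upgrade configuration separately and pass both to merge_exempt_list; the returned dict is what the merged "config webfilter content" list should contain, with the exempt words carrying action exempt and the banned words unchanged.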


[VoIP Settings] FortiOS v4.0 MR1 - Patch Release 10 adds functionality to archive messages and files caught by the Data Leak Prevention feature, which includes some VoIP messages. However, in some scenarios this affects configuration retention on upgrade. Consider the following: a FortiGate running v4.0.3 has two protection profiles, PP1 and PP2.
PP1 contains:
- DLP sensor: DLP1
- Application control list: APP1, which archives SIP messages
PP2 contains:
- DLP sensor: DLP1
- Application control list: APP2, which has content-summary enabled for SIMPLE
Upon upgrading to FortiOS v4.0 MR1 - Patch Release 10, the VoIP settings are not moved into the DLP archive feature.

[Management Tunnel Configuration] The 'config system management-tunnel' command has been removed in FortiOS v4.0 MR1 - Patch Release 10. The management-tunnel settings have been integrated into the central-management feature.


Downgrading to FortiOS v3.00


Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:
- operation modes
- interface IP/management IP
- route static table
- DNS settings
- VDom parameters/settings
- admin user account
- session helpers
- system access profiles


Fortinet Product Integration and Support

5.1 Fortinet Server Authentication Extension (FSAE) Support


FortiOS v4.0 MR1 - Patch Release 10 is supported by FSAE v3.00 B067 (FSAE collector agent 3.5.067) or later for the following:

- 32-bit version of Microsoft Windows 2003 R1 Server
- 64-bit version of Microsoft Windows 2003 R1 Server
- 32-bit version of Microsoft Windows 2008 R1 Server
- 64-bit version of Microsoft Windows 2008 R1 Server
- 64-bit version of Microsoft Windows 2008 R2 Server
- Novell E-directory 8.8

IPv6 currently is not supported by FSAE. Note: FSAE images can be downloaded from the Customer Support site at the following link: ftp://support.fortinet.com/FortiGate/v4.00/4.0MR1/MR1/FSAE/

5.2 AV Engine and IPS Engine Support


FortiOS v4.0 MR1 Patch Release 10 is supported by AV Engine 3.00013 and IPS Engine 1.00169.

5.3 SSL-VPN Support


5.3.1 SSL-VPN Standalone Client
FortiOS v4.0 MR1 - Patch Release 10 supports the SSL-VPN tunnel client standalone installer B2084 for the following:
- Windows in .exe and .msi format
- Linux in .tar.gz format
- Mac OS X in .dmg format
- Virtual Desktop in .jar format for Windows XP and Vista

The following Operating Systems were tested.
Windows:
- Windows XP 32-bit SP2
- Windows XP 64-bit SP1
- Windows Vista 32-bit SP1
- Windows Vista 64-bit SP1
- Windows 7 32-bit
- Windows 7 64-bit
Virtual Desktop Support:
- Windows XP 32-bit SP2
- Windows Vista 32-bit SP1
- Windows 7 32-bit
Linux:
- CentOS 5.2 (2.6.18-el5)
- Ubuntu 8.0.4 (2.6.24-23)
Mac OS X:
- Leopard 10.5


5.4 Web Browser Support for SSL-VPN


The following web browsers were tested:
- Internet Explorer 7.0
- Internet Explorer 8.0
- FireFox 3.x


Resolved Issues in FortiOS v4.0 MR1 - Patch Release 10

The list of resolved issues below does not include every bug that has been corrected in this release. For inquiries about a particular bug, contact Customer Support.

6.1 System
Description: SMTP daemon process crashes regularly if DLP sensors for spam are enabled but no rule is configured.
Bug ID: 126522
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: It might take much longer to reboot a FortiGate-5005FA2.
Model Affected: FortiGate-5005FA2
Bug ID: 141455
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: CPU usage might spike when IPSec configurations were changed.
Bug ID: 133858
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: The NSM process might cause a CPU spike when a number of IPSec tunnel interfaces were created.
Bug ID: 128725
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: The framed IP address may not be released properly when the RADIUS authentication method is used and the PPTP VPN has been disconnected.
Bug ID: 138060
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: FortiGate might, rarely, drop an RST packet during the TCP handshake.
Bug ID: 144569
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: The error message 'pid-32 lock_mlog()-504 shmget()failed: No such file or directory' could occasionally be printed on the console during reboot after an IPS or Antivirus package was updated.
Bug ID: 120785
Status: Fixed in v4.0 MR1 - Patch Release 10.

6.2 High Availability


Description: The master unit may inadvertently use an unusual virtual MAC address on VLAN interfaces.
Bug ID: 136830
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: Administrators may fail to access the FortiGate through an aggregation port after a reboot in a TP mode HA cluster environment, and the error message "can not set mac address(16)." may be displayed via the console.
Bug ID: 131995, 141910
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: FortiGate-5001A may freeze unexpectedly in an A-A cluster environment.
Model Affected: FortiGate-5001A
Bug ID: 144537
Status: Fixed in v4.0 MR1 - Patch Release 10.


6.3 Router
Description: RIP settings may be lost on some interfaces when a number of interfaces are configured in RIP.
Bug ID: 139243
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: Some BGP peers may occasionally fail to be established when hundreds of BGP peers are configured.
Bug ID: 141301
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: Improvements to the OSPF route calculation algorithm.
Bug ID: 136838, 138572, 138585
Status: Fixed in v4.0 MR1 - Patch Release 10.

6.4 Firewall
Description: TCP split-handshake attack is not blocked by FortiGate with default settings.
Bug ID: 139367
Status: Fixed in v4.0 MR1 - Patch Release 10.

6.5 Web Proxy


Description: Web Proxy may keep crashing when the protection profile was removed from the designated firewall policy.
Bug ID: 139551
Status: Fixed in v4.0 MR1 - Patch Release 10.

6.6 VPN
Description: Memory usage unexpectedly increased when IPSec configurations were changed.
Bug ID: 136528
Status: Fixed in v4.0 MR1 - Patch Release 10.

6.7 Log & Report


Description: Improvements and corrections to the FTP content log.
Bug ID: 141501, 139241, 131630
Status: Fixed in v4.0 MR1 - Patch Release 10.

6.8 FSAE
Description: Users may fail to be removed from an LDAP group on the FortiGate.
Bug ID: 142680
Status: Fixed in v4.0 MR1 - Patch Release 10.


Image Checksums

The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After login, click on the "Firmware Images Checksum Code" link in the left frame.

(End of Release Notes.)
