Release Notes
v4.0 MR1 Patch Release 10
01-4110-84420-20110617
Table of Contents
1 FortiOS v4.0 MR1 - Patch Release 10
2 Special Notices
    2.1 General
3 Upgrade Information
    3.1 Upgrading from FortiOS v3.00 MR6/MR7
    3.2 Upgrading from FortiOS v4.0
4 Downgrading to FortiOS v3.00
5 Fortinet Product Integration and Support
    5.1 Fortinet Server Authentication Extension (FSAE) Support
    5.2 AV Engine and IPS Engine Support
    5.3 SSL-VPN Support
        5.3.1 SSL-VPN Standalone Client
    5.4 Web Browser Support for SSL-VPN
6 Resolved Issues in FortiOS v4.0 MR1 - Patch Release 10
    6.1 System
    6.2 High Availability
    6.3 Router
    6.4 Firewall
    6.5 Web Proxy
    6.6 VPN
    6.7 Log & Report
    6.8 FSAE
7 Image Checksums
Copyright 2011 Fortinet, Inc. All rights reserved.

Trademarks
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com
1 FortiOS v4.0 MR1 - Patch Release 10

This document provides installation instructions and addresses issues and caveats in the FortiOS v4.0 MR1 B0217 - Patch Release 10 release. The following outlines the release status for several models.

Model: FGT-30B, FWF-30B, FGT-50B, FWF-50B, FGT-51B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A LENC, FGT-1240B, FGT-3016B, FGT-3600, FGT-3600A, FGT-3810A, FGT-5001A, FGT-5001, FGT-5001-FA2, FGT-5005-FA2
Release Status: All models are supported on the regular v4.0 MR1 - Patch Release 10 branch.

Model: FGT-200B, FGT-200B-POE
Release Status: The officially released image for these models is based on the FortiOS v4.0 MR1 - Patch Release 10 branch fg_4-1_200b/build_tag_5818 and is located in the same directory as the models supported on the regular FortiOS v4.0 MR1 branch. The build number shown on the System > Status page and in the output of the "get system status" CLI command is 5818. To confirm that you are running the proper build, check the "Branch point:" field in the output of "get system status"; it should read 217.

Model: FWF-80CM, FWF-81CM
Release Status: The officially released images for these models are based on the FortiOS v4.0 MR1 - Patch Release 10 branch fg_4-1_80cm_rework/build_tag_6840 and are located in the same directory as the models supported on the regular FortiOS v4.0 MR1 branch. The build number shown on the System > Status page and in the output of the "get system status" CLI command is 6840. To confirm that you are running the proper build, check the "Branch point:" field in the output of "get system status"; it should read 217.
Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR1 release.
2 Special Notices
2.1 General
IMPORTANT! The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

Monitor Settings for Web User Interface Access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows all objects in the Web UI to be viewed properly.

Web Browser Support
Microsoft Internet Explorer 7.0/8.0 and Firefox 3.0.x are fully supported.
BEFORE any upgrade
[FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade
[Web UI Display] If you are using the Web UI, clear the browser cache before logging in to the FortiGate to ensure proper display of the Web UI screens.
[Update the AV/IPS Definitions] The AV/IPS signatures included with an image upgrade may be older than those currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.
3 Upgrade Information
3.1 Upgrading from FortiOS v3.00 MR6/MR7

[FGT-3016B Port Naming] (The faceplate port layout figure is not reproduced here.)
Note: After the release of FortiOS v3.00 MR6 firmware, a new revision of the FGT-3016B included a name change to two ports on the left side of the faceplate. Previously they were labeled 1 and 2; they are now called MGMT 1 and MGMT 2. However, the BIOS still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.

[System Settings] In FortiOS v4.0.0 the p2p-rate-limit setting under 'config system settings' has been removed; any related configuration is therefore lost upon upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[Router Access-list] All configuration under 'config router access-list' may be lost after upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[Identity Based Policy] Firewall policy authentication has been reworked in FortiOS v4. Any firewall policy that requires authentication is now known as an Identity Based Policy. Previously, a separate authentication firewall policy had to be created for different schedules, services, and traffic shaping settings; in FortiOS v4 all firewall authentication settings are configured in the Identity Based Policy section of a firewall policy. If no traffic matches any of the Identity Based Policies, the traffic is subject to an implicit DENY ALL. For example:

In FortiOS v3.00 MR6/MR7:

    config firewall policy
        edit 1
            set action accept
            set groups grp1 grp2
            set service HTTP
            ...
        next
        edit 2
            set action accept
            set service TELNET
        next
        ...
    end

After upgrading to FortiOS v4.0 MR1 - Patch Release 10:

    config firewall policy
        edit 1
            set action accept
            set identity-based enable
            config identity-based-policy
                edit 1
                    set groups grp1 grp2
                    set service HTTP
                next
            end
        next
        edit 2
            set action accept
            set service TELNET
        next
    end

In FortiOS v4.0 MR1 - Patch Release 10 the TELNET policy is never hit, because the implicit DENY ALL at the bottom of the Identity Based Policy catches that traffic before policy 2 is reached. To correct the behaviour, move the non-Identity Based Policy (the TELNET policy) above the Identity Based Policy.

Reorganized policy in FortiOS v4.0 MR1 - Patch Release 10:

    config firewall policy
        edit 2
            set action accept
            set service TELNET
        next
        edit 1
            set action accept
            set identity-based enable
            config identity-based-policy
                edit 1
                    set groups grp1 grp2
                    set service HTTP
                next
            end
        next
    end

[IPv6 Tunnel] All configuration under 'config system ipv6-tunnel' may be lost after upgrading from FortiOS v3.00 MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[User Group] In FortiOS v3.00 a protection profile can be assigned to a user group from the Web UI, but in FortiOS v4.0 it can only be assigned from the CLI.

[Zone Configuration] In FortiOS v3.00 a Zone name could be up to 32 characters; in v4 the limit is 15 characters. Any Zone names in FortiOS v3.00 with more than 15 characters will be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.

[IPv6 VLAN Interfaces] VLAN interfaces with an ipv6-address configured will be lost after upgrading from FortiOS v3.00 to FortiOS v4.0 MR1 - Patch Release 10.

[VIP Settings] The 'set http-ip-header' setting under VIP configuration will inadvertently be set to disable after upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 10.

[FDS Push-update Settings] The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.
[Content Archive Summary] The content archive summary related configuration will be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.

[RTM Interface Configuration] Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0 MR1, the RTM interface and some of the configuration that uses RTM objects are not retained. In FortiOS v3.00, RTM objects used upper-case letters, such as "RTM/1"; FortiOS v4.0 MR1 - Patch Release 10 uses lower-case letters for RTM objects.

[SSL-VPN Bookmarks] Some SSL-VPN bookmarks may be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 10.

[Web Filter Exempt List] FortiOS v4.0 MR1 - Patch Release 10 merged the web content block list and the web content exempt list into one list. Upon upgrading to v4.0 MR1, ONLY the web content block list is retained. For example, in FortiOS v3.00 MR6/MR7, alongside a block list "BannedWordList" containing "badword1" and "badword2", the exempt list is:

    config webfilter exmword
        edit 1
            config entries
                edit "goodword1"
                    set status enable
                next
                edit "goodword2"
                    set status enable
                next
            end
            set name "ExemptWordList"
        next
    end

After upgrading to FortiOS v4.0 MR1 - Patch Release 10, only the block list remains:

    config webfilter content
        edit 1
            config entries
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end

Before upgrading, back up your configuration and parse the webfilter exempt list entries; after the upgrade, merge them into the webfilter content list with 'set action exempt'. After merging the exempt list into the webfilter content list:

    config webfilter content
        edit 1
            config entries
                edit "goodword1"
                    set action exempt
                    set status enable
                next
                edit "goodword2"
                    set action exempt
                    set status enable
                next
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end

[IPS DoS Sensor Configuration] When upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1, the IPS DoS Sensor configuration in v3.00 is not converted to a corresponding DoS policy, so the DoS Sensor related configuration may be lost. Because this removes protection silently, verify the DoS policies after the upgrade and re-create them as needed.

[Antivirus Service on Non-Standard Port] Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0 MR1, the settings for antivirus scanning on non-standard ports are not retained.
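The Identity Based Policy ordering issue and the dropped web content exempt list both call for inspecting the v3.00 backup before the upgrade. The following script is an added example, not Fortinet code or anything shipped with FortiOS: it parses the FortiOS CLI block syntax (config / edit / set / next / end) and then (1) lists the policies without 'groups' that sit below a policy with 'groups' and will therefore fall under the implicit DENY ALL of the converted Identity Based Policy, and (2) emits the CLI that appends the 'config webfilter exmword' entries from the backup to the retained 'config webfilter content' list as 'set action exempt' entries. The two configurations are constructed samples. Two simplifications are assumptions of this example, not statements from these notes: shadowing is evaluated per srcintf/dstintf pair (policies without interfaces are treated as one pair), and a word already present in the block list is left untouched rather than turned into an exempt entry.

```python
import shlex

# Constructed sample of a FortiOS v3.00 MR6/MR7 backup (not a real unit's config)
V3_BACKUP = """config firewall policy
    edit 1
        set action accept
        set groups grp1 grp2
        set service HTTP
    next
    edit 2
        set action accept
        set service TELNET
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end
"""

# Constructed sample of the same unit after the upgrade: only the block list survived
V4_UPGRADED = """config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI (config / edit / set / next / end) into nested dicts;
    dict insertion order preserves policy order, which the audit relies on."""
    root = {}
    stack = [root]  # innermost open block
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            stack[-1][" ".join(tokens[1:])] = block = {}
            stack.append(block)
        elif tokens[0] == "edit":
            stack[-1][tokens[1]] = entry = {}
            stack.append(entry)
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return root

def shadowed_policies(cfg):
    """IDs of policies without 'groups' that sit below a policy with 'groups' on the
    same srcintf/dstintf pair (assumed match unit): after the upgrade the Identity
    Based Policy's implicit DENY ALL catches that traffic first."""
    auth_pairs, shadowed = set(), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        pair = (tuple(pol.get("srcintf", ["any"])), tuple(pol.get("dstintf", ["any"])))
        if "groups" in pol:  # converted to an Identity Based Policy on upgrade
            auth_pairs.add(pair)
        elif pair in auth_pairs:
            shadowed.append(pid)
    return shadowed

def exempt_merge_cli(backup_cfg, upgraded_cfg):
    """Return (cli, words): CLI appending the v3.00 exempt words to each retained
    'webfilter content' list as 'set action exempt' entries."""
    words = [w for lst in backup_cfg.get("webfilter exmword", {}).values()
             for w in lst.get("entries", {})]
    out = ["config webfilter content"]
    for lid, lst in upgraded_cfg.get("webfilter content", {}).items():
        out += [f"    edit {lid}", "        config entries"]
        for word in words:
            if word in lst.get("entries", {}):
                continue  # assumption: an existing block entry is left untouched
            out += [f'            edit "{word}"', "                set action exempt",
                    "                set status enable", "            next"]
        out += ["        end", "    next"]
    out.append("end")
    return "\n".join(out), words

if __name__ == "__main__":
    backup, upgraded = parse_fortios(V3_BACKUP), parse_fortios(V4_UPGRADED)
    print("policies shadowed after upgrade:", shadowed_policies(backup))
    print(exempt_merge_cli(backup, upgraded)[0])
```

Run against the real backup by replacing V3_BACKUP with the saved configuration file's text and V4_UPGRADED with a 'show webfilter content' capture from the upgraded unit; review the emitted CLI before pasting it, since the merge only adds entries and never removes a block word.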
3.2 Upgrading from FortiOS v4.0

[VoIP Settings] FortiOS v4.0 MR1 - Patch Release 10 adds functionality to archive messages and files caught by the Data Leak Prevention feature, which includes some VoIP messages. However, in some scenarios this configuration is not retained on upgrade. Consider the following: a FortiGate running v4.0.3 has two protection profiles, PP1 and PP2.
PP1 contains:
    o DLP sensor: DLP1
    o Application control list: APP1, which archives SIP messages
PP2 contains:
    o DLP sensor: DLP1
    o Application control list: APP2, which has content-summary enabled for SIMPLE
Upon upgrading to FortiOS v4.0 MR1 - Patch Release 10, the VoIP settings are not moved into the DLP archive feature.

[Management Tunnel Configuration] The 'config system management-tunnel' command has been removed in FortiOS v4.0 MR1 - Patch Release 10. The management-tunnel settings have been integrated into the central-management feature.
4 Downgrading to FortiOS v3.00

Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:
5 Fortinet Product Integration and Support

5.1 Fortinet Server Authentication Extension (FSAE) Support

FSAE is supported on the following platforms:
    32-bit version of Microsoft Windows 2003 R1 Server
    64-bit version of Microsoft Windows 2003 R1 Server
    32-bit version of Microsoft Windows 2008 R1 Server
    64-bit version of Microsoft Windows 2008 R1 Server
    64-bit version of Microsoft Windows 2008 R2 Server
    Novell eDirectory 8.8

IPv6 is currently not supported by FSAE.

Note: FSAE images can be downloaded from the Customer Support site at the following link: ftp://support.fortinet.com/FortiGate/v4.00/4.0MR1/MR1/FSAE/

5.3 SSL-VPN Support

5.3.1 SSL-VPN Standalone Client

The following operating systems were tested.
Windows:
    Windows XP 32-bit SP2
    Windows XP 64-bit SP1
    Windows Vista 32-bit SP1
    Windows Vista 64-bit SP1
    Windows 7 32-bit
    Windows 7 64-bit
Virtual Desktop Support:
    Windows XP 32-bit SP2
    Windows Vista 32-bit SP1
    Windows 7 32-bit
Linux:
    CentOS 5.2 (2.6.18-el5)
    Ubuntu 8.04 (2.6.24-23)
Mac OS X:
    Leopard 10.5
6 Resolved Issues in FortiOS v4.0 MR1 - Patch Release 10

The resolved issues listed below do not include every bug that has been corrected in this release. For inquiries about a particular bug, contact Customer Support.
6.1 System
Description: The SMTP daemon process crashes regularly if DLP sensors for spam are enabled but no rule is configured.
Bug ID: 126522
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: Rebooting a FortiGate-5005FA2 might take much longer than expected.
Model Affected: FortiGate-5005FA2
Bug ID: 141455
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: CPU usage might spike when IPSec configurations were changed.
Bug ID: 133858
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: The NSM process might cause a CPU spike when a large number of IPSec tunnel interfaces were created.
Bug ID: 128725
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: The framed IP address may not be released properly when the RADIUS authentication method is used and the PPTP VPN has been disconnected.
Bug ID: 138060
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: The FortiGate might, in rare cases, drop an RST packet during the TCP handshake.
Bug ID: 144569
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: The error message 'pid-32 lock_mlog()-504 shmget() failed: No such file or directory' could occasionally be printed on the console during a reboot after an IPS or Antivirus package was updated.
Bug ID: 120785
Status: Fixed in v4.0 MR1 - Patch Release 10.
6.3 Router
Description: RIP settings may be lost on some interfaces when a large number of interfaces are configured in RIP.
Bug ID: 139243
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: Some BGP peers may occasionally fail to establish when hundreds of BGP peers are configured.
Bug ID: 141301
Status: Fixed in v4.0 MR1 - Patch Release 10.

Description: Improved OSPF route calculation algorithm.
Bug ID: 136838, 138572, 138585
Status: Fixed in v4.0 MR1 - Patch Release 10.
6.4 Firewall
Description: The TCP split-handshake attack is not blocked by the FortiGate with default settings.
Bug ID: 139367
Status: Fixed in v4.0 MR1 - Patch Release 10.
6.6 VPN
Description: Memory usage unexpectedly increased when IPSec configurations were changed.
Bug ID: 136528
Status: Fixed in v4.0 MR1 - Patch Release 10.
6.8 FSAE
Description: Users may fail to be removed from an LDAP group on the FortiGate.
Bug ID: 142680
Status: Fixed in v4.0 MR1 - Patch Release 10.
7 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After login, click on the "Firmware Images Checksum Code" link in the left frame.
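Two verification steps these notes describe, the MD5 checksum of a downloaded image above and the build number and "Branch point: 217" check in the "get system status" output from section 1, as an added example that is not Fortinet code. The status text is constructed to carry the fields these notes name; the exact layout of a real unit's output may differ, so the parser only looks for "build<digits>" on any line and for a "Branch point:" line. The build table holds only the model-specific values stated in these notes (5818 and 6840); regular-branch models are deliberately absent. MD5 detects a corrupted or truncated download, but it is not collision-resistant, so the digest must be taken from the authenticated HTTPS support site rather than from wherever the image itself was obtained.

```python
import hashlib
import hmac
import re

# Values stated in these release notes: branch point for every image, and the
# build numbers of the two model-specific images. No other builds are listed.
EXPECTED_BRANCH_POINT = 217
MODEL_BUILDS = {"FGT-200B": 5818, "FGT-200B-POE": 5818,
                "FWF-80CM": 6840, "FWF-81CM": 6840}

# Constructed 'get system status' capture for a FortiGate-200B; field layout assumed.
SAMPLE_STATUS = """\
Version: FortiGate-200B v4.0,build5818,110617 (MR1 Patch 10)
Serial-Number: FG200B0000000000
Branch point: 217
"""


def image_md5(source, chunk=1 << 20):
    """Hex MD5 of a firmware image given as bytes or as a file path; a file is
    read in chunks so a large image is never held in memory at once."""
    h = hashlib.md5()
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        with open(source, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def image_matches(source, published_md5):
    """True when the image digest equals the checksum published on the support
    site (case and surrounding whitespace ignored). compare_digest is the usual
    way to compare digests; the weak point here is MD5 itself, not the compare."""
    return hmac.compare_digest(image_md5(source), published_md5.strip().lower())


def parse_status(status_text):
    """Extract (build, branch_point) from 'get system status' output; None if absent."""
    build = re.search(r"\bbuild(\d+)\b", status_text)
    branch = re.search(r"^Branch point:\s*(\d+)\s*$", status_text, re.MULTILINE)
    return (int(build.group(1)) if build else None,
            int(branch.group(1)) if branch else None)


def check_build(status_text, model):
    """Return (ok, detail): the build must equal the one listed for the model
    and the branch point must read 217, as section 1 of these notes requires."""
    build, branch = parse_status(status_text)
    expected = MODEL_BUILDS.get(model)
    problems = []
    if expected is None:
        problems.append(f"no model-specific build listed for {model}")
    elif build != expected:
        problems.append(f"build {build} != expected {expected}")
    if branch != EXPECTED_BRANCH_POINT:
        problems.append(f"branch point {branch} != {EXPECTED_BRANCH_POINT}")
    return (not problems, "; ".join(problems) or "ok")


if __name__ == "__main__":
    # Constructed stand-in for an image file and its published digest
    fake_image = b"constructed bytes standing in for a firmware image"
    print("image ok:", image_matches(fake_image, image_md5(fake_image)))
    print("status:", check_build(SAMPLE_STATUS, "FGT-200B"))
```

In use, pass the downloaded image's path to image_matches together with the digest copied from the "Firmware Images Checksum Code" page, upload the image only on a match, and after the reboot paste the unit's "get system status" output into check_build for the model you upgraded.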