FortiOS v4.0 MR2 Patch Release 10 Release Notes

5/21/2018 FortiOS v4.0 MR2 Patch Release 10 Release Notes

1/23

FortiOS v4.0 MR2 Patch Release 10

Release Notes


2/23

December 09, 201101-4210-84420-20111209

Copyright 2011 Fortinet, Inc. All rights reserved. Contents and terms are subject to

change by Fortinet without prior notice. No part of this publication may be reproduced in

any form or by any means or used to make any derivative such as translation,

transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the

United States Copyright Act of 1976.

Trademarks

ABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer,

FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGate Unified

Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus,FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiMail, FortiManager, Fortinet,

FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiScan, FortiShield,

FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United States

and/or other countries. The names of actual companies and products mentioned herein

may be the trademarks of their respective owners.

Performance metrics contained herein were attained in internal lab tests under ideal

conditions. Network variables, different network environments and other conditions may

affect performance results, and Fortinet disclaims all warranties, whether express or

implied, except to the extent Fortinet enters a binding contract with a purchaser that

expressly warrants that the identified product will perform according to the performance

metrics herein. For absolute clarity, any such warranty will be limited to performance in

the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in full anyguarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this

publication without notice, and the most current version of the publication shall be

applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All

registered customers with valid support contracts may enter their support tickets via the

support site: https://support.fortinet.com.

Visit these links for more information and documentation for your Fortinet product:

Technical Documentation - http://docs/fortinet.com

Knowledge Base - http://kb.fortinet.com

Technical Support - https://support.fortinet.com

Training Services - http://training.fortinet.com
https://support.fortinet.com/https://support.fortinet.com/https://support.fortinet.com/http://docs/fortinet.comhttp://kb.fortinet.com/http://support.fortinet.com/http://training.fortinet.com/http://training.fortinet.com/http://support.fortinet.com/http://kb.fortinet.com/http://docs/fortinet.comhttps://support.fortinet.com/https://support.fortinet.com/


3/23

FortiOS v4.0 MR2 Patch Release 10 Release Notes

01-4210-84420-20111209

http://docs.fortinet.com/ Feedback

Table of Contents

Introduction .............................................................................................. 1

Special Notices ........................................................................................ 3General ............................................................................................................. 3

Monitor Settings for Web User Interface Access ....................................... 3

Web Browser Support ................................................................................ 3

BEFORE any upgrade................................................................................. 3

AFTER any upgrade.................................................................................... 3

Installation Information ........................................................................... 5Upgrading from FortiOS v4.0 ........................................................................... 5

FortiOS v4.0................................................................................................ 5

Network Interface Configuration................................................................. 5

WebFilter Banned Word and Exempt Word List......................................... 5VoIP Settings .............................................................................................. 7

NNTP DLP Archive...................................................................................... 7

Upgrading from FortiOS v4.0 MR1 ................................................................... 7

FortiOS v4.0 MR1 ....................................................................................... 7

DLP Rule..................................................................................................... 7

System Autoupdate Settings ...................................................................... 7

Downgrading to FortiOS v4.0 MR1 .................................................................. 8

Product Integration and Support ........................................................... 9Fortinet Single Sign On (FSSO) Support .......................................................... 9

AV Engine and IPS Engine Support.................................................................. 9SSL-VPN Support............................................................................................. 9

SSL-VPN Standalone Client ....................................................................... 9

FortiAP Support .............................................................................................. 10

Resolved Issues ..................................................................................... 11Command Line Interface .......................................................................... 11

Web User Interface ................................................................................... 11

System...................................................................................................... 11

High Availability......................................................................................... 12

Firewall...................................................................................................... 12

Web Proxy ................................................................................................ 12VPN........................................................................................................... 12

WAN Optimization .................................................................................... 13

Log and Report......................................................................................... 13

Known Issues......................................................................................... 15System...................................................................................................... 15

Image Checksums ................................................................................. 17
http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.htmlhttp://docs.fortinet.com/surveyredirect.htmlhttp://docs.fortinet.com/


4/23

2


5/23


01-4210-84420-20111209


1. Introduction

This document provides installation instructions, and addresses issues and caveats in

FortiOS v4.0 MR2 build B0338 Patch Release 10.

Table 1outlines the release status for several FortiGate models.

Table 1: Supported Platforms

FortiGate Models FortiOS v4.0 MR2 Patch Release 10

FG-30B, FWF-30B, FG-50B, FG-51B,

FWF-50B, FG-60B, FWF-60B, FG-80C,

FG-80CM, FWF-80CM, FWF-81CM, FG-

82C, FG-100A, FG-110C, FG-111C, FG-

200A, FG-200B, FG-200B-POE, FG-224B,

FG-300A, FG-310B, FG-311B, FGFG-

310B-DC, FG-400A, FG-500A, FG-620B,

FG-620B-DC, FG-621B, FG-800, FG-800F,FG-1000A, FG-1000A-FA2, FG-1000A-

LENC, FG-1240B, FG-3016B, FG-3040B,

FG-3140B, FG-3600, FG-3600A, FG-

3810A, FG-3950B, FG-3951B, FG-5001,

FG-5001A, FG-5001B, FG-5001FA2, and

FG-5005FA2.

All models are supported on the regular v4.0 MR2

- Patch Release 10.

FG-60C, FWF-60C, FWF-60CM, FWF-

60CX-ADSL-A

This model is released on a special branch based

off of FortiOS v4.0 MR2 - Patch Release 10: fg_4-

2_60c/build_tag_5894. As such, the build number

found at System > Dashboard > Statusand the

output from the get system statusCLI

command displays 5894as the build number. To

confirm that you are running the proper build, the

output from the get system statusCLIcommand has a Branch point:field that

should read 338.

FG-VM This model is released on a special branch based


2_vmware_esx/build_tag_5891. As such, the

build number found at System > Dashboard >

Statusand the output from the get system

statusCLI command displays 5891as the build

number. To confirm that you are running the

proper build, the output from the get system

statusCLI command has a Branch point:

field that should read 338.


6/23

Introductio

FortiOS v4.0 MR2 Patch Release 10 Release Note

2 01-4210-84420-2011120

http://docs.fortinet.com/ Feedbac

See http://docs.forticare.com/fgt.htmlfor additional documents on FortiOS v4.0 MR2.

FG-ONE This model is released on a special branch based


2_one/build_tag_5892. As such, the build number

found at System > Dashboard > Statusand the


command displays 5892as the build number. Toconfirm that you are running the proper build, the


command has a Branch point:field that

should read 338.

FG-300C This model is released on a special branch based


2_300c/build_tag_4055. As such, the build

number found at System > Dashboard > Status

and the output from the get system status

CLI command displays 4055as the build number.

To confirm that you are running the proper build,

the output from the get system statusCLI

command has a Branch point:field that

should read 338.

Table 1: Supported Platforms (Continued)


7/23


01-4210-84420-20111209


2. Special Notices

General

The Trivial File Transfer Protocol (TFTP) boot process erases all current firewall

configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings

for Web User

Interface Access

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This

allows for all the objects in the Web UI to be viewed properly.

Web Browser

Support

Microsoft Internet ExplorerTM 8.0 (IE8) and FireFox 3.5 or later are fully supported.

BEFORE any

upgrade

FortiGate Configuration:

Save a copy of your FortiGate unit configuration (including replacement messages)

prior to upgrading.

AFTER any

upgrade

WebUI Display:

If you are using the Web UI, clear the browser cache prior to logging in to the FortiGate

unit to ensure proper display of the Web UI screens.

Update the AV/IPS definitions:

The AV/IPS signature included with an image upgrade may be older than ones cur-rently available from Fortinet's FortiGuard system. Fortinet recommends performing

an update as soon as possible after upgrading. Consult the FortiOS Handbookfor

detailed procedures on upgrading your AV/IPS signature.
http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.htmlhttp://docs.fortinet.com/fgt40mr3.htmlhttp://docs.fortinet.com/fgt40mr3.htmlhttp://docs.fortinet.com/fgt40mr3.htmlhttp://docs.fortinet.com/surveyredirect.htmlhttp://docs.fortinet.com/http://docs.fortinet.com/fgt40mr3.htmlhttp://docs.fortinet.com/fgt40mr3.html


8/23

4


9/23


01-4210-84420-20111209


3. Installation Information

Upgrading from FortiOS v4.0

FortiOS v4.0 MR2 Patch Release 10 officially supports upgrade from the FortiOS v4.0

Patch Release 4 or later. See the upgrade path below. The arrows indicate "upgrade

to".

FortiOS v4.0 The upgrade is supported from FortiOS v4.0.4 B0113 or later.

v4.0.4 B0113 (or later)

v4.0 MR2 Patch Release 10 B0338

After every upgrade, ensure that the build number and branch point match the image

that was loaded.

Network

Interface

Configuration

If a network interface has ips-sniffer-modeoption set to enable, and that interface

is being used by a firewall policy, then after upgrading from FortiOS v4.0.0, or any sub-

sequent patch, to FortiOS v4.0 MR2 Patch Release 10, the ips-sniffer-modeset-

ting will be changed to disable.

WebFilter Banned

Word and Exempt

Word List

FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list

under config webfilter content. After you upgrade to v4.0 MR2, only the

banned word list is retained. For example:

In FortiOS v4.0.4:

config webfilter bword

edit 1config entries

edit "badword1"

set status enable

next

edit "badword2"

set status enable

next

end

set name "BannedWordList"

next

end

config webfilter exmwordedit 1

config entries

edit "goodword1"

set status enable

next

edit "goodword2"

set status enable


10/2

Upgrading from FortiOS v4.0 Installation Informatio


6 01-4210-84420-2011120


next

end

set name "ExemptWordList"

next

end

After upgrading to FortiOS v4.0 MR2:config webfilter content

edit 1

config entries

edit "badword1"

set status enable

next

edit "badword2"

set status enable

next

end


next

end

Before upgrading: backup your configuration, and parse the webfilter exempt list

entries. Then merge them into the webfilter content list after the upgrade.

After merging the exempt list from v4.0.4 to the webfilter content list:

config webfilter content

edit 1

config entries

edit "goodword1"

set status enable

next

edit "goodword2"set action exempt

set status enable

next

edit "badword1"

set status enable

next

edit "badword2"

set action exempt

set status enable

next

end


nextend


11/2

Installation Information Upgrading from FortiOS v4.0 MR


01-4210-84420-20111209


VoIP Settings FortiOS v4.0 MR2 has the functionality to archive messages and files caught by theData Leak Prevention (DLP) feature, which includes some VoIP messages. However,

some scenarios have an implication configuration retention on the upgrading. Consider

the following:

FortiGate in v4.0.4 has two protection profiles: PP1 and PP2.

PP1 contains: DLP sensor: DLP1

Application control list: APP1 which archives SIP messages

PP2 contains:

DLP sensor: DLP1

Application control list: APP2 which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR2 Patch Release 10, the VoIP settings are not

moved into the DLP archive feature.

NNTP DLPArchiveNNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2 PatchRelease 10.

Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR2 Patch Release 10 officially supports upgrade from the FortiOS v4.0

MR1 Patch Release 4 or later. See the upgrade path below. The arrows indicate

"upgrade to".

FortiOS v4.0 MR1 The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0196 Patch

Release 4 or later.

v4.0 MR1 Patch Release 4 B0196 (or later)

v4.0 MR2 Patch Release 10 B0338

After every upgrade, ensure that the build number and branch point match the image

that was loaded.

DLP Rule A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgradingto FortiOS v4.0 MR2 Patch Release 10.

System

AutoupdateSettings

The settings under System > Maintenance > FortiGuardwill get set to default values

after upgrading to FortiOS v4.0 MR2 Patch Release 10.


12/2

Downgrading to FortiOS v4.0 MR1 Installation Informatio


8 01-4210-84420-2011120


Downgrading to FortiOS v4.0 MR1

Downgrading to FortiOS v4.0 MR1 results in configuration loss on ALL models. Only

the following settings are retained:

operation modes

interface IP/management IP

route static table

DNS settings

VDom parameters/settings

admin user account

session helpers

system access profiles.


13/2


01-4210-84420-20111209


4. Product Integration and Support

Fortinet Single Sign On (FSSO) Support

FortiOS v4.0 MR2 Patch Release 10 is supported by FSSO (formerly FSAE) v4.3.0

B0108 for the following:

32-bit version of Microsoft Windows 2003 R2 Server


32-bit version of Microsoft Windows 2008 Server

64-bit version of Microsoft Windows 2008 Server


Novell E-directory 8.8.

IPv6 currently is not supported by FSSO.

AV Engine and IPS Engine Support

FortiOS v4.0 MR2 Patch Release 10 is supported by AV Engine 4.00254 and IPS

Engine 1.00229.

SSL-VPN Support

SSL-VPN

Standalone Client

FortiOS v4.0 MR2 Patch Release 10 supports the SSL-VPN tunnel client standalone

installer B2148 for the following:

Windows in .exe and .msi format

Linux in .tar.gz format

Mac OS X in .dmg format

Virtual Desktop in .jar format for Windows 7, XP, and Vista

Table 2lists the supported operating systems.
http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.htmlhttp://-/?-http://-/?-http://docs.fortinet.com/surveyredirect.htmlhttp://docs.fortinet.com/


14/2

FortiAP Support Product Integration and Suppo


10 01-4210-84420-2011120


FortiAP Support

The following table lists which FortiAP devices and FortiOS operating systems are sup-

ported in FortiOS v4.0 MR2 build B0338 Patch Release 10.

Table 2: Supported operating systems

Windows Linux Mac OS X

Windows XP 32-bit SP3 CentOS 5.2 (2.6.18-el5) Leopard 10.5

Windows XP 64-bit SP1 Ubuntu 10.0.4

Windows Vista 32-bit SP1


Windows 7 32-bit

Windows 7 64-bit

Virtual Desktop Support

Windows XP 32-bit SP2


Windows 7 32-bit

Table 3: Supported Models

Model FortiAP v4.0 MR3 Patch Release 3

FAP-210B

These models are supported on the regular v4.0 MR3 branchFAP-220A

FAP-220B

FAP-222B

FortiOS v4.0 MR2 For wireless controller support in FortiOS v4.0 MR2 the following

firmware image is required:

fg_4-2_fortiap/build_tag_3080.

The build number for these images in the System > Statuspage and the

output from the "get system status" CLI commanddisplays 3080.

To confirm that you are running the proper build, the output from the

"get system status" CLI command hasa "Branch point" field. This

should read 338.

This firmware image is available under the following directory in the

Firmware Images page of the Customer Support site after you login:

FortiAP/v4.00/4.0MR2/MR2_Patch_10/Wireless_controller/

or

FortiAP/v4.00/4.0MR3/MR3_Patch_3/Wireless_controller/


15/2


01-4210-84420-20111209 1


5. Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this

release. For inquires about a particular bug, please contact Customer Support.

The resolved issues include:

Command Line Interface

Web User Interface

System

High Availability

Firewall

Web Proxy

VPN

WAN Optimization

Log and Report

Command Line

Interface

Web User

Interface

System

Table 4: Resolved CLI Issues

Bug ID Description

154306 A set of batch commands may take a longer time than expected to complete.

Table 5: Resolved Web User Interface Issues

Bug ID Description

155055 It might take longer to view Firewall > Policypages in an HA environment.

Table 6: Resolved System Issues

Bug ID Description

155925 Unexpected crash occurred on FG-3950B when a VIP FTP server replied with its

NAT IP address.

153200 An NPU interface might not be changed to another VDOM when NPU fastpath is

disabled.

153346 The status of an aggregate port should reflect the status of the negotiation than

the status of the physical links.

152073 An interface may not reply to ICMP request when it was removed from anaggregate interface.

155860 A VLAN interface might still accept traffic when the status was set to down.

149497 Fix on high memory usage issue caused by SSL proxy daemon.

141164 FortiGate might keep sending SYN packets to its BGP peer when the peer tried

to originate a new connection but close it instantly.

149580 Time synchronization might stop when NTP setting was changed.
http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.htmlhttps://support.fortinet.com/http://docs.fortinet.com/surveyredirect.htmlhttp://docs.fortinet.com/https://support.fortinet.com/


16/2

Resolved Issue


12 01-4210-84420-2011120


High Availability

Firewall

Web Proxy

VPN

152947 BGP daemon would sometimes crash when a failover happened on a HA cluster

during a BGP graceful restart.

154870 The MSI-X load balance for XD2 was turned off, causing all NP4 interrupts to go

to only one CPU.

Table 6: Resolved System Issues

Table 7: Resolved HA Issues

Bug ID Description

154729 ha-mgmt-interface-gatewaymight stop working when the speed setting

was changed on the management interface.

147084 Gratuitous ARP was kept sending by master under TP mode and could cause

loop easily when units were upgrade from FortiOS v4.0 MR1.

Table 8: Resolved Firewall Issues

Bug ID Description

152224,

156926

An access redirected by load balance to a real server might be persistent when

the server was failed or HTTP service was disabled if persistence option was

enabled.

Table 9: Resolved Web Proxy Issues

Bug ID Description

156128 Directory listing of an FTP site may not work over Explicit Web Proxy.

Table 10: Resolved VPN Issues

Bug ID Description

142302 Difficulties accessing some web sites via SSL VPN.

148546 After upgrading the release version, the boot image failed.

153719 IPSec VPN gateway route was not properly injected into routing table when the

associated interface was configured to use PPPoE link.

155424 If a user took more than 30 seconds to provide his or her XAUTH credentials the

XAUTH window disappeared.

115358 A PC that running Windows 7 or Vista might fail to do DNS resolution via SSL

VPN tunnel when DNS server was not configured for SSL VPN on FortiGate and

split-tunneling option was not enabled.

140339 A VPN client might connect to the wrong network when the same subnet was

configured for VPN in different VDOMs.

155243 FortiGate devices running FortiOS v4.0 MR2 and v4.0 MR3 may have difficulty

establishing an IPSec tunnel.

156005 Using SSL VPN, cookies are not marked as either secure or HTTP only.


17/2

Resolved Issues


01-4210-84420-20111209 1


WAN

Optimization

Log and Report

Table 11: Resolved WAN Optimization Issues

Bug ID Description

153725 Some web sites might not be accessed when IE8 or IE9 were used and Web

Cache was enabled. This affectes the FG-200B and FG-80C series models.

Table 12: Resolved Log and ReportIssues

Bug ID Description

142853 A FortiGate might stop sending event logs to FortiAnalyzer or Syslog server after

a reboot.

155404 After a master reboot, the logs from a cluster sent to the FortiAnalyzer unit were

out of their designated secure tunnel.

155204 Duplicated entries can be seen on FortiGate when logs were retrieved from

FortiAnalyzer.


18/23

14


19/2


01-4210-84420-20111209 1


6. Known Issues

This section lists the known issues of this release, but is not a complete list. For

inquires about a particular bug, please contact Customer Support.

SystemTable 13: Known System Issues

Bug ID Description Status

158146 Miglogddaemon may crash when new members join

an HA cluster or when failover happens.

To be fixed in a future

release.


20/2

16


21/2


01-4210-84420-20111209 1


7. Image Checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the

Fortinet Customer Support website located at https://support.fortinet.com. After

logging in, click on Download > Firmware Image Checksum, enter the image file,

including the extension, and select Get Checksum Code.

Figure 1: Fortinet customer support image checksum tool

(End of Release Notes)


22/2

18


23/2

FortiOS v4.0 MR2 Patch Release 10 Release Notes

Documents

Transcript of FortiOS v4.0 MR2 Patch Release 10 Release Notes