Release Notes v4.0 MR3 Patch Release 2 01-432-84420-20110920 FortiGate ® Multi-Threat Security System


Release Notes FortiOS v4.0 MR3 - Patch Release 2

Table of Contents

1 FortiOS v4.0 MR3 – Patch Release 2
    1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 2
2 Special Notices
    2.1 General
    2.2 SQL Logging adjustments
        2.2.1 SQL Logging Disabled on some models
        2.2.2 Default SQL Database Size
        2.2.3 Database Query Limitation
    2.3 WiFi CA Certificate Rename
    2.4 FortiClient Connect Rename
3 Upgrade Information
    3.1 Upgrading from FortiOS v4.0 MR2
    3.2 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v4.0.0
5 Fortinet Product Integration and Support
    5.1 FortiManager Support
    5.2 FortiAnalyzer Support
    5.3 FortiClient Support
    5.4 FortiAP Support
    5.5 Fortinet Single Sign On (FSSO) Support
    5.6 FortiExplorer Support
    5.7 AV Engine and IPS Engine Support
    5.8 Module Support
    5.9 SSL-VPN Support
        5.9.1 SSL-VPN Standalone Client
        5.9.2 SSL-VPN Web Mode
    5.10 SSL-VPN Host Compatibility List
    5.11 Explicit Web Proxy Browser Support
6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 2
    6.1 Command Line Interface (CLI)
    6.2 Web User Interface
    6.3 System
    6.4 High Availability
    6.5 Router
    6.6 Firewall
    6.7 IPS
    6.8 Web Filter
    6.9 Web Proxy
    6.10 Antispam
    6.11 Data Leak Prevention
    6.12 Voice Over IP (VoIP)
    6.13 VPN
    6.14 WAN Optimization
    6.15 Log & Report
    6.16 Wi-Fi
    6.17 GTP&Dynamic Profile
7 Known Issues in FortiOS v4.0 MR3
    7.1 System
    7.2 WAN Optimization
    7.3 Log & Report
    7.4 WiFi
8 Image Checksums

Change Log

Date | Change Description
2011-09-20 | Initial Release.

© Copyright 2011 Fortinet Inc. All rights reserved.
Release Notes FortiOS™ v4.0 MR3 Patch Release 2.

Trademarks

Copyright © 2011 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com


1 FortiOS v4.0 MR3 – Patch Release 2

This document provides installation instructions and addresses issues and caveats in FortiOS™ v4.0 MR3 B0482 - Patch Release 2. The following outlines the release status for several models.

Model: FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-60C, FWF-60C, FWF-60CM, FWF-60CX-A, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-621B, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3040B, FGT-3140B, FGT-3600, FGT-3600A, FGT-3810A, FGT-3950B, FGT-3951B, FGT-5001A, FGT-5001, FGT-5001B, FGT-5001FA2, FGT-5002FB2, FGT-5005FA2, FGT-ONE, FGT-VM and FGT-VM64.

FortiOS v4.0 MR3 Patch Release 2 Status: All models are supported on the regular v4.0 MR3 - Patch Release 2 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR3 Patch Release 2.

1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 2

The following is a brief list of the new features added in FortiOS v4.0 MR3 Patch Release 2.

• 64-bit FortiOS Support on FGT-1240B
• Access to Packet Capture via Web UI
• AES and TKIP Support on WiFi Encryption Simultaneously
• Cascading XLR and NPU for DoS Protection
• ELBC v3 Merge
• Enhancements on Application Monitor Section under “UTM Profiles > Monitor”
• Extension of Dynamic Profile
• FortiClient Software Licensing Re-definition
• FortiGate-VM 15-day Trial Evaluation License and Upgrade
• Improvements of Usability on New Firewall Policy Configurations via Web UI
• Increase Firewall Address Table Size for FGT-110C, FGT-200A, FGT-200B and FGT-80C series
• Increase Static Route Entries Table Size for FGT-310B and FGT-300C
• Load Balancing Support on FMG-XG2 Card
• Offload Information Column Added to Session Widget at Dashboard
• Pre-defined Service Group
• Wan-optimization Peer Monitoring
• Web Cache Monitoring


2 Special Notices

2.1 General

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 8.0 (IE8) and Firefox 3.5 or later are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache before logging in to the FortiGate to ensure proper display of the Web UI screens.

• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

2.2 SQL Logging adjustments

Because of concerns about system performance, and to optimize logging so that it meets a high standard with minimal impact on major functions under extreme conditions, some SQL logging settings and configurations have been adjusted, as listed below.

2.2.1 SQL Logging Disabled on some models

SQL logging is disabled by default on some models because of slow hard drive I/O performance. These models are FGT-82C, FGT-310B, FGT-310B-DC, FGT-620B, FGT-620B-DC, FGT-3016B, FGT-3600A, FGT-3810A and FGT-5001A. Logging is changed back to text-based and, as a result, the report function will be affected. Users can still enable SQL logging with the following CLI commands, but whether to turn SQL logging on is at the user's discretion.

    config system global
        set sql-logging [enable|disable]
    end


2.2.2 Default SQL Database Size

All models that support SQL logging are given a default SQL database size for best system performance. For models that support SSD, the default database size is set to 10G in a single-VDom environment. For models that support Flash drives, the default database size is set to 1.5G. Users may change the size manually depending on their own environment.

2.2.3 Database Query Limitation

This section applies to FortiGate models that support SQL logging ONLY.

Because of performance concerns when querying a large database, only the latest 200K records are searched at first, as a temporary solution. If the search returns more than 50 records, users may use the “refresh” button in the left corner or the next page button to conduct a second search. If the search returns fewer than 50 records, users may not be able to search the database further via the Web UI. To work around this situation, users can search with the following CLI commands.

    execute log filter device [disk|fortianalyzer]
    execute log filter [category|field|......]
    execute log display

A better solution will be released in 4.3.3.

2.3 WiFi CA Certificate Rename

The WiFi CA certificate has been renamed from Fortinet_Wifi_CA to PositiveSSL_CA.

2.4 FortiClient Connect Rename

The name “FortiClient Connect” will be renamed back to “FortiClient”; all other aspects of FortiClient Connect will remain the same.


3 Upgrade Information

3.1 Upgrading from FortiOS v4.0 MR2

FortiOS v4.0 MR3 - Patch Release 2 officially supports upgrade from FortiOS v4.0 MR2 Patch Release 4 or later. See the upgrade path below.

[FortiOS v4.0 MR2]
The upgrade is supported from FortiOS v4.0 MR2 Patch Release 4 B0313 or later.

v4.0 MR2 Patch Release 4 B0313 (or later)
↓
v4.0 MR3 Patch Release 2 B0482 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DDNS]
DDNS configuration under an interface is moved to global mode “config system ddns” after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[DNS Server]
The “dns-query recursive/non-recursive” option under a specific interface is moved to the system level per VDom mode, and “config system dns-server” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Ping Server]
“gwdetect” related configurations under a specific interface have been moved under router, per VDom mode. “config router gwdetect” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Central-management]
The “set auto-backup disable” and “set authorized-manager-only enable” configurations under “config system central-management” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[SNMP community]
A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Modem Settings]
“wireless-custom-vendor-id” and “wireless-custom-product-id” are moved from “config system modem” to “config system 3g-modem custom” upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[AMC slot settings]
The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Wireless radio settings]
Wireless radio settings other than SSID, Security Mode and Authentication settings will be lost after upgrade. The workaround is given in the Special Notices section.

[Web filter overrides]
The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 B0313 to FortiOS v4.0 MR3 - Patch Release 2.

[Firewall policy settings]
If the source interface or destination interface is set to an amc-XXX interface, the default value of ips-sensor under config firewall policy will change from all_default to default after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[URL Filter]
The “action” options in the urlfilter configuration have been changed from “Allow, Pass, Exempt, Block” to “Allow, Monitor, Exempt, Block”. The “Allow” action does not report a log in v4.3.1. The new “Monitor” action behaves like allow, with log reporting. The “Pass” action in v4.2 has been merged into “Exempt” in v4.3.1, and the CLI command has been changed from “set action pass” to “set exempt pass”.

[FortiGuard Log Filter]
The settings of “config log fortiguard filter” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[FortiGuard Log Setting]
The options “quotafull” and “use-hdd” in “config log fortiguard setting” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

3.2 Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR3 - Patch Release 2 officially supports upgrade from FortiOS v4.0 MR1 Patch Release 9 or later. See the upgrade path below.

[FortiOS v4.0 MR1]
The upgrade is supported from FortiOS v4.0 MR1 Patch Release 9 B0213 or later.

v4.0 MR1 Patch Release 9 B0213 (or later)
↓
v4.0 MR3 Patch Release 2 B0482 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration]
If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR3 - Patch Release 2 the ips-sniffer-mode setting will be changed to disable.

[Traffic shaping]
The unit of guaranteed-bandwidth, inbandwidth, outbandwidth and maximum-bandwidth in traffic shaping is changed from kilo-bytes/sec to kilo-bits/sec after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[System Autoupdate Settings]
The default value of config system autoupdate schedule will be changed from disable to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[DHCP Server]
The name of each DHCP server is replaced with an entry number. The “start-ip” and “end-ip” settings are changed to “config ip-range” under DHCP Server after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[DDNS]
DDNS configuration under an interface is moved to global mode “config system ddns” after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[DNS Server]
The “dns-query recursive/non-recursive” option under a specific interface is moved to the system level per VDom mode, and “config system dns-server” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Ping Server]
“gwdetect” related configurations under a specific interface have been moved under router, per VDom mode. “config router gwdetect” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Central-management]
The “set auto-backup disable” and “set authorized-manager-only enable” configurations under “config system central-management” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[SNMP community]
A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Modem Settings]
“wireless-custom-vendor-id” and “wireless-custom-product-id” are moved from “config system modem” to “config system 3g-modem custom” upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[IPS DoS sensor log setting]
The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR3 - Patch Release 2. Whether the log setting of an IPS DoS sensor is disable or enable on FortiOS v4.1.9 or any subsequent patch, after upgrading to FortiOS v4.0 MR3 - Patch Release 2 the setting will be set to disable.

[IPS sensor log setting]
The log setting of IPS sensors is enable by default on FortiOS v4.0 MR3 - Patch Release 2. If the log setting of an IPS sensor is disabled on FortiOS v4.1.9 or any subsequent patch, the value will be kept after upgrading to FortiOS v4.0 MR3 - Patch Release 2. If the log setting of an IPS sensor is enable or default on FortiOS v4.1.9 or any subsequent patch, the value will be changed to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[DLP Rule]
A DLP rule with the subprotocol setting set to sip simple sccp will be lost upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[Web Filter & Spam Filter]
The names webfilter-status and spamfilter-status have been changed to webfilter-force-off and antispam-force-off. The default value is set to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 2. To use web filter and spam filter, users have to disable the two entries with the following CLI commands:

    config system fortiguard
        set webfilter-force-off disable
        set antispam-force-off disable
    end

[URL Filter]
The “action” options in the urlfilter configuration have been changed from “Allow, Pass, Exempt, Block” to “Allow, Monitor, Exempt, Block”. The “Allow” action does not report a log in v4.3.1. The new “Monitor” action behaves like allow, with log reporting. The “Pass” action in v4.2 has been merged into “Exempt” in v4.3.1, and the CLI command has been changed from “set action pass” to “set exempt pass”.

[FortiGuard Log Filter]
The settings of “config log fortiguard filter” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.

[FortiGuard Log Setting]
The options “quotafull” and “use-hdd” in “config log fortiguard setting” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 2.
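A pre-upgrade check for the configuration changes listed in sections 3.1 and 3.2, as an added example that is not part of these release notes or of any Fortinet tool: it scans a saved configuration backup for settings the notes say will be moved, removed, reset or change unit. The sample backup is constructed, the function names are hypothetical, and the `config`/`edit`/`set`/`next`/`end` block layout of the backup file is an assumption.

```python
"""Flag settings in a FortiOS config backup that sections 3.1/3.2 say will change."""

# (config path, key, value, note); None matches anything. Notes paraphrase 3.1/3.2.
RULES = [
    ("system interface", "ips-sniffer-mode", "enable",
     "set to disable on upgrade if the interface is used by a firewall policy"),
    ("system interface", "gwdetect", None, "moved to 'config router gwdetect'"),
    ("system interface", "dns-query", None, "moved to 'config system dns-server'"),
    ("system central-management", "auto-backup", None, "removed on upgrade"),
    ("system central-management", "authorized-manager-only", None,
     "removed on upgrade"),
    ("system modem", "wireless-custom-vendor-id", None,
     "moved to 'config system 3g-modem custom'"),
    ("system modem", "wireless-custom-product-id", None,
     "moved to 'config system 3g-modem custom'"),
    ("log fortiguard filter", None, None, "settings removed on upgrade"),
    ("log fortiguard setting", "quotafull", None, "removed on upgrade"),
    ("log fortiguard setting", "use-hdd", None, "removed on upgrade"),
    (None, "webfilter-status", None, "renamed webfilter-force-off, default enable"),
    (None, "spamfilter-status", None, "renamed antispam-force-off, default enable"),
]
# Traffic-shaping keys whose unit changes from kilo-bytes/sec to kilo-bits/sec.
BANDWIDTH_KEYS = {"guaranteed-bandwidth", "maximum-bandwidth",
                  "inbandwidth", "outbandwidth"}

# Constructed sample backup (not from a real device); block names and values
# are illustrative assumptions.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set ips-sniffer-mode enable
        set gwdetect enable
    next
    edit "port2"
        set ips-sniffer-mode disable
        set inbandwidth 0
    next
end
config system central-management
    set auto-backup disable
    set authorized-manager-only enable
end
config firewall shaper traffic-shaper
    edit "voip"
        set guaranteed-bandwidth 128
        set maximum-bandwidth 512
    next
end
config log fortiguard setting
    set status enable
    set quotafull overwrite
end
"""


def parse_settings(text):
    """Yield (config_path, entry, key, value) for every 'set' line."""
    stack = []  # one [path, current edit entry] pair per open config block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[len("config "):].strip(), None])
        elif not stack:
            continue  # header or comment lines outside any block
        elif line.startswith("edit "):
            stack[-1][1] = line[len("edit "):].strip().strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
        elif line.startswith("set "):
            parts = line.split(None, 2)
            value = parts[2] if len(parts) > 2 else ""
            # Nested blocks inherit the nearest enclosing edit entry.
            entry = next((e for _, e in reversed(stack) if e), None)
            yield stack[-1][0], entry, parts[1], value


def audit(text):
    """Return (path, entry, key, value, note) for each affected setting."""
    findings = []
    for path, entry, key, value in parse_settings(text):
        if key in BANDWIDTH_KEYS:
            # The notes do not say whether stored values are converted, so
            # report the equivalent figure for manual review.
            if value.isdigit() and int(value) > 0:
                note = ("unit changes from kilo-bytes/sec to kilo-bits/sec; "
                        f"{value} KB/s equals {int(value) * 8} kbit/s")
                findings.append((path, entry, key, value, note))
            continue
        for r_path, r_key, r_value, note in RULES:
            if (r_path in (None, path) and r_key in (None, key)
                    and r_value in (None, value)):
                findings.append((path, entry, key, value, note))
                break
    return findings


if __name__ == "__main__":
    for path, entry, key, value, note in audit(SAMPLE_CONFIG):
        where = f"{path} [{entry}]" if entry else path
        print(f"{where}: {key} {value} -> {note}")
```

Run it against the backup saved under "BEFORE any upgrade" in section 2.1, then compare the flagged settings with the running configuration after the upgrade.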


4 Downgrading to FortiOS v4.0.0

Downgrading to FortiOS v4.0.0 GA (or later) results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Fortinet Product Integration and Support

5.1 FortiManager Support

FortiOS v4.0 MR3 - Patch Release 2 is supported by FortiManager v4.0 MR3.

5.2 FortiAnalyzer Support

FortiOS v4.0 MR3 - Patch Release 2 is supported by FortiAnalyzer v4.0 MR3.

5.3 FortiClient Support

FortiOS v4.0 MR3 - Patch Release 2 is fully compatible with FortiClient v4.0 MR2 Patch 3.

FortiOS v4.0 MR3 - Patch Release 2 is supported by FortiClient v4.0 MR3 for the following:

• 32-bit version of Microsoft Windows XP
• 32-bit version of Microsoft Windows Vista
• 64-bit version of Microsoft Windows Vista
• 32-bit version of Microsoft Windows 7
• 64-bit version of Microsoft Windows 7

5.4 FortiAP Support

FortiOS v4.0 MR3 - Patch Release 2 supports the following FortiAP models:

• FortiAP-210B
• FortiAP-220A
• FortiAP-220B
• FortiAP-222B

The FortiAP devices must be running FortiAP v4.0 MR3 and above.

5.5 Fortinet Single Sign On (FSSO) Support

FortiOS v4.0 MR3 - Patch Release 2 is supported by FSSO v4.3.0 B0108 for the following:

• 32-bit version of Microsoft Windows 2003 R2 Server
• 64-bit version of Microsoft Windows 2003 R2 Server
• 32-bit version of Microsoft Windows 2008 Server
• 64-bit version of Microsoft Windows 2008 Server
• 64-bit version of Microsoft Windows 2008 R2 Server
• Novell E-directory 8.8.

IPv6 currently is not supported by FSSO.

5.6 FortiExplorer Support

FortiOS v4.0 MR3 - Patch Release 2 is supported by FortiExplorer 1.3.1211.

5.7 AV Engine and IPS Engine Support

FortiOS v4.0 MR3 - Patch Release 2 is supported by AV Engine 4.00370 and IPS Engine 1.00238.


5.8 Module Support

FortiOS v4.0 MR3 - Patch Release 2 supports AMC removable modules. These modules are not hot swappable. The FortiGate must be turned off before the module is inserted or removed.

AMC Modules | FortiGate Support
Internal Hard Drive (ASM-S08) | FGT-310B, FGT-620B, FGT-621B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
Internal Hard Drive (FSM-064) | FGT-200B, FGT-311B, FGT-1240B, FGT-3040B, FGT-3140B, FGT-3951B
Single Width 4-port 1Gbps Ethernet interface (ASM-FB4) | FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2) | FGT-3810A, FGT-5001A-DW
Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8) | FGT-3810A, FGT-5001A-DW
Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2) | FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
Single Width 4-port Ethernet bypass interface (ASM-CX4) | FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
AMC Security Processing Engine Module (ASM-CE4) | FGT-1240B, FGT-3810A, FGT-3016B, FGT-5001A-SW
AMC Security Processing Engine Module (ADM-XE2) | FGT-3810A, FGT-5001A-DW
AMC Security Processing Engine Module (ADM-XD4) | FGT-3810A, FGT-5001A-DW
AMC Security Processing Engine Module (ADM-FE8) | FGT-3810A
Rear Transition Module (RTM-XD2) | FGT-5001A-DW
Four Port T1/E1 WAN Security Processing Module (ASM-ET4) | FGT-310B, FGT-311B
Rear Transition Module (RTM-XB2) | FGT-5001A-DW
Fortinet Mezzanine Card (FMC-XG2) | FGT-3950B, FGT-3951B
Fortinet Mezzanine Card (FMC-XD2) | FGT-3950B, FGT-3951B
Fortinet Mezzanine Card (FMC-F20) | FGT-3950B, FGT-3951B
Fortinet Mezzanine Card (FMC-C20) | FGT-3950B, FGT-3951B

5.9 SSL-VPN Support

5.9.1 SSL-VPN Standalone Client

FortiOS v4.0 MR3 - Patch Release 2 supports the SSL-VPN tunnel client standalone installer B2147 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista

The following Operating Systems are supported.

Windows: Windows XP 32-bit SP2, Windows XP 64-bit SP1, Windows Vista 32-bit SP1, Windows Vista 64-bit SP1, Windows 7 32-bit, Windows 7 64-bit
Linux: CentOS 5.2 (2.6.18-el5), Ubuntu 8.0.4 (2.6.24-23)
Mac OS X: Leopard 10.6.3

Virtual Desktop Support: Windows XP 32-bit SP2, Windows Vista 32-bit SP1, Windows 7 32-bit

5.9.2 SSL-VPN Web Mode

The following browsers and operating systems are supported by SSL-VPN web mode.

Operating System | Browser
Windows XP 32-bit SP2 | IE7, IE8, IE9 and FF 3.6
Windows XP 64-bit SP1 | IE7, IE9 and FF 3.6
Windows Vista 32-bit SP1 | IE7, IE8, IE9 and FF 3.6
Windows Vista 64-bit SP1 | IE7, IE9 and FF 3.6
Windows 7 32-bit | IE8, IE9 and FF 3.6
Windows 7 64-bit | IE8, IE9 and FF 3.6
CentOS 5.2 (2.6.18-el5) | FF 1.5 and FF 3.0
Ubuntu 8.0.4 (2.6.24-23) | FF 3.0
Mac OS X Leopard 10.5 | Safari 4.1

5.10 SSL-VPN Host Compatibility List

The following Antivirus and Firewall client software packages are supported.

Windows XP

| Product | Antivirus | Firewall |
|---|---|---|
| Symantec Endpoint Protection v11 | √ | √ |
| Kaspersky Antivirus 2009 | √ | ✗ |
| McAfee Security Center v8.1 | √ | √ |
| Trend Micro Internet Security Pro | √ | √ |
| F-Secure Internet Security 2009 | √ | √ |

Windows 7 (32bit)

| Product | Antivirus | Firewall |
|---|---|---|
| CA Internet Security Suite Plus Software | √ | √ |
| AVG Internet Security 2011 | ✗ | ✗ |
| F-Secure Internet Security 2011 | √ | √ |
| Kaspersky Internet Security 2011 | √ | √ |
| McAfee Internet Security 2011 | √ | √ |
| Norton 360™ Version 4.0 | √ | √ |
| Norton™ Internet Security 2011 | √ | √ |
| Panda Internet Security 2011 | √ | √ |
| Sophos Security Suite | √ | √ |
| Trend Micro Titanium Internet Security | √ | √ |
| ZoneAlarm Security Suite | √ | √ |
| Symantec Endpoint Protection Small Business Edition 12.0 | √ | √ |

Windows 7 (64bit)

| Product | Antivirus | Firewall |
|---|---|---|
| CA Internet Security Suite Plus Software | √ | √ |
| AVG Internet Security 2011 | ✗ | ✗ |
| F-Secure Internet Security 2011 | √ | √ |
| Kaspersky Internet Security 2011 | √ | √ |
| McAfee Internet Security 2011 | √ | √ |
| Norton 360™ Version 4.0 | √ | √ |
| Norton™ Internet Security 2011 | √ | √ |
| Panda Internet Security 2011 | √ | √ |
| Sophos Security Suite | √ | √ |
| Trend Micro Titanium Internet Security | √ | √ |
| ZoneAlarm Security Suite | √ | √ |
| Symantec Endpoint Protection Small Business Edition 12.0 | √ | √ |

5.11 Explicit Web Proxy Browser Support

The following browsers are supported by the Explicit Web Proxy feature.

Supported Browser

Internet Explorer 7

Internet Explorer 8

FireFox 3.x

6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 2

The resolved issues listed below do not include every bug that has been corrected with this release. For inquiries about a particular bug, contact Customer Support.

6.1 Command Line Interface (CLI)

Description: Users might fail to change the type to “fortiguard” under “config system central-management”.
Bug ID: 144293
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.2 Web User Interface

Description: Users might fail to create an SSL VPN portal via the Web UI on FortiOS 4.3.1 and were forced to log out of the Web UI when the “cancel” button was clicked.
Bug ID: 148081, 148126
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: ICAP-related options on the Web UI shall be removed when explicit proxy is enabled in a firewall policy.
Bug ID: 148181
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Spam email statistics were not correctly displayed in the “Log and Archive Statistics” widget.
Bug ID: 147968
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: SSL VPN portal in Asian languages might not be properly displayed.
Bug ID: 149740
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.3 System

Description: NTLM authentication may not work properly with the Safari web browser.
Bug ID: 146835
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: UDP sessions may be dropped unexpectedly when “udp-idle-timer” is set to less than 40 seconds.
Model Affected: FortiGate models that support NP4 interfaces
Bug ID: 146171
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A SIP session may fail to pass through the FortiGate when the session has timed out on the FortiGate side.
Bug ID: 144622
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A FortiGate-initiated PPPoA ADSL connection may be disconnected periodically on FWF-60CX-ADSL-A.
Model Affected: FWF-60CX-ADSL-A
Bug ID: 144571
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Captive portal may not work properly when the VAP interface is a zone-member and auth-secure-http is enabled in config user settings.
Bug ID: 147684
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: The proxyworker process may cause a memory usage spike when the SMTP connection is slow and a large amount of SMTP traffic is being scanned.
Bug ID: 148197
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Changing the configuration while the FortiGate is in conserve mode might cause part of the configuration to be lost.
Bug ID: 148165
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A replacement image might not be shown correctly via SSL VPN.
Bug ID: 148087
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: An IPSec interface might fail to be assigned an IP address when it was bound to a VLAN interface.
Bug ID: 148781
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A PPTP user may fail to connect to a DHCP-enabled interface when the interface is in its renewal period.
Bug ID: 143926
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: IPS packet logs might not be readable after download on 64-bit FortiGate models.
Model Affected: 64-bit FortiGate models
Bug ID: 148797
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A session might stop being properly NATed when authentication was enabled in the firewall policy and the existing gw-detect option was removed on the outgoing interface.
Bug ID: 143265
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: FortiGuard override port settings were lost after reboot.
Bug ID: 151077
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: The proxyworker daemon may spike CPU usage randomly for a while.
Bug ID: 144186
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: FortiGate may send a neighbor solicitation with a source address from the destination interface when replying to an IPv6 ICMP request.
Bug ID: 147314
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: FortiGate may fail to respond to SNMP queries when FortiGate has been running for over 310 days.
Bug ID: 150356
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Users may be able to falsely create new VLAN interfaces in one VDOM when the total number of interfaces has reached the limit.
Bug ID: 147644
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: TCP traffic may fail to be offloaded when the asymroute option is enabled in “config system settings” or the anti-replay option is disabled in “config system global”.
Model Affected: FortiGate models that support NPU interfaces
Bug ID: 148662
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.4 High Availability

Description: IPv6 routes on the master were mistakenly synced to the slave's IPv4 routing table.
Bug ID: 146338
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.5 Router

Description: The routing table may not be updated correctly when redundant IPSec tunnels are configured on a cold backup interface.
Bug ID: 148186
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: The BGP routing daemon may crash on the slave in an HA cluster, or on the new master when failover happens, which can prevent BGP peers from being established.
Bug ID: 149965
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: The graceful restart process might not work properly when HA failover happened on a peer and the reset-sessionless-tcp option is enabled.
Bug ID: 151148
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.6 Firewall

Description: FortiGate might send multiple queries to an authentication server when a user belonged to multiple groups that matched in an identity-based firewall policy and the wrong credentials were used.
Bug ID: 138745
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Users may experience slow connections when using Java applets to access a virtual server that is mapped to an Oracle server.
Bug ID: 149232
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Unexpected duplicate address members were added when a firewall address group was created.
Bug ID: 146059
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: VoIP Profile option was unexpectedly disappeared file was used and message was oversized than regular MTU.
Bug ID: 150107
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A nested firewall address group failed to work properly when web proxy was enabled in a firewall policy.
Bug ID: 146617
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.7 IPS

Description: A customized DoS sensor failed to match specific traffic properly.
Bug ID: 150049
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.8 Web Filter

Description: Web Filter might not be able to block a website when HTTP pipelining requests were sent.
Bug ID: 137194
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: The character “~” was not supported in Local Rating settings under UTM Web Filter.
Bug ID: 149132
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.9 Web Proxy

Description: A user might fail to proceed to a warning web site when an NTLM/FSSO firewall policy with explicit proxy enabled was matched.
Bug ID: 146838
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.10 Antispam

Description: An email without CRLF after the header and body may not be scanned properly by the Antispam Filter.
Bug ID: 148195
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.11 Data Leak Prevention

Description: Multiple fixes for DLP bugs.
Bug ID: 146159, 144124, 143425, 149519
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.12 Voice Over IP (VoIP)

Description: An SCCP client might not work properly when a VoIP profile was used and messages were larger than the regular MTU.
Bug ID: 149115
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.13 VPN

Description: An IPSec VPN client may fail to connect to FortiGate when a PKCS7 certificate issued by a sub-CA is used.
Bug ID: 141841
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: An iPhone user may fail to connect to FortiGate when two types of IPSec tunnels are configured on the FortiGate simultaneously and FortiGate is running FOS 4.3.
Bug ID: 145190
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: An IPSec tunnel that binds to an interface without a static IP might not fail over to the backup IPSec tunnel properly.
Bug ID: 146458
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: An SSL VPN user may fail to be authenticated correctly by a RADIUS server when multiple SSL VPN firewall policies were configured.
Bug ID: 144193
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A PPTP VPN tunnel may fail to be established when the CBCP packet arrived before the CHAP success packet.
Bug ID: 146305
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A password renewal web page may fail to be displayed via the SSL VPN Web Portal.
Bug ID: 138304
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: ICMP requests may not work with IPv6 SSL VPN web mode.
Bug ID: 142748
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A user may fail to reconnect to the SSL VPN portal after the VPN idle timeout expired and the browser was closed.
Bug ID: 143100
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A web page might not be displayed correctly via SSL VPN web mode when Shockwave Flash content is included in the page.
Bug ID: 150271
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Access to Ajax web applications was not supported via SSL VPN web mode.
Bug ID: 142771
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A file larger than 1.3G may fail to be downloaded via SSL VPN web mode.
Bug ID: 143762
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A client certificate may not be requested a second time by FortiGate when a PKI user tried to log in to the SSL VPN portal again.
Bug ID: 147541
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A Windows 7 client may fail to establish SSL VPN when Cipher Strengthen is set to “high” in the firewall policy.
Bug ID: 150403
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.14 WAN Optimization

Description: A FortiGate may fail to establish a connection with Citrix Branch Repeater.
Bug ID: 142523, 144003
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Enabling the Web Cache option may cause access to specific web sites to fail.
Bug ID: 150587
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.15 Log & Report

Description: Improvements to the Report function.
Bug ID: 144921, 146245, 148868, 148949, 149283, 149284, 149287, 149433, 149595, 150523, 150631
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A web site that belongs to a warning category was not logged properly in Web Filter logs.
Bug ID: 144708
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: A chart in a report may not display correctly after refresh on FortiGate 64-bit models.
Model Affected: FortiGate 64-bit models
Bug ID: 149212
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: The Service number field in the SSL VPN Web Mode traffic log was not logged correctly.
Bug ID: 146500
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Emails encoded with Big 5 might not be displayed correctly under Content Archive.
Bug ID: 129950
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Incorrect values were displayed via the Web UI and CLI console when the value is over 2G.
Bug ID: 148420
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.16 Wi-Fi

Description: Enabling the Rogue AP On-Wire Scan option might cause WiFi connections to be dropped randomly.
Bug ID: 133936
Status: Fixed in v4.0 MR3 - Patch Release 2.

6.17 GTP&Dynamic Profile

Description: Dynamic Profile failed to work properly when the inspect all option was turned on.
Bug ID: 149308
Status: Fixed in v4.0 MR3 - Patch Release 2.

Description: Multiple fixes for GTP bugs.
Bug ID: 148003, 148488, 148987, 148988, 148989
Status: Fixed in v4.0 MR3 - Patch Release 2.

7 Known Issues in FortiOS v4.0 MR3

This section lists the known issues of this release, but is NOT a complete list. For inquiries about a particular bug not listed here, contact Customer Support.

7.1 System

Description: All settings on the web page under system->Admin->Settings on the Web UI were reset when FortiGate was registered to FortiManager or when FortiGate was unregistered from FortiManager.
Bug ID: 153007
Status: To be fixed in a future release.

7.2 WAN Optimization

Description: The wad daemon kept crashing when the SSL option is enabled and a client tried to access a server using HTTPS.
Bug ID: 151100
Workaround: Disable the SSL option in the WAN optimization configuration if HTTPS has to be used to access the server from the client.
Status: To be fixed in a future release.

7.3 Log & Report

Description: System performance cannot be preserved when a log query is running against a large database.
Bug ID: 151084
Status: To be fixed in a future release.

7.4 WiFi

Description: Express-card modem "Novatel Merlin X950D" cannot be detected.
Model Affected: FWF-60CM
Bug ID: 152926
Status: To be fixed in a future release.

Description: AES and TKIP cannot be active at the same time on FWF-80CM and FWF-81CM.
Model Affected: FWF-80CM, FWF-81CM
Bug ID: 152526
Status: To be fixed in a future release.

8 Image Checksums

The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After logging in, click on the "Firmware Images Checksum Code" link in the left frame.

(End of Release Notes.)
