FortiOS v5.2.0 (Beta 4) Release Notes (Build 564)
April 30, 2014
01-520-234298-20140430
Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and
FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other
Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All
other product or company names may be trademarks of their respective owners. Performance
and other metrics contained herein were attained in internal lab tests under ideal conditions,
and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents
any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or
implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will
perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be
binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the
same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants,
representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves
the right to change, modify, transfer, or otherwise revise this publication without notice, and the
most current version of the publication shall be applicable.
Technical Documentation docs.fortinet.com
Fortinet Video Library video.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
Table of Contents
Change Log....................................................................................................... 5
New Features in FortiOS v5.2.0 (Beta 4)......................................................... 6
FortiView usability improvements ............................................................................ 6
IPSec VPN ............................................................................................................... 6
Virtual WAN link load balancing and link monitoring ............................................... 7
Authentication.......................................................................................................... 7
Endpoint Control...................................................................................................... 7
Firewall..................................................................................................................... 8
VoIP.......................................................................................................................... 8
FortiOS Carrier ......................................................................................................... 8
Logging & Reporting ................................................................................................ 9
Tablesize ................................................................................................................ 10
Application Control ................................................................................................ 10
Misc ....................................................................................................................... 11
Web Filtering.......................................................................................................... 11
Wireless ................................................................................................................. 12
New Features in FortiOS v5.2.0 (Beta 3)................................................................ 13
New Features in FortiOS v5.2.0 (Beta 2)................................................................ 18
New Features in FortiOS v5.2.0 (Beta 1)................................................................ 20
Supported Models .......................................................................................... 26
FortiGate ................................................................................................................ 26
FortiWiFi................................................................................................................. 26
FortiGate VM.......................................................................................................... 26
FortiSwitch............................................................................................................. 26
Product Integration and Support .................................................................. 27
Web browser support ............................................................................................ 27
FortiManager and FortiAnalyzer support ............................................................... 27
FortiClient support (Windows, Mac OS X, iOS and Android)................................. 27
FortiAP support...................................................................................................... 28
FortiSwitch support ............................................................................................... 28
FortiController support........................................................................................... 28
Virtualization software support .............................................................................. 28
Fortinet Single Sign-On (FSSO) support................................................................ 29
FortiExplorer support (Microsoft Windows, Mac OS X and iOS)........................... 29
FortiExtender support ............................................................................................ 29
AV Engine and IPS Engine support ....................................................................... 29
Page 3
Language support.................................................................................................. 29
Module support...................................................................................................... 30
SSL VPN support................................................................................................... 31
Explicit web proxy browser support ...................................................................... 33
Resolved Issues.............................................................................................. 34
Resolved issues from FortiOS v5.2.0 (Beta 3) ....................................................... 34
Other resolved issues in FortiOS v5.2.0 (Beta 4) ................................................... 34
Known Issues.................................................................................................. 36
Known issues with FortiOS v5.2.0 (Beta 4)............................................................ 36
Known issues from FortiOS v5.2.0 (Beta 3) ........................................................... 36
Known issues from FortiOS v5.2.0 (Beta 2) ........................................................... 36
Known issues from FortiOS v5.2.0 (Beta 1) ........................................................... 36
Appendix A: About FortiGate VMs ................................................................ 38
FortiGate VM model information............................................................................ 38
FortiGate VM firmware........................................................................................... 38
Citrix XenServer limitations.................................................................................... 39
Open Source Xen limitations ................................................................................. 39
Table of Contents Page 4 FortiOS v5.2.0 (Beta 4) Release Notes
Change Log
April 30, 2014
• Removed GUI instructions and a CLI command from the description of application control
information gathering improvements in “Application Control” on page 10.
• Added FEX-100A and corrected the build number in the section “FortiExtender support” on
page 29.
April 29, 2014
• Initial release.
New Features in FortiOS v5.2.0 (Beta 4)
This section describes new features in FortiOS v5.2.0 (Beta 4) build 564. Each feature
description includes a bug number from Fortinet’s internal bug tracking system.
• FortiView usability improvements
• IPSec VPN
• Virtual WAN link load balancing and link monitoring
• Authentication
• Endpoint Control
• Firewall
• VoIP
• FortiOS Carrier
• Logging & Reporting
• Tablesize
• Application Control
• Misc
• Web Filtering
• Wireless
• New Features in FortiOS v5.2.0 (Beta 3)
• New Features in FortiOS v5.2.0 (Beta 2)
• New Features in FortiOS v5.2.0 (Beta 1)
FortiView usability improvements
• A number of improvements to FortiView usability and functionality. You will notice changes
throughout the FortiView GUI pages. (237570, 236537, 236834, 239168, 237914, 238539,
237405)
IPSec VPN
• Prioritized DH group configuration/negotiation. (234056)
In FOS 5.2, the default DH group has changed from 5 to 14, to provide sufficient protection
for stronger cipher suites that include AES and SHA2. Because of this change, both IKEv1
and IKEv2 now allow up to 3 DH groups to be configured in the phase 1 and phase 2
settings, while preserving the ordering since the initiator always begins by using the first
group in the list. The default DH group in the configuration has been updated to include
group 14 and 5, in that order. You can add and remove other groups and the order they
appear in the configuration is the order in which they are negotiated.
The IKEv1 protocol does not natively provide for DH group negotiation in Aggressive Mode
and Quick Mode. As a result, when multiple DH groups are used with IKEv1 Aggressive
Mode or Quick Mode, delays in tunnel establishment can occur and so it is recommended to
continue to configure matching DH groups on both peers whenever possible.
Virtual WAN link load balancing and link monitoring
• New measured volume (measured bandwidth usage distribution) method for virtual WAN link
load balancing. (235214)
A new virtual WAN link load balancing option that balances traffic between the interface
members of the virtual WAN link so that all of the interfaces get the same volume of traffic.
You can also add a volume ratio for each WAN link. The higher the volume ratio the higher
the amount of traffic sent to that link.
• Allow multiple source and destination addresses and address ranges for services in virtual
WAN link load balancing. (234106, 233357)
• Link Health Monitor added to System > Monitor > Link Monitor. (235801, 235801, 233916,
233602)
This feature displays status of all virtual WAN link ports as well as the number of sessions,
bandwidth, and link quality for each port in the virtual WAN link.
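As an added illustration (not Fortinet's code or algorithm), the following Python model shows how a measured-volume distribution with per-link volume ratios can place sessions so that byte volumes converge to the configured ratios. The selection rule (send each new session to the member furthest below its ratio-weighted share), the member names wan1/wan2 and the session sizes are assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class WanMember:
    """One interface member of the virtual WAN link (constructed model)."""
    name: str
    volume_ratio: int = 1   # higher ratio -> larger share of the measured volume
    bytes_sent: int = 0     # measured volume so far


class VolumeBalancer:
    """Assumed measured-volume algorithm: each new session goes to the member
    that is furthest below its ratio-weighted share, so the byte volumes
    converge to the configured ratios over time."""

    def __init__(self, members):
        if not members or any(m.volume_ratio <= 0 for m in members):
            raise ValueError("every member needs a positive volume ratio")
        self.members = list(members)

    def select(self):
        # bytes_sent / volume_ratio is the ratio-normalised volume; lowest wins,
        # ties go to the member listed first
        return min(self.members, key=lambda m: m.bytes_sent / m.volume_ratio)

    def place_session(self, session_bytes):
        member = self.select()
        member.bytes_sent += session_bytes
        return member.name

    def shares(self):
        total = sum(m.bytes_sent for m in self.members) or 1
        return {m.name: round(m.bytes_sent / total, 3) for m in self.members}


def run_demo(sessions=400, seed=1):
    """Constructed workload: wan1 (ratio 3) should end up carrying about 75%
    of the bytes and wan2 (ratio 1) about 25%."""
    balancer = VolumeBalancer([WanMember("wan1", volume_ratio=3),
                               WanMember("wan2", volume_ratio=1)])
    rng = random.Random(seed)
    for _ in range(sessions):
        balancer.place_session(rng.randint(100, 10_000))
    return balancer.shares()


if __name__ == "__main__":
    print(run_demo())
```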
Authentication
• Improved the efficiency of how user authentication with multiple groups is processed by
FortiOS. (218909)
The following command can be used to test authentication of a user account with
multiple authentication servers.
diagnose test authserver user <username> <password> <group1> <group2>...
Endpoint Control
• Endpoint license changes. (231328)
New Endpoint licenses are now available in FortiOS 5.2. Information about the status of the
current license can be found in the FortiClient section of the License Information widget.
The following licenses will be available:
• Desktop models and FortiGate-VM00: 200 clients
• 1U models, FortiGate-VM01 and FortiGate-VM02: 2,000 clients
• 2U models and FortiGate-VM04: 8,000 clients
• 3U models, FortiGate-ATCA, and FortiGate-VM08: 20,000 clients
Because the new licenses are for one year, the activation method has changed. New
licenses are purchased similarly to a FortiGuard service, with no further registration of the
license required. The device can then be registered with the FortiGate unit.
If the device does not have access to the Internet, you can download the license key from the
support site and manually upload it to your FortiGate. The license will be for that specific
device and will have a license expiry date.
While the older licenses from FortiOS 5.0 will still be supported, they will have the following
limitations:
• The On-net/Off-net feature will not be supported.
• Logging options will only appear in the CLI.
• FortiAnalyzer Support for logging and reporting will be limited.
• You will not be able to enter any v5.0 license keys.
Firewall
• Simplifying and optimizing NAC-quarantine (First phase, more changes in future FortiOS
versions). (232211,126666,137528)
In the first phase of simplifying NAC quarantine, all ban types have been removed except
IPv4 or IPv6 source IP address. In addition, NAC quarantine features are now handled by the
kernel, so the config user ban command has been removed.
For DLP sensors the only NAC quarantine option is quarantine-ip to quarantine all traffic
from the IP address.
For antivirus profiles the only NAC quarantine option is quar-src-ip to quarantine all
traffic from the source IP.
For IPS sensors, the only NAC quarantine option is attacker to block attacker's IP.
For IPv4 DoS-policies, the only NAC quarantine option is attacker to block attacker's IP.
For IPv6 DoS-policies, the only NAC quarantine option is attacker to block attacker's IP.
VoIP
• Change default SIP behavior to proxy VoIP ALG. (237213)
Previous versions of FortiOS used the SIP session helper for all SIP sessions. You had to
remove the SIP session helper from the configuration for SIP traffic to use the SIP ALG.
Now, by default, all SIP traffic is processed by the SIP ALG. You can change the default
setting using the following command:
config system settings
  set default-voip-alg-mode {proxy-based | kernel-helper-based}
end
The default is proxy-based which means the SIP ALG is used. If set to
kernel-helper-based the SIP session helper is used.
If a SIP session is accepted by a firewall policy with a VoIP profile, the session is processed
using the SIP ALG even if default-voip-alg-mode is set to kernel-helper-based.
If a SIP session is accepted by a firewall policy that does not include a VoIP profile:
• If default-voip-alg-mode is set to proxy-based SIP traffic is processed by the SIP
ALG using the default VoIP profile.
• If default-voip-alg-mode is set to kernel-helper-based, SIP traffic is processed
by the SIP session helper. If the SIP session helper has been removed, then no SIP
processing takes place.
FortiOS Carrier
• Add support for per-stream rate limiting of GTP traffic and the ability to apply rate limiting
separately for GTPv0 and GTPv1. (236999,183334)
In addition FortiOS Carrier now indicates the GTP version in rate limiting log messages and
writes a rate limiting warning log message when a packet exceeds the rate limiting
threshold.
config firewall gtp
  edit my-gtp-profile
    set rate-limit-mode {per-profile | per-stream}
    set warning-threshold {0 - 99}
    config {message-rate-limit-v0 | message-rate-limit-v1 | message-rate-limit-v2}
      set create-pdp-request <rate-limit>
      set delete-pdp-request <rate-limit>
      set echo-request <rate-limit>
    end
end
• New GTPv0 and GTPv1 per APN rate limiting. (227151)
This requirement is intended to fulfill the business model of M2M (mobile 2 mobile) providers
who leverage cellular wireless networks to provide tailored data services to a non-telco
organization. For example, vending machines for a soft drink company can send inventory
data and receive advertising updates via cellular data.
Since M2M providers cross multiple wireless carriers and have multiple customers, they deploy
unique Access Point Names (APNs) per customer. Unfortunately they do not have a very large
address space, so they are forced to overload many APNs on a single IP address.
The problem occurs when there is a network issue that takes some customers offline (for a
variety of reasons) and the affected cellular devices don't behave "well" resulting in a flood
of APN negotiations that may affect other customers on the same IP address.
This enhancement extends the current GTP rate limiting capability to examine the APN in the
pdp-create-context field and optionally apply rate limiting based on the associated
profile.
You can use the following CLI command to set rate limits per APN:
config firewall gtp-profile
  ...
  set rate-limit-mode per-apn
  config per-apn-shaper
    edit entry1
      set apn <APN-name>
      set version <version>
      set rate-limit <limit>
    end
end
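As an added example (not FortiOS code), the Python model below shows the effect of the per-stream options and the per-APN shaper described above: requests are limited per (APN, GTP version) key, so a flood on one customer's APN does not affect another APN sharing the same IP address, and a warning log is written when usage reaches warning-threshold percent of the limit. The one-second sliding window, the unit of rate-limit (requests per second), the "0 disables the warning" reading of the threshold, the APN name and the log line format are assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class ApnShaper:
    """One per-apn-shaper entry: apn, GTP version and the allowed rate."""
    apn: str
    version: int       # 0 or 1, matched against the GTP header version
    rate_limit: int    # assumed unit: create-PDP-context requests per second


class PerApnRateLimiter:
    """Assumed semantics: a one-second sliding window per (APN, version);
    warning_threshold is the percentage of the limit at which a warning log
    is written, before requests are actually dropped (0 = no warnings)."""

    def __init__(self, shapers, warning_threshold=80):
        if not 0 <= warning_threshold <= 99:
            raise ValueError("warning-threshold must be 0-99")
        self._shapers = {(s.apn, s.version): s for s in shapers}
        self._threshold = warning_threshold
        self._windows = {}   # (apn, version) -> deque of request timestamps
        self.logs = []       # constructed log lines, in order of emission

    def handle_create_pdp_request(self, apn, version, now):
        """Return 'forward' or 'drop' for a create-PDP-context request at time now."""
        key = (apn, version)
        shaper = self._shapers.get(key)
        if shaper is None:
            return "forward"          # no shaper for this APN/version: not limited
        window = self._windows.setdefault(key, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()          # expire requests older than one second
        if len(window) >= shaper.rate_limit:
            self.logs.append(f"gtp-v{version} apn={apn} action=drop "
                             f"reason=rate-limit limit={shaper.rate_limit}")
            return "drop"
        window.append(now)
        used_pct = 100 * len(window) // shaper.rate_limit
        if self._threshold and used_pct >= self._threshold:
            self.logs.append(f"gtp-v{version} apn={apn} action=warning usage={used_pct}%")
        return "forward"


def run_burst():
    """Constructed burst: 12 GTPv1 create requests for one APN within half a
    second (limit 10/s), then one GTPv0 request for the same APN (no shaper)
    and one more GTPv1 request a full second after the burst started."""
    limiter = PerApnRateLimiter([ApnShaper("vending.example", 1, 10)])
    v1 = [limiter.handle_create_pdp_request("vending.example", 1, i * 0.04)
          for i in range(12)]
    v0 = limiter.handle_create_pdp_request("vending.example", 0, 0.5)
    later = limiter.handle_create_pdp_request("vending.example", 1, 1.0)
    return v1, v0, later, limiter.logs


if __name__ == "__main__":
    for line in run_burst()[3]:
        print(line)
```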
Logging & Reporting
• FortiOS now writes separate log messages for local in deny actions for unicast traffic and
local in deny actions for multicast traffic. (231272)
The previous local-in-deny log function has been split into two functions:
local-in-deny-unicast and local-in-deny-broadcast.
• When a FortiOS component crashes, FortiOS now generates an event log message with
information about the crash, similar to a shortened crash log. (238137)
• New command to enable reports. Using this command you can also choose whether to
include sniffer log messages in Report results. (224804)
Use the following command to enable producing a report that uses both sniffer logs and
forward traffic logs:
config report setting
  set status enable
  set report-source sniffer-traffic forward-traffic
end
Tablesize
• The number of object tags has been increased and the number is managed by the tablesize
system.object-tag. (234899)
The actual numbers for each model will appear in the FortiOS 5.2 Max Values Table.
Application Control
• Application Control Usability Improvements and 5-Point-Risk Rating. (224969, 233847,
238980)
The following changes have been made to improve usability in the web-based manager:
• Application sensors and filters pages are now created on a single page, found at Security
Profiles > Application Control.
• A drop-down menu appears when you right-click on a category, allowing the action for
that category to be changed.
• Filter criteria, such as popularity, technology, and risk, have been removed.
• New application sensors can only be created by category and application.
A new rating system is used for all pages related to application control, including the
application list, the application filters list, traffic logs, the FortiView Applications dashboard,
and the FortiView All Sessions dashboard. The rating system is as follows (risk level,
description, examples):
• Critical: Applications that are used to conceal activity to evade detection. (Tor, SpyBoss)
• High: Applications that can cause data leakage, or are prone to vulnerabilities or
downloading malware. (Remote Desktop, File Sharing, P2P)
• Medium: Applications that can be misused. (VoIP, Instant Messaging, File Storage, WebEx,
Gmail)
• Elevated: Applications that are used for personal communications or can lower productivity.
(Gaming, Facebook, YouTube)
• Low: Business related applications or other harmless applications. (Windows Updates)
• Application control information gathering improvements. (240161)
Application control can now extract the following information and record it in application
control and traffic log messages:
• Information about user logins and file transfers for cloud applications.
• Video names for many popular video streaming including YouTube, NetFlix, Vevo,
Dailymotion, Veoh, Hulu, Vube, Metacafe, LiveLeak, Break, and Ustream.
• The following new fields have been added to both the application control log and to
traffic logs: clouduser, cloudaction, filename, and filesize.
A new custom IPS and application control signature option, --deep_ctrl, has been
added.
The following new diagnose commands have also been added:
• diagnose ips debug dac info
• diagnose ips debug dac clear
• diagnose ips debug enable dac
Misc
• By default the vulnerability scanner is not displayed on the GUI. (239815)
To add the vulnerability scanner go to System > Config > Features and turn on this feature.
• Hardware-switch interface Switch Port Analyzer (SPAN) feature. (234051)
The Switch Port Analyzer (SPAN) feature is now available for hardware switch interfaces on
FortiGate models with built-in hardware switches (for example, the FortiGate-100D, 140D,
and 200D etc.). The SPAN feature (also called port mirroring) allows you to send a copy of
the packets received or sent by one interface to another. So, for example, you could send all
traffic received by the WAN interface to another interface and connect a sniffer to that other
interface to monitor the traffic on the WAN interface.
To enable SPAN on a hardware switch, go to System > Network > Interfaces and edit a
hardware switch interface. By default the system may have a hardware switch interface
called lan. You can also create a new hardware switch interface.
Select the SPAN checkbox. Select a source port from which traffic will be mirrored. Select
the destination port to which the mirrored traffic is sent. Select to mirror traffic received,
traffic sent, or both.
You can also use the following CLI command to enable SPAN on the lan hardware switch
and mirror traffic received by port6 to port10:
config system virtual-switch
  edit lan
    set span enable
    set span-source-port port6
    set span-dest-port port10
    set span-direction Rx
  end
end
Web Filtering
• Web Filter - HTTP Referrer Field Check/Verify (236709)
You can now add a referrer to URL filters. If a referrer is specified, the hostname in the
Referer field of the HTTP request is compared against it for any entry that contains the
matching URL. If the referrer matches, then the specified action is performed by the proxy.
The referrer can also be set in the web-based manager, but only if advanced web filter
features have been enabled using the following command:
config system global
  set gui-webfilter-advanced enable
end
After this command is used, a new column will be created in Security Profiles > Web Filter >
Static URL Filter to set the referrer.
The command set referrer-host has been added to the CLI. The CLI has also changed so
that URL filters are now identified by their IDs, and the URL values can be set under each
entry.
config webfilter urlfilter
  edit <ID>
    config entries
      edit 1
        set url <url>
        set referrer-host <url>
        set type {simple | regex | wildcard}
        set action {block | allow | monitor | exempt}
        set status {enable | disable}
      end
end
• Restrict access to Google Corporate Accounts only. (235247)
A new option has been added to web filtering to restrict Google access to Google's corporate
accounts. This allows you to block access to some Google accounts and services while
allowing access to corporate Google accounts.
To use this option, go to Security Profiles > Web Filter and select Restrict to Corporate
Google Accounts Only under Proxy Options. You can then add the appropriate Google
domains that will be allowed.
If you wish to configure these options in the CLI, you must have the URL filter refer to a
web-proxy profile that uses the Modifying HTTP Request Headers feature described below.
This command is only visible when the action is set to either allow or monitor.
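As an added example (not FortiOS code), the following Python model of the static URL filter entries above shows how the referrer-host condition narrows a match: the entry's action applies only when both the request URL and the hostname of the Referer header match. The matching rules for the simple, wildcard and regex types, the first-match ordering, the "None means no entry applied" result and the constructed filter list are assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UrlFilterEntry:
    """One 'config entries' item of a webfilter urlfilter (constructed model)."""
    url: str
    type: str = "simple"          # simple | regex | wildcard
    action: str = "block"         # block | allow | monitor | exempt
    status: str = "enable"
    referrer_host: str = ""       # empty: no referrer condition


def _url_matches(entry, request_url):
    # Compare host plus path without the scheme (assumption); 'simple' is an
    # exact match or a path-prefix match below the configured URL.
    target = urlsplit(request_url)
    hostpath = (target.hostname or "") + target.path
    if entry.type == "simple":
        return hostpath == entry.url or hostpath.startswith(entry.url.rstrip("/") + "/")
    if entry.type == "wildcard":
        return fnmatch.fnmatchcase(hostpath, entry.url)
    if entry.type == "regex":
        return re.search(entry.url, hostpath) is not None
    raise ValueError(f"unknown entry type {entry.type!r}")


def _referrer_matches(entry, headers):
    if not entry.referrer_host:
        return True                       # no referrer-host set: URL match is enough
    referer = headers.get("referer")
    if not referer:
        return False                      # condition set but request carries no Referer
    return (urlsplit(referer).hostname or "").lower() == entry.referrer_host.lower()


def evaluate(entries, request_url, headers):
    """Return the action of the first enabled entry whose URL and referrer-host
    both match, or None when no entry applies (assumed first-match ordering)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for entry in entries:
        if entry.status != "enable":
            continue
        if _url_matches(entry, request_url) and _referrer_matches(entry, lowered):
            return entry.action
    return None


# Constructed filter: block downloads from example.com only when the request was
# referred from ads.example.net; monitor a regex-matched tracker path; a disabled
# wildcard entry that must never fire.
FILTER = [
    UrlFilterEntry("example.com/download", referrer_host="ads.example.net"),
    UrlFilterEntry(r"^track\.example\.org/pixel", type="regex", action="monitor"),
    UrlFilterEntry("*.example.com/internal/*", type="wildcard", action="exempt",
                   status="disable"),
]
```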
Wireless
• Radius Accounting for WiFi. (232224)
RADIUS accounting is now supported for wireless networks, allowing RADIUS accounting
messages to be sent that contain a wireless user's name and IP address.
If an accounting server has been enabled for RADIUS, the wireless client information will be
sent to it.
• Captive Portal (235329, 237512, 234510, 234508, 232671, 238009, 237996, 237751,
237576, 234569, 238478, 238008, 237734, 237476, 237742)
New Configuration Options
The following options can now be configured for captive portals that use wireless interfaces:
• Security exempt list name: security-exempt-list <name>
• URL redirection after disclaimer/authentication: security-redirect-url <url>
• Captive portal type: portal-type {auth | email-collect}
WPA Personal Security + Captive Portal
A new option has also been added that uses WPA Personal security as well as a captive
portal. This option also allows groups to be imported from the policy.
• Wireless Captive Portal Updates. (239746, 239143, 239790, 239836)
New Features in FortiOS v5.2.0 (Beta 3)
FortiView
• New FortiView pages: Web Sites and Threats. (235514)
Web Sites displays a chart showing the most commonly visited websites. You can drill down
to view details about each access to each site.
Threats lists the most commonly received threats and the users who either sent or received
them.
Antivirus
• Flow-based virus scanning displays a virus found message. (228916)
Flow-based virus scanning can usually display a virus found message in the user’s web
browser when an infected file is found:
• The message can be displayed immediately if the infected file fits into one server
response packet
• If the infected file is larger than one server response packet, the URL of the virus found
message is put into a cache and the block page is displayed the next time this URL is
accessed. In this case the user’s browser will appear to hang and if they refresh their
browser the virus found message is displayed.
Firewall
• Captive Portal updates: (234289).
When configuring a captive portal you can select a user group or set it to use the user
groups added to the firewall policy that accepted the user connection.
Standard authentication replacement messages are now also used for captive portals.
New WiFi interface captive-portal options:
config wireless-controller vap
  edit "wifi"
    set security captive-portal
    set security-exempt-list "exempt_list_01"
    set security-redirect-url "http://www.fortinet.com"
    set portal-type {auth | email-collect}
end
Use the exempt list to list MAC addresses and IP addresses that are exempt from
authenticating with the captive portal.
• Support certificate replacement in SSL/SSH inspection profiles that use SSL
certificate-inspection mode. (232850)
When SSL certificate-inspection mode is chosen in an SSL/SSH Inspection profile and a web
page is blocked, FortiOS uses a replacement message to display a web page indicating
that the page was blocked. The FortiGate now uses the CA currently in use for that session
for the SSL handshake before displaying the replacement message page. Previously, FortiOS
used a pre-defined certificate for the replacement message, which would result in a browser
warning message.
• Select the certificate used by the FortiGate authentication system for HTTPS authentication.
(233020)
You can now select the CA certificate that the authentication system uses when asking a
user to authenticate using HTTPS. Use the following command to select the CA certificate to
use. It can be any CA certificate loaded into the FortiGate configuration. You can only
specify one certificate and it is used for all HTTPS authentication requests:
config user setting
  set auth-ca-cert <certificate-name>
end
• Server load balancing virtual IP support for replacing the X-Forwarded-For header with a
new header with a user-configurable name. (230831)
By default, if http-ip-header is enabled in a virtual-server configuration then as HTTP(S)
traffic flows through a virtual server FortiOS either adds an X-Forwarded-For header with the
client's original IP address or updates any existing X-Forwarded-For header with the client's
IP address. Some servers want the client's original IP address but do not want to use
X-Forwarded-For and instead want a configurable name to be used. The new attribute
http-ip-header-name allows this name to be defined.
If defined, any existing X-Forwarded-For header is removed and a new header with the
given name is added containing the client IP address.
config firewall vip
  set type server-load-balance
  set http-ip-header-name <header-name>
Consider a simple virtual server:
config firewall vip
  edit ssl
    set type server-load-balance
    set server-type https
By default it has an http-ip-header option which is disabled:
set ?
...
http-multiplex        Enable/disable multiplex HTTP requests/responses over a single TCP connection.
http-ip-header        Add an additional HTTP header containing client's original IP address
outlook-web-access    Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server.
...
If enabled:
set http-ip-header enable
then the http-ip-header-name option is visible:
set ?
...
http-multiplex        Enable/disable multiplex HTTP requests/responses over a single TCP connection.
http-ip-header        Add an additional HTTP header containing client's original IP address
http-ip-header-name   Name of HTTP header containing client's IP address, if empty X-Forwarded-For is used.
outlook-web-access    Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server.
...
By default it is empty and X-Forwarded-For will be used:
get
...
srcintf-filter      :
http-ip-header      : enable
http-ip-header-name :
monitor             :
...
If a new value is defined:
set http-ip-header-name X-Billing-Address
get
...
http-ip-header      : enable
http-ip-header-name : X-Billing-Address
monitor             :
color               : 0
...
then that will be used instead of X-Forwarded-For.
• Support modifying HTTP request headers in proxy. (235247)
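As an added example (not FortiOS code), the Python function below models the http-ip-header and http-ip-header-name behaviour of the virtual server described above on a raw HTTP/1.1 request head, including the case where the client itself sent an X-Forwarded-For header. That FortiOS appends the client IP to an existing X-Forwarded-For chain in the default mode, the header name X-Billing-Address (taken from the CLI output above) and the constructed request and addresses are assumptions.

```python
def rewrite_client_ip_header(raw_request: bytes, client_ip: str,
                             http_ip_header: bool = True,
                             http_ip_header_name: str = "") -> bytes:
    """Apply the virtual-server client IP header logic to one request.

    http_ip_header disabled  -> request passes through untouched
    name empty               -> X-Forwarded-For is added, or an existing one is
                                updated by appending the client IP (assumption)
    name set                 -> every X-Forwarded-For header is removed and a
                                header with that name carries the client IP only
    """
    if not http_ip_header:
        return raw_request
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]

    kept, existing_xff = [], []
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            existing_xff.append(value.strip())     # client-supplied, untrusted
        else:
            kept.append(line)

    ip = client_ip.encode("ascii")
    if http_ip_header_name:
        # Custom name: the backend only ever sees the value the virtual server
        # inserted, never a client-supplied X-Forwarded-For.
        new_header = http_ip_header_name.encode("ascii") + b": " + ip
    else:
        chain = b", ".join(existing_xff + [ip]) if existing_xff else ip
        new_header = b"X-Forwarded-For: " + chain
    return b"\r\n".join([request_line, *kept, new_header]) + (sep or b"\r\n\r\n") + body


def get_header(raw_request: bytes, name: str):
    """Return a header value as str, or None; used to inspect the result."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        hname, _, value = line.partition(b":")
        if hname.strip().lower() == name.lower().encode("ascii"):
            return value.strip().decode("ascii")
    return None


# Constructed request: the client has sent its own X-Forwarded-For header.
REQUEST = (b"GET /account HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"X-Forwarded-For: 203.0.113.9\r\n"
           b"User-Agent: test\r\n\r\n")
CLIENT_IP = "198.51.100.7"   # constructed address of the connecting client

if __name__ == "__main__":
    print(rewrite_client_ip_header(REQUEST, CLIENT_IP).decode())
    print(rewrite_client_ip_header(REQUEST, CLIENT_IP,
                                   http_ip_header_name="X-Billing-Address").decode())
```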
FortiCarrier
• Improvements to GTP logging to make searching GTP sessions easier and more accurate.
(221888, 222684, 232058)
• Three new CLI commands are added to GTP profile for gtpu logging.
gtpu-forwarded-log and gtpu-denied-log control whether to record a log entry for
forwarded and dropped packets or not, respectively. gtpu-log-freq controls the log
frequency for gtpu packets. The log frequency value is per number of packets. For example
set gtpu-log-freq 10 means the FortiGate unit should record a log entry for every 10
packets.
IPsec
• Allow more control over adding routes to dialup (dynamic) IPsec VPN configurations.
(231749)
You can enable add-route in any dialup (dynamic) policy-based or interface-based phase
1 configuration. This option functions the same way the add-route option used for dynamic
interface-based phase 1’s with mode-cfg enabled. This option adds a route to the FortiGate
unit’s routing information base when the dynamic tunnel is negotiated. You can use the
distance and priority options to set the distance and priority of this route. If this results
in a route with the lowest distance it is added to the FortiGate unit’s forwarding information
base.
You can also enable add-route in any policy-based or interface-based phase 2
configuration that is associated with a dialup (dynamic) phase 1. In the phase 2, add-route
can be enabled, disabled or set to use the same route as the phase 1.
• Allow multiple interfaces for IKE/IPsec VPN policies. (230415)
You can add multiple incoming and outgoing interfaces to policy-based IPsec VPN firewall
policies (Action set to IPsec).
• Allow IKE authentication against group in policy. (231690)
You can add Source Users to policy-based IPsec VPN firewall policies (Action set to IPsec).
If no users or user groups are added to the Phase 1, the Source Users in the policy can
authenticate with the IPsec VPN.
Logging & Reporting
• Improvements to reporting. (233366, 233181, 232327)
The report available on the FortiGate unit (under Log & Report > Report) has been improved
with better threat related charts and application and bandwidth related charts.
Routing
• BGP neighbor groups. (237029)
This feature allows a large number of neighbors to be configured automatically based on a
range of neighbors' source addresses.
Start by adding a BGP neighbor group:
config router bgp
    config neighbor-group
        edit <neighbor-group-name>
            set remote-as 100
            ...
        end
end
(All options for BGP neighbor are supported except password.)
Then add a BGP neighbor range:
config router bgp
    config neighbor-range
        edit 1
            set prefix 192.168.1.0/24
            set max-neighbor-num 100
            set neighbor-group <neighbor-group-name>
        end
end
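The admission logic this configuration implies, as an added Python example (not FortiOS code): a peer is accepted only if its source address falls inside a configured neighbor-range prefix, it presents the remote-as of the linked neighbor-group, and that range has not yet reached max-neighbor-num. The most-specific-prefix ordering between overlapping ranges and the remote-as check on the dynamic peer are assumptions of this model, and the group and prefix values are constructed for the example.

```python
"""Model of BGP dynamic-neighbor admission by source-address range.

Added example, not FortiOS code. It mirrors the behaviour described for
config neighbor-range: a peer whose source address lies inside a configured
prefix inherits the settings of the linked neighbor-group, and each range
admits at most max-neighbor-num peers. The most-specific-prefix ordering
and the remote-as check are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NeighborGroup:
    name: str
    remote_as: int                  # AS number dynamic peers must present


@dataclass
class NeighborRange:
    prefix: ipaddress.IPv4Network
    max_neighbor_num: int
    group: NeighborGroup
    active: set = field(default_factory=set)   # peers currently admitted


def build_ranges(spec):
    """spec: list of (prefix, max_neighbor_num, NeighborGroup)."""
    ranges = [NeighborRange(ipaddress.ip_network(p), n, g) for p, n, g in spec]
    # Most specific prefix first, so an overlapping /28 beats a /24 (assumption).
    ranges.sort(key=lambda r: r.prefix.prefixlen, reverse=True)
    return ranges


def admit_peer(ranges, peer_ip, peer_as):
    """Return the NeighborGroup a session is bound to, or None if it is refused."""
    ip = ipaddress.ip_address(peer_ip)
    for r in ranges:
        if ip not in r.prefix:
            continue
        if peer_as != r.group.remote_as:
            return None                          # wrong AS for this group
        if ip in r.active:
            return r.group                       # re-open of an already admitted peer
        if len(r.active) >= r.max_neighbor_num:
            return None                          # range is full
        r.active.add(ip)
        return r.group
    return None                                  # no configured range covers this source


def release_peer(ranges, peer_ip):
    """Free the slot when the session closes so another peer may use it."""
    ip = ipaddress.ip_address(peer_ip)
    for r in ranges:
        r.active.discard(ip)
```

The cap matters operationally: without max-neighbor-num, any host inside the prefix could open sessions until the router's session table is exhausted, so size the prefix to the peers you expect and keep the limit close to that count.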
System
• Select a custom language for an SSL VPN web portal and for the Guest Management page
for administrators who can only provision guest accounts. (227415)
To enable custom language support:
config system global
    set gui-custom-language enable
end
Go to System > Admin > Administrators and add an administrator. When you select Restrict
to Provision Guest Accounts you can also select the language that appears on the Guest
Management GUI page for that administrator.
Go to VPN > SSL > Portals to add an SSL VPN portal. When configuring the portal you can
select the language that appears on the portal.
FortiOS comes with a number of languages that you can apply to an SSL VPN portal and the
Guest Management GUI page. You can also add your own language by going to System >
Config > Advanced > Language and uploading a new language template. Here you can also
view and download a sample language template that you can use to create your own
custom language file.
• Support configuring DHCP advanced options in the GUI. (228329)
When editing the DHCP configuration on an interface you can select Advanced to configure
the following:
• Set the interface to DHCP relay mode
• Send an NTP server IP address to DHCP clients
• Set the time zone of the DHCP client
• Set advanced DHCP options such as Host Name (DHCP option 12) and Boot File Size (DHCP
option 13). You can select an option from the list or enter the DHCP option number
directly.
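What those option numbers become on the wire, as an added Python example (not FortiOS code): a minimal RFC 2132 option encoder and a bounds-checked decoder covering option 12 (Host Name), option 13 (Boot File Size) and option 42 (NTP Servers, the "Send an NTP server IP address" setting above), with the length checks a receiver needs so that a malformed option block is rejected rather than over-read. The hostname, block count and server address are constructed sample values.

```python
"""RFC 2132 DHCP option block: encoder and a bounds-checked decoder.

Added example, not FortiOS code. It shows what the advanced options above
become on the wire: each option is code (1 octet), length (1 octet), value,
and the block is closed with END (255). Option 42 (NTP Servers) is the
setting referred to as "Send an NTP server IP address to DHCP clients".
Sample values are constructed for the example.
"""
import ipaddress
import struct

OPT_PAD = 0
OPT_HOSTNAME = 12        # Host Name: string
OPT_BOOTFILE_SIZE = 13   # Boot File Size: 16-bit count of 512-octet blocks
OPT_NTP_SERVERS = 42     # NTP Servers: one or more IPv4 addresses
OPT_END = 255


def encode_options(options):
    """options: {code: value_bytes} in the order they should appear."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < code < 255:
            raise ValueError("option code must be 1..254")
        if len(value) > 255:
            raise ValueError(f"option {code}: value longer than 255 octets")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse a TLV option block; skips PAD, stops at END, refuses to over-read."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: length octet missing")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: claims {length} octets, {len(value)} present")
        opts[code] = value
        i += 2 + length
    raise ValueError("option block has no END marker")


def hostname(name):
    return name.encode("ascii")


def bootfile_size(blocks):
    return struct.pack("!H", blocks)


def ntp_servers(*addresses):
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
```

The length check in decode_options is the part worth copying: a DHCP client that trusts the length octet of an attacker-supplied offer reads past the end of the packet, which is how many historic DHCP client bugs started.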
• FortiGate units support the Novatel U679 (Bell) LTE modem. (225531)
• GUI support for hardware switch features. (233756)
You can manually allocate VLANs on virtual switch interfaces from the GUI. To enable this
feature, enter the following CLI command:
config system global
    set virtual-switch-vlan enable
end
Then from the GUI go to System > Network > Interfaces > Create New. Set the Type to VLAN
Switch, set a VLAN ID, and add switch ports as Physical Interface Members. To be able to
add switch ports you must first remove them from the lan interface.
• Enable taking an aggregate interface down if a configured number of physical interfaces in
the aggregate are not connected. (229624)
config system interface
    edit agg-int
        set type aggregate
        set min-links 3
        set min-links-down {operational | administrative}
    end
Where min-links is the minimum number of member links that must be up for the aggregate
interface to stay up (the aggregate goes down when fewer than min-links members are up), and
min-links-down specifies whether the aggregate is set to operationally down or
administratively down when that happens.
• License widget updates and registration wizard replacement. (233166, 235855, 235853)
• Change factory default values for FortiClient on-net status and FortiClient access. (237035)
Webfilter
• When FortiGuard Web Filtering displays authentication and override pages you can
configure the FortiGate unit to send the pages using HTTPS instead of HTTP. Because these
pages prompt the user for credentials, serving them over plain HTTP exposes those
credentials to anyone able to observe the traffic. This is a FortiGuard web filtering
configuration set once for FortiGuard. (187272, 231380)
The following new options are available:
config webfilter fortiguard
    set ovrd-auth-https {disable | enable} (Web Filtering override)
    set warn-auth-https {disable | enable} (Web Filtering authentication)
end
Wireless
• Support split tunneling for FortiAPs. Split tunneling optimizes WiFi traffic flow by
keeping local traffic off the WiFi controller; local traffic is handled by the FortiAP
unit instead. With split tunneling, a remote user associates with a single SSID, not multiple
SSIDs, to reach both corporate resources (for example, a mail server) and local resources (for
example, a local printer). The remote AP examines ACLs to distinguish corporate traffic
destined for the controller from local traffic. Traffic that matches the AP ACL rules is
switched locally, and NAT changes the client's source IP address to the AP's interface IP
address, which is routable at the local site/network. The remaining packets are centrally
switched over the data tunnel. (234937)
Enable split tunneling for an SSID by editing the SSID (go to Wireless > WiFi Network > SSID)
and selecting Split Tunneling. You must also add Split Tunneling Subnets to FortiAP profiles
or to managed FortiAPs. The split tunneling subnets are the local traffic subnets and would
usually match the subnet connected to the FortiAP. Locally switched traffic never reaches the
FortiGate unit, so it is not subject to the security policies applied to the SSID; limit the split
tunneling subnets to the local networks that genuinely need direct access.
• FortiAP CLI Console Access (230588)
If login-enable is enabled in a FortiAP configuration, from the FortiOS Managed FortiAPs
page you can log into the FortiAP’s CLI.
New Features in FortiOS v5.2.0 (Beta 2)
FortiOS Carrier
• Add support for tunnel create/modify/delete across GTP version 1 & 2 (226037)
• GTP Logging Improvements (229210, 229562)
IPsec VPN
• Add support for IKE mode config to use a remote DHCP server to assign the client IP
address. (177415)
Logging & Report
• 5-Point-Risk Rating for Applications (229368)
Routing
• Allow ECMP to use both source and destination addresses. (230398)
• Added support for BGP conditional advertisement. (228722)
SSL VPN
• SSLVPN Updates (225885, 231869)
Device Visibility
• Extended device visibility to detect devices based on traffic that does not flow through the
FortiGate but which the FortiGate does see. This includes: (219483)
• Traffic that hits an interface with “set ips-sniffer-mode enable”
• Broadcast and multicast traffic
Firewall
• Preserve Class of Service (CoS) Bits (216290)
• Support UUID for VIP/VIP6/VIP46/VIP64/VIPGRP/VIPGRP6/VIPGRP46/VIPGRP64. (224622)
• Link Load Balance (LLB) -- Link quality based distribution. (228868)
• Add Source-IP, Destination-IP, and Username to the replacement messages. (176238)
• WLAN External Web authentication support (195254)
• Add more information to block page for flow-based web filtering (227974)
• SSL Inspection - server certificate upload (proxy) (193400)
HA
• RFC 6311 IKE Message ID synchronization support allows IKEv2 peers to resynchronize their
send and receive message ID counters after an HA failover. (212653)
• HA for DHCP/PPPoE. (227196)
• HA override wait-time causes the cluster to wait the configured time before renegotiating
after a unit joins the cluster when override is enabled. (232111)
config system ha
    set override-wait-time <time>
end
IPS
• Generate sniffer log. (224702)
• IPS Packet Capture Improvements. (113088, 230501, 165013, 195280, 230530, 230469,
230486, 229211)
System
• Add DHCP Server ‘on-net’ property. (227770)
• Add support for LLDP transmission. (224654)
• Implementing Link monitor (223683)
• Scheduled FDN upgrade flexibility (208394)
• SNMP trap & alert message for USB modem unplugged (228450)
GUI (web-based manager) usability changes
• Interface list improvements. (178943, 228616)
• DHCP related GUI improvements. (221932)
• LDAP query inside ID policy. (193045)
• IPv6 address range support on GUI. (182243)
• FortiView Updates (228044, 230777, 228071, 227052, 227600, 227844)
• Move explicit proxy policy to a separate table (232684)
• Per VDOM CPU and memory usage widget (220121)
• System Resource Widget Updates (197167, 221055, 218711, 228286)
• Link Health Check GUI support. (230051, 232611, 226034, 225744, 226366, 233602)
• The FortiClient Vulnerability Scan module is enabled in the FortiClient Profile from the CLI. To
enable Vulnerability Scan, enter the following CLI commands:
config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-vuln-scan {enable | disable}
            set forticlient-vuln-scan-schedule {daily | weekly | monthly}
            set forticlient-vuln-scan-on-registration {enable | disable}
            set forticlient-ui-options {av | wf | af | vpn | vs}
        end
    end
When setting the forticlient-ui-options, you must include all the modules that you want to
enable in the FortiClient console.
WAN Opt and Web Proxy
• Adding URL address type for explicit proxy (currently CLI only) (229215)
Web Filtering
• Add more information to block page replacement message for flow-based web filtering.
(227974)
• WCF/AS communications to FortiManager/FortiGuard using TCP port 80. (215828)
Wireless
• Add 802.11ac support on FOS side (228410, 222567)
• AP management Reorganization. (194194)
User Authentication
• External captive portal - redirect (233315)
New Features in FortiOS v5.2.0 (Beta 1)
FortiOS version numbering changes
• FortiOS firmware version numbering scheme now uses vMajor.minor.patch (label). For
example, this release is v5.2.0 (Beta 4) using the new numbering scheme. (225622)
Dashboard and monitoring improvements (FortiView)
• New FortiView-style dashboard widgets. FortiView combines realtime and historical data in a
single set of dashboard widgets. (227156)
• IPsec and SSL VPN Configuration and monitoring Improvements. (148967)
Antivirus
• Antivirus Profile GUI page improvements. (224928)
• Improved flow-based virus scanning catch rate. Flow-based virus scanning uses a new
mode, called full mode. Full mode's virus catch rate is as good as proxy-based virus scanning
but with flow-based performance and latency. (216541)
Application Control and IPS
• One-arm sniffer virus scanning now uses a more effective virus scanning engine to improve
virus scanning catch rates and performance. (219507)
• GUI support for configuring rate-based IPS signatures. In any IPS sensor you can turn on a
selected list of rate-based signatures and adjust their Threshold, Duration, Track by setting,
Action and Block duration. In previous versions of FortiOS you had to either accept default
values for these settings or you had to adjust them from the CLI. (220056)
• Inline SSL inspection and support for application control of applications that use the SPDY
protocol. Inline SSL inspection supports flow based UTM features only. If using only
Flow-based features, then SSL inspection is also handled by IPS engine so it can leverage
hardware acceleration or benefit from the processing techniques to boost performance.
(222100)
• New replacement messages for Application Control of HTTP-based applications. (224924)
• Extend the functionality of XLP processors to accelerate IPv6 DoS policies. XLP processors
accelerate IPS on FortiGate models such as the FortiGate-5101C. (211082)
User and Device Authentication
• Configuring user and device authentication in firewall policies has been changed. To
configure authentication add users, user groups or device types to a firewall policy. (223766,
22470, 205414, 210791, 191152)
• Support using POP3/POP3S servers for remote server user authentication. Users can
authenticate using any normal authentication method supported by the FortiGate unit. The
FortiGate unit looks up their credentials on a POP3/POP3S server (instead of a remote LDAP
or RADIUS server). (197354)
• New option to limit the maximum number accounts per guest user portal. (214067)
• RADIUS single sign-on (RSSO) support for IPv6 identity-based policies. (213217)
• RSSO guest user group. Similar to FSSO guest user group. (179915)
• Improve device groups by adding a new printer category and allowing device groups to
reference device categories. (215319)
Endpoint Control
• FortiOS now supports syncing FortiClient registration information between FortiGate units
and VMs running 32-bit and 64-bit versions of FortiOS. Some older FortiGate units run 32-bit
FortiOS. Most new ones and all VMs run 64-bit FortiOS. (197228)
• Turning off the FortiClient Configuration Deployment AntiVirus Protection option disables all
FortiClient antivirus functions on endpoints with FortiClient, including scheduled virus scans
and right-clicking on a file to scan it for viruses. (209419)
• On the FortiGate unit you can create URL filter lists that optionally include wildcards and
regular expressions and use endpoint control to implement them on endpoints with
FortiClient. (191397)
• Improvements to pushing FortiGuard Web Filtering Category settings to endpoints with
FortiClient. (226615)
Firewall
• Dynamic destination NAT using DNS queries. New dns-translation VIP type. The VIP
includes a mapped address range. For any session, the address that is mapped to is
retrieved using a DNS lookup. (190690)
• TCP maximum segment size (MSS) clamping for IPv6 security policies. New policy6
options tcp-mss-sender and tcp-mss-receiver. (223959)
• New options to exempt traffic from SSL deep inspection. You can create exemptions for
FortiGuard categories and for IPv4 and IPv6 firewall addresses and address groups.
(215182)
• Improvements to how the Fortinet bar refreshes after a successful web page logout.
(225558)
• Generate new unique default SSL inspection CA and server certificates the first time they are
required. Previous versions of FortiOS all shipped with the same default CA and server
certificates, so the corresponding private keys were common to every unit. With this feature
they are unique on each FortiGate unit. There are some exceptions; for example, in an HA
cluster all FortiGate units need the same CA and server certificates. You can also change them
as required for load balancing and other configurations. (181441)
Existing customers will not be affected by this change. FortiOS will not change the current
defaults on upgrade, but you can use the commands below to generate new ones. Clients that
were configured to trust the old shared CA must import the newly generated CA certificate,
otherwise deep inspection produces certificate warnings for them.
The following command re-generates the default SSL inspection CA certificate.
execute vpn certificate local generate default-ssl-ca
The following command re-generates the default SSL inspection server certificate.
execute vpn certificate local generate default-ssl-serv-key
• Socks proxy UDP support. (225260)
HA
• New diagnose sys ha set-as-master {disable | enable} command. Set to
enable on a cluster unit that you always want to be the primary unit (master). If you set the
command to disable you can include a date and time on which the disable option takes
effect. (212075)
• HA now supports sending log messages and doing SNMP management from the HA
reserved management interface. (186613)
• Support VRRP groups. Include all relevant VRRP IDs and track the VRRP status to force all
the VRRP group members to keep the same state. In this way if one group member changes
state (for example, to BACKUP), all the other members in the same VRRP group will also
change their state to BACKUP. (215454)
IPsec VPN
• New full function IPsec VPN wizard and other improvements to IPsec VPN configuration
web-based manager pages. The new wizard allows you to add all IPsec VPN configuration
objects from the wizard. No need to add IPsec VPN firewall policies. The wizard supports
interface-based IPsec VPN. (132055, 225947)
The following pages have been completely re-written:
• VPN Wizard including read-only tunnel templates (new)
• VPN gateway dialog/auto dialog (merged into vpn edit dialog)
• VPN IPsec Tunnels list page
• IPsec VPN phase 2 quick mode selector source and destination addresses can now be IPv6
firewall addresses and address groups. (133206)
• Add support for EAP authentication for IKEv2 IPsec VPNs. (208939)
• Support RSA certificate groups in IPsec VPN IKE phase 1 configurations. (190522)
• Implemented 3 new authentication methods for IKE as described by RFC 4754: ECDSA-256,
ECDSA-384, ECDSA-521. IKEv1 support requires both sides of the exchange to use the
same auth method. IKEv2 allows them to differ. (206110)
• Add support to IPsec VPN phase1s when IKE mode-cfg is enabled to allow multiple server
IPs to be defined and sent to the client if the client requests attribute 28681. (166524)
• IKEv2 Cookie Notification to prevent state and CPU exhaustion. See RFC 5996, Section 2.6,
IKE SA SPIs and Cookies. When the FortiGate unit detects that the number of half-open
IKEv2 SAs is above the threshold value, to preserve CPU and memory resources, the IPsec
VPN dialup server requires all future SA_INIT requests to include a valid cookie notification
payload that the server sends back. (222918)
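The cookie exchange described above, as an added Python example (not FortiOS code): a responder that creates no state for IKE_SA_INIT requests once its half-open count reaches the threshold, answers instead with a cookie bound to the initiator's nonce, source address and SPI, and accepts a retry only if the cookie verifies. RFC 5996 suggests the layout <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>); using HMAC-SHA256 as the keyed hash, truncating to 16 octets and keeping two secret versions live are this example's choices, and the threshold, addresses and SPI values are constructed.

```python
"""Stateless IKEv2 cookie gate for IKE_SA_INIT (RFC 5996, section 2.6).

Added example, not FortiOS code. The cookie is
    version || HMAC-SHA256(secret[version], Ni || IPi || SPIi)[:16]
following the RFC's suggested layout <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
HMAC as the keyed hash, the 16-octet truncation and retaining two secret
versions are this example's choices.
"""
import hashlib
import hmac
import os


class IkeV2Responder:
    def __init__(self, threshold, secret=None):
        self.threshold = threshold          # half-open SAs that switch cookies on
        self.half_open = 0                  # SAs past IKE_SA_INIT but not yet IKE_AUTH
        self.version = 0
        self.secrets = {0: secret or os.urandom(32)}

    def rotate_secret(self):
        """Start a new secret; cookies from the previous version stay valid for one rotation."""
        prev = self.version
        self.version = (prev + 1) % 256
        self.secrets = {self.version: os.urandom(32), prev: self.secrets[prev]}

    def _cookie(self, version, src_ip, spi_i, nonce_i):
        msg = nonce_i + src_ip.encode("ascii") + spi_i
        mac = hmac.new(self.secrets[version], msg, hashlib.sha256).digest()
        return bytes([version]) + mac[:16]

    def handle_sa_init(self, src_ip, spi_i, nonce_i, cookie=b""):
        """Return ("accept", None), ("cookie", <COOKIE payload>) or ("reject", None)."""
        if self.half_open >= self.threshold:
            if not cookie:
                # Under load: no state is allocated, the initiator must retry with this cookie.
                return ("cookie", self._cookie(self.version, src_ip, spi_i, nonce_i))
            version = cookie[0]
            if version not in self.secrets:
                return ("reject", None)           # secret already retired
            expected = self._cookie(version, src_ip, spi_i, nonce_i)
            if not hmac.compare_digest(cookie, expected):
                return ("reject", None)           # forged, or replayed from another source
        self.half_open += 1                       # state is created only past this point
        return ("accept", None)

    def sa_finished(self):
        """IKE_AUTH completed or the half-open SA expired: release its slot."""
        self.half_open = max(0, self.half_open - 1)
```

The protection comes from binding the cookie to the source address: an attacker flooding IKE_SA_INIT from spoofed addresses never receives the cookies the responder sends back to those addresses, so none of its requests get past the gate and no half-open SA is allocated for them.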
Logging & Reporting
• Add log messages for Certification Revocation List (CRL) checking. The FortiGate unit
automatically updates CRL data according to the validation time stored in the CRL and the
configured update-interval, whichever comes first. If the update succeeds, log message
41987 is recorded. If the update fails, log message 41989 is recorded. (176611)
• Disable disk logging for FortiGate-3000 and 5000 series models. (227952)
Routing
• Support of OSPF fast hello. (210964)
• IPv6 Reverse Path Forwarding (RPF) checking. Check source address type and route to the
source address from the incoming interface. If the source address type is invalid or there is
no route to the source address from the incoming interface in the IPv6 routing table, or when
strict-src-check is set and the route is not the best, the packet will be dropped.
(201427)
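The two RPF modes described above, as an added Python example (not FortiOS code): a small IPv6 routing table with longest-prefix lookup, the loose check (some route to the source points at the incoming interface), the strict check (the best route to the source must point at the incoming interface) and the source-address type check. best_route() breaks ties between equal prefixes by lowest distance, the same rule the add-route feature above relies on when deciding whether a dialup route enters the forwarding table. Interface names and prefixes are constructed for the example.

```python
"""IPv6 Reverse Path Forwarding check, loose and strict.

Added example, not FortiOS code. A packet passes the loose check if some route to
its source address points at the interface it arrived on; it passes the strict
check only if the best such route does. Sources that can never legitimately
originate a packet (unspecified, loopback, multicast) fail regardless of the table.
The table below is constructed for the example.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix interface distance")

# Constructed routing table: the /64 via port2 is more specific than the /48 via
# port1, and 2001:db8:2::/48 is reachable via two interfaces at different distances.
TABLE = [
    Route(ipaddress.IPv6Network("2001:db8:1::/48"), "port1", 10),
    Route(ipaddress.IPv6Network("2001:db8:1::/64"), "port2", 10),
    Route(ipaddress.IPv6Network("2001:db8:2::/48"), "port3", 10),
    Route(ipaddress.IPv6Network("2001:db8:2::/48"), "port4", 20),
    Route(ipaddress.IPv6Network("::/0"), "wan1", 10),
]


def best_route(table, addr):
    """Longest prefix wins; equal prefixes are broken by lowest distance."""
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))


def rpf_check(table, src, ingress, strict=False):
    """Return (accepted, reason) for a packet from src arriving on ingress."""
    addr = ipaddress.IPv6Address(src)
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return False, "invalid source address type"
    if strict:
        best = best_route(table, addr)
        if best is None:
            return False, "no route to source"
        if best.interface != ingress:
            return False, f"best route to source is via {best.interface}"
        return True, "best route to source is via ingress"
    if any(addr in r.prefix and r.interface == ingress for r in table):
        return True, "a route to source exists via ingress"
    return False, "no route to source via ingress"
```

Note the asymmetric-routing consequence the example makes visible: with two routes to 2001:db8:2::/48, traffic arriving on the higher-distance port4 passes loose RPF but fails strict RPF, so enable strict-src-check only where return paths are symmetric.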
SSL VPN
• Add replacement messages for SSL VPN host security check. (217743)
• SSL VPN configuration has been changed. SSL VPNs are configured by creating an SSL
VPN interface that includes all SSL VPN settings. Once the interface has been created you
add it to security policies just like any other interface. (205414)
System
• Add IPv6 Geographic IP address database. Correct country flags now appear in reports and
other displays for data about IPv6 addresses. (212135)
• ECDSA certificate support. FortiGate units can import and generate ECDSA certificates.
ECDSA certificates can be used for SSL VPN and HTTPS GUI access. (197950)
• Support Netflow V9.0. (167405)
• Object UUID (RFC 4122) support. Add a UUID attribute to some firewall objects so that log
messages can contain these UUIDs; which are used by FortiManager and FortiAnalyzer.
SHA-1 will be used for hash calculation. (212946)
• Configure ignoring the DF bit and fragmenting IPv4 traffic. (166479)
• Add FortiExtender support to FortiOS. (218132)
• Add FortiGate Traffic Priority (TOS/DSCP) feature. (214151)
• PPPOE support of RFC2516 service and AC name. (213945)
• Increase the maximum number of available VIPs. (217943)
• SNMPv3 AES 256bit support. (166488)
• Add Class of Service (CoS) Support (216290)
• Add min-links support to interface aggregation. (187533)
• Add one option to disable login-time feature. (215274)
• New option added to Administrator Profiles to allow or block access to packet capture
options. (213943)
• Enable autocomplete in the Replacement Message editor. (168804)
WAN Optimization and Explicit Web Proxy
• Move explicit proxy and WAN Optimization policies to a separate configuration path.
(226395)
In Beta 1 you cannot configure WAN Optimization or explicit web proxy policies from the GUI
(web-based manager). GUI support should be added in time for GA. Instead you must use
the following CLI command:
config firewall explicit-proxy-policy
    edit 0
        set proxy {web | ftp | wanopt}
        etc...
• Added support for authentication IP-blackout for the explicit web proxy. (205706)
• Transparent web proxy. Also called reflect IP or true IP. When enabled, web proxy packets
exiting the FortiGate unit have their source IP address set to the original client source IP
address instead of the IP address of the exiting FortiGate interface. Enable this feature in a
web proxy firewall policy by entering set transparent enable. (209731)
• Support policy based profile to add/remove HTTP headers. (206173)
• To improve explicit web proxy performance, FortiOS now distributes explicit web proxy
processing to multiple CPU cores. By default web proxy traffic is handled by half of the CPU
cores in a FortiGate unit. So if your FortiGate unit has 4 CPU cores, by default two of them
can be used for explicit web proxy traffic. You can use the following command to increase or
decrease the number of CPU cores that are used. (138794)
config system global
    set wad-worker-count <number>
end
Where <number> is from 1 to the total number of CPU cores in your FortiGate unit.
GUI (web-based manager) usability changes
• Simplification of Firewall Objects and Security Profiles menu structures. (219151, 157554)
• Use a more sophisticated API for displaying names (for example, application names) in
FortiOS. (204942)
• Cloning, which creates a copy of an existing configuration object, is now available for
more configuration objects. (221971)
• Add the ability to drag objects such as addresses, schedules and profiles between policies
on the policy list. (217610)
• Banned User List improvements. (219310)
• Improve Web-based manager field validation. Also, when an incorrect value is added to a
page retain validated settings instead of requiring them all to be re-added. (191487)
• Add a Search Box on IPS profile and Application List web-based manager pages. (226434)
• Added the ability to display CPU usage, memory usage and new session per second for
each VDOM. The information appears on the VDOM list page. You can use the following
command to get this information from the CLI: diagnose system vd stats (220121)
Web Filtering
• Improvements to HTTPS Web Filtering (without Deep Inspection). (214079)
• New default SSL inspection profile certificate-inspection: Only the SSL handshake is
inspected for the purpose of web filtering. The https-url-scan option is removed from the
webfilter profile. In an SSL inspection profile the SSL inspect-all option and the https status
option now have three states: {disable | certificate-inspection | deep-inspection}. The status
option for the other protocols now uses deep-inspection instead of enabled.
Wifi
• Add WiFi FortiAP spectrum analysis graphs. (217437)
• Wireless Extensions for Spectrum Analysis. (208870)
Supported Models
The following models are supported by FortiOS v5.2.0 (Beta 4) build 564.
FortiGate
FG-20C, FG-20C-ADSL-A, FG-30D, FG-40C, FG-60C, FG-60C-POE, FG-60D, FG-70D,
FG-80C, FG-80CM, FG-90D, FG-90D-POE, FG-100D, FG-110C, FG-111C, FG-140D,
FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-240D,
FG-280D-POE, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-600C, FG-620B,
FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B,
FG-3240C, FG-3600C, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B, FG-5001C,
and FG-5101C.
FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-40C, FWF-60C, FWF-60CM,
FWF-60CX-ADSL-A, FWF-60D, FWF-80CM, FWF-81CM, FWF-90D, and FWF-90D-POE.
FortiGate VM
FG-VM32, FG-VM64, FG-VM64-XEN, FG-VM64-KVM, and FG-VM64-HV
FortiSwitch
FS-5203B
Product Integration and Support
Web browser support
FortiOS v5.2.0 (Beta 4) build 564 supports the latest versions of the following web browsers:
• Microsoft Internet Explorer version 10, 11
• Mozilla Firefox version 28
• Google Chrome version 33
• Apple Safari version 7
Other web browsers may function correctly, but are not supported by Fortinet.
FortiManager and FortiAnalyzer support
See the FortiManager and FortiAnalyzer Release Notes.
FortiClient support (Windows, Mac OS X, iOS and Android)
FortiOS v5.2.0 (Beta 4) is supported by the following FortiClient software versions:
• FortiClient (Windows) v5.2.0 (Beta 2)
• Windows 8.1 (32-bit and 64-bit)
• Windows 8 (32-bit and 64-bit)
• Windows 7 (32-bit and 64-bit)
• Windows Vista (32-bit and 64-bit)
• Windows XP (32-bit)
• FortiClient (Mac OS X) v5.2.0 (Beta 2)
• Mac OS X v10.9 Mavericks
• Mac OS X v10.8 Mountain Lion
• Mac OS X v10.7 Lion
• Mac OS X v10.6 Snow Leopard
• FortiClient (iOS) v5.0.2.
• FortiClient (Android) v5.2.0.
FortiAP support
FortiOS v5.2.0 (Beta 4) supports the following FortiAP models:
FAP-11C, FAP-14C, FAP-28C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-221C,
FAP-222B, FAP-223B, FAP-320B, and FAP-320C
The FortiAP device must be running FortiAP v5.0 Patch Release 7 build 0064 or later.
FortiSwitch support
FortiOS v5.2.0 (Beta 4) supports the following FortiSwitch models:
FS-28C, FS-324B-POE, FS-348B, and FS-448B
The FortiSwitch device must be running FortiSwitchOS v2.0 Patch Release 3 build 0018 or later.
FortiOS v5.2.0 (Beta 4) supports the following FortiSwitch-5000 series models:
FS-5003B, FS-5003A
The FortiSwitch-5000 device must be running FortiSwitchOS v5.0 Patch Release 3 build 0020
or later.
FortiController support
FortiOS v5.2.0 (Beta 4) supports the following FortiController models:
FCTL-5103B
The FCTL-5103B is supported by the FG-5001B and FG-5001C. The FortiController device
must be running FortiSwitch-5000 OS v5.0 Patch Release 3 build 0020 or later.
Virtualization software support
FortiOS v5.2.0 (Beta 4) supports the following virtualization software:
• VMware ESX versions 4.0 and 4.1
• VMware ESXi versions 4.0, 4.1, 5.0, 5.1 and 5.5
• Citrix XenServer versions 5.6 Service Pack 2 and 6.0 or later
• Open Source Xen versions 3.4.3 and 4.1 or later
• Microsoft Hyper-V Server 2008 R2 and 2012
• KVM - CentOS 6.4 (qemu 0.12.1) or later
See “About FortiGate VMs” on page 38 for more information.
FAP-221C and FAP-320C
These models are released on a special branch based off of FAP v5.0 Patch Release 6. The
branch point reads 060. The FAP-221C firmware has build number 4049. The FAP-320C
firmware has build number 4050.
Fortinet Single Sign-On (FSSO) support
FortiOS v5.2.0 (Beta 4) is supported by FSSO v4.0 MR3 B0153 for the following operating
systems:
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2012 Standard Edition
• Microsoft Windows Server 2008 R2 64-bit
• Microsoft Windows Server 2008 (32-bit and 64-bit)
• Microsoft Windows Server 2003 R2 (32-bit and 64-bit)
• Novell eDirectory 8.8
FSSO does not currently support IPv6.
Other server environments may function correctly, but are not supported by Fortinet.
FortiExplorer support (Microsoft Windows, Mac OS X and iOS)
FortiOS v5.2.0 (Beta 4) is supported by FortiExplorer v2.4 build 1068 or later. See the
FortiExplorer v2.3 build 1052 Release Notes for more information.
FortiOS v5.2.0 (Beta 4) is supported by FortiExplorer (iOS) v1.0.4 build 0118 or later. See the
FortiExplorer (iOS) v1.0.4 build 0118 Release Notes for more information.
The FortiGate-70D has not been fully tested with this version of FortiExplorer.
FortiExtender support
FortiOS v5.2.0 (Beta 4) is supported by FortiExtender models FEX-20B, FEX-100A, and
FEX-100B running FEX v1.0 build 019.
AV Engine and IPS Engine support
FortiOS v5.2.0 (Beta 4) is supported by AV Engine v5.146 and IPS Engine v3.030.
Language support
The following table lists FortiOS language support information.
Table 1: FortiOS language support
Language                 Web-based Manager    Documentation
English                  supported            supported
French                   supported            -
Portuguese (Brazil)      supported            -
Spanish (Spain)          supported            -
Korean                   supported            -
Chinese (Simplified)     supported            -
Chinese (Traditional)    supported            -
Japanese                 supported            -
To change the FortiGate language setting, go to System > Admin > Settings, in View Settings >
Language select the desired language from the drop-down menu.
Module support
FortiOS v5.2.0 (Beta 4) supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card
(FMC), Rear Transition Module (RTM), and Fortinet Storage Module (FSM) removable modules.
These modules are not hot swappable. The FortiGate unit must be turned off before a module is
inserted or removed.
Table 2: Supported modules and FortiGate models
AMC/FMC/FSM/RTM Module                                                    FortiGate Model
Storage Module, 500GB HDD Single-Width AMC (ASM-S08)                      FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, FG-5001A
Storage Module, 64GB SSD Fortinet Storage Module (FSM-064)                FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Accelerated Interface Module, 4xSFP Single-Width AMC (ASM-FB4)            FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Accelerated Interface Module, 2x10-GbE XFP Double-Width AMC (ADM-XB2)     FG-3810A, FG-5001A
Accelerated Interface Module, 8xSFP Double-Width AMC (ADM-FB8)            FG-3810A, FG-5001A
Bypass Module, 2x1000 Base-SX Single-Width AMC (ASM-FX2)                  FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Bypass Module, 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4)            FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Security Processing Module, 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4)  FG-1240B, FG-3810A, FG-3016B, FG-5001A
Security Processing Module, 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2)   FG-3810A, FG-5001A
Security Processing Module, 4x10-GbE SFP+ Double-Width AMC (ADM-XD4)      FG-3810A, FG-5001A
Security Processing Module, 8xSFP SP2 Double-Width AMC (ADM-FE8)          FG-3810A
Rear Transition Module, 10-GbE backplane fabric (RTM-XD2)                 FG-5001A
Security Processing Module (ASM-ET4)                                      FG-310B, FG-311B
Rear Transition Module, 10-GbE backplane fabric (RTM-XB2)                 FG-5001A
Security Processing Module, 2x10-GbE SFP+ (FMC-XG2)                       FG-3950B, FG-3951B
Accelerated Interface Module, 2x10-GbE SFP+ (FMC-XD2)                     FG-3950B, FG-3951B
Accelerated Interface Module, 20xSFP (FMC-F20)                            FG-3950B, FG-3951B
Accelerated Interface Module, 20x10/100/1000 (FMC-C20)                    FG-3950B, FG-3951B
Security Processing Module (FMC-XH0)                                      FG-3950B
SSL VPN support
SSL VPN standalone client
FortiOS v5.2.0 (Beta 4) supports the SSL VPN tunnel client standalone installer build 2300 for
the following operating systems:
• Microsoft Windows 8.1 (32-bit & 64-bit), 8 (32-bit & 64-bit), 7 (32-bit & 64-bit), and XP SP3 in
.exe and .msi formats
• Linux CentOS and Ubuntu in .tar.gz format
• Mac OS X v10.9, 10.8 and 10.7 in .dmg format
• Virtual Desktop in .jar format for Microsoft Windows 7 SP1 (32-bit)
Other operating systems may function correctly, but are not supported by Fortinet.
SSL VPN web mode
The following table lists the operating systems and web browsers supported by SSL VPN web
mode.
Table 3: Supported operating systems and web browsers
Operating System                               Web Browser
Microsoft Windows 7 32-bit SP1                 Microsoft Internet Explorer versions 8, 9, 10 and 11
                                               Mozilla Firefox version 26
Microsoft Windows 7 64-bit SP1                 Microsoft Internet Explorer versions 8, 9, 10 and 11
                                               Mozilla Firefox version 26
Linux CentOS version 5.6 and Ubuntu 12.04      Mozilla Firefox version 5.6
Mac OS X v10.7 Lion                            Apple Safari version 7
Other operating systems and web browsers may function correctly, but are not supported by
Fortinet.
SSL VPN host compatibility list
The following tables list the antivirus and firewall client software packages that are supported.
Table 4: Supported Windows XP antivirus and firewall software
Product                                          Antivirus    Firewall
Symantec Endpoint Protection v11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009
Table 5: Supported Windows 7 32-bit and 64-bit antivirus and firewall software
Product                                          Antivirus    Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
Explicit web proxy browser support
The following web browsers are supported by FortiOS v5.2.0 (Beta 4) for the explicit web proxy
feature:
• Microsoft Internet Explorer versions 8, 9, 10, and 11
• Mozilla Firefox version 27
• Apple Safari version 6.0
• Google Chrome version 34
Other web browsers may function correctly, but are not supported by Fortinet.
Resolved Issues
This chapter describes issues with FortiOS v5.2.0 (Beta 3 and earlier) that have been resolved
in FortiOS v5.2.0 (Beta 4). If you would like to see a more complete list of resolved issues for
this release, you can request one by emailing [email protected].
Resolved issues from FortiOS v5.2.0 (Beta 3)
The following issues from FortiOS v5.2.0 (Beta 3) have been resolved for FortiOS v5.2.0 (Beta 4).
Upgrade
• Customized charts lost in default layout after upgrade to 5.2.0 Beta 3. (236568)
Wanopt & Webproxy
• Webcache only runs on a single CPU in multi-CPU platforms. (228488)
Other resolved issues in FortiOS v5.2.0 (Beta 4)
HA
• Duplicates in the HA global checksum trigger an out-of-sync state. (231808)
Firewall
• Adding multi-VDOM admin overrides trusted host restrictions on ping. (235944)
• One-way audio with SIP ALG. (231678)
• SSL worker is utilizing high CPU when deep scanning is enabled. (223330)
SSL VPN
• Cannot log into SSL-VPN Web portal after deleting vlan/policy then configuring same
vlan/policy again. (236992)
• SSLVPN is restarted with all users every time updated CRL is downloaded. (237009)
System
• SCP configuration restore command syntax not consistent with backup command. (237009)
• Removed the restriction on having dots in interface names when a packet capture is issued. (233289)
SSL-related
• OpenSSL in FortiOS has CVE-2014-0160. (237976)
Known Issues
This chapter lists some known issues with FortiOS v5.2.0 (Beta 4) build 564.
Known issues with FortiOS v5.2.0 (Beta 4)
• Application control cloud-based signatures do not appear. (239938)
Known issues from FortiOS v5.2.0 (Beta 3)
The following were known issues in FortiOS v5.2.0 (Beta 3) that continue to be known issues in
FortiOS v5.2.0 (Beta 4).
Upgrade
• The application control signature categories File.Sharing and Special have been removed
but are still visible on the GUI. (237471)
Web-based Manager
• When configuring a FortiAP profile from the GUI, the list of Bands is incorrect. (237464)
Workaround: Use the CLI to configure the correct Band.
Known issues from FortiOS v5.2.0 (Beta 2)
The following were known issues in FortiOS v5.2.0 (Beta 2) that continue to be known issues in
FortiOS v5.2.0 (Beta 4).
Web-based Manager
• FortiView History views are only available for FG-100D and above (1U appliances and
above). This is by design. (232664)
Known issues from FortiOS v5.2.0 (Beta 1)
The following were known issues in FortiOS v5.2.0 (Beta 1) that continue to be known issues in
FortiOS v5.2.0 (Beta 3).
Antivirus
• On some low-end FortiGate models, the new full-mode flow-based antivirus scanning
mode cannot utilize the extended antivirus database. (223258)
Web Filtering
• If you change a policy from proxy-based Web Filtering to flow-based Web Filtering, users
who receive HTTPS traffic may see an invalid certificate error message in their web browser.
This happens because proxy-based and flow-based HTTPS web filtering generate
CA certificates differently. (227441)
Workaround: This issue is rare and will not be fixed. It should only happen if the policy is
changed while it is processing traffic. Users need to delete the CA certificate from their
browsers and accept the new certificate.
Appendix A: About FortiGate VMs
FortiGate VM model information
Five different FortiGate VM models are available, each with different levels of support for some
key features.
Table 6: FortiGate VM model
Support Feature                  VM-00     VM-01     VM-02     VM-04     VM-08
Virtual CPUs                     1         1         1 or 2    1 to 4    1 to 8
Virtual Network Interfaces       2 to 10 (all models)
Memory Requirements              1 GB      2 GB      4 GB      6 GB      12 GB
Storage                          30 GB to 2 TB (all models)
VDOMs                            1         10        25        50        250
CAPWAP Wireless Access Points    32        32        256       256       1024
Remote Wireless Access Points    32        32        256       256       3072
For more information see the FortiGate VM product datasheet available on the Fortinet web site,
http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-VM01.pdf.
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following VM environments:
VMware
• .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing
FortiGate VM installation.
• .ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation.
This package contains Open Virtualization Format (OVF) files for VMware and two Virtual
Machine Disk Format (VMDK) files used by the OVF file during deployment.
Xen
• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM
installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation.
This package contains the QCOW2 file for Open Source Xen.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation.
This package contains the Citrix Xen Virtual Appliance (XVA), Virtual Hard Disk (VHD), and
OVF files.
Hyper-V
• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM
installation.
• .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This
package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012.
It also contains the file fortios.vhd in the Virtual Hard Disks folder that can be manually
added to the Hyper-V Manager.
KVM
• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM
installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This
package contains a qcow2 disk image that can be used by qemu.
Citrix XenServer limitations
The following limitations apply to Citrix XenServer installations:
• XenTools installation is not supported.
• FortiGate VM can be imported or deployed in only the following three formats:
• XVA (recommended)
• VHD
• OVF
• The XVA format comes pre-configured with default settings for VM name, virtual CPU,
memory, and virtual NIC. Other formats require manual configuration before the first
power-on.
Open Source Xen limitations
When using Ubuntu version 11.10, Xen version 4.1.0, and libvirt version 0.9.2, import problems
may arise when using the QCOW2 format, in addition to existing HDA issues.