FortiOS v5.0 Patch Release 1 Release Notes

FortiOS Release Notes v5.0 · 2015-02-10 · Introduction Page 7 FortiOS v5.0 Patch Release 1 Release Notes Introduction This document provides a summary of new features, support


April 12, 2013

01-501-190082-20130412

Copyright © 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]

Table of Contents

Change Log
Introduction
  Supported models
    FortiGate
    FortiWiFi
    FortiGate VM
    FortiSwitch
  Summary of enhancements
    FortiOS v5.0 Patch Release 1
Special Notices
  TFTP boot process
  Monitor settings for Web-based Manager access
  Before any upgrade
  After any upgrade
  WAN Optimization
  MAC address filter list
  Spam filter profile
  Spam filter black/white list
  DLP rule settings
  ID-based firewall policy
  FortiGate 100D upgrade and downgrade limitations
Upgrade Information
  Upgrading from FortiOS v5.0.0
    Captive portal
    Reports
    SSL VPN web portal
    Virtual switch and the FortiGate 100D
  Upgrading from FortiOS v4.0 MR3
    Table size limits
    SQL logging upgrade limitation
    SSL deep-scan
    Profile protocol options
  Downgrading to previous FortiOS versions
Product Integration and Support
  Web browser support
  FortiManager support
  FortiAnalyzer support
  FortiClient support
  FortiAP support
  FortiSwitch support
  Virtualization software support
  Fortinet Single Sign-On (FSSO) support
  FortiExplorer (Microsoft Windows/Mac OS X) support
  FortiExplorer (iOS) support
  AV Engine and IPS Engine support
  Language support
  Module support
  SSL VPN support
    SSL VPN standalone client
    SSL VPN web mode
    SSL VPN host compatibility list
  Explicit web proxy browser support
Resolved Issues
  Antispam
  Antivirus
  CLI
  Client Reputation
  Device Visibility
  DLP
  Endpoint Control
  Firewall
  FortiGate VM
  GTP
  High Availability
  IPS
  IPsec VPN
  Logging and Reporting
  Routing
  Source Visibility
  SSL VPN
  System
  Upgrade
  VoIP
  WAN Optimization and Web Proxy
  Web-based Manager
  Web Filtering
  Wireless
Known Issues
  Antivirus
  Firewall
  FSSO
  High Availability
  IPS
  IPsec VPN
  Logging and Reporting
  SSL VPN
  System
  Web-based Manager
  Wireless
  Upgrade
Limitations
  Add device access list
Image Checksum
Appendix A: FortiGate VM
  FortiGate VM system requirements
  FortiGate VM firmware

Change Log

Date         Change Description
2012-12-21   Initial release.
2013-01-30   Document updates. Removed duplicate bug entries. Added bug 194309 to known issues.
2013-02-07   Added FG-60D/FWF-60D special branch support information.
2013-02-13   Added FortiManager and FortiAnalyzer support information.
2013-02-26   Minor update to product integration and support chapter.
2013-04-12   Minor update to upgrade information chapter.


Introduction

This document provides a summary of new features, support information, installation instructions, integration, resolved and known issues in FortiOS v5.0 Patch Release 1 build 0147.

Supported models

The following models are supported on FortiOS v5.0 Patch Release 1.

FortiGate

FG-20C, FG-20C-ADSL-A, FG-40C, FG-60C, FG-60C-POE, FG-80C, FG-80CM, FG-100D, FG-110C, FG-111C, FG-200B, FG-200B-POE, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3240C, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B, and FG-5101C.

FortiWiFi

FWF-20C, FWF-20C-ADSL-A, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.

FortiGate VM

FG-VM32 and FG-VM64.

FortiSwitch

FS-5203B.

See http://docs.fortinet.com/fgt.html for additional documentation on FortiOS v5.0.

FG-60D and FWF-60D

These models are released on a special branch based off of FortiOS v5.0 Patch Release 1. As such, the System > Dashboard > Status page and the output of the get system status CLI command display 4108 as the build number.

To confirm that you are running the proper build, check the output of the get system status CLI command: the Branch point field should read 0147.


Summary of enhancements

FortiOS v5.0 Patch Release 1

The following is a list of enhancements in FortiOS v5.0 Patch Release 1:

• Added new drill-downs for the top sessions widget

• Added new endpoint control feature activities in the log

• Added PING server on FG-20C/FWF-20C devices

• Added support for IKEv2 configuration payload

• Added sort and filter functions for Web-based Manager pages

• Device policy improvements

• Disk log settings returned

• Endpoint control: FortiClient logging

• Endpoint registration over SSL VPN tunnel mode

• Extend SIP helper for MSRP supporting MSRP NAT

• FortiClient endpoint control over IPsec VPN support

• FortiCloud certificate activation

• FortiSwitch controller on FG-100D

• HA support for BYOD feature

• One-time schedule alert expiration

• Separate SSL/SSH deep inspection profile

• Schedule the rogue AP background scan

• Simplified client reputation configuration

• Support USB encrypted configuration file

• Support WiFi DFS models for Japan/Korea

• WIDS profile Web-based Manager support

Not all features/enhancements listed above are supported on all models.


Special Notices

TFTP boot process

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be viewed properly.

Before any upgrade

Save a copy of your FortiGate configuration prior to upgrading. To back up your FortiGate configuration, go to System > Dashboard > Status. On the System Information widget, select Backup under System Configuration and save the configuration file to your local hard drive.

After any upgrade

If you are using the Web-based Manager, clear your browser cache prior to login on the FortiGate to ensure the Web-based Manager screens are displayed properly.

The virus and attack definitions included with a firmware upgrade may be older than ones currently available from the FortiGuard Distribution Server (FDS). Fortinet recommends performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) after upgrading. Consult the FortiOS v5.0 Handbook or FortiOS v5.0 Carrier Handbook for detailed procedures.

WAN Optimization

In FortiOS 5.0, WAN Optimization is enabled in security policies and WAN Optimization rules are no longer required. Instead of adding a security policy that accepts traffic to be optimized and then creating WAN Optimization rules to apply WAN Optimization, in FortiOS v5.0 you create security policies that accept traffic to be optimized and enable WAN Optimization in those policies. WAN Optimization is applied by WAN Optimization profiles which are created separately and added to WAN Optimization security policies.

MAC address filter list

The mac-filter CLI command under the config wireless-controller vap setting is not retained after upgrading to FortiOS v5.0 Patch Release 1. It is migrated into both the config user device and config user device-access-list settings.


Spam filter profile

The spam filter profile has been changed in FortiOS v5.0 Patch Release 1. The spam-emaddr-table and spam-ipbwl-table have been merged into the spam-bwl-table. The spam-bwl-table exists in the spam filter profile.

Spam filter black/white list

The config spamfilter emailbwl and config spamfilter ipbwl commands are combined into config spamfilter bwl.

DLP rule settings

The config dlp rule command is removed in FortiOS v5.0 Patch Release 1. The DLP rule settings have been moved inside the DLP sensor.

ID-based firewall policy

If you have enabled fall-through-unauthenticated in the identity-based policy, the following logic will apply:

• For unauthenticated users: if none of the accepted policies are matched and an identity-based policy has been hit, the normal authentication process will be triggered based on specific settings.

• For authenticated users: if an identity-based policy is matched, the traffic will be controlled by this policy. If none of the sub-rules are matched, the traffic will get dropped.

To enable/disable fall-through-unauthenticated in the identity-based policy, enter the following CLI command:

    config firewall policy
        edit <id>
            set identity-based enable
            set fall-through-unauthenticated [disable|enable]
        next
    end


FortiGate 100D upgrade and downgrade limitations

With the release of FortiOS v5.0.0 and later, the FortiGate 100D will run a 64-bit version of FortiOS. This has introduced certain limitations on upgrading firmware in a high availability (HA) environment and downgrading.

When performing an upgrade from a 32-bit FortiOS version to a 64-bit FortiOS version and the FortiGate 100Ds are running in an HA environment with the uninterruptable-upgrade option enabled, the upgrade process may fail on the primary device after the subordinate devices have been successfully upgraded. To work around this situation, users may disable the uninterruptable-upgrade option to allow all HA members to be successfully upgraded. Without the uninterruptable-upgrade feature enabled, several minutes of service unavailability are to be expected.

Downgrading a FortiGate 100D from FortiOS v5.0.0 is not supported due to technical limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to downgrade firmware is by using the TFTP server and BIOS menu to perform the downgrade. In this case the configuration will need to be restored from a previously backed up version.


Upgrade Information

Upgrading from FortiOS v5.0.0

FortiOS v5.0 Patch Release 1 build 0147 officially supports upgrade from FortiOS v5.0.0.

Please review the Special Notices, Product Integration and Support, Known Issues, and Limitations chapters prior to upgrading. For more information on upgrading your FortiOS device, see the FortiOS 5.0 Handbook at http://docs.fortinet.com.

Captive portal

The captive portal configuration has changed in FortiOS v5.0 Patch Release 1 and upon upgrading the previous configuration may be lost or changed. Review the following configuration examples before upgrading.

Endpoint control

The following examples detail an endpoint control configuration to allow all compliant Windows and Mac OS X computers network access. All non-compliant computers will be sent to the captive portal.

Example FortiOS v5.0.0 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices "windows-pc" "mac"
                set endpoint-compliance enable
            next
            edit 2
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices all
                set action capture
                set devices "windows-pc" "mac"
                set captive-portal forticlient-compliance-enforcement
            next
        end
    next

The new set forticlient-compliance-enforcement-portal enable and set forticlient-compliance-devices windows-pc mac CLI commands have been added to the master policy. Sub-policy 2 has been removed.

Example FortiOS v5.0 Patch Release 1 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set forticlient-compliance-enforcement-portal enable
        set forticlient-compliance-devices windows-pc mac
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "abc"
                set service "ALL"
                set devices "windows-pc" "mac"
                set endpoint-compliance enable
            next
        end
    next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If this occurs, you have to enter the following CLI commands:

    set forticlient-compliance-enforcement-portal enable
    set forticlient-compliance-devices windows-pc mac

Device detection

The following examples detail a device detection configuration to allow Android, Blackberry, and iPhone devices network access. The captive portal is used to optionally learn the device type, or send back a replacement message if device type cannot be determined.

Example FortiOS v5.0.0 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices "android-phone" "blackberry-phone" "ip-phone"
            next
            edit 2
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices all
                set action capture
                set captive-portal device-detection
            next
        end
    next

The new set device-detection-portal enable CLI command has been added to the master policy. Sub-policy 2 has been removed.

Example FortiOS v5.0 Patch Release 1 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set device-detection-portal enable
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "abc"
                set service "ALL"
                set devices "android-phone" "blackberry-phone" "ip-phone"
            next
        end
    next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If this occurs, you have to enter the following CLI command:

    set device-detection-portal enable

Email collection

The following examples detail an email collection configuration which would allow all devices for which an email-address has been collected network access. Any device which has not had an email collected would be directed to the captive portal.

Example FortiOS v5.0.0 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices email-collection
            next
            edit 2
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices all
                set action capture
                set captive-portal email-collection
            next
        end
    next

The new set email-collection-portal enable CLI command has been added to the master policy. Sub-policy 2 has been removed.

Example FortiOS v5.0 Patch Release 1 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set email-collection-portal enable
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "abc"
                set service "ALL"
                set devices all
            next
        end
    next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If this occurs, you have to enter the following CLI command:

    set email-collection-portal enable
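
The three captive portal migrations above can be checked against a v5.0.0 configuration backup before upgrading, so that the master-policy commands to re-enter are known in advance. The following Python script is an added example, not part of the Fortinet release notes: the parser, the function names and the sample configuration are constructed for illustration, and it assumes the value for forticlient-compliance-devices is copied from the removed capture sub-policy.

```python
import shlex

# Portal type on a v5.0.0 capture sub-policy -> setting that v5.0 Patch
# Release 1 puts on the master policy (mapping taken from the notes above).
PORTAL_SETTING = {
    "forticlient-compliance-enforcement": "forticlient-compliance-enforcement-portal",
    "device-detection": "device-detection-portal",
    "email-collection": "email-collection-portal",
}

def _node():
    return {"set": {}, "edit": {}, "config": {}}

def parse_config(text):
    """Parse config/edit/set/next/end CLI text into nested dicts."""
    root = _node()
    stack = [("root", root)]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        word, args = tokens[0], tokens[1:]
        if word in ("config", "edit"):
            child = _node()
            stack[-1][1][word][" ".join(args)] = child
            stack.append((word, child))
        elif word == "set" and args:
            # A repeated "set" for the same key overrides the earlier value.
            stack[-1][1]["set"][args[0]] = args[1:]
        elif word in ("next", "end"):
            if stack[-1][0] != ("edit" if word == "next" else "config"):
                raise ValueError("unbalanced %r" % word)
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root

def portal_commands_to_restore(text):
    """Map policy id -> master-policy commands replacing its capture sub-policies."""
    policies = parse_config(text)["config"].get("firewall policy", _node())
    result = {}
    for pid, policy in policies["edit"].items():
        subs = policy["config"].get("identity-based-policy", _node())
        cmds = []
        for sub in subs["edit"].values():
            s = sub["set"]
            if s.get("action") != ["capture"]:
                continue
            portal = " ".join(s.get("captive-portal", []))
            setting = PORTAL_SETTING.get(portal)
            if setting is None:
                cmds.append("REVIEW MANUALLY: captive-portal %r" % portal)
            elif policy["set"].get(setting) != ["enable"]:
                cmds.append("set %s enable" % setting)
                if portal.startswith("forticlient") and s.get("devices"):
                    # Assumption: the device list is copied from the capture sub-policy.
                    cmds.append("set forticlient-compliance-devices " + " ".join(s["devices"]))
        if cmds:
            result[pid] = cmds
    return result

# Constructed sample: policy 3 follows the endpoint control example above,
# policy 4 (hypothetical id) follows the email collection example.
SAMPLE_V500 = """
config firewall policy
    edit 3
        set identity-based enable
        config identity-based-policy
            edit 1
                set devices "windows-pc" "mac"
            next
            edit 2
                set devices all
                set action capture
                set devices "windows-pc" "mac"
                set captive-portal forticlient-compliance-enforcement
            next
        end
    next
    edit 4
        set identity-based enable
        config identity-based-policy
            edit 1
                set devices email-collection
            next
            edit 2
                set action capture
                set captive-portal email-collection
            next
        end
    next
end
"""

if __name__ == "__main__":
    for pid, cmds in portal_commands_to_restore(SAMPLE_V500).items():
        print("policy", pid, "->", "; ".join(cmds))
```

Run it against a saved backup by passing the file contents to portal_commands_to_restore(); a policy that already carries the new portal setting is not reported.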

Reports

Before you run a report after upgrading to v5.0 Patch Release 1, you must enter the following CLI commands:

    execute report-config reset
    This will reset report templates to the factory default.
    All changes to the default report will be lost!
    Do you want to continue? (y/n)y
    Report configuration was reset to the factory default.

    execute report recreate-db
    This will recreate the report database from the log database.
    Do you want to continue? (y/n)y
    Request to recreate report database is successfully sent.

SSL VPN web portal

For FortiGate 60C variants and lower models only one SSL VPN web portal is retained after upgrading to FortiOS v5.0 Patch Release 1.

Virtual switch and the FortiGate 100D

The name Virtual Switch is used by different objects on the Web-based Manager and the CLI. On the Web-based Manager Virtual Switch refers to an interface type and is used for the FortiSwitch controller feature. This instance of Virtual Switch maps to the CLI command config switch-controller vlan.

The second instance of Virtual Switch in the CLI, config system virtual-switch, is used to configure the hardware switch. This command maps to the Web-based Manager hardware switch interface type.

Upgrading from FortiOS v4.0 MR3

FortiOS v5.0 Patch Release 1 build 0147 officially supports upgrade from FortiOS v4.0 MR3 Patch Release 10 or later.

Please review the Special Notices, Product Integration and Support, Known Issues, and Limitations chapters prior to upgrading. For more information on upgrading your FortiOS device, see the FortiOS 5.0 Handbook at http://docs.fortinet.com.


Table size limits

FortiOS v5.0 Patch Release 1 has changed the maximum allowable limits on some objects. As a result, the configuration for some objects may be lost. These include:

• dlp sensor

• firewall vip

• application list

• dlp sensor filter

• ips sensor

For more information, see the Maximum Values Table for FortiOS 5.0 at http://docs.fortinet.com.

SQL logging upgrade limitation

For the following units, after upgrading to FortiOS v5.0 Patch Release 1 SQL logging will be retained based on the total size of the RAM available on the device. Logs will use up to a maximum of 10% of the RAM. Once past that threshold, any new logs will overwrite older logs. The historical report generation will also be affected based on the SQL logs that are available for query.

• FG-100D

• FG-300C

SSL deep-scan

A new SSL/SSH inspection option has been added to include all SSL protocols. The protocol

status in SSL/SSH inspection will default to disable for the SSL protocols. The SSL/SSH

inspection should be modified to enable the SSL protocols wherever inspection is required.

Before upgrade

• The antivirus, web filter, and antispam profiles had separate protocol settings for the SSL

and non-SSL protocols.

• For HTTPS deep-scanning to be done, deep-scan needed to be enabled for HTTPS in the

UTM proxy options.

After upgrade

• The settings for the SSL protocols in the antivirus, web filter, and antispam profiles have been removed. Instead, the non-SSL options will apply to both the SSL and non-SSL versions of each protocol. The SSL/SSH inspection options now include an enable/disable option for each protocol. This is used to control which protocols are scanned and which SSL-enabled protocols are decrypted.

• To use HTTPS non-deep (SSL handshake) inspection, HTTPS needs to be enabled in the

SSL/SSH inspection options. A web filter profile with https-url-scan enabled needs to

be applied in the policy with the SSL/SSH inspection options. The web filter profile option

changes the inspection mode to non-deep scan. AV will not be performed if this option is

enabled. The web filter profile option does not apply if SSL inspect-all is enabled in the

SSL/SSH inspection options.

Behavior

• After upgrade, all the SSL related settings in the antivirus, web filter, and antispam profiles will be lost. The non-SSL settings will be retained and applied to the related SSL protocols if they are enabled in the SSL/SSH inspection options. The protocol status in the SSL/SSH inspection options will default to enable for the non-SSL protocols and will default to disable for the SSL protocols. The SSL/SSH inspection options should be modified to enable the SSL protocols wherever inspection is required.

• Any profiles requiring non-deep HTTPS inspection will need to be modified to include a web

filter profile and SSL/SSH inspection options with the settings as described above. The

original HTTPS deep-scan settings will be lost upon upgrade.

Profile protocol options

Deep inspection status configurations are not retained for FTPS/IMAPS/POP3S/SMTPS after

upgrading from FortiOS v4.3 MR3.

Example FortiOS v4.3 MR3 configuration:

    config firewall profile-protocol-options
        edit "default"
            set comment "all default services"
            config http
                set port 80
                set port 8080
                set options no-content-summary
                unset post-lang
            end
            config https
                set port 443
                set port 8443
                set options allow-invalid-server-cert
                unset post-lang
                set deep-scan enable
            end
            config ftp
                set port 21
                set options no-content-summary splice
            end
            config ftps
                set port 990
                set options no-content-summary splice
                unset post-lang
            end
            config imap
                set port 143
                set options fragmail no-content-summary
            end
            config imaps
                set port 993
                set options fragmail no-content-summary
            end
            config pop3
                set port 110
                set options fragmail no-content-summary
            end
            config pop3s
                set port 995
                set options fragmail no-content-summary
            end
            config smtp
                set port 25
                set options fragmail no-content-summary splice
            end
            config smtps
                set port 465
                set options fragmail no-content-summary splice
            end
            config nntp
                set port 119
                set options no-content-summary splice
            end
        next
    end

Example FortiOS v5.0 Patch Release 1 configuration:

    config firewall profile-protocol-options
        edit "default"
            set comment "all default services"
            config http
                set ports 80 8080
                set options no-content-summary
                unset post-lang
            end
            config ftp
                set ports 21
                set options no-content-summary splice
            end
            config imap
                set ports 143
                set options fragmail no-content-summary
            end
            config mapi
                set ports 135
                set options fragmail no-content-summary
            end
            config pop3
                set ports 110
                set options fragmail no-content-summary
            end
            config smtp
                set ports 25
                set options fragmail no-content-summary splice
            end
            config nntp
                set ports 119
                set options no-content-summary splice
            end
            config dns
                set ports 53
            end
        next
    end

    config firewall deep-inspection-options
        edit "default"
            set comment "all default services"
            config https
                set ports 443 8443
                set allow-invalid-server-cert enable
            end
            config ftps
                set ports 990
                set status disable
            end
            config imaps
                set ports 993
                set status disable
            end
            config pop3s
                set ports 995
                set status disable
            end
            config smtps
                set ports 465
                set status disable
            end
        next
    end
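A post-upgrade check for the behaviour described in the SSL deep-scan and Profile protocol options sections, as an added example (not Fortinet code): it parses the config firewall deep-inspection-options section of a configuration backup and groups each SSL protocol by its status setting, so profiles left at disable after the upgrade can be reviewed. The function names, the "mail-inspect" profile and the "set status enable" line are constructed for illustration.

```python
import shlex

TABLE = "firewall deep-inspection-options"
SSL_PROTOCOLS = ("https", "ftps", "imaps", "pop3s", "smtps")

# Constructed sample input. "default" repeats the v5.0 Patch Release 1 example
# from the release notes; "mail-inspect" is a hypothetical second profile.
SAMPLE_CONFIG = """
config firewall deep-inspection-options
    edit "default"
        set comment "all default services"
        config https
            set ports 443 8443
            set allow-invalid-server-cert enable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
    next
    edit "mail-inspect"
        config imaps
            set ports 993
            set status enable
        end
        config smtps
            set ports 465
            set status disable
        end
    next
end
"""


def parse_deep_inspection(text):
    """Return {profile: {protocol: {setting: [values]}}} for the TABLE section."""
    profiles, stack = {}, []  # stack holds the open ("config"|"edit", name) blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb in ("config", "edit"):
            stack.append((verb, " ".join(args)))
        elif verb in ("end", "next"):
            expected = "config" if verb == "end" else "edit"
            if not stack or stack[-1][0] != expected:
                raise ValueError(f"line {lineno}: unbalanced {verb!r}")
            stack.pop()
        in_table = len(stack) >= 2 and stack[0] == ("config", TABLE) and stack[1][0] == "edit"
        if not in_table:
            continue
        protocols = profiles.setdefault(stack[1][1], {})
        if len(stack) == 3 and stack[2][0] == "config":
            settings = protocols.setdefault(stack[2][1], {})
            if verb == "set" and args:
                settings[args[0]] = args[1:]
    if stack:
        raise ValueError(f"unterminated block: {stack[-1]}")
    return profiles


def classify(profiles):
    """Group (profile, protocol) pairs by the state of each SSL protocol."""
    groups = {"enable": [], "disable": [], "unset": [], "absent": []}
    for profile in sorted(profiles):
        for proto in SSL_PROTOCOLS:
            settings = profiles[profile].get(proto)
            if settings is None:
                state = "absent"   # profile has no block for this protocol
            elif not settings.get("status"):
                state = "unset"    # no explicit status line in the backup
            else:
                state = settings["status"][0]
            groups.setdefault(state, []).append((profile, proto))
    return groups


if __name__ == "__main__":
    result = classify(parse_deep_inspection(SAMPLE_CONFIG))
    for state in ("disable", "unset", "absent", "enable"):
        for profile, proto in result[state]:
            print(f"{state:8} {profile}/{proto}")
```

An "unset" result only means the backup carries no explicit status line for that protocol; confirm the effective value on the unit before relying on it.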

Downgrading to previous FortiOS versions

Downgrading to previous FortiOS versions results in configuration loss on all models. Only the

following settings are retained:

• operation modes

• interface IP/management IP

• route static table

• DNS settings

• VDOM parameters/settings

• admin user account

• session helpers

• system access profiles.


Product Integration and Support

Web browser support

FortiOS v5.0 Patch Release 1 supports the following web browsers:

• Microsoft Internet Explorer versions 8 and 9

• Mozilla Firefox versions 15, 16, and 17

• Google Chrome version 22

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager support

FortiOS v5.0 Patch Release 1 is supported by FortiManager v5.0 Patch Release 1 or later.

FortiAnalyzer support

FortiOS v5.0 Patch Release 1 is supported by FortiAnalyzer v5.0 Patch Release 1 or later.

FortiClient support

FortiOS v5.0 Patch Release 1 is supported by the following FortiClient software versions:

• FortiClient (Windows) v5.0.0 build 0194 or later

• FortiClient (Mac OS X) v5.0.0 build 0081 or later

FortiAP support

FortiOS v5.0 Patch Release 1 supports the following FortiAP models:

FAP-11C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and

FAP-320B

The FortiAP device must be running FortiAP v5.0.0 build 0021 or later.

FortiSwitch support

FortiOS v5.0 Patch Release 1 supports the following FortiSwitch models:

FS-348B

The FortiSwitch device must be running FortiSwitch v1.0 Patch Release 2 build 4030 or later.


Virtualization software support

FortiOS v5.0 Patch Release 1 supports VMware ESX / ESXi 4.0, 4.1, 5.0, and 5.1. See FortiGate VM for more information.

Fortinet Single Sign-On (FSSO) support

FortiOS v5.0 Patch Release 1 is supported by FSSO v4.0 MR3 build 0129 for the following

operating systems:

• Microsoft Windows Server 2012 Enterprise Edition R2 64-bit

• Microsoft Windows Server 2008 32-bit

• Microsoft Windows Server 2008 Server 64-bit

• Microsoft Windows Server 2008 R2 64-bit

• Microsoft Windows Server 2003 R2 32-bit

• Microsoft Windows Server 2003 R2 64-bit

• Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer (Microsoft Windows/Mac OS X) support

FortiOS v5.0 Patch Release 1 is supported by FortiExplorer v2.1 build 1038 or later. See the

FortiExplorer v2.1 build 1038 Release Notes for more information.

FortiExplorer (iOS) support

FortiOS v5.0 Patch Release 1 is supported by FortiExplorer (iOS) v1.0 build 0109 or later. See

the FortiExplorer (iOS) v1.0 build 0109 Release Notes for more information.

AV Engine and IPS Engine support

FortiOS v5.0 Patch Release 1 is supported by AV Engine v5.0.0032 and IPS Engine v2.0.0043.

Language support

FortiOS v5.0 Patch Release 1 is localized for the following languages:

Language Web-based Manager Documentation

English

French -

Portuguese (Brazil) -

Spanish (Spain) -

Korean -

Chinese (Simplified) -

Chinese (Traditional) -

Japanese -

To change the FortiGate language setting, go to System > Admin > Settings. In View Settings > Language, select the desired language from the drop-down menu.

Module support

FortiOS v5.0 Patch Release 1 supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC), Rear Transition Module (RTM), and Fortinet Storage Module (FSM) removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before a module is inserted or removed.

Table 1: Supported modules and FortiGate models

| AMC/FMC/FSM/RTM Module | FortiGate Model |
| --- | --- |
| Storage Module, 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, FG-5001A |
| Storage Module, 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B |
| Accelerated Interface Module, 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A |
| Accelerated Interface Module, 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A, FG-5001A |
| Accelerated Interface Module, 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A, FG-5001A |
| Bypass Module, 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A |
| Bypass Module, 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A |
| Security Processing Module, 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, FG-5001A |
| Security Processing Module, 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A, FG-5001A |
| Security Processing Module, 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A, FG-5001A |
| Security Processing Module, 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A |
| Rear Transition Module, 10-GbE backplane fabric (RTM-XD2) | FG-5001A |
| Security Processing Module (ASM-ET4) | FG-310B, FG-311B |
| Rear Transition Module, 10-GbE backplane fabric (RTM-XB2) | FG-5001A |
| Security Processing Module, 2x10-GbE SFP+ (FMC-XG2) | FG-3950B, FG-3951B |
| Accelerated Interface Module, 2x10-GbE SFP+ (FMC-XD2) | FG-3950B, FG-3951B |
| Accelerated Interface Module, 20xSFP (FMC-F20) | FG-3950B, FG-3951B |
| Accelerated Interface Module, 20x10/100/1000 (FMC-C20) | FG-3950B, FG-3951B |
| Security Processing Module (FMC-XH0) | FG-3950B |

SSL VPN support

SSL VPN standalone client

FortiOS v5.0 Patch Release 1 supports the SSL VPN tunnel client standalone installer build 2281 for the following operating systems:

• Microsoft Windows XP, Windows 7, and Windows 8 in .exe and .msi format

• Linux CentOS and Ubuntu in .tar.gz format

• Mac OS X v10.7 Lion in .dmg format

• Virtual Desktop in .jar format for Microsoft Windows 7

Other operating systems may function correctly, but are not supported by Fortinet.

Table 2: Supported operating systems

Operating System Support

• Microsoft Windows 8 64-bit

• Microsoft Windows 7 64-bit

• Microsoft Windows 7 32-bit

• Microsoft Windows XP SP3

• Linux CentOS 5.6

• Linux Ubuntu 12.0.4

• Mac OS X v10.7 Lion

Virtual Desktop Support

• Microsoft Windows 7 32-bit SP1

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Table 3: Supported operating systems and web browsers

| Operating System | Web Browser |
| --- | --- |
| Microsoft Windows 7 32-bit SP1 | Microsoft Internet Explorer versions 8, 9, and 10; Mozilla Firefox version 12 |
| Microsoft Windows 7 64-bit SP1 | Microsoft Internet Explorer versions 8, 9 and 10; Mozilla Firefox version 12 |
| Linux CentOS 5.6 and Ubuntu 12.0.4 | Mozilla Firefox version 3.6 |
| Mac OS X v10.7 Lion | Apple Safari version 6 |

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Table 4: Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall

Symantec Endpoint Protection v11

Kaspersky Antivirus 2009

McAfee Security Center v8.1

Trend Micro Internet Security Pro

F-Secure Internet Security 2009

Table 5: Supported Microsoft Windows 7 32-bit and 64-bit antivirus and firewall software

Product Antivirus Firewall

CA Internet Security Suite Plus Software

AVG Internet Security 2011

F-Secure Internet Security 2011

Kaspersky Internet Security 2011

McAfee Internet Security 2011

Norton 360™ Version 4.0

Norton™ Internet Security 2011

Panda Internet Security 2011

Sophos Security Suite

Trend Micro Titanium Internet Security

ZoneAlarm Security Suite

Symantec Endpoint Protection Small Business Edition 12.0

Explicit web proxy browser support

The following web browsers are supported by FortiOS v5.0 Patch Release 1 for the explicit web proxy feature:

• Microsoft Internet Explorer versions 8 and 9

• Mozilla Firefox versions 15 and 16

Other web browsers may function correctly, but are not supported by Fortinet.

Resolved Issues

The resolved issues tables listed below do not list every bug that has been corrected with FortiOS v5.0 Patch Release 1 build 0147. For inquiries about a particular bug, please contact Customer Service & Support.

Antispam

Table 6: Resolved antispam issues

Bug ID Description

154340 The proxyworker process crashed with signal 7 errors on emails.

178515 The Hotmail general email log to and cc fields include double quotations.

185152 FortiGuard Spam IP address check does not work over SMTP and SMTPS.

189889 The scanunit process crashed when MMS endpoint BWL feature was enabled.

Antivirus

Table 7: Resolved antivirus issues

Bug ID Description

176174 The extended database is erased and set default_db as ex.

184584 avengine scanmode issue on 64-bit platforms.

187648 The extended database version is 0 after update-av and FLDB update is unexpected.

CLI

Table 8: Resolved CLI issues

Bug ID Description

185946 Many pop up errors observed on console.

190782 A combination of PARSE_F_MULARG and PARSE_F_SKIP causes the CLI to behave incorrectly.

191061 Created a new diag test command for fdsmgmtd.

Client Reputation

Table 9: Resolved client reputation issues

Bug ID Description

184435 diagnose client-reputation test related CLI comments do not work.

187627 Missing crscore/craction in the host-detail for a failed connection and blocked policy.

187686 sql_db ioerror can cause a reputation data update to fail.

Device Visibility

Table 10: Resolved device visibility issues

Bug ID Description

189181 Added a new pre-defined device group for Windows tablets.

DLP

Table 11: Resolved DLP issues

Bug ID Description

145588 The DLP log of a file pattern has the wrong file field with an HTTP POST request.

175582 The Archive and DLP monitor is unresponsive when report by protocol is selected.

187307 Check dlp file type filter is not selectable.

Endpoint Control

Table 12: Resolved endpoint control issues

Bug ID Description

187048 FortiGate devices renew the Endpoint License expiry time when FortiClient is offline.

188259 Need to enforce disabling broadcast-forticlient-discovery when listen-forticlient-connection is disabled.

190985, 190994 When copying and pasting a FortiClient configuration into advanced-cfg-buffer, an application firewall rule list is required.

191040, 191052 Support multiple endpoints which have the same IP (from different VDOMS) in the endpoint control record table.

191092 Allow FortiClient license upgrade feature on FG-110C and FG-111C.

191345 FortiGate will deny the traffic from a registered FortiClient over a SSL VPN connection.

Firewall

Table 13: Resolved firewall issues

Bug ID Description

156726 HTTPS SSL deep-scan downloads stall at 99%.

163589 Management login support for RADIUS Challenge-Response.

167304 Control concurrent user authentication in identity-based-policy.

174101 Moved auth-lockout to VDOM and added enable/disable CLI

commands.

180372 Device policy and explicit proxy should be mutually exclusive in the

Web-based Manager and CLI.

183325 The multicast policy set protocol in CLI will not display any default values,

the Web-based Manager displays default values correctly.

184312 The proxyworker process experiences high CPU with multiple signal 11

segmentation faults.

184375 Uploads are interrupted by FortiGate devices with the load balancer feature

enabled.

186588 DLP, AV, and web filter sometimes do not work when inspect-all is

enabled.

186836 Re-enabling the UTM status of a firewall policy can result in all UTM options

disappearing.

187125 Load balance health check monitor port change after reboot.

187131 Changing the members of a service group does not immediately take effect in

a policy.

187202 The TLS connection cannot be completed. A method is required to control for

TLS decryption.

187549 DCE-RPC high port assignment is not allowed when using Microsoft SCOM

2012.

188039 Firewall multicast policy source NAT does not work.

188975 In user visibility, Kerberos authentication takes higher priority than FSSO

authentication.

189067 Driver fix for traffic failure reported from production and IQC.

189876 Support the SSL next-proto-negotiation extension.

190636 The connection will be reset if a client requests TLSv1.2 but the server

chooses TLSv1.1 or below when SSL deep scan is enabled.

190776 A firewall policy can be set without defining service when the action is set as

IPsec or deny.

190990, 191585 System crashed with ehci_hcd fatal errors.

191050 Handle HTTP connection upgrade in transparent proxy to support WebSocket traffic.

191171, 191319 FortiSwitch-controller configuration bug fix.

191471 Once FortiClient access is enabled on an interface, it will implicitly open port 8010 on all interfaces in the same VDOM.

191570 FSSO_Guest_User group does not work for ID-based policy.

191606 all service prot_type is not set.

151728, 174277, & 177976 UTM web and email monitor statistics are incorrectly recorded.

FortiGate VM

Table 14: Resolved FortiGate VM issues

Bug ID Description

186173 FortiGate-VM64.hw07.vmxnet2.ovf and FortiGate-VM.hw07_vmxnet2.ovf cannot support HA.

186809 The FortiClient license support for FG-VM01 should be 1000.

186809, 186810, 190416 Set VM license levels for limiting Python processes and FortiClient licenses.

186810 FG-VM00 should not have the Enter License option for FortiClient Registration License.

190416 FG-VM frequently experiences conserve mode.

GTP

Table 15: Resolved GTP issues

Bug ID Description

172442 The MMS profile alert-int parameter is missing.

High Availability

Table 16: Resolved high availability issues

Bug ID Description

153089 Automatic backup configuration bug in HA mode.

156040 Redundant HA in-sync log messages.

185272 When displaying a log message in a slave event log, the slave clock is

adjusted to an invalid time.

185628 Part of the session information is not synchronized correctly under HA

Active-Active mode when a device based firewall policy is configured.

186053 All heartbeat links fail simultaneously, triggered by traffic.

186681 The VLAN interface has the HA MAC address on both cluster members, after

virtual cluster failover.

186788 Bulk CLI scripts cannot synchronize to a slave FortiGate if there is a comment

on the script.

187026 A new HA cluster slave cannot synchronize an IPsec VPN tunnel from its

master after synchronizing both sides.

187090 The slave log cannot be sent to a FortiAnalyzer when first forming the HA

cluster.

187091 The master does not forward the slave's log to FortiAnalyzer in a multi VDOM

environment when the new member has VDOMs configured.

187263 A FortiGate slave has cw_acd and cmdbsvr process crashes when synchronizing its configuration.

187424 The configuration cannot synchronize between the master and slave.

187430 A FG-100D device configured as HA master experienced a kernel crash and

rebooted by itself.

187994 The src-vis daemon crashes on the slave.

188912 Devices cannot get updates when configured in HA.

190223 Existing sessions hang after HA failover when using FSSO authentication with

a disclaimer.

190237 Changing firewall policy attributes does not cause the checksum to change.

191144 The HA management interface cannot be configured and the newcli daemon crashed.

191692 The FortiGate device fails to send a FortiToken mobile activation code when a

unit is operating in HA.

IPS

Table 17: Resolved IPS issues

Bug ID Description

170316 The proxyworker process will crash under SSH protocol fuzzing.

184016 IPS DoS log is different for an XLP offload with the CPU processed.

190637 Do not show fail open if IPS is busy due to signature or configuration change.

IPsec VPN

Table 18: Resolved IPsec VPN issues

Bug ID Description

176133 NPU offload does not work with IPsec VPN IPv6.

178665 L2TP over IPsec client cannot ping to internal network if the FortiGate has PPPoE WAN connection.

182017 A FortiGate PPTP client using PAP fails.

182910 The IPsec monitor shows the wrong user name for a dialup VPN with RSA aggressive mode.

183382 Invalid ESP packets are regularly generated.

183638 VPN DDNS gateway cache conflicts causing high IKED CPU usage.

184463 IPv6 traffic is dropped when traversing an IPsec VPN with NP4 fast-path enabled.

186975 Enabling transparent mode npu-offload in IPsec phase1 could not force traffic to offload.

190405 IKEv2 dead peer detection failure brings down the tunnel even though the peer was still reachable.

190752 iPhone 5 IPsec VPN connection issues.

190763 L2TP over IPSec issue with Chrome OS.

191229 Delete notify sent issue when IPsec SA hard expires.

Logging and Reporting

Table 19: Resolved logging and reporting issues

Bug ID Description

121065 log-disk-quota in global resource and vdom-property can be set smaller than the sum of quota in log disk setting.

153210 ICMP6 is logged as others in the traffic log.

161048 When the schedule is set to weekly, Traffic History by Bandwidth/Sessions

logs are empty.

163808 Cannot show the value of NIDS_EVENT in alertmail.

168405 The quarantine archive tab loads in the Web-based Manager.

169215 Cannot send a slave log to FortiCloud.

172636 Logging of HTTP POST command blocking in web filtering.

173614 The spam filter log subject field is blank.

178128 Add the subject field to the DLP log.

181291 The log quota of VDOMs can exceed the size of the disk.

181391 If keeping bps as the unit, the correct number should be eight times the

current number.

183447 Added extended-utm-log to VoIP.

184465 The modem event log has the wrong format.

184875 The Web-based Manager should show the VoIP log.

185209 The traffic log is generated when utm-incident-traffic-log and

log-traffic are both disabled.

185916 The ID field name in the DHCP log should be changed.

185949 No IPS incidents are in the traffic log; the report and client reputations do not

have the related charts.

186280 A false alertmail email is sent out when HA status changes is enabled.

186362 Cannot add custom charts.

186918 Alertmail shows Failed to send alert email in logs, but the message has been

sent.

187003 There is no invalid log for failed connection attempt cause; it fails to track the

related client reputation.

187505 The reportd daemon crashed with signal 11 errors when a report is run

manually.

187567 The IPMC-sensor log has illegal characters and the system log cannot be

displayed in the Web-based Manager.

188002 Logs still use daylight savings time.

188038 The scheduled upload for dlp-archive does not work.

188117 DLP archive upload to FortiAnalyzer does not work when the upload option is

store-and-upload.

188126 The log is deleted and there is a false emergency event log when usage is very low.

188144 The Top web users by bandwidth chart needs to be resized.

188199 There should be an event log when a scheduled update succeeds.

188326 The FG-100D receives a Failed to create statement for INSERT INTO apps error message after formatlogdisk.

188420, 190116 Generate an event log entry when connecting to a modem successfully.

188734 Traffic log is inconsistent after test AV sample.

188854 UTM incident traffic logs are confusing when they match multiple UTM profiles. This causes the report and reputation to be incorrect.

188958 The miglogd daemon crashed when handling an abnormal log file.

189785 Need to add crscore/craction to the traffic logs sent to FortiAnalyzer.

190519 Show FortiCloud log upload progress.

190553 DLP PDF font handling issue from Ubuntu PDF generator.

190913 forticldd daemon usage issue, CPU is at 99%.

191106 Purge disk log after 7 days by default.

191245 Pause before attempting to connect to FortiCloud after an unsuccessful attempt.

Routing

Table 20: Resolved routing issues

Bug ID Description

176314 OSPF Hello uses a 32-bit netmask even if the tunnel interface IP has a smaller

bitmask.

182783 The gateway of static route is its own address and should not be allowed or

not be shown in routing table.

184378 The password function of IPv6 BGP neighbor does not work.

185808 PIM-SSM Multicast stream is pruned while other IGMPv3 receivers are still

present.

188201 A four byte AS number is shown as '-1' in aggregate routes aggregated by.

188470, 188480 Delete the detectserver option of fail-detect-option in transparent mode and add host name check for gwdetect server name.

188645 An IPv6 address on FWF-60CM interface cannot be pinged when the routing path is asymmetric.

190671 Since there is no ASPATH object created for locally originated BGP routes, regular expression "^$" will not match such routes in FortiGate.

Source Visibility

Table 21: Resolved source visibility issues

Bug ID Description

185512 The KDC-REQ user name is not recorded when user visibility is enabled.

SSL VPN

Table 22: Resolved SSL VPN issues

Bug ID Description

133510 No SSL VPN tunnel plugin is available for 64-bit web browsers.

181139 Cannot open a JSP object in SSL web mode.

182464 The SSL VPN tunnel widget does not work in the web mode portal on

Windows 8 with Internet Explorer 10.

183875 There is an SMB/CIFS operation error in the SSL VPN web portal.

184140 The RDP login screen is not displayed in full screen mode with SSL VPN in

web mode.

184285 Add the FortiClient download widget to the SSL VPN web portal.

185359 Failed to create an SSL VPN policy with the wizard because sslvpn-portal is

not set.

187320 When a user logs out of SSL VPN web mode from Fortinet bar they are

redirected to an incorrect page.

187822 The SSL VPN portal idle timeout does not work with Fortinet Bar enabled.

188048 The web mode SSL VPN daemon crashes when the firewall policy address

type is FQDN.

188083 The SSL daemon crashes when accessing the FortiGate Web-based Manager

in web mode.

188730 The portal message setting is inconsistent for default and newly added SSL

VPN portals.

189246 PING6 for unreachable destination caused SSL VPN portal to hang.

190106, 190336 Minor issues with downloading SSL VPN plugins from FDS.

191068 SSL VPN could not be accessed for newly created VDOM.

System

Table 23: Resolved system issues

Bug ID Description

138324 The FortiToken drift value exceeds 254.

139978 Old acknowledged/deleted messages repeatedly show up in other message

widgets on the dashboard.

150876 The duplex information on the FWF-60B displays incorrectly.

159921 There are no IPS fail-open status logs.

159974 FortiGate FSSO polling can not get all IP addresses if a workstation has

multiple ethernet cards.

161876 The FG-600C gets a power supply 2 failure event log when the optional power

supply is not installed.

172299 Ports 9-12 flap when connected to an Arista 7124SX switch.

175326 FortiGate responds to ARP requests on 192.168.0.1 on MGMT1 interface.

175520 FortiToken Mobile: current solution supports the root VDOM only.

178435 FQDN in the firewall will only grab the TTL value of an A record.

179382 The filters in interface > One-arm sniffer sometimes cannot accept or delete

configurations.

179952 Stop quarantine and archive when in the conserve mode.

181367 Support larger replacement messages.

181426 After moving an interface into a newly created VDOM, the FortiGate unit still

sends broadcasts in the old VDOM.

182835 The FG-200B port cannot detect FG-3016B link status.

183546 SSL process high memory issue.

183664 The PPPoE interface set defaultgw disable cannot remove the gateway.

183727 The FIPS-CC Alarms for user-auth-failure/lockout-threshold stops

working.

184182 The CLI command diagnose test guest list reports null at the end of

output.

184206 Russian FSTEK certification requirement for image checksum.

184314 Add/remove of physical Interface to 802.3ad aggregation brings the

aggregate port down.

184699 The configuration is changed after the first reboot of a firmware upgrade.

184932 Unable to administratively Down or Up a tunnel interface via the CLI in the

config global section.

185422 The modem default route is not installed when a modem is in the non-root

VDOM.

185580 FortiGate devices should be in the pending state when switching accounts

from an old account.

185606 There is an SNMP problem when using 250 VDOMs.

185909 The FG-111C switch works abnormally with FortiOS v5.0.

186100 The server probe does not support PPPoE devices.

186116 The FG-100D LENC cannot update from the FDS.

186448 Cannot login to the FortiCloud portal automatically when a FortiGate device is

managed by FortiManager.

186523 FortiToken activation fails on particular FDS servers.

186530 When configuring two-factor authentication, some super_admin users cannot

see the token.

186540 Setting the speed to 100half/10half does not take effect for 1Gb copper

interfaces.

186672 Multi-VDOM admin's VDOM list sequences affect which token can be used in

two-factor login.

186738 The SNMP trap for IPsec should contain the tunnel name.

186797 The Miglogd daemon uses high CPU when the syslogd2 server is defined.

187002 There is a cmdbsvr segfault when changing firewall policy in the

Web-based Manager.

187274 DDNS stops working.

187327 The CLI hangs when the CLI displays More and CTRL+C is pressed.

187498 Merging daemons causes a signal 11 Crash.

187519 The speed LED on a shared NIC port is not lit on the FG-800C.

187878 Removing the secondary IP disconnects the admin session.

187972 When restoring a multi-VDOM configuration, a configuration error occurs at reboot.

187975 Verify the DNS response code for the AAAA record (RFC 4074) when a record exists.

188016 Unable to delete the default firewall address.

188169 Mass MMS communication sockets are not removed after usage.

188544 The diagnose sys session6 filter command shows src twice.

188772 The diagnose system top command for CPU usage is incorrect.

188844 Time zone is incorrectly displayed.

189189 FortiClient licenses should be kept after an upgrade.

189261 The authd and wad socket pipe fills up the /tmp directory.

190116 There is an unknown field name error message during PPPoE interface configuration.

190185 The update daemon uses up all the fd and stops working.

190848 Unable to create a DHCP server on DHCP interface.

191215 FG-1000C fails to change the MGMT1 interface IP because subnets overlap, even though the subnets do not overlap.

191522 Unable to log into FortiGate via SSH.

Upgrade

Table 24: Resolved upgrade issues

Bug ID Description

162779 Received a Could not load host key: /tmp/ssh_host_rsa_key

message after upgrading a FG-3140B from v4.0 build 0513 to v5.0 build 0023.

180843 A cluster of two FG-40C devices upgraded from v4.0 MR3 Patch Release 6

does not work.

183837 Upgrade unsuccessful due to too many entries in all tables of

.firewall.service.category.

186008 When upgrading from build 0639 to build 0119, HTTPS deep scan does not

upgrade properly.

188354 After upgrading from v4.0 MR3, ports from profile-protocol-options

are not added to the iprope list.

189209 After upgrading from v4.0 MR3 to v5.0, the endpoint-profile should be

set as default.

VoIP

Table 25: Resolved VoIP issues

Bug ID Description

178932 Problems were encountered when enabling the SCCP VoIP profile.

WAN Optimization and Web Proxy

Table 26: Resolved WAN optimization and web proxy issues

Bug ID Description

173668 The user monitor page reports incorrectly for web proxy users authenticated via FSSO.

185273 WAN Optimization byte cache is not used in the reverse direction after a cold start transfer.

185755 While testing explicit web proxy features, a segfault was observed.

187887 In explicit web-proxy, the traffic quota does not expire for HTTPS traffic.

188901 File upload fails (HTTP POST) through explicit proxy on specific websites.

189072 The web proxy firewall policy is lost for special schedule settings.

190746 The WAD daemon crashes for HTTP 0.9 traffic if DLP scan is enabled.

Web-based Manager

Table 27: Resolved Web-based Manager issues

Bug ID Description

149638 Show policy negates the status on the Web-based Manager.

152072 The pre- and post-login warning messages for the admin login are incorrect.

154191 Moving or refreshing the Web Filtering monitor page causes the device to go

into conserve mode.

167572 After changing the language, parts of the Web-based Manager still use the

original language.

167836 Editing an IPsec VPN v6 phase1 will result in an Invalid gateway address

message.

Multiple Fixes for a large number of Web-based Manager bugs.

Bug ID: 169314, 171703, 177692, 178755, 182799, 184117, 186760, 187703,

188286, 188405, 189201, 189799, 190308, 190322, 190461, 190493, 190506,

190728, 190772, 190794, 190796, 190867, 190871, 191005, 191480

171928, 185622 httpsd daemon crash observed in some monitoring pages.

173130 The pull-down menu does not show up correctly when a firewall policy is

created with a certain administrator profile.

176568 Unable to clear the secondary-server configuration of a RADIUS server from

the Web-based Manager.

179645 NAT, traffic shaper, and WAN Optimization settings should be hidden when the

policy action is set to deny.

180177 UTM endpoint control client installers have a directory traversal vulnerability.

182051 The insert section does not work from the Web-based Manager.

182659 Once a firewall address is associated to an interface, it can not be reverted

back to any from the Web-based Manager.

183435 Show the comment text, instead of just a note icon.

183453 The OK button does not save authentication settings in the web-proxy policy.

185173 The FWF-20C LAN + WiFi Setting wizard page displays an Invalid IP Range

message incorrectly. (Build 0114)

185981 Application icons are incorrect in widgets, traffic logs, and application control

lists.

187041 The OS signature is shown on device page when the mouse hovers over the

device.

187083 A mobile token in an activated status incorrectly has provision in the right click

menu.

187465 The DoS policy page will display incorrectly after setting the column ID in the

policy page.

187493 Implicit firewall rules can be moved.

187699 Add policy drag & drop function back into the policy global view.

187826 With some specific wildcard addresses, the Web-based Manager firewall

address page cannot be loaded.

188036, 190446, 190627 Widen columns for user/IP data and recreate tables if table structure is not up to date.

188398 Implicit user identity policy rules' action is shown incorrectly in the Web-based

Manager.

188636 When switching the DLP sensor to the default profile, the Web-based

Manager shows HTTP error 400.

190026 There are HTTP 500 errors on firewall policies, UTM options, and DNS

pages with specific configurations.

190026, 190149 Non-utf8 characters cause Web-based Manager issues.

190149 There is an internal server error when editing a policy that contains special characters.

190292 Move the reboot and shutdown commands to the resource widget.

191057 Missing group in SSL VPN traffic log caused Web-based Manager parser error.

Web Filtering

Table 28: Resolved web filtering issues

Bug ID Description

158996 The FortiGuard override URL is incorrect when using deep inspection and a

CN that contains wildcard characters.

160110 The monitor action of urlfilter should not exempt the block action of

FortiGuard.

164917, 187714 Fix safe search enable issue.

165025 When the customize block page is enabled, the header HTTP/1.1 403 ... is lost

in the HTTP package.

172865 For flow-based web filters, FortiGate devices cannot exempt SSL websites

belonging to the bank category when deep-scan is enabled.

178351 When the local category is set to block, the category action cannot be

disabled.

179265 CN based HTTPS web URL filtering does not work well in an external proxy

environment when exempt is configured as all.

180684 Web filter quota resets incorrectly when the quota is edited.

185181 Browser-based FortiGuard web filter override does not work.

186815 Websites could not be overridden to the Unrated category when using

FortiGate local ratings.

188607 FortiGuard service is intermittently unavailable. A restart of the urlfilter

process is required to recover.

189954, 189987 HTTPS redirect to proxy issue when safe search is enabled.

Wireless

Table 29: Resolved wireless issues

Bug ID Description

131373 WPA on virtual AP devices does not work if the physical WLAN is set to WPA2.

168555 The captive portal FQDN does not work on WiFi interfaces.

177422 There is a problem with the HP tablet related to 802.11n MSDU frame

aggregation.

182204 Manual and auto suppression do not work.

186152 The FWF-20C-ADSL-A has an incorrect wireless default configuration.

186562 Virtual AP intermittently stops working. Displaying the configuration also

failed.

188644 Unable to create more than 508 SSIDs with RADIUS security.

188805 The WPA daemon is crashing, causing all virtual APs to be reconfigured.

189354 Ap-bgscan scheduling does not work.

Known Issues

The known issues tables listed below do not list every bug that has been reported with FortiOS

v5.0 Patch Release 1 build 0147. For inquiries about a particular bug or to report a bug, please

contact Customer Service & Support.

Antivirus

Table 30: Known antivirus issues

Bug ID Description

191950 Files being downloaded while AV is enabled may experience an interruption.

Firewall

Table 31: Known firewall issues

Bug ID Description

186428 The Web-based Manager fails to allow user to add a tag for a firewall address.

191184 VLAN IDs and their assignment to a corresponding NPU may result in the interface not processing ARP requests properly.

FSSO

Table 32: Known FSSO issues

Bug ID Description

186536 The status of the FSSO polling agent in the Web-based Manager is not displayed correctly.

High Availability

Table 33: Known high availability issues

Bug ID Description

192192 Enabling standalone-config-sync may fail to synchronize sessions.

194309 HA uninterruptable upgrade does not work when upgrading from v4.0 MR3 to

v5.0.0.

Affected model: ARM platforms

IPS

Table 34: Known IPS issues

Bug ID Description

171443 An application list traffic shaper fails to be applied on a FMC-XH0 and a FMC-XG2 card.

IPsec VPN

Table 35: Known IPsec VPN issues

Bug ID Description

192347 The FortiGate device may drop sessions with NP4/IPsec offload in a hub and spoke or spoke to spoke traffic topology.

Logging and Reporting

Table 36: Known logging and reporting issues

Bug ID Description

183778 DoS logs do not contain the interface-policy ID.

191808 The FortiGate device fails to generate logs for application control with explicit proxy.

SSL VPN

Table 37: Known SSL VPN issues

Bug ID Description

185658 The SSL VPN daemon may experience high CPU.

191725 An SSL VPN may fail to renew passwords when authenticated by LDAPS.

System

Table 38: Known system issues

Bug ID Description

190141 The configuration fails to accept DHCPv6 server domain names beginning

with numbers.

Web-based Manager

Table 39: Known Web-based Manager issues

Bug ID Description

188785 The Web-based Manager displays only one channel in the Client Monitor when bonding is configured.

188936 The Web-based Manager fails to allow usernames with special characters in an identity-based policy.

Wireless

Table 40: Known wireless issues

Bug ID Description

184014 WiFi clients connected to a FortiAP may experience high latency towards the wireless controller.

Upgrade

Table 41: Known upgrade issues

Bug ID Description

192391 A newly created device based policy cannot retain the original policy UTM

related settings after enabling Endpoint Registration.

Limitations

This section outlines the limitations in FortiOS v5.0 Patch Release 1.

Add device access list

If the device-access-list has the action set as deny, you will need to explicitly define a

device in order to allow it to work.

For instance,

config user device
    edit "win"
        set mac 01:02:03:04:05:06
    next
end

config user device-access-list
    edit "wifi"
        set default-action deny
        config device-list
            edit 1
                set action accept
                set device "windows-pc" <-------------the predefined device-category
            next
            edit 2
                set action accept
                set device "win" <-------------the custom device
            next
        end
    next
end

As a result, the predefined device-category entry 1 will not have network access. Only the

custom device entry 2 would be able to get network access.

Image Checksum

The MD5 checksums for all Fortinet software and firmware releases are available at the

Customer Service & Support website located at https://support.fortinet.com. After logging in,

click on Download > Firmware Image Checksum, enter the image file including the extension,

and select Get Checksum Code.

Figure 1: Firmware image checksum tool

Appendix A: FortiGate VM

FortiGate VM system requirements

The following table provides a detailed summary on FortiGate VM system requirements.

For more information see the FortiGate VM product datasheet available on the Fortinet web site,

http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-VM01.pdf.

Table 42: FortiGate VM system requirements

Technical Specifications                      Requirement
Hypervisor Support                            VMware ESX / ESXi 4.0, 4.1, and 5.0
Virtual Machine Form Factor                   Open Virtualization Format (OVF)
Virtual CPUs Supported (Minimum / Maximum)    1 / 8
Virtual NICs Supported (Minimum / Maximum)    2 / 10
Storage Support (Minimum / Maximum)           30GB / 2TB
Memory Support (Minimum / Maximum)            512GB / 12GB (varies per VM level)
High Availability Support                     Yes

FortiGate VM firmware

Fortinet provides FortiOS VM firmware images in two formats:

• .out: Use this image for new physical appliance installations and for upgrades to existing ones. Upgrades to existing virtual machine installations are also distributed in this format.

• ovf.zip: Use this image for new VM installations. It contains a deployable Open Virtualization Format (OVF) virtual machine package for VMware ESXi installations.
