Release Notes v4.0 MR1 01-410-84420-20090828 FortiGate® Multi-Threat Security System

FortiOS v4.0 MR1 Release Notes


Release Notes FortiOS v4.0 MR1

Table of Contents

1 FortiOS v4.0 MR1
    1.1 Summary of Enhancements Provided by v4.0 MR1
2 Special Notices
    2.1 General
    2.2 Configuration Files Backups
    2.3 External Modem Support
    2.4 SSL-VPN Notes
    2.5 Logging to FortiAnalyzer using AMC Hard Disk
    2.6 AV Scanning Of Archived Files
    2.7 WCCP Multi-VDom Support
    2.8 Endpoint Control
    2.9 Identity Based Policy
    2.10 Supported Character Sets
    2.11 ASM-SAS Module Support
    2.12 AntiSpam Engine Support
    2.13 Wireless Control Support for FWF-80CM
    2.14 FortiGuard support for IPv6
3 Upgrade Information
    3.1 Upgrading from FortiOS v3.00 MR6/MR7
    3.2 Upgrading from FortiOS v4.0
4 Downgrading to FortiOS v3.00
5 Fortinet Product Integration and Support
    5.1 FortiManager Support
    5.2 FortiAnalyzer Support
    5.3 FortiClient Support
    5.4 Fortinet Server Authentication Extension (FSAE) Support
    5.5 AV Engine and IPS Engine Support
    5.6 3G MODEM Support
    5.7 AMC Module Support
    5.8 SSL-VPN Support
        5.8.1 SSL-VPN Standalone Client
        5.8.2 SSL-VPN Web Mode
    5.9 SSL-VPN Host Compatibility List
6 Resolved Issues in FortiOS v4.0 MR1
    6.1 Command Line Interface (CLI)
    6.2 Web User Interface
    6.3 System
    6.4 High Availability
    6.5 Router
    6.6 Firewall
    6.7 VPN
    6.8 Web Filter
    6.9 Data Leak Prevention
    6.10 Instant Message
    6.11 Endpoint Control
    6.12 Log & Report

i August 28, 2009


    6.13 FSAE (FortiGate)
7 Known Issues in FortiOS v4.0 MR1
    7.1 Command Line Interface (CLI)
    7.2 Web User Interface
    7.3 System
    7.4 High Availability
    7.5 Firewall
    7.6 Antivirus
    7.7 IPS
    7.8 Data Leak Prevention
    7.9 Instant Message
    7.10 Peer-to-Peer (P2P)
    7.11 Application Control
    7.12 VPN
    7.13 WAN Optimization
    7.14 Log & Report
8 Image Checksums
9 Appendix A – P2P Clients and Supported Configurations
10 Appendix B – Knowledge Base Articles
11 Appendix C – Sample SQL Report Configuration for WAN Optimization

Change Log

Date        Change Description

2009-08-24  Initial Release.

2009-08-25  Removed ASM-SAS Module Support for FGT-3600A, FGT-3016B, FGT-620B, and FGT-310B models. Added bug 108672 to Known Issues section.

2009-08-28  Added bug 101070 to Resolved Issues section.

© Copyright 2009 Fortinet Inc. All rights reserved. Release Notes FortiOS™ v4.0 MR1.

Trademarks

Copyright© 2009 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com


1 FortiOS v4.0 MR1

This document provides installation instructions, and addresses issues and caveats in FortiOS™ v4.0 MR1 B0178 release. The following outlines the release status for several models.

Model: FGT-3810A, FGT-5001A, FGT-3016B

FortiOS v4.0 MR1 Release Status: This model is released on a special branch based off of FortiOS v4.0 MR1 – fg_4-1_fortinpu_rel/build_tag_5032. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5032 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 178.

Note: The ASM-CE4, ADM-XE2, and RTM-XD2 modules are supported on these FortiGate models.

Model: FGT-30B, FGT-50B, FWF-50B, FGT-60B, FWF-60B, FGT-100A, FGT-110C, FGT-200A, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-3600, FGT-3600A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2.

FortiOS v4.0 MR1 Release Status: All models are supported on the regular v4.0 MR1 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR1 release.

1.1 Summary of Enhancements Provided by v4.0 MR1

The following is a brief list of the new features added in FortiOS v4.0 MR1.

• Supports Log Storage in SQL Format
• Supports IKEv2
• Supports Multiple FortiAnalyzer and/or Syslog Devices Per-VDom
• Supports IPv6 Dynamic Routing
• Introduction of Per-VDom Dashboard
• SNMPv3 Encryption & Authentication
• Supports Enhanced DHCP over IPSec as IKE Configuration Method
• Enhanced DNS Server
• Introduction of Strict Password Options
• Safe Search Feature for Web Filtering
• IPv6 Extensions
• DLP International Character Sets
• Web Content Block/Exempt List Merge
• Schedule Groups
• Traffic Shaping Extensions
• Support for Replacement Message Groups
• SSL-VPN Enhancements
• Supports Reliable Syslog
• Supports Multiple Schedule Objects per Firewall Policy
• LDAP Authentication Improvements
• Enhanced Application Control Statistics
• Supports IPv6 AV scanning and Management Access
• Supports Reporting based on SQL Logs
• Supports Cookie-based Overrides on FortiCarrier Platforms
• Supports SIP over IPv6
• DLP Archive
• SIP Enhancements
• Log Reduction & Optimization
• Supports Wireless Controller
• Easy FortiCare and FortiGuard Services Registration and Renewal
• Endpoint Control Enhancements
• Supports Per-VDom Replacement Messages
• Alert Message Console Enhancements
• Interface Status Detection for Gateway Load Balancing
• Dynamic Profile Enhancements for FortiCarrier Platforms


2 Special Notices

2.1 General

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 6.0/7.0 and Firefox 3.0x are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper display of the Web UI screens.

• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than those currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

2.2 Configuration Files Backups

Configuration files that are backed up in FortiOS v4.0 MR1 without the encryption option are saved in clear text and are not compressed. It is recommended that you enable encryption for security reasons on the authentication certificates used in VPNs, SSL-VPNs, and administrative access.

2.3 External Modem Support

Configuration of modems on FortiGate models that only support external modems can be performed only through the CLI in FortiOS v4.0 MR1.

2.4 SSL-VPN Notes

The following is a special notice related to the SSL-VPN implementation.

• The "RDP to Host" option in web mode can accept a keyboard layout setting as a parameter when the client connects to a server.

• In the "RDP to Host" field type:
    • <IP address or FQDN of the server> -m <language>
    • <language> is one of the following:
        • ar Arabic
        • da Danish
        • de German
        • en-gb English - Great Britain
        • en-us English - US
        • es Spanish
        • fi Finnish
        • fr French
        • fr-be Belgian French
        • fr-ca French (Canada)
        • fr-ch French (Switzerland)
        • hr Croatian
        • it Italian
        • ja Japanese
        • lt Lithuanian
        • lv Latvian
        • mk Macedonian
        • no Norwegian
        • pl Polish
        • pt Portuguese
        • pt-br Brazilian Portuguese
        • ru Russian
        • sl Slovenian
        • sv Swedish
        • tk Turkmen
        • tr Turkish

2.5 Logging to FortiAnalyzer using AMC Hard Disk

If logging to a FortiAnalyzer is enabled and the "Log to AMC Hard Disk & Upload to FortiAnalyzer" option is enabled, all logs are stored on the AMC Hard Disk before being sent to FortiAnalyzer. In the event of an AMC hard disk failure, all logs stored on the hard disk waiting to be sent to the FortiAnalyzer may be lost.

2.6 AV Scanning Of Archived Files

The decompression nesting levels for archived files being scanned by the AV engine can now be configured through the CLI. The default decompression level is set to 12.

2.7 WCCP Multi-VDom Support

WCCPv2 is a per-vdom feature, hence the WCCP configuration and web cache should reside on the same VDom. The FortiGate does not support scenarios where WCCPv2 settings are distributed on different VDoms.

2.8 Endpoint Control

The Endpoint Control check feature cannot be used with load balance VIP.

2.9 Identity Based Policy

Firewall policy authentication has been reworked in FortiOS v4. Any firewall policy that requires authentication is now known as an Identity Based Policy. You can assign a different schedule, service, protection profile, and traffic shaping to different user groups in one main firewall policy.


2.10 Supported Character Sets

The following character sets are supported by the web filter and spam filter features.

• Japanese
    • jisx0201
    • jisx0208
    • jisx0212
    • sjis
    • euc_jp
    • ISO 2022_jp
    • ISO 2022_jp1
    • ISO 2022_jp2
    • ISO 2022_jp3

• Chinese
    • gb2312
    • euc_cn
    • ces_gbk
    • ces_big5
    • hz

• Korean
    • ksc5601_ex
    • euc_kr

• Thai
    • tis620
    • cp874

• Latin (French, German, Spanish and Italian)
    • ISO 8859_1
    • cp1252

• Serbian, Macedonian, Bulgarian and Russian
    • cp1251

2.11 ASM-SAS Module Support

FortiOS v4 supports the ASM-SAS module on the following models:

• FGT-5001A
• FGT-3810A

2.12 AntiSpam Engine Support

AS engine and AS heuristic rule set updates from the FortiGuard system will be supported in a future release for FortiOS.

2.13 Wireless Control Support for FWF-80CM

The FortiOS v4.0 MR1 wireless controller feature is not supported on FWF-80CM.

2.14 FortiGuard support for IPv6

FortiGuard does not support the URL rating of IPv6 addresses. URLs that resolve through DNS to an IPv6 address do have a supported rating and filtering.


3 Upgrade Information

3.1 Upgrading from FortiOS v3.00 MR6/MR7

FortiOS v4.0 MR1 officially supports upgrade from the most recent Patch Release in MR6 or MR7. See the upgrade path below. The arrows indicate "upgrade to".

[MR6]
The upgrade is supported from FortiOS v3.00 B0678 Patch Release 6 or later.

MR6 B0678 Patch Release 6 (or later)
↓
v4.0 MR1 B0178 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[MR7]
The upgrade is supported from FortiOS v3.00 B0744 Patch Release 6 or later.

MR7 B0744 Patch Release 6 (or later)
↓
v4.0 MR1 B0178 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Log Settings Changes]
In FortiOS v4, the option to configure a rule under 'config log trafficfilter' has been removed, therefore any related configuration is lost upon upgrading from FortiOS MR6 to FortiOS v4.0 MR1.

[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v4 to match the port names on the face plate. After upgrading from FortiOS v3.0 MR6 to FortiOS v4.0 MR1, all port names in the FortiGate configuration are changed as per the following port mapping.

Old port names before upgrading    New port names after upgrading
port1                              mgmt1
port2                              mgmt2
port3                              port1
port4                              port2
port5                              port3
port6                              port4
port7                              port5
port8                              port6
port9                              port7
port10                             port8
port11                             port9
port12                             port10
port13                             port11
port14                             port12
port15                             port13
port16                             port14
port17                             port15
port18                             port16

Note: After the release of FortiOS v3.00 MR6 firmware, a new revision of the FGT-3016B included a name change to two ports on the left side of the faceplate. Previously, they were labeled 1 and 2. Now they are called MGMT 1 and MGMT 2. However, the BIOS still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.

[System Settings]
In FortiOS v4.0.0, the p2p-rate-limit setting under 'config system settings' has been removed, therefore any related configuration is lost upon upgrading from FortiOS MR6/MR7 to FortiOS v4.0 MR1.

[Router Access-list]
All configuration under 'config router access-list' may be lost after upgrading from FortiOS v3.0.0 MR6/MR7 to FortiOS v4.0 MR1.

[Identity Based Policy]
Firewall policy authentication has been reworked in FortiOS v4. Any firewall policy that requires authentication is now known as an Identity Based Policy. Previously, a separate authentication firewall policy had to be created for different schedules, services, and traffic shaping settings, but in FortiOS v4 all firewall authentication settings are configured in the Identity Based Policy section of a firewall policy. If no traffic matches any of the Identity Based Policies, the traffic is subjected to an implicit DENY ALL. For example:

In FortiOS v3.00 MR6/MR7

config firewall policy
    edit 1
        set action accept
        set groups grp1 grp2
        set service HTTP
        ...
    next
    edit 2
        set action accept
        set service TELNET
    next
    ...
end

After upgrading to FortiOS v4.0 MR1

config firewall policy
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
    edit 2
        set action accept
        set service TELNET
    next
end

In FortiOS v4.0 MR1, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of Identity Based Policy. To correct the behaviour, you must move the non-Identity Based Policy (TELNET policy) above the Identity Based Policy.

Reorganized policy in FortiOS v4.0 MR1

config firewall policy
    edit 2
        set action accept
        set service TELNET
    next
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
end

[IPv6 Tunnel]
All configuration under 'config system ipv6-tunnel' may be lost after upgrading from FortiOS v3.0.0 MR7 to FortiOS v4.0 MR1.

[User Group]
In FortiOS v3.00 a protection profile can be assigned to a user group from the web UI, but in FortiOS v4.0 it can only be assigned from the CLI.

[Zone Configuration]
In FortiOS v3.00 a Zone name could be up to 32 characters, but in v4 the limit has changed to 15 characters. Any Zone names in FortiOS v3.00 with more than 15 characters will be lost after upgrading to FortiOS v4.0 MR1.

[IPv6 Vlan Interfaces]
VLAN interfaces with an ipv6-address configured will be lost after upgrading from FortiOS v3.00 to FortiOS v4.0 MR1.

[VIP Settings]
The 'set http-ip-header' setting under VIP configuration will inadvertently get set to disable after upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1.

[FDS Push-update Settings]
The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS v4.0 MR1.

[Content Archive Summary]
The content archive summary related configuration will be lost after upgrading to FortiOS v4.0 MR1.

[RTM Interface Configuration]
Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0 MR1, the RTM interface and some of the configuration that uses RTM objects are not retained. In FortiOS v3.00, RTM objects used upper-case letters, such as "RTM/1". FortiOS v4.0 MR1 uses lower-case letters for RTM objects.

[SSL-VPN Bookmarks]
Some SSLVPN bookmarks may be lost after upgrading to FortiOS v4.0 MR1.

[Web Filter Exempt List]
FortiOS v4.0 MR1 merged the web content block and web content exempt list into one list. Upon upgrading to v4.0 MR1, ONLY the web content block list is retained.

3.2 Upgrading from FortiOS v4.0

FortiOS v4.0 MR1 officially supports upgrade from the most recent Patch Release in FortiOS v4.0.0. See the upgrade path below. The arrows indicate "upgrade to".

[FortiOS v4.0]
The upgrade is supported from FortiOS v4.0.3 B0106 Patch Release 3 or later.

v4.0.3 B0106 Patch Release 3 (or later)
↓
v4.0 MR1 B0178 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration]
If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR1 the ips-sniffer-mode setting will be changed to disable.

[Webfilter Banned Word and Exempt Word List]
FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under "config webfilter content". Upon upgrading to v4.0 MR1, ONLY the banned word list is retained. For example:

In FortiOS v4.0.3

config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end

After upgrading to FortiOS v4.0 MR1

config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

Before upgrading, back up your configuration, parse the webfilter exempt list entries, and merge them into the webfilter content list after the upgrade.

After merging the exempt list from v4.0.3 to the webfilter content list

config webfilter content
    edit 1
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
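
One way to script the parse-and-merge step described above, as an added example that is not part of Fortinet's release notes: it reads the exempt list out of a v4.0.3 backup, emits the merged "config webfilter content" block, and reports any word that is both banned and exempt instead of silently exempting it. The function names, the pairing of lists by edit id, and the constructed sample backup are assumptions; the CLI keywords are the ones shown in the samples above.

```python
import shlex

# Constructed v4.0.3 backup fragment modelled on the sample in these notes;
# "badword2" is also listed as exempt to exercise the conflict path.
SAMPLE_BACKUP = """\
config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end
"""


def parse_word_lists(backup_text, section):
    """Parse `config webfilter <section>` into {list_id: {"name", "entries"}}."""
    lists, depth, current, entry = {}, 0, None, None
    for raw in backup_text.splitlines():
        line = raw.strip()
        if depth == 0:  # outside the section: skip untokenised, watch for its header
            depth = 1 if line == f"config webfilter {section}" else 0
            continue
        tokens = shlex.split(line)
        verb = tokens[0] if tokens else ""
        if verb in ("config", "end"):
            depth += 1 if verb == "config" else -1
        elif verb == "edit" and depth == 1:  # a word list, e.g. `edit 1`
            current = lists.setdefault(tokens[1], {"name": None, "entries": {}})
        elif verb == "edit":  # a word inside `config entries`
            entry = current["entries"].setdefault(tokens[1], [])
        elif verb == "next":
            entry = None
        elif verb == "set" and entry is not None:
            entry.append(line)  # keep the raw `set ...` line for re-emission
        elif verb == "set" and tokens[1] == "name":
            current["name"] = tokens[2]
    return lists


def merge_exempt(banned, exempt):
    """Merge one exempt list into one banned list; a word in both stays banned and is reported."""
    merged, conflicts = {}, []
    for word, settings in exempt["entries"].items():
        if word in banned["entries"]:
            conflicts.append(word)
        else:
            # Settings other than `status` are copied as found (unverified on MR1).
            merged[word] = ["set action exempt"] + settings
    merged.update(banned["entries"])
    return merged, conflicts


def render_content(list_id, name, entries):
    """Render one `config webfilter content` list as CLI text."""
    out = ["config webfilter content", f"    edit {list_id}", "        config entries"]
    for word, settings in entries.items():
        out.append('            edit "%s"' % word.replace('"', '\\"'))
        out += ["                " + s for s in settings] + ["            next"]
    out += ["        end"] + ([f'        set name "{name}"'] if name else [])
    return "\n".join(out + ["    next", "end"])


def build_merge_script(backup_text):
    """Pair lists by `edit` id (an assumption); return (cli_text, conflicts)."""
    banned, exempt = (parse_word_lists(backup_text, s) for s in ("bword", "exmword"))
    blocks, conflicts = [], {}
    for list_id, ex in exempt.items():
        ban = banned.get(list_id, {"name": ex["name"], "entries": {}})
        merged, clash = merge_exempt(ban, ex)
        blocks.append(render_content(list_id, ban["name"], merged))
        if clash:
            conflicts[list_id] = clash
    return "\n".join(blocks), conflicts


if __name__ == "__main__":
    cli, conflicts = build_merge_script(SAMPLE_BACKUP)
    print(cli, conflicts, sep="\n")
```

Run it against the backup taken before the upgrade, and resolve any reported conflicts by hand before applying the generated block.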

[VoIP Settings]
FortiOS v4.0 MR1 adds functionality to archive messages and files caught by the Data Leak Prevention feature, which includes some VoIP messages. However, some scenarios have implications for configuration retention on upgrade. Consider the following:

• FortiGate in v4.0.3 has two protection profiles: PP1 and PP2.
• PP1 contains
    o DLP sensor: DLP1
    o Application control list: APP1 which archives SIP messages
• PP2 contains
    o DLP sensor: DLP1
    o Application control list: APP2 which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR1, the VoIP settings are not moved into the DLP archive feature.

[Management Tunnel Configuration]
The 'config system management-tunnel' command has been removed in FortiOS v4.0 MR1. The management-tunnel settings have been integrated into the central-management feature.

[NNTP DLP Archive]
NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR1.


4 Downgrading to FortiOS v3.00

Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Fortinet Product Integration and Support

5.1 FortiManager Support

FortiOS v4.0 MR1 is supported by FortiManager v4.0 MR1.

5.2 FortiAnalyzer Support

FortiOS v4.0 MR1 is supported by FortiAnalyzer v4.0 MR1.

5.3 FortiClient Support

FortiOS v4.0 MR1 is supported by FortiClient v4.0 MR1 for the following:

• 32-bit version of Microsoft XP
• 32-bit version of Microsoft Vista
• 64-bit version of Microsoft Vista

5.4 Fortinet Server Authentication Extension (FSAE) Support

FortiOS v4.0 MR1 is supported by FSAE v3.00 B047 (FSAE collector agent 3.5.047) for the following:

• 32-bit version of Microsoft Windows 2003 Server
• 64-bit version of Microsoft Windows 2003 Server
• 32-bit version of Microsoft Windows 2008 Server
• 64-bit version of Microsoft Windows 2008 Server
• Novell E-directory 8.8.

IPv6 currently is not supported by FSAE.

5.5 AV Engine and IPS Engine Support

FortiOS v4.0 MR1 is supported by AV Engine 3.00013 and IPS Engine 1.00127.

5.6 3G MODEM Support

The following models and service providers were tested.

Service Provider  3G Card                                 Identification (IMEI)  Datacard Firmware

Canada
Telus             ZTE MY39                                -                      P650M1V1.0.2_Telus_060331
Rogers            Option Globetrotter Qualcomm 3G GX0202  352115011023553        1.10.8Hd
Rogers            Huawei E220                             358191017138137        11.110.05.00.00
Rogers            Sierra AirCard 595                      -                      p1906000,5077

APAC
E-Mobile          NEC Infrontia Corporation D01NE         -                      -
E-Mobile          NEC Infrontia Corporation D02NE         -                      -
E-Mobile          Longcheer Holdings Limited D11LC        353780020859740        LQA0012.1.2_M533A

AMER
Telecom           Sierra Compass 597                      -                      Rev 1.0 (2), p2314500,4012
Optus             Huawei E169                             358109021556466        11.314.17.00.00
Hutchison/3       Huawei E220                             358191017339891        11.117.09.00.100
Telecom           Sierra 597E                             -                      p2102900,4012
Vodafone          Huawei E220                             354136020989038        11.117.09.04.00
Soul/TPG          Huawei E220                             358193016941644        11.117.08.00.00

5.7 AMC Module Support

FortiOS v4.0 MR1 supports AMC removable modules. These modules are not hot swappable. The FortiGate must be turned off before the module is inserted or removed.

AMC Modules and FortiGate Support

• Internal Hard Drive (ASM-S08): FGT-310B, FGT-620B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
• Single Width 4-port 1Gbps Ethernet interface (ASM-FB4): FGT-310B, FGT-620B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
• Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2): FGT-3810A, FGT-5001A-DW
• Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8): FGT-3810A, FGT-5001A-DW
• Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2): FGT-310B, FGT-620B, FGT-3016B, FGT-3600A, FGT-3810A
• Single Width 4-port Ethernet bypass interface (ASM-CX4): FGT-310B, FGT-620B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW
• AMC Security Processing Engine Module (ASM-CE4): FGT-3810A, FGT-3016B
• AMC Security Processing Engine Module (ADM-XE2): FGT-3810A, FGT-5001A-DW
• Rear Transition Module (RTM-XD2): FGT-5001A-DW to support RTM-XD2

5.8 SSL-VPN Support

5.8.1 SSL-VPN Standalone Client

FortiOS v4.0 MR1 supports the SSL-VPN tunnel client standalone installer B2069 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows XP and Vista

The following Operating Systems were tested.

| Windows | Linux | Mac OS X |
|---|---|---|
| Windows XP 32-bit SP2 | CentOS 5.2 (2.6.18-el5) | Leopard 10.5 |
| Windows XP 64-bit SP1 | Ubuntu 8.0.4 (2.6.24-23) | |
| Windows Vista 32-bit SP1 | | |
| Windows Vista 64-bit SP1 | | |

Virtual Desktop Support

• Windows XP 32-bit SP2
• Windows Vista 32-bit SP1

5.8.2 SSL-VPN Web Mode

The following browsers and operating systems were tested with SSL-VPN web mode.

| Operating System | Browser |
|---|---|
| Windows XP 32-bit SP2 | IE6, IE7, and FF 3.0 |
| Windows XP 64-bit SP1 | IE7 and FF 3.0 |
| Windows Vista 32-bit SP1 | IE7, IE8, and FF 3.0 |
| Windows Vista 64-bit SP1 | IE7 and FF 3.0 |
| CentOS 5.2 (2.6.18-el5) | FF 1.5 and FF 3.0 |
| Ubuntu 8.0.4 (2.6.24-23) | FF 3.0 |
| Mac OS X Leopard 10.5 | Safari 3.2 |

5.9 SSL-VPN Host Compatibility List

The following Antivirus and Firewall client software packages were tested.

Windows XP

| Product | Antivirus | Firewall |
|---|---|---|
| Symantec Endpoint Protection v11 | √ | √ |
| Kaspersky Antivirus 2009 | √ | ✗ |
| McAfee Security Center v8.1 | √ | √ |
| Trend Micro Internet Security Pro | √ | √ |
| F-Secure Internet Security 2009 | √ | √ |


6 Resolved Issues in FortiOS v4.0 MR1

The resolved issues listed below do not include every bug that has been corrected with this release. For inquiries about a particular bug, contact Customer Support.

6.1 Command Line Interface (CLI)

Description: No log entry is generated when a file over the uncompsizelimit is passed through the FortiGate.
Bug ID: 85425
Status: Fixed in v4.0 MR1.

6.2 Web User Interface

Description: IPS packet log viewer displays errors when trying to examine packets.
Bug ID: 100644
Status: Fixed in v4.0 MR1.

Description: SSL-VPN web UI page does not get translated to the French language correctly.
Bug ID: 78640
Status: Fixed in v4.0 MR1.

Description: UTM > Application Control > Statistics web UI page does not get translated to the Korean language correctly.
Bug ID: 93020
Status: Fixed in v4.0 MR1.

6.3 System

Description: The FortiGate does not ignore the broadcast flag in DHCPDISCOVER or DHCPREQUEST messages.
Bug ID: 99765
Status: Fixed in v4.0 MR1.

Description: WAN-Optimization and Load Balance SSL Offloading do not support 4096-bit certificates.
Bug ID: 91535
Status: Fixed in v4.0 MR1.

Description: Wan2 interface of the FortiGate-111C does not receive STP packets.
Bug ID: 100596
Status: Fixed in v4.0 MR1.
Models Affected: FGT-111C and FGT-110C

Description: ICMP type 3 code 4 message is dropped by the FortiGate.
Bug ID: 97746
Status: Fixed in v4.0 MR1.

Description: FQDN object resolution is truncated to 32 characters in DNS packets.
Bug ID: 94087
Status: Fixed in v4.0 MR1.

Description: Authentication daemon (authd) may crash if keepalive is enabled and the original URL is longer than 127 characters.
Bug ID: 96601
Status: Fixed in v4.0 MR1.

Description: merged_daemons may cause a memory leak when LDAP user authentication is configured.
Bug ID: 98457
Status: Fixed in v4.0 MR1.

6.4 High Availability

Description: 'Top Viruses' and 'Top Attacks' widgets do not work on Virtual Cluster 2's master FortiGate.
Bug ID: 96566
Status: Fixed in v4.0 MR1.

Description: Slave FortiGate's console may show unexpected sync messages while syncing with the master.
Bug ID: 90341
Status: Fixed in v4.0 MR1.

Description: HA slave cannot sync a firewall address with its associated interface set to an IPSec interface.
Bug ID: 97029
Status: Fixed in v4.0 MR1.

Description: The output of some commands, like 'get system status', is not correct when retrieving information from another member using 'exe ha manage'.
Bug ID: 56258
Status: Fixed in v4.0 MR1.

6.5 Router

Description: IPv6 static route cannot be added to the kernel if the route is configured before the IPv6 interface address configuration.
Bug ID: 90495
Status: Fixed in v4.0 MR1.

Description: IPv6 static routes exist in the kernel even if the gateway is unable to route.
Bug ID: 90473
Status: Fixed in v4.0 MR1.

6.6 Firewall

Description: User is unable to access web pages hosted on a Zope server when traffic is going through the FortiGate's HTTP proxy.
Bug ID: 78246
Status: Fixed in v4.0 MR1.

Description: If a policy has authentication disclaimer and shaper enabled, then the session is authenticated but the shaper is not applied.
Bug ID: 100747
Status: Fixed in v4.0 MR1.

Description: FortiGate inadvertently deletes third-party cookies if they happen to be on the same line as the FortiGate server cookie.
Bug ID: 101070
Status: Fixed in v4.0 MR1.

6.7 VPN

Description: Renaming an IPSec phase1-interface entry may cause partial loss of firewall policy and network configuration.
Bug ID: 94373
Status: Fixed in v4.0 MR1.

Description: SSL host third-party antivirus check plug-in does not detect AVG antivirus scanner.
Bug ID: 89356
Status: Fixed in v4.0 MR1.

Description: Multicast forwarding does not work in SSL-VPN tunnel mode.
Bug ID: 97233
Status: Fixed in v4.0 MR1.

Description: SSL-Proxy CA certificate cannot be exported via CLI or web UI.
Bug ID: 94595
Status: Fixed in v4.0 MR1.

Description: Linux-based SSL-VPN client saves the password in plain text.
Bug ID: 96357
Status: Fixed in SSL-VPN client B2069.

Description: SSL-VPN web mode does not allow HTTP login on 2 units simultaneously.
Bug ID: 93974
Status: Fixed in v4.0 MR1.

6.8 Web Filter

Description: The webfilter banned word option does not list Russian as a supported language option for the Cyrillic language encoding.
Bug ID: 73616
Status: Fixed in v4.0 MR1.

6.9 Data Leak Prevention

Description: There is no valid range of values defined for the quarantine-expiry setting under ips sensor.
Bug ID: 89091
Status: Fixed in v4.0 MR1.

Description: DLP does not block emails encoded with a non-UTF-8 charset.
Bug ID: 85945
Status: Fixed in v4.0 MR1.

Description: Content-summary to FortiAnalyzer may spike ftpd CPU usage to 99%.
Bug ID: 96520
Status: Fixed in v4.0 MR1.

6.10 Instant Message

The following IMs and their versions were tested in FortiOS v4.1 MR1. As some IM clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the firewall.

| IM Client | Versions | Comment |
|---|---|---|
| AIM | 6.8.14.6 | This IM version uses SSL communication and FortiGate can only Block or Allow it using firewall policy. |
| AIM Classic | 5.9.6089 | none |
| ICQ | 6.5 Build 1042 | none |
| Yahoo! Messenger | 9.0.0.2162 | none |
| MSN Live Messenger | 8.5.1302.1018 | none |

Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR1.
Models Affected: All
Bug ID: See table

| Clients Affected | Versions | Description/Models Affected/Status/BugID |
|---|---|---|
| MSN Live Messenger (MSN2009) | 14.0.8050 | Description: IM proxy cannot block or log file transfers for users using MSN Live messenger 14.0.8050. Status: Fixed in v4.0 MR1. Bug ID: 88310 |

6.11 Endpoint Control

Description: Endpoint Control does not have its own authentication timeout settings and has to use the global auth-timeout settings under 'user setting'.
Bug ID: 89552
Status: Fixed in v4.0 MR1.

Description: If the difference between the time on the FortiGate and the PC is more than one minute, then the FortiGate will block all traffic from that PC.
Bug ID: 91471
Status: Fixed in v4.0 MR1.

6.12 Log & Report

Description: Download link for full FTP archived files is missing.
Bug ID: 107638
Status: Fixed in v4.0 MR1.

Description: Alert email is not sent in the event of an FDS update.
Bug ID: 94152
Status: Fixed in v4.0 MR1.

Description: A false "Connect to FortiAnalyzer" and "Disconnect from FortiAnalyzer" log is shown when logging to FortiAnalyzer is enabled and a vdom is deleted.
Bug ID: 90686
Status: Fixed in v4.0 MR1.

Description: Logging does not work for 'Rogue AP' and 'Wireless Controller' features.
Bug ID: 82934
Status: Fixed in v4.0 MR1.

6.13 FSAE (FortiGate)

Description: A redirect warning message is shown on the user's browser after successful FSAE authentication.
Bug ID: 89671
Status: Fixed in v4.0 MR1.

Description: NTLM authentication to multiple FSAE agents does not work.
Bug ID: 99850
Status: Fixed in v4.0 MR1.


7 Known Issues in FortiOS v4.0 MR1

This section lists the known issues of this release, but is NOT a complete list. For enquiries about a particular bug not listed here, contact Customer Support.

7.1 Command Line Interface (CLI)

Description: FortiGate's console may show "sys_fsae.c:390:[296]" error message when a FSAE server entry under User > Directory Service page is refreshed from web UI.
Bug ID: 87310
Status: To be fixed in a future release.

Description: 'get report database schema' command does not show the full schema for the SQL database.
Bug ID: 107209
Status: To be fixed in a future release.

7.2 Web User Interface

Description: When creating a policy route from web UI, the destination port numbers are not saved if protocol number is set to zero.
Bug ID: 78402
Status: To be fixed in a future release.

Description: The 'Top Viruses' and 'Top Attacks' widget in the System > Status web UI page in Simplified Chinese and Traditional Chinese language using FireFox 2.0 browser may not display the heading properly.
Bug ID: 78344
Status: To be fixed in a future release.

Description: The web UI does not warn the user that an SMTP signature is too long and consequently truncates the signature to 1000 characters.
Bug ID: 65422
Status: To be fixed in a future release.

Description: "Disclaimer and Redirect URL to" setting cannot be seen from web UI after "Identity Based Policy" is disabled.
Bug ID: 108589
Status: To be fixed in a future release.

Description: System > Network > Interface web UI page does not display link status for wlan interface.
Bug ID: 78221
Status: To be fixed in a future release.

Description: The System > Network > Interface web UI page displays incorrect MTU value after override is disabled.
Bug ID: 70688
Status: To be fixed in a future release.

Description: Web UI shows an error when a user group is created with the same name as a pki user.
Bug ID: 90499
Status: To be fixed in a future release.

Description: Auto refresh does not work for UTM > Application Control > Statistics page.
Bug ID: 91846
Status: To be fixed in a future release.

Description: "aps_chk_rolebased_perm_i: entry not found -> no access" error message may be displayed on the FortiGate's console when a VDom admin logs in via web UI. This bug does not affect the login permission of the user or impede the functionality of the FortiGate.
Bug ID: 108651
Status: To be fixed in a future release.

7.3 System

Description: If a FortiGate using an ASM-CX4/FX2 module has multiple VDoms configured and at least one of the VDoms is in TP mode, then the user is allowed to enable amc bypass mode even if all ASM-CX4/FX2 interfaces are assigned to a NAT VDom.
Bug ID: 91519
Status: To be fixed in a future release.

Description: ASM-FB4/FB8 interfaces with fiber SFP may not work when interface speed is set to 1000full.
Bug ID: 90674
Status: To be fixed in a future release.

Description: Traffic going through the ASM-FX2 card keeps getting bypassed when an ASM-CX4 card is used in slot1, an ASM-FX2 card is used in slot2, and bypass-mode is set to disable.
Bug ID: 90017
Status: To be fixed in a future release.

Description: "Dashboard Statistics" settings in protection profile are selected by default and can cause performance issues when antivirus is not enabled.
Bug ID: 84234
Status: To be fixed in a future release.

Description: "Run image without saving" option may fail when tftp burning an image to FortiGate from BIOS menu.
Bug ID: 91310
Status: To be fixed in a future release.

Description: vsd daemon may randomly crash when under heavy load.
Bug ID: 90877
Status: To be fixed in a future release.

Description: The MAC address of the next hop stored in the NP2 session is not updated when the software ARP cache entry is updated.
Bug ID: 99645
Status: To be fixed in a future release.

Description: FTP proxy closes the connection if a multiline response spans more than one packet.
Bug ID: 94779
Status: To be fixed in a future release.

Description: FGT-51B cannot detect Vodafone Huawei K3520 USB modem.
Bug ID: 97350
Status: To be fixed in a future release.
Models Affected: FGT-51B

7.4 High Availability

Description: The master unit in an A-A mode cluster stops load-balancing when a redundant link interface on the slave unit is unplugged.
Bug ID: 58959
Status: To be fixed in a future release.

Description: The master FortiGate's console may display '[ha_auth.c:200]: unsupported auth_sync type 16' error message when upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR1.
Bug ID: 96380
Status: To be fixed in a future release.

Description: In HA A-A mode, FTP session helper may fail to translate the client IP address to the NATed IP address, causing the slave FortiGate to drop FTP traffic.
Bug ID: 98337
Status: To be fixed in a future release.

Description: In an HA cluster, a member without an AMC module can become master over a member with an AMC module if it has a higher priority.
Bug ID: 91001
Status: To be fixed in a future release.

7.5 Firewall

Description: Protection profile is not effective when in SSL offload mode.
Bug ID: 97704
Status: To be fixed in a future release.

Description: Per-IP traffic shaper feature is not supported on NP2 interfaces.
Bug ID: 98144
Status: To be fixed in a future release.

Description: Live streaming radio traffic from www.live365.com does not pass through the FortiGate if http proxy is enabled.
Bug ID: 70963
Status: To be fixed in a future release.

Description: Traffic count on firewall policy will get reset to zero after an HA failover.
Bug ID: 83105
Status: To be fixed in a future release.

Description: Firewall protection profile may not work when in SSL offload mode.
Bug ID: 97704
Status: To be fixed in a future release.

Description: HTTP POST data may be lost if firewall authentication times out in the middle of a session.
Bug ID: 76311
Status: To be fixed in a future release.
Workaround: Enable auth-keepalive

7.6 Antivirus

Description: The FortiGate fails to block HTTP POST operations when the protection profile is configured to block banned words.
Bug ID: 61940
Status: To be fixed in a future release.

Description: File pattern list is not effective if the list exceeds 125 entries.
Bug ID: 90096
Status: To be fixed in a future release.

Description: If a server requires a client-side certificate and the SSL inspection feature is enabled, then the connection will be blocked by the FortiGate. SSL Inspection should not play man-in-the-middle for sessions that use a client certificate.
Bug ID: 87297
Status: To be fixed in a future release.

7.7 IPS

Description: Offloaded traffic to ASM-CE4, ADM-XE2, and RTM-XD2 modules may not get scanned by the IPS engine.
Bug ID: 108714
Status: To be fixed in a future release.
Models Affected: FGT-3016B, FGT-3810A, and FGT-5001A.

Description: Some traffic may be dropped by ASM-CE4, ADM-XE2, and RTM-XD2 modules if IPS scanning is enabled.
Bug ID: 108685
Status: To be fixed in a future release.
Models Affected: FGT-3016B, FGT-3810A, and FGT-5001A.

7.8 Data Leak Prevention

Description: DLP archive for SCCP does not work.
Bug ID: 100458
Status: To be fixed in a future release.

7.9 Instant Message

The following IMs and their versions were tested in FortiOS v4.0 MR1. As some IM clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the firewall.

| IM Client | Versions | Comment |
|---|---|---|
| AIM | 6.8.14.6 | This IM version uses SSL communication and FortiGate can only Block or Allow it using firewall policy. |
| AIM Classic | 5.9.6089 | none |
| ICQ | 6.5 Build 1042 | none |
| Yahoo! Messenger | 9.0.0.2162 | none |
| MSN Live Messenger | 8.5.1302.1018 | none |

Description: The following table lists the known issues with each of the IMs supported by FortiOS v4.0 MR1.
Models Affected: All
Bug ID: See table

| Clients Affected | Versions | Description/Models Affected/Status/BugID |
|---|---|---|
| ICQ | 6.5 Build 1042 | Description: The FortiGate fails to block ICQ login when HTTP proxy is used. Status: To be fixed in a future release. Bug ID: 100946 |
| ICQ | 6.5 Build 1042 | Description: DLP archive does not work for ICQ voice chat. Status: To be fixed in a future release. Bug ID: 99538 |


7.10 Peer-to-Peer (P2P)

Description: IPS Engine 1.00092 has made improvements to the blocking functionality of Skype. However, the Skype protocol can be blocked for only a short period.
Bug ID: 37845
Status: To be fixed in a future release.

Description: IM, P2P & VoIP > Statistics > Summary page may not show accurate P2P usage statistics.
Bug ID: 76943
Status: To be fixed in a future release.

Description: P2P blocking and rate limiting do not work for clients using EMULE (v0.40 or higher) to connect to both the eDonkey network and the Kad network.
Bug ID: 84692
Status: To be fixed in a future release.

7.11 Application Control

Description: An application set to pass may still get blocked if a second 'block all application' rule is added to the same list.
Bug ID: 91669
Status: To be fixed in a future release.

7.12 VPN

Description: SSL-VPN login may fail if the usergroup name contains an "&" character.
Bug ID: 97170
Status: To be fixed in a future release.

Description: SSL-VPN TELNET and SSH applet only supports ISO/IEC 8859-1 encoding. Characters with other encodings may freeze the applet.
Bug ID: 90642
Status: To be fixed in a future release.

Description: User cannot log in to the SSL-VPN portal if the policy is using FQDN as the source address.
Bug ID: 87339
Status: To be fixed in a future release.

Description: HTTPS deep scanning may consume excessive memory, causing the FortiGate to go into conserve mode.
Bug ID: 101447
Status: To be fixed in a future release.

Description: User cannot specify a distance or priority for routes added dynamically for IPSec interface.
Bug ID: 108672
Status: To be fixed in a future release.

7.13 WAN Optimization

Description: wad proxy may cause high memory usage because of a memory leak.
Bug ID: 97742
Status: To be fixed in a future release.

Description: RDP traffic does not work when WANOPT is enabled.
Bug ID: 101614
Status: To be fixed in a future release.

Description: Maximum number of concurrent sessions cannot exceed 49,991 when WAN optimization is enabled.
Bug ID: 98118
Status: To be fixed in a future release.

Description: wad proxy may crash when under heavy traffic.
Bug ID: 95097
Status: To be fixed in a future release.

Description: wad may crash after auto-detect mode for WANOPT rule is changed from passive to active.
Bug ID: 95168
Status: To be fixed in a future release.

7.14 Log & Report

Description: The FortiGate does not use values for the user and group field in log message for SSL-VPN tunnel activity. The fields are filled with N/A.
Bug ID: 58836
Status: To be fixed in a future release.

Description: Content archiving of NNTP files is not supported in FortiOS v3.00 MR6 even though the option appears as grayed out, implying it may be enabled through another configured option.
Bug ID: 44510
Status: To be fixed in a future release.

Description: All default SQL reports are lost after changing opmode from NAT to TP.
Models Affected: FGT-3600A
Bug ID: 108188
Status: To be fixed in a future release.

Description: "Buffer to hard disk and upload" feature may not work when archiving to FAMS.
Bug ID: 108522
Status: To be fixed in a future release.

Description: Only super-admin can access log reports from FortiAnalyzer.
Bug ID: 97730
Status: To be fixed in a future release.

Description: IM logs incorrectly show app_list=N/A.
Bug ID: 89911
Status: To be fixed in a future release.


8 Image Checksums

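9 Appendix A – P2P Clients and Supported Configurations

The following table outlines the supported configurations and related issues with several P2P clients. N/A means either the application does not support the feature or it is not officially tested.

Note: As some P2P clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the firewall.

| Configuration | Action | Skype 3.8 | Kazaa 3.2.7 | BearShare 7.0 | Shareaza 4.1 | BitComet 1.0.7 | eMule 0.49b | Azureus 4.0.0.2 | LimeWire 4.18.8 | iMesh 8.0 | DC++ 0707 | Winny 728 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Standard Ports, Direct Internet Connection | Pass | N/A | N/A | OK | OK | OK | OK | OK | OK | OK | OK | OK |
| Standard Ports, Direct Internet Connection | Block | N/A | N/A | OK | OK | OK | OK | OK | OK | OK | OK | OK |
| Standard Ports, Direct Internet Connection | Rate Limit | N/A | N/A | Bug ID: 86147 | OK | OK | Bug ID: 86452 | OK | Bug ID: 77852 | OK | N/A | OK |
| Standard Ports, Proxy Internet Connection | Pass | N/A | N/A | OK | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Standard Ports, Proxy Internet Connection | Block | N/A | N/A | OK | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Standard Ports, Proxy Internet Connection | Rate Limit | N/A | N/A | OK | N/A | N/A | Bug ID: 86452 | OK | OK | N/A | N/A | N/A |
| Non-standard Ports, Direct Internet Connection | Pass | OK | OK | N/A | OK | OK | OK | OK | OK | OK | N/A | N/A |
| Non-standard Ports, Direct Internet Connection | Block | Bug ID: 37845 | OK | N/A | OK | OK | OK | OK | OK | OK | N/A | N/A |
| Non-standard Ports, Direct Internet Connection | Rate Limit | N/A | OK | N/A | OK | OK | Bug ID: 86452 | OK | Bug ID: 77852 | OK | N/A | N/A |
| Non-standard Ports, Proxy Internet Connection | Pass | OK | OK | N/A | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Non-standard Ports, Proxy Internet Connection | Block | Bug ID: 37845 | OK | N/A | N/A | N/A | OK | OK | OK | N/A | N/A | N/A |
| Non-standard Ports, Proxy Internet Connection | Rate Limit | N/A | OK | N/A | N/A | N/A | Bug ID: 86452 | OK | Bug ID: 77852 | N/A | N/A | N/A |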


10 Appendix B – Knowledge Base Articles

• An article on "Traffic Types and TCP/UDP Ports used by Fortinet Products" can be accessed through the following link: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=10773

• An article on "Communication between FortiManager v4.0 and FortiGate" can be accessed through the following link: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30157


11 Appendix C – Sample SQL Report Configuration for WAN Optimization

The following is a sample configuration for WAN optimization reports based on SQL logs.

config report chart
    edit "wanopt-bw-per-app-last24h"
        set dataset "wanopt-bandwidth-per-app-last24h"
        set graph-type bar
        config x-series
            set databind "field(1)"
        end
        config y-series
            set databind "field(3)"
            set extra-databind "field(2)"
            set extra-y enable
            set extra-y-legend "LAN"
            set y-legend "WAN"
        end
        set title "per apptype wanopt bandwidth summary"
    next
    edit "wanopt-lan-bw-per-app-last24h"
        set dataset "wanopt-lan-bw-per-app-last24h"
        set graph-type pie
        set style manual
        config category-series
            set databind "field(1)"
        end
        config value-series
            set databind "field(3)"
        end
        set title "Wanopt Lan Bandwidth"
    next
    edit "wanopt-bw-per-hour-last24h-tbl"
        set type table
        set dataset "wanopt-bandwidth-per-hour-last24h"
        config column
            edit 1
                set detail-value "ctime(\'DD HH-MM\', field(1))"
                set header-value "Time"
            next
            edit 2
                set detail-value "field(2)+\' MB\'"
                set header-value "LAN"
            next
            edit 3
                set detail-value "field(3)+\' MB\'"
                set header-value "WAN"
            next
            edit 4
                set detail-value "field(4)+\'%\'"
                set header-value "Reduction Rate"
            next
        end
    next
end

config report dataset
    edit "wanopt-bandwidth-per-hour-last24h"
        set query "select (timestamp-timestamp%3600) as hourstamp,sum(lan_in+lan_out) / 1000000.0 as lan, sum(wan_in+wan_out) / 1000000.0 as wan,max(coalesce((sum(lan_in+lan_out)-sum(wan_in+wan_out))*100.0/sum(lan_in+lan_out),0.0), 0.0) as reduce_rate from traffic_log where timestamp >=F_TIMESTAMP(\'now\',\'hour\',\'-23\') and subtype=\'wanopt-traffic\' group by hourstamp order by hourstamp desc"
    next
    edit "wanopt-bandwidth-per-app-last24h"
        set query "select (case (wanopt_app_type in ( select wanopt_app_type from traffic_log where subtype=\'wanopt-traffic\' and timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by wanopt_app_type order by sum(lan_in+lan_out) desc limit 5) ) when 1 then wanopt_app_type else \'others\' end) as wanopt_app_type, sum(lan_in+lan_out)/1000000.0 as lan,sum(wan_in+wan_out)/1000000.0 as wan,max(coalesce((sum(lan_in+lan_out)-sum(wan_in+wan_out))*100.0/sum(lan_in+lan_out),0.0), 0.0) as reduce_rate from traffic_log where subtype=\'wanopt-traffic\' and timestamp >=F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by wanopt_app_type order by lan desc"
    next
    edit "wanopt-lan-bw-per-app-last24h"
        set query "select (case (wanopt_app_type in ( select wanopt_app_type from traffic_log where subtype=\'wanopt-traffic\' and timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by wanopt_app_type order by sum(lan_in+lan_out) desc limit 5) ) when 1 then wanopt_app_type else \'others\' end) as wanopt_app_type, sum(lan_in+lan_out)/1000000.0 as lan,max(coalesce((sum(lan_in+lan_out)*100.0/(select sum(lan_in+lan_out) from traffic_log where subtype=\'wanopt-traffic\' and timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-23\'))),0.0),0.0) as percentage from traffic_log where subtype=\'wanopt-traffic\' and timestamp >=F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by wanopt_app_type order by lan desc"
    next
end

(End of Release Notes.)
