FortiOS v4.0 MR2 Patch Release 13 Release Notes


September 05, 2012

01-4213-180205-20120905

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]

Table of Contents

Change Log
Introduction
FortiOS Carrier
Special Notices
    General
    Important
        Monitor settings for Web-based Manager access
        Supported web browsers
        Before any upgrade
        After any upgrade
Upgrade Information
    Upgrading from FortiOS v4.0
        FortiOS v4.0
        Network interface configuration
        WebFilter Banned Word and Exempt Word List
        VoIP settings
        NNTP DLP Archive
    Upgrading from FortiOS v4.0 MR1
        FortiOS v4.0 MR1
        DLP rule
        System Autoupdate settings
        IPS DoS sensor log setting
    Downgrading to FortiOS v4.0 MR1
Product Integration
    Fortinet Single Sign-On (FSSO) support
    AV Engine and IPS Engine support
    SSL-VPN support
        SSL-VPN standalone client
    FortiAP support
Resolved Issues
    Resolved issues
Limitations
    Citrix XenServer limitations
    Open source Xen limitations
Image Checksums

Change Log

| Date | Change Description |
|---|---|
| 2012-09-05 | Initial release. |
| 2012-09-07 | Changed supported AV Engine and IPS Engine information. |
| 2012-09-11 | Added bug 173399 to Resolved Issues table. |

Introduction

This document provides installation instructions and addresses issues and caveats in FortiOS v4.0 MR2 Patch Release 13 build 0349.

Table 1 outlines the release status for these models.

Table 1: Supported models

| FortiGate Models | v4.0 MR2 Patch Release 13 |
|---|---|
| FG-30B, FG-50B, FG-51B, FG-60B, FG-80C, FG-80CM, FG-82C, FG-100A, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-PoE, FG-224B, FG-300A, FG-310B, FG-311B, FG-310B-DC, FG-400A, FG-500A, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, FG-5002FB2, and FG-5005FA2; FWF-30B, FWF-50B, FWF-60B, FWF-80CM, and FWF-81CM. | All models are supported on the regular v4.0 MR2 Patch Release 13 branch. |
| FG-60C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A | This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_60c/build_tag_5918. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5918 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349. |
| FG-300C | This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_300c/build_tag_4244. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 4244 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349. |
| FortiGate-VM | This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_vmware_esx/build_tag_5919. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5919 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349. |
| FortiGate-One | This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_one/build_tag_5917. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5917 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349. |

See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR2.

FortiOS Carrier

This chapter provides platform support information for FortiOS Carrier v4.0 MR2 Patch Release 13 build 0349.

Table 2 outlines the release status for these models.

See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR2.

Table 2: Supported models

| FortiCarrier Models | FortiOS Carrier v4.0 MR2 Patch Release 13 |
|---|---|
| FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001A, and FCR-5001B. Firmware image filenames begin with FK. | All models are supported on the regular v4.0 MR2 Patch Release 13 branch. |

Special Notices

General

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

Important

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows all the objects in the Web-based Manager to be viewed properly.

Supported web browsers

• Microsoft Internet Explorer 8.0 and 9.0
• Mozilla Firefox 13.0 and 14.0

Before any upgrade

Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

After any upgrade

If you are using the Web-based Manager, clear the browser cache before logging in to the FortiGate unit to ensure the Web-based Manager screens are displayed properly.

The virus and attack definitions included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard Distribution Server. Fortinet recommends performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) as soon as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for detailed procedures.

Upgrade Information

Upgrading from FortiOS v4.0

FortiOS v4.0 MR2 Patch Release 13 officially supports upgrade from FortiOS v4.0 Patch Release 4 or later. See the upgrade path below.

FortiOS v4.0

The upgrade is supported from FortiOS v4.0.4 build 0113 or later.

v4.0.4 build 0113 (or later)
↓
v4.0 MR2 Patch Release 13 build 0349

After every upgrade, ensure that the build number and branch point match the image that was loaded.

Network interface configuration

If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.x, or any subsequent patch, to FortiOS v4.0 MR2 Patch Release 13, the ips-sniffer-mode setting will be changed to disable.

WebFilter Banned Word and Exempt Word List

FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under config webfilter content. After you upgrade to v4.0 MR2, only the banned word list is retained. For example:

In FortiOS v4.0.4:

    config webfilter bword
        edit 1
            config entries
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end

    config webfilter exmword
        edit 1
            config entries
                edit "goodword1"
                    set status enable
                next
                edit "goodword2"
                    set status enable
                next
            end
            set name "ExemptWordList"
        next
    end

After upgrading to FortiOS v4.0 MR2:

    config webfilter content
        edit 1
            config entries
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end

Before upgrading, back up your configuration and parse the webfilter exempt list entries. Then merge them into the webfilter content list after the upgrade.

After merging the exempt list from v4.0.4 to the webfilter content list:

    config webfilter content
        edit 1
            config entries
                edit "goodword1"
                    set action exempt
                    set status enable
                next
                edit "goodword2"
                    set action exempt
                    set status enable
                next
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end
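
The pre-upgrade parsing and post-upgrade merge described above, as an added example that is not part of the Fortinet release notes: it extracts the config webfilter exmword entries from a configuration backup and generates the CLI that re-adds them to config webfilter content with set action exempt. The backup fragment is constructed, and the function names and the choice of target table ID are assumptions.

```python
import re

# Constructed sample: fragment of a v4.0.4 backup using the tables shown above.
SAMPLE_BACKUP = '''
config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
        end
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
    next
end
'''

def parse_exempt_entries(backup_text):
    """Return {table_id: {word: status}} for each 'config webfilter exmword' table."""
    tables, stack = {}, []      # stack holds ("config" | "edit", argument) frames
    for raw in backup_text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, " ".join(args)))
        elif cmd in ("next", "end") and stack:
            stack.pop()         # 'next' closes an edit, 'end' closes a config
        # Path of an exempt word: exmword table / edit N / config entries / edit "word"
        if len(stack) == 4 and stack[0][1] == "webfilter exmword" and stack[2][1] == "entries":
            words = tables.setdefault(stack[1][1], {})
            words.setdefault(stack[3][1], None)
            if cmd == "set" and args[:1] == ["status"] and len(args) > 1:
                words[stack[3][1]] = args[1]
    return tables

def merge_cli(words, target_id):
    """CLI that adds the exempt words to 'config webfilter content' table target_id."""
    out = ["config webfilter content", f"    edit {target_id}", "        config entries"]
    for word, status in words.items():
        out += [f'            edit "{word}"', "                set action exempt"]
        if status:              # carry over the status recorded in the backup
            out.append(f"                set status {status}")
        out.append("            next")
    return "\n".join(out + ["        end", "    next", "end"])

if __name__ == "__main__":
    for table_id, words in parse_exempt_entries(SAMPLE_BACKUP).items():
        print(merge_cli(words, table_id))
```

Review the generated commands against the backup before pasting them into the upgraded unit, since the banned word entries are already retained by the upgrade and only the exempt entries need to be re-added.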

VoIP settings

FortiOS v4.0 MR2 has the functionality to archive messages and files caught by the Data Leak Prevention (DLP) feature, which includes some VoIP messages. However, some scenarios have implications for configuration retention when upgrading. Consider the following:

A FortiGate unit running v4.0.4 has two protection profiles: PP1 and PP2.

• PP1 contains:
    • DLP sensor: DLP1
    • Application control list: APP1 which archives SIP messages
• PP2 contains:
    • DLP sensor: DLP1
    • Application control list: APP2 which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR2 Patch Release 13, the VoIP settings are not moved into the DLP archive feature.

NNTP DLP Archive

NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2 Patch Release 13.

Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR2 Patch Release 13 officially supports upgrade from FortiOS v4.0 MR1 Patch Release 4 or later. See the upgrade path below.

FortiOS v4.0 MR1

The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 build 0196 or later.

v4.0 MR1 Patch Release 4 build 0196 (or later)
↓
v4.0 MR2 Patch Release 13 build 0349

After every upgrade, ensure that the build number and branch point match the image that was loaded.

DLP rule

A DLP rule with the subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2 Patch Release 13.

System Autoupdate settings

The settings under System > Maintenance > FortiGuard will be reset to default values after upgrading to FortiOS v4.0 MR2 Patch Release 13.

IPS DoS sensor log setting

The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR2 Patch Release 2 or later. Regardless of whether the log setting of an IPS DoS sensor is disable or enable on FortiOS v4.0 MR1 Patch Release 9 or any subsequent patch, the setting will be set to disable after upgrading to FortiOS v4.0 MR2 Patch Release 2 or later.

Downgrading to FortiOS v4.0 MR1

Downgrading to FortiOS v4.0 MR1 results in configuration loss on all models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system access profiles.

Product Integration

Fortinet Single Sign-On (FSSO) support

FortiOS v4.0 MR2 Patch Release 13 is supported by FSSO (formerly FSAE) v4.3.0 build 0117 for the following:

• Microsoft Windows Server 2003 R2 32-bit
• Microsoft Windows Server 2003 R2 64-bit
• Microsoft Windows Server 2008 32-bit
• Microsoft Windows Server 2008 64-bit
• Microsoft Windows Server 2008 R2 64-bit
• Novell eDirectory 8.8.

IPv6 is currently not supported by FSSO.

AV Engine and IPS Engine support

FortiOS v4.0 MR2 Patch Release 13 is supported by AV Engine 4.00254 and IPS Engine 1.00247.

SSL-VPN support

SSL-VPN standalone client

FortiOS v4.0 MR2 Patch Release 13 supports the SSL-VPN tunnel client standalone installer build 2270 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista

FortiOS v4.0 MR2 Patch Release 13 also supports AV Engine 4.00398 and IPS Engine 1.00250. When connected to FDS, the AV Engine and IPS Engine will be updated.

Table 3 lists the supported operating systems.

Table 3: Supported operating systems

| Windows | Linux | Mac OS X |
|---|---|---|
| Windows XP 32-bit SP 3 | CentOS 5.6 | Lion 10.7 |
| Windows 7 32-bit SP 1 | | |
| Windows 7 64-bit SP 1 | | |
| Virtual Desktop Support | | |
| Windows 7 32-bit SP 1 | | |

FortiAP support

The following table lists which FortiAP devices and FortiOS operating systems are supported in FortiOS v4.0 MR2 Patch Release 13 build 0349.

Table 4 outlines supported models.

Table 4: Supported models

| FortiAP Model | FortiAP v4.0 MR3 Patch Release 7 |
|---|---|
| FortiAP 210B, FortiAP 220A, FortiAP 221B, FortiAP 222B | These models are supported on the regular v4.0 MR3 branch. |
| FortiOS v4.0 MR2 | For wireless controller support in FortiOS v4.0 MR2 the following firmware image is required: fg_4-2_fortiap/build_tag_6670. The build number for these images in the System > Status page and the output from the get system status CLI command displays 6670. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field. This should read 0349. This firmware image is available under the following directory in the Firmware Images page of the Customer Support site after you login: FortiAP/v4.00/4.0MR2/MR2_Patch_13/Wireless_controller/ |

Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Service & Support.

Resolved issues

Table 5: Resolved issues

| Bug ID | Description |
|---|---|
| 173399 | Ports on certain models may inadvertently shut down after the system has been running for 248 days. Please see Customer Service Bulletin CSB-120813-1. |
| 175110 | Firewall Policy is not installed properly when applied via FortiManager. |

Limitations

This section outlines the limitations in FortiOS v4.0 MR2 Patch Release 13.

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.
• FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
• The XVA format comes preconfigured with default configurations for VM name, vCPU, memory, and vNIC. Other formats will require manual configuration before the first power on process.

Open source Xen limitations

When using Ubuntu 11.10, Xen 4.1.0, and libvirt 0.9.2, importing issues may arise when using the qcow2 format and existing HDA issues.

Image Checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file, including the extension, and select Get Checksum Code.

Figure 1: Customer Service & Support image checksum tool

End of Release Notes