FortiOS v4.0 MR2 Patch Release 13 Release Notes
September 05, 2012
01-4213-180205-20120905
Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
Table of Contents
Change Log
Introduction
FortiOS Carrier
Special Notices
    General
    Important
        Monitor settings for Web-based Manager access
        Supported web browsers
        Before any upgrade
        After any upgrade
Upgrade Information
    Upgrading from FortiOS v4.0
        FortiOS v4.0
        Network interface configuration
        WebFilter Banned Word and Exempt Word List
        VoIP settings
        NNTP DLP Archive
    Upgrading from FortiOS v4.0 MR1
        FortiOS v4.0 MR1
        DLP rule
        System Autoupdate settings
        IPS DoS sensor log setting
    Downgrading to FortiOS v4.0 MR1
Product Integration
    Fortinet Single Sign-On (FSSO) support
    AV Engine and IPS Engine support
    SSL-VPN support
        SSL-VPN standalone client
    FortiAP support
Resolved Issues
    Resolved issues
Limitations
    Citrix XenServer limitations
    Open source Xen limitations
Image Checksums
Change Log
Date Change Description
2012-09-05 Initial release.
2012-09-07 Changed supported AV Engine and IPS Engine information.
2012-09-11 Added bug 173399 to Resolved Issues table.
Introduction
This document provides installation instructions and addresses issues and caveats in FortiOS
v4.0 MR2 Patch Release 13 build 0349.
Table 1 outlines the release status for these models.
Table 1: Supported models

FortiGate Models: FG-30B, FG-50B, FG-51B, FG-60B, FG-80C, FG-80CM, FG-82C, FG-100A, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-PoE, FG-224B, FG-300A, FG-310B, FG-311B, FG-310B-DC, FG-400A, FG-500A, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, FG-5002FB2, and FG-5005FA2; FWF-30B, FWF-50B, FWF-60B, FWF-80CM, and FWF-81CM.
v4.0 MR2 Patch Release 13: All models are supported on the regular v4.0 MR2 Patch Release 13 branch.

FortiGate Models: FG-60C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A
v4.0 MR2 Patch Release 13: This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_60c/build_tag_5918. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5918 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349.

FortiGate Models: FG-300C
v4.0 MR2 Patch Release 13: This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_300c/build_tag_4244. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 4244 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349.
Fortinet Technologies Inc. Page 5 FortiOS v4.0 MR2 Patch Release 13 Release Notes
See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR2.
Table 1: Supported models (continued)

FortiGate Models: FortiGate-VM
v4.0 MR2 Patch Release 13: This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_vmware_esx/build_tag_5919. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5919 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349.

FortiGate Models: FortiGate-One
v4.0 MR2 Patch Release 13: This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_one/build_tag_5917. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5917 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349.
FortiOS Carrier
This chapter provides platform support information for FortiOS Carrier v4.0 MR2 Patch Release
13 build 0349.
Table 2 outlines the release status for these models.
See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR2.
Table 2: Supported models

FortiCarrier Models: FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001A, and FCR-5001B. Firmware image filenames begin with FK.
FortiOS Carrier v4.0 MR2 Patch Release 13: All models are supported on the regular v4.0 MR2 Patch Release 13 branch.
Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory
default settings.
Important
Monitor settings for Web-based Manager access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for
all the objects in the Web-based Manager to be viewed properly.
Supported web browsers
• Microsoft Internet Explorer 8.0 and 9.0
• Mozilla Firefox 13.0 and 14.0
Before any upgrade
Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.
After any upgrade
If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate
to ensure the Web-based Manager screens are displayed properly.
The Virus and Attack definitions included with an image upgrade may be older than the ones
currently available from Fortinet's FortiGuard Distribution Server. Fortinet recommends
performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) as soon
as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for
detailed procedures.
Upgrade Information
Upgrading from FortiOS v4.0
FortiOS v4.0 MR2 Patch Release 13 officially supports upgrade from the FortiOS v4.0 Patch
Release 4 or later. See the upgrade path below.
FortiOS v4.0
The upgrade is supported from FortiOS v4.0.4 build 0113 or later.
v4.0.4 build 0113 (or later)
↓
v4.0 MR2 Patch Release 13 build 0349
After every upgrade, ensure that the build number and branch point match the image that was
loaded.
Network interface configuration
If a network interface has ips-sniffer-mode option set to enable, and that interface is being
used by a firewall policy, then after upgrading from FortiOS v4.0.x, or any subsequent patch, to
FortiOS v4.0 MR2 Patch Release 13, the ips-sniffer-mode setting will be changed to
disable.
WebFilter Banned Word and Exempt Word List
FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under
config webfilter content. After you upgrade to v4.0 MR2, only the banned word list is
retained. For example:
In FortiOS v4.0.4:
    config webfilter bword
        edit 1
            config entries
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end

    config webfilter exmword
        edit 1
            config entries
                edit "goodword1"
                    set status enable
                next
                edit "goodword2"
                    set status enable
                next
            end
            set name "ExemptWordList"
        next
    end
After upgrading to FortiOS v4.0 MR2:
    config webfilter content
        edit 1
            config entries
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end
Before upgrading, back up your configuration and parse the webfilter exempt list entries. Then
merge them into the webfilter content list after the upgrade.
After merging the exempt list from v4.0.4 into the webfilter content list:
    config webfilter content
        edit 1
            config entries
                edit "goodword1"
                    set action exempt
                    set status enable
                next
                edit "goodword2"
                    set action exempt
                    set status enable
                next
                edit "badword1"
                    set status enable
                next
                edit "badword2"
                    set status enable
                next
            end
            set name "BannedWordList"
        next
    end
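
The merge procedure above, as an added example (not Fortinet tooling and not part of the original release notes): a Python script that reads a pre-upgrade v4.0.4 backup, extracts the config webfilter exmword entries, and emits the CLI to paste on the upgraded unit. The sample backup is constructed; the function names, the content_id parameter (assumed to be the ID of the retained banned word list), and the choice to hold back words that also appear in the banned list are assumptions of this example.

```python
import shlex

# Constructed sample: fragment of a v4.0.4 backup in the layout shown above.
SAMPLE_BACKUP = '''\
config webfilter bword
    edit 1
        config entries
            edit "shared"
                set status enable
            next
        end
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "shared"
                set status enable
            next
        end
    next
end
'''

def parse_word_list(config_text, section):
    """Return {word: status or None} for the entries under 'config <section>'."""
    words, stack, current = {}, [], None
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw) or [""]
        except ValueError:  # unbalanced quote, e.g. inside a multi-line value
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif stack == [section, "entries"] and tok[0] == "edit":
            current = tok[1]
            words[current] = None
        elif stack == [section, "entries"] and tok[:2] == ["set", "status"]:
            words[current] = tok[2]
    return words

def build_merge_cli(backup_text, content_id="1"):
    """Return (cli_text, manual): CLI for the upgraded unit, words held back."""
    banned = parse_word_list(backup_text, "webfilter bword")
    exempt = parse_word_list(backup_text, "webfilter exmword")
    # Held back: also banned (would turn a ban into an exemption) or needs quoting.
    manual = [w for w in exempt if w in banned or '"' in w or "\\" in w]
    out = ["config webfilter content", f"edit {content_id}", "config entries"]
    for word, status in exempt.items():
        if word not in manual:
            out += [f'edit "{word}"', "set action exempt"]
            out += ([f"set status {status}"] if status else []) + ["next"]
    out += ["end", "next", "end"]
    return "\n".join(out), manual
```

Call build_merge_cli() with the text of the saved backup file; review the returned list of held-back words by hand before adding any of them as exempt entries.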
VoIP settings
FortiOS v4.0 MR2 can archive messages and files caught by the Data Leak
Prevention (DLP) feature, which includes some VoIP messages. However, some scenarios have
implications for configuration retention when upgrading. Consider the following:
FortiGate in v4.0.4 has two protection profiles: PP1 and PP2.
• PP1 contains:
• DLP sensor: DLP1
• Application control list: APP1 which archives SIP messages
• PP2 contains:
• DLP sensor: DLP1
• Application control list: APP2 which has content-summary enabled for SIMPLE
Upon upgrading to FortiOS v4.0 MR2 Patch Release 13, the VoIP settings are not moved into
the DLP archive feature.
NNTP DLP Archive
NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2 Patch Release
13.
Upgrading from FortiOS v4.0 MR1
FortiOS v4.0 MR2 Patch Release 13 officially supports upgrade from the FortiOS v4.0 MR1
Patch Release 4 or later. See the upgrade path below.
FortiOS v4.0 MR1
The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 build 0196 or later.
v4.0 MR1 Patch Release 4 build 0196 (or later)
↓
v4.0 MR2 Patch Release 13 build 0349
After every upgrade, ensure that the build number and branch point match the image that was
loaded.
DLP rule
A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to
FortiOS v4.0 MR2 Patch Release 13.
System Autoupdate settings
The settings under System > Maintenance > FortiGuard will get set to default values after
upgrading to FortiOS v4.0 MR2 Patch Release 13.
IPS DoS sensor log setting
The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR2 Patch Release 2 or
later. Whether the log setting of an IPS DoS sensor is disable or enable on FortiOS v4.0 MR1
Patch Release 9 or any subsequent patch, after upgrading to FortiOS v4.0 MR2 Patch Release
2 or later, the setting will be set to disable.
Downgrading to FortiOS v4.0 MR1
Downgrading to FortiOS v4.0 MR1 results in configuration loss on all models. Only the following
settings are retained:
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system access profiles.
Product Integration
Fortinet Single Sign-On (FSSO) support
FortiOS v4.0 MR2 Patch Release 13 is supported by FSSO (formerly FSAE) v4.3.0 build 0117 for
the following:
• Microsoft Windows Server 2003 R2 32-bit
• Microsoft Windows Server 2003 R2 64-bit
• Microsoft Windows Server 2008 Server 32-bit
• Microsoft Windows Server 2008 64-bit
• Microsoft Windows Server 2008 R2 64-bit
• Novell eDirectory 8.8.
IPv6 currently is not supported by FSSO.
AV Engine and IPS Engine support
FortiOS v4.0 MR2 Patch Release 13 is supported by AV Engine 4.00254 and IPS Engine
1.00247.
SSL-VPN support
SSL-VPN standalone client
FortiOS v4.0 MR2 Patch Release 13 supports the SSL-VPN tunnel client standalone installer
build 2270 for the following:
• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista
FortiOS v4.0 MR2 Patch Release 13 also supports AV Engine 4.00398 and IPS Engine 1.00250.
When connected to FDS, the AV Engine and IPS Engine will be updated.
Table 3 lists the supported operating systems.

Table 3: Supported operating systems
Windows: Windows XP 32-bit SP 3; Windows 7 32-bit SP 1; Windows 7 64-bit SP 1
Linux: CentOS 5.6
Mac OS X: Lion 10.7
Virtual Desktop Support: Windows 7 32-bit SP 1

FortiAP support
The following table lists which FortiAP devices and FortiOS operating systems are supported in
FortiOS v4.0 MR2 Patch Release 13 build 0349.
Table 4 outlines supported models.

Table 4: Supported models

FortiAP Model: FortiAP 210B, FortiAP 220A, FortiAP 221B, FortiAP 222B
FortiAP v4.0 MR3 Patch Release 7: These models are supported on the regular v4.0 MR3 branch.

FortiOS v4.0 MR2: For wireless controller support in FortiOS v4.0 MR2 the following
firmware image is required:
fg_4-2_fortiap/build_tag_6670.
The build number for these images in the System > Status page and
the output from the get system status CLI command displays
6670. To confirm that you are running the proper build, the output from
the get system status CLI command has a Branch point: field. This
should read 0349.
This firmware image is available under the following directory in the
Firmware Images page of the Customer Support site after you login:
FortiAP/v4.00/4.0MR2/MR2_Patch_13/Wireless_controller/
Resolved Issues
The resolved issues listed below do not include every bug that has been corrected in this release.
For inquiries about a particular bug, please contact Customer Service & Support.
Resolved issues
Table 5: Resolved issues
Bug ID   Description
173399   Ports on certain models may inadvertently shut down after the system has been running for 248 days. Please see Customer Service Bulletin CSB-120813-1.
175110   Firewall Policy is not installed properly when applied via FortiManager.
Limitations
This section outlines the limitations in FortiOS v4.0 MR2 Patch Release 13.
Citrix XenServer limitations
The following limitations apply to Citrix XenServer installations:
• XenTools installation is not supported.
• FortiGate-VM can be imported or deployed in only the following three formats:
• XVA (recommended)
• VHD
• OVF
• The XVA format comes preconfigured with default configurations for VM name, vCPU,
memory, and vNIC. Other formats will require manual configuration before the first power on
process.
Open source Xen limitations
When using Ubuntu 11.10, Xen 4.1.0, and libvirt 0.9.2, importing issues may arise when using
the qcow2 format and existing HDA issues.
Image Checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After logging in,
click on Download > Firmware Image Checksum, enter the image file, including the extension,
and select Get Checksum Code.
Figure 1: Customer Service & Support image checksum tool
End of Release Notes