FortiOS v5.0.0 GA Release Notes
November 01, 2012
01-500-184150-20121101
Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
Table of Contents
Change Log
Introduction
  Supported models
    FortiGate
    FortiWiFi
    FortiGate Virtual Machine
    FortiSwitch
  Supported virtualization software
  Summary of enhancements
    FortiOS v5.0.0 GA
  FortiGuard override
Special Notices
  General
  Important
    Monitor settings for Web-based Manager access
    Before any upgrade
    After any upgrade
  WAN Optimization
  SSL-VPN web portal
  MAC address filter list
  Spam Filter profile
  Spam Filter Black/White List
  DLP rule settings
  ID-based firewall policy
  SSL deep-scan
  FortiGate 100D upgrade and downgrade limitations
Upgrade Information
  Upgrading from FortiOS v5.0.0 beta release 7
    Reports
  Upgrading from FortiOS v4.0 MR3
    Table size limits
    SQL logging upgrade limitation
  Downgrading to previous FortiOS versions
Product Integration and Support
  Supported web browsers
  Fortinet Single Sign-On (FSSO) support
  FortiExplorer support (Windows/Mac OS X)
  FortiExplorer support (iOS)
  AV Engine and IPS Engine support
  FortiAP support
  Module support
  SSL-VPN support
    SSL-VPN standalone client
    SSL-VPN web mode
    SSL-VPN host compatibility list
  Explicit Web Proxy browser support
Resolved Issues
    AntiVirus
    Client Reputation
    Device Visibility
    ELBC
    Email Filter
    Endpoint Control
    Firewall
    FortiCarrier
    FortiGate VM
    High Availability
    IPsec VPN
    IPS
    Log & Report
    Routing
    SSL
    SSL-VPN
    System
    Upgrade
    VoIP
    Vulnerability
    WAN Optimization & Web Proxy
    Web-based Manager
    Web Filter
    WiFi
Fortinet Technologies Inc. Page 4 FortiOS v5.0.0 GA Release Notes
Known Issues
    Client Reputation
    Device Visibility
    Firewall
    High Availability
    IPsec VPN
    Log & Report
    SSL-VPN
    System
    Web-based Manager
    Upgrade
Limitations
  Add Device Access List
Image Checksum
Change Log
Date Change Description
2012-11-01 Initial release.
2012-11-02 Removed the following bugs: 185835, 185898, 186086, 187229, 184515, 186237, 186471,
187153, 183471, 180589, 187241, 184651, 186743, 187117, 187238, 174780, 175445, 182014,
183818, 187001, 187124. Updated screen shot on page 15. Removed FG-3600A from table 3.
2012-11-07 Added a note to the summary of enhancements.
2012-11-14 Updated WAN Optimization special notice.
2012-11-22 Minor updates. No content has been added.
2012-12-28 Minor updates. No content has been added.
2013-01-04 Removed references to Xen virtualization software support.
Introduction
This document provides a summary of new features, support information, installation
instructions, integration, resolved and known issues in FortiOS v5.0.0 GA build 0128.
Supported models
The following models are supported on FortiOS v5.0.0 GA.
FortiGate
FG-20C, FG-20C-ADSL-A, FG-40C, FG-60C, FG-60C-PoE, FG-80C, FG-80CM, FG-100D,
FG-110C, FG-111C, FG-200B, FG-200B-PoE, FG-300C, FG-310B, FG-310B-DC, FG-311B,
FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B,
FG-3040B, FG-3140B, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B, and
FG-5101C.
FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A,
FWF-80CM, and FWF-81CM.
FortiGate Virtual Machine
FG-VM32 and FG-VM64.
FortiSwitch
FS-5203B
Supported virtualization software
The following virtualization software is supported on FortiOS v5.0.0 GA.
• vSphere 4.0, 4.1, and 5.0
See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v5.0.0 GA.
Summary of enhancements
FortiOS v5.0.0 GA
The following is a list of enhancements in FortiOS v5.0.0 GA:
• Ability to disable the console login
• Ability to set up RADIUS-based SSO (RSSO) using RADIUS Accounting from Web-based
Manager
• Added the Carrier feature to Virtual Machine with the new license model
• Added csum comparison support for FortiClient configuration distribution
• Added custom Application Control and IPS Signatures
• Added a download widget and history widget to the SSL-VPN portal
• Add Endpoint Control to the FG-40C/FWF-40C
• Added FortiClient advertisement option in Endpoint Control profile
• Added IPv6 IPS support to XLP firmware
• Added NAT/Route Device device type/category
• Added Web-based Manager support for multicast policy and multicast address.
• Added the option to format the boot device before a firmware update
• Added the option to log to a FortiManager
• Added support for Web Filter quota streaming
• Added support for GTP monitor mode
• Add text to the help/logout icons in SSL-VPN portal
• Additional pre-defined service groups; Web Access and Email Access
• Additional columns for the session list
• Allow setting a more general source filter after more specific filters
• Allow a virtual domain (VDOM) link to link transparent VDOM with NAT/Route VDOM
• AntiVirus and Web Filter Web-based Manager updates
• Application Control and IPS Web-based Manager improvements
• ARIA encryption support
• auth-lockout parameter was added to enable the authentication lockout function in
non-FIPS-CC mode
• Auto-IPsec restricted to desktop platforms
• Automatic reboot after kernel panic
• Automatic Rogue AP suppression
• Automatic TX power adjustment to prevent co-channel interference
• Better support for long hostnames in the CLI prompt
• Block botnet and phishing connections
• Bridge VLAN tagged local bridging SSID with physical port
Note: Not all features/enhancements listed in this section are supported on all models.
• BYOD: Added replacement message for BYOD device capture portal and SIP User-Agent
scanning support
• BYOD: Endpoint Profile updates
• BYOD: FortiClient Endpoint profile
• BYOD: Phase 1 of the Bring Your Own Device feature set implemented
• BYOD: WiFi device monitor and enforcement
• CAPWAP data channel DTLS encryption support
• Central management configuration improvement
• Charts for search phrase
• Citrix agent support for Single Sign-On (SSO)
• CLI options to hide WAN Optimization and explicit proxy
• Click-able icon on FortiAP
• Client load balancing support (frequency handoff and AP handoff)
• Client reputation
• Client reputation in sniffer mode
• Configuration wizard included for all 1U models
• Consolidate IPS and vulnerability management services
• Content type scanning by FortiGuard category
• Corporate ID for endpoint registration and configuration deployment
• Cost column added to the OSPF Web-based Manager
• Create new IPsec site-to-site and dial up tunnels directly from the policy page
• Create short-cut or blocking entry using switch access control list
• Data Leak Prevention (DLP) filter improvements
• Dedicated interface for FortiAP
• Device based license for FortiCloud
• DFS support for Japan
• DFS channel support for FortiWiFi
• DHCPv6 relay
• DHCP and WiFi Web-based Manager clean-up
• Display options on Web-based Manager to show and hide certificates
• Display threat information from FortiGuard Encyclopedia
• DLP watermarking
• DNS service profile
• DOS policy improvements
• Dynamic comment field
• Dynamic profile redesign - HA synchronization component
• Dynamically cost of lag interface
• ELBCv3 enhancements
• ELBCv3 support for the FG-5101C
• Enable unit operation widget on FG-600C, FG-800C, and FG-1000C
• Endpoint control client installers
• Endpoint control feature enhancements
• Enhanced drill-down reports
• Enhanced SNMP based device monitoring
• Enhanced soft-switch feature: hardware switching
• Evasion attacks exploiting file-parsing vulnerabilities in AntiVirus products
• Explicit proxy and SSL decryption
• Explicit proxy integration with IPS and Application Control
• Extend SIP helper for MSRP support
• Facetime support
• Factory license feature
• Fake AP detection
• FortiCloud account activation
• FCCK header extended to include app signature version and vulnerability scan engine
version
• Flow-based Web Filter support for replacement message in HTTPS Web Filter
• FortiAP Web-based Manager
• FortiCarrier GTP extensions (Top3 #1390, #1413)
• FortiCarrier logging Improvements
• FortiClient limits in v5.0 (Endpoint Control)
• FortiClient registration password enforcement
• FortiClient ubiquitous authentication
• FortiCloud report pages and status widget updates
• FortiExplorer for iPhone (USB-A)
• FortiGate AAA
• FortiGuard DDNS
• FortiGuard license updates - DNS and dashboard changes
• FortiGuard message service
• Fortinet redundant UTM protocol (FRUP) on FG-100D
• Fortinet Single Sign-On (FSSO) polling enhancement
• FortiOS Apache web server upgrades
• FS-5203B inter-chassis HA support (A-P mode only)
• FortiToken soft token support
• GeoIP override
• Generalized TTL Security Mechanism (GTSM) support (RFC 5082)
• Global FortiGuard server override
• Global view menu implementation
• GTP profile name character limit increased to 63 characters
• Guest access provisioning
• Guest management feature enhancements
• Web-based Manager lite implementation
• HTTP-only authentication over HTTPS channel
• Increased default SSL-VPN worker number
• Increased limit on SSID to 64 for FG-100D and above
• Increased limit on URL filter, Web Profile, Group Profile, and Policy
• Increased VDOM limit on the FG-1000C and FG-1240B from 100 to 250
• Increased Router Policy limit
• IP fragment and NAT enhancements
• IP Pool fixed port range
• IPsec IKEv2 IDr is now configurable
• IPS/Application Control improvement
• IPS signatures clean-up
• IPS engine improvements
• IPv6 explicit proxy
• IPv6 MIBs
• IPv6 NAT: NAT66, NAT64, DNS64
• IPv6 Per-IP shaper
• IPv6 policy routing
• IPv6 route sync and BGP6 support to ELBCv3
• IPv6 session offloading and IPv4 trap session offloading
• IPv6 session pickup in HA mode
• IPv6 SSL proxy IPS inspection
• JSON API for token support
• LACP support on the FS-5203B
• Local bridge added to the FortiAP
• Local bridging SSID
• Local-in policy logging
• Log message organization
• Log search performance improved and SQL log database reduced
• Log speed improved
• Log viewer improvements
• Low end model feature updates (HA/Packet-Capture/AV-Quarantine/IPS-ETDB)
• Low end platform feature matrix
• MAC address logging
• MAC tunnel client to the FortiOS firmware image included
• Managed FortiAP context menu improvements
• Management port restriction on the FG-100D
• Maximum user authentication timeout value increased to 24 hours
• Messaging Application Programming Interface (MAPI) content scan
• Medium severity added to default IPS sensor
• Merge new AV engine v5
• Merge BGP AS-Path rewrite
• Merged Endpoint Control profile updates
• Merged FTCL-5103B related FortiOS side support
• Merged FS-5203B and content cluster solution
• Merged IPS Engine version 2
• Merged NPI branch for the FG-100D
• Merge UTM incidents into traffic log
• Move device identification options to Interface page
• Multicast policy enhancement (CLI)
• Multi-VDOM admin
• NAT64 acceleration (XLR/XLP)
• NAT64 in kernel/NP6
• NAT64 high availability (HA)
• Network visibility: destination hostname and geographic visibility
• Network visibility: user visibility
• New address type: Network Service
• New CLI command to set factory default except VDOM/interface settings
• New functionality added to FortiOS v4.0 MR3 based FIPS-CC branch
• New OID for HA master/slave status
• New setup wizard design
• NP4 accelerate inter-VDOM traffic
• One-arm sniffer improvement
• One-arm URL filtering
• Option to control show/hide replacement message groups
• Option to restrict the number of IP addresses that can be leased to the same MAC address
• OSPF6 support same link types as OSPF(IPv4)
• PDF report improvements
• Performance improvement by moving data path from user daemon to kernel
• Per VDOM and global limits on guest user accounts
• Policy edit merge
• Policy list enhancement
• Pre and post login warning message for the admin log in
• QoS support for traffic between the controller and FortiAP
• RADIUS based SSO revision - added a new RSSO user group and rename the dynamic
profile to RSSO
• RADIUS override support for multiple VDOM administrators
• Real-time geography updates
• Real-time sessions widget feature
• Rename DoS policy on the Web-based Manager
• Reorganized service items
• Restriction to virtual IP (VIP) on specific interfaces
• RF analysis feature
• RNG/RBG driver improvements
• Search engine configuration
• Secure OTP seed import
• Separate DoS policy from interface policy
• Set DHCP options to get TFTP server IP and config file name to restore the configurations
• Setting added to always drop fragmented packets and then log the action
• Simple VPN setup support added
• Simplify FG-20C, FWF-20C, FG-40, and FWF-40C
• SIP enhancements to add the original IP address in the SIP message header after NAT
• SIP over TLS inspection
• Sniffer improvements
• SNMP extensions for BGP
• SNMP implementation for Intelligent Platform Management Interface (IPMI) sensor
• SNMP trap for FortiAP or FortiSwitch up/down event
• Soft token activation feature added
• Some embedded java scripts using Sharepoint should not be rewritten through SSL Web
portal
• Support Sprint U602 3G/4G USB adapter, consolidate it with LTE support
• Support update for IPS XLR/XLP engine
• SSH handover support
• SSL CA certificate selection moved to each UTM proxy options
• SSL deep-scan configuration improvements
• SSL inspection support for IPS and Application Control
• SSL inspection performance improvements
• SSL-VPN authentication high availability (HA) failover support
• SSL-VPN extensions
• SSL-VPN Web-based Manager extensions
• SSO support for FTP and SMB added under SSL-VPN
• Standalone management VDOM
• Submit files detected as suspicious by AV engine to a FDS public server via email
• Supply FQDN in the captive portal
• Support Bidirectional Forwarding Detection (BFD) static neighbor
• Support cache-cookie option to set web cache behavior on cookie
• Support Citrix feature by FSSO module
• Support configuration from iOS devices through USB interface
• Support configuration synchronization in standalone mode
• Support DHCP Client for IPv6 addresses
• Support DHCP servers on the VDOM-link interface
• Support dynamic data chunking for WAN Optimization byte cache
• Support dynamic-profile for SSH proxy
• Support for adding X-Forwarded-Proto for SSL offload half mode
• Support for asymmetric traffic flows improvements
• Support Fortinet bar for standard web proxy/SSL proxy/Explicit proxy
• Support for IKE to bind to loop-back interface
• Support for secondary/backup remote authentication server
• Support for Softbank 3G modem 004z (ZTE WCDMA Technologies MSM)
• Support for new FAP-112B, FAP-223B, and FAP-320B
• Support for FG-5101C and FG-5103B
• Support GPRS tunneling protocol version 2 (GTPv2)
• Support HTTPS offload and HTTPS cache features
• Support Internet Content Adaptation Protocol (ICAP) in explicit Web Proxy
• Support IPS for IPv6 forwarding policy
• Support network visibility features for Client Reputation
• Support not sync config with FortiGate option on the FortiClient side
• Support per VLAN MTU setting
• Support RADIUS-based SSO
• Support server probes and remote request response in http-get and ping
• Support SMS contract activation
• Support SSH inspection
• Support SSL-VPN push configuration of DNS suffix
• Support SSO Polling Mode from FortiGate directly
• Support Spanning Tree Protocol (STP) for FortiGate Switch Mode interfaces
• Support user-based authentication
• Support user-based policy for FSSO
• Support Virtual Switch
• Support WAN Optimization and content scan in a single VDOM
• Support WAN Optimization per policy
• Switch access control list (ACL) short-cut extension
• Switch interfaces/interface list improvements
• Switch port extensions
• Token import feature on Web-based Manager
• Translate multicast frames to unicast frame
• Update Analytics widget
• User and Device menu
• UTM email filter feature improvements
• Virtual Hardware-Switch Improvements for FG-100D
• Visibility: new dashboard widgets
• VPN case for FortiClient registration and authentication
• WCCP L2 mode
• Web-based Manager filtering improvements
• Web-based Manager for IPv6 policy routing
• Web-based Manager interface clean up
• Web-based Manager options added for SSL-VPN, personal bookmarks, simplified routing,
and DLP
• Web-based Manager performance improvements
• Web-based Manager support for NP4 inter-VDOM links
• Web-based Manager support for standalone management VDOM
• Web Cache extensions
• WIDS Management flood detection
• WiFi Bridge SSID with physical port
• WiFi client mode usability improvements
• WiFi client mode usability back-end support
• WiFi encryption support
• WiFi improvements
• WiFi mesh support
• Wireless client load balance
• Wireless Intrusion Detection Systems (WIDS) support
• Wireless Sniffing support
• Wireless SSO
• XG2 Load Balance with DoS protection
• Yandex search engine safe search support
FortiGuard override
The Use FortiManager for All FortiGuard Communication option, under Admin > Central
Management, allows the FortiGuard Servers to be directed to the FortiManager. When enabled,
all features will only communicate with the FortiGuard servers provided by the FortiManager.
See Figure 1.
Figure 1: FortiGuard Override Enable
Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory
default settings.
Important
Monitor settings for Web-based Manager access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for
all the objects in the Web-based Manager to be viewed properly.
Before any upgrade
Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.
After any upgrade
If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate
to ensure the Web-based Manager screens are displayed properly.
The Virus and Attack definitions included with an image upgrade may be older than the ones
currently available from Fortinet's FortiGuard Distribution Server. Fortinet recommends
performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) as soon
as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for
detailed procedures.
WAN Optimization
In FortiOS 5.0, WAN Optimization is enabled in security policies and WAN Optimization rules are
no longer required. Instead of adding a security policy that accepts traffic to be optimized and
then creating WAN Optimization rules to apply WAN Optimization, in FortiOS v5.0.0 you create
security policies that accept traffic to be optimized and enable WAN Optimization in those
policies. WAN Optimization is applied by WAN Optimization profiles which are created
separately and added to WAN Optimization security policies.
SSL-VPN web portal
Only one SSL-VPN web portal is retained upon upgrading to v5.0.0 GA. If the web portal does
not exist after upgrade, the associated web portal configuration in a policy is not retained.
MAC address filter list
The mac-filter command under the config wireless-controller vap setting is not
retained upon upgrading to v5.0.0 GA. It is migrated into both the config user device and config user device-access-list settings.
Spam Filter profile
The spam filter profile has been changed in v5.0.0 GA. The spam-emaddr-table and
spam-ipbwl-table have been merged into the spam-bwl-table. The spam-bwl-table
exists in the spam filter profile.
Spam Filter Black/White List
The config spamfilter emailbwl and config spamfilter ipbwl are combined into
config spamfilter bwl.
DLP rule settings
The config dlp rule CLI command is removed in v5.0.0 GA. The DLP rule settings have
been moved into the DLP sensor.
ID-based firewall policy
ID-based firewall policies do not use destination addresses as they did in FortiOS v4.0 MR3.
Workaround
Rearrange the sequence of the firewall policies that are below the identity-based policy.
If any firewall policy below the identity-based policy has the same source as the
identity-based policy, that policy will not be hit. Move those firewall
policies above the identity-based policy.
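The ordering check behind this workaround, as an added example (not Fortinet code and not part of the release notes): it reads a policy list, reports every policy that sits below an identity-based policy with the same source, and proposes the reordered sequence. The configuration excerpt is constructed, and treating "same source" as the same srcintf plus the same srcaddr set is an assumption of this example.

```python
import shlex

# Constructed sample laid out like the "config firewall policy" section of a
# configuration backup; names and addresses are illustrative only.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "internal"
        set srcaddr "lan-users"
        set dstaddr "crm-servers"
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "staff"
            next
        end
    next
    edit 2
        set srcintf "internal"
        set srcaddr "lan-users"
        set dstaddr "all"
    next
    edit 3
        set srcintf "internal"
        set srcaddr "printers"
        set dstaddr "all"
    next
    edit 4
        set srcintf "dmz"
        set srcaddr "lan-users"
        set dstaddr "all"
    next
    edit 5
        set srcintf "internal"
        set srcaddr "lan-users"
        set dstaddr "mail-servers"
    next
end
"""

def parse_policies(text):
    """Return policies in evaluation order, ignoring nested config blocks."""
    policies, current, stack = [], None, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        head = tokens[0]
        if head == "config":
            stack.append(" ".join(tokens[1:]))
        elif head == "end":
            if stack:
                stack.pop()
        elif stack == ["firewall policy"]:  # top level of the policy table only
            if head == "edit":
                current = {"id": int(tokens[1]), "srcintf": "",
                           "srcaddr": frozenset(), "identity_based": False}
            elif head == "next" and current is not None:
                policies.append(current)
                current = None
            elif head == "set" and current is not None:
                key, values = tokens[1], tokens[2:]
                if key == "srcintf":
                    current["srcintf"] = values[0]
                elif key == "srcaddr":
                    current["srcaddr"] = frozenset(values)
                elif key == "identity-based":
                    current["identity_based"] = values == ["enable"]
    return policies

def source_key(policy):
    # Assumption: "same source" means same source interface and address set.
    return (policy["srcintf"], policy["srcaddr"])

def find_shadowed(policies):
    """Return (policy_id, identity_policy_id) pairs for policies not hit."""
    first_identity, findings = {}, []
    for p in policies:
        key = source_key(p)
        if key in first_identity:
            findings.append((p["id"], first_identity[key]))
        elif p["identity_based"]:
            first_identity[key] = p["id"]
    return findings

def apply_workaround(policies):
    """Move shadowed non-identity policies directly above the shadowing one.

    A second identity-based policy with the same source stays in place for
    manual review, since moving it only swaps which of the two is shadowed.
    """
    by_id = {p["id"]: p for p in policies}
    movable = {pid: ident for pid, ident in find_shadowed(policies)
               if not by_id[pid]["identity_based"]}
    reordered = []
    for p in policies:
        if p["id"] in movable:
            continue
        reordered.extend(q for q in policies if movable.get(q["id"]) == p["id"])
        reordered.append(p)
    return reordered

if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_CONFIG)
    print("shadowed:", find_shadowed(parsed))
    print("proposed order:", [p["id"] for p in apply_workaround(parsed)])
```

Run it against the policy section of the saved pre-upgrade configuration and review the proposed order before changing the sequence on the unit.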
SSL deep-scan
SSL Deep-scan configuration improvements.
Before upgrade
• The AntiVirus, Web Filter, and Antispam profiles had separate protocol settings for the SSL
and non-SSL protocols.
• For HTTPS deep-scanning to be done, deep-scan needed to be enabled for HTTPS in the
UTM proxy options.
After upgrade
• The settings for the SSL protocols in the AntiVirus, Web Filter, and Antispam profiles have
been removed. Instead, the non-SSL options will apply to both the SSL and non-SSL
versions of each protocol. The UTM proxy options now include an enable/disable setting for each
protocol. This is used to control which protocols are scanned and which SSL enabled
protocols are decrypted.
• To use HTTPS non-deep (SSL handshake) inspection, HTTPS needs to be enabled in the
UTM proxy options. A Web Filter profile with https-url-scan enabled needs to be applied in
the policy with the UTM proxy options. The Web Filter profile option changes the inspection
mode to non-deep scan. AV will not be performed if this option is enabled. The Web Filter
profile option does not apply if SSL inspect-all is enabled in the UTM proxy options.
Behavior
• After upgrade, all the SSL related settings in the AntiVirus, Web Filter, and Antispam profiles
will be lost. The non-SSL settings will be retained and applied to the related SSL protocols if
they are enabled in the UTM proxy options. The protocol status in the UTM proxy options will
default to enable for the non-SSL protocols and will default to disable for the SSL protocols.
The UTM proxy options should be modified to enable the SSL protocols wherever inspection
is required.
• Any profiles requiring non-deep HTTPS inspection will need to be modified to include a Web
Filter profile and UTM proxy options with the settings as described above. The original
HTTPS deep-scan settings will be lost upon upgrade.
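The rules above can be modelled to audit a policy set before an upgrade. The following Python sketch is an added example, not Fortinet code or CLI syntax: the field names and sample policies are hypothetical, and it assumes that pre-upgrade AntiVirus on HTTPS required deep scan and that a disabled HTTPS status means no HTTPS inspection.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class OldPolicy:
    """Pre-upgrade view of one policy (hypothetical field names)."""
    name: str
    https_mode: str   # "deep", "non-deep" or "none", as it behaved before upgrade
    av_http: bool     # non-SSL AntiVirus setting: retained by the upgrade
    av_https: bool    # SSL AntiVirus setting: lost by the upgrade


@dataclass(frozen=True)
class NewPolicy:
    """Post-upgrade settings that decide HTTPS handling (hypothetical names)."""
    name: str
    av_http: bool
    proxy_https: bool = False     # SSL protocols default to disable after upgrade
    inspect_all: bool = False     # SSL inspect-all in the UTM proxy options
    https_url_scan: bool = False  # Web Filter profile option


def upgrade(old):
    """What the upgrade leaves behind: non-SSL settings only, HTTPS disabled."""
    return NewPolicy(name=old.name, av_http=old.av_http)


def https_inspection(p):
    """Return (mode, av_on_https) under the v5.0.0 rules described above."""
    # Assumption: a disabled HTTPS status means no HTTPS inspection; the notes
    # do not say how inspect-all interacts with a disabled protocol.
    if not p.proxy_https:
        return ("none", False)
    # https-url-scan switches to handshake-only inspection and AV is not
    # performed, unless inspect-all is enabled (the option then does not apply).
    if p.https_url_scan and not p.inspect_all:
        return ("non-deep", False)
    # Decrypted HTTPS now follows the non-SSL (HTTP) AntiVirus setting.
    return ("deep", p.av_http)


def restore(old):
    """Settings an administrator would add to get the old HTTPS mode back."""
    new = upgrade(old)
    if old.https_mode == "deep":
        return replace(new, proxy_https=True)
    if old.https_mode == "non-deep":
        return replace(new, proxy_https=True, https_url_scan=True)
    return new


def audit(policies):
    """Compare HTTPS handling before upgrade, right after it, and after the fix."""
    findings = []
    for old in policies:
        default_mode, _ = https_inspection(upgrade(old))
        fixed_mode, fixed_av = https_inspection(restore(old))
        notes = []
        if old.https_mode != "none" and default_mode == "none":
            notes.append("HTTPS uninspected until enabled in UTM proxy options")
        # Assumption: before the upgrade, AV on HTTPS needed deep scan.
        before_av = old.av_https and old.https_mode == "deep"
        if fixed_av != before_av:
            notes.append(f"AV on HTTPS changes from {before_av} to {fixed_av}")
        findings.append({"policy": old.name, "before": old.https_mode,
                         "after_upgrade": default_mode, "after_fix": fixed_mode,
                         "notes": notes})
    return findings


# Constructed sample policies, not taken from any real configuration.
SAMPLE = [
    OldPolicy("staff-web", "deep", av_http=True, av_https=True),
    OldPolicy("guest-web", "non-deep", av_http=True, av_https=False),
    OldPolicy("dev-web", "deep", av_http=True, av_https=False),
    OldPolicy("lab-web", "none", av_http=False, av_https=False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The dev-web case shows the less obvious side effect: once HTTPS is re-enabled, it inherits the HTTP AntiVirus setting even though AntiVirus was off for HTTPS before the upgrade.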
FortiGate 100D upgrade and downgrade limitations
With the release of FortiOS v5.0.0 GA and later, the FortiGate 100D will run a 64-bit version of
FortiOS. This has introduced certain limitations on upgrading firmware in a high availability (HA)
environment and on downgrading.
When upgrading from a 32-bit FortiOS version to a 64-bit FortiOS version with the
FortiGate 100Ds running in an HA environment with the uninterruptable-upgrade option
enabled, the upgrade process may fail on the primary device after the subordinate devices have
been successfully upgraded. To work around this situation, users may disable the
uninterruptable-upgrade option to allow all HA members to be successfully upgraded. Without
the uninterruptable-upgrade feature enabled, several minutes of service unavailability are to be
expected.
Downgrading a FortiGate 100D from FortiOS v5.0.0 GA is not supported due to technical
limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to downgrade
firmware is by using the TFTP server and BIOS menu to perform the downgrade. In this case the
configuration will need to be restored from a previously backed up version.
Upgrade Information
Upgrading from FortiOS v5.0.0 beta release 7
FortiOS v5.0.0 GA build 0128 officially supports upgrade from FortiOS v5.0.0 beta release 7
build 0105.
Reports
Before you run a report after upgrading to v5.0.0 GA you must enter the following CLI
commands on console:
execute report-config reset
This will reset report templates to the factory default.
All changes to the default report will be lost!
Do you want to continue? (y/n)y
Report configuration was reset to the factory default.

execute report recreate-db
This will recreate the report database from the log database.
Do you want to continue? (y/n)y
Request to recreate report database is successfully sent.
Upgrading from FortiOS v4.0 MR3
FortiOS v5.0.0 GA build 0128 officially supports upgrade from FortiOS v4.0 MR3 Patch Release
10 or later.
Table size limits
FortiOS v5.0.0 GA has changed the maximum allowable limits on some objects. As a result, the
configuration for some objects may be lost. These include:
• dlp sensor
• firewall vip
• application list
• dlp sensor filter
• ips sensor
For more information, see the Maximum Values Table for FortiOS 5.0 at http://docs.fortinet.com.
SQL logging upgrade limitation
For the following units, after upgrading to FortiOS v5.0.0 GA, SQL logging will be retained based
on the total size of the RAM available on the device. Logs will use up to a maximum of 10% of the
RAM. Once that threshold is passed, any new logs will start to overwrite the older logs.
Historical report generation will also be affected, based on the SQL logs that are available for
query.
FG-100D, FG-300C
Downgrading to previous FortiOS versions
Downgrading to previous FortiOS versions results in configuration loss on all models. Only the
following settings are retained:
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system access profiles.
Product Integration and Support
Supported web browsers
• Microsoft Internet Explorer 8 and 9
• Mozilla Firefox 15.0 and 16.0
• Google Chrome 22.0
Fortinet Single Sign-On (FSSO) support
FortiOS v5.0.0 GA is supported by FSSO v4.0 MR3 build 0128 for the following:
• Microsoft Windows Server 2003 R2 32-bit
• Microsoft Windows Server 2003 R2 64-bit
• Microsoft Windows Server 2008 32-bit
• Microsoft Windows Server 2008 Server 64-bit
• Microsoft Windows Server 2008 R2 64-bit
• Novell eDirectory 8.8.
IPv6 currently is not supported by FSSO.
FortiExplorer support (Windows/Mac OS X)
FortiOS v5.0.0 GA is supported by FortiExplorer 2.0.1022.
FortiExplorer support (iOS)
FortiOS v5.0.0 GA is supported by FortiExplorer v1.0.3.0109.
AV Engine and IPS Engine support
FortiOS v5.0.0 GA is supported by AV Engine 5.00032 and IPS Engine 2.00043.
FortiAP support
FortiOS v5.0.0 GA supports the following FortiAP models:
FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and FAP-320B
The FortiAP device must be running FortiAP v5.0.0 build 0021 or later.
Module support
FortiOS v5.0.0 GA supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC),
Rear Transition Modules (RTM), and Fortinet Storage Module (FSM) removable modules. These
modules are not hot swappable. The FortiGate unit must be turned off before the module is
inserted or removed.
Table 1: Supported modules

| AMC/FMC/FSM/RTM Modules | FortiGate Platform |
| --- | --- |
| Storage Module 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, and FG-5001A |
| Storage Module 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, and FG-3951B |
| Accelerated Interface Module 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, and FG-5001A |
| Accelerated Interface Module 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A and FG-5001A |
| Accelerated Interface Module 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A and FG-5001A |
| Bypass Module 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, and FG-5001A |
| Bypass Module 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, and FG-5001A |
| Security Processing Module 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, and FG-5001A |
| Security Processing Module 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A and FG-5001A |
| Security Processing Module 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A and FG-5001A |
| Security Processing Module 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A |
| Rear Transition Module 10-GbE backplane fabric (RTM-XD2) | FG-5001A |
| Security Processing Module (ASM-ET4) | FG-310B and FG-311B |
| Rear Transition Module 10-GbE backplane fabric (RTM-XB2) | FG-5001A |
| Security Processing Module 2x10-GbE SFP+ (FMC-XG2) | FG-3950B and FG-3951B |
| Accelerated Interface Module 2x10-GbE SFP+ (FMC-XD2) | FG-3950B and FG-3951B |
| Accelerated Interface Module 20xSFP (FMC-F20) | FG-3950B and FG-3951B |
| Accelerated Interface Module 20x10/100/1000 (FMC-C20) | FG-3950B and FG-3951B |
| Security Processing Module (FMC-XH0) | FG-3950B |

SSL-VPN support
SSL-VPN standalone client
FortiOS v5.0.0 GA supports the SSL-VPN tunnel client standalone installer build 2276 for the
following:
• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X 10.7 in .dmg format
• Virtual Desktop in .jar format for Windows 7.

Table 2: Supported operating systems

| Windows | Linux | Mac OS X |
| --- | --- | --- |
| Windows 7 32-bit | CentOS 5.6 | Mac OS X 10.7 (Lion) |
| Windows 7 64-bit | | |
| Virtual Desktop Support | | |
| Windows 7 32-bit Service Pack 1 | | |
SSL-VPN web mode
The following table lists the browsers and operating systems supported by SSL-VPN web
mode.

Table 3: Supported browsers and operating systems

| Operating System | Browser |
| --- | --- |
| Windows 7 32-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12 |
| Windows 7 64-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12 |
| CentOS 5.6 | Firefox 3.6 |
| Mac OS X 10.7 (Lion) | Safari 5.1 |

SSL-VPN host compatibility list
The following tables list the AntiVirus and Firewall client software packages that are supported.
Table 4: Supported Windows XP AntiVirus and Firewall software
Product AntiVirus Firewall
Symantec Endpoint Protection v11
Kaspersky AntiVirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009
Table 5: Supported Windows 7 32-bit and 64-bit AntiVirus and Firewall software
Product AntiVirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
Explicit Web Proxy browser support
The following browsers are supported by the Explicit Web Proxy feature:
• Internet Explorer 8 and 9
• Mozilla Firefox 15.0 and 16.0
Resolved Issues
The resolved issues listed below do not include every bug that has been corrected with this release.
For inquiries about a particular bug, please contact Customer Support.
AntiVirus
Table 6: Resolved antivirus issues

| Bug ID | Description |
| --- | --- |
| 181320 | AV-failopen setting will cause the FortiGate not to scan any traffic on boot. |
| 185428 | Critical remote code execution vulnerability in AV UPX parsing. |

Client Reputation
Table 7: Resolved client reputation issues

| Bug ID | Description |
| --- | --- |
| 176289 | Cannot enable client reputation on identity based policy. |
| 179375 | Client reputation cannot track DoS critical attack. |

Device Visibility
Table 8: Resolved device visibility issues

| Bug ID | Description |
| --- | --- |
| 179298 | Cannot enable device-identification on transparent mode interface. |
| 180043 | Wrong device number in device host-type-summary. |
| 183568 | device-access-list name under interface does not reflect the change of a changed device-access-list name. |

ELBC
Table 9: Resolved ELBC issues

| Bug ID | Description |
| --- | --- |
| 179754 | Web-based Manager widgets break configuration sync and may lead to traffic outage. |
| 182248 | ELBC service group worker report failed to find log info error when a new blade joins. |
| 185986 | ELBC-CC failover console HA error message should not apply. |
| 185996 | FortiGate slave worker failed to sync with master FS-5203B on ELBC content cluster mode. |

Email Filter
Table 10: Resolved email filter issues

| Bug ID | Description |
| --- | --- |
| 172296 | Email subject encoding is not converted correctly to UTF-8 when adding a spam tag. |
| 173123 | FortiGate cannot encode additional UTF-8 tags to mail subject properly. |
| 174918 | Arabic mixed with not-Arabic font for email attachment are not inspected. The MIME parser is not correctly decoding. |
| 184739 | Email file pattern filter does not work correctly. |

Endpoint Control
Table 11: Resolved endpoint control issues

| Bug ID | Description |
| --- | --- |
| 182563 | Convert FortiGate application control action reset to Block on FortiClient. |

Firewall
Table 12: Resolved firewall issues

| Bug ID | Description |
| --- | --- |
| 163000 | Flow-AV does not work on SMB version2 protocol. |
| 164367 | Proxyworker crashed with signal 7. |
| 174196 | Traffic shaper not functioning correctly. |
| 176209 | SSL proxy rewrites server certificate for explicit FTPS connection even if FTPS is disabled in AntiVirus profile. |
| 178111 | IKE IPv6 session is set to block after bringing down the interface of its peer. |
| 178403 | Flow-based spam over SMTP-SSL, POP3-SSL, IMAP-SSL detected by proxy. |
| 179410 | Scan extra data sent with mail MIME body. |
| 181982 | Central-NAT cannot be configured in transparent mode. |
| 182570 | Should not add the AntiVirus group in iprope if there is no AntiVirus profile enabled. |
| 182581 | FTPS failed to get file when AntiVirus is enabled. |
| 182694 | The SIP feature of geo-redundancy does not work. |
| 182735 | UTM inspect-all does not work. |
| 183869 | Expiry time failures. |
| 183870 | SSL deep scan does not support TLSv1.1 causing a handshake failure. |
| 184582 | FG-3140B IPv6 throughput extremely low. |
| 184675 | Sessions not passing traffic until reset. |

FortiCarrier
Table 13: Resolved FortiCarrier issues

| Bug ID | Description |
| --- | --- |
| 181977 | Mass_mmsd daemon keeps crashing and message processing is very slow. |

FortiGate VM
Table 14: Resolved FortiGate VM issues

| Bug ID | Description |
| --- | --- |
| 166725 | Update VM license purchase link. |
| 182923 | FG-VM00 should not have 10 VDOMs. |

High Availability
Table 15: Resolved high availability issues

| Bug ID | Description |
| --- | --- |
| 177382 | HA failed to sync between a FG-5101C and FS-5203B in content cluster mode. |
| 179226 | End user had to re-login on SSL-VPN web mode when HA failover occurs. |
| 180732 | New slave failed to sync with master when the master has no SSL-VPN tunnel address configuration. |
| 180794 | HA Split Brain occurs when error detected on FSM Module. |
| 181271 | HATALK daemon consumes 99% CPU utilization. |
| 181455 | When rebooting the standby device, the master device is affected. |
| 181539 | FS-5203B and FG-5001B failed in configuration sync. |
| 181574 | VLAN interface MAC is not updated when underlying aggregate/redundant MAC changes. |
| 181972 | FG-5101C report cannot sync configuration with master's in ELBC content cluster mode. |
| 182154 | Factory reset device cannot sync with master due to replacement messages in a multi-VDOM environment. |
| 182307 | Session is lost and marked as dirty after primary unit fails back from initial fail-over. |
| 185621 | Traffic is not load balanced to slave under device_based firewall policy in HA active-active mode without UTM enabled. |

IPsec VPN
Table 16: Resolved IPsec VPN issues

| Bug ID | Description |
| --- | --- |
| 168263 | It would be better to make IPsec offloading work without the need of setting local gateway. |
| 178175 | Incorrect Proxy ID quick mode selector after renaming an IPsec phase2 interface. |
| 182576 | IPsec VPN fails to delete IPsec SA in IPV6 mode. |

IPS
Table 17: Resolved IPS issues

| Bug ID | Description |
| --- | --- |
| 178598 | Fix IPS daemon crash after deleting 500 VDOMs. |
| 183251 | CMDB crash when create/delete interface-policy. |

Log & Report
Table 18: Resolved log & report issues

| Bug ID | Description |
| --- | --- |
| 143357 | Email subject in Japanese gets garbled in Log and Archive Statistics. |
| 162847 | Add Web-based Manager upload log schedule option. |
| 169701 | Disk log exceeds maximum limit 10885MB on FG-100D. |
| 175311 | Cannot restore report to default and message pops up. |
| 177666 | Log is not shown for multiple-IM entries in application control. |
| 180585 | Sqldb crashed with signal 11. |
| 181190 | Failed to display log when log disk is full. |
| 181270 | execute log upload should be available under VDOM when override fortianalyzer is store-and-upload. |
| 181981 | Log disk usage can exceed its quota. |
| 182103 | Missing source IP and destination IP value and app field in some local traffic log. |
| 182477 | AntiVirus archive writes the wrong status in log. |
| 182934 | Disk-logging performance decreased a lot than build 0094. |
| 184024 | Add new log field client_rep_score to traffic log. |

Routing
Table 19: Resolved routing issues

| Bug ID | Description |
| --- | --- |
| 174884 | Change OSPF interface cost causes OSPF neighbor to re-establish. |
| 183537 | OSPFv2 slow convergence for Summary/Type-3 routes. |

SSL
Table 20: Resolved SSL issues

| Bug ID | Description |
| --- | --- |
| 182056 | User less remained Framed-IP prevent the RADIUS authentication. |

SSL-VPN
Table 21: Resolved SSL-VPN issues

| Bug ID | Description |
| --- | --- |
| 150271 | SSL-VPN web mode does not handle SWF Flash methods. |
| 172878 | Changing the SSL-VPN portal page layout from single-column to double-column does not take effect. |
| 175196 | SSL-VPN Web mode connection issues to devices using SSH version 2. |
| 177429 | FortiOS did not resolve FQDN to IP before setting SSL split-tunnel route on FortiClient. |
| 180589 | SSL-VPN Java applet (version 10.7.x) does not work with Mac OS X. |
| 183019 | LDAP user fails to login to SSL-VPN with certain group match enabled. |
| 183101 | Java 1.7.0_07 does not work in SSL-VPN web mode in Firefox. |
| 183794 | The Host Check function did not properly validate the client's system when running the periodic Host Check set for 300. |
| 184054 | sslvpn cert setting change cannot take effect when under stress. |
| 185404 | Remote web access portal upload hanged intermittently. |
| 185455 | sslvpnd daemon memory is leaking under stress test. |
| 185658 | sslvpnd daemon high CPU usage. |

System
Table 22: Resolved system issues

| Bug ID | Description |
| --- | --- |
| 150030 | FWF-60CM mounted modem's flash disk which confused FortiOS. |
| 163523 | Newly created VLAN interface should be down in FIPS-CC mode. |
| 169464 | A lot of config-error-log errors after full configuration restored from USB drive or Web-based Manager. |
| 171083 | Change Dynamic Start RADIUS server setting, does not take effect. Need to restart the radiusd daemon. |
| 171206 | Table size updates. |
| 171771 | Low session sync performance on ELBCv3. |
| 171927 | FortiGate DHCP server cannot provide IP as per IP/mac binding list if the IP is changed. |
| 172738 | Should disable email when enabling batch guest account creation. |
| 173755 | Remove dynamic profile implementation. |
| 176951 | No DoS attack log when XG2 is in NPU-Cascade mode. |
| 177365 | Cannot update the FG-5101C image from ELBC master's Web-based Manager. |
| 177500 | Disabled user's authentication action is not logged. |
| 179150 | Console print out error message when enabling AV quarantine from Web-based Manager. |
| 179544 | Keep RSSO RADIUS server parameter name consistency. |
| 179729 | Default profile 11n-only is missing after factory reset. |
| 180108 | No alert-email for firewall authentication failure event. |
| 180111 | No alert-email for configuration change event. |
| 181756 | Explicit proxy performance improvement of NTLM authentication. |
| 181780 | The command execute interface dhcp6client-renew cannot work well after clearing lease on server. |
| 182379 | Unable to handle kernel NULL pointer. |
| 182508 | Error message on CLI when enabling FIPS-CC. |
| 182718 | CLI create guest group should not allow set email disable when user-id is email. |
| 183048 | Cannot activate FortiToken for FortiGate FIPS-CC mode. |
| 183180 | FIPS-CC mode FortiGate cannot restore image from flash. |
| 183527 | Some time zone values are wrongly set. |
| 183586 | IPS database fails to update to extended version. |
| 183706 | Enable Carrier license on FG-5101C. |
| 183983 | ICMPv6 packets which are too big are being scanned and dropped. |
| 184733 | FortiGate reboots with kernel dump message. |
| 184906 | Snmpd daemon consumes all available UNIX socket descriptors and subsequently crashes. |
| 185434 | Software switch does not pass traffic after reboot. |
| 186458 | Add two more factory default profiles. |

Upgrade
Table 23: Resolved upgrade issues

| Bug ID | Description |
| --- | --- |
| 167806 | SQL databases have errors and need to be rebuilt after upgrading from v4.0 build 0525. |
| 171746 | Fingerprint sensor becomes credit card sensor after upgrade from build 0637 to build 0099. |
| 176129 | DLP cannot change sensors which contain filter and rule properly after upgrade from build 0637 to build 0099. |
| 176199 | DLP sensor log-only action becomes none action after upgrading. |
| 176807 | FW protocol option client reputation has no entries after upgrading from build 0632. |
| 179185 | After upgrading from v4.0 MR3 build 0637 to v5.0.0 build 0091, the Flow Based Web Filter profile become proxy-based. |
| 181631 | FWF-60C upgrade to build 0101 reports decode VDOM license key. |
| 181691 | Address lost in multicast policy after upgrading from v4.0 MR3 Patch Release 10 to v5.0.0 build 0102. |
| 182787 | The setting of specific groups on remote server for user group is lost after upgrading from v4.0 MR3 Patch Release 9 build 0637 to v5.0.0 build 0105. |
| 182977 | Sqldb process consumes 99% CPU after upgrading from v4.0 MR3 Patch Release 10 to build 0105. |

VoIP
Table 24: Resolved VoIP issues

| Bug ID | Description |
| --- | --- |
| 180504 | No audio on incoming call to PBX which has call forwarding enabled. |

Vulnerability
Table 25: Resolved vulnerability issues

| Bug ID | Description |
| --- | --- |
| 179219 | Buffer overflow on lrat search string in URL causes the httpsd daemon to crash. |
| 182590 | A memory corruption vulnerability in /system/network/intfchange URL. |
| 182830 | FortiGate Web-based Manager cmdb memory corruption when access URL /api/cmdb?request=AA. |
| 182839 | FortiGate Web-based Manager intfchange secip parameter memory corruption. |
| 185425 | FortiGate Web-based Manager Web Filter remote memory corruption vulnerability. |

WAN Optimization & Web Proxy
Table 26: Resolved WAN Optimization & web proxy issues

| Bug ID | Description |
| --- | --- |
| 172949 | For the warning/authentication of Web Filter, could not automatically enter the correct URL for HTTPS service. |
| 182246 | Explicit proxy ignores configured geographic IPs in proxy policy. |
| 182618 | SSL Deep Scan randomly invokes in explicit proxy mode with web content filtering enabled. |
| 182964 | Fix WAD crash when cache object is invalidated by HTTP POST. |

Web-based Manager
Table 27: Resolved Web-based Manager issues

| Bug ID | Description |
| --- | --- |
| 118058 | Cannot filter policy on count field. |
| 144187 | Updates to access profile configuration. |
| 153342 | Password change capability is different between CLI and Web-based Manager. |
| 160433 | Editing a redundant interface and aggregate interface failed sometimes. |
| 161433 | Server refused to allocate pty. |
| 162511 | Cannot test connectivity for overridden FortiAnalyzer from Web-based Manager. |
| 163787 | Increase sample size and rate for traffic history widget. |
| 164359 | Web-based Manager shows improper icmpcode when ICMP custom service is configured as unset icmpcode. |
| 165403 | IPv6 Implicit policy incorrectly displayed and managed through Web-based Manager. |
| 165588 | Suggest display link status for virtual-switch member on unit operation widget. |
| 168073 | Cannot batch create After first login Expire type user from Web-based Manager description. |
| 170171 | Web-based Manager cannot edit and delete custom Chinese firewall service and service group. |
| 170212 | Row highlighting incorrect on replacement message list. |
| 170615 | New/edit firewall policy is too slow. |
| 171459 | The local-in policy is not correctly shown on Internet Explorer 9 when VDOMs are enabled. |
| 171695 | FG-40C should remove Virtual Domain from session monitor column setting. |
| 172096 | Response error when set dlp sensor action to quarantine user. |
| 172642 | Change switch mode message should follow FortiGate switch interface name. |
| 174120 | Some Web-based Manager pages can only take 63 characters of comment even 255 is listed. |
| 174266 | The httpsd daemon crashed when opening some monitor pages by accessing FortiGate with IPv6. |
| 174830 | The change mode button should be removed since FG-20C only supports switch mode. |
| 174983 | Transparent mode, IPsec vpn policy can not select vpn tunnel. |
| 175445 | Web-based Manager policy page shows SSID for Zone interface. |
| 175765 | TACACS+ server test function does not work on the Web-based Manager. |
| 175917 | The policy page shows an extra option with Profile Group enabled on policy. |
| 176364 | Web-based Manager has a problem to disable secondary-IP for VLAN interface. (Build 0099) |
| 176422 | XSS Vulnerability in Report Sections. |
| 176658 | MAC address shall be able to added back when alias is set for a device in BYOD |
| 177114 | VPN Tunnel names with an '&' sign can not be edited or deleted. |
| 178138 | It takes a long time to display historical System Resource widget. |
| 178202 | Display issue on address group page when the names of address members are too short. |
| 178746 | Discover Assets icon should be removed from Vulnerability Scan Definition page |
| 178900 | Need to increase the comment field size to 1024 for policy. |
| 179093 | Traffic shaper cannot be disabled in firewall policy at top level. |
| 179959 | Web-based Manager should support VLAN interface for device identification. |
| 180040 | A device can not be deleted from the Web-based Manager when no alias for this device. |
| 180120 | Top destination IP address click session remove will display more destination IP related sessions. |
| 180196 | Under interface mode, packet capture function does not work on internal interface. |
| 180222 | Alias in BYOD shall be editable on Web-based Manager. |
| 181307 | Suggest Top Sessions by Source Address widget also include geographic location information. |
| 181361 | Top widgets in Dashboard shows No matching entries found. |
| 182006 | Clock in wizard does not display the current time and the time is not changed when changing time zone. |
| 182019 | The right-click drop-down menu keeps loading. |
| 182193 | FortiToken can not be edited and deleted on the Web-based Manager. |
| 182218 | Firewall policy count is always zero though there are a lot of traffic goes through. |
| 182318 | WiFi interface is missing SSID in policy list page and interface alias. |
| 182402 | The Create New button does not work on DLP sensor page. |
| 182621 | XSS vulnerability on several of the column filter value. |
| 182623 | Web-based Manager is not refreshed after applying log filter. |
| 182685 | Lost enhanced black background color on selected log entry after edit column selector. |
| 182750 | Replacement message page can not be displayed, received an 500 Internal Server Error. |
| 182859 | XSS vulnerability on FortiManager Send request string. |
| 182908 | Implicit deny policy is not shown. |
| 184262 | Incompatible information between widget and device page in BYOD. |
| 184570 | FortiGate Web-based Manager global_res many parameter memory corruption. |
| 184732 | FortiGate Web-based Manager VDOM memory corruption. |
| 185100 | The default switch-vlan interface entry is missing. |
| 185604 | Unable to create VLAN interfaces on soft switch interface using the Web-based Manager. |
| 185764 | Change display for FortiToken Mobile in License Information widget. |
| 186175 | FortiGate Web-based Manager Web Filter move remote memory corruption vulnerability. |

Web Filter
Table 28: Resolved web filter issues

| Bug ID | Description |
| --- | --- |
| 165236 | When FortiManager responds with a rating value 140, the FortiGate will deal with the category as unrated(rating value=0). |
| 171296 | When the Web Filter service is expired, the FortiGate should not provide the Web Filter service again. |
| 180243, 182744, 163974, 180245 | Remove FortiGuard disable option from Web Filter profile. |
| 181059 | In the Flow-based mode, the replacement message page could not be displayed for HTTPS when a website is blocked. |
| 181654 | Fortinet Top Bar does not show Application Block and Web Quota messages. |
| 182794 | The action of authentication does not work due to an authd daemon crash. |
| 182802 | The feature per-user-bwl sometimes does not work. |
| 182804 | When enabling per-user-bwl in Web Filter and disabling per-user-bwl in Global, the FortiGate will block all websites. |

WiFi
Table 29: Resolved WiFi issues

| Bug ID | Description |
| --- | --- |
| 152811 | Hide local-radio wtp entry on client-mode FortiWiFi. |
| 160588 | Many client-deleted-by-wtp events occur before the WiFi client is connected. |
| 167332 | VirtualAP interface should be created automatically when a VDOM is created. |
| 168185 | Cannot de-authenticate the WiFi guest provision account. |
| 177347 | Global wlac -c scan-clr-all cannot clear non-root VDOM scan results. |
| 177422 | Problem with HP slate tablet relate to 802.11n MSDU frame aggregation. |
| 179090 | FortiAP stops beaconing after enabling Auto TX power adjustment. |
| 179466 | Change unset band result to empty string and the default value. |
| 180028 | Wireless Single Sign-On (WSSO) does not work. |
| 180602 | FWF-40C (Client mode) cannot connect to FortiWiFi AC if channel changed except reboot it or wait for over 10 minutes. |
| 181005 | A cw_acd daemon crash was observed in the crash log when running v4.0 MR3 Patch Release 7 build 0535 or v4.0 MR3 Patch Release 9 build 0637. |
| 181124 | The wtp-profile max-supported-mcs value should be adjusted according to platform type. |
| 181283 | Client-mode FortiWiFi still connected to access point even after deleting WiFi-network entries when disable auto-connect. |
| 181802 | Allow XSS characters in WiFi SSID names. |
| 181978 | SSID with 32 characters cannot work on FortiWiFi and FortiAP. |
| 182619 | Disable VDOM change for SSID. |
| 182678 | One SSID stops working, other is fine. A reboot will fix the issue. |
| 182824 | Client-mode FortiWiFi can not connect access point steady with static_ip mode. |
| 182901 | Client mode unable to connect to SSID. |
| 182956 | WSSO cannot work with Captive-Portal VAP. |
| 183262 | WSSO user list duplicate entries if the same group was selected in two more id-policies. |
| 183713 | VirtualAP mac-filter should be removed. |

Known Issues
The known issues listed below do not include every bug that has been reported with this release.
For inquiries about a particular bug, please contact Customer Service & Support.
Client Reputation
Device Visibility
Firewall
High Availability
Table 30: Known client reputation issues
Bug ID Description
184496 Client reputation cannot track visiting local category.
Table 31: Known device visibility issues
Bug ID Description
186257 Block message does not work on WiFi devices when using thedevice
detection portal in BYOD.
Table 32: Known firewall issues
Bug ID Description
186588 DLP, AV, and Web Filter do not always work when inspect-all is enabled.
187123 The address field in a policy is not set when that address is set not to show.
187131 A change to the member of service group does not take effect on a policy
immediately.
187699 Under the Policy > Policy > Policy Web-based Manager page, drag and drop
re-ordering of firewall policies under Global View is unsupported. Cut and
copy is supported under Global View.
Table 33: Known high availability issues
Bug ID Description
169215 Cannot send slave log to FortiCloud.
185628 Part of session info is not synced correctly under HA Active-Active mode
when Device_based FW policy is configured.
185656 Sessions cannot pickup in HA environment under Device_based firewall
policy.
Fortinet Technologies Inc. Page 39 FortiOS v5.0.0 GA Release Notes
IPsec VPN
Log & Report
SSL-VPN
187090 Slave log cannot send to FortiAnalyzer when first forming HA.
187091 The master device does not forward slave's log to FortiAnalyzer.
Table 34: Known IPsec VPN issues
Bug ID Description
184503 IPsec VPN wget file over 3M fail when set keylife-type kbs and NP4 enable.
Table 35: Known log & report issues
Bug ID Description
161048 When schedule is set to weekly, Traffic History by Bandwidth/Sessions are
empty.
185209 A traffic log is generated when utm-incident-traffic-log and log-traffic are both
disabled.
185949 No IPS incidents in traffic log, thus report and client reputation do not have
related charts.
185952 The PDF content will show empty content page.
186808 Report has wrong categories in the default charts.
187003 No invalid log for failed connection attempt cause fail to track related client
reputation.
187078 Illegal character in neighbor-event log causes Web-based Manager parse
error.
Table 36: Known SSL-VPN issues
Bug ID Description
182464 SSL-VPN tunnel widget does not work in web mode portal in Windows 8
Internet Explorer 10.
Table 37: Known system issues
Bug ID Description
170385 Unable to link at 1000full on all ports for FG-5001B.
185580 FortiGate should be in pending state when switching account from old
account.
185909 The FG-111C switch works abnormally in FortiOS v5.0.0 GA.
Table 38: Known Web-based Manager issues
Bug ID Description
174503 Multiple bookmark widgets are created when creating multiple bookmarks
in one category.
180451 Selecting multiple policies does not work well.
183288 Cannot create central NAT entries from Web-based Manager.
183482 Missing archive tab in IPS log GUI.
185173 FWF-20C build 0114 wizard page LAN + WiFi Setting displays an Invalid IP Range
message incorrectly.
185359 Failed to create an SSL-VPN policy in the Wizard because sslvpn-portal is not
set.
185390 Profile Protocol Options is set to default when creating an identity-based IPv6
firewall policy.
185482 Web-based Manager does not fully support IPv6 device based policy.
186197 Wizard may become empty or stuck after Time Zone page on some platforms.
187083 A mobile token in activated status incorrectly has a provision option in the
right-click menu.
187129 Device based policy page behaves abnormally with Internet Explorer 9.
187826 With some specific wildcard addresses, the Web-based Manager firewall
address page cannot be loaded.
Table 39: Known upgrade issues
Bug ID Description
187104 After upgrading from v4.0 MR3 Patch Release 10, NTLM ID based policy does
not work.
Limitations
This section outlines the limitations in FortiOS v5.0.0 GA.
Add Device Access List
If the device-access-list has its action set to deny, you will need to explicitly define a
device in order to allow it to work.
For instance,
config user device
    edit "win"
        set mac 01:02:03:04:05:06
    next
end
config user device-access-list
    edit "wifi"
        set default-action deny
        config device-list
            edit 1
                set action accept
                set device "windows-pc" <-------------the predefined device-category
            next
            edit 2
                set action accept
                set device "win" <-------------the custom device
            next
        end
    next
end
As a result, the predefined device-category entry 1 will not get access. Only the custom
device entry 2 would be able to get access.
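The limitation above can be checked against a saved configuration. The following Python is an added example, not part of the release notes or Fortinet tooling; parse_fortios and entries_without_access are hypothetical names, and it assumes any device name not defined under config user device is a predefined device category.

```python
import shlex

# The release notes' own example with the arrow annotations removed.
SAMPLE = '''
config user device
    edit "win"
        set mac 01:02:03:04:05:06
    next
end
config user device-access-list
    edit "wifi"
        set default-action deny
        config device-list
            edit 1
                set action accept
                set device "windows-pc"
            next
            edit 2
                set action accept
                set device "win"
            next
        end
    next
end
'''

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):  # config keyed by full line, edit by name
            key = " ".join(tok) if tok[0] == "config" else tok[1]
            stack.append(stack[-1].setdefault(key, {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def entries_without_access(text):
    """Accept entries in default-deny lists that name no custom device."""
    cfg = parse_fortios(text)
    custom = set(cfg.get("config user device", {}))  # assumption: all else is a category
    acls = cfg.get("config user device-access-list", {})
    return [(name, eid, e.get("device"))
            for name, acl in acls.items() if acl.get("default-action") == "deny"
            for eid, e in acl.get("config device-list", {}).items()
            if e.get("action") == "accept" and e.get("device") not in custom]
```

Calling entries_without_access(SAMPLE) returns the list name, entry ID, and device of each entry that, per this limitation, will not get access.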
Image Checksum
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After logging in,
click Download > Firmware Image Checksum, enter the image file name including the extension,
and select Get Checksum Code.
Figure 2: Customer Service & Support image checksum tool
End of Release Notes