
FortiOS v4.0 MR3 Patch Release 12 Release Notes


May 13, 2013
01-4312-195080-20130513
Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Table of Contents

Change Log
Introduction
    Supported models
        FortiGate
        FortiWiFi
        FortiGate VM
        FortiSwitch
    Summary of enhancements
FortiOS Carrier
    Supported models
        FortiCarrier
Special Notices
    TFTP boot process
    Monitor settings for Web-based Manager access
    Before any upgrade
    After any upgrade
    FortiGate 1240B upgrade and downgrade limitations
Upgrade Information
    Upgrading from FortiOS v4.0 MR3
        Disk logging
        Historical reports upgrade limitation
        SQL logging upgrade limitation
        FortiGate 100D
        FortiGate 3240C
    Upgrading from FortiOS v4.0 MR2
        DDNS
        DNS server
        Ping server
        Central management
        SNMP community
        Modem settings
        AMC slot settings
        Wireless radio settings
        Web filter overrides
        Firewall policy settings
        URL filter
        FortiGuard log filter
        FortiGuard log setting
    Downgrading to previous FortiOS versions
Product Integration and Support
    Web browser support
    FortiManager support
    FortiAnalyzer support
    FortiClient support
    FortiAP support
    Virtualization software support
    Fortinet Single Sign-On (FSSO) support
    FortiExplorer support (Microsoft Windows/Mac OS X)
    AV Engine and IPS Engine support
    Language support
    Module support
    SSL VPN support
        SSL VPN standalone client
        SSL VPN web mode
        SSL VPN host compatibility list
    Explicit web proxy browser support
Resolved Issues
    Antivirus
    Data Leak Prevention
    Email Filter
    Firewall
    FortiCarrier
    FortiGate VM
    High Availability
    IPsec VPN
    Logging and Reporting
    Routing
    SSL VPN
    System
    Upgrade
    WAN Optimization and Web Proxy
    Web-based Manager
    Web Filter
    Wireless
Known Issues
    Firewall
    IPsec VPN
    Logging and Reporting
    SSL VPN
    VoIP
    Web-based Manager
Limitations
    Citrix Xen server limitations
    Open source Xen limitations
Image Checksum
Appendix A: FortiGate VM
    FortiGate VM model information
    FortiGate VM firmware

Change Log
Date          Change Description
2013-02-12    Initial release.
2013-02-18    Added FG-20C, FWF-20C, FG-20C-ADSL-A, FWF-20C-ADSL-A, FG-60C-POE, and FWF-60CX-ADSL-A to disk logging upgrade notice. Added 196235 and 196962 to known issues chapter.
2013-02-21    Added FG-VM-XEN support information.
2013-02-26    Minor update to product integration and support chapter.
2013-03-14    Corrected resolved issue bug ID. Added bug ID 198417 to known issues chapter.
2013-03-19    Corrected typographic error.
2013-04-02    Added 198883 to known issues chapter.
2013-04-15    Added FG-3240C upgrade information.
2013-04-29    Corrected Skype CLI syntax.
2013-05-13    Corrected FSSO support information.

Introduction
This document provides a summary of enhancements, support information, installation
instructions, integration, resolved and known issues in FortiOS v4.0 MR3 Patch Release 12
build 0656.

Supported models
FortiOS v4.0 MR3 Patch Release 12 supports the following models.

FortiGate
FG-20C, FG-20C-ADSL-A, FG-30B, FG-40C, FG-50B, FG-51B, FG-60B, FG-60C,
FG-60C-POE, FG-80C, FG-80CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A,
FG-200B, FG-200B-POE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B,
FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800C, FG-800F,
FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B,
FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A,
FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FG-5101C, and FG-ONE.
FG-3240C
This model is released on a special branch based on FortiOS v4.0 MR3 Patch Release 12. As
such, the System > Dashboard > Status page and the output of the get system status CLI
command display 6901 as the build number.
To confirm that you are running the proper build, the output from the get system status CLI
command has a Branch point field that should read 0656.

FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-30B, FWF-40C, FWF-50B, FWF-60B, FWF-60C,
FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.

FortiGate VM
FG-VM32 and FG-VM64.
FG-VM64-XEN
This model is released on a special branch based on FortiOS v4.0 MR3 Patch Release 12. As
such, the System > Dashboard > Status page and the output of the get system status CLI
command display 5924 as the build number.
To confirm that you are running the proper build, the output from the get system status CLI
command has a Branch point field that should read 0656.


FortiSwitch
FS-5203B.
See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR3.

Summary of enhancements
The following is a list of enhancements in FortiOS v4.0 MR3 Patch Release 12:
- Added a CLI command to set the Skype client public IP addresses used for decrypting
  Skype traffic. The IP addresses are parsed by the IPS engine to decrypt the Skype protocol.
  To configure, use the following CLI syntax:
      config ips global
          set skype-client-public-ipaddr <IP_address,IP_address>
      end
- Added a CLI command to view logs from FortiCloud on the Web-based Manager. To
  configure, use the following CLI syntax:
      config log gui
          set log-device forticloud
      end
- FortiCloud activation on Web-based Manager for FG-600C and FG-800C.


FortiOS Carrier
This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release
12 build 0656.

Supported models
FortiOS Carrier v4.0 MR3 Patch Release 12 supports the following models.

FortiCarrier
FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001, FCR-5001A, FCR-5001B, FCR-5001FA2,
and FCR-5005FA2.
Firmware image filenames begin with FK.
See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR3.


Special Notices
TFTP boot process
The TFTP boot process erases all current firewall configuration and replaces it with the factory
default settings.

Monitor settings for Web-based Manager access


Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for
all the objects in the Web-based Manager to be viewed properly.

Before any upgrade


Save a copy of your FortiGate unit configuration prior to upgrading. To back up your FortiGate
unit configuration, go to System > Dashboard > Status. On the System Information widget, select
Backup under System Configuration. Save the configuration file to your local hard drive.

After any upgrade


If you are using the Web-based Manager, clear your browser cache before logging in to the
FortiGate to ensure the Web-based Manager screens are displayed properly.
The virus and attack definitions included with an image upgrade may be older than ones
currently available from the FortiGuard Distribution Server. Fortinet recommends performing an
Update Now (System > Config > FortiGuard > Antivirus and IPS Options) after upgrading.
Consult the FortiOS 4.0 MR3 Handbook or FortiOS Carrier 4.0 MR3 Handbook for detailed
procedures.

FortiGate 1240B upgrade and downgrade limitations


With the release of FortiOS v4.0 MR3 Patch Release 2 and later, the FortiGate 1240B will run a
64-bit version of FortiOS. This has introduced certain limitations on upgrading firmware in a high
availability (HA) environment and downgrading.
When performing an upgrade from a 32-bit FortiOS version to a 64-bit FortiOS version and the
FortiGate 1240Bs are running in an HA environment with the uninterruptable-upgrade
option enabled, the upgrade process may fail on the primary device after the subordinate
devices have been successfully upgraded. To work around this situation, users may disable the
option to allow all HA members to be successfully upgraded. Without the feature enabled,
several minutes of service unavailability should be expected.
Downgrading a FortiGate 1240B from FortiOS v4.0 MR3 Patch Release 2 is not supported due
to technical limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to
downgrade firmware is by using the TFTP server and BIOS menu to perform the downgrade. In
this case the configuration will need to be restored from a previously backed up version.


Upgrade Information
Upgrading from FortiOS v4.0 MR3
FortiOS v4.0 MR3 Patch Release 12 build 0656 officially supports upgrade from FortiOS v4.0
MR3 Patch Release 11.

Please review the Special Notices, Product Integration and Support, Known Issues, and
Limitations chapters prior to upgrading. For more information on upgrading your FortiOS
device, see the FortiOS 4.0 MR3 Handbook at http://docs.fortinet.com.

Disk logging
For optimal performance of your FortiGate unit, disk logging will be disabled during upgrade to
FortiOS v4.0 MR3 Patch Release 12. Fortinet recommends you enable logging to FAMS
(FortiCloud) on this unit to use the extended logging and reporting capabilities. This change
affects the following models:
FG-20C, FWF-20C
FG-20C-ADSL-A, FWF-20C-ADSL-A
FG-40C, FWF-40C
FG-60C, FWF-60C, FG-60C-POE, FWF-60CM, FWF-60CX-ADSL-A
FG-80C, FWF-80C, FG-80CM, FWF-80CM
FG-100D (PN: P09340-04 or earlier)
FG-300C (PN: P09616-04 or earlier)
FG-200B without SSD installed
A limitation in the code specific to the FG-80C, FG-80CM, FWF-80C, and FWF-80CM prevents
a message from being displayed warning users that disk logging has been disabled upon
upgrading to FortiOS v4.0 MR3 Patch Release 12. If you were using FortiCloud prior to
upgrading, the settings are retained and the service continues to operate.

Historical reports upgrade limitation


For the following units, historical reports from previous builds will not be retained after
upgrading to FortiOS v4.0 MR3 Patch Release 12:
FG-20C, FWF-20C
FG-40C, FWF-40C
FG-60C, FWF-60C
FG-80C
FWF-60CM
FWF-60CX-ADSL-A
FWF-81CM


Workaround: Download the historical reports to a local hard drive before performing the
upgrade.

SQL logging upgrade limitation


For the following units, after upgrading to FortiOS v4.0 MR3 Patch Release 12, SQL logs will
be retained based on the total size of the RAM available on the device. Logs will use up to a
maximum of 10% of the device's RAM; once that threshold is passed, new logs will start
to overwrite the older logs. Historical report generation will also be affected, because it
depends on the SQL logs that are available for query.
FG-100D
FG-300C

FortiGate 100D
FortiOS v4.0 MR3 Patch Release 12 supports the FortiGate 100D platform. Included with this
model is a special purpose management port that operates on its own virtual domain (VDOM).
An issue exists with this feature whereby FortiCare registration fails when initiated from the
FortiGate device if this port is connected to the Internet and thus FortiGuard and FortiCare.
Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR2
Patch Release 12 or later does not switch the management VDOM. You must change the
management VDOM from the default setting to the root VDOM.
To do this, use the following CLI commands:
config system global
set management-vdom root
end
end

FortiGate 3240C
FortiOS v4.0 MR3 Patch Release 12 build 6901 for the FortiGate 3240C officially supports
upgrade from FortiOS v4.0 MR3 Patch Release 6 build 4231.

Upgrading from FortiOS v4.0 MR2


Please upgrade to the latest FortiOS v4.0 MR2 patch release prior to upgrading to v4.0 MR3
Patch Release 12. For more information, see the respective FortiOS v4.0 MR2 Patch Release
Notes.

Please review the Special Notices, Product Integration and Support, Known Issues, and
Limitations chapters prior to upgrading. For more information on upgrading your FortiOS
device, see the FortiOS 4.0 MR3 Handbook at http://docs.fortinet.com.

DDNS
DDNS configurations under interface are moved to global mode config system ddns
after upgrading.


DNS server
The dns-query recursive/non-recursive option under specific interfaces is moved to
the system level per VDOM mode, and config system dns-server can be used to
configure the option after upgrading.

Ping server
The gwdetect related configurations under specific interfaces are moved under router per
VDOM mode and config router gwdetect can be used to configure the option after
upgrading.

Central management
The set auto-backup disable and set authorized-manager-only enable
configurations under config system central-management are removed after upgrading.

SNMP community
A 32-bit network mask will be added to an IP address of SNMP host after upgrading.

Modem settings
The wireless-custom-vendor-id and wireless-custom-product-id are moved from
config system modem to config system 3g-modem custom after upgrading.

AMC slot settings


The default value of ips-weight under config system amc-slot will be changed from
balanced to less-fw after upgrading.

Wireless radio settings


Wireless radio settings, excluding SSID, Security Mode, and authentication settings, will be lost
after upgrading.

Web filter overrides


The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch
Release 4 build 0313 to FortiOS v4.0 MR2 Patch Release 14.

Firewall policy settings


If the source interface or destination interface is set as the amc-XXX interface, the default value
of ips-sensor under config firewall policy is changed from all_default to
default after upgrading.

URL filter
The action options in the urlfilter configuration have been changed from Allow, Pass,
Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action will not
generate a log entry in FortiOS v4 MR3 Patch Release 1 and later. The Monitor action will act
as the function that allows log reporting. The Pass action in FortiOS v4.0 MR2 has been merged
with Exempt in FortiOS v4.0 MR3 Patch Release 1 and the CLI command has been changed
from set action pass to set exempt pass.

FortiGuard log filter


The settings of config log fortiguard filter are removed after upgrading.

FortiGuard log setting


The options quotafull and use-hdd in config log fortiguard setting are removed
upon upgrading.
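
A pre-upgrade check for the MR2 changes listed above, as an added example (not Fortinet code): it walks a configuration backup and flags settings these notes say are removed, moved, or logged differently after upgrading. The sample backup is constructed; the block name config webfilter urlfilter, its nested entries layout, and all sample values are assumptions not taken from this document.

```python
import shlex

# (config block, setting or None for any, value or None for any, effect per these notes)
RULES = [
    ("system central-management", "auto-backup", "disable", "removed after upgrading"),
    ("system central-management", "authorized-manager-only", "enable", "removed after upgrading"),
    ("log fortiguard filter", None, None, "settings removed after upgrading"),
    ("log fortiguard setting", "quotafull", None, "option removed upon upgrading"),
    ("log fortiguard setting", "use-hdd", None, "option removed upon upgrading"),
    ("system modem", "wireless-custom-vendor-id", None, "moved to config system 3g-modem custom"),
    ("system modem", "wireless-custom-product-id", None, "moved to config system 3g-modem custom"),
    # Block matched by suffix; "webfilter urlfilter" in the sample is an assumption.
    ("urlfilter", "action", "pass", "Pass is merged with Exempt in MR3"),
    ("urlfilter", "action", "allow", "Allow stops generating log entries; Monitor is the logging action"),
]

# Constructed sample backup (not from a real device).
SAMPLE_CONFIG = """\
config system central-management
    set auto-backup disable
    set authorized-manager-only enable
    set type fortimanager
end
config log fortiguard setting
    set status enable
    set quotafull overwrite
end
config webfilter urlfilter
    edit 1
        set name "corp-filter"
        config entries
            edit "intranet.example.com"
                set action pass
            next
            edit "partner.example.com"
                set action allow
            next
            edit "bad.example.net"
                set action block
            next
        end
    next
end
config system modem
    set wireless-custom-vendor-id 0x12d1
end
"""


def audit(config_text):
    """Return (line number, block path, setting, effect) for every affected setting."""
    findings = []
    stack = []  # nesting of ("config", name) and ("edit", id) frames
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quote (multi-line value); none of the audited settings
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(("config", " ".join(args)))
        elif keyword == "edit":
            stack.append(("edit", " ".join(args)))
        elif keyword == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif keyword == "end":
            # "end" may close an edit that was never closed with "next"
            while stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif keyword == "set" and args:
            blocks = [name for kind, name in stack if kind == "config"]
            name, value = args[0], " ".join(args[1:])
            for block, setting, wanted, effect in RULES:
                if (any(b.endswith(block) for b in blocks)
                        and setting in (None, name) and wanted in (None, value)):
                    findings.append((lineno, " / ".join(blocks), f"{name} {value}", effect))
    return findings


if __name__ == "__main__":
    for lineno, path, setting, effect in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: [{path}] set {setting} -> {effect}")
```

URL filter entries flagged for Allow are the ones to review first, since they stop producing log entries after the upgrade unless switched to Monitor.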

Downgrading to previous FortiOS versions


Downgrading to previous FortiOS versions results in configuration loss on all models. Only the
following settings are retained:
operation modes
interface IP/management IP
route static table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system access profiles.


Product Integration and Support


Web browser support
FortiOS v4.0 MR3 Patch Release 12 supports the following web browsers:
Microsoft Internet Explorer versions 8 and 9
Mozilla Firefox versions 15, 16, and 17
Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager support
FortiOS v4.0 MR3 Patch Release 12 is supported by FortiManager v4.0 MR3 Patch Release 7 or
later.

FortiAnalyzer support
FortiOS v4.0 MR3 Patch Release 12 is supported by FortiAnalyzer v4.0 MR3 Patch Release 6 or
later.
If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to
FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function
correctly with FortiOS v4.0 MR3 Patch Release 12.

FortiClient support
FortiOS v4.0 MR3 Patch Release 12 is fully compatible with FortiClient v4.0 MR2 Patch Release
8 or later and FortiClient v4.0 MR3 Patch Release 5 or later for the following operating systems:
Microsoft Windows 7 (32-bit & 64-bit)
Microsoft Windows Vista (32-bit & 64-bit)
Microsoft Windows XP (32-bit)
Other operating systems may function correctly, but are not supported by Fortinet.

FortiAP support
FortiOS v4.0 MR3 Patch Release 12 supports the following FortiAP models:
FAP-112B, FAP-210B, FAP-220A, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and
FAP-320B
The FortiAP devices must be running FortiAP v4.0 MR3 Patch Release 9 or later.


Virtualization software support


FortiOS v4.0 MR3 Patch Release 12 supports the following virtualization software:
VMware ESX/ESXi versions 4.0, 4.1, 5.0 and 5.1
Citrix XenServer 5.6 Service Pack 2 and 6.0
Open Source Xen 3.4.3 and 4.1
See Limitations on page 32 for more information.

Fortinet Single Sign-On (FSSO) support


FortiOS v4.0 MR3 Patch Release 12 is supported by FSSO v4.0 MR3 build 0129 for the
following:
Microsoft Windows Server 2012 Standard Edition
Microsoft Windows Server 2008 32-bit
Microsoft Windows Server 2008 64-bit
Microsoft Windows Server 2008 R2 64-bit
Microsoft Windows Server 2003 R2 32-bit
Microsoft Windows Server 2003 R2 64-bit
Novell eDirectory 8.8
FSSO does not currently support IPv6.
Other server environments may function correctly, but are not supported by Fortinet.

FortiExplorer support (Microsoft Windows/Mac OS X)


FortiOS v4.0 MR3 Patch Release 12 is supported by FortiExplorer v2.0.1022 or later.

AV Engine and IPS Engine support


FortiOS v4.0 MR3 Patch Release 12 is supported by AV Engine v4.398 and IPS Engine v2.127
or later.


Language support
The following table lists FortiOS language support information.
Table 1: FortiOS language support
Language                 Web-based Manager    Documentation
English
French
Portuguese (Brazil)
Spanish (Spain)
Korean
Chinese (Simplified)
Chinese (Traditional)
Japanese

To change the FortiGate language setting, go to System > Admin > Settings. Under View Settings >
Language, select the desired language from the drop-down menu.

Module support
FortiOS v4.0 MR3 Patch Release 12 supports Advanced Mezzanine Card (AMC), Fortinet
Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage Module (FSM)
removable modules. These modules are not hot swappable. The FortiGate unit must be turned
off before a module is inserted or removed.
The following table lists supported modules and FortiGate models.
Table 2: Supported modules and FortiGate models

AMC/FMC/FSM/RTM Modules
    FortiGate Model

Storage Module: 500GB HDD Single-Width AMC (ASM-S08)
    FG-310B, FG-620B, FG-621B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Storage Module: 64GB SSD Fortinet Storage Module (FSM-064)
    FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Accelerated Interface Module: 4xSFP Single-Width AMC (ASM-FB4)
    FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Accelerated Interface Module: 2x10-GbE XFP Double-Width AMC (ADM-XB2)
    FG-3810A, FG-5001A-DW
Accelerated Interface Module: 8xSFP Double-Width AMC (ADM-FB8)
    FG-3810A, FG-5001A-DW
Bypass Module: 2x1000 Base-SX Single-Width AMC (ASM-FX2)
    FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Bypass Module: 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4)
    FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW
Security Processing Module: 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4)
    FG-1240B, FG-3810A, FG-3016B, FG-5001A-SW
Security Processing Module: 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2)
    FG-3810A, FG-5001A-DW
Security Processing Module: 4x10-GbE SFP+ Double-Width AMC (ADM-XD4)
    FG-3810A, FG-5001A-DW
Security Processing Module: 8xSFP SP2 Double-Width AMC (ADM-FE8)
    FG-3810A
Rear Transition Module: 10-GbE backplane fabric (RTM-XD2)
    FG-5001A-DW
Security Processing Module (ASM-ET4)
    FG-310B, FG-311B
Rear Transition Module: 10-GbE backplane fabric (RTM-XB2)
    FG-5001A-DW
Security Processing Module: 2x10-GbE SFP+ (FMC-XG2)
    FG-3950B, FG-3951B
Accelerated Interface Module: 2x10-GbE SFP+ (FMC-XD2)
    FG-3950B, FG-3951B
Accelerated Interface Module: 20xSFP (FMC-F20)
    FG-3950B, FG-3951B
Accelerated Interface Module: 20x10/100/1000 (FMC-C20)
    FG-3950B, FG-3951B
Security Processing Module (FMC-XH0)
    FG-3950B


SSL VPN support


SSL VPN standalone client
FortiOS v4.0 MR3 Patch Release 12 supports the SSL VPN tunnel client standalone installer
build 2281 for the following:
Microsoft Windows XP, Windows 7, and Windows 8 in .exe and .msi format
Linux CentOS and Ubuntu in .tar.gz format
Virtual Desktop in .jar format for Microsoft Windows 7
Mac OS X v10.7 Lion in .dmg format.
Table 3: Supported operating systems

Operating System Support
    Microsoft Windows 8 64-bit
    Microsoft Windows 7 32-bit SP1
    Microsoft Windows 7 64-bit SP1
    Microsoft Windows XP 32-bit SP3
    Linux CentOS 5.6
    Ubuntu 12.0.4
    Mac OS X v10.7 Lion

Virtual Desktop Support
    Microsoft Windows 7 32-bit SP1

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode


The following web browsers are supported by FortiOS v4.0 MR3 Patch Release 12 for the SSL
VPN web mode feature:
Microsoft Internet Explorer versions 8 and 9
Mozilla Firefox version 18
Apple Safari version 6
Other web browsers may function correctly, but are not supported by Fortinet.


SSL VPN host compatibility list


The following tables list the antivirus and firewall client software packages that are supported.
Table 4: Supported Microsoft Windows XP antivirus and firewall software
Product                                  Antivirus    Firewall
Symantec Endpoint Protection v11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 5: Supported Microsoft Windows 7 32-bit antivirus and firewall software


Product    Antivirus    Firewall
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
CA Internet Security Suite Plus Software
AVG Internet Security 2011


Table 6: Supported Microsoft Windows 7 64-bit antivirus and firewall software


Product    Antivirus    Firewall
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360 Version 4.0
Norton Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
CA Internet Security Suite Plus Software
AVG Internet Security 2011

Explicit web proxy browser support


The following web browsers are supported on FortiOS v4.0 MR3 Patch Release 12 for the
explicit web proxy feature:
Microsoft Internet Explorer versions 8 and 9
Mozilla Firefox versions 17 and 18
Other web browsers may function correctly, but are not supported by Fortinet.


Resolved Issues
The resolved issues tables listed below do not list every bug that has been corrected with
FortiOS v4.0 MR3 Patch Release 12 build 0656. For inquiries about a particular bug, please
contact Customer Service & Support.

Antivirus
Table 7: Resolved antivirus issues
Bug ID    Description
181320    The av-failopen setting will cause the FortiGate not to scan any traffic when booting up.

Data Leak Prevention


Table 8: Resolved data leak prevention issues
Bug ID    Description
178125    The SMTP body filter prevents a banned/blocked word from passing through the firewall in an SMTP message.
179575    FTP DLP rules are affecting FTPS; FTPS rules have no effect.
180010    The Samba client daemon only starts when the FortiGate is configured in NAT mode; transparent mode connections to Samba fail.

Email Filter
Table 9: Resolved email filter issues

Bug ID    Description
154340    The proxyworker process crashes with signal 7 errors on emails.
170139    The antispam ASE caused the scanunitd daemon to crash.
174190    scanunitd daemon usage issue, CPU is at 99% until aborted by the alarm clock when parsing a specific email.
174918    Arabic mixed with non-Arabic font for email attachments are not inspected. The MIME parser is not correctly decoding.
184017    The scanunitd daemon crashed.

Firewall
Table 10: Resolved firewall issues
Bug ID    Description
151096    LDAPS authenticated user was unexpectedly cached.
156828    FTP upload traffic does not work when antivirus scanning is enabled.
161883    IM cannot block file transfer by MSN 2011 on Windows 7 with block-file enabled.
178932    Problems when enabling the SCCP VoIP profile.
184375    Uploads are interrupted by FortiGate devices with the load balancer feature enabled.
184809, 190973    VSD process usage issue, high CPU.
187549    DCE-RPC high ports not allowed when using Microsoft System Center Operations Manager (SCOM) 2012.
189828    RADIUS accounting should include extra fields (NAS IP Address/Framed IP Address/Called Station ID/Timestamp).
192195    Traffic is dropped by the NP4 processor with the traffic shaping feature enabled.
193096    VSD daemon crashes while handling 50 concurrent sessions.
193099    VSD daemon stops handling connections and CPU usage is at 99%.
193497    Some IPv6 sessions cannot be displayed when using the CLI command diagnose system session6 list.

FortiCarrier
Table 11: Resolved FortiCarrier issues
Bug ID    Description
188169    Mass MMS communication sockets are not removed after use.

FortiGate VM
Table 12: Resolved FortiGate VM issues

Bug ID    Description
186173    The Fortigate-VM64.hw07.vmxnet2.ovf and Fortigate-VM.hw07_vmxnet2.ovf VM versions cannot support HA.

High Availability
Table 13: Resolved high availability issues
Bug ID    Description
156040    Redundant HA in-sync log messages.
174187    FortiGate slave experiences a cw_acd and cmdbsvr crash when synchronizing configuration; attempts to access VDOM settings before the VDOM is created.
184052    High latency and sessions being dropped during HA failover (active-active).
185272    When displaying a log message in a slave event log, the slave clock is adjusted to an invalid time.
186053    All heartbeat links fail simultaneously, triggered by traffic.
186520    HA configuration synchronization fails.
188912    Devices cannot get updates when configured in HA.
190237    Changing firewall policy attributes does not cause the checksum to change.
190567    Blades becoming unresponsive in a four blade active-active cluster.
192178    HA master fails to remove the slave's VLAN interface and IPsec VPN interface which results in IPsec VPN failures.
194610    A FortiGate slave will fail to send logs to FortiAnalyzer if the management VDOM ID on the master and slave is different.

IPsec VPN
Table 14: Resolved IPsec VPN issues

Bug ID    Description
178665    L2TP over IPsec client cannot ping to the internal network if the FortiGate has a PPPoE WAN connection.
180980    Unable to get an IP address via L2TP over IPsec tunnel when using Chrome OS.
182017    A FortiGate PPTP client using PAP fails.
182910    The IPsec monitor shows the wrong user name for a dialup VPN with RSA aggressive mode.
183382    Invalid ESP packets are regularly generated.
190405    IKEv2 DPD failure which brings down the tunnel when the peer was still reachable.
190598    IPsec hub and spoke issue when the session is not NP offloaded.
193049    Invalid ESP errors for dialup clients.

Logging and Reporting


Table 15: Resolved logging and reporting issues
Bug ID    Description
153422    The IPv6 traffic log sent to a syslog server does not match the log in memory.
177175    Incorrect value for source interface field in a traffic log file for denied traffic.
177242    Filter log by time field, improperly affected time zone setting.
177399    The attack ID for IM/P2P applications is displayed incorrectly in the log as 0.
182615    IP address range filter does not work properly.
183538    FortiGate does not send cpu-memory-usage log to a FortiAnalyzer after restoring a backup configuration.
186797    Miglogd daemon usage issue, high CPU when syslogd2 server is defined.
186918    Alertmail shows Failed to send alert email in logs, but the message has actually been sent.
191663    The vpn.Last10.User.SSL.Login and vpn.Top10.User.SSL.Volume.last24h reports do not show correct information or the report is empty.
191687    Configuration change events are not forwarded to the syslog server.
192869    Under certain conditions the fdslogd daemon can over utilize CPU resources.

Routing
Table 16: Resolved routing issues
Bug ID    Description
185808    PIM-SSM multicast stream is pruned while other IGMPv3 receivers are still present.
193990    The AS-CONFED-SEQ attribute is incorrectly sent when using route-map to prepend as-path.

SSL VPN
Table 17: Resolved SSL VPN issues

Bug ID    Description
180878    Incorrect traffic statistics are displayed in SSL VPN tunnel mode on Windows 8.
182464    The SSL VPN tunnel widget does not work in the web mode portal using Internet Explorer version 10 on Windows 8.
183019    In Windows Active Directory protocol, the attribute memberOf does not include the primary group, although it is considered as a user's super-group. If the customer specifies this primary group as the match condition, the authentication will fail.
184140    The RDP login screen is not displayed in full screen mode with SSL VPN in web mode.
184522    Failed to access an SSL VPN bookmark on the Web-based Manager.
188139    An error message is displayed when a user logs in to a web mode SSL VPN with PKI enabled.
189680    An SSL VPN portal with a 4096-bit RSA key size refuses the connection.
189800    Unable to connect to an SSL VPN unless using FortiClient v5.00.
191068    An SSL VPN could not be accessed for a newly created VDOM.
191278    The FortiGate SSL VPN web portal will display an error message when editing or creating an entry on an OWA email server calendar.
191672    OA page is incorrectly displayed in SSL VPN web proxy mode.
192344    Cross site scripting vulnerability on the SSL VPN portal.
193651    The SSL VPN daemon crashes when accessing a Citrix server in web mode.

System
Table 18: Resolved system issues

Bug ID    Description
161876    The FG-600C gets a power supply 2 failure event log error when the optional power supply is not installed.
173548    Streaming query changes query VDOM to the current VDOM; cmdbsvr process will crash if the VDOM is invalid.
175326    FortiGate responds to ARP requests on 192.168.0.1 on the MGMT1 interface.
176202    The VLAN interface is missing after a reboot.
178545    The average network usage is displayed incorrectly with XH0 modules.
183013    The field list cache being used for filtering log is not cleared after each log is matched.
183191    The link change indicator from hardware link scan is not stable and can sometimes be a false indicator.
183983    Oversized ICMPv6 packets are being scanned and dropped.
184206    Russian FSTEK certification requirement for image checksum.
184314    Add/remove of a physical interface to 802.3ad aggregation brings the aggregate port down.
184932    Unable to administratively bring down or bring up a tunnel interface via the CLI under config global.
185315    System hangs while console printed NMI watchdog messages.
185606    There is an SNMP problem when using 250 VDOMs.
186169    FG-5001A CPUs are not properly load-balanced.
186523    FortiToken activation fails on particular FortiGuard Distribution Servers (FDS).
187519    The speed LED on a shared NIC port is not lit on the FG-800C.
187878    Removing the secondary IP disconnects the admin session.
188544    The diagnose sys session6 filter CLI command shows src twice.
188772    The diagnose system top CLI command for CPU usage is not correct.
189061    Dedicated sniffer mode > scheduled updates does not work.
189120    For IPv6 traffic, NP4 does not support load balancing to four host queues and it is always sent to queue 0.
189304    Using the administrative status to bring down a port on a FG-1000C causes the system to hang.
190016    Memory leak in the NP4/XLR/XLIP IPsec installation routine.
190142    A VLAN interface responds even though it is administratively down.
190160    A FG-3950B with sp-load-balance mode enabled only passed 1/3 of SP2 traffic as the other two host channels were down.
190797    Configuration changes cannot be pushed to the controller daemon.
190829    RADIUS SSH authentication on a FG-100D one-arm IDS fails.
190990    The system crashed with an ehci_hcd fatal error message.
191112    Failed to import CRL which had expiry date after 2038.
191119    XLP driver issue that could cause the FG-5101C to crash with a kernel panic.
191231    System does not write the configuration to flash.
192347    Session is dropped unexpectedly with NP4 IPsec offloading.
192360    Memory statistics are incorrectly displayed in the CLI command diagnose system top.
193169    ntpd daemon usage issue, CPU is at 99%.
195097    Does not print the RADIUS authentication initial process message.
195168    Allow users to switch FortiCloud accounts.
195753    cw_acd daemon memory leak issue occurs.

Upgrade
Table 19: Resolved upgrade issues
Bug ID    Description
180537    Web pages reset after upgrading cluster to FortiOS v4.0 MR3 Patch Release 9 using TMG proxy.
190671    ASpath-list regex entry does not work after upgrading to build 0646.

WAN Optimization and Web Proxy


Table 20: Resolved WAN Optimization and Web Proxy issues
Bug ID    Description
181009    Nested groups break web/FTP explicit proxy.
190746    The WAD daemon crashes for HTTP .09 traffic if DLP scan is enabled.
190968    There is a WAD memory leak (default_cmem_object) after enabling HTTP WAN Optimization.

Web-based Manager
Table 21: Resolved Web-based Manager issues
Bug ID    Description
150041    Signature entry in IPS sensor does not display the rule name.
156340    SSL renegotiation DoS attack for HTTPS.
174917    Unable to see archived IM messages in Log & Archive Access - IM Archive Access.
189029    No FortiToken is listed in the Web-based Manager when editing an administrator with remote authentication enabled.
190694    Policy items are not displayed when accessing the FortiGate through an SSL VPN portal.
191509    Allow the web filtering custom category to be disabled per-profile in the Web-based Manager.

Web Filter
Table 22: Resolved web filter issues

Bug ID    Description
135343    FortiGuard quota counter is incremented even though the session is closed.
178127    Web filter block failures for specially crafted packets.
179265    CN based HTTPS web URL filtering does not work well on an external proxy environment, when exempt is configured.
188607    FortiGuard service is intermittently unavailable. Restarting the urlfilter process is required to recover.
189987    HTTPS redirect to proxy issue with safe search enabled.
191120    The option to allow websites when a rating error occurs does not work as expected.

Wireless
Table 23: Resolved wireless issues

Bug ID    Description
131373, 186562    Wireless AP does not work if the physical WLAN is set to WPA2.
169666    Change wireless channel generation method, and introduce the addition of country code for wireless controller's wtp-profile.
177422    WiFi issue with HP tablet related to 802.11n MSDU frame aggregation.
183807    Multiple enhancements for supporting a large number of FortiAPs and wireless client connection fixes.
192789    A phone hot-spot could be detected as a rogue-ap-on-wire, rogue-ap-detected, or rogue-ap-off-air when the hot-spot is disabled and the phone user is using the WiFi client.

Known Issues
The known issues tables listed below do not list every bug that has been reported with FortiOS
v4.0 MR3 Patch Release 12 build 0656. For inquiries about a particular bug or to report a bug,
please contact Customer Service & Support.

Firewall
Table 24: Known firewall issues
Bug ID    Description
194548    Issues with source and destination subnet translation when using virtual IP range and IP pool.

IPsec VPN
Table 25: Known IPsec VPN issues
Bug ID    Description
198417    IPsec connections traversing an NP interface may fail and cause the FortiGate device to hang.

Logging and Reporting


Table 26: Known logging and reporting issues
Bug ID    Description
183778    FortiGate is not populating the interface-policy field into DoS logs.
195724    When browsing the traffic log the page failed to load.

SSL VPN
Table 27: Known SSL VPN issues
Bug ID    Description
179445    Unable to connect to Citrix application through SSL VPN on Windows 7 Enterprise.

VoIP
Table 28: Known VoIP issues

Bug ID    Description
195540    No audio for an incoming call forwarded to an internal extension which is then forwarded to an outside number.

Web-based Manager
Table 29: Known Web-based Manager issues
Bug ID    Description
196235    The System Information widget has a Details link which displays a list of firmware. Upgrading or downgrading the firmware from this page displays an Access denied error message. Workaround: Use the Update link in the System Information widget or update the firmware using the CLI.
196962    Installing a new license file for a FG-VM displays an Access denied error message. Workaround: Rebooting the system once prevents the error message from being displayed a second time.
198883    Interface zone names or firewall addresses that have an ampersand (&) character may not be viewable in the Web-based Manager.

Limitations
This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 12 build 0656.

Citrix Xen server limitations


The following limitations apply to Citrix XenServer installations:
XenTools installation is not supported.
FortiGate VM can be imported or deployed in only the following three formats:
XVA (recommended)
VHD
OVF
The XVA format comes pre-configured with default configurations for VM name, virtual CPU,
memory, and virtual NIC. Other formats will require manual configuration before the first
power on process.

Open source Xen limitations


When using Ubuntu 11.10, Xen 4.1.0, and libvirt 0.9.2, importing issues may arise when using
the QCOW2 format and existing HDA issues.


Image Checksum
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After logging in,
click on Download > Firmware Image Checksum, enter the image file name including the extension,
and select Get Checksum Code.
Figure 1: Firmware image checksum tool


Appendix A: FortiGate VM
FortiGate VM model information
The following table provides a detailed summary on FortiGate VM models.
Table 30: FortiGate VM model information
Technical Specification: FGVM-00; FGVM-01; FGVM-02; FGVM-04; FGVM-08
Hypervisor Support: VMware ESX / ESXi versions 4.0, 4.1, 5.0, and 5.1; Citrix XenServer versions 5.6 SP2 and 6.0; Open Source Xen versions 3.4.3 and 4.1
Virtual CPU (Min / Max): 1 / 1; 1 / 1; 1 / 2; 1 / 4; 1 / 8
Virtual Network Interfaces (Min / Max): 2 / 10
Memory Support (Min / Max): 512 MB / 512 MB; 512 MB / 1 GB; 512 MB / 3 GB; 512 MB / 4 GB; 512 MB / 12 GB
Storage Support (Min / Max): 30 GB / 2 TB
VDOM Support (Default / Max): 10 / 10; 10 / 25; 10 / 50; 10 / 250
Wireless Access Points Controlled: 32; 256; 512; 512; 1,024
HA Support: Yes

For more information see the FortiGate VM product datasheet available on the Fortinet web site,
http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-VM01.pdf.


FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for both VMware and Xen VM environments.

VMware
.out: Download either the 32-bit or 64-bit firmware image to upgrade your existing
FortiGate VM installation.
ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation.
This package contains Open Virtualization Format (OVF) files for VMware and two Virtual
Machine Disk Format (VMDK) files used by the OVF file during deployment.

Xen
.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This
package contains the QCOW2 file for Open Source Xen.
.out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This
package contains the Citrix Xen Virtual Appliance (XVA) and Virtual Hard Disk (VHD) files.
