Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com
Table of Contents
Change Log
Introduction
    Supported models
        FortiGate
        FortiWiFi
        FortiGate VM
        FortiSwitch
FortiOS Carrier
    Supported models
        FortiCarrier
Resolved Issues
    Antivirus
    Data Leak Prevention
    Email Filter
    Firewall
    FortiCarrier
    FortiGate VM
    High Availability
    IPsec VPN
    Logging and Reporting
    Routing
    SSL VPN
    System
    Upgrade
    WAN Optimization and Web Proxy
    Web-based Manager
    Web Filter
    Wireless
Known Issues
    Firewall
    IPsec VPN
    Logging and Reporting
    SSL VPN
    VoIP
    Web-based Manager
Limitations
    Citrix Xen server limitations
    Open source Xen limitations
Image Checksum
Appendix A: FortiGate VM
    FortiGate VM model information
    FortiGate VM firmware
Change Log
Date | Change Description
2013-02-12 | Initial release.
2013-02-18 |
2013-02-21 |
2013-02-26 |
2013-03-14 | Corrected resolved issue bug ID. Added bug ID 198417 to known issues chapter.
2013-03-19 |
2013-04-02 |
2013-04-15 |
2013-04-29 |
2013-05-13 |
Introduction
This document provides a summary of enhancements, support information, installation
instructions, integration, resolved and known issues in FortiOS v4.0 MR3 Patch Release 12
build 0656.
Supported models
FortiOS v4.0 MR3 Patch Release 12 supports the following models.
FortiGate
FG-20C, FG-20C-ADSL-A, FG-30B, FG-40C, FG-50B, FG-51B, FG-60B, FG-60C,
FG-60C-POE, FG-80C, FG-80CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A,
FG-200B, FG-200B-POE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B,
FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800C, FG-800F,
FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B,
FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A,
FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FG-5101C, and FG-ONE.
FG-3240C
This model is released on a special branch based off of FortiOS v4.0 MR3 Patch Release 12. As
such, the build number found in the System > Dashboard > Status page and the output from the
get system status CLI command displays 6901 as the build number.
To confirm that you are running the proper build, the output from the get system status CLI
command has a Branch point field that should read 0656.
FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-30B, FWF-40C, FWF-50B, FWF-60B, FWF-60C,
FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.
FortiGate VM
FG-VM32 and FG-VM64.
FG-VM64-XEN
This model is released on a special branch based off of FortiOS v4.0 MR3 Patch Release 12. As
such, the build number found in the System > Dashboard > Status page and the output from the
get system status CLI command displays 5924 as the build number.
To confirm that you are running the proper build, the output from the get system status CLI
command has a Branch point field that should read 0656.
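The build confirmation described for the FG-3240C and FG-VM64-XEN, as an added example that is not part of the original release notes: the script checks captured get system status output against the build numbers stated above. The sample output is constructed, and the layout of the Version line is an assumption; the Branch point field name comes from the text.

```python
import re

# Numbers taken from the release notes above.
STANDARD_BUILD = 656            # "build 0656"
BRANCH_POINT = 656              # Branch point field "should read 0656"
SPECIAL_BRANCH_BUILDS = {       # models released on a special branch
    "FG-3240C": 6901,
    "FG-VM64-XEN": 5924,
}

# Constructed sample of captured CLI output (not taken from a real device).
# Assumption: the Version line carries the build as "build<digits>".
SAMPLE_FG3240C = """\
Version: FortiGate-3240C v4.0,build6901,130212 (MR3 Patch 12)
Branch point: 656
"""


def parse_status(text):
    """Return (build, branch_point) as ints; a field that is absent is None."""
    build = branch = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        if key == "version":
            match = re.search(r"\bbuild\s*(\d+)", value, re.IGNORECASE)
            if match:
                build = int(match.group(1))
        elif key == "branch point":
            match = re.fullmatch(r"\s*(\d+)\s*", value)
            if match:
                # int() makes "0656" and "656" compare equal.
                branch = int(match.group(1))
    return build, branch


def check_patch12(text, model=None):
    """List mismatches against Patch Release 12; an empty list means it matches."""
    build, branch = parse_status(text)
    expected_build = SPECIAL_BRANCH_BUILDS.get(model, STANDARD_BUILD)
    problems = []
    if build is None:
        problems.append("no build number found on the Version line")
    elif build != expected_build:
        problems.append(f"build is {build:04d}, expected {expected_build:04d}")
    if branch is None:
        problems.append("no Branch point field found")
    elif branch != BRANCH_POINT:
        problems.append(f"branch point is {branch:04d}, expected {BRANCH_POINT:04d}")
    return problems


if __name__ == "__main__":
    result = check_patch12(SAMPLE_FG3240C, "FG-3240C")
    for issue in result or ["matches Patch Release 12"]:
        print(issue)
```

Passing no model checks against the standard build 0656, so a special-branch unit checked without its model name is reported as a mismatch rather than silently accepted.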
FortiSwitch
FS-5203B.
See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR3.
Summary of enhancements
The following is a list of enhancements in FortiOS v4.0 MR3 Patch Release 12:
- Added a CLI command to set the Skype client public IP addresses used for decrypting
  Skype traffic. The IP addresses are parsed by the IPS engine to decrypt the Skype protocol.
  To configure, use the following CLI syntax:
    config ips global
        set skype-client-public-ipaddr <IP_address,IP_address>
    end
- Added a CLI command to view logs from FortiCloud on the Web-based Manager. To
  configure, use the following CLI syntax:
    config log gui
        set log-device forticloud
    end
- FortiCloud activation on Web-based Manager for FG-600C and FG-800C
FortiOS Carrier
This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release
12 build 0656.
Supported models
FortiOS Carrier v4.0 MR3 Patch Release 12 supports the following models.
FortiCarrier
FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001, FCR-5001A, FCR-5001B, FCR-5001FA2,
and FCR-5005FA2.
Firmware image filenames begin with FK.
See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR3.
Special Notices
TFTP boot process
The TFTP boot process erases all current firewall configuration and replaces it with the factory
default settings.
Upgrade Information
Upgrading from FortiOS v4.0 MR3
FortiOS v4.0 MR3 Patch Release 12 build 0656 officially supports upgrade from FortiOS v4.0
MR3 Patch Release 11.
Please review the Special Notices, Product Integration and Support, Known Issues, and
Limitations chapters prior to upgrading. For more information on upgrading your FortiOS
device, see the FortiOS 4.0 MR3 Handbook at http://docs.fortinet.com.
Disk logging
For optimal performance of your FortiGate unit, disk logging will be disabled during upgrade to
FortiOS v4.0 MR3 Patch Release 12. Fortinet recommends you enable logging to FAMS
(FortiCloud) on this unit to use the extended logging and reporting capabilities. This change
affects the following models:
FG-20C, FWF-20C
FG-20C-ADSL-A, FWF-20C-ADSL-A
FG-40C, FWF-40C
FG-60C, FWF-60C, FG-60C-POE, FWF-60CM, FWF-60CX-ADSL-A
FG-80C, FWF-80C, FG-80CM, FWF-80CM
FG-100D (PN: P09340-04 or earlier)
FG-300C (PN: P09616-04 or earlier)
FG-200B without SSD installed
A limitation in the code specific to the FG-80C, FG-80CM, FWF-80C, and FWF-80CM prevents
a message from being displayed warning users that disk logging has been disabled upon
upgrading to FortiOS v4.0 MR3 Patch Release 12. If you were using FortiCloud prior to
upgrading, the settings are retained and the service continues to operate.
Workaround: Download the historical reports to a local hard drive before performing the
upgrade.
FortiGate 100D
FortiOS v4.0 MR3 Patch Release 12 supports the FortiGate 100D platform. Included with this
model is a special purpose management port that operates on its own virtual domain (VDOM).
An issue exists with this feature whereby FortiCare registration fails when initiated from the
FortiGate device if this port is connected to the Internet and thus FortiGuard and FortiCare.
Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR2
Patch Release 12 or later does not switch the management VDOM. You must change the
management VDOM from the default setting to the root VDOM.
To do this, use the following CLI commands:
config system global
set management-vdom root
end
end
FortiGate 3240C
FortiOS v4.0 MR3 Patch Release 12 build 6901 for the FortiGate 3240C officially supports
upgrade from FortiOS v4.0 MR3 Patch Release 6 build 4231.
Please review the Special Notices, Product Integration and Support, Known Issues, and
Limitations chapters prior to upgrading. For more information on upgrading your FortiOS
device, see the FortiOS 4.0 MR3 Handbook at http://docs.fortinet.com.
DDNS
DDNS configurations under interface are moved to global mode config system ddns
after upgrading.
DNS server
The dns-query recursive/non-recursive options under specific interfaces are moved to
the system level per VDOM mode, and config system dns-server can be used to
configure them after upgrading.
Ping server
The gwdetect related configurations under specific interfaces are moved under router per
VDOM mode and config router gwdetect can be used to configure the option after
upgrading.
Central management
The set auto-backup disable and set authorized-manager-only enable
configurations under config system central-management are removed after upgrading.
SNMP community
A 32-bit network mask will be added to the IP address of an SNMP host after upgrading.
Modem settings
The wireless-custom-vendor-id and wireless-custom-product-id are moved from
config system modem to config system 3g-modem custom after upgrading.
URL filter
The action options in the urlfilter configuration have been changed from Allow, Pass,
Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action will not
generate a log entry in FortiOS v4 MR3 Patch Release 1 and later. The Monitor action will act
as the function that allows log reporting. The Pass action in FortiOS v4.0 MR2 has been merged
with Exempt in FortiOS v4.0 MR3 Patch Release 1 and the CLI command has been changed
from set action pass to set exempt pass.
FortiManager support
FortiOS v4.0 MR3 Patch Release 12 is supported by FortiManager v4.0 MR3 Patch Release 7 or
later.
FortiAnalyzer support
FortiOS v4.0 MR3 Patch Release 12 is supported by FortiAnalyzer v4.0 MR3 Patch Release 6 or
later.
If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to
FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function
correctly with FortiOS v4.0 MR3 Patch Release 12.
FortiClient support
FortiOS v4.0 MR3 Patch Release 12 is fully compatible with FortiClient v4.0 MR2 Patch Release
8 or later and FortiClient v4.0 MR3 Patch Release 5 or later for the following operating systems:
Microsoft Windows 7 (32-bit & 64-bit)
Microsoft Windows Vista (32-bit & 64-bit)
Microsoft Windows XP (32-bit)
Other operating systems may function correctly, but are not supported by Fortinet.
FortiAP support
FortiOS v4.0 MR3 Patch Release 12 supports the following FortiAP models:
FAP-112B, FAP-210B, FAP-220A, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and
FAP-320B
The FortiAP devices must be running FortiAP v4.0 MR3 Patch Release 9 or later.
Language support
The following table lists FortiOS language support information.
Table 1: FortiOS language support
Language
Web-based Manager
Documentation
English
French
Portuguese (Brazil)
Spanish (Spain)
Korean
Chinese (Simplified)
Chinese (Traditional)
Japanese
To change the FortiGate language setting, go to System > Admin > Settings and, under
View Settings > Language, select the desired language from the drop-down menu.
Module support
FortiOS v4.0 MR3 Patch Release 12 supports Advanced Mezzanine Card (AMC), Fortinet
Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage Module (FSM)
removable modules. These modules are not hot swappable. The FortiGate unit must be turned
off before a module is inserted or removed.
The following table lists supported modules and FortiGate models.
Table 2: Supported modules and FortiGate models
AMC/FMC/FSM/RTM Modules
FortiGate Model
Storage Module
500GB HDD Single-Width AMC (ASM-S08)
Storage Module
64GB SSD Fortinet Storage Module (FSM-064)
FG-3810A, FG-5001A-DW
FG-3810A, FG-5001A-DW
Bypass Module
4x10/100/1000 Base-T
Single-Width AMC (ASM-CX4)
FG-3810A, FG-5001A-DW
FG-3810A, FG-5001A-DW
FG-3810A
FG-5001A-DW
FG-310B, FG-311B
FG-5001A-DW
FG-3950B, FG-3951B
FG-3950B, FG-3951B
FG-3950B, FG-3951B
FG-3950B, FG-3951B
FG-3950B
Ubuntu 12.0.4
Antivirus
Firewall
Resolved Issues
The resolved issues tables listed below do not list every bug that has been corrected with
FortiOS v4.0 MR3 Patch Release 12 build 0656. For inquiries about a particular bug, please
contact Customer Service & Support.
Antivirus
Table 7: Resolved antivirus issues
Bug ID | Description
181320 | The av-failopen setting will cause the FortiGate not to scan any traffic when booting up.
Bug ID | Description
178125 | The SMTP body filter prevents a banned/blocked word from passing through the firewall in an SMTP message.
179575 | FTP DLP rules are affecting FTPS; FTPS rules have no effect.
180010 | The Samba client daemon only starts when the FortiGate is configured in NAT mode; transparent mode connections to Samba fail.
Email Filter
Table 9: Resolved email filter issues
Bug ID | Description
154340 |
170139 |
174190 | scanunitd daemon usage issue, CPU is at 99% until aborted by the alarm clock when parsing a specific email.
174918 | Arabic mixed with non-Arabic font for email attachments are not inspected. The MIME parser is not correctly decoding.
184017 |
Firewall
Table 10: Resolved firewall issues
Bug ID | Description
151096 |
156828 | FTP upload traffic does not work when antivirus scanning is enabled.
161883 | IM cannot block file transfer by MSN 2011 on Windows 7 with block-file enabled.
178932 |
184375 | Uploads are interrupted by FortiGate devices with the load balancer feature enabled.
184809, 190973 |
187549 | DCE-RPC high ports not allowed when using Microsoft System Center Operations Manager (SCOM) 2012.
189828 |
192195 | Traffic is dropped by the NP4 processor with the traffic shaping feature enabled.
193096 |
193099 |
193497 | Some IPv6 sessions cannot be displayed when using the CLI command diagnose system session6 list.
FortiCarrier
Table 11: Resolved FortiCarrier issues
Bug ID | Description
188169 |
FortiGate VM
Table 12: Resolved FortiGate VM issues
Bug ID | Description
186173 |
High Availability
Table 13: Resolved high availability issues
Bug ID | Description
156040 |
174187 |
184052 |
185272 | When displaying a log message in a slave event log, the slave clock is adjusted to an invalid time.
186053 |
186520 |
188912 |
190237 | Changing firewall policy attributes does not cause the checksum to change.
190567 |
192178 | HA master fails to remove the slave's VLAN interface and IPsec VPN interface which results in IPsec VPN failures.
194610 | A FortiGate slave will fail to send logs to FortiAnalyzer if the management VDOM ID on the master and slave is different.
IPsec VPN
Table 14: Resolved IPsec VPN issues
Bug ID | Description
178665 | L2TP over IPsec client cannot ping to the internal network if the FortiGate has a PPPoE WAN connection.
180980 | Unable to get an IP address via L2TP over IPsec tunnel when using Chrome OS.
182017 |
182910 | The IPsec monitor shows the wrong user name for a dialup VPN with RSA aggressive mode.
183382 |
190405 | IKEv2 DPD failure which brings down the tunnel when the peer was still reachable.
190598 | IPsec hub and spoke issue when the session is not NP offloaded.
193049 |
Bug ID | Description
153422 | The IPv6 traffic log sent to a syslog server does not match the log in memory.
177175 | Incorrect value for source interface field in a traffic log file for denied traffic.
177242 |
177399 |
182615 |
183538 |
186797 | Miglogd daemon usage issue, high CPU when syslogd2 server is defined.
186918 | Alertmail shows Failed to send alert email in logs, but the message has actually been sent.
191663 |
191687 |
192869 | Under certain conditions the fdslogd daemon can over utilize CPU resources.
Routing
Table 16: Resolved routing issues
Bug ID | Description
185808 | PIM-SSM multicast stream is pruned while other IGMPv3 receivers are still present.
193990 |
SSL VPN
Table 17: Resolved SSL VPN issues
Bug ID | Description
180878 | Incorrect traffic statistics are displayed in SSL VPN tunnel mode on Windows 8.
182464 | The SSL VPN tunnel widget does not work in the web mode portal using Internet Explorer version 10 on Windows 8.
183019 | In Windows Active Directory protocol, the attribute memberOf does not include primary group, although it is considered as a user's super-group. If the customer specifies this primary group as the match condition, the authentication will fail.
184140 | The RDP login screen is not displayed in full screen mode with SSL VPN in web mode.
184522 |
188139 | An error message is displayed when a user logs in to a web mode SSL VPN with PKI enabled.
189680 | A SSL VPN portal with a 4096-bit RSA key size refuses the connection.
189800 |
191068 |
191278 | The FortiGate SSL VPN web portal will display an error message when editing or creating an entry on an OWA email server calendar.
191672 |
192344 |
193651 | The SSL VPN daemon crashes when accessing a Citrix server in web mode.
System
Table 18: Resolved system issues
Bug ID | Description
161876 | The FG-600C gets a power supply 2 failure event log error when the optional power supply is not installed.
173548 | Streaming query changes query VDOM to the current VDOM; cmdbsvr process will crash if the VDOM is invalid.
175326 |
176202 |
178545 |
183013 | The field list cache being used for filtering log is not cleared after each log is matched.
183191 | The link change indicator from hardware link scan is not stable and can sometimes be a false indicator.
183983 |
184206 |
184314 |
184932 | Unable to administratively bring down or bring up a tunnel interface via the CLI under config global.
185315 |
185606 |
186169 |
186523 |
187519 | The speed LED on a shared NIC port is not lit on the FG-800C.
187878 |
188544 | The diagnose sys session6 filter CLI command shows src twice.
188772 | The diagnose system top CLI command for CPU usage is not correct.
189061 |
189120 | For IPv6 traffic, NP4 does not support load balancing to four host queues and it is always sent to queue 0.
189304 | Using the administrative status to bring down a port on a FG-1000C causes the system to hang.
190016 |
190142 |
190160 | A FG-3950B with sp-load-balance mode enabled only passed 1/3 of SP2 traffic as the other two host channels were down.
190797 |
190829 |
190990 |
191112 |
191119 | XLP driver issue that could cause the FG-5101C to crash with a kernel panic.
191231 |
192347 |
192360 |
193169 |
195097 |
195168 |
195753 |
Upgrade
Table 19: Resolved upgrade issues
Bug ID | Description
180537 | Web pages reset after upgrading cluster to FortiOS v4.0 MR3 Patch Release 9 using TMG proxy.
190671 | ASpath-list regex entry does not work after upgrading to build 0646.
Bug ID | Description
181009 |
190746 | The WAD daemon crashes for HTTP .09 traffic if DLP scan is enabled.
190968 |
Web-based Manager
Table 21: Resolved Web-based Manager issues
Bug ID | Description
150041 | Signature entry in IPS sensor does not display the rule name.
156340 |
174917 | Unable to see archived IM messages in Log & Archive Access - IM Archive Access.
189029 |
190694 | Policy items are not displayed when accessing the FortiGate through a SSL VPN portal.
191509 |
Web Filter
Table 22: Resolved web filter issues
Bug ID | Description
135343 |
178127 |
179265 | CN based HTTPS web URL filtering does not work well on an external proxy environment, when exempt is configured.
188607 |
189987 |
191120 | The option to allow websites when a rating error occurs does not work as expected.
Wireless
Table 23: Resolved wireless issues
Bug ID | Description
131373, 186562 |
169666 | Change wireless channel generation method, and introduce the addition of country code for wireless controller's wtp-profile.
177422 |
183807 |
192789 |
Known Issues
The known issues tables listed below do not list every bug that has been reported with FortiOS
v4.0 MR3 Patch Release 12 build 0656. For inquiries about a particular bug or to report a bug,
please contact Customer Service & Support.
Firewall
Table 24: Known firewall issues
Bug ID | Description
194548 | Issues with source and destination subnet translation when using virtual IP range and IP pool.
IPsec VPN
Table 25: Known IPsec VPN issues
Bug ID | Description
198417 | IPsec connections traversing an NP interface may fail and cause the FortiGate device to hang.
Bug ID | Description
183778 |
195724 |
SSL VPN
Table 27: Known SSL VPN issues
Bug ID | Description
179445 |
VoIP
Table 28: Known VoIP issues
Bug ID | Description
195540 |
Web-based Manager
Table 29: Known Web-based Manager issues
Bug ID | Description
196235 | The System Information widget has a Details link which displays a list of firmware. Upgrading or downgrading the firmware from this page displays an Access denied error message. Workaround: Use the Update link in the System Information widget or update the firmware using the CLI.
196962 | Installing a new license file for a FG-VM displays an Access denied error message. Workaround: Rebooting the system once prevents the error message from being displayed a second time.
198883 | Interface zone names or firewall addresses that have an ampersand (&) character may not be viewable in the Web-based Manager.
Limitations
This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 12 build 0656.
Image Checksum
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After logging in,
click on Download > Firmware Image Checksum, enter the image file name including the extension,
and select Get Checksum Code.
Figure 1: Firmware image checksum tool
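Checking a downloaded image against the checksum code from the support site, as an added example that is not part of the original release notes. The script name and its two arguments are placeholders; the checksum value is whatever the Get Checksum Code step returns.

```python
import hashlib
import hmac
import re
import sys


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the image in chunks so a large firmware file is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_checksum(published):
    """Accept the pasted checksum code in either case and with stray whitespace."""
    value = "".join(published.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", value):
        # A truncated or mistyped value must not be compared at all.
        raise ValueError("expected a 32-digit hexadecimal MD5 value")
    return value


def image_matches(path, published):
    """True only if the file's MD5 equals the published checksum code."""
    return hmac.compare_digest(md5_of_file(path), normalize_checksum(published))


if __name__ == "__main__":
    # Usage (placeholders): python verify_image.py <image file> <checksum code>
    image, code = sys.argv[1], sys.argv[2]
    ok = image_matches(image, code)
    print("checksum matches" if ok else "CHECKSUM MISMATCH: do not install this image")
    sys.exit(0 if ok else 1)
```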
Appendix A: FortiGate VM
FortiGate VM model information
The following table provides a detailed summary on FortiGate VM models.
Table 30: FortiGate VM model information
Technical
Specification
FGVM-00
Hypervisor Support
Virtual CPU
(Min / Max)
FGVM-01
FGVM-02
FGVM-04
FGVM-08
1/1
Virtual Network
Interfaces
(Min / Max)
1/2
1/4
1/8
2 / 10
Memory Support
(Min / Max)
Storage Support
(Min / Max)
VDOM Support
(Default / Max)
10 / 10
10 / 25
10 / 50
10 / 250
Wireless Access
Points Controlled
32
256
512
512
1,024
HA Support
Yes
For more information see the FortiGate VM product datasheet available on the Fortinet web site,
http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-VM01.pdf.
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for both VMware and Xen VM environments.
VMware
.out: Download either the 32-bit or 64-bit firmware image to upgrade your existing
FortiGate VM installation.
ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation.
This package contains Open Virtualization Format (OVF) files for VMware and two Virtual
Machine Disk Format (VMDK) files used by the OVF file during deployment.
Xen
.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This
package contains the QCOW2 file for Open Source Xen.
.out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This
package contains the Citrix Xen Virtual Appliance (XVA) and Virtual Hard Disk (VHD) files.