
FortiGate Multi-Threat Security System

Release Notes FortiOS v3.00 MR7 Patch Release 9 Rev. 1.1

August 27, 2010

Fortinet Inc


Table of Contents

1 FortiOS v3.00 MR7 Patch Release 9
    1.1 General
    1.2 Single Hard Drive Support for FGT-111C
    1.3 File Transfer Limitation
    1.4 FortiClient v4.0 Support
2 Known Issues in FortiOS MR7 Patch Release 9
    2.1 VPN
    2.2 Log & Report
3 Resolved Issues in FortiOS MR7 Patch Release 9
    3.1 Web User Interface
    3.2 System
    3.3 High Availability
    3.4 Firewall
    3.5 VPN
    3.6 Web Filter
4 Upgrade Information
    4.1 Upgrading from FortiOS v2.50
    4.2 Upgrading from FortiOS v2.80
    4.3 Upgrading from FortiOS v3.00 MR5 and MR6
    4.4 Downgrading to FortiOS v3.00
    4.5 Downgrading to FortiOS v2.80
    4.6 Downgrading to FortiOS v2.50
5 Image Checksums

Change Log

Revision    Change Description
1.0         Initial Release.
1.1         Added bug 114610 to the Known Issues section.

Copyright 2010 Fortinet Inc. All rights reserved. Release Notes FortiOS v3.00 MR7 Patch Release 9.

Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Registered customers with valid support contracts may enter their support tickets at the Fortinet Customer Support site: https://support.fortinet.com


1 FortiOS v3.00 MR7 Patch Release 9


This document outlines resolved issues of FortiOS v3.00 MR7 B0753 Patch Release 9 firmware for the Fortinet FortiGate Multi-threat Security System. Please reference the full version of the FortiOS v3.00 MR7 release notes for new features and known issues. The following outlines the release status for each model.

Model        FortiOS v3.00 MR7 Release Status

FGT-310B FGT-3810A FGT-3600A FGT-3016B

The officially released images for these models are based off of MR7 Patch Release 9 B0753 fg300_mr7_amc_bypass/build_5562 and are located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for these images in the System > Status page and the output from the "get system status" CLI command displays 5562. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-620B FGT-620B-DC

The officially released images for these models are based off of MR7 Patch Release 9 B0753 fg300_mr7_620b/build_tag_5564 and are located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for these images in the System > Status page and the output from the "get system status" CLI command displays 5564. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-110C

The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_110c/build_tag_5566 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5566. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-111C

Note: The FGT-110C-HD has been renamed to FGT-111C. The image file name also has been renamed to "FGT_111C-v300-build0753-FORTINET.out" and is used on both the existing FGT-110C-HD model and the FGT-111C model. Once the image is loaded, both the "get system status" CLI output and the web UI reference the FGT-111C. The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_110c/build_tag_5566 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5566. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-5001A-SW FGT-5001A-DW

Note: Same firmware image is used for FGT-5001A-SW and FGT-5001A-DW models. The officially released images for these models are based off of MR7 Patch Release 9 B0753 fg300_mr7_5001a_sw/build_tag_5557 and are located in the same directory as the models supported on the regular MR7 branch. The build number for these images in the System > Status page and the output from the "get system status" CLI command displays 5557. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-51B

Note: The FGT-50B-HD has been renamed to FGT-51B. The image file name also has been renamed to "FGT_51B-v300-build0753-FORTINET.out" and is used on both the existing FGT-50B-HD model and the FGT-51B model. Once the image is loaded, both the "get system status" CLI output and the web UI reference the FGT-51B. The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_51b/build_tag_5560 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5560. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-80C FGT-80CM FWF-80CM FWF-81CM

Note: Only FWF-80CM and FWF-81CM Rev. 1 hardware is supported by FortiOS v3.00 MR7. The officially released images for these models are based off of MR7 Patch Release 9 B0753 fg300_mr7_80C/build_tag_5563 and are located in the same directory as the models supported on the regular MR7 branch. The build number for these images in the System > Status page and the output from the "get system status" CLI command displays 5563. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-311B

The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_311b/build_tag_5558 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5558. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-310B-DC

The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_310b_dc/build_tag_5559 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5559. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FWF-30B

The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_fw30b/build_tag_5556 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5556. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-82C

The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_82c/build_tag_5561 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5561. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

FGT-1240B

The officially released image for this model is based off of MR7 Patch Release 9 B0753 fg300_mr7_1240b/build_tag_5565 and is located in the same directory as the models supported on the regular FortiOS v3.00 MR7 branch. The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5565. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 753.

All Other Models

All other models are supported on the regular MR7 branch.

1.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!
Monitor Settings for Web User Interface Access:

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

BEFORE any upgrade,

[FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade,


[WebUI display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper display of the Web UI screens.

[Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

1.2 Single Hard Drive Support for FGT-111C


The FortiGate-111C contains two hard drive bays but supports only one hard drive at one time.

1.3 File Transfer Limitation


Large WMP streaming video may fail to load when the antivirus 'File Filter' feature is enabled. Decreasing the httpoversizelimit value to 2 or lower can be used as a workaround to this limitation.


1.4 FortiClient v4.0 Support


With the FortiClient check feature enabled in the firewall policy and FortiClient 3.0.x installed on the FortiGate device, endpoint clients with a higher FortiClient version (such as v4.0) are not recognized by the FortiGate device and are asked to download the FortiClient 3.0.x installer.


2 Known Issues in FortiOS MR7 Patch Release 9


The known issues listed below do not include every bug that has been corrected with this release. For inquiries about a particular bug, contact Customer Support.

2.1 VPN
Description: Our SSL VPN web portal code does not allow enough flexibility for specific/complex URL access; therefore certain applications may not be fully supported via the SSL web portal.
Bug ID: 114610
Status: To be fixed in a future release.

2.2 Log & Report


Description: Buffered logs for the FortiAnalyzer may be lost if the buffer size exceeds 2 GB.
Models Affected: All
Bug ID: 114407
Status: To be fixed in a future release.


3 Resolved Issues in FortiOS MR7 Patch Release 9


3.1 Web User Interface
Description: User may not be able to access the Firewall > Policy web UI page after upgrading to MR7P8. Some httpsd crash output may be displayed on the FortiGate console.
Models Affected: All
Bug ID: 118921
Status: Fixed in MR7 Patch Release 9.

Description: The 'insert policy before' option in the web UI does not work when adding a new firewall policy.
Models Affected: All
Bug ID: 111243
Status: Fixed in MR7 Patch Release 9.

3.2 System
Description: LDAP regular bind request may contain a truncated user distinguished name.
Models Affected: All
Bug ID: 100382
Status: Fixed in MR7 Patch Release 9.

Description: The rx/tx stats for ports using the Broadcom tg3 driver roll over at 2^32 and start counting from 0 again.
Models Affected: All
Bug ID: 109873
Status: Fixed in MR7 Patch Release 9.

Description: Some redundant interface related issues in TP mode were fixed.
Models Affected: All
Bug ID: 117347
Status: Fixed in MR7 Patch Release 9.

Description: Added H323 support for Avaya phone system.
Models Affected: All
Bug ID: 93450
Status: Fixed in MR7 Patch Release 9.

Description: FortiGate incorrectly forwards L2 multicast packets where the source and destination interface is the same.
Models Affected: All
Bug ID: 115421
Status: Fixed in MR7 Patch Release 9.

Description: AV update for the extended database may fail to update to the flash if the size of the update packet is bigger than the size of the 3rd partition.
Models Affected: All
Bug ID: 116673
Status: Fixed in MR7 Patch Release 9.

Description: AMC FB4 ports may start to loop traffic internally when under heavy traffic load.
Models Affected: All
Bug ID: 111391
Status: Fixed in MR7 Patch Release 9.

Description: FortiOS SSL ASIC driver bug causes a performance problem for FortiManager DPM when FortiOS is communicating with the FortiManager.
Models Affected: All
Bug ID: 115534
Status: Fixed in MR7 Patch Release 9.

Description: The FortiGate-3810A randomly encounters a kernel crash.
Models Affected: FGT-3810A
Bug ID: 114010
Status: Fixed in MR7 Patch Release 9.

Description: nsmd daemon may crash, causing temporary traffic interruption.
Models Affected: All
Bug ID: 114933
Status: Fixed in MR7 Patch Release 9.

3.3 High Availability


Description: The SNMP response for an SNMP query to the Master and Slave FortiGate may have different source IP address.
Models Affected: All
Bug ID: 116838
Status: Fixed in MR7 Patch Release 9.

3.4 Firewall
Description: Firewall policy authentication for FSAE users may unexpectedly time out even when traffic is passing through the FortiGate.
Models Affected: All
Bug ID: 117692
Status: Fixed in MR7 Patch Release 9.

Description: Virtual server HTTP health check fails when the HTTP header of a web server response is segmented.
Models Affected: All
Bug ID: 116608
Status: Fixed in MR7 Patch Release 9.

3.5 VPN
Description: sslvpnd daemon may crash because of memory corruption.
Models Affected: All
Bug ID: 110635, 111845
Status: Fixed in MR7 Patch Release 9.

3.6 Web Filter


Description: Improve urlfilter performance by increasing the size of queues to and from urlfilter daemon.
Models Affected: All
Bug ID: 113702
Status: Fixed in MR7 Patch Release 9.

Description: The FortiGate unexpectedly shows a redirect message after successful FSAE authentication.
Models Affected: All
Bug ID: 89671
Status: Fixed in MR7 Patch Release 9.


4 Upgrade Information

4.1 Upgrading from FortiOS v2.50


Upgrading directly from FortiOS v2.50 to FortiOS v3.00 is NOT supported. Upgrade to at least FortiOS v2.80 MR11 prior to upgrading to FortiOS v3.00 MR7 Patch Release 9. Refer to the FortiOS v2.80 MR11 release notes for upgrade procedures.

4.2 Upgrading from FortiOS v2.80


Upgrade to FortiOS v2.80 MR11 prior to upgrading to FortiOS v3.00 MR7 Patch Release 9. Refer to the FortiOS v2.80 MR11 release notes for upgrade procedures. The following are caveats when upgrading from FortiOS v2.80 MR11 to FortiOS v3.00 MR7 Patch Release 9.

[Deprecated IPS Groups] Certain IPS groups found in FortiOS v2.80 have been removed and their corresponding signatures merged into other IPS groups. As such, those IPS groups are lost when upgrading to FortiOS v3.00 MR7 Patch Release 9. To restore the lost group signature settings, perform the following steps:

1. Identify which "lost" IPS group you currently have configured in FortiOS v2.80 from the list found in Appendix A.
2. Note the signature settings that are contained in the FortiOS v2.80 group, and identify in the table the equivalent FortiOS v3.00 group(s) that contain the signature.
3. Repeat steps 1-2 for each "lost" group.
4. After upgrading to FortiOS v3.00 MR7 Patch Release 9, for each group lost, manually configure the equivalent signature settings under the FortiOS v3.00 group(s).

[IPSec VIP] FortiOS v2.80 supports VIPs configured under config vpn ipsec vip, which essentially is a proxy ARP. There is no such command in FortiOS v3.00; it is replaced by the config system proxy-arp command. The upgrade scripts do not support this in FortiOS v3.00 MR7 Patch Release 9. You will need to reconfigure any FortiOS v2.80 IPSec VIPs to use the system proxy-arp command in FortiOS v3.00. The command is valid on a per VDom basis in NAT mode. The following is an example CLI configuration.

    config system proxy-arp
        edit 1
            set ip 192.168.5.111
            set interface "port1"
        next
        edit 2
            set ip 192.168.5.110
            set interface "port3"
        next
    end

[FortiOS v2.80 PING Generators] PING generators in FortiOS v2.80 are able to bring up two tunnels automatically, but in FortiOS v3.00 the auto-negotiate command, which is disabled by default, replaces this functionality. The feature is available in the IPSec phase 2 configuration for both IPSec tunnels and IPSec interfaces.

[Web Filter and Spam Filter Lists] In FortiOS v2.80, the following lists can be backed up and restored, but in FortiOS v3.00, the lists are stored in the system configuration file and therefore cannot be restored.

    Web Filtering
        Web Content Block
        Web URL Block List
        Web URL Exempt List
    Spam Filtering
        IP Address
        RBL & ORDBL
        Email Address
        MIME Headers
        Banned Word

FortiOS v3.00 has a feature whereby CLI commands can be imported from a file - see Section 3.2.11: Bulk CLI Configuration Importing. If the FortiOS v2.80 lists are converted to FortiOS v3.00 CLI commands and saved in a text file, the file can be imported using the Bulk CLI Import. Refer to Appendix B: Mapping FortiOS v2.80 Web Filtering and Spam Filtering Lists to FortiOS v3.00 CLI Commands for help on creating a text file to import these lists.

[ActiveX, Cookie, and Java Applet Filter] In FortiOS v2.80, ActiveX, Cookie, and Java Applet filtering must be enabled in the Web Filter > Script Filter page and then in the protection profile under Web Filtering. FortiOS v3.00 has removed the necessity to enable this filtering under the Web Filter > Script Filter page. It now is accomplished only through the protection profile. On upgrading from FortiOS v2.80 to FortiOS v3.00, if any of ActiveX, Cookie, and Java Applet filtering are enabled under the Web Filter > Script Filter page, that setting will be reflected in every protection profile.

[Static Routes without Device Setting Configured] In FortiOS v2.80, the device setting for a static route is optional. FortiOS v3.00 MR4 has made this setting mandatory. If the device setting is not configured, the static route is dropped upon upgrade to FortiOS v3.00 MR7 Patch Release 9.

[Log Filtering Changes] In FortiOS v2.80, log filtering to a device, such as FortiAnalyzer, hard disk, or memory, is controlled on a global basis, meaning that once log filtering is enabled for an event, any firewall policy that produces such an event results in a log message sent to that device. In FortiOS v3.00, log filtering is controlled in two ways:

1. On a per-device basis

    config log <device> filter

2. On a per-protection profile basis

    config firewall profile
        edit <profile name>

The per-device filters control whether or not log messages are sent to the device. The per-protection profile filters control whether or not matching traffic through a protection profile results in a log message sent to the device. Upon upgrade from FortiOS v2.80 to FortiOS v3.00, only the per-device log filters are retained - protection profile is altered to accommodate logging, except for log-web-ftgd-err, which is enabled by default. After upgrading, review the firewall policies that require logging to be enabled.

[VDom Licensing] FortiOS v2.80 supports additional virtual domains by way of a FortiOS image that contains a hardcoded number of VDoms in it. FortiOS v3.00 uses a VDom license key to upgrade the number of VDoms on high-end models FGT-3000 and up. Upon upgrading from FortiOS v2.80, the VDoms and all of their associated configuration are retained, but in the event of a factory reset and a configuration restore, the FortiGate will fail to add all of the VDoms. If you are running FortiOS v2.80 with more than the default number of VDoms, follow these steps when upgrading to FortiOS v3.00:

1. Back up configuration for FortiOS v2.80.
2. Upgrade to FortiOS v3.00.
3. Back up configuration for FortiOS v3.00.
4. Contact Customer Support to obtain a FortiOS v3.00 VDom license key. If you are running an HA cluster, you need a license key for each unit in the cluster.
5. In the event the configuration needs to be reloaded, the VDom license key needs to be configured first.

Another scenario occurs with FortiOS v2.80 and upgrading with an image that contains additional VDoms. Below are the conditions for this scenario to occur:

    FortiGate is running FortiOS v2.80 with additional VDoms, such as 25 VDoms
    Not all VDoms are configured, for example only 15

After upgrading to FortiOS v3.00 MR4, if the FortiGate does not let you add a 16th VDom, you must contact Customer Support to obtain a FortiOS v3.00 VDom license key, install it, and then add additional VDoms.

[Alert E-mail Replacement Messages] Alert E-mail was modified in FortiOS v3.00 MR4. The FortiGate generates and formats its own message for the alert e-mail. Thus any modified alert e-mail replacement messages are not retained upon upgrade to FortiOS v3.00 MR4.

[Alert E-mail Filter] The Alert E-mail filter feature has been changed in FortiOS v3.00 MR4. Now, alert e-mails are sent based on category or thresholds. See Section 4.14.4 Alert E-mail Enhancement.

[Administrative Users] In FortiOS v2.80, an admin user is a global setting, not a per-VDom setting, and thus does not belong to a management VDom. After upgrading to FortiOS v3.00 MR7, all v2.80 administrative users are assigned to the root VDom by default. If the management VDom is not assigned to the root VDom, then administrative users, except for the default "admin" user, will fail to log in to the management VDom after upgrading.

[Policy Routing] Both "input-device" and "output-device" are mandatory attributes from FortiOS v3.00 MR2. However, "output-device" is not a mandatory attribute in FortiOS v2.80; therefore, policy routes without "output-device" configured are lost after upgrading to FortiOS v3.00 MR4 or later.

[VLANs Under WLAN Interfaces] FortiOS v3.00 MR7 does not support VLANs under the WLAN interface and thus any configuration settings referring to the VLANs, as well as the VLANs themselves, are lost upon upgrade to FortiOS v3.00 MR4 or later.

[IPSec Related Settings] The following parameters in a phase1 policy based IPSec tunnel are not retained upon upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 9:

    config vpn ipsec phase1
        set dpd [enable|disable]
        set dpd-idleworry <integer>
        set dpd-idlecleanup <integer>

The following parameters in a phase2 policy based IPSec tunnel are not retained upon upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 9:

    config vpn ipsec phase2
        set bindtoif <interface name>
        set internetbrowsing <interface name>


[System DHCP Exclude Range] In FortiOS v2.80 MR11 and MR12, "system dhcp exclude_range" is a standalone section to indicate the IP addresses that should be exempted from the DHCP address pool. In FortiOS v3.00 MR7 Patch Release 9, this feature is implemented by setting a "config exclude-range" section under "config system dhcp server". Upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 copies these settings to every DHCP server setting:

    config system dhcp server
        config exclude-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.200
            next

[Firewall Profiles/Schedule] In FortiOS v2.80, the firewall profile and firewall onetime/recurring schedule are global settings. Starting from FortiOS v3.00 MR5, these settings were moved to per-VDom; the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 copies this configuration to every VDom.

[Firewall Service Custom] In FortiOS v2.80, firewall service custom is a global setting. Starting from FortiOS v3.00 MR5, these settings were moved to per-VDom; the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 copies this section to every VDom.

[IPSec DPD Setting] The DPD parameter in a phase1 policy based IPSec tunnel is lost upon upgrade from FortiOS v2.80 to FortiOS v3.00 MR7.

[IPS Predefined Signatures] The severities of the predefined IPS signatures have been set to recommended levels and cannot be altered. Upon upgrading from FortiOS v3.00 MR3 or earlier to FortiOS v3.00 MR4 or later, the severities are reset to the recommended values.

[IPSec Manual Keys in a VDom Configuration] IPSec tunnels configured in a non-root VDom that use manual keys are not retained upon upgrade if the tunnel was not referenced by a firewall policy.

[Static Routes without Device Setting Configured] In FortiOS v2.80, the device setting for a static route is optional. FortiOS v3.00 MR2 has made this setting mandatory. If the device setting is not configured, the static route is dropped upon upgrade.

[HA Monitor Interfaces WLAN] The WLAN interface cannot be used as a monitored interface as of FortiOS v3.00 MR4; therefore, upgrading from FortiOS v2.80 to FortiOS v3.00 MR4 or later results in this configuration being lost.

[SSL-VPN Firewall Policies Without Groups] An SSL-VPN firewall policy configured without a group is lost after upgrading to FortiOS v3.00 MR7 Patch Release 9.

[VPN IPSec Phase1 with Type DDNS] Prior to FortiOS v3.00 MR4, the following IPSec Phase 1 configuration was accepted by the FortiGate even though the configuration was invalid:

    config vpn ipsec phase1
        set type ddns
        set peertype one
        set peerid aaa

From FortiOS v3.00 MR4, this is no longer accepted and therefore the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 9 results in loss of configuration.

[VPN PPTP Non-Firewall User Group] Choosing a user group whose type is NOT firewall when configuring PPTP results in loss of configuration when upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 9.

[DDNS Server vavic.com] The DDNS service for "vavic.com" changed for FortiOS v3.00 MR5. The domain is retrieved automatically based on the user's account. Thus, upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 9 will cause loss of configuration for this setting.

[Firewall IP Pools with Class D IP Addresses] Firewall IP pools using a Class D IP address are lost upon upgrading to FortiOS v3.00 MR7 Patch Release 9, since the configuration is now verified to be below 224.0.0.0.

[Firewall VPN Policies Sharing the Same Manual Key] In FortiOS v2.80, VPN tunnels can be shared across firewall policies, but in FortiOS v3.00 VPN tunnels are assigned to an interface, and because the upgrade script assigns the VPN tunnel to one interface, subsequent policies using the VPN tunnel are lost.

[Oversize File Limit] After upgrading to FortiOS v3.00 MR7 Patch Release 9 from FortiOS v2.80 MR12, all oversize file limit values may change to zero.
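The following pre-upgrade audit is an added example, not Fortinet code. It covers the [IPSec Related Settings] and [VPN IPSec Phase1 with Type DDNS] caveats above by scanning a FortiOS v2.80 configuration backup for the phase1/phase2 settings listed as not retained. The sample backup is constructed, and the edit/next layout of the phase1 and phase2 sections is an assumption modelled on the proxy-arp example.

```python
# Added example: pre-upgrade audit of a FortiOS v2.80 configuration backup.
# Setting names come from the release notes; the sample backup is constructed.

# Settings the release notes list as not retained on upgrade.
LOST_SETTINGS = {
    "vpn ipsec phase1": {"dpd", "dpd-idleworry", "dpd-idlecleanup"},
    "vpn ipsec phase2": {"bindtoif", "internetbrowsing"},
}


def parse_config(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: value}}}.

    Assumption: entries are wrapped in edit/next as in the proxy-arp example.
    Nested config blocks are skipped; "set" lines outside any edit block are
    stored under the entry name "(section)".
    """
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        words = raw.split(None, 1)
        if not words:
            continue
        cmd = words[0]
        arg = words[1].strip() if len(words) > 1 else ""
        if cmd == "config":
            depth += 1
            if depth == 1:
                section, entry = sections.setdefault(arg, {}), None
        elif cmd == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                section = entry = None
        elif depth != 1:
            continue
        elif cmd == "edit":
            entry = section.setdefault(arg.strip('"'), {})
        elif cmd == "next":
            entry = None
        elif cmd == "set":
            if entry is None:
                entry = section.setdefault("(section)", {})
            key, _, value = arg.partition(" ")
            entry[key] = value.strip().strip('"')
    return sections


def audit(text):
    """Return [(section, entry, issue)] for settings that will not survive."""
    findings = []
    for section, entries in parse_config(text).items():
        lost = LOST_SETTINGS.get(section, set())
        for name, settings in entries.items():
            for key in sorted(lost.intersection(settings)):
                findings.append((section, name, f"{key}: not retained on upgrade"))
            # The combination the release notes show as invalid from MR4 on.
            if (section == "vpn ipsec phase1"
                    and settings.get("type") == "ddns"
                    and settings.get("peertype") == "one"
                    and "peerid" in settings):
                findings.append((section, name,
                                 "type ddns + peertype one + peerid: "
                                 "rejected from MR4, configuration lost"))
    return findings


# Constructed sample backup (entry names and values are hypothetical).
SAMPLE_V280_BACKUP = """\
config vpn ipsec phase1
    edit "branch-gw"
        set type ddns
        set peertype one
        set peerid aaa
        set dpd enable
        set dpd-idleworry 10
    next
    edit "hq-gw"
        set peertype one
        set peerid hq
    next
end
config vpn ipsec phase2
    edit "branch-p2"
        set bindtoif "port1"
    next
end
"""

if __name__ == "__main__":
    for section, name, issue in audit(SAMPLE_V280_BACKUP):
        print(f"{section} / {name}: {issue}")
```

Record the flagged values before upgrading so they can be re-entered or redesigned afterwards.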

4.3 Upgrading from FortiOS v3.00 MR5 and MR6


Upgrading from FortiOS v3.00 MR5 and MR6 to FortiOS v3.00 MR7 is supported. MR7 Patch Release 9 officially supports upgrade from the most recent Patch Release in MR5 and MR6. If you are upgrading from a release prior to MR5, please upgrade to MR5 or MR6 before upgrading to MR7 Patch Release 9. Please refer to the corresponding release notes for the proper upgrade path to MR5 or MR6.

[FG-3016B Upgrade] Interface names on the FGT-3016B have been changed in FortiOS v3.00 MR7 to match the port names on the face plate. After upgrading to MR7 Patch Release 9, all port names in the FortiGate configuration are changed as per the following port mapping.

    Old port names before upgrading    New port names after upgrading
    port1                              mgmt1
    port2                              mgmt2
    port3                              port1
    port4                              port2
    port5                              port3
    port6                              port4
    port7                              port5
    port8                              port6
    port9                              port7
    port10                             port8
    port11                             port9
    port12                             port10
    port13                             port11
    port14                             port12
    port15                             port13
    port16                             port14
    port17                             port15
    port18                             port16

Note: A new revision of the FGT-3016B included a name change to two ports on the left side of the faceplate and in the FortiOS v3.00 MR7 firmware. Previously, they were labelled 1 and 2. Now they are called MGMT 1 and MGMT 2. However, the BIOS still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.

[FortiManager Acting as a FortiGuard Server]
If your FortiManager is being used as an on-site FortiGuard server (providing IPS and AV updates), then you MUST upgrade the FortiManager to MR7 before upgrading the FortiGates to ensure no service disruption.

[Firewall IP Pools with Class D IP Addresses]
Firewall IP pools using a Class D IP address are lost upon upgrading to FortiOS v3.00 MR7 Patch Release 9, since the configuration is now verified to be below 224.0.0.0.

[IPS Related Settings]
FortiOS v3.00 MR6 introduced a significant change to the way IPS is configured. If a firewall profile had "high critical" signatures enabled before the upgrade, a sensor is created during the upgrade with one IPS filter in which the severity "high critical" is selected. This sensor is added to the firewall profile. For each severity combination, a sensor is created. If the user changed the default signature settings, then these signatures are added to all of those sensors as an IPS override. For example:

Prior to FortiOS v3.00 MR6

    config firewall profile
        edit test1
            set ips-signature info low medium high critical
        next
        edit test2
            set ips-signature high critical
        next
    end
    config ips group abc
        config rule xyz123
            set status enable
            set action drop
            set id 1234567
        end
        config rule xyz456
            set status enable
            set action pass
            set id 7654321
        end
    end

FortiOS v3.00 MR7 configuration

    config firewall profile
        edit test1
            set ips-sensor-status enable
            set ips-sensor fw_prof_upg_test1
        next
        edit test2
            set ips-sensor-status enable
            set ips-sensor fw_prof_upg_test2
        next
    end
    config ips sensor
        edit fw_prof_upg_test1
            config filter
                edit 1
                    set severity info low medium high critical
                next
            end
            config override
                edit 1234567
                    set status enable
                    set action block
                next
                edit 7654321
                    set status enable
                    set action pass
                next
            end
        next
        edit fw_prof_upg_test2
            config filter
                edit 1
                    set severity high critical
                next
            end
            config override
                edit 1234567
                    set status enable
                    set action block
                next
                edit 7654321
                    set status enable
                    set action pass
                next
            end
        next
    end


The following sections are removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 9:

    config ips anomaly *
    config ips group *
    config system autoupdate ips

The following commands are removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 9:

    config system global
        set local-anomaly [enable|disable]
    config ips global
        set ip-protocol [enable|disable]

The section config ips custom, which was a global setting in FortiOS v3.00 MR4 and MR5, is copied into every VDom when upgrading to v3.00 MR7 Patch Release 9.

[IM and P2P]
The sections

    config imp2p aim-user | icq-user | yahoo-user | msn-user | old-version | policy

which were global settings in FortiOS v3.00 MR5 are copied into every VDom after upgrading to v3.00 MR7 Patch Release 9.

[Spam Filter]
The sections

    config spamfilter bword | emailbwl | ipbwl | ipstrust | mheader

which were global settings in FortiOS v3.00 MR5 are copied into every VDom when upgrading to v3.00 MR7 Patch Release 9. The section config spamfilter rbl becomes config spamfilter dnsbl after upgrading to FortiOS v3.00 MR7 Patch Release 9, and this section is copied into every VDom.

[Web Filter]
The sections

    config webfilter bword | exmword | ftgd-local-cat | ftgd-local-rating | ftgd-ovrd | ftgd-ovrd-user | urlfilter

which were global settings in FortiOS v3.00 MR5 are copied into every VDom after upgrading to v3.00 MR7 Patch Release 9.

[FortiManager]
The section config system fm in FortiOS v3.00 MR5 and MR6 may be lost after upgrading to MR7 Patch Release 9. In this case, you need to reset the FortiManager parameters under the config system fortimanager section:

    config system fortimanager
        set ip 192.168.100.100
        set vdom root
    end

[User Setting]
Three parameters that were under system global settings in FortiOS v3.00 MR5 are moved into a new section called config user setting, which is under the per-VDom settings. They are:

    set auth-cert <cert-name>
    set auth-secure-http [enable|disable]
    set auth-timeout <integer by minutes>
    set auth-type [ftp | http | https | telnet ]

[SNMP Interface Index]
FortiOS v3.00 MR6 added a new SSL interface (ssl.root). Upgrading from FortiOS v3.00 MR5 to MR7 Patch Release 9 increases the SNMP interface index of interfaces, because the ssl.root interface is added just after the physical interfaces in the list.

[NTP Configuration]


The following NTP related configuration commands have been moved under "config system ntp" in MR7 Patch Release 9:

    config ntpserver
    set ntpsync
    set syncinterval

[DNS Server Override]
The "dns-server-override" command is available only for interfaces that are configured in the management VDom.

[Switch Interface and VLAN Support in TP mode]
As of FortiOS v3.00 MR7, VLAN interfaces cannot be created under a FortiGate switch interface in TP mode (e.g. the Internal interface on the FGT60). Any VLANs under the switch interface will be lost after upgrading to MR7 Patch Release 9.

[VPN PPTP Non-Firewall User Group]
Choosing a user group whose type is NOT equal to firewall when configuring PPTP results in loss of configuration when upgrading from FortiOS v3.00 MR5 to FortiOS v3.00 MR7 Patch Release 9.

[Report Configuration]
The "Report Config" feature has been reworked in FortiOS v3.00 MR7 Patch Release 9 to support FortiAnalyzer Report Engine v2. The "config log report" command has been removed in FortiOS v3.00 MR7 Patch Release 9. All configuration under "config log report" may be lost upon upgrading to FortiOS v3.00 MR7 Patch Release 9.

[User Peers]
User peers that are configured without a certificate authority (ca) or a subject are not retained upon upgrading to FortiOS v3.00 MR7 Patch Release 9. In MR7, at least one of these fields may be a mandatory setting.

[FortiGuard Configuration]
The default setting for the "central-mgmt-auto-backup" command has been changed to enable in FortiOS v3.00 MR7 Patch Release 9.

[Firewall Policy]
The "auth-path", "auth-cert" and "auth-redirect-addr" settings may be lost upon upgrading to FortiOS v3.00 MR7 Patch Release 9 if an authentication group is not selected in the firewall policy.

[System IPv6]
The section "config system ipv6-tunnel" is moved under "config system sit-tunnel" upon upgrading to v3.00 MR7 Patch Release 9.

[Global Setting]
The setting "allow-interface-subnet-overlap", which was under global settings in FortiOS v3.00 MR5 and MR6, is copied into every VDom under "config system settings" after upgrading to v3.00 MR7 Patch Release 9.

[VPN IPSec User Group Settings]
In FortiOS v3.00 MR7 Patch Release 9 the user group settings have been changed to only reference firewall type user groups in XAuth and Peer group settings. VPN configuration may be lost upon upgrading to MR7 Patch Release 9 if non-firewall type user groups are used.

[Fortinet Local Certificate]
In FortiOS MR7, the "Fortinet_Local" rsa certificate has been removed, hence any settings using "Fortinet_Local" as an rsa certificate may be lost after upgrading to MR7 Patch Release 9. Use the Fortinet_Factory rsa certificate instead of Fortinet_Local.

[IPSec Quick Mode Selector]
The IPSec Phase2 quick mode selector protocol settings are lost after upgrading from FortiOS v2.80 to FortiOS v3.00 Patch Release 2.


[FDS Push-update Settings]
The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS v3.00 MR7.

[System Modem Settings]
'config system modem' settings are lost after upgrading from FortiOS v3.00 MR6 to FortiOS v3.00 MR7 Patch Release 9.

[FGT-224B Firewall Mode Support]
FortiOS v3.00 MR7 supports the FGT-224B operating in firewall mode only.
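
A pre-upgrade check for a subset of the items listed in this section, added here as an example and not part of the Fortinet release notes: it scans a saved configuration backup for sections, certificates and IP pool addresses that the notes say are removed or lost on upgrade. It assumes top-level "config" lines are unindented in the backup and that IP pools are defined under "config firewall ippool" with startip/endip; the sample backup is constructed.

```python
import re

# Sections the release notes list as removed or possibly lost on upgrade.
AFFECTED = {
    "config ips anomaly": "removed on upgrade",
    "config ips group": "removed on upgrade",
    "config system autoupdate ips": "removed on upgrade",
    "config log report": "command removed, settings may be lost",
    "config system modem": "settings lost when upgrading from MR6",
    "config system fm": "may be lost, re-enter under config system fortimanager",
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
POOL_SECTION = "config firewall ippool"  # assumed section name, not from the notes

def audit_backup(text):
    """Return (line_no, finding) pairs for a v3.00 MR5/MR6 config backup."""
    findings, section = [], ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if raw.startswith("config "):  # unindented header = top-level section
            section = line
            for header, note in AFFECTED.items():
                if line == header or line.startswith(header + " "):
                    findings.append((no, f"{header}: {note}"))
        if re.search(r"\bFortinet_Local\b", line):
            findings.append((no, "Fortinet_Local: certificate removed, use Fortinet_Factory"))
        if section == POOL_SECTION:
            for ip in IPV4.findall(line):
                # A first octet of 224 or more means the address is not below 224.0.0.0.
                if 224 <= int(ip.split(".")[0]) <= 255:
                    findings.append((no, f"IP pool address {ip}: not below 224.0.0.0, pool is lost"))
    return findings

# Constructed sample backup (not taken from a real device).
SAMPLE = """\
config system global
    set auth-cert "Fortinet_Local"
end
config firewall ippool
    edit "pool-mcast"
        set startip 224.0.1.10
        set endip 224.0.1.20
    next
end
config ips group abc
end
"""

if __name__ == "__main__":
    print(*audit_backup(SAMPLE), sep="\n")
```

Run it against the backup taken before the upgrade and keep the findings with the change record, so that lost settings can be re-entered afterwards.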

4.4 Downgrading to FortiOS v3.00


Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:

    operation modes
    interface IP/management IP
    route static table
    DNS settings
    VDom parameters/settings
    admin user account
    session helpers
    system access profiles

4.5 Downgrading to FortiOS v2.80


Downgrading to FortiOS v2.80 results in configuration loss on ALL models. Only the following settings are retained:

    operation modes
    interface IP/management IP
    route static table
    DNS settings
    VDom parameters/settings
    admin user account
    session helpers
    system access profiles

The FGT1000A-FA2 does not support downgrade to FortiOS v2.80. With the introduction of the FortiClient Check feature, the flash card has a different partition layout than that in FortiOS v2.80.

4.6 Downgrading to FortiOS v2.50


Downgrading to FortiOS v2.50 results in loss of configuration on ALL models.


5 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After logging in, click on the "Firmware Images Checksum Code" link in the left frame.

(End of Release Notes.)
