FortiOS v5.0 Patch Release 1 Release Notes
December 21, 2012
01-501-190082-20121221

Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.

Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Table of Contents

Change Log ........ 6
Introduction ........ 7
    Supported models ........ 7
        FortiGate ........ 7
        FortiWiFi ........ 7
        FortiGate Virtual Machine ........ 7
        FortiSwitch ........ 7
    Supported virtualization software ........ 7
    Summary of enhancements ........ 8
        FortiOS v5.0 Patch Release 1 ........ 8
    WAN Optimization ........ 9
    MAC address filter list ........ 9
    Spam Filter profile ........ 10
    Spam Filter Black/White List ........ 10
    DLP rule settings ........ 10
    ID-based firewall policy ........ 10
    FortiGate 100D upgrade and downgrade limitations ........ 11
    FortiClient support ........ 21
    Fortinet Single Sign-On (FSSO) support ........ 21
    FortiExplorer support (Windows/Mac OS X/iOS) ........ 21
    AV Engine and IPS Engine support ........ 21
    FortiAP support ........ 22
    FortiSwitch support ........ 22
    Module support ........ 22
    SSL-VPN support ........ 23
        SSL-VPN standalone client ........ 23
        SSL-VPN web mode ........ 24
        SSL-VPN host compatibility list ........ 24
Resolved Issues ........ 26
    Antispam ........ 26
    Antivirus ........ 26
    CLI ........ 26
    Client reputation ........ 27
    Device visibility ........ 27
    DLP ........ 27
    Endpoint control ........ 27
    Firewall ........ 28
    FortiGate VM ........ 29
    GTP ........ 29
    High Availability ........ 30
    IPS ........ 31
    IPsec VPN ........ 31
    Log & Report ........ 31
    Routing ........ 33
    Source visibility ........ 34
    SSL-VPN ........ 34
    System ........ 35
    Upgrade ........ 37
    VoIP ........ 38
    WAN optimization and webproxy ........ 38
    Web-based Manager ........ 38
    Web Filter ........ 40
    WiFi ........ 41
Known Issues ........ 42
    Antivirus ........ 42
    Firewall ........ 42
    FSSO ........ 42
    High Availability ........ 42
    IPS ........ 42
    IPsec VPN ........ 43
    Log & Report ........ 43
    SSL-VPN ........ 43
    System ........ 43
    Web-based Manager ........ 43
    WiFi ........ 44
    Upgrade ........ 44
Limitations ........ 45
    Add Device Access List ........ 45
Image Checksum ........ 46
Change Log
Date          Change Description
2012-12-21    Initial release.
Introduction
This document provides installation instructions, integration, support, and resolved/known issues in FortiOS v5.0 Patch Release 1 build 0147.
Supported models
The following models are supported on FortiOS v5.0 Patch Release 1.
FortiGate
FG-20C, FG-20C-ADSL-A, FG-40C, FG-60C, FG-60C-PoE, FG-80C, FG-80CM, FG-100D, FG-110C, FG-111C, FG-200B, FG-200B-PoE, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3240C, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B, and FG-5101C.
FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.
FortiSwitch
FS-5203B
Summary of enhancements
FortiOS v5.0 Patch Release 1
The following is a list of enhancements in FortiOS v5.0 Patch Release 1:
    Add new drill-downs for the top sessions widget
    Add new Endpoint Control feature activities in the log
    Add PING server on FG-20C/FWF-20C devices
    Add support for IKEv2 configuration payload
    Addition of sort and filter functions for Web-based Manager pages
    Allow the identity base policy to spill over
    Device policy improvements
    Disk log settings returned
    Endpoint control: FortiClient logging (GUI)
    Endpoint registration over SSL-VPN tunnel mode
    Extend SIP helper for MSRP supporting MSRP NAT
    FortiClient endpoint control over IPsec VPN support
    FortiCloud certificate activation
    FortiSwitch Controller on FG-100D
    HA support for BYOD feature
    One-time schedule alert expiration
    Separate SSL/SSH deep inspection profile
    Schedule the rogue AP background scan
    Simplified client reputation configuration
    Support USB encrypted configuration file
    Support WiFi DFS models for Japan/Korea
    WIDS profile Web-based Manager support
Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.
Important
Monitor settings for Web-based Manager access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be viewed properly.
WAN Optimization
In FortiOS 5.0, WAN Optimization is enabled in security policies and WAN Optimization rules are no longer required. Instead of adding a security policy that accepts traffic to be optimized and then creating WAN Optimization rules to apply WAN Optimization, in FortiOS v5.0 you create security policies that accept traffic to be optimized and enable WAN Optimization in those policies. WAN Optimization is applied by WAN Optimization profiles which are created separately and added to WAN Optimization security policies.
Upgrade Information
Upgrading from FortiOS v5.0.0 GA
FortiOS v5.0 Patch Release 1 build 0147 officially supports upgrade from FortiOS v5.0.0 GA.
Captive portal
The captive portal configuration has been altered in FortiOS v5.0 Patch Release 1 and upon upgrading the previous configuration may be lost or changed. Review the following configuration examples before upgrading.
Endpoint control
The following examples detail an endpoint control configuration to allow all compliant Windows and Mac OS X computers network access. All non-compliant computers will be sent to the captive portal.

Example FortiOS v5.0.0 GA configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices "windows-pc" "mac"
                set endpoint-compliance enable
            next
            edit 2
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices all
                set action capture
                set devices "windows-pc" "mac"
                set captive-portal forticlient-compliance-enforcement
            next
        end
    next
In FortiOS v5.0 Patch Release 1, the configuration has changed. Notice that sub-policy 2 has been removed. The new set forticlient-compliance-enforcement-portal enable and set forticlient-compliance-devices windows-pc mac CLI commands have been added to the master policy.

Example FortiOS v5.0 Patch Release 1 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set forticlient-compliance-enforcement-portal enable
        set forticlient-compliance-devices windows-pc mac
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "abc"
                set service "ALL"
                set devices "windows-pc" "mac"
                set endpoint-compliance enable
            next
        end
    next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If this occurs, you have to enter the following CLI commands:

    set forticlient-compliance-enforcement-portal enable
    set forticlient-compliance-devices windows-pc mac
Device detection
The following examples detail a device detection configuration to allow Android, Blackberry, and iPhone devices network access. The captive portal is used to optionally learn the device type, or send back a replacement message if the device type cannot be determined.

Example FortiOS v5.0.0 GA configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices "android-phone" "blackberry-phone" "ip-phone"
            next
            edit 2
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices all
                set action capture
                set captive-portal device-detection
            next
        end
    next

In FortiOS v5.0 Patch Release 1, the configuration has been changed. Notice that sub-policy 2 has been removed. The new set device-detection-portal enable CLI command has been added to the master policy.

Example FortiOS v5.0 Patch Release 1 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set device-detection-portal enable
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "abc"
                set service "ALL"
                set devices "android-phone" "blackberry-phone" "ip-phone"
            next
        end
    next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If this occurs, you have to enter the following CLI command:

    set device-detection-portal enable
Email collection
The following examples detail an email collection configuration that allows network access to all devices for which an email address has been collected. Any device for which no email has been collected is directed to the captive portal.

Example FortiOS v5.0.0 GA configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices email-collection
            next
            edit 2
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices all
                set action capture
                set captive-portal email-collection
            next
        end
    next

In FortiOS v5.0 Patch Release 1, the configuration has been changed. Notice that sub-policy 2 has been removed and the new set email-collection-portal enable has been added to the master policy.

Example FortiOS v5.0 Patch Release 1 configuration:

    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set email-collection-portal enable
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "abc"
                set service "ALL"
                set devices all
            next
        end
    next

After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If this occurs, you have to enter the following CLI command:

    set email-collection-portal enable
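Added example, not Fortinet's code and not part of these release notes: a small Python pre-upgrade check that covers the three captive portal cases above (endpoint control, device detection, email collection). It parses a v5.0.0 GA policy written in the CLI's config/edit/set/next/end form, finds every identity-based sub-policy with set action capture, and lists the master-policy commands the notes say must be re-entered if that sub-policy is lost during the upgrade. The embedded configuration is constructed for this example with settings irrelevant to the migration omitted; its enclosing config firewall policy block is an assumption, since the notes' snippets begin at edit 3. Running the check against a saved configuration before the upgrade gives a list of the commands to keep at hand.

```python
import shlex

# Constructed sample in the v5.0.0 GA style of the release notes' captive portal
# examples (settings not relevant to the migration are omitted). The notes'
# snippets begin at "edit 3"; the enclosing "config firewall policy" block is
# an assumption made here so the text parses as one complete unit.
GA_CONFIG = """
config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set identity-based enable
        set identity-from device
        config identity-based-policy
            edit 1
                set devices "windows-pc" "mac"
                set endpoint-compliance enable
            next
            edit 2
                set devices "windows-pc" "mac"
                set action capture
                set captive-portal forticlient-compliance-enforcement
            next
        end
    next
    edit 4
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set devices "android-phone" "blackberry-phone" "ip-phone"
            next
            edit 2
                set devices all
                set action capture
                set captive-portal device-detection
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts.

    A "config" table maps entry ids to entry dicts; an entry dict maps each
    "set" key to its value list and each nested table name to its dict.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the CLI's double-quoted values
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]  # a repeated "set" keeps the last value
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected CLI line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def captive_portal_migration(cfg):
    """Return {policy id: [master-policy commands]} for every policy whose
    "action capture" sub-policy the upgrade to Patch Release 1 removes.

    The commands are the ones the release notes list for each captive portal
    type; any other portal type is flagged for manual review instead.
    """
    needed = {}
    for pid, policy in cfg.get("firewall policy", {}).items():
        for sid, sub in policy.get("identity-based-policy", {}).items():
            if sub.get("action") != ["capture"]:
                continue
            portal = sub.get("captive-portal", ["<none>"])[0]
            if portal == "forticlient-compliance-enforcement":
                devices = " ".join(sub.get("devices", []))
                cmds = ["set forticlient-compliance-enforcement-portal enable",
                        f"set forticlient-compliance-devices {devices}"]
            elif portal == "device-detection":
                cmds = ["set device-detection-portal enable"]
            elif portal == "email-collection":
                cmds = ["set email-collection-portal enable"]
            else:
                cmds = [f"# review sub-policy {sid}: captive portal {portal!r} not covered"]
            needed.setdefault(pid, []).extend(cmds)
    return needed


if __name__ == "__main__":
    for pid, cmds in captive_portal_migration(parse_fortios(GA_CONFIG)).items():
        print(f"config firewall policy / edit {pid}")
        for cmd in cmds:
            print("    " + cmd)
```

The parser keeps the last value of a repeated set line, which is how the GA endpoint control example (set devices all followed by set devices "windows-pc" "mac") yields the device list that the new set forticlient-compliance-devices command needs.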
Reports
Before you run a report after upgrading to v5.0 Patch Release 1, you must enter the following CLI commands on the console:

    execute report-config reset
    This will reset report templates to the factory default. All changes to the default report will be lost!
    Do you want to continue? (y/n)y
    Report configuration was reset to the factory default.

    execute report recreate-db
    This will recreate the report database from the log database.
    Do you want to continue? (y/n)y
    Request to recreate report database is successfully sent.
SSL deep-scan
A new SSL/SSH inspection option is introduced to cover all SSL protocols. In SSL/SSH inspection, the protocol status for the SSL protocols defaults to disable. Modify the SSL/SSH inspection settings to enable the SSL protocols wherever inspection is required.
Before upgrade
The AntiVirus, Web Filter, and Antispam profiles had separate protocol settings for the SSL and non-SSL protocols. For HTTPS deep-scanning to be done, deep-scan needed to be enabled for HTTPS in the UTM proxy options.
After upgrade
The settings for the SSL protocols in the AntiVirus, Web Filter, and Antispam profiles have been removed. Instead, the non-SSL options apply to both the SSL and non-SSL versions of each protocol. The SSL/SSH inspection options now include an enable/disable option for each protocol; this controls which protocols are scanned and which SSL-enabled protocols are decrypted. To use HTTPS non-deep (SSL handshake) inspection, HTTPS must be enabled in the SSL/SSH inspection options, and a Web Filter profile with https-url-scan enabled must be applied in the policy together with the SSL/SSH inspection options. The Web Filter profile option changes the inspection mode to non-deep scan; AV is not performed when this option is enabled. The Web Filter profile option does not apply if SSL inspect-all is enabled in the SSL/SSH inspection options.
Behavior
After upgrade, all the SSL-related settings in the AntiVirus, Web Filter, and Antispam profiles will be lost. The non-SSL settings are retained and applied to the related SSL protocols if those protocols are enabled in the SSL/SSH inspection options. The protocol status in the SSL/SSH inspection options defaults to enable for the non-SSL protocols and to disable for the SSL protocols. Modify the SSL/SSH inspection options to enable the SSL protocols wherever inspection is required. Any profiles requiring non-deep HTTPS inspection must be modified to include a Web Filter profile and SSL/SSH inspection options with the settings described above. The original HTTPS deep-scan settings will be lost upon upgrade.
            set options fragmail no-content-summary splice
        end
        config smtps
            set port 465
            set options fragmail no-content-summary splice
        end
        config nntp
            set port 119
            set options no-content-summary splice
        end
    next
end

        end
    next
end
config firewall deep-inspection-options
    edit "default"
        set comment "all default services"
        config https
            set ports 443 8443
            set allow-invalid-server-cert enable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
    next
end
FortiClient support
FortiOS v5.0 Patch Release 1 is supported by the following:

    FortiClient for Windows build 0194
    FortiClient for Mac OS X build 0081
FortiAP support
FortiOS v5.0 Patch Release 1 supports the following FortiAP models:

    FAP-11C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and FAP-320B

The FortiAP device must be running FortiAP v5.0.0 GA build 0021 or later.
FortiSwitch support
FortiOS v5.0 Patch Release 1 supports the following FortiSwitch models:

    FS-348B

The FortiSwitch device must be running FortiSwitch v1.00 Patch Release 2 build 4030.
Module support
FortiOS v5.0 Patch Release 1 supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC), Rear Transition Module (RTM), and Fortinet Storage Module (FSM) removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before a module is inserted or removed.

Table 1: Supported modules

AMC/FMC/FSM/RTM Module: FortiGate Platform
    Storage Module 500GB HDD Single-Width AMC (ASM-S08): FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, FG-5001A
    Storage Module 64GB SSD Fortinet Storage Module (FSM-064): FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
    Accelerated Interface Module 4xSFP Single-Width AMC (ASM-FB4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
    Accelerated Interface Module 2x10-GbE XFP Double-Width AMC (ADM-XB2): FG-3810A, FG-5001A
    Accelerated Interface Module 8xSFP Double-Width AMC (ADM-FB8): FG-3810A, FG-5001A
    Bypass Module 2x1000 Base-SX Single-Width AMC (ASM-FX2): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
    Bypass Module 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
    Security Processing Module 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4): FG-1240B, FG-3810A, FG-3016B, FG-5001A
    Security Processing Module 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2): FG-3810A, FG-5001A
    Security Processing Module 4x10-GbE SFP+ Double-Width AMC (ADM-XD4): FG-3810A, FG-5001A
    Security Processing Module 8xSFP SP2 Double-Width AMC (ADM-FE8): FG-3810A
    Rear Transition Module 10-GbE backplane fabric (RTM-XD2): FG-5001A
    Security Processing Module (ASM-ET4): FG-310B, FG-311B
    Rear Transition Module 10-GbE backplane fabric (RTM-XB2): FG-5001A
    Security Processing Module 2x10-GbE SFP+ (FMC-XG2): FG-3950B, FG-3951B
    Accelerated Interface Module 2x10-GbE SFP+ (FMC-XD2): FG-3950B, FG-3951B
    Accelerated Interface Module 20xSFP (FMC-F20): FG-3950B, FG-3951B
    Accelerated Interface Module 20x10/100/1000 (FMC-C20): FG-3950B, FG-3951B
    Security Processing Module (FMC-XH0): FG-3950B
SSL-VPN support
SSL-VPN standalone client
FortiOS v5.0 Patch Release 1 supports the SSL-VPN tunnel client standalone installer build 2281 for the following:

    Windows in .exe and .msi format
    Linux in .tar.gz format
    Mac OS X 10.7 in .dmg format
    Virtual Desktop in .jar format for Windows 7

Table 2: Supported operating systems

Windows             Virtual Desktop Support            Linux        Mac OS X
Windows 7 32-bit    Windows 7 32-bit Service Pack 1    CentOS 5.6   Mac OS X 10.7 (Lion)
Windows 7 64-bit
Table 5: Supported Windows 7 32-bit and 64-bit AntiVirus and Firewall software

Product (software columns: AntiVirus, Firewall)
    CA Internet Security Suite Plus
    AVG Internet Security 2011
    F-Secure Internet Security 2011
    Kaspersky Internet Security 2011
    McAfee Internet Security 2011
    Norton 360 Version 4.0
    Norton Internet Security 2011
    Panda Internet Security 2011
    Sophos Security Suite
    Trend Micro Titanium Internet Security
    ZoneAlarm Security Suite
    Symantec Endpoint Protection Small Business Edition 12.0
Resolved Issues
The resolved issues listed below do not include every bug that has been corrected in this release. For inquiries about a particular bug, please contact Customer Support.
Antispam
Table 6: Resolved antispam issues

Bug ID    Description
154340    Proxy worker crashes with signal 7 on emails.
178515    The Hotmail general email log "to" and "cc" fields include double quotations.
185152    FortiGuard Spam IP address check does not work over SMTP and SMTPS.
189889    The scanunit process crashed when MMS endpoint BWL check was enabled.
Antivirus
Table 7: Resolved antivirus issues

Bug ID    Description
176174    ETDB is erased and set default_db as ex. (Build 0080)
184584    avengine scanmode issue on 64-bit platforms.
187648    ETDB version is 0 after update-av and FLDB update is unexpected. (Build 0127)
CLI
Table 8: Resolved CLI issues

Bug ID    Description
185946    Lots of pop up errors from console. (Build 4890)
190782    A combination of PARSE_F_MULARG and PARSE_F_SKIP causes the CLI to behave incorrectly.
191061    Create a new diag test command for fdsmgmtd.
Client reputation
Table 9: Resolved client reputation issues

Bug ID    Description
184435    diagnose client-reputation test related CLI commands do not work.
187627    Missing crscore/craction in the host-detail for a failed connection/blocked policy.
187686    sql_db ioerror can cause a reputation data update to fail.
Device visibility
Table 10: Resolved device visibility issues

Bug ID    Description
189181    Add a new pre-defined device group for Windows tablets.
DLP
Table 11: Resolved DLP issues

Bug ID    Description
145588    The DLP log of a file pattern has the wrong file field with an HTTP POST request.
175582    The Archive and DLP monitor is unresponsive when report by protocol is selected.
187307    Check dlp file type filter is not selectable with message.
Endpoint control
Table 12: Resolved endpoint control issues

Bug ID            Description
187048            FortiGate devices renew the Endpoint License expiry time when FortiClient is offline.
188259            Need to enforce disabling broadcast-forticlient-discovery when listen-forticlient-connection is disabled.
190985, 190994    When copying and pasting a FortiClient configuration into advanced-cfg-buffer, an application firewall rule list is required.
191040, 191052    Support multiple endpoints which have the same IP (from different VDOMs) in the Endpoint Control record table.
191092            Allow FortiClient license upgrade feature on FG-110C and FG-111C.
191345            FortiGate will deny the traffic from a registered FortiClient over SSL-VPN.
Firewall
Table 13: Resolved firewall issues

Bug ID                     Description
156726                     HTTPS SSL deep-scan download stalls at 99%.
163589                     Management login support for RADIUS Challenge-Response.
167304                     Control concurrent user authentication in identity-based-policy.
174101                     Move auth-lockout to VDOM and add enable/disable commands.
180372                     Device policy and explicit proxy should be mutually exclusive in the Web-based Manager and CLI.
183325                     The multicast policy set protocol in CLI will not display any default values; the Web-based Manager displays default values correctly.
184312                     High CPU usage by proxyworker process, along with multiple signal 11 segmentation faults.
184375                     Uploads are interrupted by FortiGate devices with the load balancer feature enabled.
186588                     DLP, AV, and Web Filter sometimes do not work when inspect-all is enabled.
186836                     Re-enabling the UTM status of a firewall policy can result in all UTM options disappearing.
187125                     Load balance health check monitor port change after reboot.
187131                     Changing the members of a service group does not immediately affect a policy.
187202                     The TLS connection cannot be completed. A method is required to control for TLS decryption.
187549                     DCE-RPC high port assignment is not allowed when using Microsoft SCOM 2012.
188039                     Firewall multicast policy source NAT does not work.
188975                     In user visibility, Kerberos authentication takes higher priority than FSSO authentication.
189067                     Driver fix for traffic failure reported from production and IQC.
189876                     Support the SSL next-proto-negotiation extension.
190636                     The connection will be reset if a client requests TLSv1.2 but the server chooses TLSv1.1 or below when SSL deep scan is enabled.
190776                     Firewall policy can be set without service with the action IPsec or deny.
190990, 191585             System crashed showing ehci_hcd fatal errors.
191050                     Handle HTTP connection upgrade in transparent proxy to support WebSocket traffic.
191171, 191319             FortiSwitch-controller configuration bug fix.
191471                     FCT-Access once enabled on an interface will implicitly open port 8010 on all interfaces in the same VDOM.
191570                     FSSO_Guest_User group does not work for ID-based policy.
191606                     all service prot_type is not set.
151728, 174277, 177976     UTM Web and Email monitor statistic recording.
FortiGate VM
Table 14: Resolved FortiGate VM issues

Bug ID                    Description
186173                    FortiGate-VM64.hw07.vmxnet2.ovf and FortiGate-VM.hw07_vmxnet2.ovf cannot support HA.
186809                    The FortiClient license support for FG-VM01 should be 1000.
186809, 186810, 190416    Set VM license levels for limiting python processes and FortiClient licenses.
186810                    FG-VM00 should not have the Enter License option for the FortiClient Registration License.
190416                    FG-VM is constantly in conserve mode.
GTP
Table 15: Resolved GTP issues

Bug ID    Description
172442    MMS profile alert-int parameter missing.
High Availability
Table 16: Resolved high availability issues

Bug ID    Description
153089    Automatic backup configuration bug in HA mode.
156040    Redundant HA in-sync log messages.
185272    When displaying a log message in a slave event log, the slave clock is adjusted to an invalid time.
185628    Part of the session information is not synchronized correctly under HA Active-Active mode when a device based firewall policy is configured.
186053    All heartbeat links fail simultaneously, triggered by traffic.
186681    The VLAN interface has the HA MAC address on both cluster members, after vcluster failover.
186788    Bulk CLI scripts cannot synchronize to a slave FortiGate if there is a comment on the script.
187026    A new HA cluster slave cannot synchronize an IPsec VPN tunnel from its master after synchronizing both sides.
187090    The slave log cannot be sent to a FortiAnalyzer when first forming the HA cluster.
187091    The master does not forward the slave's log to FortiAnalyzer in a multi VDOM environment when the new member has VDOMs configured.
187263    A FortiGate slave has cw_acd and cmdbsvr process crashes when synchronizing its configuration.
187424    The configuration cannot synchronize between the master and slave.
187430    A FG-100D device configured as HA master experienced a kernel crash and rebooted by itself.
187994    src-vis daemon crashes on the slave.
188912    Devices cannot get updates when configured in HA.
190223    Existing sessions hang after HA failover, when using FSSO authentication and disclaimer.
190237    Changing firewall policy attributes does not cause the checksum to change.
191144    The HA management interface cannot be configured and the newcli daemon crashed.
191692    The FortiGate device fails to send a FortiToken mobile activation code when a unit is operating in HA.
IPS
Table 17: Resolved IPS issues
Bug ID   Description
170316   The proxyworker process will crash under SSH protocol fuzzing.
184016   IPS DoS log is different for an XLP offload with the CPU processed.
190637   Do not show fail open if IPS is busy due to signature or configuration change.
IPsec VPN
Table 18: Resolved IPsec VPN issues
Bug ID   Description
176133   NPU offload does not work with IPsec VPN IPv6.
178665   L2TP over IPsec client cannot ping to internal network if the FortiGate has PPPoE WAN connection.
182017   A FortiGate PPTP client using PAP fails.
182910   The IPsec monitor shows the wrong user name for a dialup VPN with RSA aggressive mode.
183382   Invalid ESP packets are regularly generated.
183638   VPN DDNS gateway cache conflicts causing high IKED CPU usage.
184463   IPv6 traffic is lost when passed through an IPsec VPN with NP4 fast-path enabled.
186975   Enabling transparent mode npu-offload in IPsec phase1 could not force traffic to offload.
190405   IKEv2 DPD failure which brings down the tunnel when the peer was still reachable.
190752   iPhone 5 IPsec VPN connection issues.
190763   L2TP over IPSec issue with Chrome OS.
191229   Delete notify sent issue when IPsec SA hard expires.
Table 19: Resolved log & report issues (continued)
Bug ID   Description
161048   When the schedule is set to weekly, Traffic History by Bandwidth/Sessions are empty.
163808   Cannot show the value of NIDS_EVENT in alertmail. (Build 0105)
168405   The quarantine archive tab loads in the Web-based Manager.
169215   Cannot send a slave log to FortiCloud.
172636   Logging of HTTP POST command blocking in Web Filtering.
173614   The spam filter log subject field is blank.
178128   Add the subject field to the DLP log.
181291   The log quota of VDOMs can exceed the size of the disk.
181391   If keeping bps as the unit, the correct number should be 8 times the current number.
183447   Add extended-utm-log to VoIP.
184465   The modem event log has the wrong format.
184875   The Web-based Manager should show the VOIP log.
185209   The traffic log is generated when utm-incident-traffic-log and log-traffic are both disabled.
185916   The ID field name in the DHCP log should be changed.
185949   No IPS incidents are in the traffic log; the report and client reputations do not have the related charts.
186280   A false alertmail email is sent out when HA status changes is enabled.
186362   Cannot add custom charts.
186918   Alertmail shows Failed to send alert email in logs, but the message has actually been sent.
187003   There is no invalid log for failed connection attempt cause; it fails to track the related client reputation.
187505   The reportd daemon has a signal 11 crash when a report is run manually.
187567   The IPMC-sensor log has illegal characters and the system log cannot be displayed in the Web-based Manager.
188002   Logs still use daylight savings time.
188038   The scheduled upload for dlp-archive does not work.
188117   DLP archive upload to FortiAnalyzer does not work when the upload option is store-and-upload.
Table 19: Resolved log & report issues (continued)
Bug ID   Description
188126   The log is deleted and there is a false emergency event log when usage is very low.
188144   The Top web users by bandwidth chart needs to be re-sized.
188199   There should be an event log when a scheduled update succeeds.
188326   The FG-100D receives a Failed to create statement for INSERT INTO apps error message after formatlogdisk.
188420, 190116   Generate an event log entry when connecting to a modem successfully.
188734   Traffic log is inconsistent after test AV sample. (Build 0131)
188854   UTM incident traffic logs are confusing when they match multiple UTM profiles. This causes the report and reputation to be incorrect.
188958   The miglogd daemon crashed when handling an abnormal log file. (Build 0130)
189785   Need to add crscore/craction to the traffic logs sent to FortiAnalyzer.
190519   Show FortiCloud log upload progress. (Build 0137)
190553   DLP PDF font handling issue from Ubuntu PDF generator.
190913   forticldd daemon usage issue, CPU is at 99%.
191106   Purge disk log after 7 days by default.
191245   Pause before attempting to connect to FortiCloud after an unsuccessful attempt.
Routing
Table 20: Resolved routing issues
Bug ID   Description
176314   OSPF Hello uses a 32-bit netmask even if the tunnel interface IP has a smaller bitmask.
182783   The gateway of static route is its own address and should not be allowed or not be shown in routing table.
184378   The password function of IPv6 BGP neighbor does not work.
185808   PIM-SSM Multicast stream is PRUNED while other IGMPv3 receivers are still present.
188201   A four byte AS number is shown as '-1' in aggregate routes 'aggregated by'.
188470, 188480   Delete the detectserver option of fail-detect-option in transparent mode and add host name check for gwdetect server name.
Table 20: Resolved routing issues (continued)
Bug ID   Description
188645   IPv6 address on FWF-60CM interface cannot be pingable when the routing path is asymmetric. (Build 0128)
190671   Make regexp "^$" work for locally originated BGP routes.
Source visibility
Table 21: Resolved source visibility issues
Bug ID   Description
185512   The KDC-REQ user name is not recorded when user visibility is enabled.
SSL-VPN
Table 22: Resolved SSL-VPN issues
Bug ID   Description
133510   No SSL-VPN tunnel plugin is available for 64-bit web browsers.
181139   Cannot open a JSP object in SSL web mode.
182464   The SSL-VPN tunnel widget does not work in the web mode portal on Windows 8 with Internet Explorer 10.
183875   There is an SMB/CIFS operation error in the SSL-VPN web portal.
184140   The RDP login screen is not displayed in full screen mode with SSL-VPN in web mode.
184285   Add the FortiClient download widget to the SSL-VPN web portal.
185359   Failed to create an SSL-VPN policy with the wizard because sslvpn-portal is not set.
187320   When a user logs out of SSL-VPN web mode from Fortinet bar they are redirected to an incorrect page.
187822   The SSL-VPN portal idle timeout does not work with Fortinet Bar enabled.
188048   The web mode SSL-VPN daemon crashes when the firewall policy address type is FQDN.
188083   The SSL daemon crashes when accessing the FortiGate Web-based Manager in web mode.
188730   The portal message setting is inconsistent for default and newly added SSL-VPN portals.
189246   PING6 for unreachable destination caused SSL-VPN portal to hang.
Table 22: Resolved SSL-VPN issues (continued)
Bug ID   Description
190106, 190336   Minor issues with the downloading SSL-VPN plugins from FDS.
191068   SSL-VPN could not be accessed for newly created VDOM.
System
Table 23: Resolved system issues
Bug ID   Description
138324   The FortiToken drift value exceeds 254.
139978   Old acknowledged/deleted messages repeatedly show up in other message widgets on the dashboard.
150876   The duplex information on the FWF-60B displays incorrectly.
159921   There are no IPS fail-open status logs.
159974   FortiGate FSSO polling cannot get all IP addresses if a workstation has multiple ethernet cards.
161876   The FG-600C gets a power supply 2 failure event log when the optional power supply is not installed.
172299   Ports 9-12 flap when connected to an Arista 7124SX switch.
175326   FortiGate responds to ARP requests on 192.168.0.1 on MGMT1 interface.
175520   FortiToken Mobile: current solution supports the root VDOM only.
178435   FQDN in the firewall will only grab the TTL value of an A record.
179382   The filters in interface > One-arm sniffer sometimes cannot accept or delete configurations.
179952   Stop quarantine and archive when in the conserve mode.
181367   Support larger replacement messages.
181426   After moving an interface into a newly created VDOM, the FortiGate unit still sends broadcasts in the old VDOM.
182835   The FG-200B port cannot detect FG-3016B link status.
183546   SSL process high memory issue.
183664   The PPPoE interface set defaultgw disable cannot remove the gateway.
183727   The FIPS-CC Alarms for user-auth-failure/lockout-threshold stops working.
184182   The CLI command diagnose test guest list reports null at the end of output.
Table 23: Resolved system issues (continued)
Bug ID   Description
184206   Russian FSTEK certification requirement for image checksum.
184314   Add/remove of physical Interface to 802.3ad aggregation brings the aggregate port down.
184699   The configuration is changed after the first reboot of a firmware upgrade.
184932   Unable to administratively Down or Up a tunnel interface via the CLI in the config global section.
185422   The modem default route is not installed when a modem is in the non-root VDOM.
185580   FortiGate devices should be in the pending state when switching accounts from an old account.
185606   There is an SNMP problem when using 250 VDOMs.
185909   The FG-111C switch works abnormally with FortiOS 5.0.
186100   The server probe does not support PPPoE devices.
186116   The FG-100D LENC cannot update from the FDS.
186448   Cannot login to the FortiCloud portal automatically when a FortiGate device is managed by FortiManager.
186523   FortiToken activation fails on particular FDS servers.
186530   When configuring two-factor authentication, some super_admin users cannot see the token.
186540   Setting the speed to 100half/10half does not take effect for 1G copper interfaces.
186672   Multi-VDOM admin's VDOM list sequences affect which token can be used in two-factor login.
186738   The SNMP trap for IPsec should contain the tunnel name.
186797   The Miglogd daemon uses high CPU when the syslogd2 server is defined.
187002   There is a cmdbsvr segfault when changing firewall policy in the Web-based Manager.
187274   DDNS stops working.
187327   The CLI hangs when the CLI displays More and Ctrl+C is pressed.
187498   Merging daemons causes a signal 11 Crash.
187519   The speed LED on a shared NIC port is not lit on the FG-800C.
187878   Removing the secondary IP disconnects the admin session.
Table 23: Resolved system issues (continued)
Bug ID   Description
187972   When restoring a multi-VDOM configuration, a configuration error occurs at reboot.
187975   Verify the DNS response code for the AAAA record (RFC 4074) when an A record exists.
188016   Unable to delete the default firewall address.
188169   Mass MMS communication sockets are not removed after usage.
188544   The diagnose sys session6 filter command shows src twice.
188772   The diagnose system top command for CPU usage is not correct.
188844   Time Zone is incorrectly displayed. (Build 0128)
189189   FortiClient licenses should be kept after an upgrade.
189261   The authd and wad socket pipe fills up the /tmp directory.
190116   There is an unknown field name error message during PPPoE interface configuration.
190185   The update daemon uses up all the fd and stops working.
190292   Move reboot/shutdown to resource widget, update sysres widget.
190848   Unable to create a DHCP server on DHCP interface. (Build 0139)
191215   FG-1000C fails to change MGMT1 IP because subnets overlap, even though the subnets do not overlap.
191522   Unable to log in to FortiGate via SSH.
Upgrade
Table 24: Resolved upgrade issues
Bug ID   Description
162779   Received Could not load host key: /tmp/ssh_host_rsa_key message after upgrading the FG-3140B from v4.0 build 0513 to v5.0 build 0023.
(not listed)   A cluster of two FG-40C devices upgraded from v4.0 MR3 Patch Release 6 does not work.
(not listed)   Upgrade unsuccessful due to too many entries in all tables of .firewall.service.category.
(not listed)   When upgrading from build 0639 to build 0119, HTTPS deep scan does not upgrade properly.
Table 24: Resolved upgrade issues (continued)
Bug ID   Description
188354   After upgrading from v4.0 MR3, ports from profile-protocol-options are not added to the iprope list.
189209   After upgrading from v4.0 MR3 to v5.0, the endpoint-profile should be set as default.
VoIP
Table 25: Resolved VoIP issues
Bug ID   Description
178932   Problems encountered when enabling the SCCP VoIP profile.
Web-based Manager
Table 27: Resolved Web-based Manager issues
Bug ID   Description
149638   Show policy negates the status on the Web-based Manager.
152072   The pre- and post-login warning messages for admin log in have issues.
154191   Moving or refreshing the Web Filtering monitor page causes the device to go into conserve mode.
167572   After changing the language, parts of the Web-based Manager still use the original language.
167836   Editing IPsec VPN v6 phase1 will result in an Invalid gateway address message.
Table 27: Resolved Web-based Manager issues (continued)
Bug ID   Description
Multiple   Fixes for a large number of Web-based Manager bugs. Bug ID: 169314, 171703, 177692, 178755, 182799, 184117, 186760, 187703, 188286, 188405, 189201, 189799, 190308, 190322, 190461, 190493, 190506, 190728, 190772, 190794, 190796, 190867, 190871, 191005, 191480
171928, 185622   httpsd daemon crash in some monitoring pages.
173130   The pull-down menu does not show up correctly when a firewall policy is created with a certain administrator profile.
176568   Unable to clear the secondary-server configuration of a RADIUS server from the Web-based Manager.
179645   NAT, shaper, and WAN Optimization settings should be hidden when the policy action is set to deny.
180177   UTM endpoint control client installers have a directory traversal vulnerability.
182051   The insert section does not work from the Web-based Manager.
182659   Once a firewall address is associated to an interface, it can not be reverted back to any from the Web-based Manager.
183435   Show the comment text, instead of just a note icon.
183453   The OK button does not save authentication settings in the web-proxy policy.
185173   The FWF-20C LAN + WiFi Setting wizard page displays an Invalid IP Range message incorrectly. (Build 0114)
185981   Application icons are incorrect in widgets, traffic logs, and application control lists.
187041   The OS signature was shown on device page when the mouse hovers over the device.
187083   A mobile token in activated status incorrectly has provision in the right click menu.
187465   The DoS policy page will display in a messy manner after setting the column ID in the policy page.
187493   Implicit firewall rules can be moved.
187699   Add policy drag & drop function back into the policy global view.
187826   With some specific wildcard addresses, the Web-based Manager firewall address page cannot be loaded.
188036, 190446, 190627   Widen columns for user/IP and recreate tables if table structure is not up to date.
Table 27: Resolved Web-based Manager issues (continued)
Bug ID   Description
188398   Implicit user identity policy rules' action is shown incorrectly in the Web-based Manager.
188636   When switching the DLP sensor to the default profile, the Web-based Manager shows HTTP error 400.
190026   There are HTTP 500 errors on firewall policies, UTM options, and DNS pages with specific configurations.
190026, 190149   Non-utf8 characters cause Web-based Manager issues.
190149   There is an internal server error when editing a policy that contains special characters.
190292   Move the reboot and shutdown commands to the resource widget.
191057   Missing group in SSL-VPN traffic log caused Web-based Manager parser error.
Web Filter
Table 28: Resolved web filter issues
Bug ID   Description
158996   The FortiGuard override URL is incorrect when using deep inspection and a CN that contains wildcard characters.
160110   The monitor action of urlfilter should not exempt the block action of FortiGuard.
164917, 187714   Fix safe search enable issue.
165025   When the customize block page is enabled, the header HTTP/1.1 403 ... is lost in the HTTP package.
172865   For flow-based Web Filters, FortiGate devices cannot exempt SSL websites belonging to the bank category when deep-scan is enabled.
178351   When the local category is set to block, the category action cannot be disabled.
178351   In the ftgd-wf setting of a Web Filter profile, enable is renamed and takes a new role.
179265   CN based HTTPS Web URL Filtering does not work well under external proxy environments when exempt is configured as all.
180684   Web Filter quota resets incorrectly when the quota is edited.
185181   Browser-based FortiGuard Web Filtering override does not work.
186815   Websites could not be overridden to Unrated category by FortiGate local rating.
Table 28: Resolved web filter issues (continued)
Bug ID   Description
188607   FortiGuard service is intermittently unavailable. A restart of the urlfilter is required to recover.
189954, 189987   Redirect on HTTPS safe search and DLP PDF scan on SSN and CC.
WiFi
Table 29: Resolved WiFi issues
Bug ID   Description
131373   WPA on virtual AP devices does not work if the physical WLAN is set to WPA2.
168555   Captive portal FQDN does not work on WiFi interfaces.
177422   There is a problem with the HP slate tablet related to 802.11n MSDU frame aggregation.
182204   Manual and auto suppression do not work.
186152   The FWF-20C-ADSL-A has an incorrect wireless default configuration.
186562   Virtual AP intermittently stops working. Display the configuration also failed.
188644   Unable to create more than 508 SSIDs with RADIUS security.
188805   The WPA daemon is crashing, causing all Virtual APs to be reconfigured.
189354   Ap-bgscan scheduling does not work.
Known Issues
The list of known issues below does not include every bug that has been reported with this release. For inquiries about a particular bug, please contact Customer Service & Support.
Antivirus
Table 30: Known antivirus issues
Bug ID   Description
191950   Files being downloaded while AV is enabled may experience an interruption.
Firewall
Table 31: Known firewall issues
Bug ID   Description
186428   The Web-based Manager fails to allow adding a tag for a firewall address.
191184   VLAN IDs and their assignment to a corresponding NPU may result in the interface not processing ARP requests properly.
FSSO
Table 32: Known FSSO issues
Bug ID   Description
186536   The status of the FSSO polling agent in the Web-based Manager is not shown correctly.
High Availability
Table 33: Known high availability issues
Bug ID   Description
192192   Enabling standalone-config-sync may fail to synchronize sessions.
IPS
Table 34: Known IPS issues
Bug ID   Description
171443   An application list traffic shaper fails to be applied on an FMC-XH0 and FMC-XG2 card.
IPsec VPN
Table 35: Known IPsec VPN issues
Bug ID   Description
192347   The FortiGate device may drop sessions with NP4/IPsec offload in a hub and spoke or spoke to spoke traffic topology.
SSL-VPN
Table 37: Known SSL-VPN issues
Bug ID   Description
185658   The SSL-VPN daemon may experience high CPU.
191725   An SSL-VPN may fail to renew passwords as authenticated by LDAPS.
System
Table 38: Known system issues
Bug ID   Description
190141   The configuration fails to accept DHCPv6 server domain names beginning with digits.
Web-based Manager
Table 39: Known Web-based Manager issues
Bug ID   Description
188785   The Web-based Manager displays only one channel in the Client Monitor when bonding is configured.
188936   The Web-based Manager fails to allow usernames with special characters in an identity-based policy.
WiFi
Table 40: Known WiFi issues
Bug ID   Description
184014   WiFi clients connected to FortiAP may experience high latency towards the wireless controller.
Upgrade
Table 41: Known upgrade issues
Bug ID   Description
192391   A newly created device-based policy cannot retain the original policy's UTM-related settings after enabling Endpoint Registration.
Limitations
This section outlines the limitations in FortiOS v5.0 Patch Release 1.
Image Checksum
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file, including the extension, and select Get Checksum Code.
Figure 1: Customer Service & Support image checksum tool