FortiGate Multi-Threat Security System

Release Notes FortiOS v3.00 MR7 Patch Release 10 Rev. 1.0

a!uary 1"# $011

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

Table of Contents
1 FortiOS v3.00 MR7 Patch Release 10.....................................................................................................................................1 1.1 General................................................................................................................................................................................3 1.2 Single Hard Drive S !!ort "or FG#$111%..........................................................................................................................3 1.3 File #rans"er &i'itation......................................................................................................................................................3 1.( Forti%lient v(.0 S !!ort......................................................................................................................................................( 2 Resolved )ss es in FortiOS MR7 Patch Release 10................................................................................................................* 2.1 S+ste'.................................................................................................................................................................................* 2.2 High ,vaila-ilit+.................................................................................................................................................................* 2.3 .P/.....................................................................................................................................................................................* 3 0!grade )n"or'ation..................................................................................................................................................................1 3.1 0!grading "ro' FortiOS v2.*0...........................................................................................................................................1 3.2 0!grading "ro' FortiOS v2.20...........................................................................................................................................1 3.3 0!grading "ro' FortiOS v3.00 MR* and MR1................................................................................................................10 3.( Do3ngrading to FortiOS v3.00.........................................................................................................................................1* 3.* Do3ngrading to FortiOS v2.20.........................................................................................................................................1* 3.1 Do3ngrading to FortiOS v2.*0.........................................................................................................................................1* ( )'age %hec4s 's.....................................................................................................................................................................11 Change Log Revision 1.0 1.1 )nitial Release. %hanged descri!tion o" - g 122525 to -e 'ore acc rate in Resolved )ss es section Change Description

6 %o!+right 2010 Fortinet )nc. ,ll rights reserved. Release /otes FortiOS v3.00 MR7 Patch Release 10. Trademarks Prod cts 'entioned in this doc 'ent are trade'ar4s or registered trade'ar4s o" their res!ective holders. Registered c sto'ers 3ith valid s !!ort contracts 'a+ enter their s !!ort tic4ets at the Fortinet % sto'er S !!ort site7 htt!s788s !!ort."ortinet.co'

a!uary 1"# $011

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

1 FortiOS v3.00 MR7 Patch Release 10

#his doc 'ent o tlines resolved iss es o" FortiOS v3.00 MR7 907*( Patch Release 10 "ir'3are "or the Fortinet FortiGate M lti$threat Sec rit+ S+ste'. Please re"erence the " ll version o" the FortiOS v3.00 MR7 release notes "or ne3 "eat res and 4no3n iss es. #he "ollo3ing o tlines the release stat s "or each 'odel. Model FG#$3109 FG#$3210, FG#$3100, FG#$30119 FortiOS v3.00 MR7 Release Status #he o""iciall+ released i'ages "or these 'odels are -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:a'c:-+!ass8- ild:**70 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or these i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **70. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(. FG#$1209 FG#$1209$D% #he o""iciall+ released i'ages "or these 'odels are -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:120-8- ild:tag:**73 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or these i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **73. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(. FG#$110% #he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:110c8- ild:tag:**15 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **15. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(. FG#$111% ote! #he FG#$110%$HD has -een rena'ed to FG#$111%. #he i'age "ile na'e also has -een rena'ed to <FGT_111C-v300-build0754-FORTINET.out< and is sed on -oth the e>isting FG#$110%$HD 'odel and the FG#$111% 'odel. Once the i'age is loaded= -oth the <get syste st!tus< %&) o t! t and the 3e- 0) re"erence the FG#$111%. #he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:110c8- ild:tag:**15 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **15. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(. FG#$*001,$S? FG#$*001,$D? ote7 Sa'e "ir'3are i'age is sed "or FG#$*001,$S? and FG#$*001,$D? 'odels. #he o""iciall+ released i'ages "or these 'odels are -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:*001a:s38- ild:tag:**20 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar MR7 -ranch. #he - ild n '-er "or these i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste'

a!uary 1"# $011

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10 stat s< %&) co''and dis!la+s **20. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(.

FG#$*19

ote! #he FG#$*09$HD has -een rena'ed to FG#$*19. #he i'age "ile na'e also has -een rena'ed to <FGT_51"-v300-build0754-FORTINET.out< and is sed on -oth the e>isting FG#$*09$HD 'odel and the FG#$*19 'odel. Once the i'age is loaded= -oth the <get syste st!tus< %&) o t! t and the 3e- 0) re"erence the FG#$*19. #he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:*1-8- ild:tag:**72 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **72. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(.

FG#$20% FG#$20%M F?F$20%M F?F$21%M

ote! Onl+ F?F$20%M and F?F$21%M Rev. 1 hard3are is s !!orted -+ FortiOS v3.00 MR7. #he o""iciall+ released i'ages "or these 'odels are -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:20%8- ild:tag:**71 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar MR7 -ranch. #he - ild n '-er "or these i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **71. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(.

FG#$3119

#he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:311-8- ild:tag:**72 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **72. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(.

FG#$3109$D%

#he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:310-:dc8- ild:tag:**75 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **75. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(.

F?F$309

#he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:"330-8- ild:tag:**77 and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **77. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(.

FG#$22%

#he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:22c8- ild:tag:**7( and is located in the sa'e director+ as the 'odels s !!orted on the

a!uary 1"# $011

Forti!et %!c reg lar FortiOS v3.00 MR7 -ranch.

Release Notes FortiOS v3.00 MR7 & Patch Release 10

#he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **7(. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(. FG#$12(09 #he o""iciall+ released i'age "or this 'odel is -ased o"" o" MR7 Patch Release 10 907*( "g300:'r7:12(0-8- ild:tag:**7* and is located in the sa'e director+ as the 'odels s !!orted on the reg lar FortiOS v3.00 MR7 -ranch. #he - ild n '-er "or this i'ages in the S+ste' ; Stat s !age and the o t! t "ro' the <get s+ste' stat s< %&) co''and dis!la+s **7*. #o con"ir' that +o are r nning the !ro!er - ild= the o t! t "ro' the <get s+ste' stat s< %&) co''and has a <9ranch !oint7< "ield. #his sho ld read 7*(. ,ll Other Models ,ll other 'odels are s !!orted on the reg lar MR7 -ranch.

1.1 General
#he #F#P -oot !rocess erases all c rrent "ire3all con"ig ration and re!laces it 3ith the "actor+ de"a lt settings.

IMPORTANT!
Monitor Settings for Web User Interface Access:

Fortinet reco''ends setting +o r 'onitor to a screen resol tion o" 1220>102(. #his allo3s "or all o-@ects in the ?e- 0) to -e vie3ed !ro!erl+.

BEFORE any u gra!e"

"Forti#ate Con$iguration% Save a co!+ o" +o r FortiGate nit con"ig ration Aincl ding re!lace'ent 'essagesB !rior to !grading.

AFTER any u gra!e=

"&e'() displa*% )" +o are sing the ?e- 0)= clear the -ro3ser cache !rior to login on the FortiGate to ens re !ro!er dis!la+ o" the ?e- 0) screens. "(pdate the +,-).S de$initions% #he ,.8)PS signat re incl ded 3ith an i'age !grade 'a+ -e older than ones c rrentl+ availa-le "ro' the FortinetCs FortiG ard s+ste'. Fortinet reco''ends !er"or'ing an <0!date /o3< as soon as !ossi-le a"ter !grading. %ons lt the FortiGate 0ser G ide "or detailed !roced res.

1.2 Sin le !ar" #rive S$%%ort for FGT&111C

#he FortiGate$111% contains t3o hard drive -a+s - t s !!orts onl+ one hard drive at one ti'e.

1.3 File Transfer 'i(itation

&arge ?MP strea'ing video 'a+ "ail to load 3hen antivir s CFile FilterC "eat re is ena-led. Decreasing the #tt$ove%si&eli it val e to 2 or lo3er can -e sed as a 3or4aro nd to this li'itation.

a!uary 1"# $011

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

1.) FortiClient v).0 S$%%ort

?ith the Forti%lient chec4 "eat re ena-led in the "ire3all !olic+ and Forti%lient 3.0.> installed on the FortiGate device= end$ !oint clients 3ith a higher Forti%lient version= As ch as v(.0B are not recogniDed -+ the FortiGate device and are as4ed to do3nload Forti%lient 3.0.> installer.

a!uary 1"# $011

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

2 Resolve" *ss$es in FortiOS MR7 Patch Release 10

2.1 S+ste(
Description! SM#P !ro>+ sho ld enter <9EP,SS:S#,#F< onl+ 3hen a !ositive res!onse "or S#,R##&S is received. Models +$$ected! ,ll /ug )D! 1132*7 Status! Fi>ed in MR7 Patch Release 10. Description! FG#$110% 4ee!s rando'l+ re-ooting ntil it "reeDes. Models +$$ected! FG#$110% /ug )D! 12*(22 Description! 0!date online hel! in SS& !ortal 3ith GSS v lnera-ilit+ "i>. Models +$$ected! ,ll /ug )D! 12*2*1

Status! Fi>ed in MR7 Patch Release 10.

Status! Fi>ed in MR7 Patch Release 10.

Description! Fi> vario s FortiGate "reeDing and 4ernel !anic iss es. Models +$$ected! ,ll /ug )D! 117512= 123201= 1235*0= 12(231= 12*215= 12*27*= 121113= 127200= 12252*= 125310= 130251 Status! Fi>ed in MR7 Patch Release 10. Description! Fi> e%ged_d!e o's 'e'or+ lea4 iss e. Models +$$ected! ,ll /ug )D! 52(*7

Status! Fi>ed in MR7 Patch Release 10.

2.2 !i h ,vailabilit+
Description! #he slave FortiGate 'a+ rando'l+ "reeDe. Models +$$ected! ,ll /ug )D! 11(*01 Status! Fi>ed in MR7 Patch Release 10.

Description! H, "ail over "eat re 'a+ not 3or4 correctl+ i" the cl ster has -een r nning "or 'ore than 2(2.* da+s. Models +$$ected! ,ll /ug )D! 122525 Status! Fi>ed in MR7 Patch Release 10.

2.3 -P.
Description! )'!rove ,FS )PSec encr+!tion !er"or'ance "or !ac4ets o" length greater than (12 -+tes. Models +$$ected! ,ll /ug )D! 11277( Status! Fi>ed in MR7 Patch Release 10. Description! SS&.P/ a thentication sing ne3 RS, !in 'a+ "ail "or FortiGateCs sing ' lti!le %P0Cs. Models +$$ected! ,ll 'odels sing ' lti!le %P0Cs /ug )D! 105*53 Status! Fi>ed in MR7 Patch Release 10. Description! Fi> vario s SS&.P/ RDP related - gs. Models +$$ected! ,ll /ug )D! 5153(= 112721= 11(150= 112701= 12*272

Status! Fi>ed in MR7 Patch Release 10.

a!uary 1"# $011

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

3 /% ra"e *nfor(ation 3.1 /% ra"in fro( FortiOS v2.00

0!grades "ro' FortiOS v2.*0 to FortiOS v3.00 directl+ is /O# s !!orted. 0!grade to at least FortiOS v2.20 MR11 !rior to !grading to FortiOS v3.00 MR7 Patch Release 10. Re"er to the FortiOS v2.20 MR11 release notes "or !grade !roced res.

3.2 /% ra"in fro( FortiOS v2.10

0!grade to FortiOS v2.20 MR11 !rior to !grading to FortiOS v3.00 MR7 Patch Release 10. Re"er to the FortiOS v2.20 MR11 release notes "or !grade !roced res. #he "ollo3ing are caveats 3hen !grading "ro' FortiOS v2.20 MR11 to FortiOS v3.00 MR7 Patch Release 10. "Deprecated ).S #roups% %ertain )PS gro !s "o nd in FortiOS v2.20 have -een re'oved and their corres!onding signat res 'erged into other )PS gro !s. ,s s ch= those )PS gro !s are lost 3hen !grading to FortiOS v3.00 MR7 Patch Release 10. #o restore the lost gro ! signat re settings= !er"or' the "ollo3ing ste!s7

)denti"+ 3hich <lost< )PS gro ! +o c rrentl+ have con"ig red in FortiOS v2.20 "ro' the list "o nd in ,!!endi> ,. /ote the signat res settings that are contained in the FortiOS v2.20 gro != and identi"+ in the ta-le the eH ivalent FortiOS v3.00 gro !AsB that contains the signat re. Re!eat ste! 1$2 "or each <lost< gro !. ,"ter !grading to FortiOS v3.00 MR7 Patch Release 10= "or each gro ! lost= 'an all+ con"ig re the eH ivalent signat re settings nder the FortiOS v3.00 gro !AsB.

").Sec ,).% FortiOS v2.20 s !!orts .)Ps con"ig red on a (o')ig v$' i$se( vi$= 3hich essentiall+ is a !ro>+ ,RP. #here is no s ch co''and in FortOS v3.00= - t rather is re!laced -+ the (o')ig syste $%o*y-!%$ co''and. #he !grade scri!ts do not s !!ort this in FortiOS v3.00 MR7 Patch Release 10. Eo 3ill need to recon"ig re an+ FortiOS v2.20 )PSec .)Ps to se the syste $%o*y-!%$ co''and in FortiOS v3.00. #he co''and is valid on a !er .Do' -asis in /,# 'ode. #he "ollo3ing is an e>a'!le %&) con"ig ration. (o')ig syste edit 1 $%o*y-!%$ set i$ 1+,.1-..5.111 set i'te%)!(e /$o%t1/ 'e*t set i$ 1+,.1-..5.110 set i'te%)!(e /$o%t3/ 'e*t

edit ,

e'd

"FortiOS v0.10 .) # #enerators% P)/G generators in FortiOS v2.20 are a-le to -ring ! t3o t nnels a to'aticall+= - t FortiOS v3.00 !uto-'egoti!te co''and= 3hich is disa-led -+ de"a lt= re!laces this " nctionalit+. #he "eat re is availa-le in the )PSec !hase 2 con"ig ration "or -oth )PSec t nnels and )PSec inter"aces. "&e' Filter and Spam Filter 2ists% )n FortiOS v2.20= the "ollo3ing lists can -e -ac4ed$ ! and restored= - t in FortiOS v3.00= the lists are stored in the s+ste' con"ig ration "ile and there"ore= can not -e restored.

a!uary 1"# $011

Forti!et %!c ?e- Filtering ?e- %ontent 9loc4 ?e- 0R& 9loc4 &ist ?e- 0R& F>e'!t &ist S!a' Filtering )P ,ddress R9& I ORD9& F'ail ,ddress M)MF Headers 9anned ?ord

Release Notes FortiOS v3.00 MR7 & Patch Release 10

FortiOS v3.00 has a "eat re 3here-+ %&) co''ands can -e i'!orted "ro' a "ile $ see Section 3.2.117 9 l4 %&) %on"ig ration )'!orting. )" the FortiOS v2.20 lists are converted to FortiOS v3.00 %&) co''ands and saved in a te>t "ile= the "ile can -e i'!orted sing the 9 l4 %&) )'!ort. Re"er to ,!!endi> 97 Ma!!ing FortiOS v2.20 ?e- Filtering and S!a' Filtering &ists to FortiOS v3.00 %&) %o''ands "or hel! on creating a te>t to i'!ort these lists. "+ctive34 Cookie4 and 5ava +pplet Filter% )n FortiOS v2.20= ,ctiveG= %oo4ie= and Java ,!!let "iltering ' st -e ena-led in the ?e- Filter ; Scri!t Filter !age and then in the !rotection !ro"ile nder ?e- Filtering. FortiOS v3.00 has re'oved the necessit+ to ena-le this "iltering nder the ?e- Filter ; Scri!t Filter !age. )t no3 is acco'!lished onl+ thro gh the !rotection !ro"ile. On !grading "ro' FortiOS v2.20 to FortiOS v3.00= i" an+ o" ,ctiveG= %oo4ie= and Java ,!!let "iltering are ena-led nder the ?e- Filter ; Scri!t Filter !age= that setting 3ill -e re"lected in ever+ !rotection !ro"ile. "Static Routes 6ithout Device Setting Con$igured% )n FortiOS v2.20= the device setting "or a static ro te is o!tional. FortiOS v3.00 MR( has 'ade this setting 'andator+. )" the device setting is not con"ig red= the static ro te is dro!!ed !on !grade to FortiOS v3.00 MR7 Patch Release 10. "2og Filtering Changes% )n FortiOS v2.20= log "iltering to a device= s ch as Forti,nal+Der= hard dis4= or 'e'or+= is controlled on a glo-al -asis 'eaning= once log "iltering is ena-led "or an event= an+ "ire3all !olic+ that !rod ces s ch an event res lts in a log 'essage sent to that device. )n FortiOS v3.00= log "iltering is controlled in t3o 3a+s7 1. 2. On a !er$device -asis (o')ig log 0devi(e1 )ilte% On a !er$!rotection !ro"ile -asis (o')ig )i%e2!ll $%o)ile edit 0$%o)ile '! e1

#he !er$device "ilters control 3hether or not log 'essages are sent to the device. #he !er$!rotection !ro"ile "ilters control 3hether or not 'atching tra""ic thro gh a !rotection !ro"ile res lts in a log 'essage sent to the device. 0!on !grade "ro' FortiOS v2.20 to FortiOS v3.00= onl+ the !er$device log "ilters are retained $ !rotection !ro"ile is altered to acco''odate logging= e>ce!t "or log-2eb-)tgd-e%%= 3hich is ena-led -+ de"a lt. ,"ter !grading= revie3 the "ire3all !olicies that reH ire logging to -e ena-led. ",Dom 2icensing% FortiOS v2.20 s !!orts additional virt al do'ains -+ 3a+ a FortiOS i'age that contains a hard coded n '-er o" .Do's in it. FortiOS v3.00 ses a .Do' license 4e+ to !grade the n '-er o" .Do's on high$end 'odels FG#$3000 and !. 0!on !grading "ro' FortiOS v2.20= the .Do's and all o" their associated con"ig ration are retained= - t in the event o" a "actor+ reset and a con"ig ration restore= the FortiGate 3ill "ail to add all o" the .Do's. )" +o are r nning FortiOS v2.20 3ith 'ore than the de"a lt n '-er o" .Do's= "ollo3 these ste!s 3hen !grading to FortiOS v3.007 1. 2. 3. 9ac4 ! con"ig ration "or FortiOS v2.20. 0!grade to FortiOS v3.00. 9ac4 ! con"ig ration "or FortiOS v3.00. 7

a!uary 1"# $011

Forti!et %!c (. *.

Release Notes FortiOS v3.00 MR7 & Patch Release 10

%ontact % sto'er S !!ort to o-tain a FortiOS v3.00 .Do' license 4e+. )" +o are r nning an H, cl ster= +o need a license 4e+ "or each nit in the cl ster. )n the event the con"ig ration needs to -e reloaded= the .Do' license 4e+ needs to -e con"ig red "irst.

,nother scenario occ rs 3ith FortiOS v2.20 and !grading 3ith a i'age that contains additional .Do's. 9elo3 are the necessities "or this scenario to occ r7

FortiGate is r nning FortiOS v2.20 3ith additional .Do's= s ch 2* .Do's /ot all .Do's are con"ig red= "or e>a'!le onl+ 1*

,"ter !grading to FortiOS v3.00 MR(= i" the FortiGate does not let +o add 11th .Do'. Eo ' st contact % sto'er S !!ort to o-tain a FortiOS v3.00 .Do' license 4e+= install it= and then add additional .Do's. "+lert 78mail Replacement Messages% ,lert F$'ail 3as 'odi"ied in FortiOS v3.00 MR(. #he FortiGate generates and "or'ats its o3n 'essage "or the alert e$'ail. #h s an+ 'odi"ied alert e$'ail re!lace'ent 'essages are not retained !on !grade to FortiOS v3.00 MR(. "+lert 78mail Filter% #he ,lert F$'ail "ilter "eat re has -een changed in FortiOS v3.00 MR(. /o3= alert e$'ails are sent -ased on categor+ or thresholds. See Section (.1(.( ,lert F$'ail Fnhance'ent. "+dministrative (sers% )n FortiOS v2.20= an ad'in ser is a glo-al setting= not a !er$.Do' and th s does not -elong to a 'anage'ent .Do'. ,"ter !grading to FortiOS v3.00 MR7= all v2.20 ad'inistrative sers are assigned to the root .Do' -+ de"a lt. )" the 'anage'ent .Do' is not assigned to the root .Do'= then ad'inistrative sers= e>ce!t "or the de"a lt <ad'in< ser= 3ill "ail to login to the 'anage'ent .Do' a"ter !grading. ".olic* Routing% 9oth <in! t$device< and <o t! t$device< are 'andator+ attri- tes "ro' FortiOS v3.00 MR2. Ho3ever= <o t! t$device< is not a 'andator+ attri- te in FortiOS v2.20= there"ore= !olic+ ro tes 3ith o t <o t! t$device< con"ig red are lost a"ter !grading to FortiOS v3.00 MR( or later. ",2+ s (nder &2+ )nter$aces% FortiOS v3.00 MR7 does not s !!ort .&,/s nder the ?&,/ inter"ace and th s an+ con"ig ration settings re"erring to the .&,/s= as 3ell as the .&,/s the'selves= are lost !on !grade to FortiOS v3.00 MR( or later. ").Sec Related Settings% Follo3ing !ara'eters in a !hase1 !olic+ -ased )PSec t nnel are not retained !on !grade "ro' FortiOS v2.20 to FortiOS v3.00 MR7 Patch Release 107 (o')ig v$' i$se( $#!se1 set d$d [enable|disable] set d$d-idle2o%%y <integer> set d$d-idle(le!'u$ <integer> Follo3ing !ara'eters in a !hase2 !olic+ -ased )PSec t nnel are not retained !on !grade "ro' FortiOS v2.20 to FortiOS v3.00 MR7 Patch Release 107 (o')ig v$' i$se( $#!se, set bi'dtoi) <interface name> set i'te%'etb%o2si'g <interface name>

a!uary 1"# $011

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

"S*stem D9C. 7:clude Range% )n FortiOS v2.20 MR11 and MR12= <syste d#($ e*(lude_%!'ge< is a standalone section to indicate the )P address that sho ld -e e>e'!ted "ro' DH%P address !ool. )n FortiOS v3.00 MR7 Patch Release 10= this "eat re is i'!le'ent -+ setting a <(o')ig e*(lude-%!'ge< section nder <con"ig s+ste' dhc! server<. 0!grading "ro' FortiOS v2.20 to FortiOS v3.00 MR7 co!ies these settings to ever+ DH%P server settings7 (o')ig syste d#($ se%ve% (o')ig e*(lude-%!'ge edit 1 set st!%t-i$ 1+,.1-..1.100 set e'd-i$ 1+,.1-..1.,00 'e*t "Fire6all .ro$iles-Schedule% )n FortiOS v2.20= the "ire3all !ro"ile and "ire3all oneti'e8rec rring sched le are glo-al settings . Starting "ro' FortiOS v3.00 MR*= these settings 3ere 'oved to !er$.Do'= the !grade "ro' FortiOS v2.20 to FortiOS v3.00 MR7 co!ies this con"ig ration to ever+ .Do'. "Fire6all Service Custom% )n v220= "ire3all service c sto' is a glo-al settings = start "ro' FortiOS v300 MR*= these settings 3ere 'oved to !er$.Do'= the !grade "ro' v220 to FortiOS v300 MR7 3ill co!+ this section to ever+ .do'. ").Sec D.D Setting% #he DPD !ara'eter in a !hase1 !olic+ -ased )PSec t nnel is lost !on !grade "ro' FortiOS v2.20 to FortiOS v3.00 MR7. ").S .rede$ined Signatures% #he severities o" the !rede"ined )PS signat res have -een set to reco''ended levels and can not -e altered. 0!on !grading "ro' FortiOS v3.00 MR3 or earlier to FortiOS v3.00 MR( or later= the severities are reset to the reco''ended val es. ").Sec Manual ;e*s in a ,Dom Con$iguration% )PSec t nnels con"ig red in a non$root .Do' that se 'an al 4e+s are not retained !on !grade i" the t nnel 3as not re"erenced -+ a "ire3all !olic+. "Static Routes 6ithout Device Setting Con$igured% )n FortiOS v2.20= the device setting "or a static ro te is o!tional. FortiOS v3.00 MR2 has 'ade this setting 'andator+. )" the device setting is not con"ig red= the static ro te is dro!!ed !on !grade. "9+ Monitor )nter$aces &2+ % #he ?&,/ inter"ace can not -e sed as a 'onitored inter"ace as o" FortiOS v3.00 MR(= there"ore= !grading "ro' FortiOS v2.20 to FortiOS v3.00 MR( or later res lts in this con"ig ration -eing lost. "SS28,. Fire6all .olicies &ithout #roups% , SS&$.P/ "ire3all !olic+ con"ig red 3itho t a gro ! is lost a"ter !grading to FortiOS v3.00 MR7 Patch Release 10. ",. ).Sec .hase< 6ith T*pe DD S% Prior to FortiOS v3.00 MR(= the "ollo3ing )PSec Phase 1 con"ig ration 3as acce!ted -+ the FortiGate even tho gh the con"ig ration 3as invalid7 (o')ig v$' i$se( $#!se1 set ty$e dd's set $ee%ty$e o'e set $ee%id !!! Fro' FortiOS v3.00 MR(= this no longer is acce!ted and there"ore= the !grade "ro' FortiOS v2.20 to FortiOS v3.00 MR7 Patch Release 10 res lts in loss o" con"ig ration. ",. ..T. on8Fire6all (ser #roup% a!uary 1"# $011 5

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

%hoosing a ser gro ! that is t+!e /O# eH al to "ire3all 3hen con"ig ring PP#P= res lts in loss o" con"ig ration 3hen !grading "ro' FortiOS v2.20 to FortiOS v3.00 MR7 Patch Release 10. "DD S Server = vavic.com% #he DD/S service "or <vavic.co'< changed "or FortiOS v3.00 MR*. #he do'ain is retrieved a to'aticall+ -ased on the serCs acco nt. #h s= !grading "ro' FortiOS v2.20 to FortiOS v3.00 MR7 Patch Release 10 3ill ca se loss o" con"ig ration "or this setting. "Fire6all ). .ools 6ith Class D ). +ddresses% Fire3all )P !ools sing a %lass D )P address are lost !on !grading to FortiOS v3.00 MR7 Patch Release 10= since the con"ig ration is no3 veri"ied to -e -elo3 22(.0.0.0. "Fire6all ,. .olicies Sharing the Same Manual ;e*% )n FortiOS v2.20= .P/ t nnels can -e shared across "ire3all !olicies= - t in FortiOS v3.00 .P/ t nnels are assigned to an inter"ace and -eca se the !grade scri!t assigns the .P/ t nnel to one inter"ace= s -seH ent !olicies sing the .P/ t nnel are lost. "Oversi>e File 2imit% ,"ter !grading to FortiOS v3.00 MR7 Patch Release 10 "ro' FortiOS v2.20 MR12 all oversiDe "ile li'it val e 'a+ change to Dero.

3.3 /% ra"in fro( FortiOS v3.00 MR0 an" MR2

0!grading "ro' FortiOS v3.00 MR* and MR1 to FortiOS v3.00 MR7 is s !!orted. MR7 Patch Release 10 o""iciall+ s !!orts !grade "ro' the 'ost recent Patch Release in MR* and MR1. )" +o are !grading "ro' a release !rior to MR*= !lease !grade to MR* or MR1 -e"ore !grading to MR7 Patch Release 10. Please re"er to the corres!onding release notes "or the !ro!er !grade !ath to MR* or MR1. "F#830<?/ (pgrade% )nter"ace na'es on the FG#$30119 have -een changed in FortiOS v300 MR7 to 'atch the !ort na'es on the "ace !late. ,"ter !grading to MR7 Patch Release 10= all !ort na'es in the FortiGate con"ig ration are changed as !er the "ollo3ing !ort 'a!!ing. Old port names 'e$ore upgrading !ort1 !ort2 !ort3 !ort( !ort* !ort1 !ort7 !ort2 !ort5 !ort10 a!uary 1"# $011 e6 port names a$ter upgrading 'g't1 'g't2 !ort1 !ort2 !ort3 !ort( !ort* !ort1 !ort7 !ort2 10

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

!ort11 !ort12 !ort13 !ort1( !ort1* !ort11 !ort17 !ort12

!ort5 !ort10 !ort11 !ort12 !ort13 !ort1( !ort1* !ort11

ote! , ne3 revision o" the FG#$30119 incl ded a na'e change to t3o !orts on the le"t side o" the "ace!late and in the FortiOS v3.00 MR7 "ir'3are. Previo sl+= the+ 3ere la-eled 1 and 2. /o3 the+ are called MGM# 1 MGM# 2. Ho3ever= the 9)OS still re"ers to the MGM# 1 and MGM# 2 !orts as !ort 1 and !ort 2. "FortiManager +cting as a Forti#uard Server% )" +o r FortiManager is -eing sed as an on$site FortiG ard server A!roviding )PS and ,. !datesB= then +o M0S# !grade the FortiManager to MR7 -e"ore !grading the FortiGates to ens re no service disr !tion. "Fire6all ). .ools 6ith Class D ). +ddresses% Fire3all )P !ools sing a %lass D )P address are lost !on !grading to FortiOS v3.00 MR7 Patch Release 10= since the con"ig ration is no3 veri"ied to -e -elo3 22(.0.0.0. ").S Related Settings% )n FortiOS v3.00 MR1= introd ced a signi"icant change to the 3a+ )PS is con"ig red. Previo sl+= i" a "ire3all !ro"ile has <#ig# (%iti(!l< signat res ena-led= d ring the !grade a sensor is created 3ith one )PS "ilter in 3hich the severit+ <#ig# (%iti(!l< is selected. #his sensor is add to the "ire3all !ro"ile. For each severit+ co'-ination= a sensor is created. )" the ser changes the de"a lt signat re settings= then these signat res are added to all o" those sensors as an )PS override. For e>a'!le7 Prior to FortiOS v3.00 MR6 (o')ig )i%e2!ll $%o)ile edit test1 set i$s-sig'!tu%e i')o lo2 ediu 'e*t edit test, set i$s-sig'!tu%e #ig# (%iti(!l 'e*t e'd (o')ig i$s g%ou$ !b( (o')ig %ule *y&1,3 set st!tus e'!ble set !(tio' d%o$ set id 1,345-7 e'd (o')ig %ule *y&45a!uary 1"# $011

#ig# (%iti(!l

11

Forti!et %!c set st!tus e'!ble set !(tio' $!ss set id 7-543,1

Release Notes FortiOS v3.00 MR7 & Patch Release 10

e'd e'd

FortiOS v3.00 MR7 configuration (o')ig )i%e2!ll $%o)ile edit test1 set i$s-se'so%-st!tus e'!ble set i$s-se'so% )2_$%o)_u$g_test1 'e*t edit test, set i$s-se'so%-st!tus e'!ble set i$s-se'so% )2_$%o)_u$g_test, 'e*t e'd (o')ig i$s se'so% edit )2_$%o)_u$g_test1 (o')ig )ilte% edit 1 set seve%ity i')o lo2 ediu 'e*t e'd (o')ig ove%%ide edit 1,345-7 set st!tus e'!ble set !(tio' blo(3 'e*t edit 7-543,1 set st!tus e'!ble set !(tio' $!ss 'e*t e'd 'e*t edit )2_$%o)_u$g_test, (o')ig )ilte% edit 1 set seve%ity #ig# (%iti(!l 'e*t e'd (o')ig ove%%ide edit 1,345-7 set st!tus e'!ble set !(tio' blo(3 'e*t edit 7-543,1 set st!tus e'!ble set !(tio' $!ss 'e*t e'd 'e*t e'd

#ig# (%iti(!l

a!uary 1"# $011

12

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

Follo3ing sections are re'oved 3hen !grading "ro' v3.00 MR* and MR1 to MR7 Patch Release 107 (o')ig i$s !'o !ly 4 (o')ig i$s g%ou$ 4 (o')ig syste !utou$d!te i$s Follo3ing co''and are re'oved 3hen !grading "ro' v3.00 MR* and MR1 to MR7 Patch Release 107 (o')ig syste glob!l set lo(!l-!'o !ly [enable|disable] (o')ig i$s glob!l set i$-$%oto(ol [enable|disable] 5(o')ig i$s (usto 6 3hich 3as a glo-al setting in FortiOS v3.00 MR( and MR* are co!ied into ever+ .Do' 3hen !grading to v3.00 MR7 Patch Release 10. ")M and .0.% #he sections K(o')ig i $,$ !i -use% 7 i(8-use% 7 y!#oo-use% 7 s'-use% 7 old-ve%sio' 7 $oli(yL 3hich 3ere glo-al settings in FortiOS v3.00 MR* are co!ied into ever+ .Do' a"ter !grading to v3.00 MR7 Patch Release 10. "Spam Filter% #he sections K(o')ig s$! )ilte% b2o%d 7 e !ilb2l 7 i$b2l 7 i$st%ust 7 #!ede%L 3hich 3ere glo-al settings in FortiOS v3.00 MR* are co!ied into ever+ .Do' 3hen !grade to v3.00 MR7 Patch Release 10. Section '(o')ig s$! )ilte% %bl( -eco'es '(o')ig s$! )ilte% d'sbl( a"ter !grading to FortiOS v3.00 MR7 Patch Release 10 and this section is co!ied into ever+ .Do'. "&e' Filter% #he sections K(o')ig 2eb)ilte% b2o%d 7 e* 2o%d 7 )tgd-lo(!l-(!t 7 )tgd-lo(!l-%!ti'g 7 )tgd-ov%d 7 )tgd-ov%d-use% 7 u%l)ilte%L 3hich 3ere glo-al settings in FortiOS v3.00 MR* are co!ied into ever+ .Do' a"ter !grading to v3.00 MR7 Patch Release 10. "FortiManager% Section K(o')ig syste ) L in FortiOS v3.00 MR* and MR1 'a+ -e lost a"ter !grading to MR7 Patch Release 10= nder this circ 'stance= +o need to reset the FortiManager !ara'eters nder K(o')ig syste )o%ti !'!ge%L section7 (o')ig syste )o%ti !'!ge% set i$ 1+,.1-..100.100 set vdo %oot e'd "(ser Setting% #here 3ere three !ara'eters 3hich nder s+ste' glo-al settings on FortiOS v3.00 MR* are 'oved into a ne3 section call K(o')ig use% setti'gL 3hich nder !er$.Do' settings. #he+ are7 set !ut#-(e%t <cert-name> set !ut#-se(u%e-#tt$ [enable|disable] set !ut#-ti eout <integer by minutes> set !ut#-ty$e [ftp | http | https | telnet ] "S M. )nter$ace )nde:% Since FortiOS v3.00 MR1 added a ne3 SS& inter"ace Assl.rootB. 0!grading "ro' FortiOS v3.00 MR* to MR7 Patch Release 10 increases the S/MP inter"ace inde> o" inter"ace -eca se the ssl.root inter"ace is added @ st a"ter the !h+sical inter"aces in the list. " T. Con$iguration%

a!uary 1"# $011

13

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10 't$< in MR7 Patch

#he "ollo3ing /#P related con"ig ration co''ands have -een 'oved nder <(o')ig syste Release 107 con"ig nt!server set nt!s+nc set s+ncinterval

"D S Server Override% #he <d's-se%ve%-ove%%ide< co''and is availa-le onl+ "or inter"aces that are con"ig red in the 'anage'ent .do'. "S6itch )nter$ace and ,lan Support in T. mode% ,s o" FortiOS v3.00 MR7 vlan inter"ace cannot -e created nder FortiGate s3itch inter"ace in #P 'ode. Ae.g. )nternal inter"ace on FG#10B ,n+ vlanCs nder the s3itch inter"ace 3ill -e lost a"ter !grading to MR7 Patch Release 10. ",. ..T. on8Fire6all (ser #roup% %hoosing a ser gro ! 3hich t+!e is /O# eH al to "ire3all 3hen con"ig ring PP#P= res lts in loss o" con"ig ration 3hen !grading "ro' FortiOS v300 MR* to FortiOS v3.00 MR7 Patch Release 10. "Report Con$iguration% <Re!ort %on"ig< "eat re has -een re3or4ed in FortiOS v3.00 MR7 Patch Release 10 to s !!ort Forti,nal+Der Re!ort Fngine v2. <(o')ig log %e$o%t< co''and has -een re'oved in FortiOS v3.00 MR7 Patch Release 10. ,ll con"ig ration nder <(o')ig log %e$o%t< 'a+ -e lost !on !grading to FortiOS v3.00 MR7 Patch Release 10. "(ser .eers% 0ser !eers that are con"ig red 3itho t a certi"icate a thorit+ AcaB or a s -@ect are not retained !on !grading to FortiOS v3.00 MR7 Patch Release 10. )n MR7= at least one o" these "ields 'a+ -e a 'andator+ setting. "Forti#uard Con$iguration% #he de"a lt setting "or /(e't%!l- g t-!uto-b!(3u$/ co''and has -een changed to ena-le in FortiOS v3.00 MR7 Patch Release 10. "Fire6all .olic*% /!ut#-$!t#/= /!ut#-(e%t/ and /!ut#-%edi%e(t-!dd%/ settings 'a+ -e lost !on !grading to FortiOS v3.00 MR7 Patch Release 10 i" a thentication gro ! is not selected in the "ire3all !olic+. "S*stem ).v?% #he section /(o')ig syste i$v--tu''el/ is 'oved nder /(o')ig syste to v3.00 MR7 Patch Release 10. sit-tu''el/ !on !grading

"#lo'al Setting% #he section /!llo2-i'te%)!(e-sub'et-ove%l!$/ 3hich 3as nder glo-al settings in FortiOS v3.00 MR* and MR1 is co!ied into ever+ .Do' nder /(o')ig syste setti'gs/ a"ter !grading to v3.00 MR7 Patch Release 10. ",. ).Sec (ser #roup Settings% )n FortiOS v3.00 MR7 Patch Release 10 the ser gro ! settings have -een changed to onl+ re"erence "ire3all t+!e ser gro !s in G, th and Peer gro ! settings. .P/ con"ig ration 'a+ -e lost !on !grading to MR7 Patch Release 10= i" non$ "ire3all t+!e ser gro !s are sed. "Fortinet 2ocal Certi$icate% )n FortiOS MR7= the <Fortinet:&ocal< rsa certi"icate has -een re'oved= hence an+ settings sing <Fortinet:&ocal< as a rsa certi"icate 'a+ -e lost a"ter !grading to MR7 Patch Release 10. )nstead o" Fortinet:&ocal se Fortinet:Factor+ rsa certi"icate. ").Sec @uick Mode Selector% #he )PSec Phase2 H ic4 'ode selector !rotocol settings are lost a"ter !grading "ro' FortiOS v2.20 to FortiOS v3.00 Patch Release 2.

a!uary 1"# $011

1(

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

"FDS .ush8update Settings% #he address and !ort settings nder 9(o')ig syste FortiOS v3.00 MR7.

!utou$d!te $us#-u$d!te9 'a+ -e lost a"ter !grading to

"S*stem Modem Settings% 9(o')ig syste ode 9 settings are lost a"ter !grading "ro' FortiOS v3.00 MR1 to FortiOS v3.00 MR7 Patch Release 10. "F#T800A/ Fire6all Mode Support% FortiOS v3.00 MR7 s !!orts the FG#$22(9 o!erating in "ire3all 'ode onl+.

3.) #o3n ra"in to FortiOS v3.00

Do3ngrading to FortiOS v3.00 res lts in con"ig ration loss on ,&& 'odels. Onl+ the "ollo3ing settings are retained7

o!eration 'odes inter"ace )P8'anage'ent )P ro te static ta-le D/S settings .Do' !ara'eters8settings ad'in ser acco nt session hel!ers s+ste' access !ro"iles

3.0 #o3n ra"in to FortiOS v2.10

Do3ngrading to FortiOS v2.20 res lts in con"ig ration loss on ,&& 'odels. Onl+ the "ollo3ing settings are retained7

o!eration 'odes inter"ace )P8'anage'ent )P ro te static ta-le D/S settings .Do' !ara'eters8settings ad'in ser acco nt session hel!ers s+ste' access !ro"iles

#he FG#1000,$F,2 does not s !!ort do3ngrade to FortiOS v2.20. ?ith the introd ction o" the Forti%lient %hec4 "eat re= the "lash card has a di""erent !artition la+o t than that in FortiOS v2.20.

3.2 #o3n ra"in to FortiOS v2.00

Do3ngrading to FortiOS v2.*0 res lts in loss o" con"ig ration on ,&& 'odels.

a!uary 1"# $011

1*

Forti!et %!c

Release Notes FortiOS v3.00 MR7 & Patch Release 10

) *(a e Chec4s$(s
#he MD* chec4s 's "or the "ir'3are i'ages are availa-le at the Fortinet % sto'er S !!ort 3e-site Ahtt!s788s !!ort."ortinet.co'B. ,"ter login= clic4 on the <Fir'3are )'ages %hec4s ' %ode< lin4 in the le"t "ra'e. AFnd o" Release /otes.B

a!uary 1"# $011

11