
FortiGate™ Multi-Threat Security System

Release Notes
FortiOS™ v3.00 MR7
Patch Release 5
Rev. 1.0

April 18, 2009


Fortinet Inc Release Notes FortiOS™ v3.00 MR7 – Patch Release 5

Table of Contents
1 FortiOS v3.00 MR7 Release – Patch Release 5
  1.1 General
  1.2 Single Hard Drive Support for FGT-111C
  1.3 File Transfer Limitation
  1.4 FortiClient v4.0 Support
2 Fortinet Product Integration and Support
  2.1 SSL-VPN Client Support
3 Resolved Issues in FortiOS MR7 – Patch Release 5
  3.1 System
  3.2 Firewall
  3.3 VPN
  3.4 Web Filter
  3.5 VOIP
  3.6 FSAE
4 Known Issues in FortiOS v3.00 MR7 – Patch Release 5
  4.1 Firewall
5 Upgrade Information
  5.1 Upgrading from FortiOS v2.50
  5.2 Upgrading from FortiOS v2.80
  5.3 Upgrading from FortiOS v3.00 MR5 and MR6
  5.4 Downgrading to FortiOS v3.00
  5.5 Downgrading to FortiOS v2.80
  5.6 Downgrading to FortiOS v2.50
6 Image Checksums

Change Log

Revision: 1.0
Change Description: Added the following bugs to the Resolved Issues section for B0741 – Patch Release 5: 85166, 90854, 91937, 90849, 91963, 82013, 92920, 92641, 93770, 92273, 85424, 84953, 93986, and 85170.

© Copyright 2009 Fortinet Inc. All rights reserved.


Release Notes FortiOS™ v3.00 MR7 – Patch Release 5.

Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Registered customers with valid support contracts may enter their support tickets at the Fortinet Customer Support site:

https://support.fortinet.com


1 FortiOS v3.00 MR7 Release – Patch Release 5


This document outlines resolved issues of FortiOS v3.00 MR7 B0741 – Patch Release 5 firmware for the Fortinet FortiGate
Multi-threat Security System. Please reference the full version of the FortiOS v3.00 MR7 release notes for new features and
known issues. The following outlines the release status for each model.

Model: FortiOS v3.00 MR7 Release Status

FGT-310B, FGT-3810A, FGT-3600A, FGT-3016B:
These models are released on a special branch based off of MR7 Patch Release 5 B0741 – fg300_mr7_amc_bypass/build_5419. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5419 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.

FGT-620B:
This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_620b/build_tag_5415. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5415 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.

FGT-110C:
This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_110c/build_tag_5418. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5418 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.

FGT-111C:
Note: The FGT-110C-HD has been renamed to FGT-111C. The image file name also has been renamed to "FGT_111C-v300-build0741-FORTINET.out" and is used on both the existing FGT-110C-HD model and the FGT-111C model. Once the image is loaded, both the "get system status" CLI output and the web UI reference the FGT-111C.

This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_110c/build_tag_5418. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5418 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.

FGT-5001A-SW, FGT-5001A-DW:
Note: Same firmware image is used for FGT-5001A-SW and FGT-5001A-DW models.

This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_5001a_sw/build_tag_5414. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5414 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.

FGT-51B:
Note: The FGT-50B-HD has been renamed to FGT-51B. The image file name also has been renamed to "FGT_51B-v300-build0741-FORTINET.out" and is used on both the existing FGT-50B-HD model and the FGT-51B model. Once the image is loaded, both the "get system status" CLI output and the web UI reference the FGT-51B.

This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_51b/build_tag_5416. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5416 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.


FGT-80C, FGT-80CM, FWF-80CM:
This model is released on a special branch based off of MR7 B0741 Patch Release 5 – fg300_mr7_80C/build_tag_5417. As such, the build number in the System > Status page and the output from the "get system status" CLI command displays 5417 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 741.

All Other Models:
All other models are supported on the regular MR7 branch.

1.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!
Monitor Settings for Web User Interface Access:

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the
Web UI to be viewed properly.

BEFORE any upgrade,

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages)
prior to upgrading.

AFTER any upgrade,

• [WebUI display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure
proper display of the Web UI screens.

• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones
currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as
soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

1.2 Single Hard Drive Support for FGT-111C


The FortiGate-111C contains two hard drive bays but supports only one hard drive at one time.

1.3 File Transfer Limitation


Large WMP streaming video may fail to load when the antivirus 'File Filter' feature is enabled. Decreasing the
httpoversizelimit value to 2 or lower can be used as a workaround to this limitation.

1.4 FortiClient v4.0 Support


When FortiClient check is enabled and FortiClient 3.0.x is installed on the FortiGate, clients with a higher FortiClient
version (FortiClient 4.0.x) installed will not be recognized by the FortiGate and will be asked to download the FortiClient 3.0.x
installer.


2 Fortinet Product Integration and Support


2.1 SSL-VPN Client Support
FortiOS v3.00 MR7 Patch Release 5 supports the SSL-VPN tunnel client standalone installer B389 for the following:

• Windows in .exe and .msi format
• Windows for virtual desktop in .exe format
• Linux CentOS 5.2
• Windows XP SP2
• Windows Vista SP1
• Mac OS X 10.5.5


3 Resolved Issues in FortiOS MR7 – Patch Release 5


3.1 System
Description: Outbandwidth limit on a VPN interface does not take effect after the FortiGate is rebooted.
Models Affected: All
Bug ID: 85166 Status: Fixed in MR7 – Patch Release 5.

Description: The FortiGate's FTP proxy does not bind to the listen port on the PORT command.
Models Affected: All
Bug ID: 82013 Status: Fixed in MR7 – Patch Release 5.

Description: RADIUS authentication starts failing abruptly after running for some time.
Models Affected: All
Bug ID: 85424 Status: Fixed in MR7 – Patch Release 5.

Description: The FortiGate unit with hardware driven by NP2 driver may randomly crash or hang.
Models Affected: All
Bug ID: 93986 Status: Fixed in MR7 – Patch Release 5.

3.2 Firewall
Description: Some firewall addresses may be lost after restoring FortiGate's configuration file.
Models Affected: All
Bug ID: 91963 Status: Fixed in MR7 – Patch Release 5.

Description: Firewall policy is lost after upgrading from FortiOS MR5 to MR7, if the action for the policy is unset before
upgrading.
Models Affected: All
Bug ID: 84953 Status: Fixed in MR7 – Patch Release 5.

3.3 VPN
Description: User cannot access OWA properly from SSLVPN web portal.
Models Affected: All
Bug ID: 91937, 92273 Status: Fixed in MR7 – Patch Release 5.

Description: IPSec daemon (iked) memory usage increases due to memory leak.
Models Affected: All
Bug ID: 92920 Status: Fixed in MR7 – Patch Release 5.

Description: IPSec daemon (iked) may crash in an event of HA failover if XAUTH is enabled.
Models Affected: All
Bug ID: 93770 Status: Fixed in MR7 – Patch Release 5.

Description: The 'Keep connection alive' option in SSLVPN stand-alone application may cause client software to reconnect
automatically. If the password is one time only, SSLVPN client may cause user accounts to get locked with reconnect.
Models Affected: All
Bug ID: 85170 Status: Fixed in MR7 – Patch Release 5.

3.4 Web Filter


Description: Some HTTPS websites, where the server hello and the certificate are sent in separate packets, bypass URL filtering.
Models Affected: All
Bug ID: 92641 Status: Fixed in MR7 – Patch Release 5.

3.5 VOIP
Description: Any SIP message carried by UDP that is greater than 2048 bytes long is dropped by the SIP proxy.
Models Affected: All
Bug ID: 90854 Status: Fixed in MR7 – Patch Release 5.

3.6 FSAE
Description: IPchange feature for FSAE does not work with multiple FSAE servers.
Models Affected: All
Bug ID: 90849 Status: Fixed in MR7 – Patch Release 5.


4 Known Issues in FortiOS v3.00 MR7 – Patch Release 5


4.1 Firewall
Description: Firewall policies that are configured with an address group that contains no addresses are lost upon upgrading
from FortiOS v2.80 MR11 builds to FortiOS v3.00 MR6 and MR7 patches. Note that an empty firewall address group is an
incomplete configuration and should not be applied to a firewall policy.
Models Affected: All
Bug ID: 84674 Status: To be fixed in a future release.
Workaround: Add firewall addresses to the address group
before applying the group to the firewall policy.


5 Upgrade Information
5.1 Upgrading from FortiOS v2.50
Upgrading directly from FortiOS v2.50 to FortiOS v3.00 is NOT supported. Upgrade to at least FortiOS v2.80 MR11 prior to
upgrading to FortiOS v3.00 MR7 Patch Release 5. Refer to the FortiOS v2.80 MR11 release notes for upgrade procedures.

5.2 Upgrading from FortiOS v2.80


Upgrade to FortiOS v2.80 MR11 prior to upgrading to FortiOS v3.00 MR7 Patch Release 5. Refer to the FortiOS v2.80
MR11 release notes for upgrade procedures.

The following are caveats when upgrading from FortiOS v2.80 MR11 to FortiOS v3.00 MR7 Patch Release 5.

[Deprecated IPS Groups]


Certain IPS groups found in FortiOS v2.80 have been removed and their corresponding signatures merged into other IPS
groups. As such, those IPS groups are lost when upgrading to FortiOS v3.00 MR7 Patch Release 5. To restore the lost group
signature settings, perform the following steps:

1. Identify which "lost" IPS group you currently have configured in FortiOS v2.80 from the list found in Appendix A.
2. Note the signature settings that are contained in the FortiOS v2.80 group, and identify in the table the equivalent
   FortiOS v3.00 group(s) that contains the signature.
3. Repeat steps 1-2 for each "lost" group.
4. After upgrading to FortiOS v3.00 MR7 Patch Release 5, for each group lost, manually configure the equivalent
   signature settings under the FortiOS v3.00 group(s).

[IPSec VIP]
FortiOS v2.80 supports VIPs configured with config vpn ipsec vip, which essentially is a proxy ARP. There is no
such command in FortiOS v3.00; it is replaced by the config system proxy-arp command. The upgrade
scripts do not support this in FortiOS v3.00 MR7 Patch Release 5. You will need to reconfigure any FortiOS v2.80 IPSec
VIPs to use the system proxy-arp command in FortiOS v3.00. The command is valid on a per-VDom basis in NAT
mode. The following is an example CLI configuration.

    config system proxy-arp
        edit 1
            set ip 192.168.5.111
            set interface "port1"
        next
        edit 2
            set ip 192.168.5.110
            set interface "port3"
        next
    end

[FortiOS v2.80 PING Generators]


PING generators in FortiOS v2.80 are able to bring up two tunnels automatically. In FortiOS v3.00, the auto-negotiate
command, which is disabled by default, replaces this functionality. The feature is available in the IPSec phase 2
configuration for both IPSec tunnels and IPSec interfaces.

[Web Filter and Spam Filter Lists]


In FortiOS v2.80, the following lists can be backed-up and restored, but in FortiOS v3.00, the lists are stored in the system
configuration file and therefore, can not be restored.


• Web Filtering
    • Web Content Block
    • Web URL Block List
    • Web URL Exempt List
• Spam Filtering
    • IP Address
    • RBL & ORDBL
    • Email Address
    • MIME Headers
    • Banned Word

FortiOS v3.00 has a feature whereby CLI commands can be imported from a file - see Section 3.2.11: Bulk CLI
Configuration Importing. If the FortiOS v2.80 lists are converted to FortiOS v3.00 CLI commands and saved in a text file,
the file can be imported using the Bulk CLI Import. Refer to Appendix B: Mapping FortiOS v2.80 Web Filtering and Spam
Filtering Lists to FortiOS v3.00 CLI Commands for help on creating a text to import these lists.

[ActiveX, Cookie, and Java Applet Filter]


In FortiOS v2.80, ActiveX, Cookie, and Java Applet filtering must be enabled in the Web Filter > Script Filter page and then
in the protection profile under Web Filtering. FortiOS v3.00 has removed the necessity to enable this filtering under the
Web Filter > Script Filter page. It now is accomplished only through the protection profile. On upgrading from FortiOS
v2.80 to FortiOS v3.00, if any of ActiveX, Cookie, and Java Applet filtering are enabled under the Web Filter > Script Filter
page, that setting will be reflected in every protection profile.

[Static Routes without Device Setting Configured]


In FortiOS v2.80, the device setting for a static route is optional. FortiOS v3.00 MR4 has made this setting mandatory. If the
device setting is not configured, the static route is dropped upon upgrade to FortiOS v3.00 MR7 Patch Release 5.

[Log Filtering Changes]


In FortiOS v2.80, log filtering to a device, such as FortiAnalyzer, hard disk, or memory, is controlled on a global basis,
meaning that once log filtering is enabled for an event, any firewall policy that produces such an event results in a log message
sent to that device. In FortiOS v3.00, log filtering is controlled in two ways:

1. On a per-device basis

    config log <device> filter

2. On a per-protection profile basis

    config firewall profile
        edit <profile name>

The per-device filters control whether or not log messages are sent to the device. The per-protection profile filters control
whether or not matching traffic through a protection profile results in a log message sent to the device. Upon upgrade from
FortiOS v2.80 to FortiOS v3.00, only the per-device log filters are retained - protection profile is altered to accommodate
logging, except for log-web-ftgd-err, which is enabled by default. After upgrading, review the firewall policies that
require logging to be enabled.

[VDom Licensing]
FortiOS v2.80 supports additional virtual domains by way of a FortiOS image that contains a hardcoded number of VDoms in
it. FortiOS v3.00 uses a VDom license key to upgrade the number of VDoms on high-end models FGT-3000 and up. Upon
upgrading from FortiOS v2.80, the VDoms and all of their associated configuration are retained, but in the event of a factory
reset and a configuration restore, the FortiGate will fail to add all of the VDoms. If you are running FortiOS v2.80 with more
than the default number of VDoms, follow these steps when upgrading to FortiOS v3.00:

1. Backup configuration for FortiOS v2.80.
2. Upgrade to FortiOS v3.00.
3. Backup configuration for FortiOS v3.00.
4. Contact Customer Support to obtain a FortiOS v3.00 VDom license key. If you are running an HA cluster, you need
   a license key for each unit in the cluster.
5. In the event the configuration needs to be reloaded, the VDom license key needs to be configured first.

Another scenario occurs with FortiOS v2.80 when upgrading with an image that contains additional VDoms. Below are the
conditions for this scenario to occur:

• FortiGate is running FortiOS v2.80 with additional VDoms, such as 25 VDoms
• Not all VDoms are configured, for example only 15

After upgrading to FortiOS v3.00 MR4, if the FortiGate does not let you add a 16th VDom, you must contact Customer
Support to obtain a FortiOS v3.00 VDom license key, install it, and then add additional VDoms.

[Alert E-mail Replacement Messages]


Alert E-mail was modified in FortiOS v3.00 MR4. The FortiGate generates and formats its own message for the alert e-mail.
Thus any modified alert e-mail replacement messages are not retained upon upgrade to FortiOS v3.00 MR4.

[Alert E-mail Filter]


The Alert E-mail filter feature has been changed in FortiOS v3.00 MR4. Now, alert e-mails are sent based on category or
thresholds. See Section 4.14.4 Alert E-mail Enhancement.

[Administrative Users]
In FortiOS v2.80, an admin user is a global setting, not a per-VDom setting, and thus does not belong to a management VDom. After
upgrading to FortiOS v3.00 MR7, all v2.80 administrative users are assigned to the root VDom by default. If the
management VDom is not assigned to the root VDom, then administrative users, except for the default "admin" user, will fail
to log in to the management VDom after upgrading.

[Policy Routing]
Both "input-device" and "output-device" are mandatory attributes from FortiOS v3.00 MR2. However, "output-device" is not
a mandatory attribute in FortiOS v2.80; therefore, policy routes without "output-device" configured are lost after upgrading
to FortiOS v3.00 MR4 or later.

[VLANs Under WLAN Interfaces]


FortiOS v3.00 MR7 does not support VLANs under the WLAN interface and thus any configuration settings referring to the
VLANs, as well as the VLANs themselves, are lost upon upgrade to FortiOS v3.00 MR4 or later.

[IPSec Related Settings]


The following parameters in a phase1 policy-based IPSec tunnel are not retained upon upgrade from FortiOS v2.80 to FortiOS
v3.00 MR7 Patch Release 5:

    config vpn ipsec phase1
        set dpd [enable|disable]
        set dpd-idleworry <integer>
        set dpd-idlecleanup <integer>

The following parameters in a phase2 policy-based IPSec tunnel are not retained upon upgrade from FortiOS v2.80 to FortiOS
v3.00 MR7 Patch Release 5:

    config vpn ipsec phase2
        set bindtoif <interface name>
        set internetbrowsing <interface name>


[System DHCP Exclude Range]


In FortiOS v2.80 MR11 and MR12, "system dhcp exclude_range" is a standalone section to indicate the IP addresses
that should be exempted from the DHCP address pool. In FortiOS v3.00 MR7 Patch Release 5, this feature is implemented by
setting a "config exclude-range" section under "config system dhcp server". Upgrading from FortiOS v2.80 to
FortiOS v3.00 MR7 copies these settings to every DHCP server setting:

    config system dhcp server
        config exclude-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.200
            next

[Firewall Profiles/Schedule]
In FortiOS v2.80, the firewall profile and firewall onetime/recurring schedule are global settings. Starting from FortiOS
v3.00 MR5, these settings were moved to per-VDom; the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 copies this
configuration to every VDom.

[Firewall Service Custom]


In FortiOS v2.80, firewall service custom is a global setting. Starting from FortiOS v3.00 MR5, these settings were moved to per-VDom;
the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 copies this section to every VDom.

[IPSec DPD Setting]


The DPD parameter in a phase1 policy based IPSec tunnel is lost upon upgrade from FortiOS v2.80 to FortiOS v3.00 MR7.

[IPS Predefined Signatures]


The severities of the predefined IPS signatures have been set to recommended levels and can not be altered. Upon upgrading
from FortiOS v3.00 MR3 or earlier to FortiOS v3.00 MR4 or later, the severities are reset to the recommended values.

[IPSec Manual Keys in a VDom Configuration]


IPSec tunnels configured in a non-root VDom that use manual keys are not retained upon upgrade if the tunnel was not
referenced by a firewall policy.

[Static Routes without Device Setting Configured]


In FortiOS v2.80, the device setting for a static route is optional. FortiOS v3.00 MR2 has made this setting mandatory. If the
device setting is not configured, the static route is dropped upon upgrade.

[HA Monitor Interfaces WLAN]


The WLAN interface can not be used as a monitored interface as of FortiOS v3.00 MR4, therefore, upgrading from FortiOS
v2.80 to FortiOS v3.00 MR4 or later results in this configuration being lost.

[SSL-VPN Firewall Policies Without Groups]


A SSL-VPN firewall policy configured without a group is lost after upgrading to FortiOS v3.00 MR7 Patch Release 5.

[VPN IPSec Phase1 with Type DDNS]


Prior to FortiOS v3.00 MR4, the following IPSec Phase 1 configuration was accepted by the FortiGate even though the
configuration was invalid:

    config vpn ipsec phase1
        set type ddns
        set peertype one
        set peerid aaa

From FortiOS v3.00 MR4, this no longer is accepted and therefore, the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7
Patch Release 5 results in loss of configuration.

[VPN PPTP Non-Firewall User Group]


Choosing a user group whose type is NOT firewall when configuring PPTP results in loss of configuration when
upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5.

[DDNS Server – vavic.com]


The DDNS service for "vavic.com" changed for FortiOS v3.00 MR5. The domain is retrieved automatically based on the
user's account. Thus, upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5 will cause loss of configuration
for this setting.

[Firewall IP Pools with Class D IP Addresses]


Firewall IP pools using a Class D IP address are lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5, since the
configuration is now verified to be below 224.0.0.0.

[Firewall VPN Policies Sharing the Same Manual Key]


In FortiOS v2.80, VPN tunnels can be shared across firewall policies, but in FortiOS v3.00 VPN tunnels are assigned to an
interface and because the upgrade script assigns the VPN tunnel to one interface, subsequent policies using the VPN tunnel
are lost.

[Oversize File Limit]


After upgrading to FortiOS v3.00 MR7 Patch Release 5 from FortiOS v2.80 MR12, all oversize file limit values may change to
zero.

5.3 Upgrading from FortiOS v3.00 MR5 and MR6


Upgrading from FortiOS v3.00 MR5 and MR6 to FortiOS v3.00 MR7 is supported. MR7 Patch Release 5 officially supports
upgrade from the most recent Patch Release in MR5 and MR6.

If you are upgrading from a release prior to MR5, please upgrade to MR5 or MR6 before upgrading to MR7 Patch Release 5.
Please refer to the corresponding release notes for the proper upgrade path to MR5 or MR6.

[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v3.00 MR7 to match the port names on the face plate.
After upgrading to MR7 Patch Release 5, all port names in the FortiGate configuration are changed as per the following port
mapping.

Old port names before upgrading    New port names after upgrading
port1                              mgmt1
port2                              mgmt2
port3                              port1
port4                              port2
port5                              port3
port6                              port4
port7                              port5
port8                              port6
port9                              port7
port10                             port8
port11                             port9
port12                             port10
port13                             port11
port14                             port12
port15                             port13
port16                             port14
port17                             port15
port18                             port16

Note: A new revision of the FGT-3016B included a name change to two ports on the left side of the faceplate and in the
FortiOS v3.00 MR7 firmware. Previously, they were labelled 1 and 2. Now they are called MGMT 1 and MGMT 2. However,
the BIOS still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.
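
The following is an added example, not part of the Fortinet release notes: it applies the FGT-3016B port mapping above to a saved pre-upgrade configuration in a single pass and lists every line whose interface reference changes, so the result can be compared with the post-upgrade configuration. The function names are hypothetical and the sample configuration is constructed from the proxy-arp syntax shown in section 5.2.

```python
import re

# Rename table from the FGT-3016B port mapping above: port1/port2 become
# mgmt1/mgmt2 and port3..port18 each shift down by two.
PORT_MAP = {"port1": "mgmt1", "port2": "mgmt2"}
PORT_MAP.update({f"port{n}": f"port{n - 2}" for n in range(3, 19)})

# Match a port name only as a whole token, so "port1" is never found inside
# "port10" or inside a longer user-defined name such as "port1-dmz".
_TOKEN = re.compile(r"(?<![\w-])port\d+(?![\w-])")

# Constructed sample input (not taken from a real unit).
SAMPLE_CONFIG = """\
config system proxy-arp
    edit 1
        set ip 192.168.5.111
        set interface "port1"
    next
    edit 2
        set ip 192.168.5.110
        set interface "port3"
    next
    edit 3
        set ip 192.168.5.112
        set interface "port10"
    next
end"""


def rename_interfaces(config_text):
    """Return (new_text, changes) with every old name mapped exactly once.

    changes is a list of (line_number, old_name, new_name) so each affected
    line can be reviewed against the post-upgrade configuration.
    """
    out_lines, changes = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        def swap(match, lineno=lineno):
            old = match.group(0)
            new = PORT_MAP.get(old, old)  # names outside the table are kept
            if new != old:
                changes.append((lineno, old, new))
            return new
        out_lines.append(_TOKEN.sub(swap, line))
    return "\n".join(out_lines), changes


def naive_rename(config_text):
    """Sequential search-and-replace, shown only to expose its failure mode:
    replacing "port1" first also rewrites the prefix of "port10".."port18"."""
    for old, new in PORT_MAP.items():
        config_text = config_text.replace(old, new)
    return config_text


if __name__ == "__main__":
    new_text, changes = rename_interfaces(SAMPLE_CONFIG)
    for lineno, old, new in changes:
        print(f"line {lineno}: {old} -> {new}")
    print(new_text)
```

Because port3 becomes port1 while port1 becomes mgmt1, any external rule set, monitoring check or document that names a port must be translated through the table once, not edited name by name.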

[FortiManager Acting as a FortiGuard Server]


If your FortiManager is being used as an on-site FortiGuard server (providing IPS and AV updates), then you MUST upgrade
the FortiManager to MR7 before upgrading the FortiGates to ensure no service disruption.

[Firewall IP Pools with Class D IP Addresses]


Firewall IP pools using a Class D IP address are lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5, since the
configuration is now verified to be below 224.0.0.0.

[IPS Related Settings]


FortiOS v3.00 MR6 introduced a significant change to the way IPS is configured.

If a firewall profile previously had "high critical" signatures enabled, a sensor is created during the upgrade with one
IPS filter in which the severity "high critical" is selected. This sensor is added to the firewall profile. For each severity
combination, a sensor is created. If the user changed the default signature settings, then these signatures are added to all of
those sensors as an IPS override. For example:

Prior to FortiOS v3.00 MR6

    config firewall profile
        edit test1
            set ips-signature info low medium high critical
        next
        edit test2
            set ips-signature high critical
        next
    end
    config ips group abc
        config rule xyz123
            set status enable
            set action drop
            set id 1234567
        end
        config rule xyz456
            set status enable
            set action pass
            set id 7654321
        end
    end

FortiOS v3.00 MR7 configuration

    config firewall profile
        edit test1
            set ips-sensor-status enable
            set ips-sensor fw_prof_upg_test1
        next
        edit test2
            set ips-sensor-status enable
            set ips-sensor fw_prof_upg_test2
        next
    end
    config ips sensor
        edit fw_prof_upg_test1
            config filter
                edit 1
                    set severity info low medium high critical
                next
            end
            config override
                edit 1234567
                    set status enable
                    set action block
                next
                edit 7654321
                    set status enable
                    set action pass
                next
            end
        next
        edit fw_prof_upg_test2
            config filter
                edit 1
                    set severity high critical
                next
            end
            config override
                edit 1234567
                    set status enable
                    set action block
                next
                edit 7654321
                    set status enable
                    set action pass
                next
            end
        next
    end


The following sections are removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 5:

    config ips anomaly *
    config ips group *
    config system autoupdate ips

The following commands are removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 5:

    config system global
        set local-anomaly [enable|disable]

    config ips global
        set ip-protocol [enable|disable]

“config ips custom”, which was a global setting in FortiOS v3.00 MR4 and MR5, is copied into every VDom when
upgrading to v3.00 MR7 Patch Release 5.

[IM and P2P]


The sections “config imp2p aim-user | icq-user | yahoo-user | msn-user | old-version |
policy” which were global settings in FortiOS v3.00 MR5 are copied into every VDom after upgrading to v3.00 MR7
Patch Release 5.

[Spam Filter]
The sections “config spamfilter bword | emailbwl | ipbwl | ipstrust | mheader” which were
global settings in FortiOS v3.00 MR5 are copied into every VDom when upgrading to v3.00 MR7 Patch Release 5. The section
“config spamfilter rbl” becomes “config spamfilter dnsbl” after upgrading to FortiOS v3.00 MR7 Patch
Release 5 and this section is copied into every VDom.

[Web Filter]
The sections “config webfilter bword | exmword | ftgd-local-cat | ftgd-local-rating |
ftgd-ovrd | ftgd-ovrd-user | urlfilter” which were global settings in FortiOS v3.00 MR5 are copied into
every VDom after upgrading to v3.00 MR7 Patch Release 5.

[FortiManager]
The “config system fm” section in FortiOS v3.00 MR5 and MR6 may be lost after upgrading to MR7 Patch Release 5.
If this happens, you need to reset the FortiManager parameters under the “config system fortimanager”
section:
config system fortimanager
set ip 192.168.100.100
set vdom root
end

[User Setting]
Three parameters that were under the system global settings in FortiOS v3.00 MR5 are moved into a new section called
“config user setting”, which is a per-VDom setting. They are:
set auth-cert <cert-name>
set auth-secure-http [enable|disable]
set auth-timeout <integer by minutes>
set auth-type [ftp | http | https | telnet ]

[SNMP Interface Index]


FortiOS v3.00 MR6 added a new SSL interface (ssl.root). Upgrading from FortiOS v3.00 MR5 to MR7 Patch Release
5 therefore increases the SNMP interface index of interfaces, because the ssl.root interface is added just after the physical
interfaces in the list.

[NTP Configuration]

The following NTP related configuration commands have been moved under "config system ntp" in MR7 Patch
Release 5:
config ntpserver
set ntpsync
set syncinterval

[DNS Server Override]


The "dns-server-override" command is available only for interfaces that are configured in the management VDom.

[Switch Interface and Vlan Support in TP mode]


As of FortiOS v3.00 MR7, a VLAN interface cannot be created under a FortiGate switch interface in TP mode (e.g. the Internal
interface on the FGT60). Any VLANs under the switch interface will be lost after upgrading to MR7 Patch Release 5.

[VPN PPTP Non-Firewall User Group]


Choosing a user group whose type is NOT firewall when configuring PPTP results in loss of configuration when
upgrading from FortiOS v3.00 MR5 to FortiOS v3.00 MR7 Patch Release 5.

[Report Configuration]
The "Report Config" feature has been reworked in FortiOS v3.00 MR7 Patch Release 5 to support FortiAnalyzer Report Engine
v2. The "config log report" command has been removed in FortiOS v3.00 MR7 Patch Release 5. All configuration under
"config log report" may be lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5.

[User Peers]
User peers that are configured without a certificate authority (ca) or a subject are not retained upon upgrading to FortiOS
v3.00 MR7 Patch Release 5. In MR7, at least one of these fields may be a mandatory setting.

[FortiGuard Configuration]
The default setting for "central-mgmt-auto-backup" command has been changed to enable in FortiOS v3.00 MR7
Patch Release 5.

[Firewall Policy]
The "auth-path", "auth-cert" and "auth-redirect-addr" settings may be lost upon upgrading to FortiOS v3.00
MR7 Patch Release 5 if an authentication group is not selected in the firewall policy.

[System IPv6]
The section "config system ipv6-tunnel" is moved under "config system sit-tunnel" upon upgrading
to v3.00 MR7 Patch Release 5.

[Global Setting]
The section "allow-interface-subnet-overlap" which was under global settings in FortiOS v3.00 MR5 and
MR6 is copied into every VDom under "config system settings" after upgrading to v3.00 MR7 Patch Release 5.

[VPN IPSec User Group Settings]


In FortiOS v3.00 MR7 Patch Release 5 the user group settings have been changed to only reference firewall type user groups
in XAuth and Peer group settings. VPN configuration may be lost upon upgrading to MR7 Patch Release 5, if non-firewall
type user groups are used.

[Fortinet Local Certificate]


In FortiOS MR7, the "Fortinet_Local" RSA certificate has been removed, so any settings that use "Fortinet_Local" as an RSA
certificate may be lost after upgrading to MR7 Patch Release 5. Use the Fortinet_Factory RSA certificate instead of
Fortinet_Local.

[IPSec Quick Mode Selector]


The IPSec Phase2 quick mode selector protocol settings are lost after upgrading from FortiOS v2.80 to FortiOS v3.00 Patch
Release 2.

[FDS Push-update Settings]


The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to
FortiOS v3.00 MR7.

[System Modem Settings]


'config system modem' settings are lost after upgrading from FortiOS v3.00 MR6 to FortiOS v3.00 MR7 Patch
Release 5.

[FGT-224B Firewall Mode Support]


FortiOS v3.00 MR7 supports the FGT-224B operating in firewall mode only.
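
A pre-upgrade check built from the caveats listed in this section, as an added example that is not part of Fortinet's release notes: it scans a saved configuration backup for the sections and settings the notes say are removed, moved or lost, and reports where each one sits. The function name, the line-based parsing approach and the sample configuration are assumptions made for illustration.

```python
# Added example. Caveats below are transcribed from the upgrade notes above.
SECTIONS = {  # "config <prefix>" -> effect of upgrading to MR7 Patch Release 5
    "ips anomaly": "section removed",
    "ips group": "section removed",
    "system autoupdate ips": "section removed",
    "system fm": "may be lost; re-enter under config system fortimanager",
    "log report": "command removed; configuration may be lost",
    "system modem": "settings lost when upgrading from MR6",
    "system autoupdate push-update": "address and port may be lost",
    "system ipv6-tunnel": "moved under config system sit-tunnel",
    "spamfilter rbl": "becomes config spamfilter dnsbl",
}
SETTINGS = {("system global", "local-anomaly"): "command removed",
            ("ips global", "ip-protocol"): "command removed"}

def audit(text):
    """Return (line, context, item, note) for each flagged section or setting."""
    out, stack = [], []
    for no, line in enumerate(text.splitlines(), 1):
        tok = line.replace('"', "").split() or [""]
        ctx = " > ".join(stack)  # enclosing config/edit blocks, e.g. the VDom
        if tok[0] == "config":
            name = " ".join(tok[1:])
            for prefix, note in SECTIONS.items():
                if name == prefix or name.startswith(prefix + " "):
                    out.append((no, ctx, "config " + name, note))
            stack.append(name)
        elif tok[0] == "edit":
            stack.append("edit " + " ".join(tok[1:]))
        elif tok[0] == "next" and stack and stack[-1].startswith("edit "):
            stack.pop()
        elif tok[0] == "end":  # also closes an edit left open without "next"
            while stack and stack.pop().startswith("edit "):
                pass
        elif tok[0] == "set" and len(tok) > 1:
            note = ("Fortinet_Local removed; use Fortinet_Factory" if "Fortinet_Local" in tok[2:]
                    else SETTINGS.get((stack[-1] if stack else "", tok[1])))
            if note:
                out.append((no, ctx, " ".join(tok[1:]), note))
    return out

# Constructed sample, not a real backup; section contents are illustrative.
SAMPLE = "\n".join([
    "config system global", 'set auth-cert "Fortinet_Local"', "set local-anomaly enable", "end",
    "config spamfilter rbl", "end",
    "config vdom", "edit root", "config ips group abc", "config rule xyz123",
    "set action drop", "end", "end", "end", "config system fm", "end"])
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it against the backup taken before the upgrade and record the flagged items, so they can be re-entered or verified on the upgraded unit.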

5.4 Downgrading to FortiOS v3.00


Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles

5.5 Downgrading to FortiOS v2.80


Downgrading to FortiOS v2.80 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles

The FGT1000A-FA2 does not support downgrade to FortiOS v2.80. With the introduction of the FortiClient Check feature,
the flash card has a different partition layout than that in FortiOS v2.80.

5.6 Downgrading to FortiOS v2.50


Downgrading to FortiOS v2.50 results in loss of configuration on ALL models.

6 Image Checksums

(End of Release Notes.)
