Fortios 5.2.0 Beta 4 Release Notes


FortiOS v5.2.0 (Beta 4) Release Notes (Build 564)

April 30, 2014

01-520-234298-20140430

Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and

FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other

Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All

other product or company names may be trademarks of their respective owners. Performance

and other metrics contained herein were attained in internal lab tests under ideal conditions,

and actual performance and other results may vary. Network variables, different network

environments and other conditions may affect performance results. Nothing herein represents

any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or

implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s

General Counsel, with a purchaser that expressly warrants that the identified product will

perform according to certain expressly-identified performance metrics and, in such event, only

the specific performance metrics expressly identified in such binding written contract shall be

binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the

same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants,

representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves

the right to change, modify, transfer, or otherwise revise this publication without notice, and the

most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Fortinet Video Library video.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]


Table of Contents

Change Log....................................................................................................... 5

New Features in FortiOS v5.2.0 (Beta 4)......................................................... 6

FortiView usability improvements ............................................................................ 6

IPSec VPN ............................................................................................................... 6

Virtual WAN link load balancing and link monitoring ............................................... 7

Authentication.......................................................................................................... 7

Endpoint Control...................................................................................................... 7

Firewall..................................................................................................................... 8

VoIP.......................................................................................................................... 8

FortiOS Carrier ......................................................................................................... 8

Logging & Reporting ................................................................................................ 9

Tablesize ................................................................................................................ 10

Application Control ................................................................................................ 10

Misc ....................................................................................................................... 11

Web Filtering.......................................................................................................... 11

Wireless ................................................................................................................. 12

New Features in FortiOS v5.2.0 (Beta 3)................................................................ 13

New Features in FortiOS v5.2.0 (Beta 2)................................................................ 18

New Features in FortiOS v5.2.0 (Beta 1)................................................................ 20

Supported Models .......................................................................................... 26

FortiGate ................................................................................................................ 26

FortiWiFi................................................................................................................. 26

FortiGate VM.......................................................................................................... 26

FortiSwitch............................................................................................................. 26

Product Integration and Support .................................................................. 27

Web browser support ............................................................................................ 27

FortiManager and FortiAnalyzer support ............................................................... 27

FortiClient support (Windows, Mac OS X, iOS and Android)................................. 27

FortiAP support...................................................................................................... 28

FortiSwitch support ............................................................................................... 28

FortiController support........................................................................................... 28

Virtualization software support .............................................................................. 28

Fortinet Single Sign-On (FSSO) support................................................................ 29

FortiExplorer support (Microsoft Windows, Mac OS X and iOS)........................... 29

FortiExtender support ............................................................................................ 29

AV Engine and IPS Engine support ....................................................................... 29


Language support.................................................................................................. 29

Module support...................................................................................................... 30

SSL VPN support................................................................................................... 31

Explicit web proxy browser support ...................................................................... 33

Resolved Issues.............................................................................................. 34

Resolved issues from FortiOS v5.2.0 (Beta 3) ....................................................... 34

Other resolved issues in FortiOS v5.2.0 (Beta 4) ................................................... 34

Known Issues.................................................................................................. 36

Known issues with FortiOS v5.2.0 (Beta 4)............................................................ 36

Known issues from FortiOS v5.2.0 (Beta 3) ........................................................... 36

Known issues from FortiOS v5.2.0 (Beta 2) ........................................................... 36

Known issues from FortiOS v5.2.0 (Beta 1) ........................................................... 36

Appendix A: About FortiGate VMs ................................................................ 38

FortiGate VM model information............................................................................ 38

FortiGate VM firmware........................................................................................... 38

Citrix XenServer limitations.................................................................................... 39

Open Source Xen limitations ................................................................................. 39


Change Log

Date            Change Description

April 30, 2014  Removed GUI instructions and a CLI command from the description of application control information gathering improvements in “Application Control” on page 10. Added FEX-100A and corrected the build number in the section “FortiExtender support” on page 29.

April 29, 2014  Initial release.


New Features in FortiOS v5.2.0 (Beta 4)

This section describes new features in FortiOS v5.2.0 (Beta 4) build 564. Each feature

description includes a bug number from Fortinet’s internal bug tracking system.

• FortiView usability improvements

• IPSec VPN

• Virtual WAN link load balancing and link monitoring

• Authentication

• Endpoint Control

• Firewall

• VoIP

• FortiOS Carrier

• Logging & Reporting

• Tablesize

• Application Control

• Misc

• Web Filtering

• Wireless

• New Features in FortiOS v5.2.0 (Beta 3)

• New Features in FortiOS v5.2.0 (Beta 2)

• New Features in FortiOS v5.2.0 (Beta 1)

FortiView usability improvements

• A number of improvements to FortiView usability and functionality. You will notice changes

throughout the FortiView GUI pages. (237570, 236537, 236834, 239168, 237914, 238539,

237405)

IPSec VPN

• Prioritized DH group configuration/negotiation. (234056)

In FOS 5.2, the default DH group has changed from 5 to 14, to provide sufficient protection

for stronger cipher suites that include AES and SHA2. Because of this change, both IKEv1

and IKEv2 now allow up to 3 DH groups to be configured in the phase 1 and phase 2

settings, while preserving the ordering since the initiator always begins by using the first

group in the list. The default DH group in the configuration has been updated to include

group 14 and 5, in that order. You can add and remove other groups and the order they

appear in the configuration is the order in which they are negotiated.

The IKEv1 protocol does not natively provide for DH group negotiation in Aggressive Mode

and Quick Mode. As a result, when multiple DH groups are used with IKEv1 Aggressive

Mode or Quick Mode, delays in tunnel establishment can occur and so it is recommended to

continue to configure matching DH groups on both peers whenever possible.
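The ordering rules described above, as an added Python model that is not part of the release notes or of FortiOS: it shows that the initiator's configured order decides the agreed group, and how a list that does not match the peer's costs extra attempts in the modes that cannot negotiate a group. The single-proposal and one-group-per-attempt behaviour is an assumption stated in the docstring.

```python
"""Ordered DH-group negotiation as described for FortiOS 5.2 phase 1 and 2.
Added example, not Fortinet code.  Assumptions: IKEv2 and IKEv1 Main Mode carry
the whole group list in one proposal, so the responder picks the first mutually
supported group in the initiator's order in a single attempt; IKEv1 Aggressive
and Quick Mode commit to one group per attempt, so every rejected group costs a
further attempt (the delay the release notes warn about)."""
from typing import List, Optional, Tuple

MAX_DH_GROUPS = 3            # up to three groups per phase in FortiOS 5.2
DEFAULT_DH_GROUPS = [14, 5]  # new default order: group 14 first, then group 5


def validate_dh_groups(groups: List[int]) -> List[int]:
    """Reject lists the configuration would not accept: empty, too long, duplicated."""
    if not groups:
        raise ValueError("at least one DH group is required")
    if len(groups) > MAX_DH_GROUPS:
        raise ValueError(f"at most {MAX_DH_GROUPS} DH groups may be configured")
    if len(set(groups)) != len(groups):
        raise ValueError("DH group list contains duplicates")
    return list(groups)


def is_valid_dh_list(groups: List[int]) -> bool:
    try:
        validate_dh_groups(groups)
        return True
    except ValueError:
        return False


def negotiate_proposal_list(initiator: List[int], responder: List[int]) -> Tuple[Optional[int], int]:
    """IKEv2 / IKEv1 Main Mode model: all groups are offered at once, in the
    configured order; the responder takes the first one it also supports.
    Returns (agreed group or None, attempts used)."""
    for group in validate_dh_groups(initiator):
        if group in responder:
            return group, 1
    return None, 1


def negotiate_one_group_per_attempt(initiator: List[int], responder: List[int]) -> Tuple[Optional[int], int]:
    """IKEv1 Aggressive / Quick Mode model: the first message already carries key
    material for one group, so a mismatch forces a new attempt with the next group."""
    attempts = 0
    for group in validate_dh_groups(initiator):
        attempts += 1
        if group in responder:
            return group, attempts
    return None, attempts


def negotiation_report(initiator: List[int], responder: List[int]) -> dict:
    """Summarise one peer pair, e.g. the 5.2 default against a peer that still
    offers only the old default group 5."""
    group, _ = negotiate_proposal_list(initiator, responder)
    _, aggressive_attempts = negotiate_one_group_per_attempt(initiator, responder)
    return {
        "group": group,
        "aggressive_mode_attempts": aggressive_attempts,
        "lists_match": list(initiator) == list(responder),  # the recommended setup
    }


if __name__ == "__main__":
    print(negotiation_report(DEFAULT_DH_GROUPS, [5]))
```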


Virtual WAN link load balancing and link monitoring

• New measured volume (measured bandwidth usage distribution) method for virtual WAN link

load balancing. (235214)

A new virtual WAN link load balancing option that balances traffic between the interface

members of the virtual WAN link so that all of the interfaces get the same volume of traffic.

You can also add a volume ratio for each WAN link. The higher the volume ratio the higher

the amount of traffic sent to that link.

• Allow multiple source and destination addresses and address ranges for services in virtual

WAN link load balancing. (234106, 233357)

• Link Health Monitor added to System > Monitor > Link Monitor. (235801, 235801, 233916,

233602)

This feature displays status of all virtual WAN link ports as well as the number of sessions,

bandwidth, and link quality for each port in the virtual WAN link.

Authentication

• Improved the efficiency of how user authentication with multiple groups is processed by

FortiOS. (218909)

The following command can be used to test authentication of a user account with

multiple authentication servers.

diagnose test authserver user <username> <password> <group1> <group2>...

Endpoint Control

• Endpoint license changes. (231328)

New Endpoint licenses are now available in FortiOS 5.2. Information about the status of the

current license can be found in the FortiClient section of the License Information widget.

The following licenses will be available:

• Desktop models and FortiGate-VM00: 200 clients

• 1U models, FortiGate-VM01 and FortiGate-VM02: 2,000 clients

• 2U models and FortiGate-VM04: 8,000 clients

• 3U models, FortiGate-ATCA, and FortiGate-VM08: 20,000 clients

Because the new licenses are for one year, the activation method has changed. New

licenses are purchased similarly to a FortiGuard service, with no further registration of the

license required. The device can then be registered with the FortiGate unit.

If the device does not have access to the Internet, you can download the license key from the support site and manually upload it to your FortiGate. The license will be for that specific device and will have a license expiry date.

While the older licenses from FortiOS 5.0 will still be supported, they will have the following

limitations:

• The On-net/Off-net feature will not be supported.

• Logging options will only appear in the CLI.

• FortiAnalyzer Support for logging and reporting will be limited.

• You will not be able to enter any v5.0 license keys.


Firewall

• Simplifying and optimizing NAC quarantine (first phase, more changes in future FortiOS versions). (232211, 126666, 137528)

In the first phase of simplifying NAC quarantine all ban types have been removed except

IPv4 or IPv6 source IP address. In addition NAC quarantine features are now handled by the

kernel so the config user ban command has been removed.

For DLP sensors the only NAC quarantine option is quarantine-ip to quarantine all traffic

from the IP address.

For antivirus profiles the only NAC quarantine option is quar-src-ip to quarantine all

traffic from the source IP.

For IPS sensors, the only NAC quarantine option is attacker to block attacker's IP.

For IPv4 DoS-policies, the only NAC quarantine option is attacker to block attacker's IP.

For IPv6 DoS-policies, the only NAC quarantine option is attacker to block attacker's IP.

VoIP

• Change default SIP behavior to proxy VoIP ALG. (237213)

Previous versions of FortiOS used the SIP session helper for all SIP sessions. You had to remove the SIP session helper from the configuration for SIP traffic to use the SIP ALG. Now, by default, all SIP traffic is processed by the SIP ALG. You can change the default setting using the following command:

    config system settings
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
    end

The default is proxy-based, which means the SIP ALG is used. If set to kernel-helper-based, the SIP session helper is used.

If a SIP session is accepted by a firewall policy with a VoIP profile, the session is processed

using the SIP ALG even if default-voip-alg-mode is set to kernel-helper-based.

If a SIP session is accepted by a firewall policy that does not include a VoIP profile:

• If default-voip-alg-mode is set to proxy-based SIP traffic is processed by the SIP

ALG using the default VoIP profile.

• If default-voip-alg-mode is set to kernel-helper-based, SIP traffic is processed by the SIP session helper. If the SIP session helper has been removed, then no SIP processing takes place.

FortiOS Carrier

• Add support for per-stream rate limiting of GTP traffic and the ability to apply rate limiting separately for GTPv0 and GTPv1. (236999, 183334)


In addition FortiOS Carrier now indicates the GTP version in rate limiting log messages and

writes a rate limiting warning log message when a packet exceeds the rate limiting

threshold.

    config firewall gtp
        edit my-gtp-profile
            set rate-limit-mode {per-profile | per-stream}
            set warning-threshold {0 - 99}
            config {message-rate-limit-v0 | message-rate-limit-v1 | message-rate-limit-v2}
                set create-pdp-request <rate-limit>
                set delete-pdp-request <rate-limit>
                set echo-request <rate-limit>
            end
    end

• New GTPv0 and GTPv1 per APN rate limiting. (227151)

This requirement is intended to fulfill the business model of M2M (mobile 2 mobile) providers

who leverage cellular wireless networks to provide tailored data services to a non-telco

organization. For example, vending machines for a soft drink company can send inventory

data and receive advertising updates via cellular data.

Since M2M providers span multiple wireless carriers and have multiple customers, they deploy a unique Access Point Name (APN) per customer. Unfortunately they do not have a very large address space, so they are forced to overload many APNs on a single IP address.

The problem occurs when there is a network issue that takes some customers offline (for a

variety of reasons) and the affected cellular devices don't behave "well" resulting in a flood

of APN negotiations that may affect other customers on the same IP address.

This enhancement extends the current GTP rate limiting capability to examine the APN in the pdp-create-context field and optionally apply rate limiting based on the associated profile.

You can use the following CLI command to set rate limits per APN:

    config firewall gtp-profile
        ...
        set rate-limit-mode per-apn
        config per-apn-shaper
            edit entry1
                set apn <APN-name>
                set version <version>
                set rate-limit <limit>
        end
    end
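Both rate-limiting features above (per-profile or per-stream message limits with a warning threshold, and per-APN shaping) modelled in one added Python example that is not FortiOS code. The one-second window, the reading of warning-threshold as a percentage of the limit, and the choice of stream key are assumptions stated in the docstring; the burst it runs is constructed.

```python
"""GTP message rate limiting modelled on the FortiOS 5.2 profile options above
(rate-limit-mode per-profile | per-stream | per-apn, message-rate-limit-v0/v1/v2,
warning-threshold, per-apn-shaper).  Added example, not FortiOS code.
Assumptions: a rate limit is messages per one-second window; warning-threshold
is a percentage of that limit; a stream is one (source IP, version, message
type); per-APN limits apply to the APN carried in create PDP context requests."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GtpMessage:
    src_ip: str
    version: int           # 0, 1 or 2; written to every log line, as the notes describe
    msg_type: str          # create-pdp-request | delete-pdp-request | echo-request
    apn: Optional[str] = None
    ts: float = 0.0        # arrival time in seconds


@dataclass
class GtpProfile:
    name: str
    rate_limit_mode: str                        # per-profile | per-stream | per-apn
    warning_threshold: int = 0                  # 0-99, percent of the limit; 0 = off
    message_rate_limit: Dict[int, Dict[str, int]] = field(default_factory=dict)  # version -> type -> limit
    per_apn_shaper: Dict[Tuple[str, int], int] = field(default_factory=dict)     # (apn, version) -> limit


class GtpRateLimiter:
    """Fixed one-second window counter per bucket; a limit of 0 means unlimited."""

    def __init__(self, profile: GtpProfile) -> None:
        self.profile = profile
        self.counts: Dict[tuple, int] = defaultdict(int)
        self.windows: Dict[tuple, int] = {}
        self.logs: List[str] = []

    def _bucket(self, m: GtpMessage) -> Tuple[Optional[tuple], int]:
        mode = self.profile.rate_limit_mode
        if mode == "per-apn":
            if m.msg_type != "create-pdp-request" or m.apn is None:
                return None, 0                  # only the APN in create PDP context is shaped
            return ("apn", m.apn, m.version), self.profile.per_apn_shaper.get((m.apn, m.version), 0)
        limit = self.profile.message_rate_limit.get(m.version, {}).get(m.msg_type, 0)
        if mode == "per-stream":
            return ("stream", m.src_ip, m.version, m.msg_type), limit
        return ("profile", m.version, m.msg_type), limit

    def check(self, m: GtpMessage) -> str:
        """Return "forward" or "drop" and append FortiOS-style log lines."""
        key, limit = self._bucket(m)
        if key is None or limit <= 0:
            return "forward"
        window = int(m.ts)
        if self.windows.get(key) != window:     # new second: reset this bucket
            self.windows[key] = window
            self.counts[key] = 0
        self.counts[key] += 1
        n = self.counts[key]
        tag = (f"profile={self.profile.name} gtpversion=v{m.version} src={m.src_ip} "
               f"apn={m.apn} msg={m.msg_type}")
        if n > limit:
            self.logs.append(f"action=drop reason=rate-limit {tag} count={n} limit={limit}")
            return "drop"
        threshold = self.profile.warning_threshold
        if threshold and n * 100 > limit * threshold:
            self.logs.append(f"level=warning reason=rate-limit-threshold {tag} "
                             f"count={n} limit={limit} threshold={threshold}%")
        return "forward"


def run(profile: GtpProfile, messages: List[GtpMessage]) -> Tuple[List[str], List[str]]:
    """Feed a burst through one profile; returns (actions, logs)."""
    limiter = GtpRateLimiter(profile)
    return [limiter.check(m) for m in messages], limiter.logs


# Constructed burst: one SGSN (10.0.0.1) sends four GTPv1 create requests for the
# same APN within one second, then a second SGSN (10.0.0.2) sends a single one.
BURST = [GtpMessage("10.0.0.1", 1, "create-pdp-request", "vending.m2m.example", 0.1 + i / 10)
         for i in range(4)]
BURST.append(GtpMessage("10.0.0.2", 1, "create-pdp-request", "vending.m2m.example", 0.9))

PER_STREAM = GtpProfile("m2m", "per-stream", warning_threshold=50,
                        message_rate_limit={1: {"create-pdp-request": 3}})
PER_PROFILE = GtpProfile("m2m", "per-profile", message_rate_limit={1: {"create-pdp-request": 3}})
PER_APN = GtpProfile("m2m", "per-apn", per_apn_shaper={("vending.m2m.example", 1): 2})

if __name__ == "__main__":
    for prof in (PER_STREAM, PER_PROFILE, PER_APN):
        actions, logs = run(prof, BURST)
        print(prof.rate_limit_mode, actions, *logs, sep="\n  ")
```

Per-stream limits isolate the second SGSN from the first one's burst; per-profile and per-APN limits do not, which is the trade-off the notes describe for overloaded APNs.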

Logging & Reporting

• FortiOS now writes separate log messages for local in deny actions for unicast traffic and

local in deny actions for multicast traffic. (231272)

The previous local-in-deny log function has been split into two functions, local-in-deny-unicast and local-in-deny-broadcast.

• When a FortiOS component crashes, FortiOS now generates an event log message with

information about the crash, similar to a shortened crash log. (238137)


• New command to enable reports. Using this command you can also choose whether to

include sniffer log messages in Report results. (224804)

Use the following command to enable producing a report that uses both sniffer logs and

forward traffic logs:

    config report setting
        set status enable
        set report-source sniffer-traffic forward traffic
    end

Tablesize

• The number of object tags has been increased and the number is managed by the tablesize

system.object-tag. (234899)

The actual numbers for each model will appear in the FortiOS 5.2 Max Values Table.

Application Control

• Application Control Usability Improvements and 5-Point-Risk Rating. (224969, 233847,

238980)

The following changes have been made to improve usability in the web-based manager:

• Application sensors and filters pages are now created on a single page, found at Security

Profiles > Application Control.

• A drop-down menu appears when you right-click on a category, allowing the action for that category to be changed.

• Filter criteria, such as popularity, technology, and risk, have been removed.

• New application sensors can only be created by category and application.

A new rating system is used for all pages related to application control, including the application list, the application filters list, traffic logs, the FortiView Applications dashboard, and the FortiView All Sessions dashboard. The rating system is as follows:

Critical: Applications that are used to conceal activity to evade detection. Examples: Tor, SpyBoss.

High: Applications that can cause data leakage, or are prone to vulnerabilities or downloading malware. Examples: Remote Desktop, File Sharing, P2P.

Medium: Applications that can be misused. Examples: VoIP, Instant Messaging, File Storage, WebEx, Gmail.

Elevated: Applications that are used for personal communications or can lower productivity. Examples: Gaming, Facebook, Youtube.

Low: Business related applications or other harmless applications. Example: Windows Updates.

• Application control information gathering improvements. (240161)


Application control can now extract the following information and record it in application

control and traffic log messages:

• Information about user logins and file transfers for cloud applications.

• Video names for many popular video streaming sites, including YouTube, NetFlix, Vevo, Dailymotion, Veoh, Hulu, Vube, Metacafe, LiveLeak, Break, and Ustream.

• The following new fields have been added to both the application control log and to

traffic logs: clouduser, cloudaction, filename, and filesize.

A new custom IPS and application control signature option, --deep_ctrl, has been

added.

The following new diagnose commands have also been added:

• diagnose ips debug dac info

• diagnose ips debug dac clear

• diagnose ips debug enable dac

Misc

• By default the vulnerability scanner is not displayed on the GUI. (239815)

To add the vulnerability scanner go to System > Config > Features and turn on this feature.

• Hardware-switch interface Switch Port Analyzer (SPAN) feature. (234051)

The Switch Port Analyzer (SPAN) feature is now available for hardware switch interfaces on

FortiGate models with built-in hardware switches (for example, the FortiGate-100D, 140D,

and 200D etc.). The SPAN feature (also called port mirroring) allows you to send a copy of

the packets received or sent by one interface to another. So, for example, you could send all

traffic received by the WAN interface to another interface and connect a sniffer to that other

interface to monitor the traffic on the WAN interface.

To enable SPAN on a hardware switch, go to System > Network > Interfaces and edit a

hardware switch interface. By default the system may have a hardware switch interface

called lan. You can also create a new hardware switch interface.

Select the SPAN checkbox. Select a source port from which traffic will be mirrored. Select

the destination port to which the mirrored traffic is sent. Select to mirror traffic received,

traffic sent, or both.

You can also use the following CLI command to enable SPAN on the lan hardware switch

and mirror traffic received by port6 to port10:

    config system virtual-switch
        edit lan
            set span enable
            set span-source-port port6
            set span-dest-port port10
            set span-direction Rx
        end
    end

Web Filtering

• Web Filter - HTTP Referrer Field Check/Verify (236709)

You can now add a referrer to URL filters. If a referrer is specified, the hostname in the Referer field of the HTTP request is compared for any entry that contains the matching URL. If the referrer matches, then the specified action is performed by the proxy.


The referrer can also be set in the web-based manager, but only if advanced web filter features have been enabled using the following command:

    config system global
        set gui-webfilter-advanced enable
    end

After this command is used, a new column will be created in Security Profiles > Web Filter >

Static URL Filter to set the referrer.

The command set referrer-host has been added to the CLI. The CLI has also changed so

that URL filters are now identified by their IDs, and the URL values can be set under each

entry.

    config webfilter urlfilter
        edit <ID>
            config entries
                edit 1
                    set url <url>
                    set referrer-host <url>
                    set type {simple | regex | wildcard}
                    set action {block | allow | monitor | exempt}
                    set status {enable | disable}
                end
        end
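A worked evaluation of URL filter entries with the referrer-host match described above, added here as an example that is not FortiOS code: it parses a constructed `config webfilter urlfilter` block in the CLI form shown and applies it to a request URL and Referer header. The evaluation order, the matching rules for each type, and the `next` keyword closing each entry are assumptions stated in the docstring.

```python
"""Static URL filter evaluation with the new referrer-host match (FortiOS 5.2).
Added example, not FortiOS code.  Assumptions: entries are checked in id order
and the first enabled match decides; "simple" matches the hostname exactly and
the path as a prefix; "wildcard" is shell-style globbing and "regex" a regular
expression search, both on the URL without its scheme; an entry with
referrer-host matches only when the Referer header's hostname equals it."""
import fnmatch
import re
import shlex
from typing import Dict, List, Optional, Tuple


def parse_urlfilter_entries(config_text: str) -> List[Dict[str, str]]:
    """Collect the 'config entries' of a 'config webfilter urlfilter' block."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    in_entries = False
    for raw in config_text.splitlines():
        parts = shlex.split(raw)                 # also strips quotes around values
        if not parts:
            continue
        if parts[:2] == ["config", "entries"]:
            in_entries = True
        elif in_entries and parts[0] == "edit":
            current = {"id": parts[1]}
        elif in_entries and parts[0] == "set" and current is not None:
            current[parts[1]] = " ".join(parts[2:])
        elif parts[0] in ("next", "end"):      # 'next' closes an edit, 'end' a config
            if current is not None:
                entries.append(current)
                current = None
            elif parts[0] == "end":
                in_entries = False
    return sorted(entries, key=lambda e: int(e["id"]))


def strip_scheme(url: str) -> str:
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)


def host_and_path(url: str) -> Tuple[str, str]:
    host, _, path = strip_scheme(url).partition("/")
    return host.split(":")[0].lower(), "/" + path


def url_matches(entry: Dict[str, str], url: str) -> bool:
    kind, target = entry.get("type", "simple"), entry["url"]
    if kind == "wildcard":
        return fnmatch.fnmatchcase(strip_scheme(url).lower(), target.lower())
    if kind == "regex":
        return re.search(target, strip_scheme(url)) is not None
    want_host, want_path = host_and_path(target)
    host, path = host_and_path(url)
    want_path = want_path.rstrip("/")
    return host == want_host and (not want_path or path == want_path
                                  or path.startswith(want_path + "/"))


def referer_matches(entry: Dict[str, str], referer: Optional[str]) -> bool:
    want = entry.get("referrer-host")
    if not want:
        return True                          # no referrer-host: the URL match alone decides
    return referer is not None and host_and_path(referer)[0] == want.lower()


def evaluate(entries: List[Dict[str, str]], url: str, referer: Optional[str] = None) -> Optional[str]:
    """Return block | allow | monitor | exempt, or None when no entry applies."""
    for entry in entries:
        if entry.get("status", "enable") != "enable":
            continue
        if url_matches(entry, url) and referer_matches(entry, referer):
            return entry.get("action", "block")
    return None


# Constructed configuration: downloads are allowed only when reached from the
# intranet portal (entry 1); any other route to them is blocked (entry 2).
SAMPLE_CONFIG = r"""
config webfilter urlfilter
    edit 1
        config entries
            edit 1
                set url "www.example.com/download"
                set referrer-host "intranet.example.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set url "www.example.com/download"
                set type simple
                set action block
                set status enable
            next
            edit 3
                set url "\.torrent$"
                set type regex
                set action block
                set status enable
            next
        end
    next
end
"""
ENTRIES = parse_urlfilter_entries(SAMPLE_CONFIG)
```

Note that the Referer header is set by the client, so a referrer-host allow entry relaxes a block only against users who do not craft their own headers; it is a usability control, not an authentication boundary.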

• Restrict access to Google Corporate Accounts only. (235247)

A new option has been added to web filtering to restrict Google access to Google's corporate accounts. This allows you to block access to some Google accounts and services while allowing access to corporate Google accounts.

To use this option, go to Security Profiles > Web Filter and select Restrict to Corporate

Google Accounts Only under Proxy Options. You can then add the appropriate Google

domains that will be allowed.

If you wish to configure these options in the CLI, the URL filter must refer to a web-proxy profile that uses the Modifying HTTP Request Headers feature described below. This command is only visible when the action is set to either allow or monitor.

Wireless

• Radius Accounting for WiFi. (232224)

RADIUS accounting is now supported for wireless networks, allowing RADIUS accounting

messages to be sent that contain a wireless user's name and IP address.

If an accounting server has been enabled for RADIUS, the wireless client information will be

sent to it.

• Captive Portal (235329, 237512, 234510, 234508, 232671, 238009, 237996, 237751,

237576, 234569, 238478, 238008, 237734, 237476, 237742)

New Configuration Options

The following options can now be configured for captive portals that use wireless interfaces:

• Security exempt list name: security-exempt-list <name>

• URL redirection after disclaimer/authentication: security-redirect-url <url>

• Captive portal type: portal-type {auth | email-collect}

WPA Personal Security + Captive Portal


A new option has also been added that uses WPA Personal security as well as a captive

portal. This option also allows groups to be imported from the policy.

• Wireless Captive Portal Updates. (239746, 239143, 239790, 239836)

New Features in FortiOS v5.2.0 (Beta 3)

FortiView

• New FortiView pages: Web Sites and Threats. (235514)

Web Sites displays a chart showing the most commonly visited websites. You can drill down

to view details about each access to each site.

Threats lists the most commonly received threats and the users who either sent or received

them.

Antivirus

• Flow-based virus scanning displays a virus found message. (228916)

Flow-based virus scanning can usually display a virus found message in the user’s web

browser when an infected file is found:

• The message can be displayed immediately if the infected file fits into one server

response packet

• If the infected file is larger than one server response packet, the URL of the virus found

message is put into a cache and the block page is displayed the next time this URL is

accessed. In this case the user’s browser will appear to hang and if they refresh their

browser the virus found message is displayed.

Firewall

• Captive Portal updates: (234289).

When configuring a captive portal you can select a user group or set it to use the user

groups added to the firewall policy that accepted the user connection.

Standard authentication replacement messages are now also used for captive portals.

New WiFi interface captive-portal options:

    config wireless-controller vap
        edit "wifi"
            set security captive-portal
            set security-exempt-list "exempt_list_01"
            set security-redirect-url "http://www.fortinet.com"
            set portal-type {auth | email-collect}
    end

Use the exempt list to list MAC addresses and IP addresses that are exempt from

authenticating with the captive portal.

• Support certificate replacement in SSL/SSH inspection profiles that use SSL

certificate-inspection mode. (232850)

When SSL certificate-inspection mode is chosen in an SSL/SSH Inspection profile and a web page is blocked, FortiOS uses a replacement message to display a web page indicating that the page was blocked. The FortiGate now uses the CA currently in use for that session for the SSL handshake before displaying the replacement message page. Previously, FortiOS used a pre-defined certificate for the replacement message, which would result in a browser warning message.


• Select the certificate used by the FortiGate authentication system for HTTPS authentication.

(233020)

You can now select the CA certificate that the authentication system uses when asking a

user to authenticate using HTTPS. Use the following command to select the CA certificate to

use. It can be any CA certificate loaded into the FortiGate configuration. You can only

specify one certificate and it is used for all HTTPS authentication requests:

    config user setting
        set auth-ca-cert <certificate-name>
    end

• Server load balancing virtual IP support for replacing the X-Forwarded-For header with a new header with a user-configurable name. (230831)

By default, if http-ip-header is enabled in a virtual-server configuration, then as HTTP(S) traffic flows through a virtual server FortiOS either adds an X-Forwarded-For header with the client's original IP address or updates any existing X-Forwarded-For header with the client's IP address. Some servers want the client's original IP address but do not want to use X-Forwarded-For and instead want a configurable name to be used. The new attribute http-ip-header-name allows this name to be defined.

If defined, then any existing X-Forwarded-For header is removed and a new header with the given name is added containing the client IP address.

    config firewall vip
        set type server-load-balance
        set http-ip-header-name <header-name>

Consider a simple virtual server:

    config firewall vip
        edit ssl
            set type server-load-balance
            set server-type https

By default it has an http-ip-header option which is disabled:

    set ?
    ...
    http-multiplex        Enable/disable multiplex HTTP requests/responses over a single TCP connection.
    http-ip-header        Add an additional HTTP header containing client's original IP address
    outlook-web-access    Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server.
    ...

If enabled:

    set http-ip-header enable


the http-ip-header-name option becomes visible:

    set ?
    ...
    http-multiplex        Enable/disable multiplex HTTP requests/responses over a single TCP connection.
    http-ip-header        Add an additional HTTP header containing client's original IP address
    http-ip-header-name   Name of HTTP header containing client's IP address, if empty X-Forwarded-For is used.
    outlook-web-access    Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server.
    ...

By default it is empty and X-Forwarded-For will be used:

    get
    ...
    srcintf-filter:
    http-ip-header      : enable
    http-ip-header-name :
    monitor             :
    ...

If a new value is defined:

    set http-ip-header-name X-Billing-Address
    get
    ...
    http-ip-header      : enable
    http-ip-header-name : X-Billing-Address
    monitor             :
    color               : 0
    ...

then that will be used instead of X-Forwarded-For.
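The header handling described above, as an added Python model that is not FortiOS code: it shows what the real server receives for each combination of http-ip-header and http-ip-header-name, including the case where the client itself sent an X-Forwarded-For value. Reading "updates any existing X-Forwarded-For header" as replacing its value, and dropping a client-sent header that already carries the custom name, are assumptions.

```python
"""Client-IP header handling of a FortiOS 5.2 server-load-balance VIP as
described above (http-ip-header, http-ip-header-name).  Added example, not
FortiOS code.  Assumptions: "updates any existing X-Forwarded-For header" is
modelled as replacing its value with the client's real IP, and a client-sent
header that already uses the custom name is removed before the new one is
added, so a value the client supplied itself never reaches the server."""
from typing import List, Optional, Tuple

Header = Tuple[str, str]
XFF = "X-Forwarded-For"


def apply_client_ip_header(headers: List[Header], client_ip: str,
                           http_ip_header: bool, http_ip_header_name: str = "") -> List[Header]:
    """Return the header list the real server receives from the virtual server."""
    if not http_ip_header:
        return list(headers)                        # option disabled: pass through unchanged
    kept = [h for h in headers if h[0].lower() != XFF.lower()]   # drop any client-sent XFF
    if not http_ip_header_name:                     # empty name: X-Forwarded-For is used
        kept.append((XFF, client_ip))
    else:                                           # custom name replaces XFF entirely
        kept = [h for h in kept if h[0].lower() != http_ip_header_name.lower()]
        kept.append((http_ip_header_name, client_ip))
    return kept


def client_ip_seen_by_server(headers: List[Header], trusted_name: str = XFF) -> Optional[str]:
    """What a backend that trusts exactly one header name logs as the client IP."""
    for name, value in headers:
        if name.lower() == trusted_name.lower():
            return value
    return None


# Constructed request: the client forged an X-Forwarded-For header itself.
FORGED_REQUEST: List[Header] = [("Host", "app.example"), ("x-forwarded-for", "10.10.10.10")]
REAL_CLIENT_IP = "203.0.113.7"

if __name__ == "__main__":
    for name in ("", "X-Billing-Address"):
        print(name or XFF, apply_client_ip_header(FORGED_REQUEST, REAL_CLIENT_IP, True, name))
```

The backend should read only the header name the VIP is configured to set and log that value; with http-ip-header disabled the forged value reaches it unchanged.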

• Support modifying HTTP request headers in proxy. (235247)

FortiCarrier

• Improvements to GTP logging to make searching GTP sessions easier and more accurate.

(221888, 222684, 232058)

• Three new CLI commands are added to the GTP profile for gtpu logging.

gtpu-forwarded-log and gtpu-denied-log control whether to record a log entry for

forwarded and dropped packets or not, respectively. gtpu-log-freq controls the log

frequency for gtpu packets. The log frequency value is per number of packets. For example

set gtpu-log-freq 10 means the FortiGate unit should record a log entry for every 10

packets.

IPsec

• Allow more control over adding routes to dialup (dynamic) IPsec VPN configurations.

(231749)


You can enable add-route in any dialup (dynamic) policy-based or interface-based phase 1 configuration. This option functions the same way as the add-route option used for dynamic interface-based phase 1s with mode-cfg enabled. This option adds a route to the FortiGate unit’s routing information base when the dynamic tunnel is negotiated. You can use the distance and priority options to set the distance and priority of this route. If this results in a route with the lowest distance, it is added to the FortiGate unit’s forwarding information base.

You can also enable add-route in any policy-based or interface-based phase 2

configuration that is associated with a dialup (dynamic) phase 1. In the phase 2, add-route

can be enabled, disabled or set to use the same route as the phase 1.

• Allow multiple interfaces for IKE/IPsec VPN policies. (230415)

You can add multiple incoming and outgoing interfaces to policy-based IPsec VPN firewall

policies (Action set to IPsec).

• Allow IKE authentication against group in policy. (231690)

You can add Source Users to policy-based IPsec VPN firewall policies (Action set to IPsec).

If no users or user groups are added to the phase 1, the Source Users in the policy can

authenticate with the IPsec VPN.

Logging & Reporting

• Improvements to reporting. (233366, 233181, 232327)

The report available on the FortiGate unit (under Log & Report > Report) has been improved

with better threat related charts and application and bandwidth related charts.

Routing

• BGP neighbor groups. (237029)

This feature allows a large number of neighbors to be configured automatically based on a

range of neighbors' source addresses.

Start by adding a BGP neighbor group:

  config router bgp
    config neighbor-group
      edit <neighbor-group-name>
        set remote-as 100
        ...
      next
    end
  end

(All options for BGP neighbor are supported except password.)

Then add a BGP neighbor range:

  config router bgp
    config neighbor-range
      edit 1
        set prefix 192.168.1.0/24
        set max-neighbor-num 100
        set neighbor-group <neighbor-group-name>
      next
    end
  end

System

• Select a custom language for an SSL VPN web portal and for the Guest Management page

for administrators who can only provision guest accounts. (227415)


To enable custom language support:

  config system global
    set gui-custom-language enable
  end

Go to System > Admin > Administrators and add an administrator. When you select Restrict

to Provision Guest Accounts you can also select the language that appears on the Guest

Management GUI page for that administrator.

Go to VPN > SSL > Portals to add an SSL VPN portal. When configuring the portal you can

select the language that appears on the portal.

FortiOS comes with a number of languages that you can apply to an SSL VPN portal and the

Guest Management GUI page. You can also add your own language by going to System >

Config > Advanced > Language and uploading a new language template. Here you can also

view and download a sample language template that you can use to create your own

custom language file.

• Support configuring DHCP advanced options in the GUI. (228329)

When editing the DHCP configuration on an interface you can select Advanced to configure

the following:

• Set the interface to DHCP relay mode

• Send an NTP server IP address to DHCP clients

• Set the time zone of the DHCP client

• Set advanced DHCP options such as Host Name (DHCP option 12) and Boot file size

(DHCP option 13). You can select an option from the list or enter the DHCP option

number.

• FortiGate units support the Novatel U679 (Bell) LTE modem. (225531)

• GUI support for hardware switch features. (233756)

You can manually allocate VLANs on virtual switch interfaces from the GUI. To enable this

feature, enter the following CLI command:

  config system global
    set virtual-switch-vlan enable
  end

Then from the GUI go to System > Network > Interfaces > Create New. Set the Type to VLAN

Switch, set a VLAN ID, and add switch ports as Physical Interface Members. To be able to

add switch ports you must first remove them from the lan interface.

• Enable taking an aggregate interface down if a configured number of physical interfaces in

the aggregate are not connected. (229624)

  config system interface
    edit agg-int
      set type aggregate
      set min-links 3
      set min-links-down {operational | administrative}
    next
  end

Where min-links is the minimum number of member links that must be up for the aggregate

to be considered up, and min-links-down specifies whether the aggregate is set operationally

down or administratively down when fewer than min-links members are up.

• License widget updates and registration wizard replacement. (233166, 235855, 235853)

• Change factory default values for FortiClient on-net status and FortiClient access. (237035)


Webfilter

• When FortiGuard Web Filtering displays authentication and override pages you can

configure the FortiGate unit to send the pages using HTTPS instead of HTTP. This is a

FortiGuard web filtering configuration set once for FortiGuard. (187272, 231380)

The following new options are available

  config webfilter fortiguard
    set ovrd-auth-https {disable | enable}    (Web Filtering override)
    set warn-auth-https {disable | enable}    (Web Filtering authentication)
  end

Wireless

• Support split tunnelling for FortiAPs. Split tunnelling allows you to optimize WiFi traffic flow

by keeping local traffic off of the WiFi controller. Instead, local traffic is handled by the FortiAP

unit. With split tunnelling, a remote user associates with a single SSID, not multiple SSIDs, to

access both corporate resources (for example, a mail server) and local resources (for example,

a local printer). The remote AP examines ACLs to distinguish between corporate traffic

destined for the controller and local traffic. Traffic that matches the AP ACL rules is switched

locally, and NAT is performed to change the client’s source IP address to the AP’s interface IP

address, which is routable at the local site/network. The rest of the packets are centrally

switched over the data tunnel. (234937)

Enable split tunnelling for an SSID by editing an SSID (go to Wireless > WiFi Network > SSID)

and selecting Split Tunneling. You must also add Split Tunnelling Subnets to FortiAP profiles

or to managed FortiAPs. The Split tunnelling subnets are the local traffic subnets and would

usually match the subnet connected to the FortiAP.

• FortiAP CLI Console Access (230588)

If login-enable is enabled in a FortiAP configuration, from the FortiOS Managed FortiAPs

page you can log into the FortiAP’s CLI.

New Features in FortiOS v5.2.0 (Beta 2)

FortiOS Carrier

• Add support for tunnel create/modify/delete across GTP version 1 & 2 (226037)

• GTP Logging Improvements (229210, 229562)

IPSec VPN

• Add support for IKE mode config to use a remote DHCP server to assign the client IP

address. (177415)

Logging & Report

• 5-Point-Risk Rating for Applications (229368)

Routing

• Allow ECMP to use both source and destination addresses. (230398)

• Added support for BGP conditional advertisement. (228722)


SSL VPN

• SSLVPN Updates (225885, 231869)

Device Visibility

• Extended device visibility to detect devices based on traffic that does not flow through the

FortiGate but which the FortiGate does see. This includes: (219483)

• Traffic that hits an interface with “set ips-sniffer-mode enable”

• Broadcast and multicast traffic

Firewall

• Preserve Class of Service (CoS) Bits (216290)

• Support UUID for VIP/VIP6/VIP46/VIP64/VIPGRP/VIPGRP6/VIPGRP46/VIPGRP64. (224622)

• Link Load Balance (LLB) -- Link quality based distribution. (228868)

• Add Source-IP, Destination-IP, and Username to the replacement messages. (176238)

• WLAN External Web authentication support (195254)

• Add more information to block page for flow-based web filtering (227974)

• SSL Inspection - server certificate upload (proxy) (193400)

HA

• RFC 6311 IKE Message ID sync support allows IKEv2 to re-synchronize send and receive

message ID counters after an HA failover. (212653)

• HA for DHCP/PPPoE. (227196)

• HA override wait-time causes the cluster to wait before renegotiating after a unit joins the

cluster when override is enabled. (232111)

  config system ha
    set override-wait-time <time>
  end

IPS

• Generate sniffer log. (224702)

• IPS Packet Capture Improvements. (113088, 230501, 165013, 195280, 230530, 230469,

230486, 229211)

System

• Add DHCP Server ‘on-net’ property. (227770)

• Add support for LLDP transmission. (224654)

• Implementing Link monitor (223683)

• Scheduled FDN upgrade flexibility (208394)

• SNMP trap & alert message for USB modem unplugged (228450)

GUI (web-based manager) usability changes

• Interface list improvements. (178943, 228616)


• DHCP related GUI improvements. (221932)

• LDAP query inside ID policy. (193045)

• IPv6 address range support on GUI. (182243)

• FortiView Updates (228044, 230777, 228071, 227052, 227600, 227844)

• Move explicit proxy policy to a separate table (232684)

• Per VDOM CPU and memory usage widget (220121)

• System Resource Widget Updates (197167, 221055, 218711, 228286)

• Link Health Check GUI support. (230051, 232611, 226034, 225744, 226366, 233602)

• The FortiClient Vulnerability Scan module is enabled in the FortiClient Profile from the CLI. To

enable Vulnerability Scan, enter the following CLI commands:

  config endpoint-control profile
    edit <profile-name>
      config forticlient-winmac-settings
        set forticlient-vuln-scan {enable | disable}
        set forticlient-vuln-scan-schedule {daily | weekly | monthly}
        set forticlient-vuln-scan-on-registration {enable | disable}
        set forticlient-ui-options {av | wf | af | vpn | vs}
      end
    next
  end

When setting the forticlient-ui-options, you must include all the modules that you want to

enable in the FortiClient console.

WAN Opt and Web Proxy

• Adding URL address type for explicit proxy (currently CLI only) (229215)

Web Filtering

• Add more information to block page replacement message for flow-based web filtering.

(227974)

• WCF/AS communications to FortiManager/FortiGuard using TCP port 80. (215828)

Wireless

• Add 802.11ac support on FOS side (228410, 222567)

• AP management Reorganization. (194194)

User Authentication

• External captive portal - redirect (233315)

New Features in FortiOS v5.2.0 (Beta 1)

FortiOS version numbering changes

• FortiOS firmware version numbering scheme now uses vMajor.minor.patch (label). For

example, this release is v5.2.0 (Beta 4) using the new numbering scheme. (225622)


Dashboard and monitoring improvements (FortiView)

• New FortiView-style dashboard widgets. FortiView integrates realtime and historical

dashboard widgets into a single view that combines both realtime and historical data.

(227156)

• IPsec and SSL VPN Configuration and monitoring Improvements. (148967)

Antivirus

• Antivirus Profile GUI page improvements. (224928)

• Improved flow-based virus scanning catch rate. Flow-based virus scanning uses a new

mode, called full mode. Full mode’s virus catch rate is as good as proxy-based virus scanning,

but with flow-based performance and latency. (216541)

Application Control and IPS

• One-arm sniffer virus scanning now uses a more effective virus scanning engine to improve

virus scanning catch rates and performance. (219507)

• GUI support for configuring rate-based IPS signatures. In any IPS sensor you can turn on a

selected list of rate-based signatures and adjust their Threshold, Duration, Track by setting,

Action and Block duration. In previous versions of FortiOS you had to either accept default

values for these settings or you had to adjust them from the CLI. (220056)

• Inline SSL inspection and support for application control of applications that use the SPDY

protocol. Inline SSL inspection supports flow-based UTM features only. If only flow-based

features are used, SSL inspection is also handled by the IPS engine, so it can leverage

hardware acceleration and the engine’s processing techniques to boost performance.

(222100)

• New replacement messages for Application Control of HTTP-based applications. (224924)

• Extend the functionality of XLP processors to accelerate IPv6 DoS policies. XLP processors

accelerate IPS on FortiGate models such as the FortiGate-5101C. (211082)

User and Device Authentication

• Configuring user and device authentication in firewall policies has been changed. To

configure authentication add users, user groups or device types to a firewall policy. (223766,

22470, 205414, 210791, 191152)

• Support using POP3/POP3S servers for remote server user authentication. Users can

authenticate using any normal authentication method supported by the FortiGate unit. The

FortiGate unit looks up their credentials on a POP3/POP3S server (instead of a remote LDAP

or RADIUS server). (197354)

• New option to limit the maximum number of accounts per guest user portal. (214067)

• RADIUS single sign-on (RSSO) support for IPv6 identity-based policies. (213217)

• RSSO guest user group. Similar to FSSO guest user group. (179915)

• Improve device groups by adding a new printer category and allowing device groups to

reference device categories. (215319)

Endpoint Control

• FortiOS now supports syncing FortiClient registration information between FortiGate units

and VMs running 32-bit and 64-bit versions of FortiOS. Some older FortiGate units run 32-bit

FortiOS. Most new ones and all VMs run 64-bit FortiOS. (197228)


• Turning off the FortiClient Configuration Deployment AntiVirus Protection option disables all

FortiClient antivirus functions on endpoints with FortiClient, including scheduled virus scans

and right-clicking on a file to scan it for viruses. (209419)

• On the FortiGate unit you can create URL filter lists that optionally include wildcards and

regular expressions and use endpoint control to implement them on endpoints with

FortiClient. (191397)

• Improvements to pushing FortiGuard Web Filtering Category settings to endpoints with

FortiClient. (226615)

Firewall

• Dynamic destination NAT using DNS queries. New dns-translation VIP type. The VIP

includes a mapped address range. For any session, the address that is mapped to is

retrieved using a DNS lookup. (190690)

• TCP maximum segment size (MSS) clamping for IPv6 security policies. New policy6

options tcp-mss-sender and tcp-mss-receiver. (223959)

• New options to exempt traffic from SSL deep inspection. You can create exemptions for

FortiGuard categories and for IPv4 and IPv6 firewall addresses and address groups.

(215182)

• Improvements to how the Fortinet bar refreshes after a successful web page logout.

(225558)

• Generate new unique default SSL inspection CA and server certificates the first time they are

required. Previous versions of FortiOS all have the same default CA and server certificates.

This new feature means that they will now be unique on each FortiGate unit. There are some

exceptions, for example in a HA cluster all FortiGate units need the same CA and server

certificates. You can also change them as required for load balancing and other

configurations. (181441)

Existing customers will not be affected by this change. FortiOS will not change the current

defaults on upgrade. But you can use the commands below to generate new ones.

The following command re-generates the default SSL inspection CA certificate.

execute vpn certificate local generate default-ssl-ca

The following command re-generates the default SSL inspection server certificate.

execute vpn certificate local generate default-ssl-serv-key

• Socks proxy UDP support. (225260)

HA

• New diagnose sys ha set-as-master {disable | enable} command. Set to

enable on the cluster unit that you always want to be the primary unit (master). If you set the

command to disable you can include a date and time on which the disable option takes

effect. (212075)

• HA now supports sending log messages and doing SNMP management from the HA

reserved management interface. (186613)

• Support VRRP groups. Include all relevant VRRP IDs and track the VRRP status to force all

the VRRP group members to keep the same state. In this way if one group member changes

state (for example, to BACKUP), all the other members in the same VRRP group will also

change their state to BACKUP. (215454)


IPsec VPN

• New full function IPsec VPN wizard and other improvements to IPsec VPN configuration

web-based manager pages. The new wizard allows you to add all IPSec VPN configuration

objects from the wizard. No need to add IPsec VPN firewall policies. The wizard supports

interface-based IPsec VPN. (132055, 225947)

The following pages have been completely re-written:

• VPN Wizard including read-only tunnel templates (new)

• VPN gateway dialog/auto dialog (merged into vpn edit dialog)

• VPN IPsec Tunnels list page

• IPsec VPN phase 2 quick mode selector source and destination addresses can now be IPv6

firewall addresses and address groups. (133206)

• Add support for EAP authentication for IKEv2 IPsec VPNs. (208939)

• Support RSA certificate groups in IPsec VPN IKE phase 1 configurations. (190522)

• Implemented 3 new authentication methods for IKE as described by RFC 4754: ECDSA-256,

ECDSA-384, ECDSA-521. IKEv1 support requires both sides of the exchange to use the

same auth method. IKEv2 allows them to differ. (206110)

• Add support to IPsec VPN phase1s when IKE mode-cfg is enabled to allow multiple server

IPs to be defined and sent to the client if the client requests attribute 28681. (166524)

• IKEv2 Cookie Notification to prevent state and CPU exhaustion. See RFC 5996, Section 2.6,

IKE SA SPIs and Cookies. When the FortiGate unit detects that the number of half-open

IKEv2 SAs is above the threshold value, to preserve CPU and memory resources the IPsec

VPN dialup server requires all subsequent IKE_SA_INIT requests to include a valid COOKIE

notification payload, which the server sends back to the initiator in response to its first

request; no SA state is created for an initiator until it returns the cookie. (222918)
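The exchange described above, as an added example in Python that is not FortiOS code: a toy responder that models the RFC 5996 section 2.6 mechanism, where Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret). Below the half-open threshold it answers IKE_SA_INIT directly; above it, it answers with a cookie and stores nothing until the initiator repeats its request (same SPIi and Ni, from the same address) carrying that cookie. The threshold value, the secret rotation policy and the SPI, nonce and address byte strings are constructed assumptions; the page does not state FortiOS's threshold or cookie format.

```python
import hashlib
import hmac
import os


class IkeV2Responder:
    """Minimal model of RFC 5996 s2.6 cookie handling on an IKEv2 responder."""

    def __init__(self, half_open_threshold=2):
        # Constructed threshold; FortiOS's real value is not given on this page.
        self.half_open_threshold = half_open_threshold
        self._version = 0
        self._secrets = {0: os.urandom(32)}
        # SPIi values for which an IKE_SA_INIT was answered but IKE_AUTH
        # has not yet completed (the state an attacker tries to exhaust).
        self.half_open = set()

    def rotate_secret(self):
        """Start a new secret; keep the previous one so in-flight cookies still verify."""
        self._version += 1
        self._secrets[self._version] = os.urandom(32)
        self._secrets = {v: s for v, s in self._secrets.items()
                         if v >= self._version - 1}

    def _cookie(self, version, ni, ip_i, spi_i):
        # <VersionIDofSecret> | HMAC(secret, Ni | IPi | SPIi); HMAC stands in
        # for the RFC's generic Hash(... | secret) construction.
        mac = hmac.new(self._secrets[version], ni + ip_i + spi_i,
                       hashlib.sha256).digest()
        return version.to_bytes(2, "big") + mac

    def cookie_required(self):
        return len(self.half_open) >= self.half_open_threshold

    def handle_sa_init(self, spi_i, ni, ip_i, cookie=None):
        """Process one IKE_SA_INIT request.

        Returns ("COOKIE", cookie) when the initiator must retry with a cookie,
        or ("SA_INIT_RESPONSE", None) when the half-open SA has been created.
        """
        if self.cookie_required():
            if cookie is None or len(cookie) < 2:
                return ("COOKIE", self._cookie(self._version, ni, ip_i, spi_i))
            version = int.from_bytes(cookie[:2], "big")
            if version not in self._secrets:
                # Secret already retired: issue a fresh cookie, keep no state.
                return ("COOKIE", self._cookie(self._version, ni, ip_i, spi_i))
            expected = self._cookie(version, ni, ip_i, spi_i)
            if not hmac.compare_digest(cookie, expected):
                # Wrong cookie, or same cookie replayed from another source
                # address: a spoofed initiator cannot get past this point.
                return ("COOKIE", self._cookie(self._version, ni, ip_i, spi_i))
        # Cookie valid (or not required): only now commit per-SA state.
        self.half_open.add(spi_i)
        return ("SA_INIT_RESPONSE", None)

    def handle_auth_complete(self, spi_i):
        """IKE_AUTH finished: the SA is no longer half-open."""
        self.half_open.discard(spi_i)
```

The important property is that every branch that returns "COOKIE" leaves self.half_open untouched: the cost of a spoofed IKE_SA_INIT is one HMAC, not an SA entry, which is exactly what the feature is meant to achieve.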

Logging & Reporting

• Add log messages for Certificate Revocation List (CRL) checking. The FortiGate unit

automatically updates CRL data according to the validation time stored in the CRL or the

configured update-interval, whichever comes first. If the update succeeds, log message

41987 is recorded. If the update fails, log message 41989 is recorded. (176611)

• Disable disk logging for FortiGate-3000 and 5000 series models. (227952)

Routing

• Support of OSPF fast hello. (210964)

• IPv6 Reverse Path Forwarding (RPF) checking. Check source address type and route to the

source address from the incoming interface. If the source address type is invalid or there is

no route to the source address from the incoming interface in the IPv6 routing table, or when

strict-src-check is set and the route is not the best, the packet will be dropped.

(201427)
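The check described above, as an added Python model that is not FortiOS code: a small constructed IPv6 routing table, a source-type check, loose mode that accepts any route to the source via the incoming interface, and strict-src-check mode that accepts only the best route (longest prefix, then lowest distance). The interface names, prefixes and distances are hypothetical, and treating "route from the incoming interface" as any covering route in loose mode is an assumption about the lookup semantics, not a statement from the release notes.

```python
import ipaddress

# Constructed IPv6 routing table: (prefix, outgoing interface, distance).
# Interface names, prefixes and distances are hypothetical.
ROUTES = [
    ("::/0",                "wan1",  10),
    ("2001:db8:1::/48",     "port1", 10),
    ("2001:db8:1:100::/64", "port2", 10),
    ("2001:db8:2::/48",     "port3", 10),
    ("2001:db8:2::/48",     "port4", 20),  # backup path with a worse distance
]
_TABLE = [(ipaddress.ip_network(p), intf, dist) for p, intf, dist in ROUTES]


def _routes_to(src):
    """All routes whose prefix covers the source address."""
    return [(net, intf, dist) for net, intf, dist in _TABLE if src in net]


def _best_route(candidates):
    """Longest prefix wins; among equal prefixes the lowest distance wins."""
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


def rpf_accept(src_text, in_intf, strict_src_check=False):
    """Return True if a packet with this source arriving on in_intf passes RPF."""
    try:
        src = ipaddress.IPv6Address(src_text)
    except ValueError:
        return False
    # Invalid source address types: never a legitimate unicast sender.
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or src.ipv4_mapped is not None):
        return False
    candidates = _routes_to(src)
    if not candidates:
        return False  # no route back to the source at all
    if strict_src_check:
        # Only the best route counts: a worse route via in_intf is not enough.
        return _best_route(candidates)[1] == in_intf
    # Loose: any route back to the source through the incoming interface.
    return any(intf == in_intf for _, intf, _ in candidates)
```

The two 2001:db8:2::/48 entries show the difference the strict-src-check setting makes: a source in that prefix arriving on port4 is accepted in loose mode because a (backup) route exists through port4, but dropped in strict mode because the best route points at port3.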

SSL VPN

• Add replacement messages for SSL VPN host security check. (217743)

• SSL VPN configuration has been changed. SSL VPNs are configured by creating an SSL

VPN interface that includes all SSL VPN settings. Once the interface has been created you

add it to security policies just like any other interface. (205414)


System

• Add IPv6 Geographic IP address database. Correct country flags now appear in reports and

other displays for data about IPv6 addresses. (212135)

• ECDSA certificate support. FortiGate units can import and generate ECDSA certificates.

ECDSA certificates can be used for SSL VPN and HTTPS GUI access. (197950)

• Support Netflow V9.0. (167405)

• Object UUID (RFC 4122) support. Add a UUID attribute to some firewall objects so that log

messages can contain these UUIDs; which are used by FortiManager and FortiAnalyzer.

SHA-1 will be used for hash calculation. (212946)

• Configure ignoring the DF bit and fragmenting IPv4 traffic. (166479)

• Add FortiExtender support to FortiOS. (218132)

• Add FortiGate Traffic Priority (TOS/DSCP) feature. (214151)

• PPPOE support of RFC2516 service and AC name. (213945)

• Increase the maximum number of available VIPs. (217943)

• SNMPv3 AES 256bit support. (166488)

• Add Class of Service (CoS) Support (216290)

• Add min-links support to interface aggregation. (187533)

• Ability to ignore DF bit and fragment IPv4 traffic. (166479)

• Add one option to disable login-time feature. (215274)

• New option added to Administrator Profiles to allow or block access to packet capture

options. (213943)

• Enable autocomplete in the Replacement Message editor. (168804)

WAN Optimization and Explicit Web Proxy

• Move explicit proxy and WAN Optimization policies to a separate configuration path.

(226395)

In Beta 1 you cannot configure WAN Optimization or explicit web proxy policies from the GUI

(web-based manager). GUI support should be added in time for GA. Instead you must use

the following CLI command:

  config firewall explicit-proxy-policy
    edit 0
      set proxy {web | ftp | wanopt}
      etc...

• Added support for authentication IP-blackout for the explicit web proxy. (205706)

• Transparent web proxy. Also called reflect IP or true IP. When enabled, web proxy packets

exiting the FortiGate unit have their source IP address set to the original client source IP

address instead of the IP address of the exiting FortiGate interface. Enable this feature in a

web proxy firewall policy by entering set transparent enable. (209731)

• Support policy based profile to add/remove HTTP headers. (206173)

• To improve explicit web proxy performance, FortiOS now distributes explicit web proxy

processing to multiple CPU cores. By default web proxy traffic is handled by half of the CPU

cores in a FortiGate unit. So if your FortiGate unit has 4 CPU cores, by default two of them

can be used for explicit web proxy traffic. You can use the following command to increase or

decrease the number of CPU cores that are used. (138794)

  config system global
    set wad-worker-count <number>
  end

Where <number> is from 1 to the total number of CPU cores in your FortiGate unit.

GUI (web-based manager) usability changes

• Simplification of Firewall Objects and Security Profiles menu structures. (219151, 157554)

• Use a more sophisticated API for displaying names (for example, application names) in

FortiOS. (204942)

• Cloning, a feature available for easily creating a copy of a configuration object is now

available for more configuration objects. (221971)

• Add the ability to drag objects such as addresses, schedules and profiles between policies

on the policy list. (217610)

• Banned User List improvements. (219310)

• Improve Web-based manager field validation. Also, when an incorrect value is added to a

page retain validated settings instead of requiring them all to be re-added. (191487)

• Add a Search Box on IPS profile and Application List web-based manager pages. (226434)

• Added the ability to display CPU usage, memory usage and new session per second for

each VDOM. The information appears on the VDOM list page. You can use the following

command to get this information from the CLI: diagnose system vd stats (220121)

Web Filtering

• Improvements to HTTPS Web Filtering (without Deep Inspection). (214079)

• New default SSL inspection profile certificate-inspection: Only the SSL handshake is

inspected for the purpose of web filtering. https-url-scan option removed from webfilter

profile. In an SSL inspection profile the SSL inspect-all option and the https status option

now have three states: {disable | certificate-inspection | deep-inspection} . The status option

for the other protocols now uses deep-inspection instead of enabled.

Wifi

• Add WiFi FortiAP spectrum analysis graphs. (217437)

• Wireless Extensions for Spectrum Analysis. (208870)


Supported Models

The following models are supported by FortiOS v5.2.0 (Beta 4) build 564.

FortiGate

FG-20C, FG-20C-ADSL-A, FG-30D, FG-40C, FG-60C, FG-60C-POE, FG-60D, FG-70D,

FG-80C, FG-80CM, FG-90D, FGT-90D-POE, FG-100D, FG-110C, FG-111C, FG-140D,

FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-240D,

FG-280D-POE, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-600C, FG-620B,

FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B,

FG-3240C, FG-3600C, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B, FG-5001C,

and FG-5101C.

FortiWiFi

FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-40C, FWF-60C, FWF-60CM,

FWF-60CX-ADSL-A, FWF-60D, FWF-80CM, FWF-81CM, FWF-90D, and FWF-90D-POE.

FortiGate VM

FG-VM32, FG-VM64, FG-VM64-XEN, FG-VM64-KVM, and FG-VM64-HV

FortiSwitch

FS-5203B


Product Integration and Support

Web browser support

FortiOS v5.2.0 (Beta 4) build 564 supports the latest versions of the following web browsers:

• Microsoft Internet Explorer version 10, 11

• Mozilla Firefox version 28

• Google Chrome version 33

• Apple Safari version 7

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager and FortiAnalyzer support

See the FortiManager and FortiAnalyzer Release Notes.

FortiClient support (Windows, Mac OS X, iOS and Android)

FortiOS v5.2.0 (Beta 4) is supported by the following FortiClient software versions:

• FortiClient (Windows) v5.2.0 (Beta 2)

• Windows 8.1 (32-bit and 64-bit)

• Windows 8 (32-bit and 64-bit)

• Windows 7 (32-bit and 64-bit)

• Windows Vista (32-bit and 64-bit)

• Windows XP (32-bit)

• FortiClient (Mac OS X) v5.2.0 (Beta 2)

• Mac OS X v10.9 Mavericks

• Mac OS X v10.8 Mountain Lion

• Mac OS X v10.7 Lion

• Mac OS X v10.6 Snow Leopard

• FortiClient (iOS) v5.0.2.

• FortiClient (Android) v5.2.0.


FortiAP support

FortiOS v5.2.0 (Beta 4) supports the following FortiAP models:

FAP-11C, FAP-14C, FAP-28C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-221C,

FAP-222B, FAP-223B, FAP-320B, and FAP-320C

The FortiAP device must be running FortiAP v5.0 Patch Release 7 build 0064 or later.

FortiSwitch support

FortiOS v5.2.0 (Beta 4) supports the following FortiSwitch models:

FS-28C, FS-324B-POE, FS-348B, and FS-448B

The FortiSwitch device must be running FortiSwitchOS v2.0 Patch Release 3 build 0018 or later.

FortiOS v5.2.0 (Beta 4) supports the following FortiSwitch-5000 series models:

FS-5003B, FS-5003A

The FortiSwitch-5000 device must be running FortiSwitchOS v5.0 Patch Release 3 build 0020

or later.

FortiController support

FortiOS v5.2.0 (Beta 4) supports the following FortiController models:

FCTL-5103B

The FCTL-5103B is supported by the FG-5001B and FG-5001C. The FortiController device

must be running FortiSwitch-5000 OS v5.0 Patch Release 3 build 0020 or later.

Virtualization software support

FortiOS v5.2.0 (Beta 4) supports the following virtualization software:

• VMware ESX versions 4.0 and 4.1

• VMware ESXi versions 4.0, 4.1, 5.0, 5.1 and 5.5

• Citrix XenServer versions 5.6 Service Pack 2 and 6.0 or later

• Open Source Xen versions 3.4.3 and 4.1 or later

• Microsoft Hyper-V Server 2008 R2 and 2012

• KVM - CentOS 6.4 (qemu 0.12.1) or later

See “About FortiGate VMs” on page 38 for more information.

FAP-221C and FAP-320C

These models are released on a special branch based off of FAP v5.0 Patch Release 6. The

branch point reads 060. The FAP-221C firmware has build number 4049. The FAP-320C

firmware has build number 4050.


Fortinet Single Sign-On (FSSO) support

FortiOS v5.2.0 (Beta 4) is supported by FSSO v4.0 MR3 B0153 for the following operating

systems:

• Microsoft Windows Server 2012 R2

• Microsoft Windows Server 2012 Standard Edition

• Microsoft Windows Server 2008 R2 64-bit

• Microsoft Windows Server 2008 (32-bit and 64-bit)

• Microsoft Windows Server 2003 R2 (32-bit and 64-bit)

• Novell eDirectory 8.8

FSSO does not currently support IPv6.

Other server environments may function correctly, but are not supported by Fortinet.

FortiExplorer support (Microsoft Windows, Mac OS X and iOS)

FortiOS v5.2.0 (Beta 4) is supported by FortiExplorer v2.4 build 1068 or later. See the

FortiExplorer v2.3 build 1052 Release Notes for more information.

FortiOS v5.2.0 (Beta 4) is supported by FortiExplorer (iOS) v1.0.4 build 0118 or later. See the

FortiExplorer (iOS) v1.0.4 build 0118 Release Notes for more information.

The FortiGate-70D has not been fully tested with this version of FortiExplorer.

FortiExtender support

FortiOS v5.2.0 (Beta 4) is supported by FortiExtender models FEX-20B, FEX-100A, and

FEX-100B running FEX v1.0 build 019.

AV Engine and IPS Engine support

FortiOS v5.2.0 (Beta 4) is supported by AV Engine v5.146 and IPS Engine v3.030.

Language support

The following table lists FortiOS language support information.

Table 1: FortiOS language support

  Language                Web-based Manager   Documentation
  English                 yes                 yes
  French                  yes                 -
  Portuguese (Brazil)     yes                 -
  Spanish (Spain)         yes                 -
  Korean                  yes                 -
  Chinese (Simplified)    yes                 -
  Chinese (Traditional)   yes                 -
  Japanese                yes                 -

To change the FortiGate language setting, go to System > Admin > Settings, in View Settings >

Language select the desired language from the drop-down menu.

Module support

FortiOS v5.2.0 (Beta 4) supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card

(FMC), Rear Transition Module (RTM), and Fortinet Storage Module (FSM) removable modules.

These modules are not hot swappable. The FortiGate unit must be turned off before a module is

inserted or removed.

Table 2: Supported modules and FortiGate models

AMC/FMC/FSM/RTM Module | FortiGate Model
Storage Module, 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, FG-5001A
Storage Module, 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Accelerated Interface Module, 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Accelerated Interface Module, 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A, FG-5001A
Accelerated Interface Module, 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A, FG-5001A
Bypass Module, 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Bypass Module, 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Security Processing Module, 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, FG-5001A
Security Processing Module, 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A, FG-5001A
Security Processing Module, 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A, FG-5001A
Security Processing Module, 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A
Rear Transition Module, 10-GbE backplane fabric (RTM-XD2) | FG-5001A
Security Processing Module (ASM-ET4) | FG-310B, FG-311B
Rear Transition Module, 10-GbE backplane fabric (RTM-XB2) | FG-5001A
Security Processing Module, 2x10-GbE SFP+ (FMC-XG2) | FG-3950B, FG-3951B
Accelerated Interface Module, 2x10-GbE SFP+ (FMC-XD2) | FG-3950B, FG-3951B
Accelerated Interface Module, 20xSFP (FMC-F20) | FG-3950B, FG-3951B
Accelerated Interface Module, 20x10/100/1000 (FMC-C20) | FG-3950B, FG-3951B
Security Processing Module (FMC-XH0) | FG-3950B

SSL VPN support

SSL VPN standalone client

FortiOS v5.2.0 (Beta 4) supports the SSL VPN tunnel client standalone installer build 2300 for the following operating systems:

• Microsoft Windows 8.1 (32-bit & 64-bit), 8 (32-bit & 64-bit), 7 (32-bit & 64-bit), and XP SP3 in .exe and .msi formats
• Linux CentOS and Ubuntu in .tar.gz format
• Mac OS X v10.9, 10.8 and 10.7 in .dmg format
• Virtual Desktop in .jar format for Microsoft Windows 7 SP1 (32-bit)

Other operating systems may function correctly, but are not supported by Fortinet.


SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode. Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

Table 3: Supported operating systems and web browsers

Operating System | Web Browser
Microsoft Windows 7 32-bit SP1 | Microsoft Internet Explorer versions 8, 9, 10, and 11; Mozilla Firefox version 26
Microsoft Windows 7 64-bit SP1 | Microsoft Internet Explorer versions 8, 9, 10, and 11; Mozilla Firefox version 26
Linux CentOS version 5.6 and Ubuntu version 12.04 | Mozilla Firefox version 5.6
Mac OS X v10.7 Lion | Apple Safari version 7

SSL VPN host compatibility list

The following tables list the antivirus and firewall client software packages that are supported.

Table 4: Supported Windows XP antivirus and firewall software

Product   Antivirus   Firewall
Symantec Endpoint Protection v11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 5: Supported Windows 7 32-bit and 64-bit antivirus and firewall software

Product   Antivirus   Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Explicit web proxy browser support

The following web browsers are supported by FortiOS v5.2.0 (Beta 4) for the explicit web proxy feature:

• Microsoft Internet Explorer versions 8, 9, 10, and 11
• Mozilla Firefox version 27
• Apple Safari version 6.0
• Google Chrome version 34

Other web browsers may function correctly, but are not supported by Fortinet.


Resolved Issues

This chapter describes issues with FortiOS v5.2.0 (Beta 3 and previous) that have been resolved for FortiOS v5.2.0 (Beta 4). If you would like to see a more complete list of resolved issues for this release, you can request one by emailing [email protected].

Resolved issues from FortiOS v5.2.0 (Beta 3)

The following issues from FortiOS v5.2.0 (Beta 3) have been resolved for FortiOS v5.2.0 (Beta 4).

Upgrade

• Customized charts lost in default layout after upgrade to 5.2.0 Beta 3. (236568)

Wanopt & Webproxy

• Webcache only runs on a single CPU in multi-CPU platforms. (228488)

Other resolved issues in FortiOS v5.2.0 (Beta 4)

HA

• Duplicates in the HA global checksum trigger an out-of-sync state. (231808)

Firewall

• Adding multi-VDOM admin overrides trusted host restrictions on ping. (235944)

• One Way audio with SIP ALG. (231678)

• SSL worker is utilizing high CPU when deep scanning is enabled. (223330)

SSL VPN

• Cannot log into the SSL VPN web portal after deleting a VLAN/policy and then configuring the same VLAN/policy again. (236992)
• SSL VPN is restarted, along with all user sessions, every time an updated CRL is downloaded. (237009)

System

• SCP configuration restore command syntax is not consistent with the backup command. (237009)
• The restriction on dots in interface names when issuing a packet capture has been removed. (233289)

SSL-related

• OpenSSL in FortiOS is affected by CVE-2014-0160 (Heartbleed). (237976)


Known Issues

This chapter lists some known issues with FortiOS v5.2.0 (Beta 4) build 564.

Known issues with FortiOS v5.2.0 (Beta 4)

• Application control cloud-based signatures do not appear. (239938)

Known issues from FortiOS v5.2.0 (Beta 3)

The following were known issues in FortiOS v5.2.0 (Beta 3) that continue to be known issues in FortiOS v5.2.0 (Beta 4).

Upgrade

• The application control signature categories File.Sharing and Special have been removed but are still visible on the GUI. (237471)

Web-based Manager

• When configuring a FortiAP profile from the GUI, the list of Bands is incorrect. (237464)

Workaround: Use the CLI to configure the correct Band.

Known issues from FortiOS v5.2.0 (Beta 2)

The following were known issues in FortiOS v5.2.0 (Beta 2) that continue to be known issues in FortiOS v5.2.0 (Beta 4).

Web-based Manager

• FortiView History views are only available for FG-100D and above (1U appliances and above). This is by design. (232664)

Known issues from FortiOS v5.2.0 (Beta 1)

The following were known issues in FortiOS v5.2.0 (Beta 1) that continue to be known issues in FortiOS v5.2.0 (Beta 4).

Antivirus

• On some low-end FortiGate models, the new full-mode flow-based antivirus scanning mode cannot use the extended antivirus database. (223258)


Web Filtering

• If you change a policy from proxy-based Web Filtering to flow-based Web Filtering, users who receive HTTPS traffic may see an invalid certificate error message in their web browser. This happens because proxy-based and flow-based HTTPS web filtering generate their CA certificates differently, so the issuer the browser has already trusted no longer matches the one signing the inspected connection. (227441)

Workaround: This issue is rare and will not be fixed. It should only happen if the policy is changed while it is processing traffic. Users need to delete the CA certificate in their browsers and accept the new certificate.


Appendix A: About FortiGate VMs

FortiGate VM model information

Five different FortiGate VM models are available, each with different levels of support for some key features.

Table 6: FortiGate VM model

Support Feature                 VM-00      VM-01      VM-02      VM-04      VM-08
Virtual CPUs                    1          1          1 or 2     1 to 4     1 to 8
Virtual Network Interfaces      2 to 10    2 to 10    2 to 10    2 to 10    2 to 10
Memory Requirements             1 GB       2 GB       4 GB       6 GB       12 GB
Storage                         30 GB to 2 TB (all models)
VDOMs                           1          10         25         50         250
CAPWAP Wireless Access Points   32         32         256        256        1024
Remote Wireless Access Points   32         32         256        256        3072

For more information see the FortiGate VM product datasheet available on the Fortinet web site, http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-VM01.pdf.

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following VM environments:

VMware

• .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Xen

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source Xen.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix Xen Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.


Hyper-V

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file fortios.vhd in the Virtual Hard Disks folder, which can be added to Hyper-V Manager manually.

KVM

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains a qcow2 image that can be used by qemu.

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.
• FortiGate VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD
  • OVF
• The XVA format comes pre-configured with default settings for VM name, virtual CPU, memory, and virtual NIC. Other formats require manual configuration before the first power-on.

Open Source Xen limitations

When using Ubuntu version 11.10, Xen version 4.1.0, and libvirt version 0.9.2, import problems may arise when using the QCOW2 format, and existing HDA issues remain.
