FortiOS v5.0.0 GA Release Notes - NVC


November 01, 2012

01-500-184150-20121101

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are

registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks

of Fortinet. All other product or company names may be trademarks of their respective owners.

Performance metrics contained herein were attained in internal lab tests under ideal conditions,

and performance may vary. Network variables, different network environments and other

conditions may affect performance results. Nothing herein represents any binding commitment

by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the

extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a

purchaser that expressly warrants that the identified product will perform according to the

performance metrics herein. For absolute clarity, any such warranty will be limited to

performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in

full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise

this publication without notice, and the most current version of the publication shall be

applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]

Table of Contents

Change Log
Introduction
    Supported models
    FortiGate
    FortiWiFi
    FortiGate Virtual Machine
    FortiSwitch
    Supported virtualization software
    Summary of enhancements
    FortiOS v5.0.0 GA
    FortiGuard override
Special Notices
    General
    Important
    Monitor settings for Web-based Manager access
    Before any upgrade
    After any upgrade
    WAN Optimization
    SSL-VPN web portal
    MAC address filter list
    Spam Filter profile
    Spam Filter Black/White List
    DLP rule settings
    ID-based firewall policy
    SSL deep-scan
    FortiGate 100D upgrade and downgrade limitations
Upgrade Information
    Upgrading from FortiOS v5.0.0 beta release 7
    Reports
    Upgrading from FortiOS v4.0 MR3
    Table size limits
    SQL logging upgrade limitation
    Downgrading to previous FortiOS versions
Product Integration and Support
    Supported web browsers
    Fortinet Single Sign-On (FSSO) support
    FortiExplorer support (Windows/Mac OS X)
    FortiExplorer support (iOS)
    AV Engine and IPS Engine support
    FortiAP support
    Module support
    SSL-VPN support
    SSL-VPN standalone client
    SSL-VPN web mode
    SSL-VPN host compatibility list
    Explicit Web Proxy browser support
Resolved Issues
    AntiVirus
    Client Reputation
    Device Visibility
    ELBC
    Email Filter
    Endpoint Control
    Firewall
    FortiCarrier
    FortiGate VM
    High Availability
    IPsec VPN
    IPS
    Log & Report
    Routing
    SSL
    SSL-VPN
    System
    Upgrade
    VoIP
    Vulnerability
    WAN Optimization & Web Proxy
    Web-based Manager
    Web Filter
    WiFi
Known Issues
    Client Reputation
    Device Visibility
    Firewall
    High Availability
    IPsec VPN
    Log & Report
    SSL-VPN
    System
    Web-based Manager
    Upgrade
Limitations
    Add Device Access List
Image Checksum

Change Log

Date Change Description

2012-11-01 Initial release.

2012-11-02 Removed the following bugs: 185835, 185898, 186086, 187229, 184515, 186237, 186471, 187153, 183471, 180589, 187241, 184651, 186743, 187117, 187238, 174780, 175445, 182014, 183818, 187001, 187124. Updated screen shot on page 15. Removed FG-3600A from table 3.

2012-11-07 Added a note to the summary of enhancements.

2012-11-14 Updated WAN Optimization special notice.

2012-11-22 Minor updates. No content has been added.

2012-12-28 Minor updates. No content has been added.

2013-01-04 Removed references to Xen virtualization software support.


Introduction

This document provides a summary of new features, support information, installation

instructions, integration, resolved and known issues in FortiOS v5.0.0 GA build 0128.

Supported models

The following models are supported on FortiOS v5.0.0 GA.

FortiGate

FG-20C, FG-20C-ADSL-A, FG-40C, FG-60C, FG-60C-PoE, FG-80C, FG-80CM, FG-100D,

FG-110C, FG-111C, FG-200B, FG-200B-PoE, FG-300C, FG-310B, FG-310B-DC, FG-311B,

FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B,

FG-3040B, FG-3140B, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B, and

FG-5101C.

FortiWiFi

FWF-20C, FWF-20C-ADSL-A, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A,

FWF-80CM, and FWF-81CM.

FortiGate Virtual Machine

FG-VM32 and FG-VM64.

FortiSwitch

FS-5203B

Supported virtualization software

The following virtualization software is supported on FortiOS v5.0.0 GA.

• vSphere 4.0, 4.1, and 5.0

See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v5.0.0 GA.


Summary of enhancements

FortiOS v5.0.0 GA

The following is a list of enhancements in FortiOS v5.0.0 GA. Not all features/enhancements listed below are supported on all models.

• Ability to disable the console login

• Ability to set up RADIUS-based SSO (RSSO) using RADIUS Accounting from the Web-based Manager

• Added the Carrier feature to Virtual Machine with the new license model

• Added csum comparison support for FortiClient configuration distribution

• Added custom Application Control and IPS Signatures

• Added a download widget and history widget to the SSL-VPN portal

• Add Endpoint Control to the FG-40C/FWF-40C

• Added FortiClient advertisement option in Endpoint Control profile

• Added IPv6 IPS support to XLP firmware

• Added NAT/Route Device device type/category

• Added Web-based Manager support for multicast policy and multicast address

• Added the option to format the boot device before a firmware update

• Added the option to log to a FortiManager

• Added support for Web Filter quota streaming

• Added support for GTP monitor mode

• Add text to the help/logout icons in SSL-VPN portal

• Additional pre-defined service groups: Web Access and Email Access

• Additional columns for the session list

• Allow setting a more general source filter after more specific filters

• Allow a virtual domain (VDOM) link to link transparent VDOM with NAT/Route VDOM

• AntiVirus and Web Filter Web-based Manager updates

• Application Control and IPS Web-based Manager improvements

• ARIA encryption support

• auth-lockout parameter was added to enable the authentication lockout function in non-FIPS-CC mode

• Auto-IPsec restricted to desktop platforms

• Automatic reboot after kernel panic

• Automatic Rogue AP suppression

• Automatic TX power adjustment to prevent co-channel interference

• Better support for long hostnames in the CLI prompt

• Block botnet and phishing connections

• Bridge VLAN tagged local bridging SSID with physical port

• BYOD: Added replacement message for BYOD device capture portal and SIP User-Agent scanning support

• BYOD: Endpoint Profile updates

• BYOD: FortiClient Endpoint profile

• BYOD: Phase 1 of the Bring Your Own Device feature set implemented

• BYOD: WiFi device monitor and enforcement

• CAPWAP data channel DTLS encryption support

• Central management configuration improvement

• Charts for search phrase

• Citrix agent support for Single Sign-On (SSO)

• CLI options to hide WAN Optimization and explicit proxy

• Click-able icon on FortiAP

• Client load balancing support (frequency handoff and AP handoff)

• Client reputation

• Client reputation in sniffer mode

• Configuration wizard included for all 1U models

• Consolidate IPS and vulnerability management services

• Content type scanning by FortiGuard category

• Corporate ID for endpoint registration and configuration deployment

• Cost column added to the OSPF Web-based Manager

• Create new IPsec site-to-site and dial up tunnels directly from the policy page

• Create short-cut or blocking entry using switch access control list

• Data Leak Prevention (DLP) filter improvements

• Dedicated interface for FortiAP

• Device based license for FortiCloud

• DFS support for Japan

• DFS channel support for FortiWiFi

• DHCPv6 relay

• DHCP and WiFi Web-based Manager clean-up

• Display options on Web-based Manager to show and hide certificates

• Display threat information from FortiGuard Encyclopedia

• DLP watermarking

• DNS service profile

• DOS policy improvements

• Dynamic comment field

• Dynamic profile redesign - HA synchronization component

• Dynamically cost of lag interface

• ELBCv3 enhancements

• ELBCv3 support for the FG-5101C

• Enable unit operation widget on FG-600C, FG-800C, and FG-1000C

• Endpoint control client installers

• Endpoint control feature enhancements

• Enhanced drill-down reports


• Enhanced SNMP based device monitoring

• Enhanced soft-switch feature: hardware switching

• Evasion attacks exploiting file-parsing vulnerabilities in AntiVirus products

• Explicit proxy and SSL decryption

• Explicit proxy integration with IPS and Application Control

• Extend SIP helper for MSRP support

• Facetime support

• Factory license feature

• Fake AP detection

• FortiCloud account activation

• FCCK header extended to include app signature version and vulnerability scan engine version

• Flow-based Web Filter support for replacement message in HTTPS Web Filter

• FortiAP Web-based Manager

• FortiCarrier GTP extensions (Top3 #1390, #1413)

• FortiCarrier logging Improvements

• FortiClient limits in v5.0 (Endpoint Control)

• FortiClient registration password enforcement

• FortiClient ubiquitous authentication

• FortiCloud report pages and status widget updates

• FortiExplorer for iPhone (USB-A)

• FortiGate AAA

• FortiGuard DDNS

• FortiGuard license updates - DNS and dashboard changes

• FortiGuard message service

• Fortinet redundant UTM protocol (FRUP) on FG-100D

• Fortinet Single Sign-On (FSSO) polling enhancement

• FortiOS Apache web server upgrades

• FS-5203B inter-chassis HA support (A-P mode only)

• FortiToken soft token support

• GeoIP override

• Generalized TTL Security Mechanism (GTSM) support (RFC 5082)

• Global FortiGuard server override

• Global view menu implementation

• GTP profile name character limit increased to 63 characters

• Guest access provisioning

• Guest management feature enhancements

• Web-based Manager lite implementation

• HTTP-only authentication over HTTPS channel

• Increased default SSL-VPN worker number

• Increased limit on SSID to 64 for FG-100D and above

• Increased limit on URL filter, Web Profile, Group Profile, and Policy

• Increased VDOM limit on the FG-1000C and FG-1240B from 100 to 250


• Increased Router Policy limit

• IP fragment and NAT enhancements

• IP Pool fixed port range

• IPsec IKEv2 IDr is now configurable

• IPS/Application Control improvement

• IPS signatures clean-up

• IPS engine improvements

• IPv6 explicit proxy

• IPv6 MIBs

• IPv6 NAT: NAT66, NAT64, DNS64

• IPv6 Per-IP shaper

• IPv6 policy routing

• IPv6 route sync and BGP6 support to ELBCv3

• IPv6 session offloading and IPv4 trap session offloading

• IPv6 session pickup in HA mode

• IPv6 SSL proxy IPS inspection

• JSON API for token support

• LACP support on the FS-5203B

• Local bridge added to the FortiAP

• Local bridging SSID

• Local-in policy logging

• Log message organization

• Log search performance improved and SQL log database reduced

• Log speed improved

• Log viewer improvements

• Low end model feature updates (HA/Packet-Capture/AV-Quarantine/IPS-ETDB)

• Low end platform feature matrix

• MAC address logging

• MAC tunnel client included in the FortiOS firmware image

• Managed FortiAP context menu improvements

• Management port restriction on the FG-100D

• Maximum user authentication timeout value increased to 24 hours

• Messaging Application Programming Interface (MAPI) content scan

• Medium severity added to default IPS sensor

• Merge new AV engine v5

• Merge BGP AS-Path rewrite

• Merged Endpoint Control profile updates

• Merged FTCL-5103B related FortiOS side support

• Merged FS-5203B and content cluster solution

• Merged IPS Engine version 2

• Merged NPI branch for the FG-100D

• Merge UTM incidents into traffic log

• Move device identification options to Interface page


• Multicast policy enhancement (CLI)

• Multi-VDOM admin

• NAT64 acceleration (XLR/XLP)

• NAT64 in kernel/NP6

• NAT64 high availability (HA)

• Network visibility: destination hostname and geographic visibility

• Network visibility: user visibility

• New address type: Network Service

• New CLI command to set factory default except VDOM/interface settings

• New functionality added to FortiOS v4.0 MR3 based FIPS-CC branch

• New OID for HA master/slave status

• New setup wizard design

• NP4 accelerate inter-VDOM traffic

• One-arm sniffer improvement

• One-arm URL filtering

• Option to control show/hide replacement message groups

• Option to restrict the number of IP addresses that can be leased to the same MAC address

• OSPF6 support same link types as OSPF(IPv4)

• PDF report improvements

• Performance improvement by moving data path from user daemon to kernel

• Per VDOM and global limits on guest user accounts

• Policy edit merge

• Policy list enhancement

• Pre and post login warning message for the admin log in

• QoS support for traffic between the controller and FortiAP

• RADIUS-based SSO revision - added a new RSSO user group and renamed the dynamic profile to RSSO

• RADIUS override support for multiple VDOM administrators

• Real-time geography updates

• Real-time sessions widget feature

• Rename DoS policy on the Web-based Manager

• Reorganized service items

• Restriction to virtual IP (VIP) on specific interfaces

• RF analysis feature

• RNG/RBG driver improvements

• Search engine configuration

• Secure OTP seed import

• Separate DoS policy from interface policy

• Set DHCP options to get TFTP server IP and config file name to restore the configurations

• Setting added to always drop fragmented packets and then log the action

• Simple VPN setup support added

• Simplify FG-20C, FWF-20C, FG-40, and FWF-40C

• SIP enhancements to add the original IP address in the SIP message header after NAT


• SIP over TLS inspection

• Sniffer improvements

• SNMP extensions for BGP

• SNMP implementation for Intelligent Platform Management Interface (IPMI) sensor

• SNMP trap for FortiAP or FortiSwitch up/down event

• Soft token activation feature added

• Some embedded JavaScript using SharePoint should not be rewritten through the SSL Web portal

• Support Sprint U602 3G/4G USB adapter, consolidate it with LTE support

• Support update for IPS XLR/XLP engine

• SSH handover support

• SSL CA certificate selection moved to each UTM proxy options

• SSL deep-scan configuration improvements

• SSL inspection support for IPS and Application Control

• SSL inspection performance improvements

• SSL-VPN authentication high availability (HA) failover support

• SSL-VPN extensions

• SSL-VPN Web-based Manager extensions

• SSO support for FTP and SMB added under SSL-VPN

• Standalone management VDOM

• Submit files detected as suspicious by AV engine to a FDS public server via email

• Supply FQDN in the captive portal

• Support Bidirectional Forwarding Detection (BFD) static neighbor

• Support cache-cookie option to set web cache behavior on cookie

• Support Citrix feature by FSSO module

• Support configuration from iOS devices through USB interface

• Support configuration synchronization in standalone mode

• Support DHCP Client for IPv6 addresses

• Support DHCP servers on the VDOM-link interface

• Support dynamic data chunking for WAN Optimization byte cache

• Support dynamic-profile for SSH proxy

• Support for adding X-Forwarded-Proto for SSL offload half mode

• Support for asymmetric traffic flows improvements

• Support Fortinet bar for standard web proxy/SSL proxy/Explicit proxy

• Support for IKE to bind to loop-back interface

• Support for secondary/backup remote authentication server

• Support for Softbank 3G modem 004z (ZTE WCDMA Technologies MSM)

• Support for new FAP-112B, FAP-223B, and FAP-320B

• Support for FG-5101C and FG-5103B

• Support GPRS tunneling protocol version 2 (GTPv2)

• Support HTTPS offload and HTTPS cache features

• Support Internet Content Adaptation Protocol (ICAP) in explicit Web Proxy

• Support IPS for IPv6 forwarding policy


• Support network visibility features for Client Reputation

• Support an option on the FortiClient side to not sync configuration with the FortiGate

• Support per VLAN MTU setting

• Support RADIUS-based SSO

• Support server probes and remote request response in http-get and ping

• Support SMS contract activation

• Support SSH inspection

• Support SSL-VPN push configuration of DNS suffix

• Support SSO Polling Mode from FortiGate directly

• Support Spanning Tree Protocol (STP) for FortiGate Switch Mode interfaces

• Support user-based authentication

• Support user-based policy for FSSO

• Support Virtual Switch

• Support WAN Optimization and content scan in a single VDOM

• Support WAN Optimization per policy

• Switch access control list (ACL) short-cut extension

• Switch interfaces/interface list improvements

• Switch port extensions

• Token import feature on Web-based Manager

• Translate multicast frames to unicast frame

• Update Analytics widget

• User and Device menu

• UTM email filter feature improvements

• Virtual Hardware-Switch Improvements for FG-100D

• Visibility: new dashboard widgets

• VPN case for FortiClient registration and authentication

• WCCP L2 mode

• Web-based Manager filtering improvements

• Web-based Manager for IPv6 policy routing

• Web-based Manager interface clean up

• Web-based Manager options added for SSL-VPN, personal bookmarks, simplified routing, and DLP

• Web-based Manager performance improvements

• Web-based Manager support for NP4 inter-VDOM links

• Web-based Manager support for standalone management VDOM

• Web Cache extensions

• WIDS Management flood detection

• WiFi Bridge SSID with physical port

• WiFi client mode usability improvements

• WiFi client mode usability back-end support

• WiFi encryption support

• WiFi improvements

• WiFi mesh support


• Wireless client load balance

• Wireless Intrusion Detection Systems (WIDS) support

• Wireless Sniffing support

• Wireless SSO

• XG2 Load Balance with DoS protection

• Yandex search engine safe search support

FortiGuard override

The Use FortiManager for All FortiGuard Communication option, under Admin > Central Management, allows the FortiGuard servers to be directed to the FortiManager. When enabled, all features communicate only with the FortiGuard servers provided by the FortiManager. See Figure 1.

Figure 1: FortiGuard Override Enable


Special Notices

General

The TFTP boot process erases all current firewall configuration and replaces it with the factory

default settings.

Important

Monitor settings for Web-based Manager access

Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for

all the objects in the Web-based Manager to be viewed properly.

Before any upgrade

Save a copy of your FortiGate unit configuration (including replacement messages) prior to

upgrading.

After any upgrade

If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate

to ensure the Web-based Manager screens are displayed properly.

The Virus and Attack definitions included with an image upgrade may be older than ones

currently available from Fortinet's FortiGuard Distribution Server. Fortinet recommends

performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) as soon

as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for

detailed procedures.

WAN Optimization

In FortiOS 5.0, WAN Optimization is enabled in security policies and WAN Optimization rules are

no longer required. Instead of adding a security policy that accepts traffic to be optimized and

then creating WAN Optimization rules to apply WAN Optimization, in FortiOS v5.0.0 you create

security policies that accept traffic to be optimized and enable WAN Optimization in those

policies. WAN Optimization is applied by WAN Optimization profiles which are created

separately and added to WAN Optimization security policies.

SSL-VPN web portal

Only one SSL-VPN web portal is retained upon upgrading to v5.0.0 GA. If a web portal does not exist after the upgrade, the web portal configuration associated with it in a policy is not retained.


MAC address filter list

The mac-filter command under the config wireless-controller vap setting is not

retained upon upgrading to v5.0.0 GA. It is migrated into both config user device and config user device-access-list setting.

Spam Filter profile

The spam filter profile has been changed in v5.0.0 GA. The spam-emaddr-table and

spam-ipbwl-table have been merged into the spam-bwl-table. The spam-bwl-table

exists in the spam filter profile.

Spam Filter Black/White List

The config spamfilter emailbwl and config spamfilter ipbwl are combined into

config spamfilter bwl.

DLP rule settings

The config dlp rule CLI command is removed in v5.0.0 GA. The DLP rule settings have

been moved to inside the DLP sensor.

ID-based firewall policy

Unlike in FortiOS v4.0 MR3, an ID-based firewall policy does not use destination addresses.

Workaround

Re-arrange the sequence of the firewall policies that are below the identity-based policy. If any firewall policy below the identity-based policy has the same source as the identity-based policy, that policy will not be hit. Move those firewall policies above the identity-based policy.
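
The ordering check described in this notice, as an added example (not Fortinet code and not part of the release notes): it parses a saved v4.0 MR3-style policy table and lists the policies that sit below an identity-based policy with the same source, so they can be reviewed before upgrading. Assumptions: the sample configuration is constructed, the backup is single-VDOM, file order is the policy sequence, and "same source" means the same srcintf/dstintf pair with srcaddr names covered by the identity-based policy.

```python
import shlex

# Constructed sample in FortiOS CLI syntax (not taken from the release notes).
SAMPLE_CONFIG = '''\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-users"
        set dstaddr "web-servers"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "staff"
                set service "ANY"
            next
        end
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-users"
        set dstaddr "update-servers"
        set action accept
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "printers"
        set dstaddr "all"
        set action accept
    next
    edit 4
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "lan-users"
        set dstaddr "all"
        set action accept
    next
end
'''


def tokenize(line):
    """Split one CLI line; fall back to whitespace if quotes are unbalanced."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def parse_policies(text):
    """Return the top-level 'config firewall policy' entries in file order."""
    policies, current, depth, in_table = [], None, 0, False
    for raw in text.splitlines():
        tokens = tokenize(raw)
        if not tokens:
            continue
        word = tokens[0]
        if word == "config":
            depth += 1
            if depth == 1:
                in_table = tokens[1:] == ["firewall", "policy"]
        elif word == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                in_table = False
        elif in_table and depth == 1:  # rows of nested sub-tables are skipped
            if word == "edit":
                current = {"id": int(tokens[1])}
            elif word == "next" and current is not None:
                policies.append(current)
                current = None
            elif word == "set" and current is not None and len(tokens) > 1:
                current[tokens[1]] = tokens[2:]
    return policies


def shadowed_policies(policies):
    """List (identity_policy_id, lower_policy_id) pairs that need re-ordering."""
    findings = []
    for i, ident in enumerate(policies):
        if ident.get("identity-based") != ["enable"]:
            continue
        ident_src = set(ident.get("srcaddr", []))
        for lower in policies[i + 1:]:
            same_path = (ident.get("srcintf") == lower.get("srcintf")
                         and ident.get("dstintf") == lower.get("dstintf"))
            lower_src = set(lower.get("srcaddr", []))
            # Assumption: compare address object names only; "all" covers any source.
            covered = "all" in ident_src or (lower_src and lower_src <= ident_src)
            if same_path and covered:
                findings.append((ident["id"], lower["id"]))
    return findings


if __name__ == "__main__":
    for ident_id, lower_id in shadowed_policies(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {lower_id} is below identity-based policy {ident_id} "
              f"with the same source: move it above policy {ident_id}")
```

Address objects are compared by name only, so overlapping subnets defined under different names still need a manual review.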

SSL deep-scan

SSL Deep-scan configuration improvements.

Before upgrade

• The AntiVirus, Web Filter, and Antispam profiles had separate protocol settings for the SSL

and non-SSL protocols.

• For HTTPS deep-scanning to be done, deep-scan needed to be enabled for HTTPS in the

UTM proxy options.

After upgrade

• The settings for the SSL protocols in the AntiVirus, Web Filter, and Antispam profiles have been removed. Instead, the non-SSL options will apply to both the SSL and non-SSL versions of each protocol. The UTM proxy options now include an enable/disable for each protocol. This is used to control which protocols are scanned and which SSL enabled protocols are decrypted.

• To use HTTPS non-deep (SSL handshake) inspection, HTTPS needs to be enabled in the

UTM proxy options. A Web Filter profile with https-url-scan enabled needs to be applied in

the policy with the UTM proxy options. The Web Filter profile option changes the inspection

mode to non-deep scan. AV will not be performed if this option is enabled. The Web Filter

profile option does not apply if SSL inspect-all is enabled in the UTM proxy options.

Behavior

• After upgrade, all the SSL related settings in the AntiVirus, Web Filter, and Antispam profiles will be lost. The non-SSL settings will be retained and applied to the related SSL protocols if they are enabled in the UTM proxy options. The protocol status in the UTM proxy options will default to enable for the non-SSL protocols and will default to disable for the SSL protocols. The UTM proxy options should be modified to enable the SSL protocols wherever inspection is required.

• Any profiles requiring non-deep HTTPS inspection will need to be modified to include a Web Filter profile and UTM proxy options with the settings as described above. The original HTTPS deep-scan settings will be lost upon upgrade.

FortiGate 100D upgrade and downgrade limitations

With the release of FortiOS v5.0.0 GA and later, the FortiGate 100D will run a 64-bit version of FortiOS. This has introduced certain limitations on upgrading firmware in a high availability (HA) environment and on downgrading.

When performing an upgrade from a 32-bit FortiOS version to a 64-bit FortiOS version and the FortiGate 100Ds are running in a HA environment with the uninterruptable-upgrade option enabled, the upgrade process may fail on the primary device after the subordinate devices have been successfully upgraded. To work around this situation, users may disable the uninterruptable-upgrade option to allow all HA members to be successfully upgraded. Without the uninterruptable-upgrade feature enabled, several minutes of service unavailability are to be expected.

Downgrading a FortiGate 100D from FortiOS v5.0.0 GA is not supported due to technical limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to downgrade firmware is by using the TFTP server and BIOS menu to perform the downgrade. In this case the configuration will need to be restored from a previously backed up version.


Upgrade Information

Upgrading from FortiOS v5.0.0 beta release 7

FortiOS v5.0.0 GA build 0128 officially supports upgrade from FortiOS v5.0.0 beta release 7 build 0105.

Reports

Before you run a report after upgrading to v5.0.0 GA, you must enter the following CLI commands on the console:

    execute report-config reset
    This will reset report templates to the factory default.
    All changes to the default report will be lost!
    Do you want to continue? (y/n)y
    Report configuration was reset to the factory default.

    execute report recreate-db
    This will recreate the report database from the log database.
    Do you want to continue? (y/n)y
    Request to recreate report database is successfully sent.

Upgrading from FortiOS v4.0 MR3

FortiOS v5.0.0 GA build 0128 officially supports upgrade from FortiOS v4.0 MR3 Patch Release 10 or later.

Table size limits

FortiOS v5.0.0 GA has changed the maximum allowable limits on some objects. As a result, the configuration for some objects may be lost. These include:

• dlp sensor

• firewall vip

• application list

• dlp sensor filter

• ips sensor

For more information, see the Maximum Values Table for FortiOS 5.0 at http://docs.fortinet.com.


SQL logging upgrade limitation

After upgrading to FortiOS v5.0.0 GA, the following units retain SQL logs based on the total size of the RAM available on the device. Logs use up to a maximum of 10% of the RAM. Once that threshold is passed, new logs start to overwrite the older logs. Historical report generation is also affected, based on the SQL logs that are available for query.

FG-100D, FG-300C

Downgrading to previous FortiOS versions

Downgrading to previous FortiOS versions results in configuration loss on all models. Only the following settings are retained:

• operation modes

• interface IP/management IP

• route static table

• DNS settings

• VDOM parameters/settings

• admin user account

• session helpers

• system access profiles.


Product Integration and Support

Supported web browsers

• Microsoft Internet Explorer 8 and 9

• Mozilla Firefox 15.0 and 16.0

• Google Chrome 22.0

Fortinet Single Sign-On (FSSO) support

FortiOS v5.0.0 GA is supported by FSSO v4.0 MR3 build 0128 for the following:

• Microsoft Windows Server 2003 R2 32-bit

• Microsoft Windows Server 2003 R2 64-bit

• Microsoft Windows Server 2008 32-bit

• Microsoft Windows Server 2008 Server 64-bit

• Microsoft Windows Server 2008 R2 64-bit

• Novell eDirectory 8.8.

IPv6 currently is not supported by FSSO.

FortiExplorer support (Windows/Mac OS X)

FortiOS v5.0.0 GA is supported by FortiExplorer 2.0.1022.

FortiExplorer support (iOS)

FortiOS v5.0.0 GA is supported by FortiExplorer v1.0.3.0109.

AV Engine and IPS Engine support

FortiOS v5.0.0 GA is supported by AV Engine 5.00032 and IPS Engine 2.00043.

FortiAP support

FortiOS v5.0.0 GA supports the following FortiAP models:

FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and FAP-320B

The FortiAP device must be running FortiAP v5.0.0 build 0021 or later.


Module support

FortiOS v5.0.0 GA supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage Module (FSM) removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before the module is inserted or removed.

Table 1: Supported modules
AMC/FMC/FSM/RTM Modules | FortiGate Platform
Storage Module: 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, and FG-5001A
Storage Module: 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, and FG-3951B
Accelerated Interface Module: 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, and FG-5001A
Accelerated Interface Module: 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A and FG-5001A
Accelerated Interface Module: 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A and FG-5001A
Bypass Module: 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, and FG-5001A
Bypass Module: 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, and FG-5001A
Security Processing Module: 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, and FG-5001A
Security Processing Module: 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A and FG-5001A
Security Processing Module: 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A and FG-5001A
Security Processing Module: 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A
Rear Transition Module: 10-GbE backplane fabric (RTM-XD2) | FG-5001A
Security Processing Module (ASM-ET4) | FG-310B and FG-311B
Rear Transition Module: 10-GbE backplane fabric (RTM-XB2) | FG-5001A

Table 1: Supported modules (continued)
AMC/FMC/FSM/RTM Modules | FortiGate Platform
Security Processing Module: 2x10-GbE SFP+ (FMC-XG2) | FG-3950B and FG-3951B
Accelerated Interface Module: 2x10-GbE SFP+ (FMC-XD2) | FG-3950B and FG-3951B
Accelerated Interface Module: 20xSFP (FMC-F20) | FG-3950B and FG-3951B
Accelerated Interface Module: 20x10/100/1000 (FMC-C20) | FG-3950B and FG-3951B
Security Processing Module (FMC-XH0) | FG-3950B

SSL-VPN support

SSL-VPN standalone client

FortiOS v5.0.0 GA supports the SSL-VPN tunnel client standalone installer build 2276 for the following:

• Windows in .exe and .msi format

• Linux in .tar.gz format

• Mac OS X 10.7 in .dmg format

• Virtual Desktop in .jar format for Windows 7.

Table 2: Supported operating systems
Windows | Linux | Mac OS X
Windows 7 32-bit | CentOS 5.6 | Mac OS X 10.7 (Lion)
Windows 7 64-bit | |
Virtual Desktop Support | |
Windows 7 32-bit Service Pack 1 | |

SSL-VPN web mode

The following table lists the browsers and operating systems supported by SSL-VPN web mode.

Table 3: Supported browsers and operating systems
Operating System | Browser
Windows 7 32-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12
Windows 7 64-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12
CentOS 5.6 | Firefox 3.6
Mac OS X 10.7 (Lion) | Safari 5.1

SSL-VPN host compatibility list

The following tables list the AntiVirus and Firewall client software packages that are supported.

Table 4: Supported Windows XP AntiVirus and Firewall software
Product | AntiVirus | Firewall
Symantec Endpoint Protection v11
Kaspersky AntiVirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 5: Supported Windows 7 32-bit and 64-bit AntiVirus and Firewall software
Product | AntiVirus | Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security

Table 5: Supported Windows 7 32-bit and 64-bit AntiVirus and Firewall software (continued)
Product | AntiVirus | Firewall
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Explicit Web Proxy browser support

The following browsers are supported by the Explicit Web Proxy feature:

• Internet Explorer 8 and 9

• Mozilla Firefox 15.0 and 16.0

Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Support.

AntiVirus

Table 6: Resolved antivirus issues
Bug ID | Description
181320 | AV-failopen setting will cause the FortiGate not to scan any traffic on boot.
185428 | Critical remote code execution vulnerability in AV UPX parsing.

Client Reputation

Table 7: Resolved client reputation issues
Bug ID | Description
176289 | Cannot enable client reputation on identity based policy.
179375 | Client reputation cannot track DoS critical attack.

Device Visibility

Table 8: Resolved device visibility issues
Bug ID | Description
179298 | Cannot enable device-identification on transparent mode interface.
180043 | Wrong device number in device host-type-summary.
183568 | device-access-list name under interface does not reflect the change of a changed device-access-list name.

ELBC

Table 9: Resolved ELBC issues
Bug ID | Description
179754 | Web-based Manager widgets break configuration sync and may lead to traffic outage.
182248 | ELBC service group worker report failed to find log info error when a new blade joins.

Table 9: Resolved ELBC issues (continued)
Bug ID | Description
185986 | ELBC-CC failover console HA error message should not apply.
185996 | FortiGate slave worker failed to sync with master FS-5203B on ELBC content cluster mode.

Email Filter

Table 10: Resolved email filter issues
Bug ID | Description
172296 | Email subject encoding is not converted correctly to UTF-8 when adding a spam tag.
173123 | FortiGate cannot encode additional UTF-8 tags to mail subject properly.
174918 | Arabic mixed with not-Arabic font for email attachment are not inspected. The MIME parser is not correctly decoding.
184739 | Email file pattern filter does not work correctly.

Endpoint Control

Table 11: Resolved endpoint control issues
Bug ID | Description
182563 | Convert FortiGate application control action reset to Block on FortiClient.

Firewall

Table 12: Resolved firewall issues
Bug ID | Description
163000 | Flow-AV does not work on SMB version2 protocol.
164367 | Proxyworker crashed with signal 7.
174196 | Traffic shaper not functioning correctly.
176209 | SSL proxy rewrites server certificate for explicit FTPS connection even if FTPS is disabled in AntiVirus profile.
178111 | IKE IPv6 session is set to block after bringing down the interface of its peer.
178403 | Flow-based spam over SMTP-SSL, POP3-SSL, IMAP-SSL detected by proxy.
179410 | Scan extra data sent with mail MIME body.
181982 | Central-NAT cannot be configured in transparent mode.
182570 | Should not add the AntiVirus group in iprope if there is no AntiVirus profile enabled.

Table 12: Resolved firewall issues (continued)
Bug ID | Description
182581 | FTPS failed to get file when AntiVirus is enabled.
182694 | The SIP feature of geo-redundancy does not work.
182735 | UTM inspect-all does not work.
183869 | Expiry time failures.
183870 | SSL deep scan does not support TLSv1.1 causing a handshake failure.
184582 | FG-3140B IPv6 throughput extremely low.
184675 | Sessions not passing traffic until reset.

FortiCarrier

Table 13: Resolved FortiCarrier issues
Bug ID | Description
181977 | Mass_mmsd daemon keeps crashing and message processing is very slow.

FortiGate VM

Table 14: Resolved FortiGate VM issues
Bug ID | Description
166725 | Update VM license purchase link.
182923 | FG-VM00 should not have 10 VDOMs.

High Availability

Table 15: Resolved high availability issues
Bug ID | Description
177382 | HA failed to sync between a FG-5101C and FS-5203B in content cluster mode.
179226 | End user had to re-login on SSL-VPN web mode when HA failover occurs.
180732 | New slave failed to sync with master when the master has no SSL-VPN tunnel address configuration.
180794 | HA Split Brain occurs when error detected on FSM Module.
181271 | HATALK daemon consumes 99% CPU utilization.
181455 | When rebooting the standby device, the master device is affected.
181539 | FS-5203B and FG-5001B failed in configuration sync.

Table 15: Resolved high availability issues (continued)
Bug ID | Description
181574 | VLAN interface MAC is not updated when underlying aggregate/redundant MAC changes.
181972 | FG-5101C report cannot sync configuration with master's in ELBC content cluster mode.
182154 | Factory reset device cannot sync with master due to replacement messages in a multi-VDOM environment.
182307 | Session is lost and marked as dirty after primary unit fails back from initial fail-over.
185621 | Traffic is not load balanced to slave under device_based firewall policy in HA active-active mode without UTM enabled.

IPsec VPN

Table 16: Resolved IPsec VPN issues
Bug ID | Description
168263 | It would be better to make IPsec offloading work without the need of setting local gateway.
178175 | Incorrect Proxy ID quick mode selector after renaming an IPsec phase2 interface.
182576 | IPsec VPN fails to delete IPsec SA in IPV6 mode.

IPS

Table 17: Resolved IPS issues
Bug ID | Description
178598 | Fix IPS daemon crash after deleting 500 VDOMs.
183251 | CMDB crash when create/delete interface-policy.

Log & Report

Table 18: Resolved log & report issues
Bug ID | Description
143357 | Email subject in Japanese gets garbled in Log and Archive Statistics.
162847 | Add Web-based Manager upload log schedule option.
169701 | Disk log exceeds maximum limit 10885MB on FG-100D.
175311 | Cannot restore report to default and message pops up.
177666 | Log is not shown for multiple-IM entries in application control.

Table 18: Resolved log & report issues (continued)
Bug ID | Description
180585 | Sqldb crashed with signal 11.
181190 | Failed to display log when log disk is full.
181270 | execute log upload should be available under VDOM when override fortianalyzer is store-and-upload.
181981 | Log disk usage can exceed its quota.
182103 | Missing source IP and destination IP value and app field in some local traffic log.
182477 | AntiVirus archive writes the wrong status in log.
182934 | Disk-logging performance decreased a lot than build 0094.
184024 | Add new log field client_rep_score to traffic log.

Routing

Table 19: Resolved routing issues
Bug ID | Description
174884 | Change OSPF interface cost causes OSPF neighbor to re-establish.
183537 | OSPFv2 slow convergence for Summary/Type-3 routes.

SSL

Table 20: Resolved SSL issues
Bug ID | Description
182056 | User less remained Framed-IP prevent the RADIUS authentication.

SSL-VPN

Table 21: Resolved SSL-VPN issues
Bug ID | Description
150271 | SSL-VPN web mode does not handle SWF Flash methods.
172878 | Changing the SSL-VPN portal page layout from single-column to double-column does not take effect.
175196 | SSL-VPN Web mode connection issues to devices using SSH version 2.
177429 | FortiOS did not resolve FQDN to IP before setting SSL split-tunnel route on FortiClient.
180589 | SSL-VPN Java applet (version 10.7.x) does not work with Mac OS X.

Table 21: Resolved SSL-VPN issues (continued)
Bug ID | Description
183019 | LDAP user fails to login to SSL-VPN with certain group match enabled.
183101 | Java 1.7.0_07 does not work in SSL-VPN web mode in Firefox.
183794 | The Host Check function did not properly validate the client's system when running the periodic Host Check set for 300.
184054 | sslvpn cert setting change cannot take effect when under stress.
185404 | Remote web access portal upload hanged intermittently.
185455 | sslvpnd daemon memory is leaking under stress test.
185658 | sslvpnd daemon high CPU usage.

System

Table 22: Resolved system issues
Bug ID | Description
150030 | FWF-60CM mounted modem's flash disk which confused FortiOS.
163523 | Newly created VLAN interface should be down in FIPS-CC mode.
169464 | A lot of config-error-log errors after full configuration restored from USB drive or Web-based Manager.
171083 | Change Dynamic Start RADIUS server setting, does not take effect. Need to restart the radiusd daemon.
171206 | Table size updates.
171771 | Low session sync performance on ELBCv3.
171927 | FortiGate DHCP server cannot provide IP as per IP/mac binding list if the IP is changed.
172738 | Should disable email when enabling batch guest account creation.
173755 | Remove dynamic profile implementation.
176951 | No DoS attack log when XG2 is in NPU-Cascade mode.
177365 | Cannot update the FG-5101C image from ELBC master's Web-based Manager.
177500 | Disabled user's authentication action is not logged.
179150 | Console print out error message when enabling AV quarantine from Web-based Manager.
179544 | Keep RSSO RADIUS server parameter name consistency.
179729 | Default profile 11n-only is missing after factory reset.

Table 22: Resolved system issues (continued)
Bug ID | Description
180108 | No alert-email for firewall authentication failure event.
180111 | No alert-email for configuration change event.
181756 | Explicit proxy performance improvement of NTLM authentication.
181780 | The command execute interface dhcp6client-renew cannot work well after clearing lease on server.
182379 | Unable to handle kernel NULL pointer.
182508 | Error message on CLI when enabling FIPS-CC.
182718 | CLI create guest group should not allow set email disable when user-id is email.
183048 | Cannot activate FortiToken for FortiGate FIPS-CC mode.
183180 | FIPS-CC mode FortiGate cannot restore image from flash.
183527 | Some time zone values are wrongly set.
183586 | IPS database fails to update to extended version.
183706 | Enable Carrier license on FG-5101C.
183983 | ICMPv6 packets which are too big are being scanned and dropped.
184733 | FortiGate reboots with kernel dump message.
184906 | Snmpd daemon consumes all available UNIX socket descriptors and subsequently crashes.
185434 | Software switch does not pass traffic after reboot.
186458 | Add two more factory default profiles.

Upgrade

Table 23: Resolved upgrade issues
Bug ID | Description
167806 | SQL databases have errors and need to be rebuilt after upgrading from v4.0 build 0525.
171746 | Fingerprint sensor becomes credit card sensor after upgrade from build 0637 to build 0099.
176129 | DLP cannot change sensors which contain filter and rule properly after upgrade from build 0637 to build 0099.
176199 | DLP sensor log-only action becomes none action after upgrading.
176807 | FW protocol option client reputation has no entries after upgrading from build 0632.

Table 23: Resolved upgrade issues (continued)
Bug ID | Description
179185 | After upgrading from v4.0 MR3 build 0637 to v5.0.0 build 0091, the Flow Based Web Filter profile become proxy-based.
181631 | FWF-60C upgrade to build 0101 reports decode VDOM license key.
181691 | Address lost in multicast policy after upgrading from v4.0 MR3 Patch Release 10 to v5.0.0 build 0102.
182787 | The setting of specific groups on remote server for user group is lost after upgrading from v4.0 MR3 Patch Release 9 build 0637 to v5.0.0 build 0105.
182977 | Sqldb process consumes 99% CPU after upgrading from v4.0 MR3 Patch Release 10 to build 0105.

VoIP

Table 24: Resolved VoIP issues
Bug ID | Description
180504 | No audio on incoming call to PBX which has call forwarding enabled.

Vulnerability

Table 25: Resolved vulnerability issues
Bug ID | Description
179219 | Buffer overflow on lrat search string in URL causes the httpsd daemon to crash.
182590 | A memory corruption vulnerability in /system/network/intfchange URL.
182830 | FortiGate Web-based Manager cmdb memory corruption when access URL /api/cmdb?request=AA.
182839 | FortiGate Web-based Manager intfchange secip parameter memory corruption.
185425 | FortiGate Web-based Manager Web Filter remote memory corruption vulnerability.

WAN Optimization & Web Proxy

Table 26: Resolved WAN Optimization & web proxy issues
Bug ID | Description
172949 | For the warning/authentication of Web Filter, could not automatically enter the correct URL for HTTPS service.
182246 | Explicit proxy ignores configured geographic IPs in proxy policy.

Table 26: Resolved WAN Optimization & web proxy issues (continued)
Bug ID | Description
182618 | SSL Deep Scan randomly invokes in explicit proxy mode with web content filtering enabled.
182964 | Fix WAD crash when cache object is invalidated by HTTP POST.

Web-based Manager

Table 27: Resolved Web-based Manager issues
Bug ID | Description
118058 | Cannot filter policy on count field.
144187 | Updates to access profile configuration.
153342 | Password change capability is different between CLI and Web-based Manager.
160433 | Editing a redundant interface and aggregate interface failed sometimes.
161433 | Server refused to allocate pty.
162511 | Cannot test connectivity for overridden FortiAnalyzer from Web-based Manager.
163787 | Increase sample size and rate for traffic history widget.
164359 | Web-based Manager shows improper icmpcode when ICMP custom service is configured as unset icmpcode.
165403 | IPv6 Implicit policy incorrectly displayed and managed through Web-based Manager.
165588 | Suggest display link status for virtual-switch member on unit operation widget.
168073 | Cannot batch create After first login Expire type user from Web-based Manager description.
170171 | Web-based Manager cannot edit and delete custom Chinese firewall service and service group.
170212 | Row highlighting incorrect on replacement message list.
170615 | New/edit firewall policy is too slow.
171459 | The local-in policy is not correctly shown on Internet Explorer 9 when VDOMs are enabled.
171695 | FG-40C should remove Virtual Domain from session monitor column setting.
172096 | Response error when set dlp sensor action to quarantine user.
172642 | Change switch mode message should follow FortiGate switch interface name.

Table 27: Resolved Web-based Manager issues (continued)
Bug ID | Description
174120 | Some Web-based Manager pages can only take 63 characters of comment even 255 is listed.
174266 | The httpsd daemon crashed when opening some monitor pages by accessing FortiGate with IPv6.
174830 | The change mode button should be removed since FG-20C only supports switch mode.
174983 | Transparent mode, IPsec vpn policy can not select vpn tunnel.
175445 | Web-based Manager policy page shows SSID for Zone interface.
175765 | TACACS+ server test function does not work on the Web-based Manager.
175917 | The policy page shows an extra option with Profile Group enabled on policy.
176364 | Web-based Manager has a problem to disable secondary-IP for VLAN interface. (Build 0099)
176422 | XSS Vulnerability in Report Sections.
176658 | MAC address shall be able to added back when alias is set for a device in BYOD
177114 | VPN Tunnel names with an '&' sign can not be edited or deleted.
178138 | It takes a long time to display historical System Resource widget.
178202 | Display issue on address group page when the names of address members are too short.
178746 | Discover Assets icon should be removed from Vulnerability Scan Definition page
178900 | Need to increase the comment field size to 1024 for policy.
179093 | Traffic shaper cannot be disabled in firewall policy at top level.
179959 | Web-based Manager should support VLAN interface for device identification.
180040 | A device can not be deleted from the Web-based Manager when no alias for this device.
180120 | Top destination IP address click session remove will display more destination IP related sessions.
180196 | Under interface mode, packet capture function does not work on internal interface.
180222 | Alias in BYOD shall be editable on Web-based Manager.
181307 | Suggest Top Sessions by Source Address widget also include geographic location information.
181361 | Top widgets in Dashboard shows No matching entries found.

Table 27: Resolved Web-based Manager issues (continued)
Bug ID | Description
182006 | Clock in wizard does not display the current time and the time is not changed when changing time zone.
182019 | The right-click drop-down menu keeps loading.
182193 | FortiToken can not be edited and deleted on the Web-based Manager.
182218 | Firewall policy count is always zero though there are a lot of traffic goes through.
182318 | WiFi interface is missing SSID in policy list page and interface alias.
182402 | The Create New button does not work on DLP sensor page.
182621 | XSS vulnerability on several of the column filter value.
182623 | Web-based Manager is not refreshed after applying log filter.
182685 | Lost enhanced black background color on selected log entry after edit column selector.
182750 | Replacement message page can not be displayed, received an 500 Internal Server Error.
182859 | XSS vulnerability on FortiManager Send request string.
182908 | Implicit deny policy is not shown.
184262 | Incompatible information between widget and device page in BYOD.
184570 | FortiGate Web-based Manager global_res many parameter memory corruption.
184732 | FortiGate Web-based Manager VDOM memory corruption.
185100 | The default switch-vlan interface entry is missing.
185604 | Unable to create VLAN interfaces on soft switch interface using the Web-based Manager.
185764 | Change display for FortiToken Mobile in License Information widget.
186175 | FortiGate Web-based Manager Web Filter move remote memory corruption vulnerability.

Web Filter

Table 28: Resolved web filter issues
Bug ID | Description
165236 | When FortiManager responds with a rating value 140, the FortiGate will deal with the category as unrated(rating value=0).
171296 | When the Web Filter service is expired, the FortiGate should not provide the Web Filter service again.

Table 28: Resolved web filter issues (continued)
Bug ID | Description
180243, 182744, 163974, 180245 | Remove FortiGuard disable option from Web Filter profile.
181059 | In the Flow-based mode, the replacement message page could not be displayed for HTTPS when a website is blocked.
181654 | Fortinet Top Bar does not show Application Block and Web Quota messages.
182794 | The action of authentication does not work due to an authd daemon crash.
182802 | The feature per-user-bwl sometimes does not work.
182804 | When enabling per-user-bwl in Web Filter and disabling per-user-bwl in Global, the FortiGate will block all websites.

WiFi

Table 29: Resolved WiFi issues
Bug ID | Description
152811 | Hide local-radio wtp entry on client-mode FortiWiFi.
160588 | Many client-deleted-by-wtp events occur before the WiFi client is connected.
167332 | VirtualAP interface should be created automatically when a VDOM is created.
168185 | Cannot de-authenticate the WiFi guest provision account.
177347 | Global wlac -c scan-clr-all cannot clear non-root VDOM scan results.
177422 | Problem with HP slate tablet relate to 802.11n MSDU frame aggregation.
179090 | FortiAP stops beaconing after enabling Auto TX power adjustment.
179466 | Change unset band result to empty string and the default value.
180028 | Wireless Single Sign-On (WSSO) does not work.
180602 | FWF-40C (Client mode) cannot connect to FortiWiFi AC if channel changed except reboot it or wait for over 10 minutes.
181005 | A cw_acd daemon crash was observed in the crash log when running v4.0 MR3 Patch Release 7 build 0535 or v4.0 MR3 Patch Release 9 build 0637.
181124 | The wtp-profile max-supported-mcs value should be adjusted according to platform type.
181283 | Client-mode FortiWiFi still connected to access point even after deleting WiFi-network entries when disable auto-connect.
181802 | Allow XSS characters in WiFi SSID names.
181978 | SSID with 32 characters cannot work on FortiWiFi and FortiAP.

Table 29: Resolved WiFi issues (continued)
Bug ID | Description
182619 | Disable VDOM change for SSID.
182678 | One SSID stops working, other is fine. A reboot will fix the issue.
182824 | Client-mode FortiWiFi can not connect access point steady with static_ip mode.
182901 | Client mode unable to connect to SSID.
182956 | WSSO cannot work with Captive-Portal VAP.
183262 | WSSO user list duplicate entries if the same group was selected in two more id-policies.
183713 | VirtualAP mac-filter should be removed.

Known Issues

The known issues listed below do not list every bug that has been reported with this release. For inquiries about a particular bug, please contact Customer Service & Support.

Client Reputation

Table 30: Known client reputation issues
Bug ID | Description
184496 | Client reputation cannot track visiting local category.

Device Visibility

Table 31: Known device visibility issues
Bug ID | Description
186257 | Block message does not work on WiFi devices when using the device detection portal in BYOD.

Firewall

Table 32: Known firewall issues
Bug ID | Description
186588 | DLP, AV, and Web Filter do not always work when inspect-all is enabled.
187123 | The address field in a policy is not set when that address is set not to show.
187131 | A change to the member of service group does not take effect on a policy immediately.
187699 | Under the Policy > Policy > Policy Web-based Manager page, drag and drop re-ordering of firewall policies under Global View is unsupported. Cut and copy is supported under Global View.

High Availability

Table 33: Known high availability issues
Bug ID | Description
169215 | Cannot send slave log to FortiCloud.
185628 | Part of session info is not synced correctly under HA Active-Active mode when Device_based FW policy is configured.
185656 | Sessions cannot pickup in HA environment under Device_based firewall policy.

187090 Slave log cannot send to FortiAnalyzer when first forming HA.

187091 The master device does not forward slave's log to FortiAnalyzer.

IPsec VPN

Table 34: Known IPsec VPN issues

Bug ID Description

184503 IPsec VPN wget file over 3M fail when set keylife-type kbs and NP4 enable.

Log & Report

Table 35: Known log & report issues

Bug ID Description

161048 When schedule is set to weekly, Traffic History by Bandwidth/Sessions are empty.

185209 A traffic log is generated when utm-incident-traffic-log and log-traffic are both disabled.

185949 No IPS incidents in traffic log, thus report and client reputation do not have related charts.

185952 The PDF content will show empty content page.

186808 Report has wrong categories in the default charts.

187003 No invalid log for failed connection attempt cause fail to track related client reputation.

187078 Illegal character in neighbor-event log causes Web-based Manager parse error.

SSL-VPN

Table 36: Known SSL-VPN issues

Bug ID Description

182464 SSL-VPN tunnel widget does not work in web mode portal in Windows 8 Internet Explorer 10.

System

Table 37: Known system issues

Bug ID Description

170385 Unable to link at 1000full on all ports for FG-5001B.

185580 FortiGate should be in pending state when switching account from old account.

185909 The FG-111C switch works abnormally in FortiOS v5.0.0 GA.

Web-based Manager

Table 38: Known Web-based Manager issues

Bug ID Description

174503 Multiple bookmark widgets will be created during creating multiple bookmarks in one category.

180451 Select multiple policies does not work well.

183288 Cannot create central NAT entries from Web-based Manager.

183482 Missing archive tab in ips log gui.

185173 FWF-20C build 0114 wizard page LAN + WiFi Setting display Invalid IP Range message incorrectly.

185359 Failed to create a SSL-VPN policy on Wizard because sslvpn-portal is not set.

185390 Profile Protocol Options is set to default when creating identity-based IPv6 firewall policy.

185482 Web-based Manager does not fully support IPV6 device based policy.

186197 Wizard may become empty or stuck after Time Zone page on some platforms.

187083 Mobile token in activated status has provision in right click menu incorrectly.

187129 Device based policy page behaves abnormally with Internet Explorer 9.

187826 With some specific wildcard address, the Web-based Manager firewall address page can not be loaded.

Upgrade

Table 39: Known upgrade issues

Bug ID Description

187104 After upgrading from v4.0 MR3 Patch Release 10, NTLM ID based policy does not work.

Limitations

This section outlines the limitations in FortiOS v5.0.0 GA.

Add Device Access List

If the device-access-list has its default action set to deny, you need to explicitly define a device in order to allow it to work.

For instance,

config user device
    edit "win"
        set mac 01:02:03:04:05:06
    next
end

config user device-access-list
    edit "wifi"
        set default-action deny
        config device-list
            edit 1
                set action accept
                set device "windows-pc" <-------------the predefined device-category
            next
            edit 2
                set action accept
                set device "win" <-------------the custom device
            next
        end
    next
end

As a result, the predefined device-category in entry 1 will not get access. Only the custom device in entry 2 will be able to get access.


Image Checksum

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file name including the extension, and select Get Checksum Code.

Figure 2: Customer Service & Support image checksum tool
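The checksum returned by the tool is only useful once it is compared against the file that was actually downloaded. The following is an added example, not part of the original release notes or of any Fortinet tooling: a Python check that hashes a local image in chunks and compares the result with the value pasted from the checksum page. The file name and file contents in demo() are constructed placeholders.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

_MD5_HEX = re.compile(r"[0-9a-f]{32}")


def normalize_checksum(pasted: str) -> str:
    """Clean up a checksum copied from the web page (whitespace, upper case)."""
    value = "".join(pasted.split()).lower()
    if not _MD5_HEX.fullmatch(value):
        raise ValueError("expected 32 hexadecimal characters for an MD5 checksum")
    return value


def md5_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash the image in chunks so a large firmware file is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, published_checksum: str) -> bool:
    """True only if the local file hashes to the published checksum."""
    expected = normalize_checksum(published_checksum)
    return hmac.compare_digest(md5_of_file(path), expected)


def demo() -> dict:
    """Run the check on a constructed stand-in file (not a real firmware image)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "EXAMPLE-image.out"    # hypothetical file name
        image.write_bytes(b"constructed sample image contents\n" * 1000)
        published = md5_of_file(image).upper()     # stands in for the site's value
        intact = verify_image(image, "  " + published + "\n")
        with open(image, "ab") as handle:          # simulate a corrupted download
            handle.write(b"\x00")
        corrupted = verify_image(image, published)
    return {"intact": intact, "corrupted": corrupted}


if __name__ == "__main__":
    print(demo())
```

Run verify_image() against the downloaded file before uploading it to the device; a False result means the download should be discarded and repeated.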

End of Release Notes
