FortiOS v401 Release Notes

FortiGate Multi-Threat Security System
Release Notes
v4.0.1
01-401-84420-20090402
Release Notes
FortiOS v4.0.1
Table of Contents
1 FortiOS v4.0.1.....................................................................................................................................................1
2 Upgrade Information...........................................................................................................................................2
2.1 Upgrading from FortiOS v3.00 MR6/MR7................................................................................................2
3 Downgrading to FortiOS v3.00..........................................................................................................................5
4 Fortinet Product Integration and Support..........................................................................................................6
4.1 FortiManager Support.................................................................................................................................6
4.2 Fortinet Server Authentication Extension (FSAE) Support........................................................................6
4.3 AV Engine and IPS Engine Support...........................................................................................................6
4.4 SSL-VPN Client Support............................................................................................................................6
5 Resolved Issues in FortiOS v4.0.1.....................................................................................................................7
5.1 Command Line Interface (CLI)..................................................................................................................7
5.2 Web User Interface.....................................................................................................................................7
5.3 System.........................................................................................................................................................8
5.4 High Availability.........................................................................................................................................9
5.5 Router........................................................................................................................................................10
5.6 Firewall.....................................................................................................................................................10
5.7 Web Filter..................................................................................................................................................10
5.8 Data Leak Prevention................................................................................................................................10
5.9 Voice Over IP (VoIP)................................................................................................................................10
5.10 Application Control.................................................................................................................................11
5.11 VPN.........................................................................................................................................................11
5.12 WAN Optimization.................................................................................................................................12
5.13 Endpoint Control.....................................................................................................................................12
5.14 VOIP.......................................................................................................................................................13
5.15 Log & Report..........................................................................................................................................13
5.16 FSAE.......................................................................................................................................................13
6 Image Checksums.............................................................................................................................................14
Change Log
Date
2009-04-02
Change Description
Initial Release.
Copyright 2009 Fortinet Inc. All rights reserved.

Release Notes FortiOS v4.0.1
Trademarks
Copyright 2009 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinets internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.
Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com
April 2, 2009
Release Notes
FortiOS v4.0.1
1 FortiOS v4.0.1
This document outlines resolved issues of FortiOSTM v4.0.1 B0098 firmware for the Fortinet FortiGate Multi-threat Security System.
Please reference the full version of the FortiOS v4.0.0 release notes for new features and known issues. The following outlines the
release status for several models.
Model
FortiOS v4.0.1 Release Status
FGT-30B, FGT-50B, FGT-50B-HD, FWF-50B, FGT-60B, FWF-60B, FGT-100A,

FGT-110C, FGT-200A, FGT-224B, FGT-300A, FGT-310B, FGT-400A, FGT-500A,
FGT-620B, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-3016B, FGT-3600,
FGT-3600A, FGT-3810A, FGT-5001, FGT-5001A, FGT-5001-FA2, and FGT-5005-FA2
All models are supported on the

regular v4.0.1 branch.
Please visit http://docs.forticare.com/fgt.html for additinal documents on FortiOS v4.0 release.
April 2, 2009
2 Upgrade Information
2.1 Upgrading from FortiOS v3.00 MR6/MR7
FortiOS v4.0.1 officially supports upgrade from the most recent Patch Release in MR6 or MR7. See the upgrade path below. The
arrows indicate "upgrade to".
[MR6]
The upgrade is supported from FortiOS v3.00 B0673 Patch Release 4 or later.
MR6 B0673 Patch Release 4 (or later)
v4.0.1 B0098
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[MR7]
The upgrade is supported from FortiOS v3.00 B0733 Patch Release 2 or later.
MR7 B0733 Patch Release 2 (or later)
v4.0.1 B0098
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[Log Settings Changes]
In FortiOS v4.0.1, the option to configure rule under 'config log trafficfilter' has been removed, therefore any related
configuration is lost upon upgrading from FortiOS MR6 to FortiOS v4.0.1.
[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v4.0.1 to match the port names on the face plate. After upgrading
from FortiOS MR6 to FortiOS v4.0.1, all port names in the FortiGate configuration are changed as per the following port mapping.
Old port names before upgrading
New port names after upgrading
port1
mgmt1
port2
mgmt2
port3
port1
port4
port2
port5
port3
port6
port4
port7
port5
port8
port6
port9
port7
port10
port8
port11
port9
port12
port10
port13
port11
port14
port12
port15
port13
port16
port14
port17
port15
port18
port16
Note: After the release of FortiOS v3.00 MR6 firmware a new revision of the FGT-3016B included a name change to two ports on the
left side of the faceplate. Previously, they were labeled 1 and 2. Now they are called MGMT 1 MGMT 2. However, the BIOS still
refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.
[System Settings]
In FortiOS v4.0.1, the p2p-rate-limit setting under 'config system settings' has been removed, therefore any
related configuration is lost upon upgrading from FortiOS MR6/MR7 to FortiOS v4.0.1.
[Router Access-list]
All configuration under 'config router access-list' may be lost after upgrading from FortiOS v3.0.0 MR6/MR7 to
FortiOS v4.0.1.
[Identity Based Policy]
Firewall policy authentication has been reworked in FortiOS v4. Any firewall policy that requires authentication is now known as an
Identity Based Policy. Previously, a separate authentication firewall policy had to be created for different schedules, services, and
traffic shaping settings but in FortiOS v4 all firewall authentication settings are configured in the Identity Based Policy section of a
firewall policy. If no traffic matches any of the Identity Based Policies, the traffic is subjected to an implicit DENY ALL. For
example:
In FortiOS v3.00 MR6/MR7
config firewall policy
edit 1
set action accept
set groups grp1 grp2
set service HTTP
...
next
edit 2
set action accept
set service TELNET
next
...
end
After upgrading to FortiOS v4.0.1
edit 1
set action accept
set identity-based enable
config identity-based-policy
edit 1
set service HTTP
next
end
next
edit 2
set action accept

set service TELNET
end
next
In FortiOS v4.0.1, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of Identity Based Policy. To
correct the behaviour, you must move the non-Identity Based Policy (TELNET policy) above the Identity Based Policy.
Reorganized policy in FortiOS v4.0.1
edit 2
set action accept
set service TELNET
next
edit 1
set action accept
set identity-based enable
config identity-based-policy
edit 1
set service HTTP
next
end
next
end
[IPv6 Tunnel ]
All configuration under 'config system ipv6-tunnel' may be lost after upgrading from FortiOS v3.0.0 MR7 to FortiOS
v4.0.1.
[User Group]
In FortiOS v3.00 a protection profile can be assigned to an user group from web UI, but in FortiOS v4.0 it can only be assigned from
CLI.
[Zone Configuration]
In FortiOS v3.00 a Zone name could be upto 32 characters but in v4 it has changed to upto 15 characters. Any Zone names in FortiOS
v3.00 with more than 15 characters will be lost after upgrading to FortiOS v4.0.1.
[IPv6 Vlan Interfaces]
Vlan interface with ipv6-address configured will be lost after upgrading from FortiOS v3.00 to FortiOS v4.0.1.
[FDS Push-update Settings]
The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS
v4.0.1.
[Content Archive Summary]
The content archive summary related configuration will be lost after upgrading to FortiOS v4.0.1.
[RTM Interface Configuration]
Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0.1, the RTM interface and some of the configuration that uses RTM objects are
not retained. In FortiOS v3.00, RTM objects used upper-case letters, such as "RTM/1". FortiOS v4.0.1 uses lower-case letters for
RTM objects.
[HA IPSec Session Pickup]
When upgrading from FortiOS MR6 to FortiOS v4.0.1, the IPSec sessions are not pickedup.
3 Downgrading to FortiOS v3.00

Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:
1.
2.
3.
4.
5.
6.
7.
8.
operation modes
interface IP/management IP
route static table
DNS settings
VDom parameters/settings
admin user account
session helpers
system access profiles
4 Fortinet Product Integration and Support

4.1 FortiManager Support
FortiOS v4.0.1 is supported by FortiManager v4.0.1.
Note: FortiOS v4.0.1 is not supported by FortiManager v4.0.0 due to issues (93131, 94056) in FortiManager v4.0.0.
4.2 Fortinet Server Authentication Extension (FSAE) Support

FortiOS v4.0.1 is supported by FSAE v3.00 B040 (FSAE collector agent 3.5.040) for the following:
32-bit version of Microsoft Windows 2003 Server

Novell E-directory 8.8.
IPv6 currently is not supported by FSAE.
4.3 AV Engine and IPS Engine Support

FortiOS v4.0.1 is supported by AV Engine 3.00011 and IPS Engine 1.00119.
4.4 SSL-VPN Client Support

FortiOS v4.0.1 supports the SSL-VPN tunnel client standalone installer B2012 for the following:
Windows in .exe and .msi format

Linux in .tar.gz format
Mac OS X in .dmg format
Virtual Desktop in .jar format for Windows XP and Vista
5 Resolved Issues in FortiOS v4.0.1

The resolved issues section does not list every bug that has been fixed with this release. For inquires about a particular bug, contact
Customer Support.
5.1 Command Line Interface (CLI)

Description: 'diagnose autoupdate versions' command does not show correct contract information for AS Rule Set and
AS Engine.
Bug ID: 91430
Status: Fixed in v4.0.1.
Description: "set ip" command should not be available when interface is set to DHCP mode.
Bug ID: 91360
Description: Setting max-lines value under 'config log memory global-setting' close to maximum may cause error
messages on console and in some cases may freeze the console.
Bug ID: 91445
Description: Output of 'get system interface physical' does not show duplex setting for some interfaces.
Bug ID: 91223
5.2 Web User Interface

Description: FortiGate web UI response is slow when adding a large number of VIPs.
Bug ID: 91757
Description: Firewall > Policy web UI page does not load up properly when language is set to Traditional Chinese.
Bug ID: 91492, 91591, 91595
Description: SSL-VPN TELNET applet window is too small and cannot be resized.
Bug ID: 91042
Description: When editing UTM > Data Leak Prevention > Compound rule the Add/Delete icon sometimes disappears.
Bug ID: 91449
Description: Web UI for FortiGate unit running FOC firmware image should display 'FortiCarrier' instead of 'FortiGate' label on the
header.
Bug ID: 90902
Description: Firewall > Policy web UI page does not translate "User Authentication Disclaimer" option correctly in Traditional
Chinese language.
Bug ID: 92576
Description: User cannot edit VDOM resources from the web UI when HA is enabled and maximum number of VDOMs exist.
Bug ID: 91456

Description: When WAN Opt. > Monitor web UI page is refreshed, all page settings are reset to default.
Bug ID: 90479
5.3 System
Description: VDOM administrators does not have permission to run sniffer command on dialup VPN interfaces.
Bug ID: 91037
Description: Traffic passed by the FortiGate may occasionally exceed outbandwith limit set on an interface.
Bug ID: 91510
Description: During FortiGate bootup the 'subnet overlap' setting is not checked and overlap subnets are always allowed.
Bug ID: 86786
Description: Unexpected error messages are printed on console after rebooting FGT-50B-HD.
Bug ID: 91645
Affected Models: FGT-50B-HD
Description: IPS Engine 1.117 may crash if VDOMs are repeatedly added and deleted.
Bug ID: 91966
Description: Traffic Shapping cannot be configured for P2P applications.
Bug ID: 91890
Description: ssl.<vdom> default interface cannot be deleted even after related VDOM is deleted.
Bug ID: 92102
Description: LDAP distinguished name query does not work with Windows 2003 server.
Bug ID: 68279
Description: FortiGate displays an error message when administrator tries to add or remove local user to an user group.
Bug ID: 92674
Affected Models: FGT-30B
Description: IM daemon (imd) may cause memory leak.
Bug ID: 93212
Description: Uploading an FGT_* image on a FortiCarrier hardware causes FortiGate device to continuously reboot.
Bug ID: 90123
Description: Radius authentication starts failing abruptly after running for some time.
Bug ID: 85424

Description: FTP proxy may crash if no filename is used for RETR or STOR and content-summary is enabled.
Bug ID: 93453
Description: When FortiGate sends a basic trap, the SNMP (snmpd) uses the v3 OID instead of the v4 OID.
Bug ID: 92278
Description: FortiGate does not send ARP for the secondary IP or VLAN interface on the redundant interface.
Bug ID: 81427
Description: User group gets deleted from all firewall polciies when that user group is renamed.
Bug ID: 91453
Description: All non-default VDOM administrator accounts may be lost when configuration is restroed from management vdom.
Bug ID: 90821
Description: FortiGate may enter conserve mode when user tries to view 3000+ firewall policies using web UI in global view.
Bug ID: 92336
Description: SMTP (smtpd) and POP3 (pop3d) proxies may randomly carsh when AntiSpam scanning is enabled.
Bug ID: 92200
Description: The FortiGate unit with hardware driven by NP2 driver may randomly crash or hang.
Bug ID: 92035, 93986
Description: The FortiGate's console may show an 'entry 0x8fb883d:0x40dda8f0 duplicated' error message upon
bootup.
Bug ID: 93518, 93862
Description: The FortiGate-110C-HD console may show an 'ata3: translated ATA stat/err' error upon bootup.
Bug ID: 93762
Affected Models: FGT-110C-HD
5.4 High Availability

Description: Wireless clients are unable to connect to FortiWiFi device in HA A-A mode.
Bug ID: 60089
Affected Models: FortiWiFi Models.
Description: Slave FortiGate goes out of sync when a VDom is moved betweeb VC1 and VC2.
Bug ID: 89681
Description: Output for 'diag sys ha dump' command shows unexpected errors.
Bug ID: 80024

Description: Slave FortiGates console shows some extra HA SYNC messages while syncing its configuration with the Master.
Bug ID: 90637
Description: Slave is sometimes unable to sync with Master FortiGate after upgrading from FortiOS v3.00MR7to v4.0.0.
Bug ID: 93625
5.5 Router
Description: rtmon daemon flushes the route cache every time the cmdb changes.
Bug ID: 92543
5.6 Firewall
Description: Some firewall addresses may be lost after restoring FortiGate's configuration file.
Bug ID: 91963
5.7 Web Filter

Description: Sometimes when user is trying to create an webfilter override, an 'Inva.lid Expiry Date' error is displayed.
Bug ID: 90412
Description: Some HTTPS webistes, where the server hello and the certificate is sent in separate packets, bypasses URL filtering.
Bug ID: 92641
Description: WebFilter content block does not work if content type is not specified.
Bug ID: 92279
5.8 Data Leak Prevention

Description: DLP rules does not take effect after rebooting the FortiGate.
Bug ID: 91680
Description: DLP does not work, when AV scanning is disabled, for NNTP protocol.
Bug ID: 91493
Description: DLP scanning does not work if only IMAPS, POP3S, SMTPS, or HTTPS protocols are enabled in DLP.
Bug ID: 94025
5.9 Voice Over IP (VoIP)

Description: IM daemon (imd) may randomly crash when some SIP traffic is passing thru the FortiGate.
Bug ID: 91868
5.10 Application Control

Description: Application Control feature does not work for IM/VOIP category when the rule is set for 'All Applications'.
Bug ID: 90212
5.11 VPN
Description: The SSL-VPN RDP applet with FR keyboard mapping does not allow user to type most of the characters with ATL-GR
key under WinWord application.
Bug ID: 80205
Description: After logging in on SSL-VPN web portal, open a http bookmark. A "you are going to leave a secure internet
connection..." alert messages will be displayed, if the user selects 'no' option then "web page can't be found" error is displayed.
Bug ID: 83962
Description: SSL-VPN user cannot login if 'url redirect' is configured and 'block pop-up window' option is enabled in the browser.
Bug ID: 84841
Description: SSL-VPN user is unable to install cache clean plugin for FireFox 2.0.
Bug ID: 90730
Description: SSL application may randomly crash and a 'signal 11' crash entry is logged in the crash log.
Bug ID: 86556
Description: SSL-VPN tunnel cannot be connected from web portal when SSL-VPN port is set to 443.
Bug ID: 92832
Description: "Exit when browser exits" option in the virtual desktop application does not work.
Bug ID: 90927
Description: FireFox browser does not send split tunnel information to SSL-VPN daemon.
Bug ID: 91539
Description: Users using Internet Explorer web browser to connect to SSL-VPN web portal may not be able to open RDP, FTP and
VNC links.
Bug ID: 92727
Description: WLAN interface route stays in the kernal after switching to TP mode.
Bug ID: 92669
Description: If the remote client's IP address overlaps with one of the FGT's local subnets then IPSec over DHCP may fail.
Bug ID: 92978
Description: User can successfully log on to the SSLVPN portal with a revoked certificate.
Bug ID: 74258

Description: PKI user cannot log on to SSL-VPN web portal using Internet Explorer browser.
Bug ID: 91917
Description: If multiple dialup gateways are configured on the same interface, but with different SA proposals, and there is a
misconfiguration, then the VPN connection might get stuck on the wrong gateway and tunnel will not come up even after the misconfiguration is fixed.
Bug ID: 88749
Description: User cannot access OWA from SSL-VPN web portal.
Bug ID: 91937
Description: The SSL proxy used by SSL offload and the SSL inspection features rejects any SSL handshake record that is greater
than 8KB in length.
Bug ID: 88326
5.12 WAN Optimization

Description: wad proxy may crash if 'Cache Explicit Proxy' option is enabled under WAN Opt. > Cache settings.
Bug ID: 91400
Description: WANOPT peer cannot be renamed when they are being used.
Bug ID: 90948
5.13 Endpoint Control

Description: Some files needed for endpoint control check are stored on the RAM disk and are lost after rebooting the FortiGate.
Bug ID: 91467
Description: Endpoint control updates are never executed when central management is disabled.
Bug ID: 90625
Description: Manufacturer field is not correctly shown on 'Endpoint List' page if the endpoint user is using IBM Thinkpad laptop.
Bug ID: 93265
Description: Endpoint control record-list is not cleared when a policy is deleted.
Bug ID: 91688
Description: Remove system time check for endpoint control in v4.0.1.
Bug ID: 93530
5.14 VOIP
Description: Any SIP message carried by UDP that is greater than 2048 bytes long is dropped by the SIP proxy.
Bug ID: 90854
5.15 Log & Report

Description: Filter for Remote log is missing 'Contains' field.
Bug ID: 89704
Description: Traffic log entry for SSL-VPN shows 0.0.0.0 as destination ip.
Bug ID: 82877
Description: IPS attack log entry does not always show the profile name that blocked the attack.
Bug ID: 85102
Description: Application Control log entry always has the profile field as N/A.
Bug ID: 90937
Description: RADIUS events are not logged under management VDOM.
Bug ID: 89683
Description: Spam filter log entry for MM1 flooding is missing source and destination interface.
Bug ID: 88989
Description: Source and destination address field in the attack log does not support IPv6 address.
Bug ID: 91799
Description: AntiSpam log entry for traffic detected by AntiSpam Engine shows incorrect log message.
Bug ID: 91629
Description: Logging to FAMS may cease if the Home server status keeps changing.
Bug ID: 92480
5.16 FSAE
Description: IPchange feature for FSAE does not work with multiple FSAE servers.
Bug ID: 90849
Status: Fixed in 4.0.1
6 Image Checksums
08a58085c42c5ebc3524d9ab61feddb7
0ba34ed3fbbfaa0ede530ac6b46e63d9
1aad33ae4efb82bae63b119a43a9ea33
0d5bf6ca57cd9ad2e08ce41b0712883d
77a945b1c9771bf33a06babff33235da
07ee0400602d21b009db995ec053d758
79c9d151907f62ff56b570aa9a36f06b
f86208defa8a2082935f1d0becef2ec4
d9f397d43ccc11be21a8399aedd34535
cad1412ff781b5c310b392dd6d05e307
1b540cc5b86bbd57375749f4f1ada918
65d24f688ef73052632c5b303256444c
daa136ce4fa58970046f43718391b817
4615f1e6a2fee1023eebec5c390da4f7
b9fc070db59c0897d0f3e66714b22ed2
8936f037527536265d324e905f769a73
d3b722c9fc7e4bbc381feff009055d88
3bcdfcbb49dd8c3158a6f497f1d6edb0
649bf58238a4ee93565297ff6f6f26e8
30f38f199ddbac2538e307d92e09ea62
69f05e52ce4f3a9271c35a7f1157ad50
3e2345edbaa41ee739093de5abe1aeef
519feba88a596b7c71490f051f69db88
d285885b554d67ed4a22458e041b746e
fda4ec37cf61d2d81efb3b5f05f72118
7d261704714ea531bc91bfdf6fb9b6ef
c50549956585ddad32dea61e702b3221
5bcb35493a75e2d4322ac3e5ad692026
*FGT_1000A-v400-build0098-FORTINET.out
*FGT_1000AFA2-v400-build0098-FORTINET.out
*FGT_1000A_LENC-v400-build0098-FORTINET.out
*FGT_110C-v400-build0098-FORTINET.out
*FGT_224B-v400-build0098-FORTINET.out
*FGT_3600-v400-build0098-FORTINET.out
*FGT_5001FA2-v400-build0098-FORTINET.out
*FGT_5005FA2-v400-build0098-FORTINET.out
*FGT_50B_HD-v400-build0098-FORTINET.out
*FGT_800F-v400-build0098-FORTINET.out
*FWF_50B-v400-build0098-FORTINET.out
*FWF_60B-v400-build0098-FORTINET.out
(End of Release Notes.)

FortiOS v401 Release Notes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiOS v401 Release Notes

Uploaded by

Copyright:

Available Formats

FortiGate Multi-Threat Security System

Copyright 2009 Fortinet Inc. All rights reserved.

FortiOS v4.0.1 Release Status

FGT-30B, FGT-50B, FGT-50B-HD, FWF-50B, FGT-60B, FWF-60B, FGT-100A,

All models are supported on the

Please visit http://docs.forticare.com/fgt.html for additinal documents on FortiOS v4.0 release.

New port names after upgrading

set action accept

3 Downgrading to FortiOS v3.00

4 Fortinet Product Integration and Support

4.2 Fortinet Server Authentication Extension (FSAE) Support

32-bit version of Microsoft Windows 2003 Server

IPv6 currently is not supported by FSAE.

4.3 AV Engine and IPS Engine Support

4.4 SSL-VPN Client Support

Windows in .exe and .msi format

5 Resolved Issues in FortiOS v4.0.1

5.1 Command Line Interface (CLI)

5.2 Web User Interface

Status: Fixed in v4.0.1.

Status: Fixed in v4.0.1.

5.4 High Availability

Bug ID: 80024

5.7 Web Filter

5.8 Data Leak Prevention

5.9 Voice Over IP (VoIP)

5.10 Application Control

Bug ID: 74258

5.12 WAN Optimization

5.13 Endpoint Control

5.15 Log & Report

(End of Release Notes.)

You might also like