Release Notes
v4.0.1
01-401-84420-20090402
Release Notes
FortiOS v4.0.1
Table of Contents
1 FortiOS v4.0.1
2 Upgrade Information
  2.1 Upgrading from FortiOS v3.00 MR6/MR7
3 Downgrading to FortiOS v3.00
4 Fortinet Product Integration and Support
  4.1 FortiManager Support
  4.2 Fortinet Server Authentication Extension (FSAE) Support
  4.3 AV Engine and IPS Engine Support
  4.4 SSL-VPN Client Support
5 Resolved Issues in FortiOS v4.0.1
  5.1 Command Line Interface (CLI)
  5.2 Web User Interface
  5.3 System
  5.4 High Availability
  5.5 Router
  5.6 Firewall
  5.7 Web Filter
  5.8 Data Leak Prevention
  5.9 Voice Over IP (VoIP)
  5.10 Application Control
  5.11 VPN
  5.12 WAN Optimization
  5.13 Endpoint Control
  5.14 VOIP
  5.15 Log & Report
  5.16 FSAE
6 Image Checksums
Change Log
Date          Change Description
2009-04-02    Initial Release.
April 2, 2009
1 FortiOS v4.0.1
This document outlines resolved issues of FortiOS™ v4.0.1 B0098 firmware for the Fortinet FortiGate Multi-threat Security System.
Please reference the full version of the FortiOS v4.0.0 release notes for new features and known issues. The following outlines the
release status for several models.
Model
2 Upgrade Information
2.1 Upgrading from FortiOS v3.00 MR6/MR7
FortiOS v4.0.1 officially supports upgrade from the most recent Patch Release in MR6 or MR7. See the upgrade path below. The
arrows indicate "upgrade to".
[MR6]
The upgrade is supported from FortiOS v3.00 B0673 Patch Release 4 or later.
MR6 B0673 Patch Release 4 (or later) -> v4.0.1 B0098
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[MR7]
The upgrade is supported from FortiOS v3.00 B0733 Patch Release 2 or later.
MR7 B0733 Patch Release 2 (or later) -> v4.0.1 B0098
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[Log Settings Changes]
In FortiOS v4.0.1, the option to configure rule under 'config log trafficfilter' has been removed, therefore any related
configuration is lost upon upgrading from FortiOS MR6 to FortiOS v4.0.1.
[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v4.0.1 to match the port names on the face plate. After upgrading
from FortiOS MR6 to FortiOS v4.0.1, all port names in the FortiGate configuration are changed as per the following port mapping.
Old port names before upgrading    New port names after upgrading
port1                              mgmt1
port2                              mgmt2
port3                              port1
port4                              port2
port5                              port3
port6                              port4
port7                              port5
port8                              port6
port9                              port7
port10                             port8
port11                             port9
port12                             port10
port13                             port11
port14                             port12
port15                             port13
port16                             port14
port17                             port15
port18                             port16
Note: After the release of FortiOS v3.00 MR6 firmware a new revision of the FGT-3016B included a name change to two ports on the
left side of the faceplate. Previously, they were labeled 1 and 2. Now they are called MGMT 1 and MGMT 2. However, the BIOS still
refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.
[System Settings]
In FortiOS v4.0.1, the p2p-rate-limit setting under 'config system settings' has been removed, therefore any
related configuration is lost upon upgrading from FortiOS MR6/MR7 to FortiOS v4.0.1.
[Router Access-list]
All configuration under 'config router access-list' may be lost after upgrading from FortiOS v3.0.0 MR6/MR7 to
FortiOS v4.0.1.
[Identity Based Policy]
Firewall policy authentication has been reworked in FortiOS v4. Any firewall policy that requires authentication is now known as an
Identity Based Policy. Previously, a separate authentication firewall policy had to be created for different schedules, services, and
traffic shaping settings but in FortiOS v4 all firewall authentication settings are configured in the Identity Based Policy section of a
firewall policy. If no traffic matches any of the Identity Based Policies, the traffic is subjected to an implicit DENY ALL. For
example:
In FortiOS v3.00 MR6/MR7
config firewall policy
    edit 1
        set action accept
        set groups grp1 grp2
        set service HTTP
        ...
    next
    edit 2
        set action accept
        set service TELNET
    next
    ...
end
After upgrading to FortiOS v4.0.1
config firewall policy
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
    edit 2
        set action accept
        set service TELNET
    next
end
In FortiOS v4.0.1, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of Identity Based Policy. To
correct the behaviour, you must move the non-Identity Based Policy (TELNET policy) above the Identity Based Policy.
Reorganized policy in FortiOS v4.0.1
config firewall policy
    edit 2
        set action accept
        set service TELNET
    next
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
end
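The ordering problem above can be checked mechanically on an exported configuration. The following Python is an added example, not part of the Fortinet release notes; the function names parse_policies and shadowed_policies are hypothetical, and it assumes a policy is only shadowed by an Identity Based Policy with the same srcintf/dstintf pair (address overlap is not evaluated, so each hit is a prompt for manual review).

```python
# Added example: flag firewall policies that sit below an Identity Based Policy.
# Assumption: only policies with the same srcintf/dstintf pair are compared.
def parse_policies(config_text):
    """Return top-level firewall policies, in order, as (id, settings) tuples."""
    policies, depth, in_table, current = [], 0, False, None
    for raw in config_text.splitlines():
        words = raw.split() or [""]
        if words[0] == "config":
            depth += 1
            if depth == 1:
                in_table = words[1:] == ["firewall", "policy"]
        elif words[0] == "end":
            depth -= 1
        elif in_table and depth == 1:  # depth 2 is a nested identity-based-policy
            if words[0] == "edit" and len(words) > 1:
                current = (words[1], {})
                policies.append(current)
            elif words[0] == "set" and current and len(words) > 2:
                current[1][words[1]] = " ".join(words[2:])
    return policies

def shadowed_policies(config_text):
    """IDs of non-identity policies listed after an identity-based policy."""
    identity_pairs, shadowed = set(), []
    for pid, settings in parse_policies(config_text):
        pair = (settings.get("srcintf"), settings.get("dstintf"))
        if settings.get("identity-based") == "enable":
            identity_pairs.add(pair)   # implicit DENY ALL ends matching for this pair
        elif pair in identity_pairs:
            shadowed.append(pid)       # never reached, like the TELNET policy
    return shadowed

# Constructed samples mirroring the two v4.0.1 policy orders discussed above.
IDENTITY = """edit 1
    set action accept
    set identity-based enable
    config identity-based-policy
        edit 1
            set groups grp1 grp2
            set service HTTP
        next
    end
next
"""
TELNET = "edit 2\n    set action accept\n    set service TELNET\nnext\n"
AFTER_UPGRADE = "config firewall policy\n" + IDENTITY + TELNET + "end\n"
REORGANIZED = "config firewall policy\n" + TELNET + IDENTITY + "end\n"
if __name__ == "__main__":
    print(shadowed_policies(AFTER_UPGRADE), shadowed_policies(REORGANIZED))
```

Run against the post-upgrade order it reports policy 2; against the reorganized order it reports nothing.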
[IPv6 Tunnel]
All configuration under 'config system ipv6-tunnel' may be lost after upgrading from FortiOS v3.0.0 MR7 to FortiOS
v4.0.1.
[User Group]
In FortiOS v3.00 a protection profile can be assigned to a user group from the web UI, but in FortiOS v4.0 it can only be assigned from
the CLI.
[Zone Configuration]
In FortiOS v3.00 a Zone name could be up to 32 characters, but in v4 the limit has changed to 15 characters. Any Zone names in FortiOS
v3.00 with more than 15 characters will be lost after upgrading to FortiOS v4.0.1.
[IPv6 VLAN Interfaces]
VLAN interfaces with an ipv6-address configured will be lost after upgrading from FortiOS v3.00 to FortiOS v4.0.1.
[FDS Push-update Settings]
The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS
v4.0.1.
[Content Archive Summary]
The content archive summary related configuration will be lost after upgrading to FortiOS v4.0.1.
[RTM Interface Configuration]
Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0.1, the RTM interface and some of the configuration that uses RTM objects are
not retained. In FortiOS v3.00, RTM objects used upper-case letters, such as "RTM/1". FortiOS v4.0.1 uses lower-case letters for
RTM objects.
[HA IPSec Session Pickup]
When upgrading from FortiOS MR6 to FortiOS v4.0.1, the IPSec sessions are not picked up.
operation modes
interface IP/management IP
route static table
DNS settings
VDom parameters/settings
admin user account
session helpers
system access profiles
5.3 System
Description: VDOM administrators do not have permission to run the sniffer command on dialup VPN interfaces.
Bug ID: 91037
Status: Fixed in v4.0.1.
Description: Traffic passed by the FortiGate may occasionally exceed the outbandwidth limit set on an interface.
Bug ID: 91510
Status: Fixed in v4.0.1.
Description: During FortiGate bootup the 'subnet overlap' setting is not checked and overlapping subnets are always allowed.
Bug ID: 86786
Status: Fixed in v4.0.1.
Description: Unexpected error messages are printed on console after rebooting FGT-50B-HD.
Bug ID: 91645
Status: Fixed in v4.0.1.
Affected Models: FGT-50B-HD
Description: IPS Engine 1.117 may crash if VDOMs are repeatedly added and deleted.
Bug ID: 91966
Status: Fixed in v4.0.1.
Description: Traffic Shaping cannot be configured for P2P applications.
Bug ID: 91890
Status: Fixed in v4.0.1.
Description: ssl.<vdom> default interface cannot be deleted even after related VDOM is deleted.
Bug ID: 92102
Status: Fixed in v4.0.1.
Description: LDAP distinguished name query does not work with Windows 2003 server.
Bug ID: 68279
Status: Fixed in v4.0.1.
Description: FortiGate displays an error message when an administrator tries to add or remove a local user to or from a user group.
Bug ID: 92674
Status: Fixed in v4.0.1.
Affected Models: FGT-30B
Description: IM daemon (imd) may cause a memory leak.
Bug ID: 93212
Status: Fixed in v4.0.1.
Description: Uploading an FGT_* image on FortiCarrier hardware causes the FortiGate device to continuously reboot.
Bug ID: 90123
Status: Fixed in v4.0.1.
Description: RADIUS authentication starts failing abruptly after running for some time.
Bug ID: 85424
5.5 Router
Description: rtmon daemon flushes the route cache every time the cmdb changes.
Bug ID: 92543
Status: Fixed in v4.0.1.
5.6 Firewall
Description: Some firewall addresses may be lost after restoring FortiGate's configuration file.
Bug ID: 91963
Status: Fixed in v4.0.1.
5.11 VPN
Description: The SSL-VPN RDP applet with FR keyboard mapping does not allow the user to type most of the characters with the ALT-GR
key under the WinWord application.
Bug ID: 80205
Status: Fixed in v4.0.1.
Description: After logging in on the SSL-VPN web portal, open an http bookmark. A "you are going to leave a secure internet
connection..." alert message is displayed; if the user selects the 'no' option, a "web page can't be found" error is displayed.
Bug ID: 83962
Status: Fixed in v4.0.1.
Description: SSL-VPN user cannot login if 'url redirect' is configured and 'block pop-up window' option is enabled in the browser.
Bug ID: 84841
Status: Fixed in v4.0.1.
Description: SSL-VPN user is unable to install cache clean plugin for FireFox 2.0.
Bug ID: 90730
Status: Fixed in v4.0.1.
Description: SSL application may randomly crash and a 'signal 11' crash entry is logged in the crash log.
Bug ID: 86556
Status: Fixed in v4.0.1.
Description: SSL-VPN tunnel cannot be connected from web portal when SSL-VPN port is set to 443.
Bug ID: 92832
Status: Fixed in v4.0.1.
Description: "Exit when browser exits" option in the virtual desktop application does not work.
Bug ID: 90927
Status: Fixed in v4.0.1.
Description: FireFox browser does not send split tunnel information to SSL-VPN daemon.
Bug ID: 91539
Status: Fixed in v4.0.1.
Description: Users using Internet Explorer web browser to connect to SSL-VPN web portal may not be able to open RDP, FTP and
VNC links.
Bug ID: 92727
Status: Fixed in v4.0.1.
Description: WLAN interface route stays in the kernel after switching to TP mode.
Bug ID: 92669
Status: Fixed in v4.0.1.
Description: If the remote client's IP address overlaps with one of the FGT's local subnets then IPSec over DHCP may fail.
Bug ID: 92978
Status: Fixed in v4.0.1.
Description: User can successfully log on to the SSL-VPN portal with a revoked certificate.
5.14 VOIP
Description: Any SIP message carried by UDP that is greater than 2048 bytes long is dropped by the SIP proxy.
Bug ID: 90854
Status: Fixed in v4.0.1.
5.16 FSAE
Description: IPchange feature for FSAE does not work with multiple FSAE servers.
Bug ID: 90849
Status: Fixed in v4.0.1.
6 Image Checksums
*FGT_1000A-v400-build0098-FORTINET.out
*FGT_1000AFA2-v400-build0098-FORTINET.out
*FGT_1000A_LENC-v400-build0098-FORTINET.out
*FGT_100A-v400-build0098-FORTINET.out
*FGT_110C-v400-build0098-FORTINET.out
*FGT_200A-v400-build0098-FORTINET.out
*FGT_224B-v400-build0098-FORTINET.out
*FGT_300A-v400-build0098-FORTINET.out
*FGT_3016B-v400-build0098-FORTINET.out
*FGT_30B-v400-build0098-FORTINET.out
*FGT_310B-v400-build0098-FORTINET.out
*FGT_3600-v400-build0098-FORTINET.out
*FGT_3600A-v400-build0098-FORTINET.out
*FGT_3810A-v400-build0098-FORTINET.out
*FGT_400A-v400-build0098-FORTINET.out
*FGT_5001-v400-build0098-FORTINET.out
*FGT_5001A-v400-build0098-FORTINET.out
*FGT_5001FA2-v400-build0098-FORTINET.out
*FGT_5005FA2-v400-build0098-FORTINET.out
*FGT_500A-v400-build0098-FORTINET.out
*FGT_50B-v400-build0098-FORTINET.out
*FGT_50B_HD-v400-build0098-FORTINET.out
*FGT_60B-v400-build0098-FORTINET.out
*FGT_620B-v400-build0098-FORTINET.out
*FGT_800-v400-build0098-FORTINET.out
*FGT_800F-v400-build0098-FORTINET.out
*FWF_50B-v400-build0098-FORTINET.out
*FWF_60B-v400-build0098-FORTINET.out