FortiOS v4.0 MR2 Patch Release 13 Release Notes

FortiOS v4.
0 MR2 Patch Release 13

Release Notes
FortiOS v4.0 MR2 Patch Release 13 Release Notes September 05, 2012 01-4213-180205-20120905 Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Technical Documentation Knowledge Base Customer Service & Support Training Services FortiGuard Document Feedback
docs.fortinet.com kb.fortinet.com support.fortinet.com training.fortinet.com fortiguard.com techdocs@fortinet.com
Table of Contents
Change Log....................................................................................................... Introduction....................................................................................................... FortiOS Carrier.................................................................................................. Special Notices .................................................................................................
Important ................................................................................................................. Monitor settings for Web-based Manager access............................................. Supported web browsers .................................................................................. Before any upgrade ........................................................................................... After any upgrade ..............................................................................................
4 5 7 8
8 8 8 8 8
General..................................................................................................................... 8
Upgrade Information ........................................................................................ 9

Upgrading from FortiOS v4.0................................................................................... 9 FortiOS v4.0 ....................................................................................................... 9 Network interface configuration......................................................................... 9 WebFilter Banned Word and Exempt Word List................................................ 9 VoIP settings .................................................................................................... 11 NNTP DLP Archive........................................................................................... 11 Upgrading from FortiOS v4.0 MR1 ........................................................................ FortiOS v4.0 MR1 ............................................................................................ DLP rule ........................................................................................................... System Autoupdate settings............................................................................ IPS DoS sensor log setting .............................................................................. 11 12 12 12 12
Downgrading to FortiOS v4.0 MR1........................................................................ 12
Product Integration ........................................................................................ 13

Fortinet Single Sign-On (FSSO) support................................................................ 13 AV Engine and IPS Engine support ....................................................................... 13 SSL-VPN support .................................................................................................. 13 SSL-VPN standalone client.............................................................................. 13 FortiAP support...................................................................................................... 14
Resolved Issues.............................................................................................. 15
Resolved issues ............................................................................................... 15
Limitations....................................................................................................... 16
Citrix XenServer limitations.................................................................................... 16 Open source Xen limitations .................................................................................. 16
Image Checksums.......................................................................................... 17
Page 3
Change Log
Date 2012-09-05 2012-09-07 2012-09-11 Change Description Initial release. Changed supported AV Engine and IPS Engine information. Added bug 173399 to Resolved Issues table.
Page 4
Introduction
This document provides installation instructions and addresses issues and caveats in FortiOS v4.0 MR2 Patch Release 13 build 0349. Table 1 outlines the release status for these models. Table 1: Supported models FortiGate Models FG-30B, FG-50B, FG-51B, FG-60B, FG-80C, FG-80CM, FG-82C, FG-100A, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-PoE, FG-224B, FG-300A, FG-310B, FG-311B, FG-310B-DC, FG-400A, FG-500A, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, FG-5002FB2, and FG-5005FA2 FWF-30B, FWF-50B, FWF-60B, FWF-80CM, and FWF-81CM. FG-60C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_60c/build_tag_5918. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5918 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349. This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_300c/build_tag_4244. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 4244 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349. v4.0 MR2 Patch Release 13 All models are supported on the regular v4.0 MR2 Patch Release 13 branch.
FG-300C
Fortinet Technologies Inc.
Page 5
FortiOS v4.0 MR2 Patch Release 13 Release Notes
Table 1: Supported models (continued) FortiGate Models FortiGate-VM v4.0 MR2 Patch Release 13 This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_vmware_esx/build_tag_5919. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5919 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349. This model is released on a special branch based off of FortiOS v4.0 MR2 Patch Release 13: fg_4-2_one/build_tag_5917. As such, the build number found at System > Dashboard > Status and the output from the get system status CLI command displays 5917 as the build number. To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field that should read 0349.
FortiGate-One
See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR2.
Page 6
FortiOS Carrier
This chapter provides platform support information for FortiOS Carrier v4.0 MR2 Patch Release 13 build 0349. Table 2 outlines the release status for these models. Table 2: Supported models FortiCarrier Models FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001A, and FCR-5001B. Firmware image filenames begin with FK. FortiOS Carrier v4.0 MR2 Patch Release 13 All models are supported on the regular v4.0 MR2 Patch Release 13 branch.
See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR2.
Page 7
Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.
Important
Monitor settings for Web-based Manager access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be viewed properly.
Supported web browsers

Microsoft Internet Explorer 8.0 and 9.0 Mozilla FireFox 13.0 and 14.0
Before any upgrade

Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.
After any upgrade

If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate to ensure the Web-based Manager screens are displayed properly. The Virus and Attack definitions included with an image upgrade may be older than ones currently available from the Fortinet's FortiGuard Distribution Server. Fortinet recommends performing an Update Now (System > Config > FortiGuard > AntiVirus and IPS Options) as soon as possible after upgrading. Consult the FortiOS Handbook/FortiOS Carrier Handbook for detailed procedures.
Page 8
Upgrade Information
Upgrading from FortiOS v4.0
FortiOS v4.0 MR2 Patch Release 13 officially supports upgrade from the FortiOS v4.0 Patch Release 4 or later. See the upgrade path below.
FortiOS v4.0
The upgrade is supported from FortiOS v4.0.4 build 0113 or later. v4.0.4 build 0113 (or later)
v4.0 MR2 Patch Release 13 build 0349 After every upgrade, ensure that the build number and branch point match the image that was loaded.
Network interface configuration

If a network interface has ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.x, or any subsequent patch, to FortiOS v4.0 MR2 Patch Release 13, the ips-sniffer-mode setting will be changed to disable.
WebFilter Banned Word and Exempt Word List

FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under config webfilter content. After you upgrade to v4.0 MR2, only the banned word list is retained. For example:
In FortiOS v4.0.4:
config webfilter bword edit 1 config entries edit "badword1" set status enable next edit "badword2" set status enable next end set name "BannedWordList" next end
Page 9
config webfilter exmword edit 1 config entries edit "goodword1" set status enable next edit "goodword2" set status enable next end set name "ExemptWordList" next end
After upgrading to FortiOS v4.0 MR2:

config webfilter content edit 1 config entries edit "badword1" set status enable next edit "badword2" set status enable next end set name "BannedWordList" next end Before upgrading: backup your configuration, and parse the webfilter exempt list entries. Then merge them into the webfilter content list after the upgrade.
Page 10
After merging the exempt list from v4.0.4 to the webfilter content list:
config webfilter content edit 1 config entries edit "goodword1" set status enable next edit "goodword2" set action exempt set status enable next edit "badword1" set status enable next edit "badword2" set action exempt set status enable next end set name "BannedWordList" next end
VoIP settings
FortiOS v4.0 MR2 has the functionality to archive messages and files caught by the Data Leak Prevention (DLP) feature, which includes some VoIP messages. However, some scenarios have an implication configuration retention on the upgrading. Consider the following: FortiGate in v4.0.4 has two protection profiles: PP1 and PP2. PP1 contains: DLP sensor: DLP1 Application control list: APP1 which archives SIP messages PP2 contains: DLP sensor: DLP1 Application control list: APP2 which has content-summary enabled for SIMPLE Upon upgrading to FortiOS v4.0 MR2 Patch Release 13, the VoIP settings are not moved into the DLP archive feature.
NNTP DLP Archive

NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2 Patch Release 13.
Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR2 Patch Release 13 officially supports upgrade from the FortiOS v4.0 MR1 Patch Release 4 or later. See the upgrade path below.
Page 11
FortiOS v4.0 MR1

The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 build 0196 or later. v4.0 MR1 Patch Release 4 build 0196 (or later)
v4.0 MR2 Patch Release 13 build 0349 After every upgrade, ensure that the build number and branch point match the image that was loaded.
DLP rule
A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2 Patch Release 13.
System Autoupdate settings

The settings under System > Maintenance > FortiGuard will get set to default values after upgrading to FortiOS v4.0 MR2 Patch Release 13.
IPS DoS sensor log setting

The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR2 Patch Release 2 or later. Whether the log setting of an IPS DoS sensor is disable or enable on FortiOS v4.0 MR1 Patch Release 9 or any subsequent patch, after upgrading to FortiOS v4.0 MR2 Patch Release 2 or later, the setting will be set to disable.
Downgrading to FortiOS v4.0 MR1

Downgrading to FortiOS v4.0 MR1 results in configuration loss on all models. Only the following settings are retained: operation modes interface IP/management IP route static table DNS settings VDOM parameters/settings admin user account session helpers system access profiles.
Page 12
Product Integration
Fortinet Single Sign-On (FSSO) support
FortiOS v4.0 MR2 Patch Release 13 is supported by FSSO (formerly FSAE) v4.3.0 build 0117 for the following: Microsoft Windows Server 2003 R2 32-bit Microsoft Windows Server 2003 R2 64-bit Microsoft Windows Server 2008 Server 32-bit Microsoft Windows Server 2008 64-bit Microsoft Windows Server 2008 R2 64-bit Novell sDirectory 8.8. IPv6 currently is not supported by FSSO.
AV Engine and IPS Engine support

FortiOS v4.0 MR2 Patch Release 13 is supported by AV Engine 4.00254 and IPS Engine 1.00247.
FortiOS v4.0 MR2 Patch Release 13 also supports AV Engine 4.00398 and IPS Engine 1.00250. When connected to FDS, the AV Engine and IPS Engine will be updated.
SSL-VPN support
SSL-VPN standalone client
FortiOS v4.0 MR2 Patch Release 13 supports the SSL-VPN tunnel client standalone installer build 2270 for the following: Windows in .exe and .msi format Linux in .tar.gz format Mac OS in .dmg format Virtual Desktop in .jar format for Windows 7, XP, and Vista
Page 13
Table 3 lists the supported operating systems. Table 3: Supported operating systems Windows
Windows XP 32-bit SP 3 Windows 7 32-bit SP 1 Windows 7 64-bit SP 1
Linux
CentOS 5.6
Mac OS X
Lion 10.7
Virtual Desktop Support

Windows 7 32-bit SP 1
FortiAP support
The following table lists which FortiAP devices and FortiOS operating systems are supported in FortiOS v4.0 MR2 Patch Release 13 build 0349. Table 4 outlines supported models Table 4: Supported models FortiAP Model FortiAP 210B FortiAP 220A FortiAP 221B FortiAP 222B FortiOS v4.0 MR2
For wireless controller support in FortiOS v4.0 MR2 the following firmware image is required: fg_4-2_fortiap/build_tag_6670. The build number for these images in the System > Status page and the output from the get system status CLI command displays 6670 To confirm that you are running the proper build, the output from the get system status CLI command has a Branch point: field. This should read 0349. This firmware image is available under the following directory in the Firmware Images page of the Customer Support site after you login: FortiAP/v4.00/4.0MR2/MR2_Patch_13/Wireless_controller/
FortiAP v4.0 MR3 Patch Release 7 These models are supported on the regular v4.0 MR3 branch.
Page 14
Resolved Issues
The resolved issues listed below do not list every bug that has been corrected with this release. For inquires about a particular bug, please contact Customer Service & Support.
Resolved issues
Table 5: Resolved issues Bug ID 173399 Description Ports on certain models may inadvertently shutdown after the system has been running for 248 days. Please see Customer Service Bulletin CSB-120813-1. Firewall Policy is not installed properly when applied via FortiManager.
175110
Page 15
Limitations
This section outlines the limitations in FortiOS v4.0 MR2 Patch Release 13.
Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations: XenTools installation is not supported. FortiGate-VM can be imported or deployed in only the following three formats: XVA (recommended) VHD OVF The XVA format comes preconfigured with default configurations for VM name, vCPU, memory, and vNIC. Other formats will require manual configuration before the first power on process.
Open source Xen limitations

When using Ubuntu 11.10, Xen 4.1.0, and libvir 0.9.2, importing issues may arise when using the qcow2 format and existing HDA issues.
Page 16
Image Checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file, including the extension, and select Get Checksum Code. Figure 1: Customer Service & Support image checksum tool
End of Release Notes

Fortinet Technologies Inc. Page 17 FortiOS v4.0 MR2 Patch Release 13 Release Notes

FortiOS v4.0 MR2 Patch Release 13 Release Notes

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiOS v4.0 MR2 Patch Release 13 Release Notes

Uploaded by

Copyright:

Available Formats

FortiOS v4.

0 MR2 Patch Release 13

docs.fortinet.com kb.fortinet.com support.fortinet.com training.fortinet.com fortiguard.com techdocs@fortinet.com

Upgrade Information ........................................................................................ 9

Downgrading to FortiOS v4.0 MR1........................................................................ 12

Product Integration ........................................................................................ 13

Fortinet Technologies Inc.