FortiOS 5.6.3 Release Notes

Change Log

Date Change Description
2017-12-05 Initial release.
2017-12-07 Added 443203 to Resolved Issues. Added 463211 to Known Issues. Moved 452384 from Known Issues to Resolved Issues. Deleted Internet Explorer version 11 from Product Integration and Support.
2017-12-08 Added 443870 to Resolved Issues. Added caution to Upgrade Information > Upgrading to FortiOS 5.6.3.

   

 

Introduction

This document provides the following information for FortiOS 5.6.3 build 1547:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.3 supports the following models.

FortiGate: FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001C, FG-5001D

FortiWiFi: FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-30D, FGR-35D, FGR-60D, FGR-90D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-GCP, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM

FortiOS Carrier: FortiOS Carrier 5.6.3 images are delivered upon request and are not available on the customer support firmware download page.


What’s new in FortiOS 5.6.3

For a list of new features and enhancements that have been made in FortiOS 5.6.3, see the What’s New for FortiOS 5.6.3 document.

Special Notices

Built-in certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit certificate with DH group 14.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form.
  • IPv6 packets being dropped.
  • FortiSwitch devices failing to be discovered.
  • Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

    config global
        set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
  • BPDUs are dropped and therefore no STP loop results.
  • PPPoE packets are dropped.
  • IPv6 packets are dropped.
  • FortiSwitch devices are not discovered.
  • HA may fail to form depending on the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.


FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient profile changes

With the introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

FortiExtender support

Due to OpenSSL updates, FortiOS 5.6.3 cannot manage FortiExtender anymore. If you run FortiOS with FortiExtender, you must use a newer version of FortiExtender such as 3.2.1 or later.

Upgrade Information

Upgrading to FortiOS 5.6.3

FortiOS version 5.6.3 officially supports upgrading from version 5.4.5, 5.4.6, 5.6.0, 5.6.1, and 5.6.2. To upgrade from other versions, see Supported Upgrade Paths.

If you are upgrading from version 5.6.1 or 5.6.2, this caution does not apply.

Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.
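The port check in this caution can be run against a configuration backup before the upgrade. The script below is an added example, not part of the Fortinet release notes; the sample backup is constructed, and the function names and the `from_version` parameter are assumptions made for the illustration.

```python
import re

RESERVED_PORT = 4433  # port named in the upgrade caution
# The caution does not apply when upgrading from these versions.
EXEMPT_FROM = {"5.6.1", "5.6.2"}
# (innermost config block, setting) pairs the caution tells you to check.
WATCHED = {
    ("system global", "admin-port"),
    ("system global", "admin-sport"),
    ("vpn ssl settings", "port"),
}
SET_RE = re.compile(r'^set\s+(\S+)\s+"?(\d+)"?$')
QUOTE_RE = re.compile(r'(?<!\\)"')  # unescaped double quotes

# Constructed sample backup (VDOM mode). The replacement-message buffer is a
# multi-line string whose text happens to look like CLI lines.
SAMPLE_CONFIG = """\
config global
config system global
    set admin-port 80
    set admin-sport 4433
end
config system replacemsg admin "pre_admin-disclaimer-text"
    set buffer "Authorized use only.
end
config vpn ssl settings
set port 4433"
end
end
config vdom
edit root
config firewall vip
    edit "web"
        set extport 4433
    next
end
config vpn ssl settings
    set port 10443
end
next
edit branch
config vpn ssl settings
    set port 4433
end
next
end
"""


def current_vdom(stack):
    """Name of the VDOM being edited, or None when outside 'config vdom'."""
    for outer, inner in zip(stack, stack[1:]):
        if outer == ("config", "vdom") and inner[0] == "edit":
            return inner[1]
    return None


def find_port_conflicts(config_text, from_version=None, port=RESERVED_PORT):
    """Return (section, setting, vdom, line_no) for each watched setting on `port`."""
    if from_version in EXEMPT_FROM:
        return []
    conflicts, stack, in_string = [], [], False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        odd_quotes = len(QUOTE_RE.findall(line)) % 2 == 1
        if in_string:
            # Inside a multi-line quoted value: ignore until the closing quote.
            in_string = not odd_quotes
            continue
        if line.startswith("config "):
            stack.append(("config", line[7:].strip()))
        elif line.startswith("edit "):
            stack.append(("edit", line[5:].strip().strip('"')))
        elif line == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif line == "end":
            while stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        else:
            match = SET_RE.match(line)
            if match and stack and stack[-1][0] == "config":
                section, setting = stack[-1][1], match.group(1)
                if (section, setting) in WATCHED and int(match.group(2)) == port:
                    conflicts.append((section, setting, current_vdom(stack), line_no))
        if odd_quotes:
            in_string = True  # a quoted value opened here and continues below
    return conflicts


if __name__ == "__main__":
    for section, setting, vdom, line_no in find_port_conflicts(SAMPLE_CONFIG):
        where = f"vdom {vdom}" if vdom else "global"
        print(f"line {line_no}: '{setting}' in 'config {section}' ({where}) "
              f"uses port {RESERVED_PORT}; change it before upgrading")
```

The firewall VIP entry and the text inside the replacement-message buffer are not reported, because neither is one of the three settings the caution names.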

After upgrading, if FortiLink mode is enabled, you must manually create an explicit firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch (such as from the FortiLink interface) to the RADIUS server through the FortiGate.

FortiGate-VM64-Azure upgrade

You can upgrade from the GUI or CLI. Because some configurations are not kept in the upgrade, we recommend you do a factory reset using execute factoryreset, and then reconfigure the VM.

Your original VM license is kept in the upgrade.

Security Fabric upgrade

FortiOS 5.6.3 greatly increases the interoperability between other Fortinet products. This includes:

  • FortiAnalyzer 5.6.1
  • FortiClient 5.6.0
  • FortiClient EMS 1.2.2
  • FortiAP 5.4.2 and later
  • FortiSwitch 3.6.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

 

FortiClient profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration).
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard Banner, client-based logging when on-net, and Single Sign-on Mobility Agent.
  • VPN provisioning.
  • Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths.
  • Client-side web filtering when on-net.
  • iOS and Android configuration by using the FortiOS GUI.

With FortiOS 5.6.3, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.2, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles


If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with their corresponding short VDOM names.

For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_name>.

  3. Restore the configuration.
  4. Perform the downgrade.
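Step 2 can be scripted against the backup file. The sketch below is an added example, not part of the Fortinet release notes: it rewrites only the `edit <long_vdom_name>/<short_name>` form shown above, and only directly under `config vdom`. The sample backup text and the function name are constructed for the illustration.

```python
import re

MAX_VDOM_NAME = 11  # maximum VDOM name length stated above

# edit <long_vdom_name>/<short_name>, the form shown in the example above
VDOM_EDIT_RE = re.compile(r'^(\s*)edit\s+"?([^\s"/]+)/([^\s"/]+)"?\s*$')

# Constructed sample backup. The address object name contains a slash and
# must not be mistaken for a VDOM entry.
SAMPLE_BACKUP = """\
config vdom
edit customer-east-region/cust-east
next
edit root
next
end
config vdom
edit customer-east-region/cust-east
config firewall address
    edit "10.0.0.0/8"
        set subnet 10.0.0.0 255.0.0.0
    next
end
next
end
"""


def shorten_vdom_edits(config_text):
    """Rewrite 'edit long/short' to 'edit short/short' under 'config vdom'.

    Returns (new_text, {long_name: short_name}). Raises ValueError when a
    short name is still too long or two long names share one short name.
    """
    mapping, out, stack = {}, [], []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        word = line.strip()
        if word.startswith("config "):
            stack.append(word[7:].strip())
        elif word == "end" and stack:
            stack.pop()
        elif stack and stack[-1] == "vdom":
            match = VDOM_EDIT_RE.match(line)
            if match and match.group(2) != match.group(3):
                indent, long_name, short = match.groups()
                if len(short) > MAX_VDOM_NAME:
                    raise ValueError(
                        f"line {line_no}: short name '{short}' exceeds "
                        f"{MAX_VDOM_NAME} characters")
                for other_long, other_short in mapping.items():
                    if other_short == short and other_long != long_name:
                        raise ValueError(
                            f"line {line_no}: '{short}' is already the short "
                            f"name of '{other_long}'")
                if mapping.setdefault(long_name, short) != short:
                    raise ValueError(
                        f"line {line_no}: '{long_name}' has two short names")
                line = f"{indent}edit {short}/{short}"
        out.append(line)
    return "\n".join(out) + "\n", mapping


if __name__ == "__main__":
    new_text, names = shorten_vdom_edits(SAMPLE_BACKUP)
    print(names)
    print(new_text)
```

Any other place in the backup where a long name appears is left untouched by this sketch and still needs review before the restore.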

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.3 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 5.6.3 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

 

Product Integration and Support

FortiOS 5.6.3 support

The following table lists 5.6.3 product integration and support information:

Web Browsers:
  • Microsoft Edge 38
  • Mozilla Firefox version 54
  • Google Chrome version 59
  • Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser:
  • Microsoft Edge 40
  • Mozilla Firefox version 53
  • Google Chrome version 58
  • Apple Safari version 10 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager: See important compatibility information in Security Fabric upgrade. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer: See important compatibility information in Security Fabric upgrade. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft Windows: See important compatibility information in Security Fabric upgrade.
  • 5.6.1

If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient Mac OS X: See important compatibility information in Security Fabric upgrade.
  • 5.6.0

If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS:
  • 5.4.3 and later

FortiClient Android and FortiClient VPN Android:
  • 5.4.1 and later

FortiAP:
  • 5.4.2 and later
  • 5.6.0

FortiAP-S:
  • 5.4.3 and later
  • 5.6.0

FortiSwitch OS (FortiLink support):
  • 3.6.2 and later

FortiController:
  • 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C.

FortiSandbox:
  • 2.3.3 and later

Fortinet Single Sign-On (FSSO):
  • 5.0 build 0264 and later (needed for FSSO agent support OU in group filters)
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Standard
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008 R2 64-bit
  • Windows Server 2012 Standard
  • Windows Server 2012 R2 Standard
  • Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender:
  • 3.2.1 and later

See FortiExtender support.

AV Engine:
  • 5.247

IPS Engine:
  • 3.442

Virtualization Environments

Citrix:
  • XenServer version 5.6 Service Pack 2
  • XenServer version 6.0 and later

Linux KVM:
  • RHEL 7.1/Ubuntu 12.04 and later
  • CentOS 6.4 (qemu 0.12.1) and later

Microsoft:
  • Hyper-V Server 2008 R2, 2012, and 2012 R2

Open Source:
  • XenServer version 3.4.3
  • XenServer version 4.1 and later

VMware:
  • ESX versions 4.0 and 4.1
  • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV: The following NIC chipset cards are supported:
  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installers for the supported operating systems.

Operating system and installers

Operating System:
  • Linux CentOS 6.5 / 7 (32-bit & 64-bit)
  • Linux Ubuntu 16.04

Installer: 2334. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Microsoft Windows 7 SP1 (32-bit & 64-bit) and Microsoft Windows 8 / 8.1 (32-bit & 64-bit):
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59

Microsoft Windows 10 (64-bit):
  • Microsoft Edge
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit):
  • Mozilla Firefox version 54

Mac OS 10.11.1:
  • Apple Safari version 9
  • Mozilla Firefox version 54
  • Google Chrome version 59

iOS:
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome

Android:
  • Mozilla Firefox
  • Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

It is recommended to verify the accuracy of the GUID for the software you are using for SSL VPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.

After verifying GUIDs, you can update GUIDs in FortiOS using this command:

config vpn ssl web host-check-software

Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.

The GUIDs in this example are only for AVG Internet Security 2017 on Windows 7 and Windows 10. The GUIDs might be different for other versions of the software and other operating systems.

To update GUIDs in FortiOS:

  1. Use the config vpn ssl web host-check-software command to edit the AVG-Internet-Security-AV variable to set the following GUID for AVG Internet Security 2017: 4D41356F-32AD-7C42-C820-63775EE4F413.
  2. Edit the AVG-Internet-Security-FW variable to set the following GUID: 757AB44A-78C2-7D1A-E37F-CA42A037B368.

 

Resolved Issues

The following issues have been fixed in version 5.6.3. For inquiries about a particular bug, please contact Customer Service & Support.

Application Control

Bug ID Description
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.

DLP

Bug ID Description
435283 block-page-status-code doesn’t work for HTTP status code of DLP replacement message.
454112 HIBUN file with *.exe extension is detected as exe file.

DNS Filter

Bug ID Description
438834 DNS filter blocks access when rating error occurs, even with allow request on rating error enabled.

FIPS-CC

Bug ID Description
440307 Wildcard certificate support/handling for SAN/CN reference identifiers.

Firewall

Bug ID Description
449195 DNAT not working for SCTP -Multi-homing Traffic.

FortiCarrier

Bug ID Description
415496 GTPU sanity drop by gtp-in-gtp checking if GTPU payload has kind of invalid UDP header (IP fragment case).
445321 GTP, 2 cases of protocol anomaly drops to review (status=prohibited).

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.
445373 For 802.1X, FortiSwitch port disappeared after upgrading FortiGate from 5.6.0 to 5.6.1 with 802.1X enabled without security-group/user-group.

GUI

Bug ID Description
365378 Cannot assign ha-mgmt-interface IP address in the same subnet as other port from the GUI.
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.
403146 Slow GUI Policy tab with more than 600 policies.
409100 Edit admin/user, enable FortiToken mobile, or click send activation email before saving sends empty activation code.
412401 Incorrect throughput reading in GUI-System-HA page.
450919 IPS sensor with >= 8192 signature entries should not be created from GUI.

HA

Bug ID Description
412652 Unexpected behavior seen when one cluster unit has a monitored port down and another cluster unit has ping server issues.
436585 Issues with different hardware generation when operating in a HA cluster.
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
442085 After HA failover, the new master unit uses an OSPF MD5 authentication encryption sequence that is lower than the previous sequence number.
442663 No NTP sync and feature license invalid at backup device in FGSP cluster.
442907 Admin password expiry calculation is 1 sec. different on master and slave which causes HA to be out of sync for about 20 mins.
449147 No security database update on slave unit in FGSP environment.
452052 vcluster2’s VMAC on VLAN Interface is not persistent after vcluster1 fails over.
452715 ha-mgmt-interface on slave unit is overwritten when backed up and restored.
454347 Ping server penalties are taken into account even when they are not configured in HA settings anymore.
455513 Management VDOMs I/F address on slave is lost or sync’ed with Master’s.

IPsec VPN

Bug ID Description
401847 Half of IPsec tunnels traffic lost 26 minutes after power on a spare 1500D.
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.
441267 FortiGate static remote-gateway can change if peer sends ESP traffic with different IP address.
442671 Set broadcast-forward enable not working for IPsec interface.
445657 FortiOS Traffic Selector narrowing accepts wrong proposal.

Log & Report

Bug ID Description
422901 Power disruption message when logging with prof_admin.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.
443001 Export log field descriptions for documentation.

Proxy

Bug ID Description
403140 Improve filtering capabilities of LDAP search Explicit Proxy with Kerberos authentication.
435332 Keepalive Exempted HTTPs traffic keeps on kernel and proxy.
441284 www.nieporet.pl website loads very slowly in proxy mode when AV is applied.
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.
442328 Replacement message image fails to load.
443870 Incorrect extended master secret (EMS) handling in proxy mode deep-inspection causes SSL connection failure.
444257 After Upgrading from 1466 to 1484 GA, SSL Deep Inspection breaks for many SSL sites using Chrome.
445312 tcp-timewait-timer does not have any effect when WAD is running.
445374 Proxies should preserve DSCP flags.
447274 Specific web page fails to load when proxy-based AV profile is enabled on Explicit web proxy policy.

Routing

Bug ID Description
441506 BGP Aggregate address results in blackhole for incoming traffic.

Security Fabric

Bug ID Description
409156 In Security Fabric Audit, the unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions.

SSL VPN

Bug ID Description
412850 SSL VPN portal redirect fails with a Javascript error.
443203 In SSL VPN web mode, RDP quick connect fails with domain\username format credentials via NLA.

System

Bug ID Description
278660 FGT-AWSONDEMAND is unable to handle FortiCare registration
290708 nturbo may not support CAPWAP traffic.
393006 NPU offloading causes issues with Arista.
404119 FSSO is not enabled when FSSO policy was created.
411415 Update FortiOS API to remove IPS sessions in parallel with firewall sessions.
414811 Restore NIC offload capabilities on FortiGate KVM VM.
420568 fclicense daemon has several signal 11 crashes.
422413 Use API monitor to get data for FortiToken list page.
423332 Merge Top3 “Improve GTP Performance” to 5.6 and 5.8.
423508 Traffic from CAPWAP is not offloading on NP6 FortiGate.
437195 GTE – PDP update request should update the associated tunnel even when two TEID’s are the same.
437589 Slow throughput on 1000D between 10G and 1G interfaces.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
440412 Added SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
440564 After clicking the DHCP renew button, the GUI page doesn’t refresh.
440850 Latency noticed with port pair when MAC address flapping between port pair members.
440923 The FortiGate interface DHCP client does not work properly in some situations.
441269 3600C memory leak due to IKED.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.
442300 FGT5HD kernel panic on 5.6.0-build 1449.
443019 After running for some time, the FG-30E console keep printing memory leak error messages.
444090 Cannot get SNMP values for NP6 counters.
451456 Support DHCP Option 82 on FortiGate DHCP relay – rfc3046.
454939 Virtual-wire-pair config is lost after reboot when using at least one VXLAN interface as member.

Wireless

Bug ID Description
414606 CAPWAP encapsulated DNS traffic not forwarded back to IPsec tunnel.
421239 Tunnel mode SSID not working when FortiAP managed through IPsec VPN with NP6 offloading enabled.
437949 Split tunnel enhancement: set split-tunneling-acl-path [tunnel | local].

Common Vulnerabilities and Exposures

Bug ID Description
442365 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
  • 2017-7738

Visit https://fortiguard.com/psirt for more information.

446892 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
  • 2017-13077
  • 2017-13078
  • 2017-13079
  • 2017-13080
  • 2017-13081

Visit https://fortiguard.com/psirt for more information.

452384 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
  • 2017-14185

Visit https://fortiguard.com/psirt for more information.

452730 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
  • 2017-14186

Visit https://fortiguard.com/psirt for more information.

453971 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
  • 2017-14187

Visit https://fortiguard.com/psirt for more information.

456392 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
  • 2017-13077

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.6.3. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
448247 Traffic-shaper in shaping policy does not work for a specific application category such as P2P.

Authentication

Bug ID Description
460229 Existing terminal server sessions overridden with the last TS user that logged in.

AV

Bug ID Description
446204 The filename of character in Korean shows mismatch encoding type in GUI.

FIPS-CC

Bug ID Description
463211 When alarm is enabled in FIPS mode, the console hangs and the getty process uses very high CPU usage.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiGate 500D

Bug ID Description
403449 FortiGate 500D has some issue with FINISAR transceiver.
Bug ID Description
356174 FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374844 Should show ipv6 address when set ipv6 mode to pppoe/dhcp on GUI > Network > Interfaces.

375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 HA with FortiLink traffic loss – no virtual MAC.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to FortiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable in a hidden way.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

462080 FG-300E reboots with kernel panic errors.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drill down a auth-failed wifi client entry in “Failed Authentication” could not display detail logs when CSF enabled.
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
422413 Use API monitor to get data for FortiToken list page.
422901 Power disruption message when logging with prof_admin.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
445113 IPS engine 3.428 on Fortigate sometimes cannot detect Psiphon packets that iscan can detect.
446756 Guest user print template can’t display pictures while printing.
451776 Admin GUI has limit of 10 characters for OTP.
459904 Rogue AP Monitor does not show the Name of the AP in the Detected By column.
Bug ID Description
443418 User is not listed in quarantine list in case block duration value is set long enough.
450693 ERR_SSL_PROTOCOL_ERROR when deep scan enabled along with IPS in policy.

HA

Bug ID Description
441078 The time duration of packet-transporting process stops to pre-master node after HA failover takes too long.
455284 sshd daemon not started when just allowed ssh option on ha-mgmt-interface.
457554 FortiGate does not send syslog after ha-mgmt-interface link goes down and then up.
457877 Packets dropped with TNS session-helper enabled on FGSP cluster.
458320 Cluster uptime was not consistent.
461731 HA dedicated management port settings are modified and unreachable after restoring the configuration backup.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is sync’ed.

IPS Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.

Proxy

Bug ID Description
454185 Specific application does not work when deep inspection is enabled.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
441068 SSL VPN unable to connect in tunnel mode, seeing multiple stale sessions for the same user.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 ssh-dss may not work on FGT-VM-LENC.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
450389 IPv6 problem with neighbor-cache.
451456 DHCP Option 82 on FortiGate DHCP relay – rfc3046.
457096 FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
459273 Slave worker blade loses local administrator accounts.

VM

Bug ID Description
441129 Certify FortiGate-VMX v5.6 with NSX v6.3 and vSphere v6.5.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD
  • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
