Category Archives: Fortinet

Example users on an internal network connecting to FTP servers on the Internet through the explicit FTP with RADIUS authentication and virus scanning

This example describes how to configure the explicit FTP proxy for the example network shown below. In this example, users on the internal network connect to the explicit FTP proxy through the Internal interface with IP address 10.31.101.100. The explicit FTP proxy is configured to use port 2121, so to connect to an FTP server on the Internet users must first connect to the explicit FTP proxy using IP address 10.31.101.100 and port 2121.

 

Example explicit FTP proxy network topology

In this example, explicit FTP proxy users must authenticate with a RADIUS server before getting access to the proxy. To apply authentication, the security policy that accepts explicit FTP proxy traffic includes an identity-based policy that applies per-session authentication to explicit FTP proxy users and includes a user group with the RADIUS server in it. The identity-based policy also applies UTM virus scanning and DLP.

 

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

1. Enable the explicit FTP proxy and change the FTP port to 2121.

2. Enable the explicit FTP proxy on the internal interface.

3. Add a RADIUS server and user group for the explicit FTP proxy.

4. Add a user identity security policy for the explicit FTP proxy.

5. Enable antivirus and DLP features for the identity-based policy.

 

Configuring the explicit FTP proxy – web-based manager

Use the following steps to configure the explicit FTP proxy from FortiGate web-based manager.

 

To enable and configure the explicit FTP proxy

1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options and change the following settings:

 

Enable Explicit FTP Proxy         Select.

Listen on Interface               No change. This field will eventually show that the explicit FTP proxy is enabled for the Internal interface.

FTP Port                          2121

Default Firewall Policy Action    Deny

2. Select Apply.

 

To enable the explicit FTP proxy on the Internal interface

1. Go to Network > Interfaces, edit the Internal interface and select Enable Explicit FTP Proxy.

 

To add a RADIUS server and user group for the explicit FTP proxy

1. Go to User & Device > RADIUS Servers.

2. Select Create New to add a new RADIUS server:

 

Name                                           RADIUS_1

Primary Server Name/IP           10.31.101.200

Primary Server Secret              RADIUS_server_secret

3. Go to User > User > User Groups and select Create New.

 

Name                                           Explicit_proxy_user_group

Type                                            Firewall

Remote groups                         RADIUS_1

Group Name                              ANY

4. Select OK.

 

To add a security policy for the explicit FTP proxy

1. Go to Policy & Objects > Addresses and select Create New.

2. Add a firewall address for the internal network:

 

Address Name                           Internal_subnet

Type                                            Subnet

Subnet / IP Range                     10.31.101.0

Interface                                     Any

3. Go to Policy & Objects > Explicit Proxy Policy and select Create New.

4. Configure the explicit FTP proxy security policy.

 

Explicit Proxy Type                  FTP

Source Address                        Internal_subnet

Outgoing Interface                   wan1

Destination Address                 all

Action                                         AUTHENTICATE

5. Under Configure Authentication Rules select Create New to add an authentication rule:

 

Groups                                       Explicit_proxy_user_group

Users                                          Leave blank

Schedule                                    always

6. Turn on Antivirus and Web Filter and select the default profiles for both.

7. Select the default proxy options profile.

8. Select OK.

9. Make sure Enable IP Based Authentication is not selected and Default Authentication Method is set to Basic.

10. Select OK.

 

Configuring the explicit FTP proxy – CLI

Use the following steps to configure the example explicit FTP proxy configuration from the CLI.

 

 

To enable and configure the explicit FTP proxy

1. Enter the following command to enable the explicit FTP proxy and set the TCP port that the proxy accepts FTP connections on to 2121.

config ftp-proxy explicit
    set status enable
    set incoming-port 2121
    set sec-default-action deny
end

 

To enable the explicit FTP proxy on the Internal interface

1. Enter the following command to enable the explicit FTP proxy on the internal interface.

config system interface
    edit internal
        set explicit-ftp-proxy enable
    next
end

 

To add a RADIUS server and user group for the explicit FTP proxy

1. Enter the following command to add a RADIUS server:

config user radius
    edit RADIUS_1
        set server 10.31.101.200
        set secret RADIUS_server_secret
    next
end

2. Enter the following command to add a user group for the RADIUS server.

config user group
    edit Explicit_proxy_user_group
        set group-type firewall
        set member RADIUS_1
    next
end

 

To add a security policy for the explicit FTP proxy

1. Enter the following command to add a firewall address for the internal subnet:

config firewall address
    edit Internal_subnet
        set type iprange
        set start-ip 10.31.101.1
        set end-ip 10.31.101.255
    next
end

2. Enter the following command to add the explicit FTP proxy security policy:

config firewall explicit-proxy-policy
    edit 0
        set proxy ftp
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set identity-based enable
        set ipbased disable
        set active-auth-method basic
        config identity-based-policy
            edit 0
                set groups Explicit_proxy_user_group
                set schedule always
                set utm-status enable
                set av-profile default
                set profile-protocol-options default
            next
        end
    next
end

 

Testing and troubleshooting the configuration

You can use the following steps to verify that the explicit FTP proxy configuration is working as expected. These steps use a command line FTP client.

 

To test the explicit FTP proxy configuration

1. From a system on the internal network, start an FTP client and enter the following command to connect to the FTP proxy:

ftp 10.31.101.100

The explicit FTP proxy should respond with a message similar to the following:

Connected to 10.31.101.100.

220 Welcome to Fortigate FTP proxy

Name (10.31.101.100:user):

2. At the prompt enter a valid username and password for the RADIUS server followed by a user name for an FTP server on the Internet and the address of the FTP server. For example, if a valid username and password on the RADIUS server is ex_name and ex_pass and you attempt to connect to an FTP server at ftp.example.com with user name s_name, enter the following at the prompt:

Name (10.31.101.100:user):ex_name:ex_pass:s_name@ftp.example.com

3. You should be prompted for the password for the account on the FTP server.

4. Enter the password and you should be able to connect to the FTP server.

5. Attempt to explore the FTP server file system and download or upload files.

 

6. To test UTM functionality, attempt to upload or download an EICAR test file, or upload or download a text file containing text that would be matched by the DLP sensor.

 

For EICAR test files, go to http://eicar.org.
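To make the login exchange in the testing steps concrete, here is an added Python example (not code from the Fortinet document): a loopback simulation of how the proxy consumes the compound USER argument, and an ftplib client that logs in with the radius_user:radius_pass:ftp_user@ftp_host form from step 2. The simulated RADIUS user table, every reply text other than the 220 banner, and the assumption in parse_proxy_user that the RADIUS credentials contain no ':' are constructed; proxy_login pointed at 10.31.101.100 port 2121 runs the same client against the real proxy.

```python
import socket
import threading
from ftplib import FTP, error_perm

# Constructed stand-in for the users RADIUS_1 would accept; the real proxy asks the RADIUS server.
RADIUS_USERS = {"ex_name": "ex_pass"}
BANNER = b"220 Welcome to Fortigate FTP proxy\r\n"  # banner text as shown on the page


def parse_proxy_user(user_arg):
    """Split the compound USER argument the explicit FTP proxy expects:
    radius_user:radius_pass:ftp_user@ftp_host.  Assumption (not from the page):
    the RADIUS username and password contain no ':'; the FTP username may contain '@'."""
    try:
        radius_user, radius_pass, target = user_arg.split(":", 2)
        ftp_user, ftp_host = target.rsplit("@", 1)
    except ValueError:
        return None
    if not all((radius_user, radius_pass, ftp_user, ftp_host)):
        return None
    return radius_user, radius_pass, ftp_user, ftp_host


def handle_session(conn):
    """One proxy control session: proxy credentials arrive in USER; the PASS that
    follows belongs to the remote FTP server (this simulation never contacts it)."""
    rfile = conn.makefile("rb")
    conn.sendall(BANNER)
    target = None
    while True:
        line = rfile.readline()
        if not line:
            break
        cmd, _, arg = line.decode("utf-8", "replace").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            parsed = parse_proxy_user(arg)
            if parsed is None:
                conn.sendall(b"501 Expected radius_user:radius_pass:ftp_user@ftp_host\r\n")
            elif RADIUS_USERS.get(parsed[0]) != parsed[1]:
                # Per-session authentication failed: the session never reaches the Internet.
                conn.sendall(b"530 Proxy authentication failed\r\n")
            else:
                target = parsed[2:]
                conn.sendall(b"331 Password required for " + parsed[2].encode() + b"\r\n")
        elif cmd == "PASS":
            if target is None:
                conn.sendall(b"503 Send USER first\r\n")
            else:
                conn.sendall(b"230 Logged in to " + target[1].encode()
                             + b" as " + target[0].encode() + b"\r\n")
        elif cmd == "QUIT":
            conn.sendall(b"221 Goodbye\r\n")
            break
        else:
            conn.sendall(b"502 Not implemented in this simulation\r\n")
    conn.close()


def start_simulated_proxy():
    """Listen on an ephemeral loopback port; returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle_session, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def proxy_login(host, port, radius_user, radius_pass, ftp_user, ftp_host, ftp_pass):
    """Client side of the exchange from the testing steps; returns (banner, final reply)."""
    ftp = FTP()
    ftp.connect(host, port, timeout=5)
    banner = ftp.getwelcome()
    compound_user = f"{radius_user}:{radius_pass}:{ftp_user}@{ftp_host}"
    try:
        reply = ftp.login(user=compound_user, passwd=ftp_pass)
        ftp.quit()
    except error_perm as exc:  # 5xx reply, e.g. the proxy rejecting the RADIUS credentials
        reply = str(exc)
        ftp.close()
    return banner, reply


def demo():
    """Run a successful and a rejected login against the simulated proxy."""
    srv, port = start_simulated_proxy()
    try:
        good = proxy_login("127.0.0.1", port, "ex_name", "ex_pass", "s_name", "ftp.example.com", "s_pass")
        bad = proxy_login("127.0.0.1", port, "ex_name", "guess", "s_name", "ftp.example.com", "s_pass")
    finally:
        srv.close()
    return good, bad


if __name__ == "__main__":
    for label, (banner, reply) in zip(("valid", "invalid"), demo()):
        print(f"{label}: {banner!r} -> {reply!r}")
```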

FortiOS 5.2.10 Release Notes

Introduction

This document provides the following information for FortiOS 5.2.10 build 0742:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.2.10 supports the following models.

FortiGate: FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C, FG-60C, FG-60C-SFP, FG-60C-POE, FG-60D, FG-60D-3G4G-VZW, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FGT-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C, FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300C, FG-300D, FG-310B, FG-310B-DC, FG-311B, FG-400D, FG-500D, FG-620B, FG-620B-DC, FG-621B, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3040B, FG-3140B, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-3950B, FG-3951B

FortiWiFi: FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D-3G4G-VZW, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-60D, FGR-100C

FortiGate VM: FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN

FortiSwitch: FS-5203B

FortiOS Carrier: FCR-3950B and FCR-5001B

FortiOS Carrier 5.2.10 images are delivered upon request and are not available on the customer support firmware download page.

FortiOS Carrier firmware image file names begin with FK.


The following models are released on a special branch based off FortiOS 5.2.10. As such, the System > Dashboard > Status page and the output of the get system status CLI command display that branch's build number:

 

FGT-VM64-AWS/AWSONDEMAND    Released on build 9428.
FGT-VM64-AZURE              Released on build 5817.

To confirm that you are running the proper build, the output from the get system status CLI command has a branch point field that should read 0742.

Last Release of Software

Due to device flash size limitations, the last software release for the following FortiGate models will be FortiOS version 5.2.5. Note that these devices have already entered their End-of-Life cycle. Further details and exact dates can be found on the Fortinet Customer Support portal:

Affected Products:

  • FortiGate FG-3016B
  • FortiGate FG-3810A
  • FortiGate FG-5001A SW & DW
  • FortiCarrier FK-3810A
  • FortiCarrier FK-5001A SW & DW

Special Notices

Local report customization removed

Local report customization has been removed from FortiOS 5.2. You can still record and view local reports, but you can no longer customize their appearance. For more control over customizing local reports, you can use FortiAnalyzer or FortiCloud.

Compatibility with FortiOS versions

The following units have a new WiFi module built-in that is not compatible with FortiOS 5.2.1 and lower. It is recommended to use FortiOS 5.2.2 and later for these units.

Affected models

Model Part Number
FWF-60CX-ADSL PN: 8918-04 and later

The following units have a memory compatibility issue with FortiOS 5.2.1 and lower. It is recommended to use FortiOS 5.2.2 and later for these units.

Affected models

Model Part Number
FG-600C PN: 8908-08 and later
FG-600C-DC PN: 10743-08 and later
FG-600C-LENC PN: 11317-07 and later

Removed WANOPT, NETSCAN, FEXP features from USB-A

The following features have been removed from the FortiGate and FortiWiFi 80C, 80CM, and 81CM:

  • WAN Optimization
  • Vulnerability scanning
  • Using FortiExplorer on a smartphone to manage the device by connecting to the USB-A port

Router Prefix Sanity Check

Prior to FortiOS 5.2.4 under the config router prefix table, if there are any le and ge settings that have the same prefix length as the prefix, you may lose the prefix rule after upgrading to FortiOS 5.2.4 or later.

WAN Optimization in FortiOS 5.2.4

In FortiOS 5.2.4:

  • If your FortiGate does not have a hard disk, WAN Optimization is not available.
  • If your FortiGate has a hard disk, you can configure WAN Optimization from the CLI.
  • If your FortiGate has two hard disks, you can configure WAN Optimization from the GUI.

See the FortiOS 5.2.4 Feature Platform Matrix to check the availability for your FortiGate model.

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit certificate with DH group 14.

FortiGate-92D High Availability in Interface Mode

The FortiGate-92D may fail to form an HA cluster and experience a spanning tree loop if it is configured with the following:

  • operating in interface mode
  • at least one of the interfaces, for example interface9, is used as the HA heartbeat interface
  • a second interface is connected to an external switch

Workaround: use either WAN1 or WAN2 as the HA heartbeat device.

Default log setting change

For FG-5000 blades and FG-3900 series, the log disk is disabled by default. It can only be enabled via the CLI. For all 2U and 3U models (FG-3600/FG-3700/FG-3800), the log disk is also disabled by default. For all 1U models and desktop models that support a SATA disk, the log disk is enabled by default.

FG-5001D operating in FortiController or Dual FortiController mode

When upgrading a FG-5001D operating in FortiController or dual FortiController mode from version 5.0.7 (B4625) to FortiOS version 5.2.3, you may experience a back-plane interface connection issue. This is due to a change to the ELBC interface mapping ID. After the upgrade, you will need to perform a factory reset and then re-configure the device.

FortiGate units running 5.2.10

FortiGate units running 5.2.10 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

For the latest information, see the FortiManager and FortiOS Compatibility.

Firewall services

Downgrading from 5.2.3 to 5.2.2 may cause the default protocol number in the firewall services to change. Double check your configuration after downgrading to 5.2.2.

FortiPresence

For FortiPresence users, it is recommended to change the FortiGate web administration TLS version in order to allow the connection.

config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

Upgrade Information

Upgrading from FortiOS 5.2.8 or later

FortiOS version 5.2.10 officially supports upgrade from version 5.2.8 or later.

Upgrading from FortiOS 5.0.13 or later

FortiOS version 5.2.10 officially supports upgrade from version 5.0.13 or later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each supported firmware version. To upgrade to this build, see FortiOS 5.2 Supported Upgrade Paths.

Web filter log options change from disabled to enabled after upgrade

After upgrading from FortiOS 5.0.12 or 5.0.14 to FortiOS 5.2.10, all log options for web filter change from disabled to enabled, except the log-all-url option.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles.

 

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.2.10 support

The following table lists 5.2.10 product integration and support information:

Web Browsers
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 42
  • Google Chrome version 46
  • Apple Safari version 7.0 (for Mac OS X)
  Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Internet Explorer versions 8, 9, 10, and 11
  • Mozilla Firefox version 27
  • Apple Safari version 6.0 (for Mac OS X)
  • Google Chrome version 34
  Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager
  For the latest information, see the FortiManager and FortiOS Compatibility.
  You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer
  For the latest information, see the FortiAnalyzer and FortiOS Compatibility.
  You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X
  • 5.4.0 and later
  • 5.2.5 and later

FortiClient iOS
  • 5.4.1
  • 5.2.2 and later

FortiClient Android and FortiClient VPN Android
  • 5.2.8
  • 5.2.7

FortiAP
  • 5.2.5 and later
  • 5.0.10
  You should verify what the current recommended FortiAP version is for your FortiAP prior to upgrading the FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the OS Version column you will see a message reading A recommended update is available for any FortiAP that is running an earlier version than what is recommended.

FortiSwitch OS (FortiLink support)
  • 3.4.2 build 0192
  Supported models: all FortiSwitch D models.

FortiSwitch-ATCA
  • 5.0.3 and later
  Supported models: FS-5003A, FS-5003B

FortiController
  • 5.2.0 and later. Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
  • 5.0.3 and later. Supported model: FCTL-5103B

FortiSandbox
  • 2.2.1
  • 2.1.0

Fortinet Single Sign-On (FSSO)
  • 5.0 build 0254 (needed for FSSO agent support OU in group filters)
    • Windows Server 2008 (64-bit)
    • Windows Server 2008 R2 64-bit
    • Windows Server 2012 Standard
    • Windows Server 2012 R2 Standard
    • Novell eDirectory 8.8
  • 4.3 build 0164 (contact Support for download)
    • Windows Server 2003 R2 (32-bit and 64-bit)
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows Server 2008 R2 64-bit
    • Windows Server 2012 Standard Edition
    • Windows Server 2012 R2
    • Novell eDirectory 8.8
  FSSO does not currently support IPv6.

FortiExplorer
  • 2.6 build 1083 and later
  Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS
  • 1.0.6 build 0130 and later
  Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender
  • 3.0.0 build 0069
  • 2.0.0 build 0003 and later

AV Engine
  • 5.177

IPS Engine
  • 3.174

Virtualization Environments
  Citrix
    • XenServer version 5.6 Service Pack 2
    • XenServer version 6.0 and later
  Linux KVM
    • RHEL 7.1/Ubuntu 12.04 and later
    • CentOS 6.4 (qemu 0.12.1) and later
  Microsoft
    • Hyper-V Server 2008 R2, 2012, and 2012 R2
  Open Source
    • XenServer version 3.4.3
    • XenServer version 4.1 and later
  VMware
    • ESX versions 4.0 and 4.1
    • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0

Language support

The following table lists language support information.

 

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installers for the following operating systems.

Operating System   Web Browser
Microsoft Windows 7 SP1 (32-bit)   Microsoft Internet Explorer versions 9, 10 and 11 Mozilla Firefox version 33
Microsoft Windows 7 SP1 (64-bit)   Microsoft Internet Explorer versions 9, 10, and 11 Mozilla Firefox version 33
Microsoft Windows 8/8.1 (32-bit/64-bit)   Microsoft Internet Explorer versions 10 and 11 Mozilla Firefox 42
Mac OS 10.9   Safari 7
Linux CentOS version 5.6   Mozilla Firefox version 5.6
Linux Ubuntu version 12.0.4   Mozilla Firefox version 5.6

Operating system and installers

Operating System                                         Installer
Microsoft Windows XP SP3 (32-bit)                        2328
Microsoft Windows 7 (32-bit & 64-bit)                    2328
Microsoft Windows 8 (32-bit & 64-bit)                    2328
Microsoft Windows 8.1 (32-bit & 64-bit)                  2328
Microsoft Windows 10 (32-bit & 64-bit)                   2329
Linux CentOS 6.5 (32-bit & 64-bit)                       2328
Linux Ubuntu 12.0.4 (32-bit & 64-bit)                    2328
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit)     2328

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product                                                   Antivirus   Firewall
Symantec Endpoint Protection 11                           ✓           ✓
Kaspersky Antivirus 2009                                  ✓           -
McAfee Security Center 8.1                                ✓           ✓
Trend Micro Internet Security Pro                         ✓           ✓
F-Secure Internet Security 2009                           ✓           ✓

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product                                                   Antivirus   Firewall
CA Internet Security Suite Plus Software                  ✓           ✓
AVG Internet Security 2011                                -           -
F-Secure Internet Security 2011                           ✓           ✓
Kaspersky Internet Security 2011                          ✓           ✓
McAfee Internet Security 2011                             ✓           ✓
Norton 360™ Version 4.0                                   ✓           ✓
Norton™ Internet Security 2011                            ✓           ✓
Panda Internet Security 2011                              ✓           ✓
Sophos Security Suite                                     ✓           ✓
Trend Micro Titanium Internet Security                    ✓           ✓
ZoneAlarm Security Suite                                  ✓           ✓
Symantec Endpoint Protection Small Business Edition 12.0  ✓           ✓

 

Resolved Issues

The following issues have been fixed in version 5.2.10. For inquiries about a particular bug, please contact Customer Service & Support.

FortiAP

Bug ID Description
381602 AUSTRALIA should use region code N

FortiGate 1500D

Bug ID Description
386683 FG-1500D kernel panics after roughly 24 hours of uptime
FSSO

Bug ID Description
386021 FSSO local poller fails on some X86 32 platform

FortiSwitch

Bug ID Description
376375 FortiSwitch with B0181 (v3.4.1) can be discovered, but may be unable to obtain the IP address and be successfully authorized

AV

Bug ID Description
389464 Flow-AV failed to detect eicar file if ssl-exempt entries exceed 140
384520 Chunk decoding causes segmentation fault because of incorrect pointer calculation

FOC

Bug ID Description
382343 GTPv2 Create-Session-Response message with non-accepted Cause value should be allowed, even if the mandatory IE Bearer-Context is missing

GUI

Bug ID Description
388759 Can’t view interface list via VDOM
290997 Missing Enable IPsec Interface Mode from GUI for pof_admin when VDOM enabled
389417 Cannot display firewall policies from GUI in VDOM root
370360 VDOM read-only admin can view super admin and other higher privilege admin’s password hash via REST API and direct URL
292210 Error 174 when changing administrator’s profile
363546 Error 500 when saving urlfilter list with 4900 entries
385482 GUI is loading indefinitely when accessing a “none” access web page from custom admin profile

HA

Bug ID Description
385999 Log backup of execute backup disk xxx feature does not work fine on HA master unit
387212 HA gets out of sync frequently and hasync becomes zombie
389861 SNMP query for fgHaStatsSyncStatus on slave unit reports master as unsynchronized "0"

275426 Re-sync can’t be triggered when rebooting master and making some configuration changes on slave
367158 FortiGate HA configuration failed to sync issue with fsso-polling

IPS

Bug ID Description
392045 Update the default built-in IPS engine in FOS 5.2

IPsec VPN

Bug ID Description
391038 Memory leak discovered with valgrind in IKEv2
380629 fnbamd matches wrong peer corresponding to a phase1 associated to a different IPSEC local-gw
376135 DHCP process is crashing when more than 1500+ users connect via dial up IPsec VPN with DHCP over IPsec feature enabled.
387677 NP2 not offloading IPsec VPN traffic

Kernel

Bug ID Description
395515 ICMP unreachable message processing causes high CPU usage in kernel and DHCP daemon

Log/Report

Bug ID Description
385659 Make value of local-in-deny setting keep consistent with the value from previous build after upgrade
280894 Remove GUI support for report customization and add feature store option for local reporting
380611, 385115 Miglogd constantly crashing after upgrade to 5.2.8
373221 Can’t clear log disk

Router

Bug ID Description
391240 BGP UPDATES without NEXT_HOP

SSL VPN

Bug ID Description
385274, 388657 Upgrade OpenSSL to 1.0.2j
371933 Unable to connect to SMB server that supports only NTLMv2

System

Bug ID Description
287871 Administrative HTTPS and SSLVPN access using second WAN interface does not work after upgrade to 5.2.9
388032 Corrupted packets may cause malfunction of NP6, which causes NP ports to be unable to accept and forward traffic. Affected models: All NP6 platforms.
386876 Update geoip database to version 1.055(20161004)
276843 XG2 aggregate get very poor performance after enable npu-cascade-cluster
385897 The time, date and time are displayed differently in log
387675 ARP-Reply packets drops in NP6
389194 End of Daylight Savings (DST) timezone Turkey/Istanbul GMT +3
390088 Contract registration should accept characters
370151 CPU doesn’t remove dirty flag when returns session back to NP6
378207 authd process running high CPU when only RSSO logging is configured
369372 With low latency mode on NP6 unit enabled, only first 2 packets are correctly processed by FortiGate
389398 Can’t find xitem. Drop the response in dhcp relay debug
382996 Redundant type of interfaces are changing to aggregate after VDOM configuration restored
388603 After reassembling fragmented UDP packet, the s/d port become 0
376144 FortiManager failed to change FortiGate HA slave to master
283952 VLAN interface Rx bytes statistics higher than underlying aggregate interface
294198 Console prints out NP6: No lacp_trunk interface

Tablesize

Bug ID Description
390053 Increase firewall.schedule limits on higher end

User

Bug ID Description
373031 Unable to view FortiToken CD (FTK211) on FortiGate WebUI
294983 Radius Accounting do not follow use-management-vdom enable setting in Radius
374494 Tacacs+ Test button does not use set source-ip x.x.x.x

VM

Bug ID Description
272438 During the boot-up sequence, the FortiGate-VM device may encounter a harmless configuration error message

VoIP

Bug ID Description
382315 SIP re-invites causing excessive memory consumption in imd

WebProxy

Bug ID Description
371991 YouTube_Video.Play is not recognized with HTTPS in Application control Override
384581 Explicit Proxy Signing Certificate for replacement pages resets to default
387083 Constant Proxyworker crash with signal 8
304561 Proxyworker crashes on SMTP spamfilter
278318 only the first interface can work on web-proxy policy

 

Known Issues

The following issues have been identified in version 5.2.10. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti-spam

Bug ID Description
374283 Spamfilter does not leave Anti-Spam log for the exempted traffic by bwl matching.

Application Control

Bug ID Description
273910 RTSP/RTP packets may not be forwarded if UTM (IPS and AppCtrl) is enabled.

FortiGate 3810D

Bug ID Description
285429 Traffic may not be able to go through the NPU VDOM link with traffic shaper enabled on FortiGate-3810D TP mode.

FortiGate 3815D

Bug ID Description
385860 FGT-3815D does not support 1GE SFP transceivers.

FortiSandbox

Bug ID Description
273244 On the FortiGate device in FortiView > FortiSandbox, the analysis result may show a pending status and the FortiCloud side may show an unknown status.
269830 The UTM log may incorrectly report a file that has been sent to FortiSandbox. FortiView > FortiSandbox may still show files are submitted even after the daily upload quota has been reached.

VoIP

Bug ID Description
272278 SIP calls may be denied when using a combination of SIP ALG, IPS, and AppCtrl.

GUI

Bug ID Description
310930 LDAP browser in LDAP-group-GUI may not respect group filter from LDAP server.
286226 Users may not be able to create new address objects from the Firewall Policy.
285813 When navigating FortiView > Application some security action filters may not work.
278638 Explicit policy may be automatically reset to log security events.
271113 When creating an id_based policy with SSL enabled, and the set gui-multipleutm disable is applied, an Entry not found error message may appear.
268346 All sessions: filter application, threat, and threat type, may not work as expected
246546 Adding an override application signature may cause all category settings to be lost.
215890 Local-category status display may not change after running unset category-override in the CLI.

System

Bug ID Description
302272 Medium type may be shown incorrectly on shared ports.
285981 Adding more than eight members to LACP get np6_lacp_add_slave may result in an error.
285520 On NP4 platforms, TCP traffic may not be able to be offloaded in the decryption direction.
263864 When the interface is configured with Auto-Speed, FG-3240C NP4 Port 1G may stay down after reboot.

Workaround: Set the interface speed to 1000/Full.

Webfilter

Bug ID Description
380119 Webfilter static URL filter blocks additional domains with similar names.
378277 YouTube header injection (replacement for YouTube for Schools) was deleted.
284661 If the requested URL has port number, the URL filter may not block properly.

WiFi

Bug ID Description
267904 If the client is connecting to an SSID with WPA-Enterprise and User-group, it may not be able to pass the traffic policy.
355335 SSID may stop broadcasting.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

Change of FortiGuard Filtering Port to mitigate Internet link flaps

I have a friend that has some FortiGates at his business. I have been helping him troubleshoot some random WAN1 port flapping issues. Well, after doing some research and looking through the documentation I found the below from Fortinet. Guess what internet provider he uses…..you’re right….COMCRAP….I mean, Comcast.

Some modems, Comcast for example, are known to drop the network connection or reboot if they receive non-DNS traffic on UDP port 53, which is the well-known DNS port but is also used to connect to the FortiGuard service.

An example of log messages that can be observed in logs on FortiGate is shown below:

date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"

Note that the Link Monitor feature does not need to be configured; this log message appears each time the physical link is lost.

This cause can be confirmed by connecting a switch between the FortiGate and a modem.

If the switch has logging functionality then the interface facing the FortiGate will be stable while the interface connected to a modem will be flapping.

The workaround is to use port 8888 for FortiGuard.  This can be changed from GUI or CLI.

GUI

System > FortiGuard > Filtering

Select 8888 as “FortiGuard Filtering Port”

CLI

config system fortiguard
    set port 8888
end
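As an added example (not from the post or from Fortinet): a Python detector that turns the interface-stat-change events shown above into a link-down count per interface over a sliding window, so the flapping symptom can be confirmed from exported FortiGate event logs before the FortiGuard port is changed. The sample log lines, their timestamps, the unrelated event's logid, and the 10-minute/3-event threshold are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export in the format shown above (timestamps made up; the
# unrelated last line uses a placeholder logid). Like the page's excerpt, the
# lines are newest-first, which interface_events() handles by sorting.
SAMPLE_LOG = """\
date=2099-05-03 time=17:19:33 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:19:30 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=17:15:05 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:15:02 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=16:40:04 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan2 was turned up"
date=2099-05-03 time=16:40:00 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan2 was turned down"
date=2099-05-03 time=16:00:00 logid=0000000000 type=event subtype=system level=notice vd="root" logdesc="Constructed unrelated event" msg="placeholder line that must be ignored"
"""

# FortiGate log lines are space-separated key=value pairs; values with spaces are quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IFACE_RE = re.compile(r"Interface (\S+) was turned (up|down)")


def parse_line(line):
    """Parse one key=value log line into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def interface_events(log_text):
    """Extract (timestamp, interface, state) from interface-stat-change events,
    sorted oldest first regardless of the order the lines were exported in."""
    events = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("action") != "interface-stat-change":
            continue
        match = IFACE_RE.search(fields.get("msg", ""))
        if not match:
            continue
        ts = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, match.group(1), match.group(2)))
    events.sort()
    return events


def flapping_interfaces(events, window=timedelta(minutes=10), min_downs=3):
    """Sliding-window count of link-down events per interface. Returns
    {interface: most downs seen inside any window} for interfaces reaching min_downs."""
    downs_by_iface = {}
    for ts, iface, state in events:
        if state == "down":
            downs_by_iface.setdefault(iface, []).append(ts)
    flapping = {}
    for iface, downs in downs_by_iface.items():
        start, worst = 0, 0
        for end in range(len(downs)):
            while downs[end] - downs[start] > window:
                start += 1  # slide the window forward past downs that are too old
            worst = max(worst, end - start + 1)
        if worst >= min_downs:
            flapping[iface] = worst
    return flapping


if __name__ == "__main__":
    for iface, count in flapping_interfaces(interface_events(SAMPLE_LOG)).items():
        print(f"{iface}: {count} link-down events within 10 minutes; "
              f"check whether the modem sees FortiGuard traffic on UDP/53 (see workaround above)")
```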