Example: users on an internal network connecting to FTP servers on the Internet through the explicit FTP proxy with RADIUS authentication and virus scanning
This example describes how to configure the explicit FTP proxy for the example network shown below. Users on the internal network connect to the explicit FTP proxy through the Internal interface, which has IP address 10.31.101.100. The explicit FTP proxy is configured to listen on port 2121, so to reach an FTP server on the Internet users must first connect to the proxy at IP address 10.31.101.100, port 2121.
Example explicit FTP proxy network topology
In this example, explicit FTP proxy users must authenticate with a RADIUS server before getting access to the proxy. To apply authentication, the security policy that accepts explicit FTP proxy traffic includes an identity-based policy that applies per-session authentication to explicit FTP proxy users and references a user group containing the RADIUS server. The identity-based policy also applies UTM virus scanning and DLP.
General configuration steps
This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:
1. Enable the explicit FTP proxy and change the FTP port to 2121.
2. Enable the explicit FTP proxy on the internal interface.
3. Add a RADIUS server and user group for the explicit FTP proxy.
4. Add a user identity security policy for the explicit FTP proxy.
5. Enable antivirus and DLP features for the identity-based policy.
Configuring the explicit FTP proxy – web-based manager
Use the following steps to configure the explicit FTP proxy from FortiGate web-based manager.
To enable and configure the explicit FTP proxy
1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options and change the following settings:
Enable Explicit FTP Proxy: Select
Listen on Interface: No change. This field will eventually show that the explicit FTP proxy is enabled for the Internal interface.
FTP Port: 2121
Default Firewall Policy Action: Deny
2. Select Apply.
To enable the explicit FTP proxy on the Internal interface
1. Go to Network > Interfaces, edit the Internal interface and select Enable Explicit FTP Proxy.
To add a RADIUS server and user group for the explicit FTP proxy
1. Go to User & Device > RADIUS Servers.
2. Select Create New to add a new RADIUS server:
Name: RADIUS_1
Primary Server Name/IP: 10.31.101.200
Primary Server Secret: RADIUS_server_secret
3. Go to User & Device > User Groups and select Create New:
Name: Explicit_proxy_user_group
Type: Firewall
Remote groups: RADIUS_1
Group Name: ANY
4. Select OK.
To add a security policy for the explicit FTP proxy
1. Go to Policy & Objects > Addresses and select Create New.
2. Add a firewall address for the internal network:
Address Name: Internal_subnet
Type: Subnet
Subnet / IP Range: 10.31.101.0/24
Interface: Any
3. Go to Policy & Objects > Explicit Proxy Policy and select Create New.
4. Configure the explicit FTP proxy security policy:
Explicit Proxy Type: FTP
Source Address: Internal_subnet
Outgoing Interface: wan1
Destination Address: all
Action: AUTHENTICATE
5. Under Configure Authentication Rules select Create New to add an authentication rule:
Groups: Explicit_proxy_user_group
Users: Leave blank
Schedule: always
6. Turn on Antivirus and Web Filter and select the default profiles for both.
7. Select the default proxy options profile.
8. Select OK.
9. Make sure Enable IP Based Authentication is not selected and Default Authentication Method is set to Basic.
10. Select OK.
Configuring the explicit FTP proxy – CLI
Use the following steps to configure the example explicit FTP proxy configuration from the CLI.
To enable and configure the explicit FTP proxy
1. Enter the following command to enable the explicit FTP proxy, set the TCP port on which the proxy accepts FTP connections to 2121, and deny any session that does not match an explicit proxy policy:
config ftp-proxy explicit
    set status enable
    set incoming-port 2121
    set sec-default-action deny
end
To enable the explicit FTP proxy on the Internal interface
1. Enter the following command to enable the explicit FTP proxy on the internal interface.
config system interface
    edit internal
        set explicit-ftp-proxy enable
    next
end
To add a RADIUS server and user group for the explicit FTP proxy
1. Enter the following command to add a RADIUS server:
config user radius
    edit RADIUS_1
        set server 10.31.101.200
        set secret RADIUS_server_secret
    next
end
2. Enter the following command to add a user group for the RADIUS server.
config user group
    edit Explicit_proxy_user_group
        set group-type firewall
        set member RADIUS_1
    next
end
To add a security policy for the explicit FTP proxy
1. Enter the following command to add a firewall address for the internal subnet:
config firewall address
    edit Internal_subnet
        set type subnet
        set subnet 10.31.101.0 255.255.255.0
    next
end
2. Enter the following command to add the explicit FTP proxy security policy:
config firewall explicit-proxy-policy
    edit 0
        set proxy ftp
        set dstintf wan1
        set srcaddr Internal_subnet
        set dstaddr all
        set action accept
        set identity-based enable
        set ipbased disable
        set active-auth-method basic
        config identity-based-policy
            edit 0
                set groups Explicit_proxy_user_group
                set schedule always
                set utm-status enable
                set av-profile default
                set profile-protocol-options default
            next
        end
    next
end
Testing and troubleshooting the configuration
You can use the following steps to verify that the explicit FTP proxy configuration is working as expected. These steps use a command line FTP client.
To test the explicit FTP proxy configuration
1. From a system on the internal network start an FTP client and enter the following command to connect to the FTP
proxy:
ftp 10.31.101.100
The explicit FTP proxy should respond with a message similar to the following:
Connected to 10.31.101.100.
220 Welcome to Fortigate FTP proxy
Name (10.31.101.100:user):
2. At the prompt enter a valid username and password for the RADIUS server followed by a user name for an FTP server on the Internet and the address of the FTP server. For example, if a valid username and password on the RADIUS server is ex_name and ex_pass and you attempt to connect to an FTP server at ftp.example.com with user name s_name, enter the following at the prompt:
Name (10.31.101.100:user):ex_name:ex_pass:s_name@ftp.example.com
3. You should be prompted for the password for the account on the FTP server.
4. Enter the password and you should be able to connect to the FTP server.
5. Attempt to explore the FTP server file system and download or upload files.
6. To test UTM functionality, attempt to upload or download an EICAR test file, or upload or download a text file containing text that would be matched by the DLP sensor.
For EICAR test files, go to http://eicar.org.
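The login dialogue described in the testing procedure above, as an added example that is not part of the original page or of FortiOS: a Python script that builds and parses the proxy's composite USER argument (radius_user:radius_pass:ftp_user@ftp_host), runs a minimal stand-in proxy on localhost that mimics only the banner and the USER/PASS/QUIT exchange, and logs in through it with ftplib the same way the ftp(1) client does. The RADIUS user, the upstream FTP account, the passwords and the 530 reply wordings are constructed for the example; a real FortiGate replies with its own text. It also makes the security caveat visible: the RADIUS password travels in cleartext inside the USER command on the FTP control channel, so the proxy should only be reachable from the internal network, as the policy above restricts it.

```python
"""Login format of the FortiGate explicit FTP proxy, exercised against a
minimal stand-in proxy on localhost (added example; not Fortinet code)."""
import socketserver
import threading
from ftplib import FTP, error_perm

# Banner as shown in the testing procedure above.
PROXY_BANNER = "220 Welcome to Fortigate FTP proxy"

# Constructed stand-ins (assumptions, not real accounts): the RADIUS users the
# proxy authenticates, and the accounts on upstream FTP servers it connects to.
RADIUS_USERS = {"ex_name": "ex_pass"}
FTP_ACCOUNTS = {("ftp.example.com", "s_name"): "s_pass"}


def build_proxy_login(radius_user, radius_pass, ftp_user, ftp_host):
    """Compose the USER argument the proxy expects:
    <radius_user>:<radius_pass>:<ftp_user>@<ftp_host>.
    The RADIUS password rides in cleartext on the FTP control channel."""
    for part in (radius_user, radius_pass, ftp_user):
        if ":" in part or "@" in part:
            raise ValueError("':' and '@' are delimiters and cannot appear in %r" % part)
    return "%s:%s:%s@%s" % (radius_user, radius_pass, ftp_user, ftp_host)


def parse_proxy_login(user_arg):
    """Split a USER argument back into (radius_user, radius_pass, ftp_user, ftp_host)."""
    creds, at, ftp_host = user_arg.rpartition("@")
    parts = creds.split(":")
    if not at or not ftp_host or len(parts) != 3 or not all(parts):
        raise ValueError("malformed proxy login: %r" % user_arg)
    return parts[0], parts[1], parts[2], ftp_host


class FakeProxyHandler(socketserver.StreamRequestHandler):
    """Speaks just enough FTP to mimic the proxy's two-stage login dialogue."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply(PROXY_BANNER)
        target = None  # (ftp_host, ftp_user) once the RADIUS check has passed
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                target = None
                try:
                    r_user, r_pass, f_user, f_host = parse_proxy_login(arg)
                except ValueError:
                    self.reply("530 Login incorrect.")
                    continue
                # The proxy credential is checked first; a bad one never
                # results in a connection to the upstream server.
                if RADIUS_USERS.get(r_user) != r_pass:
                    self.reply("530 Proxy authentication failed.")
                    continue
                target = (f_host, f_user)
                self.reply("331 Password required for %s." % f_user)
            elif cmd == "PASS":
                if target is not None and FTP_ACCOUNTS.get(target) == arg:
                    self.reply("230 Login successful.")
                else:
                    self.reply("530 Login incorrect.")
                target = None
            elif cmd == "QUIT":
                self.reply("221 Goodbye.")
                return
            else:
                self.reply("502 Command not implemented.")


def start_fake_proxy():
    """Start the stand-in proxy on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeProxyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def login_through_proxy(proxy_host, proxy_port, radius_user, radius_pass,
                        ftp_user, ftp_host, ftp_pass):
    """Connect to the proxy as the ftp(1) test above does and attempt the
    two-stage login. Returns (banner, ok, last_reply)."""
    ftp = FTP()
    banner = ftp.connect(proxy_host, proxy_port, timeout=5)
    try:
        reply = ftp.login(build_proxy_login(radius_user, radius_pass, ftp_user, ftp_host), ftp_pass)
        return banner, True, reply
    except error_perm as exc:  # 530 from either stage
        return banner, False, str(exc)
    finally:
        ftp.quit()


if __name__ == "__main__":
    srv, port = start_fake_proxy()
    try:
        print(login_through_proxy("127.0.0.1", port, "ex_name", "ex_pass",
                                  "s_name", "ftp.example.com", "s_pass"))
        print(login_through_proxy("127.0.0.1", port, "ex_name", "wrong",
                                  "s_name", "ftp.example.com", "s_pass"))
    finally:
        srv.shutdown()
        srv.server_close()
```

Run it directly to see one successful login and one RADIUS failure; the failure is reported at the USER stage, before the FTP server password is ever sent.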
FortiOS 5.2.10 Release Notes
Introduction
This document provides the following information for FortiOS 5.2.10 build 0742:
- Special Notices
- Upgrade Information
- Product Integration and Support
- Resolved Issues
- Known Issues
- Limitations
See the Fortinet Document Library for FortiOS documentation.
Supported models
FortiOS 5.2.10 supports the following models.
FortiGate | FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C, FG-60C, FG-60C-SFP, FG-60C-POE, FG-60D, FG-60D-3G4G-VZW, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FGT-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C, FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300C, FG-300D, FG-310B, FG-310B-DC, FG-311B, FG-400D, FG-500D, FG-620B, FG-620B-DC, FG-621B, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3040B, FG-3140B, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-3950B, FG-3951B
FortiWiFi | FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D-3G4G-VZW, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D
FortiGate Rugged | FGR-60D, FGR-100C
FortiGate VM | FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN
FortiSwitch | FS-5203B
FortiOS Carrier | FCR-3950B and FCR-5001B. FortiOS Carrier 5.2.10 images are delivered upon request and are not available on the customer support firmware download page. FortiOS Carrier firmware image file names begin with FK.
The following models are released on a special branch based off of FortiOS 5.2.10. As such, the System > Dashboard > Status page and the output from the get system status CLI command displays the build number.
To confirm that you are running the proper build, the output from the get system status CLI command has a branch point field that should read 0742.
Last Release of Software
Due to device flash size limitations, the following FortiGate models' last software release will be FortiOS version 5.2.5. These devices have already entered their End-of-Life cycle. Further details and exact dates can be found on the Fortinet Customer Support portal:
Affected Products:
- FortiGate FG-3016B
- FortiGate FG-3810A
- FortiGate FG-5001A SW & DW
- FortiCarrier FK-3810A
- FortiCarrier FK-5001A SW & DW
Special Notices
Local report customization removed
Local report customization has been removed from FortiOS 5.2. You can still record and view local reports, but you can no longer customize their appearance. For more control over customizing local reports, you can use FortiAnalyzer or FortiCloud.
Compatibility with FortiOS versions
The following units have a new WiFi module built-in that is not compatible with FortiOS 5.2.1 and lower. It is recommended to use FortiOS 5.2.2 and later for these units.
Affected models
Model | Part Number |
FWF-60CX-ADSL | PN: 8918-04 and later |
The following units have a memory compatibility issue with FortiOS 5.2.1 and lower. It is recommended to use FortiOS 5.2.2 and later for these units.
Affected models
Model | Part Number |
FG-600C | PN: 8908-08 and later |
FG-600C-DC | PN: 10743-08 and later |
FG-600C-LENC | PN: 11317-07 and later |
Removed WANOPT, NETSCAN, FEXP features from USB-A
The following features have been removed from the FortiGate and FortiWiFi 80C, 80CM, and 81CM:
- WAN Optimization
- Vulnerability scanning
- Using FortiExplorer on a smartphone to manage the device by connecting to the USB-A port
Router Prefix Sanity Check
Prior to FortiOS 5.2.4, under config router prefix-list, if any le or ge setting has the same prefix length as the prefix itself, that prefix rule may be lost after upgrading to FortiOS 5.2.4 or later.
WAN Optimization in FortiOS 5.2.4
In FortiOS 5.2.4:
- If your FortiGate does not have a hard disk, WAN Optimization is not available.
- If your FortiGate has a hard disk, you can configure WAN Optimization from the CLI.
- If your FortiGate has two hard disks, you can configure WAN Optimization from the GUI.
See the FortiOS 5.2.4 Feature Platform Matrix to check the availability for your FortiGate model.
Built-In Certificate
FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate with a 2048-bit key and use DH group 14.
FortiGate-92D High Availability in Interface Mode
The FortiGate-92D may fail to form an HA cluster and experience a spanning tree loop if it is configured with the following:
- operating in interface mode
- at least one of the interfaces, for example interface9, is used as the HA heartbeat interface
- a second interface is connected to an external switch
Workaround: use either WAN1 or WAN2 as the HA heartbeat device.
Default log setting change
For FG-5000 blades and the FG-3900 series, the log disk is disabled by default and can only be enabled via the CLI. For all 2U and 3U models (FG-3600/FG-3700/FG-3800), the log disk is also disabled by default. For all 1U models and desktop models that support a SATA disk, the log disk is enabled by default.
FG-5001D operating in FortiController or Dual FortiController mode
When upgrading a FG-5001D operating in FortiController or dual FortiController mode from version 5.0.7 (B4625) to FortiOS version 5.2.3, you may experience a back-plane interface connection issue. This is due to a change to the ELBC interface mapping ID. After the upgrade, you will need to perform a factory reset and then re-configure the device.
FortiGate units running 5.2.10
FortiGate units running 5.2.10 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit, even after a retrieve and re-import policy.
For the latest information, see the FortiManager and FortiOS Compatibility.
Firewall services
Downgrading from 5.2.3 to 5.2.2 may cause the default protocol number in the firewall services to change. Double check your configuration after downgrading to 5.2.2.
FortiPresence
For FortiPresence users, it is recommended to change the FortiGate web administration TLS versions in order to allow the connection:
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end
Note that this setting is global: it re-enables TLS 1.0 and 1.1 for every client of the administrative HTTPS interface, not only for FortiPresence.
SSL VPN setting page
The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate VMs, which remain at the self-signed option. For details on importing a CA-signed certificate, please see the How to purchase and import a signed SSL certificate document.
Upgrade Information
Upgrading from FortiOS 5.2.8 or later
FortiOS version 5.2.10 officially supports upgrade from version 5.2.8 or later.
Upgrading from FortiOS 5.0.13 or later
FortiOS version 5.2.10 officially supports upgrade from version 5.0.13 or later.
When upgrading from a firmware version other than those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.
There is a separate version of the guide describing the safest upgrade path to the latest patch of each supported firmware version. To upgrade to this build, see FortiOS 5.2 Supported Upgrade Paths.
Web filter log options change from disabled to enabled after upgrade
After upgrading from FortiOS 5.0.12 or 5.0.14 to FortiOS 5.2.10, all log options for web filter change from disabled to enabled, except the log-all-url option.
Downgrading to previous firmware versions
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
- operation mode
- interface IP/management IP
- static route table
- DNS settings
- VDOM parameters/settings
- admin user account
- session helpers
- system access profiles.
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix XenServer and Open Source XenServer
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
- .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.
Linux KVM
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.
Microsoft Hyper-V
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains a .vhd file in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.
VMware ESX and ESXi
- .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.
Firmware image checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
Product Integration and Support
FortiOS 5.2.10 support
The following table lists 5.2.10 product integration and support information:
Product | Supported versions
Web Browsers | Microsoft Internet Explorer version 11; Mozilla Firefox version 42; Google Chrome version 46; Apple Safari version 7.0 (for Mac OS X). Other web browsers may function correctly, but are not supported by Fortinet.
Explicit Web Proxy Browser | Microsoft Internet Explorer versions 8, 9, 10, and 11; Mozilla Firefox version 27; Apple Safari version 6.0 (for Mac OS X); Google Chrome version 34. Other web browsers may function correctly, but are not supported by Fortinet.
FortiManager | For the latest information, see the FortiManager and FortiOS Compatibility. You should upgrade your FortiManager prior to upgrading the FortiGate.
FortiAnalyzer | For the latest information, see the FortiAnalyzer and FortiOS Compatibility. You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.
FortiClient Microsoft Windows and FortiClient Mac OS X | 5.4.0 and later; 5.2.5 and later
FortiClient iOS | 5.4.1; 5.2.2 and later
FortiClient Android and FortiClient VPN Android | 5.2.8; 5.2.7
FortiAP | 5.2.5 and later; 5.0.10. You should verify what the current recommended FortiAP version is for your FortiAP prior to upgrading the FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the OS Version column you will see a message reading "A recommended update is available" for any FortiAP that is running an earlier version than what is recommended.
FortiSwitch OS (FortiLink support) | 3.4.2 build 0192. Supported models: all FortiSwitch D models.
FortiSwitch-ATCA | 5.0.3 and later. Supported models: FS-5003A, FS-5003B
FortiController | 5.2.0 and later (supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C); 5.0.3 and later (supported model: FCTL-5103B)
FortiSandbox | 2.2.1; 2.1.0
Fortinet Single Sign-On (FSSO) | 5.0 build 0254 (needed for FSSO agent support of OU in group filters): Windows Server 2008 (64-bit), Windows Server 2008 R2 64-bit, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, Novell eDirectory 8.8. 4.3 build 0164 (contact Support for download): Windows Server 2003 R2 (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Server 2008 R2 64-bit, Windows Server 2012 Standard Edition, Windows Server 2012 R2, Novell eDirectory 8.8. FSSO does not currently support IPv6.
FortiExplorer | 2.6 build 1083 and later. Some FortiGate models may be supported on specific FortiExplorer versions.
FortiExplorer iOS | 1.0.6 build 0130 and later. Some FortiGate models may be supported on specific FortiExplorer iOS versions.
FortiExtender | 3.0.0 build 0069; 2.0.0 build 0003 and later
AV Engine | 5.177
IPS Engine | 3.174
Virtualization Environments:
Citrix | XenServer version 5.6 Service Pack 2; XenServer version 6.0 and later
Linux KVM | RHEL 7.1/Ubuntu 12.04 and later; CentOS 6.4 (qemu 0.12.1) and later
Microsoft | Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source | XenServer version 3.4.3; XenServer version 4.1 and later
VMware | ESX versions 4.0 and 4.1; ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0
Language support
The following table lists language support information.
SSL VPN support
SSL VPN standalone client
The following table lists SSL VPN tunnel client standalone installer for the following operating systems.
Operating System | Web Browser
Microsoft Windows 7 SP1 (32-bit) | Microsoft Internet Explorer versions 9, 10 and 11; Mozilla Firefox version 33
Microsoft Windows 7 SP1 (64-bit) | Microsoft Internet Explorer versions 9, 10, and 11; Mozilla Firefox version 33
Microsoft Windows 8/8.1 (32-bit/64-bit) | Microsoft Internet Explorer versions 10 and 11; Mozilla Firefox 42
Mac OS 10.9 | Safari 7
Linux CentOS version 5.6 | Mozilla Firefox version 5.6
Linux Ubuntu version 12.0.4 | Mozilla Firefox version 5.6
Operating system and installers
Operating System | Installer
Microsoft Windows XP SP3 (32-bit); Microsoft Windows 7 (32-bit & 64-bit); Microsoft Windows 8 (32-bit & 64-bit); Microsoft Windows 8.1 (32-bit & 64-bit) | 2328
Microsoft Windows 10 (32-bit & 64-bit) | 2329
Linux CentOS 6.5 (32-bit & 64-bit); Linux Ubuntu 12.0.4 (32-bit & 64-bit) | 2328
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) | 2328
Other operating systems may function correctly, but are not supported by Fortinet.
SSL VPN web mode
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Supported operating systems and web browsers
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
SSL VPN host compatibility list
The following table lists the antivirus and firewall client software packages that are supported.
Supported Microsoft Windows XP antivirus and firewall software
Product | Antivirus | Firewall
Symantec Endpoint Protection 11 | Yes | Yes
Kaspersky Antivirus 2009 | Yes | -
McAfee Security Center 8.1 | Yes | Yes
Trend Micro Internet Security Pro | Yes | Yes
F-Secure Internet Security 2009 | Yes | Yes
Supported Microsoft Windows 7 32-bit antivirus and firewall software
Product | Antivirus | Firewall
CA Internet Security Suite Plus Software | Yes | Yes
AVG Internet Security 2011 | - | -
F-Secure Internet Security 2011 | Yes | Yes
Kaspersky Internet Security 2011 | Yes | Yes
McAfee Internet Security 2011 | Yes | Yes
Norton 360™ Version 4.0 | Yes | Yes
Norton™ Internet Security 2011 | Yes | Yes
Panda Internet Security 2011 | Yes | Yes
Sophos Security Suite | Yes | Yes
Trend Micro Titanium Internet Security | Yes | Yes
ZoneAlarm Security Suite | Yes | Yes
Symantec Endpoint Protection Small Business Edition 12.0 | Yes | Yes
Resolved Issues
The following issues have been fixed in version 5.2.10. For inquiries about a particular bug, please contact Customer Service & Support.
FortiAP
Bug ID | Description |
381602 | AUSTRALIA should use region code N |
FortiGate 1500D
Bug ID | Description
386683 | FG-1500D kernel panics after roughly 24 hours of uptime
FSSO
Bug ID | Description
386021 | FSSO local poller fails on some X86 32 platform
FortiSwitch
Bug ID | Description
376375 | FortiSwitch with B0181 (v3.4.1) can be discovered, but may be unable to obtain the IP address and be successfully authorized
AV
Bug ID | Description
389464 | Flow-AV failed to detect eicar file if ssl-exempt entries exceed 140
384520 | Chunk decoding causes segmentation fault because of incorrect pointer calculation
FOC
Bug ID | Description
382343 | GTPv2 Create-Session-Response message with non-accepted Cause value should be allowed, even if the mandatory IE Bearer-Context is missing
GUI
Bug ID | Description |
388759 | Can’t view interface list via VDOM |
290997 | Missing Enable IPsec Interface Mode from GUI for pof_admin when VDOM enabled |
389417 | Cannot display firewall policies from GUI in VDOM root |
370360 | VDOM read-only admin can view super admin and other higher privilege admin’s password hash via REST API and direct URL |
292210 | Error 174 when changing administrator’s profile |
363546 | Error 500 when saving urlfilter list with 4900 entries |
385482 | GUI is loading indefinitely when accessing a “none” access web page from custom admin profile |
HA
Bug ID | Description |
385999 | Log backup of execute backup disk xxx feature does not work fine on HA master unit |
387212 | HA gets out of sync frequently and hasync becomes zombie |
389861 | SNMP query for fgHaStatsSyncStatus on slave unit reports master as unsynchronized "0"
275426 | Re-sync can’t be triggered when rebooting master and making some configuration changes on slave |
367158 | FortiGate HA configuration failed to sync issue with fsso-polling |
IPS
Bug ID | Description |
392045 | Update the default built-in IPS engine in FOS 5.2 |
IPsec VPN
Bug ID | Description |
391038 | Memory leak discovered with valgrind in IKEv2 |
380629 | fnbamd matches wrong peer corresponding to a phase1 associated to a different IPSEC local-gw |
376135 | DHCP process is crashing when more than 1500+ users connect via dial up IPsec VPN with DHCP over IPsec feature enabled. |
387677 | NP2 not offloading IPsec VPN traffic |
Kernel
Bug ID | Description |
395515 | ICMP unreachable message processing causes high CPU usage in kernel and DHCP daemon |
Log/Report
Bug ID | Description |
385659 | Make value of local-in-deny setting keep consistent with the value from previous build after upgrade |
280894 | Remove GUI support for report customization and add feature store option for local reporting |
380611, 385115 | Miglogd constantly crashing after upgrade to 5.2.8
373221 | Can’t clear log disk |
Router
Bug ID | Description |
391240 | BGP UPDATES without NEXT_HOP |
SSL VPN
Bug ID | Description |
385274, 388657 | Upgrade OpenSSL to 1.0.2j
371933 | Unable to connect to SMB server that supports only NTLMv2 |
System
Bug ID | Description |
287871 | Administrative HTTPS and SSLVPN access using second WAN interface does not work after upgrade to 5.2.9 |
388032 | Corrupted packets may cause malfunction of NP6, which causes NP ports to be unable to accept and forward traffic. Affected models: All NP6 platforms. |
386876 | Update geoip database to version 1.055(20161004) |
276843 | XG2 aggregate get very poor performance after enable npu-cascade-cluster |
385897 | The time, date and time are displayed differently in log |
387675 | ARP-Reply packets drops in NP6 |
389194 | End of Daylight Savings (DST) timezone Turkey/Istanbul GMT +3 |
390088 | Contract registration should accept characters |
370151 | CPU doesn’t remove dirty flag when returns session back to NP6 |
378207 | authd process running high CPU when only RSSO logging is configured |
369372 | With low latency mode on NP6 unit enabled, only first 2 packets are correctly processed by FortiGate |
389398 | Can’t find xitem. Drop the response in dhcp relay debug |
382996 | Redundant type of interfaces are changing to aggregate after VDOM configuration restored |
388603 | After reassembling fragmented UDP packet, the s/d port become 0 |
376144 | FortiManager failed to change FortiGate HA slave to master |
283952 | VLAN interface Rx bytes statistics higher than underlying aggregate interface |
294198 | Console prints out NP6: No lacp_trunk interface |
Tablesize
Bug ID | Description |
390053 | Increase firewall.schedule limits on higher end |
User
Bug ID | Description |
373031 | Unable to view FortiToken CD (FTK211) on FortiGate WebUI |
294983 | Radius Accounting do not follow use-management-vdom enable setting in Radius |
374494 | Tacacs+ Test button does not use set source-ip x.x.x.x |
VM
Bug ID | Description |
272438 | During the boot-up sequence, the FortiGate-VM device may encounter a harmless configuration error message |
VoIP
Bug ID | Description |
382315 | SIP re-invites causing excessive memory consumption in imd |
WebProxy
Bug ID | Description |
371991 | YouTube_Video.Play is not recognized with HTTPS in Application control Override |
384581 | Explicit Proxy Signing Certificate for replacement pages resets to default |
387083 | Constant Proxyworker crash with signal 8 |
304561 | Proxyworker crashes on SMTP spamfilter |
278318 | only the first interface can work on web-proxy policy |
Known Issues
The following issues have been identified in version 5.2.10. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.
Anti-spam
Bug ID | Description |
374283 | Spamfilter does not leave Anti-Spam log for the exempted traffic by bwl matching. |
Application Control
Bug ID | Description |
273910 | RTSP/RTP packets may not be forwarded if UTM (IPS and AppCtrl) is enabled. |
FortiGate 3810D
Bug ID | Description |
285429 | Traffic may not be able to go through the NPU VDOM link with traffic shaper enabled on FortiGate-3810D in TP mode.
FortiGate 3815D
Bug ID | Description |
385860 | FGT-3815D does not support 1GE SFP transceivers. |
FortiSandbox
Bug ID | Description |
273244 | On the FortiGate device in FortiView > FortiSandbox, the analysis result may show a pending status and the FortiCloud side may show an unknown status. |
269830 | The UTM log may incorrectly report a file that has been sent to FortiSandbox. FortiView > FortiSandbox may still show files are submitted even after the daily upload quota has been reached. |
VoIP
Bug ID | Description |
272278 | SIP calls may be denied when using a combination of SIP ALG, IPS, and AppCtrl. |
GUI
Bug ID | Description |
310930 | LDAP browser in LDAP-group-GUI may not respect group filter from LDAP server. |
286226 | Users may not be able to create new address objects from the Firewall Policy. |
285813 | When navigating FortiView > Application some security action filters may not work. |
278638 | Explicit policy may be automatically reset to log security events. |
271113 | When creating an id_based policy with SSL enabled, and the set gui-multipleutm disable is applied, an Entry not found error message may appear. |
268346 | All sessions: filter application, threat, and threat type, may not work as expected |
246546 | Adding an override application signature may cause all category settings to be lost. |
215890 | Local-category status display may not change after running unset category-override in the CLI. |
System
Bug ID | Description |
302272 | Medium type may be shown incorrectly on shared ports. |
285981 | Adding more than eight members to LACP get np6_lacp_add_slave may result in an error. |
285520 | On NP4 platforms, TCP traffic may not be able to be offloaded in the decryption direction. |
263864 | When the interface is configured with Auto-Speed, FG-3240C NP4 Port 1G may stay down after reboot. Workaround: Set the interface speed to 1000/Full.
Webfilter
Bug ID | Description |
380119 | Webfilter static URL filter blocks additional domains with similar names. |
378277 | YouTube header injection (replacement for YouTube for Schools) was deleted. |
284661 | If the requested URL has port number, the URL filter may not block properly. |
WiFi
Bug ID | Description |
267904 | If the client is connecting to an SSID with WPA-Enterprise and User-group, it may not be able to pass the traffic policy. |
355335 | SSID may stop broadcasting. |
Limitations
Citrix XenServer limitations
The following limitations apply to Citrix XenServer installations:
- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
- XVA (recommended), VHD, OVF
- The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.
Open Source XenServer limitations
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, import issues may arise when using the QCOW2 format, in addition to existing HDA issues.
Change of FortiGuard Filtering Port to mitigate Internet link flaps
I have a friend that has some FortiGates at his business. I have been helping him troubleshoot some random WAN1 port flapping issues. Well, after doing some research and looking through the documentation I found the below from Fortinet. Guess what internet provider he uses…..you’re right….COMCRAP….I mean, Comcast.
Some modems, Comcast for example, are known to drop the network connection or reboot if they receive non-DNS traffic on UDP port 53, which is the well-known DNS port but is also used to connect to the FortiGuard service.
An example of log messages that can be observed in logs on FortiGate is shown below:
date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
Note that the Link Monitor feature does not need to be configured; this log message appears each time the physical link is lost.
This cause can be confirmed by connecting a switch between the FortiGate and a modem.
If the switch has logging functionality then the interface facing the FortiGate will be stable while the interface connected to a modem will be flapping.
The workaround is to use port 8888 for FortiGuard. This can be changed from GUI or CLI.
GUI
System > FortiGuard > Filtering
Select 8888 as “FortiGuard Filtering Port”
CLI
config system fortiguard
set port 8888
end
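As an added example, not part of the post or of Fortinet's knowledge base text: the following Python script parses FortiGate key=value event logs of the form quoted above, counts interface-stat-change events per interface inside a sliding window to flag a flapping link, and reads the FortiGuard port out of a configuration dump to confirm the workaround was applied. Apart from the two log lines from the post, the log lines, the configuration fragments and the 10-minute/3-event thresholds are constructed; it assumes the FortiOS default FortiGuard port of 53 when the setting is absent from the dump.

```python
"""Flag WAN link flapping from FortiGate event logs and check the FortiGuard
port in a configuration dump. Added example; not from the post or from
Fortinet. Assumes the key=value event-log format quoted above; all sample
lines other than the two from the post are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value tokens; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_IFACE = re.compile(r"Interface (\S+) was turned (up|down)")


def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {k: q or u for k, q, u in _KV.findall(line)}


def link_flaps(lines, window=timedelta(minutes=10), min_events=3):
    """Count interface up/down transitions per interface inside a sliding
    window and return {interface: most events seen in any one window} for
    interfaces that reach min_events. Link Monitor need not be configured:
    action=interface-stat-change is logged on every physical link change."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("action") != "interface-stat-change":
            continue
        m = _IFACE.search(rec.get("msg", ""))
        if not m:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events[m.group(1)].append(ts)
    result = {}
    for iface, stamps in events.items():
        stamps.sort()
        worst, j = 0, 0
        for i, start in enumerate(stamps):
            # advance the window end past every event within `window` of `start`
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            worst = max(worst, j - i)
        if worst >= min_events:
            result[iface] = worst
    return result


def fortiguard_port(config_text, default=53):
    """Return the FortiGuard port from the 'config system fortiguard' block of
    a FortiOS configuration dump (assumed default of 53 when not set)."""
    block = re.search(r"config system fortiguard\n(.*?)\nend", config_text, re.S)
    if not block:
        return default
    m = re.search(r"^\s*set port (\d+)\s*$", block.group(1), re.M)
    return int(m.group(1)) if m else default


# Two lines from the post plus constructed lines: two more wan1 transitions,
# a single wan2 event, and an unrelated event that the parser must skip.
SAMPLE_LOG = """\
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:15:02 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=17:15:06 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:40:11 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan2 was turned down"
date=2099-05-03 time=17:12:48 type=event subtype=system level=notice vd="root" logdesc="Admin login" action=login status=success msg="Administrator admin logged in from https(10.0.0.5)"
"""

# Constructed configuration fragments: port left at its default, and the workaround.
CONFIG_DEFAULT = "config system global\n    set hostname FGT\nend\nconfig system fortiguard\n    set antispam-cache enable\nend\n"
CONFIG_FIXED = "config system fortiguard\n    set port 8888\nend\n"

if __name__ == "__main__":
    print(link_flaps(SAMPLE_LOG.splitlines()))
    print(fortiguard_port(CONFIG_DEFAULT), fortiguard_port(CONFIG_FIXED))
```

Run against a FortiGate's exported event log (and `show system fortiguard` output) to separate a genuinely flapping WAN port from a one-off link loss before changing the port.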