Category Archives: Release Notes

What’s New in AV Engine 5.355

What’s New in AV Engine 5.355

New features

  • Support for opening ACE, ISO, and CRX compression formats. l New Content Disarm and Reconstruction (CDR) feature. l Script checksum support for HTML files.
  • Support for hidden zlib files in Object Linking and Embedding (OLE) content. l New scan timeout control framework.

Enhancements

  • Content Pattern Recognition Language (CPRL) signature runtime performance improvements. l Win32 emulator optimization. l APK and ZIP decompression optimization. l Accelerated checksum calculation.
  • File typing supports more file types including Dotnet, CHM, Mach-O, DMG and XAR, and RTF. l Script file typing improvements.

AV Engine for FortiOS and FortiAP-S Release Notes                                                                                             5

Fortinet Technologies Inc.

Fortinet Product Support                                                                                         Product Integration and Support

Product Integration and Support

Fortinet Product Support

The following table lists AV engine product integration and support information:

FortiOS 5.4.0 and later

5.6.0 and later

FortiAP-S 5.4.0 and later

5.6.0 and later

6                                                                                             AV Engine for FortiOS and FortiAP-S Release Notes

Fortinet Technologies Inc.

Resolved Issues                                                                                                                                   AV engine

Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquires about a particular bug, please contact Customer Service & Support.

AV engine

Bug ID Description
453487 Add support for gzip files with flag’s reserved bits set
453982 Apply more signatures on RTF files.
413069 Fixed a crash in the JS emulator.
421545 Fixed a signature loading failure bug on FortiOS SOC3 platforms.
  Fixed potential memory issues found by fuzzing in GZIP, CAB and HTML parsing.
413625 Fixed Win32Emulator performance down bug.
  Fixed memory leaks and overflows in pyarch, sis, and rar decompression.
  Fixed potential memory bugs in autoit, arj and aspack decompression.
440519 Flag UPX as archive bomb if the decompressed size is 100 times greater than original file size.
  Fixed AV engine X86_64 crash on Windows 10 build 1703.

FortiOS

Bug ID Description
467820 Fixed missing file names for RAR v5.0.
458192 MSI and KGB file types are now on the list to be sent to FortiSandbox as potentially suspicious files.

7000 Series Chassis FortiOS 5.4.5 Release Notes

Introduction

This document provides the following information for FortiGate-7000 v5.4.5 build 6481:

l Supported Models l What’s New in FortiGate-7000 v5.4.5 build 6481 l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues

Supported Models

FortiGate-7000 v5.4.5 build 6481 supports all ForGate-7030E, 7040E, and 7060E models and configurations.

What’s New in FortiGate-7000 v5.4.5 build 6481

The following new features have been added to FortiGate-7000 v5.4.5 build 6481 firmware:

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386)

The M1 and M2 interfaces can be configured to use different VLANs for HA heartbeat traffic.

The following command now configures the VLAN used by the M1 interface (default 999):

config system ha set hbdev-vlan-id 999

end

The following new command configures the VLAN used by the M2 interface (default 1999):

config system ha set hbdev-second-vlan-id 1999

end

GTP load balancing

GTP load balancing is supported for FortiGate-7000 configurations licensed for FortiOS Carrier. You can use the following command to enable GTP load balancing. This command is only available after you have licensed the FortiGate-7000 for FortiOS Carrier.

config load-balance setting set gtp-load-balance enable end

What’s New in FortiGate-7000 v5.4.5 build 6481                                                                                    Introduction

FSSO user authentication is synchronized

FSSO user authentication is synchronized to all FIM and FPM modules. FSSO users are no longer required to reauthenticate when sessions are processed by a different FIM or FPM module.

HA Link failure threshold changes (422264 )

The link failure threshold is now determined based on the all FIM modules in a chassis. This means that the chassis with the fewest active links will become the backup chassis.

FortiGate-7000s running FortiOS v5.4.5 can be configured as dialup IPsec VPN servers

The following shows how to setup a dialup IPsec VPN configuration where the FortiGate-7000 running v5.4.5 acts as a dialup IPsec VPN server.

Configure the phase1, set type to dynamic.

config vpn ipsec phase1-interface edit dialup-server set type dynamic set interface “v0020” set peertype any set psksecret < password>

end

Configure the phase 2, to support dialup IPsec VPN, set the destination subnet to 0.0.0.0 0.0.0.0.

config vpn ipsec phase2-interface edit dialup-server set phase1name dialup-server set src-subnet 4.2.0.0 255.255.0.0 set dst-subnet 0.0.0.0 0.0.0.0

end

To configure the remote FortiGate as a dialup IPsec VPN client

The dialup IPsec VPN client should advertise its local subnet(s) using the phase 2 src-subnet option.

Introduction                                                                                    What’s New in FortiGate-7000 v5.4.5 build 6481

config vpn ipsec phase1-interface edit “to-fgt7k” set interface “v0020” set peertype any set remote-gw 1.2.0.1 set psksecret <password>

end

config vpn ipsec phase2-interface edit “to-fgt7k” set phase1name “to-fgt7k” set src-subnet 4.2.6.0 255.255.255.0 set dst-subnet 4.2.0.0 255.255.0.0

next edit “to-fgt7k-2” set phase1name “to-fgt7k” set src-subnet 4.2.7.0 255.255.255.0 set dst-subnet 4.2.0.0 255.255.0.0 end

Special Notices

This section highlights some of the operational changes that administrators should be aware of for FortiGate7000 5.4.5 build 6481.

Recommended configuration for traffic that cannot be load balanced

The following flow rules are recommended to handle common forms of traffic that cannot be load balanced. These flow rules send GPRS (port 2123), SSL VPN, IPv4 and IPv6 IPsec VPN, ICMP and ICMPv6 traffic to the primary (or master) FPM.

The CLI syntax below just shows the configuration changes. All other options are set to their defaults. For example, the flow rule option that controls the FPM slot that sessions are sent to is forward-slot and in all cases below forward-slot is set to its default setting of master. This setting sends matching sessions to the primary (or master) FPM.

config load-balance flow-rule edit 20 set status enable set ether-type ipv4 set protocol udp set dst-l4port 2123-2123

next edit 21 set status enable set ether-type ip set protocol tcp set dst-l4port 10443-10443 set comment “ssl vpn to the primary FPM”

next edit 22 set status enable set ether-type ipv4 set protocol udp set src-l4port 500-500 set dst-l4port 500-500 set comment “ipv4 ike”

next edit 23 set status enable set ether-type ipv4 set protocol udp set src-l4port 4500-4500 set comment “ipv4 ike-natt src”

next edit 24 set status enable set ether-type ipv4 set protocol udp set dst-l4port 4500-4500 set comment “ipv4 ike-natt dst”

Special Notices                                                   Recommended configuration for traffic that cannot be load balanced

next edit 25 set status enable set ether-type ipv4 set protocol esp set comment “ipv4 esp”

next edit 26 set status enable set ether-type ipv6 set protocol udp set src-l4port 500-500 set dst-l4port 500-500 set comment “ipv6 ike”

next edit 27 set status enable set ether-type ipv6 set protocol udp set src-l4port 4500-4500 set comment “ipv6 ike-natt src”

next edit 28 set status enable set ether-type ipv6 set protocol udp set dst-l4port 4500-4500 set comment “ipv6 ike-natt dst”

next edit 29 set status enable set ether-type ipv6 set protocol esp set comment “ipv6 esp”

next edit 30 set ether-type ipv4 set protocol icmp set comment “icmp”

next edit 31 set status enable set ether-type ipv6 set protocol icmpv6 set comment “icmpv6”

next edit 32 set ether-type ipv6 set protocol 41 end

Upgrade Information

FortiGate-7000 v5.4.5 build 6481supports upgrading from FortiGate-7000 v5.4.3 build 6382.

All of the modules in your FortiGate-7000 chassis run the same firmware image. You can upgrade the firmware by using the management IP address to log into the primary interface module GUI or CLI and perform a firmware upgrade just as you would for any FortiGate product. During the upgrade process, the firmware of all of the modules in the chassis upgrades in one step. Firmware upgrades should be done during a quiet time because traffic is briefly interrupted during the upgrade process.

Upgrading an HA configuration

Even if uninterruptable-upgrade is enabled, upgrading a FortiGate-7000 HA configuration will cause a minor traffic disruption. You should upgrade HA cluster firmware when traffic is low or during a maintenance period.

IPsec VPN issues when upgrading from v5.4.3 to v5.4.5

If your FortiGate-7000 configuration includes IPsec VPNs you should enhance your IPsec VPN Phase 2 configurations as described in this section. If your FortiGate-7000 does not include IPsec VPNs you can proceed with a normal firmware upgrade.

Because the FortiGate-7000 only allows 16-bit to 32-bit routes for remote subnets, you must add one or more destination subnets to your IPsec VPN phase 2 configuration for FortiGate-7000 v5.4.5 using the following command:

config vpn ipsec phase2-interface edit “to_fgt2″So set phase1name <name> set src-subnet <IP> <netmask> set dst-subnet <IP> <netmask>

end Where

src-subnet is the subnet protected by the FortiGate that you are configuring and from which users connect to the destination subnet. Configuring the source subnet is optional but recommended.

dst-subnet is the destination subnet behind the remote IPsec VPN endpoint. Configuring the destination subnet is required.

You can add the source and destination subnets either before or after upgrading to v5.4.5 as these settings are compatible with both v5.4.3 and v5.4.5. However, if you make these changes after upgrading, your IPsec VPNs may not work correctly until these configuration changes are made.

Upgrade Information                                                             IPsec VPN issues when upgrading from v5.4.3 to v5.4.5

Adding source and destination subnets to IPsec VPN phase 2 configurations

In a simple configuration such as the one below with an IPsec VPN between two remote subnets you can just add the subnets to the phase 2 configuration.

Enter the following command to add the source and destination subnets to the FortiGate-7000 IPsec VPN Phase 2 configuration.

config vpn ipsec phase2-interface edit “to_fgt2″So set phase1name “to_fgt2” set src-subnet 172.16.1.0 255.255.255.0 set dst-subnet 172.16.2.0 255.255.255.0

end

In a more complex configuration, such as the one below with a total of 5 subnets you still need to add all of the subnets to the Phase 2 configuration. In this case you can create a firewall address for each subnet and the addresses to address groups and add the address groups to the Phase 2 configuration.

Enter the following commands to create firewall addresses for each subnet.

config firewall address edit “local_subnet_1” set subnet 4.2.1.0 255.255.255.0

next

edit “local_subnet_2” set subnet 4.2.2.0 255.255.255.0

IPsec VPN issues when upgrading from v5.4.3 to v5.4.5                                                             Upgrade Information

next edit “remote_subnet_3”

set subnet 4.2.3.0 255.255.255.0

next edit “remote_subnet_4”

set subnet 4.2.4.0 255.255.255.0

next edit “remote_subnet_5”

set subnet 4.2.5.0 255.255.255.0

end

And then put the five firewall addresses into two firewall address groups.

config firewall addrgrp edit “local_group” set member “local_subnet_1” “local_subnet_2”

next

edit “remote_group” set member “remote_subnet_3” “remote_subnet_4” “remote_subnet_5”

end

Now, use the firewall address groups in the Phase 2 configuration:

config vpn ipsec phase2-interface edit “to-fgt2” set phase1name “to-fgt2” set src-addr-type name set dst-addr-type name set src-name “local_group” set dst-name “remote_group” end

Product Integration and Support

See the Product Integration and Support section of the FortiOS 5.4.5 release notes for product integration and support information for FortiGate-7000 v5.4.5 build 6481.

Also please note the following exceptions for FortiGate-7000 v5.4.5 build 6481:

Minimum recommended FortiManager firmware version : 5.6.1

Minimum recommended FortiAnalyzer firmware version : 5.4.4

FortiGate-7000 v5.4.5 special features and limitations

FortiGate-7000 v5.4.5 has specific behaviors which may differ from FortiOS features. For more information, see the “Special features and limitations for FortiGate-7000 v5.4.5” section of the most recent version of the FortiGate-7000 Handbook chapter available at http://docs.fortinet.com/d/fortigate-7000.

Resolved Issues

The following issues have been fixed in FortiGate-7000 v5.4.5 build 6481. For inquires about a particular bug, please contact Customer Service & Support.

Bug ID Description
464156 HA heartbeat VLAN tags not correctly applied to HA heartbeat traffic.
464735 Decode VDOM license key failed error messages no longer appear when FortiGate-7000 components start up.
462228 NAT sessions are no longer dropped from DP timers problems after a system restart.
455825 FortiGuard auto-update no longer keeps contacting FortiGuard to request updates after a successful update.
460289 Authenticated users are synchronized to all FPMs. Users no longer have to re-authenticate if some of their traffic is processed by a different FPM.
454070 In an HA configuration, IPv4 routes are now correctly synchronized to all FPMs.
456140 In an HA configuration, only the primary FIM module communicates with FortiManager.
456116 History output of the diagnose sys ha status command now includes timestamps to show when failover occurred.
422602 In an HA configuration, failovers no longer occur after an antivirus update.
452415 The output of the diagnose sys link-monitor status command is now synchronized.
454411 Local certificates are now synchronized to all FIM modules.
453285 VLAN Traffic continues to flow through Link Aggregation (LAG) interfaces between two FIMs if one of the FIMs is shut down.
448131 Incorrect link local IPv6 addresses that caused IPv6 traffic slowdowns have been corrected.
410647 TCP, HTTP, and UDP-based link monitoring for SD-WAN link load balancing is now supported.
423946 The cmdbsvr process no longer crashes when 500 VDOMs and 10k policies have been configured.
439398 The diagnose vpn ssl list command now correctly displays information for all FIM and FPM modules.
442607 Changes to replacement messages made from a VDOM can now be successfully saved.
415234 You can set the Interface to any when creating a firewall VIP.

Resolved Issues

Bug ID Description
410741 AntiVirus, Web Filtering, and other security profile log messages generated by FPM modules now appear on the GUI of all FIM or FPM modules (including the GUI of the primary FIM module).
417584 HA chassis failover from management links only occurs if no management links are available on the chassis. As long as at least one management link is available a failover will not occur.
424015 Fixed a bug with firmware updates with uninterruptable-upgrade enabled to cause extra chassis failovers.
408535 The hostname is now synchronized to all modules.
392288 A configuration that includes 500 VDOMs can now be restored from the GUI.

 

 

Known Issues

The following issues have been identified in FortiGate-7000 v5.4.5 build 6481. For inquires about a particular bug, please contact Customer Service & Support.

Bug ID Description
449276 FortiGuard IPS signature updates may cause an HA failover.
455632 FIM modules may incorrectly leave and rejoin an HA cluster.
444107 Remote disk share mounting fails when using NFS v2/v3 over UDP. To work around this issue use NFS over TCP.
440550 Some FortiView pages may display Failed to get FortiView data error messages.
460148 The application field in system event log crash messages is unreadable.
459413 HA remote IP monitoring using the pingserver-monitor-interface, pingserverfailover-threshold, and pingserver-flip-timeout options does not work.
459424 The GUI the VDOM list page does not show correct CPS, CPU, and memory usage for each VDOM.
456872 Routes to LACP LAGs are not synchronized to all modules.
442168 Traffic counters that display interface traffic for a physical interface do not display traffic sent and received by VLANs added to the physical interface.
422404 FPMs cannot communicate with the configured FortiAnalyzer if source-ip is set to the IP address of a management interface.
449298 FortiGate-7000 resource utilization is not reported correctly by FortiAnalyzer.

FortiOS 5.6.3 Release Notes

Change Log

Date Change Description
2017-12-05 Initial release.
2017-12-07 Added 443203 to Resolved Issues.

Added 463211 to Known Issues.

Moved 452384 from Known Issues to Resolved Issues.

Deleted Internet Explorer version 11 from Product Integration and Support.

2017-12-08 Added 443870 to Resolved Issues.

Added caution to Upgrade Information > Upgrading to FortiOS 5.6.3.

   

 

Introduction

This document provides the following information for FortiOS 5.6.3 build 1547:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.3 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70DPOE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D,

FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-

101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D, FG-200D-POE, FG-

200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E,

FG-400D, FG-500D, FG-500E, FG-501E, FG-600C, FG-600D, FG-800C, FG-800D, FG900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E,

FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-

3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE,

FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E,

FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-AWS,

FG-VM64-AWSONDEMAND, FG-VM64-GCP, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.3 images are delivered upon request and are not available on the customer support firmware download page.

Introduction

What’s new in FortiOS 5.6.3

For a list of new features and enhancements that have been made in FortiOS 5.6.3, see the What’s New for FortiOS 5.6.3 document.

Special Notices

Built-in certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

Special Notices

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient profile changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

FortiExtender support

Due to OpenSSL updates, FortiOS 5.6.3 cannot manage FortiExtender anymore. If you run FortiOS with FortiExtender, you must use a newer version of FortiExtender such as 3.2.1 or later.

Upgrade Information

Upgrading to FortiOS 5.6.3

FortiOS version 5.6.3 officially supports upgrading from version 5.4.5, 5.4.6, 5.6.0, 5.6.1, and 5.6.2. To upgrade from other versions, see Supported Upgrade Paths.

If you are upgrading from version 5.6.1 or 5.6.2, this caution does not apply.

Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

After upgrading, if FortiLink mode is enabled, you must manually create an explicit firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch (such as from the FortiLink interface) to the RADIUS server through the FortiGate.

FortiGate-VM64-Azure upgrade

You can upgrade from the GUI or CLI. Because some configurations are not kept in the upgrade, we recommend you do a factory reset using execute factoryreset, and then reconfigure the VM.

Your original VM license is kept in the upgrade.

Security Fabric upgrade

FortiOS 5.6.3 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.1 l FortiClient 5.6.0 l FortiClient EMS 1.2.2 l FortiAP 5.4.2 and later l FortiSwitch 3.6.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

 

FortiClient profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration).
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard Banner, client-based logging when on-net, and Single Sign-on Mobility Agent.
  • VPN provisioning. l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths. l Client-side web filtering when on-net. l iOS and Android configuration by using the FortiOS GUI.

With FortiOS 5.6.3, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.2, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

11

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name.

For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.

  1. Restore the configuration.
  2. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.3 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 5.6.3 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3
  • I2 l M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

 

Product Integration and Support

FortiOS 5.6.3 support

The following table lists 5.6.3 product integration and support information:

Web Browsers l Microsoft Edge 38 l Mozilla Firefox version 54 l Google Chrome version 59 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 10 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Security Fabric upgrade on page 9. For the latest information, see FortiManagercompatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Security Fabric upgrade on page 9. For the latest information, see FortiAnalyzercompatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft

Windows

See important compatibility information in Security Fabric upgrade on page 9.

l 5.6.1

If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient Mac OS X See important compatibility information in Security Fabric upgrade on page 9.

l 5.6.0

If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS l 5.4.3 and later
FortiClient Android and FortiClient VPN Android l 5.4.1 and later
FortiAP l 5.4.2 and later l 5.6.0

 

FortiAP-S                                     l 5.4.3 and later l 5.6.0
   FortiSwitch OS                             l 3.6.2 and later

(FortiLink support)

   FortiController                              l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C.

   FortiSandbox                               l 2.3.3 and later
   Fortinet Single Sign-On               l 5.0 build 0264 and later (needed for FSSO agent support OU in group filters)

(FSSO)                                                l Windows Server 2016 Datacenter

l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

FSSO does not currently support IPv6.

  FortiExtender                                l 3.2.1 and later

See FortiExtender support on page 8.

   AV Engine                                    l 5.247
   IPS Engine                                    l 3.442
Virtualization Environments
Citrix                                           l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM                                   l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
   Microsoft                                     l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l ESX versions 4.0 and 4.1 l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5
VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2334. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 54

Google Chrome version 59

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

It is recommended to verify the accuracy of the GUID for the software you are using for SSL VPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.

After verifying GUIDs, you can update GUIDs in FortiOS using this command:

config vpn ssl web host-check-software

Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.

The GUIDs in this example are only for AVG Internet Security 2017 on Windows 7 and Windows 10. The GUIDs might be different for other versions of the software and other operation systems.

To update GUIDs in FortiOS:

  1. Use the config vpn ssl web host-check-software command to edit the AVG-InternetSecurity-AV variable to set the following GUID for AVG Internet Security 2017: 4D41356F-32AD-7C42-C820-63775EE4F413.
  2. Edit the AVG-Internet-Security-FW variable to set the following GUID:

757AB44A-78C2-7D1A-E37F-CA42A037B368.

 

Resolved Issues

The following issues have been fixed in version 5.6.3. For inquires about a particular bug, please contact Customer Service & Support.

Application Control

Bug ID Description
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.
Bug ID Description
415496 GTPU sanity drop by gtp-in-gtp checking if GTPU payload has kind of invalid UDP header (IP fragment case).
445321 GTP, 2 cases of protocol anomaly drops to review (status=prohibited).

DLP

Bug ID Description
435283 block-page-status-code doesn’t work for HTTP status code of DLP replacement message.
454112 HIBUN file with *.exe extension is detected as exe file.

DNS Filter

Bug ID Description
438834 DNS filter blocks access when rating error occurs, even with allow request on rating error enabled.

FIPS-CC

Bug ID Description
440307 Wildcard certificate support/handling for SAN/CN reference identifiers.
Firewall  
Bug ID Description
449195 DNAT not working for SCTP -Multi-homing Traffic.

FortiCarrier

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.
445373 For 802.1X, FortiSwitch port disappeared after upgrading FortiGate from 5.6.0 to 5.6.1 with 802.1X enabled without security-group/user-group.

GUI

Bug ID Description
365378 Cannot assign ha-mgmt-interface IP address in the same subnet as other port from the GUI.
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.
403146 Slow GUI Policy tab with more than 600 policies.
409100 Edit admin/user, enable FortiToken mobile, or click send activation email before saving sends empty activation code.
412401 Incorrect throughput reading in GUI-System-HA page.
450919 IPS sensor with >= 8192 signature entries should not be created from GUI.

HA

Bug ID Description
412652 Unexpected behavior seen when one cluster unit has a monitored port down and another cluster unit has ping server issues.
436585 Issues with different hardware generation when operating in a HA cluster.
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
442085 After HA failover, the new master unit uses an OSPF MD5 authentication encryption sequence that is lower than the previous sequence number.
442663 No NTP sync and feature license invalid at backup device in FGSP cluster.
442907 Admin password expiry calculation is 1 sec. different on master and slave which causes HA to be out of sync for about 20 mins.
449147 No security database update on slave unit in FGSP environment.
Bug ID Description
452052 vcluster2’s VMAC on VLAN Interface is not persistent after vcluster1 fails over.
452715 ha-mgmt-interface on slave unit is overwritten when backed up and restored.
454347 Ping server penalties are taken into account even when they are not configured in HA settings anymore.
455513 Management VDOMs I/F address on slave is lost or sync’ed with Master’s.

IPsec VPN

Bug ID Description
401847 Half of IPsec tunnels traffic lost 26 minutes after power on a spare 1500D.
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.
441267 FortiGate static remote-gateway can change if peer sends ESP traffic with different IP address.
442671 Set broadcast-forward enable not working for IPsec interface.
445657 FortiOS Traffic Selector narrowing accepts wrong proposal.

Log & Report

Bug ID Description
422901 Power disruption message when logging with prof_admin.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.
443001 Export log field descriptions for documentation.

Proxy

Bug ID Description
403140 Improve filtering capabilities of LDAP search Explicit Proxy with Kerberos authentication.
435332 Keepalive Exempted HTTPs traffic keeps on kernal and proxy.
441284 www.nieporet.pl website loads very slowly in proxy mode when AV is applied.
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.
442328 Replacement message image fails to load.
443870 Incorrect extended master secret (EMS) handling in proxy mode deep-inspection causes SSL connection failure.
Bug ID Description
444257 After Upgrading from 1466 to 1484 GA, SSL Deep Inspection breaks for many SSL sites using Chrome.
445312 tcp-timewait-timer does not have any effect when WAD is running.
445374 Proxies should preserve DSCP flags.
447274 Specific web page fails to load when proxy-based AV profile is enabled on Explicit web proxy policy.

Routing

Bug ID Description
441506 BGP Aggregate address results in blackhole for incoming traffic.

Security Fabric

Bug ID Description
409156 In Security Fabric Audit, the unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions.

SSL VPN

Bug ID Description
412850 SSL VPN portal redirect fails with a Javascript error.
443203 In SSL VPN web mode, RDP quick connect fails with domain\username format credentials via NLA.

System

Bug ID Description
278660 FGT-AWSONDEMAND is unable to handle FortiCare registration
290708 nturbo may not support CAPWAP traffic.
393006 NPU offloading causes issues with Arista.
404119 FSSO is not enabled when FSSO policy was created.
411415 Update FortiOS API to remove IPS sessions in parallel with firewall sessions.
414811 Restore NIC offload capabilities on FortiGate KVM VM.
420568 fclicense daemon has several signal 11 crashes.
422413 Use API monitor to get data for FortiToken list page.
Bug ID Description
423332 Merge Top3 “Improve GTP Performance” to 5.6 and 5.8.
423508 Traffic from CAPWAP is not offloading on NP6 FortiGate.
437195 GTE – PDP update request should update the associated tunnel even when two TEID’s are the same.
437589 Slow throughput on 1000D between 10G and 1G interfaces.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
440412 Added SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
440564 After clicking the DHCP renew button, the GUI page doesn’t refresh.
440850 Latency noticed with port pair when MAC address flapping between port pair members.
440923 The FortiGate interface DHCP client does not work properly in some situations.
441269 3600C memory leak due to IKED.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.
442300 FGT5HD kernel panic on 5.6.0-build 1449.
443019 After running for some time, the FG-30E console keep printing memory leak error messages.
444090 Cannot get SNMP values for NP6 counters.
451456 Support DHCP Option 82 on FortiGate DHCP relay – rfc3046.
454939 Virtual-wire-pair config is lost after reboot when using at least one VXLAN interface as member.

Wireless

Bug ID Description
414606 CAPWAP encapsulated DNS traffic not forwarded back to IPsec tunnel.
421239 Tunnel mode SSID not working when FortiAP managed through IPsec VPN with NP6 offloading enabled.
437949 Split tunnel enhancement: set split-tunneling-acl-path [tunnel | local].

Common Vulnerabilities and Exposures

Bug ID Description
442365 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:

l 2017-7738

Visit https://fortiguard.com/psirt for more information.

446892 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:

l 2017-13077 l 2017-13078 l 2017-13079 l 2017-13080 l 2017-13081

Visit https://fortiguard.com/psirt for more information.

452384 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:

l 2017-14185

Visit https://fortiguard.com/psirt for more information.

452730 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:

l 2017-14186

Visit https://fortiguard.com/psirt for more information.

453971 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:

l 2017-14187

Visit https://fortiguard.com/psirt for more information.

456392 FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:

l 2017-13077

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.6.3. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
448247 Traffic-shaper in shaping policy does not work for specific application category like as P2P.

Authentication

Bug ID Description
460229 Existing terminal server sessions overridden with the last TS user that logged in.
AV  
Bug ID Description
446204 The filename of character in Korean shows mismatch encoding type in GUI.

FIPS-CC

Bug ID Description
463211 When alarm is enabled in FIPS mode, the console hangs and the getty process uses very high CPU usage.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
FortiGate 500D  
Bug ID Description
403449 FortiGate 500D has some issue with FINISAR transceiver.
Bug ID Description
356174 FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374844 Should show ipv6 address when set ipv6 mode to pppoe/dhcp on GUI > Network >

Interfaces.

375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 HA with FortiLink traffic loss – no virtual MAC.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable in a hidden way.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

462080 FG-300E reboots with kernel panic errors.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drill down a auth-failed wifi client entry in “Failed Authentication” could not display detail logs when CSF enabled.
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
422413 Use API monitor to get data for FortiToken list page.
422901 Power disruption message when logging with prof_admin.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
445113 IPS engine 3.428 on Fortigate sometimes cannot detect Psiphon packets that iscan can detect.
446756 Guest user print template can’t display pictures while printing.
451776 Admin GUI has limit of 10 characters for OTP.
459904 Rogue AP Monitor does not show the Name of the AP in the Detected By column.
Bug ID Description
443418 User is not listed in quarantine list in case block duration value is set long enough.
450693 ERR_SSL_PROTOCOL_ERROR when deep scan enabled along with IPS in policy.

HA

Bug ID Description
441078 The time duration of packet-transporting process stops to pre-master node after HA failover takes too long.
455284 sshd daemon not started when just allowed ssh option on ha-mgmt-interface.
457554 FortiGate does not send syslog after ha-mgmt-interface link goes down and then up.
457877 Packets dropped with TNS session-helper enabled on FGSP cluster.
458320 Cluster uptime was not consistent.
461731 HA dedicated management port settings are modified and unreachable after restoring the configuration backup.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is sync’ed.

IPS Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.

Proxy

Bug ID Description
454185 Specific application does not work when deep inspection is enabled.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
441068 SSL VPN unable to connect in tunnel mode, seeing multiple stale sessions for the same user.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 ssh-dss may not work on FGT-VM-LENC.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
450389 IPv6 problem with neighbor-cache.
Bug ID Description
451456 DHCP Option 82 on FortiGate DHCP relay – rfc3046.
457096 FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
459273 Slave worker blade loses local administrator accounts.

VM

Bug ID Description
441129 Certify FortiGate-VMX v5.6 with NSX v6.3 and vSphere v6.5.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.4.7 Release Notes

Introduction

This document provides the following information for FortiOS 5.4.7 build 1167:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.7 supports the following models.

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,

FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-

600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,

FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C,

FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.7 supports the additional CPU cores through a license update on the following VM models:

l     VMware 16, 32, unlimited l KVM 16

l     Hyper-V 16, 32, unlimited

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.7 images are delivered upon request and are not available on the customer support firmware download page.

Introduction                                                                                                                              Supported models

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.7. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1167.

FGR-30D is released on build 7703.
FGR-30D-A is released on build 7703.
FGR-35D is released on build 7703.
FG-30E-MI is released on build 6465.
FG-30E-MN is released on build 6465.
FWF-30E-MI is released on build 6465.
FWF-30E-MN is released on build 6465.
FWF-50E-2R is released on build 7702.
FG-52E is released on build 6445.
FG-60E is released on build 6453.
FG-60E-POE is released on build 6453.
FWF-60E is released on build 6453.
FG-61E is released on build 6453.
FWF-61E is released on build 6453.
FG-80E is released on build 6453.
FG-80E-POE is released on build 6453.
FG-81E is released on build 6453.
FG-81E-POE is released on build 6453.
FG-90E is released on build 6457.
FG-91E is released on build 6457.
FWF-92D is released on build 7701.
FG-100E is released on build 6453.

Supported models                                                                                                                              Introduction

FG-100EF is released on build 6453.
FG-101E is released on build 6453.
FG-140E is released on build 6453.
FG-140E-POE is released on build 6453.
FG-200E is released on build 6456.
FG-201E is released on build 6456.
FG-300E is released on build 4087.
FG-301E is released on build 4087.
FG-500E is released on build 4087.
FG-501E is released on build 4087.
FG-2000E is released on build 6458.
FG-2500E is released on build 6458.
FG-3960E is released on build 6460.
FG-3980E is released on build 6460.
FG-5001E is released on build 6452.
FG-5001E1 is released on build 6452.
FG-VM64 is released on build 6446.
FG-VM64-HV is released on build 6446.
FG-VM64-KVM is released on build 6446.
FG-VM64-OPC is released on build 3332.
FG-VM64-XEN is released on build 6446.
FG-VM64-AWSONDEMAND is released on build 6446.
FG-VM64-AZURE is released on build 6446.
FG-VM64-AZUREONDEMAND is released on build 6446.

Introduction                                                                                                                What’s new in FortiOS 5.4.7

What’s new in FortiOS 5.4.7

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.7, see the What’s New forFortiOS 5.4.7 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate with an RSA 2048-bit key; and FortiOS supports DH group 14 for key-exchange.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

Policy list display changes

To improve performance, FortiOS 5.4.6 implemented the following changes when displaying lists in Policy & Objects.

In Policy & Objects > Addresses:

  • The Address |Group |All option at the top is removed and all addresses and groups are displayed in sections.
  • Paging options at the bottom are removed.
  • The group member count is moved to the Details

In Policy & Objects > Policy lists:

  • The Sequence view and # column are removed. l Custom sections (global-labels) are no longer supported.
  • To start searching, press Enter, click the search button, or click outside the search box. l Column filters are reset when you leave or reload the page. l Section expand/collapse settings are reset when you leave or reload the page.

FortiAnalyzer support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Special Notices                                                                                 Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

 

FortiGate units managed by FortiManager 5.0 or 5.2                                                                         Special Notices

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.7, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient profile changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

Special Notices                                                                                                                               FortiPresence

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the

FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,

Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security

Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log disk usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM firmware upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)                                                           Special Notices

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

DLP, AV

In 5.2, Block page was sent to client with HTTP status code 200 by default. In 5.4 and later, Block page is sent to client with a clearer HTTP status code of 403 Forbidden.

 

Upgrade Information

Upgrading to FortiOS 5.4.7

FortiOS version 5.4.7 officially supports upgrading from version 5.4.5 and later, and 5.2.11 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

This only applies if you are upgrading to version 5.6.0. If you are upgrading to version 5.6.1 or later, you don’t need to reconfigure IPsec settings.

If you have configured IPsec in version 5.4.7 and you upgrade to 5.6.0, you must reconfigure all IPsec phase1 psksecret settings after upgrading to 5.6.0 in order to establish an IPsec tunnel.

Cooperative Security Fabric upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiGate-VM 5.4 for VMware ESXi                                                                                           Upgrade Information

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.7, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS enhanced networking compatibility issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

Upgrade Information                                                                                                             FortiGate VM firmware

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.7 support

The following table lists 5.4.7 product integration and support information:

Web Browsers l Microsoft Edge 38 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager For the latest information, see the FortiManagerand FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer For the latest information, see the FortiAnalyzerand FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

l 5.4.1 and later

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS l 5.4.1 and later
FortiClient Android and FortiClient VPN Android l 5.4.0 and later

 

FortiOS 5.4.7

FortiAP l 5.4.1 and later l 5.2.5 and later

Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S l 5.4.1 and later
FortiSwitch OS

(FortiLink support)

l 3.5.0 and later
FortiController l 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox l 2.1.0 and later l 1.4.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0264 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2016 Server Edition l Windows Server 2016 Datacenter l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6.0 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

FortiOS 5.4.7 support                                                                                             Product Integration and Support

FortiExplorer iOS l 1.0.6 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender l 3.0.0 l 2.0.2 and later
AV Engine l 5.247
IPS Engine l 3.438
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2335. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN support                                                                                                  Product Integration and Support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 53
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 53

Google Chrome version 58

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

It is recommended to verify the accuracy of the GUID for the software you are using for SSLVPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.

After verifying GUIDs, you can update GUIDs in FortiOS by using this command: config vpn ssl web host-check-software

SSL VPN

Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.

To update GUIDs in FortiOS:

  1. Use the config vpn ssl web host-check-software command to edit the AVG-InternetSecurity-AV variable to set the following GUID for AVG Internet Security 2017:

4D41356F-32AD-7C42-C820-63775EE4F413

  1. Edit the AVG-Internet-Security-FW variable to set the following GUID: 757AB44A-78C2-7D1A-E37F-CA42A037B368

 

Resolved Issues

The following issues have been fixed in version 5.4.7. For inquires about a particular bug, please contact CustomerService & Support.

Common Vulnerabilities and Exposures

Bug ID CVE references
452730 FortiOS 5.4.7 is no longer vulnerable to the following CVE Reference: l 2017-14186

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.4.7. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control (fortiheartbeat) is enabled but no AV profile is used.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1 GE SFP transceivers.

FortiRugged-60D

Known Issues

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 In Security Fabric topology, a downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.

 

Known Issues

Bug ID Description
372943 Explicit proxy policy may show a blank for default authentication method.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375346 You may not be able to download the application control packet capture from the forward traffic log.
375369 May not be able to change IPsec manualkey config in GUI.
375383 The Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
379050 User Definition intermittently not showing assigned token.

Known Issues

IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

439923 IKE static tunnels using set peertype one may fail to negotiate.
Bug ID Description
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.

System

Known Issues

Bug ID Description
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.
445383 Traffic cannot go through LACP static mode interface with NP6 offload enabled.

Upgrade

Bug ID Description
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FG-VM-LENC.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.4.6 Release Notes

Introduction

This document provides the following information for FortiOS 5.4.6 build 1165:

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,

FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-

600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,

FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C,

FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.6 supports the additional CPU cores through a license update on the following VM models:

l     VMware 16, 32, unlimited l KVM 16

l     Hyper-V 16, 32, unlimited

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.6 images are delivered upon request and are not available on the customer support firmware download page.

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.6 supports the following models.

Introduction                                                                                                                              Supported models

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.6. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1165.

FGR-30D is released on build 7686.
FGR-35D is released on build 7686.
FGR-30D-A is released on build 7686.
FG-30E-MI is released on build 6406.
FG-30E-MN is released on build 6406.
FWF-30E-MI is released on build 6406.
FWF-30E-MN is released on build 6406.
FWF-50E-2R is released on build 7688.
FG-52E is released on build 6401.
FG-60E is released on build 6408.
FWF-60E is released on build 6408.
FG-61E is released on build 6408.
FWF-61E is released on build 6408.
FG-80E is released on build 6408.
FG-80E-POE is released on build 6408.
FG-81E is released on build 6408.
FG-81E-POE is released on build 6408.
FG-90E is released on build 6405.
FG-90E-POE is released on build 6405.
FG-91E is released on build 6405.
FWF-92D is released on build 7687.
FG-100E is released on build 6408.

 

What’s new in FortiOS 5.4.6                                                                                                                Introduction

FG-100EF is released on build 6408.
FG-101E is released on build 6408.
FG-140E is released on build 6408.
FG-140E-POE is released on build 6408.
FG-200E is released on build 6402.
FG-201E is released on build 6402.
FG-300E is released on build 4075.
FG-301E is released on build 4075.
FG-500E is released on build 4075.
FG-501E is released on build 4075.
FG-2000E is released on build 6403.
FG-2500E is released on build 6403.
FG-3960E is released on build 6404.
FG-3980E is released on build 6404.
FG-5001E is released on build 6400.
FG-VM64-AZURE is released on build 6399.
FG-VM64-AZUREONDEMAND is released on build 6399.

What’s new in FortiOS 5.4.6

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.6, see the What’s New forFortiOS 5.4.6 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate with an RSA 2048-bit key; and FortiOS supports DH group 14 for key-exchange.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global set hw-switch-ether-filter <enable | disable>

FG-900D and FG-1000D                                                                                                               Special Notices

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.

 

Special Notices                                                                                FortiClient (Mac OS X) SSL VPN Requirements

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.6, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the

FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,

Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security

Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page                                                                                                                   Special Notices

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

DLP, AV

In 5.2, Block page was sent to client with HTTP status code 200 by default. In 5.4 and later, Block page is sent to client with a clearer HTTP status code of 403 Forbidden.

Upgrade Information

Upgrading to FortiOS 5.4.6

FortiOS version 5.4.6 officially supports upgrading from version 5.4.4 and later, and 5.2.10 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiGate-VM 5.4 for VMware ESXi                                                                                          Upgrade Information

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.6, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

Upgrade Information                                                                                                             FortiGate VM firmware

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.6 support

The following table lists 5.4.6 product integration and support information:

Web Browsers l Microsoft Edge 38 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager For the latest information, see the FortiManagerand FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer For the latest information, see the FortiAnalyzerand FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

l 5.4.1 and later

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS l 5.4.1 and later
FortiClient Android and FortiClient VPN Android l 5.4.0 and later

FortiOS 5.4.6

FortiAP l 5.4.1 and later l 5.2.5 and later

Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S l 5.4.1 and later
FortiSwitch OS

(FortiLink support)

l 3.5.0 and later
FortiController l 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox l 2.1.0 and later l 1.4.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0264 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2016 Server Edition l Windows Server 2016 Datacenter l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6.0 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

 

FortiOS 5.4.6 support                                                                                             Product Integration and Support

FortiExplorer iOS l 1.0.6 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender l 3.0.0 l 2.0.2 and later
AV Engine l 5.247
IPS Engine l 3.438
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN support                                                                                                  Product Integration and Support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 53
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 53

Google Chrome version 58

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

It is recommended to verify the accuracy of the GUID for the software you are using for SSLVPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.

After verifying GUIDs, you can update GUIDs in FortiOS by using this command: config vpn ssl web host-check-software

SSL VPN

Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.

To update GUIDs in FortiOS:

  1. Use the config vpn ssl web host-check-software command to edit the AVG-InternetSecurity-AV variable to set the following GUID for AVG Internet Security 2017:

4D41356F-32AD-7C42-C820-63775EE4F413

  1. Edit the AVG-Internet-Security-FW variable to set the following GUID: 757AB44A-78C2-7D1A-E37F-CA42A037B368

 

Resolved Issues

The following issues have been fixed in version 5.4.6. For inquires about a particular bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
300206 Proxy-AV POP3 44k throughput test constantly has aborted transactions with low stress level.
442328 Replacement message image fails to load.
Bug ID Description
422755 memory_tension_drop increase even though memory usage is very low.

DNS Filter

Bug ID Description
402831 DNS Filter and Interface page botnet DB check should be updated.
420170 Skip the rating for Dynamic DNS update type queries.
422407 dnsproxy process runing high CPU causing degradation of DNS traffic.
438834 DNS Filter blocks access when rating error occurs, even with allow request on rating error enabled.

Firewall

Bug ID Description
403514 Broadcast packets are not forwarded through VIP.
415035 Policy64 with VIP64 assigns incorrect SNAT IP 0.0.0.0.
421381 IPsec traffic matching NAT64 policy dropped by NP IPSEC0_IQUEUE.
424558 Renaming onetime schedule causes policy activation.
435070 Full Cone NAT not working for WhatsApp Video and Voice Call.

FortiGate-60D

FortiGate-5001D

Bug ID Description
392883 SLBC slave blades with TP VDOMs cannot connect to FSSO Collector Agent.

FortiGate and FortiWifi E Series

Bug ID Description
413699 In some FortiGate and FortiWifi E series models, the default Inspection Mode is flow-based instead of proxy-based.

Affected models: FG-60E, FG-61E, FWF-60E, FWF-61E, FG-80E, FG-81E, FG-80E-POE, FG-81E-POE, FG-100E, FG-101E, FG-100EF, FG-140E, FG-140E-POE.

FortiSwitch

Bug ID Description
435219 cu_acd causing memory leak leading to conserve mode.

GUI

Bug ID Description
367394 Colors configured for firewall address objects are not visible in firewall policy list.
368070 Custom category is not referenced when used in a web filter profile.
372907 Reference page shows no matching entries found for VPN tunnel with special characters in tunnel name.
378575 Disabled local rating categories are incorrectly added into new web filter profiles.
392500 In the GUI Interface Bandwidth widget, the speed keep jumping from real value to 0 bps.
397233 GUI improve visibility of hardware acceleration features and memory usage.
406486 Permission denied error is shown when changing AntiVirus configuration even when AntiVirus privilege is set to Read-Write.
408577 Admin and FortiClient profile cannot be displayed when language is Japanese.
409100 Edit admin/user, enable FortiToken mobile, click send activation email before saving would send empty activation code.
411415 Update FortiOS API to remove IPS sessions in parallel with firewall sessions.
Bug ID Description
421263 Multiple wildcard login accounts gives wrong guest account provisioning when Post-login-banner is enabled.
439160 Address object references are not displayed.

HA

Bug ID Description
389861 SNMP query for fgHaStatsSyncStatus on slave unit reports master as unsynchronized- “0”.
392677 The HA widget shows the slave status as not synchronized when the status is synchronized.
412652 Unexpected behavior occurs when one cluster unit has a monitored port down and the other cluster unit has ping server issues.
421639 HA kernel routes are not flushed after failover, when cluster learns a high number of routes.
423144 Reliable syslog using dedicated HA management interface doesn’t work.
437390 HA failover triggered before pingserver-failover-threshold is reached.
438197 PPPoE connection is disrupted by HA failover/failback.
442085 After HA failover, the new master unit uses an OSPF MD5 authentication encryption sequence that is lower than the previous sequence number.
442663 No NTP sync and feature license invalid at backup device in FGSP cluster.

IPS

Bug ID Description
422666 New mechanism to load IPS/App rules into CMDB to avoid FortiGate bootup failure or lockup.
434478 Information incorrect in diag test app ipsmonitor 13.
439245 When the firewall policy was applied by FortiManager, a crash log of the IPS engine occurred.
445900 SSL negotiation not completed when IPS and SSL Inspection profiles are present.

IPsec VPN

Bug ID Description
396953 “Encapsulation GRE” (GRE over IPsec) does not allow self-originated traffic to enter the tunnel.
401847 Half of IPsec tunnels traffic lost 26 minutes after power on a spare 1500D.
416102 Traffic over IPsec VPN getting dropped after 2 pings when it is getting offloaded to NPU.
416950 NP6 stop process traffic through IPsec tunnel.

Logging & Report

Bug ID Description
420147 Getting Errorconnecting to FortiCloud message when trying to access FortiCloud Reports in GUI.
445522 In Local report -Web Usage section, Top users by bandwidth seems to show the download as upload.

Router

Bug ID Description
424381 Random TCP sessions get stuck or time out.

Spam

Bug ID Description
410420 Spam emails are exempted if they are sent in one session.
416790 (no.x pattern matched) is not logged when bwl matches envelop MAIL FROM.

SSL VPN

Bug ID Description
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
380974 SSL VPN sometimes gets key conflict when loading system provided keys.
401807 SSL VPN web mode for VNC could not launch pop up menu with F8.
Bug ID Description
412456 SSL VPN realm should be kept in the idle timeout redirected URL.
412850 SSL VPN Portal redirect not working. Fails with a Javascript error.
421261 Access to web sites via Webbase SSL VPN returns empty page after browsing for some time.
448852 OTP for RSA Server are truncated if they are longer than eight digits.

System

Bug ID Description
383624 Sending multicast traffic across NP6 inter-VDOM link may cause interfaces to stop sending/receiving.
392436 Slow throughput using 10G interfaces.
392655 Conserve mode – 4096 SLAB leak suspected.
393006 NPU offloading causes issues with Arista.
397266 Disable unnecessary FGT queries and RSS feeds.
407383 LACP will not negotiate on 100D ports 15 and 16 using FG-TRAN-SX.
408977 802.1AX L4 algorithm and NP4 do not distribute UDP evenly on egress LAG bundle.
415555 IPv6 ipv6-neighbor-cache configuration doesn’t survive after a reboot or flush command.
415910 CPU cores utilization shows 0% while handling CPS.
416678 FG101E/100E has reports of firewall lockups in production.
420150 NTPv3 with authentication enabled fails with error receive: authentication failed.
421714 Merge kxp D state fix into 5.4.6.
423375 Some configurations are missing in the output of show full-configuration.
424213 Cluster Virtual MAC address changed to Physical port MAC address when Ports are assigned on MGMT-VDOM.
434480 Admin user session does not time out.
Bug ID Description
436211 Kernel conserve mode occurs due to memory leak.
437589 Slow throughput on 1000D between 10G and 1G interfaces.
437925 FWF-81CM dnsproxy daemon has high memory usage.
438088 U-Turn traffic in Transparent mode VDOM does not work anymore.
438205 Packets in reply direction get dropped if ingress interface is not the same as egress in original direction.
438405 HRX/PKTCHK Drops over NP6 with 1.5 Gbps.
439115 IP-to-IP-Tunnel does not forward packets after rebooting.
439469 Dropped packets only on the LACP Interface but not on the physicals that is part of the LAG.
439897 Virtual wire pair on asymmetric environment.
440412 Added SNMP trap for per-CPU usage.
440923 The FortiGate interface DHCP client does not work properly in some situations.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.

Upgrade

Bug ID Description
404089 Uninterruptible upgrade failed because routes are not yet synced on new master.

User and FSSO

Bug ID Description
378085 User authentication timeout max. setting change.
378207 authd process running high CPU when only RSSO logging is configured.
412487 RSSO Endpoint Storage limits the number of characters to 48.
437204 authd sends malformed NTLM TYPE2 to browser and breaks NTLM authentication.
438758 A CRL update on the FortiGate does not trigger an auto-update to the FortiManager.

VM

Bug ID Description
424452 SNMP traps not being sent when interface is down.
441294 The network bandwidth show a zero value.

VoIP

Bug ID Description
423437 SIP ALG does not translate all MSRP SEND messages if more than one SEND message is contained within a single packet.

Web Filter

Bug ID Description
409110 Web page override login page loads slowly.
420967 Proxy AV + Proxy WF + SSL Certificate Inspection (Inspect All Ports) results in HTTPS traffic bypassing WiFi.
423020 Regex value changes in the URL filter.
435258 Send Fin/Ack to the client during HTTP POST request.
436354 Replace Message Group Web FilterBlock Override page not working.

WebProxy

Bug ID Description
415385 Explicit FTP proxy issue on zero file size transfers.
416208 WAD Dispatcher reached FD limit with large number of CLOSE_WAIT sockets, some workers entered “D” state.
417001 Explicit HTTP proxy drops HTTPS connections on WiFi rating failures.
417491 WAD crashed when handling FTP over HTTP traffic.
418193 Some HTTPS sites show Secure Connection Failed with flow-based web filter (static URL filter only) and SSL certificate inspection.
423077 WAD crashed after upgrading from 5.2.10 to 5.4.4 GA release.
Bug ID Description
434787 FortiGate deep inspection is causing nonconforming extension certificate error on MAC, Android, and Chromebook devices.
435283 block-page-status-code doesn’t work for HTTP status code of the DLP replacement message.

WiFi

Bug ID             Description
364688            Packet loss when offloading CAPWAP traffic.
434991            WTP tablesize limitation cause WTP entry to be lost after upgrade from 5.4.4 to 5.4.5.

Affected models: FG-30D, FG-30D-POE, FG-30E, FWF-30D, FWF-30D-POE, FWF-30E.

437949 Split tunnel enhancement: set split-tunneling-acl-path [tunnel | local].

Common Vulnerabilities and Exposures

Bug ID CVE references
405122 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-3732 l 2017-7055

Visit https://fortiguard.com/psirt for more information.

415416 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-7733

Visit https://fortiguard.com/psirt for more information.

416322 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-2636

Visit https://fortiguard.com/psirt for more information.

422133 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-3555

Visit https://fortiguard.com/psirt for more information.

440744 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-7739

Visit https://fortiguard.com/psirt for more information.

442365 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-7738

Visit https://fortiguard.com/psirt for more information.

 

Bug ID CVE references
446892 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-13077 l 2017-13078 l 2017-13079 l 2017-13080 l 2017-13081 l 2017-13082

Visit https://fortiguard.com/psirt for more information.

449257 FortiOS5.4.6 is no longer vulnerable to the following CVE Reference: l 2017-14182

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.4.6. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control (fortiheartbeat) is enabled but no AV profile is used.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1 GE SFP transceivers.

FortiRugged-60D

Known

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 In Security Fabric topology, a downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.

Known Issues

Bug ID Description
372943 Explicit proxy policy may show a blank for default authentication method.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375346 You may not be able to download the application control packet capture from the forward traffic log.
375369 May not be able to change IPsec manualkey config in GUI.
375383 The Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
379050 User Definition intermittently not showing assigned token.

Known

Bug ID Description
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
403146 Slow GUI Policy tab when there are more than 600 policies.
453751 In IE11, the Policy and Address page keeps reloading when there are many entries.
454259 The Policy list page does not display tooltips for policy comments.

HA

Bug ID Description
399115 ID for the new policy (when using edit 0) is different on master and on slave unit.

IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

439923 IKE static tunnels using set peertype one may fail to negotiate.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.
404863 In SSL VPN Web Mode, clicking new bookmark gets error Internal: invalid parameter.

Known Issues

Bug ID Description
364280 ssh-dss may not work on FG-VM-LENC.

System

Bug ID Description
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.
445383 Traffic cannot go through LACP static mode interface with NP6 offload enabled.

Upgrade

Bug ID Description
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.6.2 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.2 build 1486:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.2 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-61E, FG-70D, FG-70D-

POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE,

FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E,

FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D,

FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE,

FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D,

FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E,

FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-

POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E,

FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.2 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.2                                                                                                                Introduction

What’s new in FortiOS 5.6.2

For a list of new features and enhancements that have been made in FortiOS 5.6.2, see the What’s New for FortiOS 5.6.2 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements                                                                                Special Notices

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.2, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.2

FortiOS version 5.6.2 officially supports upgrading from version 5.4.4, 5.4.5, 5.6.0, and 5.6.1. To upgrade from other versions, see Supported Upgrade Paths.

Before upgrading, ensure that port 4433 is not used for admin-port or adminsport (in config system global), or for SSL VPN (in config vpn ssl settings).

If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Security Fabric Upgrade

FortiOS 5.6.2 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.1 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths FortiGate-VM 5.6 for VMware ESXi   Upgrade Information

  • Client-side web filtering when on-net
  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.2, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.2, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.2, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Upgrade Information                                                                                                            FortiGate VM firmware

When downgrading from 5.6.2 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums                                                                                                    Upgrade Information

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.2 support

The following table lists 5.6.2 product integration and support information:

Web Browsers l Microsoft Edge 38 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 54 l Google Chrome version 59 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 10 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

See important compatibility information in Security Fabric Upgrade on page 9.

l 5.6.0

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS l 5.4.3 and later

 

FortiOS 5.6.2 support

FortiClient Android and FortiClient VPN Android l 5.4.1 and later
FortiAP l 5.4.2 and later l 5.6.0
FortiAP-S l 5.4.3 and later l 5.6.0
FortiSwitch OS

(FortiLink support)

l 3.5.6 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0254 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender l 3.1.1 and later
AV Engine l 5.247
IPS Engine l 3.426
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later

Product Integration and Support                                                                                                  Language support

VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54

Product Integration and Support                                                                                                  SSL VPN support

Operating System Web Browser
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 54

Google Chrome version 59

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Product Antivirus Firewall
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.2. For inquires about a particular bug, please contact CustomerService & Support.

GUI

Bug ID Description
442145 httpsd daemon signal 11 crash due to missing default parameter for /endpointcontrol/avatar/download.
442939 Switch-controller Managed FortiSwitch failed to be displayed and triggered Internal Server Error.

SSL VPN

Bug ID Description
442808 SSL VPN daemon crash and users disconnected when any one of tunnel users log out.

 

Known Issues

The following issues have been identified in version 5.6.2. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.

Firewall

Bug ID Description
434959 NGFW policy with App Control policy blocks traffic.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.

FortiSwitch-Controller/FortiLink

Known Issues

Bug ID Description
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

445373 For 802.1X, FortiSwitch port disappeared after upgrading FortiGate from 5.6.0 to 5.6.1 with 802.1X enabled without security-group/user-group.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
402507 In physical/logical topology, threat drill down fails and keeps GUI loading unexpectedly.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drill down a auth-failed wifi client entry in “Failed Authentication” could not display detail logs when CSF enabled.
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
374247 GUI list may list another VDOM interface when editing a redundant interface.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.

 

Known Issues

Bug ID Description
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.
403146 Slow GUI Policy tab with more than 600 policies.
412401 Incorrect throughput reading in GUI-System-HA page.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is

FortiAnalyzer.

442231 Link cannot show different colors based on link usage legend in logical topology real time view.
Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.

HA

Bug ID Description
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441078 The time duration of packet-transporting process stops to pre-master node after HA failover takes too long.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
436585 Issues with different hardware generation when operating in a HA cluster.

IPsec

Bug ID Description
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.

Log & Report

Known Issues

Proxy

Bug ID Description
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
409156 In Security Fabric Audit, The unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.

Known Issues

Bug ID Description
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
439553 Virtual wire pair config missing after reboot.
440411 Monitor NP6 IPsec engine status.
440412 SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.6.1 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.1 build 1484:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.1 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-61E, FG-70D, FG-70D-

POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE,

FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E,

FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D,

FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE,

FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D,

FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E,

FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-

POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E,

FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.1 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.1                                                                                                                Introduction

What’s new in FortiOS 5.6.1

For a list of new features and enhancements that have been made in FortiOS 5.6.1, see the What’s New for FortiOS 5.6.1 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements                                                                                Special Notices

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.1, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.1

FortiOS version 5.6.1 officially supports upgrading from version 5.4.4, 5.4.5, and 5.6.0. To upgrade from other versions, see Supported Upgrade Paths.

Before upgrading, ensure that port 4433 is not used for admin-port or adminsport (in config system global), or for SSL VPN (in config vpn ssl settings).

If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Security Fabric Upgrade

FortiOS 5.6.1 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.1 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths FortiGate-VM 5.6 for VMware ESXi   Upgrade Information

  • Client-side web filtering when on-net
  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.1, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.0, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.1, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.1 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Upgrade Information                                                                                                            FortiGate VM firmware

When downgrading from 5.6.1 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums                                                                                                    Upgrade Information

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.1 support

The following table lists 5.6.1 product integration and support information:

Web Browsers l Microsoft Edge 38 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 54 l Google Chrome version 59 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 10 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

See important compatibility information in Security Fabric Upgrade on page 9.

l 5.6.0

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS l 5.4.3 and later

 

FortiOS 5.6.1 support

FortiClient Android and FortiClient VPN Android l 5.4.1 and later
FortiAP l 5.4.2 and later l 5.6.0
FortiAP-S l 5.4.3 and later l 5.6.0
FortiSwitch OS

(FortiLink support)

l 3.5.6 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0254 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender l 3.1.1 and later
AV Engine l 5.247
IPS Engine l 3.426
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later

Product Integration and Support                                                                                                  Language support

VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54

Product Integration and Support                                                                                                  SSL VPN support

Operating System Web Browser
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 54

Google Chrome version 59

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Product Antivirus Firewall
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.1. For inquires about a particular bug, please contact CustomerService & Support.

Antivirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file (.json).
398332 FortiSandbox results are not showing up in FortiView > FortiSandbox.
408147 Virus detected with correct name but wrong virusid.
411432 scanunitd causes high CPU usage when making configuration changes.

Authentication

Bug ID Description
402621 Radius Accounting Packet Calling-Station-ID field should return MAC address instead of IP address.
403147 Cannot create guest users with short phone number.
412846 Google Chrome browser display NET::ERR_CERT_COMMON_NAME_INVALID certificate waning on authentication page.
416618 LDAP does not work when number of matching entries is even in user group.
437204 authd sends malformed NTLM TYPE2 to browser and breaks NTLM authentication.
438972 Nested Groups in LDAP authentication does not work when the Domain users in AD is not the Primary Group.

DLP

Bug ID Description
367514 Executable files may not be blocked by DLP built-in .exe file-type filter.
416469 DLP quarantined IP when the action is set to block/log-only.
422355 DLP file-type filter cannot detect .mov file during file upload.

DNSFilter

Bug ID Description
414243 DNSFilter local FortiGuard SDNS servers failed to respond due to malformed packet.
422407 dnsproxy causes high CPU usage and degradation of DNS traffic.

FOC

Bug ID Description
406692 GTP noip-filter blocking IPv6 gtp-u traffic.
412883 Over-subscription of TP2 XAUI when running GTP in LAG with FG3700DX platform.
Bug ID Description
305575 In the Policy List, the NAT column can give more useful information.
416111 FQDN address is unresolved in a VDOM, although the URL is resolved with IP.

FortiGate 92D

Bug ID Description
412432 fgt92d_link running in D state.

FortiLink

Bug ID Description
422750 FortiGate sending corrupted configuration to FortiSwitch.
435219 cu_acd causing memory leak leading to Conserve Mode.
438973 Managed FortiSwitch speed setting not synced in FortiGate HA cluster.

FortiView

Bug ID Description
378576 The All Sessions > filter application on historical view does not work and suggests adding filter for destination port.
390495 Unable to view web sites in FortiView for 5 minutes, 1 hour, and 24 hours.

Firewall

Bug ID Description
416678 FG-100E and FG-101E may have firewall lockups in production.
424558 Renaming onetime schedule causes policy activation.
433688 Netflow report for a long, live FTP session is incorrect.
435070 Full Cone NAT not working for WhatsApp video and voice call.
435095 FortiOS ICMP replies or error messages are dropped when asymmetric routing is involved.
435700 RSTP session-helper does not modify the IP in describe payload when the server IP is a VIP.

GUI

Bug ID Description
310497 Improve GUI error message when trying to create a VLAN interface and physical interface is not selected.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
373602 Cannot access System > Advanced from the GUI – page keep loading.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
380943 Webfilter profile, GUI to support search in URL filter table.
388104 Interface list expand column display improperly in VLAN interface in a Zone.
394359 REST API firewall policy lookup does not work properly.
397010 GUI does not display the App-DB and INDUSTRIAL-DB information.
398394 Log viewer, negative filter for severity Information field cannot be done manually.
407938 device-access-list configuration is removed when making a change to the interface in the GUI.
408577 Admin and FortiClient profile cannot be displayed when language is Japanese.
413754 GUI create VDOM link on TP VDOM fails with error.
413891 In Topology > FortiAnalyzer, clicking Configure setting redirects to VDOM security fabric page.
Bug ID Description
413921 In FSSO standard mode, context menu allows you to delete ad-groups polled from CA.
415326 CLI configuration for address object allows IP range 0.0.0.0-x.x.x.x, but not in GUI.
418534 IP address, DHCP, allowaccess disappeared when selecting a local-bridge SSID as a member in soft-switch interface.
421263 Multiple wildcard login accounts gives wrong guest account provisioning when Postlogin-banner is enabled.
423410 Zone interface shows as down in the IPv4 Policy page even when its member is up.
434613 GUI cannot select HA monitor interfaces in other VDOMs.
438709 GUI system time is incorrect when setting timezone.
438948 Address object length name is limited in CLI Console tool.
441350 Trying to access the root FortiGate Security Fabric dashboard produces Error 404.

HA

Bug ID Description
392677 The HA widget shows the slave status as Not Synchronized even when the status is synchronized.
404089 Uninterruptible upgrade fails because routes are not yet synced with new master.
414336 Slave cannot sync to master with redundant interface.
416673 The System > HA pane is not in the GUI. HA is supported and can be configured in the CLI.
421639 HA kernel routes are not flushed after failover when cluster has a large number of routes.
423144 Reliable syslog using dedicated HA management interface doesn’t work.
434800 SNMP trap does not reach SNMP server via HA Master when hbdev interface is up.
437390 HA failover triggered before pingserver-failover-threshold is reached.
438374 HA reserved management interface unable to access or ping.

IPS

Bug ID Description
412470 When a firewall policy is deleted, traffic is lost.
417411 One-ARM sniffer logs sent/revd shown in reverse direction.
434478 Information incorrect in diag test app ipsmonitor 13.
434592 Ethernet.IP is not recognized in ICS app ctrl signature by sniffer mode.

IPsec

Bug ID Description
401847 Half of IPsec tunnels traffic lost 26 minutes after powering on a spare FG-1500D.
412863 NP6 drops fragment packet with payload 15319 bytes or higher.
412987 IPsec VPN certificate not validated against PKI user’s CN and Subject.
414899 Apple Cisco IPsec VPN group name (IKE ID) length limit.
415353 Telnet connection timing out with IPsec through MPLS when offloading is enabled.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

438648 outbound enable not set on bi-directional IPsec policy.
439923 For FG-60E, 12-character FQDN Peer ID causes communication failure.
440615 When monitor-hold-down-delay is used in IKEv2 then the value of monitorhold-down-delay has no effect and so once the IKE SA for the primary tunnel is established, it immediately takes the secondary down.

Log & Report

Bug ID Description
386668 FortiGate sends FortiAnalyzer different time stamps from its disk log.
391013 Some traffic flow does not show in traffic log.
396319 For the NGFW_vdom, the application UTM log action is always PASS when firewall policy deny the traffic.
409831 Traffic statistic not tally in report.
Bug ID Description
413778 With long VDOM names, no log is displayed when only one field subtype forward is added to traffic log filter.
417128 Syslog message are missed in FortiGate.

Proxy

Bug ID Description
414496 URL getting Blocked -IPS SensorTriggered.
415627 After upgrading to 5.6, certificate inspection causes certificate warning.
418193 Some HTTPS sites show Secure Connection Failed (static URL filter only flow-based webfilter, certificate inspection).
424362 Multiple crashes of WAD process.
437990 MiTM Proxy mode HTTPS Interception Weakens TLS Security.

Router

Bug ID Description
397087 VRIP cannot be reached on FG-51E when it is acting as VRRP master.
412336 Specific static route on vwl member interface should not be controlled by vwl status.
415366 WAN LLB with IP pools configured for two ISP connections.
424381 TCP sessions are stuck or time out randomly.
434026 SD-WAN health check does not remove route.

Security Fabric

Bug ID Description
385341 If there are multiple FortiAPs managed, GUI cannot display managed FortiAPs in FortiView > Physical Topology page.
403085 The session tab cannot be displayed on historical page when you drill down.
406561 Matching username is not highlighted in tooltip after topology search.
Bug ID Description
408495 An improper warning message may appear in the FortiAnalyzer log when changing the root FortiGate to a downstream FortiGate.
411479 The icon used to signify the source of logs when the time range is set to now is incorrect.
411645 Drilling down from a root FortiGate to a downstream FortiGate causes an error.
412104 The drill down for an aggregated device is not displayed as an individual device.
412249 Threats of a downstream FortiGate cannot be displayed on the root FortiGate.
412930 The Security Audit Event is not hidden on Security Fabric child nodes.
413189 The bubble chart with FortiAnalyzer view may not be drawn correctly.
413492 Security Fabric topology change can cause high CPU usage by miglogd on Security Fabric root.
413742 In Security Fabric topology, the red circle to indicate the root node of the Security Fabric should not be displayed on each child FortiGate.
413912 In Security Fabric topology, the upstream FortiGate can still be displayed when Security Fabric is disabled on a downstream FortiGate.
414147 In Security Fabric topology, the topology cannot be updated after changing the upstream port on a child FortiGate.
414301 Security Fabric topology is not displayed due to js error Cannot read property ‘VDOM’ of undefined.

SLBC

Bug ID Description
378207 authd process causes high CPU usage when only RSSO logging is configured.

Spam

Bug ID Description
398277 Application scanunit crashes with signal 6 received.
408971 Management Traffic is sent out via wrong interface in Virtual WAN Link.
410420 Spam emails are exempted if they are sent in one session.
Bug ID Description
416790 (no.x pattern matched) is not logged when bwl matches envelop MAIL FROM.
424443 Client behind FG-60E cannot get bounced mail when sending a spam mail to Hotmail /Outlook.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
380974 Possible root cause of SSL VPN fail with error:0B080074: ..X509_check_ private_key:key values mismatch/ApacheSSLSetCertStuff.
396788 SSL VPN GUI is unable to keep SSO password information for user bookmark.
399784 URL modified incorrectly in a dropdown list in application server.
406028 Citrix with Xenapp 7.x not working via SSL VPN web portal.
408624 SSL VPN certificate UPN+LDAP authentication works only on first policy.
412850 SSL VPN portal redirect fails with a Javascript error.
413758 Auto-generated SSL interface do not associate with SSLVPN_TUNNEL_ADDR1 for a long name VDOM.
414074 Application with Jira 7.2 and higher does not display properly in SSL VPN web mode.
415543 Request ability to exclude certain services from being created via personal bookmark.
415746 SSO on SSL VPN HTTP bookmark uses OTP instead of password in Auth HTTP header field when user authenticates via TFA.
423415 Incorrectly resolved membership for group members using SSL VPN.
424561 SSL VPN web mode has trouble loading certain page in HTTP/HTTPS bookmark.
433779 RDP bookmark doesn’t work after upgrading to 5.6.
438004 A bookmark having access link to a web page does not work via SSL VPN web mode.

System

Bug ID Description
383126 FG-50E/FG-51E TP mode – STP BPDU forwarding destined to 01:80:c2:00:00:00 stops after warm/cold reboot.
396781 Interface policy cannot block traffic encapsulated in PPPoE.
403572 Fragmentation not working on VLAN with mtu-override on NP6.
410463 SNMP is not responding when queried on a loopback IP address with an asymmetric SNMP packet path.
412184 If you use port 4433 for the admin-port, admin-sport, you cannot access GUI anymore.
412244 Fortitoken Mobile push won’t work when VDOM is enabled.
413885 long-vdom-name of global setting is disabled after exe factoryrest2.
413909,

404337

The diagnose hardware test system cpu, diagnose hardware test cpu model, and diagnose hardware test bios fail to produce a correct hardware report.

Affected models: FortiGate / FortiWiFi 30E, 50E, 51E, 52E, 60E, 61E, 80E, 81E, 100E, 100EF, 101E, and 140E series.

414242 Offload not supported on 200E aggregate interfaces.
414482 The pre-allocated size for interface cache and policy cache is not big enough.
415555 IPv6 ipv6-neighbor-cache configuration is lost after a reboot or flush command.
416950 NP6 stops process traffic through IPsec tunnel.
417644 When remote wildcard admin with Radius accprofile-override is enabled (super admin), restoring config fails on slave.
420150 NTPv3 with authentication enabled fails with error receive: authentication failed.
421813 With VDOM enabled, after restoring a VDOM, the members of a zone are removed.
422414 FG-90D + FG-100D modem port not responding.
422755 FG-60D removes session unexpectedly – memory_tension_drop increase even though memory usage is very low.
423039 After the upgrade from 5.4.4 to 5.6.0, FortiGate cannot receive public IP with Netgear Aircard 341U.
Bug ID Description
423375 Some configurations are missing in the output of show full-configuration.
424213 Cluster virtual MAC address is changed to physical port MAC address when ports are assigned on MGMT-VDOM.
434480 Admin user session does not time out.
434823 Firewall system halted when the sniffer is enabled in console.
436211 Kernel conserve mode due to memory leak.
436437 FortiGate cannot apply the FortiClient renew license from FortiGuard server.
437599 ICMP unreachable packet is blocked by transparent FortiGate.
438197 PPPoE connection is disrupted by HA failover/failback.
438944 BPDU frames are not changed in TP mode when one arm is connected to multiple VLANs.
439897 Virtual wire pair on asymmetric environment issue.
440041 DHCPv6 seems to fail when ip6-mode is DHCP – failed to assign link-local address.
Bug ID Description
414402 vmtoolsd continuously crashes.

User

Bug ID Description
378085 User authentication timeout max setting change.
410901 PKI peer CA search stops on first match based on CA subject name.
412487 RSSO Endpoint Storage limits the number of characters to 48.
421456 FortiGate cannot authenticate with Cisco ISE Radius and token.
434849 Guest UserEmail Template cut off when emailed to the recipient.
439760 User name is not visible in logs and on blocking page when using explicit proxy and Kerberos authentication.

VM

Bug ID Description
414811 Restore NIC offload capabilities on FortiGate KVM VM.
416783 FortiGate Image for ESXi loses interface information when reboot-upon-configrestore is disabled and a config is restored.
438174 Fortinet VM Product range device detection improved.

VoIP

Bug ID Description
423437 SIP ALG does not translate all MSRP SEND messages if more than one SEND message is contained within a single packet.

WebProxy

Bug ID Description
398405 WAD crashes without backtrace – WAF HTTP header matching problem.
406292 After update to 5.4.3 (B1111), WAD sometimes crashes.
415385 Explicit FTP proxy issue on zero file size transfers.
417491 WAD crashes when handling FTP over HTTP traffic.
421092 WAD consuming memory when explicit webproxy is used.
423077 WAD crashed after upgrading from 5.2.10 to 5.4.4 GA release.
423128 Unable to access www.ch.endress.com when deep inspection is enabled on explicitproxy policy.
424208 Expired certificates with valid issuers are treated as untrusted.
438759 TeamViewer not blocked with explicit proxy application control with SSL “deep inspection”.

WiFi

Bug ID Description
396580 Memory leak and crash reported for hostapd.
409110 Web page override login page loads slowly.
413214 Remote APs traffic not working.
Bug ID Description
413693 WPA_Entreprise with Radius Auth mode fails with VDOM that has a long VDOM name.
417001 Explicit HTTP proxy drops HTTPS connections on WiFi rating failures.
420967 Proxy AV + Proxy WF + SSL Certificate Inspection (Inspect All Ports) results in HTTPS traffic bypassing WiFi.
423020 Regex value changes in the URL filter.
436354 Replace Message Group Web FilterBlock Override page not working.
438003 Part of APs failed to be managed by FortiGate because cw_acd crashed in CMCC portal authentication.

Common Vulnerabilities and Exposures

FortiOS5.6.1 is no longer vulnerable to the following issues and CVE references. For more information, see https://fortiguard.com/psirt.

Bug ID Description
409913 l 2017-3130
414418 l 2017-3131 l 2017-3132 l 2017-3133
416322 l 2017-2636
416914 l 2016-10229
421539 l 2009-3555
422133 l 2009-3555
438599 FortiOS: SHA1-intermediate is not transfer to browser after proxy DPI.
440744 FortiOS: Reflected XSS in Web Proxy Disclaimer Response web page due proxy URL has not been sanitized.

 

Known Issues

The following issues have been identified in version 5.6.1. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.

Firewall

Bug ID Description
434959 NGFW policy with App Control policy blocks traffic.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.

Known

Bug ID Description
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
402507 In physical/logical topology, threat drill down fails and keeps GUI loading unexpectedly.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drill down a auth-failed wifi client entry in “Failed Authentication” could not display detail logs when CSF enabled
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
374247 GUI list may list another VDOM interface when editing a redundant interface.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.

Known Issues

Bug ID Description
403146 Slow GUI Policy tab with more than 600 policies.
412401 Incorrect throughput reading in GUI-System-HA page.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is

FortiAnalyzer.

442231 Link cannot show different colors based on link usage legend in logical topology real time view.
Bug ID Description
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.

HA

Bug ID Description
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441078 The time duration of packet-transporting process stops to pre-master node after HA failover takes too long.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
436585 Issues with different hardware generation when operating in a HA cluster.

IPsec

Bug ID Description
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.

Proxy

Known Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
409156 In Security Fabric Audit, The unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
439553 Virtual wire pair config missing after reboot.
440411 Monitor NP6 IPsec engine status.

Known Issues

Bug ID Description
440412 SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.4.5 Release Notes

Change Log

Date Change Description
2017-06-08 Initial release of FortiOS 5.4.5.
2017-06-09 Added 403937 to Resolved Issues.

Updated Upgrade Information > Upgrading to FortiOS 5.6.0.

Updated 435124 in Known Issues.

2017-06-13 Removed 416678 from Known Issues.

Added 398052 to Resolved Issues.

Added FGT-140 and FGT-140-POE to Introduction > Supported models > Special branch supported models.

2017-06-15 Added 399711, 421739, and 423452 to Resolved Issues.
2017-06-26 Added 389863 to Resolved Issues.
2017-06-30 Removed 374501 from Resolved Issues since that was resolved in 5.4.4.

In Product Integration and Support section, updated FortiClient support to 5.4.1 and later.

2017-07-12 Added 424215 to Known Issues.

Introduction

This document provides the following information for FortiOS 5.4.5 build 1138:

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,

FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-

600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,

FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C,

FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.5 supports the additional CPU cores through a license update on the following VM models:

l     VMware 16, 32, unlimited l KVM 16

l     Hyper-V 16, 32, unlimited

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.5 images are delivered upon request and are not available on the customer support firmware download page.

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.5 supports the following models.

Introduction                                                                                                                              Supported models

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.5. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1138.

FGR-30D is released on build 7662.
FGR-35D is released on build 7662.
FGR-30D-A is released on build 7662.
FGT-30E-MI is released on build 6229.
FGT-30E-MN is released on build 6229.
FWF-30E-MI is released on build 6229.
FWF-30E-MN is released on build 6229.
FWF-50E-2R is released on build 7657.
FGT-52E is released on build 6226.
FGT-60E is released on build 6225.
FWF-60E is released on build 6225.
FGT-61E is released on build 6225.
FWF-61E is released on build 6225.
FGT-80E is released on build 6225.
FGT-80E-POE is released on build 6225.
FGT-81E is released on build 6225.
FGT-81E-POE is released on build 6225.
FGT-90E is released on build 6230.
FGT-90E-POE is released on build 6230.
FGT-91E is released on build 6230.
FWF-92D is released on build 7660.
FGT-100E is released on build 6225.

 

What’s new in FortiOS 5.4.5                                                                                                                Introduction

FGT-100EF is released on build 6225.
FGT-101E is released on build 6225.
FGT-140E is released on build 6257.
FGT-140E-POE is released on build 6257.
FGT-200E is released on build 6228.
FGT-201E is released on build 6228.
FGT-2000E is released on build 6227.
FGT-2500E is released on build 6227.

What’s new in FortiOS 5.4.5

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.5, see the What’s New forFortiOS 5.4.5 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global set hw-switch-ether-filter <enable | disable>

FG-900D and FG-1000D                                                                                                               Special Notices

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.

 

Special Notices                                                                                FortiClient (Mac OS X) SSL VPN Requirements

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the

FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,

Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security

Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page                                                                                                                   Special Notices

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.4.5

FortiOS version 5.4.5 officially supports upgrading from version 5.4.3 and later and 5.2.9 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiGate-VM 5.4 for VMware ESXi                                                                                          Upgrade Information

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

Upgrade Information                                                                                                            FortiGate VM firmware

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.5 support

The following table lists 5.4.5 product integration and support information:

Web Browsers l Microsoft Edge 38 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager For the latest information, see the FortiManagerand FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer For the latest information, see the FortiAnalyzerand FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

l 5.4.1 and later

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS l 5.4.1 and later
FortiClient Android and FortiClient VPN Android l 5.4.0 and later

FortiOS 5.4.5

FortiAP l 5.4.1 and later l 5.2.5 and later

Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S l 5.4.1 and later
FortiSwitch OS

(FortiLink support)

l 3.5.0 and later
FortiController l 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox l 2.1.0 and later l 1.4.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0256 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6.0 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

 

FortiOS 5.4.5 support                                                                                             Product Integration and Support

FortiExplorer iOS l 1.0.6 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender l 3.0.0 l 2.0.2 and later
AV Engine l 5.247
IPS Engine l 3.311
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN support                                                                                                  Product Integration and Support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Product Antivirus Firewall
Symantec Endpoint Protection 11

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 53
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 53

Google Chrome version 58

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

SSL VPN

Product Antivirus Firewall
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.4.5. For inquires about a particular bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
392200 Encrypted archive log is generated even though the function archive-log in antivirus profile is unset.

DLP

Bug ID Description
379911 DLP filter order is not applied to encrypted files.

Firewall

Bug ID Description
304276 Policy real time view shows incorrect statistic in session offload to np6.
378482 TCP/UDP traffic fais when NAT/UTM is enabled on FGT-VM in KVM.
395241 After IPS is enabled on LB-VIP policy, this message displays: ipsapp session open failed: all providers busy.
402158 Some policy settings are not installed in complex sessions.
416111 FQDN address is unresolved in a VDOM although the URL is resolved with IP.

GUI

Bug ID Description
283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
356998 urlfilter list re-order on GUI does not work.
371149 30D GUI should support FortiSwitch controller feature when CLI supports it.
372898 User group name should escape XSS script at UserGroups page.
Bug ID Description
374166 Using Edge cannot select the firewall address when configuring a static route.
374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard.
378428 FortiGate logs a connection of category deny (red sign) even though traffic is allowed through policy.
379331 DHCP Monitor page does not fully display the page selector pane.
384532 Cannot set IPsec vpn xauth user group inherit from policy in GUI when setting xauthtype auto server.
385482 Webui loads indefinitely when accessing a none access webpage from custom admin profile.
386285 GUI Wizard fails to create FortiClient Dialup IPsec VPN if HA is enabled.
386849 When editing IPsec tunnel, Accessible Networks field cannot load if there is nested address group.
387640 Duplicate entry found when auto generate guest user.
388454 GUI failures when FSSO group contains an apostrophe.
394067 Improve displaying the warning: File System Check Recommended.
395711 pyfcgid takes 100% of CPU when managed switch page displayed.
396430 CSRF token is disclosed in several URLs.
401247 Cannot nest service group within another service group through GUI.
409104 Fix virtual-wire wildcard VLANs not handling u-turn traffic properly.
421918 HTTPSD debug improvement.

HA

Bug ID Description
373200 Quick failover occurs when enabling portmonitor.
382798 Master unit delay in sending heartbeat packet.
386434 HA configuration and VLAN interface disappear from config after reboot.
Bug ID Description
396938 Reboot of FGT HA cluster member with redundant HA management interface deletes HA configuration.
397171 FIB of VDOMs in vcluster2 is not synced to the slave.
404736 SCTP synchronized sessions in HA cluster, when one reboots the master, the traffic is interrupted.
404874 Some commands for HA in diag debug report and exec tac report need to be updated.
408167 Heartbeat packets broadcast out of ports not configured as HB ports, even though the HB ports are directly connected.
Bug ID Description
377255 Can’t read UTM details on log panel when set location to FortiAnalyzer.
377733 Results/Deny All filter does not return all required/expected data.

IPsec VPN

Bug ID Description
356330 Cross NP6-Chip IPsec traffic does not work in SLBC environment.
374326 Accept type: Any peerID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
386802 Unable to establish phase 2 when using address group/group object as quick mode selectors.
392097 3DES encryption susceptible to Sweet32 attack.
395044 OSPF over IPsec IKEv2 with dialup tunnel does not work as for IKEv1.
397386 Slave worker blades attempt to establish site to site IPsec VPN tunnel.
409050 unregister_netdevice messages appears on console when CAPWAP message is transmitted over IPsec tunnel.
411682 ADVPN failover does not update rtcache entry.
412987 IPsec VPN certificate not validated against PKI user’s CN and Subject.

Logging & Report

Bug ID Description
386742 Missing deny traffic log when user traffic is blocked by NAC quarantine.
397702 Add kernel related log messages for protocol attacks.
397714 Need a fill log disk utility to assist with CC testing.
398802 Forward traffic log shows dstintf=unknown-0 after enabling antivirus.
401511 FortiGate Local Report showing incorrect Malware Victims and Malware Sources.
402712 Username truncated in Webfilter & DLP logs.
406071 DNS filtering shows error: all Fortiguard SDNS servers failed to respond.
417128 Syslog message are missed in Fortigate.
421062 FortiGate 60E stopped sending logs to FortiAnalyzer when reliable enabled.

Router

Bug ID Description
373892 ECMP(BGP) routing failover time.
374306 Number of concurrent sessions affect the convergence time after HA failover.
383013 Message ha_fib_rtnl_hdl: msg truncated, increase buf size showing up on console.
385264 AS-override has not been applied in multihop AS path condition.
392250 BGP session not establishing with Cisco Nexus.
393623 Policy routing change not is not reflected.
397087 VRIP cannot be reached on 51E when it is acting as VRRP master.
399415 Local destined IPv6 traffic matched by PBR.
405408 FortiGate creates corrupted OSPF LS Update packet when certain number of networks is propagated.
421151 ICMP redirect received in root affects another VDOM’s route gateway selection.

SSL VPN

Bug ID Description
370986 SSL VPN LDAP user password renew doesn’t work when two factor authentication is enabled.
375827 SSL VPN web mode get Access denied to FOS 5.4.1 GA B1064 under VDOM.
375894 SSL VPN web mode access FMG B1066/FAZ B1066 error.
387276 SSL VPN should support Windows 10 OS check.
389566 “AltGr” key does not work when connecting to RDP-TLS server through SSL VPN web portal from IE 11.
394272 SSL VPN proxy mode can’t proxy some web server URL normally.
395497 https-redirect for SSL VPN does not support realms.
396932 Some web sites not working over web SSL VPN.
399711 SSL VPN does not decode hostcheck string properly for latest FortiClient.
399784 URL modified incorrectly for a dropdown in application server.
402743 User peer causes SSL VPN access failure even though user group has no user peer.
405799 AV breaks login to OWA via SSL VPN web mode.
406028 Citrix with Xenapp 7.x not working via SSL VPN web portal.
408624 SSL VPN certificate UPN+LDAP authentication works only on first policy.
423452 Citrix Xenapp not working properly via SSL VPN web portal.

System

Bug ID Description
182287 Implementation for check_daemon_enable() is not efficient.
283952 VLAN interface Rx bytes statistics higher than underlying aggregate interface.
302722 Using CLI #get system hardware status makes CLI hang.
306041 SSH error Broken pipe on client when using remote forwarding and SSH deep packet option log port fwd is enabled.

 

Bug ID Description
354490 False positive sensor alarms in Event log.
355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.
375798 Multihoming SCTP sessions are not correctly offloaded.
376423 Sniffer is not able to capture ICMPv6 packets with Hop-by-Hop option when using filter icmp6.
377192 DHCP request after lease expires is sent with former unicast IP instead of 0.0.0.0 as source.
378364 L2TP over IPsec tunnel cannot be established in FortiGate VM.
379883 Link-monitor doesn’t remove the route when it is in “die” state.
381363 Empty username with Radius 802.1x WSSO authentication.
382657 ICMP Packets bigger than 1418 bytes are dropped when offloading for IPsec tunnel is enabled.

Affected models: FG-30D, FG-60D, FG-70D, FG-90D, FG-90D-POE, FG-94D, FG-98D, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FWF-30D, FWF-60D, FWF-90D, FWF-90D-POE.

383126 50E/51E TP mode – STP BPDU forwarding destined to 01:80:c2:00:00:00 has stopped after warm/cold reboot.
385455 Inconsistent trusted host behavior.
385903 Changing allowedaccess on FG-200D hardware switch interfaces causes hard-switch to stop functioning.
386271 On FWF-90D after enabling IPS sensor with custom sig, in 60% chance need to wait for 30+ seconds to let ping packet pass.
386395 Missing admin name in system event log related to admin NAC quarantine.
388971 Insufficient guard queue size when sending files to FSA.
389407 High memory usage for radvd process.
389711 Suggest asic_pkts/asic_bytes counter in diagnose firewall iprope show should remain after FortiGate reboot.
391168 Delayed Gratuitous ARP during SLBC Chassis Fail-back.
391460 FortiGuard Filtering Services Availability check is forever loading.

 

Bug ID Description
392655 Conserve mode – 4096 SLAB leak suspected.
393275 VDOM admin forced change password while there is other login session gets The name is a reserved keyword by the system.
393343 Remove botnet filter option if interface role is set to LAN.
394775 GUI not behaving properly after successful upload of FTK200CD file.
395039 Loopback interface: Debug Flow and logs do not show the usage of firewall policy ID.
396018 Backup slave member of a redundant interface accept and process incoming traffic.
397984 SLBC – FIB sync may fail if there is a large routing table update.
398852 UDP jumbo frames arrives fragmented on a 3600C are blocked when acceleration is enabled.
399364 VDOM config restore fails for GRE interface bound to IPsec VPN interface.
399648 LAN ports status is up after reboot even if administrative status is down on FG-30D.
400907 Ethernet Ports Activity LED doesn’t light for shared copper ports.
401360 LDAP group query failed when the fixed length buffer overflows.
402742 VDOM list page does not load.
403532 FG-100D respond fragmented ICMP request with non-fragmented reply right after factory reset.
403724 Real number of FortiToken supported doesn’t match tablesize on some platforms.
403937 High memory on VSD.
404258 L2TP second user cannot connect to FG-600D via a router (NAPT).
404480 Link-monitor is not detecting the server once it becomes available.
405234 Unable to load application control replacement message logo and image in explicit proxy (HTTPS).
405757 Interface link not coming up when FortiGate interface is set to 1000full.
406071 DNS Filtering showing error all Fortiguard SDNS servers failed to respond.
Bug ID Description
406519 Administrative users assigned to prof_admin profile do not have access to diagnose CLI command.
406689 Autoupdate schedule time is reset after rebooting.
406972 Device become unresponsive for 30 min. during IPS update when cfg-save option is set to manual.
409828 Cisco switches don’t discover FortiGate using LLDP on internalX ports.
410463 SNMP is not responding when queried on a loopback IP address with an asymmetric SNMP packet path.
410901 PKI peer CA search stops on first match based on CA subject name.
411432 scanunitd gets high CPU when making configuration changes.
411433 voipd shows high CPU when making configuration changes.
411685 If IPPool is enabled in the firewall policy, offloaded traffic to NP6 is encrypted with a wrong SPI.
414243 DNS Filter local FortiGuard SDNS servers failed to respond due to malformed packet.
416678 FG101E/100E has reports of firewall lockups in production.
418205 High CPU utilization after upgrade from FortiOS 5.2.10 to 5.4.4.
420170 Skip the rating for dynamic DNS update type queries.

Web Filter

Bug ID Description
188128 For the Flowbase web filter, the CLI command set https-replacemsg disable does not work.

WebProxy

Bug ID Description
376808 Explicit proxy PAC File distribution in FortiOS 5.4.x not working properly.
383817 WAD crashes with a signal 11 (segmentation fault) in wad_port_fwd_peer_shutdown and wad_http_session_task_end.
389863 Signal 11 WAD and HTTPSD processes, and GUI not accessible.
Bug ID Description
398052 WAD session leak.
398405 WAD crashes without backtrace.
400454 Improve WAD debug trace and crash log information.
402155 WAS crashes with signal 6 in wad_authenticated_user_authenticate after upgrade to 5.4.3.
402778 WAD does not authorize user if it belongs to more than 256 usergroups with Kerberos authentication.
405264 WAD crash when flush FTP over HTTP traffic.
408503 Cannot access websites when SSL Inspection is set to Inspect All Ports with Proxy Option enabled only for HTTP(ANY).
412462 Fortinet-Bar does not show up on iPhone with iOS 10.2.1 Safari and Google Chrome 57.0.2987.100.
415918 Explicit proxy users are disconnected once a VDOM is created / removed.
421092 WAD consuming memory when explicit webproxy is used.

WiFi

Bug ID Description
387146 Wireless client RSSO authentication fails after reconnection to AP.

Common Vulnerabilities and Exposures

FortiOS 5.4.5 is no longer vulnerable to the following CVE references. For more information, see https://fortiguard.com/psirt.

Bug ID CVE references
421739 l CVE-2017-7734 l CVE-2017-7735

 

Known Issues

The following issues have been identified in version 5.4.5. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control is enabled.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.

FortiSwitch-Controller/FortiLink

Bug ID Description
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.
374346 Adding or reducing stacking connections may block traffic for 20 seconds.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
372897 Invalid -4 and invalid 254 is shown as the submitted file status.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.

Known Issues

Bug ID Description
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
372943 Explicit proxy policy may show a blank for default authentication method.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375346 You may not be able to download the application control packet capture from the forward traffic log.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375369 May not be able to change IPsec manualkey config in GUI.
375383 Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
Bug ID Description
379050 User Definition intermittently not showing assigned token.
421423 Cannot download certificate in Security Profiles > SSL/SSH Inspection. Workaround: Go to System > Certificates to download.

HA

Bug ID Description
399115 ID for the new policy (when using edit 0) is different on master and on slave unit.

IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.

Known Issues

System

Bug ID Description
284512 When using the Dashboard Interface History widget, the httpds process uses excessive memory and then crashes.
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.
424215 FG-80C halts during boot after upgrade from 5.2.10 to 5.4.4.

Upgrade

Bug ID Description
269799 Sniffer config may be lost after upgrade.
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FGT-VM-LENC.

WiFi

Bug ID Description
434991 WTP tablesize limitation cause WTP entry to be lost after upgrade from v5.4.4 to 5.4.5.

Affected models: FG-30D, FG-30D-POE, FG-30E, FWF-30D, FWF-30D-POE, FWF-30E.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.