Category Archives: Release Notes

FortiOS 5.4.5 Release Notes

Change Log

Date Change Description
2017-06-08 Initial release of FortiOS 5.4.5.
2017-06-09 Added 403937 to Resolved Issues.

Updated Upgrade Information > Upgrading to FortiOS 5.6.0.

Updated 435124 in Known Issues.

2017-06-13 Removed 416678 from Known Issues.

Added 398052 to Resolved Issues.

Added FGT-140 and FGT-140-POE to Introduction > Supported models > Special branch supported models.

 

Introduction

This document provides the following information for FortiOS 5.4.5 build 1138:

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,

FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-

600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,

FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C,

FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.5 supports the additional CPU cores through a license update on the following VM models:

l     VMware 16, 32, unlimited l KVM 16

l     Hyper-V 16, 32, unlimited

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.5 images are delivered upon request and are not available on the customer support firmware download page.

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.5 supports the following models.

Introduction                                                                                                                              Supported models

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.5. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1138.

FGR-30D is released on build 7662.
FGR-35D is released on build 7662.
FGR-30D-A is released on build 7662.
FGT-30E-MI is released on build 6229.
FGT-30E-MN is released on build 6229.
FWF-30E-MI is released on build 6229.
FWF-30E-MN is released on build 6229.
FWF-50E-2R is released on build 7657.
FGT-52E is released on build 6226.
FGT-60E is released on build 6225.
FWF-60E is released on build 6225.
FGT-61E is released on build 6225.
FWF-61E is released on build 6225.
FGT-80E is released on build 6225.
FGT-80E-POE is released on build 6225.
FGT-81E is released on build 6225.
FGT-81E-POE is released on build 6225.
FGT-90E is released on build 6230.
FGT-90E-POE is released on build 6230.
FGT-91E is released on build 6230.
FWF-92D is released on build 7660.
FGT-100E is released on build 6225.

 

What’s new in FortiOS 5.4.5                                                                                                                Introduction

FGT-100EF is released on build 6225.
FGT-101E is released on build 6225.
FGT-140E is released on build 6257.
FGT-140E-POE is released on build 6257.
FGT-200E is released on build 6228.
FGT-201E is released on build 6228.
FGT-2000E is released on build 6227.
FGT-2500E is released on build 6227.

What’s new in FortiOS 5.4.5

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.5, see the What’s New forFortiOS 5.4.5 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global set hw-switch-ether-filter <enable | disable>

FG-900D and FG-1000D                                                                                                               Special Notices

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading. Full featured FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment needs, FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010.

 

Special Notices                                                                                FortiClient (Mac OS X) SSL VPN Requirements

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the

FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,

Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security

Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page                                                                                                                   Special Notices

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.4.5

FortiOS version 5.4.5 officially supports upgrading from version 5.4.3 and later and 5.2.9 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiGate-VM 5.4 for VMware ESXi                                                                                          Upgrade Information

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

Upgrade Information                                                                                                            FortiGate VM firmware

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.5 support

The following table lists 5.4.5 product integration and support information:

Web Browsers l Microsoft Edge 38 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager For the latest information, see the FortiManagerand FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer For the latest information, see the FortiAnalyzerand FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

l 5.4.1

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS l 5.4.1
FortiClient Android and FortiClient VPN Android l 5.4.0

FortiOS 5.4.5

FortiAP l 5.4.1 and later l 5.2.5 and later

Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S l 5.4.1 and later
FortiSwitch OS

(FortiLink support)

l 3.5.0 and later
FortiController l 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox l 2.1.0 and later l 1.4.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0256 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6.0 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

 

FortiOS 5.4.5 support                                                                                             Product Integration and Support

FortiExplorer iOS l 1.0.6 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender l 3.0.0 l 2.0.2 and later
AV Engine l 5.247
IPS Engine l 3.311
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN support                                                                                                  Product Integration and Support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Product Antivirus Firewall
Symantec Endpoint Protection 11

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 53
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 53

Google Chrome version 58

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

SSL VPN

Product Antivirus Firewall
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.4.5. For inquires about a particular bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
392200 Encrypted archive log is generated even though the function archive-log in antivirus profile is unset.

DLP

Bug ID Description
379911 DLP filter order is not applied to encrypted files.

Firewall

Bug ID Description
304276 Policy real time view shows incorrect statistic in session offload to np6.
378482 TCP/UDP traffic fais when NAT/UTM is enabled on FGT-VM in KVM.
395241 After IPS is enabled on LB-VIP policy, this message displays: ipsapp session open failed: all providers busy.
402158 Some policy settings are not installed in complex sessions.
416111 FQDN address is unresolved in a VDOM although the URL is resolved with IP.

GUI

Bug ID Description
283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
356998 urlfilter list re-order on GUI does not work.
371149 30D GUI should support FortiSwitch controller feature when CLI supports it.
372898 User group name should escape XSS script at UserGroups page.
Bug ID Description
374166 Using Edge cannot select the firewall address when configuring a static route.
374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard.
378428 FortiGate logs a connection of category deny (red sign) even though traffic is allowed through policy.
379331 DHCP Monitor page does not fully display the page selector pane.
384532 Cannot set IPsec vpn xauth user group inherit from policy in GUI when setting xauthtype auto server.
385482 Webui loads indefinitely when accessing a none access webpage from custom admin profile.
386285 GUI Wizard fails to create FortiClient Dialup IPsec VPN if HA is enabled.
386849 When editing IPsec tunnel, Accessible Networks field cannot load if there is nested address group.
387640 Duplicate entry found when auto generate guest user.
388454 GUI failures when FSSO group contains an apostrophe.
394067 Improve displaying the warning: File System Check Recommended.
395711 pyfcgid takes 100% of CPU when managed switch page displayed.
396430 CSRF token is disclosed in several URLs.
401247 Cannot nest service group within another service group through GUI.
409104 Fix virtual-wire wildcard VLANs not handling u-turn traffic properly.
421918 HTTPSD debug improvement.

HA

Bug ID Description
373200 Quick failover occurs when enabling portmonitor.
382798 Master unit delay in sending heartbeat packet.
386434 HA configuration and VLAN interface disappear from config after reboot.
Bug ID Description
396938 Reboot of FGT HA cluster member with redundant HA management interface deletes HA configuration.
397171 FIB of VDOMs in vcluster2 is not synced to the slave.
404736 SCTP synchronized sessions in HA cluster, when one reboots the master, the traffic is interrupted.
404874 Some commands for HA in diag debug report and exec tac report need to be updated.
408167 Heartbeat packets broadcast out of ports not configured as HB ports, even though the HB ports are directly connected.
Bug ID Description
377255 Can’t read UTM details on log panel when set location to FortiAnalyzer.
377733 Results/Deny All filter does not return all required/expected data.

IPsec VPN

Bug ID Description
356330 Cross NP6-Chip IPsec traffic does not work in SLBC environment.
374326 Accept type: Any peerID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
386802 Unable to establish phase 2 when using address group/group object as quick mode selectors.
392097 3DES encryption susceptible to Sweet32 attack.
395044 OSPF over IPsec IKEv2 with dialup tunnel does not work as for IKEv1.
397386 Slave worker blades attempt to establish site to site IPsec VPN tunnel.
409050 unregister_netdevice messages appears on console when CAPWAP message is transmitted over IPsec tunnel.
411682 ADVPN failover does not update rtcache entry.
412987 IPsec VPN certificate not validated against PKI user’s CN and Subject.

Logging & Report

Bug ID Description
386742 Missing deny traffic log when user traffic is blocked by NAC quarantine.
397702 Add kernel related log messages for protocol attacks.
397714 Need a fill log disk utility to assist with CC testing.
398802 Forward traffic log shows dstintf=unknown-0 after enabling antivirus.
401511 FortiGate Local Report showing incorrect Malware Victims and Malware Sources.
402712 Username truncated in Webfilter & DLP logs.
406071 DNS filtering shows error: all Fortiguard SDNS servers failed to respond.
417128 Syslog message are missed in Fortigate.
421062 FortiGate 60E stopped sending logs to FortiAnalyzer when reliable enabled.

Router

Bug ID Description
373892 ECMP(BGP) routing failover time.
374306 Number of concurrent sessions affect the convergence time after HA failover.
383013 Message ha_fib_rtnl_hdl: msg truncated, increase buf size showing up on console.
385264 AS-override has not been applied in multihop AS path condition.
392250 BGP session not establishing with Cisco Nexus.
393623 Policy routing change not is not reflected.
397087 VRIP cannot be reached on 51E when it is acting as VRRP master.
399415 Local destined IPv6 traffic matched by PBR.
405408 FortiGate creates corrupted OSPF LS Update packet when certain number of networks is propagated.
421151 ICMP redirect received in root affects another VDOM’s route gateway selection.

SSL VPN

Bug ID Description
370986 SSL VPN LDAP user password renew doesn’t work when two factor authentication is enabled.
375827 SSL VPN web mode get Access denied to FOS 5.4.1 GA B1064 under VDOM.
375894 SSL VPN web mode access FMG B1066/FAZ B1066 error.
387276 SSL VPN should support Windows 10 OS check.
389566 “AltGr” key does not work when connecting to RDP-TLS server through SSL VPN web portal from IE 11.
394272 SSL VPN proxy mode can’t proxy some web server URL normally
395497 https-redirect for SSL VPN does not support realms.
396932 Some web sites not working over web SSL VPN.
399784 URL modified incorrectly for a dropdown in application server.
402743 User peer causes SSL VPN access failure even though user group has no user peer.
405799 AV breaks login to OWA via SSLVPN web mode.
406028 Citrix with Xenapp 7.x not working via SSLVPN web portal.
408624 SSL VPN certificate UPN+LDAP authentication works only on first policy.

System

Bug ID Description
182287 Implementation for check_daemon_enable() is not efficient.
283952 VLAN interface Rx bytes statistics higher than underlying aggregate interface.
302722 Using CLI #get system hardware status makes CLI hang.
306041 SSH error Broken pipe on client when using remote forwarding and SSH deep packet option log port fwd is enabled.
354490 False positive sensor alarms in Event log.
355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.

 

Bug ID Description
375798 Multihoming SCTP sessions are not correctly offloaded.
376423 Sniffer is not able to capture ICMPv6 packets with Hop-by-Hop option when using filter icmp6.
377192 DHCP request after lease expires is sent with former unicast IP instead of 0.0.0.0 as source.
378364 L2TP over IPsec tunnel cannot be established in FortiGate VM.
379883 Link-monitor doesn’t remove the route when it is in “die” state.
381363 Empty username with Radius 802.1x WSSO authentication.
382657 ICMP Packets bigger than 1418 bytes are dropped when offloading for IPsec tunnel is enabled.

Affected models: FG-30D, FG-60D, FG-70D, FG-90D, FG-90D-POE, FG-94D, FG-98D, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FWF-30D, FWF-60D, FWF-90D, FWF-90D-POE.

383126 50E/51E TP mode – STP BPDU forwarding destined to 01:80:c2:00:00:00 has stopped after warm/cold reboot.
385455 Inconsistent trusted host behavior.
385903 Changing allowedaccess on FG-200D hardware switch interfaces causes hard-switch to stop functioning.
386271 On FWF-90D after enabling IPS sensor with custom sig, in 60% chance need to wait for 30+ seconds to let ping packet pass.
386395 Missing admin name in system event log related to admin NAC quarantine.
388971 Insufficient guard queue size when sending files to FSA.
389407 High memory usage for radvd process.
389711 Suggest asic_pkts/asic_bytes counter in diagnose firewall iprope show should remain after FortiGate reboot.
391168 Delayed Gratuitous ARP during SLBC Chassis Fail-back.
391460 FortiGuard Filtering Services Availability check is forever loading.
392655 Conserve mode – 4096 SLAB leak suspected.
393275 VDOM admin forced change password while there is other login session gets The name is a reserved keyword by the system“.

 

Bug ID Description
393343 Remove botnet filter option if interface role is set to LAN.
394775 GUI not behaving properly after successful upload of FTK200CD file.
395039 Loopback interface: Debug Flow and logs do not show the usage of firewall policy ID.
396018 Backup slave member of a redundant interface accept and process incoming traffic.
397984 SLBC – FIB sync may fail if there is a large routing table update.
398852 UDP jumbo frames arrives fragmented on a 3600C are blocked when acceleration is enabled.
399364 VDOM config restore fails for GRE interface bound to IPsec VPN interface.
399648 LAN ports status is up after reboot even if administrative status is down on FG-30D.
400907 Ethernet Ports Activity LED doesn’t light for shared copper ports.
401360 LDAP group query failed when the fixed length buffer overflows.
402742 VDOM list page does not load.
403532 FG-100D respond fragmented ICMP request with non-fragmented reply right after factory reset.
403724 Real number of FortiToken supported doesn’t match tablesize on some platforms.
403937 High memory on VSD.
404258 L2TP second user cannot connect to FG-600D via a router (NAPT).
404480 Link-monitor is not detecting the server once it becomes available.
405234 Unable to load application control replacement message logo and image in explicit proxy (HTTPS).
405757 Interface link not coming up when FortiGate interface is set to 1000full.
406071 DNS Filtering showing error all Fortiguard SDNS servers failed to respond.
406519 Administrative users assigned to prof_admin profile do not have access to diagnose CLI command.
406689 Autoupdate schedule time is reset after rebooting.
Bug ID Description
406972 Device become unresponsive for 30 min. during IPS update when cfg-save option is set to manual.
409828 Cisco switches don’t discover FortiGate using LLDP on internalX ports.
410463 SNMP is not responding when queried on a loopback IP address with an asymmetric SNMP packet path.
410901 PKI peer CA search stops on first match based on CA subject name.
411432 scanunitd gets high CPU when making configuration changes.
411433 voipd shows high CPU when making configuration changes.
411685 If IPPool is enabled in the firewall policy, offloaded traffic to NP6 is encrypted with a wrong SPI.
414243 DNS Filter local FortiGuard SDNS servers failed to respond due to malformed packet.
416678 FG101E/100E has reports of firewall lockups in production.
418205 High CPU utilization after upgrade from FortiOS 5.2.10 to 5.4.4.
420170 Skip the rating for dynamic DNS update type queries.

Web Filter

Bug ID Description
188128 For the Flowbase web filter, the CLI command set https-replacemsg disable does not work.

WebProxy

Bug ID Description
376808 Explicit proxy PAC File distribution in FortiOS 5.4.x not working properly.
383817 WAD crashes with a signal 11 (segmentation fault) in wad_port_fwd_peer_shutdown and wad_http_session_task_end.
398052 WAD session leak.
398405 WAD crashes without backtrace.
400454 Improve WAD debug trace and crash log information.
Bug ID Description
402155 WAS crashes with signal 6 in wad_authenticated_user_authenticate after upgrade to 5.4.3.
402778 WAD does not authorize user if it belongs to more than 256 usergroups with Kerberos authentication.
405264 WAD crash when flush FTP over HTTP traffic.
408503 Cannot access websites when SSL Inspection is set to Inspect All Ports with Proxy Option enabled only for HTTP(ANY).
412462 Fortinet-Bar does not show up on iPhone with iOS 10.2.1 Safari and Google Chrome 57.0.2987.100.
415918 Explicit proxy users are disconnected once a VDOM is created / removed.
421092 WAD consuming memory when explicit webproxy is used.

WiFi

Bug ID Description
387146 Wireless client RSSO authentication fails after reconnection to AP.

Common Vulnerabilities and Exposures

Bug ID Description
374501 FortiOS 5.4.5 is no longer vulnerable to the following CVE Reference: l 2016-0723

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.4.5. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control is enabled.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.

FortiSwitch-Controller/FortiLink

Bug ID Description
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.
374346 Adding or reducing stacking connections may block traffic for 20 seconds.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
372897 Invalid -4 and invalid 254 is shown as the submitted file status.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.

Known Issues

Bug ID Description
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
372943 Explicit proxy policy may show a blank for default authentication method.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375346 You may not be able to download the application control packet capture from the forward traffic log.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375369 May not be able to change IPsec manualkey config in GUI.
375383 Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
Bug ID Description
379050 User Definition intermittently not showing assigned token.
421423 Cannot download certificate in Security Profiles > SSL/SSH Inspection. Workaround: Go to System > Certificates to download.

HA

Bug ID Description
399115 ID for the new policy (when using edit 0) is different on master and on slave unit.

IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.

Known Issues

System

Bug ID Description
284512 When using the Dashboard Interface History widget, the httpds process uses excessive memory and then crashes.
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.

Upgrade

Bug ID Description
269799 Sniffer config may be lost after upgrade.
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FGT-VM-LENC.

WiFi

Bug ID Description
434991 WTP tablesize limitation cause WTP entry to be lost after upgrade from v5.4.4 to 5.4.5.

Affected models: FG-30D, FG-30D-POE, FG-30E, FWF-30D, FWF-30D-POE, FWF-30E.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.6 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.0 build 1449:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.0 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG50E, FG-51E, FG-52E, FG-60D, FG-60E, FG-61E, FG-70D, FG-70D-POE, FG-80C,

FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF,

FG-101E, FG-140D, FG-140D-POE, FG- 200D, FG-200D-POE, FG-240D, FG-240D-

POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C,

FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-

3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-

3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-

POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60E, FWF-61E,

FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.0 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.0                                                                                                                Introduction

What’s new in FortiOS 5.6.0

For a list of new features and enhancements that have been made in FortiOS 5.6.0, see the What’s New for FortiOS 5.6.0 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.0

FortiOS version 5.6.0 officially supports upgrading from version 5.4.3 and 5.4.4.

Security Fabric Upgrade

FortiOS 5.6.0 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.0 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths l Client-side web filtering when on-net

  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.0, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec, VPN, or SSL VPN) connections to FortiOS 5.6.0, but not for Security Fabric functions.

Upgrade Information                                                                                          FortiGate-VM 5.6 for VMware ESXi

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.0 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 5.6.0 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

FortiGate VM firmware                                                                                                            Upgrade Information

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.0 support

The following table lists 5.6.0 product integration and support information:

Web Browsers l Microsoft Edge 25 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 46 l Google Chrome version 50 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 25 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 45 l Google Chrome version 51 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Security Fabric Upgrade on page 8. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Security Fabric Upgrade on page 8. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

See important compatibility information in Security Fabric Upgrade on page 8.

l 5.6.0

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS l 5.4.3 and later

11

FortiOS 5.6.0 support

FortiClient Android and FortiClient VPN Android l 5.4.0
FortiAP l 5.4.2 and later l 5.6.0
FortiAP-S l 5.4.3 and later l 5.6.0
FortiSwitch OS

(FortiLink support)

l 3.5.2 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0254 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender l 3.1.1
AV Engine l 5.239
IPS Engine l 3.410
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later

 

Product Integration and Support                                                                                                  Language support

Microsoft   l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source   l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware   l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV   The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language   GUI
English  
Chinese (Simplified)  
Chinese (Traditional)  
French  
Japanese  
Korean  
Portuguese (Brazil)  
Spanish (Spain)  

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Microsoft Windows 7 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Windows 10 (64-bit)

2333
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) 2333

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 52

Google Chrome version 56

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 52

Google Chrome version 56

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 52

Product Integration and Support                                                                                                  SSL VPN support

Operating System Web Browser
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 52

Google Chrome version 56

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009  
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Product Antivirus Firewall
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.0. For inquires about a particular bug, please contact CustomerService & Support.

Firewall

Bug ID Description
398673 For the NGFW_vdom, App_category, and URL_category in NGFW, action=pass firewall policy don’t work as expected.

FortiRugged 60D

Bug ID Description
375246 Invalid hbdev dmz may be received if the default hbdev is used.
FortiGate 80D  
Bug ID Description
373127 FG-80D VLAN interface does not receive packets.
FortiGate 92D  
Bug ID Description
267347 FG-92D does not support hardware switch.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control is enabled.
402054 Non-registered endpoint user is missing I understand button on the warning portal.

Resolved Issues

FortiView

Bug ID Description
372350 Threat view: Threat Type and Event information are missing at the lowest level.
373142 The filter result of Threat View may not be correct when adding a filter on a threat and threat type on the first level.
374947 FortiView may show empty country in the IPv6 traffic because country info is missing in log.

GUI

Bug ID Description
355388 The Select window for remote server in remote user group may not work as expected.
365223 CSF: downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
372943 Explicit proxy policy may show a blank for default authentication method.
373127 FG-80D VLAN interfaces may fail to pass traffic.
374146 Peer certificate may still show up when editing IPsec VPN tunnel and even when setting the authmethod pre-shared key.
374166 Using Edge cannot select the firewall address when configuring a static route.
374221 SSL VPN setting portal mapping realm field misses the / option.
374237 You may not be able to set a custom NTP server using GUI if you did not config it using CLI first.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374343 After enabling inspect-all in ssl-ssh-profile, user may not be able to modify allowinvalidserver-cert from GUI.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374371 The IPS Predefined Signature information pop up window may not be seen as it is hidden behind the Add Signature window.
374521 Unable to Revert revisions on GUI.
Bug ID Description
374326 Accept type: Any peer ID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
375020 IPsec tunnel Fortinet bar may not be displayed properly.

Resolved Issues

Bug ID Description
375255 You may not be able to quarantine the FortiClient device in FortiView because of a javascript error.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375290 Fortinet Bar may not be displayed properly.
375346 You may not be able to download the application control packet capture from the forward traffic log.
376808,

378744

The proxy.pac file is not updated according to changes from GUI.
403655 GUI has issue loading some web pages with IE 11 and Edge web browsers.
404781 Setup wizard does not work properly.
407030 Interface bandwidth widget is always loading for newly added interfaces.
407060 Some right-click menu items are missing icon on policy and firewall object list page.
407284 FortiView encounters JavaScript in non-root VDOM and FortiView from FortiAnalyzer.
408908 GUI has issue creating a site2site IPsec tunnel with authmethod psk.
409594 Unable to create VLAN interface for non-management VDOM at ‘Global’ view.

HA

Bug ID Description
409707 User cannot login to FGT after restore config in HA.

IPsec

Resolved Issues Kernel

Bug ID Description
395515 ICMP unreachable message processing causes high CPU usage in kernel and DHCP daemon.
Bug ID Description
287612 Span function of software switch may not work on FortiGate 51E or FortiGate 30E.
304482 NP6 offloading may be lost when the IPsec interface has the aes256gcm proposal.
371320 Show system interface may not show the Port list in sequential order.
371986 NP6 may have issue handling fragment packets.
372717 Admin-https-banned-cipher in sys global may not work as expected.

Log & Report

Bug ID Description
300637 MUDB logs may display Unknown in the Attack Name field under UTM logs.
367247 FortiSwitch log may not show the details in GUI, while in CLI the details are displayed.
374103 Botnet detection events are not listed in the Learning Report.
374411 Local and Learning report web usage may only report data for outgoing traffic.
401511 FortiGate local report shows incorrect malware victims and malware sources.

SSL VPN

Bug ID Description
282914 If users use SSL VPN in Web Mode, they may not be able to access a FortiGate running 5.4.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
408281 IE 11 and Safari browsers cannot load SSL VPN web portal page.
409755 iOS FortiClient 5.4.3.139 fails to connect to SSL VPN tunnel mode.

System

Resolved Issues

Bug ID Description
378870 When AV mode is flow-mode, the counters of fgAvStatsEntry cannot be counted up.
402589 Cannot forward traffic in TP VDOM with NP6Lite NPU VDOM link.
409198 System time zone may not take effect.
409203 Firewall recurring schedule does not work with time range.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

WiFi

Bug ID Description
409670 mpsk-key entries do not allow saving passphrase in encrypted format.

Common Vulnerabilities and Exposures

Bug ID Description
374501 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-0723

Visit https://fortiguard.com/psirt for more information.

378697 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-2512

Visit https://fortiguard.com/psirt for more information.

379870 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2003-1418 l 2007-6750

Visit https://fortiguard.com/psirt for more information.

383538 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-3713 l 2016-5829

Visit https://fortiguard.com/psirt for more information.

383564 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-5696

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.6.0. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Antivirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json)
Firewall  
Bug ID Description
412799 auto-asic-offload disable does not work for NGFW policy.

FortiGate 800D

Bug ID Description
404228 All the interfaces status are down except mgmt after cfg revert.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP. The workaround is to disable switch-controller-dhcpsnooping on FortiLink VLAN interfaces.

Known Issues

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
Bug ID Description
396319 For the NGFW_vdom, the application UTM log action is always PASS when firewall policy deny the traffic.

GUI

Bug ID Description
303928 After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in the GUI.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
397010 GUI does not display the App-DB and INDUSTRIAL-DB information.
413754 GUI create VDOM link on TP VDOM fails with error.
413891 In Topology > FortiAnalyzer, clicking Configure setting redirects to VDOM security fabric page.
413921 In FSSO standard mode, context menu allows you to delete ad-groups polled from CA.

HA

Bug ID Description
414336 Slave cannot sync to master with redundant interface.

Log & Report

Known Issues

Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
413778 With long VDOM names, no log is displayed when only one field subtype forward is added to traffic log filter.

Security Fabric

Bug ID Description
385341 If there are multiple FortiAPs managed, GUI cannot display managed FortiAPs in FortiView > Physical Topology page.
403085 The session tab cannot be displayed on historical page when you drill down into the members.
403229 FortiGate is unable to drill down to the final level when using FortiAnalyzer as logging device.
406561 Matching username is not highlighted in tooltip after topology search.
408495 An improper warning message may appear in the FortiAnalyzer log when changing the root FortiGate to a downstream FortiGate.
409156 An unlicensed FortiGate may be marked as Passed in Firmware & Subscriptions.
411368 Multiple MAC addresses may be displayed abnormally in Device field.
411479 The icon used to signify the souce of logs when the time range is set to now is incorrect.
411645 Drilling down to an upstream FortiGate from a downstream FortiGate may produce a blank page.
412104 The drill down for an aggregated device is not displayed as an individual device.
412249 Threats of a downstream FortiGate cannot be displayed on the root FortiGate.
412930 Security Audit Event are shown incorrectly in the security fabric child nodes.
413189 The bubble chart with FortiAnalyzer view may not be drawn correctly.
413492 CSF topology change can cause high CPU usage by miglogd on CSF root.
413742 A red circle to indicate the root node of the security fabric may be displayed on each child FortiGate.
413912 An upstream FortiGate may still be displayed incorrectly when Security Fabric is disabled on a downstream FortiGate.

Known Issues

Bug ID Description
414013 The FortiGate may produce an “Internal CLI error” on GUI when changing the logging mode from default to local.
414147 The topology fails to be updated after changing the upstream port on a child FortiGate.
414301 Security Fabric topology will not be displayed due to js error if managed FortiSwitches have redundant topology.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
396788 SSL VPN GUI is unable to keep SSO password information for user bookmark.
413758 Auto-generated SSL interface do not ‘t associate with SSLVPN_TUNNEL_ADDR1 for a long name VDOM.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
410916 FG-5001D might encounter kernel panic after set split port.
412244 Fortitoken Mobile push won’t work when VDOM is enabled.
413885 long-vdom-name is disabled after exe factoryrest2.
414482 miglogd might keep crashing if more than 50000 polices are configured.
414490 FG-101E might hang after reboot.

Known Issues

WiFi

Bug ID Description
382296 Unable to redirect HTTPS FortiGuard web filtering block page when deploying webfilter with deep inspection on IE and Firefox.
413693 WPA_Entreprise with Radius Auth mode fails with VDOM that has a long VDOM name.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiCore 2.0.0 Release Notes

Introduction

This document provides upgrade instructions and release information about FortiCore Version 2.0.0. Please review all sections in this document prior to upgrading your device.

Supported models

This release covers the following FortiCore models:

  • 3600E
  • 3700E
  • 3800E
  • 3805E

Summary of enhancements

FortiCore Version 2.0.0 includes the following new features:

  • OVSDB support for configuration
  • LAG for front panel ports

FortiCore features and capabilities are described in the FortiCore Admin Guide, available at the following location: http://docs.fortinet.com/forticore/admin-guides

 

 

Upgrade Information

Upgrading

FortiCore Version 2.0.0 supports upgrade from release 1.2.0. and downgrade from release 2.0.0 to 1.2.0.

To upgrade the firmware, follow these instructions from the dashboard page of the web-based admin tool:

  1. Download the desired firmware version from the Fortinet support site to your local hard drive.
  2. Click the update button next to the current firmware version.
  3. Select the firmware file and click OK.
  4. The system automatically loads the firmware and performs a system restart.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image

Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support                                                                                           SDN Gateway Support

Product Integration and Support

SDN Gateway Support

FortiCore supports any SDN Gateway that is compliant to OpenFlow version 1.3.

FortiCore product was tested primarily with the OpenDaylight SDN controller, provided by the Linux Foundation.

Web Browser Support

The FortiCore web-based administration interface supports the following browser versions:

l Mozilla Firefox version 36 l Google Chrome version 43

Other web browsers may function correctly, but are not supported by FortiCore.

FortiAP 5.4.2 Release Notes

Introduction

This document provides the following information for FortiAP version 5.4.2:

l Supported models l What’s new in FortiAP 5.4.2 l Upgrade Information l Product Integration and Support l Resolved Issues

For more information on upgrading your FortiAP device, see the Deploying Wireless Networks for FortiOS 5.4 guide in the Fortinet Document Library.

Supported models

FortiAP version 5.4.2 supports the following models:

Model support

Model Build
FAP-11C, FAP-14C, FAP-21D, FAP-24D, FAP-25D, FAP-112B,

FAP-112D, FAP-221B, FAP-221C, FAP-222B, FAP-222C,

FAP-223B, FAP-223C, FAP-224D, FAP-320B, FAP-320C,

FAP-321C, FAP-CAM-214B

0354

What’s new in FortiAP 5.4.2

The following is a list of new features and enhancements in FortiAP version 5.4.2:

  • Support for DFS channels on more FAP SKUs:
  • FAP-321C-S, l FAP-222C-K l FAP-221B-I, FAP-221C-I, FAP-222C-I, FAP-223C-I, FAP-320B-I, FAP-320C-I, FAP-321C-I
  • Support for 64-digit hexadecimal passphrase in WPA2-Personal SSID

The following features require FortiCloud 3.1.0:

  • OKC support for FortiCloud WPA2-Enterprise SSID with RADIUS authentication l Dynamic VLAN support for FortiCloud WPA2-Enterprise SSID l Support for time zone and day-light-saving settings from FortiCloud l During firmware upgrade, FAP can download firmware image from a HTTPS server as instructed by FortiCloud.

What’s new in FortiAP 5.4.2                                                                                                                Introduction

The following features require FortiGate running FortiOS 5.6.0:

  • PMF support for local-standalone SSID with WPA2-Personal/Enterprise security
  • New security option for CAPWAP data channel: IPsec VPN

Note: FAP-320B cannot support this feature due to its flash limit. l Support for QoS Profile (rate limits per SSID and per client IP) l Add “lease-time” setting to NAT-mode local-standalone VAP

6

Upgrade Information

Upgrading from FortiAP version 5.4.1

FortiAP 5.4.2 supports upgrading from 5.4.1.

Downgrading to previous firmware versions

FortiAP 5.4.2 does not support downgrading to previous firmware versions.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Supported Upgrade Paths

To view all previous FortiAP versions, build numbers, and their supported upgrade pathways, see the following Fortinet Cookbook link:

http://cookbook.fortinet.com/supported-upgrade-paths-fortiap/

Product Integration and Support

FortiAP 5.4.2 support

The following table lists FortiAP version 5.4.2 product integration and support information.

FortiAP 5.4.2 support

Web Browsers l     Microsoft Internet Explorer version 11 l Mozilla Firefox version 41 l Google Chrome version 47

l     Safari 8

Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS 5.4.2 and later
FortiExplorer (Windows/MAC) 2.6.0 (model FAP-11C only)
FortiExplorer iOS 2.0.0 (models FAP-11C, 21D, 24D, 112D, 320B, and 320C only)

8

Resolved Issues

The following issues have been fixed in version 5.4.2. For inquires about a particular bug, please contact Customer Service & Support.

Bug ID Description
206429 FAP WIDS function could not detect spoofed de-authentication attack to its operating SSID.
300277 The NAT setting in FAP was not cleared correctly when VAP configuration in FortiGate has localstandalone disabled. (FortiGate will have the fix in FortiOS 5.6.0.)
369467 In FortiCloud captive-portal SSID setup, Social Media login page might become inaccessible due to DNS load balancing or rotation.
375543 FAP reported excess event logs about operating channel and Tx Power on 2.4 GHz radio.
307852 In FAP GUI, FortiCloud Account field now allows up to 50 characters.
381375 BPDU frames got truncated by FAP LAN to tunnel SSID when CAPWAP-data is plain text.
381602 Country code “AUSTRALIA” should be supported by FAP with region code “N “.
390947 Country code “SAUDI ARABIA” should be supported by FAP with region code “E “.
382926 Country code “INDONESIA” now is supported by a new region code “F “.
380931 Schedule of local-standalone SSID did not work when FAP lost connection with FortiCloud.
374626 Memory usage of IP pool of DHCP server in NAT-mode local-standalone SSID has been improved.
369162 For dual-radio FAP platforms, when both radios have the same NAT-mode local-standalone SSID configured, they can use the same IP and subnet mask settings now.
379123 Local-standalone SSID can support pre-authentication now.
391677 FAP-320C had lower TX power than expected.
281684 FAP sometimes encountered “PN check failed” issue.
395016 FAP-320C-E 2.4GHz Radio had inconsistent TX power when configured 1 dBm.
395010 FAP-320C-E 5Ghz Radio TX power was stuck at 0 once cwWtpd was killed.
395244 Improvement. Now FAP sends WTP ID information packet to FortiPresence Server more frequently.

Resolved Issues

Bug ID Description
389205 FortiAP 5.4.2 is no longer vulnerable to the following CVE Reference: 2016-6308, 2016-6307, 2016-6306, 2016-6305, 2016-6304, 2016-6303, 2016-6302, 2016-2183, 2016-2182, 2016-2181, 2016-2180, 2016-2179, 2016-2178, 2016-2177.

Visit https://fortiguard.com/psirt for more information.

10

Known Issues

The following issues have been identified in version 5.4.2. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Bug ID Description
301726 Sniffer mode does not work on 802.11ac radios. Sniffer will be stuck in INIT(0) state and no packets will be captured.
300081 FortiAPs may encounter high CPU usage intermittently after a FortiGate wireless controller pushes a local-authentication virtual AP (VAP) configuration to them.
245323 Spectrum analysis may result in high CPU usage on some FortiAP models including the FAP221B, FAP-223B, and FAP-221C.
236312 Split-tunneling SSIDs do not support VLANs.

FortiOS 5.4.4 Release Notes

What’s new in FortiOS 5.4.4

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.4, see the What’s New forFortiOS 5.4.4 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

 

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units running 5.4.4 and managed by FortiManager 5.0 or 5.2

FortiGate units running 5.4.4 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading. Full featured FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment needs, FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010.

 

FortiAnalyzer 5.4.2 Release Notes

Change Log

Date Change Description
2016-12-14 Initial release of 5.4.2.
2016-12-15 Added 400028 to Known Issues and 389255 and 383563 to Resolved Issues. Noted that FortiAnalyzer supports Microsoft Hyper-V 2016 in the FortiAnalyzer VM Firmware section.

 

Introduction

This document provides the following information for FortiAnalyzer version 5.4.2 build 1151:

l Supported models l What’s new in FortiAnalyzer version 5.4.2 l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues

For more information on upgrading your FortiAnalyzer device, see the FortiAnalyzer Upgrade Guide.

Supported models

FortiAnalyzer version 5.4.2 supports the following models:

FortiAnalyzer FAZ-200D, FAZ-300D, FAZ-400E, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-2000E, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, and FAZ4000B.
FortiAnalyzer VM FAZ-VM64, FAZ-VM64-AWS, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM64-KVM, and FAZ-VM64-XEN (Citrix XenServer and Open Source Xen).

Introduction                                                                                             What’s new in FortiAnalyzer version 5.4.2

What’s new in FortiAnalyzer version 5.4.2

The following is a list of new features and enhancements in FortiAnalyzer version 5.4.2.

Security Service—Indicators of Compromise

IOC Enhancement

Improved threat catch rate

FortiView

FortiView improvements

  • Improved filters, refresh interval selection and summary headers on drilldown l Performance improvements
  • Device-level hcache now supported in FortiView

Reports

SAAS Application Report

Default report template for monitoring sanctioned and unsanctioned SAAS applications

Cyber Threat Assessment Report

New report template for cyber threat assessment Report Usability Improvements

l Simplified template configuration l Streamlined report workflow

Event Management

Events Calendar View

Displays alerts on calendar with weekly/monthly views for quick access and intuitive event monitoring

 

What’s new in FortiAnalyzer version 5.4.2                                                                                               Introduction

Log View

Add CVE-ID to Log View

Common Vulnerabilities and Exposures number (CVE ID) for known security threats added to Log View > Security > Intrusion Prevention

System Settings

Dashboard

New widget for collector mode to monitor log forwarding rate

Product Intgration

Support for FortiAuthenticator integration

Help

Links to how-to videos in the Help menu

Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 5.4.2.

IPsec connection to FortiOS for logging

FortiAnalyzer 5.4.2 no longer supports an IPsec connection with FortiOS 5.0/5.2. However UDP or TCP + reliable are supported.

Instead of IPsec, you can use the FortiOS reliable logging feature to encrypt logs and send them to FortiAnalyzer. You can enable the reliable logging feature on FortiOS by using the configure log fortianalyzer setting command. You can also control the encryption method on FortiOS by using the set encalgorithm default/high/low/disable command.

FortiAnalyzer 5.4.1 and earlier does support IPsec connection with FortiOS 5.0/5.2.

Datasets Related to Browse Time

FortiAnalyzer 5.4.2 contains enhancements to calculating the estimated browse time. Due to the changes, cloned datasets that query for browse time may not be able to return any results after upgrade.

System Configuration or VM License is Lost after Upgrade

When upgrading FortiAnalyzer from 5.4.0 or 5.4.1 to 5.4.2, it is imperative to reboot the unit before installing the

5.4.2 firmware image. Please see the FortiAnalyzer Upgrade Guide for details about upgrading. Otherwise, FortiAnalyzer may lose system configuration or VM license after upgrade. There are two options to recover the FortiAnalyzer unit:

  1. Reconfigure the system configuration or add VM license via CLI with execute add-vm-license <vm license>.
  2. Restore the 5.4.0 backup and upgrade to 5.4.2.

SSLv3 on FortiAnalyzer-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global set ssl-protocol t1sv1 end

No support for remote SQL database                                                                                                Special Notices

No support for remote SQL database

Starting with FortiAnalyzer software versions 5.0.7 and 5.2.0, remote SQL database support will only cover the insertion of log data into the remote MySQL database. Historical log search and reporting capabilities, which rely on the remote SQL data, will no longer be supported.

Those wishing to use the full set of FortiAnalyzer features are encouraged to switch as soon as possible to storing SQL data locally on the FortiAnalyzer. The local database can be built based upon existing raw logs already stored on the FortiAnalyzer.

Pre-processing logic of ebtime

Logs with the following conditions met are considered usable for the calculation of estimated browsing time:

Traffic logs with logid of 13 or 2, when logid == 13, hostname must not be empty. The service field should be either HTTP, 80/TCP or 443/TCP.

If all above conditions are met, then devid, vdom, and user (srcip if user is empty) are combined as a key to identify a user. For time estimation, the current value of duration is calculated against history session start and end time, only un-overlapped part are used as the ebtime of the current log.

In version 5.0.5 or later, Explicit Proxy logs (logid=10) are checked when calculating the estimated browsing time.

Log Aggregation or Forwarding

Log aggregation or forwarding works from 5.4 to 5.4 or 5.4.1 to 5.4.1. Please use the same FortiAnalyzer version on all the units. Other FortiAnalyzer versions not supported.

Upgrade Information

Upgrading to FortiAnalyzer 5.4.2

You can upgrade FortiAnalyzer 5.2.0 or later directly to 5.4.2.If you are upgrading from versions earlier than 5.2.0, you will need to upgrade to FortiAnalyzer 5.2 first. (We recommend that you upgrade to 5.2.9, the latest version of FortiAnalyzer 5.2.)

Downgrading to previous versions

FortiAnalyzer does not provide a full downgrade path. You can downgrade to a previous firmware release via the GUI or CLI, but doing so results in configuration loss. A system reset is required after the firmware downgrading process has completed. To reset the system, use the following CLI commands via a console port connection:

execute reset all-settings execute format {disk | disk-ext4}

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service &

Support portal, https://support.fortinet.com. To verify the integrity of the download, select the Checksum link next to the HTTPS download link. A dialog box will be displayed with the image file name and checksum code. Compare this checksum with the checksum of the firmware image.

FortiAnalyzer VM firmware

Fortinet provides FortiAnalyzer VM firmware images for Amazon AWS, Citrix and Open Source XenServer, Linux KVM, Microsoft Hyper-V Server, and VMware ESX/ESXi virtualization environments.

Amazon Web Services l The 64-bit Amazon Machine Image (AMI) is available on the AWS marketplace.

FortiAnalyzer VM firmware                                                                                                        Upgrade Information

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains the QCOW2 file for the Open Source Xen Server.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains the Citrix XenServer Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Azure

The files for Microsoft Azure have AZURE in the filenames, for example FAZ_VM64_AZURE-v<number>build<number>-FORTINET.out.hyperv.zip.

  • .out: Download the firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .hyperv.zip: Download the package for a new FortiAnalyzer VM installation. This package contains a Virtual Hard Disk (VHD) file for Microsoft Azure.

Microsoft Hyper-V Server

The files for Microsoft Hyper-V Server have HV in the filenames, for example, FAZ_VM64_HV-v<number>build<number>-FORTINET.out.hyperv.zip.

  • .out: Download the firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .hyperv.zip: Download the package for a new FortiAnalyzer VM installation. This package contains a Virtual Hard Disk (VHD) file for Microsoft Hyper-V Server.

VMware ESX/ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing VM installation.
  • .ovf.zip: Download either the 64-bit package for a new VM installation. This package contains an Open Virtualization Format (OVF) file for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

For more information see the FortiManager product data sheet available on the Fortinet web site, http://www.fortinet.com/products/fortimanager/virtual-securitymanagement.html. VM installation guides are available in the Fortinet Document Library.

 

Upgrade Information                                                                                                                     SNMP MIB files

SNMP MIB files

You can download the FORTINET-FORTIMANAGER-FORTIANALYZER.mib MIB file in the firmware image file folder. The Fortinet Core MIB file is located in the main FortiAnalyzer v5.00 file folder.

Product Integration and Support

FortiAnalyzer version 5.4.2 support

The following table lists FortiAnalyzer version 5.4.2 product integration and support information:

Web Browsers l Microsoft Internet Explorer version 11 l Mozilla Firefox version 50 l Google Chrome version 54

Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS/FortiOS Carrier l 5.4.0 to 5.4.2 l 5.2.0 to 5.2.10 l 5.0.4 to 5.0.12 l 4.3.2 to 4.3.18
FortiAnalyzer l 5.4.0 to 5.4.2 l 5.2.0 to 5.2.9 l 5.0.0 to 5.0.13
FortiCache l 4.1.3 l 4.0.4
FortiClient l 5.2.0 and later l 5.0.4 and later
FortiMail l 5.3.8 l 5.2.9 l 5.1.6 l 5.0.10
FortiManager l 5.4.0 to 5.4.2 l 5.2.0 and later l 5.0.0 and later

Feature support

FortiSandbox   l 2.3.2 l 2.2.2 l 2.1.3 l 2.0.3 l 1.4.0 and later l 1.3.0 l 1.2.0 and 1.2.3
FortiSwitch ATCA   l 5.0.0 and later l 4.3.0 and later l 4.2.0 and later
FortiWeb   l 5.6.0 l 5.5.4 l 5.4.1 l 5.3.8 l 5.2.4 l 5.1.4 l 5.0.6
FortiDDoS   l 4.2.3 l 4.1.12
FortiAuthenticator   l 4.2.0
Virtualization   l    Amazon Web Service AMI, Amazon EC2, Amazon EBS l Citrix XenServer 6.2 l Linux KVM Redhat 6.5 l Microsoft Azure l Microsoft Hyper-V Server 2008 R2, 2012 & 2012 R2 l OpenSource XenServer 4.2.5 l VMware:

l    ESX versions 4.0 and 4.1 l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, and 6.0

Feature support

The following table lists FortiAnalyzer feature support for log devices.

 

FortiGate Management

Platform Log View FortiView Event Management Reports
FortiGate ü ü ü ü
FortiCarrier ü ü ü ü
FortiAnalyzer ü   ü  
FortiCache ü   ü ü
FortiClient registered to FortiGate ü ü   ü
FortiClient registered to FortiClient EMS ü ü   ü
FortiDDoS ü ü ü ü
FortiMail ü   ü ü
FortiManager ü   ü  
FortiSandbox ü   ü ü
FortiWeb ü   ü ü
Syslog ü   ü  

FortiGate Management

You can enable FortiManager features on some FortiAnalyzer models. FortiAnalyzer models with FortiManager features enabled can manage a small number of FortiGate devices, and all but a few FortiManager features are enabled on FortiAnalyzer. The following table lists the supported modules for FortiAnalyzer with FortiManager Features enabled:

FortiManager Management Modules FortiAnalyzer with FortiManager Features

Enabled

Device Manager ü
Policy & Objects ü
AP Manager ü

Language support

FortiManager Management Modules FortiAnalyzer with FortiManager Features

Enabled

FortiClient Manager ü
VPN Manager ü
FortiGuard  
FortiMeter  
FGT-VM License Activation  

Language support

The following table lists FortiAnalyzer language support information.

Language GUI Reports
English ü ü
Chinese (Simplified) ü ü
Chinese (Traditional) ü ü
French   ü
Hebrew   ü
Hungarian   ü
Japanese ü ü
Korean ü ü
Portuguese   ü
Russian   ü
Spanish   ü

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings, in Administrative Settings > Language select the desired language from the drop-down list. The default value is Auto Detect.

Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language translation files for these languages via the command line interface using one of the following commands:

execute sql-report import-lang <language name> <ftp> <server IP address> <user name> <password> <file name>

execute sql-report import-lang <language name> <sftp <server IP address> <user name>

<password> <file name> execute sql-report import-lang <language name> <scp> <server IP address> <user name>

<password> <file name> execute sql-report import-lang <language name> <tftp> <server IP address> <file name> For more information, see the FortiAnalyzer CLI Reference.

Supported models

The following tables list which FortiGate, FortiCarrier, FortiDDoS, FortiAnalyzer, FortiMail, FortiManager, FortiWeb, FortiCache, and FortiSandbox models and firmware versions can log to a FortiAnalyzer appliance running version 5.4.2. Please ensure that the log devices are supported before completing the upgrade.

FortiGate models

Model Firmware Version
FortiGate: FG-30D, FG-30D-POE, FG-30E, FG-30E-3G4G-INTL, FG-30E-

3G4G-NAM, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E,

FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D,

FG-90D-POE,FG-90E, FG-91E, FG-92D, FG-94D-POE, FG-98D-POE, FG-

100D, FG-100E, FG-101E, FG-140D, FG-140D-POE, FG-200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-200E, FG-201E, FGT-

300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-

900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-

3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG3700DX, FG-3810D, FG-3815D, FG-2000E, FG-2500E, FG 3800D, FG7040E-1, FG-7040E-2, FG-7040E-3, FG-7040E-4, FG-7040E-5,FG-7040E6, FG-7060E-1, FG-7060E-2, FG-7060E-3, FG-7060E-4, FG-7060E-5,FG7060E-6

FortiGate 5000 Series: FG-5001C, FG-5001D

FortiGate DC: FG-80C-DC, FG-600C-DC, FG-800C-DC, FG-1000C-DC,

FG-1500D-DC, FG-3000D-DC, FG-3100D-DC, FG-3200D-DC, FG-3240CDC, FG-3600C-DC, FG-3700D-DC, FG-3800D-DC, FG-3810D-DC

FortiGate Low Encryption: FG-80C-LENC, FG-100D-LENC, FG-600CLENC, FG-1000C-LENC

FortiWiFi: FWF-30D, FWF-30E, FWF-30E-3G4G-INTL, FWF-30E-3G4G-

NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-30D-POE, FWF-60D,

FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D, FWF-60E, FWF61E, FWF-80CM, FWF-81CM

FortiGate VM: FG-VM, FG-VM64, FG-VM64-AWS, FG-VM64AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN, FGVMX-Service-Manager

FortiGate Rugged: FGR-30D, FGR-35D, FGR-60D, FGR-90D

5.4

 

 

Model Firmware Version
FortiGate: FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C,

FG-60C, FG-60C-POE, FG-60C-SFP, FG-60D, FG-60D-3G4G-VZW, FG-

60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D,

FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C,

FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-

POE, FG-300C, FG-300D, FG-310B, FG-311B, FG-400D, FG-500D, FG600D, FG-900D, FG-600C, FG-620B, FG-621B, FG-800C, FG-800D, FG-

1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG-1500DT, FG-

3000D, FG-3016B, FG-3040B, FG-3100D, FG-3140B, FG-3200D, FG-

3240C, FG-3600C,FG-3700D, FG-3700DX, FG-3810A, FG-3810D, FG3815D, FG-3950B, FG-3951B

FortiGate 5000 Series: FG-5001A, FG-5001A-SW, FG-5001A-LENC, FG5001A-DW-LENC, FG-5001A-SW-LENC, FG-5001B, FG-5001C, FG5001D, FG-5101C

FortiGate DC: FG-80C-DC, FG-300C-DC, FG-310B-DC, FG-600C-DC,

FG-620B-DC, FG-621B-DC, FG-800C-DC, FG-1000C-DC, FG-1240B-DC,

FGT-1500D-DC, FG-3000D-DC, FG-3040B-DC, FG-3100D-DC, FG-3140B-

DC, FG-3200D-DC, FG-3240C-DC, FG-3600C-DC, G-3700D-DC, FG3810A-DC, FG-3810D-DC, FG-3815D-DC, FG-3950B-DC, FG-3951B-DC

FortiGate Low Encryption: FG-20C-LENC, FG-40C-LENC, FG-60CLENC, FG-80C-LENC, FG-100D-LENC, FG-200B-LENC, FG-300C-LENC,

FG-620B-LENC, FG-1000C-LENC, FG-1240B-LENC, FG-3040B-LENC,

FG-310B-LENC, FG-600C-LENC, FG-3140B-LENC, FG-3810A-LENC, FG3950B-LENC

FortiWiFi: FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-

40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D3G4G-VZW, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF90D-POE, FWF-92D

FortiGate Rugged: FGR-60D, FGR-100C

FortiGate VM: FG-VM-Azure, FG-VM, FG-VM64, FG-VM64-HV, FG-

VM64-KVM, FG-VM64-XEN

FortiSwitch: FS-5203B, FCT-5902D

5.2

 

Model Firmware Version
FortiGate: FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C,

FG-60C, FG-60C-POE, FG-60C-SFP, FG-60D, FG-60D-3G4G-VZW, FG-

60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D,

FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C,

FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-

POE, FG-300C, FG-300D, FG-310B, FG-311B, FG-500D, FG-600C, FG-

620B, FG-621B, FG-700D, FG-800C, FG-900D, FG-1000C, FG-1000D,

FG-1200D, FG-1240B, FG-1500D, FG-3000D, FG-3016B, FG-3040B, FG-

3100D, FG-3140B, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG3810A, FG-3950B, FG-3951B

FortiGate 5000 Series: FG-5001A, FG-5001A-SW, FG-5001A-LENC, FG5001A-DW-LENC, FG-5001A-SW-LENC, FG-5001B, FG-5001C, FG5001D, FG-5101C

FortiGate DC: FG-80C-DC, FG-300C-DC, FG-310B-DC, FG-600C-DC,

FG-620B-DC, FG-621B-DC, FG-800C-DC, FG-1000C-DC, FG-1240B-DC,

FG-3000D-DC, FG-3040B-DC, FG-3100D-DC, FG-3140B-DC, FG-3200D-

DC, FG-3240C-DC, FG-3600C-DC, FG-3700D-DC, FG-3810A-DC, FG3950B-DC, FG-3951B-DC

FortiGate Low Encryption: FG-20C-LENC, FG-40C-LENC, FG-60CLENC, FG-80C-LENC, FG-100D-LENC, FG-200B-LENC, FG-300C-LENC,

FG-310B-LENC, FG-600C-LENC, FG-620B-LENC, FG-1000C-LENC, FG-

1240B-LENC, FG-3040B-LENC, FG-3140B-LENC, FG-3810A-LENC, FG3950B-LENC

FortiWiFi:FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-

40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60DPOE, FWF-60D-3G4G-VZW, FWF-80CM, FWF-81CM, FWF-90D, FWF90D-POE, FWF-92D

FortiGate Rugged: FGR-60D, FGR-90D, FGR-100C

FortiGateVoice: FGV-40D2, FGV-70D4

FortiGate VM: FG-VM, FG-VM64, FG-VM64-AWS, FG-VM64AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN

FortiSwitch: FS-5203B

5.0

FortiCarrier Models

Model Firmware Version
FortiCarrier: FCR-3000D, FCR-3100D, FCR-3200D, FCR-3700D, FCR3700DX, FCR-3800D, FCR-3810D, FCR-3815D, FCR-5001C, FCR-5001D,

FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-3240C, FCR3600C, FCR-3700D-DC, FCR-3810D-DC, FCR-5001C

FortiCarrier DC: FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-

3240C-DC, FCR-3600C-DC, FCR-3700D-DC, FCR-3810D-DC, FCR3815D-DC

FortiCarrier VM: FCR-VM, FCR-VM64, FCR-VM64-AWS, FCR-VM64AWSONDEMAND, FCR-VM64-HV, FCR-VM64-KVM

5.4
FortiCarrier: FCR-3000D, FCR-3100D, FCR-3200D, FCR-3240C, FCR3600C, FCR-3700D, FCR-3700DX, FCR-3810A, FCR-3810D, FCR-3815D,

FCR-3950B, FCR-3951B, FCR-5001A, FCR-5001B, FCR-5001C,FCR5001D, FCR-5101C, FCR5203B, FCR-5902D

FortiCarrier DC: FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-

3700D-DC, FCR-3810D-DC

FortiCarrier Low Encryption: FCR-5001A-DW-LENC

FortiCarrier VM: FCR-VM, FCR-VM64, FCR-VM64-HV, FCR-VM64-KVM,

FCR-Vm64-XEN, FCR-VM64-AWSONDEMAND

5.2
FortiCarrier: FCR-3240C, FCR-3600C, FCR-3810A, FCR-3950B, FCR3951B, FCR-5001A, FCR-5001B, FCR-5001C, FCR-5001D, FCR-5101C

FortiCarrier DC: FCR-3240C-DC, FCR-3600C-DC, FCR-3810A-DC, FCR-

3950B-DC, FCR-3951B-DC

FortiCarrier Low Encryption: FCR-5001A-DW-LENC

FortiCarrier VM: FCR-VM, FCR-VM64

5.0

FortiDDoS models

Model Firmware Version
FortiDDoS: FI-200B, FI-400B, FI-600B, FI-800B, FI-900B, FI-1000B, FI1200B, FI-2000B 4.2, 4.1, 4.0

FortiAnalyzer models

Model Firmware Version
FortiAnalyzer: FAZ-200D, FAZ-300D, FAZ-400E, FAZ-1000D, FAZ1000E, FAZ-2000B, FAZ-2000E, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, and FAZ-4000B.

FortiAnalyzer VM: FAZ-VM64, FAZ-VM64-Azure, FAZ-VM64-HV, FAZVM64-XEN (Citrix XenServer and Open Source Xen), FAZ-VM64-KVM, and FAZ-VM64-AWS.

5.4
FortiAnalyzer: FAZ-100C, FAZ-200D, FAZ-200E, FAZ-300D, FAZ-400C,

FAZ-400E, FAZ-1000C, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-3000D,

FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, FAZ-4000B

FortiAnalyzer VM: FAZ-VM, FAZ-VM-AWS, FAZ-VM64, FAZ-VM64-

Azure, FAZ-VM64-HV, FAZ-VM64-KVM, FAZ-VM64-XEN

5.2
FortiAnalyzer: FAZ-100C, FAZ-200D, FAZ-200E, FAZ-300D, FAZ-400B,

FAZ-400C, FAZ-400E, FAZ-1000B, FAZ-1000C, FAZ-1000D, FAZ-1000E,

FAZ-2000A, FAZ-2000B, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ3500E, FAZ-3500F, FAZ-4000A, FAZ-4000B

FortiAnalyzer VM: FAZ-VM, FAZ-VM64, FAZ-VM64-AWS, FAZ-VM64-

Azure, FAZ-VM64-HV, FAZ-VM-KVM, FAZ-VM-XEN

5.0

FortiMail models

Model Firmware Version
FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-

2000B, FE-2000E, FE-3000C, FE-3000D, FE-3000E, FE-3200E, FE-5002B

FortiMail Low Encryption: FE-3000C-LENC

FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN

5.3.7
FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE2000B, FE-3000C, FE-3000D, FE-5002B

FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN

5.2.8
FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-400E, FE-

1000D, FE-2000B, FE-3000C, FE-3000D, FE-5001A, FE-5002B

FortiMail VM: FE-VM64

5.1.6
FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-1000D,

FE-2000A, FE-2000B, FE-3000C, FE-3000D, FE-4000A, FE-5001A, FE5002B

FortiMail VM: FE-VM64

5.0.10

FortiSandbox models

Model Firmware Version
FortiSandbox: FSA-1000D, FSA-3000D, FSA-3000E, FSA-3500D

FortiSandbox VM: FSA-VM

2.3.2
FortiSandbox: FSA-1000D, FSA-3000D, FSA-3500D

FortiSandbox VM: FSA-VM

2.2.0

2.1.0

FortiSandbox: FSA-1000D, FSA-3000D

FortiSandbox VM: FSA-VM

2.0.0

1.4.2

FortiSandbox: FSA-1000D, FSA-3000D 1.4.0 and 1.4.1

1.3.0

1.2.0 and later

FortiSwitch ACTA models

Model Firmware Version
FortiController: FTCL-5103B, FTCL-5902D, FTCL-5903C, FTCL-59 5.2.0
FortiSwitch-ATCA: FS-5003A, FS-5003B

FortiController: FTCL-5103B, FTCL-5903C, FTCL-5913C

5.0.0
FortiSwitch-ATCA: FS-5003A, FS-5003B 4.3.0

4.2.0

FortiWeb models

Model Firmware Version
FortiWeb: FWB-2000E 5.6.0
FortiWeb: FWB-100D, FWB-400C, FWB-400D, FWB-1000C, FWB-1000D,

FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB3000E, FWB-3010E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM-64, FWB-XENAWS, FWB-XENOPEN, FWB-

XENSERVER, FWB-HYPERV, FWB-KVM, FWB-AZURE

5.5.3
Model Firmware Version
FortiWeb: FWB-100D, FWB-400C, FWB-1000C, FWB-3000C, FWB3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM64, FWB-XENAWS, FWB-XENOPEN, FWB-

XENSERVER, FWB-HYPERV

5.4.1
FortiWeb: FWB-100D, FWB-400B, FWB-400C, FWB-1000B, FWB-1000C,

FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM64, FWB-XENAWS, FWB-XENOPEN, FWB-

XENSERVER, and FWB-HYPERV

5.3.8
FortiWeb: FWB-100D, FWB-400B, FWB-400C, FWB-1000B, FWB-1000C,

FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM64, FWB-HYPERV,FWB-XENAWS, FWBXENOPEN, FWB-XENSERVER

5.2.4

FortiCache models

Model Firmware Version
FortiCache: FCH-400C, FCH-400E, FCH-1000C, FCH-1000D, FCH3000C, FCH-3000D, FCH-3900E FortiCache VM: FCH-VM64 4.0

 

Resolved Issues

The following issues have been fixed in FortiAnalyzer version 5.4.2. For inquires about a particular bug, please contact Customer Service & Support.

Device Manager

Bug ID Description
382383 When there are many unregistered devices, they may intermittently disconnect from FortiAnalyzer.
382811 FortiAnalyzer should be able to sustain stable connections with more than 3500 devices and able to receive logs successfully.
306276 FortiCarrier ADOM should not be displayed when no device is registered.

FortiView

Bug ID Description
217103 FortiAnalyzer should allow users to view or download the Application Control archive files.
233869 There should be an option to clear search history.
371773 There may be performance issues to view logs when using the scroll bar.
379612 The filter, [-msg=”Virtual cluster’s vdom is added”], should display the relevant logs in the Log View.
379977 FortiAnalyzer cannot filter out users for SSL & Dialup IPSec VPNs.
382557 Drop box may become too narrow to view and select FortiGate device.
386279 Users need to click on the Go button twice before the log time frame is updated.
308171 Aggregated Dialed Time is incorrectly calculated in VPN-Top-Dial-Up and VPN-Users-ByDuration datasets.
387209 FortiGate devices that query FortiGuard should not be flagged as highly suspicious.
390173 FortiAnalyzer is unable to display part of the DLP content.

Logging                                                                                                                                      Resolved Issues

Bug ID Description
395191 UTM Deny logs are displayed with no action on FortiAnalyzer’s GUI.
397036 FortiAnalyzer should accept more characters for log view and policy search.

Logging

Bug ID Description
373262 FortiAnalyzer should allow users to specify the invoke time to auto delete logs.
381559 HA device logs are not received in aggregation mode.
383238 FortiAnalyzer should increase the limit for the number of aggregated clients.
393615 When using wildcard in the second or third octet for source IP in the Log View filter, incorrect results are returned.

Reporting

Bug ID Description
248563 Within the WiFi Network Summary report, AP Name should be the FortiAP’s name instead of the VAP interface’s name.
373718 Reports show devices with their serial numbers instead of hostnames.
377589 Blocked sites should not be counted within the Top 50 Site By Browsing Time.
383251 Reports may not contain any user data when a user filter is applied.
234007 Estimated browsing time dataset should pull log data according to time period specified.
383955 GUI fails to display chart library if there is a chart with invalid table columns.
397822 Users may not be able to generate custom reports after resizing FAZ-VM disk and rebuilding DB.
391482 User changes on LDAP server may not get updated on FortiAnalyzer for the user filter in reports.

Resolved Issues                                                                                                                          System Settings

System Settings

Bug ID Description
386865 Sorting for Analytics or Archive does not work on the Storage Info page.
391076 Qmail server is rejecting Email from FortiAnalyzer as the mail body contains bare LFs.
366224 FortiAnalyzer generates invalid Event logs on auto deleting policy from ADOM.
Bug ID Description
384180 FortiAnalyzer 5.4.2 is no longer vulnerable to the following TMP Reference:

2016-0023

Visit https://fortiguard.com/psirt for more information.

380634 FortiAnalyzer 5.4.2 is no longer vulnerable to the following CVE-Reference:

2016-5387

Visit https://fortiguard.com/psirt for more information.

Others

Bug ID Description
365639 The XML call to searchFazLog does not return the pktlog information.
366332 Logs are not imported when there are more than 1000 log files.
376758 FortiAnalyzer needs a diagnostic command to show supported platforms.
388071 FortiAnalyzer may not be able to render a proper web GUI page when making a change.
389137 Port 8900 and 8901 may be open without being in use.
391900 Scheduled log ftp backup may not be successful.

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures                                                                                         Resolved Issues

Bug ID Description
389255 FortiAnalyzer5.4.2 is no longer vulnerable to the following CVE-References:

l 2016-6308 l 2016-6307 l 2016-6306 l 2016-6305 l 2016-6304 l 2016-6303 l 2016-6302 l 2016-2183 l 2016-2182 l 2016-2181 l 2016-2179 l 2016-2178 l 2016-2177

Visit https://fortiguard.com/psirt for more information.

383563 FortiAnalyzer 5.4.2 is no longer vulnerable to the following CVE-Reference:

l 2016-5696

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in FortiAnalyzer version 5.4.2. For inquires about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.

FortiView

Bug ID Description
396699 Filter should be persistent when changing view from formatted log to raw log or vice versa.
Bug ID Description
395243 FortiAnalyzer should correctly show the local user and radius wildcard user who is performing delete, download, or import log file actions from Log Browse.
396417 Test Emails fails when the recipient has a different domain than the account configured under SMTP server settings.

Logging

Bug ID Description
388185 Log files for Router should include IP addresses for sites that have multiple addresses.
389592 Filter does not return any results if message is part of the filter.
400028 Policy UUID is not inserted into SQL DB

Reporting

Bug ID Description
390502 FortiAnalyzer should allow cloning of the pre-defined reports: User Top 500 Websites by Bandwidth and User Top 500 Websites by Session.

System Settings

FortiOS 5.2.10 Release Notes

Introduction

This document provides the following information for FortiOS 5.2.10 build 0742:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.2.10 supports the following models.

FortiGate FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C, FG-60C, FG-60C-SFP,

FG-60C-POE, FG-60D, FG-60D-3G4G-VZW, FG-60D-POE, FG-70D, FG-70D-POE,

FG-80C, FG-80CM, FG-80D, FG-90D, FGT-90D-POE, FG-92D, FG-94D-POE, FG98D-POE, FG-100D, FG-110C, FG- 111C, FG-140D, FG-140D-POE, FG-140D-POE-

T1, FG-200B, FG-200B-POE, FG- 200D, FG-200D-POE, FG-240D, FG-240D-POE,

FG-280D-POE, FG-300C, FG-300D, FG-310B, FG-310B-DC, FG-311B, FG-400D,

FG-500D, FG-620B, FG-620B-DC, FG- 621B, FG-600C, FG-600D, FG-800C, FG-

800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG1500DT, FG-3000D, FG-3100D, FG-3040B, FG-3140B, FG-3200D, FG-3240C, FG-

3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-3950B, FG-3951B

FortiWiFi FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-40C, FWF-60C,

FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D-3G4G-VZW, FWF-60D-POE,

FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-60D, FGR-100C
FortiGate VM FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN
FortiSwitch FS-5203B
FortiOS Carrier FCR-3950B and FCR-5001B

FortiOS Carrier 5.2.10 images are delivered upon request and are not available on the customer support firmware download page.

FortiOS Carrier firmware image file names begin with FK.

Introduction                                                                                                                    Last Release of Software

The following models are released on a special branch based off of FortiOS 5.2.10. As such, the System > Dashboard > Status page and the output from the get system status CLI command displays the build number.

 

FGT-VM64-

AWS/AWSONDEMAND

Released on build 9428.
FGT-VM64-AZURE Released on build 5817.

To confirm that you are running the proper build, the output from the get system status CLI command has a branch point field that should read 0742.

Last Release of Software

Due to the device flash size limitations, the following FortiGate models’ last release of software will be FortiOS version 5.2.5. It is noted that these devices already have entered into their End-of-Life Cycle. Further details and exact dates can be found on the Fortinet CustomerSupport portal:

Affected Products:

  • FortiGate FG-3016B
  • FortiGate FG-3810A
  • FortiGate FG-5001A SW & DW
  • FortiCarrier FK-3810A
  • FortiCarrier FK-5001A SW & DW7

Special Notices

Local report customization removed

Local report customization has been removed from FortiOS 5.2. You can still record and view local reports, but you can no longer customize their appearance. For more control over customizing local reports, you can use FortiAnalyzer or FortiCloud.

Compatibility with FortiOS versions

The following units have a new WiFi module built-in that is not compatible with FortiOS 5.2.1 and lower. It is recommended to use FortiOS 5.2.2 and later for these units.

Affected models

Model Part Number
FWF-60CX-ADSL PN: 8918-04 and later

The following units have a memory compatibility issue with FortiOS 5.2.1 and lower. It is recommended to use FortiOS 5.2.2 and later for these units.

Affected models

Model Part Number
FG-600C PN: 8908-08 and later
FG-600C-DC PN: 10743-08 and later
FG-600C-LENC PN: 11317-07 and later

Removed WANOPT, NETSCAN, FEXP features from USB-A

The following features have been removed from the FortiGate and FortiWiFi 80C, 80CM, and 81CM:

  • WAN Optimization
  • Vulnerability scanning
  • Using FortiExplorer on a smartphone to manage the device by connecting to the USB-A port

Router Prefix Sanity Check

Prior to FortiOS 5.2.4 under the config router prefix table, if there are any le and ge settings that have the same prefix length as the prefix, you may lose the prefix rule after upgrading to FortiOS 5.2.4 or later.

WAN Optimization in FortiOS 5.2.4

In FortiOS 5.2.4:

  • If your FortiGate does not have a hard disk, WAN Optimization is not available.
  • If your FortiGate has a hard disk, you can configure WAN Optimization from the CLI.
  • If your FortiGate has two hard disks, you can configure WAN Optimization from the GUI.

See the FortiOS 5.2.4 Feature Platform Matrix to check the availability for your FortiGate model.

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate-92D High Availability in Interface Mode

The FortiGate-92D may fail to form an HA cluster and experience a spanning tree loop if it is configured with the following:

  • operating in interface mode
  • at least one of the interfaces, for example interface9, is used has the HA heartbeat interface
  • a second interface is connected to an external switch

Workaround: use either WAN1 or WAN2 as the HA heartbeat device.

Default log setting change

For FG-5000 blades and FG-3900 series, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FG-5001D operating in FortiController or Dual FortiController mode

When upgrading a FG-5001D operating in FortiController or dual FortiController mode from version 5.0.7 (B4625) to FortiOS version 5.2.3, you may experience a back-plane interface connection issue. This is due to a change to the ELBC interface mapping ID. After the upgrade, you will need to perform a factory reset and then re-configure the device.

FortiGate units running 5.2.10

FortiGate units running 5.2.10 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

For the latest information, see the FortiManagerand FortiOS Compatibility.

Firewall services

Downgrading from 5.2.3 to 5.2.2 may cause the default protocol number in the firewall services to change. Double check your configuration after downgrading to 5.2.2.

FortiPresence

For FortiPresence users, it is recommended to change the FortiGate web administration TLS version in order to allow the connection.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

Upgrade Information

Upgrading from FortiOS 5.2.8 or later

FortiOS version 5.2.10 officially supports upgrade from version 5.2.8 or later.

Upgrading from FortiOS 5.0.13 or later

FortiOS version 5.2.10 officially supports upgrade from version 5.0.13 or later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.2 Supported Upgrade Paths

Web filter log options change from disabled to enabled after upgrade

After upgrading from FortiOS 5.0.12 or 5.0.14 to FortiOS 5.2.10, all log options for web filter change from disabled to enabled, except the log-all-url option.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles.

 

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.2.10 support

The following table lists 5.2.10 product integration and support information:

Web Browsers                               l Microsoft Internet Explorer version 11

lMozilla Firefox version 42 l Google Chrome version 46

lApple Safari version 7.0 (For Mac OS X)

Other web browsers may function correctly, but are not supported by

Fortinet.

Explicit Web Proxy Browser l Microsoft Internet Explorer versions 8, 9, 10, and 11 l Mozilla Firefox version 27 l Apple Safari version 6.0 (For Mac OS X)

l Google Chrome version 34

Other web browsers may function correctly, but are not supported by

Fortinet.

FortiManager                       For the latest information, see the FortiManagerand FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer                       For the latest information, see the FortiAnalyzerand FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Win- l 5.4.0 and later dows and FortiClient Mac l 5.2.5 and later OS X
FortiClient iOS                               l 5.4.1 l 5.2.2 and later
FortiClient Android and                   l 5.2.8

FortiClient VPN Android                  l 5.2.7

FortiOS 5.2.10 support                                                                                            Product Integration and Support

FortiAP l 5.2.5 and later l 5.0.10

You should verify what the current recommended FortiAP version is for your

FortiAP prior to upgrading the FortiAP units. You can do this by going to the

WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the OS Version column you will see a message reading A recommended update is available for any FortiAP that is running an earlier version than what is recommended.

FortiSwitch OS (FortiLink support) l 3.4.2 build 0192

Supported models: all FortiSwitch D models.

FortiSwitch-ATCA l 5.0.3 and later

Supported models: FS-5003A, FS-5003B

FortiController l 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox l 2.2.1 l 2.1.0
Fortinet Single Sign-On (FSSO) l  5.0 build 0254 (needed for FSSO agent support OU in group filters) l Windows Server 2008 (64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6 build 1083 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS l 1.0.6 build 0130 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

 

FortiExtender l 3.0.0 build 0069
  l 2.0.0 build 0003 and later
AV Engine l 5.177
IPS Engine l 3.174
Virtualization Environments    
Citrix l XenServer version 5.6 Service Pack 2
  l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later
  l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source l XenServer version 3.4.3
  l XenServer version 4.1 and later
VMware l ESX versions 4.0 and 4.1
  l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0

Language support

The following table lists language support information.

 

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating System   Web Browser
Microsoft Windows 7 SP1 (32-bit)   Microsoft Internet Explorer versions 9, 10 and 11 Mozilla Firefox version 33
Microsoft Windows 7 SP1 (64-bit)   Microsoft Internet Explorer versions 9, 10, and 11 Mozilla Firefox version 33
Microsoft Windows 8/8.1 (32bit/62bit)   Microsoft Internet Explorer versions 10 and 11 Mozilla Firefox 42
Mac OS 10.9   Safari 7
Linux CentOS version 5.6   Mozilla Firefox version 5.6
Linux Ubuntu version 12.0.4   Mozilla Firefox version 5.6

Operating system and installers

Operating System Installer
Microsoft Windows XP SP3 (32-bit)

Microsoft Windows 7 (32-bit & 64-bit)

Microsoft Windows 8 (32-bit & 64-bit)

Microsoft Windows 8.1 (32-bit & 64-bit)

2328
Microsoft Windows 10 (32 bit & 64 bit) 2329
Linux CentOS 6.5 (32-bit & 64-bit) Linux Ubuntu 12.0.4 (32-bit & 64-bit) 2328
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) 2328

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11 ü ü
Kaspersky Antivirus 2009 ü  
McAfee Security Center 8.1 ü ü
Trend Micro Internet Security Pro ü ü
F-Secure Internet Security 2009 ü ü

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software ü ü
AVG Internet Security 2011    
F-Secure Internet Security 2011 ü ü
Kaspersky Internet Security 2011 ü ü
McAfee Internet Security 2011 ü ü
Norton 360™ Version 4.0 ü ü
Norton™ Internet Security 2011 ü ü
Panda Internet Security 2011 ü ü
Sophos Security Suite ü ü
Trend Micro Titanium Internet Security ü ü
ZoneAlarm Security Suite ü ü
Symantec Endpoint Protection Small Business Edition 12.0 ü ü

 

Resolved Issues

The following issues have been fixed in version 5.2.10. For inquires about a particular bug, please contact CustomerService & Support.

FortiAP

Bug ID Description
381602 AUSTRALIA should use region code N

FortiGate 1500D

Bug ID Description
386683 FG-1500D kernel panics after roughly 24 hours of uptime
Bug ID Description
386021 FSSO local poller fails on some X86 32 platform

FortiSwitch

Bug ID Description
376375 FortiSwitch with B0181 (v3.4.1) can be discovered, but may be unable to obtain the IP address and be successfully authorized

AV

Bug ID Description
389464 Flow-AV failed to detect eicar file if ssl-exempt entries exceed 140
384520 Chunk decoding causes segmentation fault because of incorrect pointer calculation

FOC

Bug ID Description
382343 GTPv2 Create-Sesssion-Response message with non-accepted Cause value should be allowed, even if the mandatory IE Bearer-Context is missing

FSSO

Resolved Issues

GUI

Bug ID Description
388759 Can’t view interface list via VDOM
290997 Missing Enable IPsec Interface Mode from GUI for pof_admin when VDOM enabled
389417 Cannot display firewall policies from GUI in VDOM root
370360 VDOM read-only admin can view super admin and other higher privilege admin’s password hash via REST API and direct URL
292210 Error 174 when changing administrator’s profile
363546 Error 500 when saving urlfilter list with 4900 entries
385482 GUI is loading indefinitely when accessing a “none” access web page from custom admin profile

HA

Bug ID Description
385999 Log backup of execute backup disk xxx feature does not work fine on HA master unit
387212 HA gets out of sync frequently and hasync becomes zombie
389861 SNMP query for fgHaStatsSyncStatus on slave unit reports master as unsynchronized-

“0”

275426 Re-sync can’t be triggered when rebooting master and making some configuration changes on slave
367158 FortiGate HA configuration failed to sync issue with fsso-polling

IPS

Bug ID Description
392045 Update the default built-in IPS engine in FOS 5.2
IPsec VPN  
Bug ID Description
391038 Memory leak discovered with valgrind in IKEv2

Resolved

Bug ID Description
380629 fnbamd matches wrong peer corresponding to a phase1 associated to a different IPSEC local-gw
376135 DHCP process is crashing when more than 1500+ users connect via dial up IPsec VPN with DHCP over IPsec feature enabled.
387677 NP2 not offloading IPsec VPN traffic

Kernel

Bug ID Description
395515 ICMP unreachable message processing causes high CPU usage in kernel and DHCP daemon

Log/Report

Bug ID Description
385659 Make value of local-in-deny setting keep consistent with the value from previous build after upgrade
280894 Remove GUI support for report customization and add feature store option for local reporting
380611

385115

Miglogd constantly crashing after upgrade to 5.2.8
373221 Can’t clear log disk

Router

Bug ID Description
391240 BGP UPDATES without NEXT_HOP

SSL VPN

Bug ID Description
385274

388657

Upgrade OpenSSL to 1.0.2j
371933 Unable to connect to SMB server that supports only NTLMv2

Resolved Issues

System

Bug ID Description
287871 Administrative HTTPS and SSLVPN access using second WAN interface does not work after upgrade to 5.2.9
388032 Corrupted packets may cause malfunction of NP6, which causes NP ports to be unable to accept and forward traffic. Affected models: All NP6 platforms.
386876 Update geoip database to version 1.055(20161004)
276843 XG2 aggregate get very poor performance after enable npu-cascade-cluster
385897 The time, date and time are displayed differently in log
387675 ARP-Reply packets drops in NP6
389194 End of Daylight Savings (DST) timezone Turkey/Istanbul GMT +3
390088 Contract registration should accept characters
370151 CPU doesn’t remove dirty flag when returns session back to NP6
378207 authd process running high CPU when only RSSO logging is configured
369372 With low latency mode on NP6 unit enabled, only first 2 packets are correctly processed by FortiGate
389398 Can’t find xitem. Drop the response in dhcp relay debug
382996 Redundant type of interfaces are changing to aggregate after VDOM configuration restored
388603 After reassembling fragmented UDP packet, the s/d port become 0
376144 FortiManager failed to change FortiGate HA slave to master
283952 VLAN interface Rx bytes statistics higher than underlying aggregate interface
294198 Console prints out NP6: No lacp_trunk interface

Tablesize

Bug ID Description
390053 Increase firewall.schedule limits on higher end

Resolved User

Bug ID Description
373031 Unable to view FortiToken CD (FTK211) on FortiGate WebUI
294983 Radius Accounting do not follow use-management-vdom enable setting in Radius
374494 Tacacs+ Test button does not use set source-ip x.x.x.x

VM

Bug ID Description
272438 During the boot-up sequence, the FortiGate-VM device may encounter a harmless configuration error message

VoIP

Bug ID Description
382315 SIP re-invites causing excessive memory consumption in imd

WebProxy

Bug ID Description
371991 YouTube_Video.Play is not recognized with HTTPS in Application control Override
384581 Explicit Proxy Signing Certificate for replacement pages resets to default
387083 Constant Proxyworker crash with signal 8
304561 Proxyworker crashes on SMTP spamfilter
278318 only the first interface can work on web-proxy policy

 

Known Issues

The following issues have been identified in version 5.2.10. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Anti-spam

Bug ID Description
374283 Spamfilter does not leave Anti-Spam log for the exempted traffic by bwl matching.

Application Control

Bug ID Description
273910 RTSP/RTP packets may not be forwarded if UTM (IPS and AppCtrl) is enabled.

FortiGate 3810D

Bug ID Description
285429 Traffic may not be able to go through the NPU VDOM link with traffic sharper enabled on FortiGate-3810D TP mode.

FortiGate 3815D

Bug ID Description
385860 FGT-3815D does not support 1GE SFP transceivers.

FortiSandbox

Bug ID Description
273244 On the FortiGate device in FortiView > FortiSandbox, the analysis result may show a pending status and the FortiCloud side may show an unknown status.
269830 The UTM log may incorrectly report a file that has been sent to FortiSandbox. FortiView > FortiSandbox may still show files are submitted even after the daily upload quota has been reached.

Known

Bug ID Description
272278 SIP calls may be denied when using a combination of SIP ALG, IPS, and AppCtrl.

GUI

Bug ID Description
310930 LDAP browser in LDAP-group-GUI may not respect group filter from LDAP server.
286226 Users may not be able to create new address objects from the Firewall Policy.
285813 When navigating FortiView > Application some security action filters may not work.
278638 Explicit policy may be automatically reset to log security events.
271113 When creating an id_based policy with SSL enabled, and the set gui-multipleutm disable is applied, an Entry not found error message may appear.
268346 All sessions: filter application, threat, and threat type, may not work as expected
246546 Adding an override application signature may cause all category settings to be lost.
215890 Local-category status display may not change after running unset category-override in the CLI.

System

Bug ID Description
302272 Medium type may be shown incorrectly on shared ports.
285981 Adding more than eight members to LACP get np6_lacp_add_slave may result in an error.
285520 On NP4 platforms, TCP traffic may not be able to be offloaded in the decryption direction.
263864 When the interface is configured with Auto-Speed, FG-3240C NP4 Port 1G may stay down after reboot.

Workaround: Set the interface speed to 1000/Full.

VoIP

Known Issues

Webfilter

Bug ID Description
380119 Webfilter static URL filter blocks additional domains with similar names.
378277 YouTube header injection (replacement for YouTube for Schools) was deleted.
284661 If the requested URL has port number, the URL filter may not block properly.

WiFi

Bug ID Description
267904 If the client is connecting to an SSID with WPA-Enterprise and User-group, it may not be able to pass the traffic policy.
355335 SSID may stop broadcasting.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.4.2 Release Notes

Introduction

This document provides the following information for FortiOS 5.4.2 build 1100:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.2 supports the following models.

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,

FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D FG-90D, FG-90D-POE, FG92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D,

FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D,

FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C,

FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60DPOE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.2 images are delivered upon request and are not available on the customer support firmware download page.

 

What’s new in FortiOS 5.4.2

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.2, see the What’s New for FortiOS 5.4.2 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

 

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units running 5.4.2 and managed by FortiManager 5.0 or 5.2

FortiGate units running 5.4.2 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading.

Full featured FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment needs, FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for  your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.2, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS v5.4.1, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus, Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

 

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

Upgrade Information

Upgrading to FortiOS 5.4.2

FortiOS version 5.4.2 officially supports upgrading from version 5.4.0 and 5.2.7.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

Model-60D Boot Issue

The following 60D models have an issue upon upgrading to FortiOS 5.4.1. The second disk (flash) is unformatted and results in the /var/log/ directory being mounted to an incorrect partition used exclusively for storing the firmware image and booting.

  • FG-60D-POE
  • FG-60D
  • FWF-60D-POE
  • FWF-60D

To fix the problem:

 

If your FortiGate device is currently running FortiOS 5.2.7:

  1. Backup your configuration.
  2. Upgrade to 5.4.1 B5447.

If your FortiGate device is currently running FortiOS 5.4.0 or 5.4.1:

  1. Backup your configuration.
  2. Connect to the console port of the FortiGate device.
  3. Reboot the system and enter the BIOS menu.
  4. Burn the firmware image to the primary boot device.
  5. Once the system finishes rebooting, restore your configuration.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading you should review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths l Client-side web filtering when on-net

  • iOS and Android configuration by using the FortiOS GUI

It is recommended that FortiClient Enterprise Management Server (EMS) should used for detailed Endpoint deployment and provisioning.

Unified Disk Usage

FortiOS 5.4.2 changes the disk usage behavior upon upgrading from FortiOS 5.2. The table below describes the new logging and WAN Optimization disk usage for single and two disk FortiGate devices running FortiOS 5.4.2.

Single Disk Platforms (Logging or WAN Optimization)
                                                   Only Logging enabled          No change.
Only WAN Optimization           No change. enabled

 

Both Logging & WAN Disk is reserved for logging. If WAN Optimization Optimization enabled is configured, the WAN Optimization cache is lost.
Two Disk Platforms (First disk reserved for Logging; second reserved for WAN Optimization)
                                                   Only Logging enabled on     No change.

the first disk

Only Logging enabled on        Logging is changed to the first disk. Logging data the second disk    is lost on the second disk.
Only WAN Optimization WAN Optimization is changed to the second disk. enabled on the first disk WAN Optimization cache is lost on the first disk.
Only WAN Optimization Second disk reserved for WAN Optimization. First enabled on the second disk reserved for logging even when the log disk disk status CLI command is disabled: log-disk-

status=disable.

Both Logging & WAN First disk reserved for logging. Second disk Optimization enabled reserved for WAN Optimization.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.2, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles.

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

 

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

 

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

 

Product Integration and Support

FortiOS 5.4.2 support

The following table lists 5.4.2 product integration and support information:

Web Browsers                                l Microsoft Edge 25

  • Microsoft Internet Explorer 11 l Mozilla Firefox version 46 l Google Chrome version 50
  • Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by

Fortinet.

Explicit Web Proxy Browser            l Microsoft Edge 25

  • Microsoft Internet Explorer 11 l Mozilla Firefox version 45 l Apple Safari version 9.1 (For Mac OS X)
  • Google Chrome version 51

Other web browsers may function correctly, but are not supported by

Fortinet.

FortiManager                                    For the latest information, see the FortiManagerand FortiOS

Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer                                    For the latest information, see the FortiAnalyzerand FortiOS

Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Win-              5.4.1

dows and FortiClient Mac           If FortiClient is being managed by a FortiGate, you must upgrade

OS X                                            FortiClient before upgrading the FortiGate.

FortiClient iOS                                5.4.1
FortiClient Android and                   5.4.0

FortiClient VPN Android

FortiOS 5.4.2 support

FortiAP 5.4.1 5.2.5 and later

You should verify what the new FortiAP version is for your FortiAP prior to upgrading the FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the

OS Version column you will see a message reading A recommended update is available for any FortiAP that is running an earlier version than what is recommended.

FortiAP-421E and FortiAP-423E platforms only: Please call customer support for the FortiGate WiFi Controller image to manage these FortiAP models.

FortiAP-S 5.4.2 and later
FortiSwitch OS (FortiLink support) 3.4.2 and later
FortiController 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C, 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox 2.1.0 and later , 1.4.0 and later
Fortinet Single Sign-On (FSSO) 5.0 build 0250 and later (needed for FSSO agent support OU in group filters)

Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit, Windows Server 2012 Standard , Windows Server 2012 R2 Standard, Novell eDirectory 8.8

4.3 build 0164 (contact Support for download), Windows Server 2003 R2 (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Server 2008 R2 64-bit, Windows Server 2012 Standard Edition, Windows Server 2012 R2, Novell eDirectory 8.8

FSSO does not currently support IPv6.

 

FortiExplorer , 2.6 build 1083 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS 1.0.6 build 0130 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender 3.0.0

2.0.2 build 0011 and later

AV Engine 5.234
IPS Engine 3.294
Virtualization Environments  
Citrix XenServer version 5.6 Service Pack 2, XenServer version 6.0 and later
Linux KVM RHEL 7.1/Ubuntu 12.04 and later, CentOS 6.4 (qemu 0.12.1) and later
Microsoft Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source XenServer version 3.4.3, XenServer version 4.1 and later
VMware ESX versions 4.0 and 4.1

ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0

VM Series – SR-IOV The following NIC chipset cards are supported:

Intel 82599 ,Intel X540,Intel X710/XL710

Language support

The following table lists language support information.

SSL VPN support

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Microsoft Windows XP SP3 (32-bit)

Microsoft Windows 7 (32-bit & 64-bit)

Microsoft Windows 8 (32-bit & 64-bit)

Microsoft Windows 8.1 (32-bit & 64-bit)

2329
Microsoft Windows 10 (32-bit & 64-bit) 2329
Linux CentOS 6.5 (32-bit & 64-bit) Linux Ubuntu 12.0.4 (32-bit & 64-bit) 2329
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) 2329

Other operating systems may function correctly, but are not supported by Fortinet.

Product Integration and Support                                                                                                  SSL VPN support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit/64-bit) Microsoft Internet Explorer version 11 Mozilla Firefox version 46
Microsoft Windows 8/8.1 (32-bit/64-bit) Microsoft Internet Explorer version 11 Mozilla Firefox version 46
Mac OS 10.9 Safari 7
Linux CentOS version 6.5 Mozilla Firefox version 46

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009  
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011

SSL VPN support

Product Antivirus Firewall
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.4.2. For inquires about a particular bug, please contact CustomerService & Support.

FortiGate-60D

Bug ID Description
372629 Hardware issue of FG-60D cause config lost

FortiGate-80D

Bug ID Description
373153 FG-80D should support jumbo frame on new kernel
376656 FG-80D change port speed does not take effect

FortiGate-500D

Bug ID Description
371098 VLAN counters match physical port if NP6 offloading is disabled

FortiGate-800D

Bug ID Description
365101 Fail IQC traffic test, all blocking at port8 for ip connection

FortiGate-1500D

Bug ID Description
386683 Kernel panics after roughly 24 hours uptime
388646 FG-1500D: hardware test CPU/Memory test fail
370151 CPU doesn’t remove dirty flag when returns session back to NP6
295041 Destination MAC address on NP6 offloaded IPv6 sessions are not updated when neighbor MAC changes

FortiGate-3600D

Bug ID Description
385669 FG-3000D crash with kernel panic

FortiGate-3810D

Bug ID Description
375749 Sometimes NP6 gets np6_fos_ipsec_sa_install 746 npu_tunnel_idx doesn’t match error message

FortiLink

Bug ID Description
379098 FortiLink Switch-Controller: Support “edge-port” setting for managed switch ports
380919 EAP tunnel is terminated at Authenticator(FGT) instead of at Auth-Server
387398 no admin password on Fortilink managed switch

FortiView

Bug ID Description
375394 Httpsd crashes when accessing page of Fortiview>VPN in GUI
390105 Fortiview VPN page shows minus value in field “Bytes(sent/received)” for L2TP and PPTP tunnels

FOC

Bug ID Description
382343 GTPV2 – Create Session response message denied due to ‘ie-is-missing’

GUI

Bug ID Description
371106 Removed trusted host is not re-indexed but replaced with 0.0.0.0/0.
371904 GUI does not prevent upgrading invalid CC signature image in FIPS mode.
Bug ID Description
375255 Cannot quarantine FortiClient device on FortiView because of javascript error from trunk 5x.
288896 Should fall back to non-paging search if Oracle ODSEE 11.1 LDAP returns LDAP_ UNAVAILABLE_CRITICAL_EXTENSION.
390088 Contract registration should accept characters.
390794 Fix fail to create IPsec IKEv2 custom VPN tunnel with authmethod psk in GUI.
374221 SSLVPN setting portal mapping realm field misses the “/” option.
374339 SSLVPN setting page may not check the required fields.
386862 Large lists of address objects can take a considerable amount of time to load
292615 VLAN interface based on NPU vdom link can’t be displayed in vdom-network-interface page
370360 VDOM read-only admin can view super admin and other higher priviledge admin’s password hash via REST API and direct URL
373031 Unable to view FortiToken CD (FTK211) on FortiGate WebU
378817 Traffic Shapers list priority should display text word not number
391703 Add video links to FortiOS GUI
377539 Filter Overrides is removed after clicking on Apply on the Application Control profile

FortiSwitch Controller

Bug ID Description
388436 Traffic is intermittently blocked when HA FortiGate controls FSW by split interface.
387555 VLAN switch trunk function stops working

System

Bug ID Description
369540 Kills the parent process (fgfmsd) and causes script exec reboot from FMG does not work on FortiGate.
372629 Hardware issue of FG-60D causes config to be lost.
375188 After factoryreset2, split port interfaces are lost.

 

Bug ID Description
375141 When NP6 offload is enabled, traffic will show up in wrong VDOM but correct VLAN interface.
380157 ZebOS issues on new VDOM.
385362 Remove username and password requirement for CLI exec central-mgmt register-device FMGSN KEY username password.
367471 Fragmented out-of-sequence ICMP Reply can loop endlessly in npu-vlink.
385455 Inconsistent trustedhost behavior.
381857 LACP passive mode voluntarily initiate LACP negotiation then aggregate interfaces unexpected establishing.
374481 Alertmail does not work on CHANGED management VDOM.
384698 Cache memory increased abruptly.
390570 FEXT discovery issue fixed.
390592 Update geoip database to version 1.057.
387675 ARP-Reply packets drops in NP6.
376452

385278

ICMP packets with HBH options are now forwarded properly.
389194 End of Daylight Savings (DST) timezone Turkey/Istanbul GMT +3.
371387 Add two trailers for FK images, to make it pass the upgrade test.
381675 Support SNMP query for individual CPU Core monitoring in kernel-3.2.
390207 Fix ixgbevf driver VLAN issue.
292237 FG-200D hangs with transmit timeouts.
378761 Allow local-in traffic When system memory reaches 94%.
378558

380653

LACP over Virtual Wire Pair on 800C, ports not forwarding LACPDUs.
372632 Eliminate kernel crash and reboots while FortiManager pushes config changes.
356245 Fix LACP ignoring peer ID change.
380161 No reply to SNMP queries if reply should be routed via PBR.
Bug ID Description
374715 Add TCP seqnum verification to BGP on RST packets.
302021 Enable FortiTest feature for 400D/600D platforms.
378825

385964

Enable diagnose hardware test on FG-100D/800D and fix related bugs.
389047 Unable to edit/create system interface when a large number of detected devices exist has been fixed.
370778 Connection problem to new master FQDN address of FMG after failover.
386478 Add LFG60C B0735 (LENC) device failed with internal error.
375338 FortiManager with super_admin profile install capture-packet meet privilege issue.
373344 “diag ip address list” still show ip address although dhcp lease time expired
376144 FMG failed to change FGT HA slave to master
380600 CLI configurable NP6 optimization
388603 after reassembly fragmented UDP packet, the s/d port become 0
365441 FGT is showing capwap IP (224.0.1.140) and mac-address (01:00:5e:00:01:8c) even no capwap enable on the port
369353 Destination MAC address will not be updated for NPU offloaded IPv4 sessions sometimes.

Tablesize

Bug ID Description
382232 FG-900D explicit proxy max users < FG-800D.
390053 Increase firewall.schedule limits on higher end

Router

Bug ID Description
369864 BFD is DOWN randomly.
381974,

387318

Default static router setting should use port1.
Bug ID Description
382934 gpd may crash after executing get router info bgp route-map.
381908 Asymmetric routing in transparent VDOM has to be enabled for correct packet flow after upgrade from 5.2.
373820 Update route_cache only when there are changes in route table.
307530,

378075

Added support for BGP Local-AS feature.
391240 BGP UPDATES without NEXT_HOP
376765 E models cannot establish BGP session with Non-ARM platforms when MD5 password authentication enabled
391233 Multicast router doesn’t send the PIM register after upgrading from 5.2.7 to 5.4.1

WiFi

Bug ID Description
387163 Fix WiFi driver crash for 3.2 kernel FWF platforms.
371374 Add back support of wave2 FAP421E/423E.
376921 FortiGate kills cw_acd daemon continuously in 900+ APs large setup.
365255,

381030

WPA-Personal passphrase should support a fixed-length of 64 hexadecimal digits.
387163 Fix WiFi driver crash for 3.2 kernel FWF platforms.
309597 Fix WiFi region codes and DFS support.
374617 Memory leak happens when change large WTP sessions’s security option.
370657 FDS daemon should return error code when fortiap version is not available in FAPV
374385 Fortinet_WiFi is not signed by PositiveSSL_CA/Fortinet_WiFi_CA after LENC license is loaded
387163 FWF30E / kernel error happpened when purge vap interface by CLI

AV

Bug ID Description
373804 Encounter several scanunit daemon crash on US WiFi corp firewall.
384520 3600C crash on scanunit signal 11 (Segmentation fault)

DLP

Bug ID Description
369825 Do not compare DLP filesize filter for files inside an archive.

IPS

Bug ID Description
371254 ipsengine signal 11 crash happens on FG-60D/90D when IPS custom signature is detected.
378192 Per-IP shaper is not working for Application Category.
381547 Fix SynProxy offloading issue.
369137 IPSec performance decreased after upgraded FG-100D from V5.2.5 to V5.4.0 in certain test.
302853 Unnecessary debug message print out when change certain ips config.
379275 Fix FortiOS memory corruption caused by ips engine crash.
378252 Flow UTM: Save last session info into crash log when IPS engine crash happens.
379833 Adjust IPS CPU assignment to improve 3815D performance.
383525 Fix for IPsec mesh selectors not automatically brought up when phase2 auto-negotiate enabled.
379082 Proxyworker high CPU waiting for IPS to reinitialize.
389610 IPS app id/cat id should be datasrc and the cat id list source is inaccurate.
368729 State preservation test failed at max mem – attack packet not blocked
386050 WAD daemon consumes 99.8% CPU utilization
300785 Enabling sync-session-ttl will cause the existing IPS sessions to be removed
Bug ID Description
379084 Botnet DB update shouldn’t cause IPS/AppCtrl signature reload in CMDB
386271 After enabling IPS sensor with custom sig, in 60% chance need to wait for 30+ seconds to let ping packet pass
392520 Update IPS engine to build 3.294

Web Filter

Bug ID Description
378234 WAD crash in wad_fmem_free after upgrade to 5.4.1.
388731 Fix rpc-over-http will cause WAD crash when enable UUID is not found in RTS.
382501 Kerberos authentication fails with unexpected token length error.
376486 WAD not supporting full webfilter with transparent policy and external webproxy in SSL deepscan mode.
373251 Local FortiGuard overrided rating sometimes doesn’t work well.
380119 Webfilter Static URL filter blocking domains with similar name.
377206 Fix wanopt log incorrect and wad ntlm auth crash.
390446 Fix webfilter urlfilter mismatch.
380324

380682

Fix proxyd and wad ssl related issues.
388957 Fix YouTube EDU filter: None, Moderate, Strict.
393381 Suggest add webfilter profile fgd block and override config CLI correlation check

DNS Filter

Bug ID Description
390957 Make DNS filter available under flow-inspection mode has been fixed.
SSLVPN  
Bug ID Description
386167 Proxy vdom SSLVPN IPv6 av doesn’t block virus if IPv4 policy UTM disable.

 

Bug ID Description
381112 Website drop-down menu does not work when accessed via SSLVPN bookmark.
371933 Unable to connect to SMB server which supports only NTLMv2.
371597 SSLVPN fail to login FGT 5.4 bookmark through Fortinet bar with url-obscuration enable.
371551 Fix SSLVPN user authenticates doesn’t follow firewall policy order when change user group order until reboot.
371807 Try next server when LDAP group auth failed on first firewall policy.
377207 fix could not access owncloud properly through SSLVPN.
377557 Change tunnel set-up timeout threshold for SSLVPN web portal with limit-userlogins.
382586 Fixed path not found is printed out when certificate is changed.
384200 Fix SSLVPN tunnel sometimes gets disconnected without error message.
374859 Fix got fork() failed after SSLVPN enter conserve mode.
379450 Fix SSLVPN crash with segmentation fault in sslvpn_ap_table_get after upgrading to 5.4.1.
379076 RDP session will be disconnected after the idle-timeout is expired on web-portal.
378103 Fix SSLVPN/newcli crash when running get vpn ssl monitor if there are more than 10000 tunnels.
380201

382393

Fixed SSLVPN has high CPU/crashed.
375561 RESOURCE_LEAK found in SSLVPN.
386968 Getting error Failed, suspended by other users when edit some content using Firefox.
379076 RDP session will be disconnected after the idle-timeout is expired on web-portal.
382828 SSLVPN web-mode not displaying login page of internal server, but tunnel-mode is OK.
355913 SSLVPN setting -> edit authentication/portal mapping page issue
387966 Username replaced by peer name in certificate based SSLVPN
Bug ID Description
375379 Username and password are displayed in clear text in the browser bar for CIFS/SMB SSL VPN Bookmark

IPsecVPN

Bug ID Description
376779 The algorithm names sha384 and sha512 are not displayed in the output of get commands for ipsec tunnel.
375749, 382568 Fix TPE_SHAPER drop on NP6 and an IPsec issue on FG-3810D.
383935 Policy-based routes does not work for Dialup IPSec routes in Fortios5.4.1.
376340 Change vpn ipsec phase1/phase1-interface peertype default from ‘any’ to ‘peer’
388408 Incorrect output for “get vpn ipsec stats crypto”

Web Application Firewall

Bug ID Description
378194 Suspect WAF breaks JSON file by adding zero to the end.
383520 WAF url-access not work.

Certification

Bug ID Description
365586 Need to restart fnbamd to load import CRL.
373930 Unset ssh-certificate can not allow client to access with null password.

WebProxy

Bug ID Description
384581 Explicit Proxy Signing Certificate for replacement pages resets to default.
374706 Fix a memory leak on proxyd.
380324 Transparent Proxy SSL Inspection closes connections before completion of SSL negotiation and/or complains of Bad Record.
Bug ID Description
389059 Improve SOCKS debug and WAF&AV scan on HTTP request.
381429 CP8 does not work for Proxy SSL acceleration.
378518 Fix WAD will crash when using web-proxy profile to add/remove HTTP headers.
390124

391748

Fix WAD SSL session ticket will cause crash on hello request, and add cert status extension support to fts.
371991 YouTube_Video.Play is not recognized with HTTPS in Application control Override.

Visibility

Bug ID Description
365259 src-vis crash on device with device detection eanbled on one-arm-sniffer interface
Bug ID Description
386446 tunnelip shouldn’t be shown if no tunnel IP in the log.

VM

Bug ID Description
372030 Increase VM00 memory limit to 1.5G.
376567 Fix network reachability issue of AWS instance launched from customer created ami.
372040 VLAN not forward traffic out on non-root VDOM.
374905 Error when attempting to deploy vApp on ESXi v6.0.0.
372487 Fix FG-VM stuck at rebooting the system when its rebooting.
378482 TCP/UDP traffic failing when NAT/UTM is enabled on FG-VM in KVM.
369167

391519

Improve cloudinit boot up config sequence.
371982 Fix FG-VM have no gui-wanopt.
392654 IPv6 basic network settings not available on unlicense VM01 or higher

Log

Bug ID Description
376157 Logging performance improvement for IPS/AppCtrl.
284055 Improve the antispam log fortiguardresp log field.
377928 FortiCloud report can’t be displayed on low-end platforms without SSD after burn image
373083 Broken remote log capabilities when resolve-ip is enabled

WANOPT

Bug ID Description
373825

376035

Fix Traffic was broken over A-P mode WANOPT on first attempt after WAD restarted.
393114 WAD crash in wad_str_copy_str after upgrade to 5.4.1

HA

Bug ID Description
387212 HA gets out of sync frequently and hasync becomes zombie.
385999 Log backup of execute backup disk xxx feature does not work fine on HA master unit.
374418 No safe method for modifying secondary vcluster membership via the CLI.
266261 FortiExtender interface unable to get DHCP IP on a FortiGate in HA mode.
301101 hasync process is running 100% of CPU.
389192 Can’t forward the SIP traffics(200OK messages) asymmetrical traffic environment in FGSP.
368447 FGSP should not sync static BFD setting.
375678 update-all-session-timer partially broken.
376449 FGSP: FGT1 clears SCTP Multihomed session marked established while data traffic is going through secondary path.
378213 FGSP: after a reboot of the FortiGate that holds the SCTP secondary path, this session is missing and will be reopened.
390929 hatalk crashed when set standaone-config-sync from enable to disable.
Bug ID Description
376045 Software switch can’t authorize FSWS successfully in HA scenario.
390926 After downgrade from b1086, HA can’t be synced.
382364 Correct typo error in HA setting (change helo-holddown to hello-holddown).

FSSO

Bug ID Description
386021 FSSO local poller fails on some X86 32 platform.

Firewall

Bug ID Description
376284 Fix CLI firewall.addrgrp when contain url upgrade from 5.2 to 5.4.
387367 Firewall is rebooting automatically.
373667 High vsd memory usage always triggers entering conserve mode when downloading file in SSL offload + IPS inspection.
368838 active-flow-timeout does not take effect for HTTP protocol when NP6 offloaded.
385983 ssl-http-location-conversion setting change from enable to disable by rebooting FortiGate.
375897 Sniffer policy upgrade from b0718 to b1064 failed.
383783 policy64 and policy46 ID should not use special id:4294967295.
297421 Fix policy re-push for multiple VDOMs.
297387

378560

On some platforms, UDP throughput is lower with more number of policies.

FIPS-CC

Bug ID Description
380703 Generation of IKE v2 nonces – NDcPP requirement.
375098 Remove CC error mode.
375102 Modify low level format for boot device (flash) in FIPS-CC mode.
Bug ID Description
375099 Update supported TLS cipher suites in FIPS-CC mode.
376860 IPSec ESP SA with stronger encryption than IKE SA shouldn’t be allowed.
387002 Add HMAC SHA-384/512 self-tests.
375100 Update supported SSH cipher suites in FIPS-CC mode.
387542 Remove CRL/Ceritifcate/CA may cause FIPS-CC self-test failure.
389003 FIPS-CC get self-test failure causes of /etc/cert/ca/ changes, which causes system halt.
388181 Add support to break RNG health tests

FortiCloud

Bug ID Description
380506 FortiGate’s forticldd daemon timer settings and updated timer discussion.
Upgrade  
Bug ID Description
393056 Explicit proxy config lost on interfaces after upgrading if vdom is enabled

VOIP

Bug ID Description
370201 Fix the imd crash issue when unregistering SIP with asterisk (*) contact, or multiple REGISTER message with same AOR and multiple contacts.
382315 Fix the issue that SIP re-invites causing excessive memory consumption in VOIPD.

Common Vulnerabilities and Exposures

Bug ID Description
379870 FortiOS 5.4.2 is no longer vulnerable to the following CVE References: l 2003-1418 l 2007-6750

Visit https://fortiguard.com/psirt for more information.

 

Bug ID Description
373707 FortiOS 5.4.2 is no longer vulnerable to the following CVE References: l 2016-1551 l 2016-1549 l 2016-2516 l 2016-2517 l 2016-2518 l 2016-2519 l 2016-1547 l 2016-1548 l 2015-7704 l 2015-8138 l 2016-1550

Visit https://fortiguard.com/psirt for more information.

383538 FortiOS 5.4.2 is no longer vulnerable to the following CVE References: l 2016-3713 l 2016-5829

Visit https://fortiguard.com/psirt for more information.

381168 FortiOS 5.4.2 is no longer vulnerable to the following CVE Reference: l 2004-0230

Visit https://fortiguard.com/psirt for more information.

378697 FortiOS 5.4.2 is no longer vulnerable to the following CVE Reference: l 2016-2512

Visit https://fortiguard.com/psirt for more information.

383564 FortiOS 5.4.2 is no longer vulnerable to the following CVE Reference: l 2016-5696

Visit https://fortiguard.com/psirt for more information.

 

Bug ID Description
372770 FortiOS 5.4.2 is no longer vulnerable to the following CVE References: l 2016-6304 l 2016-6305 l 2016-2183 l 2016-6303 l 2016-6302 l 2016-2182 l 2016-2180 l 2016-2177 l 2015-2178 l 2015-2179 l 2016-2181 l 2016-6306 l 2016-6307 l 2016-6308

Visit https://fortiguard.com/psirt for more information.

389610 FortiOS 5.4.2 is no longer vulnerable to the following CVE References: l 2016-6309 l 2016-7052

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.4.2. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json)
Bug ID Description
392049 Cannot create the second IPv6 VIP which has the same ext/int IP as the existing one, but different port-forwarding port.
364589 LB VIP slow access when cookie persistence is enabled.

DLP

Bug ID Description
393649 Executable files may not be blocked by DLP built-in exe file-type filter.
379911 DLP filter order is not applied on encrypted files.

Endpoint Control

Bug ID Description
375149 FGT does not auto update AV signature version while Endpoint Control is enabled.
374855 Third party compliance may not be reported if FortiClient has no AV feature.
391537 Buffer size is too small when sending a large vulnerability list to FortiGate.

FIPS-CC

Bug ID Description
375149 NDcPP requires a SSH server rekey.

Firewall

FortiGate-3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.
357360 DHCP snooping does not work on IPv6.
374346 Adding or reducing stacking connections may block traffic for 20 seconds.

FortiSwitch

Bug ID Description
393966 Trunk port does not work if the only VLAN member is on PoE interfaces.

FortiSwitch-Controller/FortiLink

Bug ID Description
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
357360 DHCP snooping may not work on IPv6.
304199 Using HA with FortiLink can encounter traffic loss during failover.

FortiView

Bug ID Description
289376 Applying the filter All by using the right click method may not work in the All Sessions page.
303940 Web Site > Security Action filter may not work.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
366627 FortiView Cloud Application my display the incorrect drill down File and Session list in the Applications View.
374947 FortiView may show empty country in the IPv6 traffic because country info is missing in log.
Bug ID Description
372350 Threat view: Threat Type and Event information are missing in the last level of the threat view.
375187 Using realtime auto update may increase chrome browser memory usage.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
372897 Invalid -4 and invalid 254 is shown as the submitted file status.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
303928 After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in the GUI.
374166 Using Edge cannot select the firewall address when configuring a static route.
365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
375383 Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
375369 May not be able to change IPsec manualkey config in GUI.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374521 Unable to Revert revisions on GUI.
374081 wan-load-balance interface may be shown in the address associated interface list.
355388 The Select window for remote server in remote user group may not work as expected.
373363 Multicast policy interface may list the wan-load-balance interface.
372943 Explicit proxy policy may show a blank for default authentication method.
375346 You may not be able to download the application control packet capture from the forward traffic log.

 

Bug ID Description
375290 Fortinet Bar may not be displayed properly.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374320 Editing a user from the Policy list page may re-direct to an empty user edit page.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374221 SS LVPN setting portal mapping realm field misses the / option.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
375227 You may be able to open the dropdown box and add new profiles even though it errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
374343 After enable inspect-all in ssl-ssh-profile, user may not be able to modify allow-invalid-server-cert from GUI
372825 If the selected SSID has reached the maximum entry, the GUI will reset the previously selected SSID.
374191 The Interface may be hidden from the Physical list if its VLAN interface is a ZONE member in the GUI.
374525 When activating the FortiCloud/Register-FortiGate clicking OK may not work the first time.
374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard
374371 The IPS Predefined Signature information popup window may not be displayed because it is hidden behind the Add Signature window.
Bug ID Description
374183 Security page does not have details for the Forward Traffic log for an IPS attack when displaying a FortiAnalyzer log.
374538 Unable to enable Upload logs to FortiAnalyzer after disabling it.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
374237 You may not be able to set a custom NTP server in the GUI if you did not config it in the CLI first.
393927 Policy List > FQDN Object Tooltip should show resolved IP addresses.
393267 Not possible to edit existing Web Filter profile.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
365317 Unable to add new AD group in second FSSO local polling agent.

HA

Bug ID Description
387216 HA virtual MAC is flapping.
391084 HA unable to sync inversed object entries.
388044 Four member HA Cluster do not always re-converge properly when HB links are re-established.

IPS

Bug ID Description
393675 SSH due to Application Control Proxy in the Security Profile.
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
394157 IPS archive not uploaded to FAZ when it is in realtime mode.

IPSec

Bug ID Description
375020 IPsec tunnel Fortinet bar may not be displayed properly.
374326 Accept type: Any peer ID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.

Logging & Report

Bug ID Description
300637 MUDB logs may display Unknown in the Attack Name field under UTM logs.
374103 Botnet detection events are not listed in the Learning Report.
367247 FortiSwitch log may not show the details in the GUI, while in CLI the details are displayed.
374411 Local and Learning report web usage may only report data for outgoing traffic.
391786 Logdiskless FGT does not generate a log indicating a sandboxing result.
377733 Results/Deny All filter does not return all required/expected data.

Router

Bug ID Description
393127 WLB measured-volume-based load balance does not work as expected after running for more than one day.
393623 Policy routing change not is not reflected.
385264 AS-override has not been applied in multihop AS path condition.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
303661 The Start Tunnel feature may have been removed.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
374644 SSL VPN tunnel mode Fortinetbar may not be displayed.
Bug ID Description
393698 SSL VPN web mode http/https SSO will keep trying even if the password is wrong.
307465 Fail to Copy & Paste through RDP when connected by SSL VPN web mode.
393943 SSL VPN crash when connect to win2008 smb/CIFS bookmark with wrong password.

System

Bug ID Description
304199 FortiLink traffic is lost in HA mode.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
290708 nturbo may not support CAPWAP traffic.
372717 Unable to access FortiGate GUI via https using low ciphers.
364280 User can not use ssh-dss algorithm to login to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 admin-https-banned-cipher in sys global may not work as expected.
371986 NP6 may have issue handling fragment packets.
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.
388046 Confsyncd memory leak.
393395 The role of new VAP interface should be set as LAN.
393042 IPv6 traffic not distributed according to the lacp L4 algorithm.
393343 Remove botnet filter option if interface role is set to LAN.
392960 FOS support for V4 BIOS.
392125 FGT to FMG backup config returned with the Management server is not configured error message.
392125 After an HA failover some of the multicast streams stop.

Upgrade

Bug ID Description
269799 sniffer config may be lost after upgrade.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FGT-VM-LENC.
378421 Committing any change on SSL VPN Settings over web page returns error:500.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.