FortiOS 5.6.3 Release Notes

Change Log

Date         Change Description
2017-12-05   Initial release.
2017-12-07   Added 443203 to Resolved Issues.
             Added 463211 to Known Issues.
             Moved 452384 from Known Issues to Resolved Issues.
             Deleted Internet Explorer version 11 from Product Integration and Support.
2017-12-08   Added 443870 to Resolved Issues.
             Added caution to Upgrade Information > Upgrading to FortiOS 5.6.3.

Introduction

This document provides the following information for FortiOS 5.6.3 build 1547:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.3 supports the following models.

FortiGate: FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001C, FG-5001D

FortiWiFi: FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-30D, FGR-35D, FGR-60D, FGR-90D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-GCP, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM

FortiOS Carrier: FortiOS Carrier 5.6.3 images are delivered upon request and are not available on the customer support firmware download page.


What’s new in FortiOS 5.6.3

For a list of new features and enhancements that have been made in FortiOS 5.6.3, see the What’s New for FortiOS 5.6.3 document.

Special Notices

Built-in certificate

FortiGate and FortiWiFi D-series and later models have a built-in Fortinet_Factory certificate with a 2048-bit key and use DH group 14 (2048-bit MODP).

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of its release notes. Those issues, which were related to the use of ports 1 through 14, include:

  • PPPoE failing and HA failing to form.
  • IPv6 packets being dropped.
  • FortiSwitch devices failing to be discovered.
  • Spanning tree loops, depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues were improved in FortiOS 5.4.1, but with side effects, through a new command that is enabled by default:

    config global
        set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
  • BPDUs are dropped, so no STP loop results.
  • PPPoE packets are dropped.
  • IPv6 packets are dropped.
  • FortiSwitch devices are not discovered.
  • HA may fail to form, depending on the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic is not offloaded if the ingress and egress ports are on different NP6 chips. It is offloaded only when both the ingress and egress ports belong to the same NP6 chip.


FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient profile changes

With the introduction of the Security Fabric, FortiClient profiles on FortiGate have changed. FortiClient profiles on FortiGate are now used primarily for endpoint compliance, while FortiClient Enterprise Management Server (EMS) is used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate covers the FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You can set the Non-Compliance Action to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints; EMS also supports additional features, such as VPN tunnels and other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

FortiExtender support

Due to OpenSSL updates, FortiOS 5.6.3 can no longer manage FortiExtender firmware older than 3.2.1. If you run FortiOS 5.6.3 with FortiExtender, you must upgrade FortiExtender to 3.2.1 or later.

Upgrade Information

Upgrading to FortiOS 5.6.3

FortiOS version 5.6.3 officially supports upgrading from versions 5.4.5, 5.4.6, 5.6.0, 5.6.1, and 5.6.2. To upgrade from other versions, see Supported Upgrade Paths.

Caution: before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading. If you are upgrading from version 5.6.1 or 5.6.2, this caution does not apply.
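One way to check a configuration backup for the port 4433 conflict before touching the unit, as an added example that is not part of the Fortinet release notes: the script walks the backup text as plain config/edit/set/next/end blocks (the standard FortiOS backup layout), attributes every set line to its innermost config section, and reports admin-port, admin-sport (config system global) and port (config vpn ssl settings) when they equal 4433. The sample configuration embedded below is constructed for the demonstration; the function and setting names are the author's, not a Fortinet API.

```python
"""Pre-upgrade check for the FortiOS 5.6.3 port 4433 caution.

Added example, not Fortinet code: scans a FortiOS configuration backup and
reports any of admin-port / admin-sport (config system global) or port
(config vpn ssl settings) that is set to 4433.
"""
import re

RESERVED_PORT = 4433

# Section path -> settings that must not use the reserved port (from the caution).
CHECKED_SETTINGS = {
    ("system", "global"): ("admin-port", "admin-sport"),
    ("vpn", "ssl", "settings"): ("port",),
}

_CONFIG_RE = re.compile(r"^\s*config\s+(.+?)\s*$")
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def find_port_conflicts(config_text, reserved_port=RESERVED_PORT):
    """Return [(section, setting, value)] for each checked setting equal to reserved_port.

    A stack of open "config" and "edit" frames is kept so that a "set" line is
    attributed to the innermost "config" section even when it sits inside an
    "edit" table entry. "next" closes an "edit" frame and "end" a "config" frame.
    """
    stack = []
    conflicts = []
    for line in config_text.splitlines():
        stripped = line.strip()
        m = _CONFIG_RE.match(line)
        if m:
            stack.append(("config", tuple(m.group(1).split())))
            continue
        if stripped.startswith("edit "):
            stack.append(("edit", stripped[5:].strip().strip('"')))
            continue
        if stripped in ("next", "end"):
            if stack:
                stack.pop()
            continue
        m = _SET_RE.match(line)
        if not m:
            continue
        section = next((frame[1] for frame in reversed(stack) if frame[0] == "config"), None)
        if section not in CHECKED_SETTINGS:
            continue
        name, value = m.group(1), m.group(2).strip().strip('"')
        if name in CHECKED_SETTINGS[section] and value.isdigit() and int(value) == reserved_port:
            conflicts.append((" ".join(section), name, int(value)))
    return conflicts


# Constructed sample backup: admin-sport and the SSL VPN port both collide with 4433,
# while the nested authentication-rule table and the firewall policy must be ignored.
SAMPLE_CONFIG = """\
config system global
    set admin-port 80
    set admin-sport 4433
    set hostname "edge-fw"
end
config vpn ssl settings
    set port 4433
    set servercert "Fortinet_Factory"
    config authentication-rule
        edit 1
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "port1"
    next
end
"""


def report(config_text):
    """Print a summary; return True when nothing uses port 4433 and the upgrade may proceed."""
    conflicts = find_port_conflicts(config_text)
    for section, setting, value in conflicts:
        print(f"config {section}: set {setting} {value}  <- change before upgrading")
    if not conflicts:
        print("no setting uses port 4433; safe to upgrade")
    return not conflicts


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
```

Run it against the backup you take immediately before the upgrade, not an older one, so that the result reflects the configuration the upgrade will actually carry forward.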

After upgrading, if FortiLink mode is enabled, you must manually create an explicit firewall policy that allows the RADIUS traffic used for 802.1X authentication from the FortiSwitch (for example, from the FortiLink interface) to reach the RADIUS server through the FortiGate.

FortiGate-VM64-Azure upgrade

You can upgrade from the GUI or CLI. Because some configurations are not kept in the upgrade, we recommend you do a factory reset using execute factoryreset, and then reconfigure the VM.

Your original VM license is kept in the upgrade.

Security Fabric upgrade

FortiOS 5.6.3 greatly increases interoperability with other Fortinet products, including:

  • FortiAnalyzer 5.6.1
  • FortiClient 5.6.0
  • FortiClient EMS 1.2.2
  • FortiAP 5.4.2 and later
  • FortiSwitch 3.6.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need for manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

 

FortiClient profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration).
  • Advanced configuration, such as configuring CA certificates, the unregister option, FortiManager updates, dashboard banner, client-based logging when on-net, and Single Sign-on Mobility Agent.
  • VPN provisioning.
  • Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths.
  • Client-side web filtering when on-net.
  • iOS and Android configuration by using the FortiOS GUI.

With FortiOS 5.6.3, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.2, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles

If you have long VDOM names, you must shorten them (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace every long VDOM name with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

FortiOS 5.6.3 adds support for AWS enhanced networking, which older FortiOS VM images do not have. After downgrading a 5.6.3 image to an older version, network connectivity is lost, and because AWS does not provide console access, the downgraded instance cannot be recovered.

Downgrading from 5.6.3 to an older version is therefore not allowed while the enhanced NIC driver is in use. The following AWS instance types are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains a .vhd file in the Virtual Hard Disks folder that can be added manually in Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

 

Product Integration and Support

FortiOS 5.6.3 support

The following table lists 5.6.3 product integration and support information:

Web Browsers
  • Microsoft Edge 38
  • Mozilla Firefox version 54
  • Google Chrome version 59
  • Apple Safari version 9.1 (for Mac OS X)
  Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Edge 40
  • Mozilla Firefox version 53
  • Google Chrome version 58
  • Apple Safari version 10 (for Mac OS X)
  Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager
  See important compatibility information in Security Fabric upgrade. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.
  Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer
  See important compatibility information in Security Fabric upgrade. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.
  Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft Windows
  • 5.6.1
  See important compatibility information in Security Fabric upgrade.
  If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient Mac OS X
  • 5.6.0
  See important compatibility information in Security Fabric upgrade.
  If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS
  • 5.4.3 and later

FortiClient Android and FortiClient VPN Android
  • 5.4.1 and later

FortiAP
  • 5.4.2 and later
  • 5.6.0

FortiAP-S
  • 5.4.3 and later
  • 5.6.0

FortiSwitch OS (FortiLink support)
  • 3.6.2 and later

FortiController
  • 5.2.5 and later
  Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C.

FortiSandbox
  • 2.3.3 and later

Fortinet Single Sign-On (FSSO)
  • 5.0 build 0264 and later (needed for FSSO agent support of OU in group filters)
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Standard
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008 R2 64-bit
  • Windows Server 2012 Standard
  • Windows Server 2012 R2 Standard
  • Novell eDirectory 8.8
  FSSO does not currently support IPv6.

FortiExtender
  • 3.2.1 and later
  See FortiExtender support under Special Notices.

AV Engine
  • 5.247

IPS Engine
  • 3.442

Virtualization Environments

Citrix
  • XenServer version 5.6 Service Pack 2
  • XenServer version 6.0 and later

Linux KVM
  • RHEL 7.1/Ubuntu 12.04 and later
  • CentOS 6.4 (qemu 0.12.1) and later

Microsoft
  • Hyper-V Server 2008 R2, 2012, and 2012 R2

Open Source
  • XenServer version 3.4.3
  • XenServer version 4.1 and later

VMware
  • ESX versions 4.0 and 4.1
  • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV
  The following NIC chipset cards are supported:
  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language support

The GUI is available in the following languages:

  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The SSL VPN tunnel client standalone installer is available for the following operating systems.

Operating System: Linux CentOS 6.5 / 7 (32-bit & 64-bit); Linux Ubuntu 16.04
Installer: 2334. Download from the Fortinet Developer Network, https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

  • Microsoft Windows 7 SP1 (32-bit & 64-bit) and Microsoft Windows 8 / 8.1 (32-bit & 64-bit): Microsoft Internet Explorer version 11, Mozilla Firefox version 54, Google Chrome version 59
  • Microsoft Windows 10 (64-bit): Microsoft Edge, Microsoft Internet Explorer version 11, Mozilla Firefox version 54, Google Chrome version 59
  • Linux CentOS 6.5 / 7 (32-bit & 64-bit): Mozilla Firefox version 54
  • Mac OS 10.11.1: Apple Safari version 9, Mozilla Firefox version 54, Google Chrome version 59
  • iOS: Apple Safari, Mozilla Firefox, Google Chrome
  • Android: Mozilla Firefox, Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

Verify the accuracy of the GUID for the software you are using for the SSL VPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.

After verifying GUIDs, you can update them in FortiOS using this command:

    config vpn ssl web host-check-software

The following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.

The GUIDs in this example are only for AVG Internet Security 2017 on Windows 7 and Windows 10. The GUIDs might be different for other versions of the software and other operating systems.

To update GUIDs in FortiOS:

  1. Use the config vpn ssl web host-check-software command to edit the AVG-Internet-Security-AV entry and set its GUID for AVG Internet Security 2017 to 4D41356F-32AD-7C42-C820-63775EE4F413.
  2. Edit the AVG-Internet-Security-FW entry and set its GUID to 757AB44A-78C2-7D1A-E37F-CA42A037B368.
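The two steps above as a single CLI session, added here as an example and not taken from the release notes. It assumes the two host-check entries already exist on the unit with their type, OS and version settings in place (the procedure edits existing entries), so only the guid attribute is set; the entry names are the ones the procedure refers to, written with consistent hyphenation, and the GUIDs are the values given above. The final show command reads the stored values back so the change can be confirmed before an endpoint is tested against it.

```fortios
config vpn ssl web host-check-software
    edit "AVG-Internet-Security-AV"
        set guid "4D41356F-32AD-7C42-C820-63775EE4F413"
    next
    edit "AVG-Internet-Security-FW"
        set guid "757AB44A-78C2-7D1A-E37F-CA42A037B368"
    next
end
show vpn ssl web host-check-software
```

If an entry does not yet exist, edit creates it, and the type (av or fw) and os-type must then also be set for the host check to evaluate it; the GUID alone is not enough.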

 

Resolved Issues

The following issues have been fixed in version 5.6.3. For inquiries about a particular bug, please contact Customer Service & Support.

Application Control

Bug ID Description
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.

DLP

Bug ID Description
435283 block-page-status-code doesn't work for HTTP status code of DLP replacement message.
454112 HIBUN file with *.exe extension is detected as exe file.

DNS Filter

Bug ID Description
438834 DNS filter blocks access when rating error occurs, even with allow request on rating error enabled.

FIPS-CC

Bug ID Description
440307 Wildcard certificate support/handling for SAN/CN reference identifiers.

Firewall

Bug ID Description
449195 DNAT not working for SCTP multi-homing traffic.

FortiCarrier

Bug ID Description
415496 GTP-U sanity drop by gtp-in-gtp checking if the GTP-U payload has an invalid UDP header (IP fragment case).
445321 GTP: two cases of protocol anomaly drops to review (status=prohibited).

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.
445373 For 802.1X, FortiSwitch port disappeared after upgrading FortiGate from 5.6.0 to 5.6.1 with 802.1X enabled without security-group/user-group.

GUI

Bug ID Description
365378 Cannot assign ha-mgmt-interface IP address in the same subnet as other port from the GUI.
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.
403146 Slow GUI Policy tab with more than 600 policies.
409100 Edit admin/user, enable FortiToken mobile, or click send activation email before saving sends empty activation code.
412401 Incorrect throughput reading in GUI-System-HA page.
450919 IPS sensor with >= 8192 signature entries should not be created from GUI.

HA

Bug ID Description
412652 Unexpected behavior seen when one cluster unit has a monitored port down and another cluster unit has ping server issues.
436585 Issues with different hardware generation when operating in a HA cluster.
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
442085 After HA failover, the new master unit uses an OSPF MD5 authentication encryption sequence that is lower than the previous sequence number.
442663 No NTP sync and feature license invalid at backup device in FGSP cluster.
442907 Admin password expiry calculation is 1 sec. different on master and slave which causes HA to be out of sync for about 20 mins.
449147 No security database update on slave unit in FGSP environment.
452052 vcluster2’s VMAC on VLAN Interface is not persistent after vcluster1 fails over.
452715 ha-mgmt-interface on slave unit is overwritten when backed up and restored.
454347 Ping server penalties are taken into account even when they are not configured in HA settings anymore.
455513 Management VDOMs I/F address on slave is lost or sync’ed with Master’s.

IPsec VPN

Bug ID Description
401847 Half of IPsec tunnels traffic lost 26 minutes after power on a spare 1500D.
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.
441267 FortiGate static remote-gateway can change if peer sends ESP traffic with different IP address.
442671 Set broadcast-forward enable not working for IPsec interface.
445657 FortiOS Traffic Selector narrowing accepts wrong proposal.

Log & Report

Bug ID Description
422901 Power disruption message when logging with prof_admin.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.
443001 Export log field descriptions for documentation.

Proxy

Bug ID Description
403140 Improve filtering capabilities of LDAP search Explicit Proxy with Kerberos authentication.
435332 Keepalive exempted HTTPS traffic stays on both the kernel and the proxy.
441284 www.nieporet.pl website loads very slowly in proxy mode when AV is applied.
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.
442328 Replacement message image fails to load.
443870 Incorrect extended master secret (EMS) handling in proxy mode deep-inspection causes SSL connection failure.
444257 After Upgrading from 1466 to 1484 GA, SSL Deep Inspection breaks for many SSL sites using Chrome.
445312 tcp-timewait-timer does not have any effect when WAD is running.
445374 Proxies should preserve DSCP flags.
447274 Specific web page fails to load when proxy-based AV profile is enabled on Explicit web proxy policy.

Routing

Bug ID Description
441506 BGP Aggregate address results in blackhole for incoming traffic.

Security Fabric

Bug ID Description
409156 In Security Fabric Audit, the unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions.

SSL VPN

Bug ID Description
412850 SSL VPN portal redirect fails with a JavaScript error.
443203 In SSL VPN web mode, RDP quick connect fails with domain\username format credentials via NLA.

System

Bug ID Description
278660 FGT-AWSONDEMAND is unable to handle FortiCare registration.
290708 nturbo may not support CAPWAP traffic.
393006 NPU offloading causes issues with Arista.
404119 FSSO is not enabled when FSSO policy was created.
411415 Update FortiOS API to remove IPS sessions in parallel with firewall sessions.
414811 Restore NIC offload capabilities on FortiGate KVM VM.
420568 fclicense daemon has several signal 11 crashes.
422413 Use API monitor to get data for FortiToken list page.
423332 Merge Top3 “Improve GTP Performance” to 5.6 and 5.8.
423508 Traffic from CAPWAP is not offloading on NP6 FortiGate.
437195 GTP: PDP update request should update the associated tunnel even when two TEIDs are the same.
437589 Slow throughput on 1000D between 10G and 1G interfaces.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
440412 Added SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
440564 After clicking the DHCP renew button, the GUI page doesn’t refresh.
440850 Latency noticed with port pair when MAC address flapping between port pair members.
440923 The FortiGate interface DHCP client does not work properly in some situations.
441269 3600C memory leak due to IKED.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.
442300 FGT5HD kernel panic on 5.6.0-build 1449.
443019 After running for some time, the FG-30E console keep printing memory leak error messages.
444090 Cannot get SNMP values for NP6 counters.
451456 Support DHCP Option 82 on FortiGate DHCP relay – rfc3046.
454939 Virtual-wire-pair config is lost after reboot when using at least one VXLAN interface as member.

Wireless

Bug ID Description
414606 CAPWAP encapsulated DNS traffic not forwarded back to IPsec tunnel.
421239 Tunnel mode SSID not working when FortiAP managed through IPsec VPN with NP6 offloading enabled.
437949 Split tunnel enhancement: set split-tunneling-acl-path [tunnel | local].

Common Vulnerabilities and Exposures

Bug ID Description
442365 FortiOS 5.6.3 is no longer vulnerable to CVE-2017-7738.
446892 FortiOS 5.6.3 is no longer vulnerable to CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081 (the WPA2 key reinstallation attacks, KRACK).
452384 FortiOS 5.6.3 is no longer vulnerable to CVE-2017-14185.
452730 FortiOS 5.6.3 is no longer vulnerable to CVE-2017-14186.
453971 FortiOS 5.6.3 is no longer vulnerable to CVE-2017-14187.
456392 FortiOS 5.6.3 is no longer vulnerable to CVE-2017-13077.

Visit https://fortiguard.com/psirt for the advisory on each CVE.

 

Known Issues

The following issues have been identified in version 5.6.3. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
448247 Traffic shaper in a shaping policy does not work for specific application categories, such as P2P.

Authentication

Bug ID Description
460229 Existing terminal server sessions overridden with the last TS user that logged in.
AV  
Bug ID Description
446204 Korean characters in file names are displayed with the wrong encoding in the GUI.

FIPS-CC

Bug ID Description
463211 When alarm is enabled in FIPS mode, the console hangs and the getty process uses very high CPU usage.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
FortiGate 500D  
Bug ID Description
403449 FortiGate 500D has some issue with FINISAR transceiver.
Bug ID Description
356174 FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374844 Should show the IPv6 address when IPv6 mode is set to pppoe/dhcp on GUI > Network > Interfaces.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content or download.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 HA with FortiLink traffic loss – no virtual MAC.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to FortiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable in a hidden way.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

462080 FG-300E reboots with kernel panic errors.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drilling down on an auth-failed WiFi client entry in "Failed Authentication" does not display detail logs when CSF is enabled.
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
422413 Use API monitor to get data for FortiToken list page.
422901 Power disruption message when logging with prof_admin.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
446756 Guest user print template can’t display pictures while printing.
451776 Admin GUI has limit of 10 characters for OTP.
459904 Rogue AP Monitor does not show the Name of the AP in the Detected By column.
Bug ID Description
443418 User is not listed in quarantine list in case block duration value is set long enough.
450693 ERR_SSL_PROTOCOL_ERROR when deep scan enabled along with IPS in policy.

HA

Bug ID Description
441078 After an HA failover, packets continue to be forwarded to the previous master node for too long.
455284 sshd daemon is not started when only the ssh option is allowed on ha-mgmt-interface.
457554 FortiGate does not send syslog after ha-mgmt-interface link goes down and then up.
457877 Packets dropped with TNS session-helper enabled on FGSP cluster.
458320 Cluster uptime was not consistent.
461731 HA dedicated management port settings are modified and unreachable after restoring the configuration backup.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is sync’ed.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.

Proxy

Bug ID Description
454185 Specific application does not work when deep inspection is enabled.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
441068 SSL VPN unable to connect in tunnel mode, seeing multiple stale sessions for the same user.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 ssh-dss may not work on FGT-VM-LENC.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
450389 IPv6 problem with neighbor-cache.
451456 DHCP Option 82 on FortiGate DHCP relay – rfc3046.
457096 FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
459273 Slave worker blade loses local administrator accounts.

VM

Bug ID Description
441129 Certify FortiGate-VMX v5.6 with NSX v6.3 and vSphere v6.5.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats require manual configuration before the first power on.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, import problems may arise with the QCOW2 format, in addition to existing HDA issues.

FortiOS 5.4.7 Release Notes

Introduction

This document provides the following information for FortiOS 5.4.7 build 1167:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.7 supports the following models.

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D
FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.7 supports the additional CPU cores through a license update on the following VM models:

  • VMware 16, 32, unlimited
  • KVM 16
  • Hyper-V 16, 32, unlimited

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.7 images are delivered upon request and are not available on the customer support firmware download page.


Special branch supported models

The following models are released on a special branch of FortiOS 5.4.7. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1167.

FGR-30D is released on build 7703.
FGR-30D-A is released on build 7703.
FGR-35D is released on build 7703.
FG-30E-MI is released on build 6465.
FG-30E-MN is released on build 6465.
FWF-30E-MI is released on build 6465.
FWF-30E-MN is released on build 6465.
FWF-50E-2R is released on build 7702.
FG-52E is released on build 6445.
FG-60E is released on build 6453.
FG-60E-POE is released on build 6453.
FWF-60E is released on build 6453.
FG-61E is released on build 6453.
FWF-61E is released on build 6453.
FG-80E is released on build 6453.
FG-80E-POE is released on build 6453.
FG-81E is released on build 6453.
FG-81E-POE is released on build 6453.
FG-90E is released on build 6457.
FG-91E is released on build 6457.
FWF-92D is released on build 7701.
FG-100E is released on build 6453.


FG-100EF is released on build 6453.
FG-101E is released on build 6453.
FG-140E is released on build 6453.
FG-140E-POE is released on build 6453.
FG-200E is released on build 6456.
FG-201E is released on build 6456.
FG-300E is released on build 4087.
FG-301E is released on build 4087.
FG-500E is released on build 4087.
FG-501E is released on build 4087.
FG-2000E is released on build 6458.
FG-2500E is released on build 6458.
FG-3960E is released on build 6460.
FG-3980E is released on build 6460.
FG-5001E is released on build 6452.
FG-5001E1 is released on build 6452.
FG-VM64 is released on build 6446.
FG-VM64-HV is released on build 6446.
FG-VM64-KVM is released on build 6446.
FG-VM64-OPC is released on build 3332.
FG-VM64-XEN is released on build 6446.
FG-VM64-AWSONDEMAND is released on build 6446.
FG-VM64-AZURE is released on build 6446.
FG-VM64-AZUREONDEMAND is released on build 6446.


What’s new in FortiOS 5.4.7

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.7, see the What's New for FortiOS 5.4.7 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate with an RSA 2048-bit key, and FortiOS supports DH group 14 for key exchange.

Default log setting change

For FG-5000 blades, the log disk is disabled by default and can only be enabled via the CLI. For all 2U and 3U models (FG-3600/FG-3700/FG-3800), the log disk is also disabled by default. For all 1U models and desktop models that support a SATA disk, the log disk is enabled by default.

Policy list display changes

To improve performance, FortiOS 5.4.6 implemented the following changes when displaying lists in Policy & Objects.

In Policy & Objects > Addresses:

  • The Address | Group | All option at the top is removed and all addresses and groups are displayed in sections.
  • Paging options at the bottom are removed.
  • The group member count is moved to the Details

In Policy & Objects > Policy lists:

  • The Sequence view and # column are removed.
  • Custom sections (global-labels) are no longer supported.
  • To start searching, press Enter, click the search button, or click outside the search box.
  • Column filters are reset when you leave or reload the page.
  • Section expand/collapse settings are reset when you leave or reload the page.

FortiAnalyzer support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.


Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of ports 1 through 14, include:

  • PPPoE failing, HA failing to form
  • IPv6 packets being dropped
  • FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects from the introduction of a new command, which is enabled by default:

config system global
    set hw-switch-ether-filter <enable | disable>
end

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed
  • BPDUs are dropped and therefore no STP loop results
  • PPPoE packets are dropped
  • IPv6 packets are dropped
  • FortiSwitch devices are not discovered
  • HA may fail to form depending on the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result
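To make the allow/drop behaviour above concrete, here is an added Python example written for these notes (it is not Fortinet code and does not model the switch ASIC): it reads the outer type/length field of constructed Ethernet frames and applies the same three-entry allowlist. It assumes that only the outer EtherType is examined, so an 802.1Q-tagged frame passes whatever it carries, and it uses the IEEE-assigned EtherTypes for IPv6 (0x86DD) and PPPoE (0x8863/0x8864) plus the fact that STP BPDUs are 802.3 frames with a length field rather than an EtherType; none of those values are on this page. The BPDU case is the instructive one: it cannot match any EtherType allowlist, which is exactly why enabling the filter stops STP loops.

```python
import struct

# EtherType constants (IEEE assignments; only the first three appear in the notes).
ETH_P_IPV4 = 0x0800
ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ETH_P_IPV6 = 0x86DD
ETH_P_PPPOE_DISC = 0x8863
ETH_P_PPPOE_SESS = 0x8864

# The allowlist the release note describes for hw-switch-ether-filter enable.
ALLOWED_WHEN_ENABLED = frozenset({ETH_P_ARP, ETH_P_IPV4, ETH_P_8021Q})

BROADCAST = b"\xff" * 6
STP_MULTICAST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
CONSTRUCTED_SRC = bytes.fromhex("020000000001")  # locally administered, constructed


def ether_type_of(frame: bytes):
    """Outer EtherType of a frame, or None when the 16-bit field is an 802.3
    length (value < 0x0600), which is how LLC-encapsulated STP BPDUs look."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    return type_or_len if type_or_len >= 0x0600 else None


def filter_decision(frame: bytes, filter_enabled: bool) -> str:
    """'allow' or 'drop' for one frame under the given filter setting.
    Assumption: only the outer type field is inspected, never the payload."""
    if not filter_enabled:
        return "allow"            # disabled: every frame type is forwarded
    return "allow" if ether_type_of(frame) in ALLOWED_WHEN_ENABLED else "drop"


def make_frame(type_or_len: int, payload: bytes = b"\x00" * 46,
               dst: bytes = BROADCAST) -> bytes:
    """Build a minimal constructed Ethernet frame (no FCS)."""
    return dst + CONSTRUCTED_SRC + struct.pack("!H", type_or_len) + payload


# Constructed sample frames, one per case the release note lists.
SAMPLE_FRAMES = {
    "arp": make_frame(ETH_P_ARP),
    "ipv4": make_frame(ETH_P_IPV4),
    "vlan_tagged": make_frame(ETH_P_8021Q),
    "ipv6": make_frame(ETH_P_IPV6),
    "pppoe_discovery": make_frame(ETH_P_PPPOE_DISC),
    "pppoe_session": make_frame(ETH_P_PPPOE_SESS),
    # STP BPDU: 802.3 length 38, then LLC DSAP/SSAP 0x42 0x42, control 0x03.
    "stp_bpdu": make_frame(0x0026, b"\x42\x42\x03" + b"\x00" * 35, dst=STP_MULTICAST),
}


def classify_all(filter_enabled: bool) -> dict:
    """Map each sample frame name to its allow/drop decision."""
    return {name: filter_decision(f, filter_enabled)
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for setting in (True, False):
        print("hw-switch-ether-filter", "enable" if setting else "disable")
        for name, verdict in classify_all(setting).items():
            print("  %-16s %s" % (name, verdict))
```

Running the block prints the per-frame verdicts for both settings; with the filter enabled only the ARP, IPv4 and VLAN-tagged frames are allowed, which matches the two bullet lists above.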

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

 


FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.7, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient profile changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.


In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus, Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end

Log disk usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate-VMs, which remain at the self-signed option. For details on importing a CA-signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM firmware upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet Customer Service & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/


Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

DLP, AV

In 5.2, Block page was sent to client with HTTP status code 200 by default. In 5.4 and later, Block page is sent to client with a clearer HTTP status code of 403 Forbidden.

 

Upgrade Information

Upgrading to FortiOS 5.4.7

FortiOS version 5.4.7 officially supports upgrading from version 5.4.5 and later, and 5.2.11 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

This only applies if you are upgrading to version 5.6.0. If you are upgrading to version 5.6.1 or later, you don’t need to reconfigure IPsec settings.

If you have configured IPsec in version 5.4.7 and you upgrade to 5.6.0, you must reconfigure all IPsec phase1 psksecret settings after upgrading to 5.6.0 in order to establish an IPsec tunnel.

Cooperative Security Fabric upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later
  • FortiClient EMS 1.0.1 and later
  • FortiAP 5.4.1 and later
  • FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.


FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.7, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS enhanced networking compatibility issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2


FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
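As an added example (not part of the release notes and not a Fortinet tool), the following Python checks a downloaded image against the MD5 string obtained from the portal before the file is uploaded to a unit. The image bytes and their checksum are constructed inline so the script runs offline; with a real download you would pass the .out path and the value from Download > Firmware Image Checksums. MD5 is what the portal publishes, so this is an integrity check against a corrupted or substituted download, not a signature verification.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # stream large .out images 1 MiB at a time


def md5_of_file(path: str) -> str:
    """Hex MD5 of a file, streamed so a multi-hundred-MB image is not read into RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_checksum(text: str) -> str:
    """Accept the checksum as copied from the portal (any case, stray whitespace)
    and reject anything that is not a 32-hex-digit MD5."""
    value = text.strip().lower()
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("expected a 32-hex-digit MD5 checksum, got %r" % text)
    return value


def verify_image(path: str, expected_md5: str) -> bool:
    """True only if the file's MD5 equals the portal value (constant-time compare)."""
    return hmac.compare_digest(md5_of_file(path), normalize_checksum(expected_md5))


# Constructed stand-in for a firmware image: three bytes whose MD5 is well known.
CONSTRUCTED_IMAGE_BYTES = b"abc"
CONSTRUCTED_IMAGE_MD5 = "900150983cd24fb0d6963f7d28e17f72"


def constructed_image_path() -> str:
    """Write the constructed image to a temporary .out file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".out")
    with os.fdopen(fd, "wb") as fh:
        fh.write(CONSTRUCTED_IMAGE_BYTES)
    return path


if __name__ == "__main__":
    image = constructed_image_path()
    try:
        print("checksum match:", verify_image(image, CONSTRUCTED_IMAGE_MD5))  # True
        print("corrupted copy:", verify_image(image, "d41d8cd98f00b204e9800998ecf8427e"))  # False
    finally:
        os.remove(image)
```

Run it before every upgrade upload; a False result means the image must be downloaded again rather than installed.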

Product Integration and Support

FortiOS 5.4.7 support

The following table lists 5.4.7 product integration and support information:

Web Browsers
  • Microsoft Edge 38
  • Mozilla Firefox version 53
  • Google Chrome version 58
  • Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Edge 40
  • Mozilla Firefox version 53
  • Apple Safari version 10 (For Mac OS X)
  • Google Chrome version 58

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager For the latest information, see the FortiManager and FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer For the latest information, see the FortiAnalyzer and FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X
  • 5.4.1 and later

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS
  • 5.4.1 and later
FortiClient Android and FortiClient VPN Android
  • 5.4.0 and later

 


FortiAP
  • 5.4.1 and later
  • 5.2.5 and later

Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to WiFi Controller > Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S
  • 5.4.1 and later
FortiSwitch OS (FortiLink support)
  • 3.5.0 and later
FortiController
  • 5.2.0 and later. Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
  • 5.0.3 and later. Supported model: FCTL-5103B

FortiSandbox
  • 2.1.0 and later
  • 1.4.0 and later
Fortinet Single Sign-On (FSSO)
  • 5.0 build 0264 and later (needed for FSSO agent support of OU in group filters)
    • Windows Server 2016 Server Edition
    • Windows Server 2016 Datacenter
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows Server 2008 R2 64-bit
    • Windows Server 2012 Standard
    • Windows Server 2012 R2 Standard
    • Novell eDirectory 8.8
  • 4.3 build 0164 (contact Support for download)
    • Windows Server 2003 R2 (32-bit and 64-bit)
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows Server 2008 R2 64-bit
    • Windows Server 2012 Standard Edition
    • Windows Server 2012 R2
    • Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6.0 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.


FortiExplorer iOS l 1.0.6 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender
  • 3.0.0
  • 2.0.2 and later
AV Engine
  • 5.247
IPS Engine
  • 3.438
Virtualization Environments
Citrix
  • XenServer version 5.6 Service Pack 2
  • XenServer version 6.0 and later
Linux KVM
  • RHEL 7.1/Ubuntu 12.04 and later
  • CentOS 6.4 (qemu 0.12.1) and later
Microsoft
  • Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source
  • XenServer version 3.4.3
  • XenServer version 4.1 and later
VMware
  • ESX versions 4.0 and 4.1
  • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5
VM Series – SR-IOV The following NIC chipset cards are supported:
  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System: Linux CentOS 6.5 / 7 (32-bit & 64-bit); Linux Ubuntu 16.04
Installer: 2335. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.


SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit); Microsoft Windows 8 / 8.1 (32-bit & 64-bit)
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 53
  • Google Chrome version 58
Microsoft Windows 10 (64-bit)
  • Microsoft Edge
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 53
  • Google Chrome version 58
Linux CentOS 6.5 / 7 (32-bit & 64-bit)
  • Mozilla Firefox version 53
Mac OS 10.11.1
  • Apple Safari version 9
  • Mozilla Firefox version 53
  • Google Chrome version 58
iOS
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome
Android
  • Mozilla Firefox
  • Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

It is recommended to verify the accuracy of the GUID for the software you are using for the SSL VPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.

After verifying GUIDs, you can update GUIDs in FortiOS by using this command: config vpn ssl web host-check-software


Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.

To update GUIDs in FortiOS:

  1. Use the config vpn ssl web host-check-software command to edit the AVG-Internet-Security-AV variable to set the following GUID for AVG Internet Security 2017: 4D41356F-32AD-7C42-C820-63775EE4F413
  2. Edit the AVG-Internet-Security-FW variable to set the following GUID: 757AB44A-78C2-7D1A-E37F-CA42A037B368

 

Resolved Issues

The following issues have been fixed in version 5.4.7. For inquiries about a particular bug, please contact Customer Service & Support.

Common Vulnerabilities and Exposures

Bug ID CVE references
452730 FortiOS 5.4.7 is no longer vulnerable to the following CVE reference: CVE-2017-14186

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.4.7. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
375246 invalid hbdev dmz may be received if the default hbdev is used.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control (fortiheartbeat) is enabled but no AV profile is used.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1 GE SFP transceivers.

FortiRugged-60D


FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375187 Using realtime auto update may increase Chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 In Security Fabric topology, a downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.

 

372943 Explicit proxy policy may show a blank for default authentication method.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375346 You may not be able to download the application control packet capture from the forward traffic log.
375369 May not be able to change IPsec manualkey config in GUI.
375383 The Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
379050 User Definition intermittently not showing assigned token.


IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

439923 IKE static tunnels using set peertype one may fail to negotiate.
Bug ID Description
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.

System


Bug ID Description
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.
445383 Traffic cannot go through LACP static mode interface with NP6 offload enabled.

Upgrade

Bug ID Description
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FG-VM-LENC.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, import problems may arise with the QCOW2 format, in addition to existing HDA issues.

IPv6 IPS

IPv6 IPS signature scanning can be enabled by interface policy. The user can create a normal IPS sensor and assign it to the IPv6 interface policy.

config firewall interface-policy6
    edit 1
        set interface "port1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "ANY"
        set ips-sensor-status enable
        set ips-sensor "all_default"
    next
end

One-Arm IDS

An interface-based policy only defines which IPS functions are applied, and how, to the packets transmitted by the interface. It works regardless of whether the port is used in a forwarding path or as a One-Arm device.

To enable One-Arm IDS, the user should first enable sniffer mode (ips-sniffer-mode) on the interface:

config system interface
    edit port2
        set ips-sniffer-mode enable
    next
end

Once sniff-mode is turned on, both incoming and outgoing packets will be dropped after IPS inspections. The port can be connected to a hub or a switch’s SPAN port. Any packet picked up by the interface will still follow the interface policy so different IPS and DoS anomaly checks can be applied.

DoS Protection

Denial of Service (DoS) policies are primarily used to apply DoS anomaly checks to network traffic based on the FortiGate interface it is entering as well as the source and destination addresses. DoS checks are a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system, so that legitimate users can no longer use it.

DoS policies are similar to firewall policies except that instead of defining the way traffic is allowed to flow, they keep track of certain traffic patterns and attributes and will stop traffic displaying those attributes. Further, DoS policies affect only incoming traffic on a single interface. You can further limit a DoS policy by source address, destination address, and service.

DoS configurations have been changed a couple of times in the past. In FortiOS 4.0, DoS protection is moved to the interface policy, so when it is enabled, it is the first thing checked when a packet enters FortiGate. Because of this early detection, DoS policies are a very efficient defense that uses few resources. Denial of service attacks, for example, are detected and its packets dropped before requiring security policy look-ups, antivirus scans, and other protective but resource-intensive operations.

A DoS policy examines network traffic arriving at an interface for anomalous patterns that usually indicate an attack. This does not mean that all anomalies experienced by the firewall are the result of an intentional attack.

Because an improperly configured DoS anomaly check can interfere with network traffic, no DoS checks are preconfigured on a factory default FortiGate unit. You must create your own before they will take effect. Thresholds for newly created sensors are preset with recommended values that you can adjust to meet the needs of your network.

To create a Denial of Service policy determine if it needs to be an IPv4 or IPv6 policy, then go to:

Policy & Objects > IPv4 DoS Policy for IPv4.

Policy & Objects > IPv6 DoS Policy for IPv6.

The Enable SSH Deep Scan feature is enabled by default when creating a new SSL/SSH Inspection profile. There are situations where this feature can cause issues, so be sure that you would like it enabled before applying it.

Settings used in configuring DoS

Incoming Interface

The interface to which this security policy applies. It will be the interface that the traffic is coming into the firewall on.

Source Address

This will be the address that the traffic is coming from and must be an address listed in the Address section of the Firewall Objects. This can include the predefined “all” address, which covers any address coming in on any interface. Multiple addresses or address groups can be chosen.

Destination Address

This will be the address that the traffic is addressed to. In this case it must be an address that is associated with the firewall itself. For instance, it could be one of the interface addresses of the firewall, a secondary IP address, or the interface address assigned to a Virtual IP address. Just like the Source Address, this address must already be configured before being used in the DoS policy. Multiple addresses, virtual IPs or virtual IP groups can be chosen.

Service

While the Service field allows for the use of the ALL service some administrators prefer to optimize the resources of the firewall and only check on the services that will be answered on an interface. Multiple services or service groups can be chosen.

Anomalies

The anomalies cannot be configured by the user. They are predefined sensors set up for specific patterns of anomalous traffic.

The anomalies that have been predefined for use in the DoS Policies are:

Anomaly Name Description Recommended Threshold
tcp_syn_flood If the SYN packet rate of new TCP connections, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed. 2000 packets per second.
tcp_port_scan If the SYN packet rate of new TCP connections, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed. 1000 packets per second.
tcp_src_session If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
tcp_dst_session If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
udp_flood If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. 2000 packets per second.
udp_scan If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. 2000 packets per second.
udp_src_session If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
udp_dst_session If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
icmp_flood If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. 250 packets per second.
icmp_sweep If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. 100 packets per second.
icmp_src_session If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed. 300 concurrent sessions.
icmp_dst_session If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed. 3000 concurrent sessions.
ip_src_session If the number of concurrent IP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
ip_dst_session If the number of concurrent IP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
sctp_flood If the number of SCTP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. 2000 packets per second.
sctp_scan If the number of SCTP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. 1000 packets per second.
sctp_src_session If the number of concurrent SCTP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
sctp_dst_session If the number of concurrent SCTP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.

Status

The Status field enables the sensor for the associated anomaly. In terms of actions performed there is no difference between disabling a sensor and setting its action to “Pass”, but by disabling sensors that are not being used for blocking or logging you can save firewall resources that can be better used elsewhere.

Logging

Regardless of whether the traffic is blocked or passed through, the anomalous traffic will be logged.

Pass

Allows the anomalous traffic to pass through unimpeded.

Block

For thresholds based on the number of concurrent sessions, blocking the anomaly will not allow more than the number of concurrent sessions set as the threshold.

For rate based thresholds, where the threshold is measured in packets per second, the Action setting “Block” prevents the firewall from being overwhelmed by anomalous traffic in one of two ways. Which of those two ways is used is determined in the CLI:

  • continuous – blocks packets once an anomaly is detected. This overrides individual anomaly settings.
  • periodical – allows matching anomalous traffic up to the rate set by the threshold.

If the period for a particular anomaly is 60 seconds (such as those where the threshold is measured in concurrent sessions), then after the 60 second timer has expired the number of allowed packets that match the anomaly criteria is reset to zero. This means that if you allow 10 sessions through before blocking, after the 60 seconds is up another 10 will be allowed. The attrition of sessions from expiration should keep the allowed sessions from reaching the maximum.

To set the type of block action for the rate based anomaly sensors:

config ips global
    set anomaly-mode continuous|periodical
end

Threshold

The threshold can be either in terms of concurrent session or in packets per second depending on which sensor is being referred to.
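The Block action for rate based sensors, worked through as an added Python model (an illustration, not FortiOS code): a tcp_syn_flood sensor counted per destination against the recommended 2000 packets per second, and a tcp_port_scan sensor counted per source, run over constructed traffic in periodical and continuous mode, with the Pass action shown logging without blocking. The one-second counting window and the continuous-mode behaviour (a key that trips the sensor stays blocked for the rest of the run) are modelling assumptions.

```python
"""Model of a rate-based DoS anomaly sensor in the two block modes
(continuous vs periodical). Added illustration, not FortiOS code: the
traffic, the one-second window and the continuous-mode behaviour
(a tripped key stays blocked for the rest of the run) are assumptions."""
from dataclasses import dataclass, field


@dataclass
class RateAnomalySensor:
    name: str                   # e.g. "tcp_syn_flood" or "tcp_port_scan"
    threshold: int              # packets per second (page's recommended values)
    key: str                    # "dst" for *_flood sensors, "src" for *_scan sensors
    mode: str = "periodical"    # "continuous" | "periodical" (config ips global)
    action: str = "block"       # "block" | "pass"; anomalies are logged either way
    period: float = 1.0         # counting window in seconds (assumption)
    counts: dict = field(default_factory=dict)   # key -> (window start, packets)
    tripped: set = field(default_factory=set)    # keys blocked in continuous mode
    log: list = field(default_factory=list)      # (time, sensor, key) per detection

    def inspect(self, ts: float, src: str, dst: str) -> str:
        """Return "pass" or "block" for one packet seen at time ts."""
        k = src if self.key == "src" else dst
        start, n = self.counts.get(k, (ts, 0))
        if ts - start >= self.period:
            start, n = ts, 0            # new window: allowed count resets to zero
        n += 1
        self.counts[k] = (start, n)
        if self.mode == "continuous" and k in self.tripped:
            return "block"              # continuous: blocked since first detection
        if n > self.threshold:
            if n == self.threshold + 1:
                self.log.append((ts, self.name, k))   # one log entry per window
            if self.action == "pass":
                return "pass"           # Pass: logged but allowed through unimpeded
            if self.mode == "continuous":
                self.tripped.add(k)
            return "block"              # periodical: only the excess over the rate
        return "pass"


def run(sensor: RateAnomalySensor, packets) -> tuple:
    """Feed (ts, src, dst) packets through the sensor; return (passed, blocked)."""
    verdicts = [sensor.inspect(ts, src, dst) for ts, src, dst in packets]
    return verdicts.count("pass"), verdicts.count("block")


def syn_burst(dst: str, rate: int, seconds: int, t0: float = 0.0) -> list:
    """Constructed traffic: `rate` SYNs per second to dst, spread over 50 sources."""
    return [(t0 + s + i / rate, f"10.0.0.{1 + i % 50}", dst)
            for s in range(seconds) for i in range(rate)]


def port_scan(src: str, rate: int, seconds: int, t0: float = 0.0) -> list:
    """Constructed traffic: `rate` SYNs per second from one source to many hosts."""
    return [(t0 + s + i / rate, src, f"192.0.2.{1 + i % 200}")
            for s in range(seconds) for i in range(rate)]


if __name__ == "__main__":
    flood = syn_burst("192.0.2.10", 3000, 3)     # 3000 pps for 3 s against a 2000 pps threshold
    for mode in ("periodical", "continuous"):
        s = RateAnomalySensor("tcp_syn_flood", 2000, "dst", mode=mode)
        print(mode, run(s, flood), "detections:", len(s.log))
    scan = port_scan("198.51.100.7", 1500, 2)     # 1500 pps from one host, threshold 1000
    p = RateAnomalySensor("tcp_port_scan", 1000, "src")
    print("port scan", run(p, scan))
```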

Interface Policies

Interface policies are implemented before the “security” policies and are only flow based. They are configured in the CLI.

This feature allows you to attach a set of IPS policies to the interface instead of the forwarding path, so packets can be delivered to IPS before entering the firewall. This feature is used for the following IPS deployments:

  • One-Arm: by defining interface policies with IPS and DoS anomaly checks and enabling sniff-mode on the interface, the interface can be used for one-arm IDS;
  • IPv6 IPS: IPS inspection can be enabled through interface IPv6 policy. Only IPS signature scan is supported in FortiOS 4.0. IPv6 DoS protection is not supported;
  • Scan traffic that is destined to FortiGate;
  • Scan and log traffic that is silently dropped or flooded by Firewall or Multicast traffic.

IPS sensors can be assigned to an interface policy. Both incoming and outgoing packets are inspected by IPS sensor (signature).

Here is an example of an interface policy:

# show full-configuration
config firewall interface-policy
    edit 1
        set status enable
        set comments 'test interface policy #1'
        set logtraffic utm
        set interface "port9"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set application-list-status disable
        set ips-sensor-status disable
        set dsri disable
        set av-profile-status enable
        set av-profile "default"
        set webfilter-profile-status disable
        set spamfilter-profile-status disable
        set dlp-sensor-status disable
        set scan-botnet-connections disable
    next
end

VPN Policies

At one point, if you wanted to have secure digital communications between 2 points a private network would be created. This network would only allow the people that were intended to get the communications on it. This is very straightforward if the 2 points are in the same room or even in the same building. It can all be done physically. If you are supposed to be on the secure network

VPNs are an answer to one of today’s biggest concerns: how to make digital communications secure between two points that must communicate over the Internet, which anybody can have access to.

There are two types of VPNs supported by FortiOS, SSL and IPsec. They are differentiated by the security protocol suites that are used to secure the traffic. These are both described in more detail in the VPN section, but the IPsec VPN can be configured as an Action with a firewall policy.

IPsec Policies

IPsec policies allow IPsec VPN traffic access to the internal network from a remote location. These policies include authentication information that authenticates users and user group or groups. These policies specify the following:

  • the FortiGate firewall interface that provides the physical connection to the remote VPN gateway, usually an interface connected to the Internet
  • the FortiGate firewall interface that connects to the private network
  • IP addresses associated with data that has to be encrypted and decrypted
  • optional: a schedule that restricts when the VPN can operate, and services (or types of data) that can be sent.

For a route-based (interface mode) VPN, you do not configure an IPsec security policy. Instead, you configure two regular ACCEPT security policies, one for each direction of communication, with the IPsec virtual interface as the source or destination interface, as appropriate.

DSRI

The Disable Server Response Inspection (DSRI) option is available for configuration in the CLI. It is used to assist performance when only URL filtering is being used, by allowing the system to ignore the HTTP server responses. The setting is disabled by default.

CLI syntax for changing the status of the DSRI setting

In IPv4 or IPv6 firewall policies:

config firewall policy|policy6
    edit 0
        set dsri enable|disable
end

In IPv4 or IPv6 interface policies:

config firewall interface-policy|interface-policy6
    edit 0
        set dsri enable|disable
end

When using the sniffer:

config firewall sniffer
    edit 0
        set dsri enable|disable
end

Protocol Types

One of the fundamental aspects of a service is the type of protocol that is used to define it. When a service is defined, one of the following categories of protocol needs to be determined:

  • TCP/UDP/SCTP
  • ICMP
  • ICMPv6
  • IP

Depending on which of these protocol categories is chosen, another set of specifications can also be defined.

Protocol Type Related specifications
TCP/UDP/SCTP This is the most commonly used service protocol category. Once this category has been selected, the other available options to choose are an address, either IP or FQDN, and the protocol and port number. The protocol will be TCP, UDP or SCTP.
ICMP or ICMP6 When ICMP or ICMP6 is chosen, the available options are the ICMP Type and its code.
IP When IP is the chosen protocol type, the additional option is the Protocol Number.

TCP/UDP/SCTP

TCP

Transmission Control Protocol (TCP) is one of the core or fundamental protocols of the Internet. It is part of the Transport Layer of the OSI Model. It is designed to provide reliable delivery of data from a program on one device on the network or Internet to another program on another device on the network or Internet. TCP achieves its reliability because it is a connection based protocol. TCP is stream-oriented. It transports streams of data reliably and in order.

TCP establishes a prior connection link between the hosts before sending data. This is often referred to as the handshake. Once the link is established, the protocol uses checks to verify the data transmitted. If an error check fails, the data is retransmitted. This makes sure that the data is getting to the destination error free and in the correct order, so that it can be put back together into a form that is identical to the way it was sent.

TCP is configured more for reliability than for speed and because of this TCP will likely be slower than a connectionless protocol such as UDP. This is why TCP is generally not used for real time applications such as voice communication or online gaming. Some of the applications that use TCP are:

  • World Wide Web (HTTP and HTTPS)
  • Email (SMTP, POP3, IMAP4)
  • Remote administration (RDP)
  • File transfer (FTP)

UDP

User Datagram Protocol (UDP) like TCP is one of the core protocols of the Internet and part of the Transport Layer of the OSI Model. UDP is designed more for speed than reliability and is generally used for different applications than TCP. UDP sends messages, referred to as datagrams across the network or Internet to other hosts without establishing a prior communication link. In other words, there is no handshake.

UDP is an unreliable service as the datagrams can arrive out of order, duplicated or go missing without any mechanism to verify them. UDP works on the assumption that any error checking is done by the application or is not necessary for the function of the application. This way it avoids the overhead that is required to verify the integrity of the data.

This lack of overhead improves the speed of the data transfer and is why UDP is often used by applications that are time sensitive in nature. UDP’s stateless nature is also great for applications that answer a large number of small queries from a large number of clients.

Common uses for UDP are:

  • Domain Name Resolution (DNS)
  • Time (NTP)
  • Streaming media (RTSP, RTP and RTCP)
  • Telephony over the Internet (VoIP)
  • File Transfer (TFTP)
  • Logging (SNMP)
  • Online games (GTP and OGP)

SCTP

Stream Control Transmission Protocol (SCTP) is part of the Transport Layer of the OSI Model just like TCP and UDP and provides some of the features of both of those protocols. It is message or datagram orientated like UDP but it also ensures reliable sequential transport of data with congestion control like TCP.

SCTP provides the following services:

  • Acknowledged error-free non-duplicated transfer of user data
  • Data fragmentation to conform to discovered path MTU size
  • Sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages
  • Optional bundling of multiple user messages into a single SCTP packet
  • Network-level fault tolerance through supporting of multi-homing at either or both ends of an association
  • Congestion avoidance behavior and resistance to flooding and masquerade attacks

SCTP uses multi-streaming to transport its messages which means that there can be several independent streams of messages traveling in parallel between the points of the transmission. The data is sent out in larger chunks of data than is used by TCP just like UDP but the messages include a sequence number within each message in the same way that TCP does so that the data can be reassembled at the other end of the transmission in the correct sequence without the data having to arrive in the correct sequence.

SCTP is effective as the transport protocol for applications that require monitoring and session-loss detection. For such applications, the SCTP path and session failure detection mechanisms actively monitor the connectivity of the session. SCTP differs from TCP in having multi-homing capabilities at either or both ends and several streams within a connection, typically referred to as an association. A TCP stream represents a sequence of bytes; an SCTP stream represents a sequence of messages.

Some common applications of SCTP include supporting transmission of the following protocols over IP networks:

  • SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells)
  • SS7 over IP (for example, for 3G mobile networks)
  • SCTP is also defined and used for SIP over SCTP and H.248 over SCTP
  • Transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks.

SCTP is a much newer protocol. It was defined by the IETF Signaling Transport (SIGTRAN) working group in 2000. It was introduced by RFC 3286 and more fully defined by RFC 4960.

The FortiGate firewall can apply security policies to SCTP sessions in the same way as TCP and UDP sessions. You can create security policies that accept or deny SCTP traffic by setting the service to “ALL”. FortiOS does not include pre-defined SCTP services. To configure security policies for traffic with specific SCTP source or destination ports you must create custom firewall services for SCTP.

FortiGate units route SCTP traffic in the same way as TCP and UDP traffic. You can configure policy routes specifically for routing SCTP traffic by setting the protocol number to 132. SCTP policy routes can route SCTP traffic according to the destination port of the traffic if you add a port range to the policy route.

You can configure a FortiGate unit to perform stateful inspection of different types of SCTP traffic by creating custom SCTP services and defining the port numbers or port ranges used by those services. FortiGate units support SCTP over IPv4. The FortiGate unit performs the following checks on SCTP packets:

  • Source and Destination Port and Verification Tag
  • Chunk Type, Chunk Flags and Chunk Length
  • Verify that association exists
  • Sequence of Chunk Types (INIT, INIT ACK, etc.)
  • Timer checking
  • Four way handshake checking
  • Heartbeat mechanism
  • Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
  • Protection against association hijacking

FortiOS also supports SCTP sessions over IPsec VPN tunnels, as well as full traffic and event logging for SCTP sessions.

Protocol Port Values

The source and destination ports for TCP/UDP/SCTP services are important to get correct. If they are reversed the service will not work. The destination port(s) are the ones that refer to the ports that the computer will be listening on. These are the port numbers that most people are familiar with when they associate a port number with a protocol. In most cases the source port will be one that is randomly assigned by the computer and is not already being used by another service.

Most people associate HTTP with port 80. This means that a web server will be listening on port 80 for any HTTP requests being sent to the computer. The computer that is sending the request can use any port that is not already assigned to another service or communication session. There are 65,535 ports that it can randomly assign, but because the ports from 1 to 1024 are normally used for listening for incoming communications it is usually not in that range. Unless there is a specific instance when you know that a communication will be coming from a predefined source port, it is best practice to set the source port range from 1 to 65,535.

ICMP

The Internet Control Message Protocol (ICMP) is a protocol layered onto the Internet Protocol Suite to provide error reporting, flow control and first-hop gateway redirection. It is normally used by the operating systems of networked computers to send connectivity status query, response and error messages. It is assigned protocol number 1. There is a separate version of the protocol for IPv4 and for IPv6. It is not designed to be absolutely reliable like TCP.

ICMP is not typically used for transporting data or for end-user network applications with the exception of some diagnostic utilities such as ping and traceroute.

ICMP messages are sent in several situations, for example:

  • when a datagram cannot reach its destination
  • time exceeded messages
  • redirect messages
  • when the gateway does not have the buffering capacity to forward a datagram
  • when the gateway can direct the host to send traffic on a shorter route.

Some of the specific ICMP message types are:

  • ICMP_ECHO
  • ICMP_TIMESTAMP
  • ICMP_INFO_REQUEST
  • ICMP_ADDRESS

For ICMP error messages, only those reporting an error for an existing session can pass through the firewall. The security policy will allow traffic to be routed, forwarded or denied. If allowed, the ICMP packets will start a new session. Only ICMP error messages for which a corresponding security policy is available will be sent back to the source. Otherwise, the packet is dropped. That is, only ICMP packets for a corresponding security policy can traverse the FortiGate unit.

ICMP Types and Codes

ICMP has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different types of ICMP Types with their associated codes if there are any.

ICMP Types and Codes

Type Number Type Name Optional Code(s)
0 Echo Reply
1 Unassigned
2 Unassigned
3 Destination Unreachable
    0 Net Unreachable
    1 Host Unreachable
    2 Protocol Unreachable
    3 Port Unreachable
    4 Fragmentation Needed and Don’t Fragment was Set
    5 Source Route Failed
    6 Destination Network Unknown
    7 Destination Host Unknown
    8 Source Host Isolated
    9 Communication with Destination Network is Administratively Prohibited
    10 Communication with Destination Host is Administratively Prohibited
    11 Destination Network Unreachable for Type of Service
    12 Destination Host Unreachable for Type of Service
    13 Communication Administratively Prohibited
    14 Host Precedence Violation
    15 Precedence cutoff in effect
4 Source Quench
5 Redirect
    0 Redirect Datagram for the Network (or subnet)
    1 Redirect Datagram for the Host
    2 Redirect Datagram for the Type of Service and Network
    3 Redirect Datagram for the Type of Service and Host
6 Alternate Host Address
7 Unassigned
8 Echo
9 Router Advertisement
10 Router Selection
11 Time Exceeded
    0 Time to Live exceeded in Transit
    1 Fragment Reassembly Time Exceeded
12 Parameter Problem
    0 Pointer indicates the error
    1 Missing a Required Option
    2 Bad Length
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
19 Reserved (for Security)
20 – 29 Reserved (for Robustness Experiment)
30 Traceroute
31 Datagram Conversion Error
32 Mobile Host Redirect
33 IPv6 Where-Are-You
34 IPv6 I-Am-Here
35 Mobile Registration
36 Mobile Registration Reply
37 Domain Name Request
38 Domain Name Reply
39 SKIP
40 Photuris
41 – 255 Reserved

log-invalid-packet

The log-invalid-packet CLI setting is one that is intended to log invalid ICMP packets. The exact definition being:

If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B)|TCP (C,D) header, then if FortiOS can locate the A:C -> B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped.

When this field is enabled, the FortiGate also logs messages that are not ICMP error packets.

Types of logs covered by log-invalid-packet:

  • Invalid ICMP
    • If ICMP error message verification (see “check-reset-range”) is enabled
  • Invalid DNS packets
    • DNS packets that contain requests for non-existing domains
  • iprope check failed
  • reverse path check fail
  • denied and broadcast traffic
  • no session matched

Some other examples of messages that are not errors that will be logged, based on RFC 792:

Type 3 messages correspond to “Destination Unreachable Message”:
  • Type 3, Code 1 = host unreachable
  • Type 3, Code 3 = port unreachable

Type 11 messages correspond to “Time Exceeded Message”:
  • Type 11, Code 0 = time to live exceeded in transit

ICMPv6

Internet Control Message Protocol version 6 (ICMPv6) is the new implementation of the Internet Control Message Protocol (ICMP) that is part of Internet Protocol version 6 (IPv6). The ICMPv6 protocol is defined in RFC 4443.

ICMPv6 is a multipurpose protocol. It performs such things as:

  • error reporting in packet processing
  • diagnostic functions
  • Neighbor Discovery process
  • IPv6 multicast membership reporting

It is also designed as a framework that uses extensions for use with future implementations and changes.

Examples of extensions that have already been written for ICMPv6:

  • Neighbor Discovery Protocol (NDP) – a node discovery protocol in IPv6 which replaces and enhances functions of ARP.
  • Secure Neighbor Discovery Protocol (SEND) – an extension of NDP with extra security.
  • Multicast Router Discovery (MRD) – allows discovery of multicast routers.

ICMPv6 messages use IPv6 packets for transportation and can include IPv6 extension headers. ICMPv6 includes some of the functionality that in IPv4 was distributed among protocols such as ICMPv4, ARP (Address Resolution Protocol), and IGMP (Internet Group Membership Protocol version 3).

ICMPv6 has simplified the communication process by eliminating obsolete messages.

ICMPv6 messages are subdivided into two classes: error messages and information messages.

Error Messages are divided into four categories:

  1. Destination Unreachable
  2. Time Exceeded
  3. Packet Too Big
  4. Parameter Problems

Information messages are divided into three groups:

  1. Diagnostic messages
  2. Neighbor Discovery messages
  3. Messages for the management of multicast groups.

ICMPv6 Types and Codes

ICMPv6 has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different ICMPv6 Types with their associated codes if there are any.

Type codes 0 − 127 are error messages and type codes 128 − 255 are for information messages.

ICMPv6 Types and Codes

Type Number Type Name Code
0 Reserved
1 Destination Unreachable
    0 – no route to destination
    1 – communication with destination administratively prohibited
    2 – beyond scope of source address
    3 – address unreachable
    4 – port unreachable
    5 – source address failed ingress/egress policy
    6 – reject route to destination
    7 – Error in Source Routing Header
2 Packet Too Big
3 Time Exceeded
    0 – hop limit exceeded in transit
    1 – fragment reassembly time exceeded
4 Parameter Problem
    0 – erroneous header field encountered
    1 – unrecognized Next Header type encountered
    2 – unrecognized IPv6 option encountered
100 Private Experimentation
101 Private Experimentation
102 – 126 Unassigned
127 Reserved for expansion of ICMPv6 error messages
128 Echo Request
129 Echo Reply
130 Multicast Listener Query
131 Multicast Listener Report
132 Multicast Listener Done
133 Router Solicitation
134 Router Advertisement
135 Neighbor Solicitation
136 Neighbor Advertisement
137 Redirect Message
138 Router Renumbering
    0 – Router Renumbering Command
    1 – Router Renumbering Result
    255 – Sequence Number Reset
139 ICMP Node Information Query
    0 – The Data field contains an IPv6 address which is the Subject of this Query.
    1 – The Data field contains a name which is the Subject of this Query, or is empty, as in the case of a NOOP.
    2 – The Data field contains an IPv4 address which is the Subject of this Query.
140 ICMP Node Information Response
    0 – A successful reply. The Reply Data field may or may not be empty.
    1 – The Responder refuses to supply the answer. The Reply Data field will be empty.
    2 – The Qtype of the Query is unknown to the Responder. The Reply Data field will be empty.
141 Inverse Neighbor Discovery Solicitation Message
142 Inverse Neighbor Discovery Advertisement Message
143 Version 2 Multicast Listener Report
144 Home Agent Address Discovery Request Message
145 Home Agent Address Discovery Reply Message
146 Mobile Prefix Solicitation
147 Mobile Prefix Advertisement
148 Certification Path Solicitation Message
149 Certification Path Advertisement Message
150 ICMP messages utilized by experimental mobility protocols such as Seamoby
151 Multicast Router Advertisement
152 Multicast Router Solicitation
153 Multicast Router Termination
154 FMIPv6 Messages
155 RPL Control Message
156 ILNPv6 Locator Update Message
157 Duplicate Address Request
158 Duplicate Address Confirmation
159 – 199 Unassigned
200 Private experimentation
201 Private experimentation
255 Reserved for expansion of ICMPv6 informational messages

IP

Internet Protocol (IP) is the primary part of the Network Layer of the OSI Model that is responsible for routing traffic across network boundaries. It is the protocol that is responsible for addressing. IPv4 is probably the version that most people are familiar with; it has been around since 1974. IPv6 is its successor, and because the supply of available IPv4 addresses has not kept pace with the explosive increase in the number of devices that use IP addresses, IPv6 is rapidly increasing in use.

When IP is chosen as the protocol type, the available option to further specify the protocol is the protocol number.

This narrows the match down to one protocol within the Internet Protocol Suite and provides more granular control.

Protocol Number

IP is responsible for more than the addressing it is most commonly associated with; a number of associated protocols make up the Network Layer. While there are not 256 of them, the field that identifies them is a numeric value between 0 and 256.

In Internet Protocol version 4 (IPv4) [RFC791] there is a field called “Protocol” that identifies the next level protocol. This is an 8-bit field. In Internet Protocol version 6 (IPv6) [RFC2460], this field is called the “Next Header” field.
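To make the Protocol versus Next Header distinction concrete, the following is an added example (not Fortinet's code) that reads the protocol number out of a raw IPv4 or IPv6 packet. For IPv6 it follows the extension-header chain (HOPOPT 0, IPv6-Route 43, IPv6-Frag 44, IPv6-Opts 60 from the Protocol Numbers table that follows) until it reaches the upper-layer protocol, which is the value a protocol-number service actually has to match; the sample packets are constructed for illustration.

```python
from typing import Optional

# IPv6 extension headers that sit between the fixed header and the upper-layer
# protocol; the numbers are the ones listed in the Protocol Numbers table.
EXT_HEADERS = {0, 43, 44, 60}   # HOPOPT, IPv6-Route, IPv6-Frag, IPv6-Opts
FRAG_HEADER = 44                # IPv6-Frag is fixed at 8 bytes, no length field


def upper_layer_protocol(pkt: bytes) -> Optional[int]:
    """Protocol number a 'protocol number' service would match for this packet.

    IPv4: the 8-bit Protocol field at byte 9 of the header.
    IPv6: the Next Header field at byte 6, followed through any chain of
    extension headers until a non-extension number (TCP 6, UDP 17, ...) appears.
    Returns None for a truncated or unrecognised packet.
    """
    if not pkt:
        return None
    version = pkt[0] >> 4
    if version == 4:
        return pkt[9] if len(pkt) >= 20 else None
    if version != 6 or len(pkt) < 40:
        return None
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS:
        if len(pkt) < off + 2:
            return None            # chain claims a header the packet lacks
        # Every extension header starts with Next Header, then Hdr Ext Len
        # (in 8-byte units, not counting the first 8 bytes); Frag is fixed.
        hlen = 8 if nxt == FRAG_HEADER else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hlen
    return nxt                     # e.g. 50 (ESP): nothing beyond it is visible


# Constructed sample packets (headers only, no valid checksums or addresses).
IPV4_TCP = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6]) + bytes(10)
IPV6_HOP_FRAG_UDP = (
    bytes([0x60, 0, 0, 0, 0, 16, 0, 64]) + bytes(32)   # Next Header = 0 (HOPOPT)
    + bytes([44, 0]) + bytes(6)                         # HOPOPT -> IPv6-Frag
    + bytes([17, 0]) + bytes(6)                         # IPv6-Frag -> UDP
)
IPV6_TRUNCATED = bytes([0x60, 0, 0, 0, 0, 0, 43, 64]) + bytes(32)  # says Route, has none

if __name__ == "__main__":
    for name, p in [("IPv4/TCP", IPV4_TCP), ("IPv6/HOP/Frag/UDP", IPV6_HOP_FRAG_UDP),
                    ("IPv6 truncated", IPV6_TRUNCATED)]:
        print(f"{name}: protocol number {upper_layer_protocol(p)}")
```

A packet whose Next Header is ESP (50) or AH (51) stops there, so a policy matching a protocol number inside an IPsec tunnel has to be applied to the decrypted traffic, not to the outer packet.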

Protocol Numbers

#     Protocol          Protocol’s Full Name
0     HOPOPT            IPv6 Hop-by-Hop Option
1     ICMP              Internet Control Message Protocol
2     IGMP              Internet Group Management
3     GGP               Gateway-to-Gateway
4     IPv4              IPv4 encapsulation Protocol
5     ST                Stream
6     TCP               Transmission Control Protocol
7     CBT               CBT
8     EGP               Exterior Gateway Protocol
9     IGP               Any private interior gateway (used by Cisco for their IGRP)
10    BBN-RCC-MON       BBN RCC Monitoring
11    NVP-II            Network Voice Protocol
12    PUP               PUP
13    ARGUS             ARGUS
14    EMCON             EMCON
15    XNET              Cross Net Debugger
16    CHAOS             Chaos
17    UDP               User Datagram Protocol
18    MUX               Multiplexing
19    DCN-MEAS          DCN Measurement Subsystems
20    HMP               Host Monitoring
21    PRM               Packet Radio Measurement
22    XNS-IDP           XEROX NS IDP
23    TRUNK-1           Trunk-1
24    TRUNK-2           Trunk-2
25    LEAF-1            Leaf-1
26    LEAF-2            Leaf-2
27    RDP               Reliable Data Protocol
28    IRTP              Internet Reliable Transaction
29    ISO-TP4           ISO Transport Protocol Class 4
30    NETBLT            Bulk Data Transfer Protocol
31    MFE-NSP           MFE Network Services Protocol
32    MERIT-INP         MERIT Internodal Protocol
33    DCCP              Datagram Congestion Control Protocol
34    3PC               Third Party Connect Protocol
35    IDPR              Inter-Domain Policy Routing Protocol
36    XTP               XTP
37    DDP               Datagram Delivery Protocol
38    IDPR-CMTP         IDPR Control Message Transport Proto
39    TP++              TP++ Transport Protocol
40    IL                IL Transport Protocol
41    IPv6              IPv6 encapsulation
42    SDRP              Source Demand Routing Protocol
43    IPv6-Route        Routing Header for IPv6
44    IPv6-Frag         Fragment Header for IPv6
45    IDRP              Inter-Domain Routing Protocol
46    RSVP              Reservation Protocol
47    GRE               General Routing Encapsulation
48    DSR               Dynamic Source Routing Protocol
49    BNA               BNA
50    ESP               Encap Security Payload
51    AH                Authentication Header
52    I-NLSP            Integrated Net Layer Security TUBA
53    SWIPE             IP with Encryption
54    NARP              NBMA Address Resolution Protocol
55    MOBILE            IP Mobility
56    TLSP              Transport Layer Security Protocol using Kryptonet key management
57    SKIP              SKIP
58    IPv6-ICMP         ICMP for IPv6
59    IPv6-NoNxt        No Next Header for IPv6
60    IPv6-Opts         Destination Options for IPv6
61                      any host internal protocol
62    CFTP              CFTP
63                      any local network
64    SAT-EXPAK         SATNET and Backroom EXPAK
65    KRYPTOLAN         Kryptolan
66    RVD               MIT Remote Virtual Disk Protocol
67    IPPC              Internet Pluribus Packet Core
68                      any distributed file system
69    SAT-MON           SATNET Monitoring
70    VISA              VISA Protocol
71    IPCV              Internet Packet Core Utility
72    CPNX              Computer Protocol Network Executive
73    CPHB              Computer Protocol Heart Beat
74    WSN               Wang Span Network
75    PVP               Packet Video Protocol
76    BR-SAT-MON        Backroom SATNET Monitoring
77    SUN-ND            SUN ND PROTOCOL-Temporary
78    WB-MON            WIDEBAND Monitoring
79    WB-EXPAK          WIDEBAND EXPAK
80    ISO-IP            ISO Internet Protocol
81    VMTP              VMTP
82    SECURE-VMTP       SECURE-VMTP
83    VINES             VINES
84    TTP               TTP
84    IPTM              Internet Protocol Traffic Manager
85    NSFNET-IGP        NSFNET-IGP
86    DGP               Dissimilar Gateway Protocol
87    TCF               TCF
88    EIGRP             EIGRP
89    OSPFIGP           OSPFIGP
90    Sprite-RPC        Sprite RPC Protocol
91    LARP              Locus Address Resolution Protocol
92    MTP               Multicast Transport Protocol
93    AX.25             AX.25 Frames
94    IPIP              IP-within-IP Encapsulation Protocol
95    MICP              Mobile Internetworking Control Pro.
96    SCC-SP            Semaphore Communications Sec. Pro.
97    ETHERIP           Ethernet-within-IP Encapsulation
98    ENCAP             Encapsulation Header
99                      any private encryption scheme
100   GMTP              GMTP
101   IFMP              Ipsilon Flow Management Protocol
102   PNNI              PNNI over IP
103   PIM               Protocol Independent Multicast
104   ARIS              ARIS
105   SCPS              SCPS
106   QNX               QNX
107   A/N               Active Networks
108   IPComp            IP Payload Compression Protocol
109   SNP               Sitara Networks Protocol
110   Compaq-Peer       Compaq Peer Protocol
111   IPX-in-IP         IPX in IP
112   VRRP              Virtual Router Redundancy Protocol
113   PGM               PGM Reliable Transport Protocol
114                     any 0-hop protocol
115   L2TP              Layer Two Tunneling Protocol
116   DDX               D-II Data Exchange (DDX)
117   IATP              Interactive Agent Transfer Protocol
118   STP               Schedule Transfer Protocol
119   SRP               SpectraLink Radio Protocol
120   UTI               UTI
121   SMP               Simple Message Protocol
122   SM                SM
123   PTP               Performance Transparency Protocol
124   ISIS over IPv4
125   FIRE
126   CRTP              Combat Radio Transport Protocol
127   CRUDP             Combat Radio User Datagram
128   SSCOPMCE
129   IPLT
130   SPS               Secure Packet Shield
131   PIPE              Private IP Encapsulation within IP
132   SCTP              Stream Control Transmission Protocol
133   FC                Fibre Channel
134   RSVP-E2E-IGNORE
135   Mobility Header
136   UDPLite
137   MPLS-in-IP
138   manet
139   HIP
140   Shim6
141   WESP
142   ROHC
143 – 252               Unassigned
253                     Use for experimentation and testing
254                     Use for experimentation and testing
255                     Reserved

Further information can be found by researching RFC 5237.

VPN Policies
