
FortiGate® Multi-Threat Security System

Release Notes
v4.0 MR1
Patch Release 6

01-416-84420-20100720
Release Notes FortiOS v4.0 MR1 - Patch Release 6

Table of Contents
1 FortiOS v4.0 MR1 - Patch Release 6
2 Special Notices
    2.1 General
    2.2 FWF-80CM and FWF-81CM Hardware
    2.3 Fortinet SSL-VPN App Support
    2.4 FGT-1240B Management Port
3 Upgrade Information
    3.1 Upgrading from FortiOS v3.00 MR6/MR7
    3.2 Upgrading from FortiOS v4.0
4 Downgrading to FortiOS v3.00
5 Fortinet Product Integration and Support
    5.1 Fortinet Server Authentication Extension (FSAE) Support
    5.2 SSL-VPN Support
        5.2.1 SSL-VPN Standalone Client
    5.3 Web Browser Support for SSL-VPN
6 Known Issues in FortiOS v4.0 MR1 - Patch Release 6
    6.1 High Availability
7 Resolved Issues in FortiOS v4.0 MR1 - Patch Release 6
    7.1 System
    7.2 IPS
8 Image Checksums
9 Appendix A – P2P Clients and Supported Configurations

i July 20, 2010



Change Log

Date Change Description

2010-06-30 Initial Release.

2010-07-20 Added bug 119233 to the Known Issues section.

© Copyright 2010 Fortinet Inc. All rights reserved.


Release Notes FortiOS™ v4.0 MR1 - Patch Release 6.

Trademarks
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com


1 FortiOS v4.0 MR1 - Patch Release 6


This document provides installation instructions and addresses issues and caveats in the FortiOS™ v4.0 MR1 B0205 - Patch Release 6
release. The following table outlines the release status for several models.

Model / FortiOS v4.0 MR1 - Patch Release 6 Release Status

Model: FWF-80CM, FWF-81CM
Release status: The officially released images for these models are based on FortiOS v4.0 MR1 - Patch Release 6 –
fg_4-1_80cm_rework/build_tag_6352 and are located in the same directory as the models supported on the
regular FortiOS v4.0 MR1 branch.
The build number for these images in the System > Status page and in the output from the "get system
status" CLI command displays 6352. To confirm that you are running the proper build, check the
"Branch point:" field in the output from the "get system status" CLI command. This should read 205.

Model: FGT-200B, FGT-200B-POE
Release status: The officially released image for this model is based on FortiOS v4.0 MR1 - Patch Release 6 –
fg_4-1_200b/build_tag_5275 and is located in the same directory as the models supported on the regular
FortiOS v4.0 MR1 branch.
The build number for this image in the System > Status page and in the output from the "get system status"
CLI command displays 5275. To confirm that you are running the proper build, check the "Branch point:"
field in the output from the "get system status" CLI command. This should read 205.

Model: FGV-80C, FWV-80CS
Release status: The officially released image for this model is based on FortiOS v4.0 MR1 - Patch Release 6 –
fg_4-1_voice_80c/build_tag_5274 and is located in the same directory as the models supported on the
regular FortiOS v4.0 MR1 branch.
The build number for this image in the System > Status page and in the output from the "get system status"
CLI command displays 5274. To confirm that you are running the proper build, check the "Branch point:"
field in the output from the "get system status" CLI command. This should read 205.

Model: FGT-30B, FWF-30B, FGT-50B, FWF-50B, FGT-51B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FGT-82C,
FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC,
FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1240B,
FGT-3600, FGT-3600A, FGT-3810A, FGT-3016B, FGT-5001A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2.
Release status: All models are supported on the regular v4.0 MR1 - Patch Release 6 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR1 release.


2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to
be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 7.0/8.0 and FireFox 3.0x are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper
display of the Web UI screens.
• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently
available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible
after upgrading. Consult the FortiGate User Guide for detailed procedures.

2.2 FWF-80CM and FWF-81CM Hardware


There are two revisions of hardware for the FWF-80CM and FWF-81CM. Revisions that have a hardware ID like that shown below
support the Rogue Access Point Detection feature that previous models do not. The hardware ID is visible on the bottom of the
FortiWiFi chassis.

Model       Hardware ID (HWID)           System Part #
FWF-80CM    C4BD62-04AA-0000 or later    P05405-04-01 or later
FWF-81CM    C4BW33-02AA-0000 or later    P06075-02-01 or later

2.3 Fortinet SSL-VPN App Support


Fortinet has developed and released an Apple iPhone and iPod Touch application for SSL-VPN access. Search for "Fortinet" in
Apple's App Store to download the application.

2.4 FGT-1240B Management Port


Port39 and Port40 on the FortiGate-1240B have been added as management ports. Administrators can now use Port1, Port2, Port39 or
Port40 as the management interface.


3 Upgrade Information

3.1 Upgrading from FortiOS v3.00 MR6/MR7


FortiOS v4.0 MR1 - Patch Release 6 officially supports upgrade from the most recent Patch Release in MR6 or MR7. See the upgrade
path below. The arrows indicate "upgrade to".

[MR6]
The upgrade is supported from FortiOS v3.00 B0678 Patch Release 6 or later.

MR6 B0678 Patch Release 6 (or later)
        ↓
v4.0 MR1 - Patch Release 6 B0205 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[MR7]
The upgrade is supported from FortiOS v3.00 B0753 Patch Release 9 or later.

MR7 B0753 Patch Release 9 (or later)
        ↓
v4.0 MR1 - Patch Release 6 B0205 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.
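
The post-upgrade check (build number plus the "Branch point:" field described in section 1) can be scripted against saved CLI output. The following is an added example, not Fortinet tooling; the sample output is constructed, and the layout of its Version line and the branch point of 205 for regular-branch models are assumptions.

```python
import re

# (build number, branch point) per image family, from the release-status table.
SPECIAL_BUILDS = {
    "FWF-80CM": (6352, 205), "FWF-81CM": (6352, 205),
    "FGT-200B": (5275, 205), "FGT-200B-POE": (5275, 205),
    "FGV-80C": (5274, 205), "FWV-80CS": (5274, 205),
}
# Models on the regular branch run B0205; a branch point of 205 is assumed here.
REGULAR_BUILD = (205, 205)

# Constructed sample of "get system status" output. The Version line layout is
# an assumption; only the "Branch point:" field is named in the release notes.
SAMPLE_STATUS = """\
Version: FortiWiFi-80CM v4.0,build6352,100630 (MR1 Patch 6)
Hostname: fw-branch-01
Branch point: 205
"""


def check_status(model, status_text):
    """Return a list of mismatches between the CLI output and the expected image."""
    want_build, want_branch = SPECIAL_BUILDS.get(model.upper(), REGULAR_BUILD)
    problems = []
    build = re.search(r"\bbuild\s*(\d+)", status_text, re.IGNORECASE)
    branch = re.search(r"^\s*Branch point:\s*(\d+)", status_text, re.MULTILINE)
    if build is None:
        problems.append("build number not found in output")
    elif int(build.group(1)) != want_build:
        problems.append(f"build {int(build.group(1))}, expected {want_build}")
    if branch is None:
        problems.append("Branch point field not found in output")
    elif int(branch.group(1)) != want_branch:
        problems.append(f"branch point {int(branch.group(1))}, expected {want_branch}")
    return problems


if __name__ == "__main__":
    issues = check_status("FWF-80CM", SAMPLE_STATUS)
    print("\n".join(issues) if issues else "image matches the release notes")
```

On the special-build models the build number alone (6352, 5275, 5274) does not show which release the image derives from, which is why the branch point is checked as well.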

[Log Settings Changes]


In FortiOS v4, the option to configure a rule under 'config log trafficfilter' has been removed; any related
configuration is therefore lost upon upgrading from FortiOS MR6 to FortiOS v4.0 MR1 - Patch Release 6.

[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v4 to match the port names on the face plate. After upgrading
from FortiOS v3.0 MR6 to FortiOS v4.0 MR1 - Patch Release 6, all port names in the FortiGate configuration are changed as per the
following port mapping.

Old port names before upgrading    New port names after upgrading

port1                              mgmt1
port2                              mgmt2
port3                              port1
port4                              port2
port5                              port3
port6                              port4
port7                              port5
port8                              port6
port9                              port7
port10                             port8
port11                             port9
port12                             port10
port13                             port11
port14                             port12
port15                             port13
port16                             port14
port17                             port15
port18                             port16

Note: After the release of FortiOS v3.00 MR6 firmware, a new revision of the FGT-3016B included a name change to two ports on
the left side of the faceplate. Previously, they were labeled 1 and 2. Now they are called MGMT 1 and MGMT 2. However, the BIOS
still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.

[System Settings]
In FortiOS v4.0.0, the p2p-rate-limit setting under 'config system settings' has been removed; any
related configuration is therefore lost upon upgrading from FortiOS MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 6.

[Router Access-list]
All configuration under 'config router access-list' may be lost after upgrading from FortiOS v3.0.0 MR6/MR7 to
FortiOS v4.0 MR1 - Patch Release 6.

[Identity Based Policy]


Firewall policy authentication has been reworked in FortiOS v4. Any firewall policy that requires authentication is now known as an
Identity Based Policy. Previously, a separate authentication firewall policy had to be created for different schedules, services, and
traffic shaping settings but in FortiOS v4 all firewall authentication settings are configured in the Identity Based Policy section of a
firewall policy. If no traffic matches any of the Identity Based Policies, the traffic is subjected to an implicit DENY ALL. For
example:

In FortiOS v3.00 MR6/MR7

config firewall policy
    edit 1
        set action accept
        set groups grp1 grp2
        set service HTTP
        ...
    next
    edit 2
        set action accept
        set service TELNET
    next
    ...
end

After upgrading to FortiOS v4.0 MR1 - Patch Release 6

config firewall policy
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
    edit 2
        set action accept
        set service TELNET
    next
end

In FortiOS v4.0 MR1 - Patch Release 6, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of Identity
Based Policy. To correct the behaviour, you must move the non-Identity Based Policy (TELNET policy) above the Identity Based
Policy.

Reorganized policy in FortiOS v4.0 MR1 - Patch Release 6

config firewall policy
    edit 2
        set action accept
        set service TELNET
    next
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
end
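
A configuration backup can be checked for this ordering problem after the upgrade. The following added example (not Fortinet code) walks a policy table and reports each non-identity policy that sits below an identity-based one; it assumes a single policy table and treats policies with no srcintf/dstintf, as in the abbreviated listing above, as matching the same traffic.

```python
# Constructed input: the post-upgrade policy from the release notes, where the
# TELNET policy (edit 2) sits below the identity-based policy (edit 1).
UPGRADED = """\
config firewall policy
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups grp1 grp2
                set service HTTP
            next
        end
    next
    edit 2
        set action accept
        set service TELNET
    next
end
"""


def parse_policies(config_text):
    """Return the top-level firewall policies, in order, as dicts of their settings."""
    policies, depth = [], 0
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if depth == 0:
            # Ignore everything until the firewall policy table starts.
            if words == ["config", "firewall", "policy"]:
                depth = 1
        elif words[0] == "config":
            depth += 1  # nested table such as identity-based-policy
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit":
            policies.append({"id": words[1]})
        elif depth == 1 and words[0] == "set" and policies and len(words) > 2:
            policies[-1][words[1]] = " ".join(words[2:])
    return policies


def shadowed(policies):
    """Return (policy id, id of the identity-based policy above it) pairs."""
    findings, identity_seen = [], []
    for pol in policies:
        pair = (pol.get("srcintf"), pol.get("dstintf"))
        if pol.get("identity-based") == "enable":
            identity_seen.append((pair, pol["id"]))
            continue
        for ib_pair, ib_id in identity_seen:
            # A missing interface setting is treated as matching (assumption).
            if all(a is None or b is None or a == b for a, b in zip(pair, ib_pair)):
                findings.append((pol["id"], ib_id))
                break
    return findings


if __name__ == "__main__":
    for pol_id, ib_id in shadowed(parse_policies(UPGRADED)):
        print(f"policy {pol_id} is below identity-based policy {ib_id}: move it above")
```

Source and destination addresses are not compared, so a reported pair is a candidate to review rather than proof that the lower policy is unreachable.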

[IPv6 Tunnel]
All configuration under 'config system ipv6-tunnel' may be lost after upgrading from FortiOS v3.0.0 MR7 to FortiOS
v4.0 MR1 - Patch Release 6.

[User Group]
In FortiOS v3.00 a protection profile can be assigned to a user group from the web UI, but in FortiOS v4.0 it can only be assigned from
the CLI.

[Zone Configuration]
In FortiOS v3.00 a Zone name could be up to 32 characters but in v4 it has changed to up to 15 characters. Any Zone names in
FortiOS v3.00 with more than 15 characters will be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 6.

[IPv6 Vlan Interfaces]


VLAN interfaces with an ipv6-address configured will be lost after upgrading from FortiOS v3.00 to FortiOS v4.0 MR1 - Patch
Release 6.

[VIP Settings]
The 'set http-ip-header' setting under the VIP configuration will inadvertently be set to disable after upgrading from FortiOS
v3.00 MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 6.

[FDS Push-update Settings]


The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS
v4.0 MR1 - Patch Release 6.


[Content Archive Summary]


The content archive summary related configuration will be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 6.

[RTM Interface Configuration]


Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0 MR1, the RTM interface and some of the configuration that uses RTM
objects are not retained. In FortiOS v3.00, RTM objects used upper-case letters, such as "RTM/1". FortiOS v4.0 MR1 - Patch
Release 6 uses lower-case letters for RTM objects.

[SSL-VPN Bookmarks]
Some SSL-VPN bookmarks may be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 6.

[Web Filter Exempt List]


FortiOS v4.0 MR1 - Patch Release 6 merged the web content block and web content exempt list into one list. Upon upgrading to v4.0
MR1, ONLY the web content block list is retained.

[IPS DoS Sensor Configuration]


When upgrading from FortiOS v3.00 MR6/MR7 to FortiOS v4.0 MR1, the IPS DoS Sensor configuration in v3.00 is not converted to
corresponding DoS policy. Hence, the DoS Sensor related configuration may be lost.

[Antivirus Service on Non-Standard Port]


Upon upgrading from FortiOS v3.00 MR6/MR7 to v4.0 MR1, the settings for AntiVirus scanning on non-standard ports are not
retained.

3.2 Upgrading from FortiOS v4.0


FortiOS v4.0 MR1 - Patch Release 6 officially supports upgrade from the most recent Patch Release in FortiOS v4.0.0. See the
upgrade path below. The arrows indicate "upgrade to".

[FortiOS v4.0]
The upgrade is supported from FortiOS v4.0.4 B0113 Patch Release 4 or later.

v4.0.4 B0113 Patch Release 4 (or later)
        ↓
v4.0 MR1 - Patch Release 6 B0205 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration]


If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after
upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR1 - Patch Release 6 the ips-sniffer-mode setting
will be changed to disable.

[Webfilter Banned Word and Exempt Word List]


FortiOS v4.0 MR1 - Patch Release 6 merged the web filter banned and exempt word list into one list under "config webfilter
content". Upon upgrading to v4.0 MR1, ONLY the banned word list is retained. For example:

In FortiOS v4.0.4

config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end

After upgrading to FortiOS v4.0 MR1 - Patch Release 6

config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

Before upgrading, back up your configuration, parse the webfilter exempt list entries, and merge them into the webfilter content list
after the upgrade.

After merging the exempt list from v4.0.4 to the webfilter content list

config webfilter content
    edit 1
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
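
One way to carry out the parse-and-merge step is to generate the CLI from the v4.0.4 backup. This is an added example, not Fortinet tooling; the backup text is constructed from the listings above with an extra word, "shared", placed in both lists, and it assumes the indentation FortiOS writes to backup files and that an entry's own set lines remain valid under 'config webfilter content'.

```python
import re

# Constructed v4.0.4 backup excerpt; "shared" is in both lists on purpose.
BACKUP = """\
config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "shared"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
            edit "shared"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end
"""


def entries(backup, section):
    """Map each word under `config webfilter <section>` to its own set lines."""
    text = backup.replace("\r\n", "\n")
    # The top-level block opens and closes at column 0; nested lines are indented.
    block = re.search(rf"^config webfilter {re.escape(section)}\n(.*?)^end$",
                      text, re.MULTILINE | re.DOTALL)
    if block is None:
        return {}
    found = re.findall(r'^[ \t]+edit "([^"]+)"\n((?:[ \t]+set [^\n]*\n)*)',
                       block.group(1), re.MULTILINE)
    return {word: [s.strip() for s in sets.splitlines()] for word, sets in found}


def merge_script(backup, list_id=1):
    """Return (CLI script, conflicts) for adding exempt words to a content list."""
    banned, exempt = entries(backup, "bword"), entries(backup, "exmword")
    conflicts = sorted(set(banned) & set(exempt))
    out = ["config webfilter content", f"    edit {list_id}", "        config entries"]
    for word, settings in exempt.items():
        if word in conflicts:
            continue  # re-editing the entry would switch a banned word to exempt
        out.append(f'            edit "{word}"')
        out.append("                set action exempt")
        out += [f"                {s}" for s in settings]
        out.append("            next")
    out += ["        end", "    next", "end"]
    return "\n".join(out), conflicts


if __name__ == "__main__":
    script, conflicts = merge_script(BACKUP)
    print(script)
    print("review by hand (banned and exempt):", conflicts)
```

Words reported as conflicts need a decision by an administrator, because after the merge a single list entry can carry only one action.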

[VoIP Settings]

FortiOS v4.0 MR1 - Patch Release 6 adds functionality to archive messages and files caught by the Data Leak Prevention feature,
which includes some VoIP messages. However, some scenarios have implications for configuration retention when upgrading.
Consider the following:

• FortiGate in v4.0.3 has two protection profiles: PP1 and PP2.
• PP1 contains
    o DLP sensor: DLP1
    o Application control list: APP1 which archives SIP messages
• PP2 contains
    o DLP sensor: DLP1
    o Application control list: APP2 which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR1 - Patch Release 6, the VoIP settings are not moved into the DLP archive feature.

[Management Tunnel Configuration]


The 'config system management-tunnel' command has been removed in FortiOS v4.0 MR1 - Patch Release 6. The
management-tunnel settings have been integrated into the central-management feature.


4 Downgrading to FortiOS v3.00


Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Fortinet Product Integration and Support


5.1 Fortinet Server Authentication Extension (FSAE) Support
FortiOS v4.0 MR1 - Patch Release 6 is supported by FSAE v3.00 B058 (FSAE collector agent 3.5.058) or later for the following:

• 32-bit version of Microsoft Windows 2003 R1 Server


• 64-bit version of Microsoft Windows 2003 R1 Server
• 32-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R2 Server
• Novell E-directory 8.8.

IPv6 currently is not supported by FSAE.

Note: FSAE images can be downloaded from the support site using the given link:
ftp://support.fortinet.com/FortiGate/v4.00/4.0MR2/MR2/FSAE/

5.2 SSL-VPN Support


5.2.1 SSL-VPN Standalone Client
FortiOS v4.0 MR1 - Patch Release 6 supports the SSL-VPN tunnel client standalone installer B2073 for the following:

• Windows in .exe and .msi format


• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows XP and Vista

The following Operating Systems were tested.

Windows                     Linux                       Mac OS X

Windows XP 32-bit SP2       CentOS 5.2 (2.6.18-el5)     Leopard 10.5
Windows XP 64-bit SP1       Ubuntu 8.0.4 (2.6.24-23)
Windows Vista 32-bit SP1
Windows Vista 64-bit SP1
Windows 7 32-bit
Windows 7 64-bit

Virtual Desktop Support

Windows XP 32-bit SP2
Windows Vista 32-bit SP1
Windows 7 32-bit

5.3 Web Browser Support for SSL-VPN


The following web browsers were tested:

• Internet Explorer 7.0
• Internet Explorer 8.0
• FireFox 3.x


6 Known Issues in FortiOS v4.0 MR1 - Patch Release 6


6.1 High Availability
Description: Traffic is not load balanced between all members in HA A-A mode.
Bug ID: 119233
Status: To be fixed in a future release.


7 Resolved Issues in FortiOS v4.0 MR1 - Patch Release 6


The resolved issues listed below do not include every bug that has been corrected with this release. For inquiries about a
particular bug, contact Customer Support.

7.1 System
Description: Traffic may loop between redundant interface members binding to a NPU interface.
Bug ID: 126677
Status: Fixed in v4.0 MR1 - Patch Release 6.

7.2 IPS
Description: IPS scanning may cause the FortiGate to delay forwarding the first packet by a few seconds.
Bug ID: 124138
Status: Fixed in v4.0 MR1 - Patch Release 6.


8 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com).
After login, click on the "Firmware Images Checksum Code" link in the left frame.


9 Appendix A – P2P Clients and Supported Configurations


The following table outlines the supported configurations and related issues with several P2P clients. N/A means either the
application does not support the feature or it is not officially tested.

Note: As some P2P clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the
firewall.

Client      Skype      Kazaa      BearShare  Shareaza   BitComet   eMule      Azureus    LimeWire   iMesh      DC++       Winny
Version     3.8        3.2.7      7.0        4.1        1.0.7      0.49b      4.0.0.2    4.18.8     8.0        0707       728

Standard Ports, Direct Internet Connection
Pass        N/A        N/A        OK         OK         OK         OK         OK         OK         OK         OK         OK
Block       N/A        N/A        OK         OK         OK         OK         OK         OK         OK         OK         OK
Rate Limit  N/A        N/A        Bug 86147  OK         OK         Bug 86452  OK         Bug 77852  OK         N/A        OK

Standard Ports, Proxy Internet Connection
Pass        N/A        N/A        OK         N/A        N/A        OK         OK         OK         N/A        N/A        N/A
Block       N/A        N/A        OK         N/A        N/A        OK         OK         OK         N/A        N/A        N/A
Rate Limit  N/A        N/A        OK         N/A        N/A        Bug 86452  OK         OK         N/A        N/A        N/A

Non-standard Ports, Direct Internet Connection
Pass        OK         OK         N/A        OK         OK         OK         OK         OK         OK         N/A        N/A
Block       Bug 37845  OK         N/A        OK         OK         OK         OK         OK         OK         N/A        N/A
Rate Limit  N/A        OK         N/A        OK         OK         Bug 86452  OK         Bug 77852  OK         N/A        N/A

Non-standard Ports, Proxy Internet Connection
Pass        OK         OK         N/A        N/A        N/A        OK         OK         OK         N/A        N/A        N/A
Block       Bug 37845  OK         N/A        N/A        N/A        OK         OK         OK         N/A        N/A        N/A
Rate Limit  N/A        OK         N/A        N/A        N/A        Bug 86452  OK         Bug 77852  N/A        N/A        N/A

("Bug" followed by a number is the Bug ID for that cell.)

(End of Release Notes.)
