FortiOS v4.0 MR1 Patch Release 6 Release Notes
01-416-84420-20100720
Table of Contents
1 FortiOS v4.0 MR1 - Patch Release 6
2 Special Notices
2.1 General
2.2 FWF-80CM and FWF-81CM Hardware
2.3 Fortinet SSL-VPN App Support
2.4 FGT-1240B Management Port
3 Upgrade Information
3.1 Upgrading from FortiOS v3.00 MR6/MR7
3.2 Upgrading from FortiOS v4.0
4 Downgrading to FortiOS v3.00
5 Fortinet Product Integration and Support
5.1 Fortinet Server Authentication Extension (FSAE) Support
5.2 SSL-VPN Support
5.2.1 SSL-VPN Standalone Client
5.3 Web Browser Support for SSL-VPN
6 Known Issues in FortiOS v4.0 MR1 - Patch Release 6
6.1 High Availability
7 Resolved Issues in FortiOS v4.0 MR1 - Patch Release 6
7.1 System
7.2 IPS
8 Image Checksums
9 Appendix A – P2P Clients and Supported Configurations
Change Log
Trademarks
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.
Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com
FWF-80CM, FWF-81CM
The officially released images for these models are based off of FortiOS v4.0 MR1 - Patch Release 6 – fg_4-1_80cm_rework/build_tag_6352 and are located in the same directory as the models supported on the regular FortiOS v4.0 MR1 branch.
The build number for these images in the System > Status page and in the output from the "get system status" CLI command displays 6352. To confirm that you are running the proper build, check the "Branch point:" field in the output from the "get system status" CLI command. This should read 205.

FGT-200B, FGT-200B-POE
The officially released image for this model is based off of FortiOS v4.0 MR1 - Patch Release 6 – fg_4-1_200b/build_tag_5275 and is located in the same directory as the models supported on the regular FortiOS v4.0 MR1 branch.
The build number for this image in the System > Status page and in the output from the "get system status" CLI command displays 5275. To confirm that you are running the proper build, check the "Branch point:" field in the output from the "get system status" CLI command. This should read 205.

FGV-80C, FWV-80CS
The officially released image for this model is based off of FortiOS v4.0 MR1 - Patch Release 6 – fg_4-1_voice_80c/build_tag_5274 and is located in the same directory as the models supported on the regular FortiOS v4.0 MR1 branch.
The build number for this image in the System > Status page and in the output from the "get system status" CLI command displays 5274. To confirm that you are running the proper build, check the "Branch point:" field in the output from the "get system status" CLI command. This should read 205.

FGT-30B, FWF-30B, FGT-50B, FWF-50B, FGT-51B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1240B, FGT-3600, FGT-3600A, FGT-3810A, FGT-3016B, FGT-5001A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2
All models are supported on the regular v4.0 MR1 - Patch Release 6 branch.
Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR1 release.
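The build and branch point check described for the special-branch models can be scripted against saved "get system status" output. The following is an added example, not part of Fortinet's release notes; it assumes the build number appears as "build<digits>" on the "Version:" line, and the sample output and the name check_status are constructed for illustration.

```python
import re

# Build numbers the release notes list for the special-branch models; the
# notes give 205 as the "Branch point:" value for each of them.
EXPECTED_BUILD = {
    "FWF-80CM": 6352, "FWF-81CM": 6352,
    "FGT-200B": 5275, "FGT-200B-POE": 5275,
    "FGV-80C": 5274, "FWV-80CS": 5274,
}
EXPECTED_BRANCH_POINT = 205

def check_status(model, status_output):
    """Return a list of mismatches between 'get system status' output and the notes."""
    if model not in EXPECTED_BUILD:
        return [f"{model}: no special-branch build listed in the notes"]
    problems = []
    # Assumption: the build number appears as 'build<digits>' on the Version line.
    build = re.search(r"^Version:.*\bbuild(\d+)", status_output, re.MULTILINE)
    branch = re.search(r"^Branch point:\s*(\d+)", status_output, re.MULTILINE)
    if build is None:
        problems.append("no build number found on the Version line")
    elif int(build.group(1)) != EXPECTED_BUILD[model]:
        problems.append(f"build {int(build.group(1))}, expected {EXPECTED_BUILD[model]}")
    if branch is None:
        problems.append("no 'Branch point:' field found")
    elif int(branch.group(1)) != EXPECTED_BRANCH_POINT:
        problems.append(f"branch point {int(branch.group(1))}, expected {EXPECTED_BRANCH_POINT}")
    return problems

# Constructed sample output (the layout of the Version line is an assumption).
SAMPLE_STATUS = """\
Version: Fortiwifi-80CM v4.0,build6352,100720 (MR1 Patch 6)
Hostname: branch-office-fw
Branch point: 205
"""

if __name__ == "__main__":
    print(check_status("FWF-80CM", SAMPLE_STATUS) or "build and branch point match")
```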
2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.
IMPORTANT!
• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to
be viewed properly.
• Microsoft Internet Explorer™ 7.0/8.0 and Firefox 3.0x are fully supported.
• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.
• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper
display of the Web UI screens.
• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently
available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible
after upgrading. Consult the FortiGate User Guide for detailed procedures.
3 Upgrade Information
[MR6]
The upgrade is supported from FortiOS v3.00 B0678 Patch Release 6 or later.
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[MR7]
The upgrade is supported from FortiOS v3.00 B0753 Patch Release 9 or later.
After every upgrade, ensure that the build number and branch point match the image that was loaded.
[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v4 to match the port names on the face plate. After upgrading
from FortiOS v3.0 MR6 to FortiOS v4.0 MR1 - Patch Release 6, all port names in the FortiGate configuration are changed as per the
following port mapping.
Old port names before upgrading    New port names after upgrading
port1                              mgmt1
port2                              mgmt2
port3                              port1
port4                              port2
port5                              port3
port6                              port4
port7                              port5
port8                              port6
port9                              port7
port10                             port8
port11                             port9
port12                             port10
port13                             port11
port14                             port12
port15                             port13
port16                             port14
port17                             port15
port18                             port16
Note: After the release of FortiOS v3.00 MR6 firmware, a new revision of the FGT-3016B included a name change to two ports on
the left side of the faceplate. Previously, they were labeled 1 and 2. Now they are called MGMT 1 and MGMT 2. However, the BIOS
still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.
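Because the old and new names overlap (port3 becomes port1 while port1 becomes mgmt1), any external records written against the old names, such as rule documentation or monitoring definitions, must be translated in a single pass. The following is an added example, not part of Fortinet's release notes; the function names and the sample policy fragment are constructed for illustration.

```python
import re

# Old -> new interface names, taken from the FGT-3016B mapping table above.
PORT_MAP = {"port1": "mgmt1", "port2": "mgmt2"}
PORT_MAP.update({f"port{n}": f"port{n - 2}" for n in range(3, 19)})

# Match port1..port18 as whole names only, so port19 or port3_vlan10 are left alone.
_OLD_NAME = re.compile(r"\bport(?:1[0-8]|[1-9])\b")

def translate_ports(text):
    """Rename every old port in a single pass; no name is rewritten twice."""
    return _OLD_NAME.sub(lambda m: PORT_MAP[m.group(0)], text)

def naive_translate(text):
    """Sequential replace, kept only to show how it corrupts the result."""
    for old, new in PORT_MAP.items():
        text = text.replace(old, new)
    return text

# Constructed policy fragment written against the v3.0 MR6 port names.
SAMPLE_V3_POLICY = 'set srcintf "port3"\nset dstintf "port1"\nset interface "port18"'

if __name__ == "__main__":
    print(translate_ports(SAMPLE_V3_POLICY))   # correct mapping
    print(naive_translate(SAMPLE_V3_POLICY))   # port18 wrongly becomes mgmt18
```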
[System Settings]
In FortiOS v4.0.0, the p2p-rate-limit setting under 'config system settings' has been removed, therefore any
related configuration is lost upon upgrading from FortiOS MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 6.
[Router Access-list]
All configuration under 'config router access-list' may be lost after upgrading from FortiOS v3.0.0 MR6/MR7 to
FortiOS v4.0 MR1 - Patch Release 6.
next
end
next
edit 2
set action accept
set service TELNET
next
end
In FortiOS v4.0 MR1 - Patch Release 6, the TELNET policy is never hit because of the implicit DENY ALL at the bottom of Identity
Based Policy. To correct the behaviour, you must move the non-Identity Based Policy (TELNET policy) above the Identity Based
Policy.
[IPv6 Tunnel]
All configuration under 'config system ipv6-tunnel' may be lost after upgrading from FortiOS v3.0.0 MR7 to FortiOS
v4.0 MR1 - Patch Release 6.
[User Group]
In FortiOS v3.00 a protection profile can be assigned to a user group from the web UI, but in FortiOS v4.0 it can only be assigned from
the CLI.
[Zone Configuration]
In FortiOS v3.00 a Zone name could be up to 32 characters but in v4 it has changed to up to 15 characters. Any Zone names in
FortiOS v3.00 with more than 15 characters will be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 6.
[VIP Settings]
'set http-ip-header' setting under VIP configuration will inadvertently get set to disable after upgrading from FortiOS
v3.00 MR6/MR7 to FortiOS v4.0 MR1 - Patch Release 6.
[SSL-VPN Bookmarks]
Some SSL-VPN bookmarks may be lost after upgrading to FortiOS v4.0 MR1 - Patch Release 6.
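Several of the items above can be found in a v3.00 configuration backup before the upgrade removes them. The following is an added example, not part of Fortinet's release notes: it scans a backup for the p2p-rate-limit setting, zone names longer than 15 characters, VIPs with http-ip-header set, and the router access-list and ipv6-tunnel sections. The function name and the sample backup are constructed for illustration.

```python
ZONE_NAME_MAX = 15  # v4 zone-name limit given in the release notes
LOST_SECTIONS = {"router access-list", "system ipv6-tunnel"}  # may be lost on upgrade

def audit_v3_config(text):
    """Return (section, detail) findings for a FortiOS v3.00 config backup."""
    findings, stack = [], []  # stack items: [section, current 'edit' name]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            stack.append([line[len("config "):], None])
            if stack[-1][0] in LOST_SECTIONS:
                findings.append((stack[-1][0], "whole section may be lost"))
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack:
            name = stack[-1][1] = line[len("edit "):].strip('"')
            if stack[-1][0] == "system zone" and len(name) > ZONE_NAME_MAX:
                findings.append(("system zone", f"zone {name!r} exceeds 15 characters"))
        elif line.startswith("set ") and stack:
            section, name = stack[-1]
            key, _, value = line[len("set "):].partition(" ")
            if section == "system settings" and key == "p2p-rate-limit":
                findings.append((section, "p2p-rate-limit is removed in v4.0.0"))
            elif section == "firewall vip" and key == "http-ip-header" and value != "disable":
                findings.append((section, f"VIP {name!r}: http-ip-header resets to disable"))
    return findings

# Constructed sample backup (names and values are made up for illustration).
SAMPLE_V3_CONFIG = """\
config system settings
    set p2p-rate-limit per-policy
end
config system zone
    edit "dmz-partner-extranet"
    next
    edit "inside"
    next
end
config firewall vip
    edit "web-vip"
        set http-ip-header enable
    next
end
config router access-list
    edit "mgmt-nets"
    next
end
"""

if __name__ == "__main__":
    print(*audit_v3_config(SAMPLE_V3_CONFIG), sep="\n")
```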
[FortiOS v4.0]
The upgrade is supported from FortiOS v4.0.4 B0113 Patch Release 4 or later.
After every upgrade, ensure that the build number and branch point match the image that was loaded.
In FortiOS v4.0.4
edit "badword2"
set status enable
next
end
set name "BannedWordList"
next
end
Before upgrading, back up your configuration, parse the webfilter exempt list entries, and merge them into the webfilter content list
after the upgrade.
After merging the exempt list from v4.0.4 to the webfilter content list
edit "badword2"
set action exempt
set status enable
next
end
set name "BannedWordList"
next
end
[VoIP Settings]
FortiOS v4.0 MR1 - Patch Release 6 adds functionality to archive messages and files as caught by the Data Leak Prevention feature,
which includes some VoIP messages. However, some scenarios have implications for configuration retention on upgrade.
Consider the following:
Upon upgrading to FortiOS v4.0 MR1 - Patch Release 6, the VoIP settings are not moved into the DLP archive feature.
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles
Note: FSAE images can be downloaded from the support site using the given link:
ftp://support.fortinet.com/FortiGate/v4.00/4.0MR2/MR2/FSAE/
7.1 System
Description: Traffic may loop between redundant interface members binding to a NPU interface.
Bug ID: 126677
Status: Fixed in v4.0 MR1 - Patch Release 6.
7.2 IPS
Description: IPS scanning may cause the FortiGate to delay forwarding the first packet by a few seconds.
Bug ID: 124138
Status: Fixed in v4.0 MR1 - Patch Release 6.
8 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com).
After login, click on the "Firmware Images Checksum Code" link in the left frame.
Note: As some P2P clients use encrypted connections, the FortiGate may not succeed in blocking the traffic from traversing the
firewall.
Client      Skype         Kazaa         BearShare     Shareaza      BitComet      eMule         Azureus       LimeWire      iMesh         DC++          Winny
Version     3.8           3.2.7         7.0           4.1           1.0.7         0.49b         4.0.0.2       4.18.8        8.0           0707          728

Standard Ports, Direct Internet Connection
Pass        N/A           N/A           OK            OK            OK            OK            OK            OK            OK            OK            OK
Block       N/A           N/A           OK            OK            OK            OK            OK            OK            OK            OK            OK
Rate Limit  N/A           N/A           Bug ID: 86147 OK            OK            Bug ID: 86452 OK            Bug ID: 77852 OK            N/A           OK

Standard Ports, Proxy Internet Connection
Pass        N/A           N/A           OK            N/A           N/A           OK            OK            OK            N/A           N/A           N/A
Block       N/A           N/A           OK            N/A           N/A           OK            OK            OK            N/A           N/A           N/A
Rate Limit  N/A           N/A           OK            N/A           N/A           Bug ID: 86452 OK            OK            N/A           N/A           N/A

Non-standard Ports, Direct Internet Connection
Pass        OK            OK            N/A           OK            OK            OK            OK            OK            OK            N/A           N/A
Block       Bug ID: 37845 OK            N/A           OK            OK            OK            OK            OK            OK            N/A           N/A
Rate Limit  N/A           OK            N/A           OK            OK            Bug ID: 86452 OK            Bug ID: 77852 OK            N/A           N/A

Non-standard Ports, Proxy Internet Connection
Pass        OK            OK            N/A           N/A           N/A           OK            OK            OK            N/A           N/A           N/A
Block       Bug ID: 37845 OK            N/A           N/A           N/A           OK            OK            OK            N/A           N/A           N/A
Rate Limit  N/A           OK            N/A           N/A           N/A           Bug ID: 86452 OK            Bug ID: 77852 N/A           N/A           N/A