
FortiGate® Multi-Threat Security System

Release Notes
v4.0 MR2
Patch Release 4

01-424-84420-20110315
Release Notes FortiOS v4.0 MR2 - Patch Release 4

Table of Contents
1 FortiOS v4.0 MR2 - Patch Release 4
2 Special Notices
2.1 General
2.2 FMC-XG2 Module Support
2.3 FMC-C20 and FMC-F20 Module Support
2.4 Cross-Card Fastpath Feature Support on NP4 Interfaces
2.5 New Session Per Second
3 Upgrade Information
3.1 Upgrading from FortiOS v4.0
3.2 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v4.0 MR1
5 Fortinet Product Integration and Support
5.1 Fortinet Server Authentication Extension (FSAE) Support
5.2 AV Engine and IPS Engine Support
5.3 SSL-VPN Support
5.3.1 SSL-VPN Standalone Client
6 Resolved Issues in FortiOS v4.0 MR2 - Patch Release 4
6.1 Web UI
6.2 System
6.3 High Availability
6.4 IPS
6.5 Web Filter
7 Known Issues in FortiOS v4.0 MR2 - Patch Release 4
7.1 Web Proxy
7.2 IPS
8 Image Checksums
Change Log

Date Change Description

2011-03-02 Initial Release.

2011-03-04 Added bug 132618 to the Resolved Issues section.

2011-03-15 Added FMC-C20 and FMC-F20 Module support information into Section 1 and Section 2.

© Copyright 2011 Fortinet Inc. All rights reserved.



Trademarks
Copyright© 2011 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com

i March 15, 2011



1 FortiOS v4.0 MR2 - Patch Release 4


This document provides installation instructions and addresses issues and caveats in the FortiOS™ v4.0 MR2 B0313 - Patch Release 4
release. The following outlines the release status for several models.

Model: FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-621B, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3040B, FGT-3600, FGT-3600A, FGT-3810A, FGT-3950B, FGT-3951B, FGT-5001A, FGT-5001, FGT-5001FA2, and FGT-5005FA2.
Release Status: All models are supported on the regular v4.0 MR2 - Patch Release 4 branch.

Model: FGT-60C, FWF-60C
Release Status: This model is released on a special branch based off of FortiOS v4.0 MR2 - Patch Release 4 - fg_4-2_60c/build_tag_5422. As such, the build number in the System > Dashboard > Status page and the output from the "get system status" CLI command displays 5422 as the build number. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 313.

Model: FGT-3950B to support the FMC-C20 or FMC-F20. FGT-3951B to support the FMC-C20 or FMC-F20.
Release Status: The images to support the FMC-C20 and FMC-F20 are from a special branch based off of FortiOS v4.0 MR2 - Patch Release 4 - fg_4-2_fmc_c20/build_tag_5423.

These images are available by calling Fortinet Customer Support.

The build number for this image in the System > Status page and the output from the "get system status" CLI command displays 5423. To confirm that you are running the proper build, the output from the "get system status" CLI command has a "Branch point:" field. This should read 313.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR2 release.


2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 8.0 (IE8) and FireFox 3.5 or later are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper display of the Web UI screens.
• [Update the AV/IPS definitions] The AV/IPS signature included with an image upgrade may be older than ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

2.2 FMC-C20 and FMC-F20 Module Support


FortiOS v4.0 MR2 Patch Release 4 supports the FMC-C20 and FMC-F20 module for the FGT-3950B and FGT-3951B. The images
to support the FMC-C20 and FMC-F20 are from a special branch based off of FortiOS v4.0 MR2 - Patch Release 4 –
fg_4-2_fmc_c20/build_tag_5423.

These images are available by calling Fortinet Customer Support.

2.3 Cross-Card Fastpath Feature Support on NP4 Interfaces


Models that contain multiple NP4 processors (on-board or FMC-XD2, FMC-C20, FMC-F20 module) now support the fastpath feature
across the NP4 processors.

2.4 New Session Per Second


The CLI command, diag sys session stats, has been updated to report the rate at which new sessions are being created.
This is an instantaneous reading, not an average over a period. An idle FortiGate device reports zero for this counter.


3 Upgrade Information
3.1 Upgrading from FortiOS v4.0
FortiOS v4.0 MR2 Patch Release 4 officially supports upgrade from FortiOS v4.0 Patch Release 4 or later. See the upgrade path
below. The arrows indicate "upgrade to".

[FortiOS v4.0]
The upgrade is supported from FortiOS v4.0.4 B0113 or later.

v4.0.4 B0113 (or later)
↓
v4.0 MR2 Patch Release 4 B0313

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration]


If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after
upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR2 Patch Release 4, the ips-sniffer-mode setting will
be changed to disable.

[WebFilter Banned Word and Exempt Word List]


FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under "config webfilter content".
Upon upgrading to v4.0 MR2, ONLY the banned word list is retained. For example:

In FortiOS v4.0.4

config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end


After upgrading to FortiOS v4.0 MR2

config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

Before upgrading, back up your configuration and parse the webfilter exempt list entries. After the upgrade, merge them into the
webfilter content list.

After merging the exempt list from v4.0.4 to the webfilter content list

config webfilter content
    edit 1
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
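
The parse-and-merge step above can be scripted. The following Python sketch is an added example, not part of the Fortinet release notes or any Fortinet tool: it extracts the "config webfilter exmword" entries from a v4.0.4 configuration backup and builds the CLI text that re-adds them with "set action exempt". The function names, the constructed sample backup, and the table_id parameter (the content table that received the banned words, 1 in the example above) are assumptions.

```python
import re

# Constructed sample: fragment of a FortiOS v4.0.4 configuration backup.
SAMPLE_BACKUP = """\
config webfilter bword
    edit 1
        config entries
            edit "badword1"
            next
        end
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "good word2"
                set status disable
            next
        end
        set name "ExemptWordList"
    next
end
"""

def parse_exempt_words(backup_text):
    """Return [(word, status)] for every entry under 'config webfilter exmword'."""
    stack, words, current = [], [], None
    for raw in backup_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)  # track nesting so an enclosing VDOM block does not matter
        elif line == "end" and stack:
            stack.pop()
        elif stack[-2:] == ["config webfilter exmword", "config entries"]:
            m = re.fullmatch(r'edit "(.*)"', line)
            if m:
                current = [m.group(1), None]  # word kept exactly as quoted in the backup
            elif current and line.startswith("set status "):
                current[1] = line.split()[2]
            elif current and line == "next":
                words.append(tuple(current))
                current = None
    return words

def render_merge_cli(words, table_id=1):
    """Build CLI text adding the words, as exempt entries, to content table table_id."""
    out = ["config webfilter content", f"    edit {table_id}", "        config entries"]
    for word, status in words:
        out += [f'            edit "{word}"', "                set action exempt"]
        if status:  # only restate a status that the backup recorded
            out.append(f"                set status {status}")
        out.append("            next")
    return "\n".join(out + ["        end", "    next", "end"])

if __name__ == "__main__":
    print(render_merge_cli(parse_exempt_words(SAMPLE_BACKUP)))
```

Review the generated text against the post-upgrade "config webfilter content" table before pasting it into the CLI, since banned words are not touched and keep their existing action.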

[VoIP Settings]

FortiOS v4.0 MR2 can archive messages and files caught by the Data Leak Prevention feature, which includes some
VoIP messages. However, some scenarios have implications for configuration retention on upgrading. Consider the following:

• FortiGate in v4.0.4 has two protection profiles: PP1 and PP2.
• PP1 contains
    o DLP sensor: DLP1
    o Application control list: APP1 which archives SIP messages
• PP2 contains
    o DLP sensor: DLP1
    o Application control list: APP2 which has content-summary enabled for SIMPLE


Upon upgrading to FortiOS v4.0 MR2 Patch Release 4, the VoIP settings are not moved into the DLP archive feature.

[NNTP DLP Archive]


NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2 Patch Release 4.

3.2 Upgrading from FortiOS v4.0 MR1


FortiOS v4.0 MR2 Patch Release 4 officially supports upgrade from FortiOS v4.0 MR1 Patch Release 4 or later. See the upgrade
path below. The arrows indicate "upgrade to".

[FortiOS v4.0 MR1]

The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0196 or later.

v4.0 MR1 Patch Release 4 B0196 (or later)
↓
v4.0 MR2 Patch Release 4 B0313

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DLP Rule]
A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2 Patch Release 4.

[System Autoupdate Settings]


The settings under "config system autoupdate schedule" will get set to default values after upgrading to FortiOS v4.0
MR2 Patch Release 4.


4 Downgrading to FortiOS v4.0 MR1


Downgrading to FortiOS v4.0 MR1 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Fortinet Product Integration and Support


5.1 Fortinet Server Authentication Extension (FSAE) Support
FortiOS v4.0 MR2 - Patch Release 4 is supported by FSAE v3.00 B063 (FSAE collector agent 3.5.063) or later for the following:

• 32-bit version of Microsoft Windows 2003 R1 Server
• 64-bit version of Microsoft Windows 2003 R1 Server
• 32-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R1 Server
• 64-bit version of Microsoft Windows 2008 R2 Server
• Novell E-directory 8.8.

IPv6 currently is not supported by FSAE.

The FSAE v3.00 B063 feature enhancements:

• DCAgent support for Mac OS
• Collector Agent improvements to support live information collection for debugging purposes

Note: FSAE images can be downloaded from the support site using the given link:
ftp://support.fortinet.com/FortiGate/v4.00/4.0MR2/MR2/FSAE/

5.2 AV Engine and IPS Engine Support


FortiOS v4.0 MR2 Patch Release 4 is supported by AV Engine 4.00254 and IPS Engine 1.00171.

5.3 SSL-VPN Support

5.3.1 SSL-VPN Standalone Client


FortiOS v4.0 MR2 Patch Release 4 supports the SSL-VPN tunnel client standalone installer B2085 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista

The following Operating Systems are supported.

Windows                     Linux                      Mac OS X
Windows XP 32-bit SP3       CentOS 5.2 (2.6.18-el5)    Leopard 10.5
Windows XP 64-bit SP1       Ubuntu 10.0.4
Windows Vista 32-bit SP1
Windows Vista 64-bit SP1
Windows 7 32-bit
Windows 7 64-bit

Virtual Desktop Support
Windows XP 32-bit SP2
Windows Vista 32-bit SP1
Windows 7 32-bit


6 Resolved Issues in FortiOS v4.0 MR2 - Patch Release 4


The resolved issues listed below do not include every bug that has been corrected with this release. For inquiries about a particular bug,
please contact Customer Support.

6.1 Web UI
Description: When a vdom-admin is enabled, the global scope incorrectly shows the Router > Static web UI page.
Bug ID: 135159
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: Some websites may not be fully loaded when IPS and AV are enabled on the effective firewall policy simultaneously.
Bug ID: 137972
Status: Fixed in v4.0 MR2 - Patch Release 4.

6.2 System
Description: The reserved bits field has an incorrect default value for the Encoded-Group address in the PIM-SM
Candidate-RP-Advertisement message.
Bug ID: 129705
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: Size of MAC address table has been increased to enhance performance.
Bug ID: 131770, 135414, 137153
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: An unexpected failure is reported during reassembly of IP fragments.
Bug ID: 136658
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: An SFP interface status is not properly detected.
Bug ID: 137082
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: Traffic statistics on NP4 interfaces fail to show correct data.
Model Affected: FortiGate models that support NP4 interfaces
Bug ID: 136885
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: VLAN interface cannot be removed successfully.
Bug ID: 132618
Status: Fixed in v4.0 MR2 - Patch Release 4.

6.3 High Availability


Description: In certain topologies, a slave unit in an HA cluster may fail to sync with master in a multi-VDom environment.
Bug ID: 135982
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: The master unit may inadvertently use an unusual virtual MAC address on VLAN interfaces.
Bug ID: 136830
Status: Fixed in v4.0 MR2 - Patch Release 4.


6.4 IPS
Description: Some offloaded attacks may not be detected by the modules specified below.
Model Affected: FortiGate models that support the FMC-XG2, ASM-CE4, ADM-XE2, ADM-FE8 modules.
Bug ID: 138464
Status: Fixed in v4.0 MR2 - Patch Release 4.

Description: Traffic throughput may fluctuate when IPS is enabled on XLR interfaces.
Model Affected: FortiGate models that support the FMC-XG2, ASM-CE4, ADM-XE2, ADM-FE8 modules.
Bug ID: 138757
Status: Fixed in v4.0 MR2 - Patch Release 4.

6.5 Web Filter


Description: Configuring a local category may fail to take effect on a FGT-3950B or FGT-3951B.
Model Affected: FGT-3950B, FGT-3951B
Bug ID: 137181
Status: Fixed in v4.0 MR2 - Patch Release 4.


7 Known Issues in FortiOS v4.0 MR2 - Patch Release 4


This section lists the known issues of this release, but is NOT a complete list. For enquiries about a particular bug not
listed here, contact Customer Support.

7.1 Web Proxy


Description: On rare occasions, the FortiGate's web proxy may prematurely terminate an FTP connection.
Bug ID: 124589
Status: To be fixed in a future release.

7.2 IPS
Description: Traffic through the FortiGate device may experience an increase in latency for a short period when an IPS signature
update is performed.
Bug ID: 135825
Status: To be fixed in a future release.


8 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support website
(https://support.fortinet.com). After login, click on the "Firmware Images Checksum Code" link in the left
frame.

(End of Release Notes.)
