Professional Documents
Culture Documents
FortiOS v4.0 MR3 Patch Release 5 Release Notes
FortiOS v4.0 MR3 Patch Release 5 Release Notes
FortiOS v4.0 MR3 Patch Release 5 Release Notes
This document provides installation instructions and addresses issues and caveats in
FortiOS v4.0 MR3 Patch Release 5 build 0513.
Table 1 outlines the release status for these models. Table 2 lists the supported
virtualization platforms for this release.
General
The TFTP boot process erases all current firewall configuration and replaces it with the
factory default settings.
IMPORTANT!
Monitor Settings Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This
for Web-based allows for all the objects in the Web-based Manager to be viewed properly.
Manager access
Web browser Microsoft Internet Explorer 8.0 and Mozilla Firefox 3.5 or later are fully supported.
support
Before any Save a copy of your FortiGate unit configuration (including replacement messages)
upgrade prior to upgrading.
After any upgrade If you are using the Web-based Manager, clear the browser cache prior to login on the
FortiGate to ensure the Web-based Manager screens are displayed properly.
The Virus and Attack definitions included with an image upgrade may be older than
ones currently available from the Fortinet's FortiGuard Distribution Server. Fortinet
recommends performing an Update Now (System > Config > FortiGuard > AntiVirus
and IPS Options) as soon as possible after upgrading. Consult the FortiOS
Handbook/FortiOS Carrier Handbook for detailed procedures.
With the release of FortiOS v4.0 MR3 Patch Release 2 and later, the FortiGate-1240B
will run a 64-bit version of FortiOS. This has introduced certain limitations on
upgrading firmware in a high availability (HA) environment, and downgrading.
When performing an upgrade from a 32-bit FortiOS version to a 64-bit FortiOS version,
and the FortiGate-1240Bs are running in a HA environment with the uninterruptable-
upgrade option enabled, the upgrade process may fail on the master device after the
slave devices have been successfully upgraded. To work around this situation, users
may disable the uninterruptable-upgrade option to allow all HA members to be
successfully upgraded. Without the uninterruptable-upgrade feature enabled, several
minutes of service unavailability are to be expected.
Downgrading a FortiGate-1240B from FortiOS v4.0 MR3 Patch Release 2 is not
supported due to technical limitations between 64-bit and 32-bit versions of FortiOS.
The only procedure to downgrade firmware is by using the TFTP server and BIOS
menu to perform the downgrade. In this case the configuration will need to be restored
from a previously backed up version.
FortiOS v4.0 MR3 Patch Release 5 officially supports upgrade from the FortiOS v4.0
MR2 Patch Release 4 or later. See the upgrade path below. The arrows indicate
"upgrade to".
FortiOS v4.0 MR2 The upgrade is supported from FortiOS v4.0 MR2 Patch Release B0313 or later.
v4.0 MR2 Patch Release 4 B0313 (or later)
↓
v4.0 MR3 Patch Release 5 B0513 GA
After every upgrade, ensure that the build number and branch point match the image
that was loaded.
DDNS DDNS configurations under interface are moved to global mode config system
ddns after upgrading to FortiOS v4.0 MR3 Patch Release 5.
Ping server gwdetect related configurations under specific interfaces are moved under router per
VDOM mode, and config router gwdetect can be used to configure the option
after upgrading to FortiOS v4.0 MR3 Patch Release 5.
SNMP A 32 bits network mask will be added to an IP address of SNMP host upon upgrading
community to FortiOS v4.0 MR3 Patch Release 5.
AMC slot settings The default value of ips-weight under config system amc-slot will be changed
from balanced to less-fw after upgrading to FortiOS v4.0 MR3 Patch Release 5.
Wireless radio Wireless radio settings, except for SSID, Security Mode, and Authentication settings,
settings will be lost after upgrading.
Web filter The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2
overrides Patch Release 4 B0313 to FortiOS v4.0 MR3 Patch Release 5.
Firewall policy If the source interface or destination interface is set as the amc-XXX interface, the
settings default value of ips-sensor under config firewall policy is changed from
all_default to default after upgrading to FortiOS v4.0 MR3 Patch Release 5.
URL filter The action options in the urlfilter configuration have been changed from Allow,
Pass, Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow
action will not report log in v4.0 MR3 Patch Release 1. The Monitor action will act as
the function that allows log reporting. The Pass action in v4.0 MR2 has been merged
with Exempt in v4.0 MR3 Patch Release 1, and the CLI command has been changed
from set action pass to set exempt pass.
FortiGuard log The settings of config log fortiguard filter are removed after upgrading to
filter FortiOS v4.0 MR3 Patch Release 5.
FortiGuard log The options quotafull and use-hdd in config log fortiguard setting are
setting removed upon upgrading to FortiOS v4.0 MR3 Patch Release 5.
FortiOS v4.0 MR3 Patch Release 5 officially supports upgrade from the FortiOS v4.0
MR1 Patch Release 9 or later. See the upgrade path below.
FortiOS v4.0 MR1 The upgrade is supported from FortiOS v4.0 MR1 Patch Release 9 B0213 or later.
v4.0 MR1 Patch Release 9 B0213 (or later)
↓
vv4.0 MR3 Patch Release 5 B0513 GA
After every upgrade, ensure that the build number and branch point match the image
that was loaded.
Network If a network interface has the ips-sniffer-mode option set to enable, and that
interface interface is being used by a firewall policy, then after upgrading from FortiOS v4.0, or
configuration any subsequent patch, to FortiOS v4.0 MR3 Patch Release 5 the ips-sniffer-mode
setting will be changed to disable.
System The default values of config system autoupdate schedule will be changed
autoupdate from disable to enable after upgrading to FortiOS v4.0 MR3 Patch Release 5.
settings
DHCP server The names of DHCP Servers are replaced with entry numbers. start-ip and end-ip
are changed to config ip-range under DHCP Server after upgrading to FortiOS
v4.0 MR3 Patch Release 5.
DDNS DDNS configurations under interface are moved to global mode config system
ddns after upgrading to FortiOS v4.0 MR3 Patch Release 5.
Ping server gwdetect related configurations under specific interfaces are moved under router per
VDOM mode, and config router gwdetect can be used to configure the option
after upgrading to FortiOS v4.0 MR3 Patch Release 5.
SNMP A 32 bits network mask will be added to an IP address of SNMP host upon upgrading
community to FortiOS v4.0 MR3 Patch Release 5.
IPS DoS sensor The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR3 Patch
log setting Release 5. Whether the log stetting of an IPS DoS sensor is disable or enable on
FortiOS v4.0 MR1 Patch Release 9, or any subsequent patch, after upgrading to
FortiOS v4.0 MR3 Patch Release 5, the setting will be set to disable.
IPS sensor log The log setting of IPS sensors is enable by default on FortiOS v4.0 MR3 Patch
setting Release 5. If the log setting of an IPS sensor is disabled on FortiOS v4.0 MR1 Patch
Release 9, or any subsequent patch, the value will be kept after upgrading to FortiOS
v4.0 MR3 Patch Release 5. If the log setting of an IPS sensor is enable or default
on FortiOS v4.0 MR1 Patch Release 9, or any subsequent patch, the value will be
changed to enable after upgrading to FortiOS v4.0 MR3 Patch Release 5.
DLP rule A DLP rule with subprotocol settings set to sip simple sccp will be lost after
upgrading to FortiOS v4.0 MR3 Patch Release 5.
Web filter and The names webfilter-status and spamfilter-status have been change to
Spam filter webfilter-force-off and antispam-force-off. The default values are set to
enable after upgrading to FortiOS v4.0 MR3 Patch Release 5. To use web filter and
spam filter, users have to disable the two entries by using the following CLI command:
config system fortiguard
set webfilter-force-off disable
set antispam-force-off disable
end
URL filter The action options in the urlfilter configuration have been changed from Allow,
Pass, Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow
action will not report log in v4.0 MR3 Patch Release 1. The Monitor action will act as
the function that allows log reporting. The Pass action in v4.0 MR2 has been merged
with Exempt in v4.0 MR3 Patch Release 1, and the CLI command has been changed
from set action pass to set exempt pass.
FortiGuard log The settings of config log fortiguard filter are removed after upgrading to
filter FortiOS v4.0 MR3 Patch Release 5.
FortiGuard log The options quotafull and use-hdd in config log fortiguard setting are
setting removed upon upgrading to FortiOS v4.0 MR3 Patch Release 5.
Downgrading to FortiOS v4.0 GA (or later) results in configuration loss on ALL models.
Only the following settings are retained:
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system access profiles.
FortiManager support
FortiOS v4.0 MR3 Patch Release 5 is supported by FortiManager v4.0 MR3 Patch
Release 2 and later.
FortiAnalyzer support
FortiClient support
FortiOS v4.0 MR3 Patch Release 5 is fully compatible with FortiClient v4.0 MR2 Patch
Release 3.
FortiOS v4.0 MR3 Patch Release 5 is supported by FortiClient v4.0 MR3 for the
following:
• Microsoft Windows XP 32-bit
• Microsoft Windows Vista 32-bit
• Microsoft Windows Vista 64-bit
• Microsoft Windows 7 32-bit
• Microsoft Windows 7 64-bit
FortiAP support
FortiOS v4.0 MR3 Patch Release 5 supports the following FortiAP models:
• FortiAP 210B
• FortiAP 220A
• FortiAP 220B
• FortiAP 221B
• FortiAP 222B
The FortiAP devices must be running FortiAP v4.0 MR3 and above.
FortiOS v4.0 MR3 Patch Release 5 is supported by FSSO v4.3.0 B0108 for the
following:
• Microsoft Windows Server 2003 R2 32-bit
• Microsoft Windows Server 2003 R2 64-bit
• Microsoft Windows Server 2008 32-bit
• Microsoft Windows Server 2008 64-bit
• Microsoft Windows Server 2008 R2 64-bit
• Novell eDirectory 8.8.
IPv6 currently is not supported by FSSO.
FortiExplorer support
FortiOS v4.0 MR3 Patch Release 5 is supported by AV Engine 4.00382 and IPS Engine
1.00243.
Module support
FortiOS v4.0 MR3 Patch Release 5 supports Advanced Mezzanine Card (AMC),
Fortinet Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage
Module (FSM) removable modules. These modules are not hot swappable. The
FortiGate unit must be turned off before the module is inserted or removed.
Table 3: Supported Modules
SSL-VPN support
SSL-VPN FortiOS v4.0 MR3 Patch Release 5 supports the SSL-VPN tunnel client standalone
standalone client installer B2148 for the following:
• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X 10.6.x in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista
Table 4 lists the supported operating systems.
SSL-VPN web Table 5 lists the browsers and operating systems supported by SSL-VPN web mode.
mode
Table 5: Supported browsers and operating systems
SSL-VPN host The following tables list the AntiVirus and Firewall client software packages that are
compatibility list supported.
Table 6 lists supported Windows XP AntiVirus and Firewall software.
The following browsers are supported by the Explicit Web Proxy feature:
• Internet Explorer 7
• Internet Explorer 8
• Mozilla Firefox 3.x
The resolved issues listed below do not list every bug that has been corrected with this
release. For inquires about a particular bug, please contact Customer Support.
Table 9: Resolved Issues
Bug ID Description
124644 The function of intrazone allow does not work correctly for IPv6 traffic .
147506 HTTPS does not block files larger than the size limit except when the enable
oversize option on HTTP is enabled.
154106, 154284, Various WPA related connection and wifi client mode routing issues.
154964, 155166,
157973, 159345,
160338
154188 The firewall address in FQDN format is not removed when the DNS record
ceases to exist.
155166 The WiFi LED does not function correctly.
Models Affected: FortiWiFi 80CM and FortiWiFi 60C
157977 The NSM may crash after a HA switchover.
159090, 159674 Various explicit FTP proxy address issues.
159212 The CPS decreases significantly while the policy number is increasing.
Models Affected: FortiGate 200B and FortiGate 310B
159410 The sslvpn_url_rewrite function does not function correctly for relative URLs.
159498 IKE crashes if the peer IP address changes.
159521 The Web-based Manager does not show the WiFi link speed for AP clients.
159811 An SSL-VPN user can login with an untrusted certificate when sslvpn-ccert
is enabled.
159855 The SSL-VPN portal receives an SSL False Start error on Internet Explorer 8
and 9 after the latest Windows updates.
159861 IPS does not work correctly with virtual Server load balancing.
159935 Response time when a lot of address objects are changed by CLI scripting
is too long.
160073 Infromation in misssing from the multicast traffic log.
160174 The ICSA improperly reassembles invalid fragmented packets during a
targa2 Bonk attack.
160322 The connection lags in HTTP proxy when there are many simultaneous
connections.
160747 The SSL process is constantly using 99% of the CPU.
160752 The data rate shown in dia sys wireless stats is not in the correct units.
160947 After upgrading to FortiOS v4.0 MR3 Patch Release 4 ports 1 through 4 may
intermittently fail to pass traffic, ports 5 through 8 are unaffected.
Model Affected: FortiWiFi 60CX-ADSL
161006 Users are unable to start the wad daemon on models without the
HAVE_WANOPT macro.
Models Affected: FortiGate models that do not have storage
This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 5.
When using Ubuntu 11.10, Xen 4.1.0, and libvir 0.9.2, importing issues may arise when
using the qcow2 format and existing HDA issues.
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After
logging in, click on Download > Firmware Image Checksum, enter the image file,
including the extension, and select Get Checksum Code.