
FortiGate® Multi-Threat Security System

Release Notes
v4.0 MR2
Patch Release 1

01-421-84420-20100520
Release Notes FortiOS v4.0 MR2 - Patch Release 1

Table of Contents
1 FortiOS v4.0 MR2 - Patch Release 1
2 Special Notices
    2.1 General
3 Upgrade Information
    3.1 Upgrading from FortiOS v4.0
    3.2 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v4.0 MR1
5 Known Issues in FortiOS v4.0 MR2 - Patch Release 1
    5.1 Web User Interface
6 Resolved Issues in FortiOS v4.0 MR2 - Patch Release 1
    6.1 Command Line Interface (CLI)
    6.2 Web User Interface
    6.3 System
    6.4 High Availability
    6.5 Router
    6.6 Firewall
    6.7 VPN
    6.8 WAN Optimization
    6.9 Web Filter
    6.10 Antispam
    6.11 Data Leak Prevention
    6.12 Log & Report
7 Image Checksums

i May 20, 2010



Change Log

Date          Change Description
2010-05-20    Initial Release.

© Copyright 2010 Fortinet Inc. All rights reserved.


Release Notes FortiOS™ v4.0 MR2 - Patch Release 1.

Trademarks
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the
identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support
tickets via the support site:
https://support.fortinet.com


1 FortiOS v4.0 MR2 - Patch Release 1


This document provides installation instructions and addresses issues and caveats in the FortiOS™ v4.0 MR2 B0279 - Patch Release 1
release. The following outlines the release status for several models.

Model: FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3600, FGT-3600A, FGT-3810A, FGT-5001A, FGT-5001, FGT-5001-FA2, and FGT-5005-FA2.

FortiOS v4.0 MR2 - Patch Release 1 Release Status: All models are supported on the regular v4.0 MR2 - Patch Release 1 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR2 release.


2 Special Notices
2.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to
be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 8.0 (IE8) and Firefox 3.5 or later are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper
display of the Web UI screens.
• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently
available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible
after upgrading. Consult the FortiGate User Guide for detailed procedures.


3 Upgrade Information

3.1 Upgrading from FortiOS v4.0


FortiOS v4.0 MR2 Patch Release 1 officially supports upgrade from the FortiOS v4.0 Patch Release 4 or later. See the upgrade path
below. The arrows indicate "upgrade to".

[FortiOS v4.0]
The upgrade is supported from FortiOS v4.0.4 B0113 or later.

v4.0.4 B0113 (or later)
          ↓
v4.0 MR2 Patch Release 1 B0279

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration]


If a network interface has ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after
upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR2 Patch Release 1 the ips-sniffer-mode setting will
be changed to disable.

[WebFilter Banned Word and Exempt Word List]


FortiOS v4.0 MR1 merged the web filter banned and exempt word list into one list under "config webfilter content".
Upon upgrading to v4.0 MR2, ONLY the banned word list is retained. For example:

In FortiOS v4.0.4

config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "goodword2"
                set status enable
            next
        end
        set name "ExemptWordList"
    next
end

After upgrading to FortiOS v4.0 MR2

config webfilter content
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end

Before upgrading, back up your configuration and parse the webfilter exempt list entries from it. After the upgrade, merge those
entries into the webfilter content list.

After merging the exempt list from v4.0.4 to the webfilter content list

config webfilter content
    edit 1
        config entries
            edit "goodword1"
                set action exempt
                set status enable
            next
            edit "goodword2"
                set action exempt
                set status enable
            next
            edit "badword1"
                set status enable
            next
            edit "badword2"
                set status enable
            next
        end
        set name "BannedWordList"
    next
end
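
The merge step above can be scripted against the backup saved before the upgrade. The following is an added example, not Fortinet tooling: the function names and the sample backup are constructed, and it assumes the upgraded content table keeps the id of the old banned word table and that only the status setting shown in these listings is carried over. It goes one step beyond the text by holding back any exempt word that is also in the banned list, since editing that entry would turn a banned word into an exempt one.

```python
import shlex
# Constructed sample shaped like the v4.0.4 listing above (not a real backup).
SAMPLE_BACKUP = """\
config webfilter bword
    edit 1
        config entries
            edit "badword1"
                set status enable
            next
        end
    next
end
config webfilter exmword
    edit 1
        config entries
            edit "goodword1"
                set status enable
            next
            edit "good word 2"
                set status disable
            next
            edit "badword1"
            next
        end
    next
end
"""

def in_entry(stack, section):  # config <section> / edit <id> / config entries / edit <word>
    return (len(stack) == 4 and stack[0] == ("config", section)
            and stack[2] == ("config", "entries") and stack[3][0] == "edit")

def parse_word_tables(text, section):
    """Return {table_id: [[word, status_or_None], ...]} for 'config <section>'."""
    tables, stack = {}, []
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw) or [""]
        except ValueError:  # unbalanced quote: a line of a multi-line value
            continue
        cmd, args = tok[0], tok[1:]
        if cmd in ("config", "edit") and args:
            stack.append((cmd, " ".join(args)))
            if in_entry(stack, section):
                tables.setdefault(stack[1][1], []).append([args[0], None])
        elif cmd in ("next", "end") and stack:
            stack.pop()
        elif cmd == "set" and args[:1] == ["status"] and len(args) == 2 and in_entry(stack, section):
            tables[stack[1][1]][-1][1] = args[1]
    return tables

def quote(word):  # FortiOS CLI: backslash-escape embedded \ and "
    return '"' + word.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_merge_script(text, table_map=None):
    """Return (cli_text, conflicts) to apply after the upgrade."""
    exempt = parse_word_tables(text, "webfilter exmword")
    banned = parse_word_tables(text, "webfilter bword")
    out, conflicts = ["config webfilter content"], []
    for tid, entries in exempt.items():
        target = (table_map or {}).get(tid, tid)  # assumption: table ids unchanged
        banned_words = {w for w, _ in banned.get(target, [])}
        out += [f"    edit {target}", "        config entries"]
        for word, status in entries:
            if word in banned_words:  # would flip a banned entry to exempt
                conflicts.append((target, word))
                continue
            out += [f"            edit {quote(word)}", "                set action exempt"]
            if status:
                out.append(f"                set status {status}")
            out.append("            next")
        out += ["        end", "    next"]
    return "\n".join(out + ["end"]) + "\n", conflicts
```

Review the returned conflicts by hand before pasting the generated commands into the upgraded unit.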

[VoIP Settings]

FortiOS v4.0 MR2 can archive messages and files caught by the Data Leak Prevention feature, which includes some
VoIP messages. However, in some scenarios this has implications for configuration retention on upgrade. Consider the following:

• FortiGate in v4.0.4 has two protection profiles: PP1 and PP2.
• PP1 contains
    o DLP sensor: DLP1
    o Application control list: APP1 which archives SIP messages
• PP2 contains
    o DLP sensor: DLP1
    o Application control list: APP2 which has content-summary enabled for SIMPLE

Upon upgrading to FortiOS v4.0 MR2 Patch Release 1, the VoIP settings are not moved into the DLP archive feature.

[NNTP DLP Archive]


NNTP content archive settings will be lost after upgrading to FortiOS v4.0 MR2 Patch Release 1.

[EmailFilter Banned Word Setting]


The "set spam-bword-table X" setting under "config firewall profile" will be lost after upgrading from FortiOS
v4.0.4 to FortiOS v4.0 MR2 Patch Release 1.

[HTTPS Invalid Certificate Setting]


The HTTPS "allow-invalid-server-cert" setting under "config firewall profile" will be lost after upgrading from FortiOS
v4.0.4 to FortiOS v4.0 MR2 Patch Release 1.

3.2 Upgrading from FortiOS v4.0 MR1


FortiOS v4.0 MR2 Patch Release 1 officially supports upgrade from the FortiOS v4.0 MR1 Patch Release 4 or later. See the upgrade
path below. The arrows indicate "upgrade to".

[FortiOS v4.0 MR1]


The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0196 or later.

v4.0 MR1 Patch Release 4 B0196 (or later)
          ↓
v4.0 MR2 Patch Release 1 B0279

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DLP Rule]
A DLP rule with subprotocol setting set to 'sip simple sccp' will be lost upon upgrading to FortiOS v4.0 MR2 Patch Release 1.

[HTTPS Invalid Certificate Setting]


The HTTPS "allow-invalid-server-cert" setting under "config firewall profile" will be lost after upgrading from FortiOS
v4.0 MR1 Patch Release 3 B0194 to FortiOS v4.0 MR2 Patch Release 1 B0279.

[AlertMail Setting]
The "set local-disk-usage-warning enable" setting under "config alertemail settings" will be reset to
disable after upgrading to FortiOS v4.0 MR2 Patch Release 1.

[System Autoupdate Settings]


The settings under "config system autoupdate schedule" will get set to default values after upgrading to FortiOS v4.0
MR2 Patch Release 1.


4 Downgrading to FortiOS v4.0 MR1


Downgrading to FortiOS v4.0 MR1 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles


5 Known Issues in FortiOS v4.0 MR2 - Patch Release 1


This section lists the known issues of this release, but is NOT a complete list. For enquiries about a particular bug not
listed here, contact Customer Support.

5.1 Web User Interface


Description: Live netscan status cannot be correctly updated on IE 8 browser if the browser's 'Internet Options' configuration is set to
default setting.
Bug ID: 125344
Status: To be fixed in a future release.
Workaround: Change the IE8 browser setting to: Tools > Internet Options > Browsing History > Settings > 'Every time I visit the
webpage'.


6 Resolved Issues in FortiOS v4.0 MR2 - Patch Release 1


The resolved issues listed below do not include every bug that has been corrected in this release. For inquiries about a
particular bug, contact Customer Support.

6.1 Command Line Interface (CLI)


Description: 'set fp-anomaly' option is not available on some NP2 ports.
Models Affected: FGT-3016B
Bug ID: 122785
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: TTL value range is not displayed for some CLI commands.
Bug ID: 117464
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: 'set nac-quar-expiry' command shows an unexpected error message. The setting is not correctly saved.
Bug ID: 114962
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.2 Web User Interface


Description: Firewall policy disclaimer checkbox cannot be checked when using IE8 browser.
Bug ID: 121950
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Modified System>Network>Interface>Wlan web UI page.
Bug ID: 118328
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Storage quotas cannot be saved from the web UI in non-management VDoms.
Bug ID: 122198
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: User cannot enable application control log setting under UTM > Application Control > Application Control List web
UI.
Bug ID: 121979
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Update appearance of wireless features when wireless option is disabled.
Bug ID: 120849
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Sometimes the 'details' button on the Top Sessions widget does not work.
Bug ID: 122253
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: System > Log and Archive Statistics does not include URLs being blocked by FortiGuard service.
Bug ID: 112066
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: URL filter whitelist only shows one page of URLs even if there are more URLs than what one page can display.
Bug ID: 123160
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: There is no function to change the order of policy routes via web UI.
Bug ID: 123283
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Fix English to Chinese language translation bugs in web UI.
Bug ID: 123245
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: FortiGuard categories are not displayed correctly when language is set to Japanese.
Bug ID: 121122
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: User is unable to edit replacement messages from web UI when using Internet Explorer web browser.
Bug ID: 123920
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Improve interface for Network Vulnerability scan.
Bug ID: 121443
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.3 System
Description: Netscan limits are not defined in the tablesize.
Bug ID: 123268
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Fix rsyslogd memory leak issue.
Bug ID: 122901
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Disk type for SSD disks is reported as ASM-S08:SSD.
Bug ID: 122310
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: VDom administrator may be able to change other VDoms' settings using the 'exe enter' command.
Bug ID: 122642
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Administrator with read-only privilege can delete SSL-VPN login user.
Bug ID: 122655
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: FortiGate does not have CP6 support for AES cipher-suites with SSL 3.0.
Bug ID: 120506
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: FortiManager in GMS mode cannot delete unused object in the FortiGate.
Bug ID: 122596
Status: Fixed in v4.0 MR2 - Patch Release 1.


Description: An 'Unable to proc_mkdir in scsi.c/build_proc_dir_entries<6>scsi7' error message may be
displayed on the console when a USB drive is connected to the FortiGate.
Bug ID: 118893
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Storage object cannot be added for 2nd or later partitions on SAS virtual disks.
Bug ID: 122973
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Log disk size should be included in FGFM message between the FortiGate and FortiManager.
Bug ID: 123097
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: SSL offload does not work to servers running protocols where the server initiates traffic first.
Bug ID: 123204
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Some unexpected messages may get displayed on the FortiGate's console when AV quarantine is enabled.
Bug ID: 122062
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: SpamFilter feature may not work after upgrading to FortiOS v4.0 MR2 if blank lists are being used.
Bug ID: 123402
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: IPS engine does not release the file handler of the signature files after an IPS package update. This may cause a
temporary file to consume a large amount of flash memory.
Bug ID: 121526
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Switching admin-port to web proxy port may cause httpsd to crash.
Bug ID: 123058
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: NP4 interface does not work properly and may encounter frequent Tx timeout.
Bug ID: 123493
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Enhancement in new user and new user group dialog.
Bug ID: 119596
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Kernel crash was encountered when IPS scanning was enabled and stress traffic was passed through the FortiGate.
Bug ID: 123597
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Default and Strict VoIP profiles are missing after upgrading to FortiOS v4.0 MR2.
Bug ID: 122225, 123142
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: NPU code enhancements to make device driver more robust.
Bug ID: 124007
Status: Fixed in v4.0 MR2 - Patch Release 1.


6.4 High Availability


Description: 'Top Viruses' graph for Virtual Cluster 2 does not work.
Bug ID: 96566
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: User should not be allowed to create a VDom named 'global' when HA mode is enabled.
Bug ID: 121785
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Unable to form an HA cluster, with multiple VDoms configured, after upgrading from FortiOS v3.00 B0752 to v4.0
MR1.
Bug ID: 122254
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Switch interface may drop ingressing unicast frames for around 300 seconds after a HA failover.
Models Affected: FGT-110C
Bug ID: 122583
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Banned user list may not synchronize correctly on virtual cluster 2.
Bug ID: 121941
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Enabling and disabling VDoms a few times may cause the master and slave FortiGate to go out-of-sync.
Bug ID: 122044
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: When HA is enabled, orphan system storage objects (those whose underlying partition/disks do not exist anymore) are
not deleted at system init.
Bug ID: 123258
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: New members may fail to join an existing HA cluster if the cluster is handling more than 7 million sessions.
Bug ID: 123290
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Slave FortiGate may randomly stop getting AV and IPS updates. Some error messages may also be displayed on the
console.
Bug ID: 123022
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Slave FortiGate may sometimes use incorrect MAC address while sending out packets using heartbeat interface.
Bug ID: 122515
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: HA session sync does not work in an A-A mode cluster with 3 or more members.
Bug ID: 123301
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.5 Router
Description: Fix high CPU usage and memory leak of nsm routing daemon.
Bug ID: 121774
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.6 Firewall
Description: Changes made to a profile-group do not get applied to the firewall policy.
Bug ID: 122828
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Server load balance VIPs of type HTTP, HTTPS, and SSL incorrectly use the VIP instead of the interface IP for outbound traffic.
Bug ID: 122886
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.7 VPN
Description: IPSec tunnel phase2 may not come up when Xauth client is enabled if the request is received after the phase1 is
established but before Xauth (or Mode Cfg) has completed.
Bug ID: 122378
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: SSL daemon may cause memory leak problems.
Bug ID: 122884
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.8 WAN Optimization


Description: Fix various Wan Opt related issues.
Bug ID: 122546, 122207, 122952
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.9 Web Filter


Description: WebFilter override feature may not work on the secondary virtual cluster in HA mode.
Bug ID: 120614
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: FortiGuard override feature may not work after upgrading to FortiOS v4.0 MR2.
Bug ID: 122332
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: URL filter exempt feature does not work.
Bug ID: 123197
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Web Filter local ratings setting should be per-vdom on web UI.
Bug ID: 122558
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Invalid rating returned by the FortiGuard server should be treated as rating error.
Bug ID: 123418
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: The Web Filter local rating feature does not always rate categories correctly.
Bug ID: 124363
Status: Fixed in v4.0 MR2 - Patch Release 1.


6.10 Antispam
Description: Antispam banned word filter fails to check embedded URLs in HTML email.
Bug ID: 120809
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.11 Data Leak Prevention


Description: DLP fails to do content scanning of infected files.
Bug ID: 120902, 122782
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Content scanning does not work when DLP encrypted rule is enabled.
Bug ID: 123084
Status: Fixed in v4.0 MR2 - Patch Release 1.

6.12 Log & Report


Description: Log entry for IM should be updated to log profile and profile-group correctly.
Bug ID: 120528
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Increase IM archive length for non-English characters.
Bug ID: 121223
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Report quota feature does not work.
Bug ID: 116801
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Log entry for file pattern related logs shows filetype=Unknown.
Bug ID: 120308
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: FortiGate does not properly send log messages with a long URL to the FortiAnalyzer. This may cause
FortiAnalyzer to drop these logs.
Bug ID: 115438
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: IPS log entry may include two blank vd= fields.
Bug ID: 121598
Status: Fixed in v4.0 MR2 - Patch Release 1.

Description: Traffic logs in SQL format cannot be viewed properly in RAW format.
Bug ID: 122215
Status: Fixed in v4.0 MR2 - Patch Release 1.


7 Image Checksums
The MD5 checksums for the firmware images are available at the Fortinet Customer Support
website (https://support.fortinet.com). After login, click on the "Firmware Images
Checksum Code" link in the left frame.

(End of Release Notes.)
