Post on 21-Oct-2015
FortiOS v5.0 Patch Release 1 Release Notes
December 21, 2012
01-501-190082-20121221
Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback techdocs@fortinet.com
Table of Contents
Change Log
Introduction
    Supported models
        FortiGate
        FortiWiFi
        FortiGate Virtual Machine
        FortiSwitch
    Supported virtualization software
    Summary of enhancements
        FortiOS v5.0 Patch Release 1
Special Notices
    General
    Important
        Monitor settings for Web-based Manager access
        Before any upgrade
        After any upgrade
    WAN Optimization
    MAC address filter list
    Spam Filter profile
    Spam Filter Black/White List
    DLP rule settings
    ID-based firewall policy
    FortiGate 100D upgrade and downgrade limitations
Upgrade Information
    Upgrading from FortiOS v5.0.0 GA
        Captive portal
        Reports
        SSL-VPN web portal
        Virtual switch and the FortiGate 100D
    Upgrading from FortiOS v4.0 MR3
        Table size limits
        SQL logging upgrade limitation
        SSL deep-scan
        Profile protocol options
    Downgrading to previous FortiOS version
Product Integration and Support
    Supported web browsers
    FortiClient support
    Fortinet Single Sign-On (FSSO) support
    FortiExplorer support (Windows/Mac OS X/iOS)
    AV Engine and IPS Engine support
    FortiAP support
    FortiSwitch support
    Module support
    SSL-VPN support
        SSL-VPN standalone client
        SSL-VPN web mode
        SSL-VPN host compatibility list
    Explicit Web Proxy browser support
Resolved Issues
    Antispam
    Antivirus
    CLI
    Client reputation
    Device visibility
    DLP
    Endpoint control
    Firewall
    FortiGate VM
    GTP
    High Availability
    IPS
    IPsec VPN
    Log & Report
    Routing
    Source visibility
    SSL-VPN
    System
    Upgrade
    VoIP
    WAN optimization and webproxy
    Web-based Manager
    Web Filter
    WiFi
Known Issues
    Antivirus
    Firewall
    FSSO
    High Availability
    IPS
    IPsec VPN
    Log & Report
    SSL-VPN
    System
    Web-based Manager
    WiFi
    Upgrade
Limitations
    Add Device Access List
Image Checksum
Change Log
Date Change Description
2012-12-21 Initial release.
Introduction
This document provides installation instructions, integration, support, and resolved/known
issues in FortiOS v5.0 Patch Release 1 build 0147.
Supported models
The following models are supported on FortiOS v5.0 Patch Release 1.
FortiGate
FG-20C, FG-20C-ADSL-A, FG-40C, FG-60C, FG-60C-PoE, FG-80C, FG-80CM, FG-100D,
FG-110C, FG-111C, FG-200B, FG-200B-PoE, FG-300C, FG-310B, FG-310B-DC, FG-311B,
FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B,
FG-3040B, FG-3140B, FG-3240C, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B,
and FG-5101C.
FortiWiFi
FWF-20C, FWF-20C-ADSL-A, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A,
FWF-80CM, and FWF-81CM.
FortiGate Virtual Machine
FG-VM32 and FG-VM64.
FortiSwitch
FS-5203B
Supported virtualization software
The following virtualization software is supported on FortiOS v5.0 Patch Release 1.
• vSphere 4.0, 4.1, and 5.0
See http://docs.fortinet.com/fgt.html for additional documentation on FortiOS v5.0 Patch
Release 1.
Summary of enhancements
FortiOS v5.0 Patch Release 1
The following is a list of enhancements in FortiOS v5.0 Patch Release 1:
• Add new drill-downs for the top sessions widget
• Add new Endpoint Control feature activities in the log
• Add PING server on FG-20C/FWF-20C devices
• Add support for IKEv2 configuration payload
• Addition of sort and filter functions for Web-based Manager pages
• Allow the identity base policy to spill over
• Device policy improvements
• Disk log settings returned
• Endpoint control: FortiClient logging (GUI)
• Endpoint registration over SSL-VPN tunnel mode
• Extend SIP helper for MSRP supporting MSRP NAT
• FortiClient endpoint control over IPsec VPN support
• FortiCloud certificate activation
• FortiSwitch Controller on FG-100D
• HA support for BYOD feature
• One-time schedule alert expiration
• Separate SSL/SSH deep inspection profile
• Schedule the rogue AP background scan
• Simplified client reputation configuration
• Support USB encrypted configuration file
• Support WiFi DFS models for Japan/Korea
• WIDS profile Web-based Manager support
Not all features/enhancements listed above are supported on all models.
Special Notices
General
The TFTP boot process erases all current firewall configuration and replaces it with the factory
default settings.
Important
Monitor settings for Web-based Manager access
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for
all the objects in the Web-based Manager to be viewed properly.
Before any upgrade
Save a copy of your FortiGate unit configuration (including replacement messages) prior to
upgrading.
After any upgrade
If you are using the Web-based Manager, clear the browser cache prior to login on the FortiGate
to ensure the Web-based Manager screens are displayed properly.
The virus and attack definitions included with the image upgrade may be older than what
currently is available from FortiGuard. Fortinet recommends performing an Update Now (System
> Config > FortiGuard > AntiVirus and IPS Options) as soon as possible after upgrading.
Consult the FortiOS Handbook/FortiOS Carrier Handbook for detailed procedures.
WAN Optimization
In FortiOS 5.0, WAN Optimization is enabled in security policies and WAN Optimization rules are
no longer required. Instead of adding a security policy that accepts traffic to be optimized and
then creating WAN Optimization rules to apply WAN Optimization, in FortiOS v5.0 you create
security policies that accept traffic to be optimized and enable WAN Optimization in those
policies. WAN Optimization is applied by WAN Optimization profiles which are created
separately and added to WAN Optimization security policies.
MAC address filter list
The mac-filter command under the config wireless-controller vap setting is not
retained after upgrading to FortiOS v5.0 Patch Release 1. It is migrated into both the
config user device and config user device-access-list settings.
Spam Filter profile
The spam filter profile has been changed in FortiOS v5.0 Patch Release 1. The
spam-emaddr-table and spam-ipbwl-table have been merged into the
spam-bwl-table. The spam-bwl-table exists in the spam filter profile.
Spam Filter Black/White List
The config spamfilter emailbwl and config spamfilter ipbwl commands are
combined into config spamfilter bwl.
DLP rule settings
The config dlp rule command is removed in FortiOS v5.0 Patch Release 1. The DLP rule
settings have been moved to inside the DLP sensor.
ID-based firewall policy
If the user has enabled fall-through-unauthenticated in the identity-based policy, the
following logic will apply:
• For unauthenticated users: if none of the accepted policies are matched and an
identity-based policy has been hit, the normal authentication process will be triggered based
on specific settings.
• For authenticated users: if an identity-based policy is matched, then the traffic will be
controlled by this policy. If none of the sub-rules are matched, the traffic will get dropped.
To enable/disable fall-through-unauthenticated in the identity-based policy, enter the
following in the CLI:
config firewall policy
    edit <id>
        set identity-based enable
        set fall-through-unauthenticated [disable|enable]
    next
end
FortiGate 100D upgrade and downgrade limitations
With the release of FortiOS v5.0.0 GA and later, the FortiGate 100D runs a 64-bit version of
FortiOS. This has introduced certain limitations on upgrading and downgrading firmware in an
HA environment.
When upgrading from a 32-bit FortiOS version to a 64-bit FortiOS version on FortiGate 100Ds
running in a HA environment with uninterruptable-upgrade enabled, the upgrade process
may fail on the primary device after the subordinate devices have been successfully upgraded.
To work around this situation, users may disable the uninterruptable-upgrade option to allow all
HA members to be successfully upgraded. Without the uninterruptable-upgrade feature
enabled, several minutes of service unavailability are to be expected.
Downgrading a FortiGate 100D from FortiOS v5.0.0 GA is not supported due to technical
limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to downgrade
firmware is by using the TFTP server and BIOS menu to perform the downgrade. In this case the
configuration will need to be restored from a previously backed up version.
Upgrade Information
Upgrading from FortiOS v5.0.0 GA
FortiOS v5.0 Patch Release 1 build 0147 officially supports upgrade from FortiOS v5.0.0 GA.
Captive portal
The captive portal configuration has been altered in FortiOS v5.0 Patch Release 1 and upon
upgrading the previous configuration may be lost or changed. Review the following
configuration examples before upgrading.
Endpoint control
The following examples detail an endpoint control configuration to allow all compliant Windows
and Mac OS X computers network access. All non-compliant computers will be sent to the
captive portal.
Example FortiOS v5.0.0 GA configuration:
edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices "windows-pc" "mac"
            set endpoint-compliance enable
        next
        edit 2
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices all
            set action capture
            set devices "windows-pc" "mac"
            set captive-portal forticlient-compliance-enforcement
        next
    end
next
In FortiOS v5.0 Patch Release 1, the configuration has changed. Notice that sub-policy 2 has
been removed. The new set forticlient-compliance-enforcement-portal enable
and set forticlient-compliance-devices windows-pc mac CLI commands have
been added to the master policy.
Example FortiOS v5.0 Patch Release 1 configuration:
edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set forticlient-compliance-enforcement-portal enable
    set forticlient-compliance-devices windows-pc mac
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "abc"
            set service "ALL"
            set devices "windows-pc" "mac"
            set endpoint-compliance enable
        next
    end
next
After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If
this occurs, you have to enter the following CLI commands:
set forticlient-compliance-enforcement-portal enable
set forticlient-compliance-devices windows-pc mac
Device detection
The following examples detail a device detection configuration to allow Android, Blackberry,
and iPhone devices network access. The captive portal is used to optionally learn the device
type, or send back a replacement message if device type cannot be determined.
Example FortiOS v5.0.0 GA configuration:
edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices "android-phone" "blackberry-phone" "ip-phone"
        next
        edit 2
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices all
            set action capture
            set captive-portal device-detection
        next
    end
next
In FortiOS v5.0 Patch Release 1, the configuration has been changed. Notice that sub-policy 2
has been removed. The new set device-detection-portal enable CLI command has
been added to the master policy.
Example FortiOS v5.0 Patch Release 1 configuration:
edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set device-detection-portal enable
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "abc"
            set service "ALL"
            set devices "android-phone" "blackberry-phone" "ip-phone"
        next
    end
next
After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If
this occurs, you have to enter the following CLI command:
set device-detection-portal enable
Email collection
The following examples detail an email collection configuration that allows network access
for all devices for which an email address has been collected. Any device for which an email
address has not been collected is directed to the captive portal.
Example FortiOS v5.0.0 GA configuration:
edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices email-collection
        next
        edit 2
            set schedule "always"
            set dstaddr "all"
            set service "ALL"
            set devices all
            set action capture
            set captive-portal email-collection
        next
    end
next
In FortiOS v5.0 Patch Release 1, the configuration has been changed. Notice that sub-policy 2
has been removed and the new set email-collection-portal enable has been added
to the master policy.
Example FortiOS v5.0 Patch Release 1 configuration:
edit 3
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set action accept
    set email-collection-portal enable
    set identity-based enable
    set identity-from device
    set nat enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set dstaddr "abc"
            set service "ALL"
            set devices all
        next
    end
next
After the upgrade, you may experience a configuration loss with the removal of sub-policy 2. If
this occurs, you have to enter the following CLI command:
set email-collection-portal enable
Reports
Before you run a report after upgrading to v5.0 Patch Release 1, you must enter the following
CLI commands on console:
execute report-config reset
This will reset report templates to the factory default.
All changes to the default report will be lost!
Do you want to continue? (y/n)y
Report configuration was reset to the factory default.

execute report recreate-db
This will recreate the report database from the log database.
Do you want to continue? (y/n)y
Request to recreate report database is successfully sent.
SSL-VPN web portal
For FortiGate 60C variants and lower models, only one SSL-VPN web portal is retained after
upgrading to FortiOS v5.0 Patch Release 1.
Virtual switch and the FortiGate 100D
The name Virtual Switch is used by different objects on the Web-based Manager and the CLI.
On the Web-based Manager Virtual Switch refers to an interface type and is used for the
FortiSwitch Controller feature. This instance of Virtual Switch maps to the CLI command
config switch-controller vlan.
The second instance of Virtual Switch, the CLI command config system virtual-switch, is used
to configure the hardware switch. This command maps to the Web-based Manager Hardware
Switch interface type.
Upgrading from FortiOS v4.0 MR3
FortiOS v5.0 Patch Release 1 build 0147 officially supports upgrade from FortiOS v4.0 MR3
Patch Release 10 or later.
Table size limits
FortiOS v5.0 Patch Release 1 has changed the maximum allowable limits on some objects. As a
result, the configuration for some objects may be lost. These include:
• dlp sensor
• firewall vip
• application list
• dlp sensor filter
• ips sensor
SQL logging upgrade limitation
For the following units, after upgrading to FortiOS v5.0 Patch Release 1, SQL logging will be
retained based on the total size of the RAM available on the device. Logs will use up to a
maximum of 10% of the RAM; once that threshold is passed, any new logs will start to overwrite
the older logs. The historical report generation will also be affected based on the SQL logs that
are available for query.
FG-100D and FG-300C
SSL deep-scan
A new SSL/SSH inspection option is introduced to include all SSL protocols. The protocol status
in SSL/SSH inspection will default to disable for the SSL protocols. The SSL/SSH inspection
options should be modified to enable the SSL protocols wherever inspection is required.
Before upgrade
• The AntiVirus, Web Filter, and Antispam profiles had separate protocol settings for the SSL
and non-SSL protocols.
• For HTTPS deep-scanning to be done, deep-scan needed to be enabled for HTTPS in the
UTM proxy options.
After upgrade
• The settings for the SSL protocols in the AntiVirus, Web Filter, and Antispam profiles have
been removed. Instead, the non-SSL options will apply to both the SSL and non-SSL
versions of each protocol. The SSL/SSH inspection options now include an enable/disable
option for each protocol. This is used to control which protocols are scanned and which
SSL-enabled protocols are decrypted.
• To use HTTPS non-deep (SSL handshake) inspection, HTTPS needs to be enabled in the
SSL/SSH inspection options. A Web Filter profile with https-url-scan enabled needs to
be applied in the policy with the SSL/SSH inspection options. The Web Filter profile option
changes the inspection mode to non-deep scan. AV will not be performed if this option is
enabled. The Web Filter profile option does not apply if SSL inspect-all is enabled in the
SSL/SSH inspection options.
Behavior
• After upgrade, all the SSL related settings in the AntiVirus, Web Filter, and Antispam profiles
will be lost. The non-SSL settings will be retained and applied to the related SSL protocols if
they are enabled in the SSL/SSH inspection options. The protocol status in the SSL/SSH
inspection options will default to enable for the non-SSL protocols and will default to disable
for the SSL protocols. The SSL/SSH inspection options should be modified to enable the
SSL protocols wherever inspection is required.
• Any profiles requiring non-deep HTTPS inspection will need to be modified to include a Web
Filter profile and SSL/SSH inspection options with the settings as described above. The
original HTTPS deep-scan settings will be lost upon upgrade.
Profile protocol options
Deep inspection status configurations are not retained for FTPS/IMAPS/POP3S/SMTPS after
upgrading from FortiOS v4.3 MR3.
Example FortiOS v4.3 MR3 configuration:
config firewall profile-protocol-options
    edit "default"
        set comment "all default services"
        config http
            set port 80
            set port 8080
            set options no-content-summary
            unset post-lang
        end
        config https
            set port 443
            set port 8443
            set options allow-invalid-server-cert
            unset post-lang
            set deep-scan enable
        end
        config ftp
            set port 21
            set options no-content-summary splice
        end
        config ftps
            set port 990
            set options no-content-summary splice
            unset post-lang
        end
        config imap
            set port 143
            set options fragmail no-content-summary
        end
        config imaps
            set port 993
            set options fragmail no-content-summary
        end
        config pop3
            set port 110
            set options fragmail no-content-summary
        end
        config pop3s
            set port 995
            set options fragmail no-content-summary
        end
        config smtp
            set port 25
            set options fragmail no-content-summary splice
        end
        config smtps
            set port 465
            set options fragmail no-content-summary splice
        end
        config nntp
            set port 119
            set options no-content-summary splice
        end
    next
end
Example FortiOS v5.0 Patch Release 1 configuration:
config firewall profile-protocol-options
    edit "default"
        set comment "all default services"
        config http
            set ports 80 8080
            set options no-content-summary
            unset post-lang
        end
        config ftp
            set ports 21
            set options no-content-summary splice
        end
        config imap
            set ports 143
            set options fragmail no-content-summary
        end
        config mapi
            set ports 135
            set options fragmail no-content-summary
        end
        config pop3
            set ports 110
            set options fragmail no-content-summary
        end
        config smtp
            set ports 25
            set options fragmail no-content-summary splice
        end
        config nntp
            set ports 119
            set options no-content-summary splice
        end
        config dns
            set ports 53
        end
    next
end
config firewall deep-inspection-options
    edit "default"
        set comment "all default services"
        config https
            set ports 443 8443
            set allow-invalid-server-cert enable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
    next
end
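The upgrade notes above (captive portal sub-policies, merged or removed commands, and SSL inspection status) can be checked against a configuration backup before upgrading. The following Python audit is an added example, not Fortinet code and not part of the original release notes; it walks the config/edit nesting and flags the settings this document says are lost or changed. The sample backup, the object name "guest" and the exact form `set mac-filter enable` are assumptions made for illustration.

```python
# Added example, not Fortinet code. Mappings below are taken from the release notes.
PORTAL_REPLACEMENT = {  # captive-portal type -> master-policy command
    "forticlient-compliance-enforcement":
        "set forticlient-compliance-enforcement-portal enable",
    "device-detection": "set device-detection-portal enable",
    "email-collection": "set email-collection-portal enable",
}
CHANGED_COMMANDS = {  # commands merged or removed in Patch Release 1
    "spamfilter emailbwl": "combined into 'config spamfilter bwl'",
    "spamfilter ipbwl": "combined into 'config spamfilter bwl'",
    "dlp rule": "removed; DLP rule settings move inside the DLP sensor",
}
SSL_MAIL_FTP = {"ftps", "imaps", "pop3s", "smtps"}
POLICY = "config firewall policy"
SUBPOLICY = "config identity-based-policy"
PROTO_OPTS = "config firewall profile-protocol-options"
VAP = "config wireless-controller vap"


def audit(config_text):
    """Return (location, message) findings for one configuration backup."""
    findings, stack = [], []  # stack holds the open blocks, outermost first
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or backup header comment
        verb, args = tokens[0], [t.strip('"') for t in tokens[1:]]
        where = " > ".join(stack)
        if verb == "config":
            name = " ".join(args)
            if name in CHANGED_COMMANDS:
                findings.append(("config " + name, CHANGED_COMMANDS[name]))
            if name in SSL_MAIL_FTP and PROTO_OPTS in stack:
                findings.append((where + " > config " + name,
                                 "deep inspection status is not retained; it "
                                 "defaults to 'set status disable' after upgrade"))
            stack.append("config " + name)
        elif verb == "edit":
            stack.append("edit " + " ".join(args))
        elif verb == "next":
            if stack and stack[-1].startswith("edit "):
                stack.pop()
        elif verb == "end":
            # Drop any entry left open, then the enclosing config block.
            while stack and stack.pop().startswith("edit "):
                pass
        elif verb == "set" and args:
            key, value = args[0], " ".join(args[1:])
            if key == "captive-portal" and POLICY in stack and SUBPOLICY in stack:
                parent = stack[stack.index(POLICY) + 1]
                fix = PORTAL_REPLACEMENT.get(value)
                detail = (f"if lost, re-enter under '{parent}': {fix}" if fix
                          else f"unrecognised portal type '{value}', review by hand")
                findings.append((where, "capture sub-policy is removed on upgrade; " + detail))
            elif key == "deep-scan" and value == "enable" and PROTO_OPTS in stack:
                findings.append((where, "HTTPS deep-scan setting is lost; enable "
                                        "HTTPS in the SSL/SSH inspection options"))
            elif key.startswith("mac-filter") and VAP in stack:
                findings.append((where, "mac-filter is not retained; migrated to "
                                        "'config user device' and 'config user device-access-list'"))
    return findings


# Constructed sample backup; "guest" and the 'set mac-filter enable' form are assumptions.
SAMPLE = """\
config wireless-controller vap
    edit "guest"
        set mac-filter enable
    next
end
config firewall policy
    edit 3
        config identity-based-policy
            edit 2
                set action capture
                set captive-portal email-collection
            next
        end
    next
end
config firewall profile-protocol-options
    edit "default"
        config https
            set deep-scan enable
        end
        config smtps
        end
    next
end
config dlp rule
end
"""

if __name__ == "__main__":
    for location, message in audit(SAMPLE):
        print(f"{location}: {message}")
```
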
Downgrading to previous FortiOS version
Downgrading to previous FortiOS versions results in configuration loss on all models. Only the
following settings are retained:
• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system access profiles.
Product Integration and Support
Supported web browsers
• Microsoft Internet Explorer 8 and 9
• Mozilla Firefox 15.0 and 16.0
• Google Chrome 22.0
FortiClient support
FortiOS v5.0 Patch Release 1 is supported by the following:
• FortiClient for Windows build 0194
• FortiClient for Mac OS X build 0081
Fortinet Single Sign-On (FSSO) support
FortiOS v5.0 Patch Release 1 is supported by FSSO v4.0 MR3 B0129 for the following:
• Microsoft Windows Server 2003 R2 32-bit
• Microsoft Windows Server 2003 R2 64-bit
• Microsoft Windows Server 2008 32-bit
• Microsoft Windows Server 2008 Server 64-bit
• Microsoft Windows Server 2008 R2 64-bit
• Novell eDirectory 8.8
IPv6 is not currently supported by FSSO.
FortiExplorer support (Windows/Mac OS X/iOS)
FortiOS v5.0 Patch Release 1 is supported by FortiExplorer 2.1.1038 for Windows and Mac OS
X.
FortiOS v5.0 Patch Release 1 is supported by FortiExplorer v1.0.3.0109 for iOS.
AV Engine and IPS Engine support
FortiOS v5.0 Patch Release 1 is supported by AV Engine 5.00032 and IPS Engine 2.00043.
FortiAP support
FortiOS v5.0 Patch Release 1 supports the following FortiAP models:
FAP-11C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and
FAP-320B
The FortiAP device must be running FortiAP v5.0.0 GA build 0021 or later.
FortiSwitch support
FortiOS v5.0 Patch Release 1 supports the following FortiSwitch models:
FS-348B
The FortiSwitch device must be running FortiSwitch v1.00 Patch Release 2 build 4030.
Module support
FortiOS v5.0 Patch Release 1 supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine
Card (FMC), Rear Transition Module (RTM), and Fortinet Storage Module (FSM) removable
modules. These modules are not hot swappable. The FortiGate unit must be turned off before a
module is inserted or removed.
Table 1: Supported modules
AMC/FMC/FSM/RTM Module | FortiGate Platform
Storage Module 500GB HDD Single-Width AMC (ASM-S08) | FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, FG-5001A
Storage Module 64GB SSD Fortinet Storage Module (FSM-064) | FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B
Accelerated Interface Module 4xSFP Single-Width AMC (ASM-FB4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Accelerated Interface Module 2x10-GbE XFP Double-Width AMC (ADM-XB2) | FG-3810A, FG-5001A
Accelerated Interface Module 8xSFP Double-Width AMC (ADM-FB8) | FG-3810A, FG-5001A
Bypass Module 2x1000 Base-SX Single-Width AMC (ASM-FX2) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Bypass Module 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4) | FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A
Security Processing Module 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4) | FG-1240B, FG-3810A, FG-3016B, FG-5001A
Security Processing Module 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2) | FG-3810A, FG-5001A
Security Processing Module 4x10-GbE SFP+ Double-Width AMC (ADM-XD4) | FG-3810A, FG-5001A
Security Processing Module 8xSFP SP2 Double-Width AMC (ADM-FE8) | FG-3810A
Rear Transition Module 10-GbE backplane fabric (RTM-XD2) | FG-5001A
Security Processing Module (ASM-ET4) | FG-310B, FG-311B
Rear Transition Module 10-GbE backplane fabric (RTM-XB2) | FG-5001A
Security Processing Module 2x10-GbE SFP+ (FMC-XG2) | FG-3950B, FG-3951B
Accelerated Interface Module 2x10-GbE SFP+ (FMC-XD2) | FG-3950B, FG-3951B
Accelerated Interface Module 20xSFP (FMC-F20) | FG-3950B, FG-3951B
Accelerated Interface Module 20x10/100/1000 (FMC-C20) | FG-3950B, FG-3951B
Security Processing Module (FMC-XH0) | FG-3950B
SSL-VPN support
SSL-VPN standalone client
FortiOS v5.0 Patch Release 1 supports the SSL-VPN tunnel client standalone installer build
2281 for the following:
• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X 10.7 in .dmg format
• Virtual Desktop in .jar format for Windows 7.
Table 2: Supported operating systems
Windows: Windows 7 32-bit, Windows 7 64-bit
Linux: CentOS 5.6
Mac OS X: Mac OS X 10.7 (Lion)
Virtual Desktop Support: Windows 7 32-bit Service Pack 1
SSL-VPN web mode
The following table lists the operating systems and browsers supported by SSL-VPN web
mode.
Table 3: Supported browsers and operating systems
Operating System | Browser
Windows 7 32-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12
Windows 7 64-bit Service Pack 1 | Internet Explorer 8, Internet Explorer 9, and Firefox 12
CentOS 5.6 | Firefox 3.6
Mac OS X 10.7 (Lion) | Safari 5.1
SSL-VPN host compatibility list
The following tables list the AntiVirus and Firewall client software packages that are supported.
Table 4: Supported Windows XP AntiVirus and Firewall software
Product AntiVirus Firewall
Symantec Endpoint Protection v11
Kaspersky AntiVirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009
Table 5: Supported Windows 7 32-bit and 64-bit AntiVirus and Firewall software
Product AntiVirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0
Explicit Web Proxy browser support
The following browsers are supported by the Explicit Web Proxy feature:
• Internet Explorer 8 and 9
• Mozilla Firefox 15.0 and 16.0
Resolved Issues
The resolved issues listed below do not list every bug that has been corrected with this release.
For inquiries about a particular bug, please contact Customer Support.
Antispam
Table 6: Resolved antispam issues
Bug ID Description
154340 Proxy worker crashes with signal 7 on emails.
178515 The Hotmail general email log "to" and "cc" fields include double quotations.
185152 FortiGuard Spam IP address check does not work over SMTP and SMTPS.
189889 The scanunit process crashed when MMS endpoint BWL check was
enabled.
Antivirus
Table 7: Resolved antivirus issues
Bug ID Description
176174 ETDB is erased and set default_db as ex. (Build 0080)
184584 avengine scanmode issue on 64-bit platforms.
187648 ETDB version is 0 after update-av and FLDB update is unexpected. (Build
0127)
CLI
Table 8: Resolved CLI issues
Bug ID Description
185946 Lots of pop up errors from console. (Build 4890)
190782 A combination of PARSE_F_MULARG and PARSE_F_SKIP causes the CLI to
behave incorrectly.
191061 Create a new diag test command for fdsmgmtd.
Client reputation
Table 9: Resolved client reputation issues
Bug ID Description
184435 diagnose client-reputation test related CLI comments do not work.
187627 Missing crscore/craction in the host-detail for a failed
connection/blocked policy.
187686 sql_db ioerror can cause a reputation data update to fail.
Device visibility
Table 10: Resolved device visibility issues
Bug ID Description
189181 Add a new pre-defined device group for Windows tablets.
DLP
Table 11: Resolved DLP issues
Bug ID Description
145588 The DLP log of a file pattern has the wrong file field with an HTTP POST
request.
175582 The Archive and DLP monitor is unresponsive when report by protocol
is selected.
187307 Check dlp file type filter is not selectable with message.
Endpoint control
Table 12: Resolved endpoint control issues
Bug ID Description
187048 FortiGate devices renew the Endpoint License expiry time when FortiClient is
offline.
188259 Need to enforce disabling broadcast-forticlient-discovery when
listen-forticlient-connection is disabled.
190985, 190994 When copying and pasting a FortiClient configuration into
advanced-cfg-buffer, an application firewall rule list is required.
191040, 191052 Support multiple endpoints which have the same IP (from different VDOMS) in
Endpoint Control record table.
191092 Allow FortiClient license upgrade feature on FG-110C and FG-111C.
191345 FortiGate will deny the traffic from a registered FortiClient over SSL-VPN.
Firewall
Table 13: Resolved firewall issues
Bug ID Description
156726 HTTPS SSL deep-scan download stalls at 99%.
163589 Management login support for RADIUS Challenge-Response.
167304 Control concurrent user authentication in identity-based-policy.
174101 Move auth-lockout to VDOM and add enable/disable commands.
180372 Device policy and explicit proxy should be mutually exclusive in the
Web-based Manager and CLI.
183325 The multicast policy set protocol in CLI will not display any default values,
the Web-based Manager displays default values correctly.
184312 High CPU usage by proxyworker process, along with multiple signal 11
segmentation faults.
184375 Uploads are interrupted by FortiGate devices with the load balancer feature
enabled.
186588 DLP, AV, and Web Filter sometimes do not work when inspect-all is
enabled.
186836 Re-enabling the UTM status of a firewall policy can result in all UTM options
disappearing.
187125 Load balance health check monitor port change after reboot.
187131 Changing the members of a service group does not immediately affect a
policy.
187202 The TLS connection cannot be completed. A method is required to control for
TLS decryption.
187549 DCE-RPC high port assignment is not allowed when using Microsoft SCOM
2012.
188039 Firewall multicast policy source NAT does not work.
188975 In user visibility, Kerberos authentication takes higher priority than FSSO
authentication.
189067 Driver fix for traffic failure reported from production and IQC.
189876 Support the SSL next-proto-negotiation extension.
190636 The connection will be reset if a client requests TLSv1.2 but the server
chooses TLSv1.1 or below when SSL deep scan is enabled.
190776 Firewall policy can be set without service with the action IPsec or deny.
190990, 191585 System crashed showing ehci_hcd fatal errors.
191050 Handle HTTP connection upgrade in transparent proxy to support WebSocket
traffic.
191171, 191319 FortiSwitch-controller configuration bug fix.
191471 FCT-Access once enabled on an interface will implicitly open port 8010 on all
interfaces in the same VDOM.
191570 FSSO_Guest_User group does not work for ID-based policy.
191606 all service prot_type is not set.
151728, 174277, & 177976 UTM Web and Email monitor statistic recording.
FortiGate VM
Table 14: Resolved FortiGate VM issues
Bug ID Description
186173 FortiGate-VM64.hw07.vmxnet2.ovf and FortiGate-VM.hw07_vmxnet2.ovf
cannot support HA.
186809 The FortiClient license support for FG-VM01 should be 1000.
186809, 186810, 190416 Set VM license levels for limiting python processes and FortiClient licenses.
186810 FG-VM00 should not have the Enter License option for the FortiClient
Registration License.
190416 FG-VM is constantly in conserve mode.
GTP
Table 15: Resolved GTP issues
Bug ID Description
172442 MMS profile alert-int parameter missing.
High Availability
Table 16: Resolved high availability issues
Bug ID Description
153089 Automatic backup configuration bug in HA mode.
156040 Redundant HA in-sync log messages.
185272 When displaying a log message in a slave event log, the slave clock is
adjusted to an invalid time.
185628 Part of the session information is not synchronized correctly under HA
Active-Active mode when a device based firewall policy is configured.
186053 All heartbeat links fail simultaneously, triggered by traffic.
186681 The VLAN interface has the HA MAC address on both cluster members, after
vcluster failover.
186788 Bulk CLI scripts cannot synchronize to a slave FortiGate if there is a comment
on the script.
187026 A new HA cluster slave cannot synchronize an IPsec VPN tunnel from its
master after synchronizing both sides.
187090 The slave log cannot be sent to a FortiAnalyzer when first forming the HA
cluster.
187091 The master does not forward the slave's log to FortiAnalyzer in a multi VDOM
environment when the new member has VDOMs configured.
187263 A FortiGate slave has cw_acd and cmdbsvr process crashes when
synchronizing its configuration.
187424 The configuration cannot synchronize between the master and slave.
187430 A FG-100D device configured as HA master experienced a kernel crash and
rebooted by itself.
187994 src-vis daemon crashes on the slave.
188912 Devices cannot get updates when configured in HA.
190223 Existing sessions hang after HA failover, when using FSSO authentication and
disclaimer.
190237 Changing firewall policy attributes does not cause the checksum to change.
191144 The HA management interface cannot be configured and the newcli daemon
crashed.
191692 The FortiGate device fails to send a FortiToken mobile activation code when a
unit is operating in HA.
IPS
Table 17: Resolved IPS issues
Bug ID Description
170316 The proxyworker process will crash under SSH protocol fuzzing.
184016 IPS DoS log is different for an XLP offload with the CPU processed.
190637 Do not show fail open if IPS is busy due to signature or configuration change.
IPsec VPN
Table 18: Resolved IPsec VPN issues
Bug ID Description
176133 NPU offload does not work with IPsec VPN IPv6.
178665 L2TP over IPsec client cannot ping to internal network if the FortiGate has
PPPoE WAN connection.
182017 A FortiGate PPTP client using PAP fails.
182910 The IPsec monitor shows the wrong user name for a dialup VPN with RSA
aggressive mode.
183382 Invalid ESP packets are regularly generated.
183638 VPN DDNS gateway cache conflicts causing high IKED CPU usage.
184463 IPv6 traffic is lost when passed through an IPsec VPN with NP4 fast-path
enabled.
186975 Enabling transparent mode npu-offload in IPsec phase1 could not force
traffic to offload.
190405 IKEv2 DPD failure which brings down the tunnel when the peer was still
reachable.
190752 iPhone 5 IPsec VPN connection issues.
190763 L2TP over IPSec issue with Chrome OS.
191229 Delete notify sent issue when IPsec SA hard expires.
Log & Report
Table 19: Resolved log & report issues
Bug ID Description
121065 log-disk-quota in global resource and vdom-property can be set
smaller than the sum of quota in log disk setting. (Build 0101)
153210 ICMP6 is logged as others in the traffic log.
161048 When the schedule is set to weekly, Traffic History by Bandwidth/Sessions are
empty.
163808 Cannot show the value of NIDS_EVENT in alertmail. (Build 0105)
168405 The quarantine archive tab loads in the Web-based Manager.
169215 Cannot send a slave log to FortiCloud.
172636 Logging of HTTP POST command blocking in Web Filtering.
173614 The spam filter log subject field is blank.
178128 Add the subject field to the DLP log.
181291 The log quota of VDOMs can exceed the size of the disk.
181391 If keeping bps as the unit, the correct number should be 8 times the current
number.
183447 Add extended-utm-log to VoIP.
184465 The modem event log has the wrong format.
184875 The Web-based Manager should show the VOIP log.
185209 The traffic log is generated when utm-incident-traffic-log and
log-traffic are both disabled.
185916 The ID field name in the DHCP log should be changed.
185949 No IPS incidents are in the traffic log; the report and client reputations do not
have the related charts.
186280 A false alertmail email is sent out when HA status changes is enabled.
186362 Cannot add custom charts.
186918 Alertmail shows Failed to send alert email in logs, but the message has
actually been sent.
187003 There is no invalid log for failed connection attempt cause; it fails to track the
related client reputation.
187505 The reportd daemon has a signal 11 crash when a report is run manually.
187567 The IPMC-sensor log has illegal characters and the system log cannot be
displayed in the Web-based Manager.
188002 Logs still use daylight savings time.
188038 The scheduled upload for dlp-archive does not work.
188117 DLP archive upload to FortiAnalyzer does not work when the upload option is
store-and-upload.
188126 The log is deleted and there is a false emergency event log when usage is very
low.
188144 The Top web users by bandwidth chart needs to be re-sized.
188199 There should be an event log when a scheduled update succeeds.
188326 The FG-100D receives a Failed to create statement for INSERT INTO apps
error message after formatlogdisk.
188420, 190116 Generate an event log entry when connecting to a modem successfully.
188734 Traffic log is inconsistent after test AV sample. (Build 0131)
188854 UTM incident traffic logs are confusing when they match multiple UTM
profiles. This causes the report and reputation to be incorrect.
188958 The miglogd daemon crashed when handling an abnormal log file. (Build
0130)
189785 Need to add crscore/craction to the traffic logs sent to FortiAnalyzer.
190519 Show FortiCloud log upload progress. (Build 0137)
190553 DLP PDF font handling issue from Ubuntu PDF generator.
190913 forticldd daemon usage issue, CPU is at 99%.
191106 Purge disk log after 7 days by default.
191245 Pause before attempting to connect to FortiCloud after an unsuccessful
attempt.
Routing
Table 20: Resolved routing issues
Bug ID Description
176314 OSPF Hello uses a 32-bit netmask even if the tunnel interface IP has a smaller
bitmask.
182783 The gateway of static route is its own address and should not be allowed or
not be shown in routing table.
184378 The password function of IPv6 BGP neighbor does not work.
185808 PIM-SSM Multicast stream is PRUNED while other IGMPv3 receivers are still
present.
188201 A four byte AS number is shown as '-1' in aggregate routes 'aggregated by'.
188470, 188480 Delete the detectserver option of fail-detect-option in transparent mode and
add host name check for gwdetect server name.
188645 IPv6 address on FWF-60CM interface cannot be pingable when the routing
path is asymmetric. (Build 0128)
190671 Make regexp "^$" work for locally originated BGP routes.
Source visibility
Table 21: Resolved source visibility issues
Bug ID Description
185512 The KDC-REQ user name is not recorded when user visibility is enabled.
SSL-VPN
Table 22: Resolved SSL-VPN issues
Bug ID Description
133510 No SSL-VPN tunnel plugin is available for 64-bit web browsers.
181139 Cannot open a JSP object in SSL web mode.
182464 The SSL-VPN tunnel widget does not work in the web mode portal on
Windows 8 with Internet Explorer 10.
183875 There is an SMB/CIFS operation error in the SSL-VPN web portal.
184140 The RDP login screen is not displayed in full screen mode with SSL-VPN in
web mode.
184285 Add the FortiClient download widget to the SSL-VPN web portal.
185359 Failed to create an SSL-VPN policy with the wizard because sslvpn-portal is
not set.
187320 When a user logs out of SSL-VPN web mode from Fortinet bar they are
redirected to an incorrect page.
187822 The SSL-VPN portal idle timeout does not work with Fortinet Bar enabled.
188048 The web mode SSL-VPN daemon crashes when the firewall policy address
type is FQDN.
188083 The SSL daemon crashes when accessing the FortiGate Web-based Manager
in web mode.
188730 The portal message setting is inconsistent for default and newly added
SSL-VPN portals.
189246 PING6 for unreachable destination caused SSL-VPN portal to hang.
190106, 190336 Minor issues with the downloading SSL-VPN plugins from FDS.
191068 SSL-VPN could not be accessed for newly created VDOM.
System
Table 23: Resolved system issues
Bug ID Description
138324 The FortiToken drift value exceeds 254.
139978 Old acknowledged/deleted messages repeatedly show up in other message
widgets on the dashboard.
150876 The duplex information on the FWF-60B displays incorrectly.
159921 There are no IPS fail-open status logs.
159974 FortiGate FSSO polling can not get all IP addresses if a workstation has
multiple ethernet cards.
161876 The FG-600C gets a power supply 2 failure event log when the optional power
supply is not installed.
172299 Ports 9-12 flap when connected to an Arista 7124SX switch.
175326 FortiGate responds to ARP requests on 192.168.0.1 on MGMT1 interface.
175520 FortiToken Mobile: current solution supports the root VDOM only.
178435 FQDN in the firewall will only grab the TTL value of an A record.
179382 The filters in interface > One-arm sniffer sometimes cannot accept or delete
configurations.
179952 Stop quarantine and archive when in the conserve mode.
181367 Support larger replacement messages.
181426 After moving an interface into a newly created VDOM, the FortiGate unit still
sends broadcasts in the old VDOM.
182835 The FG-200B port cannot detect FG-3016B link status.
183546 SSL process high memory issue.
183664 The PPPoE interface set defaultgw disable cannot remove the gateway.
183727 The FIPS-CC Alarms for user-auth-failure/lockout-threshold stops
working.
184182 The CLI command diagnose test guest list reports null at the end of
output.
184206 Russian FSTEK certification requirement for image checksum.
184314 Add/remove of physical Interface to 802.3ad aggregation brings the
aggregate port down.
184699 The configuration is changed after the first reboot of a firmware upgrade.
184932 Unable to administratively Down or Up a tunnel interface via the CLI in the
config global section.
185422 The modem default route is not installed when a modem is in the non-root
VDOM.
185580 FortiGate devices should be in the pending state when switching accounts
from an old account.
185606 There is an SNMP problem when using 250 VDOMs.
185909 The FG-111C switch works abnormally with FortiOS 5.0.
186100 The server probe does not support PPPoE devices.
186116 The FG-100D LENC cannot update from the FDS.
186448 Cannot login to the FortiCloud portal automatically when a FortiGate device is
managed by FortiManager.
186523 FortiToken activation fails on particular FDS servers.
186530 When configuring two-factor authentication, some super_admin users cannot
see the token.
186540 Setting the speed to 100half/10half does not take effect for 1G copper
interfaces.
186672 Multi-VDOM admin's VDOM list sequences affect which token can be used in
two-factor login.
186738 The SNMP trap for IPsec should contain the tunnel name.
186797 The Miglogd daemon uses high CPU when the syslogd2 server is defined.
187002 There is a cmdbsvr segfault when changing firewall policy in the
Web-based Manager.
187274 DDNS stops working.
187327 The CLI hangs when the CLI displays More and Ctrl+C is pressed.
187498 Merging daemons causes a signal 11 Crash.
187519 The speed LED on a shared NIC port is not lit on the FG-800C.
187878 Removing the secondary IP disconnects the admin session.
187972 When restoring a multi-VDOM configuration, a configuration error occurs at
reboot.
187975 Verify the DNS response code for the AAAA record (RFC 4074) when an A record
exists.
188016 Unable to delete the default firewall address.
188169 Mass MMS communication sockets are not removed after usage.
188544 The diagnose sys session6 filter command shows src twice.
188772 The diagnose system top command for CPU usage is not correct.
188844 Time Zone is incorrectly displayed. (Build 0128)
189189 FortiClient licenses should be kept after an upgrade.
189261 The authd and wad socket pipe fills up the /tmp directory.
190116 There is an unknown field name error message during PPPoE interface
configuration.
190185 The update daemon uses up all the fd and stops working.
190292 Move reboot/shutdown to resource widget, update sysres widget.
190848 Unable to create a DHCP server on DHCP interface. (Build 0139)
191215 FG-1000C fails to change MGMT1 IP because subnets overlap, even though
the subnets do not overlap.
191522 Unable to log in to FortiGate via SSH.
Upgrade
Table 24: Resolved upgrade issues
Bug ID Description
162779 Received Could not load host key: /tmp/ssh_host_rsa_key
message after upgrading the FG-3140B from v4.0 build 0513 to v5.0 build
0023.
180843 A cluster of two FG-40C devices upgraded from v4.0 MR3 Patch Release 6
does not work.
183837 Upgrade unsuccessful due to too many entries in all tables of
.firewall.service.category.
186008 When upgrading from build 0639 to build 0119, HTTPS deep scan does not
upgrade properly.
188354 After upgrading from v4.0 MR3, ports from profile-protocol-options are not
added to the iprope list.
189209 After upgrading from v4.0 MR3 to v5.0, the endpoint-profile should be set as
default.
VoIP
Table 25: Resolved VoIP issues
Bug ID Description
178932 Problems encountered when enabling the SCCP VoIP profile.
WAN optimization and webproxy
Table 26: Resolved WAN optimization and webproxy issues
Bug ID Description
173668 The user monitor page reports incorrectly for Web-proxy users authenticated
via FSSO.
185273 WAN Optimization Byte cache is not used in the reverse direction after a
coldstart transfer.
185755 While testing explicit web proxy features, a segfault was observed.
187887 In explicit web-proxy, the traffic quota does not expire for HTTPS traffic.
188901 File upload fails (HTTP POST) through explicit proxy on specific websites.
189072 The webproxy firewall policy is lost for special schedule settings.
190746 The WAD daemon crashes for HTTP 0.9 traffic if DLP scan is enabled.
Web-based Manager
Table 27: Resolved Web-based Manager issues
Bug ID Description
149638 Show policy negates the status on the Web-based Manager.
152072 The pre- and post-login warning messages for admin log in have issues.
154191 Moving or refreshing the Web Filtering monitor page causes the device to go into
conserve mode.
167572 After changing the language, parts of the Web-based Manager still use the
original language.
167836 Editing IPsec VPN v6 phase1 will result in an Invalid gateway address
message.
Multiple Fixes for a large number of Web-based Manager bugs.
Bug ID: 169314, 171703, 177692, 178755, 182799, 184117, 186760, 187703,
188286, 188405, 189201, 189799, 190308, 190322, 190461, 190493, 190506,
190728, 190772, 190794, 190796, 190867, 190871, 191005, 191480
171928, 185622 httpsd daemon crash in some monitoring pages.
173130 The pull-down menu does not show up correctly when a firewall policy is
created with a certain administrator profile.
176568 Unable to clear the secondary-server configuration of a RADIUS server from
the Web-based Manager.
179645 NAT, shaper, and WAN Optimization settings should be hidden when the
policy action is set to deny.
180177 UTM endpoint control client installers have a directory traversal vulnerability.
182051 The insert section does not work from the Web-based Manager.
182659 Once a firewall address is associated to an interface, it can not be reverted
back to any from the Web-based Manager.
183435 Show the comment text, instead of just a note icon.
183453 The OK button does not save authentication settings in the web-proxy policy.
185173 The FWF-20C LAN + WiFi Setting wizard page displays an Invalid IP Range
message incorrectly. (Build 0114)
185981 Application icons are incorrect in widgets, traffic logs, and application control
lists.
187041 The OS signature was shown on device page when the mouse hovers over the
device.
187083 A mobile token in activated status incorrectly has provision in the right click
menu.
187465 The DoS policy page will display in a messy manner after setting the column
ID in the policy page.
187493 Implicit firewall rules can be moved.
187699 Add policy drag & drop function back into the policy global view.
187826 With some specific wildcard addresses, the Web-based Manager firewall
address page cannot be loaded.
188036, 190446, 190627 Widen columns for user/IP and recreate tables if table structure is not up to
date.
188398 Implicit user identity policy rules' action is shown incorrectly in the Web-based
Manager.
188636 When switching the DLP sensor to the default profile, the Web-based
Manager shows HTTP error 400.
190026 There are HTTP 500 errors on firewall policies, UTM options, and DNS pages
with specific configurations.
190026, 190149 Non-utf8 characters cause Web-based Manager issues.
190149 There is an internal server error when editing a policy that contains special
characters.
190292 Move the reboot and shutdown commands to the resource widget.
191057 Missing group in SSL-VPN traffic log caused Web-based Manager parser
error.
Web Filter
Table 28: Resolved web filter issues
Bug ID Description
158996 The FortiGuard override URL is incorrect when using deep inspection and a
CN that contains wildcard characters.
160110 The monitor action of urlfilter should not exempt the block action of
FortiGuard.
164917, 187714 Fix safe search enable issue.
165025 When the customize block page is enabled, the header HTTP/1.1 403 ... is lost
in the HTTP package.
172865 For flow-based Web Filters, FortiGate devices cannot exempt SSL websites
belonging to the bank category when deep-scan is enabled.
178351 When the local category is set to block, the category action cannot be
disabled.
178351 In the ftgd-wf setting of a Web Filter profile, enable is renamed and takes a
new role.
179265 CN based HTTPS Web URL Filtering does not work well under external proxy
environments when exempt is configured as all.
180684 Web Filter quota resets incorrectly when the quota is edited.
185181 Browser-based FortiGuard Web Filtering override does not work.
186815 Websites could not be overridden to Unrated category by FortiGate local rating.
188607 FortiGuard service is intermittently unavailable. A restart of the urlfilter is
required to recover.
189954, 189987 Redirect on HTTPS safe search and DLP PDF scan on SSN and CC.
WiFi
Table 29: Resolved WiFi issues
Bug ID Description
131373 WPA on virtual AP devices does not work if the physical WLAN is set to WPA2.
168555 Captive portal FQDN does not work on WiFi interfaces.
177422 There is a problem with the HP slate tablet related to 802.11n MSDU frame
aggregation.
182204 Manual and auto suppression do not work.
186152 The FWF-20C-ADSL-A has an incorrect wireless default configuration.
186562 Virtual AP intermittently stops working. Displaying the configuration also failed.
188644 Unable to create more than 508 SSIDs with RADIUS security.
188805 The WPA daemon is crashing, causing all Virtual APs to be reconfigured.
189354 Ap-bgscan scheduling does not work.
Known Issues
The known issues listed below do not include every bug that has been reported with this release.
For inquiries about a particular bug, please contact Customer Service & Support.
Antivirus
Table 30: Known antivirus issues
Bug ID Description
191950 Files being downloaded while AV is enabled may experience an interruption.
Firewall
Table 31: Known firewall issues
Bug ID Description
186428 The Web-based Manager fails to allow adding a tag for a firewall address.
191184 VLAN IDs and their assignment to a corresponding NPU may result in the interface not processing ARP requests properly.
FSSO
Table 32: Known FSSO issues
Bug ID Description
186536 The status of the FSSO polling agent in the Web-based Manager is not shown correctly.
High Availability
Table 33: Known high availability issues
Bug ID Description
192192 Enabling standalone-config-sync may fail to synchronize sessions.
IPS
Table 34: Known IPS issues
Bug ID Description
171443 An application list traffic shaper fails to be applied on an FMC-XH0 and FMC-XG2 card.
IPsec VPN
Table 35: Known IPsec VPN issues
Bug ID Description
192347 The FortiGate device may drop sessions with NP4/IPsec offload in a hub and spoke or spoke to spoke traffic topology.
Log & Report
Table 36: Known log & report issues
Bug ID Description
183778 DoS logs do not contain the interface-policy ID.
191808 The FortiGate device fails to generate logs for application control with explicit proxy.
SSL-VPN
Table 37: Known SSL-VPN issues
Bug ID Description
185658 The SSL-VPN daemon may experience high CPU.
191725 An SSL-VPN may fail to renew passwords as authenticated by LDAPS.
System
Table 38: Known system issues
Bug ID Description
190141 The configuration fails to accept DHCPv6 server domain names beginning with digits.
Web-based Manager
Table 39: Known Web-based Manager issues
Bug ID Description
188785 The Web-based Manager displays only one channel in the Client Monitor when bonding is configured.
188936 The Web-based Manager fails to allow usernames with special characters in an identity-based policy.
WiFi
Table 40: Known WiFi issues
Bug ID Description
184014 WiFi clients connected to FortiAP may experience high latency towards the wireless controller.
Upgrade
Table 41: Known upgrade issues
Bug ID Description
192391 A newly created device-based policy cannot retain the original policy's UTM-related settings after enabling Endpoint Registration.
Limitations
This section outlines the limitations in FortiOS v5.0 Patch Release 1.
Add Device Access List
If the device-access-list has the action set to deny, you will need to explicitly define a device
in order to allow it to work.
For instance,
config user device
    edit "win"
        set mac 01:02:03:04:05:06
    next
end
config user device-access-list
    edit "wifi"
        set default-action deny
        config device-list
            edit 1
                set action accept
                set device "windows-pc" <------------- predefined device-category
            next
            edit 2
                set action accept
                set device "win" <------------- custom device
            next
        end
    next
end
As a result, the predefined device-category entry 1 will not get access. Only the custom
device entry 2 would be able to get access.
Image Checksum
The MD5 checksums for all Fortinet software and firmware releases are available at the
Customer Service & Support website located at https://support.fortinet.com. After logging in,
click on Download > Firmware Image Checksum, enter the image file name, including the extension,
and select Get Checksum Code.
Figure 1: Customer Service & Support image checksum tool
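The check that follows the lookup above, as an added example (not part of the original release notes or Fortinet tooling): it compares a downloaded image's MD5 with the checksum code copied from the support site. The file name and sample bytes are constructed placeholders, and a match only shows that the download equals the published value.

```python
import hashlib
import hmac
import os
import re
import tempfile

_MD5_HEX = re.compile(r"[0-9a-f]{32}")


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the image through MD5 so large firmware files are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_checksum(pasted):
    """Accept the code as pasted from the web tool: any case, stray spaces or newlines."""
    value = "".join(pasted.split()).lower()
    if not _MD5_HEX.fullmatch(value):
        raise ValueError("not a 32-character hexadecimal MD5 value")
    return value


def verify_image(path, published_checksum):
    """Return True only if the file's MD5 equals the published checksum."""
    expected = normalize_checksum(published_checksum)
    return hmac.compare_digest(md5_of_file(path), expected)


def demo():
    """Constructed sample: a small stand-in file, not a real firmware image."""
    body = b"constructed stand-in for a firmware image\n" * 1000
    published = hashlib.md5(body).hexdigest().upper()  # stands in for the tool's output
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "image-placeholder.out")  # placeholder name
        with open(path, "wb") as image:
            image.write(body)
        intact = verify_image(path, "  " + published + "\n")
        with open(path, "ab") as image:
            image.write(b"\x00")  # simulate a corrupted download
        damaged = verify_image(path, published)
    return intact, damaged


if __name__ == "__main__":
    print(demo())
```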
End of Release Notes