FortiOS Release Notes - Fortinet Document Library

FortiOS - Release Notes
VERSION 5.4.0
FORTINET DOCUMENT LIBRARY: http://docs.fortinet.com
FORTINET VIDEO GUIDE: http://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTIGATE COOKBOOK: http://cookbook.fortinet.com
FORTINET TRAINING SERVICES: http://www.fortinet.com/training
FORTIGUARD CENTER: http://www.fortiguard.com
END USER LICENSE AGREEMENT: http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: techdocs@fortinet.com
December 21, 2015
FortiOS 5.4.0 Release Notes
01-540-293566-20151221
TABLE OF CONTENTS
Change Log
Introduction
  Supported models
  What’s new in FortiOS 5.4.0
Special Notices
  Built-In Certificate
  Default log setting change
  FortiAnalyzer Support
  FG-92D High Availability in Interface Mode
  FG-900D and FG-1000D
  FG-3700DX
  FortiGate units running 5.4.0
  FortiGate-VM 5.4 for VMware ESXi
  FortiPresence
  Log Disk Usage
  SSLVPN
  SSLVPN setting page
Upgrade Information
  Upgrading from FortiOS 5.2.4 or later
  Unified Disk Usage
  FortiGate-VM 5.4 for VMware ESXi
  Downgrading to previous firmware versions
  FortiGate VM firmware
  Firmware image checksums
Product Integration and Support
  FortiOS 5.4.0 support
  Language support
  SSL VPN support
    SSL VPN standalone client
    SSL VPN web mode
    SSL VPN host compatibility list
Resolved Issues
Known Issues
Limitations
  Citrix XenServer limitations
  Open Source XenServer limitations
Change Log
Date | Change Description
2015-12-21 | Initial release.
2015-12-22 | Added FG-30E, FG-50E, FG-51E, FWF-30E, FWF-50E, and FWF-51E to Supported Models.
2015-12-23 | Added FortiAnalyzer and FortiManager 5.4.0 to Product Integration and Support.
Introduction
This document provides the following information for FortiOS 5.4.0 build 1011:
- Special Notices
- Upgrade Information
- Product Integration and Support
- Resolved Issues
- Known Issues
- Limitations
See the Fortinet Document Library for FortiOS documentation.
Supported models
FortiOS 5.4.0 supports the following models.
FortiGate | FG-30D, FG-30D-POE, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80D, FG-90D, FGT-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-5001C, FG-5001D
FortiWiFi | FWF-30D, FWF-30D-POE, FWF-60D, FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D
FortiGate Rugged | FGR-90D
FortiGate VM | FG-VM32, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN, FG-VMX
FortiOS Carrier | FortiOS Carrier 5.4.0 images are delivered upon request and are not available on the customer support firmware download page.
The following models are released on a special branch based off of FortiOS 5.4.0. As
such, the System > Dashboard > Status page and the output from the get system
status CLI command display the build number.
- FG-30E is released on build 6973.
- FG-50E is released on build 6973.
- FG-51E is released on build 6973.
- FWF-30E is released on build 6973.
- FWF-50E is released on build 6973.
- FWF-51E is released on build 6973.
To confirm that you are running the proper build, the output from the get system
status CLI command has a branch point field that should read 1011.
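An added example, not part of the Fortinet release notes: a Python check that parses captured get system status output and compares the build and branch point against the values stated above (build 1011 for 5.4.0, build 6973 with branch point 1011 for the special-branch models). The sample outputs are constructed, and the layout of the "Version:" and "Branch point:" lines and the FortiGate-/FortiWiFi- to FG-/FWF- name mapping are assumptions about the CLI output.

```python
import re

# Values taken from the release notes text above.
EXPECTED_VERSION = "5.4.0"
GA_BUILD = 1011
SPECIAL_BRANCH_BUILD = 6973
BRANCH_POINT = 1011
SPECIAL_BRANCH_MODELS = {"FG-30E", "FG-50E", "FG-51E", "FWF-30E", "FWF-50E", "FWF-51E"}

# Assumption: the CLI prints the long platform name; map it to the short model name.
PLATFORM_PREFIXES = {"FortiGate-": "FG-", "FortiWiFi-": "FWF-"}

# Assumption: line layout of "get system status" output.
_VERSION = re.compile(r"^\s*Version:\s*(\S+)\s+v(\d+\.\d+\.\d+),build(\d+)", re.I | re.M)
_BRANCH = re.compile(r"^\s*Branch point:\s*(\d+)", re.I | re.M)


def short_model(platform):
    """Convert e.g. 'FortiWiFi-50E' to 'FWF-50E'; unknown prefixes pass through."""
    for long_prefix, short_prefix in PLATFORM_PREFIXES.items():
        if platform.startswith(long_prefix):
            return short_prefix + platform[len(long_prefix):]
    return platform


def check_status(output):
    """Return a list of findings; an empty list means the unit matches the notes."""
    match = _VERSION.search(output)
    if not match:
        return ["no Version line found; cannot identify the running build"]

    model = short_model(match.group(1))
    version, build = match.group(2), int(match.group(3))
    findings = []

    if version != EXPECTED_VERSION:
        findings.append(f"{model}: running v{version}, expected v{EXPECTED_VERSION}")

    if model in SPECIAL_BRANCH_MODELS:
        # Special-branch models report build 6973; the branch point ties them to 1011.
        if build != SPECIAL_BRANCH_BUILD:
            findings.append(f"{model}: build {build}, expected {SPECIAL_BRANCH_BUILD}")
        branch = _BRANCH.search(output)
        if not branch:
            findings.append(f"{model}: branch point field missing")
        elif int(branch.group(1)) != BRANCH_POINT:
            findings.append(
                f"{model}: branch point {branch.group(1)}, expected {BRANCH_POINT}")
    elif build != GA_BUILD:
        findings.append(f"{model}: build {build}, expected {GA_BUILD}")

    return findings


# Constructed sample outputs (not captured from real devices).
SAMPLE_GA = """Version: FortiGate-60D v5.4.0,build1011,151221 (GA)
Serial-Number: FGT60D0000000000
Branch point: 1011
"""
SAMPLE_E_SERIES = """Version: FortiWiFi-50E v5.4.0,build6973,151222 (GA)
Serial-Number: FWF50E0000000000
Branch point: 1011
"""
SAMPLE_WRONG_BRANCH = """Version: FortiWiFi-50E v5.4.0,build6973,151222 (GA)
Branch point: 999
"""
SAMPLE_OLD = """Version: FortiGate-60D v5.2.4,build0688,150722 (GA)
Branch point: 688
"""

if __name__ == "__main__":
    for name, text in [("GA", SAMPLE_GA), ("E-series", SAMPLE_E_SERIES),
                       ("wrong branch", SAMPLE_WRONG_BRANCH), ("old", SAMPLE_OLD)]:
        print(name, "->", check_status(text) or "OK")
```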
What’s new in FortiOS 5.4.0
For a list of new features and enhancements that have been made in FortiOS 5.4.0 see the What’s New for
FortiOS 5.4.0 document available in the Fortinet Document Library.
Special Notices
Built-In Certificate
FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit
certificate with DH group 14.
Default log setting change
For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that
support SATA disk, log disk is enabled by default.
FortiAnalyzer Support
Due to the FortiAnalyzer Log Encrypt setting being removed, users will need to simplify the log transmission
setting.
FG-92D High Availability in Interface Mode
The FortiGate-92D may fail to form an HA cluster and may experience a spanning tree loop if it is configured with
the following:
- operating in interface mode
- at least one of the interfaces, for example interface9, is used as the HA heartbeat interface
- a second interface is connected to an external switch
Workaround: use either WAN1 or WAN2 as the HA heartbeat device.
FG-900D and FG-1000D
CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload
if both ingress and egress ports belong to the same NP6 chip.
FG-3700DX
CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.
FortiGate units running 5.4.0
FortiGate units running 5.4.0 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on
newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.
FortiGate-VM 5.4 for VMware ESXi
Upon upgrading to FortiOS 5.4.0, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the
VMXNET2 vNIC driver.
FortiPresence
For FortiPresence users, it is recommended to change the FortiGate web administration TLS version in order to
allow the connection.
config system global
set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end
Log Disk Usage
Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.
SSLVPN
RDP/VNC web portals are not supported on the following platforms:
- FGT-80D
- FGR-90D
- FGT-92D
- FWF-92D
- FGT-200D
- FGT-200D-POE
- FGT-240D
- FGT-240D-POE
- FGT-600C
- FGT-800C
- FGT-1000C
- FGT-3240C
- FGT-3600C
- FGT-5001C
SSLVPN setting page
The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate-VMs, which remain at the self-signed option. For details on importing a CA-signed certificate, please see the
How to purchase and import a signed SSL certificate document.
Upgrade Information
Upgrading from FortiOS 5.2.4 or later
FortiOS version 5.4.0 officially supports upgrade from version 5.2.4 or later.
Unified Disk Usage
FortiOS 5.4.0 changes the disk usage behavior upon upgrading from FortiOS 5.2. The table below describes the
new logging and WANopt disk usage for single and two disk FortiGate devices running FortiOS 5.4.0.
Single Disk Platforms (Logging or WANopt)
Only Logging enabled | No change.
Only WANopt enabled | No change.
Both Logging & WANopt enabled | In 5.4.0, the upgrade process configures the disk for Logging. However, you may change the disk to use WANopt.

Two Disk Platforms (First disk is reserved for Logging; the second is reserved for WANopt)
Only Logging enabled on the first disk | No change.
Only Logging enabled on the second disk | In 5.4.0, Logging is changed to the first disk. The Logging data is lost on the second disk.
Only WANopt enabled on the first disk | In 5.4.0, WANopt is changed to the second disk. The WANopt cache is lost on the first disk.
Only WANopt enabled on the second disk | No change.
Both Logging & WANopt enabled | Regardless of the 5.2 configuration, the 5.4.0 upgrade process will change the configuration so that Logging uses the first disk and WANopt uses the second disk. Logging data and WANopt cache may or may not be lost depending on which disk they were configured on prior to upgrading.
FortiGate-VM 5.4 for VMware ESXi
Upon upgrading to FortiOS 5.4.0, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the
VMXNET2 vNIC driver.
Downgrading to previous firmware versions
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings
are retained:
- operation mode
- interface IP/management IP
- static route table
- DNS settings
- VDOM parameters/settings
- admin user account
- session helpers
- system access profiles
When downgrading from 5.4 to 5.2, users will need to reformat the logdisk.
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix XenServer and Open Source XenServer
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
- .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.
Linux KVM
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.
Microsoft Hyper-V
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file fortios.vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.
VMware ESX and ESXi
- .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.
Firmware image checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service &
Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums,
enter the image file name including the extension, and select Get Checksum Code.
Product Integration and Support
FortiOS 5.4.0 support
The following table lists 5.4.0 product integration and support information:
Web Browsers
- Microsoft Internet Explorer version 11
- Mozilla Firefox version 37
- Google Chrome version 43
- Apple Safari version 7.0 (For Mac OS X)
Other web browsers may function correctly, but are not supported by Fortinet.
Explicit Web Proxy Browser
- Microsoft Internet Explorer versions 8, 9, 10, and 11
- Mozilla Firefox version 27
- Apple Safari version 6.0 (For Mac OS X)
- Google Chrome version 34
Other web browsers may function correctly, but are not supported by Fortinet.
FortiManager
- 5.4.0
- 5.2.5 and later
You should upgrade your FortiManager prior to upgrading the FortiGate.
FortiAnalyzer
- 5.4.0
- 5.2.5 and later
You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.
FortiClient Microsoft Windows and FortiClient Mac OS X
- 5.2.5 and later
FortiClient iOS
- 5.2.2 and later
FortiClient Android and FortiClient VPN Android
- 5.2.6 and later
FortiAP
- 5.2.5 and later
- 5.0.10
You should verify what the current recommended FortiAP version is for your FortiAP prior to upgrading the FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the OS Version column you will see a message reading A recommended update is available for any FortiAP that is running an earlier version than what is recommended.
FortiSwitch OS (FortiLink support)
- 3.3.0 and later
  Supported models: FSR112D-POE, FS108D-POE, FS224D-POE, FS124D, FS124D-POE, FS224D-FPOE
- 3.2.0 and later
  Supported models: FS-108D-POE, FS-224D-POE, FSR-112D-POE
- 3.0.1 and later
  Supported model: FS-224D-POE
- 2.0.3
  Supported models: FS-28C, FS-324B-POE, FS-348B, FS-448B
FortiController
- 5.2.0 and later
  Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
- 5.0.3 and later
  Supported model: FCTL-5103B
FortiSandbox
- 2.1.0 and later
- 1.4.0 and later
Fortinet Single Sign-On (FSSO)
- 5.0 build 0242 and later (needed for FSSO agent support OU in group filters)
  - Windows Server 2008 64-bit
  - Windows Server 2008 R2 64-bit
  - Windows Server 2012 Standard
  - Windows Server 2012 R2 Standard
- 4.3 build 0164 (contact Support for download)
  - Microsoft Windows Server 2003 R2 (32-bit and 64-bit)
  - Microsoft Windows Server 2008 (32-bit and 64-bit)
  - Microsoft Windows Server 2008 R2 64-bit
  - Microsoft Windows Server 2012 Standard Edition
  - Microsoft Windows Server 2012 R2
  - Novell eDirectory 8.8
FSSO does not currently support IPv6.
FortiExplorer
- 2.7 build 1088 and later.
Some FortiGate models may be supported on specific FortiExplorer versions.
FortiExplorer iOS
- 1.0.6 build 0130 and later
Some FortiGate models may be supported on specific FortiExplorer iOS versions.
FortiExtender
- 2.0.2 build 0011 and later
AV Engine
- 5.00227
IPS Engine
- 3.00156
Virtualization Environments
  Citrix
  - XenServer version 5.6 Service Pack 2
  - XenServer version 6.0 and later
  Linux KVM
  - CentOS 6.4 (qemu 0.12.1) and later
  Microsoft
  - Hyper-V Server 2008 R2, 2012, and 2012 R2
  Open Source
  - XenServer version 3.4.3
  - XenServer version 4.1 and later
  VMware
  - ESX versions 4.0 and 4.1
  - ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0
FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the VMXNET2
vNIC driver.
Language support
The following table lists language support information.
Language support
Language | GUI
English | ✔
Chinese (Simplified) | ✔
Chinese (Traditional) | ✔
French | ✔
Japanese | ✔
Korean | ✔
Portuguese (Brazil) | ✔
Spanish (Spain) | ✔
SSL VPN support
SSL VPN standalone client
The following table lists the SSL VPN tunnel client standalone installer for the following operating systems.
Operating system and installers
Operating System | Installer
Microsoft Windows XP SP3 (32-bit); Microsoft Windows 7 (32-bit & 64-bit); Microsoft Windows 8 (32-bit & 64-bit); Microsoft Windows 8.1 (32-bit & 64-bit) | 2323
Linux CentOS 6.5 (32-bit & 64-bit); Linux Ubuntu 12.0.4 (32-bit & 64-bit) | 2323
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) | 2323
Other operating systems may function correctly, but are not supported by Fortinet.
SSL VPN web mode
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Supported operating systems and web browsers
Operating System | Web Browser
Microsoft Windows 7 SP1 (32-bit/64-bit) | Microsoft Internet Explorer version 11; Mozilla Firefox version 42
Microsoft Windows 8/8.1 (32-bit/64-bit) | Microsoft Internet Explorer version 11; Mozilla Firefox 42
Mac OS 10.9 | Safari 7
Linux CentOS version 6.5 | Mozilla Firefox 42
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
SSL VPN host compatibility list
The following table lists the antivirus and firewall client software packages that are supported.
Supported Microsoft Windows XP antivirus and firewall software
Product | Antivirus | Firewall
Symantec Endpoint Protection 11 | ✔ | ✔
Kaspersky Antivirus 2009 | ✔ |
McAfee Security Center 8.1 | ✔ | ✔
Trend Micro Internet Security Pro | ✔ | ✔
F-Secure Internet Security 2009 | ✔ | ✔
Supported Microsoft Windows 7 32-bit antivirus and firewall software
Product
Antivirus
Firewall
✔
✔
F-Secure Internet Security 2011
✔
✔
Kaspersky Internet Security 2011
✔
✔
McAfee Internet Security 2011
✔
✔
Norton 360™ Version 4.0
✔
✔
Norton™ Internet Security 2011
✔
✔
Panda Internet Security 2011
✔
✔
Sophos Security Suite
✔
✔
Trend Micro Titanium Internet Security
✔
✔
ZoneAlarm Security Suite
✔
✔
Symantec Endpoint Protection Small Business Edition 12.0
✔
✔
CA Internet Security Suite Plus Software
AVG Internet Security 2011
Resolved Issues
The following issues have been fixed in version 5.4.0. For inquiries about a particular bug, please contact
Customer Service & Support.
Device Visibility
Bug ID | Description
300577 | Add QUIC support in passive device detection.
299500 | Ensure Mac is not detected as an iPhone.
DLP
Bug ID | Description
282782 | DLP does not stop processing filter(s) after the first match. Therefore, DLP file patterns matching *.xap for Silverlight keep being blocked as an executable.
299924 | Support integration of tag %%SUBJECT%% as part of the custom replacement message is set as the email subject.
298236 | Improve credit card number check handled by DLP sensor.
Firewall
Bug ID | Description
277238 | RSSO set the endpoint DB record "block status" to the incorrect value.
295643 | Improved authentication daemon optimization.
282807 | NP4lite leaks some unNATed packets on the external interface when NAT ports are exhausted.
297421 | HTTPS traffic is blocked after an AV/IPS database update from FortiGuard.
296931 | TCP Window size overruns in FGT when remote server announces the Window Scaling is 0.
295164 | oversize-log disable does not work for FTP downloads.
298411 | When installing vip to the kernel, check if the sock list is empty or not when deleting sock list elements.
293132, 291689 | Do not offer abbreviated TLS handshake on mismatched versions.
298937 | Proxyd ssl-exempt must not check the IP address if a hostname exists.
GUI
Bug ID | Description
258101 | When testing a RADIUS server and it does not connect, an error occurs.
274256 | HTTP 500 error occurs when trying to view a CA certificate.
262009 | GUI shows incorrect IP address and interface for DDNS domains.
275377 | Secondary IP and netmask for VLAN interfaces are reversed.
251641 | Insert policy below/above does not work in a multicast policy list.
269191 | Client monitor page is not showing clients when filter is set on SSIDs.
276756 | Profile groups > Ref. links do not work.
274256 | HTTP 500 error occurs when trying to view a CA certificate.
269191 | Client monitor page is not showing clients when filter is set on SSID.
286110 | GUI shows different certificate name under the VPN SSL setting compared to the CLI.
260886 | Policy dialog cannot load large number of addresses (10,000 or more).
286533 | GUI RADIUS Test Connectivity does not respond to use-management-vdom set.
294403 | Users cannot choose or change the Source Device Type in GUI on the SSLVPN Firewall policy.
274588 | Dashboard Status screen incorrectly shows FortiToken status.
272420 | One invisible group is selected in LDAP Remote Group.
High Availability
Bug ID | Description
294950 | Radiusd is not able to synch with a database with a secondary unit, which keeps the database locked and prevents users from being able to authenticate.
299848 | Remote+Wildcard admin are only matched compared to one group on the slave device.
298647 | npu_vlinks receives the same virtual-mac in a HA configuration.
IPS
Bug ID | Description
260302, 283644, 287743 | IPS engine daemon does not rely on the View ID to obtain configuration.
IPsec
Bug ID | Description
294697 | IPsec traffic is blocked after a HA failover.
279519 | When adding and/or modifying a Firewall policy, IPsec traffic stops during a vlink and/or lpck offload session.
Log & Report
Bug ID | Description
300881 | Modify service and log desc when traffic is denied due to an explicit proxy policy.
295179 | Offset the device time field in the logs on the FortiAnalyzer.
Routing
Bug ID | Description
298214 | If two out of four GWs for policy routes go down, one proute may be down but another proute is incorrectly up.
282126 | OSPF should be able to filter incoming external routes by route-map.
296921 | nssa-default-information-originate to make a OSPF always sends a default route of information to NSSA.
298290 | pim-dm should use kernel route to query the nexthop, instead of using the NSM module.
299593 | rip and ripng's offset-list status to be enabled by default.
SSLVPN
Bug ID | Description
297315 | User node cannot be found when the password has changed.
257689 | SSLVPN OWA 2013 send button does not work as expected.
300748 | MS RemoteApp and Desktop Connections are not shown via SSLVPN webportal.
SSO
Bug ID | Description
290746 | FortiGate removes FSSO logins as soon as the Collector agent is disconnected.
System
Bug ID | Description
276628 | npu-vlink stops working when adding a transparent VDOM.
295794 | Hardware-switch does not block an access from undefined hosts in the IP/MAC binding table after reboot.
297132 | Kernel and NP6 shaper interprets set maximum-bandwidth 0 differently.
295022 | Load all CAs in current VDOMs for OCSP certificate verification.
271239 | Admin password authentication cannot be disabled with public key authentication.
301887 | Enable NPU SynProxy support for FG-3700DX and FG-5001D.
298828 | Unable to set 31-bit mask for a secondary IP address.
298057 | Root Dispersion and Root Delay of diagnose sys ntp status command is an invalid value.
257176 | CPU increases when adding FAPs to FGT-60C-PoE.
301244 | Incoming PPPoE frame is accepted even when the destination MAC address is not local.
298867 | GMT +13:00 Samoa time zone with DST is not supported.
297451 | Member port is removed from a software-switch after rebooting if a management-vdom is in TP-mode.
297666 | Support CRL download over HTTP/1.1.
286771 | set macaddr option does not work for a switch-interface.
299585 | Always recycle the nturbo/ips local mbuf even if the nturbo buffer has been removed to avoid a nturbo mbuf leak in IPS.
282472 | NP6 Multicast traffic is duplicated.
297478 | snifferd process locks administrators even after admintimeout.
298204 | FWF-30E/50E/51E goes into the system conserve mode.
276941 | No value is returned when accessing Virtual Switch interface's OIDs.
273124 | Some of the Current Usage information under VDOM > Global Resources is incorrect.
Upgrade
Bug ID | Description
298540, 297001 | After HA cluster upgrade, Master and Slave boxes have different checksums for the webfilter profile in the root VDOM.
WANopt & Webproxy
Bug ID | Description
297486 | DNS improvements to handle fwd proxy server.
WiFi
Bug ID | Description
265950 | Wifi user unable to access internal applications after enabling Application Control.
240602 | Anonymous identity should not replace the real authentication account when a client is connecting to WPA-Enterprise.
Known Issues
The following issues have been identified in version 5.4.0. For inquiries about a particular bug or to report a bug,
please contact Customer Service & Support.
Firewall
Bug ID | Description
304317, 304136 | WAD daemon may crash when enabling WAD debug.
304449 | TELNET may not be able to trigger authentication when the application profile and the user group are both configured.
304432 | Protect server may not work as expected when enabling the Proxy AV and deep inspection.
FortiView
Bug ID | Description
303747 | Source > Filter Source Device may not work.
289376 | Applying the filter All by using the right click method may not work in the All Session page.
301315 | Device Topology page, should add dependency warning if no interface has device detection enabled.
303940 | Web Site > Security Action filter may not work.
277558 | Policy page > IPv6 policy may be displayed as IPv4 policy in realtime view.
303787 | Application page > Filter on a Unknown Application may not work.
303823 | Policy page > Source and Destination interface might show unknown-0 message.
300055 | In Traffic Shaping page, bandwidth and dropped bytes may not be accurately listed for the Forward Shaper.
299900 | In the Traffic shaping page, the IPv6 shaping may miss reply-shaper name and may not be able to drill down the menu.
GUI
Bug ID | Description
289297 | Threat map may not be fully displayed when screen resolution is not big enough.
302633 | Several list pages may have alignment issues with Chrome 47.
303928 | After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in GUI.
303642 | Route lookup window may be empty.
303645 | If no route is found, the IPv6 route lookup result may not be accurate.
302576 | GUI may display the password-policy rules on the Admin page even if the password-policy does not apply to that admin user.
303038 | Dead Peer Detection setting in IPsec tunnel templates page may show on-demand instead of enable.
303776 | There may not be any options available in the Log View; a JS error occurs when setting a filter in the protocol field.
304100 | Users may not be able to enable Feature Select in Global or VDOM on the following platforms: FG-3700D, FG-3700DX, FG-3810D and FG-5001D.
304119 | Explicit Proxy Policy may receive an internal error if All Ports is enabled in any of ssl-ssh certificates in the inspection profile.
304482 | NP6 offloading may be lost when the IPsec interface has the aes256gcm proposal.
304491 | Users may not be able to set the IPsec VPN Xauth User Group to inherit groups from policy in GUI.
304495 | In Network > Explicit Proxy page, when users edit Listen on Interfaces, the page may stop responding.
304395 | The SSLVPN Web Portal RSA token in New Pin Mode may not work.
304645 | Traffic Shapers bandwidth unit may display kb/s while the backend config has mbps/gbps.
304627 | In the HA setup, restoring config in GUI, only master's config might be restored, but slave's config may not be restored.
304436 | GUI might show a different received/sent value with CLI on GUI->Modem monitor page.
304439 | Users may not be able to set UTM profiles in IPsec Action Policy page.
304455 | GUI > Interface > DHCP Server > Advanced > DHCP Client List page may not display correctly on Chrome 47.
High Availability
Bug ID | Description
304433 | New import local certificate may cause the HA to become out of sync in a multi VDOM environment. Workaround: reboot the master.
IPsec
Bug ID | Description
296439 | L2TP over IPsec tunnel may not be able to be established.
Log & Report
Bug ID | Description
304217 | miglogd may stop working if its protocol and port overlap with another service. Affected policy: IPv4/IPv6 multicast policy, IPv4/IPv6 DOS policy and sniffer policy.
304533 | AntiVirus log may not have a URL section when a Gmail attachment is downloaded.
SSLVPN
Bug ID | Description
282914 | If users use SSLVPN in Web Mode, they may not be able to access a FortiGate running 5.4.
300054 | SSLVPN login replacement messages may be reset to factory default when upgrading from 5.2.
304528 | SSLVPN Web Mode PKI user might immediately log back in even when logging out.
304139 | SSLVPN Login Anyway might not work when limit-user-logins is enabled.
System
Bug ID | Description
275631 | Multicast traffic may be able to be offloaded by XLP in NAT mode when there is no PIM enabled.
295292 | If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
301947 | On NP6 ports, hairpinned traffic may be blocked after the traffic that initializes the original NATs stops responding. Workaround: disable fastpath on the NP6 port.
303626 | Switch VLAN may not be accessible in trunk (LACP) mode on 200 series platforms.
297923 | Newly created HW switch on NP4 platforms may not be accessible until users reboot.
290708 | nturbo may not support CAPWAP traffic.
304118 | VLAN and hardware switch interface may lose the secondary IP during the upgrade from v5.2 to v5.4. Workaround: unset role under config system interface, then manually add the secondary IP back.
303906 | The CLI may stop working when configuring Interface Policy6.
298348 | IPv6 may not work on the internal interface. Affected platform: FGT-92D
304472 | Health-check over pppoe interface may not work after a FGT reboot.
304320 | LENC FGT may not be able to update the modem-list and message-update; it may not be able to connect to FortiAnalyzer.
303959 | When the VDOM is enabled, the EAP_proxy may not be able to handle the certificate chain with a depth of more than two.
304667 | When FGT has only one disk and it is used by WANopt, the factory reset may not reset the disk to log. Workaround: use CLI to set disk-usage to log under config system global.
Upgrade
Bug ID | Description
269799 | sniffer config may be lost after upgrade.
WANopt & Webproxy
Bug ID | Description
291241 | WAD may have a fd leak after concurrent tests.
271526 | A WAD session leak may occur.
Limitations
Citrix XenServer limitations
The following limitations apply to Citrix XenServer installations:
- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
  - XVA (recommended)
  - VHD
  - OVF
The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual
NIC. Other formats will require manual configuration before the first power on process.
Open Source XenServer limitations
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may
arise when using the QCOW2 format and existing HDA issues.
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.