FortiOS - Release Notes
VERSION 5.4.0

FORTINET DOCUMENT LIBRARY: http://docs.fortinet.com
FORTINET VIDEO GUIDE: http://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTIGATE COOKBOOK: http://cookbook.fortinet.com
FORTINET TRAINING SERVICES: http://www.fortinet.com/training
FORTIGUARD CENTER: http://www.fortiguard.com
END USER LICENSE AGREEMENT: http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: firstname.lastname@example.org

December 21, 2015
FortiOS 5.4.0 Release Notes
01-540-293566-20151221

TABLE OF CONTENTS

Change Log
Introduction
    Supported models
    What’s new in FortiOS 5.4.0
Special Notices
    Built-In Certificate
    Default log setting change
    FortiAnalyzer Support
    FG-92D High Availability in Interface Mode
    FG-900D and FG-1000D
    FG-3700DX
    FortiGate units running 5.4.0
    FortiGate-VM 5.4 for VMware ESXi
    FortiPresence
    Log Disk Usage
    SSLVPN
    SSLVPN setting page
Upgrade Information
    Upgrading from FortiOS 5.2.4 or later
    Unified Disk Usage
    FortiGate-VM 5.4 for VMware ESXi
    Downgrading to previous firmware versions
    FortiGate VM firmware
    Firmware image checksums
Product Integration and Support
    FortiOS 5.4.0 support
    Language support
    SSL VPN support
        SSL VPN standalone client
        SSL VPN web mode
        SSL VPN host compatibility list
Resolved Issues
Known Issues
Limitations
    Citrix XenServer limitations
    Open Source XenServer limitations

Change Log

Date | Change Description
2015-12-21 | Initial release.
2015-12-22 | Added FG-30E, FG-50E, FG-51E, FWF-30E, FWF-50E, and FWF-51E to Supported Models.
2015-12-23 | Added FortiAnalyzer and FortiManager 5.4.0 to Product Integration and Support.

Release Notes Fortinet, Inc.

Introduction

This document provides the following information for FortiOS 5.4.0 build 1011:

- Special Notices
- Upgrade Information
- Product Integration and Support
- Resolved Issues
- Known Issues
- Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.0 supports the following models.

FortiGate: FG-30D, FG-30D-POE, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80D, FG-90D, FGT-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-5001C, FG-5001D

FortiWiFi: FWF-30D, FWF-30D-POE, FWF-60D, FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-90D

FortiGate VM: FG-VM32, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN, FG-VMX

FortiOS Carrier: FortiOS Carrier 5.4.0 images are delivered upon request and are not available on the customer support firmware download page.

The following models are released on a special branch based off of FortiOS 5.4.0. As such, the System > Dashboard > Status page and the output from the get system status CLI command display the special branch build number.

- FG-30E is released on build 6973.
- FG-50E is released on build 6973.
- FG-51E is released on build 6973.
- FWF-30E is released on build 6973.
- FWF-50E is released on build 6973.
- FWF-51E is released on build 6973.

To confirm that you are running the proper build, the output from the get system status CLI command has a branch point field that should read 1011.

What’s new in FortiOS 5.4.0

For a list of new features and enhancements that have been made in FortiOS 5.4.0, see the What’s New for FortiOS 5.4.0 document available in the Fortinet Document Library.
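
The build check described under Supported models can be scripted against saved CLI output. The following is an added example, not part of the release notes or any Fortinet tooling; the line layout of `get system status` and both sample outputs are assumptions constructed for illustration, and the model is passed in by the caller using the release-notes naming.

```python
import re

# Values taken from the release notes above.
GA_VERSION = "5.4.0"
GA_BUILD = 1011        # GA build; also the required "Branch point" value
SPECIAL_BUILD = 6973   # build number of the special-branch models
SPECIAL_MODELS = frozenset(
    {"FG-30E", "FG-50E", "FG-51E", "FWF-30E", "FWF-50E", "FWF-51E"}
)

# Assumed layout of the two relevant lines of `get system status` output.
VERSION_RE = re.compile(
    r"^[ \t]*Version:\s*\S+\s+v(\d+\.\d+\.\d+),build(\d+)", re.MULTILINE
)
BRANCH_RE = re.compile(
    r"^[ \t]*Branch point:\s*(\d+)\s*$", re.MULTILINE | re.IGNORECASE
)

# Constructed sample outputs (not captured from a device), trimmed to a few fields.
SAMPLE_E_SERIES = """\
Version: FortiWiFi-50E v5.4.0,build6973,151221 (GA)
Serial-Number: FWF50E0000000000
Branch point: 1011
Release Version Information: GA
"""

SAMPLE_D_SERIES = """\
Version: FortiGate-100D v5.4.0,build1011,151221 (GA)
Serial-Number: FG100D0000000000
Branch point: 1011
Release Version Information: GA
"""


def parse_status(text):
    """Extract version, build and branch point; missing fields stay None."""
    fields = {"version": None, "build": None, "branch_point": None}
    match = VERSION_RE.search(text)
    if match:
        fields["version"] = match.group(1)
        fields["build"] = int(match.group(2))   # int() drops leading zeros
    match = BRANCH_RE.search(text)
    if match:
        fields["branch_point"] = int(match.group(1))
    return fields


def check_build(model, status_text):
    """Return a list of mismatches against the release notes; empty means OK.

    `model` uses the release-notes naming (for example "FWF-50E").
    """
    fields = parse_status(status_text)
    expected_build = SPECIAL_BUILD if model.upper() in SPECIAL_MODELS else GA_BUILD
    problems = []

    if fields["version"] is None:
        problems.append("no Version line found")
    else:
        if fields["version"] != GA_VERSION:
            problems.append(
                f"version {fields['version']} is not {GA_VERSION}"
            )
        if fields["build"] != expected_build:
            problems.append(
                f"build {fields['build']} found, expected {expected_build} for {model}"
            )

    if fields["branch_point"] is None:
        problems.append("no Branch point field found")
    elif fields["branch_point"] != GA_BUILD:
        problems.append(
            f"branch point {fields['branch_point']} found, expected {GA_BUILD}"
        )
    return problems


if __name__ == "__main__":
    for model, text in (("FWF-50E", SAMPLE_E_SERIES), ("FG-100D", SAMPLE_D_SERIES)):
        problems = check_build(model, text)
        print(model, "OK" if not problems else "; ".join(problems))
```
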

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit certificate with DH group 14.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that support SATA disk, log disk is enabled by default.

FortiAnalyzer Support

Due to the FortiAnalyzer Log Encrypt setting being removed, users will need to simplify the log transmission setting.

FG-92D High Availability in Interface Mode

The FortiGate-92D may fail to form an HA cluster and may experience a spanning tree loop if it is configured with the following:

- operating in interface mode
- at least one of the interfaces, for example interface9, is used as the HA heartbeat interface
- a second interface is connected to an external switch

Workaround: use either WAN1 or WAN2 as the HA heartbeat device.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units running 5.4.0

FortiGate units running 5.4.0 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.0, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiPresence

For FortiPresence users, it is recommended to change the FortiGate web administration TLS version in order to allow the connection.

    config system global
        set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

SSLVPN

RDP/VNC web portals are not supported on the following platforms:

- FGT-80D
- FGR-90D
- FGT-92D
- FWF-92D
- FGT-200D
- FGT-200D-POE
- FGT-240D
- FGT-240D-POE
- FGT-600C
- FGT-800C
- FGT-1000C
- FGT-3240C
- FGT-3600C
- FGT-5001C

SSLVPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate-VMs, which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

Upgrade Information

Upgrading from FortiOS 5.2.4 or later

FortiOS version 5.4.0 officially supports upgrade from version 5.2.4 or later.

Unified Disk Usage

FortiOS 5.4.0 changes the disk usage behavior upon upgrading from FortiOS 5.2. The table below describes the new logging and WANopt disk usage for single and two disk FortiGate devices running FortiOS 5.4.0.

Single Disk Platforms (Logging or WANopt)

- Only Logging enabled: No change.
- Only WANopt enabled: No change.
- Both Logging & WANopt enabled: In 5.4.0, the upgrade process configures the disk for Logging. However, you may change the disk to use WANopt.

Two Disk Platforms (First disk is reserved for Logging; the second is reserved for WANopt)

- Only Logging enabled on the first disk: No change.
- Only Logging enabled on the second disk: In 5.4.0, Logging is changed to the first disk. The Logging data is lost on the second disk.
- Only WANopt enabled on the first disk: In 5.4.0, WANopt is changed to the second disk. The WANopt cache is lost on the first disk.
- Only WANopt enabled on the second disk: No change.
- Both Logging & WANopt enabled: Regardless of the 5.2 configuration, the 5.4.0 upgrade process will change the configuration so that Logging uses the first disk and WANopt uses the second disk. Logging data and WANopt cache may or may not be lost depending on which disk they were configured on prior to upgrading.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.0, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

- operation mode
- interface IP/management IP
- static route table
- DNS settings
- VDOM parameters/settings
- admin user account
- session helpers
- system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the logdisk.

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
- .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file fortios.vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

- .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.0 support

The following table lists 5.4.0 product integration and support information:

Web Browsers

- Microsoft Internet Explorer version 11
- Mozilla Firefox version 37
- Google Chrome version 43
- Apple Safari version 7.0 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser

- Microsoft Internet Explorer versions 8, 9, 10, and 11
- Mozilla Firefox version 27
- Apple Safari version 6.0 (For Mac OS X)
- Google Chrome version 34

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager

- 5.4.0
- 5.2.5 and later

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer

- 5.4.0
- 5.2.5 and later

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X

- 5.2.5 and later

FortiClient iOS

- 5.2.2 and later

FortiClient Android and FortiClient VPN Android

- 5.2.6 and later

FortiAP

- 5.2.5 and later
- 5.0.10

You should verify what the current recommended FortiAP version is for your FortiAP prior to upgrading the FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the OS Version column you will see a message reading "A recommended update is available" for any FortiAP that is running an earlier version than what is recommended.

FortiSwitch OS (FortiLink support)

- 3.3.0 and later. Supported models: FSR112D-POE, FS108D-POE, FS224D-POE, FS124D, FS124D-POE, FS224D-FPOE
- 3.2.0 and later. Supported models: FS-108D-POE, FS-224D-POE, FSR-112D-POE
- 3.0.1 and later. Supported model: FS-224D-POE
- 2.0.3. Supported models: FS-28C, FS-324B-POE, FS-348B, FS-448B

FortiController

- 5.2.0 and later. Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
- 5.0.3 and later. Supported model: FCTL-5103B

FortiSandbox

- 2.1.0 and later
- 1.4.0 and later

Fortinet Single Sign-On (FSSO)

- 5.0 build 0242 and later (needed for FSSO agent support OU in group filters)
    - Windows Server 2008 64-bit
    - Windows Server 2008 R2 64-bit
    - Windows Server 2012 Standard
    - Windows Server 2012 R2 Standard
- 4.3 build 0164 (contact Support for download)
    - Microsoft Windows Server 2003 R2 (32-bit and 64-bit)
    - Microsoft Windows Server 2008 (32-bit and 64-bit)
    - Microsoft Windows Server 2008 R2 64-bit
    - Microsoft Windows Server 2012 Standard Edition
    - Microsoft Windows Server 2012 R2
    - Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer

- 2.7 build 1088 and later

Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS

- 1.0.6 build 0130 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender

- 2.0.2 build 0011 and later

AV Engine

- 5.00227

IPS Engine

- 3.00156

Virtualization Environments

Citrix

- XenServer version 5.6 Service Pack 2
- XenServer version 6.0 and later

Linux KVM

- CentOS 6.4 (qemu 0.12.1) and later

Microsoft

- Hyper-V Server 2008 R2, 2012, and 2012 R2

Open Source

- XenServer version 3.4.3
- XenServer version 4.1 and later

VMware

- ESX versions 4.0 and 4.1
- ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0

FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Language support

The following table lists language support information.

Language | GUI
English | ✔
Chinese (Simplified) | ✔
Chinese (Traditional) | ✔
French | ✔
Japanese | ✔
Korean | ✔
Portuguese (Brazil) | ✔
Spanish (Spain) | ✔

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer for each supported operating system.

Operating System | Installer
Microsoft Windows XP SP3 (32-bit), Microsoft Windows 7 (32-bit & 64-bit), Microsoft Windows 8 (32-bit & 64-bit), Microsoft Windows 8.1 (32-bit & 64-bit) | 2323
Linux CentOS 6.5 (32-bit & 64-bit), Linux Ubuntu 12.0.4 (32-bit & 64-bit) | 2323
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) | 2323

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System | Web Browser
Microsoft Windows 7 SP1 (32-bit/64-bit) | Microsoft Internet Explorer version 11, Mozilla Firefox version 42
Microsoft Windows 8/8.1 (32-bit/64-bit) | Microsoft Internet Explorer version 11, Mozilla Firefox 42
Mac OS 10.9 | Safari 7
Linux CentOS version 6.5 | Mozilla Firefox 42

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product | Antivirus | Firewall
Symantec Endpoint Protection 11 | ✔ | ✔
Kaspersky Antivirus 2009 | ✔ |
McAfee Security Center 8.1 | ✔ | ✔
Trend Micro Internet Security Pro | ✔ | ✔
F-Secure Internet Security 2009 | ✔ | ✔

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product | Antivirus | Firewall
CA Internet Security Suite Plus Software | ✔ | ✔
AVG Internet Security 2011 | |
F-Secure Internet Security 2011 | ✔ | ✔
Kaspersky Internet Security 2011 | ✔ | ✔
McAfee Internet Security 2011 | ✔ | ✔
Norton 360™ Version 4.0 | ✔ | ✔
Norton™ Internet Security 2011 | ✔ | ✔
Panda Internet Security 2011 | ✔ | ✔
Sophos Security Suite | ✔ | ✔
Trend Micro Titanium Internet Security | ✔ | ✔
ZoneAlarm Security Suite | ✔ | ✔
Symantec Endpoint Protection Small Business Edition 12.0 | ✔ | ✔

Resolved Issues

The following issues have been fixed in version 5.4.0. For inquiries about a particular bug, please contact Customer Service & Support.

Device Visibility

Bug ID | Description
300577 | Add QUIC support in passive device detection.
299500 | Ensure Mac is not detected as an iPhone.

DLP

Bug ID | Description
282782 | DLP does not stop processing filter(s) after the first match. Therefore, DLP file patterns matching *.xap for Silverlight keep being blocked as an executable.
299924 | Support integration of tag %%SUBJECT%% as part of the custom replacement message is set as the email subject.
298236 | Improve credit card number check handled by DLP sensor.

Firewall

Bug ID | Description
277238 | RSSO set the endpoint DB record "block status" to the incorrect value.
295643 | Improved authentication daemon optimization.
282807 | NP4lite leaks some unNATed packets on the external interface when NAT ports are exhausted.
297421 | HTTPS traffic is blocked after an AV/IPS database update from FortiGuard.
296931 | TCP Window size overruns in FGT when remote server announces the Window Scaling is 0.
295164 | oversize-log disable does not work for FTP downloads.
298411 | When installing vip to the kernel, check if the sock list is empty or not when deleting sock list elements.
293132, 291689 | Do not offer abbreviated TLS handshake on mismatched versions.
298937 | Proxyd ssl-exempt must not check the IP address if a hostname exists.

GUI

Bug ID | Description
258101 | When testing a RADIUS server and it does not connect, an error occurs.
274256 | HTTP 500 error occurs when trying to view a CA certificate.
262009 | GUI shows incorrect IP address and interface for DDNS domains.
275377 | Secondary IP and netmask for VLAN interfaces are reversed.
251641 | Insert policy below/above does not work in a multicast policy list.
269191 | Client monitor page is not showing clients when filter is set on SSIDs.
276756 | Profile groups > Ref. links do not work.
269191 | Client monitor page is not showing clients when filter is set on SSID.
286110 | GUI shows different certificate name under the VPN SSL setting compared to the CLI.
260886 | Policy dialog cannot load large number of addresses (10,000 or more).
286533 | GUI RADIUS Test Connectivity does not respond to use-management-vdom set.
294403 | Users cannot choose or change the Source Device Type in GUI on the SSLVPN Firewall policy.
274588 | Dashboard Status screen incorrectly shows FortiToken status.
272420 | One invisible group is selected in LDAP Remote Group.

High Availability

Bug ID | Description
294950 | Radiusd is not able to synch with a database with a secondary unit; this keeps the database locked and prevents users from being able to authenticate.
299848 | Remote+Wildcard admin are only matched compared to one group on the slave device.
298647 | npu_vlinks receives the same virtual-mac in a HA configuration.

IPS

Bug ID | Description
260302, 283644, 287743 | IPS engine daemon does not rely on the View ID to obtain configuration.

IPsec

Bug ID | Description
294697 | IPsec traffic is blocked after a HA failover.
279519 | When adding and/or modifying a Firewall policy, IPsec traffic stops during a vlink and/or lpck offload session.

Log & Report

Bug ID | Description
300881 | Modify service and log desc when traffic is denied due to an explicit proxy policy.
295179 | Offset the device time field in the logs on the FortiAnalyzer.

Routing

Bug ID | Description
298214 | If two out of four GWs for policy routes go down, one proute may be down but another proute is incorrectly up.
282126 | OSPF should be able to filter incoming external routes by route-map.
296921 | nssa-default-information-originate to make OSPF always send a default route of information to NSSA.
298290 | pim-dm should use kernel route to query the nexthop, instead of using the NSM module.
299593 | rip and ripng's offset-list status to be enabled by default.

SSLVPN

Bug ID | Description
297315 | User node cannot be found when the password has changed.
257689 | SSLVPN OWA 2013 send button does not work as expected.
300748 | MS RemoteApp and Desktop Connections are not shown via SSLVPN webportal.

SSO

Bug ID | Description
290746 | FortiGate removes FSSO logins as soon as the Collector agent is disconnected.

System

Bug ID | Description
276628 | npu-vlink stops working when adding a transparent VDOM.
295794 | Hardware-switch does not block an access from undefined hosts in the IP/MAC binding table after reboot.
297132 | Kernel and NP6 shaper interprets set maximum-bandwidth 0 differently.
295022 | Load all CAs in current VDOMs for OCSP certificate verification.
271239 | Admin password authentication cannot be disabled with public key authentication.
301887 | Enable NPU SynProxy support for FG-3700DX and FG-5001D.
298828 | Unable to set 31-bit mask for a secondary IP address.
298057 | Root Dispersion and Root Delay of diagnose sys ntp status command is an invalid value.
257176 | CPU increases when adding FAPs to FGT-60C-PoE.
301244 | Incoming PPPoE frame is accepted even when the destination MAC address is not local.
298867 | GMT +13:00 Samoa time zone with DST is not supported.
297451 | Member port is removed from a software-switch after rebooting if a management-vdom is in TP-mode.
297666 | Support CRL download over HTTP/1.1.
286771 | set macaddr option does not work for a switch-interface.
299585 | Always recycle the nturbo/ips local mbuf even if the nturbo buffer has been removed to avoid a nturbo mbuf leak in IPS.
282472 | NP6 Multicast traffic is duplicated.
297478 | snifferd process locks administrators even after admintimeout.
298204 | FWF-30E/50E/51E goes into the system conserve mode.
276941 | No value is returned when accessing Virtual Switch interface's OIDs.
273124 | Some of the Current Usage information under VDOM > Global Resources is incorrect.

Upgrade

Bug ID | Description
298540, 297001 | After HA cluster upgrade, Master and Slave boxes have different checksums for the webfilter profile in the root VDOM.

WANopt & Webproxy

Bug ID | Description
297486 | DNS improvements to handle fwd proxy server.

WiFi

Bug ID | Description
265950 | Wifi user unable to access internal applications after enabling Application Control.
240602 | Anonymous identity should not replace the real authentication account when a client is connecting to WPA-Enterprise.

Known Issues

The following issues have been identified in version 5.4.0. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Firewall

Bug ID | Description
304317, 304136 | WAD daemon may crash when enabling WAD debug.
304449 | TELNET may not be able to trigger authentication when the application profile and the user group are both configured.
304432 | Protect server may not work as expected when enabling the Proxy AV and deep inspection.

FortiView

Bug ID | Description
303747 | Source > Filter Source Device may not work.
289376 | Applying the filter All by using the right click method may not work in the All Session page.
301315 | Device Topology page, should add dependency warning if no interface has device detection enabled.
303940 | Web Site > Security Action filter may not work.
277558 | Policy page > IPv6 policy may be displayed as IPv4 policy in realtime view.
303787 | Application page > Filter on a Unknown Application may not work.
303823 | Policy page > Source and Destination interface might show unknown-0 message.
300055 | In Traffic Shaping page, bandwidth and dropped bytes may not be accurately listed for the Forward Shaper.
299900 | In the Traffic shaping page, the IPv6 shaping may miss reply-shaper name and may not be able to drill down the menu.

GUI

Bug ID | Description
289297 | Threat map may not be fully displayed when screen resolution is not big enough.
302633 | Several list pages may have alignment issues with Chrome 47.
303928 | After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in GUI.
303642 | Route lookup window may be empty.
303645 | If no route is found, the IPv6 route lookup result may not be accurate.
302576 | GUI may display the password-policy rules on the Admin page even if the password-policy does not apply to that admin user.
303038 | Dead Peer Detection setting in IPsec tunnel templates page may show on-demand instead of enable.
303776 | There may not be any options available in the Log View; a JS error occurs when setting a filter in the protocol field.
304100 | Users may not be able to enable Feature Select in Global or VDOM on the following platforms: FG-3700D, FG-3700DX, FG-3810D and FG-5001D.
304119 | Explicit Proxy Policy may receive an internal error if All Ports is enabled in any of ssl-ssh certificates in the inspection profile.
304482 | NP6 offloading may be lost when the IPsec interface has the aes256gcm proposal.
304491 | Users may not be able to set the IPsec VPN Xauth User Group to inherit groups from policy in GUI.
304495 | In Network > Explicit Proxy page, when users edit Listen on Interfaces, the page may stop responding.
304395 | The SSLVPN Web Portal RSA token in New Pin Mode may not work.
304645 | Traffic Shapers bandwidth unit may display kb/s while the backend config has mbps/gbps.
304627 | In the HA setup, when restoring config in GUI, only the master's config might be restored, and the slave's config may not be restored.
304436 | GUI might show a different received/sent value with CLI on GUI->Modem monitor page.
304439 | Users may not be able to set UTM profiles in IPsec Action Policy page.
304455 | GUI > Interface > DHCP Server > Advanced > DHCP Client List page may not display correctly on Chrome 47.

High Availability

Bug ID | Description
304433 | New import local certificate may cause the HA to become out of sync in a multi VDOM environment. Workaround: reboot the master.

IPsec

Bug ID | Description
296439 | L2TP over IPsec tunnel may not be able to be established.

Log & Report

Bug ID | Description
304217 | miglogd may stop working if its protocol and port overlap with another service. Affected policy: IPv4/IPv6 multicast policy, IPv4/IPv6 DOS policy and sniffer policy.
304533 | AntiVirus log may not have a URL section when a Gmail attachment is downloaded.

SSLVPN

Bug ID | Description
282914 | If users use SSLVPN in Web Mode, they may not be able to access a FortiGate running 5.4.
300054 | SSLVPN login replacement messages may be reset to factory default when upgrading from 5.2.
304528 | SSLVPN Web Mode PKI user might immediately log back in even when logging out.
304139 | SSLVPN Login Anyway might not work when limit-user-logins is enabled.

System

Bug ID | Description
275631 | Multicast traffic may be able to be offloaded by XLP in NAT mode when there is no PIM enabled.
295292 | If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
301947 | On NP6 ports, hairpinned traffic may be blocked after the traffic that initializes the original NATs stops responding. Workaround: disable fastpath on the NP6 port.
303626 | Switch VLAN may not be accessible in trunk (LACP) mode on 200 series platforms.
297923 | Newly created HW switch on NP4 platforms may not be accessible until users reboot.
290708 | nturbo may not support CAPWAP traffic.
304118 | VLAN and hardware switch interface may lose the secondary IP during the upgrade from v5.2 to v5.4. Workaround: unset role under config system interface, then manually add the secondary IP back.
303906 | The CLI may stop working when configuring Interface Policy6.
298348 | IPv6 may not work on the internal interface. Affected platform: FGT-92D
304472 | Health-check over pppoe interface may not work after a FGT reboot.
304320 | LENC FGT may not be able to update the modem-list and message-update; it may not be able to connect to FortiAnalyzer.
303959 | When the VDOM is enabled, the EAP_proxy may not be able to handle the certificate chain with a depth of more than two.
304667 | When FGT has only one disk and it is used by WANopt, the factory reset may not reset the disk to log. Workaround: use CLI to set disk-usage to log under config system global.

Upgrade

Bug ID | Description
269799 | sniffer config may be lost after upgrade.

WANopt & Webproxy

Bug ID | Description
291241 | WAD may have a fd leak after concurrent tests.
271526 | A WAD session leak may occur.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
    - XVA (recommended)
    - VHD
    - OVF
- The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results.
Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.