
FortiOS v5.2.0 (Beta 4) Release Notes (Build 564)

April 30, 2014

01-520-234298-20140430

Copyright © 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation: docs.fortinet.com
Fortinet Video Library: video.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: [email protected]

Table of Contents

Change Log  5
New Features in FortiOS v5.2.0 (Beta 4)  6
  FortiView usability improvements  6
  IPSec VPN  6
  Virtual WAN link load balancing and link monitoring  7
  Authentication  7
  Endpoint Control  7
  Firewall  8
  VoIP  8
  FortiOS Carrier  8
  Logging & Reporting  9
  Tablesize  10
  Application Control  10
  Misc  11
  Web Filtering  11
  Wireless  12
  New Features in FortiOS v5.2.0 (Beta 3)  13
  New Features in FortiOS v5.2.0 (Beta 2)  18
  New Features in FortiOS v5.2.0 (Beta 1)  20
Supported Models  26
  FortiGate  26
  FortiWiFi  26
  FortiGate VM  26
  FortiSwitch  26
Product Integration and Support  27
  Web browser support  27
  FortiManager and FortiAnalyzer support  27
  FortiClient support (Windows, Mac OS X, iOS and Android)  27
  FortiAP support  28
  FortiSwitch support  28
  FortiController support  28
  Virtualization software support  28
  Fortinet Single Sign-On (FSSO) support  29
  FortiExplorer support (Microsoft Windows, Mac OS X and iOS)  29
  FortiExtender support  29
  AV Engine and IPS Engine support  29
  Language support  29
  Module support  30
  SSL VPN support  31
  Explicit web proxy browser support  33
Resolved Issues  34
  Resolved issues from FortiOS v5.2.0 (Beta 3)  34
  Other resolved issues in FortiOS v5.2.0 (Beta 4)  34
Known Issues  36
  Known issues with FortiOS v5.2.0 (Beta 4)  36
  Known issues from FortiOS v5.2.0 (Beta 3)  36
  Known issues from FortiOS v5.2.0 (Beta 2)  36
  Known issues from FortiOS v5.2.0 (Beta 1)  36
Appendix A: About FortiGate VMs  38
  FortiGate VM model information  38
  FortiGate VM firmware  38
  Citrix XenServer limitations  39
  Open Source Xen limitations  39

Change Log

Date            Change Description

April 30, 2014  Removed GUI instructions and a CLI command from the description of application control information gathering improvements in "Application Control" on page 10. Added FEX-100A and corrected the build number in the section "FortiExtender support" on page 29.

April 29, 2014  Initial release.

New Features in FortiOS v5.2.0 (Beta 4)

This section describes new features in FortiOS v5.2.0 (Beta 4) build 564. Each feature description includes a bug number from Fortinet’s internal bug tracking system.

FortiView usability improvements

• A number of improvements to FortiView usability and functionality. You will notice changes throughout the FortiView GUI pages. (237570, 236537, 236834, 239168, 237914, 238539, 237405)

IPSec VPN

• Prioritized DH group configuration/negotiation. (234056)

In FortiOS 5.2, the default DH group has changed from 5 to 14 to provide sufficient protection for stronger cipher suites that include AES and SHA2. Because of this change, both IKEv1 and IKEv2 now allow up to 3 DH groups to be configured in the phase 1 and phase 2 settings, preserving the ordering since the initiator always begins with the first group in the list. The default DH group setting has been updated to include groups 14 and 5, in that order. You can add and remove other groups; the order in which they appear in the configuration is the order in which they are negotiated. Note that the order expresses preference, not a floor: a peer that only offers group 5 (1536-bit MODP) will still negotiate that weaker group as long as it remains in the list, so remove it where every peer supports group 14.

The IKEv1 protocol does not natively provide for DH group negotiation in Aggressive Mode and Quick Mode. As a result, when multiple DH groups are used with IKEv1 Aggressive Mode or Quick Mode, delays in tunnel establishment can occur, and it is recommended to continue to configure matching DH groups on both peers whenever possible.
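The ordering rule described above, modelled in Python as an added example (this is not FortiOS code). Each peer holds an ordered list of up to three DH groups, as in the FortiOS 5.2 default of 14 then 5, and the initiator always starts with the first group in its list. Two things are assumptions rather than statements from the release notes and are marked as such in the comments: that the IKEv2 responder accepts the first group in the initiator's order that it also supports (RFC 7296 leaves the choice to responder policy), and that an IKEv1 Aggressive Mode mismatch costs one whole failed exchange before the next configured group is tried, which is the delay the notes warn about.

```python
"""Prioritized DH group negotiation, modelled in Python (added example, not FortiOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Modulus sizes of the MODP groups (RFC 2409, RFC 3526), used to rank strength.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,
             17: 6144, 18: 8192}
MAX_GROUPS = 3  # FortiOS 5.2 allows up to three groups per phase


@dataclass
class Outcome:
    group: Optional[int]          # agreed DH group, or None on failure
    exchanges: int                # number of exchanges (round trips) spent
    notes: List[str] = field(default_factory=list)


def validate(groups: List[int]) -> List[int]:
    """Reject empty, over-long or duplicated group lists and unknown groups."""
    if not 1 <= len(groups) <= MAX_GROUPS:
        raise ValueError(f"between 1 and {MAX_GROUPS} groups required, got {groups}")
    if len(set(groups)) != len(groups):
        raise ValueError(f"duplicate groups in {groups}")
    for g in groups:
        if g not in MODP_BITS:
            raise ValueError(f"unknown DH group {g}")
    return list(groups)


def ikev2_negotiate(initiator: List[int], responder: List[int]) -> Outcome:
    """IKE_SA_INIT: the initiator offers all its groups and sends a KE payload
    for the first one. Assumption: the responder picks the first group in the
    initiator's order that it supports; if that is not the KE group it replies
    INVALID_KE_PAYLOAD and the initiator resends with the requested group,
    costing one extra exchange."""
    ini, resp = validate(initiator), validate(responder)
    common = [g for g in ini if g in resp]       # initiator order preserved
    if not common:
        return Outcome(None, 1, ["NO_PROPOSAL_CHOSEN: no DH group in common"])
    chosen = common[0]
    if chosen == ini[0]:
        return Outcome(chosen, 1)
    return Outcome(chosen, 2,
                   [f"INVALID_KE_PAYLOAD: responder asked for group {chosen}, "
                    f"initiator retried"])


def ikev1_aggressive_negotiate(initiator: List[int], responder: List[int]) -> Outcome:
    """Aggressive Mode carries the KE in the very first message, so the group
    cannot be corrected inside the exchange. Assumption: the initiator walks
    its list and each mismatch is a whole failed exchange."""
    ini, resp = validate(initiator), validate(responder)
    for attempt, g in enumerate(ini, start=1):
        if g in resp:
            notes = [] if attempt == 1 else [f"{attempt - 1} failed exchange(s) before group {g}"]
            return Outcome(g, attempt, notes)
    return Outcome(None, len(ini), ["no DH group in common"])


def weakest_acceptable(groups: List[int]) -> int:
    """The weakest group a peer can talk us down to is the weakest one we list,
    regardless of order: ordering sets preference, not a floor."""
    return min(validate(groups), key=MODP_BITS.__getitem__)


if __name__ == "__main__":
    default = [14, 5]                                        # FortiOS 5.2 default ordering
    print(ikev2_negotiate(default, default))                 # group 14, 1 exchange
    print(ikev2_negotiate(default, [5]))                     # group 5, 2 exchanges
    print(ikev1_aggressive_negotiate(default, [5]))          # group 5 after one failed exchange
    floor = weakest_acceptable(default)
    print(f"weakest negotiable group: {floor} ({MODP_BITS[floor]}-bit MODP)")
```

Run the module directly to see the three negotiations; `weakest_acceptable` is the check worth adding to a configuration review, since it reports the floor a downgrading peer can reach rather than the preferred group.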

Virtual WAN link load balancing and link monitoring

• New measured volume (measured bandwidth usage distribution) method for virtual WAN link load balancing. (235214)

A new virtual WAN link load balancing option balances traffic between the interface members of the virtual WAN link so that all of the interfaces carry the same volume of traffic. You can also set a volume ratio for each WAN link; the higher the ratio, the larger the share of traffic sent to that link.

• Allow multiple source and destination addresses and address ranges for services in virtual WAN link load balancing. (234106, 233357)

• Link Health Monitor added to System > Monitor > Link Monitor. (235801, 233916, 233602)

This feature displays the status of all virtual WAN link ports as well as the number of sessions, bandwidth, and link quality for each port in the virtual WAN link.

Authentication

• Improved the efficiency of how user authentication with multiple groups is processed by FortiOS. (218909)

The following command can be used to test authentication of a user account with multiple authentication servers:

    diagnose test authserver user <username> <password> <group1> <group2> ...

Endpoint Control

• Endpoint license changes. (231328)

New Endpoint licenses are now available in FortiOS 5.2. Information about the status of the current license can be found in the FortiClient section of the License Information widget.

The following licenses will be available:

• Desktop models and FortiGate-VM00: 200 clients

• 1U models, FortiGate-VM01 and FortiGate-VM02: 2,000 clients

• 2U models and FortiGate-VM04: 8,000 clients

• 3U models, FortiGate-ATCA, and FortiGate-VM08: 20,000 clients

Because the new licenses are for one year, the activation method has changed. New licenses are purchased in the same way as a FortiGuard service, with no further registration of the license required. The device can then be registered with the FortiGate unit.

If the device does not have access to the Internet, you can download the license key from the support site and manually upload it to your FortiGate. The license is tied to that specific device and has an expiry date.

While the older licenses from FortiOS 5.0 will still be supported, they will have the following limitations:

• The On-net/Off-net feature will not be supported.

• Logging options will only appear in the CLI.

• FortiAnalyzer Support for logging and reporting will be limited.

• You will not be able to enter any v5.0 license keys.


Firewall

• Simplifying and optimizing NAC-quarantine (First phase, more changes in future FortiOS versions). (232211,126666,137528)

In the first phase of simplifying NAC quarantine, all ban types have been removed except IPv4 or IPv6 source IP address. In addition, NAC quarantine features are now handled by the kernel, so the config user ban command has been removed.

For DLP sensors the only NAC quarantine option is quarantine-ip to quarantine all traffic from the IP address.

For antivirus profiles the only NAC quarantine option is quar-src-ip to quarantine all traffic from the source IP.

For IPS sensors, the only NAC quarantine option is attacker to block attacker's IP.

For IPv4 DoS-policies, the only NAC quarantine option is attacker to block attacker's IP.

For IPv6 DoS-policies, the only NAC quarantine option is attacker to block attacker's IP.

VoIP

• Change default SIP behavior to proxy VoIP ALG. (237213)

Previous versions of FortiOS used the SIP session helper for all SIP sessions. You had to remove the SIP session helper from the configuration for SIP traffic to use the SIP ALG.

Now, by default, all SIP traffic is processed by the SIP ALG. You can change the default setting using the following command:

    config system settings
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
    end

The default is proxy-based, which means the SIP ALG is used. If set to kernel-helper-based, the SIP session helper is used.

If a SIP session is accepted by a firewall policy with a VoIP profile, the session is processed using the SIP ALG even if default-voip-alg-mode is set to kernel-helper-based.

If a SIP session is accepted by a firewall policy that does not include a VoIP profile:

• If default-voip-alg-mode is set to proxy-based, SIP traffic is processed by the SIP ALG using the default VoIP profile.

• If default-voip-alg-mode is set to kernel-helper-based, SIP traffic is processed by the SIP session helper. If the SIP session helper has been removed, no SIP processing takes place.

FortiOS Carrier

• Add support for per-stream rate limiting of GTP traffic and the ability to apply rate limiting separately for GTPv0 and GTPv1. (236999,183334)

In addition, FortiOS Carrier now indicates the GTP version in rate limiting log messages and writes a rate limiting warning log message when a packet exceeds the rate limiting threshold.

    config firewall gtp
        edit my-gtp-profile
            set rate-limit-mode {per-profile | per-stream}
            set warning-threshold {0 - 99}
            config {message-rate-limit-v0 | message-rate-limit-v1 | message-rate-limit-v2}
                set create-pdp-request <rate-limit>
                set delete-pdp-request <rate-limit>
                set echo-request <rate-limit>
            end
        next
    end

• New GTPv0 and GTPv1 per APN rate limiting. (227151)

This requirement is intended to fulfill the business model of machine-to-machine (M2M) providers who leverage cellular wireless networks to provide tailored data services to non-telco organizations. For example, vending machines for a soft drink company can send inventory data and receive advertising updates via cellular data.

Since M2M providers cross multiple wireless carriers and have multiple customers, they deploy a unique Access Point Name (APN) per customer. Because they do not have a very large address space, they are forced to overload many APNs onto a single IP address.

The problem occurs when a network issue takes some customers offline (for a variety of reasons) and the affected cellular devices do not behave "well", resulting in a flood of APN negotiations that may affect other customers on the same IP address.

This enhancement extends the current GTP rate limiting capability to examine the APN in the create PDP context request and optionally apply rate limiting based on the associated profile.

You can use the following CLI commands to set rate limits per APN:

    config firewall gtp
        edit <profile-name>
            ...
            set rate-limit-mode per-apn
            config per-apn-shaper
                edit entry1
                    set apn <APN-name>
                    set version <version>
                    set rate-limit <limit>
                next
            end
        next
    end

Logging & Reporting

• FortiOS now writes separate log messages for local-in deny actions on unicast traffic and local-in deny actions on broadcast traffic. (231272)

The previous local-in-deny log function is split into two functions, local-in-deny-unicast and local-in-deny-broadcast.

• When a FortiOS component crashes, FortiOS now generates an event log message with information about the crash, similar to a shortened crash log. (238137)

• New command to enable reports. Using this command you can also choose whether to include sniffer log messages in report results. (224804)

Use the following command to enable producing a report that uses both sniffer logs and forward traffic logs:

    config report setting
        set status enable
        set report-source sniffer-traffic forward-traffic
    end

Tablesize

• The number of object tags has been increased and the number is managed by the tablesize system.object-tag. (234899)

The actual numbers for each model will appear in the FortiOS 5.2 Max Values Table.

Application Control

• Application Control usability improvements and 5-point risk rating. (224969, 233847, 238980)

The following changes have been made to improve usability in the web-based manager:

• Application sensors and filters are now created on a single page, found at Security Profiles > Application Control.

• A drop down menu appears when you right-click on a category, allowing the action for that category to be changed.

• Filter criteria, such as popularity, technology, and risk, have been removed.

• New application sensors can only be created by category and application.

A new rating system is used for all pages related to application control, including the application list, the application filters list, traffic logs, the FortiView Applications dashboard, and the FortiView All Sessions dashboard. The rating system is as follows:

Risk Level  Description  Example

Critical  Applications that are used to conceal activity to evade detection.  Tor, SpyBoss

High  Applications that can cause data leakage, or are prone to vulnerabilities or downloading malware.  Remote Desktop, File Sharing, P2P

Medium  Applications that can be misused.  VoIP, Instant Messaging, File Storage, WebEx, Gmail

Elevated  Applications used for personal communications or that can lower productivity.  Gaming, Facebook, YouTube

Low  Business related applications or other harmless applications.  Windows Updates

• Application control information gathering improvements. (240161)

Application control can now extract the following information and record it in application control and traffic log messages:

• Information about user logins and file transfers for cloud applications.

• Video names for many popular video streaming services including YouTube, NetFlix, Vevo, Dailymotion, Veoh, Hulu, Vube, Metacafe, LiveLeak, Break, and Ustream.

• The following new fields have been added to both the application control log and to traffic logs: clouduser, cloudaction, filename, and filesize.

A new custom IPS and application control signature option, --deep_ctrl, has been added.

The following new diagnose commands have also been added:

• diagnose ips debug dac info

• diagnose ips debug dac clear

• diagnose ips debug enable dac

Misc

• By default the vulnerability scanner is not displayed on the GUI. (239815)

To add the vulnerability scanner go to System > Config > Features and turn on this feature.

• Hardware-switch interface Switch Port Analyzer (SPAN) feature. (234051)

The Switch Port Analyzer (SPAN) feature is now available for hardware switch interfaces on FortiGate models with built-in hardware switches (for example, the FortiGate-100D, 140D, and 200D). The SPAN feature (also called port mirroring) allows you to send a copy of the packets received or sent by one interface to another. So, for example, you could send all traffic received by the WAN interface to another interface and connect a sniffer to that other interface to monitor the traffic on the WAN interface.

To enable SPAN on a hardware switch, go to System > Network > Interfaces and edit a hardware switch interface. By default the system may have a hardware switch interface called lan. You can also create a new hardware switch interface.

Select the SPAN checkbox. Select a source port from which traffic will be mirrored. Select the destination port to which the mirrored traffic is sent. Select to mirror traffic received, traffic sent, or both.

You can also use the following CLI command to enable SPAN on the lan hardware switch and mirror traffic received by port6 to port10:

    config system virtual-switch
        edit lan
            set span enable
            set span-source-port port6
            set span-dest-port port10
            set span-direction rx
        next
    end

Web Filtering

• Web filter HTTP Referer field check. (236709)

You can now add a referrer host to URL filter entries. If one is specified, the hostname in the Referer field of the HTTP request is compared against it for any entry whose URL matches the request. The entry's action is applied by the proxy only if both the URL and the referer match. Note that the Referer header is supplied by the client and is frequently absent, stripped or trivially forged, so referer-based exceptions should be treated as a usability convenience rather than a security boundary.

The referrer can also be set in the web-based manager, but only if advanced web filter features have been enabled using the following command:

    config system global
        set gui-webfilter-advanced enable
    end

After this command is used, a new column for the referrer appears in Security Profiles > Web Filter > Static URL Filter.

The command set referrer-host has been added to the CLI. The CLI has also changed so that URL filters are now identified by their IDs, and the URL values are set under each entry:

    config webfilter urlfilter
        edit <ID>
            config entries
                edit 1
                    set url <url>
                    set referrer-host <hostname>
                    set type {simple | regex | wildcard}
                    set action {block | allow | monitor | exempt}
                    set status {enable | disable}
                next
            end
        next
    end
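The matching rule described above, modelled in Python as an added example (this is not FortiOS code): an entry's action is applied only when the request URL matches the entry by its type (simple, wildcard or regex) and, if the entry carries a referrer-host, the hostname of the request's Referer header equals it. Several details the release notes leave open are assumptions here and are marked in the comments: entries are evaluated in order and the first match wins; a simple entry matches an exact host plus any path under the entry's path; an entry with a referrer-host never matches a request that has no Referer header; the default when nothing matches is allow. The sample entry list and requests are constructed for illustration, and the last call shows why the check is not a security boundary: a client-chosen Referer satisfies it.

```python
"""URL filter entries with a referrer-host condition (added example, not FortiOS code)."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def host_and_path(url: str) -> Tuple[str, str]:
    """Lower-cased hostname and path of a URL or a bare host[/path] string."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


@dataclass
class UrlFilterEntry:
    url: str
    type: str = "simple"             # simple | regex | wildcard
    action: str = "block"            # block | allow | monitor | exempt
    referrer_host: Optional[str] = None
    status: str = "enable"

    def url_matches(self, request_url: str) -> bool:
        host, path = host_and_path(request_url)
        if self.type == "simple":
            # Assumption: exact host, and the entry path is a prefix of the request path.
            e_host, e_path = host_and_path(self.url)
            return host == e_host and path.startswith(e_path)
        if self.type == "wildcard":
            return fnmatchcase(host + path, self.url.lower())
        if self.type == "regex":
            return re.search(self.url, host + path, re.IGNORECASE) is not None
        raise ValueError(f"unknown URL filter type {self.type!r}")

    def referrer_matches(self, referer: Optional[str]) -> bool:
        """Only the hostname of the Referer is compared, as the release notes state."""
        if self.referrer_host is None:
            return True                # no referrer condition on this entry
        if not referer:
            return False               # assumption: required referrer absent -> no match
        ref_host, _ = host_and_path(referer)
        return ref_host == self.referrer_host.lower()


def evaluate(entries: List[UrlFilterEntry], request_url: str,
             referer: Optional[str] = None, default: str = "allow") -> str:
    """Action of the first enabled entry whose URL and referrer both match (assumed first-match-wins)."""
    for entry in entries:
        if (entry.status == "enable" and entry.url_matches(request_url)
                and entry.referrer_matches(referer)):
            return entry.action
    return default


# Constructed sample policy: downloads from files.example.com are allowed only when
# reached from the intranet portal; any other access to that host is blocked.
SAMPLE_ENTRIES = [
    UrlFilterEntry("files.example.com/downloads", action="allow",
                   referrer_host="portal.corp.example"),
    UrlFilterEntry("files.example.com", action="block"),
    UrlFilterEntry(r"^[^/]*\.(onion|i2p)(/|$)", type="regex", action="block"),
    UrlFilterEntry("*.example.net/*.exe", type="wildcard", action="monitor"),
]

DOWNLOAD = "https://files.example.com/downloads/report.pdf"

if __name__ == "__main__":
    print(evaluate(SAMPLE_ENTRIES, DOWNLOAD, "https://portal.corp.example/home"))  # allow
    print(evaluate(SAMPLE_ENTRIES, DOWNLOAD))                                        # block
    print(evaluate(SAMPLE_ENTRIES, DOWNLOAD, "https://evil.example/"))               # block
    # The Referer is set by the client, so a forged header satisfies the exception.
    print(evaluate(SAMPLE_ENTRIES, DOWNLOAD, "http://PORTAL.corp.example"))          # allow
```

The referrer-bearing entry is placed before the plain block entry on the same host on purpose: with first-match semantics the order is what turns "block this host" into "block this host unless it is reached from the portal".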

• Restrict access to Google corporate accounts only. (235247)

A new web filter option restricts Google access to Google corporate accounts. This allows you to block access to some Google accounts and services while allowing access to corporate Google accounts.

To use this option, go to Security Profiles > Web Filter and select Restrict to Corporate Google Accounts Only under Proxy Options. You can then add the appropriate Google domains that will be allowed.

If you wish to configure these options in the CLI, the URL filter must refer to a web-proxy profile that uses the HTTP request header modification feature (235247) described under the Beta 3 new features below.

This command is only visible when the action is set to either allow or monitor.

Wireless

• RADIUS accounting for WiFi. (232224)

RADIUS accounting is now supported for wireless networks, allowing RADIUS accounting messages to be sent that contain a wireless user's name and IP address.

If an accounting server has been enabled for RADIUS, the wireless client information will be sent to it.

• Captive Portal (235329, 237512, 234510, 234508, 232671, 238009, 237996, 237751, 237576, 234569, 238478, 238008, 237734, 237476, 237742)

New Configuration Options

The following options can now be configured for captive portals that use wireless interfaces:

• Security exempt list name: security-exempt-list <name>

• URL redirection after disclaimer/authentication: security-redirect-url <url>

• Captive portal type: portal-type {auth | email-collect}

WPA Personal Security + Captive Portal

A new option has also been added that uses WPA Personal security as well as a captive portal. This option also allows groups to be imported from the policy.

• Wireless Captive Portal Updates. (239746, 239143, 239790, 239836)

New Features in FortiOS v5.2.0 (Beta 3)

FortiView

• New FortiView pages: Web Sites and Threats. (235514)

Web Sites displays a chart showing the most commonly visited websites. You can drill down to view details about each access to each site.

Threats lists the most commonly received threats and the users who either sent or received them.

Antivirus

• Flow-based virus scanning displays a virus found message. (228916)

Flow-based virus scanning can usually display a virus found message in the user’s web browser when an infected file is found:

• The message can be displayed immediately if the infected file fits into one server response packet.

• If the infected file is larger than one server response packet, the URL of the virus found message is put into a cache and the block page is displayed the next time this URL is accessed. In this case the user’s browser will appear to hang, and if the user refreshes the browser the virus found message is displayed.

Firewall

• Captive Portal updates. (234289)

When configuring a captive portal you can select a user group or set it to use the user groups added to the firewall policy that accepted the user connection.

Standard authentication replacement messages are now also used for captive portals.

New WiFi interface captive-portal options:

    config wireless-controller vap
        edit "wifi"
            set security captive-portal
            set security-exempt-list "exempt_list_01"
            set security-redirect-url "http://www.fortinet.com"
            set portal-type {auth | email-collect}
        next
    end

Use the exempt list to list MAC addresses and IP addresses that are exempt from authenticating with the captive portal.

• Support certificate replacement in SSL/SSH inspection profiles that use SSL certificate-inspection mode. (232850)

When SSL certificate-inspection mode is chosen in an SSL/SSH Inspection profile and a web page is blocked, FortiOS uses a replacement message to display a web page indicating that the page was blocked. The FortiGate now uses the CA currently in use for that session for the SSL handshake before displaying the replacement message page. Previously, FortiOS used a pre-defined certificate for the replacement message, which would result in a browser warning message.

• Select the certificate used by the FortiGate authentication system for HTTPS authentication. (233020)

You can now select the CA certificate that the authentication system uses when asking a user to authenticate using HTTPS. It can be any CA certificate loaded into the FortiGate configuration. You can only specify one certificate, and it is used for all HTTPS authentication requests:

    config user setting
        set auth-ca-cert <certificate-name>
    end

• Server load balancing virtual IP support for replacing the X-Forwarded-For header with a new header with a user-configurable name. (230831)

By default, if http-ip-header is enabled in a virtual-server configuration, then as HTTP(S) traffic flows through the virtual server FortiOS either adds an X-Forwarded-For header with the client's original IP address or updates any existing X-Forwarded-For header with the client's IP address. Some servers want the client's original IP address but do not want to use X-Forwarded-For and instead want a configurable header name to be used. The new attribute http-ip-header-name allows this name to be defined.

If defined, any existing X-Forwarded-For header is removed and a new header with the given name is added containing the client IP address.

    config firewall vip
        edit <name>
            set type server-load-balance
            set http-ip-header-name <header-name>

Consider a simple virtual server:

    config firewall vip
        edit ssl
            set type server-load-balance
            set server-type https

By default it has an http-ip-header option which is disabled:

    set ?
    ...
    http-multiplex        Enable/disable multiplex HTTP requests/responses over a single TCP connection.
    http-ip-header        Add an additional HTTP header containing client's original IP address
    outlook-web-access    Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server.
    ...

If enabled:

    set http-ip-header enable

then the http-ip-header-name option becomes visible:

    set ?
    ...
    http-multiplex        Enable/disable multiplex HTTP requests/responses over a single TCP connection.
    http-ip-header        Add an additional HTTP header containing client's original IP address
    http-ip-header-name   Name of HTTP header containing client's IP address, if empty X-Forwarded-For is used.
    outlook-web-access    Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server.
    ...

By default it is empty and X-Forwarded-For will be used:

    get
    ...
    srcintf-filter      :
    http-ip-header      : enable
    http-ip-header-name :
    monitor             :
    ...

If a new value is defined:

    set http-ip-header-name X-Billing-Address
    get
    ...
    http-ip-header      : enable
    http-ip-header-name : X-Billing-Address
    monitor             :
    color               : 0
    ...

then that header name is used instead of X-Forwarded-For.

• Support modifying HTTP request headers in proxy. (235247)

FortiCarrier

• Improvements to GTP logging to make searching GTP sessions easier and more accurate. (221888, 222684, 232058)

• Three new CLI commands are added to the GTP profile for GTP-U logging. gtpu-forwarded-log and gtpu-denied-log control whether to record a log entry for forwarded and dropped packets, respectively. gtpu-log-freq controls the log frequency for GTP-U packets. The log frequency value is per number of packets; for example, set gtpu-log-freq 10 means the FortiGate unit records a log entry for every 10 packets.

IPsec

• Allow more control over adding routes to dialup (dynamic) IPsec VPN configurations. (231749)


You can enable add-route in any dialup (dynamic) policy-based or interface-based phase 1 configuration. This option functions the same way as the add-route option used for dynamic interface-based phase 1s with mode-cfg enabled. It adds a route to the FortiGate unit’s routing information base when the dynamic tunnel is negotiated. You can use the distance and priority options to set the distance and priority of this route. If this results in a route with the lowest distance, it is added to the FortiGate unit’s forwarding information base.

You can also enable add-route in any policy-based or interface-based phase 2 configuration that is associated with a dialup (dynamic) phase 1. In the phase 2, add-route can be enabled, disabled, or set to use the same setting as the phase 1.

• Allow multiple interfaces for IKE/IPsec VPN policies. (230415)

You can add multiple incoming and outgoing interfaces to policy-based IPsec VPN firewall policies (Action set to IPsec).

• Allow IKE authentication against group in policy. (231690)

You can add Source Users to policy-based IPsec VPN firewall policies (Action set to IPsec).

If no users or user groups are added to the phase 1, the Source Users in the policy can authenticate with the IPsec VPN.

Logging & Reporting

• Improvements to reporting. (233366, 233181, 232327)

The report available on the FortiGate unit (under Log & Report > Report) has been improved with better threat related charts and application and bandwidth related charts.

Routing

• BGP neighbor groups. (237029)

This feature allows a large number of neighbors to be configured automatically based on a range of neighbors' source addresses.

Start by adding a BGP neighbor group:

  config router bgp
    config neighbor-group
      edit <neighbor-group-name>
        set remote-as 100
        ...
      end
  end

(All options for a BGP neighbor are supported except password.)

Then add a BGP neighbor range:

  config router bgp
    config neighbor-range
      edit 1
        set prefix 192.168.1.0/24
        set max-neighbor-num 100
        set neighbor-group <neighbor-group-name>
      end
  end

Because password is not supported, peers accepted through a neighbor range cannot be authenticated with TCP MD5. Keep the prefix as narrow as the expected peers allow, and use max-neighbor-num to bound the number of sessions the range can create.

System

• Select a custom language for an SSL VPN web portal and for the Guest Management page for administrators who can only provision guest accounts. (227415)


To enable custom language support:

  config system global
    set gui-custom-language enable
  end

Go to System > Admin > Administrators and add an administrator. When you select Restrict to Provision Guest Accounts you can also select the language that appears on the Guest Management GUI page for that administrator.

Go to VPN > SSL > Portals to add an SSL VPN portal. When configuring the portal you can select the language that appears on the portal.

FortiOS comes with a number of languages that you can apply to an SSL VPN portal and the Guest Management GUI page. You can also add your own language by going to System > Config > Advanced > Language and uploading a new language template. Here you can also view and download a sample language template that you can use to create your own custom language file.

• Support configuring DHCP advanced options in the GUI. (228329)

When editing the DHCP configuration on an interface you can select Advanced to configure the following:

• Set the interface to DHCP relay mode

• Send an NTP server IP address to DHCP clients

• Set the time zone of the DHCP client

• Set advanced DHCP options such as Host Name (DHCP option 12) and Boot File Size (DHCP option 13). You can select an option from the list or enter the DHCP option number.

• FortiGate units support the Novatel U679 (Bell) LTE modem. (225531)

• GUI support for hardware switch features. (233756)

You can manually allocate VLANs on virtual switch interfaces from the GUI. To enable this feature, enter the following CLI command:

  config system global
    set virtual-switch-vlan enable
  end

Then from the GUI go to System > Network > Interfaces > Create New. Set the Type to VLAN Switch, set a VLAN ID, and add switch ports as Physical Interface Members. To be able to add switch ports you must first remove them from the lan interface.

• Enable taking an aggregate interface down if fewer than a configured number of its physical interfaces are connected. (229624)

  config system interface
    edit agg-int
      set type aggregate
      set min-links 3
      set min-links-down {operational | administrative}
    end

Where min-links is the minimum number of member links that must be up for the aggregate to stay up, and min-links-down specifies whether the aggregate is set operationally down or administratively down when fewer than min-links members are up.

• License widget updates and registration wizard replacement. (233166, 235855, 235853)

• Change factory default values for FortiClient on-net status and FortiClient access. (237035)


Webfilter

• When FortiGuard Web Filtering displays authentication and override pages, you can configure the FortiGate unit to send the pages using HTTPS instead of HTTP. This is a FortiGuard web filtering configuration set once for FortiGuard. Serving these pages over HTTPS keeps the credentials users enter on them from crossing the network in the clear. (187272, 231380)

The following new options are available:

  config webfilter fortiguard
    set ovrd-auth-https {disable | enable}    (Web Filtering override)
    set warn-auth-https {disable | enable}    (Web Filtering authentication)
  end

Wireless

• Support split tunnelling for FortiAPs. Split tunnelling allows you to optimize WiFi traffic flow by keeping local traffic off of the WiFi controller; local traffic is handled by the FortiAP unit instead. With split tunnelling, a remote user associates with a single SSID, not multiple SSIDs, to access corporate resources (for example, a mail server) and local resources (for example, a local printer). The remote AP examines ACLs to distinguish between corporate traffic destined for the controller and local traffic. Traffic that matches the AP ACL rules is switched locally, and NAT is performed to change the client's source IP address to the AP's interface IP address, which is routable at the local site/network. The rest of the packets are centrally switched over the data tunnel. Locally switched traffic never reaches the FortiGate unit, so the controller's security policies and UTM inspection do not apply to it. (234937)

Enable split tunnelling for an SSID by editing the SSID (go to Wireless > WiFi Network > SSID) and selecting Split Tunneling. You must also add Split Tunnelling Subnets to FortiAP profiles or to managed FortiAPs. The split tunnelling subnets are the local traffic subnets and would usually match the subnet connected to the FortiAP.

• FortiAP CLI Console Access (230588)

If login-enable is enabled in a FortiAP configuration, you can log into the FortiAP's CLI from the FortiOS Managed FortiAPs page.

New Features in FortiOS v5.2.0 (Beta 2)

FortiOS Carrier

• Add support for tunnel create/modify/delete across GTP versions 1 and 2. (226037)

• GTP Logging Improvements (229210, 229562)

IPSec VPN

• Add support for IKE mode config to use a remote DHCP server to assign the client IP address. (177415)

Logging & Report

• 5-Point-Risk Rating for Applications (229368)

Routing

• Allow ECMP to use both source and destination addresses. (230398)

• Added support for BGP conditional advertisement. (228722)


SSL VPN

• SSLVPN Updates (225885, 231869)

Device Visibility

• Extended device visibility to detect devices based on traffic that does not flow through the FortiGate but which the FortiGate does see. This includes: (219483)

• Traffic that hits an interface with “set ips-sniffer-mode enable”

• Broadcast and multicast traffic

Firewall

• Preserve Class of Service (CoS) Bits (216290)

• Support UUID for VIP/VIP6/VIP46/VIP64/VIPGRP/VIPGRP6/VIPGRP46/VIPGRP64. (224622)

• Link Load Balance (LLB) -- Link quality based distribution. (228868)

• Add Source-IP, Destination-IP, and Username to the replacement messages. (176238)

• WLAN External Web authentication support (195254)

• Add more information to block page for flow-based web filtering (227974)

• SSL Inspection - server certificate upload (proxy) (193400)

HA

• RFC 6311 IKE Message ID sync support allows IKEv2 to resynchronize send and receive message ID counters after an HA failover. (212653)

• HA for DHCP/PPPoE. (227196)

• HA override wait-time to cause the cluster to wait to renegotiate after a unit joins a cluster and if override is enabled. (232111)

  config system ha
    set override-wait-time <time>
  end

IPS

• Generate sniffer log. (224702)

• IPS Packet Capture Improvements. (113088, 230501, 165013, 195280, 230530, 230469, 230486, 229211)

System

• Add DHCP Server ‘on-net’ property. (227770)

• Add support for LLDP transmission. (224654)

• Implementing Link monitor (223683)

• Scheduled FDN upgrade flexibility (208394)

• SNMP trap & alert message for USB modem unplugged (228450)

GUI (web-based manager) usability changes

• Interface list improvements. (178943, 228616)


• DHCP related GUI improvements. (221932)

• LDAP query inside ID policy. (193045)

• IPv6 address range support on GUI. (182243)

• FortiView Updates (228044, 230777, 228071, 227052, 227600, 227844)

• Move explicit proxy policy to a separate table (232684)

• Per VDOM CPU and memory usage widget (220121)

• System Resource Widget Updates (197167, 221055, 218711, 228286)

• Link Health Check GUI support. (230051, 232611, 226034, 225744, 226366, 233602)

• The FortiClient Vulnerability Scan module is enabled in the FortiClient Profile from the CLI. To enable Vulnerability Scan, enter the following CLI commands:

  config endpoint-control profile
    edit <profile-name>
      config forticlient-winmac-settings
        set forticlient-vuln-scan {enable | disable}
        set forticlient-vuln-scan-schedule {daily | weekly | monthly}
        set forticlient-vuln-scan-on-registration {enable | disable}
        set forticlient-ui-options {av | wf | af | vpn | vs}
      end
    end

When setting forticlient-ui-options, you must include all the modules that you want to enable in the FortiClient console.

WAN Opt and Web Proxy

• Adding URL address type for explicit proxy (currently CLI only) (229215)

Web Filtering

• Add more information to block page replacement message for flow-based web filtering. (227974)

• WCF/AS communications to FortiManager/FortiGuard using TCP port 80. (215828)

Wireless

• Add 802.11ac support on FOS side (228410, 222567)

• AP management Reorganization. (194194)

User Authentication

• External captive portal - redirect (233315)

New Features in FortiOS v5.2.0 (Beta 1)

FortiOS version numbering changes

• FortiOS firmware version numbering scheme now uses vMajor.minor.patch (label). For example, this release is v5.2.0 (Beta 4) using the new numbering scheme. (225622)


Dashboard and monitoring improvements (FortiView)

• New FortiView-style dashboard widgets. FortiView integrates realtime and historical dashboard widgets into a single view that combines both realtime and historical data. (227156)

• IPsec and SSL VPN Configuration and monitoring Improvements. (148967)

Antivirus

• Antivirus Profile GUI page improvements. (224928)

• Improved flow-based virus scanning catch rate. Flow-based virus scanning uses a new mode, called full mode. Full mode's virus catch rate is as good as proxy-based virus scanning, but with flow-based performance and latency. (216541)

Application Control and IPS

• One-arm sniffer virus scanning now uses a more effective virus scanning engine to improve virus scanning catch rates and performance. (219507)

• GUI support for configuring rate-based IPS signatures. In any IPS sensor you can turn on a selected list of rate-based signatures and adjust their Threshold, Duration, Track by setting, Action and Block duration. In previous versions of FortiOS you had to either accept default values for these settings or adjust them from the CLI. (220056)

• Inline SSL inspection and support for application control of applications that use the SPDY protocol. Inline SSL inspection supports flow-based UTM features only. If only flow-based features are used, SSL inspection is also handled by the IPS engine, so it can leverage hardware acceleration or benefit from the IPS engine's processing techniques to boost performance. (222100)

• New replacement messages for Application Control of HTTP-based applications. (224924)

• Extend the functionality of XLP processors to accelerate IPv6 DoS policies. XLP processors accelerate IPS on FortiGate models such as the FortiGate-5101C. (211082)

User and Device Authentication

• Configuring user and device authentication in firewall policies has been changed. To configure authentication, add users, user groups or device types to a firewall policy. (223766, 22470, 205414, 210791, 191152)

• Support using POP3/POP3S servers for remote server user authentication. Users can authenticate using any normal authentication method supported by the FortiGate unit. The FortiGate unit looks up their credentials on a POP3/POP3S server (instead of a remote LDAP or RADIUS server). (197354)

• New option to limit the maximum number accounts per guest user portal. (214067)

• RADIUS single sign-on (RSSO) support for IPv6 identity-based policies. (213217)

• RSSO guest user group. Similar to FSSO guest user group. (179915)

• Improve device groups by adding a new printer category and allowing device groups to reference device categories. (215319)

Endpoint Control

• FortiOS now supports syncing FortiClient registration information between FortiGate units and VMs running 32-bit and 64-bit versions of FortiOS. Some older FortiGate units run 32-bit FortiOS. Most new ones and all VMs run 64-bit FortiOS. (197228)

• Turning off the FortiClient Configuration Deployment AntiVirus Protection option disables all FortiClient antivirus functions on endpoints with FortiClient, including scheduled virus scans and right-clicking on a file to scan it for viruses. (209419)

• On the FortiGate unit you can create URL filter lists that optionally include wildcards and regular expressions and use endpoint control to implement them on endpoints with FortiClient. (191397)

• Improvements to pushing FortiGuard Web Filtering Category settings to endpoints with FortiClient. (226615)

Firewall

• Dynamic destination NAT using DNS queries. New dns-translation VIP type. The VIP includes a mapped address range. For any session, the address that is mapped to is retrieved using a DNS lookup. (190690)

• TCP maximum segment size (MSS) clamping for IPv6 security policies. New policy6 options tcp-mss-sender and tcp-mss-receiver. (223959)

• New options to exempt traffic from SSL deep inspection. You can create exemptions for FortiGuard categories and for IPv4 and IPv6 firewall addresses and address groups. (215182)

• Improvements to how the Fortinet bar refreshes after a successful web page logout. (225558)

• Generate new unique default SSL inspection CA and server certificates the first time they are required. Previous versions of FortiOS all shipped with the same default CA and server certificates, so the private key of that CA was the same on every FortiGate unit: once clients are told to trust it for deep inspection, anyone holding another unit's copy of the key can sign certificates those clients accept. With this change the certificates are unique on each FortiGate unit. There are some exceptions; for example, in an HA cluster all FortiGate units need the same CA and server certificates. You can also change them as required for load balancing and other configurations. (181441)

Existing customers are not affected by this change: FortiOS does not change the current defaults on upgrade. You can use the commands below to generate new ones.

The following command re-generates the default SSL inspection CA certificate:

  execute vpn certificate local generate default-ssl-ca

The following command re-generates the default SSL inspection server certificate:

  execute vpn certificate local generate default-ssl-serv-key

• Socks proxy UDP support. (225260)

HA

• New diagnose sys ha set-as-master {disable | enable} command. Set it to enable on the cluster unit that you always want to be the primary unit (master). If you set the command to disable, you can include a date and time at which the disable option takes effect. (212075)

• HA now supports sending log messages and doing SNMP management from the HA reserved management interface. (186613)

• Support VRRP groups. Include all relevant VRRP IDs and track the VRRP status to force all the VRRP group members to keep the same state. In this way, if one group member changes state (for example, to BACKUP), all the other members in the same VRRP group also change their state to BACKUP. (215454)


IPsec VPN

• New full function IPsec VPN wizard and other improvements to IPsec VPN configuration web-based manager pages. The new wizard allows you to add all IPSec VPN configuration objects from the wizard. No need to add IPsec VPN firewall policies. The wizard supports interface-based IPsec VPN. (132055, 225947)

The following pages have been completely re-written:

• VPN Wizard including read-only tunnel templates (new)

• VPN gateway dialog/auto dialog (merged into vpn edit dialog)

• VPN IPsec Tunnels list page

• IPsec VPN phase 2 quick mode selector source and destination addresses can now be IPv6 firewall addresses and address groups. (133206)

• Add support for EAP authentication for IKEv2 IPsec VPNs. (208939)

• Support RSA certificate groups in IPsec VPN IKE phase 1 configurations. (190522)

• Implemented 3 new authentication methods for IKE as described by RFC 4754: ECDSA-256, ECDSA-384, ECDSA-521. IKEv1 requires both sides of the exchange to use the same authentication method; IKEv2 allows them to differ. (206110)

• Add support to IPsec VPN phase 1s, when IKE mode-cfg is enabled, for defining multiple server IPs that are sent to the client if the client requests attribute 28681. (166524)

• IKEv2 Cookie Notification to prevent state and CPU exhaustion. See RFC 5996, Section 2.6, IKE SA SPIs and Cookies. When the FortiGate unit detects that the number of half-open IKEv2 SAs is above the threshold value, to preserve CPU and memory resources the IPsec VPN dialup server requires all further IKE_SA_INIT requests to include a valid cookie notification payload that the server sends back. Because only a peer that can receive at the source address it claims ever sees the cookie, initiators using spoofed addresses never get past this step and never consume SA state. (222918)
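The exchange described above, as an added example that is not FortiOS code: a toy responder that stops allocating half-open SA state once a threshold is reached, hands out a stateless cookie instead, and only creates state for a retried IKE_SA_INIT that echoes a cookie it issued. The cookie secret, the threshold value of 3, the cookie construction (the one RFC 5996 suggests, with HMAC-SHA-256 standing in for its unspecified hash) and the message fields are assumptions made for the example; nothing here interoperates with a real IKE peer.

```python
"""IKEv2 cookie exchange (RFC 5996, Section 2.6) in miniature.

Added example, not FortiOS code. A responder that, once its count of
half-open IKE SAs reaches a threshold, answers IKE_SA_INIT with a COOKIE
notification and only allocates state for a retry that echoes a valid
cookie. Secret, threshold and message fields are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# RFC 5996 suggests Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
COOKIE_SECRET_VERSION = 1
COOKIE_SECRET = os.urandom(32)   # assumption: a real responder rotates this periodically
HALF_OPEN_THRESHOLD = 3          # assumption: stands in for the FortiGate threshold setting


@dataclass
class SaInit:
    """The parts of an IKE_SA_INIT request that the responder needs for the cookie."""
    spi_i: bytes                    # 8-byte initiator SPI
    nonce_i: bytes                  # initiator nonce Ni
    src_ip: str                     # initiator address as seen on the wire (IPi)
    cookie: Optional[bytes] = None  # N(COOKIE) payload carried by a retried request


def make_cookie(req: SaInit, secret: bytes = COOKIE_SECRET) -> bytes:
    """Stateless cookie: verifiable later without the responder storing anything."""
    mac = hmac.new(secret, req.nonce_i + req.src_ip.encode() + req.spi_i, hashlib.sha256).digest()
    return bytes([COOKIE_SECRET_VERSION]) + mac[:16]


def cookie_is_valid(req: SaInit, secret: bytes = COOKIE_SECRET) -> bool:
    """True only if the cookie was minted by us for this exact Ni, IPi and SPIi."""
    if not req.cookie or req.cookie[0] != COOKIE_SECRET_VERSION:
        return False
    return hmac.compare_digest(req.cookie, make_cookie(req, secret))


@dataclass
class Responder:
    # SPIi -> peer address for SAs whose IKE_AUTH has not completed yet
    half_open: Dict[bytes, str] = field(default_factory=dict)

    def under_pressure(self) -> bool:
        return len(self.half_open) >= HALF_OPEN_THRESHOLD

    def handle_sa_init(self, req: SaInit) -> Tuple[str, Optional[bytes]]:
        """("SA_INIT_RESPONSE", None) when state was allocated,
        ("COOKIE", cookie) when the initiator must retry with that cookie,
        ("DROP", None) when a retry carried a cookie we did not issue."""
        if self.under_pressure():
            if req.cookie is None:
                # No state is created; the initiator must prove it receives at src_ip.
                return "COOKIE", make_cookie(req)
            if not cookie_is_valid(req):
                return "DROP", None
        self.half_open[req.spi_i] = req.src_ip
        return "SA_INIT_RESPONSE", None


def flood_then_legitimate() -> Dict[str, object]:
    """Constructed scenario: a spoofed IKE_SA_INIT flood, then a real initiator."""
    r = Responder()
    # Spoofed initiators fill the half-open table; they never see replies, so never retry.
    for i in range(HALF_OPEN_THRESHOLD):
        r.handle_sa_init(SaInit(os.urandom(8), os.urandom(32), f"2001:db8::{i + 1}"))
    forged_verdict, _ = r.handle_sa_init(SaInit(os.urandom(8), os.urandom(32), "2001:db8::bad"))

    # A real initiator gets a cookie, retries with it, and is given state.
    legit = SaInit(os.urandom(8), os.urandom(32), "203.0.113.7")
    first_verdict, cookie = r.handle_sa_init(legit)
    retry_verdict, _ = r.handle_sa_init(SaInit(legit.spi_i, legit.nonce_i, legit.src_ip, cookie))

    # The same cookie replayed under a different SPI is rejected without creating state.
    replay_verdict, _ = r.handle_sa_init(SaInit(os.urandom(8), legit.nonce_i, legit.src_ip, cookie))
    return {"forged": forged_verdict, "first": first_verdict, "retry": retry_verdict,
            "replay": replay_verdict, "half_open": len(r.half_open)}


if __name__ == "__main__":
    print(flood_then_legitimate())
```

The point of the design is that the responder spends no memory on a request until the initiator has proven it can receive a reply at its claimed address; the cookie is bound to Ni, IPi and SPIi, so it cannot be harvested once and reused to open many SAs.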

Logging & Reporting

• Add log messages for Certificate Revocation List (CRL) checking. The FortiGate unit automatically updates CRL data according to the validation time stored in the CRL or the configured update-interval, whichever comes first. If the update succeeds, log message 41987 is recorded. If the update fails, log message 41989 is recorded. (176611)

• Disable disk logging for FortiGate-3000 and 5000 series models. (227952)

Routing

• Support of OSPF fast hello. (210964)

• IPv6 Reverse Path Forwarding (RPF) checking. The FortiGate unit checks the source address type and looks for a route to the source address through the incoming interface. If the source address type is invalid, or there is no route to the source address through the incoming interface in the IPv6 routing table, or strict-src-check is set and the route through the incoming interface is not the best one, the packet is dropped. (201427)
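The rule above, worked through as an added example that is not FortiOS code: a small, constructed IPv6 routing table and an rpf_check() that applies the source-type test, the loose check (any route to the source through the incoming interface) and the strict check (the incoming interface must carry one of the best routes to the source). The interface names, prefixes and distances are assumptions for the example; it also shows the one case practitioners most often trip over, a default route on the WAN interface making the loose check pass spoofed internal sources that arrive from the WAN.

```python
"""IPv6 reverse path forwarding (RPF) check, loose and strict.

Added example, not FortiOS code. Models the rule from the release note
against a constructed IPv6 routing table. Interface names, prefixes and
administrative distances are assumptions made for the example.
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv6Network
    interface: str
    distance: int = 10   # lower wins, like the FortiGate administrative distance


# Constructed routing table: a default route on wan1, an internal /48 with a
# more specific /64 on dmz, and a primary/backup pair of paths to 2001:db8:2::/48.
ROUTES: List[Route] = [
    Route(ipaddress.IPv6Network("::/0"), "wan1", 10),
    Route(ipaddress.IPv6Network("2001:db8:1::/48"), "internal", 10),
    Route(ipaddress.IPv6Network("2001:db8:1:ffff::/64"), "dmz", 10),
    Route(ipaddress.IPv6Network("2001:db8:2::/48"), "wan1", 10),
    Route(ipaddress.IPv6Network("2001:db8:2::/48"), "wan2", 20),
]


def source_type_ok(src: ipaddress.IPv6Address) -> bool:
    """Addresses that can never be a legitimate unicast source."""
    return not (src.is_unspecified or src.is_loopback or src.is_multicast)


def routes_to(src: ipaddress.IPv6Address, table: List[Route]) -> List[Route]:
    """Routes covering src, best first: longest prefix, then lowest distance."""
    hits = [r for r in table if src in r.prefix]
    return sorted(hits, key=lambda r: (-r.prefix.prefixlen, r.distance))


def rpf_check(src_text: str, in_if: str, strict: bool = False,
              table: List[Route] = ROUTES) -> bool:
    """True if the packet passes the RPF check, False if it should be dropped."""
    src = ipaddress.IPv6Address(src_text)
    if not source_type_ok(src):
        return False
    candidates = routes_to(src, table)
    if not candidates:
        return False                      # no route back to the source at all
    if strict:
        # strict-src-check: only the best route(s) count, equal-cost ones included
        best_key = (candidates[0].prefix.prefixlen, candidates[0].distance)
        best_ifs = {r.interface for r in candidates
                    if (r.prefix.prefixlen, r.distance) == best_key}
        return in_if in best_ifs
    # loose: any route to the source through the incoming interface is enough
    return any(r.interface == in_if for r in candidates)


if __name__ == "__main__":
    # Spoofed "internal" source arriving on wan1: loose passes because the
    # default route also points at wan1; only the strict check drops it.
    print(rpf_check("2001:db8:1::10", "wan1"), rpf_check("2001:db8:1::10", "wan1", strict=True))
```

On the interface that holds the default route, the loose check accepts every source address, so anti-spoofing on a WAN interface needs the strict check; on a multi-homed interface with a backup path (wan2 above), the strict check drops legitimate return traffic while the primary path is up, which is the usual reason it is left off there.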

SSL VPN

• Add replacement messages for SSL VPN host security check. (217743)

• SSL VPN configuration has been changed. SSL VPNs are configured by creating an SSL VPN interface that includes all SSL VPN settings. Once the interface has been created you add it to security policies just like any other interface. (205414)


System

• Add IPv6 Geographic IP address database. Correct country flags now appear in reports and other displays for data about IPv6 addresses. (212135)

• ECDSA certificate support. FortiGate units can import and generate ECDSA certificates.

ECDSA certificates can be used for SSL VPN and HTTPS GUI access. (197950)

• Support Netflow V9.0. (167405)

• Object UUID (RFC 4122) support. Add a UUID attribute to some firewall objects so that log messages can contain these UUIDs, which are used by FortiManager and FortiAnalyzer. SHA-1 is used for the hash calculation. (212946)

• Configure ignoring the DF bit and fragmenting IPv4 traffic. (166479)

• Add FortiExtender support to FortiOS. (218132)

• Add FortiGate Traffic Priority (TOS/DSCP) feature. (214151)

• PPPOE support of RFC2516 service and AC name. (213945)

• Increase the maximum number of available VIPs. (217943)

• SNMPv3 AES 256bit support. (166488)

• Add Class of Service (CoS) Support (216290)

• Add min-links support to interface aggregation. (187533)


• Add one option to disable login-time feature. (215274)

• New option added to Administrator Profiles to allow or block access to packet capture options. (213943)

• Enable autocomplete in the Replacement Message editor. (168804)

WAN Optimization and Explicit Web Proxy

• Move explicit proxy and WAN Optimization policies to a separate configuration path. (226395)

In Beta 1 you cannot configure WAN Optimization or explicit web proxy policies from the GUI (web-based manager). GUI support should be added in time for GA. Instead you must use the following CLI command:

  config firewall explicit-proxy-policy
    edit 0
      set proxy {web | ftp | wanopt}
      etc...

• Added support for authentication IP-blackout for the explicit web proxy. (205706)

• Transparent web proxy. Also called reflect IP or true IP. When enabled, web proxy packets exiting the FortiGate unit have their source IP address set to the original client source IP address instead of the IP address of the exiting FortiGate interface. Enable this feature in a web proxy firewall policy by entering set transparent enable. (209731)

• Support policy based profile to add/remove HTTP headers. (206173)

• To improve explicit web proxy performance, FortiOS now distributes explicit web proxy processing across multiple CPU cores. By default web proxy traffic is handled by half of the CPU cores in a FortiGate unit, so if your FortiGate unit has 4 CPU cores, by default two of them can be used for explicit web proxy traffic. You can use the following command to increase or decrease the number of CPU cores that are used. (138794)

  config system global
    set wad-worker-count <number>
  end

Where <number> is from 1 to the total number of CPU cores in your FortiGate unit.

GUI (web-based manager) usability changes

• Simplification of Firewall Objects and Security Profiles menu structures. (219151, 157554)

• Use a more sophisticated API for displaying names (for example, application names) in FortiOS. (204942)

• Cloning, a feature available for easily creating a copy of a configuration object is now available for more configuration objects. (221971)

• Add the ability to drag objects such as addresses, schedules and profiles between policies on the policy list. (217610)

• Banned User List improvements. (219310)

• Improve Web-based manager field validation. Also, when an incorrect value is added to a page retain validated settings instead of requiring them all to be re-added. (191487)

• Add a Search Box on IPS profile and Application List web-based manager pages. (226434)

• Added the ability to display CPU usage, memory usage and new sessions per second for each VDOM. The information appears on the VDOM list page. You can use the following command to get this information from the CLI: diagnose system vd stats (220121)

Web Filtering

• Improvements to HTTPS Web Filtering (without Deep Inspection). (214079)

• New default SSL inspection profile certificate-inspection: Only the SSL handshake is inspected for the purpose of web filtering. https-url-scan option removed from webfilter profile. In an SSL inspection profile the SSL inspect-all option and the https status option now have three states: {disable | certificate-inspection | deep-inspection} . The status option for the other protocols now uses deep-inspection instead of enabled.

Wifi

• Add WiFi FortiAP spectrum analysis graphs. (217437)

• Wireless Extensions for Spectrum Analysis. (208870)


Supported Models

The following models are supported by FortiOS v5.2.0 (Beta 4) build 564.

FortiGate

FG-20C, FG-20C-ADSL-A, FG-30D, FG-40C, FG-60C, FG-60C-POE, FG-60D, FG-70D, FG-80C, FG-80CM, FG-90D, FGT-90D-POE, FG-100D, FG-110C, FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-240D, FG-280D-POE, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800C, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3240C, FG-3600C, FG-3810A, FG-3950B, FG-3951B, FG-5001A, FG-5001B, FG-5001C, and FG-5101C.

FortiWiFi

FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-80CM, FWF-81CM, FWF-90D, and FWF-90D-POE.

FortiGate VM

FG-VM32, FG-VM64, FG-VM64-XEN, FG-VM64-KVM, and FG-VM64-HV.

FortiSwitch

FS-5203B


Product Integration and Support

Web browser support

FortiOS v5.2.0 (Beta 4) build 564 supports the latest versions of the following web browsers:

• Microsoft Internet Explorer version 10, 11

• Mozilla Firefox version 28

• Google Chrome version 33

• Apple Safari version 7

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager and FortiAnalyzer support

See the FortiManager and FortiAnalyzer Release Notes.

FortiClient support (Windows, Mac OS X, iOS and Android)

FortiOS v5.2.0 (Beta 4) is supported by the following FortiClient software versions:

• FortiClient (Windows) v5.2.0 (Beta 2)

• Windows 8.1 (32-bit and 64-bit)

• Windows 8 (32-bit and 64-bit)

• Windows 7 (32-bit and 64-bit)

• Windows Vista (32-bit and 64-bit)

• Windows XP (32-bit)

• FortiClient (Mac OS X) v5.2.0 (Beta 2)

• Mac OS X v10.9 Mavericks

• Mac OS X v10.8 Mountain Lion

• Mac OS X v10.7 Lion

• Mac OS X v10.6 Snow Leopard

• FortiClient (iOS) v5.0.2.

• FortiClient (Android) v5.2.0.


FortiAP support

FortiOS v5.2.0 (Beta 4) supports the following FortiAP models:

FAP-11C, FAP-14C, FAP-28C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-221C, FAP-222B, FAP-223B, FAP-320B, and FAP-320C.

The FortiAP device must be running FortiAP v5.0 Patch Release 7 build 0064 or later.

FAP-221C and FAP-320C

These models are released on a special branch based off of FAP v5.0 Patch Release 6. The branch point reads 060. The FAP-221C firmware has build number 4049. The FAP-320C firmware has build number 4050.

FortiSwitch support

FortiOS v5.2.0 (Beta 4) supports the following FortiSwitch models:

FS-28C, FS-324B-POE, FS-348B, and FS-448B

The FortiSwitch device must be running FortiSwitchOS v2.0 Patch Release 3 build 0018 or later.

FortiOS v5.2.0 (Beta 4) supports the following FortiSwitch-5000 series models:

FS-5003B, FS-5003A

The FortiSwitch-5000 device must be running FortiSwitchOS v5.0 Patch Release 3 build 0020 or later.

FortiController support

FortiOS v5.2.0 (Beta 4) supports the following FortiController models:

FCTL-5103B

The FCTL-5103B is supported by the FG-5001B and FG-5001C. The FortiController device must be running FortiSwitch-5000 OS v5.0 Patch Release 3 build 0020 or later.

Virtualization software support

FortiOS v5.2.0 (Beta 4) supports the following virtualization software:

• VMware ESX versions 4.0 and 4.1

• VMware ESXi versions 4.0, 4.1, 5.0, 5.1 and 5.5

• Citrix XenServer versions 5.6 Service Pack 2 and 6.0 or later

• Open Source Xen versions 3.4.3 and 4.1 or later

• Microsoft Hyper-V Server 2008 R2 and 2012

• KVM - CentOS 6.4 (qemu 0.12.1) or later

See “About FortiGate VMs” on page 38 for more information.


Fortinet Single Sign-On (FSSO) support

FortiOS v5.2.0 (Beta 4) is supported by FSSO v4.0 MR3 B0153 for the following operating systems:

• Microsoft Windows Server 2012 R2

• Microsoft Windows Server 2012 Standard Edition

• Microsoft Windows Server 2008 R2 64-bit

• Microsoft Windows Server 2008 (32-bit and 64-bit)

• Microsoft Windows Server 2003 R2 (32-bit and 64-bit)

• Novell eDirectory 8.8

FSSO does not currently support IPv6.

Other server environments may function correctly, but are not supported by Fortinet.

FortiExplorer support (Microsoft Windows, Mac OS X and iOS)

FortiOS v5.2.0 (Beta 4) is supported by FortiExplorer v2.4 build 1068 or later. See the FortiExplorer v2.3 build 1052 Release Notes for more information.

FortiOS v5.2.0 (Beta 4) is supported by FortiExplorer (iOS) v1.0.4 build 0118 or later. See the FortiExplorer (iOS) v1.0.4 build 0118 Release Notes for more information.

The FortiGate-70D has not been fully tested with this version of FortiExplorer.

FortiExtender support

FortiOS v5.2.0 (Beta 4) is supported by FortiExtender models FEX-20B, FEX-100A, and FEX-100B running FEX v1.0 build 019.

AV Engine and IPS Engine support

FortiOS v5.2.0 (Beta 4) is supported by AV Engine v5.146 and IPS Engine v3.030.

Language support

The following table lists FortiOS language support information.

Table 1: FortiOS language support

  Language                 Web-based Manager    Documentation
  English                  Yes                  Yes
  French                   Yes                  -
  Portuguese (Brazil)      Yes                  -
  Spanish (Spain)          Yes                  -
  Korean                   Yes                  -
  Chinese (Simplified)     Yes                  -
  Chinese (Traditional)    Yes                  -
  Japanese                 Yes                  -

To change the FortiGate language setting, go to System > Admin > Settings and, in View Settings > Language, select the desired language from the drop-down menu.

Module support

FortiOS v5.2.0 (Beta 4) supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC), Rear Transition Module (RTM), and Fortinet Storage Module (FSM) removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before a module is inserted or removed.

Table 2: Supported modules and FortiGate models (AMC/FMC/FSM/RTM module, then the FortiGate models that support it)

• Storage Module, 500GB HDD Single-Width AMC (ASM-S08): FG-310B, FG-620B, FG-621B, FG-3016B, FG-3810A, FG-5001A

• Storage Module, 64GB SSD Fortinet Storage Module (FSM-064): FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B

• Accelerated Interface Module, 4xSFP Single-Width AMC (ASM-FB4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A

• Accelerated Interface Module, 2x10-GbE XFP Double-Width AMC (ADM-XB2): FG-3810A, FG-5001A

• Accelerated Interface Module, 8xSFP Double-Width AMC (ADM-FB8): FG-3810A, FG-5001A

• Bypass Module, 2x1000 Base-SX Single-Width AMC (ASM-FX2): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A

• Bypass Module, 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4): FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3810A, FG-5001A

• Security Processing Module, 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4): FG-1240B, FG-3810A, FG-3016B, FG-5001A

• Security Processing Module, 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2): FG-3810A, FG-5001A

• Security Processing Module, 4x10-GbE SFP+ Double-Width AMC (ADM-XD4): FG-3810A, FG-5001A

• Security Processing Module, 8xSFP SP2 Double-Width AMC (ADM-FE8): FG-3810A

• Rear Transition Module, 10-GbE backplane fabric (RTM-XD2): FG-5001A

• Security Processing Module (ASM-ET4): FG-310B, FG-311B

• Rear Transition Module, 10-GbE backplane fabric (RTM-XB2): FG-5001A

• Security Processing Module, 2x10-GbE SFP+ (FMC-XG2): FG-3950B, FG-3951B

• Accelerated Interface Module, 2x10-GbE SFP+ (FMC-XD2): FG-3950B, FG-3951B

• Accelerated Interface Module, 20xSFP (FMC-F20): FG-3950B, FG-3951B

• Accelerated Interface Module, 20x10/100/1000 (FMC-C20): FG-3950B, FG-3951B

• Security Processing Module (FMC-XH0): FG-3950B

SSL VPN support

SSL VPN standalone client

FortiOS v5.2.0 (Beta 4) supports the SSL VPN tunnel client standalone installer build 2300 for the following operating systems:

• Microsoft Windows 8.1 (32-bit & 64-bit), 8 (32-bit & 64-bit), 7 (32-bit & 64-bit), and XP SP3 in .exe and .msi formats

• Linux CentOS and Ubuntu in .tar.gz format

• Mac OS X v10.9, 10.8 and 10.7 in .dmg format

• Virtual Desktop in .jar format for Microsoft Windows 7 SP1 (32-bit)

Other operating systems may function correctly, but are not supported by Fortinet.


SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Table 3: Supported operating systems and web browsers

Operating System                                     Web Browser
Microsoft Windows 7 32-bit SP1                       Microsoft Internet Explorer versions 8, 9, 10 and 11
                                                     Mozilla Firefox version 26
Microsoft Windows 7 64-bit SP1                       Microsoft Internet Explorer versions 8, 9, 10, and 11
                                                     Mozilla Firefox version 26
Linux CentOS version 5.6 and Ubuntu version 12.0.4   Mozilla Firefox version 5.6
Mac OS X v10.7 Lion                                  Apple Safari version 7

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Table 4: Supported Windows XP antivirus and firewall software

Product                                 Antivirus   Firewall
Symantec Endpoint Protection v11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Table 5: Supported Windows 7 32-bit and 64-bit antivirus and firewall software

Product                                                   Antivirus   Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Explicit web proxy browser support

The following web browsers are supported by FortiOS v5.2.0 (Beta 4) for the explicit web proxy feature:

• Microsoft Internet Explorer versions 8, 9, 10, and 11

• Mozilla Firefox version 27

• Apple Safari version 6.0

• Google Chrome version 34

Other web browsers may function correctly, but are not supported by Fortinet.


Resolved Issues

This chapter describes issues with FortiOS v5.2.0 (Beta 3 and previous) that have been resolved for FortiOS v5.2.0 (Beta 4). If you would like to see a more complete list of resolved issues for this release, you can request one by emailing [email protected].

Resolved issues from FortiOS v5.2.0 (Beta 3)

The following issues from FortiOS v5.2.0 (Beta 3) have been resolved for FortiOS v5.2.0 (Beta 4).

Upgrade

• Customized charts lost in default layout after upgrade to 5.2.0 Beta 3. (236568)

Wanopt & Webproxy

• Webcache only runs on a single CPU in multi-CPU platforms. (228488)

Other resolved issues in FortiOS v5.2.0 (Beta 4)

HA

• Duplicates in HA global checksum triggers out of sync. (231808)

Firewall

• Adding multi-VDOM admin overrides trusted host restrictions on ping. (235944)

• One-way audio with SIP ALG. (231678)

• SSL worker is utilizing high CPU when deep scanning is enabled. (223330)

SSL VPN

• Cannot log into SSL-VPN Web portal after deleting vlan/policy then configuring same vlan/policy again. (236992)

• SSLVPN is restarted with all users every time updated CRL is downloaded. (237009)

System

• SCP configuration restore command syntax not consistent with backup command. (237009)

• Removing restriction on having dots in intf names when packet capture is issued. (233289)

SSL-related

• OpenSSL in FortiOS has CVE-2014-0160. (237976)


Known Issues

This chapter lists some known issues with FortiOS v5.2.0 (Beta 4) build 564.

Known issues with FortiOS v5.2.0 (Beta 4)

• Application control cloud-based signatures do not appear. (239938)

Known issues from FortiOS v5.2.0 (Beta 3)

The following were known issues in FortiOS v5.2.0 (Beta 3) that continue to be known issues in FortiOS v5.2.0 (Beta 4).

Upgrade

• The application control signature categories File.Sharing and Special have been removed but are still visible on the GUI. (237471)

Web-based Manager

• When configuring a FortiAP profile from the GUI, the list of Bands is incorrect. (237464)

Workaround: Use the CLI to configure the correct Band.

Known issues from FortiOS v5.2.0 (Beta 2)

The following were known issues in FortiOS v5.2.0 (Beta 2) that continue to be known issues in FortiOS v5.2.0 (Beta 4).

Web-based Manager

• FortiView History views are only available for FG-100D and above (1U appliances and above). This is by design. (232664)

Known issues from FortiOS v5.2.0 (Beta 1)

The following were known issues in FortiOS v5.2.0 (Beta 1) that continue to be known issues in FortiOS v5.2.0 (Beta 3).

Antivirus

• On some low-end FortiGate models, the new full-mode flow-based antivirus scanning mode cannot utilize the extended antivirus database. (223258)


Web Filtering

• If you change a policy from proxy-based Web Filtering to flow-based Web Filtering, users who receive HTTPS traffic may see an invalid certificate error message in their web browser. This happens because of how proxy-based and flow-based HTTPS web filtering generate CA certificates. (227441)

Workaround: This issue is rare and will not be fixed. It should only happen if the policy is changed while it is processing traffic. Users need to delete the CA certificate in their browsers and accept the new certificate.


Appendix A: About FortiGate VMs

FortiGate VM model information

Five different FortiGate VM models are available, each with different levels of support for some key features.

Table 6: FortiGate VM model

Model   Virtual CPUs   Memory Requirements   VDOMs   CAPWAP Wireless Access Points   Remote Wireless Access Points
VM-00   1              1 GB                          32                              32
VM-01   1              2 GB                          32                              32
VM-02   1 or 2         4 GB                          256                             256
VM-04   1 to 4         6 GB                  50      256                             256
VM-08   1 to 8         12 GB                 250     1024                            3072

Virtual Network Interfaces: 2 to 10 (all models). Storage: 30 GB to 2 TB (all models).

For more information, see the FortiGate VM product datasheet available on the Fortinet web site, http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-VM01.pdf.

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following VM environments:

VMware

.out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.

.ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Xen

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.

.out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source Xen.

.out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix Xen Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.


Hyper-V

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.

.out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012.

It also contains the file fortios.vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

KVM

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.

.out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains a qcow2 image that can be used by qemu.

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.

• FortiGate VM can be imported or deployed in only the following three formats:

• XVA (recommended)

• VHD

• OVF

• The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source Xen limitations

When using Ubuntu version 11.10, Xen version 4.1.0, and libvirt version 0.9.2, import issues may arise when using the QCOW2 format, in addition to the existing HDA issues.
