FortiOS v3.00 MR7 Release Notes Patch Release 5

FortiGate™ Multi-Threat Security System Release Notes FortiOS™ v3.00 MR7 Patch Release 5 Rev. 1.0 April 18, 2009



Fortinet Inc Release Notes FortiOS™ v3.00 MR7 – Patch Release 5

Table of Contents

1 FortiOS v3.00 MR7 Release – Patch Release 5
  1.1 General
  1.2 Single Hard Drive Support for FGT-111C
  1.3 File Transfer Limitation
  1.4 FortiClient v4.0 Support
2 Fortinet Product Integration and Support
  2.1 SSL-VPN Client Support
3 Resolved Issues in FortiOS MR7 – Patch Release 5
  3.1 System
  3.2 Firewall
  3.3 VPN
  3.4 Web Filter
  3.5 VOIP
  3.6 FSAE
4 Known Issues in FortiOS v3.00 MR7 – Patch Release 5
  4.1 Firewall
5 Upgrade Information
  5.1 Upgrading from FortiOS v2.50
  5.2 Upgrading from FortiOS v2.80
  5.3 Upgrading from FortiOS v3.00 MR5 and MR6
  5.4 Downgrading to FortiOS v3.00
  5.5 Downgrading to FortiOS v2.80
  5.6 Downgrading to FortiOS v2.50
6 Image Checksums

Change Log

Revision 1.0: Added the following bugs to the Resolved Issues section for B0741 – Patch Release 5: 85166, 90854, 91937, 90849, 91963, 82013, 92920, 92641, 93770, 92273, 85424, 84953, 93986, and 85170.

© Copyright 2009 Fortinet Inc. All rights reserved. Release Notes FortiOS™ v3.00 MR7 – Patch Release 5.

Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Registered customers with valid support contracts may enter their support tickets at the Fortinet Customer Support site:

https://support.fortinet.com

April 18, 2009 i


1 FortiOS v3.00 MR7 Release – Patch Release 5

This document outlines the resolved issues in the FortiOS v3.00 MR7 B0741 – Patch Release 5 firmware for the Fortinet FortiGate Multi-Threat Security System. Please refer to the full version of the FortiOS v3.00 MR7 release notes for new features and known issues. The following outlines the release status for each model.

Model / FortiOS v3.00 MR7 Release Status

FGT-310B, FGT-3810A, FGT-3600A, FGT-3016B
These models are released on a special branch based off MR7 Patch Release 5 B0741 – fg300_mr7_amc_bypass/build_5419. As such, the build number on the System > Status page and in the output of the "get system status" CLI command displays as 5419. To confirm that you are running the proper build, check the "Branch point:" field in the "get system status" output; it should read 741.

FGT-620B
This model is released on a special branch based off MR7 B0741 Patch Release 5 – fg300_mr7_620b/build_tag_5415. As such, the build number on the System > Status page and in the output of the "get system status" CLI command displays as 5415. To confirm that you are running the proper build, check the "Branch point:" field in the "get system status" output; it should read 741.

FGT-110C
This model is released on a special branch based off MR7 B0741 Patch Release 5 – fg300_mr7_110c/build_tag_5418. As such, the build number on the System > Status page and in the output of the "get system status" CLI command displays as 5418. To confirm that you are running the proper build, check the "Branch point:" field in the "get system status" output; it should read 741.

FGT-111C
Note: The FGT-110C-HD has been renamed to FGT-111C. The image file name has also been renamed to "FGT_111C-v300-build0741-FORTINET.out" and is used on both the existing FGT-110C-HD model and the FGT-111C model. Once the image is loaded, both the "get system status" CLI output and the web UI reference the FGT-111C.

This model is released on a special branch based off MR7 B0741 Patch Release 5 – fg300_mr7_110c/build_tag_5418. As such, the build number on the System > Status page and in the output of the "get system status" CLI command displays as 5418. To confirm that you are running the proper build, check the "Branch point:" field in the "get system status" output; it should read 741.

FGT-5001A-SW, FGT-5001A-DW
Note: The same firmware image is used for the FGT-5001A-SW and FGT-5001A-DW models.

These models are released on a special branch based off MR7 B0741 Patch Release 5 – fg300_mr7_5001a_sw/build_tag_5414. As such, the build number on the System > Status page and in the output of the "get system status" CLI command displays as 5414. To confirm that you are running the proper build, check the "Branch point:" field in the "get system status" output; it should read 741.

FGT-51B
Note: The FGT-50B-HD has been renamed to FGT-51B. The image file name has also been renamed to "FGT_51B-v300-build0741-FORTINET.out" and is used on both the existing FGT-50B-HD model and the FGT-51B model. Once the image is loaded, both the "get system status" CLI output and the web UI reference the FGT-51B.

This model is released on a special branch based off MR7 B0741 Patch Release 5 – fg300_mr7_51b/build_tag_5416. As such, the build number on the System > Status page and in the output of the "get system status" CLI command displays as 5416. To confirm that you are running the proper build, check the "Branch point:" field in the "get system status" output; it should read 741.

FGT-80C, FGT-80CM, FWF-80CM
These models are released on a special branch based off MR7 B0741 Patch Release 5 – fg300_mr7_80C/build_tag_5417. As such, the build number on the System > Status page and in the output of the "get system status" CLI command displays as 5417. To confirm that you are running the proper build, check the "Branch point:" field in the "get system status" output; it should read 741.

All Other Models
All other models are supported on the regular MR7 branch.
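As an added example that is not part of these release notes, the following Python script automates the check described in the table above: it parses the output of "get system status", confirms that the reported build matches the branch build listed for the model, and confirms that the "Branch point:" field reads 741. Only the build numbers and the branch point come from the table; the sample CLI output, the model-name normalisation (the "Version:" line is assumed to spell the model as Fortigate-<model>), and the function names are this example's own assumptions.

```python
"""Verify that a FortiGate reports the expected MR7 Patch Release 5 build.

Added example, not Fortinet code. The branch builds and the branch point
value 741 are taken from the release-status table; everything else here
(output layout, model normalisation) is an assumption of this example.
"""
import re

# Branch builds from the release-status table. Models not listed here are on
# the regular MR7 branch and report build 0741 directly.
BRANCH_BUILDS = {
    "FGT-310B": 5419, "FGT-3810A": 5419, "FGT-3600A": 5419, "FGT-3016B": 5419,
    "FGT-620B": 5415,
    "FGT-110C": 5418, "FGT-111C": 5418,
    "FGT-5001A-SW": 5414, "FGT-5001A-DW": 5414,
    "FGT-51B": 5416,
    "FGT-80C": 5417, "FGT-80CM": 5417, "FWF-80CM": 5417,
}
REGULAR_BUILD = 741
EXPECTED_BRANCH_POINT = 741

# Constructed sample of "get system status" output (not a real capture).
SAMPLE_STATUS = """\
Version: Fortigate-620B v3.00,build5415,090408
Virus-DB: 10.00553(2009-04-17 13:42)
IPS-DB: 2.00598(2009-04-17 00:40)
Serial-Number: FG600B3908600000
Hostname: fw-edge-1
Operation Mode: NAT
Current HA mode: standalone
Branch point: 741
Distribution: International
"""


def parse_status(text):
    """Return (model, build, branch_point) from 'get system status' output.

    branch_point is None when the field is absent. The model name is
    normalised to the FGT-/FWF- form used in the release notes (assumption).
    """
    m = re.search(r"^Version:\s*(\S+?)\s+v(\d+\.\d+),build(\d+)", text, re.M)
    if not m:
        raise ValueError("no Version line found")
    model = m.group(1).upper()
    model = model.replace("FORTIGATE-", "FGT-").replace("FORTIWIFI-", "FWF-")
    build = int(m.group(3))
    bp = re.search(r"^Branch point:\s*(\d+)", text, re.M)
    return model, build, (int(bp.group(1)) if bp else None)


def check_release(text):
    """Return (ok, reason) stating whether the unit runs MR7 Patch Release 5."""
    model, build, branch_point = parse_status(text)
    expected = BRANCH_BUILDS.get(model)
    if expected is None:
        # Regular branch: the build number is the Patch Release 5 build itself.
        if build != REGULAR_BUILD:
            return False, f"{model}: build {build}, expected {REGULAR_BUILD}"
        return True, f"{model}: regular MR7 branch, build {build}"
    if build != expected:
        return False, f"{model}: build {build}, expected branch build {expected}"
    if branch_point != EXPECTED_BRANCH_POINT:
        return False, f"{model}: branch point {branch_point}, expected {EXPECTED_BRANCH_POINT}"
    return True, f"{model}: branch build {build} from branch point {branch_point}"


if __name__ == "__main__":
    print(check_release(SAMPLE_STATUS))
```

Feed the script the captured output of "get system status" from each unit (for example over an SSH session) and treat any False result as a unit that is not on the intended build; a branch-build number alone is not proof, because the same branch name can carry later builds with a different branch point.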

1.1 General
The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT! Monitor Settings for Web User Interface Access:

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows all objects in the Web UI to be viewed properly.

BEFORE any upgrade,

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade,

• [WebUI display] If you are using the Web UI, clear the browser cache prior to logging in to the FortiGate to ensure proper display of the Web UI screens.

• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than those currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

1.2 Single Hard Drive Support for FGT-111C
The FortiGate-111C contains two hard drive bays but supports only one hard drive at a time.

1.3 File Transfer Limitation
Large WMP streaming video may fail to load when the antivirus 'File Filter' feature is enabled. Decreasing the httpoversizelimit value to 2 or lower can be used as a workaround for this limitation.

1.4 FortiClient v4.0 Support
When FortiClient check is enabled and the FortiClient 3.0.x installer is loaded on the FortiGate, clients with a higher FortiClient version (FortiClient 4.0.x) installed will not be recognized by the FortiGate and will be asked to download the FortiClient 3.0.x installer.


2 Fortinet Product Integration and Support

2.1 SSL-VPN Client Support
FortiOS v3.00 MR7 Patch Release 5 supports the SSL-VPN tunnel client standalone installer B389 for the following:

• Windows in .exe and .msi format
• Windows for virtual desktop in .exe format
• Linux CentOS 5.2
• Windows XP SP2
• Windows Vista SP1
• Mac OS X 10.5.5


3 Resolved Issues in FortiOS MR7 – Patch Release 5

3.1 System
Description: The outbandwidth limit on a VPN interface does not take effect after the FortiGate is rebooted.
Models Affected: All
Bug ID: 85166
Status: Fixed in MR7 – Patch Release 5.

Description: The FortiGate's FTP proxy does not bind to the listening port on a PORT command.
Models Affected: All
Bug ID: 82013
Status: Fixed in MR7 – Patch Release 5.

Description: RADIUS authentication starts failing abruptly after running for some time.
Models Affected: All
Bug ID: 85424
Status: Fixed in MR7 – Patch Release 5.

Description: FortiGate units with hardware driven by the NP2 driver may randomly crash or hang.
Models Affected: All
Bug ID: 93986
Status: Fixed in MR7 – Patch Release 5.

3.2 Firewall
Description: Some firewall addresses may be lost after restoring the FortiGate's configuration file.
Models Affected: All
Bug ID: 91963
Status: Fixed in MR7 – Patch Release 5.

Description: A firewall policy is lost after upgrading from FortiOS MR5 to MR7 if the action for the policy was unset before upgrading.
Models Affected: All
Bug ID: 84953
Status: Fixed in MR7 – Patch Release 5.

3.3 VPN
Description: Users cannot access OWA properly from the SSL-VPN web portal.
Models Affected: All
Bug ID: 91937, 92273
Status: Fixed in MR7 – Patch Release 5.

Description: IPSec daemon (iked) memory usage increases due to a memory leak.
Models Affected: All
Bug ID: 92920
Status: Fixed in MR7 – Patch Release 5.

Description: The IPSec daemon (iked) may crash in the event of an HA failover if XAUTH is enabled.
Models Affected: All
Bug ID: 93770
Status: Fixed in MR7 – Patch Release 5.

Description: The 'Keep connection alive' option in the SSL-VPN standalone application may cause the client software to reconnect automatically. If the password is one-time only, the SSL-VPN client's automatic reconnect may cause user accounts to become locked.
Models Affected: All
Bug ID: 85170
Status: Fixed in MR7 – Patch Release 5.

3.4 Web Filter
Description: Some HTTPS websites, where the server hello and the certificate are sent in separate packets, bypass URL filtering.
Models Affected: All
Bug ID: 92641
Status: Fixed in MR7 – Patch Release 5.

3.5 VOIP
Description: Any SIP message carried over UDP that is longer than 2048 bytes is dropped by the SIP proxy.
Models Affected: All
Bug ID: 90854
Status: Fixed in MR7 – Patch Release 5.

3.6 FSAE
Description: The IPchange feature for FSAE does not work with multiple FSAE servers.
Models Affected: All
Bug ID: 90849
Status: Fixed in MR7 – Patch Release 5.


4 Known Issues in FortiOS v3.00 MR7 – Patch Release 5

4.1 Firewall
Description: Firewall policies that are configured with an address group that contains no addresses are lost upon upgrading from FortiOS v2.80 MR11 builds to FortiOS v3.00 MR6 and MR7 patches. Note that an empty firewall address group is an incomplete configuration and should not be applied to a firewall policy.
Models Affected: All
Bug ID: 84674
Status: To be fixed in a future release.

Workaround: Add firewall addresses to the address group before applying the group to the firewall policy.


5 Upgrade Information

5.1 Upgrading from FortiOS v2.50
Upgrading directly from FortiOS v2.50 to FortiOS v3.00 is NOT supported. Upgrade to at least FortiOS v2.80 MR11 prior to upgrading to FortiOS v3.00 MR7 Patch Release 5. Refer to the FortiOS v2.80 MR11 release notes for upgrade procedures.

5.2 Upgrading from FortiOS v2.80
Upgrade to FortiOS v2.80 MR11 prior to upgrading to FortiOS v3.00 MR7 Patch Release 5. Refer to the FortiOS v2.80 MR11 release notes for upgrade procedures.

The following are caveats when upgrading from FortiOS v2.80 MR11 to FortiOS v3.00 MR7 Patch Release 5.

[Deprecated IPS Groups]
Certain IPS groups found in FortiOS v2.80 have been removed and their corresponding signatures merged into other IPS groups. As such, those IPS groups are lost when upgrading to FortiOS v3.00 MR7 Patch Release 5. To restore the lost group signature settings, perform the following steps:

1. Identify which "lost" IPS groups you currently have configured in FortiOS v2.80 from the list found in Appendix A.
2. Note the signature settings contained in the FortiOS v2.80 group, and identify in the table the equivalent FortiOS v3.00 group(s) that contain the signature.
3. Repeat steps 1-2 for each "lost" group.
4. After upgrading to FortiOS v3.00 MR7 Patch Release 5, for each lost group, manually configure the equivalent signature settings under the FortiOS v3.00 group(s).

[IPSec VIP]
FortiOS v2.80 supports VIPs configured under config vpn ipsec vip, which is essentially a proxy ARP. There is no such command in FortiOS v3.00; it is replaced by the config system proxy-arp command. The upgrade scripts do not convert this setting in FortiOS v3.00 MR7 Patch Release 5, so you will need to reconfigure any FortiOS v2.80 IPSec VIPs using the system proxy-arp command in FortiOS v3.00. The command is valid on a per-VDom basis in NAT mode. The following is an example CLI configuration.

config system proxy-arp
    edit 1
        set ip 192.168.5.111
        set interface "port1"
    next
    edit 2
        set ip 192.168.5.110
        set interface "port3"
    next
end

[FortiOS v2.80 PING Generators]
PING generators in FortiOS v2.80 are able to bring up tunnels automatically. In FortiOS v3.00 this functionality is replaced by the auto-negotiate command, which is disabled by default. The setting is available in the IPSec phase 2 configuration for both IPSec tunnels and IPSec interfaces.

[Web Filter and Spam Filter Lists]
In FortiOS v2.80, the following lists can be backed up and restored, but in FortiOS v3.00 the lists are stored in the system configuration file and therefore cannot be restored.

• Web Filtering
  • Web Content Block
  • Web URL Block List
  • Web URL Exempt List
• Spam Filtering
  • IP Address
  • RBL & ORDBL
  • Email Address
  • MIME Headers
  • Banned Word

FortiOS v3.00 has a feature whereby CLI commands can be imported from a file; see Section 3.2.11: Bulk CLI Configuration Importing. If the FortiOS v2.80 lists are converted to FortiOS v3.00 CLI commands and saved in a text file, the file can be imported using the Bulk CLI Import. Refer to Appendix B: Mapping FortiOS v2.80 Web Filtering and Spam Filtering Lists to FortiOS v3.00 CLI Commands for help on creating a text file to import these lists.

[ActiveX, Cookie, and Java Applet Filter]In FortiOS v2.80, ActiveX, Cookie, and Java Applet filtering must be enabled in the Web Filter > Script Filter page and then in the protection profile under Web Filtering. FortiOS v3.00 has removed the necessity to enable this filtering under the Web Filter > Script Filter page. It now is accomplished only through the protection profile. On upgrading from FortiOS v2.80 to FortiOS v3.00, if any of ActiveX, Cookie, and Java Applet filtering are enabled under the Web Filter > Script Filter page, that setting will be reflected in every protection profile.

[Static Routes without Device Setting Configured]In FortiOS v2.80, the device setting for a static route is optional. FortiOS v3.00 MR4 has made this setting mandatory. If the device setting is not configured, the static route is dropped upon upgrade to FortiOS v3.00 MR7 Patch Release 5.

[Log Filtering Changes]
In FortiOS v2.80, log filtering to a device, such as FortiAnalyzer, hard disk, or memory, is controlled on a global basis, meaning that once log filtering is enabled for an event, any firewall policy that produces such an event results in a log message sent to that device. In FortiOS v3.00, log filtering is controlled in two ways:

1. On a per-device basis:

config log <device> filter

2. On a per-protection profile basis:

config firewall profile
    edit <profile name>

The per-device filters control whether or not log messages are sent to the device. The per-protection profile filters control whether or not matching traffic through a protection profile results in a log message sent to the device. Upon upgrade from FortiOS v2.80 to FortiOS v3.00, only the per-device log filters are retained; the protection profile is altered to accommodate logging, except for log-web-ftgd-err, which is enabled by default. After upgrading, review the firewall policies that require logging to be enabled.

[VDom Licensing]
FortiOS v2.80 supports additional virtual domains by way of a FortiOS image that contains a hardcoded number of VDoms. FortiOS v3.00 uses a VDom license key to upgrade the number of VDoms on high-end models FGT-3000 and up. Upon upgrading from FortiOS v2.80, the VDoms and all of their associated configuration are retained, but in the event of a factory reset and a configuration restore, the FortiGate will fail to add all of the VDoms. If you are running FortiOS v2.80 with more than the default number of VDoms, follow these steps when upgrading to FortiOS v3.00:

1. Back up the configuration for FortiOS v2.80.
2. Upgrade to FortiOS v3.00.
3. Back up the configuration for FortiOS v3.00.
4. Contact Customer Support to obtain a FortiOS v3.00 VDom license key. If you are running an HA cluster, you need a license key for each unit in the cluster.
5. In the event the configuration needs to be reloaded, the VDom license key needs to be configured first.

Another scenario occurs when upgrading from a FortiOS v2.80 image that contains additional VDoms. The conditions for this scenario are:

• The FortiGate is running FortiOS v2.80 with additional VDoms, for example 25 VDoms
• Not all VDoms are configured, for example only 15

After upgrading to FortiOS v3.00 MR4, the FortiGate does not let you add a 16th VDom. You must contact Customer Support to obtain a FortiOS v3.00 VDom license key, install it, and then add additional VDoms.

[Alert E-mail Replacement Messages]Alert E-mail was modified in FortiOS v3.00 MR4. The FortiGate generates and formats its own message for the alert e-mail. Thus any modified alert e-mail replacement messages are not retained upon upgrade to FortiOS v3.00 MR4.

[Alert E-mail Filter]The Alert E-mail filter feature has been changed in FortiOS v3.00 MR4. Now, alert e-mails are sent based on category or thresholds. See Section 4.14.4 Alert E-mail Enhancement.

[Administrative Users]
In FortiOS v2.80, an admin user is a global setting, not a per-VDom setting, and thus does not belong to a management VDom. After upgrading to FortiOS v3.00 MR7, all v2.80 administrative users are assigned to the root VDom by default. If the management VDom is not the root VDom, then administrative users, except for the default "admin" user, will fail to log in to the management VDom after upgrading.

[Policy Routing]
Both "input-device" and "output-device" are mandatory attributes from FortiOS v3.00 MR2. However, "output-device" is not a mandatory attribute in FortiOS v2.80; therefore, policy routes without "output-device" configured are lost after upgrading to FortiOS v3.00 MR4 or later.

[VLANs Under WLAN Interfaces]
FortiOS v3.00 MR7 does not support VLANs under the WLAN interface, and thus any configuration settings referring to the VLANs, as well as the VLANs themselves, are lost upon upgrade to FortiOS v3.00 MR4 or later.

[IPSec Related Settings]
The following parameters in a phase1 policy-based IPSec tunnel are not retained upon upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5:

config vpn ipsec phase1
    set dpd [enable|disable]
    set dpd-idleworry <integer>
    set dpd-idlecleanup <integer>

The following parameters in a phase2 policy-based IPSec tunnel are not retained upon upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5:

config vpn ipsec phase2
    set bindtoif <interface name>
    set internetbrowsing <interface name>


[System DHCP Exclude Range]
In FortiOS v2.80 MR11 and MR12, "system dhcp exclude_range" is a standalone section that indicates the IP addresses to be exempted from the DHCP address pool. In FortiOS v3.00 MR7 Patch Release 5, this feature is implemented by a "config exclude-range" section under "config system dhcp server". Upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 copies these settings to every DHCP server's settings:

config system dhcp server
    config exclude-range
        edit 1
            set start-ip 192.168.1.100
            set end-ip 192.168.1.200
        next
    end
end

[Firewall Profiles/Schedule]
In FortiOS v2.80, the firewall profile and the firewall onetime/recurring schedule are global settings. Starting from FortiOS v3.00 MR5, these settings were moved to per-VDom, so the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 copies this configuration to every VDom.

[Firewall Service Custom]
In FortiOS v2.80, firewall service custom is a global setting. Starting from FortiOS v3.00 MR5, these settings were moved to per-VDom, so the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 copies this section to every VDom.

[IPSec DPD Setting]The DPD parameter in a phase1 policy based IPSec tunnel is lost upon upgrade from FortiOS v2.80 to FortiOS v3.00 MR7.

[IPS Predefined Signatures]The severities of the predefined IPS signatures have been set to recommended levels and can not be altered. Upon upgrading from FortiOS v3.00 MR3 or earlier to FortiOS v3.00 MR4 or later, the severities are reset to the recommended values.

[IPSec Manual Keys in a VDom Configuration]IPSec tunnels configured in a non-root VDom that use manual keys are not retained upon upgrade if the tunnel was not referenced by a firewall policy.

[Static Routes without Device Setting Configured]In FortiOS v2.80, the device setting for a static route is optional. FortiOS v3.00 MR2 has made this setting mandatory. If the device setting is not configured, the static route is dropped upon upgrade.

[HA Monitor Interfaces WLAN]The WLAN interface can not be used as a monitored interface as of FortiOS v3.00 MR4, therefore, upgrading from FortiOS v2.80 to FortiOS v3.00 MR4 or later results in this configuration being lost.

[SSL-VPN Firewall Policies Without Groups]A SSL-VPN firewall policy configured without a group is lost after upgrading to FortiOS v3.00 MR7 Patch Release 5.

[VPN IPSec Phase1 with Type DDNS]
Prior to FortiOS v3.00 MR4, the following IPSec Phase 1 configuration was accepted by the FortiGate even though the configuration was invalid:

config vpn ipsec phase1
    set type ddns
    set peertype one
    set peerid aaa

From FortiOS v3.00 MR4, this is no longer accepted; therefore, the upgrade from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5 results in loss of this configuration.

[VPN PPTP Non-Firewall User Group]
Choosing a user group whose type is not "firewall" when configuring PPTP results in loss of configuration when upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5.

[DDNS Server – vavic.com]
The DDNS service for "vavic.com" changed in FortiOS v3.00 MR5. The domain is now retrieved automatically based on the user's account. Thus, upgrading from FortiOS v2.80 to FortiOS v3.00 MR7 Patch Release 5 will cause loss of configuration for this setting.

[Firewall IP Pools with Class D IP Addresses]
Firewall IP pools using a Class D IP address are lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5, since the configuration is now verified to be below 224.0.0.0.

[Firewall VPN Policies Sharing the Same Manual Key]
In FortiOS v2.80, VPN tunnels can be shared across firewall policies, but in FortiOS v3.00 VPN tunnels are assigned to an interface. Because the upgrade script assigns the VPN tunnel to one interface, subsequent policies using the same VPN tunnel are lost.

[Oversize File Limit]
After upgrading to FortiOS v3.00 MR7 Patch Release 5 from FortiOS v2.80 MR12, all oversize file limit values may change to zero.
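Several of the caveats above ([Static Routes without Device Setting Configured], [Policy Routing], [Firewall IP Pools with Class D IP Addresses]) and the known issue in section 4.1 (policies referencing an empty address group) describe configuration that the upgrade drops silently. The following Python script is an added example, not a Fortinet tool: it parses a saved configuration backup and flags those four conditions so they can be corrected before the upgrade rather than discovered afterwards. The section and attribute names it looks for (router static/device, router policy/output-device, firewall ippool/startip, firewall addrgrp/member) follow the CLI style used in these notes and are assumptions that may need adjusting for a particular v2.80 build; the sample backup is constructed for the example.

```python
"""Pre-upgrade audit of a FortiOS v2.80 configuration backup.

Added example, not Fortinet code. The four checks correspond to caveats in
the release notes; the CLI section/attribute names are assumptions.
"""
import ipaddress
import shlex

# Constructed sample backup: one good and one doomed entry per section.
SAMPLE_CONFIG = """\
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device external
    next
    edit 2
        set gateway 192.168.1.254
    next
end
config router policy
    edit 1
        set input-device internal
        set output-device external
    next
    edit 2
        set input-device dmz
    next
end
config firewall ippool
    edit "nat-pool"
        set startip 203.0.113.10
        set endip 203.0.113.20
    next
    edit "bad-pool"
        set startip 224.0.0.10
        set endip 224.0.0.20
    next
end
config firewall addrgrp
    edit "servers"
        set member "web1" "web2"
    next
    edit "empty-group"
    next
end
"""


def parse_config(text):
    """Parse config/edit/set/next/end text into {section: {entry: {attr: [values]}}}.

    Only top-level tables and their direct entries are kept. Nested config
    blocks inside an entry are tracked by depth so next/end stay balanced.
    """
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            if depth == 0:
                section = sections.setdefault(" ".join(words[1:]), {})
            depth += 1
        elif kw == "edit":
            if depth == 1:
                entry = section.setdefault(words[1], {})
            depth += 1
        elif kw == "set" and depth == 2:
            entry[words[1]] = words[2:]
        elif kw in ("next", "end"):
            depth -= 1
            if depth < 2:
                entry = None
            if depth == 0:
                section = None
    return sections


def audit(sections):
    """Return (section, entry, reason) for each item the upgrade would drop."""
    findings = []
    for name, route in sections.get("router static", {}).items():
        if "device" not in route:
            findings.append(("router static", name, "no device setting: static route is dropped"))
    for name, pr in sections.get("router policy", {}).items():
        if "output-device" not in pr:
            findings.append(("router policy", name, "no output-device: policy route is dropped"))
    for name, pool in sections.get("firewall ippool", {}).items():
        start = ipaddress.ip_address(pool.get("startip", ["0.0.0.0"])[0])
        if start >= ipaddress.ip_address("224.0.0.0"):
            findings.append(("firewall ippool", name, "class D address: IP pool is dropped"))
    for name, grp in sections.get("firewall addrgrp", {}).items():
        if not grp.get("member"):
            findings.append(("firewall addrgrp", name, "empty group: policies using it are dropped"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{section} {entry}: {reason}")
```

Run it against the backup taken in the "BEFORE any upgrade" step; an empty result does not prove the upgrade is safe (the other caveats in this section are not checked), but every finding is configuration that will be gone afterwards.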

5.3 Upgrading from FortiOS v3.00 MR5 and MR6
Upgrading from FortiOS v3.00 MR5 and MR6 to FortiOS v3.00 MR7 is supported. MR7 Patch Release 5 officially supports upgrade from the most recent Patch Release in MR5 and MR6.

If you are upgrading from a release prior to MR5, please upgrade to MR5 or MR6 before upgrading to MR7 Patch Release 5. Please refer to the corresponding release notes for the proper upgrade path to MR5 or MR6.

[FG-3016B Upgrade]
Interface names on the FGT-3016B have been changed in FortiOS v3.00 MR7 to match the port names on the faceplate. After upgrading to MR7 Patch Release 5, all port names in the FortiGate configuration are changed as per the following port mapping.

Old port name (before upgrading)   New port name (after upgrading)
port1                              mgmt1
port2                              mgmt2
port3                              port1
port4                              port2
port5                              port3
port6                              port4
port7                              port5
port8                              port6
port9                              port7
port10                             port8
port11                             port9
port12                             port10
port13                             port11
port14                             port12
port15                             port13
port16                             port14
port17                             port15
port18                             port16

Note: A new revision of the FGT-3016B included a name change to two ports on the left side of the faceplate and in the FortiOS v3.00 MR7 firmware. Previously, they were labelled 1 and 2. Now they are called MGMT 1 and MGMT 2. However, the BIOS still refers to the MGMT 1 and MGMT 2 ports as port 1 and port 2.
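The upgrade renames the ports inside the FortiGate's own configuration, but anything outside the unit that names these interfaces (CLI scripts, monitoring templates, documentation) must be updated by hand. The following Python function is an added example, not a Fortinet tool, that applies the mapping above to such text. It matters that the mapping is applied in a single pass with word boundaries: done as a sequence of plain string replacements, port1 becomes mgmt1 and then port3 becomes port1, and "port10" is wrongly matched by "port1". The sample lines are constructed.

```python
"""Rewrite FGT-3016B interface names using the MR7 port mapping.

Added example, not Fortinet code. PORT_MAP reproduces the table in the
release notes; the sample text is constructed for this example.
"""
import re

# port1/port2 become the management ports; port3..port18 shift down by two.
PORT_MAP = {"port1": "mgmt1", "port2": "mgmt2"}
PORT_MAP.update({f"port{n}": f"port{n - 2}" for n in range(3, 19)})

# Match exactly port1..port18 as whole words, longest alternative first so
# that "port10" is not read as "port1" followed by "0".
_OLD_PORT = re.compile(r"\bport(?:1[0-8]|[1-9])\b")


def rename_ports(text):
    """Return text with every old FGT-3016B port name replaced in one pass."""
    return _OLD_PORT.sub(lambda m: PORT_MAP[m.group(0)], text)


# Constructed sample of lines that reference the old names.
SAMPLE = (
    'set srcintf "port3"\n'
    'set dstintf "port10"\n'
    "set device port1\n"
    "set interface port18\n"
)

if __name__ == "__main__":
    print(rename_ports(SAMPLE), end="")
```

Names outside the table (for example port19, or the new mgmt1 itself) are left untouched, so the function can be re-run on already-converted text without corrupting it only if the text contains no old names; treat the output as a draft to review rather than a blind replacement.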

[FortiManager Acting as a FortiGuard Server]If your FortiManager is being used as an on-site FortiGuard server (providing IPS and AV updates), then you MUST upgrade the FortiManager to MR7 before upgrading the FortiGates to ensure no service disruption.

[Firewall IP Pools with Class D IP Addresses]Firewall IP pools using a Class D IP address are lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5, since the configuration is now verified to be below 224.0.0.0.

[IPS Related Settings]
FortiOS v3.00 MR6 introduced a significant change to the way IPS is configured.

Previously, if a firewall profile had "high critical" signatures enabled, during the upgrade a sensor is created with one IPS filter in which the severity "high critical" is selected. This sensor is added to the firewall profile. For each severity combination, a sensor is created. If the user has changed the default signature settings, then these signatures are added to all of those sensors as IPS overrides. For example:

Prior to FortiOS v3.00 MR6

config firewall profileedit test1

set ips-signature info low medium high criticalnextedit test2

set ips-signature high criticalnext

endconfig ips group abc

config rule xyz123set status enableset action dropset id 1234567

endconfig rule xyz456

April 18, 2009 12

Page 17: FortiOS v3.00 MR7 Release Notes Patch Release 5

Fortinet Inc Release Notes FortiOS™ v3.00 MR7 – Patch Release 5

set status enableset action passset id 7654321

endend

FortiOS v3.00 MR7 configuration

config firewall profile
    edit test1
        set ips-sensor-status enable
        set ips-sensor fw_prof_upg_test1
    next
    edit test2
        set ips-sensor-status enable
        set ips-sensor fw_prof_upg_test2
    next
end
config ips sensor
    edit fw_prof_upg_test1
        config filter
            edit 1
                set severity info low medium high critical
            next
        end
        config override
            edit 1234567
                set status enable
                set action block
            next
            edit 7654321
                set status enable
                set action pass
            next
        end
    next
    edit fw_prof_upg_test2
        config filter
            edit 1
                set severity high critical
            next
        end
        config override
            edit 1234567
                set status enable
                set action block
            next
            edit 7654321
                set status enable
                set action pass
            next
        end
    next
end
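The conversion described above can be scripted to preview what the upgrade will produce before it runs. The Python below is an added example, not Fortinet's upgrade code: it reads the pre-MR6 example from these notes (re-typed as constructed input), creates one sensor per profile named fw_prof_upg_<profile> carrying that profile's severities as a single filter, maps the ips group rule actions to override actions (drop to block, pass to pass, the mapping visible in the two listings above), attaches every rule to every sensor as an override, and prints the MR7 form. The parser handles only the config/edit/set/next/end keywords the example uses; ACTION_MAP and SENSOR_PREFIX are the example's own names.

```python
from collections import OrderedDict

# Legacy ips group rule action -> MR7 override action, as seen in the listings above.
ACTION_MAP = {"drop": "block", "pass": "pass"}
SENSOR_PREFIX = "fw_prof_upg_"   # sensor naming used in the MR7 listing above

# Constructed input: the pre-MR6 example from these notes, re-typed as text.
LEGACY_CONFIG = """\
config firewall profile
    edit test1
        set ips-signature info low medium high critical
    next
    edit test2
        set ips-signature high critical
    next
end
config ips group abc
    config rule xyz123
        set status enable
        set action drop
        set id 1234567
    end
    config rule xyz456
        set status enable
        set action pass
        set id 7654321
    end
end
"""


def parse_legacy(text):
    """Return (profiles, rules): profile name -> severities from 'set ips-signature',
    and one dict (status/action/id) per 'config rule' under 'config ips group'."""
    profiles = OrderedDict()
    rules = []
    path = []        # stack of open config/edit blocks
    current = None   # list (profile severities) or dict (rule) being filled
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            section = " ".join(words[1:])
            path.append(section)
            if section.startswith("rule "):
                current = {"name": words[2]}
                rules.append(current)
        elif kw == "edit":
            path.append("edit " + words[1])
            if len(path) >= 2 and path[-2] == "firewall profile":
                current = profiles.setdefault(words[1], [])
        elif kw == "set" and current is not None:
            key, values = words[1], words[2:]
            if isinstance(current, list):
                if key == "ips-signature":
                    current.extend(values)
            else:
                current[key] = values[0]
        elif kw in ("next", "end"):
            path.pop()
            current = None
    return profiles, rules


def migrate(profiles, rules):
    """One sensor per profile, one filter with its severities, and every changed
    signature attached to every sensor as an override (as the notes describe)."""
    overrides = [{"id": r["id"], "status": r.get("status", "enable"),
                  "action": ACTION_MAP[r["action"]]} for r in rules]
    sensors = OrderedDict()
    for name, severities in profiles.items():
        sensors[SENSOR_PREFIX + name] = {"severity": list(severities),
                                         "overrides": [dict(o) for o in overrides]}
    return sensors


def render(sensors):
    """Emit the MR7 'config firewall profile' and 'config ips sensor' CLI text."""
    out = ["config firewall profile"]
    for sensor in sensors:
        out += [f"    edit {sensor[len(SENSOR_PREFIX):]}", "        set ips-sensor-status enable",
                f"        set ips-sensor {sensor}", "    next"]
    out += ["end", "config ips sensor"]
    for sensor, spec in sensors.items():
        out += [f"    edit {sensor}", "        config filter", "            edit 1",
                "                set severity " + " ".join(spec["severity"]),
                "            next", "        end", "        config override"]
        for o in spec["overrides"]:
            out += [f"            edit {o['id']}", f"                set status {o['status']}",
                    f"                set action {o['action']}", "            next"]
        out += ["        end", "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(migrate(*parse_legacy(LEGACY_CONFIG))))
```

Running it prints the same two sensors as the MR7 listing above; comparing that output with the running configuration after the upgrade is a quick way to confirm no profile lost its severities or overrides.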


The following sections are removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 5:

    config ips anomaly *
    config ips group *
    config system autoupdate ips

The following commands are removed when upgrading from v3.00 MR5 and MR6 to MR7 Patch Release 5:

    config system global
        set local-anomaly [enable|disable]
    config ips global
        set ip-protocol [enable|disable]

“config ips custom”, which was a global setting in FortiOS v3.00 MR4 and MR5, is copied into every VDom when upgrading to v3.00 MR7 Patch Release 5.

[IM and P2P]
The sections “config imp2p aim-user | icq-user | yahoo-user | msn-user | old-version | policy” which were global settings in FortiOS v3.00 MR5 are copied into every VDom after upgrading to v3.00 MR7 Patch Release 5.

[Spam Filter]
The sections “config spamfilter bword | emailbwl | ipbwl | ipstrust | mheader” which were global settings in FortiOS v3.00 MR5 are copied into every VDom when upgrading to v3.00 MR7 Patch Release 5. Section “config spamfilter rbl” becomes “config spamfilter dnsbl” after upgrading to FortiOS v3.00 MR7 Patch Release 5, and this section is copied into every VDom.

[Web Filter]
The sections “config webfilter bword | exmword | ftgd-local-cat | ftgd-local-rating | ftgd-ovrd | ftgd-ovrd-user | urlfilter” which were global settings in FortiOS v3.00 MR5 are copied into every VDom after upgrading to v3.00 MR7 Patch Release 5.

[FortiManager]
Section “config system fm” in FortiOS v3.00 MR5 and MR6 may be lost after upgrading to MR7 Patch Release 5. In that case, you need to reset the FortiManager parameters under the “config system fortimanager” section:

config system fortimanager
    set ip 192.168.100.100
    set vdom root
end

[User Setting]
There were three parameters under the system global settings in FortiOS v3.00 MR5 that are moved into a new section called “config user setting”, which is a per-VDom setting. They are:

    set auth-cert <cert-name>
    set auth-secure-http [enable|disable]
    set auth-timeout <integer, in minutes>
    set auth-type [ftp | http | https | telnet]

[SNMP Interface Index]
FortiOS v3.00 MR6 added a new SSL interface (ssl.root). Upgrading from FortiOS v3.00 MR5 to MR7 Patch Release 5 therefore increases the SNMP interface index of the interfaces listed after the physical interfaces, because the ssl.root interface is added just after the physical interfaces in the list.

[NTP Configuration]
The following NTP related configuration commands have been moved under "config system ntp" in MR7 Patch Release 5:

    config ntpserver
    set ntpsync
    set syncinterval

[DNS Server Override]
The "dns-server-override" command is available only for interfaces that are configured in the management VDom.

[Switch Interface and Vlan Support in TP mode]
As of FortiOS v3.00 MR7, a VLAN interface cannot be created under a FortiGate switch interface in TP mode (e.g. the Internal interface on the FGT60). Any VLANs under the switch interface will be lost after upgrading to MR7 Patch Release 5.

[VPN PPTP Non-Firewall User Group]
Choosing a user group whose type is NOT firewall when configuring PPTP results in loss of that configuration when upgrading from FortiOS v3.00 MR5 to FortiOS v3.00 MR7 Patch Release 5.

[Report Configuration]
The "Report Config" feature has been reworked in FortiOS v3.00 MR7 Patch Release 5 to support FortiAnalyzer Report Engine v2. The "config log report" command has been removed in FortiOS v3.00 MR7 Patch Release 5. All configuration under "config log report" may be lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5.

[User Peers]
User peers that are configured without a certificate authority (ca) or a subject are not retained upon upgrading to FortiOS v3.00 MR7 Patch Release 5. In MR7, at least one of these fields may be a mandatory setting.

[FortiGuard Configuration]
The default setting for the "central-mgmt-auto-backup" command has been changed to enable in FortiOS v3.00 MR7 Patch Release 5.

[Firewall Policy]
The "auth-path", "auth-cert" and "auth-redirect-addr" settings may be lost upon upgrading to FortiOS v3.00 MR7 Patch Release 5 if no authentication group is selected in the firewall policy.

[System IPv6]
The section "config system ipv6-tunnel" is moved under "config system sit-tunnel" upon upgrading to v3.00 MR7 Patch Release 5.

[Global Setting]
The section "allow-interface-subnet-overlap" which was under global settings in FortiOS v3.00 MR5 and MR6 is copied into every VDom under "config system settings" after upgrading to v3.00 MR7 Patch Release 5.

[VPN IPSec User Group Settings]
In FortiOS v3.00 MR7 Patch Release 5 the user group settings have been changed to only reference firewall type user groups in XAuth and Peer group settings. VPN configuration may be lost upon upgrading to MR7 Patch Release 5 if non-firewall type user groups are used.

[Fortinet Local Certificate]
In FortiOS MR7 the "Fortinet_Local" RSA certificate has been removed, hence any settings using "Fortinet_Local" as an RSA certificate may be lost after upgrading to MR7 Patch Release 5. Use the Fortinet_Factory RSA certificate instead of Fortinet_Local.

[IPSec Quick Mode Selector]
The IPSec Phase2 quick mode selector protocol settings are lost after upgrading from FortiOS v2.80 to FortiOS v3.00 Patch Release 2.


[FDS Push-update Settings]
The address and port settings under 'config system autoupdate push-update' may be lost after upgrading to FortiOS v3.00 MR7.

[System Modem Settings]
'config system modem' settings are lost after upgrading from FortiOS v3.00 MR6 to FortiOS v3.00 MR7 Patch Release 5.

[FGT-224B Firewall Mode Support]
FortiOS v3.00 MR7 supports the FGT-224B operating in firewall mode only.
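Several of the notes above ([Firewall IP Pools with Class D IP Addresses], [User Peers], [Report Configuration], [Fortinet Local Certificate] and [System Modem Settings]) describe settings that do not survive the upgrade. The Python below is an added example, not a Fortinet tool: it runs those checks over a configuration backup before the upgrade, so the affected settings can be recorded and re-entered afterwards. The sample configuration is constructed for the example and assumes the column-0 config/end layout of a FortiOS show dump; the setting name inside the log report section is a placeholder, and the audit() function and its finding texts are the example's own.

```python
import ipaddress
import re

# Constructed sample of a FortiOS v3.00 MR5/MR6 backup (not a real device dump),
# with one instance of each condition the notes say is lost on upgrade.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "pool-ok"
        set startip 10.0.0.10
        set endip 10.0.0.20
    next
    edit "pool-classd"
        set startip 230.0.0.1
        set endip 230.0.0.10
    next
end
config user peer
    edit "peer-ok"
        set ca "CA_Cert_1"
    next
    edit "peer-nocert"
        set cn "peer.example.com"
    next
end
config log report
    set placeholder-setting enable
end
config vpn ssl settings
    set servercert "Fortinet_Local"
end
config system modem
    set status enable
end
"""

# Column-0 "config ..." / "end" delimit top-level sections in a FortiOS dump;
# nested blocks are indented, so their "end" lines do not match here.
SECTION_RE = re.compile(r"^config (.+?)\n(.*?)^end\b", re.M | re.S)
TABLE_RE = re.compile(r'^\s*edit "?([^"\n]+?)"?\n(.*?)^\s*next\b', re.M | re.S)
SET_RE = re.compile(r"^\s*set (\S+) (.+)$", re.M)

CLASS_D_START = ipaddress.IPv4Address("224.0.0.0")   # pools must stay below this


def top_level_sections(text):
    return {m.group(1): m.group(2) for m in SECTION_RE.finditer(text)}


def tables(body):
    """(name, body) for each 'edit ... next' table entry in a section body."""
    return [(m.group(1), m.group(2)) for m in TABLE_RE.finditer(body)]


def settings(body):
    """'set key value' lines as a dict, with surrounding quotes removed."""
    return {m.group(1): m.group(2).strip().strip('"') for m in SET_RE.finditer(body)}


def audit(text):
    """Return one finding string per setting the upgrade notes say will be lost."""
    findings = []
    sections = top_level_sections(text)

    # [Firewall IP Pools with Class D IP Addresses]: addresses must be below 224.0.0.0
    for name, body in tables(sections.get("firewall ippool", "")):
        s = settings(body)
        for key in ("startip", "endip"):
            if key in s and ipaddress.IPv4Address(s[key]) >= CLASS_D_START:
                findings.append(f"firewall ippool {name}: {key} {s[key]} is not below "
                                f"224.0.0.0, pool will be dropped")

    # [User Peers]: a peer with neither ca nor subject is not retained
    for name, body in tables(sections.get("user peer", "")):
        s = settings(body)
        if "ca" not in s and "subject" not in s:
            findings.append(f"user peer {name}: neither ca nor subject is set, "
                            f"peer will not be retained")

    # [Report Configuration] / [System Modem Settings]: whole sections are lost
    for section in ("log report", "system modem"):
        if section in sections:
            findings.append(f"config {section}: present, its settings are lost on upgrade")

    # [Fortinet Local Certificate]: any setting still referencing the removed certificate
    for m in re.finditer(r'^\s*set (\S+) "?Fortinet_Local"?\s*$', text, re.M):
        findings.append(f"set {m.group(1)} Fortinet_Local: certificate removed in MR7, "
                        f"switch to Fortinet_Factory")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved backup ('show full-configuration' output) rather than the live unit; an empty result means none of the checked conditions is present, not that the upgrade is loss-free, since the notes list other conditions (non-firewall user groups, VLANs under a switch interface) that this script does not cover.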

5.4 Downgrading to FortiOS v3.00
Downgrading to FortiOS v3.00 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles

5.5 Downgrading to FortiOS v2.80
Downgrading to FortiOS v2.80 results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles

The FGT1000A-FA2 does not support downgrade to FortiOS v2.80. With the introduction of the FortiClient Check feature, the flash card has a different partition layout than that in FortiOS v2.80.

5.6 Downgrading to FortiOS v2.50
Downgrading to FortiOS v2.50 results in loss of configuration on ALL models.


6 Image Checksums

b931d2cfbdd1a7924f838bceb527cfbc *FGT_3016B-v300-build0741-FORTINET.out
a343e8bf37acb793348e4469a88fa4b7 *FGT_310B-v300-build0741-FORTINET.out
26be85f79e2194ac86a8607d0d9e65c5 *FGT_3600A-v300-build0741-FORTINET.out
899dfb165af298f8f994f30a1a0491c6 *FGT_3810A-v300-build0741-FORTINET.out
d406492cdee88786be516fd366d23ad2 *FGT_620B-v300-build0741-FORTINET.out
3ed3b75e6fd193bd0a1c09ccbb582c72 *FGT_110C-v300-build0741-FORTINET.out
18f161e05bb198f2108592ec87480a9f *FGT_111C-v300-build0741-FORTINET.out
404d17860a1a1e956906a31503b8e365 *FGT_5001A-v300-build0741-FORTINET.out
840be8a903a83685fffe9a7d6c3469eb *FGT_51B-v300-build0741-FORTINET.out
1b4aa36dd3065c973a3d682a4cb6b703 *FGT_80C-v300-build0741-FORTINET.out
734bc216c333e5645c508127e3bf2f42 *FGT_80CM-v300-build0741-FORTINET.out
771c6e700e182575e74626b45216a5f6 *FWF_80CM-v300-build0741-FORTINET.out
c715bc57b4edd9bcc2243b04de15fd73 *FGT_100-v300-build0741-FORTINET.out
b36c85ab1390c2449bf2ee23b931ef2e *FGT_1000A-v300-build0741-FORTINET.out
6acf38adeb3d4bbedfd75a9fb61fc7b4 *FGT_1000AFA2-v300-build0741-FORTINET.out
d134e26238e18822a6ac4083973eac6e *FGT_1000A_LENC-v300-build0741-FORTINET.out
078344afc253527e030cc3f0a92ebd2c *FGT_100A-v300-build0741-FORTINET.out
5e7ee7a153e216a86cffd9b76dd9ed46 *FGT_1K-v300-build0741-FORTINET.out
a2470d664a05b9f16fa80438c92d10a0 *FGT_200-v300-build0741-FORTINET.out
54a6b4f36ff3ac423ba468614a2449da *FGT_200A-v300-build0741-FORTINET.out
1f1c716b72b0e96284144d3542490003 *FGT_224B-v300-build0741-FORTINET.out
a81b92ea8b47f88ca492f2c3bfa041a9 *FGT_300-v300-build0741-FORTINET.out
b91e413d6a1f7d5c8ee0f856ba7132af *FGT_3000-v300-build0741-FORTINET.out
118a9fe5e1ba4cddba3d2563dfce687e *FGT_300A-v300-build0741-FORTINET.out
51e6a0d999de65bd55adc9e2eb7537ae *FGT_30B-v300-build0741-FORTINET.out
cf1836287061dfa99d3545ed989b3b21 *FGT_3600-v300-build0741-FORTINET.out
3abddbfe284ee0bb752198ece1354c66 *FGT_400-v300-build0741-FORTINET.out
66578700da4357ecbc0892394629a046 *FGT_400A-v300-build0741-FORTINET.out
f8cef74f8ed261238588bde7e8e91f2e *FGT_500-v300-build0741-FORTINET.out
83337f59a94cf4ab9e78eedb137a82be *FGT_5001-v300-build0741-FORTINET.out
bad610c9d80a6dfdd74851e93625813e *FGT_5001FA2-v300-build0741-FORTINET.out
4f4a07d51bbc85e8ee7011944cb13876 *FGT_5002FB2-v300-build0741-FORTINET.out
8634c0891e486a1ab780d1b52c38863f *FGT_5005FA2-v300-build0741-FORTINET.out
f8d17ecfeb252eb93f60ac4c3de39c2b *FGT_500A-v300-build0741-FORTINET.out
88d396a610393daf4224acdd2ebd8544 *FGT_50A-v300-build0741-FORTINET.out
9dbe1f5ef75c6c7d993c662c668626e6 *FGT_50B-v300-build0741-FORTINET.out
9a18d02c5a51bd921796f46e688aa91d *FGT_60-v300-build0741-FORTINET.out
e3ab3884f80c3e4673bab943cab213ed *FGT_60ADSL-v300-build0741-FORTINET.out
3a2b93ab0c8cf24880848cd9736d672c *FGT_60B-v300-build0741-FORTINET.out
5224292cf119949363b408ee85619d71 *FGT_60M-v300-build0741-FORTINET.out
7c80bccd59bdfcb0e7f73b23572548e2 *FGT_800-v300-build0741-FORTINET.out
6ec6da93a636c0e83700d1cb683feb92 *FGT_800F-v300-build0741-FORTINET.out
d74c07ac087746774b63ddaffa7d5a2b *FWF_50B-v300-build0741-FORTINET.out
8d430e4e6017e2671dc57fa63630e37a *FWF_60-v300-build0741-FORTINET.out
f7be70ae93611a209fd06b6f503dc211 *FWF_60A-v300-build0741-FORTINET.out
2bfe9e63fadb1a3fdfeb8c2eab1a01a0 *FWF_60AM-v300-build0741-FORTINET.out
c0d6ead93f184bf667c6bafe9e397ea0 *FWF_60B-v300-build0741-FORTINET.out
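Checking a downloaded image against this list before uploading it to the unit: the Python below is an added example, not a Fortinet tool. It parses the md5sum-style entries (two of them copied from the list above), streams the file through MD5 so a large image is not read into memory at once, and compares the digest with a constant-time comparison. The status words and the function names are the example's own.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Two entries copied from the list above. The format is the one md5sum -b writes:
# hex digest, a space, '*' for binary mode, then the file name.
CHECKSUM_LIST = """\
9a18d02c5a51bd921796f46e688aa91d *FGT_60-v300-build0741-FORTINET.out
c0d6ead93f184bf667c6bafe9e397ea0 *FWF_60B-v300-build0741-FORTINET.out
"""

ENTRY_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S+)$")


def parse_checksums(text):
    """Parse md5sum-style lines into {file name: lower-case hex digest}.

    A malformed line raises instead of being skipped, so a truncated or
    mangled list cannot quietly turn a listed image into an 'unlisted' one.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an md5sum entry: {line!r}")
        table[m.group(2)] = m.group(1).lower()
    return table


def md5_hex(data):
    """MD5 of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 in 1 MiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(name, actual, table):
    """Return 'ok', 'mismatch' or 'unlisted' for a computed digest."""
    expected = table.get(name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(actual.lower(), expected) else "mismatch"


def verify_image(path, table):
    """Verify one downloaded image file against the parsed checksum list."""
    return check_digest(Path(path).name, md5_of_file(path), table)


if __name__ == "__main__":
    import sys
    table = parse_checksums(CHECKSUM_LIST)
    for image in sys.argv[1:]:
        print(f"{image}: {verify_image(image, table)}")
```

A match shows the file is the one the list describes and was not corrupted or swapped in transfer. MD5 is not a signature, so the check is only as trustworthy as the copy of this list it is compared against.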

(End of Release Notes.)
