Release Notes v4.0 MR3

Patch Release 3

01-433-84420-20111110

FortiGate® Multi-Threat Security System

Release Notes FortiOS v4.0 MR3 - Patch Release 3

Table of Contents

1 FortiOS v4.0 MR3 – Patch Release 3
    1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 3
2 Special Notices
    2.1 General
3 Upgrade Information
    3.1 Upgrading from FortiOS v4.0 MR2
    3.2 Upgrading from FortiOS v4.0 MR1
4 Downgrading to FortiOS v4.0.0
5 Fortinet Product Integration and Support
    5.1 FortiManager Support
    5.2 FortiAnalyzer Support
    5.3 FortiClient Support
    5.4 FortiAP Support
    5.5 Fortinet Single Sign On (FSSO) Support
    5.6 FortiExplorer Support
    5.7 AV Engine and IPS Engine Support
    5.8 Module Support
    5.9 SSL-VPN Support
        5.9.1 SSL-VPN Standalone Client
        5.9.2 SSL-VPN Web Mode
    5.10 SSL-VPN Host Compatibility List
    5.11 Explicit Web Proxy Browser Support
6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 3
    6.1 Command Line Interface (CLI)
    6.2 Web User Interface
    6.3 System
    6.4 High Availability
    6.5 Router
    6.6 Firewall Policy
    6.7 Antivirus
    6.8 Web Filter
    6.9 Instant Message
    6.10 Voice Over IP (VoIP)
    6.11 WAN Optimization
    6.12 VPN
    6.13 WiFi
    6.14 Log & Report
    6.15 GTP&Dynamic Profile
    6.16 Vulnerability
7 Known Issues in FortiOS v4.0 MR3 - Patch Release 3
    7.1 Web UI
    7.2 WiFi
8 Image Checksums

i November 10, 2011

Change Log

Date Change Description

2011-11-09 Initial Release.

2011-11-10 Changed FortiAnalyzer compatibility support information in Section 5 and added bug 151594 into Section 6.

© Copyright 2011 Fortinet Inc. All rights reserved. Release Notes FortiOS™ v4.0 MR3 Patch Release 3.

Trademarks

Copyright© 2011 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com

1 FortiOS v4.0 MR3 – Patch Release 3

This document provides installation instructions, and addresses issues and caveats in FortiOS™ v4.0 MR3 B0496 - Patch Release 3. The following outlines the release status for several models.

Model: FGT-30B, FWF-30B, FGT-50B, FGT-51B, FWF-50B, FGT-60B, FWF-60B, FGT-60C, FWF-60C, FWF-60CM, FWF-60CX-A, FGT-80C, FGT-80CM, FWF-80CM, FWF-81CM, FGT-82C, FGT-100A, FGT-110C, FGT-111C, FGT-200A, FGT-200B, FGT-200B-POE, FGT-224B, FGT-300A, FGT-300C, FGT-310B, FGT-311B, FGT-310B-DC, FGT-400A, FGT-500A, FGT-620B, FGT-620B-DC, FGT-621B, FGT-800, FGT-800F, FGT-1000A, FGT-1000A-FA2, FGT-1000A-LENC, FGT-1240B, FGT-3016B, FGT-3040B, FGT-3140B, FGT-3600, FGT-3600A, FGT-3810A, FGT-3950B, FGT-3951B, FGT-5001A, FGT-5001, FGT-5001B, FGT-5001FA2, FGT-5002FB2, FGT-5005FA2, FGT-ONE, FGT-VM and FGT-VM64.

FortiOS v4.0 MR3 Patch Release 3 Status: All models are supported on the regular v4.0 MR3 - Patch Release 3 branch.

Please visit http://docs.forticare.com/fgt.html for additional documents on FortiOS v4.0 MR3 Patch Release 3.

1.1 Summary of Enhancements Provided by v4.0 MR3 Patch Release 3

The following is a brief list of the new features added in FortiOS v4.0 MR3 Patch Release 3.

• FortiGuard Web Filter Category Update
• Multiple Email Fields Logging
• Report in PDF and Web Format
• Up to 100 VDoms Support for 1240B

2 Special Notices

2.1 General

The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

IMPORTANT!

Monitor Settings for Web User Interface Access

• Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all objects in the Web UI to be viewed properly.

Web Browser Support

• Microsoft Internet Explorer™ 8.0 (IE8) and FireFox 3.5 or later are fully supported.

BEFORE any upgrade

• [FortiGate Configuration] Save a copy of your FortiGate unit configuration (including replacement messages) prior to upgrading.

AFTER any upgrade

• [WebUI Display] If you are using the Web UI, clear the browser cache prior to login on the FortiGate to ensure proper display of the Web UI screens.

• [Update the AV/IPS definitions] The AV/IPS signatures included with an image upgrade may be older than the ones currently available from Fortinet's FortiGuard system. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. Consult the FortiGate User Guide for detailed procedures.

3 Upgrade Information

3.1 Upgrading from FortiOS v4.0 MR2

FortiOS v4.0 MR3 - Patch Release 3 officially supports upgrade from FortiOS v4.0 MR2 Patch Release 4 or later. See the upgrade path below.

[FortiOS v4.0 MR2] The upgrade is supported from FortiOS v4.0 MR2 Patch Release 4 B0313 or later.

v4.0 MR2 Patch Release 4 B0313 (or later)
↓
v4.0 MR3 Patch Release 3 B0496 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[DDNS] DDNS configuration under an interface is moved to global mode “config system ddns” after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[DNS Server] The “dns-query recursive/non-recursive” option under a specific interface is moved to the system level per VDom mode, and “config system dns-server” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Ping Server] “gwdetect” related configurations under a specific interface have been moved under router per VDom mode. “config router gwdetect” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Central-management] “set auto-backup disable” and “set authorized-manager-only enable” configurations under “config system central-management” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[SNMP community] A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Modem Settings] “wireless-custom-vendor-id” and “wireless-custom-product-id” are moved from “config system modem” to “config system 3g-modem custom” upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[AMC slot settings] The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Wireless radio settings] Wireless radio settings except SSID, Security Mode, and Authentication settings will be lost after upgrade. A workaround is given in the Special Notices section.

[Web filter overrides] The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 B0313 to FortiOS v4.0 MR3 - Patch Release 3.

[Firewall policy settings] If the source interface or destination interface is set as an amc-XXX interface, the default value of ips-sensor under config firewall policy will be changed from all_default to default after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[URL Filter] The “action” options in the urlfilter configuration have been changed from “Allow, Pass, Exempt, Block” to “Allow, Monitor, Exempt, Block”. Action “Allow” will not report a log in v4.3.1. The new action “Monitor” acts as allow with log reporting. Action “Pass” in v4.2 has been merged into “Exempt” in v4.3.1 and the CLI command has been changed from “set action pass” to “set exempt pass”.

[FortiGuard Log Filter] The settings of “config log fortiguard filter” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[FortiGuard Log Setting] The options “quotafull” and “use-hdd” in “config log fortiguard setting” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

3.2 Upgrading from FortiOS v4.0 MR1

FortiOS v4.0 MR3 - Patch Release 3 officially supports upgrade from FortiOS v4.0 MR1 Patch Release 9 or later. See the upgrade path below.

[FortiOS v4.0 MR1] The upgrade is supported from FortiOS v4.0 MR1 Patch Release 4 B0213 Patch Release 9 or later.

v4.0 MR1 Patch Release 9 B0213 (or later)
↓
v4.0 MR3 Patch Release 3 B0496 GA

After every upgrade, ensure that the build number and branch point match the image that was loaded.

[Network Interface Configuration] If a network interface has the ips-sniffer-mode option set to enable, and that interface is being used by a firewall policy, then after upgrading from FortiOS v4.0.0 or any subsequent patch to FortiOS v4.0 MR3 - Patch Release 3 the ips-sniffer-mode setting will be changed to disable.

[Traffic shaping] The unit of guaranteed-bandwidth, inbandwidth, outbandwidth and maximum-bandwidth of traffic shaping has been changed from kilo-bytes/sec to kilo-bits/sec after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[System Autoupdate Settings] The default values of config system autoupdate schedule will be changed from disable to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[DHCP Server] The name of a DHCP Server is replaced with an entry number. The “start-ip” and “end-ip” are changed to “config ip-range” under DHCP Server after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[DDNS] DDNS configuration under an interface is moved to global mode “config system ddns” after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[DNS Server] The “dns-query recursive/non-recursive” option under a specific interface is moved to the system level per VDom mode, and “config system dns-server” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Ping Server] “gwdetect” related configurations under a specific interface have been moved under router per VDom mode. “config router gwdetect” can be used to configure the option upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Central-management] “set auto-backup disable” and “set authorized-manager-only enable” configurations under “config system central-management” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[SNMP community] A 32-bit network mask will be added to the IP address of an SNMP host upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Modem Settings] “wireless-custom-vendor-id” and “wireless-custom-product-id” are moved from “config system modem” to “config system 3g-modem custom” upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[IPS DoS sensor log setting] The default log setting of an IPS DoS sensor is disable on FortiOS v4.0 MR3 - Patch Release 3. Whether the log setting of an IPS DoS sensor is disable or enable on FortiOS v4.1.9 or any subsequent patch, after upgrading to FortiOS v4.0 MR3 - Patch Release 3, the setting will be set to disable.

[IPS sensor log setting] The log setting of IPS sensors is enable by default on FortiOS v4.0 MR3 - Patch Release 3. If the log setting of an IPS sensor is disabled on FortiOS v4.1.9 or any subsequent patch, the value will be kept after upgrading to FortiOS v4.0 MR3 - Patch Release 3. If the log setting of an IPS sensor is enable or default on FortiOS v4.1.9 or any subsequent patch, the value will be changed to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[DLP Rule] A DLP rule with subprotocol setting set to sip simple sccp will be lost upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[Web Filter & Spam Filter] The names webfilter-status and spamfilter-status have been changed to webfilter-force-off and antispam-force-off. The default value is set to enable after upgrading to FortiOS v4.0 MR3 - Patch Release 3. To use web filter and spam filter, users have to disable the two entries by using the following CLI commands:

config system fortiguard
    set webfilter-force-off disable
    set antispam-force-off disable
end

[URL Filter] The “action” options in the urlfilter configuration have been changed from “Allow, Pass, Exempt, Block” to “Allow, Monitor, Exempt, Block”. Action “Allow” will not report a log in v4.3.1. The new action “Monitor” acts as allow with log reporting. Action “Pass” in v4.2 has been merged into “Exempt” in v4.3.1 and the CLI command has been changed from “set action pass” to “set exempt pass”.

[FortiGuard Log Filter] The settings of “config log fortiguard filter” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.

[FortiGuard Log Setting] The options “quotafull” and “use-hdd” in “config log fortiguard setting” are removed upon upgrading to FortiOS v4.0 MR3 - Patch Release 3.
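
Added example (not part of Fortinet's release notes): a Python pre-upgrade check that scans a saved configuration backup for a subset of the settings that sections 3.1 and 3.2 say are removed, moved or changed by the upgrade. It assumes the backup uses the CLI's config / edit / set / next / end layout; the sample configuration, its values and the section name holding the shaper entries are constructed.

```python
"""Pre-upgrade audit: flag settings the upgrade notes say will change (added example)."""

# Each rule: (section, key, value, note). None matches anything.
# Section and option names are the ones quoted in the upgrade notes above.
SHAPING_UNIT = "unit changes from kilo-bytes/sec to kilo-bits/sec"
MODEM_MOVE = "moves to 'config system 3g-modem custom'"
RULES = [
    ("system central-management", "auto-backup", "disable", "removed on upgrade"),
    ("system central-management", "authorized-manager-only", "enable", "removed on upgrade"),
    ("log fortiguard filter", None, None, "section removed on upgrade"),
    ("log fortiguard setting", "quotafull", None, "option removed on upgrade"),
    ("log fortiguard setting", "use-hdd", None, "option removed on upgrade"),
    ("system modem", "wireless-custom-vendor-id", None, MODEM_MOVE),
    ("system modem", "wireless-custom-product-id", None, MODEM_MOVE),
    ("system interface", "ips-sniffer-mode", "enable",
     "changed to disable if a firewall policy uses the interface"),
    (None, "guaranteed-bandwidth", None, SHAPING_UNIT),
    (None, "inbandwidth", None, SHAPING_UNIT),
    (None, "outbandwidth", None, SHAPING_UNIT),
    (None, "maximum-bandwidth", None, SHAPING_UNIT),
]

# Constructed sample backup. Values, and any section name not quoted in the
# release notes, are placeholders for illustration only.
SAMPLE_CONFIG = """\
#config-version=CONSTRUCTED-SAMPLE
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set ips-sniffer-mode enable
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
    next
end
config system central-management
    set auto-backup disable
    set authorized-manager-only enable
end
config system modem
    set wireless-custom-vendor-id 0x1234
end
config log fortiguard setting
    set status enable
    set quotafull overwrite
end
config firewall shaper traffic-shaper
    edit "voip"
        set guaranteed-bandwidth 512
        set maximum-bandwidth 1024
    next
end
"""


def iter_settings(text):
    """Yield (section, entry, key, value) for every 'set' line in the backup."""
    stack = []  # frames of ("config", name) or ("edit", name)
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        verb, rest = tokens[0], " ".join(tokens[1:])
        if verb == "config":
            stack.append(("config", rest))
        elif verb == "edit":
            stack.append(("edit", rest.strip('"')))
        elif verb == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif verb == "end":
            # Close the innermost config block and any unterminated edit in it.
            while stack and stack.pop()[0] != "config":
                pass
        elif verb == "set" and len(tokens) >= 2:
            section = next((n for k, n in reversed(stack) if k == "config"), "")
            entry = next((n for k, n in reversed(stack) if k == "edit"), None)
            yield section, entry, tokens[1], " ".join(tokens[2:]).strip('"')


def audit(text):
    """Return (location, setting, note) for each setting matched by a rule."""
    findings = []
    for section, entry, key, value in iter_settings(text):
        for r_section, r_key, r_value, note in RULES:
            if r_section is not None and r_section != section:
                continue
            if r_key is not None and r_key != key:
                continue
            if r_value is not None and r_value != value:
                continue
            where = section + (f" / {entry}" if entry else "")
            findings.append((where, f"{key} {value}".strip(), note))
    return findings


if __name__ == "__main__":
    for where, setting, note in audit(SAMPLE_CONFIG):
        print(f"{where}: {setting} -> {note}")
```

Running the check against the backup saved before the upgrade gives a list of settings to re-verify on the unit afterwards.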

4 Downgrading to FortiOS v4.0.0

Downgrading to FortiOS v4.0.0 GA (or later) results in configuration loss on ALL models. Only the following settings are retained:

• operation modes
• interface IP/management IP
• route static table
• DNS settings
• VDom parameters/settings
• admin user account
• session helpers
• system access profiles

5 Fortinet Product Integration and Support

5.1 FortiManager Support

FortiOS v4.0 MR3 - Patch Release 3 is supported by FortiManager v4.0 MR3.

5.2 FortiAnalyzer Support

FortiOS v4.0 MR3 is compatible with FortiAnalyzer devices running FortiAnalyzer v4.0 MR3.

If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function correctly with FortiOS v4.0 MR3.

5.3 FortiClient Support

FortiOS v4.0 MR3 - Patch Release 3 is fully compatible with FortiClient v4.0 MR2 Patch 3.

FortiOS v4.0 MR3 - Patch Release 3 is supported by FortiClient v4.0 MR3 for the following:

• 32-bit version of Microsoft Windows XP
• 32-bit version of Microsoft Windows Vista
• 64-bit version of Microsoft Windows Vista
• 32-bit version of Microsoft Windows 7
• 64-bit version of Microsoft Windows 7

5.4 FortiAP Support

FortiOS v4.0 MR3 - Patch Release 3 supports the following FortiAP models:

• FortiAP-210B
• FortiAP-220A
• FortiAP-220B
• FortiAP-222B

The FortiAP devices must be running FortiAP v4.0 MR3 and above.

5.5 Fortinet Single Sign On (FSSO) Support

FortiOS v4.0 MR3 - Patch Release 3 is supported by FSSO v4.3.0 B0108 for the following:

• 32-bit version of Microsoft Windows 2003 R2 Server
• 64-bit version of Microsoft Windows 2003 R2 Server
• 32-bit version of Microsoft Windows 2008 Server
• 64-bit version of Microsoft Windows 2008 Server
• 64-bit version of Microsoft Windows 2008 R2 Server
• Novell E-directory 8.8.

IPv6 currently is not supported by FSSO.

5.6 FortiExplorer Support

FortiOS v4.0 MR3 - Patch Release 3 is supported by FortiExplorer 1.3.1215.

5.7 AV Engine and IPS Engine Support

FortiOS v4.0 MR3 - Patch Release 3 is supported by AV Engine 4.00382 and IPS Engine 1.00241.

5.8 Module Support

FortiOS v4.0 MR3 - Patch Release 3 supports AMC removable modules. These modules are not hot swappable. The FortiGate must be turned off before the module is inserted or removed.

AMC Modules: FortiGate Support

Internal Hard Drive (ASM-S08): FGT-310B, FGT-620B, FGT-621B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

Internal Hard Drive (FSM-064): FGT-200B, FGT-311B, FGT-1240B, FGT-3040B, FGT-3140B, FGT-3951B

Single Width 4-port 1Gbps Ethernet interface (ASM-FB4): FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

Dual Width 2-port 10Gbps Ethernet interface (ADM-XB2): FGT-3810A, FGT-5001A-DW

Dual Width 8-port 1Gbps Ethernet interface (ADM-FB8): FGT-3810A, FGT-5001A-DW

Single Width 2-port Fiber 1Gbps bypass interface (ASM-FX2): FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

Single Width 4-port Ethernet bypass interface (ASM-CX4): FGT-310B, FGT-311B, FGT-620B, FGT-621B, FGT-1240B, FGT-3016B, FGT-3600A, FGT-3810A, FGT-5001A-SW

AMC Security Processing Engine Module (ASM-CE4): FGT-1240B, FGT-3810A, FGT-3016B, FGT-5001A-SW

AMC Security Processing Engine Module (ADM-XE2): FGT-3810A, FGT-5001A-DW

AMC Security Processing Engine Module (ADM-XD4): FGT-3810A, FGT-5001A-DW

AMC Security Processing Engine Module (ADM-FE8): FGT-3810A

Rear Transition Module (RTM-XD2): FGT-5001A-DW

Four Port T1/E1 WAN Security Processing Module (ASM-ET4): FGT-310B, FGT-311B

Rear Transition Module (RTM-XB2): FGT-5001A-DW

Fortinet Mezzanine Card (FMC-XG2): FGT-3950B, FGT-3951B

Fortinet Mezzanine Card (FMC-XD2): FGT-3950B, FGT-3951B

Fortinet Mezzanine Card (FMC-F20): FGT-3950B, FGT-3951B

Fortinet Mezzanine Card (FMC-C20): FGT-3950B, FGT-3951B

5.9 SSL-VPN Support

5.9.1 SSL-VPN Standalone Client

FortiOS v4.0 MR3 - Patch Release 3 supports the SSL-VPN tunnel client standalone installer B2148 for the following:

• Windows in .exe and .msi format
• Linux in .tar.gz format
• Mac OS X in .dmg format
• Virtual Desktop in .jar format for Windows 7, XP, and Vista

The following Operating Systems are supported.

Windows: Windows XP 32-bit SP2, Windows XP 64-bit SP1, Windows Vista 32-bit SP1, Windows Vista 64-bit SP1, Windows 7 32-bit, Windows 7 64-bit

Linux: CentOS 5.2 (2.6.18-el5), Ubuntu 8.0.4 (2.6.24-23)

Mac OS X: Leopard 10.6.3

Virtual Desktop Support: Windows XP 32-bit SP2, Windows Vista 32-bit SP1, Windows 7 32-bit

5.9.2 SSL-VPN Web Mode

The following browsers and operating systems are supported by SSL-VPN web mode.

Operating System: Browser

Windows XP 32-bit SP2: IE7, IE8, IE9 and FF 3.6
Windows XP 64-bit SP1: IE7, IE9 and FF 3.6
Windows Vista 32-bit SP1: IE7, IE8, IE9 and FF 3.6
Windows Vista 64-bit SP1: IE7, IE9 and FF 3.6
Windows 7 32-bit: IE8, IE9 and FF 3.6
Windows 7 64-bit: IE8, IE9 and FF 3.6
CentOS 5.2 (2.6.18-el5): FF 1.5 and FF 3.0
Ubuntu 8.0.4 (2.6.24-23): FF 3.0
Mac OS X Leopard 10.5: Safari 4.1

5.10 SSL-VPN Host Compatibility List

The following Antivirus and Firewall client software packages are supported.

Windows XP

Symantec Endpoint Protection v11: Antivirus √, Firewall √
Kaspersky Antivirus 2009: Antivirus √, Firewall ✗
McAfee Security Center v8.1: Antivirus √, Firewall √
Trend Micro Internet Security Pro: Antivirus √, Firewall √
F-Secure Internet Security 2009: Antivirus √, Firewall √

Windows 7 (32bit)

CA Internet Security Suite Plus Software: Antivirus √, Firewall √
AVG Internet Security 2011: Antivirus ✗, Firewall ✗
F-Secure Internet Security 2011: Antivirus √, Firewall √
Kaspersky Internet Security 2011: Antivirus √, Firewall √
McAfee Internet Security 2011: Antivirus √, Firewall √
Norton 360™ Version 4.0: Antivirus √, Firewall √
Norton™ Internet Security 2011: Antivirus √, Firewall √
Panda Internet Security 2011: Antivirus √, Firewall √
Sophos Security Suite: Antivirus √, Firewall √
Trend Micro Titanium Internet Security: Antivirus √, Firewall √
ZoneAlarm Security Suite: Antivirus √, Firewall √
Symantec Endpoint Protection Small Business Edition 12.0: Antivirus √, Firewall √

Windows 7 (64bit)

CA Internet Security Suite Plus Software: Antivirus √, Firewall √
AVG Internet Security 2011: Antivirus ✗, Firewall ✗
F-Secure Internet Security 2011: Antivirus √, Firewall √
Kaspersky Internet Security 2011: Antivirus √, Firewall √
McAfee Internet Security 2011: Antivirus √, Firewall √
Norton 360™ Version 4.0: Antivirus √, Firewall √
Norton™ Internet Security 2011: Antivirus √, Firewall √
Panda Internet Security 2011: Antivirus √, Firewall √
Sophos Security Suite: Antivirus √, Firewall √
Trend Micro Titanium Internet Security: Antivirus √, Firewall √
ZoneAlarm Security Suite: Antivirus √, Firewall √
Symantec Endpoint Protection Small Business Edition 12.0: Antivirus √, Firewall √

5.11 Explicit Web Proxy Browser Support

The following browsers are supported by the Explicit Web Proxy feature.

Supported Browser

Internet Explorer 7
Internet Explorer 8
FireFox 3.x

6 Resolved Issues in FortiOS v4.0 MR3 - Patch Release 3

The resolved issues listed below do not include every bug that has been corrected with this release. For inquiries about a particular bug, contact Customer Support.

6.1 Command Line Interface (CLI)

Description: CLI command “show” might not work when an administrator was associated with a customized profile.
Bug ID: 151975
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Users might fail to register/unregister a FortiGate device from FortiManager via CLI after upgrade.
Bug ID: 154113, 154494
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.2 Web User Interface

Description: Administrator was forced to log out when a disabled VDom was selected.
Bug ID: 138568
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Users may fail to create an FSSO group when IE9 was used.
Bug ID: 153005
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A VLAN interface might disappear on the Web UI when it was chosen to be the HA management interface.
Bug ID: 152064
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Option wildcard was set by default when a firewall address was configured incorrectly.
Bug ID: 152396
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A read-only administrator might not be associated with its privileges correctly via Web UI.
Bug ID: 151194
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.3 System

Description: All settings on the web page under system->Admin->Settings on Web UI were reset when FortiGate was registered to FortiManager or when FortiGate was unregistered from FortiManager.
Bug ID: 153007
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Logs may not be sent to the Syslog server when the server is configured with an IPv6 address.
Bug ID: 148199
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A change in firewall policy might take one or two seconds to take effect when thousands of firewall policies have been set up.
Bug ID: 152401, 152822
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: FortiGuard Web Filter might be inactive for several milliseconds when a firewall policy was changed. Bug ID: 144971Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Improvements on debugging broadcast flow.Bug ID: 152397, 152398Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Management session shall be kept when run CLI command “diagnose sys session clear”.Bug ID: 149957Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Redundant modem might not work when its monitor interface had never been connected.Bug ID: 152709Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Framed-IP entries might still exist when massive dial-up IPSec tunnels were disconnected.Bug ID: 152090Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: 1G speed option might be missing when “npu-cascade-cluster” was enabled on FGT-3140B.Model Affected: FortiGate-3140BBug ID: 153552Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A NPU interface might not be changed to another VDom when NPU fastpath was disabled.Model Affected: FortiGate models that support NPU interfacesBug ID: 153200Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Some of multiple simultaneous administrative logins might fail and might prevent CLI commands from executing. Bug ID: 150826Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Increase table size for DNS server. Bug ID: 152735Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Fix on high memory usage issue caused by SSL proxy daemon and DLP archive daemon. Bug ID: 149497, 150744Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: SSL proxy may catch SMTP TLS connections even when SMTPS was disabled in anti-virus settings. Bug ID: 153146Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Fix on CPU spike issue when anti-virus and IPS are enabled simultaneous on FortiGate-3140B.Model Affected: FortiGate-3140BBug ID: 154832Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: The status of an aggregate port should reflect the status of negotiation rather than the status of the physical links.
Bug ID: 153346
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.4 High Availability

Description: DHCP leases on a VAP interface are not synchronized between HA members.
Bug ID: 153171
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Uninterrupted upgrade might fail when the dynamic profile option was used and the system was running FOC firmware.
Bug ID: 153972
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: ha-mgmt-interface-gateway might stop working when the speed setting was changed on the management interface.
Bug ID: 154729
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.5 Router

Description: When handled by the same NPU, traffic passing from a VLAN interface to a physical interface might be stopped when the route falls back from the backup link to the primary link in the BGP routing table.
Model Affected: FortiGate models that support NPU interfaces
Bug ID: 150444
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: BGP sessions were dropped randomly when a new HA member joined a cluster that had hundreds of VDoms.
Bug ID: 152947
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.6 Firewall Policy

Description: Sessions initiated from a VIP server might be dropped when the strict-dirty-session option was enabled.
Bug ID: 153843, 153151
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A connection request to a Load Balance server might be dropped prematurely when a 100-continue response was sent by the server.
Bug ID: 154867
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.7 Antivirus

Description: Virus-affected files might not be blocked completely when files were uploaded with SilverLight.
Bug ID: 134799
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A client might fail to log in to an FTP server with its VIP via the FTPS protocol when the anti-virus scanning option was on.
Bug ID: 137058
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.8 Web Filter

Description: Users might fail to create a new local category via Web UI until at least one local category had been created via CLI.
Bug ID: 153196
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.9 Instant Message

Description: Instant messages might be blocked by the IPS engine accidentally and might not be logged properly by the IMD daemon.
Bug ID: 144194, 144695
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.10 Voice Over IP (VoIP)

Description: SIP proxy might not translate the maddr parameter correctly in the contact header.
Bug ID: 137058
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.11 WAN Optimization

Description: The wad daemon kept crashing when the SSL option was enabled and a client tried to access a server using HTTPS.
Bug ID: 151100
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Traffic was not properly NATed when the WCCP server was unreachable.
Bug ID: 151776
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Some web sites might not be accessible when IE8 or IE9 was used and Web Cache was enabled.
Model Affected: FortiGate-200B and FortiGate-80C series models
Bug ID: 153725
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A user may be redirected to a wrong web site by Web Cache after a web site was accessed with its IP address.
Bug ID: 151594
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.12 VPN

Description: Multiple fixes for difficulties accessing certain web sites via SSL VPN.
Bug ID: 149489, 141231, 142302, 154310
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: IKE v2 SA might not work with RSA certificates.
Bug ID: 154084
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Support more than 14,000 concurrent SSL VPN tunnels.
Bug ID: 148546
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: A CRL update might restart the SSL VPN daemon, resetting all SSL VPN tunnels.
Bug ID: 150059
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Multiple fixes for the SSL VPN portal in Asian languages.
Bug ID: 154642, 154646
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.13 WiFi

Description: Fix and improvements to WiFi configurations.
Bug ID: 152734
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.14 Log & Report

Description: System performance cannot be preserved when a log query is conducted on a large database.
Bug ID: 151084
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: An anonymous user may be logged in event logs when the explicit web-proxy was enabled.
Bug ID: 148180
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Some special characters in UTF-8 might not be displayed correctly in Email archive.
Bug ID: 140300
Status: Fixed in v4.0 MR3 - Patch Release 3.

Description: Alert emails might not be sent to a mail server with an IPv6 address.
Bug ID: 140300
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.15 GTP&Dynamic Profile

Description: Authentication and warning override might not work when the web filter option was not enabled on the firewall policy.
Bug ID: 154182
Status: Fixed in v4.0 MR3 - Patch Release 3.

6.16 Vulnerability

Description: Fix for Clickjack possibility on TCP port 10443.
Bug ID: 147966
Status: Fixed in v4.0 MR3 - Patch Release 3.

7 Known Issues in FortiOS v4.0 MR3 - Patch Release 3

This section lists the known issues of this release, but is NOT a complete list. For inquiries about a particular bug not listed here, contact Customer Support.

7.1 Web UI

Description: The web page froze when a user tried to run a PDF report in IE9.
Bug ID: 156208
Status: To be fixed in a future release.

Description: Charts might display the wrong number of bars and the number of bars cannot be set under the “UTM Profiles-->Monitor-->Application Monitor” page.
Bug ID: 156210
Status: To be fixed in a future release.

Description: Accessible network option may not be configured when the Split-Tunnel option is enabled under the “VPN-->IPsec-->Create FortiClient VPN” page.
Bug ID: 156318
Status: To be fixed in a future release.

7.2 WiFi

Description: Express-card modem "Novatel Merlin X950D" cannot be detected.
Model Affected: FWF-60CM
Bug ID: 152926
Status: To be fixed in a future release.

Description: AES and TKIP cannot be active at the same time on FWF-80CM and FWF-81CM.
Model Affected: FWF-80CM, FWF-81CM
Bug ID: 152526
Status: To be fixed in a future release.

8 Image Checksums

The MD5 checksums for the firmware images are available at the Fortinet Customer Support website (https://support.fortinet.com). After login, click on the "Firmware Images Checksum Code" link in the left frame.

(End of Release Notes.)

November 10, 2011