
FortiGate Multi-Threat Security System

Release Notes FortiOS v2.80 MR12 Rev. 1.0

April 28, 2006

Fortinet Inc.

Release Notes: FortiOS v2.80 MR12

Table of Contents

1 FortiOS v2.80 Maintenance Release 12 .... 1
2 Upgrade Information .... 2
  2.1 General .... 2
  2.2 AV Signature Changes .... 2
  2.3 Special Notices .... 2
  2.4 Upgrading from FortiOS v2.50 .... 4
  2.5 Upgrading from FortiOS v2.80 .... 6
  2.6 Downgrade Notice .... 7
  2.7 FortiManager System Support .... 7
3 FortiOS v2.80 Features .... 8
  3.1 System .... 8
    3.1.1 Role Based Administration .... 8
    3.1.2 Configuration File Backup Improvements .... 8
    3.1.3 Redesigned WebUI .... 8
    3.1.4 Redesigned CLI .... 9
    3.1.5 Dynamic DNS Support .... 9
    3.1.6 Multiple Secondary IP Addresses Per Interface .... 9
    3.1.7 IPv6 Traffic Forwarding .... 9
    3.1.8 ADSL (PPPoE) Connection Idle Timeout Support .... 10
    3.1.9 PPPoE and DHCP Relay Support .... 10
    3.1.10 Virtual Domain Support in NAT and Transparent Modes .... 10
    3.1.11 Improved "out-of-the-box" Usability for SOHO Models .... 10
    3.1.12 Support Extended and Non-Latin1 (ISO 8859-1) Characters .... 11
    3.1.13 User Field Improvements .... 11
    3.1.14 One-Button Transmission of FortiGate System Info For Troubleshooting .... 11
    3.1.15 IEEE 802.11 WLAN Client Mode Supported .... 11
    3.1.16 Alert Email Address Length .... 11
    3.1.17 Console Paging Mode .... 11
    3.1.18 LCD .... 11
    3.1.19 Compressed Configuration Back-up Files .... 12
    3.1.20 AV/NIDS Updates .... 12
    3.1.21 Internal Modem Support for FortiGate-60M .... 12
    3.1.22 Bug Reporting .... 12
    3.1.23 Alert Message Console .... 13
    3.1.24 Forwarding Domains .... 13
  3.2 High Availability .... 13
    3.2.1 Non-dedicated HA Port .... 13
    3.2.2 Link Fail-over .... 13
    3.2.3 Firmware Upgrade and Configuration Upload .... 13
    3.2.4 HA Link Security .... 13
    3.2.5 Support for FortiGate-60/100/200 and FortiWiFi-60 Models .... 13
    3.2.6 HA Active-Active Mode Now Can Load Balance Non-AV Traffic .... 14
    3.2.7 HA Synchronization Status .... 14
  3.3 Router .... 14
    3.3.1 Policy Route WebUI .... 14
    3.3.2 Routing Monitor .... 14
    3.3.3 Enhanced RIP Routing Protocol Support .... 14
    3.3.4 OSPF Routing Protocol Support .... 14
  3.4 Firewall .... 15
    3.4.1 Protection Profile .... 15
    3.4.2 Improved Custom TCP/IP Support and Pre-defined Services .... 15
    3.4.3 Increased Maximum Number of Policy Routes on High-end Models .... 15
    3.4.4 IP Address Ranges .... 15
    3.4.5 Multiple IP Pools .... 15
    3.4.6 DiffServ Settings .... 16
    3.4.7 Static NAT (SNAT) Port Floating .... 16
    3.4.8 SIP Support .... 16
  3.5 FortiGuard Antivirus .... 16
    3.5.1 Heuristic Virus Detection .... 16
    3.5.2 Grayware Protection .... 16
    3.5.3 Submit Quarantined Virus Sample to Fortinet .... 16
    3.5.4 HTML Link for Scanned Virus Detection .... 16
    3.5.5 Append Customized Text to Email Messages .... 17
    3.5.6 PPTP and L2TP AV Scanning .... 17
    3.5.7 High-end Models AV Optimize Command .... 17
    3.5.8 Antivirus Scan Support for ARJ Compression Format .... 17
    3.5.9 File Uncompression Maximum for AV Scanning .... 17
    3.5.10 Windows Control Panel Extensions Support .... 17
    3.5.11 FortiGuard Antivirus and FortiGuard Intrusion Protection .... 17
  3.6 VPN .... 18
    3.6.1 IPSec Tunnel Support in Transparent Mode .... 18
    3.6.2 DHCP Support Over IPSec .... 18
    3.6.3 User Authentication via RSA SecurID™ .... 18
    3.6.4 IP Address Range Support in IPSec Firewall Policies .... 18
    3.6.5 Overlapping Address Support .... 18
    3.6.6 Central Site Internet Access .... 18
    3.6.7 IPSec Dynamic DNS Support .... 19
    3.6.8 Policy Selector in IPSec Phase2 .... 19
    3.6.9 Site-to-Site/Dialup Tunnels .... 19
  3.7 Spam Filter .... 19
    3.7.1 Content Filtering .... 19
    3.7.2 FortiGuard AntiSpam Service .... 20
  3.8 IPS Functionality .... 20
    3.8.1 Dynamic Threat Prevention System .... 20
    3.8.2 IPS Signature Autoupdate .... 20
  3.9 Web Content Filtering .... 21
  3.10 Log & Reporting .... 21
4 MR12 Release Issues .... 23
  4.1 Resolved Issues in FortiOS v2.80 MR12 .... 23
    4.1.1 HA .... 23
    4.1.2 VPN .... 23
    4.1.3 System .... 23
  4.2 Resolved Issues in FortiOS v2.80 MR11 and Earlier .... 24
    4.2.1 System .... 24
    4.2.2 WebUI .... 25
    4.2.3 HA .... 26
    4.2.4 Router .... 26
    4.2.5 Firewall .... 27
    4.2.6 FortiGuard .... 28
    4.2.7 VPN .... 28
    4.2.8 IPS .... 29
    4.2.9 Logging & Reporting .... 29
    4.2.10 FortiGuard AntiSpam .... 30
    4.2.11 Antivirus .... 30
5 Known Issues in FortiOS v2.80 MR12 .... 31
  5.1 HA .... 31
  5.2 IPS .... 31
  5.3 VPN .... 32
  5.4 System .... 32
  5.5 Router .... 32
  5.6 Antivirus .... 32
6 Image MD5 Checksums .... 34

Change Log
Rev. 1.0 - Initial Release.

Copyright 2006 Fortinet Inc. All rights reserved.

Fortinet Customer Support Contacts: Please refer to http://support.fortinet.com


1 FortiOS v2.80 Maintenance Release 12


This document outlines the features of the FortiOS v2.80 Maintenance Release 12 (B514) firmware for the FortiGate Multi-Threat Security System. MR12 is a bug-fix-only release.


2 Upgrade Information
2.1 General
FortiOS v2.80 MR12 supports all FortiGate models except the FortiGate-50. For the high-end models, FortiGate-3000 and higher, there are specific images to support different Virtual Domain (VDom) maximums. Save a copy of your FortiGate unit configuration (including replacement messages and content filtering lists) prior to upgrading.

Note: The TFTP upgrade erases all current firewall configuration and replaces it with the Factory Default settings.

IMPORTANT! WebUI display: After any version upgrade, if you are using the GUI, clear the browser cache before logging in to the FortiGate unit to ensure proper display of the GUI screens.

Update the AV/NIDS definitions: The AV/NIDS signatures included with an image upgrade may be older than those currently available from FortiGuard. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. (Consult the FortiGate User Guide for detailed procedures.)

2.2 AV Signature Changes


The following default actions have been changed in NIDS signatures newer than version 2.214:

icmp_flood (clear_session => disable)
ping_death (drop => disable)
large_icmp (none => disable)
udp_flood (drop_session => disable)

2.3 Special Notices

Fortinet Subscription Based Services Name Change


Fortinet has changed the names of all its subscription based services. The new names are as follows:

FortiGuard - Antivirus
FortiGuard - Intrusion Protection
FortiGuard - AntiSpam
FortiGuard - Web Filtering

Clock Configuration
The system daylight savings mode must be configured before the timezone and current time are set. This is required because the correct time, as set by the user, depends on both the timezone and the daylight savings mode.

Daylight Savings Time


Prior to FortiOS v2.80 MR9 B393, when the firewall adjusted its clock for daylight savings, the update daemon would restart continually, which prevented the firewall from receiving antivirus and IPS updates. The workaround is to disable the daylight savings time option (System > Config > Time). To compensate for the one hour difference, either adjust the clock manually or, if you are using NTP, select a time zone one hour ahead of yours. For example, if your time zone is GMT-8:00, select GMT-7:00. FortiOS v2.80 MR9 B393 and all future MRs resolve this problem.


H.323 Support FastStart


FastStart/H.245 Tunneling and Microsoft NetMeeting is supported in FortiOS v2.80 MR12.

SMTP Splice
Starting in FortiOS v2.80 MR10, the ability to disable SMTP splice is supported when AV scanning is enabled. SMTP splice is enabled by default when AV scanning is enabled in the firewall policy, but can be turned off through the CLI. Administrators must choose between AV scanning and spam filter tagging of SMTP traffic, since the AV splice operation precludes tagging an email message with a spam subject-line tag. (Splice means that the FortiGate Antivirus Firewall sends part of the message or file to the destination address while it performs AV scanning.)

FTP Splice
FTP splice now can be disabled or enabled.

Configuration Reset Message During Upgrade in WebUI


When upgrading from a FortiOS v2.50 image to a FortiOS v2.80 pre-MR5 release to MR11 from the WebUI, a message is displayed "The system configuration will be set to default. All the original configuraiton will be lost...". This message is incorrect and clicking "OK" will NOT erase the current configuration. Previous versions of FortiOS do not handle the embedded RSA signature in the MR9 image and cause the display of this message.

"File too big" Error During Upgrade


When upgrading from v2.80 MR3, if a "File too big" error message is displayed, reboot the FortiGate firewall and attempt the upgrade again. The reboot will clear the internal RAM disk of the temporary files that may be blocking the upgrade procedure. If the condition persists, then backup all configuration files and use the flash memory reformat function from the console boot-up menu.

Compressed Configuration Back-up File


The entire FortiGate configuration settings in MR5 and later are stored in a compressed format (zip file) when clicking on the "Maintenance > Backup & Restore > All Configuration Files" from the WebUI.

Content Log Access


Access to the Content Log messages (HTTP, FTP, SMTP, POP3, IMAP content) is now configured through the Firewall > Protection Profile settings, and the messages are only available through the FortiLog System settings. The IP address of a FortiLog System unit or a syslog unit can be configured to receive the Content Log messages. Content Log messages are no longer available from the WebUI Log&Report > Log Access screen.

Virtual Domains with Zones in Transparent Mode


Contact Fortinet Customer Support for assistance before upgrading to FortiOS v2.80 if your FortiGate configuration uses more than 10 Virtual Domains with Zones in Transparent mode operation, otherwise loss of configuration settings will result.

Cerberian Web Filter Users


Cerberian Web Filter functionality was removed in FortiOS v2.80 MR3 and no longer is supported. This functionality is now provided by the FortiGuard Web Filtering Service. Current Cerberian license holders are eligible for a free upgrade to the FortiGuard Web Filtering Service and should contact their local Fortinet Sales representative.

AV Oversize File/Email Handling


Antivirus scanning of oversize files or email messages (>10 MB or greater than 10% of system memory) requires temporary buffering to the internal hard disk (on supported models). This function has been disabled and will no longer be supported. Any files larger than the allowable AV scan memory limit will be handled as indicated by the Protection Profile "Oversize file" setting. Ensure that all Protection Profiles have the AV Buffer-to-Disk option disabled prior to upgrading from pre-MR4 versions. Failure to do so will result in all AV scanning options disabled in all Protection Profiles after the upgrade.

Static Route Priority



Each static route entered in the firewall has an index, whether entered through the GUI or through the CLI. The index is used as the priority of the static route: a lower index value has a higher preference. Changes that affect the priority of identical static routes are made through the CLI.

Restoring System configurations via the "System Configuration" backup file


The "System configuration" file created via "Maintenance > Backup & Restore > System Configuration" does not store "CA Certificates", "SpamFilter" and "Webfilter" settings. Users that wish to backup and restore FortiGate firewall configuration settings using this file are asked to first backup the "CA Certificates", "SpamFilter" and "WebFilter" configuration settings before upgrading to a newer version of FortiOS. After upgrading, please restore each configuration file before restoring the "System configuration" file.

Log Policies
The Log policy "Local" and "Console" setting found in FortiOS v2.50 is not supported in FortiOS v2.80.

FortiGate FortiBoost Blade Naming Change


FortiGate firewall blades previously known as "FortiBoost" are now known as "FG5002FB2". All CLI and GUI elements now reflect the name change.

Note:
Image names that begin with "FGT_BOOST" are for the "FG5002FB2" blades.
Image names that begin with "FGT_5000" are for the "FG5001" blades.

File Blocking
File blocking is not supported for file names encoded in the following character sets:

X-SJIF for Japanese characters
GB231 for Simplified Chinese characters
BIG5 for Traditional Chinese characters
EUC-KR for Korean characters

Replacement Messages
Filenames that contain the following character sets are renamed to question marks in the replacement message:

X-SJIF for Japanese characters
GB231 for Simplified Chinese characters
BIG5 for Traditional Chinese characters
EUC-KR for Korean characters

Valid User Defined Banned Word Characters


Only the following characters are allowed when specifying banned words of the wildcard type: a-z A-Z 0-9 \ ^ $ . [ ] | ( ) { } + ? *
If you want to use other characters in a banned word, use the regular expression type instead.

Replacement Message Size Changes


Replacement message sizes have been increased from 1024 bytes to 4096 bytes in FortiOS v2.80 MR11.

2.4 Upgrading from FortiOS v2.50


For FortiGate units currently on FortiOS v2.50, upgrade to at least v2.50 MR10 prior to upgrading to v2.80 MR11. The following are additional caveats when upgrading from FortiOS v2.50.


Configuration File
FortiOS v2.50 CLI commands are incompatible with the FortiOS v2.80 CLI commands. Attempts to restore a configuration file from FortiOS v2.50 will fail. The existing configuration on a unit running v2.50 will be upgraded to the new v2.80 syntax automatically during the upgrade process.

Admin Password
The "admin" password and passwords for other administrator users are now preserved when upgrading from v2.50.

Secondary IP Addresses
The secondary IP address settings assigned to interfaces are now retained upon upgrade to v2.80 MR5. Previous v2.80 MR releases did not keep the secondary IP addresses. (Bug ID 16211 now resolved.)

HDD Reformat
If your model has a hard disk, back-up the log files then run "exec formatlogdisk" from the CLI or accept the pop-up window prompt in the WebUI after the first login. Note that this operation will erase any existing log files on the hard disk, requires several minutes to complete, and involves a system reboot. Backup the log files before executing this command and choose a low traffic period since there is a brief interruption while the unit reboots.

Firewall Custom Services


In FortiOS v2.80, the Custom Service definition can only be a single contiguous range of source or destination ports. Multiple individual ports or ranges are no longer supported. Any such Custom Service definitions must be converted to individual ranges and then combined into a Service Group. When upgrading to v2.80 MR6 or later, Custom Service definitions that use multiple port ranges will be converted to new Custom Service definitions of discrete ranges. The administrator must then manually create a new Service Group comprised of the converted Custom Service definitions.

IPSec Phase1 Local ID Format


An FQDN email address used as the "Local ID" for a dialup VPN is now accepted when upgrading to v2.80 MR5 or later. (It was removed during the upgrade to v2.80 MR4 and earlier, while the rest of the Phase1 configuration was retained, so the value had to be re-entered manually through the WebUI or CLI.) (Bug ID 16212 is now resolved.)

Transparent Mode Virtual Domains


Only 10 Virtual Domains in Transparent mode are allowed in the standard FortiOS v2.80 images. Any VDoms configured after the first ten in the configuration file are deleted when upgrading to v2.80. Only FortiGate-3000 and higher models can support more than 10 VDoms, and this is a licensed feature.

Web and Email Content Block List Files


The formats of the web and email content block list files (e.g. banword.dat) have changed in v2.80 and therefore, a v2.50 list file cannot be uploaded into v2.80. Existing block list entries in the FortiGate unit at the time of upgrade will be converted. Contact Fortinet Customer Support for help with upgrading web and email content block list files.

HA Cluster Upgrade
To upgrade a High Availability cluster from a FortiOS v2.50 version, each cluster member must be upgraded while the unit is off-line and disconnected from the HA Cluster. While disconnected from the HA cluster, the HA-monitored interfaces of the unit must be connected to a hub or switch to prevent a "linkfail" state which will prevent login to the unit.

CLI command hierarchy


In FortiOS v2.80 the CLI commands are now hierarchical. In general, a configuration area must be specified first (e.g. config system interface), then an item (e.g. edit port1) before a set or unset command can be issued. A CLI prompt or a command followed by <TAB> cycles through the possible options; '? <ENTER>' displays a list of all possible options.


CLI "set" command behaviour


The CLI "set" behaviour has changed in FortiOS v2.80. In v2.80, for a given "set" command, all of the parameters to be modified or enabled must be entered on the same line. This differs from FortiOS v2.50, which allowed separate "set" lines to be additive in constructing the command parameters. For example, in the v2.80 interface configuration, "set allowaccess http" followed by "set allowaccess telnet" results in only TELNET being enabled on the interface.
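As an added illustration (not taken from these release notes) of the hierarchical CLI described under "CLI command hierarchy" and of the non-additive "set" behaviour above, the following session uses the interface name port1 from the text; lines beginning with # are annotations, not commands:

```fortios
# Added example, not from the release notes. "port1" is assumed to exist.

# v2.50 habit carried into v2.80: two separate "set" lines.
# In v2.80 the second line REPLACES the first, so port1 ends up with
# only TELNET administrative access; HTTP is silently dropped.
config system interface
    edit port1
        set allowaccess http
        set allowaccess telnet
    end

# v2.80 form: every value the setting must hold goes on ONE "set" line.
# This leaves port1 with both HTTP and TELNET access, as intended.
config system interface
    edit port1
        set allowaccess http telnet
    end
```

After an upgrade, review any scripts or pasted configuration fragments that rely on repeated "set" lines, since each later line overwrites the earlier one rather than adding to it.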

VLAN Configurations
VLAN configurations are not retained when upgrading from FortiOS v2.50. Please manually update each value as per the settings in FortiOS v2.50 after the upgrade.

Custom Firewall Service Protocol Configurations


Custom Firewall Service Protocol Configurations are not retained when upgrading from FortiOS v2.50. Please manually update each value as per settings in FortiOS v2.50 after the upgrade.

EmailFilter Subject Tags


Custom EmailFilter subject tags are not retained when upgrading from FortiOS v2.50. Please manually update each value as per settings in FortiOS v2.50 after the upgrade.

Custom Interface DHCP Server Settings


Custom Interface DHCP server "dhcp-server mode" settings are not retained when upgrading from FortiOS v2.50 MR11 to FortiOS v2.80 MR11. Please manually update each value as per settings in FortiOS v2.50 MR11 after the upgrade.

2.5 Upgrading from FortiOS v2.80


For FortiGate units already on FortiOS v2.80, upgrade to at least v2.80 MR5 prior to upgrading to v2.80 MR11. The following are additional caveats when upgrading from a previous FortiOS v2.80 build.

Protection Profiles and AV Buffer-to-Disk


Ensure that all Protection Profiles have the AV Buffer-to-Disk option disabled prior to upgrading from a pre-MR4 version. Failure to do so will result in all AV scanning options being disabled in all Protection Profiles after the upgrade.

Spam Filter Lists


The Spam Filter List format was changed in v2.80 MR3 and restoring any old format lists will fail. Contact Customer Support for assistance in converting pre-MR4 lists. Existing lists in the FortiGate configuration are converted as part of the firmware upgrade process.

User Domain and Firewall Policies


The User Domain function (MR2 and earlier) has been removed from MR3 and later releases. Any firewall policies that use User Domain will be deleted from the configuration when upgrading to v2.80 MR3. The User Domain function has been replaced by an expanded User Group function that allows a User Group to be associated with a Protection Profile. See the Enhancements Section for further details.

HA Cluster Upgrade
To upgrade a High Availability Cluster from a previous FortiOS v2.80 version, only the Master unit needs to be upgraded if the current version is FortiOS v2.80. The Slave units will be automatically upgraded by the Master unit.


IPSec Phase1 Peer ID Configuration Reset


When upgrading from MR7, the IPSec Phase1 Peer ID configuration is reset to "accept any peer ID". This is caused by MR7 saving the Peer ID setting incorrectly in the configuration held in non-volatile memory. MR9 correctly saves the Peer ID settings.

Web Pattern Block Entries with Special Character


When upgrading from MR6 or earlier, web pattern block entries that use certain special characters are removed from the configuration. The affected special characters are: < > ( ) # " '. This issue has been fixed.

Static NAT VIPs


In MR9, newly added static NAT VIPs do not work unless the configuration is rewritten prior to using it. For example:

1. Configure the static NAT VIP.
2. Add it to a firewall policy.
3. Re-apply any existing setting in the current configuration, such as a firewall address.

If step 3 is skipped, the static NAT VIP will not work. Existing VIPs prior to upgrade are not affected.

2.6 Downgrade Notice


In order to downgrade to v2.50 or an earlier version of v2.80, it is necessary to first reformat the hard drive for FortiGate models 200 and above. The special hard drive formatting image must be loaded using the Boot ROM TFTP reload procedure. Contact Customer Support for obtaining reformatting images and instructions. NOTE: All configuration settings are lost and set to factory defaults when a downgrade is performed (TFTP reload or WebUI downgrade).

2.7 FortiManager System Support


FortiOS v2.80 MR11 will be supported in FortiManager v3.00 GA. Attempts to use earlier FortiManager versions to control and configure FortiGate units running FortiOS v2.80 MR11 may result in unpredictable behaviour or configuration errors.


3 FortiOS v2.80 Features


A short summary of the features in FortiOS v2.80 appears below. Refer to the FortiOS v2.80 User and Reference Guides for further information.

3.1 System
3.1.1 Role Based Administration
Description: Prior to FortiOS v2.80, multiple system administrators could be created per FortiGate unit, with each assigned different access rights from read-only to read/write. FortiOS v2.80 adds more granularity by extending the access rights from the system level to the object level. With FortiOS v2.80, the following objects within a FortiGate unit can be configured for each system administrator as "Not Accessible", "Read Only", or "Read/Write":

- Device status
- Log and report
- Device configuration
- Users
- Security Policy
- Administrator

This permits the definition of multiple administrator users with varying read and write capabilities based on administrator profiles. For example, a Cryptographic Officer may be assigned an administration user profile with read/write capabilities only for the VPN area of the firewall. Administrators have access to all of the virtual domains on the FortiGate unit. Administrators logging into the CLI or web-based manager always log into the root domain and then must enter the virtual domain that they want to administer.

3.1.2 Configuration File Backup Improvements

Description: FortiOS v2.80 provides a consolidated backup function, enabling backup of the system configuration, content filtering URL list, content filtering key words, content filtering exempt list, email filtering black and white lists and key words, and NIDS/IDP settings, in a single place on the WebUI.

Description: DHCP server leases are now backed up whenever the system restarts (e.g. reboot, shutdown, reload, mode change, or upgrade). This preserves the dynamic IP assignments when the FortiGate unit is acting as a DHCP server.

3.1.3 Redesigned WebUI

Description: The WebUI has been redesigned extensively for improved usability and convenience:

- Improved status and session monitoring
- Improved workflow through rearranging some functional tasks (e.g. Maintenance page for download of all configuration and settings)
- Improved usability of complex WebUI pages (optional "advanced" sections to configure complicated functions)
- Access to the CLI from a WebUI pop-up window
- Improved security (support for TLS)
- Context-sensitive online help
- Improved support for Netscape and Mozilla browsers
- Browser window title shows the FortiGate hostname
- New log-in screen that hides the sidebar menu prior to log-in to the FortiGate Antivirus Firewall
- Pop-up window for formatting of the hard disk after upgrade if required (post-MR4 releases)
- Formatted log display to view the log messages from the WebUI in "raw" format or a parsed column format. To preserve a custom column setting and order for the current login session, cookie support must be enabled in your HTML browser.

Service Availability Icons


Description: Coloured status icons are now used to indicate Update Center and FortiGuard availability.
Content Summary
Description: The Content Summary section in the System Status screen shows recent HTTP, FTP, and email activity.

Policy ID in Session Monitor
Description: The session monitor page in the WebUI now shows the corresponding firewall policy ID number.

3.1.4 Redesigned CLI

Description: Version 2.80 of FortiOS introduces major changes to the Command Line Interface (CLI). The method of entering commands, as well as the structure, navigation, command types, and command branches, have all changed. Type "tree" to view the entire CLI command tree of commands and options (this is a long list). For a comparison of FortiOS v2.50 and v2.80 command branches, see the following table.

CLI enhancements
The FortiGate CLI functionality has been enhanced with the following changes:

- Basic HA information is added to the output of "get system status"
- DHCP and PPPoE information is now displayed in the output of "get system interface"

Comparison of FortiOS v2.50 and v2.80 command branches

    v2.50      v2.80          Description of change
    set        config, set    The config command branch replaces the set command branch. The config branch uses configuration shells. The set command is still used for setting functional parameters.
    unset      unset          The unset function has been moved under the config branch.
    get        get            The get command branch has some changes to how it functions.
    execute    execute        The execute command branch has been updated.
               show           The show command branch is new.
    diagnose   diagnose       The diagnose command branch has been updated.

See the FortiOS v2.80 CLI Reference Guide for a complete description of how to use the v2.80 CLI structure. Note: FortiOS v2.50 CLI commands are incompatible with the FortiOS v2.80 CLI commands. Attempts to restore a configuration file from FortiOS v2.50 will fail. An existing FortiOS v2.50 configuration can be upgraded, or a new configuration must be entered via the FortiOS v2.80 CLI or WebUI.

3.1.5 Dynamic DNS Support

Description: FortiOS v2.80 adds Dynamic DNS (DDNS) support to the interface configuration to map a dynamic IP address to a static hostname. Newly supported DDNS servers include: dhs.org, dyndns.org, dyns.net, ods.org, tzo.com, dnsalias.com, dnsart.com, vavic.com, dipdns.com, now.net.cn

3.1.6 Multiple Secondary IP Addresses Per Interface

Description: An interface can now be assigned multiple secondary IP addresses. In FortiOS v2.50 only a single secondary IP address was allowed; FortiOS v2.80 allows up to 32 secondary IP addresses. This is a CLI-only command.

3.1.7 IPv6 Traffic Forwarding

Description: FortiOS v2.80 provides forwarding of IPv6 traffic, configured through the CLI. (Other FortiGate functions such as firewall policies, content filtering, AV scanning, etc. are currently not available for IPv6 traffic.)


3.1.8 ADSL (PPPoE) Connection Idle Timeout Support

Description: To better support ADSL environments using PPPoE, where service providers bill based on connection time, an idle timeout option can be configured to automatically disconnect the connection after a period of inactivity. In PPPoE mode there are now two additional options under "system interface": lcp-echo-interval and lcp-max-echo-fails. lcp-echo-interval controls the interval in seconds between LCP echo requests, and lcp-max-echo-fails sets the number of missed requests before the PPP link is considered dead and is reconnected. CLI commands:

    config system interface
        edit <interface>
            set mode pppoe
            set lcp-echo-interval <seconds>
            set lcp-max-echo-fails <# of attempts>
        end

3.1.9 PPPoE and DHCP Relay Support

Description: Dynamic addressing using PPPoE on an interface can now support DHCP relay to allow client DHCP requests to be forwarded to a pre-configured DHCP server accessible from another FortiGate interface.

3.1.10 Virtual Domain Support in NAT and Transparent Modes


Description: Virtual Domain (VDom) is used in conjunction with VLAN technology to allow customers to create multiple, independently managed security domains, either to secure discrete departments within an enterprise or as the basis for a service provider's managed security service. FortiOS v2.36 and v2.50 releases support 802.1Q VLAN processing, a prerequisite of VDom functionality. VDom functionality extends these capabilities to provide more complete and granular virtualization, with the following key features:

- Multi-tier security domain design concept: one FortiGate unit can have multiple VDoms, and within each VDom multiple security zones plus interfaces can be defined, each zone further made up of physical interfaces as well as sub-interfaces mapped to VLAN tags; no traffic is allowed between VDoms
- Firewall policies and addresses configurable on a per-VDom basis
- Logging and reporting on a per-VDom basis
- 802.1Q VLAN trunking
- 802.1Q VLAN tagged packet processing
- AV profiles, firewall services, system times, etc. are shared across all VDoms
- Virtual router support on a per-VDom basis in NAT/Route mode, so that overlapping IP addresses defined in different VDoms are supported

2 VDoms are supported in NAT/Route mode and 10 VDoms in Transparent mode in all FortiGate models with the standard FortiOS v2.80 firmware. (In pre-MR4 releases, only 2 VDoms were supported in NAT and Transparent mode operation.) Support for more than 2 VDoms requires a special version of FortiOS, available as an extra-cost option on the FortiGate-3000 and higher models, and is dependent on the number of VDoms supported.

3.1.11 Improved "out-of-the-box" Usability for SOHO Models


Description: For FortiGate-100 models and lower, the following features make set-up easier and quicker:

- HTTP is enabled by default on the Internal interface
- DNS Forwarding: the client PC sets its DNS server address to the local FortiGate interface, and all DNS requests sent to the FortiGate unit are relayed to the DNS server configured in the FortiGate unit (GUI: System > Network > DNS).


3.1.12 Support for Extended and Non-Latin-1 (ISO 8859-1) Characters


Description: Non-alphanumeric characters such as underscore ("_") and "@" are now supported in the Username and Password fields. Non-Latin-1 (ISO 8859-1) characters can also be used in the configuration for object names such as usernames, groups, IPSec tunnels, etc.

3.1.13 User Field Improvements


Description: The allowable User field parameters have been improved to provide:

- Increased maximum length of 20 single-byte characters for the LDAP CN ID field
- Permitted whitespace characters in user names

3.1.14 One-Button Transmission of FortiGate System Info For Troubleshooting


Description: FortiOS v2.80 provides a handy button on the WebUI for system administrators to send troubleshooting information to Fortinet and partner support personnel, including the current version of the FortiOS system, the version of the AV and NIDS definition files, system configuration, etc. Prior to use of this feature, you should first contact Customer Support to obtain a FortiCare Ticket number to include in your submission. Fortinet does not guarantee any response to any query unless a FortiCare Ticket has been assigned. (GUI: System > Maintenance > Support > Report a Bug)

3.1.15 IEEE 802.11 WLAN Client Mode Supported


Description: On the FortiWiFi-60, IEEE 802.11b/g client mode is now supported. Previous FortiOS versions only supported access point mode. This is configured from the WLAN GUI or CLI commands.

3.1.16 Alert Email Address Length


Description: The maximum length for an alert email address has been increased to 63 single-byte characters. The previous maximum was 34 characters in the WebUI.

3.1.17 Console Paging Mode


Description: The console can be configured to output in a paged "more" mode or a standard mode. The CLI session must be restarted for the new mode to take effect. CLI commands:

    config system console
        set output more
    end

    config system console
        set output standard
    end

3.1.18 LCD
Description: Changes entered on the LCD panel can be aborted by pressing the "ESC" key. Previously, the data entry had to be completed.

Description: The HA status is now displayed on the LCD of models supporting HA and LCD displays. The LCD shows one of "Standalone", "Primary", or "Slave #", along with the mode, "A-A" or "A-P".


3.1.19 Compressed Configuration Back-up Files


Description: When backing up "all configuration files" from the WebUI (System > Maintenance), a compressed zipfile is now used to save space. This new compressed version is created after the first configuration change made after upgrading to MR5.

3.1.20 AV/NIDS Updates


Fortinet Protection System Server Connection Reliability
Description: To improve the reliability of the scheduled AV/NIDS update during busy network periods (e.g. after a Push Update Notification is received by the FortiGate unit), the 'minute' field of the scheduled update is assigned a random value. The 'minute' field can still be configured through the CLI. Any 'minute' value (0-59) is allowed, and a value of 60 means the FortiGate unit chooses a random value.

3.1.21 Internal Modem Support for FortiGate-60M


Description: FortiGate-60M model is supported in MR8 and later. The 60M combines a built-in "56K" modem with the popular FortiGate-60 platform to provide a convenient solution for installations requiring a dial-up backup or for secured Point-of-Sale configurations.

3.1.22 Bug Reporting


Description: New simplified format for the bug reporting page in the WebUI (System > Maintenance > Support > Report Bug). The bug report is sent in an encrypted attachment to Fortinet Customer Support. Responses to submissions require a separate request to your regional Customer Support contact.


3.1.23 Alert Message Console


Description: A new display section in the GUI has been added to inform firewall administrators of certain critical events that have occurred. It is called the Alert Message Console and is accessed in the System > Status page. The events that are displayed are:

- system reboots
- firmware upgrades
- connection limit reached

3.1.24 Forwarding Domains


Description: A new feature has been added to the FortiGate firewall that can be used as a filter to control how broadcast traffic is forwarded to each interface. Administrators can now assign "forwarding domain" memberships to each FortiGate firewall interface. When a broadcast arrives on an interface that belongs to forwarding domain 'X', only interfaces that belong to that forwarding domain are forwarded the broadcast traffic. Note: This feature is only available when the FortiGate firewall is in transparent mode.

3.2 High Availability


3.2.1 Non-dedicated HA Port
Description: HA cluster communication can now be configured for one or more interfaces. Enabling cluster communication for more interfaces increases reliability: if an interface fails, cluster communication can be diverted to other interfaces. By default, HA cluster communication is enabled for two interfaces: the DMZ or HA interface and the normal external interface.

3.2.2 Link Fail-over

Description: If a monitored cluster member interface detects a link failure, the cluster member reports the status of its links to the primary unit. The primary unit attempts to re-balance traffic according to the link failure status of all cluster members. If an interface on the primary unit detects a link failure, the cluster member with the next highest HA score becomes the primary unit. Note that AV scanned sessions do not fail over when a cluster member fails.

3.2.3 Firmware Upgrade and Configuration Upload

Description: To improve ease of maintenance, HA in v2.80 supports firmware upgrade and configuration upload while in operation. Once the master unit has been updated, then the slave cluster members will be automatically updated.

3.2.4 HA Link Security

Description: HA data is now encrypted between members of an HA cluster. This reduces the effectiveness of a malicious attack through re-play or spoofed data using the HA interfaces.

3.2.5 Support for FortiGate-60/100/200 and FortiWiFi-60 Models

Description: HA is now supported on FortiGate-60, FortiGate-100, FortiGate-200 and FortiWiFi-60 models. For the FortiWiFi-60, the WLAN interface is not a supported HA interface.


3.2.6 HA Active-Active Mode Can Now Load Balance Non-AV Traffic

Description: HA Active-Active mode can now load-balance all TCP sessions. Previously, only AV scanned traffic (e.g. HTTP, SMTP, POP3, etc.) would have the sessions distributed among the HA cluster members. Load-balancing is disabled by default. Note that AV scanned sessions do not fail-over when a cluster member fails.

3.2.7 HA Synchronization Status

A new CLI command has been added to show whether the slave and primary units have synchronized. CLI command:

    diag sys ha checksync

3.3 Router
3.3.1 Policy Route WebUI
Description: Previously only available through the CLI, FortiOS v2.80 MR3 allows configuration of static policy routes through the WebUI (Router > Policy). Policy routing will route packets based on:

- Source address
- Protocol, service type, or port range
- Incoming or source interface

3.3.2 Routing Monitor

Description: The FortiGate routing table can now be viewed from the WebUI (Router > Monitor) or CLI ("get router info routing_table"). This allows the administrator to view all the static and dynamic routes that influence traffic routing.

3.3.3 Enhanced RIP Routing Protocol Support

Description: RIP routing protocol support has been enhanced to include:

- Classful and classless subnet support
- Keychain security
- Offset, distribution, and redistribution lists
- Access, prefix, and route map lists
- Split horizon
- Database and status viewing

3.3.4 OSPF Routing Protocol Support

Description: OSPF routing protocol support has been added in FortiOS v2.80 with the following features:

- OSPF Version 2 Support
- OSPF Area Support (50 maximum)
- Route Redistribution with Type
- Multiple Instances Support (OSPF per virtual domain)
- Opaque LSA Support
- Database Overflow Support
- Simple Password Authentication
- MD5 Authentication
- OSPF Hello Parameter Configuration
- OSPF Interface Configuration (100 maximum)
- OSPF NSSA Type 1 and Type 2 External
- Virtual Links Support


3.4 Firewall
3.4.1 Protection Profile
Menus
Description: The FortiOS v2.80 Protection Profile renames the "Content Profile" menu option of v2.50, adds new functionality, and consolidates information for improved usability. Protection Profile provides the following profile categories under v2.80:

- Anti-Virus
- Web Filtering
- Web Category Filtering
- Spam Filtering
- IPS
- Content Archive

User Groups
Description: An expanded User Group function allows a User Group to be associated with a Protection Profile. This replaces the User Domain function in earlier v2.80 releases.

The new simplified method for configuring authentication groups is:

1. Configure a local user.
2. Configure a local user group, selecting the protection profile associated with this group.
3. In the policy configuration, when authentication is enabled, select multiple groups as the allowed authentication groups.

HTTP Resume Block
Description: An option for the Protection Profiles is "HTTP resume block", which prevents partial downloads of files that may be used to evade the FortiGate AV scanner. This is similar to blocking fragmented mail (SMTP, POP3, IMAP) messages.

3.4.2 Improved Custom TCP/IP Support and Pre-defined Services

Description: Custom TCP/IP services can now be defined for ICMP in addition to TCP and UDP. There are new predefined services for traffic types such as AOL and MSN Messenger.

3.4.3 Increased Maximum Number of Policy Routes on High-end Models

Description: In MR8 and later, the maximum number of policy routes on FortiGate-800 models and above has been increased to 250 from 100.

3.4.4 IP Address Ranges

Description: The IP addresses for firewall policies may now be specified as a range as well as the typical subnet groupings. A range is limited to a span of 256 addresses. As of v2.80 MR4, this includes Encrypt (IPSec) firewall policies.

3.4.5 Multiple IP Pools

Description: Multiple IP pools per interface are now supported and for NAT-enabled policies the assigned NAT-source address is randomly selected from the IP pool rather than being limited to the IP address of the destination interface. The IP pools can also contain IP addresses belonging to subnets that are different from the subnet of the interface on which the IP pools are defined.
Increased Number of IP Pools
In MR7 and later, all models now support up to a maximum of 512 IP pools for NAT firewall policies. IP pools are created with Address Groups defined in the Firewall configuration area. The previous maximum was 50 IP pools.


3.4.6 DiffServ Settings

Description: The DiffServ bits (DSCP differentiated services code/control point) of incoming and outgoing packets can be overwritten to specific values to support the QoS policies of a network. The default behaviour is to pass the DiffServ bits from source to destination packets unchanged.

3.4.7 Static NAT (SNAT) Port Floating

Description: Static NAT port assignment for outbound-NAT will now always override the source port and assign the source port into upper range and thus prevent any collision-related problems for self-originated traffic.

3.4.8 SIP Support

Description: Support for Session Initiation Protocol (SIP) has been added in MR10. The following scenarios are supported (A and B: SIP terminals; P: proxy):

- A ---- FGT ---- B: A calls B. This works in both transparent and routed modes, with or without NAT enabled.
- A ---- FGT ---- P ---- B: A registers with P; A calls B or B calls A. This works in both transparent and routed modes, with or without NAT enabled. Note that P and B must be behind the same FortiGate interface.
- A, B ---- FGT ---- P: A and B register with P; A calls B. This works in transparent mode only. NAT mode is not supported. Note that A and B must be behind the same FortiGate interface.

Note that VIPs are not supported, so A and B in the above scenarios cannot be a VIP-mapped destination.

3.5 FortiGuard Antivirus


3.5.1 Heuristic Virus Detection
Description: FortiOS v2.80 release includes heuristic detection of viruses, worms, and Trojan attacks, which complements existing signature-based detection and also is especially effective at detecting new, or so-called "Zero Day" attacks. In this first phase, binary executable files are scanned for the common techniques used by malicious code to take control of program flow execution.

3.5.2 Grayware Protection

Description: FortiOS v2.80 provides a new category of antivirus protection called Grayware. Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious means such as gathering personal information or surfing patterns. This feature is configurable through the Protection Profiles.

3.5.3 Submit Quarantined Virus Sample to Fortinet

Description: FortiOS v2.80 allows system administrators to submit files that have been quarantined by their FortiGate units to Fortinet's Threat Response Team through a simple, one-button click from the FortiGate WebUI. (Antivirus > Quarantine > Config > Enable Autosubmit, and Antivirus > Quarantine > AutoSubmit for file pattern specification.)

3.5.4 HTML Link for Scanned Virus Detection

Description: In the event that log records are generated for virus and worm detection, an HTML link will be provided that points to the Fortinet virus encyclopedia definition available on the Fortinet website.


3.5.5 Append Customized Text to Email Messages

Description: The FortiOS v2.80 release allows the system administrator to define a message that will be appended to email messages destined for destinations outside of the network protected by a FortiGate unit. For example, for a law firm this user-definable message could be a disclaimer for the firm; for another firm, the message can state that this particular mail is virus free as inspected by a FortiGate Antivirus Firewall. This feature gives the system administrator more flexibility in managing their corporate messaging policy.

3.5.6 PPTP and L2TP AV Scanning

Description: When the FortiGate is a terminating end-point of a PPTP or L2TP tunnel, the tunnel contents can now be AV scanned. This complements the ability to scan IPSec tunnel traffic supported by previous FortiOS releases.

3.5.7 High-end Models AV Optimize Command

Description: On high-end models (FortiGate-3000 and higher), optimisation for AV or throughput is available to achieve the best AV scanning performance. The CLI commands "config system global" > "set optimize antivirus" will optimize FortiGate operation for AV and this is the system default. Note that this command will reboot the FortiGate unit.

3.5.8 Antivirus Scan Support for ARJ Compression Format

Description: The ARJ compression format is now supported for antivirus scanning.

3.5.9 File Uncompression Maximum for AV Scanning

Description: The FortiGate Antivirus Firewall has the ability to scan compressed files by first performing a decompression to get to the target file. A new CLI option for the maximum uncompressed size to scan has been added to allow the administrator to specify any value, in megabytes, within the available memory range, as well as 0 for no limit. The default is 10 MB. CLI commands:

    config antivirus service <http | ftp | pop3 | imap | smtp>
        set uncompsizelimit 10
    end

3.5.10 Windows Control Panel Extensions Support


Description: To better deal with specific situations where Windows Control Panel Extensions are used to spread viruses or malicious code, *.cpl has been added to the default list of fileblock patterns. However, the *.cpl pattern will not appear after an upgrade to MR9 is performed because the upgrade routines do not add new items into the list to prevent overwriting the current list, which may or may not be customised. In order to have *.cpl appear in the list in MR9, you must explicitly add *.cpl for fileblock prior to upgrading through the WebUI. When TFTP upgrading, the entry is added to the list by default.

3.5.11 FortiGuard Antivirus and FortiGuard Intrusion Protection


Description: Prior to MR10, if an update to the AV Engine, AV Signature Database, or NIDS Signature Database was required, the entire AV Engine code and the complete AV and NIDS Signature databases were sent, even if only a few signatures or one line of AV Engine code had changed. This method consumes a lot of bandwidth on network connections. MR10 introduces incremental updates: only the changes between versions of the AV Engine, AV Signature Database, or NIDS Signature Database are sent. Here is an example of how it works for a FortiGate running FortiOS v2.80 with AV Signature Database v4.639:

1. The FortiGate sends versioning information to the FDS.
2. The FDS sends the required incremental updates to the FortiGate:
   - The FDS has AV Signature Database v4.642.
   - Since the FortiGate has v4.639, it needs to be updated.
   - The FDS sends 3 incremental updates (v4.640, v4.641, and v4.642).
   - The FortiGate applies the incremental updates to its current version and now has AV Signature Database v4.642.


Note: If the required incremental updates are not available on the FDS, the full update is sent instead.
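The version exchange above, including the fallback in the note, as an added example that is not Fortinet's FDS or FortiGate code: the client reports its version, the server works out the chain of deltas needed to reach its latest version and serves either that chain or, if any link is missing, the full database. The delta format (add/remove lists), the signature names and the class names are assumptions of this example; the version numbers are the ones used in the text.

```python
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int]          # (major, minor), e.g. v4.639 -> (4, 639)


def parse_version(text: str) -> Version:
    major, minor = text.lstrip("v").split(".")
    return int(major), int(minor)


def fmt_version(v: Version) -> str:
    return f"v{v[0]}.{v[1]}"


class SignatureServer:
    """Constructed stand-in for the FDS: knows the latest full database and the
    per-version deltas it can serve. The delta for vX.N turns a vX.(N-1)
    database into a vX.N one and is a dict with optional "add"/"remove" lists."""

    def __init__(self, latest: str, full_db: List[str], deltas: Dict[str, dict]):
        self.latest = parse_version(latest)
        self.full_db = set(full_db)
        self.deltas = {parse_version(k): d for k, d in deltas.items()}

    def updates_for(self, client_version: str) -> dict:
        have = parse_version(client_version)
        if have >= self.latest:
            return {"kind": "none"}
        full = {"kind": "full", "version": fmt_version(self.latest),
                "db": sorted(self.full_db)}
        if have[0] != self.latest[0]:        # major change: no delta chain exists
            return full
        needed = [(have[0], n) for n in range(have[1] + 1, self.latest[1] + 1)]
        if not all(v in self.deltas for v in needed):
            return full                       # a gap in the chain -> full update
        return {"kind": "incremental",
                "steps": [(fmt_version(v), self.deltas[v]) for v in needed]}


class SignatureClient:
    """The FortiGate side: reports its version, then applies what it gets back."""

    def __init__(self, version: str, db: List[str]):
        self.version = parse_version(version)
        self.db: Set[str] = set(db)

    def apply(self, response: dict) -> str:
        if response["kind"] == "full":
            self.db = set(response["db"])
            self.version = parse_version(response["version"])
        elif response["kind"] == "incremental":
            for ver, delta in response["steps"]:
                self.db -= set(delta.get("remove", []))
                self.db |= set(delta.get("add", []))
                self.version = parse_version(ver)   # advance one step at a time
        return fmt_version(self.version)


# Constructed data: three deltas leading from v4.639 to v4.642.
DELTAS = {
    "v4.640": {"add": ["sig.C"]},
    "v4.641": {"remove": ["sig.A"]},
    "v4.642": {"add": ["sig.D"]},
}
FULL_DB = ["sig.B", "sig.C", "sig.D"]   # what v4.642 contains after all deltas


def run_exchange(missing_delta: Optional[str] = None) -> dict:
    """Step 1: client sends its version; step 2: server answers; client applies."""
    deltas = {k: v for k, v in DELTAS.items() if k != missing_delta}
    server = SignatureServer("v4.642", FULL_DB, deltas)
    client = SignatureClient("v4.639", ["sig.A", "sig.B"])
    response = server.updates_for(fmt_version(client.version))
    final = client.apply(response)
    return {"kind": response["kind"],
            "steps": len(response.get("steps", [])),
            "version": final, "db": sorted(client.db)}


if __name__ == "__main__":
    print(run_exchange())                          # incremental, 3 steps
    print(run_exchange(missing_delta="v4.641"))    # gap in chain -> full update
```

Both paths end at the same database content, which is the property a client-side check would want to verify after applying a delta chain: the incremental route must be equivalent to the full database, not merely cheaper.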

3.6 VPN
3.6.1 IPSec Tunnel Support in Transparent Mode
Description: FortiOS v2.80 supports IPSec VPNs constructed in Transparent mode as well as NAT or Route mode. All features of IPSec VPN that are available in NAT/Route mode except for Concentrator (hub & spoke) are available in Transparent mode.

3.6.2 DHCP Support Over IPSec

Description: In FortiOS v2.80, DHCP over IPSec is supported by DHCP relay for an external DHCP server. In many remote access scenarios, a mechanism for making the remote host appear to be present on the local corporate network is useful. This may be accomplished by assigning the host a "virtual" address from the corporate network, and then tunnelling traffic via IPSec from the host's ISP-assigned address to the corporate security gateway. (Note: If the target DHCP server is on a different subnet from a FortiGate interface, a static route to the DHCP server's subnet must be manually entered into the FortiGate routing table.)

3.6.3 User Authentication via RSA SecurID™

Description: FortiOS v2.80 supports user authentication for IPSec tunnels using RSA SecurID™. The user must be configured in a RADIUS server to require SecurID™ authentication.

3.6.4 IP Address Range Support in IPSec Firewall Policies

Description: Prior to MR4, firewall ENCRYPT policies for IPSec traffic had to use standard IP subnet ranges to specify the source and destination addresses. With MR4, arbitrary IP ranges are supported in the Firewall Address definition (WebUI: Firewall > Address).

3.6.5 Overlapping Address Support

Description: FortiOS v2.80 supports site-to-site VPN configurations in which the subnet addresses overlap between the two sides of the tunnel.

Method 1: Outbound NAT
Configure outbound NAT for the two subnets on the two sides that have the same addressing scheme to support address overlap on the two sides.

Method 2: VIP over IPSec
Use VIP addresses set to the FortiGate external IP address to map the hosts on either side of the tunnel. For example, to allow host1 to access host2 in the following scenario:

    host1 -------- FG1 --------- FG2 --- host2
    10.0.0.1                            10.0.0.2

Set a VIP on FG1 that resolves to the host2 address, and a VIP on FG2 that points at host1. Phase 2 wildcard selectors must be selected.

3.6.6 Central Site Internet Access

Description: For IPSec tunnels, all traffic including Internet-bound traffic can be sent through the tunnel to the central site VPN Gateway. This allows consistent application of traffic filtering policies to be extended to the remote sites.


3.6.7 IPSec Dynamic DNS support

Description: Using DynDNS, IPSec VPN tunnels can be constructed even when dynamic IP addresses are being used on the termination points of the tunnel. FortiOS v2.80 provides full support for Dynamic DNS, enabling the FortiGate unit to be able to automatically register itself with a number of available Dynamic DNS services whenever the external interface IP address changes, either via a user-initiated change or through dynamic addressing schemes implemented by IP service providers.

3.6.8 Policy Selector in IPSec Phase2

Description: To better support multiple dial-up clients, IPSec Phase2 now supports a means to specify a firewall policy. To specify the firewall encryption policy source and destination IP addresses, select Specify a selector and then select the names of the source and destination addresses from the Source address and Destination address lists. You may also optionally specify source and destination port numbers and/or a protocol number. If this option is set, clients cannot propose a subnet/range selector.

CLI commands:
    config vpn ipsec phase2
        edit <phase2 name>
            set single-source enable
    end

3.6.9 Site-to-Site/Dialup Tunnels

Description: Internet browsing is now supported through site-to-site VPN tunnels (static tunnels) as well as dialup VPN tunnels.

3.7 Spam Filter


3.7.1 Content Filtering
Description: Email content filtering features first provided in FortiOS v2.50 have been significantly enhanced to provide a much more powerful anti-spam function that includes the following features:

- Email content filtering support for SMTP, IMAP, and POP3 protocols
- Verification against DNSBL (DNS-based Black Lists) or ORDB (Open Relay Database) DNS lookup
- Action for spam email: providing options to Reject / Delete
- Support for content-based lists
- MIME Header Checking
- Reporting capabilities

DNSBL and ORDB lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through. The FortiGate unit compares the IP address or domain name of the sender to any database lists you configure, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter. (Note: The term "RBL" (Real-time Black List) is a type of DNSBL and is a registered trademark of MAPS LLC.)

Reverse DNS look-up helps to counter email address spoofing by checking the SMTP mail server's reported HELO domain declaration against the result of a DNS look-up and comparing the IP address of the SMTP server. The return email address can also be checked for a valid domain with Reverse DNS look-up.

Keyword and phrase lists have been improved to allow wildcards and Perl regular expressions as well as the ability to specify which part of the email message to scan (header, body, or all).

A MIME headers list can be used to block or clear email from certain programs or with certain types of content. The Spam Filter compares the MIME header key-value pair of the sender to the list pairs in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

The firewall protection profiles provide a means for applying specific anti-spam functions on a policy-by-policy basis.
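The two lookups described above (a DNSBL query built from the sender's IP address, then a MIME header list checked in order with first match deciding the action), as an added example that is not FortiOS code. The lookup name is the sender's octets reversed under the list's zone; a name that resolves means "listed". The zone name, the resolver stub, the header rules, the sample messages and the action names "reject", "clear" and "pass" are all constructed for this example, not taken from any real list or the product.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]     # name -> A record, or None for NXDOMAIN


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets of the sender IP reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_check(sender_ip: str, zones: List[str], resolve: Resolver) -> Optional[str]:
    """Query each configured list in order; return the first zone that lists the IP."""
    for zone in zones:
        if resolve(dnsbl_query_name(sender_ip, zone)) is not None:
            return zone
    return None


# Header rules: (header name, regular expression, action), evaluated in order.
HeaderRule = Tuple[str, str, str]


def header_list_check(headers: Dict[str, str], rules: List[HeaderRule]) -> Optional[str]:
    """First matching key/value rule wins; None means "no match, go to next filter"."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, pattern, action in rules:
        value = lowered.get(name.lower())
        if value is not None and re.search(pattern, value):
            return action
    return None


def classify(message: dict, zones: List[str], rules: List[HeaderRule],
             resolve: Resolver) -> Tuple[str, str]:
    """Run the filters in sequence: DNSBL first, then the MIME header list."""
    zone = dnsbl_check(message["sender_ip"], zones, resolve)
    if zone:
        return "reject", f"sender listed in {zone}"
    action = header_list_check(message["headers"], rules)
    if action:
        return action, "header list match"
    return "pass", "no filter matched"


# --- constructed sample data (not real lists, servers or mail) ---
FAKE_DNS = {"4.2.0.192.dnsbl.example": "127.0.0.2"}      # 192.0.2.4 is "listed"
RULES: List[HeaderRule] = [
    ("X-Mailer", r"^TrustedBulkMailer/", "clear"),   # earlier rule wins over "bulk"
    ("X-Mailer", r"(?i)bulk", "reject"),
    ("Subject", r"(?i)\bfree\s+money\b", "reject"),
]
SAMPLES = {
    "listed_sender": {"sender_ip": "192.0.2.4",
                      "headers": {"Subject": "hello", "X-Mailer": "Mutt"}},
    "cleared_by_rule": {"sender_ip": "198.51.100.9",
                        "headers": {"X-Mailer": "TrustedBulkMailer/2.0"}},
    "subject_match": {"sender_ip": "198.51.100.9",
                      "headers": {"Subject": "FREE MONEY now"}},
    "clean": {"sender_ip": "198.51.100.9",
              "headers": {"Subject": "lunch", "X-Mailer": "Mutt"}},
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed message against the one fake zone and the rules."""
    return {name: classify(msg, ["dnsbl.example"], RULES, FAKE_DNS.get)[0]
            for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} -> {verdict}")
```

The "cleared_by_rule" sample is the point of rule ordering: its X-Mailer value would also match the second rule's "bulk" pattern, but the first matching pair decides and the message is cleared. A real deployment swaps `FAKE_DNS.get` for an actual DNS resolver and treats a resolver error as "not listed" rather than as spam.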

3.7.2 FortiGuard AntiSpam Service

Description: Prior to MR10, this subscription-based service was labeled FortiSpamshield in the GUI; the name has been updated for MR10. Please see the Special Notices section for a description of all of the subscription-based services. FortiGuard AntiSpam is a new subscription-based service for providing antispam definitions (initially DNSBL, or DNS-based black list) updates through the FortiGuard - AntiSpam servers and is supported from MR4 and later. This service is available as of 2004 - Q4. (Note: Port UDP/8889 is used by the FortiGate unit to communicate with the FortiGuard AntiSpam servers and may require further configuration of other upstream firewalls.) In MR7 and later, there are new options in the firewall protection profile and a new FortiGuard - AntiSpam configuration screen to enable the service and cache timeout in the Spam Filter menu. Administrators can check if a domain is on the black-list through the website http://www.nospammer.net. Submissions of spam email samples can be sent to "submissions@nospammer.net".

Description: FortiGuard - AntiSpam adds URL look-up to the existing IP address look-up to check for known spam sources and spam emails. The firewall protection profiles now have an option to enable FortiGuard - AntiSpam URL checking. The WebUI has a new check-box option, while the CLI adds a new command:
    config firewall profile
        edit <profile-entry>
            set <smtp/pop3/imap> spamfsurl
    end

3.8 IPS Functionality


3.8.1 Dynamic Threat Prevention System
Description: In FortiOS v2.80, the existing Intrusion Detection and Prevention functions have been merged and expanded to provide a new Dynamic Threat Prevention System. IPS can be applied on a per-firewall-policy basis through the Protection Profiles. All current NIDS signatures will include the option for an action to be taken to prevent the detected attack. Signatures are arranged into groups based on the type of attack. Some signature groups also include additional configuration parameters in addition to the actions to take in response to a positive signature match: pass, drop, reset or clear packets or sessions. The detection signatures and prevention actions are updated automatically in real time via the FortiProtect Network. New in FortiOS v2.80 are "anomalies" to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols. Each anomaly comes with a recommended configuration that can be modified as required. Note that new anomaly lists are only provided in new firmware releases.

3.8.2 IPS signature Autoupdate

Description: When a new IPS signature database is pushed to FortiGates by the FDS, IPS settings that have been altered from their default values will be overridden. MR10 introduces a new command to do one of two things. If the option is disabled, existing settings are not overridden on updates received from the FDS. If the option is enabled, which is the default setting, the new IPS signature database is pushed with Fortinet recommended settings. The following is the new command syntax:
    config system autoupdate ips
        set accept-recommended-settings <disable|enable>
    end

3.9 Web Content Filtering


Description: In FortiOS v2.80, category based filtering is supported with the FortiGuard Web Filtering Service, Fortinet's high performance, server-based categorized URL filtering system. With the appropriate FortiGuard license, the administrator now has the ability to define and choose the categories of URLs that can be blocked per firewall policy. (This is a separately licensed product. Contact your local Fortinet Sales Representative for information.) FortiGuard capabilities include:
- 56 content categories.
- Granular policy enforcement.
- URL rating cache for high performance.
- Ability to monitor or deny users access to specific categories.
- Comprehensive historical statistics for all categories by profile.
- Log of all requests for websites in monitored or denied categories.

Description: A new FortiGuard Web Category Filtering configuration option has been added that allows the user to specify whether or not they would like image rating/blanking to be used. This feature adds the ability to rate images based on their URL and replace them with blank images if the image is to be denied. The supported image types are:
- image/gif
- image/jpeg
- image/tiff
- image/png
- image/bmp
This configuration is available in both the WebUI and CLI.

CLI command:
    config firewall profile
        edit "img-scan"
            set cat_options rate_image_urls
    end

Also, the source of the replacement blanking image can be specified to be a location remote to the FortiGate unit. (CLI only.)
    conf webfilter catblock
        set img_sink_ip xxx.xxx.xxx.xxx
    end

3.10 Log & Reporting


Description: The FortiGate Log and Reporting functionality has been enhanced with the following changes:
- Per user log/report for Web Filtering
- Traffic Log reports group and user for firewall policy authenticated traffic
- SNMP support for dial-up VPN tunnel monitoring (requires updated 2.80-MR3 or later version MIB)
- Alert Email now contains the FortiGate serial number information for identifying the FortiGate unit.
- Integration with the FortiLog System (secure tunnel, Content Log access, enhanced reporting)

Improved Update Logs
Description: Modified the AV/NIDS update log message to include the version of the updates, e.g.:
    Fortigate updated <AV database version> <IDS database version> <AV Engine version> <IDS Engine version> <FortiGuard - AntiSpam database status>

Persistent Log Columns GUI
Description: When customizing the columns of the log message display, the order is stored in a browser "cookie" so that when returning to the log display webpage the column arrangement is retained for the current WebUI session.


Description: The IDs of locally defined users now are logged when the user surfs to a web site while FortiGuard Web Filtering is enabled. The firewall already logs user IDs when FortiGuard Web Filtering is not enabled.
Configuration Change Logs
Description: The logging of configuration changes has been increased. Now when a firewall policy is altered, the change is logged.


4 MR12 Release Issues


4.1 Resolved Issues in FortiOS v2.80 MR12
4.1.1 HA
Description: When an active link fails on the "master" (A-A) cluster FortiGate firewall, all routes on the new slave are lost and not relearned once the "route-ttl" timer expires. This issue only affects networks where dynamic routing is used. Models Affected: All. Bug ID: 33421 Status: Fixed in MR12.

Description: A master unit running in TP mode does not pick up sessions taken over by the slaves once the master returns from a reboot. Models Affected: All. Bug ID: 33242 Status: Fixed in MR12.

Description: When a multicast firewall policy is defined to use a VLAN interface, and this interface is then deleted, the slave units synchronise properly. Upon a manual reboot the slaves become unsynchronised and continue to reboot. Models Affected: All. Bug ID: 34217 Status: Fixed in MR12.

4.1.2 VPN
Description: When a dialup IPSec tunnel consists of a phase2 tunnel whose name contains an underscore character, the tunnel will be dropped whenever a firewall policy setting is changed. Models Affected: All. Bug ID: 31658 Status: Fixed in MR12.

Description: The IPSec Phase 1 or Phase 2 keylife does not expire when using a byte count value. Models Affected: All. Bug ID: 9830 Status: Fixed in MR12.

Description: DNS forwarding fails to forward DNS queries through interfaces that are members of a zone. Models Affected: All. Bug ID: 37114 Status: Fixed in MR12.

Description: A hub and spoke VPN topology with the hub connected to a FortiManager would fail to allow traffic between the hub FortiGates. Models Affected: All. Bug ID: 39173 Status: Fixed in MR12.

4.1.3 System
Description: The System GUI erroneously displays the "Chassis" option. This feature is not supported on the FGT5002 blade. Models Affected: FGT_5002 Bug ID: 33544 Status: Fixed in MR12.

Description: Microsoft NetMeeting fails to set up the connection when messages are received at the FortiGate on a VIP. Models Affected: All. Bug ID: 35478 Status: Fixed in MR12.


4.2 Resolved Issues in FortiOS v2.80 MR11 and Earlier


4.2.1 System
Description: If a DHCP relay agent is configured on the HA interface, DHCP DISCOVER messages are not forwarded to the DHCP server. Models Affected: All. Bug ID: 28443 Status: Fixed in MR11.

Description: FortiOS v2.80 introduced the Access Profile feature. Since FortiOS v2.50 does not support this feature, upon upgrading some administrator accounts are lost. For every admin user in FortiOS v2.50, the upgrade procedure creates a new Access Profile, and since only a certain number of Access Profiles are configurable per FortiGate (8, 16, or 64 depending on the model), admin users beyond these limits are not retained in the upgrade. Models Affected: All. Bug ID: 25201 Status: Fixed in MR11.

Description: When DST ends, the system time alternates between the time when DST is enabled and the time when DST is disabled. Models Affected: All. Bug ID: 22463 Status: Fixed in MR11.

Description: The FortiGate firewall does not send updates to the DDNS server when it acquires an IP address from a DHCP server. Models Affected: All. Bug ID: 30713 Status: Fixed in MR11.

Description: When the l2forwarding feature is disabled on the FortiGate firewall, non-IPv4 multicast, broadcast and unknown destination frames are forwarded to all operational interfaces. Models Affected: All. Bug ID: 29101 Status: Fixed in MR11.

Description: H.323 traffic that uses UDP port 1719 causes the FortiGate firewall to reboot. Models Affected: All. Bug ID: 30962 Status: Fixed in MR11.

Description: FortiGate firewalls with serial number (s/n FG30002801030xxx) are not able to detect "downed" fiber ports. Models Affected: FGT3000 (s/n FG30002801030xxx) Bug ID: 32122 Status: Fixed in MR11.

Description: Image filenames for the FG1000A and FG1000AFA2 do not conform to standard filename naming conventions. The device model numbers are abbreviated. Models Affected: FG1000A/FG1000AFA2 Bug ID: 34589 Status: Fixed in MR11.
Description: FortiAccel ports on the FG1000A and FG1000AFA2 are named Port11/Port12 instead of "PortA1/PortA2". Models Affected: FG1000A/FG1000AFA2 Bug ID: 34552 Status: Fixed in MR11.

Description: SNMPv1 and SNMPv2 get-next requests failed on requests to fnIp (fortinet.4) and fnVpn (fortinet.9) OIDs. Models Affected: All. Bug ID: 24725 Status: Fixed in MR10.

Description: If the system time was changed from NTP to manual time, administrative access to the firewall using HTTP, HTTPS, TELNET, SSH, PING, and SNMP would fail. Models Affected: All. Bug ID: 22672 Status: Fixed in MR10.

Description: Using the GUI to delete an SNMP host in a community deletes the hosts below it. Models Affected: All. Bug ID: 23767 Status: Fixed in MR10.

Description: In an HA cluster configuration certain MIB OID locations sometimes do not respond to SNMP GET queries: memory, cpu, and sessions. Workaround is to view the information via the WebUI or CLI. Models Affected: FortiGate-3600. Bug ID: 22766 Status: Fixed in MR10.

Description: To prevent XSS (cross site scripting) vulnerabilities, certain characters are disallowed in most CLI and WebUI fields. The Web Pattern Block field does not currently allow the following characters: < > ( ) # " ' Models Affected: All running v2.80-MR7 and MR8. Bug ID: 23374 Status: Fixed in MR10.

Description: A Nessus-DOS attack would cause the CPU to spike and remain high even after the attack had stopped. Models Affected: All. Bug ID: 27249 Status: Fixed in MR10.

Description: An interface sent an IPChange trap when the interface was brought up and down. Even if the IP address did not change, a trap would be sent. Models Affected: All. Bug ID: 18280 Status: Fixed in MR9.

Description: The LCD misformats the information. When the firewall's operational mode is changed through the LCD, the confirmation message is misformatted. Models Affected: All models with an LCD. Bug ID: 19138 Status: Fixed in MR9.

Description: The daylight savings time option causes the update daemon to restart. If the option is enabled while in the daylight savings time period, the update daemon restarts. Models Affected: All. Bug ID: 24339 Status: Fixed in MR9.

4.2.2 WebUI
Description: When the FortiGate firewall is in HA mode, users are not able to access the quarantine page from either Mozilla or Internet Explorer. Models Affected: All. Bug ID: 33362 Status: Fixed in MR11.

Description: If a log file from a slave unit in an HA cluster was downloaded, the file name was "fetch". It has been changed to reflect the type of log being downloaded, such as "tlog", "elog", etc. Models Affected: All. Bug ID: 24181 Status: Fixed in MR10.

Description: When more than 20 static VPN tunnels were configured, any connected dialup VPN tunnel would not appear in the VPN > IPSec > Monitor page. Models Affected: All. Bug ID: 23140 Status: Fixed in MR10.

Description:
- 21497: Fields related to FortiLog encryption were not being displayed correctly when the encryption option was being enabled and disabled.
- 21953: The firewall would not allow an Xauth server to be set up on a dialup VPN Phase1 gateway if the user group included a RADIUS and LDAP server.
- 21254: The GUI inadvertently displayed the DHCP-IPSec option in the IPSec VPN Phase2 configuration when Dynamic DNS is chosen for the remote gateway.
Models Affected: All. Bug ID: 21497, 21953, 21254 Status: Fixed in MR9.

4.2.3 HA

Description: When in HA mode, 10.0.0.0/24 routes cannot be added to the routing table. Models Affected: All. Bug ID: 31276 Status: Fixed in MR11.

Description: When a new NIDS signature is installed on the FortiGate Firewall master, the slave firewall(s) will reboot once. Models Affected: All Bug ID: 33489 Status: Fixed in MR11.

Description: FortiGate 60 firewalls running in HA mode erroneously permit users to enable the internal port as a monitored port. The internal interface is a switch port, so it is restricted by design from being a monitored port. Models Affected: All Bug ID: 30162 Status: Fixed in MR11.

Description: High availability is not supported on the FG1000A and FG1000AFA2 firewalls. Models Affected: FG1000A/FG1000AFA2 Bug ID: 34553 Status: Fixed in MR11.

Description: Slave units in an HA A-A cluster of three or more units using weighted round robin would stop receiving sessions from the master unit. Models Affected: All. Bug ID: 23086 Status: Fixed in MR10.

Description: In Transparent mode, HA Active-Active mode, the firewall cluster forwards multicast and broadcast packets. The cluster can receive these packet types at the same time and both the master and slave can forward them at the same time. This will confuse the switch because of the identical source MAC address on the packet. Models Affected: All. Bug ID: 23873 Status: Fixed in MR9.

Description: When adding a new member to an HA cluster, the normal operation involves synchronizing the unit configuration followed by a system reboot of the new member. However, if the synchronization fails the slave will continuously reboot as it repeatedly attempts to synchronize the configuration. This can occur if a configuration change is made on the master when the HA link to the slave is down. Models Affected: All. Bug ID: 20530 Status: Fixed in MR9.

4.2.4 Router

Description: The policy routing feature does not automatically forward traffic through alternative routes when an associated route is removed. Models Affected: All Bug ID: 32302 Status: Fixed in MR11.

Description: When a gateway address is not configured, policy routes for OSPF discovered routes do not work. Models Affected: All Bug ID: 29938 Status: Fixed in MR11.


Description: Static routes with administrative distances of 128 or more would disappear from the routing table and would not be visible in GUI > Router > Monitor. Models Affected: All. Bug ID: 24263 Status: Fixed in MR10.

Description: Some FTP clients running in FTP Active mode would hang when being routed through the firewall using a policy route. Models Affected: All. Bug ID: 21451 Status: Fixed in MR9.

Description: Once RIP Split Horizon was enabled it could not be disabled. Both Split Horizon and Poison Reverse work if they are enabled together. Models Affected: All. Bug ID: 20625 Status: Fixed in MR9.

4.2.5 Firewall

Description: Using a blank field in the Common Name Identifier field allows all users defined in a Windows Active Directory to be authenticated, regardless of their position within the AD structure. If the Common Name Identifier field in an LDAP user is left blank, upon upgrading from FortiOS v2.80 MR9 to FortiOS v2.80 MR10, the field is filled in with "cn", which causes authentication attempts to fail if the above method is used. Models Affected: All. Bug ID: 29104 Status: Fixed in MR11.

Description: In Route mode for non peer-to-peer H323 VoIP communication, the control session expiration time for a non-natted policy decreases even if there is some RTP traffic passing through the device linked with this session. Models Affected: All. Bug ID: 0027939 Status: Fixed in MR11.

Description: H323 sessions use the odd port numbers for RTP traffic. Models Affected: All. Bug ID: 31714 Status: Fixed in MR11.

Description: Non-NAT policy expiration time decreases even if there is RTP traffic passing through the device linked with the control session. Models Affected: All. Bug ID: 27939 Status: Fixed in MR11.

Description: When an H.323 session is created, the H.323 session-helper modifies the source port of H.323 traffic. Models Affected: All. Bug ID: 32644 Status: Fixed in MR11.

Description: When a user attempts to establish a SIP session through the FortiGate firewall, the SIP session-helper modifies the source port of the invite message header. Models Affected: All. Bug ID: 31814 Status: Fixed in MR11.

Description: Microsoft NetMeeting call setup was not handled properly, thus resulting in failed calls. Models Affected: All. Bug ID: 20746 Status: Fixed in MR10.

Description: In previous builds of FortiOS, the required session-helpers for SIP/H.323 were set up automatically when the image was upgraded (not TFTP upgraded). However, changes to the CLI in later builds required users to add the session-helpers manually if the image was upgraded. TFTP upgrades are unaffected. Models Affected: All. Bug ID: 26627 Status: Fixed in MR10.


Description: When a firewall policy had authentication enabled and IM blocking enabled, IM would not be blocked. Models Affected: All. Bug ID: 25669 Status: Fixed in MR10.

Description: Static NAT VIPs added after upgrading to FortiOS v2.80 MR9 do not work until the configuration is re-written. For example:
1. configure static NAT VIP
2. add static NAT VIP to firewall policy
3. re-apply any other existing setting in the current configuration, such as a firewall address
VIPs that exist prior to upgrade are not affected. Models Affected: FortiGate300 and above. Bug ID: 24225 Status: Fixed in MR10.

Description: HTTP Authentication through the firewall fails if the user name contains special characters. FTP and TELNET did not observe the same behaviour. Models Affected: All. Bug ID: 20118 Status: Fixed in MR9.

Description: The firewall inadvertently switched any UDP Port Forwarding VIP to a TCP Port Forwarding VIP. Models Affected: All. Bug ID: 21386 Status: Fixed in MR9.

4.2.6 FortiGuard

Description: Duplicate emails are received when DATAZ extensions are used by email servers. Models Affected: All. Bug ID: 29773 Status: Fixed in MR11.

4.2.7 VPN

Description: When users make non-IPSec related configuration changes, established IPSec tunnels are dropped. Models Affected: All. Bug ID: 32795 Status: Fixed in MR11.

Description: When an interface is configured with a secondary IP address, VPN tunnel traffic for the primary IP address is neither sent nor received. Models Affected: All. Bug ID: 30472 Status: Fixed in MR11.

Description: On a FortiGate 200A firewall, users are not able to create PPTP sessions over unnumbered PPPoE interfaces. Models Affected: 200A Bug ID: 29881 Status: Fixed in MR11.

Description: When the FortiGate 300 firewall is used as a VPN hub, tunnels between each of its spokes go down unexpectedly. Models Affected: 300 Bug ID: 31628 Status: Fixed in MR11.

Description: An IPSec tunnel between two FortiGate units would be brought down if a PPTP connection was attempted from a PC to one of the FortiGate units. Models Affected: All. Bug ID: 21384 Status: Fixed in MR9.


4.2.8 IPS

Description: When a "Syn Fin" packet is received on the FortiGate firewall, the firewall forwards one packet before dropping the next ones. Models Affected: All. Bug ID: 26628 Status: Fixed in MR11.

Description: The IPS engine is not able to block traffic sent by Skype versions 1.3.066 and 1.4 beta. Models Affected: All. Bug ID: 32767 Status: Fixed in MR11.

Description: The P2P > skype IPS signature found in the GUI under IPS > Signature > Predefined > p2p > skype does not block Skype IM sessions when the action is set to "drop session" or "clear session". Models Affected: All. Bug ID: 23125 Status: Fixed in MR11.

Description: Changes made to IPS signatures are not saved upon a restore of the configuration file or an upgrade. For example, if you change the action on the "AskSam.as_web.Access" signature in the iss group from Pass to Drop Session, back up the configuration, upgrade the firewall, and then restore the configuration, the changes are not saved. Models Affected: All. Bug ID: 25636 Status: Fixed in MR10.

Description: The IPS Engine would stop running when the firewall reached a high memory usage scenario. Models Affected: All. Bug ID: 29712 Status: Fixed in MR10.

4.2.9 Logging & Reporting

Description: Content logging may drop the first character of the From, To, and Subject header fields (RFC2822 Internet Message Format) if they contain no space after the colon (:) delimiter. Models Affected: All. Bug ID: 28194 Status: Fixed in MR11.

Description: Log files greater than 300 MB cannot be searched on the slave FortiGate firewall. Models Affected: All. Bug ID: 28897 Status: Fixed in MR11.

Description: The FortiGate firewall is unable to upload log files via FTP if the FTP server the FortiGate firewall contacts goes down and comes back up at a later time. Models Affected: All. Bug ID: 29471 Status: Fixed in MR11.

Description: When an interface goes down, the FortiGate firewall logs the event as belonging to the "informational" category instead of the "warning" category. Models Affected: All. Bug ID: 20599 Status: Fixed in MR11.

Description: The firewall alert mail function may fail to authenticate with some mail servers. Models Affected: All. Bug ID: 21168 Status: Fixed in MR9.

Description: In the log file upload settings, the firewall uploads the log file with an incorrect file name. The uploaded log file has yyyymmdd as part of the file name. The firewall was using the incorrect month. Models Affected: All. Bug ID: 21354 Status: Fixed in MR9.


4.2.10 FortiGuard AntiSpam


Description: When a word partially matches a regular expression that contains the "." pattern, the FortiGate Firewall erroneously identifies the email as containing a banned word and marks it as SPAM. Models Affected: All. Bug ID: 28658 Status: Fixed in MR11.

Description: An entry in the Event Log appeared stating the FortiGuard AntiSpam license had expired even if the service was not enabled. Models Affected: All. Bug ID: 24347 Status: Fixed in MR10.

Description: If the Return e-mail DNS check was enabled and antispam RBL was enabled or the FortiGuard AntiSpam RBL was enabled, the FortiGate would not perform a return e-mail DNS check. Models Affected: All. Bug ID: 25081 Status: Fixed in MR10.

4.2.11 Antivirus
Description: In previous builds of FortiOS, splice for SMTP would be enabled when antivirus scanning was enabled. This has changed for MR10. SMTP splice can be disabled when antivirus scanning is enabled. Please see the Special Notices section for more information on FTP and SMTP Splice. Models Affected: All. Bug ID: 21480 Status: Fixed in MR10.

Description: The "Web Resume Download Block" feature was not working. The download would resume from where it stopped rather than from the start of the file again. Models Affected: All. Bug ID: 23821 Status: Fixed in MR10.

Description: When the FortiGate reaches a low memory condition, the "system global av_failopen" antivirus feature determines how sessions are handled. There are three options for this feature:
- off: connections are received and handled regardless of the free memory
- one-shot: connections bypass the AV engine and the administrator must manually change the setting to off or pass in order to resume AV scanning
- pass: connections bypass the AV engine and AV scanning resumes when the low memory condition is resolved
The default option for this feature is pass. In previous builds it was set to off. Models Affected: All. Bug ID: no bug Status: Fixed in MR10.

Description: The firewall does not block oversized files through FTP when AV is enabled. If the downloaded file is larger than the threshold, the firewall would not block the file. Models Affected: All. Bug ID: 18431 Status: Fixed in MR9.

Description: The details of the Content Archive (System > Status) displayed misformatted IP addresses. Models Affected: All. Bug ID: 21415 Status: Fixed in MR9.

5 Known Issues in FortiOS v2.80 MR12


5.1 HA
Description: All sessions are dropped when a unit with master override reboots and then rejoins the HA cluster. This behaviour is shown only when the master is rebooted (reboot, or power up), not when an interface is disconnected and reconnected.
Models Affected: All.
Bug ID: 16058
Status: Fix in a future release.

5.2 IPS
Description: The default settings of some IPS signatures were changed in IPS database version 2.211. If your firewall is using an IPS database version older than 2.211 and you upgrade to MR10, which has IPS database version 2.216, the following signatures will change. You must manually change them if you wish to enable them. Please see the IPS sub-section of the Enhancements Provided by FortiOS v2.80 MR10 section for a command to prevent the settings from being overwritten by future IPS signature updates.

Signatures which have been disabled by default:
  CyberKit.2.2
  SMB.DCERPC.SamrEnumerateAliasesInDomain.139
  Private.Access.UDP
  ip_decoder:ipv4_bad_checksum
  dns_decoder:invalid_pointer
  dns_decoder:invalid_opcode
  dns_decoder:invalid_param
  http_decoder:double_encoding
  tcp_decoder:tcp_bad_checksum
  im:aim
  im:msn
  im:yahoo
  im:qq
  pop_decoder:nested_request
  pop_decoder:unknown_cmd
  pop_decoder:unknown_reply
  smtp_decoder:nested_request
  smtp_decoder:unknown_cmd
  smtp_decoder:unknown_reply
  imap_decoder:unknown_cmd
  imap_decoder:unknown_reply
  udp_decoder:udp_bad_checksum

Anomalies whose thresholds have been changed:
  icmp_src_session (100 => 200)
  tcp_src_session (2000 => 5000)
  udp_src_session (1000 => 5000)

Models Affected: All.
Bug ID: None.
Status: None.

5.3 VPN
Description: When an IPSec dial-up client uses an address group for the source address, the FortiGate VPN gateway firewall policy applies only to the last entry in the dial-up client address group. For example, on the FortiGate dial-up server the encrypt policy source-to-destination is 192.168.2.0 -> all, and on the dial-up client it is 192.168.4.0 + 192.168.22.0 (address group) -> 192.168.2.0. The resulting dial-up encrypt firewall policy is 192.168.2.0 -> 192.168.22.0.
Models Affected: All.
Bug ID: 13786
Status: Fix in a future release.
Workaround: Create a dedicated tunnel on the VPN gateway just for this client (with a matching policy), or have the client initiate separate tunnels for each address subnet.

Description: When a dial-up VPN connection is made to a FortiGate firewall, the phase 2 SA timer is not reset automatically while there is still an active session.
Models Affected: All.
Bug ID: 33295
Status: Fix in a future release.
Workaround: Enable phase 2 keepalive on the VPN dial-up client.

5.4 System
Description: FortiOS v2.80 introduced the Access Profile feature. Since FortiOS v2.50 does not support this feature, some administrator accounts are lost on upgrade. For every admin user in FortiOS v2.50, the upgrade procedure creates a new Access Profile; since only a limited number of Access Profiles are configurable per FortiGate (8, 16, or 64 depending on the model), admin users beyond that limit are not retained by the upgrade.
Models Affected: All.
Bug ID: 25201
Status: Fix in a future release.

Description: When the FortiGate firewall's non-reserved DHCP IP pool is used up, the FortiGate firewall assigns reserved IP addresses to requesting DHCP clients.
Models Affected: All.
Bug ID: 31376
Status: Fix in a future release.

5.5 Router
Description: When a FortiGate running RIPv2 has a passive interface, authentication enabled, and a neighbour configured, no authentication information is included in any of the RIPv2 packets.
Models Affected: All.
Bug ID:
Status: Fix in a future release.

5.6 Antivirus
Description: Files that have Japanese characters in the filename are not blocked by the FortiGate firewall.
Models Affected: All.
Bug ID: 32369
Status: Fix in a future release.

Description: When an infected file has Japanese characters in the filename, the FortiGate firewall sends a replacement message and replaces the name of the file with a series of "?".
Models Affected: All.
Bug ID: 32419
Status: Fix in a future release.

6 Image MD5 Checksums


dd3617e94f2562c6dce0086b427f7f4a *FGT_1000AFA2-v280-build514-FORTINET.out
9ab3b78c562cfd8cb06e6e9798bcdefc *FGT_1000A-v280-build514-FORTINET.out
a37152d9406f551e104f0749a33950e0 *FGT_100A-v280-build514-FORTINET.out
a67ce8941acf8d84c84badc5cd631df7 *FGT_100-v280-build514-FORTINET.out
cd4781428dfd42487b4758ca3641d1a0 *FGT_1K-v280-build514-FORTINET.out
3410114bbc3632697c531f087222c930 *FGT_200A-v280-build514-FORTINET.out
8b7e101df1c3aa79560e4b5d87e82b6d *FGT_200-v280-build514-FORTINET.out
2049a4dfddbb61a49587c7fdbf3e0475 *FGT_3000-v280-build514-FORTINET.out
a61e496ac353b2e721567e0e15de3a25 *FGT_300A-v280-build514-FORTINET.out
4055d93eaa22ee79d4e223bcff804167 *FGT_300-v280-build514-FORTINET.out
5667a528d69dcd5e2fed5c328909b4c3 *FGT_3600-v280-build514-FORTINET.out
2bb2adc299b7a307038ce8fa3dea9a4b *FGT_400A-v280-build514-FORTINET.out
f1b2a6642bfb17f06df0d2bc7710270c *FGT_400-v280-build514-FORTINET.out
035836de175150c3f482b625b97e2163 *FGT_5001-v280-build514-FORTINET.out
148ef9b82d652ccc94c61c8ad9dcbbfa *FGT_5002FB2-v280-build514-FORTINET.out
b403841acdcb6eaeca938ae7dd6cd6ae *FGT_500A-v280-build514-FORTINET.out
1680d1addcb618c028d1df38ab1d15a9 *FGT_500-v280-build514-FORTINET.out
01012a8832c21e6f118d56675769221c *FGT_50AM-v280-build514-FORTINET.out
ef185634ba06125b4e004d7fe1c5b346 *FGT_50A-v280-build514-FORTINET.out
f324296912ecb9e4c6981f75fe969e0f *FGT_60M-v280-build514-FORTINET.out
4cf951284cf574b1d2f73ee30be89f4b *FGT_60-v280-build514-FORTINET.out
89a35fa8fbdf5b49f8e717bfc974a37f *FGT_800F-v280-build514-FORTINET.out
d120b2a1d18b8b0f1fbdc61a2a2f50f3 *FGT_800-v280-build514-FORTINET.out
8ad0f7c989311171cb7079633722cbf8 *FWF_60-v280-build514-FORTINET.out
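The checksum table above is in md5sum's "digest *filename" layout (the asterisk marks binary mode and is not part of the filename). The following added example, which is not Fortinet code, parses a list in that layout and checks downloaded images against it, reporting each image as ok, MISMATCH or missing. The image names reused from the table, the file contents and the checksum list in the demo are all constructed so the script runs offline.

```python
"""Verify firmware images against an md5sum-style checksum list.

Added example, not Fortinet code. It parses lines of the form
"<md5hex> *<filename>" (the layout of the checksum table above) and
recomputes each file's MD5. File contents and the checksum list in
demo() are constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile

# One line per image: 32 hex digits, whitespace, optional '*' (binary-mode marker), filename.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_checksum_list(text):
    """Return {filename: md5hex} from md5sum-format text; a malformed line raises ValueError."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = CHECKSUM_LINE.match(line)
        if not m:
            raise ValueError("line %d is not in md5sum format: %r" % (lineno, raw))
        expected[m.group(2)] = m.group(1).lower()
    return expected


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large images do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(checksum_text, directory):
    """Return {filename: status} where status is 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, want in parse_checksum_list(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if md5_of_file(path) == want else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact image, one altered after download, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "FGT_60-v280-build514-FORTINET.out")   # name from the table, constructed content
        bad = os.path.join(d, "FGT_100-v280-build514-FORTINET.out")   # name from the table, constructed content
        with open(good, "wb") as f:
            f.write(b"constructed firmware payload A\n" * 1000)
        with open(bad, "wb") as f:
            f.write(b"constructed firmware payload B\n" * 1000)
        # Checksum list built from the known-good contents; the all-zero digest stands in for
        # a listed image that was never downloaded.
        listing = "%s *%s\n%s *%s\n%s *%s\n" % (
            md5_of_file(good), os.path.basename(good),
            md5_of_file(bad), os.path.basename(bad),
            "0" * 32, "FGT_300-v280-build514-FORTINET.out",
        )
        with open(bad, "ab") as f:
            f.write(b"X")  # a single appended byte changes the digest
        return verify_images(listing, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-40s %s" % (name, status))
```

Run the script as-is to see the three outcomes, or call verify_images() with the text of the table above and the directory holding the downloaded images. A matching MD5 confirms that a download was not truncated or corrupted in transit; MD5 is no longer collision resistant, so this check is an integrity check against accidental damage, not proof that the image is the one Fortinet published.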

(End of Release Notes)
