Category Archives: Fortinet

Log files and types – FortiOS 6

Log files and types

As the log messages are being recorded, log messages are also being put into different log files. The log file contains the log messages that belong to that log type, for example, traffic log messages are put in the traffic log file.

When downloading the log file from within Log & Report, the file name indicates the log type and the device on which it is stored, as well as the date, time, and a unique id for that log.

This name is in the format <logtype> – <logdevice> – <date> T <time> . <id>.log.

For example, AntiVirusLog-disk-2012-09-13T11_07_57.922495.log.

Below, each of the different log files are explained. Traffic and Event logs come in multiple types, but all contain the base type such as ‘Event’ in the filename. Log Types based on network traffic

Log Type	Description
Traffic	The traffic logs records all traffic to and through the FortiGate interface. Different categories monitor different kinds of traffic, whether it be forward, local, or sniffer.
Event	The event logs record management and activity events within the device in particular areas: System, Router, VPN, User, Endpoint, HA, WAN Opt./Cache, and WiFi. For example, when an administrator logs in or logs out of the web-based manager, it is logged both in System and in User events.
Antivirus	The antivirus log records virus incidents in Web, FTP, and email traffic.
Web Filter	The web filter log records HTTP FortiGate log rating errors including web content blocking actions that the FortiGate unit performs.
Application Control	The application log records application usage, monitoring or blocking as configured in the security profiles.
Intrusion	The intrusion log records attacks that are detected and prevented by the FortiGate unit.
Email Filter	The email filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.

Log database and datasets

Log Type	Description
Vulnerability Scan	The Vulnerability Scan (Netscan) log records vulnerabilities found during the scanning of the network.
Data Leak Prevention	The Data Leak Prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering their network.
VoIP	The VoIP log records VoIP traffic and messages. It only appears if VoIP is enabled on the Administrator Settings page.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Explanation of a debug log message – FortiOS 6

Leave a reply

Explanation of a debug log message

Debug log messages are only generated if the log severity level is set to Debug. The Debug severity level is the lowest log severity level and is rarely used. This severity level usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are generated by all types of FortiGate features.

The following is an example of a debug log message:

date=2010-01-25 time=17:25:54 logid=9300000000 type=webfilter subtype=urlfilter level=debug msg=“found in cache”

Example of a Debug log message

Debug log
date=(2010-01-25)	The year, month and day of when the event occurred in the format yyyymm-dd.
time=(17:25:54)	The hour, minute and second of when the event occurred in the format hh:mm:ss.
logid=(93000000000)	A ten-digit unique identification number. The number represents that log message and is unique to that log message. This ten-digit number helps to identify the log message.
type=(webfilter)	The section of system where the event occurred. There are eleven log types in FortiOS 4.0.
subtype=(urlfilter)	The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.
level=(debug)	The priority level of the event. There are six priority levels to specify.
msg=(“found in cache”)	Explains the activity or event that the FortiGate unit recorded.

Viewing log messages and archives

Depending on the log device, you may be able to view logs within the web-based manager or CLI on the FortiGate unit. If you have configured a FortiAnalyzer unit, local hard disk, or system memory, you can view log messages from within the web-based manager or CLI. If you have configured either a Syslog or WebTrends server, you will not be able to view log messages from the web-based manager or CLI. There is also no support for viewing log messages stored on a FortiCloud server, from the FortiGate unit’s web-based manager or CLI.

You do not have to view log messages from only the web-based manager. You can view log messages from the CLI as well, using the execute log display command. This command allows you to see specific log messages that you already configured within the execute log filter command. The execute log filter command configures what log messages you will see, how many log messages you can view at one time (a maximum of 1000 lines of log messages), and the type of log messages you can view. For more information about viewing log messages in the CLI, see “Viewing logs from the CLI”.

There are two log viewing options in FortiOS: Format and Raw. The Raw format displays logs as they appear within the log file. You can view log messages in the Raw format using the CLI or a text editor, such as Notepad. Format is in a more human-readable format, and you can easily filter information when viewing log messages this way. The Format view is what you see when viewing logs in the web-based manager.

When you download the log messages from within the log message page (for example, Log & Report > Forward Traffic), you are downloading log messages in the Raw format.

Viewing log messages in detail

From any log page, you can view detailed information about the log message in the log viewer table, located (by default) at the bottom of the page. Each page contains this log viewer table. The Log Viewer Table can contain the Archive tab, which allows you to see the archived version of the log message. The Archive tab only displays the archived log’s details if archiving is enabled and logs are being archived by the FortiGate unit, but archived logs will also be recorded when using a FortiAnalyzer unit or the FortiCloud service.

When you are viewing traffic log messages, some of the categories (such as ‘Application Name’) have entries that can be selected to open a dialog box containing FortiGuard information about the entry. From within the dialog box, you can select the Reference link and go directly to the corresponding FortiGuard page, which contains additional information.

Viewing logs in Raw format allows you to view all log fields at once, as well as have a log file available regardless of whether you are archiving logs or not. You download the log file by selecting Download Log. The log file is named in the following format: <log_type><log_location><log_date/time>.<log_number>.log. For example, SystemEventLog-disk-2012-09-19T12_13_46.933949.log, which is an event log. The time period is the day and month of when the log was downloaded, not the time period of the log messages within the file itself.

Quarantine

Within the Log & Report menu, you can view detailed information about each quarantined file. The information can either be sorted or filtered, depending on what you want to view.

You must enable quarantine settings within an antivirus profile and the destination must be configured in the CLI using the config antivirus quarantine command. The destination can be either a FortiAnalyzer unit or local disk.

Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific status or from a specific service.

The file quarantine list displays the following information about each quarantined file.

Quarantine page

Lists all files that are considered quarantined by the unit. On this page you can filter information so that only specific files are displayed on the page.

GUI Item		Description
Source		Either FortiAnalyzer or Local Disk, depending where you configure to quarantined files to be stored.
Sort by		Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.

GUI Item	Description
Filter	Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, MM1, MM3, MM4, MM7, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. If your unit supports SSL content scanning and inspection Service can also be IMAPS, POP3S, SMTPS, or HTTPS. For more information, see the Security Features chapter of the FortiOS Handbook.
Apply	Select to apply the sorting and filtering selections to the list of quarantined files.
Delete	Select to delete the selected files.
Page Controls	Use the controls to page through the list.
Remove All Entries	Removes all quarantined files from the local hard disk. This icon only appears when the files are quarantined to the hard disk.
File Name	The file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the following naming convention: <32bit_CRC>.<processed_filename> For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date	The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if duplicates are quarantined.
Service	The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, MM1, MM3, MM4, MM7, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status	The reason the file was quarantined: infected, heuristics, or blocked.
Status Description	Specific information related to the status, for example, “File is infected with “W32/Klez.h”” or “File was stopped by file block pattern.”
DC	Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
GUI Item	Description
TTL	Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status	Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Download	Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.
Submit	Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.

Customizing the display of log messages on the web-based manager

Customizing log messages on the web-based manager allows you to remove or add columns from the page and filter the information that appears. For example, you can view only log messages that appeared on December 4, between the hours of 8:00 and 8:30 am.

Select the submenu in Log & Report in which you want to customize the display of log messages, such as Log & Report > Forward Traffic.
Right click on the title bar at the top of any column, and uncheck a column title such as Date/Time to remove it from the interface. Check other columns to add them to the interface. When you are finished, click outside the menu and the page will refresh with the new column settings in place.
Choose a column you’d like to filter, and select the funnel icon next to the title of the column. For example, select the funnel in the Src (Source) column. In the text field, enter the source IP address 1.1.1.1 and then select the check box beside NOT.

This filters out the all log messages that have the 1.1.1.1 source IP address in the source IP log field, such as the ones generated when running log tests in the CLI.

Select OK to save the customize settings, and then view the log messages on the page.

Log messages that originate from the 1.1.1.1 source address will no longer appear in the list.

How to download log messages and view them from on a computer

After recording some activity, you can download log messages to view them from a computer. This is can be very useful when in a remote location, or if you want to view log messages at your convenience, or to view packet logs or traffic logs.

In Log & Report, select the submenu that you want to download log messages from.

For example, Log & Report > Forward Traffic.

files and types

Select the Download Log option and save the log file to your computer.

The log file will be downloaded like any other file. Log file names contain their log type and date in the name, so it is recommended to create a folder in which to archive your log messages, as they can be sorted easily.

Open a text editor such as Notepad, open the log file, and then scroll to view all the log messages. You can easily search or scroll through the logs to see the information that is available.

Log messages – FortiOS 6

Leave a reply

Log messages

Log messages are recorded by the FortiGate unit, giving you detailed information about the network activity. Each log message has a unique number that helps identify it, as well as containing fields; these fields, often called log fields, organize the information so that it can be easily extracted for reports.

These log fields are organized in such a way that they form two groups: the first group, made up of the log fields that come first, is called the log header. The log header contains general information, such as the unique log identification and date and time that indicates when the activity was recorded. The log body is the second group, and contains all the other information about the activity. There are no two log message bodies that are alike, however, there may be fields common to most log bodies, such as the srcintf or identidix log fields.

The log header also contains information about the log priority level which is indicated in the level field. The priority level indicates the immediacy and the possible repercussions of the logged action. For example, if the field contains ‘alert’, you need to take immediate action with regards to what occurred. There are six log priority levels.

The log severity level is the level at and above which the FortiGate unit records logs. The log severity level is defined by you when configuring the logging location. The FortiGate unit will log all messages at and above the priority level you select. For example, if you select Error, the unit will log only Error, Critical, Alert, and Emergency level messages.

Log priority levels

Levels	Description
0 – Emergency	The system has become unstable.
1 – Alert	Immediate action is required.
2 – Critical	Functionality is affected.
3 – Error	An error condition exists and functionality could be affected.
Levels	Description
4 – Warning	Functionality could be affected.
5 – Notification	Information about normal events.
6 – Information	General information about system operations.

The Debug priority level, not shown above, is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.

Example log header fields

Log header
date=(2010-08-03)	The year, month and day of when the event occurred in yyyy-mm-dd format.
time=(12:55:06)	The hour, minute and second of when the event occurred in the format hh:mm:ss.
log_id=(2457752353)	A five or ten-digit unique identification number. The number represents that log message and is unique to that log message. This ten-digit number helps to identify the log message.
type=(dlp)	The section of system where the event occurred.
subtype=(dlp)	The subtype category of the log message.
level=(notice)	The priority level of the event. See the table above.
vd=(root)	The name of the virtual domain where the action/event occurred in. If no virtual domains exist, this field always contains root.

Example log body fields

Log body
policyid=(1)	The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx=(0)	The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid=(311)	The serial number of the firewall session of which the event happened.
srcip=(10.10.10.1)	The source IP address.
Log body
srcport=(1190)	The source port number.
srcintf=(internal)	The source interface name.
dstip=(192.168.1.122)	The destination IP address.
dstport=(80)	The destination port number.
dstintf=(wan1)	The destination interface name.
service=(https)	The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
status=(detected)	The action the FortiGate unit took.
hostname=(example.com)	The home page of the web site.
url=(/image/trees_pine_ forest/)	The URL address of the web page that the user was viewing.
msg=(data leak detected (Data Leak Prevention Rule matched)	Explains the FortiGate activity that was recorded. In this example, the data leak that was detected matched the rule, All-HTTP, in the DLP sensor.
rulename=(All-HTTP)	The name of the DLP rule within the DLP sensor.
action=(log-only)	The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no action type is specified, this field display log-only.
severity=(1)	The level of severity for that specific rule.

Logs from other devices, such as the FortiAnalyzer unit and Syslog server, contain a slightly different log header. For example, when viewing FortiGate log messages on the FortiAnalyzer unit, the log header contains the following log fields when viewed in the Raw format:

itime=1302788921 date=20110401 time=09:04:23 devname=FG50BH3G09601792 device_ id=FG50BH3G09601792 log_id=0100022901 type=event subtype=system level=notice vd=root The log body contains the rest of the information of the log message, and this information is unique to the log message itself.

For detailed information on all log messages, see the FortiGate Log Message Reference.

FortiOS features available for logging – FortiOS 6

Leave a reply

FortiOS features available for logging

Logs record FortiGate activity, providing detailed information about what is happening on your network. This recorded activity is found in log files, which are stored on a log device. However, logging FortiGate activity requires configuring certain settings so that the FortiGate unit can record the activity. These settings are often referred to as log settings, and are found in most security profiles, but also in Log & Report > Log Settings.

Log settings provide the information that the FortiGate unit needs so that it knows what activities to record. This topic explains what activity each log file records, as well as additional information about the log file, which will help you determine what FortiGate activity the FortiGate unit should record.

Traffic

Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through the unit, this type of logging is also referred to as firewall policy logging. Firewall policies control all traffic that attempts to pass through the FortiGate unit, between FortiGate interfaces, zones and VLAN sub-interfaces.

Logging traffic works in the following way:

l firewall policy has logging enabled on it (Log Allowed Traffic) l packet comes into an inbound interface l a possible log packet is sent regarding a match in the firewall policy, such as a URL filter l traffic log packet is sent, per firewall policy l packet passes and is sent out an interface

Traffic log messages are stored in the traffic log file. Traffic logs can be stored any log device, even system memory.

All security profile-related logs are now tracked within the Traffic logs, as of FortiOS 5.0, so all forward traffic can be searched in one place, such as if you are looking to see all activity from a particular address, security feature or traffic. Security profile logs are still tracked separately in the Security Log section, which only appears when logs exist.

If you have enabled and configured WAN Optimization, you can enable logging of this activity in the CLI using the config wanopt setting command. These logs contain information about WAN Optimization activity and are found in the traffic log file. When configuring logging of this activity, you must also enable logging within the security policy itself, so that the activity is properly recorded.

Sniffer

The Sniffer log records all traffic that passes through a particular interface that has been configured to act as a One-Armed Sniffer, so it can be examined separately from the rest of the Traffic logs.

FortiOS features available for logging

Other traffic

The traffic log also records interface traffic logging, which is referred to as Other Traffic. Other Traffic is enabled only in the CLI. When enabled, the FortiGate unit records traffic activity on interfaces as well as firewall policies. Logging Other Traffic puts a significant system load on the FortiGate unit and should be used only when necessary.

Logging other traffic works in the following way:

firewall policy has logging enabled on it (Log Allowed Traffic) and other-traffic l packet comes into an interface l interface log packet is sent to the traffic log that is enabled on that particular interface l possible log packet is sent regarding a match in the firewall policy, such as URL filter l interface log packet is sent to the traffic log if enabled on that particular interface l packet passes and is sent out an interface
interface log packet is sent to traffic (if enabled) on that particular interface

Event

The event log records administration management as well as FortiGate system activity, such as when a configuration has changed, admin login, or high availability (HA) events occur. Event logs are an important log file to record because they record FortiGate system activity, which provides valuable information about how your FortiGate unit is performing.

Event logs help you in the following ways:

l keeping track of configuration setting changes l IPsec negotiation, SSL VPN and tunnel activity l quarantine events, such as banned users l system performance l HA events and alerts l firewall authentication events l wireless events on models with WiFi capabilities l activities concerning modem and internet protocols L2TP, PPP and PPPoE l VIP activities l AMC disk’s bypass mode l VoIP activities that include SIP and SCCP protocols.

As of 5.4, every ‘execute’ CLI command now generates an ‘audit’ event log, allowing you to track configuration changes. You can enable/disable this feature in the CLI:

config system global set cli-audit-log [enable|disable]

end

The FortiGate unit records event logs only when events are enabled.

Traffic shaping

Traffic shaping, per-IP traffic shaping and reverse direction traffic shaping settings can be applied to a firewall policy, appearing within the traffic log messages.

By enabling this feature, you can see what traffic shaping, per-IP traffic shaping and reverse direction traffic shaping settings are being used.

Data Leak Prevention

Data Leak Prevention logs, or DLP logs, provide valuable information about the sensitive data trying to get through to your network as well as any unwanted data trying to get into your network. The DLP rules within a DLP sensor can log the following traffic types:

l email (SMTP, POP3 or IMAP; if SSL content SMTPS, POP3S, and IMAPS) l HTTP l HTTPS l FTP l NNTP l IM

A DLP sensor must have log settings enabled for each DLP rule and compound rule, as well as applied to a firewall policy so that the FortiGate unit records this type of activity. A DLP sensor can also contain archiving options, which these logs are then archived to the log device.

NAC Quarantine

Within the DLP sensor, there is an option for enabling NAC Quarantine. The NAC Quarantine option allows the FortiGate unit to record details of DLP operation that involve the ban and quarantine actions, and sends these to the event log file. The NAC Quarantine option must also be enabled within the Event Log settings. When enabling NAC quarantine within a DLP Sensor, you must enable this in the CLI because it is a CLI-only command.

Media Access Control (MAC) address

MAC address logs provide information about MAC addresses that the FortiGate unit sees on the network as well as those removed from the network. These log messages are stored in the event log (as subtype network; you can view these log messages in Log & Report > System Events) and are, by default, disabled in the CLI. You can enable logging MAC addresses using the following command syntax:

config log setting set neighbor-event enable

end

When enabled, a new log message is recorded every time a MAC address entry is added to the ARP table, and also when a MAC address is removed as well. A MAC address log message is also recorded when MAC addresses are connected to the local switch, or from a FortiAP or FortiSwitch unit.

FortiOS features available for logging

Application control

Application control logs provide detailed information about the traffic that internet applications such as Skype are generating. The application control feature controls the flow of traffic from a specific application, and the FortiGate unit examines this traffic for signatures that the application generates.

The log messages that are recorded provide information such as the type of application being used (such as P2P software), and what type of action the FortiGate unit took. These log messages can also help you to determine the top ten applications that are being used on your network. This feature is called application control monitoring and you can view the information from a widget on the Executive Summary page.

The application control list that is used must have logging enabled within the list, as well as logging enabled within each application entry. Each application entry can also have packet logging enabled. Packet logging for application control records the packet when an application type is identified, similar to IPS packet logging.

Logging of application control activity can only be recorded when an application control list is applied to a firewall policy, regardless of whether or not logging is enabled within the application control list.

Antivirus

Antivirus logs are recorded when, during the antivirus scanning process, the FortiGate unit finds a match within the antivirus profile, which includes the presence of a virus or grayware signature. Antivirus logs provide a way to understand what viruses are trying to get in, as well as additional information about the virus itself, without having to go to the FortiGuard Center and do a search for the detected virus. The link is provided within the log message itself.

These logs provide valuable information such as:

the name of the detected virus l the name of the oversized file or infected file l the action the FortiGate unit took, for example, a file was blocked
URL link to the FortiGuard Center which gives detailed information about the virus itself

The antivirus profile must have log settings enabled within it so that the FortiGate unit can record this activity, as well as having the antivirus profile applied to a firewall policy.

Web filter

Web filter logs record HTTP traffic activity. These log messages provide valuable and detailed information about this particular traffic activity on your network. Web filtering activity is important to log because it can inform you about:

l what types of web sites employees are accessing l users attempting to access banned web sites and how often this occurs l network congestion due to employees accessing the Internet at the same time l web-based threats resulting from users visiting non-business-related web sites

Web Filter logs are an effective tool to help you determine if you need to update your web filtering settings within a web filter profile due to unforeseen threats or network congestion. These logs also inform you about web filtering quotas that have been configured for filtering HTTP traffic.

You must configure logging settings within the web filter profile and apply the filter to a firewall policy so that the FortiGate unit can record the activity.

IPS (attack)

IPS logs, also referred to as attack logs, record attacks that occurred against your network. Attack logs contain detailed information about whether the FortiGate unit protected the network using anomaly-based defense settings or signature-based defense settings, as well as what the attack was.

The IPS or attack log file is especially useful because the log messages that are recorded contain a link to the FortiGuard Center, where you can find more information about the attack. This is similar to antivirus logs, where a link to the FortiGuard Center is provided as well that informs you of the virus that was detected by the FortiGate unit.

An IPS sensor with log settings enabled must be applied to a firewall policy so that the FortiGate unit can record the activity.

Packet logs

When you enable packet logging within an IPS signature override or filter, the FortiGate unit examines network packets, and if a match is found, saves them to the attack log. Packet logging is designed to be used as a diagnostic tool that can focus on a narrow scope of diagnostics, rather than a log that informs you of what is occurring on your network.

You should use caution when enabling packet logging, especially within IPS filters. Filter configuration that contains thousands of signatures could potentially cause a flood of saved packets, which would take up a lot of storage space on the log device. It would also take a great deal of time to sort through all the log messages, as well as consume considerable system resources to process.

You can archive packets, but you must enable this option on the Log Settings page. If your log configuration includes multiple FortiAnalyzer units, packet logs are only sent to the primary (first) FortiAnalyzer unit. Sending packet logs to the other FortiAnalyzer units is not supported.

Email filter

Email filter logs, also referred to as spam filter logs, record information regarding the content within email messages. For example, within an email filter profile, a match is found that finds the email message to be considered spam.

Email filter logs are recorded when the FortiGate unit finds a match within the email filter profile and logging settings are enabled within the profile.

If you are using a Banned Words List for email filtering, note that the filter pattern number is only recorded when the source email address contains a banned word.

Archives (DLP)

Recording DLP logs for network use is called DLP archiving. The DLP engine examines email, FTP, IM, NNTP, and web traffic. Archived logs are usually saved for historical use and can be accessed at any time. IPS packet logs can also be archived, within the Log Settings page.

You can start with the two default DLP sensors that have been configured specifically for archiving log data, Content_Archive and Content_Summary. They are available in Security Profiles > Data Leak Prevention. Content_Archive provides full content archiving, while Content_Summary provides summary archiving. For more information about how to configure DLP sensors, see the Security Features chapter of the FortiOS Handbook.

You must enable the archiving to record log archives. Logs are not archived unless enabled, regardless of whether or not the DLP sensor for archiving is applied to the firewall policy.

Network scan

Network scan logs are recorded when a scheduled scan of the network occurs. These log messages provide detailed information about the network’s vulnerabilities regarding software, as well as the discovery of any further vulnerabilities.

A scheduled scan must be configured and logging enabled within the Event Log settings, for the FortiGate unit to record these log messages.

Logging and reporting overview – FortiOS 6

Leave a reply

Logging and reporting overview

Logging and reporting in FortiOS can help you in determining what is happening on your network, as well as informing you of certain network activity, such as detection of a virus or IPsec VPN tunnel errors. Logging and reporting go hand in hand, and can become a valuable tool for information as well as helping to show others the activity that is happening on the network.

This section explains logging and reporting features that are available in FortiOS, and how they can be used to help you manage or troubleshoot issues. This includes how the FortiGate unit records logs, what a log message is, and what the log database is.

What is logging?

Logging records the traffic passing through the FortiGate unit to your network and what action the FortiGate unit took during its scanning process of the traffic. This recorded information is called a log message.

After a log message is recorded, it is stored within a log file which is then stored on a log device. A log device is a central storage location for log messages. The FortiGate unit supports several log devices, such as FortiAnalyzer units, the FortiCloud service, and Syslog servers. A FortiGate unit’s system memory and local disk can also be configured to store logs, and because of this, are also considered log devices.

When the recorded activity needs to be read in a more human way, the FortiGate unit can generate a Report. A report gathers all the log information that is needed for the report, and presents it in a graphical format, with customizable design and automatically generated charts. Reports can be used to present a graphical representation of what is going on in the network. Reports can also be generated on a FortiAnalyzer unit; if you want to generate reports on a FortiAnalyzer, see the FortiAnalyzer Setup and Administration Guide to help you create and generate those reports.

How the FortiGate unit records log messages

The FortiGate unit records log messages in a specific order, storing them on a log device. The order of how the FortiGate unit records log messages is as follows:

Incoming traffic is scanned.
During the scanning process, the FortiGate unit performs necessary actions, and simultaneously records the actions and results.
Log messages are sent to the log device.

Example: How the FortiGate unit records a DLP event

The FortiGate unit receives incoming traffic and scans for any matches associated within its firewall policies containing a DLP sensor.
A match is found; the DLP sensor, dlp_sensor, had a rule within it called All-HTTP with the action Exempt applied to the rule. The sensor also has Enable Logging selected, which indicates to the FortiGate unit that the activity should be recorded and placed in the DLP log file.
The FortiGate unit exempts the match, and places the recorded activity (the log message) within the DLP log file.
According to the log settings that were configured, logs are stored on the FortiGate unit’s local hard drive. The FortiGate unit places the DLP log file on the local hard drive.

What’s new in FortiOS 6.0 Logging

Leave a reply

What’s new in FortiOS 6.0

The following list contains new Logging & Reporting features added in FortiOS 6.0.

Automatic synchronization of log display location

In previous versions, log display location could differ between Log & Report and FortiView, which could result in empty log screens if the two were not synchronized. Now, both log viewers automatically pick the best available log device. A different log device can be manually selected.

As a result, the associated CLI command log gui-display location has been removed.

Improved log messages for SD-WAN link quality changes

FortiOS 6.0 introduces two new log messages:

22923: LOG_ID_EVENT_VWL_LQTY_STATUS is created when a member’s link quality is changed.
22924: LOG_ID_EVENT_VWL_VOLUME_STATUS is used only when load-balance-mode is set to

measured-volume-based. The log is created when a member starts or stops receiving traffic.

Extended UTM logging and improved syslog configuration

Multiple UTM features now have the ability to enable extended logging: WAF, Web Filtering, DLP, AntiVirus.

These new features can be enabled in the CLI:

config waf profile edit <profile name> set extended-log {enable | disable} end

config webfilter profile edit <profile name> set web-extended-log {enable | disable} set web-extended-all-action-log {enable | disable} end

config dlp sensor edit <sensor name> set dlp-extended-log {enable | disable} end

config antivirus profile edit <profile name> set av-extended-log {enable | disable} end

Updated reliable syslog encryption to comply with RFC 5425

In order to align with RFC 5425 (syslog on an encrypted TLS connection over TCP) and general logging security standards for syslog, reliable syslog encryption is customizable in the CLI: config log syslog setting set enc-algorithm {high-medium | high | low | disable} end

Also, syslog options for reliable logging transmission have been expanded:

config log syslog setting set mode {udp | legacy-reliable | reliable} end

See the FortiOS CLI Reference for more information about these commands.

Improved log display consistency at high load

Previous versions could display inconsistent log data when using Drill Down charts and when navigating between different log tables (in both Log & Report and FortiView). The maximum number of records now varies based on length that logs are kept, relative to device model size. Record numbers are configurable in config report setting.

Log database queries used to collect Top Sources and Top Destinations data are significantly more efficient due to improved indexing speed.

FortiOS 5.6.6 Release Notes

1 Reply

Introduction

This document provides the following information for FortiOS 5.6.6 build 1630:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.6 supports the following models.

FortiGate	FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-DSL, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-91E, FG-92D, FG-94D-POE, FG98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001C, FG-5001D, FG-5001E, FG-5001E1
FortiWiFi	FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-60E-DSL, FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D
FortiGate Rugged	FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM	FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-SVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images	FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier	FortiOS Carrier 5.6.6 images are delivered upon request and are not available on the customer support firmware download page.

Introduction

VXLAN supported models

The following models support VXLAN.

FortiGate	FG-30E, FG-30E-MI, FG-30E-MN, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-DLS, FG-60E-MC, FG-60E-MI, FG-60E-POE, FG-60EV, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-92D, FG-100D, FG-100E, FG-100EF, FG101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001D, FG-5001E, FG-5001E1
FortiWiFi	FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-60E-DSL, FWF-60E-MC, FWF-60E-MI, FWF-60EV, FWF-61E
FortiGate Rugged	FGR-30D, FGR-30D-A, FGR-35D
FortiGate VM	FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-NPU, FG-VM64-OPC, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
Pay-as-you-go images	FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN

Special Notices

Built-in certificate

New FortiGate and FortiWiFi D-series and above are shipped with a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

Special Notices

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.6, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient profile changes

With introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

FortiExtender support

Due to OpenSSL updates, FortiOS 5.6.6 cannot manage FortiExtender 3.2.0 or earlier. If you run FortiOS 5.6.6 with FortiExtender, you must use a newer version of FortiExtender such as 3.2.1 or later.

Using ssh-dss algorithm to log in to FortiGate

In version 5.4.5 and later, using ssh-dss algorithm to log in to FortiGate via SSH is no longer supported.

Pages: 1 2 3 4 5 6

FortiOS 5.4.5 Release Notes

Leave a reply

Change Log

Date	Change Description
2017-06-08	Initial release of FortiOS 5.4.5.
2017-06-09	Added 403937 to Resolved Issues. Updated Upgrade Information > Upgrading to FortiOS 5.6.0. Updated 435124 in Known Issues.
2017-06-13	Removed 416678 from Known Issues. Added 398052 to Resolved Issues. Added FGT-140 and FGT-140-POE to Introduction > Supported models > Special branch supported models.
2017-06-15	Added 399711, 421739, and 423452 to Resolved Issues.
2017-06-26	Added 389863 to Resolved Issues.
2017-06-30	Removed 374501 from Resolved Issues since that was resolved in 5.4.4. In Product Integration and Support section, updated FortiClient support to 5.4.1 and later.
2017-07-12	Added 424215 to Known Issues.

Introduction

This document provides the following information for FortiOS 5.4.5 build 1138:

FortiGate	FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG- 600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D
FortiWiFi	FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged	FGR-60D, FGR-90D
FortiGate VM	FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN FortiOS 5.4.5 supports the additional CPU cores through a license update on the following VM models: l VMware 16, 32, unlimited l KVM 16 l Hyper-V 16, 32, unlimited
Pay-as-you-go images	FOS-VM64, FOS-VM64-KVM
FortiOS Carrier	FortiOS Carrier 5.4.5 images are delivered upon request and are not available on the customer support firmware download page.

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.5 supports the following models.

Introduction Supported models

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.5. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1138.

FGR-30D	is released on build 7662.
FGR-35D	is released on build 7662.
FGR-30D-A	is released on build 7662.
FGT-30E-MI	is released on build 6229.
FGT-30E-MN	is released on build 6229.
FWF-30E-MI	is released on build 6229.
FWF-30E-MN	is released on build 6229.
FWF-50E-2R	is released on build 7657.
FGT-52E	is released on build 6226.
FGT-60E	is released on build 6225.
FWF-60E	is released on build 6225.
FGT-61E	is released on build 6225.
FWF-61E	is released on build 6225.
FGT-80E	is released on build 6225.
FGT-80E-POE	is released on build 6225.
FGT-81E	is released on build 6225.
FGT-81E-POE	is released on build 6225.
FGT-90E	is released on build 6230.
FGT-90E-POE	is released on build 6230.
FGT-91E	is released on build 6230.
FWF-92D	is released on build 7660.
FGT-100E	is released on build 6225.

What’s new in FortiOS 5.4.5 Introduction

FGT-100EF	is released on build 6225.
FGT-101E	is released on build 6225.
FGT-140E	is released on build 6257.
FGT-140E-POE	is released on build 6257.
FGT-200E	is released on build 6228.
FGT-201E	is released on build 6228.
FGT-2000E	is released on build 6227.
FGT-2500E	is released on build 6227.

What’s new in FortiOS 5.4.5

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.5, see the What’s New forFortiOS 5.4.5 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global set hw-switch-ether-filter <enable | disable>

FG-900D and FG-1000D Special Notices

When the command is enabled:

ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.

Special Notices FortiClient (Mac OS X) SSL VPN Requirements

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the

FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,

Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security

Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page Special Notices

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.4.5

FortiOS version 5.4.5 officially supports upgrading from version 5.4.3 and later and 5.2.9 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths .

Upgrading to FortiOS 5.6.0

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

Cooperative Security Fabric – Upgrade Guide
FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiGate-VM 5.4 for VMware ESXi Upgrade Information

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

C3 l C4 l R3 l I2
M4 l D2

Upgrade Information FortiGate VM firmware

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
.out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

.out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

.out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
.ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.5 support

The following table lists 5.4.5 product integration and support information:

Web Browsers	l Microsoft Edge 38 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X) Other web browsers may function correctly, but are not supported by Fortinet.
Explicit Web Proxy Browser	l Microsoft Edge 40 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58 Other web browsers may function correctly, but are not supported by Fortinet.
FortiManager	For the latest information, see the FortiManagerand FortiOS Compatibility . You should upgrade your FortiManager prior to upgrading the FortiGate.
FortiAnalyzer	For the latest information, see the FortiAnalyzerand FortiOS Compatibility . You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.
FortiClient Microsoft Windows and FortiClient Mac OS X	l 5.4.1 and later If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.
FortiClient iOS	l 5.4.1 and later
FortiClient Android and FortiClient VPN Android	l 5.4.0 and later

FortiOS 5.4.5

FortiAP	l 5.4.1 and later l 5.2.5 and later Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.
FortiAP-S	l 5.4.1 and later
FortiSwitch OS (FortiLink support)	l 3.5.0 and later
FortiController	l 5.2.0 and later Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later Supported model: FCTL-5103B
FortiSandbox	l 2.1.0 and later l 1.4.0 and later
Fortinet Single Sign-On (FSSO)	l 5.0 build 0256 and later (needed for FSSO agent support OU in group filters) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8 l 4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8 FSSO does not currently support IPv6.
FortiExplorer	l 2.6.0 and later. Some FortiGate models may be supported on specific FortiExplorer versions.

FortiOS 5.4.5 support Product Integration and Support

FortiExplorer iOS	l 1.0.6 and later Some FortiGate models may be supported on specific FortiExplorer iOS versions.
FortiExtender	l 3.0.0 l 2.0.2 and later
AV Engine	l 5.247
IPS Engine	l 3.311
Virtualization Environments
Citrix	l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM	l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft	l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source	l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware	l ESX versions 4.0 and 4.1 l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5
VM Series – SR-IOV	The following NIC chipset cards are supported: l Intel 82599 l Intel X540 l Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language	GUI
English	✔
Chinese (Simplified)	✔
Chinese (Traditional)	✔
French	✔
Japanese	✔
Korean	✔
Portuguese (Brazil)	✔
Spanish (Spain)	✔

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System

Installer

Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN support Product Integration and Support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Product	Antivirus		Firewall
Symantec Endpoint Protection 11	✔		✔

Supported operating systems and web browsers

Operating System	Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) Microsoft Windows 8 / 8.1 (32-bit & 64-bit)	Microsoft Internet Explorer version 11 Mozilla Firefox version 53 Google Chrome version 58
Microsoft Windows 10 (64-bit)	Microsoft Edge Microsoft Internet Explorer version 11 Mozilla Firefox version 53 Google Chrome version 58
Linux CentOS 6.5 / 7 (32-bit & 64-bit)	Mozilla Firefox version 53
Mac OS 10.11.1	Apple Safari version 9 Mozilla Firefox version 53 Google Chrome version 58
iOS	Apple Safari Mozilla Firefox Google Chrome
Android	Mozilla Firefox Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

SSL VPN

Product	Antivirus	Firewall
Kaspersky Antivirus 2009	✔
McAfee Security Center 8.1	✔	✔
Trend Micro Internet Security Pro	✔	✔
F-Secure Internet Security 2009	✔	✔

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product	Antivirus	Firewall
CA Internet Security Suite Plus Software	✔	✔
AVG Internet Security 2011	✔	✔
F-Secure Internet Security 2011	✔	✔
Kaspersky Internet Security 2011	✔	✔
McAfee Internet Security 2011	✔	✔
Norton 360™ Version 4.0	✔	✔
Norton™ Internet Security 2011	✔	✔
Panda Internet Security 2011	✔	✔
Sophos Security Suite	✔	✔
Trend Micro Titanium Internet Security	✔	✔
ZoneAlarm Security Suite	✔	✔
Symantec Endpoint Protection Small Business Edition 12.0	✔	✔

Resolved Issues

The following issues have been fixed in version 5.4.5. For inquires about a particular bug, please contact CustomerService & Support.

AntiVirus

Bug ID	Description
392200	Encrypted archive log is generated even though the function archive-log in antivirus profile is unset.

DLP

Bug ID	Description
379911	DLP filter order is not applied to encrypted files.

Firewall

Bug ID	Description
304276	Policy real time view shows incorrect statistic in session offload to np6.
378482	TCP/UDP traffic fais when NAT/UTM is enabled on FGT-VM in KVM.
395241	After IPS is enabled on LB-VIP policy, this message displays: ipsapp session open failed: all providers busy.
402158	Some policy settings are not installed in complex sessions.
416111	FQDN address is unresolved in a VDOM although the URL is resolved with IP.

GUI

Bug ID	Description
283682	Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
356998	urlfilter list re-order on GUI does not work.
371149	30D GUI should support FortiSwitch controller feature when CLI supports it.
372898	User group name should escape XSS script at UserGroups page.
Bug ID	Description
374166	Using Edge cannot select the firewall address when configuring a static route.
374350	Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard.
378428	FortiGate logs a connection of category deny (red sign) even though traffic is allowed through policy.
379331	DHCP Monitor page does not fully display the page selector pane.
384532	Cannot set IPsec vpn xauth user group inherit from policy in GUI when setting xauthtype auto server.
385482	Webui loads indefinitely when accessing a none access webpage from custom admin profile.
386285	GUI Wizard fails to create FortiClient Dialup IPsec VPN if HA is enabled.
386849	When editing IPsec tunnel, Accessible Networks field cannot load if there is nested address group.
387640	Duplicate entry found when auto generate guest user.
388454	GUI failures when FSSO group contains an apostrophe.
394067	Improve displaying the warning: File System Check Recommended.
395711	pyfcgid takes 100% of CPU when managed switch page displayed.
396430	CSRF token is disclosed in several URLs.
401247	Cannot nest service group within another service group through GUI.
409104	Fix virtual-wire wildcard VLANs not handling u-turn traffic properly.
421918	HTTPSD debug improvement.

Bug ID	Description
373200	Quick failover occurs when enabling portmonitor.
382798	Master unit delay in sending heartbeat packet.
386434	HA configuration and VLAN interface disappear from config after reboot.
Bug ID	Description
396938	Reboot of FGT HA cluster member with redundant HA management interface deletes HA configuration.
397171	FIB of VDOMs in vcluster2 is not synced to the slave.
404736	SCTP synchronized sessions in HA cluster, when one reboots the master, the traffic is interrupted.
404874	Some commands for HA in diag debug report and exec tac report need to be updated.
408167	Heartbeat packets broadcast out of ports not configured as HB ports, even though the HB ports are directly connected.

Bug ID	Description
377255	Can’t read UTM details on log panel when set location to FortiAnalyzer.
377733	Results/Deny All filter does not return all required/expected data.

IPsec VPN

Bug ID	Description
356330	Cross NP6-Chip IPsec traffic does not work in SLBC environment.
374326	Accept type: Any peerID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
386802	Unable to establish phase 2 when using address group/group object as quick mode selectors.
392097	3DES encryption susceptible to Sweet32 attack.
395044	OSPF over IPsec IKEv2 with dialup tunnel does not work as for IKEv1.
397386	Slave worker blades attempt to establish site to site IPsec VPN tunnel.
409050	unregister_netdevice messages appears on console when CAPWAP message is transmitted over IPsec tunnel.
411682	ADVPN failover does not update rtcache entry.
412987	IPsec VPN certificate not validated against PKI user’s CN and Subject.

Logging & Report

Bug ID	Description
386742	Missing deny traffic log when user traffic is blocked by NAC quarantine.
397702	Add kernel related log messages for protocol attacks.
397714	Need a fill log disk utility to assist with CC testing.
398802	Forward traffic log shows dstintf=unknown-0 after enabling antivirus.
401511	FortiGate Local Report showing incorrect Malware Victims and Malware Sources.
402712	Username truncated in Webfilter & DLP logs.
406071	DNS filtering shows error: all Fortiguard SDNS servers failed to respond.
417128	Syslog message are missed in Fortigate.
421062	FortiGate 60E stopped sending logs to FortiAnalyzer when reliable enabled.

Router

Bug ID	Description
373892	ECMP(BGP) routing failover time.
374306	Number of concurrent sessions affect the convergence time after HA failover.
383013	Message ha_fib_rtnl_hdl: msg truncated, increase buf size showing up on console.
385264	AS-override has not been applied in multihop AS path condition.
392250	BGP session not establishing with Cisco Nexus.
393623	Policy routing change not is not reflected.
397087	VRIP cannot be reached on 51E when it is acting as VRRP master.
399415	Local destined IPv6 traffic matched by PBR.
405408	FortiGate creates corrupted OSPF LS Update packet when certain number of networks is propagated.
421151	ICMP redirect received in root affects another VDOM’s route gateway selection.

SSL VPN

Bug ID	Description
370986	SSL VPN LDAP user password renew doesn’t work when two factor authentication is enabled.
375827	SSL VPN web mode get Access denied to FOS 5.4.1 GA B1064 under VDOM.
375894	SSL VPN web mode access FMG B1066/FAZ B1066 error.
387276	SSL VPN should support Windows 10 OS check.
389566	“AltGr” key does not work when connecting to RDP-TLS server through SSL VPN web portal from IE 11.
394272	SSL VPN proxy mode can’t proxy some web server URL normally.
395497	https-redirect for SSL VPN does not support realms.
396932	Some web sites not working over web SSL VPN.
399711	SSL VPN does not decode hostcheck string properly for latest FortiClient.
399784	URL modified incorrectly for a dropdown in application server.
402743	User peer causes SSL VPN access failure even though user group has no user peer.
405799	AV breaks login to OWA via SSL VPN web mode.
406028	Citrix with Xenapp 7.x not working via SSL VPN web portal.
408624	SSL VPN certificate UPN+LDAP authentication works only on first policy.
423452	Citrix Xenapp not working properly via SSL VPN web portal.

System

Bug ID	Description
182287	Implementation for check_daemon_enable() is not efficient.
283952	VLAN interface Rx bytes statistics higher than underlying aggregate interface.
302722	Using CLI #get system hardware status makes CLI hang.
306041	SSH error Broken pipe on client when using remote forwarding and SSH deep packet option log port fwd is enabled.

Bug ID	Description
354490	False positive sensor alarms in Event log.
355256	After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.
375798	Multihoming SCTP sessions are not correctly offloaded.
376423	Sniffer is not able to capture ICMPv6 packets with Hop-by-Hop option when using filter icmp6.
377192	DHCP request after lease expires is sent with former unicast IP instead of 0.0.0.0 as source.
378364	L2TP over IPsec tunnel cannot be established in FortiGate VM.
379883	Link-monitor doesn’t remove the route when it is in “die” state.
381363	Empty username with Radius 802.1x WSSO authentication.
382657	ICMP Packets bigger than 1418 bytes are dropped when offloading for IPsec tunnel is enabled. Affected models: FG-30D, FG-60D, FG-70D, FG-90D, FG-90D-POE, FG-94D, FG-98D, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FWF-30D, FWF-60D, FWF-90D, FWF-90D-POE.
383126	50E/51E TP mode – STP BPDU forwarding destined to 01:80:c2:00:00:00 has stopped after warm/cold reboot.
385455	Inconsistent trusted host behavior.
385903	Changing allowedaccess on FG-200D hardware switch interfaces causes hard-switch to stop functioning.
386271	On FWF-90D after enabling IPS sensor with custom sig, in 60% chance need to wait for 30+ seconds to let ping packet pass.
386395	Missing admin name in system event log related to admin NAC quarantine.
388971	Insufficient guard queue size when sending files to FSA.
389407	High memory usage for radvd process.
389711	Suggest asic_pkts/asic_bytes counter in diagnose firewall iprope show should remain after FortiGate reboot.
391168	Delayed Gratuitous ARP during SLBC Chassis Fail-back.
391460	FortiGuard Filtering Services Availability check is forever loading.

Bug ID	Description
392655	Conserve mode – 4096 SLAB leak suspected.
393275	VDOM admin forced change password while there is other login session gets The name is a reserved keyword by the system.
393343	Remove botnet filter option if interface role is set to LAN.
394775	GUI not behaving properly after successful upload of FTK200CD file.
395039	Loopback interface: Debug Flow and logs do not show the usage of firewall policy ID.
396018	Backup slave member of a redundant interface accept and process incoming traffic.
397984	SLBC – FIB sync may fail if there is a large routing table update.
398852	UDP jumbo frames arrives fragmented on a 3600C are blocked when acceleration is enabled.
399364	VDOM config restore fails for GRE interface bound to IPsec VPN interface.
399648	LAN ports status is up after reboot even if administrative status is down on FG-30D.
400907	Ethernet Ports Activity LED doesn’t light for shared copper ports.
401360	LDAP group query failed when the fixed length buffer overflows.
402742	VDOM list page does not load.
403532	FG-100D respond fragmented ICMP request with non-fragmented reply right after factory reset.
403724	Real number of FortiToken supported doesn’t match tablesize on some platforms.
403937	High memory on VSD.
404258	L2TP second user cannot connect to FG-600D via a router (NAPT).
404480	Link-monitor is not detecting the server once it becomes available.
405234	Unable to load application control replacement message logo and image in explicit proxy (HTTPS).
405757	Interface link not coming up when FortiGate interface is set to 1000full.
406071	DNS Filtering showing error all Fortiguard SDNS servers failed to respond.
Bug ID	Description
406519	Administrative users assigned to prof_admin profile do not have access to diagnose CLI command.
406689	Autoupdate schedule time is reset after rebooting.
406972	Device become unresponsive for 30 min. during IPS update when cfg-save option is set to manual.
409828	Cisco switches don’t discover FortiGate using LLDP on internalX ports.
410463	SNMP is not responding when queried on a loopback IP address with an asymmetric SNMP packet path.
410901	PKI peer CA search stops on first match based on CA subject name.
411432	scanunitd gets high CPU when making configuration changes.
411433	voipd shows high CPU when making configuration changes.
411685	If IPPool is enabled in the firewall policy, offloaded traffic to NP6 is encrypted with a wrong SPI.
414243	DNS Filter local FortiGuard SDNS servers failed to respond due to malformed packet.
416678	FG101E/100E has reports of firewall lockups in production.
418205	High CPU utilization after upgrade from FortiOS 5.2.10 to 5.4.4.
420170	Skip the rating for dynamic DNS update type queries.

Web Filter

Bug ID	Description
188128	For the Flowbase web filter, the CLI command set https-replacemsg disable does not work.

WebProxy

Bug ID	Description
376808	Explicit proxy PAC File distribution in FortiOS 5.4.x not working properly.
383817	WAD crashes with a signal 11 (segmentation fault) in wad_port_fwd_peer_shutdown and wad_http_session_task_end.
389863	Signal 11 WAD and HTTPSD processes, and GUI not accessible.
Bug ID	Description
398052	WAD session leak.
398405	WAD crashes without backtrace.
400454	Improve WAD debug trace and crash log information.
402155	WAS crashes with signal 6 in wad_authenticated_user_authenticate after upgrade to 5.4.3.
402778	WAD does not authorize user if it belongs to more than 256 usergroups with Kerberos authentication.
405264	WAD crash when flush FTP over HTTP traffic.
408503	Cannot access websites when SSL Inspection is set to Inspect All Ports with Proxy Option enabled only for HTTP(ANY).
412462	Fortinet-Bar does not show up on iPhone with iOS 10.2.1 Safari and Google Chrome 57.0.2987.100.
415918	Explicit proxy users are disconnected once a VDOM is created / removed.
421092	WAD consuming memory when explicit webproxy is used.

WiFi

Bug ID	Description
387146	Wireless client RSSO authentication fails after reconnection to AP.

Common Vulnerabilities and Exposures

FortiOS 5.4.5 is no longer vulnerable to the following CVE references. For more information, see https://fortiguard.com/psirt.

Bug ID	CVE references
421739	l CVE-2017-7734 l CVE-2017-7735

Known Issues

The following issues have been identified in version 5.4.5. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID	Description
374969	FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).

Bug ID	Description
304199	Using HA with FortiLink can encounter traffic loss during failover.

Endpoint Control

Bug ID	Description
374855	Third party compliance may not be reported if FortiClient has no AV feature.
375149	FortiGate does not auto update AV signature version while Endpoint Control is enabled.
391537	Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID	Description
364589	LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID	Description
385860	FortiGate-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID	Description
375246	invalid hbdev dmz may be received if the default hbdev is used.

FortiSwitch-Controller/FortiLink

Bug ID	Description
357360	DHCP snooping may not work on IPv6.
369099	FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.
374346	Adding or reducing stacking connections may block traffic for 20 seconds.

FortiView

Bug ID	Description
368644	Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350	Threat view: Threat Type and Event information is missing in the last level of the threat view.
372897	Invalid -4 and invalid 254 is shown as the submitted file status.
373142	Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375172	FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
375187	Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID	Description
289297	Threat map may not be fully displayed when screen resolution is not big enough.
297832	Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388	The Select window for remote server in remote user group may not work as expected.
365223	CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
365317	Unable to add new AD group in second FSSO local polling agent.
365378	You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069	Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155	There is no Archived Data tab for email attachment in the DLP log detail page.

Known Issues

	Bug ID		Description
	372908		The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
	372943		Explicit proxy policy may show a blank for default authentication method.
	374081		wan-load-balance interface may be shown in the address associated interface list.
	374162		GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
	374224		The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
	374320		Editing a user from the Policy list page may redirect to an empty user edit page.
	374322		Interfaces page may display the wrong MAC Address for the hardware switch.
	374373		Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
	374397		Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
	374521		Unable to Revert revisions in GUI.
	374525		When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
	375346		You may not be able to download the application control packet capture from the forward traffic log.
	373363		Multicast policy interface may list the wan-load-balance interface.
	373546		Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
	374363		Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
	375036		The Archived Data in the SnifferTraffic log may not display detailed content and download.
	375227		You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
	375259		Addrgrp editing page receives a js error if addrgrp contains another group object.
	375369		May not be able to change IPsec manualkey config in GUI.
	375383		Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
Bug ID		Description
379050		User Definition intermittently not showing assigned token.
421423		Cannot download certificate in Security Profiles > SSL/SSH Inspection. Workaround: Go to System > Certificates to download.

Bug ID	Description
399115	ID for the new policy (when using edit 0) is different on master and on slave unit.

IPsec

Bug ID

Description

393958

Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.

435124

Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

Router

Bug ID	Description
299490	During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID	Description
303661	The Start Tunnel feature may have been removed.
304528	SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644	SSL VPN tunnel mode Fortinet bar may not be displayed.
375137	SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
382223	SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.

Known Issues

System

Bug ID	Description
284512	When using the Dashboard Interface History widget, the httpds process uses excessive memory and then crashes.
287612	Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708	nturbo may not support CAPWAP traffic.
295292	If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199	FortiLink traffic is lost in HA mode.
364280	User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320	show system interface may not show the Port list in sequential order.
372717	Option admin-https-banned-cipher in sys global may not work as expected.
392960	FOS support for V4 BIOS.
424215	FG-80C halts during boot after upgrade from 5.2.10 to 5.4.4.

Upgrade

Bug ID	Description
269799	Sniffer config may be lost after upgrade.
289491	When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID	Description
374138	FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

Bug ID	Description
364280	ssh-dss may not work on FGT-VM-LENC.

WiFi

Bug ID

Description

434991

WTP tablesize limitation cause WTP entry to be lost after upgrade from v5.4.4 to 5.4.5.

Affected models: FG-30D, FG-30D-POE, FG-30E, FWF-30D, FWF-30D-POE, FWF-30E.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

XenTools installation is not supported.
FortiGate-VM can be imported or deployed in only the following three formats:
XVA (recommended) l VHD l OVF
The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.