FortiAP 5.4.2 Release Notes

Introduction

This document provides the following information for FortiAP version 5.4.2:

  • Supported models
  • What’s new in FortiAP 5.4.2
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues

For more information on upgrading your FortiAP device, see the Deploying Wireless Networks for FortiOS 5.4 guide in the Fortinet Document Library.

Supported models

FortiAP version 5.4.2 supports the following models:

Model support

Model: FAP-11C, FAP-14C, FAP-21D, FAP-24D, FAP-25D, FAP-112B, FAP-112D, FAP-221B, FAP-221C, FAP-222B, FAP-222C, FAP-223B, FAP-223C, FAP-224D, FAP-320B, FAP-320C, FAP-321C, FAP-CAM-214B
Build: 0354

What’s new in FortiAP 5.4.2

The following is a list of new features and enhancements in FortiAP version 5.4.2:

  • Support for DFS channels on more FAP SKUs:
      • FAP-321C-S
      • FAP-222C-K
      • FAP-221B-I, FAP-221C-I, FAP-222C-I, FAP-223C-I, FAP-320B-I, FAP-320C-I, FAP-321C-I
  • Support for 64-digit hexadecimal passphrase in WPA2-Personal SSID

The following features require FortiCloud 3.1.0:

  • OKC support for FortiCloud WPA2-Enterprise SSID with RADIUS authentication
  • Dynamic VLAN support for FortiCloud WPA2-Enterprise SSID
  • Support for time zone and daylight-saving settings from FortiCloud
  • During firmware upgrade, FAP can download the firmware image from an HTTPS server as instructed by FortiCloud.

The following features require FortiGate running FortiOS 5.6.0:

  • PMF support for local-standalone SSID with WPA2-Personal/Enterprise security
  • New security option for CAPWAP data channel: IPsec VPN

Note: FAP-320B cannot support this feature due to its flash limit.

  • Support for QoS Profile (rate limits per SSID and per client IP)
  • Add “lease-time” setting to NAT-mode local-standalone VAP

Upgrade Information

Upgrading from FortiAP version 5.4.1

FortiAP 5.4.2 supports upgrading from 5.4.1.

Downgrading to previous firmware versions

FortiAP 5.4.2 does not support downgrading to previous firmware versions.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Supported Upgrade Paths

To view all previous FortiAP versions, build numbers, and their supported upgrade pathways, see the following Fortinet Cookbook link:

http://cookbook.fortinet.com/supported-upgrade-paths-fortiap/

Product Integration and Support

FortiAP 5.4.2 support

The following table lists FortiAP version 5.4.2 product integration and support information.

FortiAP 5.4.2 support

Web Browsers:
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 41
  • Google Chrome version 47
  • Safari 8
Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS: 5.4.2 and later
FortiExplorer (Windows/MAC): 2.6.0 (model FAP-11C only)
FortiExplorer iOS: 2.0.0 (models FAP-11C, 21D, 24D, 112D, 320B, and 320C only)

Resolved Issues

The following issues have been fixed in version 5.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
206429 FAP WIDS function could not detect spoofed de-authentication attack to its operating SSID.
300277 The NAT setting in FAP was not cleared correctly when VAP configuration in FortiGate has local-standalone disabled. (FortiGate will have the fix in FortiOS 5.6.0.)
369467 In FortiCloud captive-portal SSID setup, Social Media login page might become inaccessible due to DNS load balancing or rotation.
375543 FAP reported excess event logs about operating channel and Tx Power on 2.4 GHz radio.
307852 In FAP GUI, FortiCloud Account field now allows up to 50 characters.
381375 BPDU frames got truncated by FAP LAN to tunnel SSID when CAPWAP-data is plain text.
381602 Country code “AUSTRALIA” should be supported by FAP with region code “N “.
390947 Country code “SAUDI ARABIA” should be supported by FAP with region code “E “.
382926 Country code “INDONESIA” now is supported by a new region code “F “.
380931 Schedule of local-standalone SSID did not work when FAP lost connection with FortiCloud.
374626 Memory usage of IP pool of DHCP server in NAT-mode local-standalone SSID has been improved.
369162 For dual-radio FAP platforms, when both radios have the same NAT-mode local-standalone SSID configured, they can use the same IP and subnet mask settings now.
379123 Local-standalone SSID can support pre-authentication now.
391677 FAP-320C had lower TX power than expected.
281684 FAP sometimes encountered “PN check failed” issue.
395016 FAP-320C-E 2.4 GHz Radio had inconsistent TX power when configured 1 dBm.
395010 FAP-320C-E 5 GHz Radio TX power was stuck at 0 once cwWtpd was killed.
395244 Improvement. Now FAP sends WTP ID information packet to FortiPresence Server more frequently.

389205 FortiAP 5.4.2 is no longer vulnerable to the following CVE references: 2016-6308, 2016-6307, 2016-6306, 2016-6305, 2016-6304, 2016-6303, 2016-6302, 2016-2183, 2016-2182, 2016-2181, 2016-2180, 2016-2179, 2016-2178, 2016-2177.

Visit https://fortiguard.com/psirt for more information.

Known Issues

The following issues have been identified in version 5.4.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Bug ID Description
301726 Sniffer mode does not work on 802.11ac radios. Sniffer will be stuck in INIT(0) state and no packets will be captured.
300081 FortiAPs may encounter high CPU usage intermittently after a FortiGate wireless controller pushes a local-authentication virtual AP (VAP) configuration to them.
245323 Spectrum analysis may result in high CPU usage on some FortiAP models including the FAP-221B, FAP-223B, and FAP-221C.
236312 Split-tunneling SSIDs do not support VLANs.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
