FortiOS 5.6 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.0 build 1449:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.0 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG50E, FG-51E, FG-52E, FG-60D, FG-60E, FG-61E, FG-70D, FG-70D-POE, FG-80C,

FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF,

FG-101E, FG-140D, FG-140D-POE, FG- 200D, FG-200D-POE, FG-240D, FG-240D-

POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C,

FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-

3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-

3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-

POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60E, FWF-61E,

FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.0 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.0                                                                                                                Introduction

What’s new in FortiOS 5.6.0

For a list of new features and enhancements that have been made in FortiOS 5.6.0, see the What’s New for FortiOS 5.6.0 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.0

FortiOS version 5.6.0 officially supports upgrading from version 5.4.3 and 5.4.4.

Security Fabric Upgrade

FortiOS 5.6.0 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.0 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths l Client-side web filtering when on-net

  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.0, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec, VPN, or SSL VPN) connections to FortiOS 5.6.0, but not for Security Fabric functions.

Upgrade Information                                                                                          FortiGate-VM 5.6 for VMware ESXi

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.0 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 5.6.0 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

FortiGate VM firmware                                                                                                            Upgrade Information

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.0 support

The following table lists 5.6.0 product integration and support information:

Web Browsers l Microsoft Edge 25 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 46 l Google Chrome version 50 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 25 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 45 l Google Chrome version 51 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Security Fabric Upgrade on page 8. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Security Fabric Upgrade on page 8. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

See important compatibility information in Security Fabric Upgrade on page 8.

l 5.6.0

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS l 5.4.3 and later

11

FortiOS 5.6.0 support

FortiClient Android and FortiClient VPN Android l 5.4.0
FortiAP l 5.4.2 and later l 5.6.0
FortiAP-S l 5.4.3 and later l 5.6.0
FortiSwitch OS

(FortiLink support)

l 3.5.2 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0254 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender l 3.1.1
AV Engine l 5.239
IPS Engine l 3.410
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later

 

Product Integration and Support                                                                                                  Language support

Microsoft   l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source   l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware   l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV   The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language   GUI
English  
Chinese (Simplified)  
Chinese (Traditional)  
French  
Japanese  
Korean  
Portuguese (Brazil)  
Spanish (Spain)  

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Microsoft Windows 7 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Windows 10 (64-bit)

2333
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) 2333

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 52

Google Chrome version 56

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 52

Google Chrome version 56

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 52

Product Integration and Support                                                                                                  SSL VPN support

Operating System Web Browser
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 52

Google Chrome version 56

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009  
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Product Antivirus Firewall
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.0. For inquires about a particular bug, please contact CustomerService & Support.

Firewall

Bug ID Description
398673 For the NGFW_vdom, App_category, and URL_category in NGFW, action=pass firewall policy don’t work as expected.

FortiRugged 60D

Bug ID Description
375246 Invalid hbdev dmz may be received if the default hbdev is used.
FortiGate 80D  
Bug ID Description
373127 FG-80D VLAN interface does not receive packets.
FortiGate 92D  
Bug ID Description
267347 FG-92D does not support hardware switch.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control is enabled.
402054 Non-registered endpoint user is missing I understand button on the warning portal.

Resolved Issues

FortiView

Bug ID Description
372350 Threat view: Threat Type and Event information are missing at the lowest level.
373142 The filter result of Threat View may not be correct when adding a filter on a threat and threat type on the first level.
374947 FortiView may show empty country in the IPv6 traffic because country info is missing in log.

GUI

Bug ID Description
355388 The Select window for remote server in remote user group may not work as expected.
365223 CSF: downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
372943 Explicit proxy policy may show a blank for default authentication method.
373127 FG-80D VLAN interfaces may fail to pass traffic.
374146 Peer certificate may still show up when editing IPsec VPN tunnel and even when setting the authmethod pre-shared key.
374166 Using Edge cannot select the firewall address when configuring a static route.
374221 SSL VPN setting portal mapping realm field misses the / option.
374237 You may not be able to set a custom NTP server using GUI if you did not config it using CLI first.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374343 After enabling inspect-all in ssl-ssh-profile, user may not be able to modify allowinvalidserver-cert from GUI.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374371 The IPS Predefined Signature information pop up window may not be seen as it is hidden behind the Add Signature window.
374521 Unable to Revert revisions on GUI.
Bug ID Description
374326 Accept type: Any peer ID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
375020 IPsec tunnel Fortinet bar may not be displayed properly.

Resolved Issues

Bug ID Description
375255 You may not be able to quarantine the FortiClient device in FortiView because of a javascript error.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375290 Fortinet Bar may not be displayed properly.
375346 You may not be able to download the application control packet capture from the forward traffic log.
376808,

378744

The proxy.pac file is not updated according to changes from GUI.
403655 GUI has issue loading some web pages with IE 11 and Edge web browsers.
404781 Setup wizard does not work properly.
407030 Interface bandwidth widget is always loading for newly added interfaces.
407060 Some right-click menu items are missing icon on policy and firewall object list page.
407284 FortiView encounters JavaScript in non-root VDOM and FortiView from FortiAnalyzer.
408908 GUI has issue creating a site2site IPsec tunnel with authmethod psk.
409594 Unable to create VLAN interface for non-management VDOM at ‘Global’ view.

HA

Bug ID Description
409707 User cannot login to FGT after restore config in HA.

IPsec

Resolved Issues Kernel

Bug ID Description
395515 ICMP unreachable message processing causes high CPU usage in kernel and DHCP daemon.
Bug ID Description
287612 Span function of software switch may not work on FortiGate 51E or FortiGate 30E.
304482 NP6 offloading may be lost when the IPsec interface has the aes256gcm proposal.
371320 Show system interface may not show the Port list in sequential order.
371986 NP6 may have issue handling fragment packets.
372717 Admin-https-banned-cipher in sys global may not work as expected.

Log & Report

Bug ID Description
300637 MUDB logs may display Unknown in the Attack Name field under UTM logs.
367247 FortiSwitch log may not show the details in GUI, while in CLI the details are displayed.
374103 Botnet detection events are not listed in the Learning Report.
374411 Local and Learning report web usage may only report data for outgoing traffic.
401511 FortiGate local report shows incorrect malware victims and malware sources.

SSL VPN

Bug ID Description
282914 If users use SSL VPN in Web Mode, they may not be able to access a FortiGate running 5.4.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
408281 IE 11 and Safari browsers cannot load SSL VPN web portal page.
409755 iOS FortiClient 5.4.3.139 fails to connect to SSL VPN tunnel mode.

System

Resolved Issues

Bug ID Description
378870 When AV mode is flow-mode, the counters of fgAvStatsEntry cannot be counted up.
402589 Cannot forward traffic in TP VDOM with NP6Lite NPU VDOM link.
409198 System time zone may not take effect.
409203 Firewall recurring schedule does not work with time range.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

WiFi

Bug ID Description
409670 mpsk-key entries do not allow saving passphrase in encrypted format.

Common Vulnerabilities and Exposures

Bug ID Description
374501 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-0723

Visit https://fortiguard.com/psirt for more information.

378697 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-2512

Visit https://fortiguard.com/psirt for more information.

379870 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2003-1418 l 2007-6750

Visit https://fortiguard.com/psirt for more information.

383538 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-3713 l 2016-5829

Visit https://fortiguard.com/psirt for more information.

383564 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-5696

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.6.0. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Antivirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json)
Firewall  
Bug ID Description
412799 auto-asic-offload disable does not work for NGFW policy.

FortiGate 800D

Bug ID Description
404228 All the interfaces status are down except mgmt after cfg revert.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP. The workaround is to disable switch-controller-dhcpsnooping on FortiLink VLAN interfaces.

Known Issues

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
Bug ID Description
396319 For the NGFW_vdom, the application UTM log action is always PASS when firewall policy deny the traffic.

GUI

Bug ID Description
303928 After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in the GUI.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
397010 GUI does not display the App-DB and INDUSTRIAL-DB information.
413754 GUI create VDOM link on TP VDOM fails with error.
413891 In Topology > FortiAnalyzer, clicking Configure setting redirects to VDOM security fabric page.
413921 In FSSO standard mode, context menu allows you to delete ad-groups polled from CA.

HA

Bug ID Description
414336 Slave cannot sync to master with redundant interface.

Log & Report

Known Issues

Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
413778 With long VDOM names, no log is displayed when only one field subtype forward is added to traffic log filter.

Security Fabric

Bug ID Description
385341 If there are multiple FortiAPs managed, GUI cannot display managed FortiAPs in FortiView > Physical Topology page.
403085 The session tab cannot be displayed on historical page when you drill down into the members.
403229 FortiGate is unable to drill down to the final level when using FortiAnalyzer as logging device.
406561 Matching username is not highlighted in tooltip after topology search.
408495 An improper warning message may appear in the FortiAnalyzer log when changing the root FortiGate to a downstream FortiGate.
409156 An unlicensed FortiGate may be marked as Passed in Firmware & Subscriptions.
411368 Multiple MAC addresses may be displayed abnormally in Device field.
411479 The icon used to signify the souce of logs when the time range is set to now is incorrect.
411645 Drilling down to an upstream FortiGate from a downstream FortiGate may produce a blank page.
412104 The drill down for an aggregated device is not displayed as an individual device.
412249 Threats of a downstream FortiGate cannot be displayed on the root FortiGate.
412930 Security Audit Event are shown incorrectly in the security fabric child nodes.
413189 The bubble chart with FortiAnalyzer view may not be drawn correctly.
413492 CSF topology change can cause high CPU usage by miglogd on CSF root.
413742 A red circle to indicate the root node of the security fabric may be displayed on each child FortiGate.
413912 An upstream FortiGate may still be displayed incorrectly when Security Fabric is disabled on a downstream FortiGate.

Known Issues

Bug ID Description
414013 The FortiGate may produce an “Internal CLI error” on GUI when changing the logging mode from default to local.
414147 The topology fails to be updated after changing the upstream port on a child FortiGate.
414301 Security Fabric topology will not be displayed due to js error if managed FortiSwitches have redundant topology.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
396788 SSL VPN GUI is unable to keep SSO password information for user bookmark.
413758 Auto-generated SSL interface do not ‘t associate with SSLVPN_TUNNEL_ADDR1 for a long name VDOM.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
410916 FG-5001D might encounter kernel panic after set split port.
412244 Fortitoken Mobile push won’t work when VDOM is enabled.
413885 long-vdom-name is disabled after exe factoryrest2.
414482 miglogd might keep crashing if more than 50000 polices are configured.
414490 FG-101E might hang after reboot.

Known Issues

WiFi

Bug ID Description
382296 Unable to redirect HTTPS FortiGuard web filtering block page when deploying webfilter with deep inspection on IE and Firefox.
413693 WPA_Entreprise with Radius Auth mode fails with VDOM that has a long VDOM name.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

This entry was posted in FortiOS 5.6, Release Notes on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.