Deny security policies deny traffic that is coming into the network. The FortiGate unit automatically blocks traffic that is associated with a deny security policy.
Deny security policies are usually configured when you need to restrict specific traffic, for example, SSH traffic. Deny security policies can also help when you want to block a service, such as DNS, but allow a specific DNS server.
Any security policy that is automatically added by the FortiGate unit has a policy ID number of zero (0). The most common reasons the FortiGate unit creates this policy is:
This policy can appear in logs but will never appear in the security policy list, and therefore, can never be repositioned in the list.
When viewing the FortiGate firewall logs, you may find a log field entry indicating policyid=0. The following log message example indicates the log field policyid=0 in bold.
2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation pri=warning vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=17 service=137/udp app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73 dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A dst_int=”Internal” sent=0 rcvd=0 src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0
On the FortiGate unit, there are a number of protocols and traffic that is specific to the internal workings of FortiOS. For many of these traffic sources, you can identify a specific port/IP address for this self-originating traffic. The following traffic can be configured to a specific port/IP address:
Security policies control the flow of traffic through the FortiGate unit. The FortiGate unit also includes the option of controlling internal traffic, that is, management traffic.
Each interface includes an allow access configuration to allow management access for specific protocols. Local policies are set up automatically to allow all users all access. Local-in policies takes this a step further, to enable or restrict the user with that access. This also extends beyond the allow access selection.
Local-in policies are configured in the CLI with the commands:
config firewall local-in-policy edit <policy_number> set intf <source_interface> set srcaddr <source_address> set dstaddr <destination_address> set action {accept | deny} set service <service name> set schedule <schedule_name>
end
For example, you can configure a local-in policy so that only administrators can access the FortiGate unit on weekends from a specific management computer at 192.168.21.12, represented by the address object mgmtcomp1, using SSH on port 3 (192.168.21.77 represented by the address object FG-port3) using the Weekend schedule which defines the time the of access.
config firewall local-in-policy edit <1> set intf port3 set srcaddr mgmt-comp1
Security Policy 0
set dstaddr FG-port3 set action accept set service SSH set schedule Weekend
end
You can also disable a policy should there be a requirement to turn off a policy for troubleshooting or other purpose. To disable a policy enter the commands:
config firewall local-in-policy edit <policy_number> set status disable
end
Use the same commands with a status of enable to use the policy again.
It is also an option to dedicate the interface as HA management interface by using the setting: set ha-mgmt-intf-only enable
Local-in policies are also supported for IPv6 by entering the command: config firewall local-in-policy6.
While there is a section under Policy & Objects for viewing the existing Local In Policy configuration, policies cannot be created or edited here in the GUI. The Local In polices can only be created or edited in the CLI.
Now in FortiGate, there are two places that IPS can be enabled, in a firewall policy and in an interface policy. In the firewall policy implementation, IPS sensor can be configured in both CLI and GUI. When adding an IPS sensor to an interface policy it must be done through the CLI. There is no GUI input window for the “Interface Policy”. There is however, a DoS Policy section in the GUI.
In many evaluation or certification tests, FortiGate firewall is often required to log any packets dropped by the firewall. In most of cases, these packets are of invalid headers so firewall just drops them silently. It is natural to forward all these packets to IPS first so FortiGate firewall is able to generate logs for invalid packets.
Flooded, broadcast and multicast traffics do not reach any of services in the forwarding path. They can be inspected by the interface policy as long as they match the addresses defined. Potentially, L2 packets can also be sent to IPS for inspection through interface-policy, but it is not enabled in FortiOS 4.0.
IPS enabled in firewall policies can only inspect the traffic pass through FortiGate unit, not the traffic destined to FortiGate unit. Enabling IPS in interface-policy allows IPS to pick up any packet on the interface so it is able to inspect attacks targeting FGT.
| Date | Change Description |
| 2017-12-05 | Initial release. |
| 2017-12-07 | Added 443203 to Resolved Issues.
Added 463211 to Known Issues. Moved 452384 from Known Issues to Resolved Issues. Deleted Internet Explorer version 11 from Product Integration and Support. |
| 2017-12-08 | Added 443870 to Resolved Issues.
Added caution to Upgrade Information > Upgrading to FortiOS 5.6.3. |
This document provides the following information for FortiOS 5.6.3 build 1547:
l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations
For FortiOS documentation, see the Fortinet Document Library.
FortiOS 5.6.3 supports the following models.
| FortiGate | FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70DPOE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D,
FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG- 101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D, FG-200D-POE, FG- 200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600C, FG-600D, FG-800C, FG-800D, FG900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG- 3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001C, FG-5001D |
| FortiWiFi | FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE,
FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D |
| FortiGate Rugged | FGR-30D, FGR-35D, FGR-60D, FGR-90D |
| FortiGate VM | FG-SVM, FG-VM64, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-AWS,
FG-VM64-AWSONDEMAND, FG-VM64-GCP, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-KVM |
| FortiOS Carrier | FortiOS Carrier 5.6.3 images are delivered upon request and are not available on the customer support firmware download page. |
Introduction
For a list of new features and enhancements that have been made in FortiOS 5.6.3, see the What’s New for FortiOS 5.6.3 document.
FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.
FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:
FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:
config global set hw-switch-ether-filter <enable | disable>
When the command is enabled:
When the command is disabled:
CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.
Special Notices
Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.
With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.
The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.
For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.
Due to OpenSSL updates, FortiOS 5.6.3 cannot manage FortiExtender anymore. If you run FortiOS with FortiExtender, you must use a newer version of FortiExtender such as 3.2.1 or later.
FortiOS version 5.6.3 officially supports upgrading from version 5.4.5, 5.4.6, 5.6.0, 5.6.1, and 5.6.2. To upgrade from other versions, see Supported Upgrade Paths.
If you are upgrading from version 5.6.1 or 5.6.2, this caution does not apply.
Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.
After upgrading, if FortiLink mode is enabled, you must manually create an explicit firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch (such as from the FortiLink interface) to the RADIUS server through the FortiGate.
You can upgrade from the GUI or CLI. Because some configurations are not kept in the upgrade, we recommend you do a factory reset using execute factoryreset, and then reconfigure the VM.
Your original VM license is kept in the upgrade.
FortiOS 5.6.3 greatly increases the interoperability between other Fortinet products. This includes:
l FortiAnalyzer 5.6.1 l FortiClient 5.6.0 l FortiClient EMS 1.2.2 l FortiAP 5.4.2 and later l FortiSwitch 3.6.2 and later
Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.
Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.
After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.
The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:
With FortiOS 5.6.3, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.2, but not for Security Fabric functions.
Upon upgrading to FortiOS 5.6.3, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles
11
If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:
For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.3 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.
When downgrading from 5.6.3 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix XenServer and Open Source XenServer
Linux KVM
Microsoft Hyper-V
VMware ESX and ESXi
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
The following table lists 5.6.3 product integration and support information:
| Web Browsers | l Microsoft Edge 38 l Mozilla Firefox version 54 l Google Chrome version 59 l Apple Safari version 9.1 (For Mac OS X)
Other web browsers may function correctly, but are not supported by Fortinet. |
| Explicit Web Proxy Browser | l Microsoft Edge 40 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 10 (For Mac OS X)
Other web browsers may function correctly, but are not supported by Fortinet. |
| FortiManager | See important compatibility information in Security Fabric upgrade on page 9. For the latest information, see FortiManagercompatibility with FortiOS in the Fortinet Document Library.
Upgrade FortiManager before upgrading FortiGate. |
| FortiAnalyzer | See important compatibility information in Security Fabric upgrade on page 9. For the latest information, see FortiAnalyzercompatibility with FortiOS in the Fortinet Document Library.
Upgrade FortiAnalyzer before upgrading FortiGate. |
| FortiClient Microsoft
Windows |
See important compatibility information in Security Fabric upgrade on page 9.
l 5.6.1 If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate. |
| FortiClient Mac OS X | See important compatibility information in Security Fabric upgrade on page 9.
l 5.6.0 If FortiClient is managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate. |
| FortiClient iOS | l 5.4.3 and later |
| FortiClient Android and FortiClient VPN Android | l 5.4.1 and later |
| FortiAP | l 5.4.2 and later l 5.6.0 |
| FortiAP-S l 5.4.3 and later l 5.6.0 | |
| FortiSwitch OS l 3.6.2 and later
(FortiLink support) |
|
| FortiController l 5.2.5 and later
Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C. |
|
| FortiSandbox l 2.3.3 and later | |
| Fortinet Single Sign-On l 5.0 build 0264 and later (needed for FSSO agent support OU in group filters)
(FSSO) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8 FSSO does not currently support IPv6. |
|
| FortiExtender l 3.2.1 and later
See FortiExtender support on page 8. |
|
| AV Engine l 5.247 | |
| IPS Engine l 3.442 | |
| Virtualization Environments | |
| Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later | |
| Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later | |
| Microsoft l Hyper-V Server 2008 R2, 2012, and 2012 R2 | |
| Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later | |
| VMware l ESX versions 4.0 and 4.1 l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5 | |
| VM Series – SR-IOV | The following NIC chipset cards are supported:
l Intel 82599 l Intel X540 l Intel X710/XL710 |
The following table lists language support information.
Language support
| Language | GUI |
| English | ✔ |
| Chinese (Simplified) | ✔ |
| Chinese (Traditional) | ✔ |
| French | ✔ |
| Japanese | ✔ |
| Korean | ✔ |
| Portuguese (Brazil) | ✔ |
| Spanish (Spain) | ✔ |
The following table lists SSL VPN tunnel client standalone installer for the following operating systems.
Operating system and installers
| Operating System | Installer |
| Linux CentOS 6.5 / 7 (32-bit & 64-bit)
Linux Ubuntu 16.04 |
2334. Download from the Fortinet Developer Network https://fndn.fortinet.net. |
Other operating systems may function correctly, but are not supported by Fortinet.
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Supported operating systems and web browsers
| Operating System | Web Browser |
| Microsoft Windows 7 SP1 (32-bit & 64-bit)
Microsoft Windows 8 / 8.1 (32-bit & 64-bit) |
Microsoft Internet Explorer version 11
Mozilla Firefox version 54 Google Chrome version 59 |
| Microsoft Windows 10 (64-bit) | Microsoft Edge
Microsoft Internet Explorer version 11 Mozilla Firefox version 54 Google Chrome version 59 |
| Linux CentOS 6.5 / 7 (32-bit & 64-bit) | Mozilla Firefox version 54 |
| Mac OS 10.11.1 | Apple Safari version 9
Mozilla Firefox version 54 Google Chrome version 59 |
| iOS | Apple Safari
Mozilla Firefox Google Chrome |
| Android | Mozilla Firefox
Google Chrome |
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
It is recommended to verify the accuracy of the GUID for the software you are using for SSL VPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.
After verifying GUIDs, you can update GUIDs in FortiOS using this command:
config vpn ssl web host-check-software
Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.
The GUIDs in this example are only for AVG Internet Security 2017 on Windows 7 and Windows 10. The GUIDs might be different for other versions of the software and other operation systems.
To update GUIDs in FortiOS:
757AB44A-78C2-7D1A-E37F-CA42A037B368.
The following issues have been fixed in version 5.6.3. For inquires about a particular bug, please contact Customer Service & Support.
Application Control
| Bug ID | Description |
| 441996 | No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked. |
| Bug ID | Description |
| 415496 | GTPU sanity drop by gtp-in-gtp checking if GTPU payload has kind of invalid UDP header (IP fragment case). |
| 445321 | GTP, 2 cases of protocol anomaly drops to review (status=prohibited). |
DLP
| Bug ID | Description |
| 435283 | block-page-status-code doesn’t work for HTTP status code of DLP replacement message. |
| 454112 | HIBUN file with *.exe extension is detected as exe file. |
DNS Filter
| Bug ID | Description |
| 438834 | DNS filter blocks access when rating error occurs, even with allow request on rating error enabled. |
FIPS-CC
| Bug ID | Description |
| 440307 | Wildcard certificate support/handling for SAN/CN reference identifiers. |
| Firewall | |
| Bug ID | Description |
| 449195 | DNAT not working for SCTP -Multi-homing Traffic. |
FortiCarrier
FortiLink
| Bug ID | Description |
| 434470 | Explicit policy for traffic originating from interface dedicated to FortiLink. |
| 441300 | Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function. |
| 445373 | For 802.1X, FortiSwitch port disappeared after upgrading FortiGate from 5.6.0 to 5.6.1 with 802.1X enabled without security-group/user-group. |
GUI
| Bug ID | Description |
| 365378 | Cannot assign ha-mgmt-interface IP address in the same subnet as other port from the GUI. |
| 398397 | Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1. |
| 402775 | Add multiple ports and port range support in the explicit FTP/web proxy. |
| 403146 | Slow GUI Policy tab with more than 600 policies. |
| 409100 | Edit admin/user, enable FortiToken mobile, or click send activation email before saving sends empty activation code. |
| 412401 | Incorrect throughput reading in GUI-System-HA page. |
| 450919 | IPS sensor with >= 8192 signature entries should not be created from GUI. |
HA
| Bug ID | Description |
| 412652 | Unexpected behavior seen when one cluster unit has a monitored port down and another cluster unit has ping server issues. |
| 436585 | Issues with different hardware generation when operating in a HA cluster. |
| 439152 | FGSP – standalone config sync – synchronizes BGP neighbor. |
| 441716 | Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path. |
| 442085 | After HA failover, the new master unit uses an OSPF MD5 authentication encryption sequence that is lower than the previous sequence number. |
| 442663 | No NTP sync and feature license invalid at backup device in FGSP cluster. |
| 442907 | Admin password expiry calculation is 1 sec. different on master and slave which causes HA to be out of sync for about 20 mins. |
| 449147 | No security database update on slave unit in FGSP environment. |
| Bug ID | Description |
| 452052 | vcluster2’s VMAC on VLAN Interface is not persistent after vcluster1 fails over. |
| 452715 | ha-mgmt-interface on slave unit is overwritten when backed up and restored. |
| 454347 | Ping server penalties are taken into account even when they are not configured in HA settings anymore. |
| 455513 | Management VDOMs I/F address on slave is lost or sync’ed with Master’s. |
IPsec VPN
| Bug ID | Description |
| 401847 | Half of IPsec tunnels traffic lost 26 minutes after power on a spare 1500D. |
| 416102 | Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU. |
| 441267 | FortiGate static remote-gateway can change if peer sends ESP traffic with different IP address. |
| 442671 | Set broadcast-forward enable not working for IPsec interface. |
| 445657 | FortiOS Traffic Selector narrowing accepts wrong proposal. |
Log & Report
| Bug ID | Description |
| 422901 | Power disruption message when logging with prof_admin. |
| 441476 | Rolled log file is not uploaded to FTP server by max-log-file-size. |
| 443001 | Export log field descriptions for documentation. |
Proxy
| Bug ID | Description |
| 403140 | Improve filtering capabilities of LDAP search Explicit Proxy with Kerberos authentication. |
| 435332 | Keepalive Exempted HTTPs traffic keeps on kernal and proxy. |
| 441284 | www.nieporet.pl website loads very slowly in proxy mode when AV is applied. |
| 442252 | WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy. |
| 442328 | Replacement message image fails to load. |
| 443870 | Incorrect extended master secret (EMS) handling in proxy mode deep-inspection causes SSL connection failure. |
| Bug ID | Description |
| 444257 | After Upgrading from 1466 to 1484 GA, SSL Deep Inspection breaks for many SSL sites using Chrome. |
| 445312 | tcp-timewait-timer does not have any effect when WAD is running. |
| 445374 | Proxies should preserve DSCP flags. |
| 447274 | Specific web page fails to load when proxy-based AV profile is enabled on Explicit web proxy policy. |
Routing
| Bug ID | Description |
| 441506 | BGP Aggregate address results in blackhole for incoming traffic. |
Security Fabric
| Bug ID | Description |
| 409156 | In Security Fabric Audit, the unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions. |
SSL VPN
| Bug ID | Description |
| 412850 | SSL VPN portal redirect fails with a Javascript error. |
| 443203 | In SSL VPN web mode, RDP quick connect fails with domain\username format credentials via NLA. |
System
| Bug ID | Description |
| 278660 | FGT-AWSONDEMAND is unable to handle FortiCare registration |
| 290708 | nturbo may not support CAPWAP traffic. |
| 393006 | NPU offloading causes issues with Arista. |
| 404119 | FSSO is not enabled when FSSO policy was created. |
| 411415 | Update FortiOS API to remove IPS sessions in parallel with firewall sessions. |
| 414811 | Restore NIC offload capabilities on FortiGate KVM VM. |
| 420568 | fclicense daemon has several signal 11 crashes. |
| 422413 | Use API monitor to get data for FortiToken list page. |
| Bug ID | Description |
| 423332 | Merge Top3 “Improve GTP Performance” to 5.6 and 5.8. |
| 423508 | Traffic from CAPWAP is not offloading on NP6 FortiGate. |
| 437195 | GTE – PDP update request should update the associated tunnel even when two TEID’s are the same. |
| 437589 | Slow throughput on 1000D between 10G and 1G interfaces. |
| 437801 | FG-30E WAN interface MTU override drop packet issue. |
| 438405 | HRX/PKTCHK drops over NP6 with 1.5 Gbps. |
| 439126 | Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate. |
| 440412 | Added SNMP trap for per-CPU usage. |
| 440448 | FG-800C will not get IP on the LTE-modem interface using Novatel U620. |
| 440564 | After clicking the DHCP renew button, the GUI page doesn’t refresh. |
| 440850 | Latency noticed with port pair when MAC address flapping between port pair members. |
| 440923 | The FortiGate interface DHCP client does not work properly in some situations. |
| 441269 | 3600C memory leak due to IKED. |
| 441532 | Suggest to add SNMP/CLI monitoring capabilities of NP6 session table. |
| 442300 | FGT5HD kernel panic on 5.6.0-build 1449. |
| 443019 | After running for some time, the FG-30E console keep printing memory leak error messages. |
| 444090 | Cannot get SNMP values for NP6 counters. |
| 451456 | Support DHCP Option 82 on FortiGate DHCP relay – rfc3046. |
| 454939 | Virtual-wire-pair config is lost after reboot when using at least one VXLAN interface as member. |
Wireless
| Bug ID | Description |
| 414606 | CAPWAP encapsulated DNS traffic not forwarded back to IPsec tunnel. |
| 421239 | Tunnel mode SSID not working when FortiAP managed through IPsec VPN with NP6 offloading enabled. |
| 437949 | Split tunnel enhancement: set split-tunneling-acl-path [tunnel | local]. |
Common Vulnerabilities and Exposures
| Bug ID | Description |
| 442365 | FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
l 2017-7738 Visit https://fortiguard.com/psirt for more information. |
| 446892 | FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
l 2017-13077 l 2017-13078 l 2017-13079 l 2017-13080 l 2017-13081 Visit https://fortiguard.com/psirt for more information. |
| 452384 | FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
l 2017-14185 Visit https://fortiguard.com/psirt for more information. |
| 452730 | FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
l 2017-14186 Visit https://fortiguard.com/psirt for more information. |
| 453971 | FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
l 2017-14187 Visit https://fortiguard.com/psirt for more information. |
| 456392 | FortiOS 5.6.3 is no longer vulnerable to the following CVE Reference:
l 2017-13077 Visit https://fortiguard.com/psirt for more information. |
The following issues have been identified in version 5.6.3. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.
Application Control
| Bug ID | Description |
| 435951 | Traffic keeps going through the DENY NGFW policy configured with URL category. |
| 448247 | Traffic-shaper in shaping policy does not work for specific application category like as P2P. |
Authentication
| Bug ID | Description |
| 460229 | Existing terminal server sessions overridden with the last TS user that logged in. |
| AV | |
| Bug ID | Description |
| 446204 | The filename of character in Korean shows mismatch encoding type in GUI. |
FIPS-CC
| Bug ID | Description |
| 463211 | When alarm is enabled in FIPS mode, the console hangs and the getty process uses very high CPU usage. |
FortiGate 3815D
| Bug ID | Description |
| 385860 | FG-3815D does not support 1GE SFP transceivers. |
| FortiGate 500D | |
| Bug ID | Description |
| 403449 | FortiGate 500D has some issue with FINISAR transceiver. |
| Bug ID | Description |
| 356174 | FortiGuard updategrp read-write privilege admin cannot open FortiGuard page. |
| 374247 | GUI list may list another VDOM interface when editing a redundant interface. |
| 374844 | Should show ipv6 address when set ipv6 mode to pppoe/dhcp on GUI > Network >
Interfaces. |
| 375036 | The Archived Data in the Sniffer Traffic log may not display detailed content and download. |
FortiSwitch-Controller/FortiLink
| Bug ID | Description |
| 304199 | HA with FortiLink traffic loss – no virtual MAC. |
| 357360 | DHCP snooping may not work on IPv6. |
| 369099 | FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch. |
| 404399 | FortiLink goes down when connecting to ForiSwitch 3.4.2 b192. |
| 408082 | Operating a dedicated hardware switch into FortiLink changes STP from enable to disable in a hidden way. |
| 415380 | DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.
Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces. |
| 462080 | FG-300E reboots with kernel panic errors. |
FortiView
| Bug ID | Description |
| 366627 | FortiView Cloud Application may display incorrect drill down File and Session list in the Applications View. |
| 368644 | Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect. |
| 375172 | FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate. |
| 408100 | Log fields are not aligned with columns after drill down on FortiView and Log details. |
| 441835 | Drill down a auth-failed wifi client entry in “Failed Authentication” could not display detail logs when CSF enabled. |
| 442238 | FortiView VPN map can’t display Google map (199 dialup VPN tunnel). |
| 442367 | In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load. |
GUI
| Bug ID | Description |
| 375383 | If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box. |
| 422413 | Use API monitor to get data for FortiToken list page. |
| 422901 | Power disruption message when logging with prof_admin. |
| 439185 | AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer. |
| 442231 | Link cannot show different colors based on link usage legend in logical topology real time view. |
| 445113 | IPS engine 3.428 on Fortigate sometimes cannot detect Psiphon packets that iscan can detect. |
| 446756 | Guest user print template can’t display pictures while printing. |
| 451776 | Admin GUI has limit of 10 characters for OTP. |
| 459904 | Rogue AP Monitor does not show the Name of the AP in the Detected By column. |
| Bug ID | Description |
| 443418 | User is not listed in quarantine list in case block duration value is set long enough. |
| 450693 | ERR_SSL_PROTOCOL_ERROR when deep scan enabled along with IPS in policy. |
HA
| Bug ID | Description |
| 441078 | The time duration of packet-transporting process stops to pre-master node after HA failover takes too long. |
| 455284 | sshd daemon not started when just allowed ssh option on ha-mgmt-interface. |
| 457554 | FortiGate does not send syslog after ha-mgmt-interface link goes down and then up. |
| 457877 | Packets dropped with TNS session-helper enabled on FGSP cluster. |
| 458320 | Cluster uptime was not consistent. |
| 461731 | HA dedicated management port settings are modified and unreachable after restoring the configuration backup. |
| 461915 | When standalone config sync is enabled in FGSP, IPv6 setting of interface is sync’ed. |
IPS Log & Report
| Bug ID | Description |
| 412649 | In NGFW Policy mode, FortiGate does not create webfilter logs. |
| 438858 | Synchronized log destination with Log View and FortiView display source. |
Proxy
| Bug ID | Description |
| 454185 | Specific application does not work when deep inspection is enabled. |
Security Fabric
| Bug ID | Description |
| 403229 | In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic. |
| 411368 | In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field. |
| 414013 | Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging. |
SSL VPN
| Bug ID | Description |
| 405239 | URL rewritten incorrectly for a specific page in application server. |
| 441068 | SSL VPN unable to connect in tunnel mode, seeing multiple stale sessions for the same user. |
System
| Bug ID | Description |
| 295292 | If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key. |
| 364280 | ssh-dss may not work on FGT-VM-LENC. |
| 436580 | PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only. |
| 436746 | NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM. |
| 440411 | Monitor NP6 IPsec engine status. |
| 450389 | IPv6 problem with neighbor-cache. |
| Bug ID | Description |
| 451456 | DHCP Option 82 on FortiGate DHCP relay – rfc3046. |
| 457096 | FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist. |
| 459273 | Slave worker blade loses local administrator accounts. |
VM
| Bug ID | Description |
| 441129 | Certify FortiGate-VMX v5.6 with NSX v6.3 and vSphere v6.5. |
The following limitations apply to Citrix XenServer installations:
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.
This document provides the following information for FortiOS 5.4.7 build 1167:
l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations
See the Fortinet Document Library for FortiOS documentation.
FortiOS 5.4.7 supports the following models.
| FortiGate | FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,
FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG- 600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D |
| FortiWiFi | FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE |
| FortiGate Rugged | FGR-60D, FGR-90D |
| FortiGate VM | FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
FortiOS 5.4.7 supports the additional CPU cores through a license update on the following VM models: l VMware 16, 32, unlimited l KVM 16 l Hyper-V 16, 32, unlimited |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-KVM |
| FortiOS Carrier | FortiOS Carrier 5.4.7 images are delivered upon request and are not available on the customer support firmware download page. |
Introduction Supported models
The following models are released on a special branch of FortiOS 5.4.7. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1167.
| FGR-30D | is released on build 7703. |
| FGR-30D-A | is released on build 7703. |
| FGR-35D | is released on build 7703. |
| FG-30E-MI | is released on build 6465. |
| FG-30E-MN | is released on build 6465. |
| FWF-30E-MI | is released on build 6465. |
| FWF-30E-MN | is released on build 6465. |
| FWF-50E-2R | is released on build 7702. |
| FG-52E | is released on build 6445. |
| FG-60E | is released on build 6453. |
| FG-60E-POE | is released on build 6453. |
| FWF-60E | is released on build 6453. |
| FG-61E | is released on build 6453. |
| FWF-61E | is released on build 6453. |
| FG-80E | is released on build 6453. |
| FG-80E-POE | is released on build 6453. |
| FG-81E | is released on build 6453. |
| FG-81E-POE | is released on build 6453. |
| FG-90E | is released on build 6457. |
| FG-91E | is released on build 6457. |
| FWF-92D | is released on build 7701. |
| FG-100E | is released on build 6453. |
Supported models Introduction
| FG-100EF | is released on build 6453. |
| FG-101E | is released on build 6453. |
| FG-140E | is released on build 6453. |
| FG-140E-POE | is released on build 6453. |
| FG-200E | is released on build 6456. |
| FG-201E | is released on build 6456. |
| FG-300E | is released on build 4087. |
| FG-301E | is released on build 4087. |
| FG-500E | is released on build 4087. |
| FG-501E | is released on build 4087. |
| FG-2000E | is released on build 6458. |
| FG-2500E | is released on build 6458. |
| FG-3960E | is released on build 6460. |
| FG-3980E | is released on build 6460. |
| FG-5001E | is released on build 6452. |
| FG-5001E1 | is released on build 6452. |
| FG-VM64 | is released on build 6446. |
| FG-VM64-HV | is released on build 6446. |
| FG-VM64-KVM | is released on build 6446. |
| FG-VM64-OPC | is released on build 3332. |
| FG-VM64-XEN | is released on build 6446. |
| FG-VM64-AWSONDEMAND | is released on build 6446. |
| FG-VM64-AZURE | is released on build 6446. |
| FG-VM64-AZUREONDEMAND | is released on build 6446. |
Introduction What’s new in FortiOS 5.4.7
For a detailed list of new features and enhancements that have been made in FortiOS 5.4.7, see the What’s New forFortiOS 5.4.7 document available in the Fortinet Document Library.
FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate with an RSA 2048-bit key; and FortiOS supports DH group 14 for key-exchange.
For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.
To improve performance, FortiOS 5.4.6 implemented the following changes when displaying lists in Policy & Objects.
In Policy & Objects > Addresses:
In Policy & Objects > Policy lists:
In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.
Special Notices Removed SSL/HTTPS/SMTPS/IMAPS/POP3S
SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.
FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:
FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:
config system global set hw-switch-ether-filter <enable | disable>
When the command is enabled:
When the command is disabled:
CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.
CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.
FortiGate units managed by FortiManager 5.0 or 5.2 Special Notices
Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.
Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.
Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.
The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.
FortiClient (Mac OS X) SSL VPN requirements
When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.
Upon upgrading to FortiOS 5.4.7, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.
With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.
Special Notices FortiPresence
In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the
FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,
Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security
Profiles.
When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.
FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.
config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end
Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.
To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.
The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.
The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.
Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:
…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/
Use of dedicated management interfaces (mgmt1 and mgmt2) Special Notices
For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.
In 5.2, Block page was sent to client with HTTP status code 200 by default. In 5.4 and later, Block page is sent to client with a clearer HTTP status code of 403 Forbidden.
FortiOS version 5.4.7 officially supports upgrading from version 5.4.5 and later, and 5.2.11 and later.
When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.
There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.
This only applies if you are upgrading to version 5.6.0. If you are upgrading to version 5.6.1 or later, you don’t need to reconfigure IPsec settings.
If you have configured IPsec in version 5.4.7 and you upgrade to 5.6.0, you must reconfigure all IPsec phase1 psksecret settings after upgrading to 5.6.0 in order to establish an IPsec tunnel.
FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:
The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:
This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.
FortiGate-VM 5.4 for VMware ESXi Upgrade Information
Upon upgrading to FortiOS 5.4.7, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles
When downgrading from 5.4 to 5.2, users will need to reformat the log disk.
Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.
Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:
Upgrade Information FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix XenServer and Open Source XenServer
Linux KVM
Microsoft Hyper-V
VMware ESX and ESXi
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
The following table lists 5.4.7 product integration and support information:
| Web Browsers | l Microsoft Edge 38 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X)
Other web browsers may function correctly, but are not supported by Fortinet. |
| Explicit Web Proxy Browser | l Microsoft Edge 40 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58
Other web browsers may function correctly, but are not supported by Fortinet. |
| FortiManager | For the latest information, see the FortiManagerand FortiOS Compatibility.
You should upgrade your FortiManager prior to upgrading the FortiGate. |
| FortiAnalyzer | For the latest information, see the FortiAnalyzerand FortiOS Compatibility.
You should upgrade your FortiAnalyzer prior to upgrading the FortiGate. |
| FortiClient Microsoft
Windows and FortiClient Mac OS X |
l 5.4.1 and later
If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate. |
| FortiClient iOS | l 5.4.1 and later |
| FortiClient Android and FortiClient VPN Android | l 5.4.0 and later |
FortiOS 5.4.7
| FortiAP | l 5.4.1 and later l 5.2.5 and later
Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available. |
| FortiAP-S | l 5.4.1 and later |
| FortiSwitch OS
(FortiLink support) |
l 3.5.0 and later |
| FortiController | l 5.2.0 and later
Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later Supported model: FCTL-5103B |
| FortiSandbox | l 2.1.0 and later l 1.4.0 and later |
| Fortinet Single Sign-On (FSSO) | l 5.0 build 0264 and later (needed for FSSO agent support OU in group filters)
l Windows Server 2016 Server Edition l Windows Server 2016 Datacenter l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8 l 4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8 FSSO does not currently support IPv6. |
| FortiExplorer | l 2.6.0 and later.
Some FortiGate models may be supported on specific FortiExplorer versions. |
FortiOS 5.4.7 support Product Integration and Support
| FortiExplorer iOS | l 1.0.6 and later
Some FortiGate models may be supported on specific FortiExplorer iOS versions. |
| FortiExtender | l 3.0.0 l 2.0.2 and later |
| AV Engine | l 5.247 |
| IPS Engine | l 3.438 |
| Virtualization Environments | |
| Citrix | l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later |
| Linux KVM | l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later |
| Microsoft | l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016 |
| Open Source | l XenServer version 3.4.3 l XenServer version 4.1 and later |
| VMware | l ESX versions 4.0 and 4.1
l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5 |
| VM Series – SR-IOV | The following NIC chipset cards are supported:
l Intel 82599 l Intel X540 l Intel X710/XL710 |
Language
The following table lists language support information.
Language support
| Language | GUI |
| English | ✔ |
| Chinese (Simplified) | ✔ |
| Chinese (Traditional) | ✔ |
| French | ✔ |
| Japanese | ✔ |
| Korean | ✔ |
| Portuguese (Brazil) | ✔ |
| Spanish (Spain) | ✔ |
The following table lists SSL VPN tunnel client standalone installer for the following operating systems.
Operating system and installers
| Operating System | Installer |
| Linux CentOS 6.5 / 7 (32-bit & 64-bit)
Linux Ubuntu 16.04 |
2335. Download from the Fortinet Developer Network https://fndn.fortinet.net. |
Other operating systems may function correctly, but are not supported by Fortinet.
SSL VPN support Product Integration and Support
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Supported operating systems and web browsers
| Operating System | Web Browser |
| Microsoft Windows 7 SP1 (32-bit & 64-bit)
Microsoft Windows 8 / 8.1 (32-bit & 64-bit) |
Microsoft Internet Explorer version 11
Mozilla Firefox version 53 Google Chrome version 58 |
| Microsoft Windows 10 (64-bit) | Microsoft Edge
Microsoft Internet Explorer version 11 Mozilla Firefox version 53 Google Chrome version 58 |
| Linux CentOS 6.5 / 7 (32-bit & 64-bit) | Mozilla Firefox version 53 |
| Mac OS 10.11.1 | Apple Safari version 9
Mozilla Firefox version 53 Google Chrome version 58 |
| iOS | Apple Safari
Mozilla Firefox Google Chrome |
| Android | Mozilla Firefox
Google Chrome |
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
It is recommended to verify the accuracy of the GUID for the software you are using for SSLVPN host check. The following Knowledge Base article at http://kb.fortinet.com/ describes how to identify the GUID for antivirus and firewall products: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL VPN Host check.
After verifying GUIDs, you can update GUIDs in FortiOS by using this command: config vpn ssl web host-check-software
SSL VPN
Following is an example of how to update the GUID for AVG Internet Security 2017 on Windows 7 and Windows 10 by using the FortiOS CLI.
To update GUIDs in FortiOS:
4D41356F-32AD-7C42-C820-63775EE4F413
The following issues have been fixed in version 5.4.7. For inquires about a particular bug, please contact CustomerService & Support.
Common Vulnerabilities and Exposures
| Bug ID | CVE references |
| 452730 | FortiOS 5.4.7 is no longer vulnerable to the following CVE Reference: l 2017-14186
Visit https://fortiguard.com/psirt for more information. |
The following issues have been identified in version 5.4.7. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.
AntiVirus
| Bug ID | Description |
| 374969 | FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json). |
| Bug ID | Description |
| 375246 | invalid hbdev dmz may be received if the default hbdev is used. |
Endpoint Control
| Bug ID | Description |
| 374855 | Third party compliance may not be reported if FortiClient has no AV feature. |
| 375149 | FortiGate does not auto update AV signature version while Endpoint Control (fortiheartbeat) is enabled but no AV profile is used. |
| 391537 | Buffer size is too small when sending large vulnerability list to FortiGate. |
Firewall
| Bug ID | Description |
| 364589 | LB VIP slow access when cookie persistence is enabled. |
FortiGate-3815D
| Bug ID | Description |
| 385860 | FortiGate-3815D does not support 1 GE SFP transceivers. |
FortiRugged-60D
Known Issues
FortiSwitch-Controller/FortiLink
| Bug ID | Description |
| 304199 | Using HA with FortiLink can encounter traffic loss during failover. |
| 357360 | DHCP snooping may not work on IPv6. |
| 369099 | FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch. |
FortiView
| Bug ID | Description |
| 368644 | Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect. |
| 372350 | Threat view: Threat Type and Event information is missing in the last level of the threat view. |
| 373142 | Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level. |
| 375187 | Using realtime auto update may increase chrome browser memory usage. |
GUI
| Bug ID | Description |
| 289297 | Threat map may not be fully displayed when screen resolution is not big enough. |
| 297832 | Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies. |
| 355388 | The Select window for remote server in remote user group may not work as expected. |
| 365223 | In Security Fabric topology, a downstream FortiGate may be shown twice when it uses hardware switch to connect upstream. |
| 365317 | Unable to add new AD group in second FSSO local polling agent. |
| 365378 | You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI. |
| 368069 | Cannot select wan-load-balance or members for incoming interface of IPsec tunnel. |
| 369155 | There is no Archived Data tab for email attachment in the DLP log detail page. |
| 372908 | The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM. |
Known Issues
| Bug ID | Description |
| 372943 | Explicit proxy policy may show a blank for default authentication method. |
| 373363 | Multicast policy interface may list the wan-load-balance interface. |
| 373546 | Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered. |
| 374081 | wan-load-balance interface may be shown in the address associated interface list. |
| 374162 | GUI may show the modem status as Active in the Monitor page after setting the modem to disable. |
| 374224 | The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page. |
| 374320 | Editing a user from the Policy list page may redirect to an empty user edit page. |
| 374322 | Interfaces page may display the wrong MAC Address for the hardware switch. |
| 374363 | Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP. |
| 374373 | Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy. |
| 374397 | Should only list any as destination interface when creating an explicit proxy in the TP VDOM. |
| 374521 | Unable to Revert revisions in GUI. |
| 374525 | When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time. |
| 375036 | The Archived Data in the SnifferTraffic log may not display detailed content and download. |
| 375227 | You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page. |
| 375259 | Addrgrp editing page receives a js error if addrgrp contains another group object. |
| 375346 | You may not be able to download the application control packet capture from the forward traffic log. |
| 375369 | May not be able to change IPsec manualkey config in GUI. |
| 375383 | The Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface. |
| 379050 | User Definition intermittently not showing assigned token. |
Known Issues
IPsec
| Bug ID | Description |
| 393958 | Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha. |
| 435124 | Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.
Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings. |
| 439923 | IKE static tunnels using set peertype one may fail to negotiate. |
| Bug ID | Description |
| 287612 | Span function of software switch may not work on FortiGate-51E/FortiGate-30E. |
| 290708 | nturbo may not support CAPWAP traffic. |
| 295292 | If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key. |
| 304199 | FortiLink traffic is lost in HA mode. |
| 364280 | User cannot use ssh-dss algorithm to log in to FortiGate via SSH. |
| 371320 | show system interface may not show the Port list in sequential order. |
Router
| Bug ID | Description |
| 299490 | During and after failover, some multicast groups take up to 480 seconds to recover. |
SSL VPN
| Bug ID | Description |
| 303661 | The Start Tunnel feature may have been removed. |
| 304528 | SSL VPN Web Mode PKI user might immediately log back in even after logging out. |
| 374644 | SSL VPN tunnel mode Fortinet bar may not be displayed. |
| 382223 | SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”. |
System
Known Issues
| Bug ID | Description |
| 372717 | Option admin-https-banned-cipher in sys global may not work as expected. |
| 392960 | FOS support for V4 BIOS. |
| 445383 | Traffic cannot go through LACP static mode interface with NP6 offload enabled. |
Upgrade
| Bug ID | Description |
| 289491 | When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters. |
Visibility
| Bug ID | Description |
| 374138 | FortiGate device with VIP configured may be put under Router/NAT devices because of an address change. |
VM
| Bug ID | Description |
| 364280 | ssh-dss may not work on FG-VM-LENC. |
The following limitations apply to Citrix XenServer installations:
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.