Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Load balancing diagnose commands

You can also use the following diagnose commands to view status information for load balancing virtual servers and real servers:

diagnose firewall vip realserver {down | flush | healthcheck | list | up}

diagnose firewall vip virtual-server {filter | log | real-server | session | stats}

For example, the following command lists and displays status information for all real servers:

diagnose firewall vip virtual-server real-server

vd root/0 vs vs/2 addr 10.31.101.30:80 status 1/1
conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0
vd root/0 vs vs/2 addr 10.31.101.20:80 status 1/1
conn: max 0 active 0 attempts 0 success 0 drop 0 fail 0

Many of the diagnostic commands involve retrieving information about one or more virtual servers. To control which servers are queried you can define a filter:

diagnose firewall vip virtual-server filter <filter_str>

Where <filter_str> can be:

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the vip name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

 

Logging Diagnostics

The logging diagnostics provide information about two separate features:

diagnose firewall vip virtual-server log {console | filter}

Where

  • console {disable | enable} enables or disables displaying the event log messages generated by virtual server traffic on the console to simplify debugging.
  • filter sets a filter for the virtual server debug log.

The filter option controls what entries the virtual server daemon will log to the console if diagnose debug application vs level is non-zero. The filtering can be done on source, destination, virtual-server name, virtual domain, and so on:

diagnose firewall vip virtual-server log filter <filter_str>

Where <filter_str> can be

  • clear erase the current filter
  • dst the destination address range to filter by
  • dst-port the destination port range to filter by
  • list display the current filter
  • name the virtual-server name to filter by
  • negate negate the specified filter parameter
  • src the source address range to filter by
  • src-port the source port range to filter by
  • vd index of virtual domain. -1 matches all

The default filter is empty so no filtering is done.

 

Real server diagnostics

Enter the following command to list all the real servers:

diag firewall vip virtual-server real-server list

In the following example there is only one virtual server, called slb, and it has two real servers:

diag firewall vip virtual-server real-server list

vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1
conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0 http: available 0 total 0
vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1
conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0 http: available 1 total 1

The status indicates the administrative and operational status of the real-server.

  • max indicates that the real server will only allow 10 concurrent connections.
  • active is the number of current connections to the server.
  • attempts is the total number of connections attempted.
  • success is the total number of connections that were successful.
  • drop is the total number of connections that were dropped because the active count hit max.
  • fail is the total number of connections that failed to complete due to some internal problem (for example, lack of memory).

If the virtual server has HTTP multiplexing enabled, the HTTP section indicates how many established connections to the real server are available to service an HTTP request, and also the total number of connections.
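The real-server diagnose output above is what an operator would poll when checking whether a backend is actually taking traffic. The following parser is an added example (not FortiOS code and not from the handbook): it turns the "vd ... / conn: ..." line pairs into records and reports the conditions worth alerting on (operationally down, at max-connections, drops, internal failures). The sample output is constructed from the two lines shown above plus a third, made-up server with status 1/0 and non-zero drop and fail counters; the reading of "status A/B" as administrative/operational is taken from the description above and is an assumption about the field order.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two real servers shown in the page plus a third
# (10.31.101-style addresses replaced by the page's 172.16.67.x) that is
# admin-up but operationally down and has been refusing connections.
SAMPLE_OUTPUT = """\
vd root/0 vs slb/2 addr 172.16.67.191:80 status 1/1
conn: max 10 active 0 attempts 0 success 0 drop 0 fail 0 http: available 0 total 0
vd root/0 vs slb/2 addr 172.16.67.192:80 status 1/1
conn: max 10 active 1 attempts 4 success 4 drop 0 fail 0 http: available 1 total 1
vd root/0 vs slb/2 addr 172.16.67.193:80 status 1/0
conn: max 10 active 10 attempts 40 success 25 drop 12 fail 3
"""

HEADER_RE = re.compile(
    r"^vd (?P<vdom>\S+)/(?P<vd_index>\d+) vs (?P<vs>\S+)/(?P<vs_index>\d+) "
    r"addr (?P<ip>[\d.]+):(?P<port>\d+) status (?P<admin>\d)/(?P<oper>\d)$"
)
CONN_RE = re.compile(
    r"^conn: max (?P<max>\d+) active (?P<active>\d+) attempts (?P<attempts>\d+) "
    r"success (?P<success>\d+) drop (?P<drop>\d+) fail (?P<fail>\d+)"
    r"(?: http: available (?P<http_avail>\d+) total (?P<http_total>\d+))?$"
)


@dataclass
class RealServerStatus:
    vdom: str
    vs: str
    ip: str
    port: int
    admin_up: bool      # assumption: first digit of "status" is administrative
    oper_up: bool       # assumption: second digit is operational (health check)
    max_conn: int
    active: int
    attempts: int
    success: int
    drop: int
    fail: int
    http_available: Optional[int]   # only present with HTTP multiplexing
    http_total: Optional[int]


def parse_real_servers(text: str) -> List[RealServerStatus]:
    """Pair every 'vd ...' header line with the 'conn:' line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    servers = []
    i = 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        if not h:
            raise ValueError(f"unexpected header line: {lines[i]!r}")
        if i + 1 >= len(lines) or not (c := CONN_RE.match(lines[i + 1])):
            raise ValueError(f"header {lines[i]!r} is not followed by a conn: line")
        servers.append(RealServerStatus(
            vdom=h["vdom"], vs=h["vs"], ip=h["ip"], port=int(h["port"]),
            admin_up=h["admin"] == "1", oper_up=h["oper"] == "1",
            max_conn=int(c["max"]), active=int(c["active"]),
            attempts=int(c["attempts"]), success=int(c["success"]),
            drop=int(c["drop"]), fail=int(c["fail"]),
            http_available=int(c["http_avail"]) if c["http_avail"] else None,
            http_total=int(c["http_total"]) if c["http_total"] else None,
        ))
        i += 2
    return servers


def findings(servers: List[RealServerStatus]) -> List[str]:
    """Conditions an operator would want surfaced from a single poll."""
    out = []
    for s in servers:
        label = f"{s.vs} {s.ip}:{s.port}"
        if s.admin_up and not s.oper_up:
            out.append(f"{label}: operationally down (health check failing)")
        if s.max_conn and s.active >= s.max_conn:
            out.append(f"{label}: at max-connections ({s.active}/{s.max_conn})")
        if s.drop:
            out.append(f"{label}: {s.drop} connections dropped at max-connections")
        if s.fail:
            out.append(f"{label}: {s.fail} connections failed internally")
    return out


if __name__ == "__main__":
    for line in findings(parse_real_servers(SAMPLE_OUTPUT)):
        print(line)
```

A cumulative counter such as drop or fail only tells you that something happened since the counters were last reset, so in practice you would poll twice and alert on the delta.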


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Monitoring load balancing

From the web-based manager you can go to Monitor > Load Balance Monitor to monitor the status of configured virtual servers and real servers and to start or stop the real servers. You can also use the get test ipldb command from the CLI to display similar information.

For each real server the monitor displays health status (up or down), active sessions, round trip time and the number of bytes of data processed. From the monitor page you can also stop sending new sessions to any real server. When you select to stop sending sessions, the FortiGate unit performs a graceful stop by continuing to send data for sessions that were established or persistent before you selected stop. However, no new sessions are started.

 

Virtual Server

The IP addresses of the existing virtual servers.

 

Real Server

The IP addresses of the existing real servers.

 

Health Status

Displays the health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.

 

Mode

The mode of the health check monitor. Can be active, standby, or disabled.

 

Monitor Events

Display each real server’s up and down times.

 

Active Sessions

Display each real server’s active sessions.

 

RTT (ms)

Displays the Round Trip Time (RTT) of each real server. By default, the RTT is “<1”. This value will change only when ping monitoring is enabled on a real server.

 

Bytes Processed

Displays the traffic processed by each real server.

 

Graceful Stop/Start

Select to start or stop real servers. When stopping a server, the FortiGate unit will not accept new sessions but will wait for the active sessions to finish.


Chapter 17 – Load Balancing

This FortiOS Handbook chapter contains the following sections: Configuring load balancing describes FortiOS server load balancing. Load balancing configuration examples describes some basic and advanced load balancing configurations.

 

New load balancing features in FortiOS 5.4

 

ChaCha20 and Poly1305 cipher suites added for SSL load balancing (264785)

FortiOS 5.4 adds support for ChaCha20 and Poly1305 for SSL load balancing (see RFC 7539 for information about ChaCha20 and Poly1305). You can use the following command to view the complete list of supported cipher suites:

config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 0
                set cipher ?

In most configurations the matching cipher suite is automatically selected.

All of these cipher suites are available to all of FortiOS’s implementations of SSL but the complete list of supported cipher suites is only viewable using the above command.

You can also use the above command to limit the set of cipher suites that are available for a given SSL offloading configuration. For example, use the following command to limit an SSL load balancing configuration to use the three cipher suites that support ChaCha20 and Poly1305:

config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 2
                set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            end
    end

Configuring load balancing

This section describes how to use the FortiOS server load balancing to load balance traffic to multiple backend servers.

You can configure FortiOS load balancing to intercept incoming traffic with a virtual server and distribute it among one or more backend real servers. By doing so, FortiOS enables multiple real servers to respond as if they were a single device or virtual server. This in turn means that more simultaneous requests can be handled by the servers.

 

Server load balancing configuration

Traffic can be balanced across multiple backend real servers based on a selection of load balancing methods, including static (failover), round robin, weighted to account for different sized servers, or based on the health and performance of the server, such as round trip time or number of connections. The load balancer can balance layer 7 HTTP, HTTPS and SSL, generic layer 4 TCP and UDP, and generic layer 3 IP protocols. Session persistence is supported based on injected HTTP/HTTPS cookies or the SSL session ID.

You can bind up to 8 real servers to one virtual server. The real server topology is transparent to end users, and the users interact with the system as if it were only a single server with the IP address and port number of the virtual server. The real servers may be interconnected by high-speed LAN or by geographically dispersed WAN. The FortiGate unit schedules requests to the real servers and makes the parallel services behind the virtual server appear to involve a single IP address.

There are additional benefits to load balancing. First, because the load is distributed across multiple servers, the service being provided can be highly available. If one of the servers breaks down, the load can still be handled by the other servers. Secondly, this increases scalability. If the load increases substantially, more servers can be added behind the FortiGate unit in order to cope with the increased load.

Load balancing and other FortiOS features

Flow-based and proxy-based security features such as virus scanning, IPS, DLP, application control, and web filtering can be applied to load balanced sessions. This includes SSL offloading and multiplexing. Applying these UTM features to load balancing traffic may reduce load balancing performance.

Authentication is not supported for load balancing sessions. Usually FortiGate load balancing is used to allow public access to services on servers protected by a FortiGate unit. Authentication is generally not required for this kind of configuration.

Features such as web proxying, web caching, and WAN optimization also do not work with load balanced sessions. However, most other features that can be applied by a security policy are supported.

 

Configuring load balancing from the web-based manager

A virtual server is a specialized firewall virtual IP that performs server load balancing. From the web-based manager you add a load balancing virtual server by going to Policy & Objects > Virtual Servers.

 

Name

Enter the name for the virtual server.

 

Type

Select the protocol to be load balanced by the virtual server. If you select a general protocol such as IP, TCP, or UDP the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as HTTP, HTTPS, or SSL you can apply additional server load balancing features such as Persistence and HTTP Multiplexing.

  • Select HTTP to load balance only HTTP sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 80 for HTTP sessions). You can also select HTTP Multiplex. You can also set Persistence to HTTP Cookie to select cookie-based persistence.
  • Select HTTPS to load balance only HTTPS sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 443 for HTTPS sessions). You can also select Multiplex HTTP requests/responses. You can also set Persistence to HTTP Cookie to select cookie-based persistence. You can also set Persistence to SSL Session ID.
  • Select IMAPS to load balance only IMAPS sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 993 for IMAPS sessions). You can also set Persistence to SSL Session ID.
  • Select POP3S to load balance only POP3S sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 995 for POP3S sessions). You can also set Persistence to SSL Session ID.
  • Select SMTPS to load balance only SMTPS sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 465 for SMTPS sessions). You can also set Persistence to SSL Session ID.
  • Select SSL to load balance only SSL sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
  • Select TCP to load balance only TCP sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
  • Select UDP to load balance only UDP sessions with destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
  • Select IP to load balance all sessions accepted by the security policy that contains this virtual server.

 

Interface

Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.

 

Virtual Server IP

The IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.

 

Virtual Server Port

Enter the external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.

 

Load Balance Method

Select the load balancing method used by the virtual server.

 

Persistence

Configure persistence to make sure that a user is connected to the same server every time they make a request that is part of the same session. Session persistence is supported for HTTP and SSL sessions.

 

HTTP Multiplexing

Select to use the FortiGate unit to multiplex multiple client connections into a few connections between the FortiGate unit and the real server.

 

Preserve Client IP

Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you want log messages on the real servers to record the client’s original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit.

This option appears only if HTTP or HTTPS is selected for Type, and is available only if HTTP Multiplexing is selected.
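With Preserve Client IP enabled, the real servers see the client address only through the X-Forwarded-For header, and that header is plain request data: anything that reaches the real server without passing through the FortiGate (or a client that sets the header itself) can put arbitrary text in it. The helper below is an added example, not FortiGate code or anything from the handbook, showing how a real server's logging layer should consume the header: trust it only when the TCP peer is the FortiGate's real-server-facing address (a constructed value here), take the rightmost syntactically valid hop, and fall back to the peer address otherwise.

```python
import ipaddress
from typing import Optional, Set

# Assumption for the example: the FortiGate reaches the real servers from
# this address. Constructed; take the real value from your own topology.
TRUSTED_PROXIES: Set[ipaddress._BaseAddress] = {ipaddress.ip_address("10.31.101.1")}


def client_ip_for_logging(peer_ip: str, xff_header: Optional[str],
                          trusted: Set[ipaddress._BaseAddress] = TRUSTED_PROXIES) -> str:
    """Return the address a real server should write to its access log.

    - If the connection did not come from a trusted proxy, X-Forwarded-For is
      untrusted input and is ignored: the peer address is logged.
    - Otherwise the rightmost well-formed entry is used, because that is the
      one added by the proxy closest to us; earlier entries could have been
      supplied by the client.
    - Entries that do not parse as IP addresses are skipped so log injection
      through the header never makes it into the log line.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            continue
    return str(peer)
```

The same rule applies to any other downstream consumer of the header (rate limiting, geo-blocking, audit trails): the value is only as trustworthy as the path it arrived on.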

 

SSL Offloading

Select to accelerate clients’ SSL connections to the server by using the Fortinet FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.

 

Certificate

Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

This option appears only if HTTPS or SSL are selected for Type, and is available only if SSL Offloading is selected.

 

Health Check

Select which health check monitor configuration will be used to determine a server’s connectivity status.

 

Configuring load balancing from the CLI

From the CLI you configure load balancing by adding a firewall virtual IP and setting the virtual IP type to server load balance:

config firewall vip
    edit Vserver-HTTP-1
        set type server-load-balance

A virtual server includes a virtual server IP address bound to an interface. The virtual server IP address is the destination address of the incoming packets to be load balanced, and the virtual server is bound to the interface that receives those packets.

For example, if you want to load balance incoming HTTP traffic from the Internet to a group of web servers on a DMZ network, the virtual server IP address is the known Internet IP address of the web servers and the virtual server binds this IP address to the FortiGate interface connected to the Internet.

When you bind the virtual server’s external IP address to a FortiGate unit interface, by default the network interface responds to ARP requests for the bound IP address. Virtual servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a real server that is actually installed on another network. In some cases you may not want the network interface sending ARP replies. You can use the arp-reply option to disable sending ARP replies:

config firewall vip
    edit Vserver-HTTP-1
        set type server-load-balance
        set arp-reply disable

The load balancing virtual server configuration also includes the virtual server port. This is the TCP port on the bound interface that the virtual server listens for traffic to be load balanced on. The virtual server can listen on any port.

 

Load balancing methods

The load balancing method defines how sessions are load balanced to real servers. A number of load balancing methods are available as listed below.

No load balancing method sends traffic to real servers that are down or not responding. However, the FortiGate unit can only determine that a real server is not responding by using a health check monitor. You should always add at least one health check monitor to a virtual server or to individual real servers; otherwise the load balancing methods may attempt to distribute sessions to real servers that are not functioning.

 

Source IP Hash

The traffic load is statically spread evenly across all real servers. However, sessions are not assigned according to how busy individual real servers are. This load balancing method provides some persistence because all sessions from the same source address always go to the same real server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution is changed and persistence could be lost.

 

Round Robin

Directs new requests to the next real server, and treats all real servers as equals regardless of response time or number of connections. Dead or non-responsive real servers are avoided.

 

Weighted

Real servers with a higher weight value receive a larger percentage of connections. Set the real server weight when adding a real server.

 

First Alive

Always directs sessions to the first alive real server. This load balancing schedule provides real server failover protection by sending all sessions to the first alive real server and if that real server fails, sending all sessions to the next alive real server. Sessions are not distributed to all real servers so all sessions are processed by the “first” real server only.

First refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, then all sessions always go to A as long as it is alive. If A goes down then sessions go to B and if B goes down sessions go to C. If A comes back up sessions go back to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. If you want to change the order you must delete and re-add real servers in the required order.

 

Least RTT

Directs sessions to the real server with the least round trip time. The round trip time is determined by a Ping health check monitor and is defaulted to 0 if no Ping health check monitors are added to the virtual server.

 

Least Session

Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing all have similar capabilities. This load balancing method uses the FortiGate session table to track the number of sessions being processed by each real server. The FortiGate unit cannot detect the number of sessions actually being processed by a real server.

 

HTTP Host

Load balances HTTP connections across multiple real servers using the request’s HTTP Host header to guide the connection to the correct real server.
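The methods listed above (first alive, round robin, weighted, least RTT, least session and source IP hash) are easier to reason about when the scheduling decision is written out. The model below is an added example, not FortiOS code: a `VirtualServer` that holds real servers in the order they were added (which is what "first" means for First Alive), skips servers that a health check has marked down or that have reached max-connections, and applies one of the page's methods. `simulate` assigns one session per source address and keeps it open, which is what makes the least-session and max-connections behaviour visible. The weights 100/100/10 used in the demo come from the UDP configuration example later on this page; everything else is constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RealServer:
    ip: str
    weight: int = 1
    max_connections: int = 0   # 0 = unlimited, as in the handbook
    alive: bool = True         # what a health check monitor reports
    active: int = 0            # sessions the FortiGate session table attributes to it
    rtt_ms: float = 0.0        # from a Ping monitor; defaults to 0 when there is none

    def accepting(self) -> bool:
        # Down servers are never used; a server at its connection limit is skipped
        # until its count drops below the limit again.
        return self.alive and (self.max_connections == 0 or self.active < self.max_connections)


class VirtualServer:
    METHODS = ("first-alive", "round-robin", "weighted", "least-session", "least-rtt", "src-ip-hash")

    def __init__(self, servers: List[RealServer], method: str):
        if method not in self.METHODS:
            raise ValueError(f"unknown method {method!r}")
        self.servers = list(servers)   # configuration order matters for first-alive
        self.method = method
        self._rr = 0                   # round-robin cursor
        self._wrr = 0                  # weighted round-robin cursor

    def candidates(self) -> List[RealServer]:
        return [s for s in self.servers if s.accepting()]

    def pick(self, src_ip: str) -> Optional[RealServer]:
        cands = self.candidates()
        if not cands:
            return None                # nothing alive: the session cannot be placed
        if self.method == "first-alive":
            return cands[0]            # all traffic to the first live server; failover on its death
        if self.method == "round-robin":
            s = cands[self._rr % len(cands)]
            self._rr += 1
            return s
        if self.method == "weighted":
            # Expand each server `weight` times and walk the expansion round-robin,
            # so a weight-100 server gets ten times the sessions of a weight-10 one.
            expanded = [s for s in cands for _ in range(max(1, s.weight))]
            s = expanded[self._wrr % len(expanded)]
            self._wrr += 1
            return s
        if self.method == "least-session":
            return min(cands, key=lambda s: s.active)   # ties go to the earlier-configured server
        if self.method == "least-rtt":
            return min(cands, key=lambda s: s.rtt_ms)
        # src-ip-hash: stateless. The same client always lands on the same server,
        # but the modulus is the *current* live set, so a membership change remaps clients.
        digest = hashlib.sha256(src_ip.encode()).digest()
        return cands[int.from_bytes(digest[:4], "big") % len(cands)]


def simulate(vs: VirtualServer, sources: List[str]) -> Dict[str, int]:
    """Place one session per source address, leave it open, and count per real server."""
    counts = {s.ip: 0 for s in vs.servers}
    for src in sources:
        s = vs.pick(src)
        if s is None:
            continue
        s.active += 1
        counts[s.ip] += 1
    return counts


def demo_weighted() -> Dict[str, int]:
    servers = [RealServer("10.31.101.30", weight=100), RealServer("10.31.101.40", weight=100),
               RealServer("10.31.101.50", weight=10)]
    # constructed client addresses; the weighted method ignores them
    return simulate(VirtualServer(servers, "weighted"), [f"198.51.100.{i % 200}" for i in range(210)])


if __name__ == "__main__":
    print(demo_weighted())
```

Note how the source IP hash method gives persistence only as long as the live set is stable; that is the reason the page recommends cookie or SSL session ID persistence for sessions that must stay on one server.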

 

Session persistence

Use persistence to make sure that a user is connected to the same real server every time they make an HTTP, HTTPS, or SSL request that is part of the same user session. For example, if you are load balancing HTTP and HTTPS sessions to a collection of eCommerce web servers, when a user is making a purchase they will be starting multiple sessions as they navigate the eCommerce site. In most cases all of the sessions started by this user during one eCommerce session should be processed by the same real server. Typically, the HTTP protocol keeps track of these related sessions using cookies. HTTP cookie persistence makes sure that all sessions that are part of the same user session are processed by the same real server.

When you configure persistence, the FortiGate unit load balances a new session to a real server according to the load balance method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server. For more information about HTTP and HTTPS persistence, see “HTTP and HTTPS persistence”.

 

Real servers

Add real servers to a load balancing virtual server to provide the information the virtual server requires to be able to send sessions to the server. A real server configuration includes the IP address of the real server and port number that the real server receives sessions on. The FortiGate unit sends sessions to the real server’s IP address using the destination port number in the real server configuration.

When configuring a real server you can also specify the weight (used if the load balance method is set to weighted) and you can limit the maximum number of open connections between the FortiGate unit and the real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to other real servers until the connection number drops below the specified limit. Setting Maximum Connections to 0 means that the FortiGate unit does not limit the number of connections to the real server.

 

Real server active, standby, and disabled modes

By default the real server mode setting is active indicating that the real server is available to receive connections. If the real server is removed from the network (for example, for routine maintenance or because of a hardware or software failure) you can change the mode to standby or disabled. In disabled mode the FortiGate unit no longer sends sessions to the real server.

If a real server is in standby mode the FortiGate also does not send sessions to it unless other real servers added to the same virtual server become unavailable. For example:

  • A virtual server includes two real servers, one in active mode and one in standby mode. If the real server in active mode fails, the real server in standby mode is changed to active mode and all sessions are sent to this real server.
  • A virtual server includes three real servers, two in active mode and one in standby mode. If one of the real servers in active mode fails, the real server in standby mode is changed to active mode and sessions are load balanced between it and the still operating real server. If both real servers in active mode fail, all sessions are sent to the real server in standby mode.

 

Adding real servers from the web-based manager

To add a real server from the web-based manager go to Policy & Objects > Real Servers.

 

Virtual Server

Select the virtual server that will send sessions to this real server.

 

IP Address

Enter the IP address of the real server.

 

Port

Enter the port number on the destination network to which the external port number is mapped.

 

Weight

Enter the weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if the associated virtual server’s load balance method is Weighted.

 

Max Connections

Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.

Setting Maximum Connections to 0 means that the FortiGate unit does not limit the number of connections to the real server.

 

HTTP Host

Enter the HTTP Host header value used for load balancing across multiple real servers. This feature is used for load balancing HTTP connections across multiple real servers using the request’s HTTP Host header to guide the connection to the correct real server, providing better load balancing for those specific connections.

 

Mode

Select a mode for the real server.

 

Adding real servers from the CLI

To add a real server from the CLI you configure a virtual server and add real servers to it. The following example adds three real servers to a virtual server that load balances UDP sessions on port 8190 using weighted load balancing. For each real server the port is not changed: the default real server port is 0, which results in the traffic being sent to the real server with destination port 8190. Each real server is given a different weight. Servers with higher weights have a max-connections limit to prevent too many sessions from being sent to them.

config firewall vip
    edit Vserver-UDP-1
        set type server-load-balance
        set server-type udp
        set ldb-method weighted
        set extip 172.20.120.30
        set extintf wan1
        set extport 8190
        set monitor ping-mon-1
        config realservers
            edit 1
                set ip 10.31.101.30
                set weight 100
                set max-connections 10000
            next
            edit 2
                set ip 10.31.101.40
                set weight 100
                set max-connections 10000
            next
            edit 3
                set ip 10.31.101.50
                set weight 10
            end
    end

 

Health check monitoring

From the FortiGate web-based manager you can go to Policy & Objects > Health Check and configure health check monitoring so that the FortiGate unit can verify that real servers are able to respond to network connection attempts. If a real server responds to connection attempts the load balancer continues to send sessions to it. If a real server stops responding to connection attempts the load balancer assumes that the server is down and does not send sessions to it. The health check monitor configuration determines how the load balancer tests the real servers. You can use a single health check monitor for multiple load balancing configurations.

You can configure TCP, HTTP and Ping health check monitors. Usually you would want the health check monitor to use the same protocol for checking the health of the server as the traffic being load balanced to it. For example, for an HTTP load balancing configuration you would normally use an HTTP health check monitor.

For the TCP and HTTP health check monitors you can specify the destination port to use to connect to the real servers. If you set the port to 0, the health check monitor uses the port defined in the real server. This allows you to use the same health check monitor for multiple real servers using different ports. You can also configure the interval, timeout and retry. A health check occurs every number of seconds indicated by the interval. If a reply is not received within the timeout period the health check is repeated every second. If no response is received after the configured number of retries, the real server is considered unresponsive, and load balancing does not send traffic to that real server. The health check monitor will continue to contact the real server and, if successful, the load balancer can resume sending sessions to the recovered real server.

The default health check configuration has an interval of 10 seconds, a timeout of 2 seconds and a retry of 3. This means that the health check monitor checks the health of a real server every 10 seconds. If a reply is not received within 2 seconds the health check monitor re-checks the server every second for 3 retries. If no response is received for 2 seconds after the final retry the server is considered unresponsive. This entire process takes a total of 7 seconds to consider a real server as unresponsive (2 second timeout + (3 re-checks x 1 second) + 2 second timeout = 7 seconds). Since this health check process is repeated every 10 seconds, a server can be down for a maximum of 10 + 7 = 17 seconds before the health check monitor considers it down.

For HTTP health check monitors, you can add a URL that the FortiGate unit connects to when sending a GET request to check the health of an HTTP server. The URL should match an actual URL for the real HTTP servers. The URL is optional.

The URL would not usually include an IP address or domain name. Instead it should start with a “/” and be followed by the address of an actual web page on the real server. For example, if the IP address of the real server is 10.31.101.30, the URL “/test_page.htm” causes the FortiGate unit to send an HTTP get request to “http://10.31.101.30/test_page.htm”.

For HTTP health check monitors, you can also add a matched content phrase that a real HTTP server should include in response to the get request sent by the FortiGate unit using the content of the URL option. If the URL returns a web page, the matched content should exactly match some of the text on the web page. You can use the URL and Matched Content options to verify that an HTTP server is actually operating correctly by responding to get requests with expected web pages. Matched content is only required if you add a URL.

For example, you can set matched content to “server test page” if the real HTTP server page defined by the URL option contains the phrase “server test page”. When the FortiGate unit receives the web page in response to the URL get request, the system searches the content of the web page for the matched content phrase.
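To make the URL, Matched Content, timeout and retry semantics concrete (this also covers the URL and Matched Content fields described further down), here is an added example in Python; it is not FortiOS code and does not reproduce the FortiGate's monitor. It starts a tiny local HTTP server that serves the page's "/test_page.htm" containing "server test page", runs a single probe the way the text describes (connect, GET the URL, look for the phrase in the body), wraps it in the retry loop, and computes the worst-case detection time with the page's own formula. Treating a non-200 response as a failed check when a URL is configured is an assumption of this example.

```python
import http.client
import http.server
import threading
import time
from typing import Callable, Optional, Tuple


class _TestPageHandler(http.server.BaseHTTPRequestHandler):
    """Constructed real server: one healthy page, 404 for everything else."""

    def do_GET(self):
        if self.path == "/test_page.htm":
            body, status = b"<html><body>server test page</body></html>", 200
        else:
            body, status = b"not found", 404
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_test_server() -> Tuple[http.server.HTTPServer, int]:
    """Bind 127.0.0.1 on an ephemeral port and serve in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _TestPageHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def http_health_check(host: str, port: int, url: Optional[str] = None,
                      matched_content: Optional[str] = None, timeout: float = 2.0) -> bool:
    """One HTTP probe, following the handbook's description.

    No URL configured: any HTTP answer within the timeout counts as healthy.
    URL configured: GET it; with Matched Content the phrase must appear in the body.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", url or "/")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
    except (OSError, http.client.HTTPException):
        return False                      # no answer within timeout = failed probe
    finally:
        conn.close()
    if url is None:
        return True
    if resp.status != 200:                # assumption: a non-200 page is not "the expected web page"
        return False
    return matched_content is None or matched_content in body


def probe_with_retries(check: Callable[[], bool], retry: int,
                       wait: Callable[[float], None] = time.sleep) -> bool:
    """Initial check plus up to `retry` re-checks, one second apart, before declaring down."""
    for attempt in range(1 + retry):
        if check():
            return True
        if attempt < retry:
            wait(1.0)
    return False


def worst_case_detection_seconds(interval: int, timeout: int, retry: int) -> Tuple[int, int]:
    """Page's arithmetic: time to declare a server down, and longest a server
    can be down before that happens (one full interval may pass first)."""
    fail_time = timeout + retry * 1 + timeout
    return fail_time, interval + fail_time


if __name__ == "__main__":
    srv, port = start_test_server()
    try:
        print("healthy:", http_health_check("127.0.0.1", port, "/test_page.htm", "server test page"))
        print("wrong phrase:", http_health_check("127.0.0.1", port, "/test_page.htm", "maintenance"))
    finally:
        srv.shutdown()
    print("defaults (10, 2, 3):", worst_case_detection_seconds(10, 2, 3))
```

Matched Content is what turns a liveness check into a correctness check: a server whose application has died but whose web server still answers with an error page passes a bare TCP or URL-only check and keeps receiving sessions.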

 

Name

Enter the name of the health check monitor configuration.

 

Type

Select the protocol used to perform the health check.

  • TCP
  • HTTP
  • PING

Port

Enter the port number used to perform the health check. If you set the Port to 0, the health check monitor uses the port defined in the real server. This way you can use a single health check monitor for different real servers.

This option does not appear if the Type is PING.

Interval

Enter the number of seconds between each server health check.

 

URL

For HTTP health check monitors, add a URL that the FortiGate unit uses when sending a get request to check the health of an HTTP server. The URL should match an actual URL on the real HTTP servers. The URL is optional.

The URL would not usually include an IP address or domain name. Instead it should start with a “/” and be followed by the address of an actual web page on the real server. For example, if the IP address of the real server is 10.10.10.1, the URL “/test_page.htm” causes the FortiGate unit to send an HTTP get request to “http://10.10.10.1/test_page.htm”.

This option appears only if Type is HTTP.

 

Matched Content

For HTTP health check monitors, add a phrase that a real HTTP server should include in response to the get request sent by the FortiGate unit using the content of the URL option. If the URL returns a web page, the Matched Content should exactly match some of the text on the web page. You can use the URL and Matched Content options to verify that an HTTP server is actually operating correctly by responding to get requests with expected web pages. Matched content is only required if you add a URL.

For example, you can set Matched Content to “server test page” if the real HTTP server page defined by the URL option contains the phrase “server test page”. When the FortiGate unit receives the web page in response to the URL get request, the system searches the content of the web page for the Matched Content phrase.

This option appears only if Type is HTTP.

 

Timeout

Enter the number of seconds which must pass after the server health check to indicate a failed health check.

 

Retry

Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.

 

Load balancing limitations

The following limitations apply when adding virtual IPs, load balancing virtual servers, and load balancing real servers. Load balancing virtual servers are actually server load balancing virtual IPs. You can add server load balance virtual IPs from the CLI.

  • Virtual IP External IP Address/Range entries or ranges cannot overlap with each other or with load balancing virtual server Virtual Server IP entries.
  • A virtual IP Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
  • A real server IP cannot be 0.0.0.0 or 255.255.255.255.
  • If a static NAT virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP Address/Range must be a single IP address.
  • If a load balance virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP Address/Range can be an address range.
  • When port forwarding, the count of mapped port numbers and external port numbers must be the same. The web-based manager does this automatically but the CLI does not.
  • Virtual IP and virtual server names must be different from firewall address or address group names.
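The limitations above can be linted before a configuration is pushed. The following Python is an added example, not FortiOS code: it turns each listed rule into a check over a constructed set of VIP definitions (the field names extip, mappedip, extport and mappedport follow the FortiOS VIP CLI; everything else is this example's own).

```python
"""Checker for the load balancing limitations listed above.

Added example, not FortiOS code: each listed limitation becomes one check
over a small, constructed set of VIP definitions, so a configuration can be
linted before it is pushed. Field names (extip, mappedip, extport,
mappedport) follow the FortiOS VIP CLI; the rest is this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = int(ipaddress.IPv4Address("0.0.0.0"))
BCAST = int(ipaddress.IPv4Address("255.255.255.255"))


@dataclass
class VirtualIP:
    name: str
    extip: str                        # "a.b.c.d" or "a.b.c.d-w.x.y.z"
    mappedip: str
    kind: str = "static-nat"          # static-nat | load-balance | server-load-balance
    extport: Optional[str] = None     # "80" or "80-81"; None means no port forwarding
    mappedport: Optional[str] = None


def ip_range(text: str) -> Tuple[int, int]:
    """Parse a single address or an 'a-b' range into integer bounds."""
    lo, _, hi = text.partition("-")
    a = int(ipaddress.IPv4Address(lo.strip()))
    b = int(ipaddress.IPv4Address(hi.strip())) if hi else a
    return (min(a, b), max(a, b))


def port_count(text: str) -> int:
    """Number of ports in '80' (1) or '80-81' (2)."""
    lo, _, hi = text.partition("-")
    return int(hi) - int(lo) + 1 if hi else 1


def overlaps(r1: Tuple[int, int], r2: Tuple[int, int]) -> bool:
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def validate(vips: List[VirtualIP], real_servers: List[str],
             address_names: Set[str]) -> List[str]:
    """Return one message per violated limitation (empty list = clean)."""
    errors: List[str] = []
    # External IP ranges (VIPs and virtual servers alike) must not overlap.
    for i, a in enumerate(vips):
        for b in vips[i + 1:]:
            if overlaps(ip_range(a.extip), ip_range(b.extip)):
                errors.append(f"{a.name}/{b.name}: external IP ranges overlap")
    for v in vips:
        ext_lo, ext_hi = ip_range(v.extip)
        map_lo, map_hi = ip_range(v.mappedip)
        if map_lo == ANY or map_hi == BCAST:
            errors.append(f"{v.name}: mapped IP cannot be 0.0.0.0 or 255.255.255.255")
        # External 0.0.0.0: static NAT needs a single mapped IP; load balance may map a range.
        if v.kind == "static-nat" and ext_lo == ext_hi == ANY and map_lo != map_hi:
            errors.append(f"{v.name}: static NAT with external IP 0.0.0.0 needs a single mapped IP")
        # The GUI equalises port counts; the CLI does not, so check it here.
        if v.extport and v.mappedport and port_count(v.extport) != port_count(v.mappedport):
            errors.append(f"{v.name}: external and mapped port counts differ")
        if v.name in address_names:
            errors.append(f"{v.name}: name collides with a firewall address or address group")
    for ip in real_servers:
        if int(ipaddress.IPv4Address(ip)) in (ANY, BCAST):
            errors.append(f"real server {ip}: IP cannot be 0.0.0.0 or 255.255.255.255")
    return errors


def demo() -> List[str]:
    """Constructed sample (TEST-NET addresses): one clean VIP plus one
    violation of each listed rule."""
    vips = [
        VirtualIP("web-vip", "192.0.2.10-192.0.2.20", "10.0.0.10-10.0.0.20", kind="load-balance"),
        VirtualIP("mail-vip", "192.0.2.15", "10.0.0.25"),                 # overlaps web-vip
        VirtualIP("bad-nat", "0.0.0.0", "10.0.0.1-10.0.0.5"),              # static NAT with a range
        VirtualIP("bad-ports", "192.0.2.30", "10.0.0.30", extport="80-81", mappedport="8080"),
        VirtualIP("servers", "192.0.2.40", "0.0.0.0"),                     # name clash, bad mapped IP
    ]
    return validate(vips, real_servers=["10.0.0.40", "255.255.255.255"],
                    address_names={"servers", "dmz-hosts"})


if __name__ == "__main__":
    for line in demo():
        print(line)
```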

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

UTM/NGFW packet flow: proxy-based inspection

If a FortiGate or VDOM is configured for proxy-based inspection then a mixture of flow-based and proxy-based inspection occurs. Packets initially encounter the IPS engine, which uses the same steps described in UTM/NGFW packet flow: flow-based inspection to apply single-pass IPS, Application Control and CASI if configured in the firewall policy accepting the traffic.

The packets are then sent to the FortiOS UTM/NGFW proxy for proxy-based inspection. The proxy first determines if the traffic is SSL traffic that should be decrypted for SSL inspection. SSL traffic to be inspected is decrypted by the proxy. SSL decryption is offloaded to and accelerated by CP8 or CP9 processors.

Proxy-based inspection extracts and caches content, such as files and web pages, from a content session and inspects the cached content for threats. Content inspection happens in the following order: VoIP inspection, DLP, AntiSpam, Web Filtering, Antivirus, and ICAP.

If no threat is found the proxy relays the content to its destination. If a threat is found the proxy can block the threat and replace it with a replacement message.

Decrypted SSL traffic is sent to the IPS engine (where IPS, Application Control, and CASI can be applied) before re-entering the proxy where actual proxy-based inspection is applied to the decrypted SSL traffic. Once decrypted SSL traffic has been inspected it is re-encrypted and forwarded to its destination. SSL encryption is offloaded to and accelerated by CP8 or CP9 processors. If a threat is found the proxy can block the threat and replace it with a replacement message.

The proxy can also block VoIP traffic that contains threats. VoIP inspection can also look inside VoIP packets and extract port and address information and open pinholes in the firewall to allow VoIP traffic through.

ICAP intercepts HTTP and HTTPS traffic and forwards it to an ICAP server. The FortiGate is the surrogate, or “middle-man”, and carries the ICAP responses from the ICAP server to the ICAP client; the ICAP client then responds back, and the FortiGate unit determines the action that should be taken with these ICAP responses and requests.

Comparison of inspection types

The tables in this section show how different security functions map to different inspection types.

Mapping security functions to inspection types

The table below lists FortiOS security functions and shows whether they are applied by the kernel, flow-based inspection or proxy-based inspection.

FortiOS security functions and inspection types

  • Firewall: kernel (stateful inspection)
  • IPsec VPN: kernel (stateful inspection)
  • Traffic Shaping: kernel (stateful inspection)
  • User Authentication: kernel (stateful inspection)
  • Management Traffic: kernel (stateful inspection)
  • SSL VPN: kernel (stateful inspection)
  • IPS: flow-based inspection
  • Antivirus: flow-based inspection, proxy-based inspection
  • Application Control: flow-based inspection
  • CASI: flow-based inspection
  • Web filtering: flow-based inspection, proxy-based inspection
  • DLP: flow-based inspection, proxy-based inspection
  • Email Filtering: proxy-based inspection
  • VoIP inspection: proxy-based inspection
  • ICAP: proxy-based inspection

More information about inspection methods

The three inspection methods each have their own strengths and weaknesses. The following table looks at all three methods side-by-side.

Inspection methods comparison

  • Inspection unit per session: Stateful = first packet; Flow = selected packets, single-pass architecture, simultaneous application of configured inspection methods; Proxy = complete content, configured inspection methods applied in order
  • Memory, CPU required: Stateful = low; Flow = medium; Proxy = high
  • Level of threat protection: Stateful = good; Flow = better; Proxy = best
  • Authentication: Stateful = yes
  • IPsec and SSL VPN: Stateful = yes
  • Antivirus protection: Flow = yes; Proxy = yes
  • Web Filtering: Flow = yes; Proxy = yes
  • Data Leak Protection (DLP): Flow = yes; Proxy = yes
  • Application control: Flow = yes
  • IPS: Flow = yes
  • Delay in traffic: Stateful = minor; Flow = no; Proxy = small
  • Reconstruct entire content: Flow = no; Proxy = yes


UTM/NGFW packet flow: flow-based inspection

Flow-based UTM/NGFW inspection identifies and blocks security threats in real time by sampling packets in a session, using a single-pass architecture that applies Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats.

If a FortiGate or a VDOM is configured for flow-based inspection, depending on the options selected in the firewall policy that accepted the session, flow-based inspection can apply IPS, Application Control, Cloud Access Security Inspection (CASI), Web Filtering, DLP, and Antivirus. Flow-based inspection is all done by the IPS engine and as you would expect, no proxying is involved.

Before flow-based inspection can be applied, the IPS engine uses a series of decoders to determine the appropriate security modules to apply, depending on the protocol of the packet and on policy settings. In addition, if SSL inspection is configured, the IPS engine also decrypts SSL packets. SSL decryption is offloaded to and accelerated by CP8 or CP9 processors.

All of the applicable flow-based security modules are applied simultaneously in one single pass, and pattern matching is offloaded and accelerated by CP8 or CP9 processors. IPS, Application Control and CASI, flow-based Web Filtering and flow-based DLP filtering happen together. CASI signatures are applied as part of application control. Flow-based antivirus caches files during protocol decoding and submits cached files for virus scanning while the other matching is carried out.

Flow-based inspection typically requires fewer processing resources than proxy-based inspection and, since it is not a proxy, it does not change packets (unless a threat is found and packets are blocked). Flow-based inspection cannot apply as many features as proxy inspection (for example, flow-based inspection does not support client comforting and some aspects of replacement messages).

IPS, Application Control, and CASI are only applied using flow-based inspection. Web Filtering, DLP and Antivirus can also be applied using proxy-based inspection.

Packet flow: FortiGates with NP6 processors – packets in an NTurbo session

If your FortiGate supports NTurbo, many flow-based UTM/NGFW sessions can be offloaded to NP6 processors.

After the first packet, subsequent packets in an offloaded flow-based UTM/NGFW session skip routing and kernel processing. Flow-based UTM/NGFW operations are still handled by the CPU, with IPSA offloading pattern matching to CP8 or CP9 processors.

If a security threat is found the session is dropped. Otherwise, packets that are not blocked by UTM/NGFW are forwarded out of the egress interfaces by the NP6 processor.

NTurbo is not compatible with DoS policies, session helpers, and most types of tunneling. If any of these features are present, flow-based UTM/NGFW sessions are not offloaded by NTurbo.

Change of FortiGuard Filtering Port to mitigate Internet link flaps

I have a friend that has some FortiGates at his business. I have been helping him troubleshoot some random WAN1 port flapping issues. Well, after doing some research and looking through the documentation I found the below from Fortinet. Guess what internet provider he uses…..you’re right….COMCRAP….I mean, Comcast.

Some modems, Comcast modems for example, are known to drop the network connection or reboot if they receive non-DNS traffic on UDP port 53, the well-known DNS port, which is also used to connect to the FortiGuard service.

An example of log messages that can be observed in logs on FortiGate is shown below:

date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"

Note that the Link Monitor feature does not need to be configured; this log message appears each time the physical link is lost.

This cause can be confirmed by connecting a switch between the FortiGate and a modem.

If the switch has logging functionality then the interface facing the FortiGate will be stable while the interface connected to a modem will be flapping.

The workaround is to use port 8888 for FortiGuard.  This can be changed from GUI or CLI.

GUI

System > FortiGuard > Filtering

Select 8888 as “FortiGuard Filtering Port”

CLI

config system fortiguard
set port 8888
end
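To confirm the flapping from the FortiGate event log before and after the port change, here is an added example (not from the post or from FortiOS) that parses the key=value log records quoted above and pairs each wan1 DOWN with the following UP. The sample log is constructed in the same format as the two lines in the post.

```python
"""Link-flap counter for the FortiOS event-log lines quoted above.

Added example, not from the post or from FortiOS: it parses the key=value
records, keeps the "Interface status changed" events and pairs each DOWN
with the following UP per interface, so flapping can be confirmed from logs
before and after the FortiGuard port change. The sample log is constructed
in the same format as the two lines in the post (last record is a
placeholder that must be ignored).
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=17:05:12 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:05:09 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"
date=2099-05-03 time=16:58:00 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface internal was turned up"
date=2099-05-03 time=12:00:00 logid=0000000000 type=event subtype=system level=information vd="root" logdesc="Constructed unrelated event" msg="placeholder record that must be ignored"
"""

# key=value pairs; values are either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IFACE_RE = re.compile(r"Interface (\S+) was turned (up|down)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one FortiOS log line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def interface_events(log_text: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, interface, UP|DOWN) for every interface status event,
    sorted oldest first (FortiGate log views usually list newest first)."""
    events: List[Tuple[datetime, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("logdesc") != "Interface status changed":
            continue
        m = IFACE_RE.search(rec.get("msg", ""))
        if not m:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(1), rec.get("status", "").upper()))
    events.sort()
    return events


def link_flaps(log_text: str, max_gap_seconds: int = 60) -> Dict[str, List[int]]:
    """Per interface, the outage length in seconds of each DOWN->UP cycle
    that completed within max_gap_seconds. Repeated short cycles on wan1
    are the flapping the post describes."""
    flaps: Dict[str, List[int]] = defaultdict(list)
    last_down: Dict[str, datetime] = {}
    for ts, iface, status in interface_events(log_text):
        if status == "DOWN":
            last_down[iface] = ts
        elif status == "UP" and iface in last_down:
            gap = int((ts - last_down.pop(iface)).total_seconds())
            if gap <= max_gap_seconds:
                flaps[iface].append(gap)
    return dict(flaps)


if __name__ == "__main__":
    for iface, gaps in link_flaps(SAMPLE_LOG).items():
        print(f"{iface}: {len(gaps)} flaps, outages {gaps} s")
```

Run it against an export taken before and after changing the FortiGuard port; a wan1 flap count that drops to zero afterwards confirms the cause.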


FortiOS 5.4.2 Release Notes

Introduction

This document provides the following information for FortiOS 5.4.2 build 1100:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.2 supports the following models.

  • FortiGate: FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-5001C, FG-5001D
  • FortiWiFi: FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D
  • FortiGate Rugged: FGR-60D, FGR-90D
  • FortiGate VM: FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
  • Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM
  • FortiOS Carrier: FortiOS Carrier 5.4.2 images are delivered upon request and are not available on the customer support firmware download page.

 

What’s new in FortiOS 5.4.2

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.2, see the What’s New for FortiOS 5.4.2 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit certificate with DH group 14.

Default log setting change

For FG-5000 blades, the log disk is disabled by default and can only be enabled via the CLI. For all 2U and 3U models (FG-3600/FG-3700/FG-3800), the log disk is also disabled by default. For all 1U models and desktop models that support a SATA disk, the log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing
  • HA failing to form
  • IPv6 packets being dropped
  • FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global
set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed
  • BPDUs are dropped and therefore no STP loop results
  • PPPoE packets are dropped
  • IPv6 packets are dropped
  • FortiSwitch devices are not discovered
  • HA may fail to form depending on the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units running 5.4.2 and managed by FortiManager 5.0 or 5.2

FortiGate units running 5.4.2 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading.

Full featured FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment needs, FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for  your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify that a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.2, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With the introduction of the Cooperative Security Fabric in FortiOS v5.4.1, FortiClient profiles on FortiGate are updated. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus, Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints if they require additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

 

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global
set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate-VMs, which remain at the self-signed option. For details on importing a CA-signed certificate, see the How to purchase and import a signed SSL certificate document.

Upgrade Information

Upgrading to FortiOS 5.4.2

FortiOS version 5.4.2 officially supports upgrading from version 5.4.0 and 5.2.7.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each supported firmware version. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later
  • FortiClient EMS 1.0.1 and later
  • FortiAP 5.4.1 and later
  • FortiSwitch 3.4.2 and later

The firmware for each product must be upgraded in a precise order so that network connectivity is maintained without the need for manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

Model-60D Boot Issue

The following 60D models have an issue upon upgrading to FortiOS 5.4.1. The second disk (flash) is unformatted and results in the /var/log/ directory being mounted to an incorrect partition used exclusively for storing the firmware image and booting.

  • FG-60D-POE
  • FG-60D
  • FWF-60D-POE
  • FWF-60D

To fix the problem:

If your FortiGate device is currently running FortiOS 5.2.7:

  1. Back up your configuration.
  2. Upgrade to 5.4.1 B5447.

If your FortiGate device is currently running FortiOS 5.4.0 or 5.4.1:

  1. Back up your configuration.
  2. Connect to the console port of the FortiGate device.
  3. Reboot the system and enter the BIOS menu.
  4. Burn the firmware image to the primary boot device.
  5. Once the system finishes rebooting, restore your configuration.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading you should review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard banner, client-based logging when on-net, and Single Sign-on Mobility Agent
  • VPN provisioning
  • Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths
  • Client-side web filtering when on-net
  • iOS and Android configuration by using the FortiOS GUI

It is recommended that FortiClient Enterprise Management Server (EMS) be used for detailed endpoint deployment and provisioning.

Unified Disk Usage

FortiOS 5.4.2 changes the disk usage behavior upon upgrading from FortiOS 5.2. The table below describes the new logging and WAN Optimization disk usage for single and two disk FortiGate devices running FortiOS 5.4.2.

Single Disk Platforms (Logging or WAN Optimization)

  • Only Logging enabled: No change.
  • Only WAN Optimization enabled: No change.
  • Both Logging & WAN Optimization enabled: Disk is reserved for logging. If WAN Optimization is configured, the WAN Optimization cache is lost.

Two Disk Platforms (First disk reserved for Logging; second reserved for WAN Optimization)

  • Only Logging enabled on the first disk: No change.
  • Only Logging enabled on the second disk: Logging is changed to the first disk. Logging data is lost on the second disk.
  • Only WAN Optimization enabled on the first disk: WAN Optimization is changed to the second disk. WAN Optimization cache is lost on the first disk.
  • Only WAN Optimization enabled on the second disk: Second disk reserved for WAN Optimization. First disk reserved for logging even when the log disk status CLI command is disabled: log-disk-status=disable.
  • Both Logging & WAN Optimization enabled: First disk reserved for logging. Second disk reserved for WAN Optimization.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.2, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles.

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

 

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

 

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

 

Product Integration and Support

FortiOS 5.4.2 support

The following table lists 5.4.2 product integration and support information:

Web Browsers                                l Microsoft Edge 25

  • Microsoft Internet Explorer 11 l Mozilla Firefox version 46 l Google Chrome version 50
  • Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by

Fortinet.

Explicit Web Proxy Browser            l Microsoft Edge 25

  • Microsoft Internet Explorer 11 l Mozilla Firefox version 45 l Apple Safari version 9.1 (For Mac OS X)
  • Google Chrome version 51

Other web browsers may function correctly, but are not supported by

Fortinet.

FortiManager                                    For the latest information, see the FortiManagerand FortiOS

Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer                                    For the latest information, see the FortiAnalyzerand FortiOS

Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Win-              5.4.1

dows and FortiClient Mac           If FortiClient is being managed by a FortiGate, you must upgrade

OS X                                            FortiClient before upgrading the FortiGate.

FortiClient iOS                                5.4.1
FortiClient Android and                   5.4.0

FortiClient VPN Android

FortiOS 5.4.2 support

FortiAP 5.4.1 5.2.5 and later

You should verify what the new FortiAP version is for your FortiAP prior to upgrading the FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the

OS Version column you will see a message reading A recommended update is available for any FortiAP that is running an earlier version than what is recommended.

FortiAP-421E and FortiAP-423E platforms only: Please call customer support for the FortiGate WiFi Controller image to manage these FortiAP models.

FortiAP-S 5.4.2 and later
FortiSwitch OS (FortiLink support) 3.4.2 and later
FortiController 5.2.0 and later (supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C); 5.0.3 and later (supported model: FCTL-5103B)
FortiSandbox 2.1.0 and later; 1.4.0 and later
Fortinet Single Sign-On (FSSO) 5.0 build 0250 and later (needed for FSSO agent support of OU in group filters): Windows Server 2008 (32-bit and 64-bit), Windows Server 2008 R2 64-bit, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, Novell eDirectory 8.8

4.3 build 0164 (contact Support for download): Windows Server 2003 R2 (32-bit and 64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Server 2008 R2 64-bit, Windows Server 2012 Standard Edition, Windows Server 2012 R2, Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer 2.6 build 1083 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS 1.0.6 build 0130 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender 3.0.0; 2.0.2 build 0011 and later

AV Engine 5.234
IPS Engine 3.294
Virtualization Environments
Citrix XenServer version 5.6 Service Pack 2, XenServer version 6.0 and later
Linux KVM RHEL 7.1/Ubuntu 12.04 and later, CentOS 6.4 (qemu 0.12.1) and later
Microsoft Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source XenServer version 3.4.3, XenServer version 4.1 and later
VMware ESX versions 4.0 and 4.1; ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0
VM Series – SR-IOV The following NIC chipset cards are supported: Intel 82599, Intel X540, Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installers for the following operating systems.

Operating system and installers

Operating System Installer
Microsoft Windows XP SP3 (32-bit), Microsoft Windows 7 (32-bit & 64-bit), Microsoft Windows 8 (32-bit & 64-bit), Microsoft Windows 8.1 (32-bit & 64-bit) 2329
Microsoft Windows 10 (32-bit & 64-bit) 2329
Linux CentOS 6.5 (32-bit & 64-bit), Linux Ubuntu 12.0.4 (32-bit & 64-bit) 2329
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) 2329

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit/64-bit): Microsoft Internet Explorer version 11; Mozilla Firefox version 46
Microsoft Windows 8/8.1 (32-bit/64-bit): Microsoft Internet Explorer version 11; Mozilla Firefox version 46
Mac OS 10.9: Safari 7
Linux CentOS version 6.5: Mozilla Firefox version 46

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009  
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Resolved Issues

The following issues have been fixed in version 5.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

FortiGate-60D

Bug ID Description
372629 Hardware issue of FG-60D cause config lost

FortiGate-80D

Bug ID Description
373153 FG-80D should support jumbo frame on new kernel
376656 FG-80D change port speed does not take effect

FortiGate-500D

Bug ID Description
371098 VLAN counters match physical port if NP6 offloading is disabled

FortiGate-800D

Bug ID Description
365101 Fail IQC traffic test, all blocking at port8 for ip connection

FortiGate-1500D

Bug ID Description
386683 Kernel panics after roughly 24 hours uptime
388646 FG-1500D: hardware test CPU/Memory test fail
370151 CPU doesn’t remove dirty flag when returns session back to NP6
295041 Destination MAC address on NP6 offloaded IPv6 sessions are not updated when neighbor MAC changes

FortiGate-3600D

Bug ID Description
385669 FG-3000D crash with kernel panic

FortiGate-3810D

Bug ID Description
375749 Sometimes NP6 gets np6_fos_ipsec_sa_install 746 npu_tunnel_idx doesn’t match error message

FortiLink

Bug ID Description
379098 FortiLink Switch-Controller: Support “edge-port” setting for managed switch ports
380919 EAP tunnel is terminated at Authenticator(FGT) instead of at Auth-Server
387398 no admin password on Fortilink managed switch

FortiView

Bug ID Description
375394 Httpsd crashes when accessing page of Fortiview>VPN in GUI
390105 Fortiview VPN page shows minus value in field “Bytes(sent/received)” for L2TP and PPTP tunnels

FOC

Bug ID Description
382343 GTPV2 – Create Session response message denied due to ‘ie-is-missing’

GUI

Bug ID Description
371106 Removed trusted host is not re-indexed but replaced with 0.0.0.0/0.
371904 GUI does not prevent upgrading invalid CC signature image in FIPS mode.
375255 Cannot quarantine FortiClient device on FortiView because of javascript error from trunk 5x.
288896 Should fall back to non-paging search if Oracle ODSEE 11.1 LDAP returns LDAP_ UNAVAILABLE_CRITICAL_EXTENSION.
390088 Contract registration should accept characters.
390794 Fix fail to create IPsec IKEv2 custom VPN tunnel with authmethod psk in GUI.
374221 SSLVPN setting portal mapping realm field misses the “/” option.
374339 SSLVPN setting page may not check the required fields.
386862 Large lists of address objects can take a considerable amount of time to load
292615 VLAN interface based on NPU vdom link can’t be displayed in vdom-network-interface page
370360 VDOM read-only admin can view super admin and other higher privilege admin’s password hash via REST API and direct URL
373031 Unable to view FortiToken CD (FTK211) on FortiGate WebUI
378817 Traffic Shapers list priority should display text word not number
391703 Add video links to FortiOS GUI
377539 Filter Overrides is removed after clicking on Apply on the Application Control profile

FortiSwitch Controller

Bug ID Description
388436 Traffic is intermittently blocked when HA FortiGate controls FSW by split interface.
387555 VLAN switch trunk function stops working

System

Bug ID Description
369540 Kills the parent process (fgfmsd) and causes script exec reboot from FMG does not work on FortiGate.
372629 Hardware issue of FG-60D causes config to be lost.
375188 After factoryreset2, split port interfaces are lost.
375141 When NP6 offload is enabled, traffic will show up in wrong VDOM but correct VLAN interface.
380157 ZebOS issues on new VDOM.
385362 Remove username and password requirement for CLI exec central-mgmt register-device FMGSN KEY username password.
367471 Fragmented out-of-sequence ICMP Reply can loop endlessly in npu-vlink.
385455 Inconsistent trustedhost behavior.
381857 LACP passive mode voluntarily initiates LACP negotiation, so aggregate interfaces are established unexpectedly.
374481 Alertmail does not work on CHANGED management VDOM.
384698 Cache memory increased abruptly.
390570 FEXT discovery issue fixed.
390592 Update geoip database to version 1.057.
387675 ARP-Reply packets drops in NP6.
376452, 385278 ICMP packets with HBH options are now forwarded properly.
389194 End of Daylight Savings (DST) timezone Turkey/Istanbul GMT +3.
371387 Add two trailers for FK images, to make it pass the upgrade test.
381675 Support SNMP query for individual CPU Core monitoring in kernel-3.2.
390207 Fix ixgbevf driver VLAN issue.
292237 FG-200D hangs with transmit timeouts.
378761 Allow local-in traffic when system memory reaches 94%.
378558, 380653 LACP over Virtual Wire Pair on 800C, ports not forwarding LACPDUs.
372632 Eliminate kernel crash and reboots while FortiManager pushes config changes.
356245 Fix LACP ignoring peer ID change.
380161 No reply to SNMP queries if reply should be routed via PBR.
374715 Add TCP seqnum verification to BGP on RST packets.
302021 Enable FortiTest feature for 400D/600D platforms.
378825, 385964 Enable diagnose hardware test on FG-100D/800D and fix related bugs.
389047 Unable to edit/create system interface when a large number of detected devices exist has been fixed.
370778 Connection problem to new master FQDN address of FMG after failover.
386478 Add LFG60C B0735 (LENC) device failed with internal error.
375338 FortiManager with super_admin profile installing capture-packet runs into a privilege issue.
373344 “diag ip address list” still shows IP address although DHCP lease time expired
376144 FMG failed to change FGT HA slave to master
380600 CLI configurable NP6 optimization
388603 After reassembling a fragmented UDP packet, the source/destination port becomes 0
365441 FGT is showing CAPWAP IP (224.0.1.140) and MAC address (01:00:5e:00:01:8c) even when CAPWAP is not enabled on the port
369353 Destination MAC address will not be updated for NPU offloaded IPv4 sessions sometimes.

Tablesize

Bug ID Description
382232 FG-900D explicit proxy max users < FG-800D.
390053 Increase firewall.schedule limits on higher end

Router

Bug ID Description
369864 BFD is DOWN randomly.
381974, 387318 Default static router setting should use port1.
382934 gpd may crash after executing get router info bgp route-map.
381908 Asymmetric routing in transparent VDOM has to be enabled for correct packet flow after upgrade from 5.2.
373820 Update route_cache only when there are changes in route table.
307530, 378075 Added support for BGP Local-AS feature.
391240 BGP UPDATES without NEXT_HOP
376765 E models cannot establish BGP session with Non-ARM platforms when MD5 password authentication enabled
391233 Multicast router doesn’t send the PIM register after upgrading from 5.2.7 to 5.4.1

WiFi

Bug ID Description
387163 Fix WiFi driver crash for 3.2 kernel FWF platforms.
371374 Add back support of wave2 FAP421E/423E.
376921 FortiGate kills cw_acd daemon continuously in 900+ APs large setup.
365255, 381030 WPA-Personal passphrase should support a fixed length of 64 hexadecimal digits.
309597 Fix WiFi region codes and DFS support.
374617 Memory leak happens when changing a large WTP session’s security option.
370657 FDS daemon should return error code when fortiap version is not available in FAPV
374385 Fortinet_WiFi is not signed by PositiveSSL_CA/Fortinet_WiFi_CA after LENC license is loaded
387163 FWF30E / kernel error happened when purging vap interface by CLI

AV

Bug ID Description
373804 Encounter several scanunit daemon crash on US WiFi corp firewall.
384520 3600C crash on scanunit signal 11 (Segmentation fault)

DLP

Bug ID Description
369825 Do not compare DLP filesize filter for files inside an archive.

IPS

Bug ID Description
371254 ipsengine signal 11 crash happens on FG-60D/90D when IPS custom signature is detected.
378192 Per-IP shaper is not working for Application Category.
381547 Fix SynProxy offloading issue.
369137 IPsec performance decreased after upgrading FG-100D from V5.2.5 to V5.4.0 in a certain test.
302853 Unnecessary debug message printed when changing certain IPS config.
379275 Fix FortiOS memory corruption caused by ips engine crash.
378252 Flow UTM: Save last session info into crash log when IPS engine crash happens.
379833 Adjust IPS CPU assignment to improve 3815D performance.
383525 Fix for IPsec mesh selectors not automatically brought up when phase2 auto-negotiate enabled.
379082 Proxyworker high CPU waiting for IPS to reinitialize.
389610 IPS app id/cat id should be datasrc and the cat id list source is inaccurate.
368729 State preservation test failed at max mem – attack packet not blocked
386050 WAD daemon consumes 99.8% CPU utilization
300785 Enabling sync-session-ttl will cause the existing IPS sessions to be removed
379084 Botnet DB update shouldn’t cause IPS/AppCtrl signature reload in CMDB
386271 After enabling IPS sensor with custom sig, in 60% chance need to wait for 30+ seconds to let ping packet pass
392520 Update IPS engine to build 3.294

Web Filter

Bug ID Description
378234 WAD crash in wad_fmem_free after upgrade to 5.4.1.
388731 Fix rpc-over-http will cause WAD crash when enable UUID is not found in RTS.
382501 Kerberos authentication fails with unexpected token length error.
376486 WAD not supporting full webfilter with transparent policy and external webproxy in SSL deepscan mode.
373251 Local FortiGuard overridden rating sometimes doesn’t work well.
380119 Webfilter Static URL filter blocking domains with similar name.
377206 Fix wanopt log incorrect and wad ntlm auth crash.
390446 Fix webfilter urlfilter mismatch.
380324, 380682 Fix proxyd and wad ssl related issues.
388957 Fix YouTube EDU filter: None, Moderate, Strict.
393381 Suggest add webfilter profile fgd block and override config CLI correlation check

DNS Filter

Bug ID Description
390957 Make DNS filter available under flow-inspection mode has been fixed.

SSLVPN

Bug ID Description
386167 Proxy vdom SSLVPN IPv6 av doesn’t block virus if IPv4 policy UTM disable.
381112 Website drop-down menu does not work when accessed via SSLVPN bookmark.
371933 Unable to connect to SMB server which supports only NTLMv2.
371597 SSLVPN fail to login FGT 5.4 bookmark through Fortinet bar with url-obscuration enable.
371551 Fix SSLVPN user authenticates doesn’t follow firewall policy order when change user group order until reboot.
371807 Try next server when LDAP group auth failed on first firewall policy.
377207 Fix could not access owncloud properly through SSLVPN.
377557 Change tunnel set-up timeout threshold for SSLVPN web portal with limit-userlogins.
382586 Fixed path not found is printed out when certificate is changed.
384200 Fix SSLVPN tunnel sometimes gets disconnected without error message.
374859 Fix fork() failure after SSLVPN enters conserve mode.
379450 Fix SSLVPN crash with segmentation fault in sslvpn_ap_table_get after upgrading to 5.4.1.
379076 RDP session will be disconnected after the idle-timeout is expired on web-portal.
378103 Fix SSLVPN/newcli crash when running get vpn ssl monitor if there are more than 10000 tunnels.
380201, 382393 Fixed SSLVPN high CPU/crash.
375561 RESOURCE_LEAK found in SSLVPN.
386968 Getting error "Failed, suspended by other users" when editing some content using Firefox.
382828 SSLVPN web-mode not displaying login page of internal server, but tunnel-mode is OK.
355913 SSLVPN setting -> edit authentication/portal mapping page issue
387966 Username replaced by peer name in certificate based SSLVPN
375379 Username and password are displayed in clear text in the browser bar for CIFS/SMB SSL VPN Bookmark

IPsecVPN

Bug ID Description
376779 The algorithm names sha384 and sha512 are not displayed in the output of get commands for ipsec tunnel.
375749, 382568 Fix TPE_SHAPER drop on NP6 and an IPsec issue on FG-3810D.
383935 Policy-based routes do not work for Dialup IPsec routes in FortiOS 5.4.1.
376340 Change vpn ipsec phase1/phase1-interface peertype default from ‘any’ to ‘peer’
388408 Incorrect output for “get vpn ipsec stats crypto”

Web Application Firewall

Bug ID Description
378194 Suspect WAF breaks JSON file by adding zero to the end.
383520 WAF url-access does not work.

Certification

Bug ID Description
365586 Need to restart fnbamd to load imported CRL.
373930 Unset ssh-certificate can not allow client to access with null password.

WebProxy

Bug ID Description
384581 Explicit Proxy Signing Certificate for replacement pages resets to default.
374706 Fix a memory leak on proxyd.
380324 Transparent Proxy SSL Inspection closes connections before completion of SSL negotiation and/or complains of Bad Record.
389059 Improve SOCKS debug and WAF&AV scan on HTTP request.
381429 CP8 does not work for Proxy SSL acceleration.
378518 Fix WAD will crash when using web-proxy profile to add/remove HTTP headers.
390124, 391748 Fix WAD SSL session ticket will cause crash on hello request, and add cert status extension support to fts.
371991 YouTube_Video.Play is not recognized with HTTPS in Application control Override.

Visibility

Bug ID Description
365259 src-vis crash on device with device detection enabled on one-arm-sniffer interface
386446 tunnelip shouldn’t be shown if no tunnel IP in the log.

VM

Bug ID Description
372030 Increase VM00 memory limit to 1.5G.
376567 Fix network reachability issue of AWS instance launched from customer created ami.
372040 VLAN not forward traffic out on non-root VDOM.
374905 Error when attempting to deploy vApp on ESXi v6.0.0.
372487 Fix FG-VM stuck at "rebooting the system" when it is rebooting.
378482 TCP/UDP traffic failing when NAT/UTM is enabled on FG-VM in KVM.
369167, 391519 Improve cloudinit boot up config sequence.
371982 Fix FG-VM has no gui-wanopt.
392654 IPv6 basic network settings not available on unlicensed VM01 or higher

Log

Bug ID Description
376157 Logging performance improvement for IPS/AppCtrl.
284055 Improve the antispam log fortiguardresp log field.
377928 FortiCloud report can’t be displayed on low-end platforms without SSD after burn image
373083 Broken remote log capabilities when resolve-ip is enabled

WANOPT

Bug ID Description
373825, 376035 Fix traffic broken over A-P mode WANOPT on first attempt after WAD restarted.
393114 WAD crash in wad_str_copy_str after upgrade to 5.4.1

HA

Bug ID Description
387212 HA gets out of sync frequently and hasync becomes zombie.
385999 Log backup of execute backup disk xxx feature does not work fine on HA master unit.
374418 No safe method for modifying secondary vcluster membership via the CLI.
266261 FortiExtender interface unable to get DHCP IP on a FortiGate in HA mode.
301101 hasync process is running 100% of CPU.
389192 Can’t forward SIP traffic (200 OK messages) in an asymmetric traffic environment in FGSP.
368447 FGSP should not sync static BFD setting.
375678 update-all-session-timer partially broken.
376449 FGSP: FGT1 clears SCTP Multihomed session marked established while data traffic is going through secondary path.
378213 FGSP: after a reboot of the FortiGate that holds the SCTP secondary path, this session is missing and will be reopened.
390929 hatalk crashed when set standalone-config-sync from enable to disable.
376045 Software switch can’t authorize FSWS successfully in HA scenario.
390926 After downgrade from b1086, HA can’t be synced.
382364 Correct typo error in HA setting (change helo-holddown to hello-holddown).

FSSO

Bug ID Description
386021 FSSO local poller fails on some X86 32 platform.

Firewall

Bug ID Description
376284 Fix CLI firewall.addrgrp when contain url upgrade from 5.2 to 5.4.
387367 Firewall is rebooting automatically.
373667 High vsd memory usage always triggers entering conserve mode when downloading file in SSL offload + IPS inspection.
368838 active-flow-timeout does not take effect for HTTP protocol when NP6 offloaded.
385983 ssl-http-location-conversion setting change from enable to disable by rebooting FortiGate.
375897 Sniffer policy upgrade from b0718 to b1064 failed.
383783 policy64 and policy46 ID should not use special id:4294967295.
297421 Fix policy re-push for multiple VDOMs.
297387, 378560 On some platforms, UDP throughput is lower with a larger number of policies.

FIPS-CC

Bug ID Description
380703 Generation of IKE v2 nonces – NDcPP requirement.
375098 Remove CC error mode.
375102 Modify low level format for boot device (flash) in FIPS-CC mode.
375099 Update supported TLS cipher suites in FIPS-CC mode.
376860 IPSec ESP SA with stronger encryption than IKE SA shouldn’t be allowed.
387002 Add HMAC SHA-384/512 self-tests.
375100 Update supported SSH cipher suites in FIPS-CC mode.
387542 Remove CRL/Certificate/CA may cause FIPS-CC self-test failure.
389003 FIPS-CC self-test failure because of /etc/cert/ca/ changes, which causes system halt.
388181 Add support to break RNG health tests

FortiCloud

Bug ID Description
380506 FortiGate’s forticldd daemon timer settings and updated timer discussion.

Upgrade

Bug ID Description
393056 Explicit proxy config lost on interfaces after upgrading if vdom is enabled

VOIP

Bug ID Description
370201 Fix the imd crash issue when unregistering SIP with asterisk (*) contact, or multiple REGISTER message with same AOR and multiple contacts.
382315 Fix the issue that SIP re-invites causing excessive memory consumption in VOIPD.

Common Vulnerabilities and Exposures

Bug ID Description
379870 FortiOS 5.4.2 is no longer vulnerable to the following CVE references: 2003-1418, 2007-6750

Visit https://fortiguard.com/psirt for more information.

373707 FortiOS 5.4.2 is no longer vulnerable to the following CVE references: 2016-1551, 2016-1549, 2016-2516, 2016-2517, 2016-2518, 2016-2519, 2016-1547, 2016-1548, 2015-7704, 2015-8138, 2016-1550

Visit https://fortiguard.com/psirt for more information.

383538 FortiOS 5.4.2 is no longer vulnerable to the following CVE references: 2016-3713, 2016-5829

Visit https://fortiguard.com/psirt for more information.

381168 FortiOS 5.4.2 is no longer vulnerable to the following CVE reference: 2004-0230

Visit https://fortiguard.com/psirt for more information.

378697 FortiOS 5.4.2 is no longer vulnerable to the following CVE reference: 2016-2512

Visit https://fortiguard.com/psirt for more information.

383564 FortiOS 5.4.2 is no longer vulnerable to the following CVE reference: 2016-5696

Visit https://fortiguard.com/psirt for more information.

372770 FortiOS 5.4.2 is no longer vulnerable to the following CVE references: 2016-6304, 2016-6305, 2016-2183, 2016-6303, 2016-6302, 2016-2182, 2016-2180, 2016-2177, 2015-2178, 2015-2179, 2016-2181, 2016-6306, 2016-6307, 2016-6308

Visit https://fortiguard.com/psirt for more information.

389610 FortiOS 5.4.2 is no longer vulnerable to the following CVE references: 2016-6309, 2016-7052

Visit https://fortiguard.com/psirt for more information.

Known Issues

The following issues have been identified in version 5.4.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json)
Bug ID Description
392049 Cannot create the second IPv6 VIP which has the same ext/int IP as the existing one, but different port-forwarding port.
364589 LB VIP slow access when cookie persistence is enabled.

DLP

Bug ID Description
393649 Executable files may not be blocked by DLP built-in exe file-type filter.
379911 DLP filter order is not applied on encrypted files.

Endpoint Control

Bug ID Description
375149 FGT does not auto update AV signature version while Endpoint Control is enabled.
374855 Third party compliance may not be reported if FortiClient has no AV feature.
391537 Buffer size is too small when sending a large vulnerability list to FortiGate.

FIPS-CC

Bug ID Description
375149 NDcPP requires a SSH server rekey.

Firewall

FortiGate-3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.
357360 DHCP snooping does not work on IPv6.
374346 Adding or reducing stacking connections may block traffic for 20 seconds.

FortiSwitch

Bug ID Description
393966 Trunk port does not work if the only VLAN member is on PoE interfaces.

FortiSwitch-Controller/FortiLink

Bug ID Description
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
357360 DHCP snooping may not work on IPv6.
304199 Using HA with FortiLink can encounter traffic loss during failover.

FortiView

Bug ID Description
289376 Applying the filter All by using the right click method may not work in the All Sessions page.
303940 Web Site > Security Action filter may not work.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
374947 FortiView may show empty country in the IPv6 traffic because country info is missing in log.
372350 Threat view: Threat Type and Event information are missing in the last level of the threat view.
375187 Using realtime auto update may increase chrome browser memory usage.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
372897 Invalid -4 and invalid 254 is shown as the submitted file status.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
303928 After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in the GUI.
374166 Using Edge cannot select the firewall address when configuring a static route.
365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
375383 Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
375369 May not be able to change IPsec manualkey config in GUI.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374521 Unable to Revert revisions on GUI.
374081 wan-load-balance interface may be shown in the address associated interface list.
355388 The Select window for remote server in remote user group may not work as expected.
373363 Multicast policy interface may list the wan-load-balance interface.
372943 Explicit proxy policy may show a blank for default authentication method.
375346 You may not be able to download the application control packet capture from the forward traffic log.
375290 Fortinet Bar may not be displayed properly.
374224 The Omniselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374320 Editing a user from the Policy list page may re-direct to an empty user edit page.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374221 SSLVPN setting portal mapping realm field misses the / option.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
374343 After enabling inspect-all in ssl-ssh-profile, user may not be able to modify allow-invalid-server-cert from GUI
372825 If the selected SSID has reached the maximum entry, the GUI will reset the previously selected SSID.
374191 The Interface may be hidden from the Physical list if its VLAN interface is a ZONE member in the GUI.
374525 When activating the FortiCloud/Register-FortiGate clicking OK may not work the first time.
374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard
374371 The IPS Predefined Signature information popup window may not be displayed because it is hidden behind the Add Signature window.
374183 Security page does not have details for the Forward Traffic log for an IPS attack when displaying a FortiAnalyzer log.
374538 Unable to enable Upload logs to FortiAnalyzer after disabling it.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
374237 You may not be able to set a custom NTP server in the GUI if you did not config it in the CLI first.
393927 Policy List > FQDN Object Tooltip should show resolved IP addresses.
393267 Not possible to edit existing Web Filter profile.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
365317 Unable to add new AD group in second FSSO local polling agent.

HA

Bug ID Description
387216 HA virtual MAC is flapping.
391084 HA unable to sync inversed object entries.
388044 Four member HA Cluster do not always re-converge properly when HB links are re-established.

IPS

Bug ID Description
393675 SSH due to Application Control Proxy in the Security Profile.
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
394157 IPS archive not uploaded to FAZ when it is in realtime mode.

IPSec

Bug ID Description
375020 IPsec tunnel Fortinet bar may not be displayed properly.
374326 Accept type: Any peer ID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.

Logging & Report

Bug ID Description
300637 MUDB logs may display Unknown in the Attack Name field under UTM logs.
374103 Botnet detection events are not listed in the Learning Report.
367247 FortiSwitch log may not show the details in the GUI, while in CLI the details are displayed.
374411 Local and Learning report web usage may only report data for outgoing traffic.
391786 Logdiskless FGT does not generate a log indicating a sandboxing result.
377733 Results/Deny All filter does not return all required/expected data.

Router

Bug ID Description
393127 WLB measured-volume-based load balance does not work as expected after running for more than one day.
393623 Policy routing change is not reflected.
385264 AS-override has not been applied in multihop AS path condition.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
303661 The Start Tunnel feature may have been removed.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
374644 SSL VPN tunnel mode Fortinetbar may not be displayed.
393698 SSL VPN web mode http/https SSO will keep trying even if the password is wrong.
307465 Fail to Copy & Paste through RDP when connected by SSL VPN web mode.
393943 SSL VPN crash when connecting to win2008 smb/CIFS bookmark with wrong password.

System

Bug ID Description
304199 FortiLink traffic is lost in HA mode.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
290708 nturbo may not support CAPWAP traffic.
372717 Unable to access FortiGate GUI via https using low ciphers.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 admin-https-banned-cipher in sys global may not work as expected.
371986 NP6 may have issues handling fragmented packets.
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.
388046 Confsyncd memory leak.
393395 The role of new VAP interface should be set as LAN.
393042 IPv6 traffic not distributed according to the lacp L4 algorithm.
393343 Remove botnet filter option if interface role is set to LAN.
392960 FOS support for V4 BIOS.
392125 Backing up the FortiGate configuration to FortiManager returns the error message "Management server is not configured".
392125 After an HA failover some of the multicast streams stop.

Upgrade

Bug ID Description
269799 sniffer config may be lost after upgrade.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FGT-VM-LENC.
378421 Committing any change on the SSL VPN Settings web page returns error 500.


Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Ubuntu Linux 11.10, XenServer 4.1.0, and libvirt 0.9.2, import issues may arise when using the QCOW2 format, in addition to existing HDA issues.

