Category Archives: FortiOS

Dynamic DNS

If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS service to ensure external users and/or customers can always connect to your company firewall.

If you have a FortiGuard subscription, you can use FortiGuard as your DDNS server. To configure dynamic DNS in the web-based manager, go to System > Network > DNS, select Enable FortiGuard DDNS, then select the interface that communicates with the DDNS server, the server to use, and the remaining settings that server requires.

If you do not have a FortiGuard subscription, or want to use an alternate server, you can configure dynamic DNS in the CLI using the commands below. Within the CLI you can configure DDNS for each interface; only the first configured port appears in the web-based manager. Additional commands vary with the DDNS server you select.

 

config system ddns

edit <instance_value>

set monitor-interface <external_interface>

set ddns-server <ddns_server_selection>

end

 

You can also configure FortiGuard (when subscribed) as the DDNS server from the CLI:

config system fortiguard
set ddns-server-ip <ip_address>
set ddns-server-port <port>
end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

DNS services

A DNS server is a public service that converts symbolic node names to IP addresses. A Domain Name System (DNS) server implements the protocol. In simple terms, it acts as a phone book for the Internet. A DNS server matches domain names with the computer IP address. This enables you to use readable locations, such as fortinet.com when browsing the Internet. FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.

The FortiGate unit includes default DNS server addresses. However, these should be changed to those provided by your Internet Service Provider. The defaults are DNS proxies and are not as reliable as those from your ISP.

Within FortiOS, there are two DNS configuration options; each provides a specific service, and they can work together to provide a complete DNS solution.

 

DNS settings

Basic DNS queries are configured on interfaces that connect to the Internet. When a web site is requested, for example, the FortiGate unit will look to the configured DNS servers to provide the IP address to know which server to contact to complete the transaction.

DNS server addresses are configured by going to System > Network > DNS. Here you specify the DNS server addresses. Typically, these addresses are supplied by your ISP. An additional option is available if you have local Microsoft domains on the network, by entering a domain name in the Local Domain Name field.

In a situation where all three fields are configured, the FortiGate unit will first look to the local domain. If no match is found, a request is sent to the external DNS servers.

If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.

 

Additional DNS CLI configuration

Further options are available from the CLI with the command config system dns. Within this command you can set the following commands:

  • dns-cache-limit – enables you to set how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.
  • dns-cache-ttl – enables you to set how long entries remain in the cache in seconds, between 60 and 86,400 (24 hours).
  • cache-notfound-responses – when enabled, any DNS requests that are returned with NOTFOUND can be stored in the cache.
  • source-ip – enables you to define a dedicated IP address for communications with the DNS server.

 

DNS server

You can also create local DNS servers for your network. Depending on your requirements, you can maintain the entries manually (master DNS server) or use the FortiGate unit as a jumping point that refers to an outside source (slave DNS server). A local master DNS server works similarly to the DNS server addresses configured in System > Network > DNS, but all entries must be added manually. This lets you add a local DNS server for specific hostname/IP address combinations.

 

The DNS server options are not visible in the web-based manager by default. To enable the server, go to System > Config > Features and select DNS Database.

While a master DNS server is an easy method of including regularly used addresses to save on going to an outside DNS server, it is not recommended to make it the authoritative DNS server. IP addresses may change, and maintaining any type of list can quickly become labor-intensive.

A FortiGate master DNS server is best used for local services. For example, your company may have a web server on the DMZ that is accessed by internal employees as well as external users such as customers or remote users. Without an internal DNS server, an internal user requesting website.example.com sends the query out to a DNS server on the Internet, which returns the public IP address or virtual IP, so the session hairpins through the external side of the firewall. With an internal DNS server, the same request is resolved internally to the web server's internal IP address, minimizing inbound/outbound traffic and access time.

As a slave DNS server, the FortiGate unit refers to an external or alternate source to obtain the hostname/IP combination. This is useful when a large company maintains a master DNS server with the full list: satellite offices can then connect to that master DNS server to obtain the correct addressing.

The DNS server entries do not allow CNAME entries, as per RFC 1912, section 2.4.

 

To configure a master DNS server – web-based manager

1. Go to System > Network > DNS Server, and select Create New for DNS Database.

2. Select the Type of Master.

3. Select the View as Shadow.

4. The view is the accessibility of the DNS server. With Public, external users can access, or use, the DNS server. With Shadow, only internal users can use it.

5. Enter the DNS Zone, for example, WebServer.

6. Enter the domain name for the zone, for example, example.com.

7. Enter the hostname of the DNS server, for example, Corporate.

8. Enter the contact address for the administrator, for example, admin@example.com.

9. Set Authoritative to Disable.

10. Select OK.

11. Enter the DNS entries for the server by selecting Create New.

12. Select the Type, for example, Address (A).

13. Enter the Hostname, for example example.com.

14. Enter the remaining information, which varies depending on the Type selected.

15. Select OK.

 

To configure a DNS server – CLI

config system dns-database
edit WebServer
set domain example.com
set type master
set view shadow
set ttl 86400
set primary-name corporate
set contact admin@example.com
set authoritative disable
config dns-entry
edit 1
set hostname web.example.com
set type A
set ip 192.168.21.12
set status enable
end
end

 

Recursive DNS

You can set an option to ensure these types of DNS server are not the authoritative server. When configured, the FortiGate unit first checks its internal DNS server (master or slave). If the request cannot be fulfilled there, it queries the external DNS servers. This is known as a split DNS configuration.

To restrict the zone so that only internal queries are answered from it, set its view to shadow with the CLI commands:

config system dns-database edit example.com

set view shadow

end

 

For this behavior to work completely, the DNS query mode of the interface that receives the queries (the external port, in this example) must be set to recursive. This option is configured in the CLI only. Be aware that a recursive listener on an Internet-facing interface makes the FortiGate unit an open resolver that anyone can use for lookups and DNS amplification, so restrict DNS service on such interfaces to trusted sources wherever possible.

 

To set the DNS query

config system dns-server
edit wan1
set mode recursive
end
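To make the lookup order in the split DNS description concrete, here is an added Python model of how queries flow through the FortiGate DNS database and on to the upstream servers. It is illustration code written for this page, not FortiOS code, and it models only what the text states: a zone that matches the name is consulted first, an authoritative zone answers NXDOMAIN itself, a non-authoritative zone falls through to the configured DNS servers. The rule that a shadow zone answers only on an interface whose dns-server mode is recursive, and the upstream answers themselves, are assumptions constructed for the example.

```python
"""Split DNS resolution model for the FortiGate DNS database described above.
Added example, not FortiOS code: it models the lookup order (local zone first,
upstream only when the zone is not authoritative) and the view/mode
interaction with constructed data. The rule that shadow zones answer only on
interfaces whose dns-server mode is recursive is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Zone:
    domain: str                 # 'set domain example.com'
    view: str                   # 'set view public|shadow'
    authoritative: bool         # 'set authoritative enable|disable'
    records: Dict[str, str] = field(default_factory=dict)   # A records only

    def add_a(self, hostname: str, ip: str) -> None:
        # The database accepts no CNAME entries (RFC 1912 s2.4), so only A records are modelled.
        self.records[hostname.lower().rstrip(".")] = ip

    def covers(self, name: str) -> bool:
        return name == self.domain or name.endswith("." + self.domain)


class SplitResolver:
    def __init__(self, zones: List[Zone], upstream: Dict[str, str]):
        self.zones = zones
        self.upstream = upstream    # constructed stand-in for the ISP DNS servers

    def resolve(self, name: str, interface_mode: str = "recursive") -> Tuple[Optional[str], str]:
        """Return (ip or None, source). interface_mode is the 'config system
        dns-server' mode of the listening interface: 'recursive' or 'non-recursive'."""
        name = name.lower().rstrip(".")
        for zone in self.zones:
            if not zone.covers(name):
                continue
            if zone.view == "shadow" and interface_mode != "recursive":
                continue                        # internal-only zone: invisible here
            if name in zone.records:
                return zone.records[name], "local:" + zone.domain
            if zone.authoritative:
                return None, "local:" + zone.domain    # NXDOMAIN, never forwarded
            break                               # not authoritative: fall through
        if interface_mode != "recursive":
            return None, "non-recursive"        # no forwarding on this interface
        return self.upstream.get(name), "upstream"


def build_demo() -> SplitResolver:
    """Zone matching the CLI example above, plus constructed upstream answers."""
    internal = Zone("example.com", view="shadow", authoritative=False)
    internal.add_a("web.example.com", "192.168.21.12")     # DMZ server, internal address
    upstream = {                                            # constructed, not real DNS data
        "web.example.com": "203.0.113.10",                  # the public VIP
        "www.fortinet.com": "203.0.113.50",
    }
    return SplitResolver([internal], upstream)


if __name__ == "__main__":
    r = build_demo()
    for q in ("web.example.com", "www.fortinet.com", "old.example.com"):
        print(q, r.resolve(q))
```

Running it shows the three cases side by side: web.example.com is answered from the shadow zone with the internal address, www.fortinet.com is forwarded upstream, and old.example.com is forwarded as well because the zone is not authoritative. Flip authoritative to True and the same unknown name becomes a local NXDOMAIN that never leaves the unit.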



DHCP servers and relays

Note that DHCP server options are not available in transparent mode.

A DHCP server provides an address to a client on the network, when requested, from a defined address range. An interface cannot provide both a server and a relay for connections of the same type (regular or IPsec).

You can configure a regular DHCP server on an interface only if the interface is a physical interface with a static IP address. You can configure an IPsec DHCP server on an interface that has either a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.

If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

 

DHCP Server configuration

To add a DHCP server, go to System > Network > Interface. Edit the interface, and select Enable for the DHCP Server row.

 

DHCP Server IP – This appears only when Mode is Relay. Enter the IP address of the DHCP server to which the FortiGate unit forwards client requests.

Address Range – By default, the FortiGate unit assigns an address range based on the address and netmask of the interface, covering the rest of the subnet above the interface address. For example, if the interface address is 172.20.120.230 with a 255.255.255.0 netmask, the default range created is 172.20.120.231 to 172.20.120.254. Select the range and select Edit to adjust the range as needed, or select Create New to add a different range.

Netmask – Enter the netmask of the addresses that the DHCP server assigns.

Default Gateway – Select to either use the same IP as the interface, or select Specify and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

DNS Server – Select to use the system's DNS settings, or select Specify and enter the IP address of the DNS server.

Advanced... (expand to reveal more options)

Mode – Select the type of DHCP server the FortiGate unit will be. By default, it is a server. Select Relay if needed. When Relay is selected, the above configuration is replaced by a field to enter the DHCP Server IP address.

Type – Select to use the DHCP in regular or IPsec mode.

MAC Address Access Control List – Select to bind an IP address from the DHCP server to a specific client or device using its MAC address.

In a typical situation, an IP address is assigned ad hoc to a client for a fixed period, the lease time; if the client does not renew the lease before it expires, the address is released. To ensure a client or device always has the same IP address, regardless of the lease time, use IP reservation.

Add from DHCP Client List – If the client is currently connected and using an IP address from the DHCP server, you can select this option to select the client from the list.

 

DHCP in IPv6

You can use DHCP with IPv6 using the CLI. To configure DHCP, ensure IPv6 is enabled by going to System > Config > Features and enable IPv6. Use the CLI command

config system dhcp6 server

For more information on the configuration options, see the CLI Reference.

 

Service

On low-end FortiGate units, a DHCP server is configured by default on the Internal interface:

 

IP Range                                     192.168.1.110 to 192.168.1.210

Netmask                                     255.255.255.0

Default gateway                         192.168.1.99

Lease time                                 7 days

DNS Server 1                             192.168.1.99

These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.

Alternatively, after the FortiGate unit has assigned an address, you can go to System > Monitor > DHCP Monitor, locate the particular client, select its check box, and select Add to Reserved to reserve that address for it.

 

Lease time

The lease time determines the length of time an IP address remains assigned to a client. Once the lease expires without being renewed, the address is released for allocation to the next client that requests an IP address. The default lease time is seven days. To change the lease time, use the following CLI commands:

config system dhcp server

edit <server_entry_number>

set lease-time <seconds>

end

 

To have an unlimited lease time, set the value to zero.

 

DHCP options

When adding a DHCP server, you can include DHCP option codes and values. DHCP options are the BOOTP vendor information fields that carry additional, vendor-independent configuration parameters from the DHCP server to its clients. For example, you may need a FortiGate DHCP server that hands out a specific option along with the IP address, such as in an environment that must support PXE boot with Windows images.

The option numbers and values are specific to the particular application; the documentation for the application indicates the values to use. Options are configured as option number/hex value pairs. The option number is a value between 1 and 255, and the value is the option's payload encoded as hexadecimal bytes.

You can add up to three DHCP code/option pairs per DHCP server.

 

To configure option 252 with value http://192.168.1.1/wpad.dat – CLI

config system dhcp server
edit <server_entry_number>
set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174
end

 

For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
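The hex string in the option 252 example is simply the ASCII bytes of the URL, and the same encoding rule applies to every option FortiOS accepts this way. The following Python helpers, added here as an illustration and not Fortinet code, encode and decode option values so that what is typed on the CLI can be produced and reviewed without hand-converting bytes. The set of IPv4-list option numbers is taken from RFC 2132; the WPAD allow-list check is this example's own audit idea, included because option 252 is the classic way a rogue or misconfigured DHCP server quietly redirects every client's web traffic through a proxy of its choosing.

```python
"""Helpers for FortiOS 'set optionN <number> <hex>' DHCP option values.
Added example, not Fortinet code. The IPv4-list option numbers in IP_LIST_OPTIONS
are taken from RFC 2132; the WPAD allow-list check is an audit idea of this
example, not a FortiOS feature."""
import ipaddress
from typing import List, Sequence, Union
from urllib.parse import urlparse

# Options whose payload is one or more IPv4 addresses, 4 bytes each (RFC 2132).
IP_LIST_OPTIONS = {3: "router", 6: "dns", 42: "ntp", 150: "tftp"}


def encode_text(text: str) -> str:
    """Hex for a free-text option such as 252 (WPAD URL) or 66 (TFTP server name)."""
    return text.encode("ascii").hex()


def encode_ips(ips: Sequence[str]) -> str:
    """Hex for an IPv4-list option (for example 6, DNS servers)."""
    return "".join(ipaddress.IPv4Address(ip).packed.hex() for ip in ips)


def decode_option(number: int, hex_value: str) -> Union[str, List[str]]:
    """Turn the hex seen on the CLI back into something a reviewer can read."""
    raw = bytes.fromhex(hex_value)
    if number in IP_LIST_OPTIONS:
        if len(raw) % 4 != 0:
            raise ValueError(f"option {number} needs whole IPv4 addresses")
        return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
    return raw.decode("ascii")


def option_cli(slot: int, number: int, hex_value: str) -> str:
    """Render the FortiOS line; the CLI exposes option1..option3 and codes 1-255."""
    if not 1 <= slot <= 3:
        raise ValueError("FortiOS allows three option slots per DHCP server")
    if not 1 <= number <= 255:
        raise ValueError("option number must be between 1 and 255")
    bytes.fromhex(hex_value)            # fails early on a malformed value
    return f"set option{slot} {number} {hex_value}"


def wpad_is_trusted(hex_value: str, trusted_hosts: Sequence[str]) -> bool:
    """Audit an option 252 value: a WPAD URL pointing at an unexpected host
    routes every client's web traffic through that proxy."""
    url = decode_option(252, hex_value)
    host = urlparse(url).hostname
    return host is not None and host in trusted_hosts


if __name__ == "__main__":
    wpad = encode_text("http://192.168.1.1/wpad.dat")
    print(option_cli(1, 252, wpad))
    print(option_cli(2, 6, encode_ips(["192.168.1.99"])))
    print(decode_option(252, wpad), wpad_is_trusted(wpad, ["192.168.1.1"]))
```

Running the block reproduces the option 252 line from the CLI example above and shows how a second slot can carry a DNS server list. When auditing a configuration, decode every optionN value rather than trusting the hex by eye; a single changed byte in a WPAD URL is easy to miss.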

 

Exclude addresses in a DHCP range

If you have a large address range for the DHCP server, you can block a range of addresses that will not be included in the available addresses for the connecting users. To do this, go to the CLI and enter the commands:

config system dhcp server
edit <server_entry_number>
config exclude-range
edit <sequence_number>
set start-ip <address>
set end-ip <address>
end
end

 

DHCP Monitor

To view information about DHCP server connections, go to System > Monitor > DHCP Monitor. On this page, you can also add IP addresses to the reserved IP address list.

 

Breaking an address lease

Should you need to end an IP address lease, you can break the lease using the CLI. This is useful if you have a limited number of addresses and long lease times, so that leases that are no longer needed, for example those of corporate visitors, can be reclaimed.

 

To break a lease enter the CLI command:

execute dhcp lease-clear <ip_address>

 

Assigning IP address by MAC address

To prevent users from changing their IP addresses and causing IP address conflicts or unauthorized use of IP addresses, you can bind an IP address to a specific MAC address using DHCP. Keep in mind that this binding is only as strong as the MAC address: a client can still configure a static IP address or spoof a MAC address, so treat DHCP reservations as address housekeeping rather than as access control.

Use the CLI to reserve an IP address for a particular client identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to the client. The number of reserved addresses that you can define ranges from 10 to 200 depending on the FortiGate model.

After setting up a DHCP server on an interface by going to System > Network > Interface, select the blue arrow next to Advanced to expand the options. If you know the MAC address of the system select Create New to add it, or if the system has already connected, locate it in the list, select its check box and select Add from DHCP Client List.

You can also match an address to a MAC address in the CLI. In the example below, the IP address 10.10.10.55 for User1 is assigned to MAC address 00:09:0F:30:CA:4F.

 

config system dhcp reserved-address
edit User1
set ip 10.10.10.55
set mac 00:09:0F:30:CA:4F
set type regular
end
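The address range, exclude range and reservation settings above interact, and the GUI does not check them against each other. The following Python checker is an added example for this page, not Fortinet code: it reproduces the default pool computation described under Address Range (the address after the interface up to the last usable host), verifies that exclude ranges fall inside the pool, validates and normalizes MAC addresses, flags duplicate reservations, and renders the reserved-address CLI block shown above. The "pool must not contain the interface address" check and the duplicate detection are this example's own policy, and the sample scopes in the usage are constructed.

```python
"""Sanity checks for a FortiGate DHCP scope: default pool computation (as the
GUI does it), exclude ranges, and MAC reservations. Added example, not Fortinet
code; the 'pool must not contain the interface address' check and the duplicate
detection are this example's own policy."""
import ipaddress
import re
from typing import Dict, List, Sequence, Tuple

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
Range = Tuple[str, str]


def default_range(interface_ip: str, netmask: str) -> Range:
    """Default GUI pool: the address after the interface up to the last usable host."""
    net = ipaddress.IPv4Network(f"{interface_ip}/{netmask}", strict=False)
    start = ipaddress.IPv4Address(interface_ip) + 1
    end = net.broadcast_address - 1
    if start > end:
        raise ValueError("no usable addresses above the interface address")
    return str(start), str(end)


def normalize_mac(mac: str) -> str:
    """Accept 00-09-0f-30-ca-4f or 00:09:0F:30:CA:4F, emit the colon form FortiOS shows."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return mac.replace("-", ":").upper()


def check_scope(interface_ip: str, netmask: str, pool: Range,
                excludes: Sequence[Range], reservations: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return a list of problems (empty means the scope is consistent).
    reservations maps entry name -> (ip, mac), as in 'config system dhcp reserved-address'."""
    net = ipaddress.IPv4Network(f"{interface_ip}/{netmask}", strict=False)
    ifip = ipaddress.IPv4Address(interface_ip)
    ps, pe = ipaddress.IPv4Address(pool[0]), ipaddress.IPv4Address(pool[1])
    problems: List[str] = []
    if ps > pe:
        problems.append(f"pool {ps}-{pe} is reversed")
    if ps not in net or pe not in net:
        problems.append(f"pool {ps}-{pe} lies outside {net}")
    if ps <= ifip <= pe:
        problems.append(f"pool {ps}-{pe} contains the interface address {ifip}")
    for s, e in excludes:
        s, e = ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)
        if s > e:
            problems.append(f"exclude range {s}-{e} is reversed")
        elif not (ps <= s and e <= pe):
            problems.append(f"exclude range {s}-{e} is not inside the pool")
    seen_ip: Dict[str, str] = {}
    seen_mac: Dict[str, str] = {}
    for name, (ip, mac) in reservations.items():
        if ipaddress.IPv4Address(ip) not in net:
            problems.append(f"reservation {name}: {ip} lies outside {net}")
        m = normalize_mac(mac)
        if ip in seen_ip:
            problems.append(f"reservation {name}: {ip} already reserved for {seen_ip[ip]}")
        if m in seen_mac:
            problems.append(f"reservation {name}: MAC {m} already used by {seen_mac[m]}")
        seen_ip.setdefault(ip, name)
        seen_mac.setdefault(m, name)
    return problems


def reservation_cli(name: str, ip: str, mac: str, kind: str = "regular") -> str:
    """Render the reserved-address block shown above for one client."""
    return "\n".join([
        "config system dhcp reserved-address",
        f"edit {name}",
        f"set ip {ipaddress.IPv4Address(ip)}",
        f"set mac {normalize_mac(mac)}",
        f"set type {kind}",
        "end",
    ])


if __name__ == "__main__":
    # Constructed scopes: the first mirrors the low-end default, the second is deliberately wrong.
    print(default_range("172.20.120.230", "255.255.255.0"))
    print(check_scope("192.168.1.99", "255.255.255.0", ("192.168.1.110", "192.168.1.210"),
                      [("192.168.1.150", "192.168.1.160")],
                      {"printer": ("192.168.1.20", "00-09-0f-30-ca-4f")}))
    print(check_scope("192.168.1.99", "255.255.255.0", ("192.168.1.90", "192.168.1.210"),
                      [("192.168.1.5", "192.168.1.9")],
                      {"User1": ("10.10.10.55", "00:09:0F:30:CA:4F")}))
    print(reservation_cli("User1", "10.10.10.55", "00:09:0F:30:CA:4F"))
```

The second check in the usage reports three findings: the pool swallows the interface's own address, the exclude range is outside the pool, and the reservation for User1 is on a different subnet from the interface, which is exactly the kind of mismatch that produces a client that never gets its reserved address.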



FortiExtender

FortiGate units support 3G and 4G wireless modems connected to a FortiExtender, which in turn connects to the FortiGate unit.

 

Installing the 3G/4G modem

Remove the housing cover of the FortiExtender and use the provided USB extension cable to connect your 3G/4G modem to the device.

For more information on installing the 3G/4G modem, see the QuickStart Guide.

 

Connecting the FortiExtender unit

 

If you are using the provided PoE injector:

1. Plug the provided Ethernet cable into the Ethernet port of the FortiExtender and insert the other end of the Ethernet cable into the AP/Bridge port on the injector, then plug the injector into an electrical outlet.

2. Connect the LAN port of the PoE injector to a FortiGate, FortiWiFi, or FortiSwitch device.

If you are not using the PoE injector:

1. Plug the provided Ethernet cable into the Ethernet port of the FortiExtender and insert the other end into a PoE LAN port on an appropriate FortiGate, FortiWiFi, or FortiSwitch device.

For more information on connecting the FortiExtender unit, see the QuickStart Guide.

Once connected, your FortiGate appliance can automatically detect, connect with, and control the FortiExtender and modem via a CAPWAP tunnel. For this to work, the FortiExtender and FortiGate must be on the same Layer 2/3 subnet (or have DHCP relay between them) and the FortiGate must respond to the FortiExtender's request. In this example the FortiExtender is connected to the lan interface of the FortiGate unit.

 

By default, FortiExtender support is hidden and disabled. Enable it in the FortiGate CLI:

config system global
set fortiextender enable
set wireless-controller enable
end

 

The Control And Provisioning of Wireless Access Points (CAPWAP) service must be enabled on the port to which the FortiExtender unit is connected (the lan interface in this example) using the following CLI commands:

config system interface
edit lan
set allowaccess capwap
end

Note that set allowaccess replaces the interface's entire administrative access list with the values given. If the interface already allows other services (ping, https, ssh, and so on), list them all in the same set command, or use append allowaccess capwap to add CAPWAP without dropping them. Enable CAPWAP only on the interface that faces the FortiExtender, never on an Internet-facing interface.

 

Once the FortiExtender is discovered and authorized, a virtual WAN interface such as fext-wan1 is created on the FortiGate.

 

Configuring the FortiExtender unit

At this point, you can fully manage the FortiExtender from the FortiGate unit. To do so, authorize the FortiExtender by going to System > Network > FortiExtender and clicking Authorize. Once authorized, you can configure your device as required:

Link Status: Shows you if the link is Up or Down, click on Details to see the System and Modem Status.

IP Address: Shows you the current FortiExtender’s IP address, click on the link of the IP address to connect to the FortiExtender GUI.

OS Version: Shows the current FortiExtender’s build, click on Upgrade if you wish to upgrade the Firmware.

Configure Settings: Allows you to configure the Modem Settings, PPP Authentication, General, GSM / LTE, and CDMA.

Diagnostics: Allows you to diagnose the FortiExtender unit. Choose a command from the existing commands and click Run.

Existing commands are: Show device info, Show data session connection status, test connection, test disconnection, Get signal strength, AT Command.

 

Sample output of Show device info:

Manufacturer: Sierra Wireless, Incorporated

Model: AirCard 330U

Revision: SWI9200X_03.00.08.03AP R4019 CARMD-EN-10527 2011/12/07 18:43:13

IMEI: 359615040996060

IMEI SV: 7

FSN: CDU3153118210

3GPP Release 8

+GCAP: +CGSM OK

 

Modem Settings

The FortiExtender unit allows two modes of operation for the modem: On Demand and Always Connect. In On Demand mode, the modem connects to an ISP only when the dial operation is executed and disconnects only on a subsequent hangup operation from the CLI.

 

Syntax

To connect, run the following CLI command:

execute extender dial <SN> // <SN> is the FortiExtender’s serial number.

 

To disconnect, run the following CLI command:

execute extender hangup <SN> // <SN> is the FortiExtender’s serial number.

 

In Always Connect mode, the modem is always connected to the Internet; it can act as a primary or backup method of connecting to the Internet.

 

By default, the FortiExtender is in Always Connect mode once authorized.

 

Modem Settings is a matter of configuring the dial mode, either Always Connect or On Demand. Selecting Always Connect ensures that once the modem has connected, it remains connected to the ISP.

 

To configure the dial mode as needed – web-based manager

1. Go to System > Network > FortiExtender and click Configure Settings.

2. Expand Modem Settings.

3. Select the Dial Mode of Always Connect or On Demand.

4. Set the Redial Limit, for example 5. This is only applicable in On Demand mode.

5. If needed, set the Quota Limit to the desired limit in megabytes. The recorded quota usage values are not persistent and are lost when the FortiGate reboots.

6. Select OK.

 

Configuring the FortiGate unit

In order to allow inbound and outbound traffic through the 3G/4G modem, you need to add a security policy and, depending on the scenario, a static route in the FortiGate unit.

 

Adding a policy

If your network will be using IPv4 addresses, go to Policy & Objects > Policy > IPv4 and select Create New to add a policy that allows users on the private network to access the Internet.

In the policy, set the Incoming Interface to the internal interface and the Outgoing Interface to fext-wan1 interface. You will also need to set Source Address, Destination Address, Schedule, and Service according to your network requirements.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Destination Interface Address is selected. Select OK.

 

Always Connect, redundant to wan1

No static route is required. Note that in FortiOS 5.2.2 the routing table shows only active routes. Use the following CLI command to show all routes:

get router info routing-table all

 

Sample Output

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP, O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area

* – candidate default

S* 0.0.0.0/0 [10/0] via 172.20.120.2, wan1

C 25.49.248.0/24 is directly connected, fext-wan1

C 169.254.1.1/32 is directly connected, ssl.root

C 172.20.120.0/24 is directly connected, wan1

C 192.168.1.0/24 is directly connected, lan

 

Always Connect, with selected traffic going through the FortiExtender

In this scenario, a static route is required. If your network uses IPv4 addresses, go to Router > Static > Static Routes or System > Network > Routing, depending on your FortiGate model, and select Create New. Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, Device to fext-wan1, and set the Gateway to your gateway IP or to the next-hop router, depending on your network requirements. Select OK.
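Whether the FortiExtender path is actually in use is easiest to confirm from the routing table rather than from the GUI. The following Python parser is an added example for this page, not Fortinet code: it reads the output format of get router info routing-table all, as shown in the sample above, and reports which interfaces carry the active default route, so you can verify before and after adding the fext-wan1 static route that the change took effect. SAMPLE is the sample output from this page with its duplicated ssl.root fragment removed; the extra fext-wan1 default route used in the check below, including its gateway address, is constructed.

```python
"""Parser for 'get router info routing-table all' output, used to check which
interface carries the default route before and after adding the fext-wan1
static route. Added example, not Fortinet code. SAMPLE is the output shown
above (with its duplicated ssl.root fragment removed)."""
import re
from dataclasses import dataclass
from typing import List, Optional

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9]+)(?P<star>\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),\s+(?P<dev>\S+)"
    r"|is directly connected,\s+(?P<cdev>\S+))"
)

SAMPLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 172.20.120.2, wan1
C 25.49.248.0/24 is directly connected, fext-wan1
C 169.254.1.1/32 is directly connected, ssl.root
C 172.20.120.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, lan
"""


@dataclass
class Route:
    code: str
    prefix: str
    device: str
    gateway: Optional[str]
    distance: Optional[int]
    candidate_default: bool


def parse_routing_table(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue                      # legend lines carry no prefix
        routes.append(Route(
            code=m.group("code"),
            prefix=m.group("prefix"),
            device=m.group("dev") or m.group("cdev"),
            gateway=m.group("gw"),
            distance=int(m.group("dist")) if m.group("dist") else None,
            candidate_default=bool(m.group("star")),
        ))
    return routes


def default_route_devices(routes: List[Route]) -> List[str]:
    """Interfaces that carry an active 0.0.0.0/0 entry."""
    return sorted({r.device for r in routes if r.prefix == "0.0.0.0/0"})


def is_default_via(routes: List[Route], device: str) -> bool:
    return device in default_route_devices(routes)


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE)
    print(len(table), "routes; default via", default_route_devices(table))
    print("fext-wan1 carries a default route:", is_default_via(table, "fext-wan1"))
```

On the sample, only wan1 carries the default route and fext-wan1 appears solely as a connected network, which is the "redundant to wan1" state. After the static route in this section is added and becomes active, the same check reports fext-wan1 as well.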



FortiOS 5.4.3 Release Notes

Introduction

This document provides the following information for FortiOS 5.4.3 build 1111:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.3 supports the following models.

FortiGate: FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi: FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE

FortiGate Rugged: FGR-60D, FGR-90D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM

FortiOS Carrier: FortiOS Carrier 5.4.3 images are delivered upon request and are not available on the customer support firmware download page.

Special Branch Supported Models

The following models are released on a special branch based off of FortiOS 5.4.3. As such, the System > Dashboard > Status page and the output from the get system status CLI command display the build number of that branch.

 

FGR-30D is released on build 5861.
FGR-35D is released on build 5861.
FGR-30D-A is released on build 5861.
FGT-30E-MI is released on build 5858.
FGT-30E-MN is released on build 5858.
FWF-30E-MI is released on build 5858.
FWF-30E-MN is released on build 5858.
FWF-50E-2R is released on build 5866.
FGT-52E is released on build 5862.
FGT-60E is released on build 5873.
FWF-60E is released on build 5873.
FGT-61E is released on build 5873.
FWF-61E is released on build 5873.
FGT-90E is released on build 5865.
FGT-91E is released on build 5865.
FWF-92D is released on build 9482.
FGT-100E is released on build 5873.
FGT-101E is released on build 5873.
FGT-200E is released on build 5864.
FGT-201E is released on build 5864.
FGT-2000E is released on build 5860.
FGT-2500E is released on build 5860.
FGT-3800D is released on build 5859.

To confirm that you are running the proper build, the output from the get system status CLI command has a branch point field that should read 1111.

 

 

What’s new in FortiOS 5.4.3

FortiOS 5.4.3 is a bug fix release with no new features.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit key with DH group 14.

Default log setting change

For FG-5000 blades, the log disk is disabled by default. It can only be enabled via the CLI. For all 2U and 3U models (FG-3600/FG-3700/FG-3800), the log disk is also disabled by default. For all 1U models and desktop models that support a SATA disk, the log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of ports 1 through 14, include:

  • PPPoE failing, HA failing to form
  • IPv6 packets being dropped
  • FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects from the introduction of a new command, which is enabled by default:

config system global
set hw-switch-ether-filter <enable | disable>
end

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed
  • PDUs are dropped and therefore no STP loop results
  • PPPoE packets are dropped
  • IPv6 packets are dropped
  • FortiSwitch devices are not discovered
  • HA may fail to form depending on the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units running 5.4.3 and managed by FortiManager 5.0 or 5.2

FortiGate units running 5.4.3 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading.

Full featured FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment needs, FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for  your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS. SSLv3 is obsolete and cryptographically weak, so enable it only for as long as those clients need it and disable it again once they are upgraded.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.3, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS v5.4.1, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus, Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

 

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version so that connections are allowed on all versions of TLS. Use the following CLI command:

config system global
set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end

Note that this re-enables TLS 1.0 and 1.1, both deprecated protocol versions, on the administrative GUI. If you must make this change, restrict administrative access to trusted hosts (the administrator trusthost settings) and revert it once FortiPresence no longer requires it.

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate-VMs, which remain at the self-signed option. For details on importing a CA-signed certificate, see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet Customer Service & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Upgrade Information

Upgrading to FortiOS 5.4.3

FortiOS version 5.4.3 officially supports upgrading from version 5.4.1 and later and 5.2.9 and later.

When upgrading from a firmware version other than those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each supported firmware version. To upgrade to this build, see FortiOS 5.4 Supported Upgrade Paths.

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases interoperability with other Fortinet products. This includes:

  • FortiClient 5.4.1 and later
  • FortiClient EMS 1.0.1 and later
  • FortiAP 5.4.1 and later
  • FortiSwitch 3.4.2 and later

The firmware upgrade of each product must be completed in a precise order so that network connectivity is maintained without manual intervention. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

The latter document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading you should review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard Banner, client-based logging when on-net, and Single Sign-on Mobility Agent
  • VPN provisioning
  • Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths
  • Client-side web filtering when on-net
  • iOS and Android configuration by using the FortiOS GUI

It is recommended that FortiClient Enterprise Management Server (EMS) be used for detailed endpoint deployment and provisioning.

Unified Disk Usage

FortiOS 5.4.3 changes the disk usage behavior upon upgrading from FortiOS 5.2. The following describes the new logging and WAN Optimization disk usage for single-disk and two-disk FortiGate devices running FortiOS 5.4.3.

Single Disk Platforms (Logging or WAN Optimization)

  • Only Logging enabled: No change.
  • Only WAN Optimization enabled: No change.
  • Both Logging & WAN Optimization enabled: Disk is reserved for logging. If WAN Optimization is configured, the WAN Optimization cache is lost.

Two Disk Platforms (First disk reserved for Logging; second reserved for WAN Optimization)

  • Only Logging enabled on the first disk: No change.
  • Only Logging enabled on the second disk: Logging is changed to the first disk. Logging data is lost on the second disk.
  • Only WAN Optimization enabled on the first disk: WAN Optimization is changed to the second disk. WAN Optimization cache is lost on the first disk.
  • Only WAN Optimization enabled on the second disk: Second disk reserved for WAN Optimization. First disk reserved for logging even when the log disk status CLI setting is disabled (log-disk-status=disable).
  • Both Logging & WAN Optimization enabled: First disk reserved for logging. Second disk reserved for WAN Optimization.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.3, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles.

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Because of the enhanced networking (NIC driver) support introduced in 5.4.1, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced NIC driver is not allowed. The following AWS instance types are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.


Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
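Added example, not from the release notes: a small Python check that streams a downloaded image through MD5 and compares it with the value shown on the portal before the image is uploaded to a FortiGate. The sample "image" is a constructed byte string whose digest is known, and the file path used on the command line is a placeholder. Keep in mind that MD5 no longer resists collisions, so this catches a corrupted or truncated download rather than a capable attacker, and the comparison value is only as trustworthy as the authenticated support-portal session it was copied from.

```python
import hashlib
import os
import sys
import tempfile

# Constructed stand-in for a downloaded image and the digest as the portal would show it.
# The digest is MD5("hello world"); the portal may print it in upper case.
SAMPLE_IMAGE = b"hello world"
SAMPLE_MD5 = "5EB63BBBE01EEED093CB22BB8F5ACDC3"


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 in 1 MiB chunks; firmware images are large."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path, expected):
    """Normalise case and whitespace, then require the full 32-hex-digit digest to match
    (a pasted prefix must not be accepted as a match)."""
    expected = expected.strip().lower()
    return len(expected) == 32 and md5_of_file(path) == expected


def verify_sample(tamper=False):
    """Write the constructed image to a temp file, optionally with one byte flipped to
    simulate a corrupted download, run the check, and clean up."""
    data = bytearray(SAMPLE_IMAGE)
    if tamper:
        data[0] ^= 0x01
    fd, path = tempfile.mkstemp(suffix=".out")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return checksum_matches(path, SAMPLE_MD5)
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python verify_image.py FGT_VM64-v5-build1111-FORTINET.out <portal checksum>
        ok = checksum_matches(sys.argv[1], sys.argv[2])
        print("OK" if ok else "MISMATCH: do not upload this image")
        sys.exit(0 if ok else 1)
    print("sample image matches:", verify_sample(),
          "| tampered copy matches:", verify_sample(tamper=True))
```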

Product Integration and Support

FortiOS 5.4.3 support

The following table lists 5.4.3 product integration and support information:

Web Browsers
  • Microsoft Edge 25
  • Microsoft Internet Explorer 11
  • Mozilla Firefox version 46
  • Google Chrome version 50
  • Apple Safari version 9.1 (for Mac OS X)
  Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Edge 25
  • Microsoft Internet Explorer 11
  • Mozilla Firefox version 45
  • Apple Safari version 9.1 (for Mac OS X)
  • Google Chrome version 51
  Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager
  For the latest information, see the FortiManager and FortiOS Compatibility. You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer
  For the latest information, see the FortiAnalyzer and FortiOS Compatibility. You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X
  • 5.4.1
  If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS
  • 5.4.1

FortiClient Android and FortiClient VPN Android
  • 5.4.0

FortiAP
  • 5.4.1 and later
  • 5.2.5 and later
  You should verify what the new FortiAP version is for your FortiAP prior to upgrading the FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points > Managed FortiAP page in the GUI. Under the OS Version column you will see the message "A recommended update is available" for any FortiAP that is running an earlier version than what is recommended.

FortiAP-S
  • 5.4.2 and later

FortiSwitch OS (FortiLink support)
  • 3.5.0 and later

FortiController
  • 5.2.0 and later (supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C)
  • 5.0.3 and later (supported model: FCTL-5103B)

FortiSandbox
  • 2.1.0 and later
  • 1.4.0 and later

Fortinet Single Sign-On (FSSO)
  • 5.0 build 0254 and later (needed for FSSO agent support of OU in group filters)
    • Windows Server 2016 Standard
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows Server 2008 R2 64-bit
    • Windows Server 2012 Standard
    • Windows Server 2012 R2 Standard
    • Novell eDirectory 8.8
  • 4.3 build 0164 (contact Support for download)
    • Windows Server 2003 R2 (32-bit and 64-bit)
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows Server 2008 R2 64-bit
    • Windows Server 2012 Standard Edition
    • Windows Server 2012 R2
    • Novell eDirectory 8.8
  FSSO does not currently support IPv6.

FortiExplorer
  • 2.6 build 1083 and later
  Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS
  • 1.0.6 build 0130 and later
  Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender
  • 3.0.0
  • 2.0.2 build 0011 and later

AV Engine
  • 5.239

IPS Engine
  • 3.299

Virtualization Environments
  • Citrix: XenServer version 5.6 Service Pack 2; XenServer version 6.0 and later
  • Linux KVM: RHEL 7.1/Ubuntu 12.04 and later; CentOS 6.4 (qemu 0.12.1) and later
  • Microsoft: Hyper-V Server 2008 R2, 2012, and 2012 R2
  • Open Source: XenServer version 3.4.3; XenServer version 4.1 and later
  • VMware: ESX versions 4.0 and 4.1; ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0

VM Series – SR-IOV
  The following NIC chipset cards are supported:
  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language support

The following languages are supported in the GUI:

  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer build for each supported operating system.

Operating system and installers

  • Microsoft Windows XP SP3 (32-bit): installer 2331
  • Microsoft Windows 7 (32-bit & 64-bit): installer 2331
  • Microsoft Windows 8 (32-bit & 64-bit): installer 2331
  • Microsoft Windows 8.1 (32-bit & 64-bit): installer 2331
  • Microsoft Windows 10 (32-bit & 64-bit): installer 2331
  • Linux CentOS 6.5 (32-bit & 64-bit): installer 2331
  • Linux Ubuntu 12.0.4 (32-bit & 64-bit): installer 2331
  • Virtual Desktop for Microsoft Windows 7 SP1 (32-bit): installer 2331

Other operating systems may function correctly, but are not supported by Fortinet.

 

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

  • Microsoft Windows 7 SP1 (32-bit/64-bit): Microsoft Internet Explorer version 11; Mozilla Firefox version 46
  • Microsoft Windows 8/8.1 (32-bit/64-bit): Microsoft Internet Explorer version 11; Mozilla Firefox version 46
  • Mac OS 10.9: Safari 7
  • Linux CentOS version 6.5: Mozilla Firefox version 46

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

  • Symantec Endpoint Protection 11
  • Kaspersky Antivirus 2009
  • McAfee Security Center 8.1
  • Trend Micro Internet Security Pro
  • F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

  • CA Internet Security Suite Plus Software
  • AVG Internet Security 2011
  • F-Secure Internet Security 2011
  • Kaspersky Internet Security 2011
  • McAfee Internet Security 2011
  • Norton 360™ Version 4.0
  • Norton™ Internet Security 2011
  • Panda Internet Security 2011
  • Sophos Security Suite
  • Trend Micro Titanium Internet Security
  • ZoneAlarm Security Suite
  • Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.4.3. For inquiries about a particular bug, please contact Customer Service & Support.

FGT-3810D

Bug ID Description
391998 CFP2 ports remain down after disconnecting and reconnecting fiber.

DLP

Bug ID Description
367514 Executable files may not be blocked by DLP built-in .exe file-type filter.

FIPS-CC

Bug ID Description
393649 SSH server rekey.

System

Bug ID Description
392049 Cannot create the second IPv6 VIP, which has the same ext/int IP as the existing one, but different port-forwarding port.
393042 IPv6 traffic not distributed according to the lacp L4 algorithm.
392125 FGT to FMG backup config returned when with the Management server is not configured error message.
293751 After an HA failover, some multicast streams stop.
393034 The printout of show sys interface of FGT-3700D begins with port5 instead of port1.
394582 Update geoip database to version 1.058(20161104).
389398 Can’t find xitem. Drop the response in dhcp relay debug.
394471 Autoupdate tunneling password is shown in cleartext in CLI.
393966 Trunk port doesn’t work if the only port member is located on the second switch chip.
370349 Properly spin down SSD during graceful shutdown process.
388046 Process confsyncd memory leak.
395272 unset password is pushed during installation when FGT admin password was changed on FGT.
383748 Read-only admin of one or multiple VDOMs is able to see the entire configuration including other VDOMs.
388280 Some global configurations (admin, interface) are missing when global prof_admin backup full configuration.
395804 The first 20 CPUs became 100% busy when less than 18 million IPv6 sessions were established.
395796 FGT shows Internet-service version(3) is not supported. during signature update and device boot.
382996 Redundant type of interfaces are changing to aggregate after VDOM config restore.
396641 Manualkey-interface incorrect CLI help text.
310199 Delay destroying the fgfm session in error cases.
395796 Add a fix to support internet service version 1.
371672 When create a new ftp-explicit-banner replacemsg, it misses 220 FTP reply code.
369372 With low latency mode on NP6 unit enabled, only first 2 packets are correctly processed by FortiGate.
386626 TCP Session’s timer consistently counting down until it goes expired while the traffic is passing through the unit.
393969 CPU spikes abnormally several times a day.
396574 FG-60E wan1/wan2 no longer come up after rebooting if the interface is down at boot.
387496 FSSO agent did not display all user group information.
389395 RDP-NLA connection to a windows server in multi domain environment overrides originator logon.

FortiSwitch

Bug ID Description
393966 Trunk port does not work if the only VLAN member is on PoE interfaces.

FortiSwitch-Controller/FortiLink

Bug ID Description
388024 Migrating the fix to limit FSWs based on FGT model on 5.4 branch.

FW

Bug ID Description
389832 TCP/UDP ports 464 are missing in Service Group "Windows AD".

GUI

Bug ID Description
375290 Fortinet Bar may not be displayed properly.
393267 Cannot edit existing Web Filter profile.
376049 Increase requireJS page load timeout.
363546 Error 500 when saving urlfilter list with 4900 entries.
388759 Can’t view interface list via VDOM.
365667 PKI user groups are displayed incorrectly in the Log & Report > Event Log > VPN GUI.
390358 Permission denied. Insufficient privileges error is shown when opening Security Profiles > Anti-Spam.
391111 Clicking the Apply button on Explicit Proxy page of one VDOM will disable Explicit Proxy of another VDOM.
393267 Failing to edit existing web filter profile overrides in GUI.
369374 Config backup for non-global admins when VDOMs are disabled.
291231 Added monitor API method to deauthenticate individual firewall users.
399315 Fixed display of botnet entitlement in 5.4 UI.

HA

Bug ID Description
391084 HA unable to sync inversed object entries.
388044 Four-member HA Cluster does not always re-converge properly when HB links are re-established
367158 FortiGate HA config failed to sync issue with fsso-polling.
388446 Session breaks when reboot master in PPPoE mode.
395407 When HA environment with pppoe failover, session down even if enabled session-pickup.
380279 exec reboot and exec shutdown triggered HA failover causes high packet loss.

IPsecVPN

Bug ID Description
376135 DHCP process is crashing when more than 1500 users connect via dial up IPsec VPN with DHCP over IPsec feature enabled.
375910 enc_npuid and dev_npuid in diag vpn tunnel list output are reversed.
383939 Abnormal tracert through VPN tunnel on FG-30 and FGT/FWF-60D.

SSL VPN

Bug ID Description
307465 Fail to Copy & Paste through RDP when connected by SSL VPN web mode.
393698 SSL VPN web mode http/https SSO will keep trying even if the password is wrong.
393943 SSL VPN crash when connect to win2008 smb/CIFS bookmark with wrong password.
393758 Support for js to xml file containing html content.
387800 Skip fedtrul.js under owa.
396218 IE 11 fails to load OWA via SSL web portal.
391825 SSL VPN web mode does not work on port 80.
394936 Web-mode SSL VPN RDP bookmark does not allow connection without pre-populated username and password.
393980 libpthread is wrongly linked to RDP library.

WF

Bug ID Description
394515 URL exempt/allow does not work as expected when certificate-inspection is used.
395365 Webfilter override present certificate resigned using SHA-1.
396005, 396078 wad crash and scan unit free one share memory randomly.

AV

Bug ID Description
367514 Built-in AV engine 5.239.
371058 Properly detect executable (exe) file type and multiple file types.

WebProxy

Bug ID Description
394844 When processing HTTP POST request with AV or IPS UTM is enabled, HTTP processing state is not correct.
382483 Unable to connect via SSH when Deep Scan is enabled in firewall policy for Putty.
301575 Proxyd crash on IMAP traffic.
395007 wad cannot process partial HTTP method correctly.
394314 inspect-all SSL profiles don’t work after reboot in explicit proxy on AWS platform.

Log/Report

Bug ID Description
373221 Can’t clear log disk.
395471 Remove unsupported items from PCI-DSS checklist.
217208 Add log support for 802.1X authentication.
393970 crlevel wrong in raw traffic log for geolocation threat.
391786 Logdiskless FGT does not generate a log indicating a sandboxing result.

AppCtl

Bug ID Description
394924 Disable kernel blocking of app-control identified sessions.

VM

Bug ID Description
297361 FGT-KVM– between 2 10G-ports of FGT-KVM04 test, It only got 2.75Gbps TCP throughput.
363439 KVM – UDP throughput of IMIX on KVM with VM08 is lower than it with VM01
372058 Upgrade to multiqueue virtio-net driver to improve network performance for FGT-KVM.
394578 Print VM license not showing proper creation date.
394158 Merge AWS NFR feature for bootstrapping.
393434 iked hang and crash when receiving IKEv1 fragments with frag ID 0.

Router

Bug ID Description
395789 Add jitter to BGP auto start timer to avoid oscillations in some cases.
375932 BFD Path Down message doesn’t trigger BGP to clear the session.

Common Vulnerabilities and Exposures

Bug ID Description
388594 FortiOS local admin password hashes could be obtained.

 

Known Issues

The following issues have been identified in version 5.4.3. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
392200 Encrypted archive log is generated even though the function archive-log in antivirus profile is unset.

DLP

Bug ID Description
379911 DLP filter order is not applied on encrypted files.

Endpoint Control

Bug ID Description
375149 FGT does not auto update AV signature version while Endpoint Control is enabled.
374855 Third party compliance may not be reported if FortiClient has no AV feature.
391537 Buffer size is too small when sending a large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.
357360 DHCP snooping does not work on IPv6.
374346 Adding or reducing stacking connections may block traffic for 20 seconds.

FortiSwitch-Controller/FortiLink

Bug ID Description
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
357360 DHCP snooping may not work on IPv6.
304199 Using HA with FortiLink can encounter traffic loss during failover.

FortiView

Bug ID Description
289376 Applying the filter All by using the right-click method may not work in the All Sessions page.
303940 Web Site > Security Action filter may not work.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
366627 FortiView Cloud Application may display the incorrect drilldown File and Session list in the Applications View.
374947 FortiView may show empty country in the IPv6 traffic because country info is missing in log.
372350 Threat view: Threat Type and Event information are missing in the last level of the threat view.
375187 Using realtime auto update may increase chrome browser memory usage.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
372897 Invalid -4 and invalid 254 is shown as the submitted file status.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
303928 After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in the GUI.
374166 Using Edge cannot select the firewall address when configuring a static route.
365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
375383 Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
375369 May not be able to change IPsec manualkey config in GUI.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374521 Unable to Revert revisions on GUI.
374081 wan-load-balance interface may be shown in the address associated interface list.
355388 The Select window for remote server in remote user group may not work as expected.
373363 Multicast policy interface may list the wan-load-balance interface.
372943 Explicit proxy policy may show a blank for default authentication method.
375346 You may not be able to download the application control packet capture from the forward traffic log.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374221 SSL VPN setting portal mapping realm field misses the / option.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
374343 After enable inspect-all in ssl-ssh-profile, user may not be able to modify allow-invalid-server-cert from GUI.
372825 If the selected SSID has reached the maximum entry, the GUI will reset the previously selected SSID.
374191 The Interface may be hidden from the Physical list if its VLAN interface is a ZONE member in the GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard.
374371 The IPS Predefined Signature information popup window may not be displayed because it is hidden behind the Add Signature window.
374183 The Security page does not have details for the Forward Traffic log for an IPS attack when displaying a FortiAnalyzer log.
374538 Unable to enable Upload logs to FortiAnalyzer after disabling it.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
374237 You may not be able to set a custom NTP server in the GUI if you did not config it in the CLI first.
393927 Policy List > FQDN Object Tooltip should show resolved IP addresses.
393267 Not possible to edit existing Web Filter profile.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
365317 Unable to add new AD group in second FSSO local polling agent.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.
356998 urlfilter list re-order on GUI does not work.
387640 Duplicate entry found when auto generate guest user.
379050 User Definition intermittently not showing assigned token.
395711 pyfcgid takes 100% of CPU when managed switch page displayed.
368069 Cannot select wan-load-balance or members for incoming interface of IPSec tunnel.

HA

Bug ID Description
387216 HA virtual MAC is flapping.
399115 ID for the new policy (when using edit 0) is different on master and on slave unit.
396938 Reboot of FGT HA cluster member with redundant HA management interface deletes HA configuration.
397171 FIB of VDOMs in vcluster2 is not synced to the slave.

IPSec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
375020 IPsec tunnel Fortinet bar may not display properly.
374326 Accept type: Any peerID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
386802 Unable to establish phase 2 when using address group/group object as quick mode selectors.
397386 Slave worker blades attempt to establish site to site IPsec VPN tunnel.

Logging & Report

Bug ID Description
300637 MUDB logs may display Unknown in the Attack Name field under UTM logs.
374103 Botnet detection events are not listed in the Learning Report.
367247 FortiSwitch log may not show the details in the GUI, while in CLI the details are displayed.
374411 Local and Learning report web usage may only report data for outgoing traffic.
391786 Logdiskless FGT does not generate a log indicating a sandboxing result.
377733 Results/Deny All filter does not return all required/expected data.

Router

Bug ID Description
393127 WLB measured-volume-based load balance does not work as expected after running for more than one day.
393623 Policy routing change not is not reflected.
385264 AS-override has not been applied in multihop AS path condition.
374306 Number of concurrent sessions affect the convergence time after HA failover.
299490 During and after failover, some MC Groups take up to 480 seconds to recover.
373892 ECMP(BGP) routing failover time.
397087 VRIP cannot be reached on 51E when it is acting as VRRP master.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
303661 The Start Tunnel feature may have been removed.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
395497 https-redirect for SSL VPN does not support realms.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.
366291 High CPU usage by SSL VPN.

System

Bug ID Description
304199 FortiLink traffic is lost in HA mode.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
290708 nturbo may not support CAPWAP traffic.
372717 Unable to access FortiGate GUI via https using low ciphers.
364280 User can not use ssh-dss algorithm to login to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 admin-https-banned-cipher in sys global may not work as expected.
371986 NP6 may have issue handling fragment packets.
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.
393395 The role of new VAP interface should be set as LAN.
393343 Remove botnet filter option if interface role is set to LAN.
392960 FOS support for V4 BIOS.
377192 DHCP request after lease expires is sent with former unicast IP instead of 0.0.0.0 as source.
397642 FGT5HD a-p cluster, LDAP authentication fails for users members of huge amount of LDAP groups.
381363 Empty username with Radius 802.1x WSSO auth.
354490 False positive sensor alarms in Event log.

Upgrade

Bug ID Description
269799 Sniffer config may be lost after upgrade.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FGT-VM-LENC.
378421 Committing any change on SSL VPN Settings over web page returns error:500.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, import issues may arise when using the QCOW2 format, along with existing HDA issues.


Modem

FortiGate units support the use of wireless, 3G and 4G modems connected using the USB port or, if available, the express card slot. Modem access provides either primary or secondary (redundant) access to the Internet. For FortiGate units that do not include an internal modem (those units with an “M” designation), the modem interface will not appear in the web-based manager until enabled in the CLI. To enable the modem interface enter the CLI commands:

config system modem
  set status enable
end

You will need to log out of the FortiGate and log back in to see the modem configuration page at System > Network > Modem. Once enabled, modem options become available by going to System > Network > Interface.

Note that the modem interface is only available when the FortiGate unit is in NAT mode. To configure modem settings, go to System > Network > Modem.

Configuring the modem settings is a matter of entering the ISP phone number, user name and password. Depending on the modem, additional information may need to be supplied such as product identifiers, and initialization strings.

The FortiGate unit includes a number of common modems within its internal database. You can view these by selecting the Configure Modem link on the Modem Settings page. If your modem is not on the list, select Create New to add the information. This information is stored on the device, and will remain after a reboot.

Fortinet has an online database of modem models and configuration settings through FortiGuard. A subscription to the FortiGuard services is not required to access the information. As models are added, you can select the Configure Modem link and select Update Now to download new configurations.

 

USB modem port

Each USB modem has a specific dial-out port. This will be indicated with the documentation for your modem. To enable the correct USB port, use the CLI commands:

config system modem

set wireless-port {0 | 1 | 2}

end

 

To test the port, use the diagnose command:

diagnose sys modem com /1

 

The 1 will be the value of your USB port selected. The response will be:

Serial port: /dev/1

Press Ctrl+W to exit.

 

If the port does not respond the output will be:

Can not open modem device ‘/dev/1’ : Broken pipe

 

Modes

The FortiGate unit allows for two modes of operation for the modem: stand alone and redundant. In stand alone mode, the modem connects to a dialup ISP account to provide the connection to the Internet. In redundant mode, the modem acts as a backup method of connecting to the Internet should the primary port for this function fail.

Configuring stand alone and redundant modes is very similar. The primary difference is the selection of the interface that the modem will replace in the event of that interface failing, and the configuration of a PING server to monitor the chosen interface.

 

Configuring stand alone mode

Configuring stand alone mode is a matter of configuring the modem information and the dialing mode. The dial mode is either Always Connect or Dial on Demand. Selecting Always Connect ensures that once the modem has connected, it remains connected to the ISP. With Dial on Demand, the modem only calls the ISP if packets are routed to the modem interface. Once the packets have been sent, the modem disconnects after a specified amount of time.

 

To configure standalone mode as needed – web-based manager

1. Go to System > Network > Modem.

2. Select the Mode of Standalone.

3. Select the Dial Mode of Dial on Demand.

4. Set the number of redials the modem attempts if the connection fails to 5.

5. Select Apply.

 

To configure standalone mode as needed- CLI

config system modem
  set status enable
  set mode standalone
  set auto-dial enable
  set redial 5
end

Configuring redundant mode

Redundant mode provides a backup to an interface, typically to the Internet. If that interface fails or disconnects, the modem automatically dials the configured phone number(s). Once connected, the FortiGate unit routes all traffic to the modem interface until the monitored interface is up again. The FortiGate unit pings the connection to determine when it is back online.

For the FortiGate to verify when the interface is back up, you need to configure a Ping server for that interface. You will also need to configure security policies between the modem interface and the other interfaces of the FortiGate unit to ensure traffic flow.

 

To configure redundant mode as needed – web-based manager

1. Go to System > Network > Modem.

2. Select the Mode of Redundant.

3. Select the interface the modem takes over from if it fails.

4. Select the Dial Mode of Dial on Demand.

5. Set the number of redials the modem attempts if the connection fails to 5.

6. Select Apply.

 

To configure redundant mode as needed – CLI

config system modem
  set status enable
  set mode redundant
  set interface wan1
  set auto-dial enable
  set redial 5
end

Link Health Monitor

Adding a link health monitor is required for routing failover traffic. A link health monitor confirms the connectivity of the device's interface.

 

To add a link health monitor

config system link-monitor
  edit "Example1"
    set srcintf <Interface_sending_probe>
    set server <ISP_IP_address>
    set protocol {ping | http}
    set gateway-ip <the_gateway_IP_to_reach_the_server_if_required>
    set failtime <failure_count>
    set interval <seconds>
    set update-cascade-interface enable
    set update-static-route enable
    set status enable
  next
end

Additional modem configuration

The CLI provides additional configuration options when setting up the modem options including adding multiple ISP dialing and initialization options and routing. For more information, see the CLI Reference.

 

Modem interface routing

The modem interface can be used in FortiOS as a dedicated interface. Once enabled and configured, you can use it in security policies and define static and dynamic routing. Within the CLI commands for the modem, you can configure the distance and priority of routes involving the modem interface. The CLI commands are:

config system modem

set distance <route_distance>

set priority <priority_value>

end

 

For more information on the routing configuration in the CLI, see the CLI Reference. For more information on routing and configuring routing, see the Advanced Routing Guide.
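As an added worked example, not from the handbook or Fortinet, the redundant-mode modem, link health monitor and routing settings above are combined into one configuration, together with the security policy the text says is needed for traffic to flow through the modem interface. The phone number, account name, password placeholder, probe target 198.51.100.1, the internal interface name and the numeric values are assumed; the phone1/username1/passwd1 keys and the policy fields follow standard FortiOS CLI syntax, so confirm them against the CLI Reference for your release, and the # lines are explanatory comments.

```fortios
# Modem as backup for wan1; assumed dial-up account values
config system modem
  set status enable
  set mode redundant
  set interface wan1
  set wireless-port 1
  set phone1 "5551234567"
  set username1 "isp_account"
  set passwd1 <replace_with_account_password>
  set auto-dial enable
  set redial 5
  # higher distance than the wan1 default route, so the modem
  # route is used only while the wan1 route is withdrawn
  set distance 20
  set priority 10
end

# Probe the ISP gateway through wan1; after 5 lost probes 10 s apart
# the wan1 static route is withdrawn and the modem route takes over
config system link-monitor
  edit "wan1-health"
    set srcintf "wan1"
    set server "198.51.100.1"
    set protocol ping
    set interval 10
    set failtime 5
    set update-static-route enable
    set status enable
  next
end

# Allow internal hosts out through the modem while it is active;
# narrow the service scope where the site allows it, and log the
# sessions so the failover period is visible in the traffic log
config firewall policy
  edit 0
    set name "internal-to-modem"
    set srcintf "internal"
    set dstintf "modem"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable
    set logtraffic all
  next
end
```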


Single firewall vs. vdoms

When VDOMs are not enabled, and the FortiGate unit is in transparent mode, all the interfaces on your unit become broadcast interfaces. The problem is there are no interfaces free for additional network segments.

A FortiGate with three interfaces means only limited network segments are possible without purchasing more FortiGate devices.

With multiple VDOMs you can have one of them configured in transparent mode, and the rest in NAT mode. In this configuration, you have an available transparent mode FortiGate unit you can drop into your network for troubleshooting, and you also have the standard.

This example shows how to enable VDOMs on the FortiGate unit, create a VDOM called accounting on the DMZ2 port, and assign an administrator to maintain the VDOM. First, enable Virtual Domains on the FortiGate unit.

 

To enable VDOMs – web-based manager

1. Go to System > Dashboard > Status.

2. In the System Information widget, select Enable for Virtual Domain.

Note that on FortiGate-60 series and lower models, you need to enable VDOMs in the CLI only.

The FortiGate unit logs you out. Once you log back in, you will notice that the menu structure has changed. This reflects the global settings for all Virtual Domains.

 

To enable VDOMs – CLI

config system global
  set vdom-admin enable
end

Next, add the VDOM called accounting.

 

To add a VDOM – web-based manager

1. Go to Global > VDOM > VDOM, and select Create New.

2. Enter the VDOM name accounting.

3. Select OK.

 

To add a VDOM – CLI

config vdom
  edit <new_vdom_name>
  next
end

With the Virtual Domain created, you can assign a physical interface to it, and assign it an IP address.

 

To assign physical interface to the accounting Virtual Domain – web-based manager

1. Go to Global > Network > Interface.

2. Select the DMZ2 port row and select Edit.

3. For the Virtual Domain drop-down list, select accounting.

4. Select the Addressing Mode of Manual.

5. Enter the IP address for the port of 10.13.101.100/24.

6. Set the Administrative Access to HTTPS and SSH.

7. Select OK.

 

To assign physical interface to the accounting Virtual Domain – CLI

config global
  config system interface
    edit dmz2
      set vdom accounting
      set ip 10.13.101.100/24
      set allowaccess https ssh
    next
  end
end
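The complete accounting VDOM setup as an added example (not from the handbook or Fortinet), including the administrator assignment the example above refers to but does not show: an account scoped to the accounting VDOM only, using the built-in prof_admin profile rather than super_admin, and accepting logins only from the 10.13.101.0/24 subnet. The account name, password placeholder and trusted host are assumed, the # lines are explanatory comments, and the first block logs you out, so log back in before continuing.

```fortios
# Step 1: enable VDOMs (the FortiGate logs you out afterwards)
config system global
  set vdom-admin enable
end

# Step 2: create the accounting VDOM
config vdom
  edit accounting
  next
end

# Step 3: move dmz2 into the VDOM and address it
config global
  config system interface
    edit dmz2
      set vdom accounting
      set ip 10.13.101.100/24
      set allowaccess https ssh
    next
  end

  # Step 4: an administrator who can manage only this VDOM,
  # with the built-in non-global profile and a trusted host
  # so the account is usable only from the accounting subnet
  config system admin
    edit "acct_admin"
      set vdom "accounting"
      set accprofile "prof_admin"
      set trusthost1 10.13.101.0 255.255.255.0
      set password <replace_with_strong_password>
    next
  end
end
```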


Single firewall vs. multiple virtual domains

A typical FortiGate setup, with a small to mid-range appliance, enables you to include a number of subnets on your network using the available ports and switch interfaces. This can potentially provide a means of having three or more mini networks for the various groups in a company. Within this infrastructure, multiple network administrators have access to the FortiGate to maintain security policies.

However, the FortiGate unit may not have enough interfaces to match the number of departments in the organization. If the FortiGate unit is running in transparent mode, however, there is only one interface, and multiple network branches through the FortiGate are not possible.

A FortiGate unit with Virtual Domains (VDOMs) enabled provides a means to provide the same functionality in transparent mode as a FortiGate in NAT mode. VDOMs are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network. For administration, an administrator can be assigned to each VDOM, minimizing the possibility of error or fouling network communications.

By default, most FortiGate units support 10 VDOMs. Many FortiGate models support purchasing a license key to increase the maximum number.

