Category Archives: Release Notes

FortiOS 6.2.3 Release Notes

Change Log

Date Change Description
2019-12-19 Initial release.
2019-12-19 Updated Resolved issues and Known issues.
2019-12-20 Updated Changes in CLI defaults.
2019-12-30 Added 585122 to Resolved issues.
2020-01-02 Updated Product integration and support > FortiExtender.
2020-01-03 Updated Known issues.
2020-01-06 Updated Introduction and supported models > Special branch supported models. Removed image download note from Introduction and supported models.
2020-01-07 Added 581663 to Resolved issues.
2020-01-09 Added FG-60F, FG-61F, FG-100F, and FG-101F to Introduction and supported models > Special branch supported models.
2020-01-17 Updated Resolved issues and Known issues.

Added Special notices > System Advanced menu removal (combined with System Settings).

2020-01-20 Updated Resolved issues and Known issues.
2020-01-22 Updated New features orenhancements and Known issues.
2020-01-27 Updated Special notices > New Fortinet cloud services.
2020-02-04 Added Special notices > L2TP overIPsec on certain mobile devices (459996). Updated Resolved issues and Known issues.
2020-02-13 Added Special branch support forFortiAP-W2 231E section in Introduction and supported models.
2020-02-21 Added FG-2200E, FG-2201E, FG-3300E, and FG-3301E to Introduction and supported models > Special branch supported models.
2020-02-24 Updated Special notices, New features orenhancements, Known issues, and Resolved issues.
2020-02-25 Updated Known issues and Resolved issues.

Introduction and supported models

This guide provides release information for FortiOS 6.2.3 build 1066.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FG-30E-MG is released on build 8255.
FG-60E-DSL is released on build 6164.

FortiOS 6.2.3 supports the following models.

FortiGate FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E,

FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E,

FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E,

FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D,

FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG3000D, FG-3100D, FG-3200D, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E
FortiGate Rugged FGR-30D, FGR-35D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS,

FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND,

FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM,

FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 6.2.3 images are delivered on request and are not available on the Beta portal.

Special branch supported models

The following models are released on a special branch of FortiOS 6.2.3. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1066.

 

Introduction and supported models

FG-60E-DSLJ is released on build 6164.
FG-60F is released on build 6188.
FG-61F is released on build 6188.
FG-100F is released on build 6188.
FG-101F is released on build 6188.
FG-1100E is released on build 5401.
FG-1101E is released on build 5401.
FG-2200E is released on build 8329.
FG-2201E is released on build 8329.
FG-3300E is released on build 8329.
FG-3301E is released on build 8329.
FWF-60E-DSL is released on build 6164.
FWF-60E-DSLJ is released on build 6164.

Special branch support for FortiAP-W2 231

A special branch for FortiOS 6.2.3 to support the FortiAP-W2 231E has been released. You may download the FortiOS images on the Fortinet Customer Service & Support site under the following directory:

/FortiGate/v6.00/Feature_Support/6.2.3/

Supplemental Release Notes are available.

The FortiAP-W2 231E is supported in FortiAP-W2 6.2.3.

Special notices

  • New Fortinet cloud services l FortiGuard Security Rating Service
  • Using FortiManager as a FortiGuard server on page 10 l FortiGate hardware limitation l CAPWAP traffic offloading
  • FortiClient (Mac OS X) SSL VPN requirements l Use of dedicated management interfaces (mgmt1 and mgmt2) l NP4lite platforms l Tags option removed from GUI
  • System Advanced menu removal (combined with System Settings) on page 11 l L2TP over IPsec on certain mobile devices on page 12 l Application group improvements on page 12 l NGFW mode on page 12

New Fortinet cloud services

FortiOS 6.2.0 introduced several new cloud-based services listed below. The new services require updates to FortiCare and Fortinet’s FortiCloud single sign-on (SSO) service.

  • Overlay Controller VPN
  • FortiGuard Cloud-Assist SD-WAN Interface Bandwidth Monitoring l FortiManager Cloud l FortiAnalyzer Cloud

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model: l FGR-30D l FGR-35D l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E

  • FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E l FWF-50E-2R l FWF-51E

Using FortiManager as a FortiGuard server

If you use FortiManager as a FortiGuard server, and you configure the FortiGate to use a secure connection to FortiManager, you must use HTTPS with port 8888. HTTPS with port 53 is not supported.

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

 

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected: l FG-900D l FG-1000D l FG-2000E l FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

Bug ID Description
584254 l Removed System > Advanced menu (moved most features to System > Settings page).

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

NP4lite platforms

FortiOS 6.2 and later does not support NP4lite platforms.

Tags option removed from GUI

The Tags option is removed from the GUI. This includes the following:

l The System > Tags page is removed. l The Tags section is removed from all pages that had a Tags section. l The Tags column is removed from all column selections.

System Advanced menu removal (combined with System Settings)

Bug ID Description
  l Moved configuration script upload feature to top menu > Configuration > Scripts page. l Removed GUI support for auto-script configuration (the feature is still supported in the CLI). l Converted all compliance tests to security rating tests.

L2TP over IPsec on certain mobile devices

Bug ID Description
459996 Samsung Galaxy Tab A 8 and Android 9.0 crash after L2TP over IPsec is connected.

Application group improvements

Bug ID Description
565309 Application Group improvements.

NGFW mode

Bug ID Description
584314 NGFW mode should have a link to show list of all applications.

Changes in default behavior

CLI

  • Removed dependency between gui-per-policy-disclaimer in the system setting and per-policydisclaimer in the user setting.
  • There is a new default any-to-any-all-to-all policy after changing from NGFW mode to policy-based mode.

GUI

l In the Feature Visibility page, the Per-policy Disclaimer option name was changed to Policy Disclaimer. l Firewall Policy was renamed to SSL Inspection & Authentication after changing from NGFW mode to policybased mode.

WiFi Controller

The default extension information setting in wtp-profile has changed from disable to enable.

Previous releases 6.2.3 release
config wireless-controller wtp-profile edit <FAP-Profile> set ext-info-enable disable

next

end

config wireless-controller wtp-profile edit <FAP-Profile> set ext-info-enable enable <== changed

next

end

The default platform type in wtp-profile has changed from 220B to 221E.

Previous releases 6.2.3 release
config wireless-controller wtp-profile edit <New profile> config platform set type 220B

end

next

end

config wireless-controller wtp-profile edit <New profile> config platform set type 221E <== changed

end

next

end

 

Changes in CLI defaults

Routing l auxiliary-session {enable | disable} option added at the VDOM level.

System

Previous releases 6.2.3 release
config webfilter profile edit “encrypted-web” set comment ” set replacemsg-group ” unset options config file-filter set status enable set log enable set scan-archive-contents enable config entries edit “1” set comment ” config webfilter profile edit “encrypted-web” set comment ” set replacemsg-group ” unset options config file-filter set status enable set log enable set scan-archive-contents enable config entries edit “1” set comment ”
  • Consolidate FortiTelemetry and capwap into fabric to allow Security Fabric access in system interface.
Previous releases 6.2.3 release
config system interface edit <Port number> set allowaccess capwap <== Removed set fortiheartbeat <== Removed

next

end

config system interface edit <Port number> set allowaccess fabric <== New

next

end

  • Add execute factoryreset-shutdown to combine the functionality of the factory-reset and shutdown l Add more functions for SMC NTP and the ability to get information from SMC NTP:

config system smc-ntp <== New set ntpsync disable <== New set syncinterval 60 <== New

set channel 5 <== New end

Web Filter l Enable file-filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

Changes in CLI defaults

Previous releases 6.2.3 release
set protocol http ftp set action log set direction any set password-protected

yes set file-type “zip” <==

only zip can be selected next

end

end

next

end

set protocol http ftp set action log set direction any set password-protected

yes set file-type “zip” “7z” “msoffice” “msofficex” “pdf” “rar” <==changed next

end

end

next

end

WiFi Controller l FAP-U431F and FAP-U433F can support 802.11ax on 2.4 GHz radio-2 when the platform mode is single-5G.

Previous releases 6.2.3 release
config wireless-controller wtp-profile edit “FAPU431F-default” config platform set type U431F set mode single-5G

end config radio-1 set band 802.11ax-5G

end config radio-2 set band ?

802.11b 802.11b.

802.11g 802.11g/b.

802.11n 802.11n/g/b at 2.4GHz.

802.11n,g-only 802.11n/g at 2.4GHz.

802.11g-only 802.11g.

802.11n-only 802.11n at

2.4GHz. end config radio-3 set mode monitor

end

next

end

config edit

2.4GHz.

2.4GHz.

2.4GHz.

2.4GHz.

2.4GHz.

802.11a

wireless-controller wtp-profile

“FAPU431F-default” config platform set type U431F set mode single-5G

end config radio-1 set band 802.11ax-5G

end config radio-2 set band ?

802.11b 802.11b.

802.11g 802.11g/b.

802.11n 802.11n/g/b at

802.11ax 802.11ax/n/g/b at

<==added

802.11n,g-only 802.11n/g at

802.11g-only 802.11g.

802.11n-only 802.11n at

802.11ax,n-only 802.11ax/n at

<==added

802.11ax,n,g-only

x/n/g at 2.4GHz. <==added

802.11ax-only 802.11ax at

Changes in CLI defaults

Previous releases 6.2.3 release
  2.4GHz.<==added end config radio-3 set mode monitor

end

next

end

Resolved Issues

Bug ID Description
574882 FAP-U431F and FAP-U433F can support 802.11ax on 2.4 GHz radio-2 when the platform mode is single-5G.

config wireless-controller wtp-profile edit “FAPU431F-default” config platform set type U431F set mode single-5G

end config radio-1 set band 802.11ax-5G

end config radio-2 set band 802.11ax

end config radio-3 set mode monitor

end

next

end

Changes in default values

Bug ID Description
548906 Change default extension information setting in wtp-profile from disable to enable.

config wireless-controller wtp-profile edit <FAP-Profile> set ext-info-enable enable <== changed

next

end

585889 Change default platform type setting in wtp-profile from 220B to 221E.

config wireless-controller wtp-profile edit <New profile> config platform set type 221E <== changed

end

next

end

 

Changes in table size

Bug ID Description
599271 Except for desktop models, all other platforms’ table size of VIP real servers are increased as follows:

l 1U platforms increased from 8 to 16 l 2U platforms increased from 32 to 64 l High-end platforms increased from 32 to 256

 

New features or enhancements

Bug ID Description
529445 In wids-profile, add the new ap-scan-threshold setting, which is the minimum signal level of rogue APs detected and required by the managed FortiAP devices. Only the rogue APs with a signal level higher than the threshold will be reported to the FortiGate WiFi Controller.

config wireless-controller wids-profile edit <WIDS-profile-name> set ap-scan enable set ap-scan-threshold “-80”

next

end

The range of ap-scan-threshold, in dBm, is -95 to -20 (default = -90).

553372 Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labelled Fabric Connection. If either CAPWAP or FortiTelemetry were enabled on a particular interface, the new fabric option will be enabled after upgrading.
557614 FortiGate support for NSX-T v2.4: East/West traffic.
562394 Add support for EMS cloud:

l Added CMDB attribute fortinet-one-cloud-authentication to FortiClient EMS table. l Added curl verbose diagnosis debugs to FortiClient NAC daemon for debug images. l Added fortiems-cloud option to type attribute in user.fsso table.

571639 Add support for tracking number of hits to a policy route:

l  Policy route hit counter and last used tag added to each policy displayed in diagnose firewall proute list command.

l  New CLI command diagnose firewall proute show, displays policy route hit counter and last used for a given proute id, (if 0, dumps all).

l  New CLI command diagnose firewall proute clear, clears policy route hit counter and last used for a given proute id, (if 0, clears all).

573568 Change public IP and routing table entries allocated in different resource groups in Azure HA.

In an Azure HA scenario, the EIP and route table to fail over is specified in the SDN connector configuration. A new attribute, resource-group, is added to allow customers to specify the resource group that a EIP or route table is from. This new attribute can be empty so upgrade code is not needed.

If the resource-group of the EIP or route table is not provided, it is assumed the resource comes from the same resource group as the SDN connector setting (if it is not set there, assume the same resource group as the FortiGate itself by getting it from the instance metadata).

579484 Limit OCVPN spoke to only join existing overlay.
580889 DPDK support on FortiOS VM platform.

 

New features or enhancements

Bug ID Description
591567 Add support for additional SHA-2 algorithms with SNMPv3.
593148 Update interface-related pages to use AngularJS and muTable.

Interfaces list:

l  Radio buttons in the top-right corner let users switch between grouping by type, role, and sort lists alphabetically have been removed. There is a dropdown instead with the following options:

l  Group by type l Group by zone l Group by status, l Group by role l No grouping

l  Zones do not support parent-child relationships anymore.

l  The DHCP Server column has been divided into two separate columns, DHCP Clients and DHCP Ranges.

l  CSF support has been added. When switching to a downstream device, both the list and the faceplate should update.

l  For VDOMs, administrators can only view complete information about interfaces for the VDOM they are in. This applies even to administrators who have access to more than one VDOM.

l  On devices that support VLAN switching, the VLAN Switch Mode toggle has been removed from the list page. It now shows up under System> Settings.

l  Faceplates do not auto-refresh on page load anymore. For auto-refresh, users need to enable the muTable refresh feature from the button in the bottom-right corner.

Interfaces dialog:

l  Under Administrative Access, CAPWAP and FortiTelemetry have been combined into one option labelled Fabric Connection.

l  The secondary IP address toggle has been moved from the Miscellaneous section to the Address section.

l  A gutter has been added that displays the device hostname,the interface it belongs to, and relevant help links.

CLI changes:

l Consolidate fortitelemetry and capwap into fabric for allowaccess in system.interface.

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version

  1. Click Go.

Device detection changes

In FortiOS 6.0.x, the device detection feature contains multiple sub-components, which are independent:

  • Visibility – Detected information is available for topology visibility and logging.
  • FortiClient endpoint compliance – Information learned from FortiClient can be used to enforce compliance of those endpoints.
  • Device-based policies – Device type/category and detected devices/device groups can be defined as custom devices, and then used in device-based policies.

In 6.2, these functionalities have changed:

  • Visibility – Configuration of the feature remains the same as FortiOS 6.0, including FortiClient information. l FortiClient endpoint compliance – A new fabric connector replaces this, and aligns it with all other endpoint connectors for dynamic policies. For more information, see Dynamic Policy FortiClient EMS (Connector) in the FortiOS 6.2.0 New Features Guide.
  • Mac-address-based policies – A new address type is introduced (Mac Address Range), which can be used in regular policies. The previous device policy feature can be achieved by manually defining MAC addresses, and then adding them to regular policy table in 6.2. For more information, see MAC Addressed-Based Policies in the FortiOS 6.2.0 New Features Guide.

If you were using device policies in 6.0.x, you will need to migrate these policies to the regular policy table manually after upgrade. After upgrading to 6.2.0:

  1. Create MAC-based firewall addresses for each device.
  2. Apply the addresses to regular IPv4 policy table.

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated. The FortiClient Compliance profile under the Security Profiles menu has been removed as has the Enforce FortiClient Compliance Check option under each interface configuration page. Endpoints running FortiClient 6.2.0 now register only with FortiClient EMS 6.2.0 and compliance is accomplished through the use of Compliance Verification Rules configured on FortiClient EMS 6.2.0 and enforced through the use of firewall policies. As a result, there are two upgrade scenarios:

  • Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License for their FortiClient EMS installation.
  • Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement, must upgrade the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

The FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language transforms and the FortiClient 6.2.0 for macOS standard installer are included with FortiClient EMS 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.3 greatly increases the interoperability between other Fortinet products. This includes:

  • FortiAnalyzer 6.2.3 l FortiClient EMS 6.2.0 l FortiClient 6.2.2 l FortiAP 5.4.4 and later l FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

If the Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.2.3. When the Security Fabric is enabled in FortiOS 6.2.3, all FortiGate devices must be running FortiOS 6.2.3.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.3 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.3 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

  • Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox)

 

  • FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting) l LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode l interface IP/management IP l static route table l DNS settings l admin user account l session helpers l system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with 5.6.2 and older AWS VM versions. After downgrading a 6.2.3 image to a 5.6.2 or older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.3 to 5.6.2 or older versions, running the enhanced NIC driver is not allowed. The following AWS instances are affected:

C5

C5d

C5n

F1

G3

G4

H1

I3

I3en

Inf1 m4.16xlarge

M5

M5a

M5ad M5d

M5dn

M5n

P2

P3

R4

R5

R5a

R5ad R5d

R5dn

R5n

T3

T3a

u-6tb1.metal u-9tb1.metal u-12tb1.metal u-18tb1.metal u-24tb1.metal

X1 X1e z1d

A workaround is to stop the instance, change the type to a non-ENA driver NIC type, and continue with downgrading.

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.3, the interface allowaccess configuration on all managed FortiSwitches are overwritten by the default FortiGate local-access profile. You must manually add your protocols to the localaccess profile after upgrading to 6.2.3.

To configure local-access profile:

config switch-controller security-policy local-access edit [Policy Name] set mgmt-allowaccess https ping ssh set internal-allowaccess https ping ssh

next

end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch edit [FortiSwitch Serial Number] set switch-profile [Policy Name] set access-profile [Policy Name]

next

end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global set vdom-mode [no-vdom | split vdom]

end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any] end

FortiView widgets

FortiView widgets have been rewritten in 6.2.3. FortiView widgets created in previous versions are deleted in the upgrade.

 

Product integration and support

The following table lists FortiOS 6.2.3 product integration and support information:

Web Browsers l Microsoft Edge 44 l Mozilla Firefox version 71 l Google Chrome version 78

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 42 l Mozilla Firefox version 71 l Google Chrome version 78 l Microsoft Internet Explorer version 11

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Fortinet Security Fabric upgrade on page 22. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on page 22. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient:

l Microsoft Windows l Mac OS X l Linux

l 6.2.0

See important compatibility information in FortiClient Endpoint Telemetry license on page 22 and Fortinet Security Fabric upgrade on page 22.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS l 6.2.0 and later
FortiClient Android and FortiClient VPN Android l 6.2.0 and later
FortiAP l 5.4.2 and later l 5.6.0 and later
FortiAP-S l 5.4.3 and later l 5.6.0 and later
FortiAP-U l 5.4.5 and later

 

FortiAP-W2 l 5.6.0 and later
FortiSwitch OS

(FortiLink support)

l 3.6.9 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l 5.0 build 0287 and later (needed for FSSO agent support OU in group filters) l Windows Server 2019 Standard l Windows Server 2019 Datacenter l Windows Server 2019 Core l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2016 Core l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Windows Server 2012 Core l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2008 Core l Novell eDirectory 8.8
FortiExtender l 4.1.2
AV Engine l 6.00132
IPS Engine l 5.00043
Virtualization Environments  
Citrix l XenServer version 7.1
Linux KVM l Ubuntu 18.04.3 LTS l QEMU emulator version 2.11.1 (Debian 1:2.11+dfsg-1ubuntu7.21) l libvirtd (libvirt) 4.0.0
Microsoft l Hyper-V Server 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04 / 18.04 (32-bit & 64-bit)

2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 61

Google Chrome version 68

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 61

Google Chrome version 68

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X El Capitan 10.11.1 Apple Safari version 11

Mozilla Firefox version 61

Google Chrome version 68

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus   Firewall
Symantec Endpoint Protection 11  
Kaspersky Antivirus 2009    
McAfee Security Center 8.1  
Trend Micro Internet Security Pro  
F-Secure Internet Security 2009  

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved issues

The following issues have been fixed in version 6.2.3. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID Description
590092 Cannot clear scanunit vdom-stats to reset the statistics on ATP widget.
590170 Policy in flow mode blocking .JAR archive files.

Data Leak Prevention

Bug ID Description
586689 Downloading a file with FTP client in EPSV mode will hang.
591676 Enable file filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

DNS Filter

Bug ID Description
561297 DNS filtering does not perform well on the zone transfer when a large DNS zone’s AXFR response consists of one or more messages.
563441 7K DNS filter breaking DNS zone transfer.
574980 DNS translation is not working when request is checked against the local FortiGate.
583449 DNS filter explicit block all (wildcard FQDN) not working in 6.2 firmware.
586526 Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

Explicit Proxy

Bug ID Description
504011 FortiGate does not generate traffic logs for SOCKS proxy.
588211 WAD cannot learn policy if multiple policies use the same FQDN address.
589065 FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.
589811 urfilter process does not started when adding a category as dstaddr in a proxy policy with the deny action.
590942 AV does not forward reply when GET for FTP over HTTP is used.

Firewall

Bug ID Description
508015 Editing a policy in the GUI changes the FSSO setting to disable.
558996 FortiGate sends type-3 code-1 IP unreachable for VIP.
584451 NGFW default block page partially loads.
585073 Adding too many address objects to a local-in policy causes all blocking to fail.
585122 Should not be allowed to rename VIP or address with the same name as an existing VIP group or address group object.
590039 Samsung OEM internet browser cannot connect to FortiGate VS/VIP.
597110 When creating a firewall address with the associated-interface setting, CMD gets stuck if there is a large nested address group.

FortiView

Bug ID Description
582341 On Policies page, consolidated policies are without names and tooltips; tooltips not working for security policies.

GUI

Bug ID Description
282160 GUI does not show byte information for aggregate and VLAN interface.
303651 Should hide Override internal DNS option if vdom-dns is set to disable.
438298 When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.
451306 Add a tooltip for IPS Rate Based Signatures.
460698 There is no uptime information in the HA Status widget for the slave unit’s GUI.
467495 A wrong warning message appears that the source interface has no members after enabling an inserted proxy policy.
478472 Options 150, 15, and 51 for the DHCP server should not be shown after removing them and having no related configuration in the backend.
480731 Interface filter gets incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.
482437 SD-WAN member number is not correct in Interfaces page.
493527 Compliance events GUI page does not load when redirected from the advanced compliance page.
498892 GUI shows wrong relationship between VLAN and physical interface after adding them to a zone.
502962 Get “Fail to retrieve info” for default VDOM link on Network > Interfaces page.
505066 Not possible to select value for DN field in LDAP GUI browser.
510685 Hardware Switch row is shown indicating a number of interfaces but without any interfaces below.
514027 Cannot disable CORS setting on GUI.
531376 Get “Internal Server Error” when editing an aggregate link that has a name with a space in it.
534853 Suggest GUI Interfaces list includes SIT tunnels.
536718 Cannot change MAC address settting when configuring a reserved DHCP client.
536843 LACP aggregate interface flaps when adding/removing a member interface (first position in member list).
537307 “Failed to retrieve info” message appears for ha-mgmt-interface in Network > Interfaces.
538125 Hovering mouse over FortiExtender virtual interface shows incorrect information.
587673 On Proxy Policy page, the default view method (Interface PairView) is not clickable.
540098 GUI does not display the status for VLAN and loopback in the Network > Interfaces > Status column.
542544 In Log & Report, filtering for blank values (None) always shows no results.
544442 Virtual IPs page should not show port range dialog box when the protocol is ICMP.

 

Bug ID Description
552811 Scripts pushed from FortiCloud do not show up in System > Advanced Settings when FortiCloud remote access is used.
553290 The tooltip for VLAN interfaces displays as “Failed to retrieve info”.
555687 Network mask of a VPN interface is changed to 255.255.255.255 without an actual configuration change.
559866 When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via the management tunnel.
560206 Change/remove FortiCloud standalone reference.
563053 Warning messages for third-party transceivers were removed in 6.2.1 to prevent excessive RMA or support tickets. In 6.2.2, warnings were re-added for third-party transceivers.
565748 New interface pair consolidated policy added via CLI is not displayed on GUI policy page.
566414 Application Name field shows vuln_id for custom signature, not its application name in logs.
567369 Cannot save DHCP Relay configuration when the Relay IP address list is separated by a comma.
571909 SSL VPN Settings page shows undefined error.
573456 FortiGate without disk email alert settings page should remove Disk usage exceeds option.
574101 Empty firmware version in managed FortiSwitch from FortiGate GUI.
582658 Email filter page keeps loading and cannot create a new profile when the VDOM admin only has emailfilter permission.
583049 Internal server error while trying to create a new interface.
584419 Issue with application and filter overrides.
584426 Add Selected button does not show up under FSSO Fabric Connector with custom admin profile.
584560 GUI does not have the option to disable the interface when creating a VLAN interface.
586604 No matching IPS signatures are found when Severity or Target filter is applied.
586749 Enable/disable Disarm and Reconstruction in the GUI only affects the SMTP protocol in AV profiles.
587091 When logged in as administrator with web filter read/write only privilege, the Web Rating Overrides GUI page cannot load.
588028 If the Endpoint Control feature is disabled, the exempt options for captive portal are not shown in the GUI.
588222 WAN Opt. Monitor displays Total Savings as negative integers during file transfers.
588665 Option to reset statistics from Monitor> WAN Opt. Monitor in GUI does not clear the counters.
589085 Web filter profile warning message when logged in with read/write admin on VDOM environment.
Bug ID Description
592244 VIPs dialog page should be able to create VIP with the same extip/extport but different source IP address.
593433 DHCP offset option 2 has to be removed before changing the address range for the DHCP server in the GUI.
594162 Interface hierarchy is not respected in the GUI when a LAG interface belongs to SD-WAN and its VLANs belong to a zone.
594565 Wrong Sub-Category appears in the Edit Web Rating Override page.
Bug ID Description
540718 Signal 14 alarm crashes were observed on DFA rebuild.
579018 IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.
586608 The CPU consumption of ipsengine gets high with customer configuration file.

HA

Bug ID Description
479780 Slave fails to send and receive HA heartbeat when configuring cfg-revert setting on FG-2500E.
540632 In HA, management-ip that is set on a hardware switch interface does not respond to ping after executing reboot.
575020 HA failing config sync on VM01 with error (slave and master have different hdisk status) when master is pre-configured.
581906 HA slave sending out GARP packets in 16-20 seconds after HA monitored interface failed.
585348 default-gateway injected by dynamic-gateway on PPP interface deleted by other interface down.
585675 exe backup disk alllogs ftp command causes FortiGate to enter conserve mode.
586004 Moving VDOM via GUI between virtual clusters causes cluster to go out of sync and VDOM state work/standby does not change.
586835 HA slave unable to get checksum from master. HA sync in Z state.
590931 Multiple PPPoE connections on a single interface does not sync PPPoE dynamic assigned IP and cannot start re-negotiation.

Intrusion Prevention IPsec VPN

Bug ID Description
577502 OCVPN cannot register—status “Undefined”.
582251 IKEv2 with EAP peer ID authentication validation does not work.
582876 ADVPN connections from the hub disconnects one-by-one and IKE gets stuck.
584982 The customer is unable to log in to VPN with RADIUS intermittently.
Bug ID Description
525328 External resource does not support no content length.
549660 WAD crash with signal 11.
573028 WAD crash causing traffic interruption.

Log & Report

Bug ID Description
578057 Action field in traffic log cannot record security policy action—it shows the consolidated policy action.
580887 No traffic log after reducing miglogd child to 1.
586038 FortiOS 6.0.6 reports too long VPN tunnel durations in local report.
590598 Log viewer application control cannot show any logs (page is stuck loading).
590852 Log filter can return empty result when there are too many logs, but the filter result is small.
591152 IPS logs set srcintf(role)/dstinf(role) reversely at the time of IPS signature reverse pattern.
591523 When refreshing logs in GUI, some log_se processes are running extremely long and consuming CPU.
593907 Miglogd still uses the daylight savings time after the daylight savings end.
596278 sentdelta and rcvddelta showing 0 if syslog format is set to CSV.
599860 When logtraffic is set to all, existing sessions cannot change the egress interfaces when the routing table is updated with a new outgoing interface.

Proxy

Bug ID Description
579400 High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC broken between wad and authd.
580592 Policy in proxy-based mode with AV and WAF profile denies access to Nginx with enabled gzip compression.
584719 WAD reads ftp over-limit multi-line response incorrectly.
587214 WAD crash for wad_ssl_port_on_ocsp_notify.
587987 In case of TLS 1.3 with certificate inspection and a certificate with an empty CN name, WAD workers would locate a random size for CN name and then cause unexpected high memory usage in WAD workers.
592153 Potential memory leak that will be triggered by certificate inspection CIC connection in WAD.
593365 WAD crash due to user learned from proxy not purged from the kernel when user is deleted from proxy or zone with empty interface member.
594237 Slow download speed in proxy-based mode compared to flow-based mode.
594725 WAD memory leak detected on cert_hash in wad_ssl_cert.
596012 Receive SSL fatal alert with source IP 0.0.0.0.

REST API

Bug ID Description
587470 REST API to support revision flag.

Routing

Bug ID Description
371453 OSPF translated type 5 LSA not flushed according to RFC-3101.
524229 SD-WAN health-check keep records useless logs under some circumstances.
570686 FortiOS 6.2.1 introduces asymmetric return path on the hub in SD-WAN after the link change due to SLA on the spoke.
582078 ISDB ID is changed after restoring the configuration under the situation where the FortiGate has a previous ISDB version.
584095 SD-WAN option of set gateway enable/set default enable override available on connected routes.
Bug ID Description
584477 In transparent mode with asymmetric routing, packet in the reply direction does not use asymmetric route.
585027 There is no indication in proute if the SD-WAN service is default or not.
585325 IPv6 route cannot be inactive after link-monitor is down when link-monitor are set with ipv4 and ipv6.
587198 After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next hope.
587700 Routing monitor policy view cannot show source and destination data for SD-WAN route and wildcard destination.
587970 SD-WAN rules route-tag still used in service rule but not in diagnose sys virtual-wanlink route-tag-list.
589620 Link monitor with tunnel as srcintf cannot recover after remote server down/up.
592599 FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k.
593375 OSPF NSSA with multiple ASBRs losing valid external OSPF routes in upsteam neighbors as different ASBRs are power cycled.
593864 Routing table is not always updated when BGP gets an update with changed next hop.
594685 Unable to create the IPsec VPN directly in Network > SD-WAN.
595937 PPPoE interface bandwidth is mistakenly calculated as 0 in SD-WAN.

Security Fabric

Bug ID Description
575495 FGCP dynamic objects are not populated in the slave unit.
586587 Security Fabric widget keeps loading when FortiSwitches are in a loop, or the FortiSwitch is in MCLAG mode.
587758 Invalid CIDR format shows as valid by the Security Fabric threat feed.
589503 Threat Feeds show the URL is invalid if there is a special character in the URL.
592344 CSF automation configuration cannot be synced to downstream from root.

SSL VPN

Bug ID Description
525342 In some special cases, SSL VPN main state machine reads function pointer is empty that will cause SSL VPN daemon crash.
557806 Cannot fully load a website through SSL VPN bookmark.
570171 When accessing ACT application through SSL VPN web mode, the embedded calendar request gets wrong response and redirects to login page.
573787 SSL VPN web mode not displaying custom web application’s JavaScript parts.
576288 FSSO groups set in rule with SSL VPN interface.
578908 Fails to load bookmark site over SSL VPN portal.
580377 Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode.
583339 Support HSTS include SubDomains and preload option under SSL VPN settings.
584780 When the SSL VPN portal theme is set to red, the style is lost in the SSL VPN portal.
585754 A VPN SSL bookmark failed to load the Proxmox GUI interface.
586032 Unable to download report from an internal server via SSL VPN web mode connection.
586035 The policy “script-src ‘self'” will block the SSL VPN proxy URL.
587075 SAML login is not stable for SSL VPN, it requires restarting sslvpnd to enable the function.
588119 There is no OS support for the latest macOS Catalina version (10.15) when using SSL VPN tunnel mode.
588720 SSL VPN web portal bookmarks cannot resolve hostname.
589015 SSO does not correctly URL-encode POST-ed credentials.
590643 href rewrite has some issues with the customer’s JS file.
591613 https://outlook.office365.com cannot be accessed in SSLVPN web portal.
592318 After sslvpn proxy, some Kurim JS files run with an error.
592935 sslvpnd crashed on FortiGate.
593082 SSL VPN bookmark does not load Google Maps on internal server.
593641 Cannot access HTTPS bookmark, get a blank page.
593850 SSL VPN logs out after some users click through the remote application.
594160 Screen shot feature is not working though SSL VPN portal.
594247 Cannot access https://cdn.i-ready.com through SSL VPN web portal.
595920 SSL VPN web mode goes to 99% on a specific bookmark.
596273 sslvpnd worker process crashes, causing a zombie tunnel session.
Bug ID Description
596843 Internal website not working in SSL VPN web mode.
597282 The latest FortiOS GUI does not render when accessing it by the SSL VPN portal.

Switch Controller

Bug ID Description
581370 FortiSwitch managed by FortiGate not updating the RADIUS settings and user group in the FortiSwitch.
586299 Adding factory-reset device to HA fails with switch-controller.qos settings in root.
592111 FortiSwitch shows offline CAPWAP response packet getting dropped/failed after upgrading from 6.2.2.

System

Bug ID Description
484749 TCP traffic with tcp_ecn tag cannot go through ipip ipv6 tunnel with NP6 offload enabled.
502387 X.509 certificate support required for FGFM portocol.
511790 Router info does not update after plugging out/plugging in USB modem.
528052 FortiGuard filtering services show as unavailable for read-only admin.
547712 HPE does not protect against DDoS attacks like flood on IKE and BGP destination ports.
556408 Aggregate link does not work for LACP mode active for FG-60E internal ports but works for wan1 and wan2 combination.
570759 RX/TX counters for VLAN interfaces based on LACP interface are 0.
572003 There was a hardware defect in an earlier revision of SSD used for FG-61E. When powering off then powering on in a very short time, the SSD may jump into ROM mode and cannot recover until a power circle.
573090 Making a change to a policy through inline editing is very slow with large table sizes.
573238 Session TTL expiry timer is not reset for VLAN traffic when offloading is enabled.
573973 ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.
577423 FG-80D and FG-92D kernel error in CLI during FortiGate boot up.
578259 FG-3980E VLANs over LAG interface show no TX/RX statistics.

 

Bug ID Description
578608 High CPU usage due to dnsproxy process as high at 99%.
580038 Problems with cmdbsvr while handling a large number of FSSO address groups and security policies.
581496 FG-201E stops sending out packets and NP6lite is stuck.
581528 SSH/RDP sessions are terminated unexpectedly.
581998 Session clash event log found on FG-6500F when passing a lot of the same source IP ICMP traffic over load-balance VIP.
582520 Enabling offloading drops fragmented packets.
583199 fgfmsd crashed with signal 11 when some code accesses a VDOM that has been deleted, but does not check the return value from CMDB query.
583602 Script to purge and re-create a local-in-policy ran against the remote FortiGate directly (in the CLI) is causing auto-update issues.
586301 GUI cannot show default Fortinet logo for replacement messages.
586551 When an SD-WAN member is disabled or VWL is disabled, snmpwalk shows “No Such Object available on this agent at this OID” message.
587498 FortiGate sends ICMP type 3 code 3 (port unreachable) for UDP 500 and UDP 520 against vulnerability scan.
587540 Netflow traffic records sent with wrong interface index 0 (inputint = 0 and outputint = 0).
588035 Kernel crashes when sniffing packets on interfaces that are related to EMAC VLAN.
588202 FortiGate returns invalid configuration during FortiManager retrieving configuration.
589027 EMAC VLAN drops traffic when asymmetric roue enabled on internet VDOM.
589234 Local system DNS setting instead of DNS setting acquired from upstream DHCP server was assigned to client under management VDOM.
589517 Dedicated management CPU running on high CPU (soft IRQ).
589978 alertemail username length cannot go beyond 35 characters.
590295 OID for the IPsec VPN phase 2 selector only displays the first one on the list.
591466 Cannot change the mask for an existing secondary IP on interfaces.
592787 FortiGate got rebooted automatically due to kernel crash.
593606 diagnose hardware test suite all fails due to FortiLink loopback test.
594157 FortiGate accepts invalid configuration from FortiManager.
594499 Communication over PPPoE fails after installing PPPoE configuration from FortiManager.
595598 SOC4 devices may reboot by watchdog after upgrading to FortiOS 6.2.2 (build 6083). Affected platforms: FG-60F, FG-61F, FG-100F, and FG-101F.
596180 Constant DHCPD crashes.

Upgrade

Bug ID Description
586793 Address objects have reference to old firewall policy after upgrading from 6.0.6 > 6.2.x NGFW policies.
Bug ID Description
571212 Only one CPU core in AWS is being used for traffic processing.
577653 vMotion tasks cause connections to be dropped as sessions related to vMotion VMs do not appear on the destination VMX.

User & Device

Bug ID Description
567831 Local FSSO poller regularly missing logon events.
583745 Wrong categorization of OS from device detection.
586334 Brief connectivity loss on shared service when RDP session is logged in to from local device.
586394 Authentication list entry is not created/updated after changing the client PC with another user in FSSO polling mode.
587293 The session to the SQL database is closed as timeout when a new user logs in to terminal server.
587519 fnbamd takes high CPU usage and user not able to authenticate.
587666 Mobile token authentication does not work for SSL VPN on SOC3 platforms.

Affected models include: FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG81E-POE, FG-100E, FG-100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.

592241 Gmail POP3 authentication fails with certificate error since version 6.0.5.
592253 RADIUS state attribute truncated in access request when using third-party MFA (ping ID).
593116 Client PC matching multiple authentication methods (firewall, FSSO, RSSO, WSSO) may not be matched to NGFW policies correctly.
597496 Guest user log in expires after first log in and no longer works; user is not removed from the firewall authentication list after the set time.

VM

Bug ID Description
579708 Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.
582123 EIP does not failover if the master FortiGate is rebooted or stopped from the Alibaba Cloud console.
586954 FGCP cluster member reboots in infinite loop and hatalk daemon dumps the core with segmentation fault.
588436 Azure SDN connector unable to connect to Azure Kubneretes integrated with AAD.
589445 VM deployed in ESX platform with VMXNET3 does not show the correct speed and duplex settings.
590140 FG-VM-LENC unable to validate new license.
590149 Azure FortiGate crashing frequently when MLX4 driver RX jumbo.
590253 VLAN not working on FortiGate in a Hyper-V deployment.
590555 Allow PAYG AWS VM to bootstrap the configuration first before acquiring FortiCare license.
590780 Azure FortiGate-VM (BYOL) unable to boot up when loading a lower vCPU license than the instance’s vCPU.
591563 Azure autoscale not syncing after upgrading to 6.2.2.
592000 In Alibaba Cloud, multiple VPC route entries fail to switch when HA fails over.
592611 HA not fully failing over when using OCI.
593797 FG-VM64-AWS not responding to ICMP6 request when destination IPv6 address is in the neighbor cache entry.
Bug ID Description
560904 In NGFW mode, Security Profiles GUI is missing Web Rating Overrides page.
581523 Wrong web filter category when using flow-based inspection.
587120 Administrator logged in with web filter read/write privilege cannot create or edit web filter profiles in the GUI.

VoIP

Bug ID Description
582271 Add support for Cisco IP Phone keepalive packet.

Web Filter WiFi Controller

Bug ID Description
520677 When editing a FortiAP profile on the FortiGate web UI, the previously selected SSID group(s) cannot be displayed.
555659 When FortiAP is managed with cross VDOM links, the WiFi client cannot join to SSID when autoasic-offload is enabled.
566054 Errors pop up while creating or editing as SSID.
567011 WPA2-Enterprise SSID should support acct-all-servers setting in RADIUS to send accounting messages to all servers.
567933 FortiAP unable to connect to FortiGate via IPsec VPN tunnel with dtls-policy clear-text.
572350 FortiOS GUI cannot support FAP-U431F and FAP-U433F profiles.
580169 Captive portal (disclaimer) redirect not working for Android phones.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
568788 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2007-6750

576090 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2019-17655

576941 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2019-15703

581663 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2019-9496

582538 FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

l CVE-2019-17656

 

Known issues

The following issues have been identified in version 6.2.3. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID Description
563250 Shared memory does not empty out properly under /tmp.

Data Leak Prevention

Bug ID Description
591178 WAD fails to determine the correct file name when downloading a file from Nextcloud.

DNS Filter

Bug ID Description
582374 License shows expiry date of 0000-00-00.

Endpoint Control

Bug ID Description
538095 Compliance cannot work correctly due to the same MAC address reported by all devices.

Explicit Proxy

Bug ID Description
594580 FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.
594598 Enabling proxy policies (+400) increases memory by 30% and up to 80% total.
603707 The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.
605209 LDAP ignores source-ip with web proxy Kerberos authentication.

Firewall

Bug ID Description
593103 When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable message references the mapped address, not the external.
595044 Get new CLI signal 11 crash log when performing execute internet-service refresh.
598559 ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.
599253 GUI traffic shaper Bandwidth Utilization should use KBps units.
600644 IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.
601331 Virtual load-balance VIP and intermittent HTTP health check failures.
604886 Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

FortiView

Bug ID Description
592309 FortiGate with double loop FortiSwitches—FortiView physical topology page cannot load; get “Failed to get FortiView data” error message.
599124 Ban IP under FortiView frequently fails.

GUI

Bug ID Description
354464 AntiVirus profile in GUI should not override quarantine archive value.
514632 Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.
517744 Widget for CPU memory and sessions does not show real time diagram in 12-hours and 24-hours mode.
535099 GUI should add support for new MAC address filter in SSID dialog page.
541042 Log viewer forward traffic cannot support double negate filter (client side issue).
557786 GUI response is very slow when accessing Monitor> IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
563549 Recurring httpsd crash at [0x01f17bc0] => /bin/httpsd lh_char_hash (+0x0000).
564849 HA warning messsage, This FortiGate has taken overforthe master, remains after master takes back control.
565309 Application sroups improvements.
579711 Cannot run Security Rating due to disk issue (diagnose security-rating clean fails).
584314 NGFW mode should have a link to show all applications in the list.
584915 OK button missing on all pages (policy, interface, system settings) on Android mobile.
584939 VPN event logs shows incorrectly when adding two action filters and if the filter action filter contains

“-“.

585055 High CPU utilization by httpsd daemon if there are too many API connections.
585924 Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.
589709 Status icon in Tunnel column on IPsec Tunnels page should be removed.
593899 Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.
598725 Login page shows random characters when system language is not English.
599284 pyfcgid crashed with signal 11 (Segmentation fault) received.
599401 FortiGuard quota category details displays No matching entries found for local category.
601568 Interface status is not displayed on faceplate when viewing from the System > HA page.
601653 When deleting an AV profile in the GUI, there is no confirmation message prompt.
602637 Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.
607972 FortiGate enters conserve mode when accessing Amazon AWS ISDB object.
601653 When deleting an AV profile in the GUI, there is no confirmation message prompt.
Bug ID Description
606074 Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.
611436 FortiGate displays a hacked webpage after selecting an IPS log.

HA

Bug ID Description
588908 FG-3400E hasync reports the “Network is unreachable”.
598937 Local user creation causes HA to be out of sync for several minutes.
601550 Application hasync crashes several times.
602247 IP pool used in cross-AZ should not sync between the cluster members.
602266 The configuration of the SD-WAN interface gateway IP should not sync.
602406 In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the slave unit.

Intrusion Prevention

Bug ID Description
565747 IPS engine 5.00027 has signal 11 crash.
586544 IPS intelligent mode not working when reflect sessions are created on different physical interfaces.
587668 IPS engine 5.00035 has signal 11 crash.

IPsec VPN

Bug ID Description
589096 In IPsec after HA failover, performance regression and IKESAs is lost.
592361 Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.
594962 IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a nonFortiGate in a remote peer gateway.
Bug ID Description
595810 Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.
597748 L2TP/IPsec VPN disconnects frequently.
604334 L2TP disconnection when transferring large files.
Bug ID Description
584631 REST API admin with token unable to configure HA setting (via login session works).
599516 When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

Log & Report

Bug ID Description
589782 IPS sensor log-attack-context output truncated.
593557 Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.
595151 Log filter for user name in UPN format is not consistent when the log location is set to FortiAnalyzer and local disk.
597494 In FIPS-CC mode, API access check returns 401 causing FortiAnalyzer to repeat the login (should return 403).
602459 GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.
605174 Incorrect sentdelta/rcvddelta in traffic log statistics for RTSP sessions.
606533 User observes FGT internal error while trying to log in from the web UI.

Proxy

Bug ID Description
575224 WAD high memory usage from worker process causing conserve mode and traffic issues.
582475 WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

REST API Routing

Bug ID Description
537354 BFD/BGP dropping when outbandwidth is set on interface.
580207 Policy route does not apply to local-out traffic.
593951 Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.
597733 IPv6 ECMP routes cannot be synchronized correctly to HA slave unit.
600332 SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.
600995 Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

Security Fabric

Bug ID Description
599195 Unable to get consistent results from the security rating.
599474 FortiGate SDN connector not seeing all available tag name-value pairs.
604670 Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system’s timezone configuration.

SSL VPN

Bug ID Description
505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.
563022 SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.
594416 Accessing FortiGate GUI through SSL VPN web mode causes Network > Interfaces page to return an error.
595627 Cannot access some specific sites through SSL VPN web mode.
598659 SSL VPN daemon crash.
599668 In SSL VPN web mode, page keeps loading after user authenticates into internal application.
599671 In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.
Bug ID Description
599960 RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.
600103 Sslvpnd crashes when trying to query a DNS host name without a period (.).
602645 SSL VPN Synology NAS web bookmark log in page does not work after upgrading to 6.2.3.
603957 SSL VPN LDAPS authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.
605699 Internal HRIS website dropdown list box not loading in SSL VPN web mode.

Switch Controller

Bug ID Description
517663 For a managed FortiSwitch already running the latest GA image, Upgrade Available tag shows unexpectedly.
588584 GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.
605864 If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface looses its CAPWAP setting.
608231 LLDP policy did not download completely to the managed FortiSwitch 108Es.

System

Bug ID Description
464340 EHP drops for units with no NP service module.
527459 SDN address filter unable to handle space character.
555616 TCP packets send wrong interface and high CPU.
563276 High memory usage on FortiGate 30E after upgrading firmware to 6.0.5.
576337 SNMP polling stopped when FortiManager API script executed onto FortiGate.
578031 FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.
582498 Traffic can be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS.
589079 QSFP interface goes down when the get system interface transceiver command is interrupted.
Bug ID Description
592570 VLAN switch does not work on FG-100E.
592827 FortiGate is not sending DHCP request after receiving offer.
594018 Update daemon is locked to one resolved update server.
594577 Out of order packets for an offloaded multicast stream.
594865 diagnose internet-service match does not return the IP value of the IP reputation database object.
594871 Potential memory leak triggered by FTP command in WAD.
595338 Unable to execute ping6 when configuring execute ping6-options tos, except for default.
595467 Invalid multicast policy created after transparent VDOM restored.
598527 ISDB may cause crashes after downgrading FortiGate firmware.
598928 FortiGate restarts fgfm tunnel every two minutes when FortiManager is defined as FQDN.
600032 SNMP does not provide routing table for non-management VDOM.
602523 DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard DDNS are used.
602548 Some of the clients are not getting their IP through DHCP intermittently.
603194 NP multicast session remains after the kernel session is deleted.
603551 DHCPv6 relay does not work on FG-2200E.
604550 Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.
604699 Five FG-30Es and one FG-100D enter in conserve mode in a transparent mode deployment.
607015 Too many DNS lookups with global NTP server as global NTP server often changes its IP.
610900 Low throughput on FG-2201E for traffic with ECN flag enabled.

User & Device

Bug ID Description
573317 SSO admin with a user name over 35 characters cannot log in after the first login.
580391 Unable to create MAC address-based policies in NGFW mode.
591461 FortiGate does not send user IP to TACACS server during authentication.
592047 GUI RADIUS test fails with vdom-dns configuration.
Bug ID Description
596844 Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.
593361 No source IP option available for OCSP certificate checking.
594863 UPN extraction does not work for particular PKI.
605206 FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020.
605404 FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.
605437 FortiOS does not understand CMPv2 grantedWithMods response.
605950 RDP and other applications affected (freezing, disconnecting) after upgrading to 6.2.3 due to no session match error.

VM

Bug ID Description
575346 gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.
587180 FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.
587757 FG-VM image unable to be deployed on AWS with additional HDD(st1) disk type.
596742 Azure SDN connector replicates configuration from master to slave during configuration restore.
597003 Unable to bypass self-signed certificates on Chrome in macOS Catalina.
598419 Static routes are not in sync on FortiGate Azure.
599430 FG-VM-AZURE fails to boot up due to rtnl_lock deadlock.
600077 Randomly getting the vmxnet3 tx:hang error, which shuts down port2.
600975 Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.
601357 FortiGate VM Azure in HA has unsuccessful failover.
601528 License validation failure log message missing when using FortiManager to validate a VM.
603599 VIP in autoscale on GCP not syncing to other nodes.
605435 API call to associate elastic IP is triggered only when the unit becomes the master.
605511 FG-VM-GCP reboots a couple of times due to kernel panic.
606527 GUI and CLI interface dropdown lists are inconsistent.
608881 IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

Web Filter

Bug ID Description
593203 Cannot enter a name for a web rating override and save—error message appears when entering the name.

WiFi Controller

Bug ID Description
563630 Kernel panic observed on FWF-60E.
599690 Unable to perform COA with device MAC address for 802.1x wireless connection when usemanagement-vdom is enabled.
601012 When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 6.2.2 Release Notes

TABLE OF CONTENTS

Change Log                                                                                                                           5

 

 

Change Log

Date Change Description
2019-10-09 Initial release.
2019-10-10 Added 551119 to Resolved Issues.

Added commands to the Previous releases column in Changes in CLI defaults SSH and SSL VPN sections.

 

Introduction and supported models

This guide provides release information for FortiOS 6.2.2 build 1010.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.2.2 supports the following models.

FortiGate FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E,

FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E,

FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E,

FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D,

FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG3000D, FG-3100D, FG-3200D, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E
FortiGate Rugged FGR-30D, FGR-35D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS,

FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND,

FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM,

FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 6.2.2 images are delivered on request and are not available on the Beta portal.

Special branch supported models

The following models are released on a special branch of FortiOS 6.2.2. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1010.

FGR-90D is released on build 5335.

Special notices

  • Common vulnerabilities and exposures l New Fortinet cloud services l FortiGuard Security Rating Service l FortiGate hardware limitation l CAPWAP traffic offloading
  • FortiClient (Mac OS X) SSL VPN requirements l Use of dedicated management interfaces (mgmt1 and mgmt2) l NP4lite platforms l Tags option removed from GUI l Mobile token authentication

Common vulnerabilities and exposures

FortiOS 6.2.1 is no longer vulnerable to the issue described in the following link – https://fortiguard.com/psirt/FG-IR-19144.

New Fortinet cloud services

FortiOS 6.2.0 introduced several new cloud-based services listed below. The new services require updates to FortiCare and Fortinet’s FortinetOne single sign-on (SSO) service. These updates will be available by mid-Q2 2019.

  • Overlay Controller VPN
  • FortiGuard Cloud-Assist SD-WAN Interface Bandwidth Monitoring l FortiManager Cloud l FortiAnalyzer Cloud

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model: l FGR-30D l FGR-35D l FGT-30E l FGT-30E-MI

Special notices                                                                                                                                                          8

l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E l FWF-50E-2R l FWF-51E

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

 

Special notices

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected: l FG-900D l FG-1000D l FG-2000E l FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

NP4lite platforms

FortiOS 6.2 and later does not support NP4lite platforms.

Tags option removed from GUI

The Tags option is removed from the GUI. This includes the following:

l The System > Tags page is removed. l The Tags section is removed from all pages that had a Tags section. l The Tags column is removed from all column selections.

Mobile token authentication

Mobile token authentication does not work for SSL VPN on SOC3 platforms.

Affected models include FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-100E, FG100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.

Changes in default behavior

AntiVirus

l In previous releases, the scan mode controls which features are displayed based on their compatibility with proxy and flow’s [quick | full] mode (now [default | legacy]).

This release disregards this behavior, making antivirus profile scan-mode agnostic. This means that all AV options are displayed regardless of the AV profile’s scan-mode setting. Enforcement is handled by the kernel based on the firewall policy using AV. Unsupported AV features do not take effect if inspection mode is proxy or flow. l In this release, AntiVirus can do SSH inspection.

FOC

apn option under apn-shaper now accepts multiple apn or apngroup.

Previous releases 6.2.2 release
config gtp apn edit “apn1” set apn “internet”

next edit “apn2” set apn “intranet”

next

end

config gtp apngrp edit “apngrp1” set member “apn1”

next

end

config gtp apn-shaper edit 1 next end

config gtp apn edit “apn1” set apn “internet”

next edit “apn2” set apn “intranet”

next

end

config gtp apngrp edit “apngrp1” set member “apn1”

next

end

config gtp apn-shaper edit 1 set apn “apn2” “apngrp1” <==changed

next end

FortiSwitch Controller

  • FortiLink interface is on by default on FortiGate E series platform.
  • On FG-100E and higher, create an empty FortiLink aggregate interface (fortilink) by default. If aggregate interface is not supported, create a hardware switch interface instead.
  • For FortiGate models below FG-100E, create an empty FortiLink hardware switch interface (fortilink) by default. If hardware switch interface is not supported, create aggregate interface instead.
  • When the FortiLink interface is enabled, CLI displays an error message when trying to change the FortiGate to TP mode.

default behavior

Firewall

  • Only IP and Protocol are matched and source port is ignored when ISDB is applied as source in policy. l Internet-service-addition will overwrite default ports of internet-service ID if protocols are the same. l Firewall policy supports wildcard-fqdn object with FQDN type.
  • This release supports srcaddr/dstaddr/internet-service/internet-service-src negate in consolidated policy.
  • All attributes for FABRIC_DEVICE object, except for IP address and type, can be modified from CLI but not from GUI.

Log & Report

l In previous releases, FortiGate only sends event log to FAZ-Cloud. In this release, FortiGate sends both event log and UTM log to FAZ-Cloud.

Switch l Add VLAN switch feature to FG-300E and FG-301E.

System

  • API user must have at least one trust host IP Address. l Only show diagnose sys nmi-watchdog command on platforms that have “nmi” button.
  • With mgmt interface set to dedicated to management, added three kinds of cases. l When no trust host is set, all IPv4 and IPv6 addresses have access. l When only IPv4 addresses are set to trust host, IPv6 address cannot log in.
  • When only IPv6 addresses are set to trust host, IPv4 address cannot log in.
  • There is no mgmt option in GRE tunnel interface when it is set to dedicated to management. l Allow VDOM admin to create loopback interface if no physical interface in VDOM.
  • The trust-ip option in config system interface always override trusthost option in config system admin.

 

Changes in CLI defaults

AntiVirus

Add SSH inspection. This is only compatible with proxy inspection.

Previous releases 6.2.2 release
config antivirus profile edit “profile_name” next end config antivirus profile edit “profile_name” config ssh                         <==added set options scan                <==added unset archive-block             <==added unset archive-log                <==added set emulator enable             <==added set outbreak-prevention disabled <==added

end

next end

Endpoint Control

Add fortiems-cloud option under FSSO user.

Previous releases 6.2.2 release
config user fsso edit <name> next end config user fsso edit <name> set type fortiems-cloud <==added

next end

Add attribute fortinetone-cloud-authentication to endpoint control fctems.

Previous releases 6.2.2 release
config endpoint-control fctems edit <name> next end config endpoint-control fctems edit <name> set fortinetone-cloud-authentication [enable |

disable] <==added next end

Add sub-second-sampling under GTP.

Previous releases 6.2.2 release
config firewall gtp edit “gtpp” next end config firewall gtp edit “gtpp” set sub-second-sampling enable <==added set sub-second-interval 0.1   <==added

next end

Firewall

Add HTTPS as a type of health check for VIP load-balance monitor.

Previous releases 6.2.2 release
config firewall ldb-monitor edit [Monitor Name] set type ?

ping   PING health monitor. tcp       TCP-connect health monitor. http HTTP-GET health monitor.

config firewall ldb-monitor edit [Monitor Name] set type ?

ping   PING health monitor. tcp       TCP-connect health monitor. http   HTTP-GET health monitor.

https   HTTP-GET health monitor with SSL. <==added

Remove set type wildcard-fqdn and set wildcard-fqdn <string> from firewall address.

Previous releases 6.2.2 release
config firewall address edit [Address] set type wildcard-fqdn    <==removed set wildcard-fqdn <string> <==removed

next end

config firewall address edit [Address]

next end

Add CLI commands to support address and service negate in consolidated policy.

Previous releases 6.2.2 release
config firewall consolidated policy edit [Policy ID]

next end

config firewall consoli edit [Policy ID] set srcaddr-negate set dstaddr-negate dated policy

[enable | disable]   <==added

[enable | disable]   <==added

  set service-negate [enable | disable]   <==added
Previous releases 6.2.2 release
  set internet-service-negate [enable | disable]      

<==added set internet-service-src-negate [enable |

disable] <==added next end

Proxy

Previous releases 6.2.2 release
  config firewall traffic-class  <==added edit [Class-ID]             <==added end                            <==added

In protocol option profile, add ssl-offloaded command under each protocol.

Previous releases 6.2.2 release
config firewall edit “”de config end config end config end config end config end

next end

profile-protocol-options

fault-clone””

http ftp imap pop3 smtp

config firewall edit “”de config set

end config set

end config set

end config set end

profile-pr

fault-clone”” http ssl-offloaded

ftp ssl-offloaded

imap ssl-offloaded

pop3 ssl-offloaded

oto

no

no

no

no

col-options

<==added

<==added

<==added

<==added

  config smtp    
  set

end

next end

ssl-offloaded no <==added

Traffic Shaping

Add a new global CLI table to define traffic classes. This is ‘s a mapping between class-ID and naming. class-ID from shaping-policy, shaping-profile, and traffic-shaper need to be data-sourced from this CLI table.

Log & Report

Add CLI allowing user to configure socket priority and maximum log rate per remote log device.

Similar setting apply to config log fortiguard setting and config log syslogd setting.

Previous releases 6.2.2 release  
config log fortianalyzer setting end

config log fortianalyzer overridesetting end

config set set

end config

log fortianalyzer priority [default max-log-rate [Log

log fortianalyzer

setting

| low]             <==added Rate, unit is MBps] <==added

override-setting

  set priority [default | low]             <==added
  set end max-log-rate [Log Rate, unit is MBps] <==added

Add the test command option in CLI.

Previous releases 6.2.2 release
diag test application miglogd diag test application miglogd 40 <==added option “40”

SSH

Add file transfer scan over SSH (SCP and SFTP).

Previous releases 6.2.2 release
config ssh-filter profile edit [Profile Name] set default-command-log disable

next end

config ssh-filter profile edit [Profile Name] set block x11 shell exec port-forward tun-

forward sftp scp unknown <==added scp set log x11 shell exec port-forward tun-

forward sftp scp unknown  <==added scp set default-command-log disable

config file-filter                 <==added set status enable               <==added set log enable                  <==added set scan-archive-contents enable <==added config entries                  <==added edit [Entry]                 <==added set comment ”            <==added set action block          <==added

  set direction any         <==added
  set password-protected any <==added
  set file-type “msoffice”  <==added
Previous releases 6.2.2 release
  next

end

end

next end

SSL VPN

Remove citrix and portforward from apptype in the three entries in SSL VPN web bookmark.

Previous releases 6.2.2 release
conf vpn ssl web user-bookmark edit [Name] config bookmarks edit [Boormark Name] set apptype ? citrix Citrix.           <==removed ftp FTP.

portforward Port Forward. <==removed rdp RDP. sftp SFTP. smb SMB/CIFS.

ssh SSH.

telnet Telnet.

vnc VNC.

web HTTP/HTTPS.

next

end

next

end

conf vpn ssl web user-group-bookmark edit [Name] config bookmarks edit [Boormark Name] set apptype ? citrix Citrix.          <==removed ftp FTP.

portforward Port Forward. <==removed rdp RDP. sftp SFTP. smb SMB/CIFS. ssh SSH.

conf vpn ssl web user-bookmark edit [Name] config bookmarks edit [Boormark Name] set apptype ? ftp FTP. rdp RDP. sftp SFTP. smb SMB/CIFS.

ssh SSH.

telnet Telnet.

vnc VNC.

web HTTP/HTTPS.

next

end

next

end

conf vpn ssl web user-group-bookmark edit [Name] config bookmarks edit [Boormark Name] set apptype ? ftp FTP. rdp RDP. sftp SFTP. smb SMB/CIFS.

ssh SSH.

telnet Telnet.

vnc VNC.

web HTTP/HTTPS.

next end

Previous releases 6.2.2 release  
telnet Telnet.

vnc VNC.

web HTTP/HTTPS.

next

end

next

end

conf vpn ssl web portal edit [Name] config bookmarks edit [Boormark Name] set apptype ? citrix Citrix.          <==removed ftp FTP.

portforward Port Forward. <==removed rdp RDP. sftp SFTP. smb SMB/CIFS.

ssh SSH.

telnet Telnet.

vnc VNC.

web HTTP/HTTPS.

next

end

next end

next

end

conf vpn ssl web portal edit [Name] config bookmarks edit [Boormark Name] set apptype ? ftp FTP. rdp RDP. sftp SFTP. smb SMB/CIFS.

ssh SSH.

telnet Telnet.

vnc VNC.

web HTTP/HTTPS.

next

end

next end

System

Add description in system security zones.

Previous releases 6.2.2 release
config system zone edit [Zone Name]

next end

config system zone edit [Zone Name] set description “” <==added

next end

Increase the maximum number of DNS servers supported in DHCP server from 3 to 4.

Previous releases 6.2.2 release
config system dhcp server edit [Server ID] set dns-server1 1.1.1.1 set dns-server2 2.2.2.2 set dns-server3 3.3.3.3

next

end

config system dhcp server edit [Server ID] set dns-server1 1.1.1.1 set dns-server2 2.2.2.2 set dns-server3 3.3.3.3 set dns-server4 4.4.4.4 <==added

next

end

VM

Remove vdom-modemulti-vdom option for cloud-based ondemand FGT-VM.

Previous releases 6.2.2 release
config sys global set vdom-mode ?

no-vdom Disable split/multiple VDOMs

mode.

split-vdom Enable split VDOMs mode.

multi-vdom Enable multiple VDOMs mode.

<==removed end

config sys global set vdom-mode ?

no-vdom Disable split/multiple VDOMs

mode. split-vdom Enable split VDOMs mode.

end

Remove security rating from FGT_VMX and FGT_SVM.

Previous releases 6.2.2 release
diagnose security-rating version <==removed  

Enable CPU hot plug in kernel configuration.

Previous releases 6.2.2 release
  execute cpu show <==added

Active CPU number: 1 Total CPU number: 8

execute cpu add 1 <==added

Active CPU number: 2

Total CPU number: 8

Collect EIP from cloud-VMS (Azure, AWS, GCP, AliCloud, and OCI).

Previous releases 6.2.2 release
pcui-cloudinit-test # execute <?>

config sys interface edit [Name] next

end

conf sys global set sslvpn-cipher-hardware-acceleration

<==removed end

pcui-cloudinit-test # execute <?> update-eip Update external IP. <==added

config sys interface edit [Name] set eip                 <==added

next

end

conf sys global end

WiFi Controller

Add portal-type external-auth when captive-portal is enabled on local-bridge VAP.

Previous releases 6.2.2 release  
config wireless-controller vap edit “wifi.fap.02” set ssid “bridge-captive” set local-bridging enable set security captive-portal set external-web

“170.00.00.000/portal/index.php” set radius-server “peap”

next end

config wireless-controller vap edit “wifi.fap.02” set ssid “bridge-captive” set local-bridging enable set security captive-portal set portal-type external-auth set external-web

“170.00.00.000/portal/index.php” set radius-server “peap”

next end

<==added

Move darrp-optimize and darrp-optimize-schedules configurations from Global level to VDOM level.

Previous releases 6.2.2 release
### Global ### config wireless-controller timers set darrp-optimize 86400 <==removed set darrp-optimize-schedules “default-

darrp-optimize” <==removed end

### VDOM ### config wireless-controller setting set darrp-optimize 86400 <==added set darrp-optimize-schedules “default-

darrp-optimize” <==added end

Add external-web-format setting under captive-portal VAP when external portal is selected.

Previous releases 6.2.2 release
config wireless-controller vap edit guestwifi set ssid “GuestWiFi” set security captive-portal set external-web

“http://170.00.00.000/portal/index.php” set selected-usergroups “Guest-group” set intra-vap-privacy enable set schedule “always”

next end

config wireless-controller vap edit guestwifi set ssid “GuestWiFi” set security captive-portal set external-web

“http://170.00.00.000/portal/index.php” set selected-usergroups “Guest-group” set intra-vap-privacy enable set schedule “always”

set external-web-format auto-detect

<==added next end

Add new WTP profiles FAPU431F-default and FAPU433F-default.

Previous releases   6.2.2 release
config wireless-controller edit [FAPU431F-default | config platform

end

wtp-profile

FAPU433F-default]

config wireless-controller edit [FAPU431F-default config platform

set type [U431F | set mode [dual-5G end

wtp-profile

| FAPU433F-default]

U433F]      <==added | single-5G] <==added

config wireless-controller edit [FAPU431F-default

default] next

end

wtp-profile | FAPU433F- config wireless-controller wtp-profile edit [FAPU431F-default | FAPU433F-

default] config radio-1             <==added set band 802.11ax-5G   <==added

end

config radio-2             <==added set band 802.11ax-5G   <==added

end

config radio-3             <==added set band 802.11n,g-only <==added

end

next

end

config wireless-controller edit [SSID name]

next

end

vap config wireless-controller vap edit [SSID name] set high-efficiency enable <==added set target-wake-time enable <==added

next

end

For DFS approved countries, add 160 MHz channel bonding support for FortiAP U421EV/U422EV/U423EV models.

Previous releases 6.2.2 release
config wireless-controller wtp-profile edit [ FAPU421EV-default |

FAPU422EV-default | FAPU423EV-default ] config radio-2 set band 802.11ac

end

next

end

config wireless-controller wtp-profile edit [ FAPU421EV-default | FAPU422EV-default |

FAPU423EV-default ] config radio-2 set band 802.11ac

set channel-bonding 160MHz <==added

end

next

end

Add MPSK schedule that allows setting valid period for MPSK.

Previous releases 6.2.2 release
config wireless-controller vap edit [SSID Interface Name] set mpsk enable config mpsk-key edit [MPSK Entry Name] set passphrase 11111111

next

end

next end

config wireless-controller vap edit [SSID Interface Name] set mpsk enable config mpsk-key edit [MPSK Entry Name] set passphrase 11111111

set mpsk-schedules “always” <==added

next

end

next end

Add GRE&L2TP support in WiFi.

Previous releases 6.2.2 release
config wireless-controller vap edit “80e_gre” set ssid “FOS-QA_Bruce_80e_gre” set local-bridging enable set vlanid 3135

next

end

config wireless-controller wag-profile <==added edit [Profile Name]               <==added

end

config wireless-controller vap edit “80e_gre” set ssid “FOS-QA_Bruce_80e_gre” set local-bridging enable set vlanid 3135 set primary-wag-profile “tunnel” <==added set secondary-wag-profile “l2tp” <==added

next

end

 

Changes in default values

AntiVirus

Change AV scan mode from [quick | full] to [default | legacy]. The default value is set to default.

Previous releases 6.2.2 release
config antivirus profile edit “profile_name” set scan-mode [quick | full]

next end

config antivirus profile edit “profile_name” set scan-mode [default | legacy] <==changed

next end

Log & Report

Change default value from disable to enable for some configuration options under fortianalyzer-cloud filter.

Previous releases 6.2.2 release
config log fortianalyzer-cloud filter set severity information set forward-traffic disable set local-traffic disable set multicast-traffic disable set sniffer-traffic disable set anomaly disable set voip disable set dlp-archive disable set filter ” set filter-type include end config log fortianalyzer-cloud filter set severity information set forward-traffic enable  <==changed set local-traffic enable    <==changed set multicast-traffic enable <==changed set sniffer-traffic enable  <==changed set anomaly enable          <==changed set voip enable             <==changed set dlp-archive disable set filter ” set filter-type include end

Changes in default values

System

After creating a new VDOM, add default certificates for ssl-cert and ssl-ca-cert under web-proxy setting.

Previous releases 6.2.2 release
show web-proxy global config web-proxy global set ssl-cert ” set ssl-ca-cert ” set proxy-fqdn “default.fqdn”

end

show web-proxy global config web-proxy global set ssl-cert ‘Fortinet_Factory’  <==changed set ssl-ca-cert ‘Fortinet_CA_SSL’ <==changed set proxy-fqdn “default.fqdn”

end

WiFi Controller

Change default LLDP setting in wtp-profile from disable to enable.

Previous releases 6.2.2 release
config wireless-controller wtp-profile edit [FAP-Profile] set lldp disable

end

end

config wireless-controller wtp-profile edit [FAP-Profile] set lldp enable <==changed

end

end

The default channel-utilization setting in wtp-profile is changed from disable to enable.

Previous releases 6.2.2 release
config wire edit [FAP config set

end config set

end

next end

less-controller wtp-profile

Profile Name] radio-1

channel-utilization disable

radio-2

channel-utilization disable

config wire edit [FAP config set

end config set

end

next end

less-controller wtp-profile

Profile Name] radio-1

channel-utilization enable <==changed

radio-2

channel-utilization enable <==changed

Increase normal WTP capacity on high end FortiGates from 1024 to 2048.

Previous releases 6.2.2 release
FGT( 1000, end ) = 1024 -> 2048 FGT( 1000, end ) = 1024 -> 2048

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version

  1. Click Go.

Device detection changes

In FortiOS 6.0.x, the device detection feature contains multiple sub-components, which are independent:

  • Visibility – Detected information is available for topology visibility and logging.
  • FortiClient endpoint compliance – Information learned from FortiClient can be used to enforce compliance of those endpoints.
  • Mac-address-based device policies – Detected devices can be defined as custom devices, and then used in devicebased policies.

In 6.2, these functionalities have changed:

  • Visibility – Configuration of the feature remains the same as FortiOS 6.0, including FortiClient information. l FortiClient endpoint compliance – A new fabric connector replaces this, and aligns it with all other endpoint connectors for dynamic policies. For more information, see Dynamic Policy FortiClient EMS (Connector) in the FortiOS 6.2.0 New Features Guide.
  • Mac-address-based policies – A new address type is introduced (Mac Address Range), which can be used in regular policies. The previous device policy feature can be achieved by manually defining MAC addresses, and then adding them to regular policy table in 6.2. For more information, see MAC Addressed-Based Policies in the FortiOS 6.2.0 New Features Guide.

If you were using device policies in 6.0.x, you will need to migrate these policies to the regular policy table manually after upgrade. After upgrading to 6.2.0:

  1. Create MAC-based firewall addresses for each device.
  2. Apply the addresses to regular IPv4 policy table.

 

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated. The FortiClient Compliance profile under the Security Profiles menu has been removed as has the Enforce FortiClient Compliance Check option under each interface configuration page. Endpoints running FortiClient 6.2.0 now register only with FortiClient EMS 6.2.0 and compliance is accomplished through the use of Compliance Verification Rules configured on FortiClient EMS 6.2.0 and enforced through the use of firewall policies. As a result, there are two upgrade scenarios:

  • Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License for their FortiClient EMS installation.
  • Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement, must upgrade the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

The FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language transforms and the FortiClient 6.2.0 for macOS standard installer are included with FortiClient EMS 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.2 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.2.0 l FortiClient EMS 6.2.0 l FortiClient 6.2.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.2.2. When Security Fabric is enabled in FortiOS 6.2.2, all FortiGate devices must be running FortiOS 6.2.2.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

  • Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox)
  • FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting) l LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l admin user account l session helpers l system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.2.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.2 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3
  • I2 l M4 l D2

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.2, the interface allowaccess configuration on all managed FortiSwitches are overwritten by the default FortiGate local-access profile. You must manually add your protocols to the localaccess profile after upgrading to 6.2.2.

To configure local-access profile:

config switch-controller security-policy local-access edit [Policy Name] set mgmt-allowaccess https ping ssh set internal-allowaccess https ping ssh

next

end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch edit [FortiSwitch Serial Number] set switch-profile [Policy Name] set access-profile [Policy Name]

next

end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global set vdom-mode [no-vdom | split vdom]

end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any]

end

FortiView widgets

FortiView widgets have been rewritten in 6.2.2. FortiView widgets created in previous versions are deleted in the upgrade.

 

Product integration and support

The following table lists FortiOS 6.2.2 product integration and support information:

Web Browsers l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Fortinet Security Fabric upgrade on page 25. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on page 25. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient:

l Microsoft Windows l Mac OS X l Linux

l 6.2.0

See important compatibility information in FortiClient Endpoint Telemetry license on page 25 and Fortinet Security Fabric upgrade on page 25.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS l 6.2.0 and later
FortiClient Android and FortiClient VPN Android l 6.2.0 and later
FortiAP l 5.4.2 and later l 5.6.0 and later
FortiAP-S l 5.4.3 and later l 5.6.0 and later
FortiAP-U l 5.4.5 and later
FortiAP-W2 l 5.6.0 and later

 

FortiSwitch OS

(FortiLink support)

l 3.6.9 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l 5.0 build 0282 and later (needed for FSSO agent support OU in group filters) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2016 Core l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Windows Server 2012 Core l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2008 Core l Novell eDirectory 8.8
FortiExtender l 3.2.1
AV Engine l 6.00132
IPS Engine l 5.00035
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04 / 18.04 (32-bit & 64-bit)

2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 61

Google Chrome version 68

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 61

Google Chrome version 68

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X El Capitan 10.11.1 Apple Safari version 11

Mozilla Firefox version 61

Google Chrome version 68

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus   Firewall
Symantec Endpoint Protection 11  
Kaspersky Antivirus 2009    
McAfee Security Center 8.1  
Trend Micro Internet Security Pro  
F-Secure Internet Security 2009  

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved issues

The following issues have been fixed in version 6.2.2. For inquires about a particular bug, please contact Customer Service & Support.

New features or enhancements

Bug ID Description
457153 Support for SSL VPN sign on using certificate and remote (LDAP or RADIUS) username/password authentication.
538760 Monitor API to check SLBC cluster checksum status. New API added – monitor/system/configsync/status.
544704 FortiOS support for 802.11ax FortiAP-U431F/U433F.
550912 Support for link aggregation LACP on entry level FortiGate is extended to all two-digit entry level box for the following models:

FGR-30D, FGR-35D, FG-30E, FG-30E-MI, FG-30E-MN, FG-50E, FG-51E, FG-52E, FG-60E,

FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-92D, FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E

554965 IPv6 is supported in communication between the following:

l Collector agent and FortiGate l Collector agent and DC_agent l Collector agent and terminal server agent

AntiSpam

Bug ID Description
559802 Spam mail can’t be checked by antispam filter on SMTP protocol.

AntiVirus

Bug ID Description
545381 When proxy-av is configured for firewall policy, FTP file upload is stopped.
553143 Redundant logs and alert emails sent when file is sent to FortiSandbox Cloud via Suspicious Files Only.
561524 Cannot send an email with PDF attachment when FortiSandbox Cloud Inspection is enabled.
562037 CDR does not disarm files when they are sent over HTTP-POST even though despite AV logs show file has been disarmed.
Bug ID Description
575177 Advanced Threat Protection Statistics widget clean file count is incorrect.
580212 Policy in flow mode blocking Adobe creative cloud desktop application.

Application Control

Bug ID Description
558380 AppCtl does not detect application with webproxy-forward-server.

DNS Filter

Bug ID Description
567172 Enforcing Safe Search in 6.0.5 blocks access to Google domains which makes Safe Search not work.
578267 DNS request to a second DNS server with same Transaction ID is discarded when DNS Filter is enabled on a policy.
581778 Cannot re-order DNS domain filter list.

Data Leak Prevention

Bug ID Description
522472 DLP logs have a wrong reference link to archived file.
540317 DLP cannot detect attached zip files when receiving emails via MAPI over HTTP.
570379 DLP only detects the first word of filename.

Explicit Proxy

Bug ID Description
543794 High CPU due to WAD process.
552334 Website does not work with SSL Deep inspection due to OCSP validation process.
557265 Browser redirect loop after re-authentication when using proxy-re-authentication-mode absolute.
561843 AppCtl unscans the traffic to forwarding to upstream proxy.
564582 Explicit proxy policy treats domain.tld in FQDN firewall address object as wildcard.
567029 WAD crashes at crypto_kxp_xform_block_enc when WAD is restarted while visiting a website after an authentication.
571034 Using disclaimer causes incorrect redirection.
Bug ID Description
572220 Unable to match the expected firewall proxy-policy when dstint is set to Zone where Zone member has PPPoE interface.
577372 WAD has signal 11 crash at wad_ssl_cert_get_auth_status.

Firewall

Bug ID Description
539421 Load Balance monitor stats reset after mode change.
540949 Health status of standby server in server load balance not available in GUI or CLI.
545056 Firewall should not be evaluated when an interface bandwidth widget is added to the dashboard.
552329 NP6 sessions dropped after any change in GUI.
554329 Schedule policy is not activated on time.
558689 Traffic dropped by anti replay in ECMP with IPS.
558690 Session timer left at half-open value once established in an ECMP with IPS context.
563471 HTTP load balancing doesn’t work after rebooting in Transparent mode.
563928 SFTP connection failure when SSH DPI and app-ctrl are enabled.
564990 Captive-portal-exempt is not supported in consolidated policy.
566951 Unexpected reverse path check failure on IPv6.
570468 FortiGate randomly not processing some NAT64 packets.
570507 Application control causing NAT hairpin traffic to be dropped.

Workaround: Create a new firewall policy from scratch and the default application control can be applied again.

571022 SNAT before encryption in policy-based VPN for local traffic after upgrade from 5.6.8 to 6.0.5.
571832 Provide different protocol/port list when the same ISDB object is used as source/destination.
577752 Policy with a VIP with a destination interface of a zone is dropping packets.

FortiView

Bug ID Description
527540 Cannot click the Quarantine Host option on a registered device.
537819 FortiView All Sessions page: tooltip of geography IP show ‘undefined’.
553627 FortiView pages cannot load with Failed to retrieve FortiView data.

GUI

Bug ID Description
445074 The MMS profiles pages have been removed from the FortiOS Carrier GUI.

Workaround: You can configure MMS profiles from the CLI using the config firewall mms-profile command.

479692 GUI shows error Image file doesn’t match platform even when the user is uploading correct image.
486230 GUI on FGT3800D with 5.6.3 is very slow – configuration with numerous policies.
493704 While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.
502740 Remove GUI instructions for Dialup-FortiClient VPN.
504829 GUI should not log out if there is 401 error on downstream device.
513157 Cannot filter on hit count “0” for policy match.
523403 GUI Protocol Port Mapping configuration should be rejected when an invalid port number such as -1 is entered.
526254 Interface page keep loading when VDOM admin have netgrp permission.
528649 vpngrp read or read-write access profile doesn’t work properly.
540056 Error message enhancement while creating packet capture in GUI with filter set to high port range.
540737 Should show warning and block user to use no-inspection SSL-SSH profile when any UTM profile is used.
543487 Collected Email Monitor page cannot list the wireless client if connected from captive-portal+emailcollection.
543637 Not able to filter the policy by multiple ID.
544313 GUI SD-WAN Monitor page keep loading.
548653 SSO_admin (super_admin) can’t open CLI window from GUI. Error says too many concurrent connection.
552552 Personal Privacy in FortiGuard category based filter mistranslated.
555121 Context menu of AP Group has unsupported actions enabled after change view on Managed FortiAPs page.
559799 Webhook automation host header incorrect.
560430 Some app-category cannot be listed on security policy editing page and get JS error.
561334 GUI SSID main passphrase and MPSK minimum length should be flexible according to new “wfacompatibility” setting.
563053 Warning message for third-party transceivers were removed for 6.2.1 to prevent excessive RMA or support tickets. 6.2.2 re-added the warning for third-party transceivers.
563445 Upgrade NGFW VDOM from v6.2.0, security policy should support virtual-wan-link interface.
Bug ID Description
564201 After OSPF change via GUI, password for virtual-link will completely disappear and must be reentered.
564601 Remove the license requirement to upload FortiGuard packages through the GUI when in USG mode.
565109 Add Selected button does not appear under Application Control slide-in when VDOM is enabled.
566666 AP comments do not appear on the columns for Managed AP page.
568176 GUI response is very slow when accessing Route-Monitor page in GUI.
569080 SD-WAN rule GUI page doesn’t show red exclamation mark for DST-negate enabled, like firewall policy.
569259 Fabric SAML with FortiManager management. Downstream FortiGate login with SAML super admin only have read-only access on most pages.
571674 GUI config changes generate misleading config event logs.
571828 GUI admin password injected as PSK when adding phase2 configuration on Chrome.
572027 In Log View/FortiView, GUI cannot list logs from FortiAnalyzer on FGT/FWF boxes.
573070 Interface widget not loading fully (keeps spinning) when a VDOM “prof_admin” is used.
573869 Log search index files are never deleted when the logdisk is out of space.
574239 AWS/AWSONDEMAND missing dropdown selection box for HTTPS server and WiFi certificates in GUI.
575756 Port Link speed option is missing on the FortiGate GUI after upgrading the managed FortiSwitch to 6.2.1.
579259 Firewall User Monitor shows “Failed to retrieve info” and no entries if session-based proxy authentication is used.
583760 After adding few Web Rating Overrides via GUI to an already existing long list of URIs, Web Rating Overrides page is not loaded and keeps spinning.

HA

Bug ID Description
543602 Unnecessary syncing process started during upgrade when it takes longer.
554187 HA slave gets FW Signature un-certified after upgrading image from the master.
555056 Enable 2-factor using vcluster in GUI gets overwritten (sync) by slave.
555998 Load balanced (A-A) slave-session doesn’t forward traffic after session is dirtied due to FortiManager policy install.
557277 FortiGate FGSP configured with standalone-config-sync will sync the FortinAlayzer source-IP configuration to the slave.
Bug ID Description
557473 FGSP found checksum mismatch after replaced one of the units in the cluster.
559172 VLAN in VDOM in virtual cluster not showing virtual MAC for the vcluster.
560096 Restoring config fails on slave when using TACACS+ (master OK).
560107 Cluster upgrade from 5.6.7 build 1653 to SB 5.6.8 build 3667 takes longer than normal.
563551 HASYNC aborts on slave unit.
569629 HA A-A local FQDN not resolving on slave unit.
574564 In an HA configuration with HA uninterruptible upgrade enabled, some signature database files may fail to synchronize upon upgrading from 5.6.9 and earlier to 5.6.10.
575715 Unable the sync the Local-GW in FGSP.
576638 HA cluster GUI change does not send logs to the slave immediately.
577115 Master unit console keeps showing message [ha_auth_set_logon_msg:228] buffer overflow.
578475 FortiGate HA reports not synced if firewall policy of master and slave does not contain the same VIP.

Intrusion Prevention

Bug ID Description
545823 Creating/editing a DoS-Policy takes a long time. GUI hangs or displays Error 500: Internal Server Error.
561623 IPS engine 5.009 crashes when updated new FFDB has different size from the old one.

IPsec VPN

Bug ID Description
449212 New dialup IPsec tunnel in policy mode/mode-cfg overwrites previously established tunnel.
537450 Site-to-site VPN policy based with DDNS destination fail to connect.
553759 ESP packets are sent to the wrong MAC after a routing change when IPsec SA is offloaded.
558693 FW90D VPN becomes unresponsive after changing VPN DDNS/Monitor.
559180 The command include-local-lan gets disabled after firewall is rebooted.
560223 Add support for EdDSA certificates for proxy-based deep-inspection / virtual-server when using TLS 1.3. This is resolved by: 0560223, 0561319, 0561820, 0561821, 0561822, 0561823, 0564510.
564237 After configuring SD-WAN and creating SD-WAN rule based on bandwidth criteria, the bandwidth value for tunnel interface is not calculated correctly.
569586 IPsec certificate based IKEv2 VPNs fail to read out certificate subject as username if ECC certificate is involved.
Bug ID Description
571209 Traffic over VLAN sub-interface pushed through the IPsec policy based VPN interface.
574115 PKI certificates with OU and/or DC as subject fail for PKI user filters.
575238 Redirected traffic on the same interface (ingress and egress interface are the same) is dropped.
575477 IKED memory leak.
577502 OCVPN cannot register – status ‘Undefined’.

Log & Report

Bug ID Description
387294 Country flags in Botnet C&C table and Top Destinations by Bandwidth table are all missing.
545948 FortiGate periodically stops sending syslog messages.
551459 srcintf is unknown-0 in traffic log for service DNS when action is IP connection error.
556199 No logs are generated when using local-in policy on ha-mgmt interface.
558702 miglogd not working until sysctl killall miglogd. Reboot does not help.
565216 Memory of miglogd increase and enter conserve mode.
565505 miglogd high CPU utilization.
566843 No log generated when traffic is blocked by setting tunnel-non-http in webproxy.
568795 Specific traffic type is not logged on FAZ/Memory.
576024 Set sniffer policy to only log logtraffic=utm but many traffic log stats are still generated in disk or FortiAnalyzer.

Proxy

Bug ID Description
457347 WAD crashes in wad_http_client_body_done when ICAP is enabled.
544414 WAD handles transparent FTP/FTPS traffic.
551119 Certificate blacklist not working correctly in proxy mode.
559166 In firmware 6.0.5, WAD CPU usage on all cores reaches 100% in each around 30s.
562610 FortiGate generates WAD crash wad_mem_malloc.
563154 Can’t open a particular web page via explicit proxy with deep inspection and webfilter profile enabled.
566859 In WAD conserve mode 5.6.8, max_blocks value is high on some workers.
567796 WAD constantly crashes every few seconds.
567942 FortiGate cannot block blacklist certificate against TLS 1.3 if the blacklist certificate server address
Bug ID Description
  is exempt.
568905 WAD crashes due to RCX null.
572489 SSL handshake sometimes fail due to FortiGate replying back FIN to client.
573340 WAD causing memory leak.
573721 For FortiGate with client certificate inspect mode, traffic will trigger WAD crash.
573917 Certain web pages time out.
574171 Fail to connect https://drive.google.com by TLS 1.3.
574730 Wildcard URL filter stops working after upgrade.
576852 WAD process crashes in internet_svc_entry_cmp.
579400 High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC broken between wad and authd.
581865 In Proxy inspection with Application control and certificate inspection, TLS error for certain web pages,in EDGE browser only.
582714 WAD might leak memory during SSL session ticket resumption.
583736 WAD application crashing in v6.2.1.

REST API

Bug ID Description
566837 HTTPSD process crashes when using REST API.

Routing

Bug ID Description
558979 ECMP-based session with auxiliary session and IPS is not offloaded in reply direction.
559645 Creating static route from GUI should set Dynamic Gateway disabled by default.
560633 OSPF route for AD-VPN tunnel interface flaps.
562159 ADVPN OSPF unable to ping over ADVPN linknet.
567497 FortiGate sends PIM register messages to RP for group 64.0.0.0 about nonexistent sources.
570686 FortiOS 6.2.1 introduces asymmetric return path on the HUB in SD-WAN after the link change due to SLA on the spoke.
571714 DHCPv6 relay shows no route to host when there are multiple paths to reach it.
573789 OSPF with virtual clustering not learning routes.
578623 Gradual memory increase with full BGP table.
581488 BGP confederation router sending incorrect AS to neighbor-group routers.

SSL VPN

Bug ID Description
476377 SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.
478957 SSL VPN web portal login history is not displayed if logs are stored in FortiAnalyzer.
481038 Web application is not loading through SSL VPN portal.
491733 When SSL VPN receives multiple HTTPS post requests under web filter, read_request_data_ f loops even when client is stopped, which causes the SSL VPN process to use 99% of CPU.
496584 SSL VPN bad password attempt causes excessive bind requests against LDAP and lockout of accounts.
515889 SSL VPN web mode has trouble loading internal web application.
525172 A web application accessed through SSL VPN web mode triggers Error 500 on Java server.
530509 Invalid HTTP Request when SMB via SSL VPN bookmark is executed with MS Server 2016, but works fine with MS server 2008R2.
531848 FortiSIEM WebGUI does not load on web portal.
537341 SSL bookmark is not loading SAP portal information.
545177 Web mode fails for SharePoint page.
549654 Citrix bookmarks should be disabled in SSL VPN portal.
549994 SSL VPN web mode logon page should not show Skip button for remote user with Force password change on next logon.
551695 Office365 applications through SSL VPN bookmarks.
555344 Downloading PDF file throigh SSL VPN portal.
555611 SSL VPN web mode web forward not working for video camera system after upgrade to 6.0.4.
556657 Internal website not working through SSL VPN web mode.
558076 In firmware 6.2.0, RDWeb (Windows Server 2016) via SSL web portal does not work.
558080 McAfee ESM 11 display issues in SSL VPN web portal.
558473 For FG-200E, after upgrading from 6.0.4 to 6.2.0, SSL VPN HTTPS bBookmark does not load (Secure Connection Failed).
559171 With SSL VPN web mode unable to get dropdown menu from internal web page.
559785 FortiMail login page with SSL VPN portal not displaying correctly.
560505 SharePoint 2019 page access fails using web mode.
560730 SSL VPN web mode SSO doesn’t work for some site like FAc login.
560747 The referer header is not correct, and some files are not loaded properly.
561585 SSL VPN doesn’t correctly show Windows Admin center application.

 

Bug ID Description
563147 Connection to internal portal freezes when using SSL VPN web bookmark.
563798 Redirect in bookmark is not loading.
564850 Object from CARL source not showing through SSL VPN web mode.
564871 SSL VPN users create multiple connections.
567182 In SSL VPN web mode, videos on internal website won’t display.
567626 SSL VPN still allows password expired users to change password and get access.
567628 SSL VPN banned-cipher SHA256 not completely working.
567987 In SSL VPN web mode, RDP disconnects when copying long text from remote to local.
568481 Internal website using java is not accessed using SSL VPN web mode.
568838 Internal website not working through SSL VPN web mode.
569030 SSL VPN tunnel mode can only add split tunneling of user’s policy with groups and its users in different SSL VPN policies.
569711 Error for proxy ssh database through SSL VPN.
570445 CMAT application through SSL VPN not working properly.
570620 SSL VPN web mode does not work properly for the website using JavaScript.
571005 NextCloud through SSL VPN behaving strangely.
571479 Cannot access sub-menus from the internal main website through the bookmark when using SSL VPN web mode.
571721 Local portal adzh-srop-nidm02.intern.cube.ch needs more than 10 min. to load via SSL VPN bookmark.
572653 Unable to access Qlik Sense URL via SSL VPN web mode .
573527 SSL web portal CSP v3 compatibility issue.
573853 TX packet drops on ssl.root interface.
574551 Subpages on internal websites are not working via SSL VPN web mode (Tunnel mode is OK).
574724 SSL VPN conserve mode on FWF-30E when FortiGate unit enters memory less than 25%.
575248 Synology DSM login page is not displayed when accessed via SSL VPN bookmark or connection tool.
575259 SSL VPN connection is being dropped intermittently.
576013 The SSL VPN web mode webserver link is not rewritten correctly after login.
576288 VIP customer – FSSO groups set in rule with SSL VPN interface.
578581 SSL web mode VPN portal freezing when opening some websites using JavaScript.
580182 The EOASIS website is not displayed properly using SSL VPN web mode.
Bug ID Description
580384 SSL VPN web mode not redirecting URL as expected after successful login.
581863 Accessing http://nlyte.ote.gr/nlyte/ configured with bookmark name ‘NLYTE’ not getting authentication page.
582115 Third-party (Ultimo) web app does not load over SSL VPN web portal.
582161 Internal web application is not accessable through web SSL VPN.

Switch Controller

Bug ID Description
557280 Need to add FSW port information on Security Fabric and device inventory the same as before

6.0.4.

563939 802-1X timer reauth-period option 0 doesn’t work.

System

Bug ID Description
423311 200E/201E software switch span function does not work.
470875 OID seems to be COUNTER32 instead of GAUGE32.
498599 Can’t create loopback interface by VDOM admin if there’s no physical interface in VDOM.
520283 Can’t show global setting when VDOM admin run exec tac report command.
531675 SFP ports do not link down when SFP cat5 interface status of FortiGate on the other side goes down.
539970 Kernel panic on HA pair of 301E.
540083 Partial traffic outage with softirq on 100%.
545449 IPinIP traffic over another IPinIP is dropped in NP6-Lite when offloading is enabled.
550206 Memory (SKB) which is no longer needed is not released in NP6 and NP6lite drivers (100E, 140E, 3600D, 3800D).
551281 process_tunnel_timeout_notify:377, send timeout notify message error -1 1 message printed in console.
556408 Aggregate link doesn’t work for LACP mode active for 60E internal ports but works for wan1 and wan2 combination.
557172 When there are many application-control based Internet-service entries in SD-WAN, system performance is affected by high CPU usage of softirq.
557527 FortiGate as L2TP client does not negotiate correctly.
557798 High memory utilization caused by authd and WAD processes.

 

Bug ID Description
559467 Support four DNS records inside DHCP offer.
560411 3980E unresponsive with millions of sessions in TIME_WAIT.
560686 4x10G split-port does not work on FG-3700D rev 2.
561097 SD-WAN rule corrupted on reboot after ISDB update.
561234 FG-800D shows wrong HA, ALERM LED status.
561929 REST API cmdb/router/aspath-list is not inserting new values.
562049 TLS 1.3 resumption and Pre-Shared Key (PSK) fail if Hello Retry Request is received.
563232 Authorization fails when 0.0.0.0/0 is listed as the trusted host.
563497 The trust-ip-x feature on interface does not work.
564184 Split DNS not working. CNAME fails to resolve.
564579 Updated crash signal 14, object creation not allowed from cli errno=Resource temporarily unavailable.
564911 DHCPDISCOVERY NATed with TP management IP when sent to NAT VDOM .
565291 SD-WAN rule doesn’t work with nested firewall address group selected as source or destination.
565296 Wrong configuration transmitted by FOS to FortiManager under certain conditions.
565631 DHCP relay sessions are removed from the session table after applying any config change.
567487 CPU goes to 100% when modifying members of an addrgrp object.
567504 Speed test break the cluster.
568215 Kernel bug at net/core/skbuff.
569652 High memory utilization after FortiOS and IPSengine upgrade.
570227 FortiGate is not selecting an NTP server that has a clock time in the majority clique of other NTP servers.
570834 STP (Spanning Tree) flapping.
571207 DHCP with manual address does not provide subnetmask in DHCP ACK.
572411 Timezone for Canary Islands is missing.
572428 lldptx – Application Crashed – Signal 11 Segmentation Fault.
572707 Configuration is corrupted when restoring a VDOM.
572763 softirq causing high CPU when session increase in an acceptable way.
573177 GUI cannot save edits made on replacement messages in a VDOM. When using CLI, user gets logged out while editing.
574086 Kernel panic occurs after upgrading from 6.2.0 to 6.2.1.
574110 When adding admin down interface as a member of aggregate interface, it shows up and process
Bug ID Description
  the traffic.
574327 FortiGate CSR traffic to SCEP srv generated from the root VDOM instead of the VDOM we create the CSR.
574991 FortiGate can’t extract the user principal name UPN from user certificate when certificate contains UPN and additional names.
576063 Crashlog keeps having cid could not load sigs after FortiGate is authed into FortiManager.
577047 FortiGate takes a long time to reboot when it has many firewall addresses used in many policies.
577302 Virtual WAN Link process (vwl) memory usage keeps increasing after upgrading to 6.2.1.
578531 forticldd deamon resolved mgrctrl1.fortinet.com to wrong IP address.
578746 FortiGate does not accept FortiManager created country code and causes address install fails.
579524 DHCP lease is not stable and dhcpd process crashes.
580185 authd4 crashes when deleting a VDOM or rebooting the FortiGate.
580883 DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6.
582547 fgfmsd crash makes connection to FortiManager go down.

Upgrade

Bug ID Description
550410 Cannot edit addrgrp which includes wildcardfqdn object after upgrade from v5.6.x.
556002 Some firewall policies were deleted after upgrade from FOS 6.0.4 to FOS 6.2.0.
558995 L2 WCCP stops working after upgrade to FOS 6.0.3 or newer.
562444 The firewall policy with internet-service enabled was lost after upgrade from 6.0.5.
580450 Policies removed after an upgrade in NGFW Policy Mode: maximum number of entries has been reached.

User & Device

Bug ID Description
547657 Disclaimer+Auth Guest portal RADIUS auth failing due to FAC trying to resolve 3rd party websites as access-points.
549394 fnbamd crashes frequently.
558332 CoA from FAC is not working for FortiGate wired interface based captive portal.
561289 User-based Kerberos Authentication not working in new VDOM.
Bug ID Description
561610 src-vis process memory leak.
562185 Disclaimer redirection to IP instead of FQDN results in Certificate/SSL warning.
562861 RADIUS CoA (disconnect request) not working with use-management-vdom.
567990 Hard-timeout setting not working for captive portal.
Bug ID Description
564290 FOS can’t collaborate web-cache with FortiProxy successfully.

VM

Bug ID Description
524052 Application cloudinitd has signal 11 crash on FortiGate-VM64-GCP.
561083 VPN tunnels not coming up after HA failover in GCP.
561909 Azure SDN connector try querying invalid FQDN when using Azure Stack Integrated systems.
567137 VM in Oracle cloud has 100% CPU usage in system space.
570176 HA cluster multi AZ does not failover IPsec VPN in AWS with TGW.
571652 OCI SDN connector gets HTTP response err:500 when enabling use-metadata-iam.
573952 FGT-VM with network driver vmxnet3 has lots of fragments when testing throughput.
575400 In Azure SDN, the firewall address filter cannot fetch the secondary public and private IP addresses of the NICs.
578727 FGTVM_OPC unable to failover the route properly during failover.
578966 OpenStack PCI passthru sub interface VLAN cannot received traffic.
580738 In the Cluster setup, slave unit can have different fingerprint for the OCI SDN connector, which can cause unit to fail to connect to OCI metatdata server properly.
580911 EIP assigned to the secondary IP address on the OCI do not ‘t fail over during HA failover.
577856 Add missing AWS HA failover error log and set firewall.vip/vip46/vip6/vip64 not sync’ing when cross zone HA is configured.

VoIP

Bug ID Description
570430 SIP ALG generates a VoIP session with wrong direction.
580588 SDP information fields are not being natted in Multipart Media Encapsulation traffic.

WanOpt Web Filter

Bug ID Description
356487 When central-management is NONE, include-default-servers setting is not honored by rating.
549928 Block page images not loading for web sites protected by HSTS.
551956 Proxy web filtering blocks innocent sites due to urlsource=”FortiSandBox Block”.
565952 Proxy-based Webfilter breaks WCCP traffic.

WiFi Controller

Bug ID Description
540027 FortiWiFi working as client mode cannot see and connect to the hotspot SSID from iOS devices.
569966 WPA2-Enterprise SSID authentication cannot utilize the source IP setting in RADIUS server configuration.
570745 FAPs detecting BSSIDs of others FAPs managed by the same WC as Fake-ap-on-air.
573024 FAP cannot be managed by FortiGate when admin trusthost is configured.

 

Known issues

The following issues have been identified in version 6.2.2. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Data Leak Prevention

Bug ID Description
586689 Downloading a file with FTP client in EPSV mode will hang.
DNS Filter  
Bug ID Description
586526 Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.
FortiView  
Bug ID Description
582341 Fortiview > policies: Consolidate policy without name and tooltips, Security policy with tooltips are not working.

GUI

Bug ID Description
282160 GUI does not show byte info for aggregate and VLAN interface.
438298 When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.
480731 Interface filter get incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.
510685 Hardware Switch Row is shown, indicating a number of interfaces but without any interfaces below.
514632 Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.
537307 Gets “Fail to retrieve info” for ha-mgmt-interface on GUI > interface page.
540098 GUI does not display the status for VLAN and loopback under status column at Network > interfaces.
541042 Log viewer Forward Traffic cannot support double negate filter (client side issue).
542544 In Log & Report, filtering for blank values (None) always show no results.
553290 The tooltip of VLAN interface displays Failed to retrieve info on GUI.
Bug ID Description
557786 GUI response is very slow when accessing IPSec-Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
559866 When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via management tunnel.
565748 New interface pair consolidated policy added via CLI is not displayed on GUI policy page.
573456 FortiGate without disk Email Alert Settings page should remove Disk usage exceeds option.
574101 Empty firmware version in managed FortiSwitch from FortiGate GUI.
579711 An error occurs while running Security Rating.
583049 Internal Server Error while trying to create new interface.
584939 VPN event logs shows incorrectly when adding two action filters and if the filter action filter contains

“-“.

586749 Enable/Disable Disarm and Reconstruction on GUI only takes effect on SMTP protocol in AV profile.
Bug ID Description
573028 WAD crashes causing traffic interruption.
575224 WAD – high memory usage from worker process causing conserve mode and traffic issues.

HA

Bug ID Description
479780 Slave fails to send and receive HA heartbeat on config cfg-revert setting on FGT2500E.
575020 HA failing config sync on VM01 with error (slave and master have different hdisk status) when master is pre-configured.
581906 HA slave sending out GARP packets in 16-20 seconds after HA monitored interface failed.
586004 Moving VDOM via GUI between virtual clusters causes cluster to go out of sync but VDOM state work/standby doesn’t change.

IPsec VPN

Bug ID Description
582251 IKEv2 with eap auth peerid validation doesn’t work.

Proxy REST API

Bug ID Description
584631 REST API admin with token unable to configure HA setting (via login session can work).

Security Fabric

Bug ID Description
578268 Downstream device shows offline.
586587 Security Fabric widget keep loading when FortiSwitch is in a loop or two FortiSwitches are in mclag mode.
587758 Invalid CIDR format shows as valid by Security Fabric threat feed.

SSL VPN

Bug ID Description
505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.
563022 SSL VPN LDAP group object matching only matches the first policy, isn’t ‘t consistent with normal firewall policy.
585754 An SSL VPN bookmark failed to load the GUI of proxmox GUI interface.

Switch Controller

Bug ID Description
581370 FortiSwitch managed by FortiGate not updating RADIUS settings and user group in the FortiSwitch.
586299 Adding factory-reset device to HA fails with switch-controller.qos settings in root.

System

Bug ID Description
464340 EHP drops for units with no NP_SERVICE_MODULE.
484749 TCP traffic with tcp_ecn tag cannot go through ipip IPv6 tunnel with NP6 offload enabled.
555616 TCP packets send wrong interface and high CPU.
562212 Management tunnel to devices goes down and cannot reclaim tunnel; so policy pushes get stuck.
570759 RX/TX counters for VLAN interfaces based on LACP interface are 0.
573973 ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.
Bug ID Description
575013 Errors in the FortiGate’s CLI 8 debug, when FortiManager is obtaining the HA status and mgmtdata status, if ha-mgmt-status enabled.
581998 Session clash event log found on FG-6500F when passing a lot of same source IP ICMP traffic over Load balance VIP.

User & Device

Bug ID Description
569062 fnbamd takes high CPU usage and user cannot authenticate.

VM

Bug ID Description
579013 FortiGate HA failover fails in Azure stack due to invalid authentication token tenant.
579708 Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.
587180 FGTVM64_KVM is unable to boot up properly when doing a hard reboot with the host.
587757 FG-VM image unable to be deployed on AWS with additional disk of type HDD(st1).

WiFi Controller

Bug ID Description
555659 When FAP is managed across VDOM links, WiFi client can’t join SSID when auto-asicoffload is enabled.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 6.2.0 Release Notes

Introduction and supported models

This guide provides release information for FortiOS 6.2.0 build 0866.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.2.0 supports the following models.

FortiGate FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E,

FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E,

FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E,

FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D,

FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E
FortiGate Rugged FGR-30D, FGR-35D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS,

FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN,

FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 6.2.0 images are delivered on request and are not available on the Beta portal.

Special Notices

  • FortiGuard Security Rating Service l FortiGate hardware limitation l CAPWAP traffic offloading
  • FortiClient (Mac OS X) SSL VPN requirements l Use of dedicated management interfaces (mgmt1 and mgmt2) l Using FortiAnalyzer units running older versions on page 8

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model: l FGR-30D l FGR-35D l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E-2R l FWF-50E l FWF-51E

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

Special Notices                                                                                                                                                          7

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected: l FG-900D l FG-1000D l FG-2000E l FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

 

Special Notices

Using FortiAnalyzer units running older versions

When using FortiOS 6.2.0 with FortiAnalyzer units running 5.6.5 or lower, or 6.0.0-6.0.2, FortiAnalyzer might report increased bandwidth and session counts if there are sessions that last longer than two minutes.

For accurate bandwidth and session counts, upgrade the FortiAnalyzer unit to 5.6.6 or higher, or 6.0.2 or higher.

Changes in default behavior

Firewall

Remove dependency of ssl-ssh-profile on utm-status under firewall policy (531885).

Previous releases 6.2.0 release
You must enable utm-status under firewall policy before configuring ssl-ssh-profile. You can configure ssl-ssh-profile by itself. When you upgrade, this configuration is added to the existing firewall policy.

Log & Report

Previous releases 6.2.0 release
Super admin: can back up and restore configuration file.

Global admin: can back up and restore configuration file.

Super admin: can back up and restore configuration file. Global admin: can only back up configuration file.

Starting from the 6.2.0 release, exe log list displays the result of the current log device.

Previous releases 6.2.0 release
exe log list only lists the disk log file. exe log list lists the log file from the current log device (disk/memory).

exe log list shows the memory log file in exe log filter device memory.

exe log list shows the disk log file in exe log filter device disk.

Separate policy and address log-uuid options into two individual options.

Previous releases 6.2.0 release
config system global set log-uuid [policy-only | extended |

disable] end

config system global set log-uuid-policy [enable | disable] set log-uuid-address [enable | disable] end

System

Starting from the 6.2.0 release, Global admin can only back up but not restore the configuration file. default behavior

Previous releases 6.2.0 release
VDOM admin: can back up and restore VDOM

configuration file with full Admin and Maintenance permission.

VDOM admin: can back up and restore VDOM

configuration file with full Admin and Maintenance permission.

Devices configured under security-exempt-list are void after upgrading to 6.2.0.

Previous releases 6.2.0 release
config user security-exempt-list edit “1” set description “device” config rule edit 1 set devices “linux-pc”

next edit 2 set srcaddr “10-1-100-0”

next

end

next

end

config user security-exempt-list edit “1” set description “device” config rule edit 2 set srcaddr “10-1-100-0”

next

end

next

end

 

Changes in CLI defaults

Anti-Spam

Rename spamfilter to emailfilter.

Previous releases 6.2.0 release
config spamfilter bwl end

config spamfilter profile end

config firewall policy edit [Policy ID] set spamfilter-profile [Profile Name]

next end

config emailfilter bwl end

config emailfilter profile end

config firewall policy edit [Policy ID] set emailfilter-profile [Profile Name]

next end

Data Leak Prevention

Rename DLP fp-sensitivity to sensitivity.

Previous releases 6.2.0 release
config dlp fp-sensitivity end config dlp sensitivity end

Firewall

Rename utm-inspection-mode to inspection-mode under firewall policy.

Previous releases 6.2.0 release
config firewall policy edit [Policy ID] set utm-inspection-mode [proxy | flow]

next end

config firewall policy edit [Policy ID] set inspection-mode [proxy | flow]

next end

 

Add a new direction command to Internet service group. Members are filtered according to the direction selected. The direction of a group cannot be changed after it is set.

Previous releases 6.2.0 release
config firewall internet-service-group edit [Internet Service Group Name] set member 65537 65538

next end

config firewall internet-service-group edit [Internet Service Group Name] set direction [source | destination |

both] set member 65537 65538

next end

FortiView

Previous releases 6.2.0 release
execute ha manage [ID] execute ha manage [ID] [admin-username]

The following FortiView CLI has been changed in this release.

Previous releases 6.2.0 release
config system admin

edit [User Name]

config gui

edit [Dashboard ID] config widget edit [Widget ID] set type fortiview set report-by source <- removed set timeframe realtime <- removed set sort-by “bytes” <- removed set visualization table <- removed

next

end

next

end next end

config system admin

edit [User Name]

config gui

edit [Dashboard ID] config widget

edit [Widget ID]

set type fortiview set fortiview-type ” <- added set fortiview-sort-by ” <- added set fortiview-timeframe ” <- added set fortiview-visualization ” <- added set fortiview-device ” <- added

next

end next

end next end

HA

The CLI command for HA member management is changed.

Intrusion Prevention

Move Botnet configuration option from interface level and policy level to IPS profile.

Previous releases 6.2.0 release
config system interface edit [Interface Name] set scan-botnet-connections

block | monitor] next

end

config firewall policy edit [Policy ID] set scan-botnet-connections

block | monitor] next

end

config firewall proxy-policy edit [Policy ID] set scan-botnet-connections

block | monitor] next

end

config firewall interface-policy edit [Policy ID] set scan-botnet-connections

block | monitor] next

end

config firewall sniffer edit [Policy ID] set scan-botnet-connections

block | monitor] next end

[disable

[disable

[disable

[disable

[disable

|

|

|

|

|

config ips sensor edit [Sensor name] set scan-botnet-connections [disable |

block | monitor] next end

IPsec VPN

Add net-device option under static/DDNS tunnel configuration.

Previous releases 6.2.0 release
config vpn ipsec phase1-interface edit [Tunnel Name] set type [static | ddns]

next end

config vpn ipsec phase1-interface edit [Tunnel Name] set type [static | ddns] set net-device [enable | disable]

next end

Log & Report

Move botnet-connection detection from malware to log threat-weight.

Previous releases 6.2.0 release
config log threat-weight config malware set botnet-connection [critical | high

| medium | low | disable] end end

config log threat-weight set botnet-connection [critical | high

| medium | low | disable] end

SDS.

Previous releases 6.2.0 release
config log threat-weight config malware set botnet-connection [critical | high

| medium | low | disable] end end

config log threat-weight set botnet-connection [critical | high

| medium | low | disable] end

Add new certificate verification option under FortiAnalyzer setting.

Previous releases 6.2.0 release
config log fortianalyzer setting set status enable

set server [FortiAnalyzer IP address] end

config log fortianalyzer setting set status enable set server [FortiAnalyzer IP address] set certificate-verification [enable |

disable] set serial [FortiAnalyzer Serial number] set access-config [enable | disable] end

Proxy

Move SSH redirect option from firewall ssl-ssh-profile to firewall policy.

Previous releases 6.2.0 release
config firewall ssl-ssh-profile edit [Profile Name] config ssh set ssh-policy-check [enable | disable]

end

next end

config firewall policy

edit [Policy ID]

set ssh-policy-redirect [enable | disable]

next end

Move HTTP redirect option from profile protocol option to firewall policy.

Previous releases 6.2.0 release
config firewall profile-protocol-option edit [Profile Name] config http set http-policy [enable | disable]

end

next end

config firewall policy

edit [Policy ID]

set http-policy-redirect [enable | disable]

next end

Move UTM inspection mode from VDOM setting/AV profile/webfilter profile/emailfilter profile/DLP sensor to firewall policy.

Previous releases 6.2.0 release
config system setting set inspection-mode [proxy |

end

config antivirus profile edit [Profile Name] set inspection-mode [proxy

next

end

config webfilter profile edit [Profile Name] set inspection-mode [proxy

flow]

| flow-based]

| flow-based]

config firewall policy edit [Policy ID] set inspection-mode [flow | proxy]

next end

Previous releases 6.2.0 release
next

end

config spamfilter profile edit [Profile Name] set flow-based [enable | disable]

next

end

config dlp sensor edit [Sensor Name] set flow-based [enable | disable]

next end

Routing

For compatibility with the API, the CLI command for OSPF MD5 is changed from a single line configuration to sub-table configuration.

Previous releases 6.2.0 release
config router ospf config ospf-interface edit [Interface Entry Name] set interface [Interface] set authentication md5

set md5-key [Key ID] [Key String Value]

next

end end

config router ospf config ospf-interface edit [Interface Entry Name] set interface [Interface] set authentication md5 config md5-keys edit [Key ID] set key-string [Key String Value]

next

end

next

end end

The name internet-service-ctrl and internet-service-ctrl-group is changed to internetservice-app-ctrl and internet-service-app-ctrl-group to specify it’s using application control.

Previous releases 6.2.0 release
config system virtual-wan-link config service edit [Priority Rule ID] set internet-service enable set internet-service-ctrl

[Application ID] set internet-service-ctrl-group

[Group Name] next

end end

config system virtual-wan-link config service edit [Priority Rule ID] set internet-service enable set internet-service-app-ctrl

[Application ID] set internet-service-app-ctrl-group

[Group Name] next

end end

Add cost for each SD-WAN member so that in the SLA mode in a SD-WAN rule, if SLAs are met for each member, the selection is based on the cost.

Previous releases 6.2.0 release
config system virtual-wan-link config member edit [Sequence Number]

next

end end

config system virtual-wan-link config member edit [Sequence Number] set cost [Value]

next

end end

Add a load-balance mode for SD-WAN rule. When traffic matches this rule, this traffic should be distributed based on the LB algorithm.

Previous releases 6.2.0 release
config system virtual-wan-link config service edit [Priority Rule ID] set mode [auto | manual | priority |

sla] next

end end

config system virtual-wan-link config service edit [Priority Rule ID] set mode [auto | manual | priority |

sla | load-balance] next

end end

Security Fabric

Add control to collect private or public IP address in SDN connectors.

Previous releases 6.2.0 release
config firewall address

edit [Address Name] set type dynamic set comment ” set visibility enable set associated-interface ” set sdn aws

set filter “tag.Name=publicftp”

next end

config firewall address

edit [Address Name] set type dynamic set comment ” set visibility enable set associated-interface ” set sdn aws

set filter “tag.Name=publicftp” set sdn-addr-type [private | public | all]

next end

Add generic support for integrating ET products (FortiADC, FortiMail, FortiWeb, FortiDDoS, FortiWLC) with Security Fabric.

Previous releases 6.2.0 release
config system csf config fabric-device edit [Device Name] set device-ip [Device IP] set device-type fortimail set login [Login Name] set password [Login Password]

next

end end

config system csf config fabric-device edit [Device Name] set device-ip [Device IP] set https-port 443

set access-token [Device Access Token]

next

end end

Add support for multiple SDN connectors under dynamic firewall address.

Previous releases 6.2.0 release
config firewall address edit [Address Name] set type dynamic set color 2 set sdn azure

set filter “location=NorthEurope”

next end

config firewall address edit [Address Name] set type dynamic set color 2 set sdn [SDN connector instance] set filter “location=NorthEurope”

next end

System

Add split VDOM mode configuration.

Previous releases 6.2.0 release
config global set vdom-admin [enable | disable] end config global set vdom-admin [no-vdom | split-vdom |

multi-vdom] end

WiFi Controller

Remove http and telnet in allowaccess options under wireless-controller wtp-profile and wireless-controller wtp.

Previous releases 6.2.0 release
config wireless-controller wtp-profile edit [WTP Profile Name]

set allowaccess http | https | telnet |

ssh next

end

config wireless-controller wtp

edit [WTP ID] set override-allowaccess enable set allowaccess http | https | telnet |

ssh next end

config wireless-controller wtp-profile edit [WTP Profile Name] set allowaccess https | ssh

next

end

config wireless-controller wtp

edit [WTP ID] set override-allowaccess enable set allowaccess https | ssh

next end

 

Changes in default values

Firewall

The default profile for ssl-ssh-profile is changed from certificate-inspection to no-inspection.

Previous releases 6.2.0 release
Config firewall policy

edit [Policy ID]

set ssl-ssh-profile certificateinspection   next end

Config firewall policy

edit [Policy ID]

set ssl-ssh-profile no-inspection

next end

IPsec VPN

The default value for net-device option under dynamic(dialup) tunnel has changed from disable to enable.

Previous releases 6.2.0 release
config vpn ipsec phase1-interface edit [Tunnel Name] set type dynamic set net-device disable

next end

config vpn ipsec phase1-interface edit [Tunnel Name] set type dynamic set net-device enable

next end

Log & Report

The default value, minimum value, and maximum value for memory log is changed.

Previous releases 6.2.0 release
config log memory global-setting set max-size 65536 end config log memory global-setting set max-size [1% of total RAM] end

Changes in default values                                                                                                                                         21

Routing

The default SD-WAN health-check interval is changed from 1 to 500 and the unit is changed from seconds to milliseconds.

Previous releases 6.2.0 release
config system virtual-wan-link config health-check edit [Health Check Name] set interval 1

next

end end

config system virtual-wan-link config health-check edit [Health Check Name] set interval 500

next

end end

The default link-monitor interval is changed from 1 to 500 and the unit is changed from seconds to milliseconds.

Previous releases 6.2.0 release
config system link-monitor edit [Link Monitor Name] set interval 1

next end

config system link-monitor edit [Link Monitor Name] set interval 500

next end

System

The default protocol used for FortiGuard service communication is changed from UDP to HTTPS.

The protocol setting remains unchanged for FortiGates upgrading from v6.0 to v6.2.

Previous releases 6.2.0 release
config system fortiguard set protocol udp set port 8888 end config system fortiguard set protocol https set port 8888 end

Changes in default values

Switch Controller

The default value for FortiLink split interface is changed from disable to enable.

Previous releases 6.2.0 release
config system interface edit [FortiLink Interface] set fortilink enable

set fortilink-split-interface disable

next end

config system interface edit [FortiLink Interface] set fortilink enable

set fortilink-split-interface enable

next end

WiFi Controller

The default value of broadcast-suppression under wireless vap is changed from dhcp-up arp-known to dhcp-up arp-known dhcp-ucast.

Previous releases 6.2.0 release
config wireless-controller vap edit [vap-name] set broadcast-suppression dhcp-up arp-

known next end

config wireless-controller vap edit [vap-name] set broadcast-suppression dhcp-up dhcp-

ucast arp-known next end

The default value of control-message-offload under wireless-controller wtp-profile is changed from ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu to ebpframe aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health.

Previous releases 6.2.0 release
config wireless-controller wtp-profile edit [FAP Profile Name] set control-message-offload ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu next end config wireless-controller wtp-profile edit [FAP Profile Name] set control-message-offload ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health next end

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version

  1. Click Go.

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated and as a result there are two upgrade scenarios:

  • Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License.
  • Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement, must upgrade both the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.0 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.2.0 l FortiClient EMS 6.2.0 l FortiClient 6.2.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.2.0. When Security Fabric is enabled in FortiOS 6.2.0, all FortiGate devices must be running FortiOS 6.2.0.

 

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.0 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.0 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

l Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox) l FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting) l LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l admin user account l session helpers l system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.2.0 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.0 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.0, the interface allowaccess configuration on all managed FortiSwitches are overwritten by the default FortiGate local-access profile. You must manually add your protocols to the localaccess profile after upgrading to 6.2.0.

To configure local-access profile:

config switch-controller security-policy local-access edit [Policy Name] set mgmt-allowaccess https ping ssh set internal-allowaccess https ping ssh

next

end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch edit [FortiSwitch Serial Number] set switch-profile [Policy Name] set access-profile [Policy Name]

next

end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global set vdom-mode [no-vdom | split vdom] end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any]

end

FortiView widgets

FortiView widgets have been rewritten in 6.2.0. FortiView widgets created in previous versions are deleted in the upgrade.

 

Product Integration and Support

The following table lists FortiOS 6.2.0 product integration and support information:

Web Browsers l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 41 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Fortinet Security Fabric upgrade on page 23. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on page 23. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient:

l Microsoft Windows l Mac OS X l Linux

l 6.2.0

See important compatibility information in FortiClient Endpoint Telemetry license on page 23 and Fortinet Security Fabric upgrade on page 23.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS l 6.2.0 and later
FortiClient Android and FortiClient VPN Android l 6.2.0 and later
FortiAP l 5.4.2 and later l 5.6.0 and later
FortiAP-S l 5.4.3 and later l 5.6.0 and later

 

FortiSwitch OS

(FortiLink support)

l 3.6.9 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l 5.0 build 0276 and later (needed for FSSO agent support OU in group filters) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8
FortiExtender l 3.2.1
AV Engine l 6.00127
IPS Engine l 4.00219
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04 (32-bit & 64-bit)

2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 61

Google Chrome version 68

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 61

Google Chrome version 68

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X El Capitan 10.11.1 Apple Safari version 11

Mozilla Firefox version 61

Google Chrome version 68

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 6.2.0. For inquires about a particular bug, please contact Customer Service & Support.

Anti-Spam

Bug ID Description
295539 Spam filter profile CLI options are disabled after GUI change.
477496 Unable to add email wildcard to black/white list GUI in Anti-Spam profile.

AntiVirus

Bug ID Description
474538 Remove mobile malware protection option from GUI.
491675 FTP Server is not accessible when AV profile is set to proxy based inspection.
502138 AV full-scan mode causes traffic to fail.
513667 WAD crash when av-scan is blocking the input and HTTP session is closing.
516072 In flow mode, scanunit API does not allow IPS to submit a scan job for a URL with no filename.
519759 Process scanunit crash in removeTransformCleanup when Outbreak Prevention is enabled.
522343 scanunitd experiences a constant different kind of crash.
525151 Flow AV profile and SSL deep inspection writes blocked invalid cert logs to webfilter logs.
525711 FortiGate not sending email headers to FortiSandbox.
537666 Flow AV in quick mode cannot block large infected samples (eicar.exe).
541023 Scanunit worker leaves urlfilter API socket files behind in tmp.

Application Control

Bug ID Description
511151 Application Control with traffic shaper is not attached to session.
Authentication
Bug ID Description
447575 Standard vs. Advanced mismatch on FortiOS GUI.
Bug ID Description
463849 FAC remote LDAP user authentication via RADIUS fails on invalid token if password change and 2FA are both required.

Data Leak Prevention

Bug ID Description
486958 scanunit signal 14 alarm clock caused by DLP scanning bz2 file.
496255 Some XML-based MS Office files are recognized as ZIP files.
518146 DLP incorrectly blocking .deb file extension (DLP log unclear for matches in archive files).
524910 DLP profile to block the file name pattern “*” not blocking uploading files.

DNS Filter

Bug ID Description
472267 DNS filter performance improvement.

Endpoint Control

Bug ID Description
543635 Extend GTP0/GTP1 policy for new RAT types.

Explicit Proxy

Bug ID Description
413187 XFF header enhancements (strip-off & enforcement) for URL filtering module.
445312 tcp-timewait-timer does not have any effect when WAD is running.
477289 Proxy is unexpectedly sending FIN packet (FTP over HTTP traffic).
491118 Kerberos users unable to access the internet.
500182 UDP over SOCKS PROXY.
503478 Presence of X-XSS-Protection header causes response to be not cacheable.
506654 High memory usage on WAD.
506821 Explicit web proxy, slow speed.
509876 Web-proxy internet service as DST address cannot work for some IP address range overlap case.
509994 Website denied due to certificate error (revoked) only in Proxy_policy and deep inspection profile.
512294 WAD should not keep buffer data if the server’s response broke the HTTP protocol.
Bug ID Description
515327 WAD returns 502 Bad Gateway if the server disconnects without data received.
521344 Explicit FTP proxy doesn’t work with second IP address.
521899 When proxy srvc is set to protocol CONNECT and client tries to connect to HTTPS page, client gets message: Access Denied.
524933 Agentless NTLM – FortiGate adds redundant domain suffix to username when it is already present (UPN used).

Firewall

Bug ID Description
390422 Cannot add a wildcard FQDN object to an addrgrp which is applying in policy
457294 GUI to allow negate an address object.
466999 Implicit deny policy generating logs when logging is disabled.
484599 Cannot use custom internet service group in traffic shaping policy.
484603 Cannot use application group in traffic shaping policy.
492034 Traffic not matching expected sessions and getting denied.
497535 In NGFW policy mode, applications allowed by unintended policy ID when together with firewall-session-dirty check new.
503904 Creating a new address group gives error: Associated Interface conflict detected!.
508085 Customer does not accept the confirmation of 0.0.0.0/0 object while creating address object errors.
508098 Creating wildcard address object errors but still creates the object.
511143 set logtraffic-start enable option is not available for policy64/policy46.
520558 Should not do passive port NAT for FTP session helper.
521337 Adding ports in a custom ISDB service for all the IP of the service is not easily achievable.
522447 FortiGate logging is not stable and stopped working.
525995 Session marked dirty when routing table updated for route which is not related to the session.
529685 WCCP not use the tunnel.
535468 DCE/RPC session-helper expectation session is removed unexpectedly.
536868 A FortiGate in TP mode with set send-deny-packet enabled policy, generates strange ICMP-REPLY for TCP SYN/ICMP-REQUEST/UD.
537227 When forwarding the multicast traffic for the first time, the packet size is not calculated correctly.
541248 FortiGate does not offer TLS-RSA-* ciphers when virtual server is configured and strongcrypto is disabled.
541596 Virtual server rejects TLS connections when plain RSA ciphers are specified in custom cipher-list.

FortiView

Bug ID Description
256264 Realtime session list cannot show IPv6 session and related issues.
414172 HTTPsd / DNSproxy / high CPU / memory with high rate UDP 1Byte spoofing traffic.
453610 Fortiview >Policies(or Sources) >Now, it shows nothing when filtered by physical interface at PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
488886 FortiView > Sources is unable to sort information accurately when filtering by policy ID number.
521497 FortiView > All Sessions > real time view is missing right-click menu to end session/ban ip.
527751 No user name on Fortiview > Sources main page

GUI

Bug ID Description
457966 Virtual wire pair > Add VLAN range filter on GUI.
462011 GUI is blank when accessed by radius user with read-access profile.
469082 prof_admin profile admins not able to display GUI IPv4 source address.
470698 Create new default dashboards in factory default settings.
473148 FGT5001D Sessions widget in Dashboard show negative % for nTurbo after throughput test.
478057 Cannot restore configuration when GUI access to the FortiGate is via a connection with small bandwidth.
493704 While accessing FortiGate page, browser memory usage keeps spiking and finally PC hangs.
498738 GUI creating B/W widget referencing SIT-Tunnel generates error.
501911 In FOS-AWS prompts user password = instance ID, and forces user to change password upon initial log in.
502785 Remove # of interfaces from device list.
503867 Some certificates break Certificate page.
505187 Getting error Some changes failed to save when configuring IPv4 policies on firewall.
509791 Editing Address Objects name within SSL-SSH inspection profile selection pane cause loss of Address/Web exemption objects.
509978 Unable to download the results of the scheduled script.
515022 FortiGate and FSA has right connectivity, but Test Connectivity on GUI interface is showing

Unreachable or not Authorized.

516295 Error connecting to FortiCloud message while trying to access Forticloud Reports in GUI.
Bug ID Description
518964 Slowness when adding or removing member from address group via SSH.
518970 Suggestion to improve SD-WAN SLA creation page’s invalid-entry handling.
521253 LAG interface is not listed on the dropdown list when configuring DNS Service.
523902 REST API issue: Access Token only verifies the first 30 characters.
526748 Firewall policies with action DENY show default proxy-options applied in GUI.
527137 Local GW disappears from GUI.
528464 Disappearing policy add-also happens in 6.0.3 build 0200.
533018 Process nsm with high CPU when displaying the GUI section of IP4 and IPv6 policy when receiving full routing of BGP.
536841 DNS server in VPN SSL setting is overwritten when SSL-VPN settings are modified via GUI.

HA

Bug ID Description
445214 Slave in AP cluster memory/CPU spike as a result of DHCP/HA sync issue.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is synced.
477392 Can’t use FAC username, password, and FortiToken two-factor authenticate login HA slave unit.
481943 A green check mark indicating HA sync status on GUI is only put on a side of virtual cluster 1.
482548 Conserve mode caused by hasync consuming most available memory.
486846 FGSP session sync for FGCP cluster keeps syncronizing sessions back to the originator even after the traffic is stopped.
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA fail-over in 80/81E.
494029 After failover, cannot connect to management-IP of backup device.
503433 hasync daemon crashes when admin session timeout and cluster could be out of sync for a short period.
503763 Config sync communication on heartbeat link not encrypted when encryption is enabled under system HA.
503897 FG-501E units generating logs only for five minutes after rebooting the unit, then do not generate anymore logs.
507013 Out of sync after config change.
509557 Duplicate MAC on mgmt2 ports.
510660 Upgrade to build 3574 fails for HA cluster.
511522 HA uninterruptible upgrade from 9790 to 3558 fails.
Bug ID Description
513940 Enormous amount of session between heartbeat Interfaces for port 703 (HASYNC).
515401 SLBC-Dual mode: Slave chassis blade sending traffic logs.
516234 GUI checksums show slave is not synchronized when the master is synchronized.
517537 Slave out-of-sync. Unable to log into slave unit.
518116 Suggest to add a command to show virtual_mac usages on FGCP HA.
518621 ha-mgmt-interface IPv6 GW is not registered when ha-mgmt-interface IPv4 GW is not set.
518717 MTU of session-sync-dev does not come into effect.
519653 Increase FGSP session sync from 200 VDOM to 500 VDOM.
523733 Successive failovers lead to complete traffic stop (IPSEC[01]_IQUEUE counter catching all traffic).
526252 High memory caused by updated daemon.
526492 FGSP between two FGCP clusters – session expectation.
526703 FGSP of FGCP cluster, does not pickup NAT’ed sessions.
530215 Application hasync *** signal 11 (Segmentation fault) received ***.
531083 Config of HA pair of FortiGates goes out of sync when removed from Central Management (FortiManager).
531812 FGSP config replicating BGP and OSPF info after a config restore.
532015 High CPU on Core1 due to session sync process.
535534 Multicast-forward setting is lost after a backup restore on a FGCP cluster.
537289 Old master keeps forwarding traffic after failover.
539707 Wrong status for ping server after failover in the output of the command get sys ha status.
Bug ID Description
381062 Provide accurate statistics across multiple IPS daemons.
452131 ipsengine up time on FG-51E is a negative number after changing db from extended to regular.
469608 ICMP Packets drop while FGD updates.

ICAP

Bug ID Description
478617 ICAP X-Authenticated-Groups information.

Intrusion Prevention

Bug ID Description
476219 Delay for BFD in IPinIP traffic hitting policy with IPS while IPsec calculates new key.
489557 traceroute issues when IPS is enabled.
503895 Traffic drops for 15 seconds when UTM is enabled.
509352 IPv4.Invalid.Datagram.Size attack is not detected in IDS mode.
516128 Victim is quarantined after IPS attack.
517059 One arm sniffer is unable to see HTTPS log in web filter logs.
537162 High memory due to IPS and SSL-VPN going into conserve mode.
541224 Network loop over virtual-wire-pair in HA mode if running diagnose sys ha reset-uptime.

IPsec VPN

Bug ID Description
463441 NAT -T broken with AWS and Fortigate.
471326 AES-256-GCM for phase 1.
481720 Using transparent mode and policy base VPN, about 4 ICMP packets which exceed over MTU 1375 byte are dropped.
491305 Packet from FCT can not go through VXLAN over IPsec depending on packet size.
493918 Memory leak with IKED.
494285 Slow IPsec traffic between FortiGate and AWS FortiGate once run iPerf between unix and linux.
509559 Invalid ESP packet detected (replayed packet) when having high load on IPsec tunnel.
514519 OSPF neighbor can’t up because IPsec tunnel interface MTU keeps changing.
515132 ADVPN shortcut continuously flapping.
515375 VPN goes down randomly, also affects remote sites dialup.
517088 IPsec Gateway never clears unless manually forced.
517849 Index of existing OIDs changes when installing new IPsec tunnels to the FortiGate – breaks monitoring.
518063 DPD shows unnegotiated and is not functioning correctly on ADVPN Spoke.
519187 IKE route should not be deleted if it is needed by other proxyids.
520151 When two certificates are configured on p1, both aren’t offered or the wrong one is offered.
523567 MTU values does not gets calculated correctly in GRE over IPsec.
524101 Unnecessary next-hop restriction on static route prevents using static routing on Hub with ‘netdevice disable.’
Bug ID Description
527496 Rename One Click VPN to Overlay Controller VPN.
529448 Shouldn’t PPK:no be shown at IKEv2 SA level when NO-PPK-AUTH was used?
531203 Cannot edit existing phase1-interface config.
536899 One issue and two possible enhancements when proxying IKE mode-cfg and DHCP.
537140 KEv2 EAP – FortiGate fails to respond to IKE_AUTH when ECDSA certificate is used by ForitGate.
537450 Site-to-site VPN policy based – with DDNS destination fail to connect.
537769 FortiGate sends failure response to L2TP CHAP authentication attempt before checking it against RADIUS server.
537848 FortiGate IPsec VPN phase1-interface and phase2-interface configurations are not saved into configuration file.
540560 Missing IKE SA HA sync when FortiGate is mode-cfg client + xauth.

Log & Report

Bug ID Description
387324 Archive mark is always on under UTM logs page when log-display location set to FAZ.
477393 Negative values in ‘Load Balance’ monitor logs.
479607 Scheduled auto-update happens twice in ten seconds but a log entry for the first try is not logged.
490379 Long-live session statistics logs add sentdelta and rcvddelta fields for FortiCloud FortiView as required.
491914 miglogd : syslog reliable mode is claiming all logs failed when some pass.
503394 Duplicate description for different log IDs: LOG_ID_CHG_CONFIG & LOG_ID_CONF_CHG etc.
503395 Duplicate description for different log IDs: LOG_ID_POWER_FAILURE, LOG_ID_POWER_ FAILURE_WARNING etc.
503396 Duplicate description for different log IDs.
503397 IPsec logging – Duplicate description for different log IDs.
503398 AP Event log: Duplicate description for different log IDs.
503399 PPPOE Event log: Duplicate description for different log IDs.
503400 RADIUS event log: Duplicate description for different log IDs.
503401 SSL Event logs: Duplicate description for different log IDs.
504012 Duplicate description for different log IDs: LOG_ID_LEAVE_FD_CONSERVE_MODE, LOG_ID_ LEAVE_FD_CONSERVE_MODE_NOTIF.
505393 Quad File Dropped Reason forticloud-daily-quota-exceeded.
510973 FortiGate with disk and send logs to FAZ has PCI alerts.
Bug ID Description
518402 miglogd crash and no logs are generated.
521020 VPN usage duration days in local report is not correct.
523829 When destination interface is PPPoE, intf-role is logged as Undefined even though the role is not undefined.
540157 Cannot view logs from FortiGate when secondary IP is used (only secondary IP is allowed to go internet on upstream).

Proxy

Bug ID Description
458057 Constant DNS query on built-in FQDN cause network congestion.
470407 IPv6-Happy-Eyeballs-Mechanism not working with proxy-based Webfilter-Profile.
487096 SSL handshake fail when activate ESET application.
491417 FortiGate is dropping server hello packets when urlfilter is enabled.
492372 Multiple WAD crashes with signal 11 (Segmentation fault).
500965 FGT-200E in kernel conserve mode. WAD process consuming high memory.
505171 ICAP does not work if there is no other proxy-based UTM feature enabled in the policy.
506995 FGT1200D WAD Crashing 5.6.5 (wad mapi).
507155 System went into conserve mode due to wad after upgrade to 5.6.5.
507585 Support multiple DC servers in the agentless NTLM auth as well as user based matching.
512434 Need to do changes in default replacement message of Invalid certificate Message.
512936 SSL certificate inspection in proxy mode doesn’t use CN from Valid Certificate for categorization when SNI is not present.
513270 Certificate error with SSL deep inspection.
516147 WAD crashes.
516863 Webproxy learn-client-ip webfilter’s auth/warn/ovrd does not work.
518933 Certificate inspection (CN base) web category filter doesn’t work.
519021 The customer is unable to access internal CRM application server with antivirus enabled.
521051 HTTP WebSocket 101 switching protocol requests mismatch in v6.0.3.
525518 Skype call drops when handled by WAD process after around three sec of being answered.
526322 WAD Crashes when processing transparent proxy traffic after upgrade to 6.0.3.
526667 FortiGate doesn’t forward request:port command after 0 byte file transmission.
529792 WAD process crash with signal 11.
Bug ID Description
530906 Certificate chaining is broken on FortiGate site (deep inspection) for certain web sites.
531526 FTP proxy ignores OTP in authentication.
531575 Web site access failure due to OCSP check in WAD + Deep SSL inspection.
532121 WAD uses high CPU with “netlink recvmsg No buffer space available” after upgrade to 6.0.3+.
534346 WAD memory leak on OCSP certificate caching.
536063 SSL deep inspection doesn’t work with OCSP stapling.
536623 WAD performs category SSL-Exemptions when SSL-inspection profiles are in “protect-server” mode.
537183 Removed default ssl-exempt entries page show empty.
539452 FortiGate does not follow Authority key identifier when sending certificate chain in deep inspection.
540067 Wildcard addresses removed from SSL deep inspection exempt list after upgrade to 6.0.4 from 5.6.

REST API

Bug ID Description
424403 REST API for system csf didn’t return csf group name.
467747 REST API user cannot create API user via autoscript upload and cannot set API password via CLI.

Routing

Bug ID Description
441506 BGP Aggregate address results in blackhole for incoming traffic.
448205 Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.
449010 WAN LLB session log srcip and dstip are mixed up intermittently.
476805 FortiGate delays to send keepalive which causes neighbor’s hold down timer to expire and reset the BGP neighborship.
485408 Merge vwl_valeo project – No option for proute based on only dynamic routes.
499328 Add VRF filtering capability to command get router info routing-table all.
500432 IGMP multicast joins taking very long time and uses high NSM CPU utilization.
503638 config system ipip-tunnel is lost after reboot when pppoe interface is used.
505189 Kernel is missing routes.
509561 SD-WAN health check status log is incorrect.
509768 Spillover rules do not work on PPPoE virtual-wan-link.
Bug ID Description
511203 When using policy route for IPv6, NAT64 does not work.
511932 Can’t make mgmt1 and mgmt2 redundant interfaces.
515683 FortiGate generates fragmented OSPFv3 DBD packets.
518655 IPv6 doesn’t respond to neighbor solicitation request.
518677 Log message MOB-L2-UNTRUST:311 not found in router advertisement enabled. the list! seen on VDOM with IPv6
518943 RIPv2 with MD5 authentication key ID incompatible with oth er vendors.
519498 Cease unspecified sent to all BGP peers when new peer is created.
522258 Some missing fields in proute list.
522271 Central NAT – Not updating when dst interface changes.
525182 WLAN guest user in VDOM makes the cluster out of sync.
526008 Differences between routing table and kernel forward information. ADVPN + BGP.
527478 Proute list fill “null ” application name.
529683 Upgrade from 5.6 to 6.0 causes all routes to be advertised in BGP.
530545 SD-WAN Health-Check – Reported packet loss inaccurate.
531660 With VRRP use VRDST checking without default gateway.
531947 SD WAN IPsec interfaces keep failing over when link selection strategy is set to Custom-profile.
532257 OSPFD crash (Segmentation fault) – NSSA – removal of network statement for interface in ‘down’ state.
537110 BGP/BFD packets marked as CS0.
538411 Successfully configured static route CLI commands fail with parse errors after reboot.
539982 Multicast failed after failover from another interface.
540103 OSPF6 will advertise only /128 prefixes to neighbours using point-to-point network type.
544603 Multicast on interfaces with secondary IP addresses.

Security Fabric

Bug ID Description
473086 Quarantine monitor, should support showing devices for the whole fabric.
481381 Industry field shows up abnormally when adding security rating widget.
491508 If downstream device is part of security fabric, it should be exempted from FortiClient enforcement.
504773 Some minor GUI improvement to facilitate security fabric config.
Bug ID Description
505068 Add CSF trust-list support into GUI.
505073 Should let approval request message be more standing out.
505656 Edge: Page reloaded when hovering on a connecting line between objects in topology.
525790 Not able to connect through SSL VPN to addresses resolved by SDN dynamic objects.
537130 Email notifications from automation stitches are being sent with a blank from field.

SSL VPN

Bug ID Description
453740 Remove unused java source file in fortiweb/java.
466438 High CPU usage by sslvpnd [web and mixed mode].
477231 Unable to login to VMware vSphere vCenter 6.5 through SSL VPN web portal.
482497 Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
483712 SSLVPND consumes high memory causing FGT enter conserve mode.
491130 SSLVPND 100% VPN when accessing OWA through bookmark.
491733 SSL VPN process taking 99% of CPU utilization even not using SSL VPN.
492654 SSLVPND process is crashing and users are disconnecting from SSL VPN.
493127 Connection to web server freezes when using SSL VPN web bookmark.
496584 SSL VPN bad password attempt causes excessive bindRequests against LDAP and lockout of accounts.
500901 SSL VPN web portal connect to FMG (5.6.3) unable to view Managed devices and policy packages.
508101 HTTPS bookmark to internal website produces error after the initial successful login.
509333 SSL VPN to Nextcloud doesn’t open.
511107 RADIUS 2FA + password change against FAC fails due to unexpected state AVP + GUI bug.
511111 When accessing an internal listing website via SSL VPN, loading long lists fails or is interrupted.
515370 SSL VPN access denied if address object added after group object in firewall policy
517819 Unable to load web page in SSL VPN web mode.
518406 Unable to load WebPage through SSL VPN webmode. Some js files of xunta internal web sites have problems.
519113 SSL VPN web mode SMB connection doesn’t work when enable then disable SMBCD debug.
519483 Invalid HTTP Request‘ when SMB via SSL VPN bookmark is executed.
519987 HTTP bookmark error SyntaxError: Expected ‘)’ after accessing internal server.

 

Bug ID Description
520307 Unable to view Cisco APIC web interface page after logging using SSL VPN web portal.
520361 SSL VPN portal not loading predefined bookmarks.
520965 IBM QRadar page not displaying in SSL VPN web-mode.
521459 HSTS header missing again under SSL VPN.
522987 Backup and restore the VDOM config with SSL VPN settings causes some critical flags and counter for SSL VPN to not update so SSL VPN stops working.
523450 Unable to access internal website via bookmark in SSL VPN web mode.
523647 Search result gives empty output upon accessing the URL https://ieeexplore.ieee.org via SSL VPN bookmark.
523717 Dropdown list can not get expanded through bookmarks (SSL VPN).
525106 HTML PABX Admin Console not working correctly in SSL VPN Mode.
525375 Atlassian Confluence wiki Javascript problem via SSL VPN web mode.
527342 sslConnGotoNextState:298 error when use SSL VPN bookmark method access huawei appliances.
527348 JavaScript script is not available when connecting using SSL VPN web mode.
527476 Update from web mode fails for SharePoint page using MS NLB.
528289 SSL VPN crashes when it receives HTTP request with header “X-Forwarded-For” because of the wrong use of sslvpn_ap_pstrcat.
528630 For SSL VPN with the realm named sslvpn, the authentication fails.
529186 Problem loading reaching internal web server through SSL VPN Web bookmark when using HTTPS. Some js files of “srvdnsmgt” do not run correctly.
529930 Scrolling in Jira is not working in SSL VPN web mode.
530223 SSL VPN wants client certificate even when no client-cert for realm is configured.
530833 Synology NAS login page stuck after login when accessing by SSL VPN Web portal.
531683 Can’t authenticate on internal web server using web mode SSL VPN.
531827 Active cache memory leak after upgrade to 6.0.3 GA.
532261 SSL VPN web mode RDP connection not working when security set to NLA.
532464 Unable to load webpage in SSL VPN Webmode.
533008 SSL web mode is not modifying links on certain web pages.
534728 Unable to get dropdown menu from internal server via SSL VPN web mode connection.
535739 SSL VPN bookmark fails with JavaScript error.
536058 Redirected port is not entered in the URL through SSL VPN web mode.
536847 Not able to access OnlyOffice through SSL VPN web mode.
Bug ID Description
537120 Adding latest macOS in the SSL OS-check-list.
537133 SSL VPN web mode gets redirected out of SSL VPN proxy.
537275 SSL VPN for users with passwords that expires allows password change after the password is expired.
537341 SSL bookmark is not loading a SAP portal information.
538904 Unable to receive SSL tunnel IP address.
539187 SSL VPN random stale sessions exhausting IP pool.
539948 Unable to load webpage in SSL VPN web mode.
545492 Unable to change tabs for internal website through web SSL VPN HTTPS bookmark.

Switch Controller

Bug ID Description
306406 FortiSwitch Ports page display improvements.
503402 Switch controller event: duplicate description for different log IDs.
512112 Add allowaccess profile to the physical interfaces on the FortiSwitch.
522457 After a physical port of FortiLink LAG has link down/up, fortilinkd packet cannot be sent from FortiGate to FortiSwitch.
527521 On FortiSwitch Ports page, Display More does not work.
529915 FortiGate sends FortiSwitch serial# in SNMP trap fgFcSwName instead of FortiSwitch hostname.
530237 HA cluster out-of-sync after changing port POE mode on switch-controller managed-switch settings : Double commit.

System

Bug ID Description
370151 CPU doesn’t remove dirty flag when returns session back to NP6.
404944 Kernel Panic on creation of aggregate interface belonging to different NP6, when NP6 is configured in low latency mode.
408977 802.1AX L4 algorithm and NP4 do not distribute UDP evenly on egress LAG bundle.
415910 CPU cores utilization shows 0 percent while handling CPS in 5.4.
435910 On FG-50E and FG-51E ifHCOutOctets rolls as if counter32.
462178 Front Panel “SPEED” LED is flushing Green when Transmitting & receiving data.

 

Bug ID Description
466805 Adding USB Host devices to a virtual machine connected by USB to FortiGate 500D causes the units to restart in loop.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
471191 Request to improve CLI help text for config system NP6 session-timeout options.
474737 fwgrp read&read-write access profile doesn’t work properly.
477886 PRP support.
479533 skippingBad tar header message flooding on console after rebooting box and retrieving logs.
481511 Sniffer packet feature does not display any reverse packets on trunk interface.
482916 WAD crash with signal 6.
488400 FGFM sessions timeout when NPU offloaded (also applies to 6.0.0).
489772 vlan-filter is not straightforward.
491425 FortiGate sends MAB packet two minutes after receiving Access-Reject.
492441 Policy packet capture does not show timestamp.
492655 DNSproxy does not seem to update link-monitor module.
493126 One of the aggregate port members is transmitting irregularly LACP packets.
495572 Some of the FortiGate SNMP OIDs not giving any value.
496934 DNS Domain List.
498636 External resource should not update CMDB and cause FortiManager revision.
499435 Allow packet sniffer to use RAM disk.
503318 Accessing FDS via proxy server without DNS resolution.
504057 Service Object Limitation of 4096 needs to be increased.
505252 EMAC VLAN: SNMP data is incorrect.
505468 Incorrect SNMP answer for get-next.
505522 Intermittent failure of DHCP address assignment.
505715 DHCP lease new IP to same EFTPOS S800 device cause DHCP lease exhausted.
505927 ddnscd fortiddns monitor-interface is not being updated properly.
505930 FG3700D freeze when deleting VDOM.
506223 FortiGate is not compliant with rfc3397 (Domain Search Option Format).
507518 Partial configuration loss after root VDOM restore.

 

Bug ID Description
509939 Firewall objects not visible or editable (Return code -361) when logged in via SSH key authentication.
510200 FGT DNS configuration doesn’t allow one word domain names.
510419 HTTP link-monitor – response parser is case-sensitive (Content-Length header).
511018 SSH/SSL VPN connection to external VLAN interface drop by changing unrelated interface IP or restart OSPF.
513339 Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL transceivers not detected by FortiOS.
513419 High CPU on some cores of CPU & packet drops around 2-3%.
516783 DSA and RSA fingerprints are identical.
519246 ipmc_sensord process not checking sensors due to pending jobs.
519492 Not able to access TP FortiGate from different network.
519493 MCLAG: if remote side change systemID, only one port goes down, the other remains up.
521193 DNSPROXY causing high CPU usage.
521902 Addresses are taking a long time to load.
524083 MSS size negotiation is wrong when configured MTU value is less than 297.
524422 Merge br_6-0_sp back to 6.0 and 6.2.
525813 FortiGate managed by FortiManager intermittently going offline after rebooting FortiGate.
526240 Inactive interfaces in LAG causing unbalance packet distribution and link saturation.
526646 LAG interface flaps when the member ports go up.
526771 Allow sit-tunnel to not specify the source address.
526788 Password policy forces password change even if expire-status is disabled.
527390 Kernel panic in the HA cluster with FortiGate-3800D units running FortiOS v6.0.0 build 0200
527599 Internal prioritization of OSPF/BGP/BFD packets in conjunction with HPE feature.
527902 TXT records are truncated in DNS replies, when FortiGate is used as DNS server.
528004 Add global log device statistics to SNMP.
528465 GRE tunnel does not come up.
531584 Kernel Panic when Fragmented Multicast Traffic received on EMAC-VLAN interface.
531636 Certificate chain validation fails when trying to fetch the intermediate CA cert; untrusted cert presented.
532966 In SNMPv3 config, to select the Encryption Algorithm should be “Encryption Algorithm” instead of the label “Authentication Algorithm”.
Bug ID Description
533556 Read-only admin account can delete IPsec SA.
535420 SNMPv3 traps settings are not available in the GUI.
535730 Memory leak after upgrade to 6.0.4.
536520 GTP Tunnel States are not synced on subordinate unit after a reboot.
536817 FortiGate sending DHCP offer using broadcast.
539090 Modifying FortiGate administrator password to complex ones via SSH triggers a FortiManager password change by auto-update.
540634 Status of a port member of a redundant interface changes if an alias is set.
541211 Cannot create soft switch with VX LAN interface under same base interface.
541243 DHCP option doesn’t include all NTP servers.
542258 DHCP exclusion isn’t used for new DHCP range if the range is lower than the existing DHCP range.

Upgrade

Bug ID Description
495994 After upgrade to V5.4.9, observing lot of IPS syntax errors on the console screen.
511529 vdom-property limits error after upgrade from 5.4.6 to 5.6.3.
524948 Wrong management-vdom after upgrade from V6.0 or rebooting FortiGate.
530793 config-error-log shows after upgrade from v5.6.6 to v5.6.7.

User & Device

Bug ID Description
437117 Single Sign-on, multiple FSSO polling servers with the same AD (LDAP) server, cannot select the same user or group.
453095 Mobile FortiTokens not assignable VDOM in vcluster on slave unit.
470803 fnbamd uses high CPU when receive user member groups.
499941 Not able to SSH into FortiGate through FortiManager using TACAS+ user.
516403 FSSO – established session aren’t re-evaluated when a user is removed from an Active Directory group.
523891 FortiGate: Unable to browse structure of Netscape LDAP.
525648 FortiOS does not prompt for token when Access-Challenge is received – RADIUS authentication fails.
525816 LDAP search issue after upgrade to 5.6.6 build 3444 from 5.6.5 build 3342.
525925 Unable to login to FortiGate using Symantec 2-factor authentication.
Bug ID Description
525929 LDAPS requests fail with fnbamd stop error “Not enough bytes”. LDAP works fine. Additional timeout observed.
527340 FortiGate fails to match User group after passing authentication (Local User).
529945 Local certificate content changes should be directly applied for the admin-server-cert sent to the client browser.
535279 FortiGate sends error user password to RADIUS server for CMCC auth user sometimes.
538304 Aggregate interface (four member) flapps when the third member interface goes down.
538407 FortiOS doesn’t allow setting source-ip for mobile token activation.
Bug ID Description
500087 Support WCCP set up with one arm WCCP web cache diagram.

VM

Bug ID Description
484540 FOS VM serial number changes during firmware upgrade.
512019 FortiGate VM closed network + UTM license showing Package update failed due to invalid contract.
512713 Connectivity loss between FGT-SVM and FGT-VMX cause license to became invalid after one hour.
526471 VMX: Adding a security group with ~30+ devices into the redirection policy the connection starts to experience huge delay.
528405 FortiMeter Consumption is not accurate.
540062 Kernel panic after upgrade from 5.6.7 to 5.6.8.
541531 Service Manager is not automatically updated with the NSX dynamic security groups.

VoIP

Bug ID Description
508277 Non-SIP packet send to SIP ALG got dropped with no log.
509625 Issues with RTP when ISP connections flaps when two equal default routes are present.

WCCP Web Application Firewall

Bug ID Description
463468 Clients are unable to connect to the mail server when WAF is enabled on the VIP policy.

Web Filter

Bug ID Description
486087 Unable to open one URL on the redirection after the upgrade.
499604 Web Filter profile with SSL does not check SNI against server certificate.
499864 Web Filter profile’s proxy options to allow corporate Gmail accounts gets overlooked if “general interest” category is blocked.
506707 Web filter CLI only options are unset when clicking Apply via GUI.
507253 ovrd-auth-port-https uses VIP’s mapped IP as CN when no TLS SNI is present.
509860 Regex case insensitivity flag is ignored in 5.6.5 and 6.0.2 when FortiGate is in proxy mode.
526555 WAD Segmentation Signal 11 in 6.0.3.
531101 Web Filter inspection proxy mode unable to resolve hostname because website is unrated.
531471 The URL filter is not blocking a page when there are many entries in it.
532823 Wrong FortiGuard page displayed with Override enabled on Web Filter profile.
536099 “Filtering Services Availability” keeps showing as green even when port 8888 is blocked by an upstream device.
541539 URL filter wildcard expression not matched correctly in proxy mode.

WiFi Controller

Bug ID Description
503106 Remote site client connected to the FAP14C Ethernet port is randomly not able to reach the LAN client connected to the FortiGate.
505661 FortiWiFi sends DHCP Offer as a unicast address via WiFi interface even though the BROADCAST bit is set to “1” in DHCP Discover.
507622 FortiGate does not send WTP-ID in RADIUS accounting packet when client is connected with captive-portal SSID.
512606 FortiWiFi not working with FortiPresence Pro.
519321 FWF-50E kernel panic due to a WiFi driver issue.
520521 Application hostapd crashed – causing a wireless outage.
521832 CAPWAP traffic is not offloaded successfully when using dynamic-vlan SSID and IPS profile or AV profile is enabled in the policy.
Bug ID Description
522762 Frequent hostapd crash.
525959 Part of FAP221C and FAPC24JE went offline and failed to be managed by the controller again.
527587 Different accounting behavior between FAP221C and FAPC24JE for CMCC portal auth.
530328 CAPWAP traffic dropped when offloaded if packets are fragmented.
543562 11r clients stuck on the default/fail VLAN when using WPA2 enterprise and dynamic-vlan while roaming between APs.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
395544 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2017-17544

452730 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2017-14186

495090 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13366

496642 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13371

502940 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13374

510148 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-15473

528040 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13384

529353 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13380

529377 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13379

529712 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13381

529719 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13383

529745 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13382

 

Bug ID CVE references
534592 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2019-5587

539553 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2019-5586

 

Known Issues

The following issues have been identified in version 6.2.0. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.

Data Leak Prevention

Bug ID Description
548396 DLP archiving intermittently blocks a file when it should be log only.
547437 WAD crash due to scheduler error occurs when oversized file is bypassing the DLP sensor.

Explicit Proxy

Bug ID Description
548415 User cannot pass authentication after timeout if using IP-based authentication.
Firewall
Bug ID Description
541348 Shaper in shaping policy is not applied when URL category is configured.

FortiView

Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
482045 FortiView – no data shown on Traffic from WAN.
526956 FortiView widgets get deleted upon upgrading to B222.
544017 FortiView > VPN 1 hour historical shows entries from 8 hours ago when logged in from FortiCloud.

GUI

Bug ID Description
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
504770 Introduce an enable/disable button in the GUI to toggle central SNAT table.
532309 Custom device page keep loading and cannot create device group.
546254 Forward traffic log cannot be shown on Windows Edge browser.
546953 DNS Filter column and Profile Group column is missing on policy list.
547393 GUI still shows fortianalyzer-cloud connection status error even after FortiGate connects to fortianalyzer-cloud.
547458 Cannot access VOIP profile list and only the default profile editor is shown.
547808 Security rating event logs cannot be shown in split-vdom FortiGate GUI.
548091 Cannot configure network interface IP addresses from GUI for FG-5001D and FG-5001E.

HA

Bug ID Description
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).

Intrusion Prevention

Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
548649 IPS custom signature is not detected after FortiGate is rebooted or upgraded.

IPsec VPN

Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.
545871 IPsec tunnel can’t establish if OCVPN members with different Fortinet_CA and Fortinet_factory cert.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create web filter logs.

Proxy

Bug ID Description
546360 When applying proxy address in transparent proxy policy, FortiGate blocks traffic and reports SSL_ ERROR_SYSCALL.
548233 SMTP, POP3, IMAP starttls cannot be exempted by FortiGate when first time traffic goes through FortiGate.
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
462552 Add an extra dialog in the interface page to clean up config when changing a FortiLink interface back to a regular port.
548145 Configuring FortiLink from GUI does not work on platforms that do not support hardware switch.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
547659 Access denied error when reviewing security recommendations from physical topology in VDOM mode.
547509 Fail to configure Security Fabric if only enable FortiAnalyzer cloud logging not FortiAnalyzer logging in GUI.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
476838 Check domain log-on as SSL VPN host checks condition.
495522 RDP session freezes when using SSL VPN tunnel mode.

Switch Controller

Bug ID Description
548453 Ondemand platforms show error with FortiCare/FortinetOne login.
548531 FGT-AWS HA failover and SDN using IAM role do not work due to AWS IAM role token length being

+increased.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
385860 FG-3815D does not support 1GE SFP transceivers.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.
495532 EHP drop improvement for units with no NP_SERVICE_MODUL.
548076 FortiGateCloud cannot restore configuration on FortiGate.

Upgrade

Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name.
539112 Devices configured under security-exempt-list become void after upgrade.
548256 Upgrading to v6.2 from v6.0.x causes CIFS/SMB configurations in AV profile to be lost.

VM

Web Filter

Bug ID Description
538593 B0821: FGD service on https/8888 does not work well under specific wanopt topology.
544342 When encryption is set to yes, file-type incorrectly shows all file types when only zip files are supported.
544342 Web filter file: filter match only encrypted files will still block un-encrypted MS Office files.
545334 Web filter file filtering does not support FTP traffic inspection but user can still configure FTP protocol in GUI and CLI.
547772 Web filter FGD category is not detected by sniffer policy for HTTPS traffic.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 6.0.4 Release Notes

Supported models

FortiOS 6.0.4 supports the following models.

FortiGate FG-30D, FG-30D-POE, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E,

FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE,

FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E,

FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D, FG-200D-POE, FG-200E,

FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E,

FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG-900D, FG-1000D,

FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D,

FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM,

FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS,

FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN,

FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 6.0.4 images are delivered upon request and are not available on the customer support firmware download page.

Introduction

Special branch supported models

The following models are released on a special branch of FortiOS 6.0.4. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 0231.

FG-60E-DSL   is released on build 5168.
FG-60E-DSLJ   is released on build 5168.
FWF-60E-DSL   is released on build 5168.
FWF-60E-DSLJ   is released on build 5168.

 

Special Notices

  • WAN optimization and web caching functions l FortiGuard Security Rating Service
  • Built-in certificate
  • FortiGate and FortiWiFi-92D hardware limitation
  • FG-900D and FG-1000D
  • FortiClient (Mac OS X) SSL VPN requirements
  • FortiClient profile changes l Use of dedicated management interfaces (mgmt1 and mgmt2)

WAN optimization and web caching functions

WAN optimization and web caching functions are removed from 60D and 90D series platforms, starting from 6.0.0 due to their limited disk size. Platforms affected are: l FGT-60D l FGT-60D-POE l FWF-60D l FWF-60D-POE l FGT-90D l FGT-90D-POE l FWF-90D l FWF-90D-POE l FGT-94D-POE

Upon upgrading from 5.6 patches to 6.0.0, diagnose debug config-error-log read will show command parse error about wanopt and webcache settings.

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model:

  • FGR-30D-A l FGR-30D l FGR-35D l FGR-60D l FGR-90D l FGT-200D

 

  • FGT-200D-POE l FGT-240D l FGT-240D-POE l FGT-280D-POE l FGT-30D l FGT-30D-POE l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E l FGT-60D l FGT-60D-POE l FGT-70D l FGT-70D-POE l FGT-90D l FGT-90D-POE l FGT-94D-POE l FGT-98D-POE l FWF-30D l FWF-30D-POE l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E-2R l FWF-50E l FWF-51E l FWF-60D l FWF-60D-POE l FWF-90D l FWF-90D-POE l FWF-92D

Built-in certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

9

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiClient profile changes

With introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn.

FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Using FortiAnalyzer units running older versions

When using FortiOS 6.0.4 with FortiAnalyzer units running 5.6.5 or lower, or 6.0.0-6.0.2, FortiAnalyzer might report increased bandwidth and session counts if there are sessions that last longer than two minutes.

For accurate bandwidth and session counts, upgrade the FortiAnalyzer unit to 5.6.6 or higher, or 6.0.2 or higher.

 

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version

  1. Click Go.

Fortinet Security Fabric upgrade

FortiOS 6.0.4 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.0.0 l FortiClient 6.0.0 l FortiClient EMS 6.0.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.4 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.0.4. When Security Fabric is enabled, you cannot have some FortiGate devices running 6.0.4 and some running 5.6.x.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.0.4 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.0.4 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

l Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox) l FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting) l LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.0.4 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.0.4 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4

13

  • R3
  • I2 l M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any] end

 

Product Integration and Support

The following table lists FortiOS 6.0.4 product integration and support information:

Web Browsers l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 41 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in . For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in . For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient:

l Microsoft Windows l Mac OS X l Linux

l 6.0.0

See important compatibility information in Fortinet Security Fabric upgrade on page 11.

If you’re upgrading both FortiOS and FortiClient from 5.6 to 6.0, upgrade FortiClient first to avoid compatibility issues.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS l 5.6.0 and later
FortiClient Android and FortiClient VPN Android l 5.4.2 and later
FortiAP l 5.4.2 and later l 5.6.0 and later
FortiAP-S l 5.4.3 and later l 5.6.0 and later

 

FortiSwitch OS

(FortiLink support)

l 3.6.4 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l 5.0 build 0272 and later (needed for FSSO agent support OU in group filters) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8
FortiExtender l 3.2.1
AV Engine l 6.00019
IPS Engine l 4.00029
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04 (32-bit & 64-bit)

2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 61

Google Chrome version 68

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 61

Google Chrome version 68

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X El Capitan 10.11.1 Apple Safari version 11

Mozilla Firefox version 61

Google Chrome version 68

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus   Firewall
Symantec Endpoint Protection 11  
Kaspersky Antivirus 2009    
McAfee Security Center 8.1  
Trend Micro Internet Security Pro  
F-Secure Internet Security 2009  

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 6.0.4. For inquires about a particular bug, please contact Customer Service & Support. Antivirus

Bug ID Description
516072 In flow mode, scanunit API does not allow IPS to submit scan job for URL with no filename.
519759 Process scanunit crashes.
522343 scanunitd having constant different kind of crash.

Endpoint Control

Bug ID Description
495132 Automation stitch IOC for Access Layer Quarantine works incompletely.

Explicit Proxy

Bug ID Description
521344 Explicit FTP proxy doesn’t work with secondary IP address.
521899 When proxy srvc is set to protocol CONNECT and client tries to connect to HTTPS page, client gets message: Access Denied.
523974 Cannot access some web sites with deep inspection enabled.

Firewall

Bug ID Description
390422 When a firewall address group is used in firewall policy, a wildcard FQDN address should not be allowed to be added into the firewall address group as a member.
503904 Creating a new address group gives error: Associated Interface conflict detected!.
504057 Service Object Limitation of 4096 needs to be increased.
511261 RSH connection disconnects when we have multiple commands executed via script and we can see the message no session matched.
514187 VIP ping healthchecks fail with high number of realservers.

FortiView

Bug ID Description
256264 Realtime session list cannot show IPv6 session and related issues.
453610 Fortiview >Policies(or Sources) >Now shows nothing when filtered by physical interface at PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
461811 In Cloud Applications widget bubble view, the tooltip cannot display Application.
488886 FortiView > Sources is unable to sort information accurately when filtering by policy ID number.
495070 In FortiView > Cloud Applications > Applications, GUI keeps loading and without any response.
527700 FortiView pages cannot be loaded by latest Chrome version 71.0.3578.80.

GUI

Bug ID Description
437117 In Single Sign-on, multiple FSSO polling servers with the same AD (LDAP) server cannot select the same user or group.
456289 GUI to support two-level device classification schema.
491919 GUI – Routing Monitor page does not load with large number of routes inserted in the routing table.
497427 V3.3.0_533151 remote access stuck loading main dashboard page and login with Fortimanager_ Access user.
512806 Slowness in loading the Addresses page.
515022 FortiGate and FSA has right connectivity, but Test Connectivity on GUI interface is showing

Unreachable or not Authorized.

515983 Firefox cannot list user TACACS+ Servers. Chrome is OK.
516027 In GUI IPsec monitor page, the column username should be peerID.
516295 Error connecting to FortiCloud message while trying to access FortiCloud Reports in GUI.
518024 Guest admin logging in gets GUI Error 500: Internal Server Error.
518131 Cannot add static route with the same gateway IP and interface from WebGUI.
518970 Suggestion to improve SD-WAN SLA creation page’s invalid-entry handling.
522576 GUI always loading VPN interface when there is over 5k VPN tunnel interfaces.
526573 GUI Virtual IP misses SSL-VPN interface.

HA

Bug ID Description
445214 Slave in AP cluster memory/CPU spike as a result of DHCP/HA sync issue.
509557 Duplicate MAC on mgmt2 ports.
510660 Upgrade to build 3574 fails for HA cluster.
511522 HA uninterruptible upgrade from 9790 to 3558 fails.
515401 SLBC-Dual mode: Slave chassis blade sending traffic logs.
516779 Confsync cannot work with three members when encryption is enabled.
517537 Slave out-of-sync. Unable to log into slave unit.
518621 ha-mgmt-interface IPv6 GW is not registered when ha-mgmt-interface IPv4 GW is not set.
518651 TCP Session lost when only one unit in HA cluster kicked un-interruptive upgrade.
519653 Increase FGSP session sync from 200 VDOMs to 500 VDOMs.
525182 WLAN guest user in VDOM makes the cluster out of sync.

Intrusion Prevention

Bug ID Description
469608 ICMP packets dropped during FortiGate update.
476219 Delay for BFD in IPinIP traffic hitting policy with IPS while IPsec calculates new key.
501986 DOS policy configured with action proxy for tcp_syn_flood doesn’t work properly.
516128 Victim is quarantined after IPS attack.

IPsec VPN

Bug ID Description
515375 VPN goes down randomly, also affects remote sites dialup.
520151 When two certificates are configured on p1, both aren’t offered or the wrong one is offered.

Log & Report

Bug ID Description
503897 FortiGate-501E units generating logs only for five minutes after rebooting the unit, Then do not generate logs anymore.
516033 The traffic log for WANOPT data traffic in the server-side FortiGate should show policy type as proxy-policy, not policy.
Bug ID Description
518402 miglogd crash and no logs are generated.
522447 FortiGate logging is not stable and stops working.
522512 When a service group contains more than 128 services, the existing logic cannot catch it and causes buffer overflow.
519969 EXE log filter category utm-anomaly/utm-voip does not work.
Bug ID Description
441506 BGP Aggregate address results in blackhole for incoming traffic.
449010 WAN LLB session log srcip and dstip are mixed up intermittently.

Proxy

Bug ID Description
477289 Proxy is unexpectedly sending FIN packet (FTP over HTTP traffic).
509994 Web site denied due to certificate error (revoked) only in Proxy_policy and deep inspection profile.
512434 Need to do changes in default replacement message of Invalid certificate Message.
513270 Certificate error with SSL deep inspection.
514426 Explicit proxy cannot catch Microsoft Outlook after FFDB update.
516414 Traffic over 1GB through SCP gets terminated when SSH inspection is enabled in ssl-sshprofile.
516934 In transparent proxy policy with cookie authentication mode, NTLM authentication doesn’t work and LDAP authentication using wrong username/password will cause WAD to crash.
519021 Cannot access internal CRM application server with antivirus enabled.
521051 HTTP WebSocket 101 switching protocol requests mismatch in 6.0.3.
521648 WAD crashes and fnbamd process takes 100% of CPU. Kerberos and NTLM authentication do not work
526322 WAD crashes when processing transparent proxy traffic after upgrade to 6.0.3.
526555 WAD segmentation signal 11 in 6.0.3.

REST API

Bug ID Description
467747 REST API user cannot create API user via autoscript upload and cannot set API password via CLI.

Routing

Bug ID Description
476805 FortiGate delays to send keepalive which causes neighbor’s hold down timer to expire and reset the BGP neighborship
485408 Merge vwl_valeo project – no option for proute based on only dynamic routes.
500432 IGMP multicast joins taking very long time and uses high NSM CPU utilization.
515683 FortiGate generates fragmented OSPFv3 DBD packets.
518677 Log message MOB-L2-UNTRUST:311 not found in the list! seen on VDOM with IPv6 router advertisement enabled.
518929 SNMP, OSPF MIB ospfIfState value when designated router is not correct.
518943 RIPv2 with MD5 authentication key ID incompatible with other vendors.
520907,

520945

Zebos doesn’t start up correctly on models using Linux 2.4 kernel.
522258 Some missing fields in proute list.

Security Fabric

Bug ID Description
515970 Fabric settings/widget and FortiMail icons are yellow even when they are connected.

SSL-VPN

Bug ID Description
508101 HTTPS bookmark to internal website produces error after the initial successful login.
511002 SSL-VPN web mode login fails when entering valid OTP manually.
511107 For RADIUS with 2FA and password renewal enabled, password change fails due to unexpected state AVP + GUI bug.
511415 SSL-VPN web mode RDP connection disconnects when pasting text from local to remote RDP server.
515889 SSL-VPN web mode has trouble loading internal web application.
519068 WAD informer process crashes in tunnel mode SSL-VPN user login.
519372 SSL-VPN web mode RDP doesn’t work.
519987 HTTP bookmark error SyntaxError: Expected ‘)’ after accessing internal server.
520361 SSL-VPN portal not loading predefined bookmarks.
521459 HSTS header missing again under SSL-VPN.

Switch Controller

Bug ID Description
522457 After a physical port of FortiLink LAG has link down/up, fortilinkd packet cannot be sent from FortiGate to FortiSwitch.

System

Bug ID Description
502651 Inconsistent behavior with 1G copper transceivers on 3960E.
503318 Accessing FDS via proxy server without DNS resolution.
505468 Incorrect SNMP answer for get-next.
505522 Intermittent failure of DHCP address assignment.
505873 ftm2 daemon cannot detect change of ssl-static-key-ciphers and need to restart daemon.
507518 Partial configuration loss after root VDOM restore.
508285 After restoring a config for VDOM, the VDOM cannot be deleted unless OS is rebooted.
510737 Users are not able to pull DHCP addresses from FGT.
511851 Unable to set EMAC VLANs on different VDOMs to the same VLAN ID.
512930 WAD crash with signal 11.
513156 Packet loss on startup when interfaces are in bypass mode (2500E).
513339 Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL transceivers not detected by FortiOS.
513663 FG-3200D running FOS 5.6.5 – WAD crashing frequently.
516105 Daylight Saving Time no longer used in Azerbaijan.
516783 DSA and RSA fingerprints are identical.
524422 Support FortiGateRugged-30D model containing the new CPU.

Upgrade

Bug ID Description
510447 FWF-30D keeps rebooting after upgrade to 6.0.2.

User & Device

Bug ID Description
463849 FAC remote LDAP user authentication via RADIUS fails on invalid token if password change and 2FA are both required.
491118 Kerberos users unable to access internet.
510581 Backup password for LDAP admin does not work when interface is down.
511776 Once user has assigned token other tokens not listed in pull down menu.
515226 FortiGate keeps sending accounting packet to RADIUS server for user that is no longer authenticated.
519826 fnbamd crashes and LDAP authentication stops working after upgrade.

VM

Bug ID Description
488964 Service Manger warns that internal and external interfaces are down.
498653 FortiOSVM stops passing traffic after failover.
509672 “netx request error:60…” was reported when running some “exec nsx service” and “exec nsx group” commands on SVM.
512713 Connectivity loss between FGT-SVM and FGT-VMX causes license to became invalid after one hour.
515624 FortiGate VM cannot use the maximum memory allowance as per the license.
524852 Possible cross-origin error when attempting to read state from window.opener for GCP marketplace.

VoIP

Bug ID Description
516927 No audio when call is generated from the outside in a FGT30E SIP-ALG when local devices apps register against remote SIP server.

Web Filter

Bug ID Description
486171 The “Web Rating Overrides” doesn’t work with flow-mode.
518933 Certificate inspection (CN base) web category filter doesn’t work.
523804 Enabling safe search on DNS causes any site with google in the domain to redirect to forcesafesearch.google.com.

WiFi Controller

Bug ID Description
478594 wpad_ac uses high CPU.
503106 Remote site client connected to the FAP14C ethernet port is randomly not able to reach the LAN client connected to the FortiGate.
512606 FortiWiFi not working with FortiPresence Pro.
519321 FWF-50E kernel panic due to a WiFi driver issue.
520521 hostapd crashes and causes a wireless outage.
522762 Frequent hostapd crash.

 

Known Issues

The following issues have been identified in version 6.0.4. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
488369 DSCP/ToS is not implemented in shaping-policy yet.

FortiView

Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
403229 In FortiView, display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
482045 FortiView – no data shown on Traffic from WAN.
521497 The FortiView All Sessions real time view is missing right-click menu to end session/ban ip.
525702 FortiView does not support auto update in real-time view and shows unscanned application.
526956 FortiView widgets get deleted on upgrading to B222.
527540 In many FortiView pages, the Quarantine Host option is not clickable on a registered device.
527708 Policy ID hyper link in policy view is missing.
527775 FortiView logs entries do not refresh on log drill down page.
527952 FortiView > WiFi Clients > drill down > Sessions gets nothing at final drill down if device identification is disabled.
528483 FortiView > Destination page filter destination owner cannot filter out correct destination in real time view.
528684 FortiView > Bubble Chart cannot drill down on Firefox 63 with ReferenceError: “event is not defined”.
528744 FortiView > Traffic Shaping displays data with error message if switched from other pages in custom period.
528767 In FortiView > multiple charts, Previous Time Periods in custom period is missing.
Bug ID Description
529000 Threat view does not show entries if signature attack direction is incoming and the source is FortiAnalyzer.
529001 In FortiView > Cloud Applications, there are entries without cloud action details.
529313 FortiView > Web Sites > Web Categories drill down displays all entries in Policies tab.
529355 All tabs in FortiView > System Events show no entry when the source is FortiCloud.
529558 System Events widget shows No matching entries found when drilling down HA event.

GUI

Bug ID Description
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
508015 Edit Policy from GUI changes fsso setting to disabled.
513451 Archived data filed in logs shows incorrect data.
516415 Edit Disclaimer Message button is missing on Proxy Policy page.
Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.

HA

Bug ID Description
451470 Unexpected performance reduction in case of Inter-Chassis HA fail-back with enabling HA override.
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).
529274 Factory reset box faild to sync with master in multi-VDOM upgraded from 6.0.3.

Intrusion Prevention

Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.

IPsec VPN

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create web filter logs.
528786 In Log viewer, forward traffic filter Result Accept(all)/Deny(all) does not work.

SSL-VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

Switch Controller

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
385860 FG-3815D does not support 1GE SFP transceivers.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.
513339 Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL transceivers not detected by FortiOS.

Upgrade

Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name.

Web Filter

Bug ID Description
480003 FortiGuard category does not work in NGFW mode policy.
WiFi Controller  
Bug ID Description
516067 CAPWAP traffic from non-VLAN SSID is blocked when dtls-policy=ipsec-vpn and NP6 offload are enabled.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.6.6 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.6 build 1630:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.6 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E,

FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-DSL, FG-60E-POE, FG-61E,

FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E,

FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-91E, FG-92D, FG-94D-POE, FG98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E,

FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE,

FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E,

FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,

FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D,

FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-3960E,

FG-3980E, FG-5001C, FG-5001D, FG-5001E, FG-5001E1

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE,

FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-60E-DSL,

FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE,

FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND,

FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-SVM, FG-VMX, FG-VM64-XEN

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 5.6.6 images are delivered upon request and are not available on the customer support firmware download page.

Introduction

VXLAN supported models

The following models support VXLAN.

FortiGate FG-30E, FG-30E-MI, FG-30E-MN, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-DLS,

FG-60E-MC, FG-60E-MI, FG-60E-POE, FG-60EV, FG-61E, FG-80D, FG-80E, FG-80E-POE,

FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-92D, FG-100D, FG-100E, FG-100EF, FG101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D,

FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001D, FG-5001E, FG-5001E1

FortiWiFi FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-60E-DSL, FWF-60E-MC, FWF-60E-MI, FWF-60EV, FWF-61E
FortiGate Rugged FGR-30D, FGR-30D-A, FGR-35D
FortiGate VM FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE,

FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND,

FG-VM64-HV, FG-VM64-KVM, FG-VM64-NPU, FG-VM64-OPC, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN

 

Special Notices

Built-in certificate

New FortiGate and FortiWiFi D-series and above are shipped with a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

Special Notices

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.6, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient profile changes

With introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

FortiExtender support

Due to OpenSSL updates, FortiOS 5.6.6 cannot manage FortiExtender 3.2.0 or earlier. If you run FortiOS 5.6.6 with FortiExtender, you must use a newer version of FortiExtender such as 3.2.1 or later.

Using ssh-dss algorithm to log in to FortiGate

In version 5.4.5 and later, using ssh-dss algorithm to log in to FortiGate via SSH is no longer supported.

FortiOS 6.0.2 Release Notes

Introduction

This document provides the following information for FortiOS 6.0.2 build 0163:

Supported models

FortiOS 6.0.2 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E,

FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE,

FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E,

FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D, FG-200D-POE, FG-200E,

FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E,

FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG-900D, FG-1000D,

FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D,

FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE,

FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN,

FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 6.0.2 images are delivered upon request and are not available on the customer support firmware download page.

Special Notices

WAN optimization and web caching functions

WAN optimization and web caching functions are removed from 60D and 90D series platforms, starting from 6.0.0 due to their limited disk size. Platforms affected are: l FGT-60D l FGT-60D-POE l FWF-60D l FWF-60D-POE l FGT-90D l FGT-90D-POE l FWF-90D l FWF-90D-POE l FGT-94D-POE

Upon upgrading from 5.6 patches to 6.0.0, diagnose debug config-error-log read will show command parse error about wanopt and webcache settings.

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate mode:

  • FGR-30D-A l FGR-30D l FGR-35D l FGR-60D l FGR-90D l FGT-200D l FGT-200D-POE l FGT-240D l FGT-240D-POE l FGT-280D-POE l FGT-30D l FGT-30D-POE l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E Special Notices 7
  • FGT-51E l FGT-52E l FGT-60D l FGT-60D-POE l FGT-70D l FGT-70D-POE l FGT-90D l FGT-90D-POE l FGT-94D-POE l FGT-98D-POE l FWF-30D l FWF-30D-POE l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E-2R l FWF-50E l FWF-51E l FWF-60D l FWF-60D-POE l FWF-90D l FWF-90D-POE l FWF-92D

Built-in certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

 

Special Notices

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiClient profile changes

With introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn.

FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 6.0.2

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version 5. Click Go.

If you are upgrading from version 5.6.2 or 5.6.3, this caution does not apply.

Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings). If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Physical interface inclusion in zones

Upgrading from 5.6.3 or later removes all of the members of a zone if the zone contains a physical interface and at least one of that physical interface’s VLAN interfaces is removed. For example:

Before Upgrade:

config system zone edit “Trust”

set interface “port1” “Vlan01” “Vlan02” “Vlan03”

next

After Upgrade:

config system zone edit “Trust”

next

Remove “port1” from the list and the upgrade will retain the VLANs.

Conditions when physical zone members are removed: l If a physical interface has a VLAN associated (regardless of whether they are in the same zone or any zone) Conditions when VLAN zone members are removed: l If the parent physical interface is also set on a zone

You can use the following options to prepare for the upgrade:

  • Use only physical interfaces that have no VLAN associations Or:
  • Create new VLANs in place of current physical interface zone members, and remove all physical zone members from zones using only the associated, new VLAN entries.

Fortinet Security Fabric upgrade

FortiOS 6.0.2 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.0.0 l FortiClient 6.0.0 l FortiClient EMS 6.0.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.4 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.0.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.0.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

  • Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox) l FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting)

 

  • LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.0.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.0.2 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3
  • I2 l M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any] end

 

Product Integration and Support

FortiOS 6.0.2 support

The following table lists 6.0.2 product integration and support information:

Web Browsers l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l    Microsoft Edge 41

l    Microsoft Internet Explorer version 11 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Fortinet Security Fabric upgrade on page 10. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on page 10. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient:

l Microsoft Windows l Mac OS X l Linux

l 6.0.0

See important compatibility information in Fortinet Security Fabric upgrade on page 10.

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS l 5.6.0 and later
FortiClient Android and FortiClient VPN Android l 5.4.2 and later

 

FortiAP l 5.4.2 and later l 5.6.0 and later
FortiAP-S l 5.4.3 and later l 5.6.0 and later
FortiSwitch OS

(FortiLink support)

l 3.6.4 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l 5.0 build 0268 and later (needed for FSSO agent support OU in group filters) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8
FortiExtender l 3.2.1
AV Engine l 6.00012
IPS Engine l 4.00021
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2336. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X El Capitan 10.11.1 Apple Safari version 9

Mozilla Firefox version 54

Google Chrome version 59

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus   Firewall
Symantec Endpoint Protection 11  
Kaspersky Antivirus 2009    
McAfee Security Center 8.1  
Trend Micro Internet Security Pro  
F-Secure Internet Security 2009  

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 6.0.2. For inquires about a particular bug, please contact Customer Service & Support.

AntiVirus

Bug ID Description
487946 MSS value increases when AV or WEB filter in use resulting in Packet too big message.
489308 scanunit process frequently crashes.
497371 Flow-AV blocks Windows updates (.cab files).

Application Control

Bug ID Description
423140 All IPS sessions lost when new custom signature added.

Authentication & User

Bug ID Description
477392 Cannot use FAC username password and FortiToken two-factor authenticate login HA slave unit.
481469 Failed to resolve hostname for configured CRL URL on a non-managment VDOM.
488566 Renaming guest user group name doesn’t reflect under Guest administrator account assigned leads to black page.
491175 diag test application fnbamd 1 causes fnbamd to enter an idle state and causes authentication failure.
491235 New diag command diag test app wad 13.
491241 Enhance diag command diag test app fnbamd 1.
493470 Authenticated user receives Oops “Authentication requested” referencing a proxy policy which does not have authentication.
493930 Admins who use dedicated HA mgmt interfaces are not visible in the CLI.
495210 Guest user accounts do not show expiration time, but time until expiration only.
496524 After successful wired portal auth, the wired PC still gets many http redirection and fails to access the internet.

Connectivity

Bug ID Description
463982 FortiManager IP is unset in FortiGate CM.
479607 Scheduled auto-update happens twice in 10 seconds but a log entry for the first try is not logged.
481058 Configuration revision control list can’t be retrieved from FortiCloud.

DLP

Bug ID Description
478524 Diskless model missing full-archive-proto in config DLP sensor when only FortiCloud logging enabled.
486958 Scanunit signal 14 alarm clock caused by DLP scanning bz2 file.
492624 DLP blocking web sites in FortiOS v6.0 GA.
496255 Some XML-based MS Office files are recognized as ZIP files.

Firewall

Bug ID Description
474612 SNAT is using low ports below 1023.
475539 Inaccurate netflow export. Traffic measurements do not match with SNMP readings.
478681 Should be able to disable SNAT when a VIP exists and central-NAT is enabled.
492961 Set utm-status disable did not hide profile-group. Unset profile-group will make profile-protocol-options empty.
498188 Dirty_session_check in FortiGate drops all established VIP64 sessions.
502579 Local-In-Policies with FQDN address is not working after upgrade from 5.6 to 6.0.1.

FortiView

Bug ID Description
414172 HTTPsd / DNSproxy/ high CPU/memory with high rate UDP 1Byte spoofing traffic.
GUI  
Bug ID Description
402457 Suggest to improve IPsec VPN monitor page Proxy ID Source and Proxy ID Destination fields.

 

Bug ID Description
413881 VDOM link tooltip displays Failed to retrieve info.
444104 Accept/Decline buttons cannot be seen in GUI with a long login disclaimer and screen under certain resolutions.
449598 Remote LDAP User Definition wizard does not pull users.
457627 Want the ability to change the date/time format displayed in the GUI of the FortiGate.
457721 FortiLink Switch-controller GUI – allow user to edit Port Description for FortiLink/ISL.
457966 Virtual wire pair > Add VLAN range filter on GUI.
460617 GUI FortiGuard Check Again button doesn’t work as expected due to FortiGuard service 8888/53 incorrectly routed.
462011 GUI is blank when accessed with RADIUS user with read-access profile and the FortiGate is managed by FortiManager.
462072 GUI should show full FQDN name in reputation search result.
468465 Some filters do not return logs when source is FortiCloud.
468797 Cannot filter by date or timestamp when viewing logs from FortiCloud.
469082 prof_admin profile admins are not able to display GUI IPv4 source address.
470241 Raw logs are downloaded from the default location even if you select another log device in GUI.
472023 Outbreak prevention detection makes “clean” counter increment in Advanced Threat Protection Stats widget.
472558 DHCP Server GUI – GUI populates wrong information when switching from DHCP Relay to DHCP

Server.

473808 Column filter is not persistent and is removed after refreshing the page.
474807 Cannot restore default page in replacement message group.
475036 Virtual Server Duplicate Entry found error in GUI.
477393 Negative values in Load Balance monitor logs.
477870 Alias for modem interface present in GUI but not in CLI.
479468 The link status is lost after SD-WAN GUI changes to List Edit.
479937 GUI should hide options that don’t apply to certificate inspection.
481902 When accessing FortiView > Websites page, gets error Failed to get FortiView data and httpsd keeps crashing.
482628 CPU.Speculative.Execution.Timing.Information.Disclosure signature can’t be filtered if Application is selected.
Bug ID Description
489674 When scroll to the end of an muTable, GUI should shows 100% of entry.
489675 The Firefox web browser sometimes cannot delete performance SLA rules.
489715 Destination address should not be mandatory in GUI in SD-WAN Rules.
492898 Cannot delete FSSO AD group entries in GUI anymore.
493351 Object tooltip of last page should not always display on current page.
493773 SD-WAN rule in GUI unable to select (whether as source or destination) the address group grp_ citrixfarm.
494724 When creating trunk interface on managed FSW, FSW ports in right-side list show down, even when some are up.
496613 Editing web filter profile in GUI deletes web-proxy profile and URL filter entries.
497667 FortiSwitch Ports page loads very slowly.
502785 Remove # of interfaces from device list.

HA

Bug ID Description
408886 Uninterrupted upgrade from B718 to tag 9702 failed with 1.5M BGP routes and 6M sessions load.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is synced.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
474622 IPsec itn=0 after a unit joins an FGSP cluster.
482548 Conserve mode caused by hasync consuming most of memory.
485340 Cluster Uptime: -141 days -20:-31:-50.
486552 vcluster HA failover fails with large site-to-site IPsec VPN configuration on 3800D.
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA failover in 80/81E.
491311 Management port has sync’ed when creating a new NAT VDOM.
493759 When vcluster2 is removed from HA config, all active sessions are killed once session-ttl is reached.
494029 After failover, sometimes cannot connect to management-ip of backup device.
501147 Moving VDOM to virtual cluster from GUI causes cluster to go out of sync.

IPS

Bug ID Description
478185 Improve the ability of detection fragmented intrusion attacks.
489557 Strange traceroute issues when IPS is enabled.

IPsec VPN

Bug ID Description
486756 Traffic is not fragmented for IPsec VPN when Proxy-based UTM is enabled.
489990 Make PKI validation of IDi & Certificate Identity optional.
490066 FortiClient with IPsec with Proxy / Webfilter – Fragmentation is needed.
491305 Packet from FortiClient cannot go through VXLAN over IPsec depending on packet size.
492046 FortiGate does not respond to INFORMATIONAL exchange message as requested by RFC.
493918 Memory leak with IKED.

Log & Report

Bug ID Description
459306 Suggest to lower Threat Level for oversized file.
493140 Need to see application signature names instead of LDS under Logs & Report > System event logs.
494040 Creating or modifying security profiles generate multiple logs with misleading action.
497357 FortiGate logs show the action as block when we use DNS filter and if a DNS query timeout happens.
498519 Web filter authentication failed to set status field in the event log message.

Proxy

Bug ID Description
479678 IPpool does not work properly in explicit Proxy-policy.
482916 WAD crashes with signal 6.
486821 Web application Symphony fails with AV profile enabled in policy.
487096 SSL handshake fails when activate ESET application.
491417 FortiGate is dropping server hello packets when URLFILTER is enabled.
Bug ID Description
491424 Adjust the proxy-auth-timeout default value and unit.
491630 With UTM enabled, client failed to get response from server, gets 500 Internal error.
494081 WAD process crashes with signal 11 after upgrading the firmware to v5.6.4.

Router

Bug ID Description
443948 High memory usage for zebos_launcher and isisd.
482631 OSPF adjacencies lost, FGFMD high CPU while pushing policies from FortiManager.
491423 BGP shutdown neighbor capability-default-originate parameter always in use.
491679 FortiGate chooses higher metric OSPF E2 route for traffic under some circumstance.
492063 Route map not able to set attribute with BGP conditional advertisement.
493454 Large PIM SM bootstrap packets are not forwarded with kernel 3.2.
494393 Router access list should not default to prefix any and exact match disable.
500673 SD-WAN rules with application do not work after HA switchover.

SSL VPN

Bug ID Description
466438 High CPU usage by sslvpnd.
483712 sslvpnd consumes high memory causing FortiGate to enter conserve mode.
486918 SSL VPN web mode unable to load the page correctly.
489827 In SSL VPN web mode, Visteon.service-now.com/vss URL is not loading.
491895 Web mode SSL VPN HTTP bookmark not working.
494948 Confluence software is not rendered correctly in web mode.
494960 SSL VPN web mode has trouble loading internal web application.
494978 authd registers SSL VPN user with wrong user/group information and breaking SSL VPN after upgrade to 5.6.4.
498249 Need update SCEP over SSL host name/certificate check.
501769 SSL VPN: Bookmark to internal web site not loading correctly – JavaScript errors.

Switch

Bug ID Description
493685 Hardware switch flooding traffic.

System

Bug ID Description
370953 SLBC worker blade failed to re-synchronize with the config master blade due to the frozen confsync daemon.
394509 No log entry for failed admin PKI authentication.
414081 SMB1 support has been by default disabled under part models.
441483 Confused by set enable-shaper disable to enable HPE protection.
459273 Slave worker blade loses local administrator accounts.
462178 Front panel SPEED LED is flashing green when transmitting and receiving data.
466317 [api] is in Z state.
468938 Kernel panic on 3700D – slave.
472267 DNS filter performance improvement.
472270 SNMP feature for DNS filter counts.
473354 Suggest enable per-session-accounting on NP6Lite by default.
477886 PRP support.
479142 SLBC 5001D slave blade going out of sync.
481783 DHCP address assignment sometimes fails – DHCPD crashing multiple times.
485781 Deleting EMAC VLAN interface on a different VDOM causing connectivity loss to the EMAC VLAN for 5-7 pings.
493219 Softirq and nice are taking high CPU resources when sending and receiving packets with a virtual wire pair.
494603 FortiGate in transparent mode is not accessible over https/ssh (administrative access) once trusted host is configured.
494707 FortiGate trusthost settings not respected.
499332 No error message when configuring address .067 and address converted with .55.
499435 Allow packet sniffer to use RAM disk.
499793 FortiGate set wrong timezone for Paraguay.

Upgrade

Bug ID Description
495994 After upgrade to 5.4.9, observing a lot of IPS syntax errors on the console screen.

VM

Bug ID Description
493225 FTG-VM01 is missing diag sys mpstat command option.
499154 FortiGate Azure rejects static route configure pushing from FortiManager.
501911 In FOS-AWS prompt, user password = instance ID, and force user to change password upon initial log in.
Bug ID Description
471638 FortiGate disconnects all clients when they roam from AP to AP.
479415 Incorrect auth-success-page Authentication Success Page Replacement message.

VoIP

Bug ID Description
478634 Debug commands for SIP filter are not applied.

Web Filter

Bug ID Description
454634 Web filter set warning-prompt per-domain is warning per-category instead of per-domain.
476806 FortiOS incorrectly sends ICMP “Destination Unreachable” with WF/certificate inspection.
486171 The Web Rating Overrides option doesn’t work with flow-mode.
490377 The Web Rating Overrides option doesn’t work properly on proxy-based.
498231 Web sites like FedEx.com is catogized as malicious category incorrectly.

Web Proxy

Bug ID Description
500182 UDP over SOCKS proxy.

WiFi

Bug ID Description
491248 VAP RADIUS-based MAC authentication should support CoA.
491769 Support for third-party external portal with RADIUS MAC authentication.
495995 Custom categories override doesn’t work.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
450553 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2017-12150 l CVE-2017-12151 l CVE-2017-12163

487421 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13365

495090 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13366

496431 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2018-9192

499552 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:

l CVE-2016-7431

 

Known Issues

The following issues have been identified in version 6.0.2. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
Bug ID Description
256264 Realtime session list cannot show IPv6 session and related issues.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.

FortiView

Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
453610 Fortiview->Policies(or Sources)->Now, it shows nothing when filtered by physical interface at PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
482045 FortiView – no data shown on Traffic from WAN.
494731 Incorrect reporting in Fortiview.

GUI

Bug ID Description
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
470589 The Forward Traffic Log Details panel Security tab does not display security log details when multiple log devices are enabled.
487350 FortiGuard Filtering Services Availability showing Unavailable on GUI when no valid Anti-spam license is present.
493839 Cannot change quota type (time-based, traffic-based).

HA

Bug ID Description
451470 Unexpected performance reduction in case of Inter-Chassis HA fail-back with enabling HA override.
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).
503433 hasync daemon crashes when admin session times out and cluster could be out of sync for a short period.

IPS

Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.

IPsec VPN

Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
466048 Huawei USB LTE E3276 cannot be detected.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
482497 Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.

Upgrade

Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and webfilter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
Bug ID Description
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name.

Web Filter

Bug ID Description
480003 FortiGuard category does not work in NGFW mode policy.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiWLC 8.4.0 Release Notes

Getting Started with Upgrade

The following table describes the approved upgrade path applicable for all controllers except the new virtual controllers.

 

NOTE:

FortiWLC-1000D and FortiWLC-3000D controllers can be upgraded only from 8.3 releases.

Supported Upgrade Releases

 

From FortiWLC release… To FortiWLC Release…
7.0 7.0-10-0
8.0 8.0-5-0, 8.0-6-0
8.1 8.1-3-2
8.2 8.2.4
8.2.4/8.3 8.3.1
7.0.11, 8.2.7, 8.3.0, 8.3.1, and 8.3.2 8.3.3
7.0-11, 8.2.7, 8.3.0, 8.3.1, 8.3.2, 8.3.3 8.4.0

 

NOTE:

  • Fortinet recommends that while upgrading 32-bit controllers to version 8.4.0, use the upgrade controller command instead of the upgrade system
  • Controller upgrade performed via CLI interface will require a serial or SSH2 connection to connect to the controller and use its CLI. FortiWLC-1000D and FortiWLC-3000D controller upgrades can be performed via GUI as well.

 

Check Available Free Space

Total free space required is the size of the image + 50MB (approximately 230 MB).  You can use the show file systems command to verify the current disk usage.

 

controller# show file systems

Filesystem     1K-blocks   Used        Available   Use%   Mounted on /dev/hdc2      428972      227844   178242      57%      /

none               4880           56            4824           2%       /dev/shm

 

The first partition in the above example, /hdc2, although the actual name will vary depending on the version of FortiWLC-SD installed on the controller is the one that must have ample free space.

 

In the example above, the partition shows 178242KB of free space (shown bolded above), which translates to approximately 178MB. If your system does not have at least 230MB (230000KB) free, use the delete flash:<flash> command to free up space by deleting older flash files until there is enough space to perform the upgrade (on some controllers, this may require deleting the flash file for the current running version).

 

Set up Serial Connection

Set the serial connection for the following options:

 

 

NOTE:

Only one terminal session is supported at a time. Making multiple serial connections causes signalling conflicts, resulting in damage or loss of data.

 

  • Baud–115200
  • Data–8 bits
  • Parity–None
  • Stop Bit—1
  • Flow Control—None

 

Supported Hardware and Software

This table lists the supported hardware and software versions in this release of FortiWLC.

 

Hardware and

Software

Supported Unsupported
Access Points AP122

AP822e, AP822i (v1 &

v2) AP832e, AP832i,

OAP832e

AP332e*

AP332i*

AP433e*

AP433i*

OAP433e*

FAP-U421EV

FAP-U423EV

FAP-U321EV

FAP-U323EV

FAP-U422EV

 

FAP U221EV

FAP U223EV

FAP U24JEV

AP1010e*

AP1010i*

AP1020e*

AP1020i*

AP1014i*

AP110*

 

AP201

AP208

AP150

AP300, AP301,

AP302, AP302i,

AP301i

AP310, AP311, AP320,

AP310i, AP320i

OAP180

OAP380

*Cannot be configured as a relay AP
Controllers FortiWLC-50D

FortiWLC -200D

FortiWLC -500D

FortiWLC- 1000D

FortiWLC -3000D#

FWC- VM-50#

FWC –VM-200#

FWC –VM-500#

FWC –VM-1000#

FWC-VM-3000#

MC3200, MC3200-VE

MC1550, MC1550-VE

MC6000

MC4200 (with or without 10G Module)

MC4200-VE

MC 5000

MC 4100

MC 1500

MC 1500-VE

 

 

#Spectrum Manager NOT supported in these controller models.
FortiWLM 8.3.3/8.4  
FortiConnect 16.8.2  
Browsers    
FortiWLC (SD) WebUI Internet Explorer 9,10

Mozilla Firefox 25+

Google Chrome

31+

 
  NOTE:  

ation of Firefox 3.0 and 3.5+ prevents the display of the X-axis legend of dashboard

.

A limit graphs
Captive Portal Internet Explorer 6, 7, 8, 9, 10, IE11 and Edge.

Apple Safari

Google Chrome

Mozilla Firefox 4.x and earlier

Mobile devices (such as Apple iPhone and BlackBerry)

 

 

 

Installing and Upgrading

Follow this procedure to upgrade FortiWLC-50D, FortiWLC-200D, FortiWLC-500D, MC1550, MC1550-VE, MC3200, MC3200-VE, MC4200, MC4200-VE and MC6000 controllers. See section Upgrading FortiWLC-1000D and FortiWLC-3000D to upgrade FortiWLC-1000D and FortiWLC-3000D. See Upgrading Virtual Controllers to upgrade virtual controllers.

 

 

  1. Download image files from the remote server to the controller using one of the following commands:

# copy ftp://ftpuser:<password@ext-ip-addr>/<image-name-rpm.tar><space>.

 

[OR]  

 

# copy tftp://<ext-ip-addr>/<image-name-rpm.tar><space>.

 

Where

 

  • image-name for legacy controllers: meru-{release-version}-{hardware-model}rpm.tar. Eg, meru-8.3-3-MC4200-rpm.tar
  • image-name for FortiWLC: forti-{release-version}-{hardware-model}-rpm.tar. Eg, forti-8.3-3-FWC2HD-rpm.tar

 

  1. Disable AP auto upgrade and then upgrade the controller (in config mode)

# auto-ap-upgrade disable

 

# copy running-config startup-config

 

# upgrade controller <target version> (Example, upgrade controller 8.3)

 

The show flash command displays the version details.

 

  1. Upgrade the APs

# upgrade ap same all

 

After the APs are up, use the show controller and show ap command to ensure that the controller and APs are upgraded to the latest (upgraded) version. Ensure that the system configuration is available in the controller using the show running‐config command (if not, recover from the remote location). See the Backup Running Configuration step.

 

Upgrading FortiWLC-1000D and FortiWLC-3000D

To upgrade to FortiWLC-1000D and FortiWLC-3000D, use the following instructions.

 

In version 8.4.0, the image naming systems have been changed for 64 bit controller models from Primary/Secondary to image0/image1. This change applies to the upgrade procedure in the related FortiWLC GUI screens and CLI commands.

 

Upgrading via CLI

  1. Use the show imagesc ommand to view the available images in the controller. By default, a new controller will boot from the primary partition which contains the running image.

default(15)# show images

Running image: Primary   <—- Denotes Primary Partition

——————————————————————————– Running image details.

         System version: 0.3.2

         System hash: 11af7a3f3a700d3c8335dc254165282a91bd021b

         System branch: master

         System built: 20170323191620

         System memory: 721M/1006M

         Apps version: 8.3-1build-15

         Apps size: 1204M/1822M

——————————————————————————– Other image details.

         System version: 0.3.3

         System hash: 4699cb9f517c4a2abbbce458f689bf3558b5d65e

         System branch: master

         System built: 20170511180827

         System memory: 729M/1015M

         Apps version: 8.3-1build-21

         Apps size: 1119M/1821M

 

  1. To install the latest release, download the release image using the upgrade-image     command:

 

upgrade-image scp://<username>@<remote-server-ip>:<path-to-image>/<image- name>-rpm.tar both 

     reboot

 

The above command will upgrade the secondary partition and the controller will reboot to secondary partition.

 

NOTE:

After an upgrade the current partition will shift to the second partition. For example, if you started upgrade in primary partition, post upgrade the default partition becomes secondary partition and vice- versa.

 

default(15)# show images

Running image: Secondary  ß— Current partition after upgrade

——————————————————————————-

Running image details.

         System version: 0.3.2

         System hash: 11af7a3f3a700d3c8335dc254165282a91bd021b

         System branch: master

         System built: 20170323191620

         System memory: 729M/1015M

         Apps version: 8.3-1build-20

         Apps size: 1116M/1821M

——————————————————————————-

Other image details.

         System version: 0.3.2

         System hash: 11af7a3f3a700d3c8335dc254165282a91bd021b

         System branch: master

         System built: 20170323191620

         System memory: 721M/1006M

         Apps version: 8.3-1build-15

              

             Apps size: 1204M/1822M

 

 

 

 

                 

Upgrading via GUI

This section describes the upgrade procedure through the FortiWLC GUI.

 

NOTE:

  • Standalone controllers running pre-8.3.3 FortiWLC (except version 0-12) are required to upgrade to 8.3.3 GA and then to the current 8.4.0 version.

Fortinet recommends upgrading via CLI to avoid this issue which occurs due to file size limitation.

  • This issue does not exist on controllers with manufacturing build as 8.3.3 GA.

 

  1. To upgrade controllers using GUI, navigate to Maintenance > File Management > SD Version.
  2. Click Import button to choose the image file.

 

NOTE:

FortiWLC release 8.4.0 introduces software upgrades using the .fwlc format. This format will be supported in the forthcoming releases.

Direct upgrade from a pre-8.4.0 to 8.4.0 release using the .fwlc format is not supported.

 

 

  1. After the import is complete, a success message is displayed.

 

 

Switching Partitions

To switch partitions in FortiWLC-1000D, FortiWLC-3000D and the new virtual controllers, select the partition during the bootup process.

 

Upgrading 32-bit 8.3.3 Controllers (MC models, FortiWLC50D/200D/500D) with AP832/822 (without KRACK patch)

Upgrading from FortiWLC 8.3.3 to 8.4.0 results in runtime1 image corruption in AP832 and AP822v1. This is due to a resource leak in the 8.3.3 version which is fixed in later releases.

 

Follow these steps to upgrade from 8.3.3 to 8.4.0.

  1. Reboot the APs before upgrade.
  2. Run the upgrade controller command to upgrade controllers.
  3. Once the controller is online, upgrade the APs in batches. Before initiating upgrade, ensure all APs are rebooted so that the uptime is less than 5 hours.

 

NOTE:

Fortinet recommends that you upgrade the 8.3.3 32-bit controller before upgrading the access points due to the issue mentioned in this section.

If KRACK patch is installed on the 8.3.3 32-bit controller then this recommendation does not apply. The controller can be directly upgraded to 8.4.

Upgrading a N+1 Site

To upgrade a site running N+1, all controllers must be on the same FortiWLC-SD version and the backup controller must be in the same subnet as the primary controllers.

 

NOTE:

  • 64-bit controllers running pre-8.3.3 FortiWLC (except version 0-12) are required to upgrade to the 8.3.3 GA version and then to the current 8.4.0 version.
  • When upgraded to 8.3.3 GA, the N+1 setup needs to be reconfigured to enable N+1, that is, the master controller should be deleted and then added to the slave controller.

This reconfiguration is not required when upgrading from 8.3.3 GA to 8.4.0.

  • This issue does not exist on controllers with manufacturing build as 8.3.3 GA.

 

You can choose any of the following options to upgrade:

  • Option 1 – Just like you would upgrade any controller, you can upgrade a N+1 controller.
    1. Upgrade master and then upgrade slave.
    2. After the upgrade, enable master on slave using the nplus1 enable

 

  • Option 2 – Upgrade slave and then upgrade master.

After the upgrade, enable master service on slave using the nplus1 enable command.

 

  • Option 3 – If there are multiple master controllers
    1. Upgrade all master controllers followed by slave controllers. After the upgrade, enable all master controllers on slave controllers using the nplus1 enable
    2. To enable master controller on slave controller, use the nplus1 enable
    3. Connect to all controllers using SSH or a serial cable.
    4. Use the show nplus1 command to verify if the slave and master controllers are in the

 

The output should display the following information:

Admin: Enable 

Switch: Yes 

Reason: ‐

SW Version: 8.3-1

 

  1. If the configuration does not display the above settings, use the nplus1 enable <master‐controller‐ip> command to complete the configuration.
  2. To add any missing master controller to the cluster, use the nplus1 add master

 

Restore Saved Configuration

After upgrading, restore the saved configuration.

  1. Copy the backup configuration back to the controller:

# copy ftp://<user>:<passswd>@<offbox-ip-address>/runningconfig.txt origconfig.txt

  1. Copy the saved configuration file to the running configuration file:

    # copy orig-config.txt running-config

  1. Save the running configuration to the start-up configuration:

   # copy running-config startup-config

 

Upgrading Virtual Controllers

Virtual Controllers can be upgraded the same way as the hardware controllers. See sections Upgrading via CLI, Upgrading via GUI, and Upgrading a N+1 Site.

Download the appropriate Virtual Controller image from Fortinet Customer Support website.  For more information on managing the virtual controllers, see the Virtual Wireless Controller Deployment Guide.

Upgrading the controller can be done in the following ways:

  • Using the FTP, TFTP, SCP, and SFTP protocols.
  • Navigate to Maintenance < File Management in the FortiWLC GUI to import the downloaded package.

The following are sample commands for upgrading the Virtual Controllers using any of these protocols.

  • upgrade-image tftp://10.xx.xx.xx:forti-x.x-xbuild-x-x86_64-rpm.tar both reboot
  • upgrade-image sftp://build@10.xx.xxx.xxx:/home/forti-x.x-xGAbuild-88-FWC1KDrpm.tar both reboot
  • upgrade-image scp://build@10.xx.xxx.xxx:/home /forti-x.x-xGAbuild-88-FWC1KDrpm.tar both reboot
  • upgrade-image ftp://anonymous@10.xx.xx.xx:forti-x.x-xbuild-x-x86_64-rpm.tar both reboot

 

The both option upgrades the Fortinet binaries (rpm) as well as the Kernel (iso), the apps option upgrades only the Fortinet binaries (rpm).

After upgrade, the Virtual Controller should maintain the System-id of the system, unless there were some changes in the fields that are used to generate the system-id. See the to the Licensing section for detailed information.

The International Virtual Controller can be installed, configured, licensed and upgraded the same way.

 

Upgrade Advisories

The following are upgrade advisories to consider before you begin upgrading your network.

NOTE:

Fortinet recommends upgrading a batch of maximum 100 APs.

Upgrading Virtual Controllers

In the upgrade command, select the options Apps or Both based on these requirements:

  • Apps: This option will only upgrade the Fortinet binaries (rpm).
  • Both: This option will upgrade Fortinet binaries as well as kernel (iso).

Upgrading FAP-U422EV

If the controller is running on pre-8.4.0 version and FAP-U422EV is deployed, follow these points:

  • Disable auto‐ap‐upgrade.

OR

  • It is advised not to plug in FAP-U422EV till the controller gets upgraded to 8.4.0.

Mesh Deployments

When attempting to upgrade a mesh deployment, you must start upgrading the mesh APs   individually, starting with the outermost APs and working inwards towards the gateway APs before upgrading the controller.

Feature Groups in Mesh profile

If APs that are part of a mesh profile are to be added to feature group, all APs of that mesh profile should be added to the same feature group. The Override Group Settings option in the Wireless Interface section in the Configuration > Wireless > Radio page must be enabled on the gateway AP.

Voice Scale Recommendations

The following voice scale settings are recommended if your deployment requires more than 3 concurrent calls to be handled per AP. The voice scale settings are enabled for an operating channel (per radio). When enabled, all APs or SSIDs operating in that channel enhances voice call service. To enable:

  1. In the WebUI, go to Configuration > Devices > System Settings > Scale Settings
  2. Enter a channel number in the Voice Scale Channel List field and click OK.

 

NOTE:

Enable the voice scale settings only if the channel is meant for voice deployment.  After enabling voice scale, the voice calls in that channel take priority over data traffic and this result in a noticeable reduction of throughput in data traffic.

 

 

 

New Features

This section describes the new hardware/software features introduced in this release of FortiWLC.

Fortinet Universal Access Points

The new Fortinet Universal Access Points (FAP-Us) are dual radio, dual band 802.11ac access points. These access points are designed to provide superior experience in data, voice, and video applications in enterprise class deployments.

 

FAP-U221EV and FAP-U223EV

The FAPs support two 2×2 MIMO radios (band locked) with a single core and comply with the IEEE 802.3af and 802.3at PoE specifications. A maximum of 8 ESS profiles and 128 clients are supported.

 

FAP-U24JEV

The FAPs support two 1×1 MIMO radios (band locked) with a single core and comply with the IEEE 802.3af and 802.3at PoE specifications. A maximum of 8 ESS profiles and 128 clients are supported.

The FAP has one 2×2 radio which will be always configured as two 1×1 interfaces.

 

NOTE:

FAP-U221EV, FAP-U223EV, and FAP-U24JEV do not support the following features:

  • MU-MIMO
  • LACP
  • 0 – Not supported in version 8.4.0 only.
  • Enterprise Mesh – Not supported on FAP-U24JEV only.
  • Application Visibility (DPI)

 

FAP-U422EV

The FAP is a Wave-2 access point and supports two 4×4 MIMO radios (band locked) with a dual core. This device complies with the 802.3at PoE specifications. A maximum of 16 ESS profiles are supported.

The FAP supports all FortiWLC functionalities same as the FAP-U42xEV.

 

For more information on the FAPs, see the corresponding Quick Start Guides.

 

 

Enhancements

These are the enhancements in this release of FortiWLC.

 

  • FAP-U422EV and AP832 are Passpoint R2 certified.
  • In FortiWLC 8.4.0, the DFS is enabled for FAP-U32xEV FCC & Japan, FAP-U22xEV CE & Japan and FAP-U24JEV CE.
  • The Simple Service Discovery Protocol (SSDP) is supported for Chromecast discovery.  DNS configuration option is supported for FortiGate discovery.

 

Additional Information

This section describes information related to the usage of FortiWLC.

 

  • Chromecast cast option is visible on the Youtube application only when the publisher or subscriber is in the tunneled mode.
  • The capture-packets command with -R filer captures all packets instead of filtered packets.

Clients and Encryption Keys

These are the maximum supported clients and encryption/decryption keys for FAP models.

 

FAP Models

 

Maximum supported clients/radios Encryption/Decryption
VCell Native Cell VCell Native Cell
ARRP

(Off)

ARRP

(On)

Hardware Software Hardware Software
FAP-U42x EV 170 170 256 170 0 256 0
FAP-U32x EV 170  170 256 170 0 256 0
FAP-U22x EV 128 128 128 64 64 64 64
FAP-U24J EV 128  128 128 64 64 64 64

 

 

VCell Roaming across Access Points

These are the supported VCell roaming details across APs.

 

Access 

Points

AP122 AP822 AP832 FAP-

U22xEV

FAP-

U32xEV

FAP-

U42xEV

FAP-

U24JEV

AP122  Supported Supported Supported with 2×2

MIMO mode

Supported with 2×2

MIMO mode

Supported with 2×2

MIMO mode

Supported with 2×2

MIMO mode

Supported with 1×1 mode
AP822 Supported Supported Supported with 2×2

MIMO mode

Supported Supported with 2×2

MIMO mode

Supported with 2×2

MIMO mode

Supported with 1×1 mode
AP832 Supported with 2×2

MIMO mode

Supported with 2×2

MIMO mode

Supported Supported with 2×2

MIMO mode

Supported Supported with 3×3

MIMO mode

Supported with 1×1 mode
FAP-

U22xEV

Supported with 2×2

MIMO mode

Supported Supported with 2×2

MIMO mode

Supported Not

Supported

Not

Supported

Supported with 1×1 mode
FAP-

U32xEV

Supported with 2×2

MIMO mode

Supported with 2×2

MIMO mode

Supported Not

Supported

Supported Supported with 3×3

MIMO mode

Not

Supported

FAP-

U42xEV

Supported with 2×2

MIMO mode

Supported with 2×2

MIMO mode

Supported with 3×3

MIMO mode

Not

Supported

Supported with 3×3

MIMO mode

Supported Not

Supported

FAP-

U24JEV

Supported with 1×1

MIMO mode

Supported with 1×1

MIMO mode

Supported with 1×1

MIMO mode

Supported with 1×1

MIMO mode

Not

Supported

Not

Supported

Supported

 

Fixed Issues

These are the fixed issues in this release of FortiWLC.

 

Bug ID Description
453607 SNMP results were incomplete for neighboring APs count.
462374 In tunnel mode, STA did not communicate with the wired network after controller fail over.
464122 No framed IP attribute in the accounting start packet.
464687 wncagent spikes while running the event view, GUI and CLI failed to expose the event history.
470393 STA did not receive packets from the wired network after controller fail over.
473365 OAP433 crashes with kernel panic.
448391 The Search/Filter option not available for port profiles in the feature group configuration page of the FortiWLC GUI.
446850 The conn ap command co nnected to a different AP.
449185 AP CommNodeId duplicated in multiple APs.
452055 AP reboots with false ** FATAL ** Dead lock detected error.
450379 Channel mismatch on some radios, with primary channel displayed as 44 and operating channel as 40.
457195 sys commands failed in the AP CLI.
455522 With Service Control enabled, the services crashed and restarted.
454144 Wncagent crashes after every one hour.
446296 AP sent Deauth to station by incorrect station type and unknown BSSID.
443669 An incorrect number of stations displayed in the pie charts on the system dashboard.
456464 Device connected but unable to pass traffic.
449409 Nplus1 was disabled when firmware was upgraded on FortiWLC-1000D,
452204 Random AP reboots with exception in APP visibility.
452650,

452649

FAP-U421EV did not auto-negotiate 1Gbps full duplex.
453317,

453316

Random AP832 crashes (NIP [c000d50c] e500_idle+0x90/0x94).
453511 Unable to configure DNS and domain name during the initial setup when the controller was on default setting.
457172 Controller based Captive Portal not working in the Bridged mode for AP822i.
457183 With IE9, incorrect page displayed for the Security Profiles Configuration.
460169 Channel mismatch on some radios, with primary channel displayed as 36 (Non- DFS channel) and operating channel as 100 (DFS Channel).
460587 Unable to edit ESS profiles from the web GUI.
461127 APs lost IP configuration after reboot and came up with default configuration.
446772 CP bypass page displayed even though the client is MAC authenticated and bypass enabled.
381008 Coordinator restarted due to memory issues
435490 All Chromecast devices did not show up in Youtube for casting.
423993 FAP-U421EV access points lost beacons in a virtual cell, causing clients to do  assoc-2-assoc.
409488 Error in copying from backup configuration to running configuration.
422065 Controller not sending the RADIUS accounting packet.
462414 When the secondary DNS Server was configured, the secondary NetBIOS server gets the same IP address as the secondary DNS server.
448985 When controller fails over, OUI configuration of client_locater is not taken over to the new active controller.
449154 When the client_locator is enabled and the controller fails over, client_locator is disabled on the new active controller.
470643 Nplus1 configuration fails after firmware upgrade from 8.3 on FortiWLC1000D.
470641 IP address on the slave controller is missing after firmware upgrade from 8.3 on FortiWLC-1000D.
466824 FAP-U321 upgrade fails.
469118 wncagent spikes observed.
470822 FAP-U421 reboots while unable to handle kernel null pointer – LR is at wlc_scbfindband+0x5c/0x130 [wl].
437223 The Console page in Chrome indicates that Adobe Flash is not installed even when it is installed in the Spectrum manager.
438782 Spectrum analysis: Overlay interference is misinterpreted as interference detected by the FAP.
436573 When upgrading from any prior release to 8.3.3, in N+1 configuration the passive slave controller Switch and Reason are No and No Config respectively.

This issue occurs on 64-bit Controller models/instances.

470640 Radio Tx Freeze on FAP-U421EV & FAP-U423EV.
351641 [OAP-832] Frequent leaf node reboots with the LOST CONTACT with controller error.
475059 The controller IP address is set to 0.0.0.0 in the VPN administration page post upgrade to 8.4.0.
475307 [FAP-U42x] Radios’ operating channel is different than the configured channel.
439721 High Latency and ping loss observed on clients configured in bridged mode with native and Static VLAN.

 

 

             

Known Issues

These are the known issues in this release of FortiWLC.

 

Bug ID Description Impact Workaround
450682 Random FAP-U421EV crashes with kernel panic. FAP reboots which impacts the client connectivity for the duration of AP boot up time.  
455780 In some MAC client devices authentication fails and the client is not able to connect.

This is due to the delay in processing EAPTLS messages.

This issue is specifically seen in MAC clients, due to the delay in EAP-TLS messages being processed by the AP, in some cases authentication fails because of which clients are not able to connect.  Set the authenticatio n timeout to 3 seconds.  For more information, contact the Customer Support.
461937 Sometimes, the FAP-U42x does not tag some packets on bridged data plane. Data loss on wireless devices. Connect the AP and run

sys perf off.

420129 Fujistu smart phones with AP822 rev2 randomly drop calls and then reconnect to the network. This is due to wrong beacon information. Glitches during voice calls. Install the 8.2.7 special

build. For more information, contact the Customer Support.

463646 Sometimes in the FAP-U units, in high multicast/broadcast traffic, performance issues and high latency are observed in the bridged mode. Latency in application usage for wireless clients. Disable

Multicast-to-

Unicast Conversion option.

442046 [AP832] Sometimes, the APs do not respond to port 5000, client connectivity affected. The AP reboots when this condition is encountered. In 8.4.0, the AP auto reboots when this condition

is encountered.

 

For root

 

      cause fix, contact the Customer Support for installing the relevant patch.
474057 [Virtual FortiWLC] In case of a fresh FortiWLC installation, the gateway does not recognize the services in the FortiWLC GUI.

In Monitor > Service Control > Service Details, the Service column is blank.

The Services pie chart in the Service Control Dashboard is not visible, unless the setup command is run or the controller is rebooted. Run the setup command

and reboot the controller.

474593 AP description with sh string gets lost post upgrade. The AP description is set to default (AP ID). Avoid using

sh string in AP description.

453518 Difference in the AP signal strength on the 5Ghz band while operating in the normal mode and in the site survey mode (country code set to UK). While doing site survey there will be a difference in signal strength if there is change in TX power other than values of 3 and 4.

 

Contact the

Customer Support for installing the relevant patch.

466751 Sometimes, the APs reboot in a loop when trying to add new APs or doing a bulk reboot. APs cannot discover the controller.  
462324 Sometimes, RADIUS requests are sent with the same port number for different IDs. TLS errors for the clients see at RADIUS end. No impact on connectivity.  
463626 Round trip delays are observed randomly

at wired side of AP822i after AP reboots.

Latency on wireless clients. In 8.4.0, reboot the AP.

 

For root cause fix, contact the Customer Support for installing the relevant

      patch.
463851,

448621

[FortiWLC-3000D/1000D] Sometimes in multiple upgrade scenarios spanning over releases, unable to add the master controller in slave controller in an N+1 setup.   Contact the Customer Support.
456513 Sometimes, AP832 connected to Cisco WS-C2960X-48FPD-L comes up as 802.3af and not 802.3at with the BLE dongle. BLE is disabled. Contact the

Customer Support for installing the relevant patch.

464308 APs Stuck in Disabled/Online state after reboot.

This issue is observed under scale deployments, for example, rebooting 100+ APs at the same time.

Client connectivity affected till the AP reboots. Reboot the AP.
464541 Wired Port profile in Mesh uplink port gets lost after upgrade to FortiWLC 8.4.0. Wired clients cannot access the network. Recreate the port interface for the AP.

 

Known Issues in FAP-U422/FAP-U24J/FAP-U22xEV

 

Bug ID Description Impact Workaround
451168 FAP-U24JEV/FAP-U22xEV- DTIM functionality is not working.

PS-Poll based power-save clients fail to receive multicast traffic when the Multicast-to-Unicast Conversion option is disabled in the ESS profile.

Power-save clients fail to receive the multicast traffic sometimes and the battery life of wireless device is drained. Enable the Multicastto-Unicast Conversion option [Default setting].
453903 FAP-U24JEV – Client mitigation fails when the Rogue AP detection feature enabled. Mitigation fails in cases of Rogue AP operating in foreign channel.  
474882 [FAP-U22x] Phy tx error with fatal error reinitializing and psm watchdog observed randomly on Radio 0/1 interface. Data loss is observed when the error is reported till it recovers.  

 

         

Common Vulnerabilities and Exposures

This release of FortiWLC is no longer vulnerable to the following:

 

Bug ID Vulnerability
450012 •      CVE-2017-1000251

•      CVE-2017-1000250

454662 •      CVE-2017-13077 to CVE-2017-13082

•      CVE-2017-13084

•      CVE-2017-13086 to CVE-2017-13088

461748 CVE20168491
443753 Broadcom ESDK vulnerability fix.

 

Visit https://fortiguard.com/psirt for more information.

FortiOS IPS Engine version 3.443

Introduction

This document provides the following information for FortiOS IPS Engine version 3.443.

Bug ID Description
443479 Support for FortiSandbox Sniffer user defined file extensions.

l What’s New in IPS Engine 3.443 l Product Integration and Support l Resolved Issues

For additional FortiOS documentation, see the Fortinet Document Library.

What’s New in IPS Engine 3.443

Product Integration and Support

Fortinet Product Support

The following table lists IPS engine product integration and support information:

FortiOS 5.2.0 and later

5.4.0 and later

5.6.0 and later

FortiClient 5.4.0 and later (Windows and Mac)

5.6.0 and later (Windows and Mac)

 

 

Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquires about a particular bug, please contact Customer Service & Support.

Bug ID Description
446858 Fixed a crash caused by a NULL pointer de-reference.
445900

446782

Fixed two SSL deep inspection bugs.
444268 Fix IPS engine high CPU usage caused by TCP RST packets with data.
444811 Fix a crash in the IPS HTTP decoder on some proxy traffic. Fixed IPS_CONTEXT_URI_ DECODED context field_start and field_end value for proxy traffic.
440277 Fixed a random detection miss, and a random crash in SSL packet scanning.
411415 Support session clearing by VDOM.
379449 Updated the Brotli library to match the version used by Chromium 61.
450442 Fixed crashes caused by configuration errors in IPS sensors.
444237 Fixed two bugs in the SMB2 decoder that may cause high memory usage.
403562 Fixed a bug that could cause FortiOS to enter conserve mode because of memory corruption.
451677 Fixed a bug that caused the IPS engine to incorrectly identify Phoenix PACS traffic as BitTorrent traffic.
451763 Fixed a bug that caused the IPS engine to drop STUN packets because they were identified as partial SSL records.
460391 Fix crashes in the update_ftp_scan_ret function.
448646 Fix high CPU usage caused by retransmission bugs.
450693

460635

Fixed a bug that caused the ERR_SSL_DECRYPT_ERROR_ALERT message when SSL deep scanning is enabled.