FortiGate™ Multi-Threat Security System Release Notes FortiOS™ v2.80 MR12 Rev. 1.0 April 28, 2006


FortiGate™ Multi-Threat Security System

Release Notes
FortiOS™ v2.80 MR12

Rev. 1.0

April 28, 2006


Fortinet Inc. Release Notes: FortiOS v2.80™ MR12

Table of Contents

1 FortiOS v2.80 Maintenance Release 12 .... 1

2 Upgrade Information .... 2
  2.1 General .... 2
  2.2 AV Signature Changes .... 2
  2.3 Special Notices .... 2
  2.4 Upgrading from FortiOS v2.50 .... 4
  2.5 Upgrading from FortiOS v2.80 .... 6
  2.6 Downgrade Notice .... 7
  2.7 FortiManager System Support .... 7

3 FortiOS v2.80 Features .... 8
  3.1 System .... 8
    3.1.1 Role Based Administration .... 8
    3.1.2 Configuration File Backup Improvements .... 8
    3.1.3 Redesigned WebUI .... 8
    3.1.4 Redesigned CLI .... 9
    3.1.5 Dynamic DNS Support .... 9
    3.1.6 Multiple Secondary IP Addresses Per Interface .... 9
    3.1.7 IPv6 Traffic Forwarding .... 9
    3.1.8 ADSL (PPPoE) Connection Idle Timeout Support .... 10
    3.1.9 PPPoE and DHCP Relay Support .... 10
    3.1.10 Virtual Domain Support in NAT and Transparent Modes .... 10
    3.1.11 Improved "out-of-the-box" Usability for SOHO Models .... 10
    3.1.12 Support Extended and Non-Latin1 (ISO 8850-1) Characters .... 11
    3.1.13 User Field Improvements .... 11
    3.1.14 One-Button Transmission of FortiGate System Info For Troubleshooting .... 11
    3.1.15 IEEE 802.11 WLAN Client Mode Supported .... 11
    3.1.16 Alert Email Address Length .... 11
    3.1.17 Console Paging Mode .... 11
    3.1.18 LCD .... 11
    3.1.19 Compressed Configuration Back-up Files .... 12
    3.1.20 AV/NIDS Updates .... 12
    3.1.21 Internal Modem Support for FortiGate-60M .... 12
    3.1.22 Bug Reporting .... 12
    3.1.23 Alert Message Console .... 13
    3.1.24 Forwarding Domains .... 13

  3.2 High Availability .... 13
    3.2.1 Non-dedicated HA Port .... 13
    3.2.2 Link Fail-over .... 13
    3.2.3 Firmware Upgrade and Configuration Upload .... 13
    3.2.4 HA Link Security .... 13
    3.2.5 Support for FortiGate-60/100/200 and FortiWiFi-60 Models .... 13
    3.2.6 HA Active-Active Mode Now Can Load Balance Non-AV Traffic .... 14
    3.2.7 HA Synchronization Status .... 14

  3.3 Router .... 14
    3.3.1 Policy Route WebUI .... 14
    3.3.2 Routing Monitor .... 14
    3.3.3 Enhanced RIP Routing Protocol Support .... 14
    3.3.4 OSPF Routing Protocol Support .... 14

  3.4 Firewall .... 15
    3.4.1 Protection Profile .... 15
    3.4.2 Improved Custom TCP/IP Support and Pre-defined Services .... 15
    3.4.3 Increased Maximum Number of Policy Routes on High-end Models .... 15
    3.4.4 IP Address Ranges .... 15

April 28, 2006 i


    3.4.5 Multiple IP Pools .... 15
    3.4.6 DiffServ Settings .... 16
    3.4.7 Static NAT (SNAT) Port Floating .... 16
    3.4.8 SIP Support .... 16

  3.5 FortiGuard – Antivirus .... 16
    3.5.1 Heuristic Virus Detection .... 16
    3.5.2 Grayware Protection .... 16
    3.5.3 Submit Quarantined Virus Sample to Fortinet .... 16
    3.5.4 HTML Link for Scanned Virus Detection .... 16
    3.5.5 Append Customized Text to Email Messages .... 17
    3.5.6 PPTP and L2TP AV scanning .... 17
    3.5.7 High-end Models AV Optimize Command .... 17
    3.5.8 Antivirus Scan Support for ARJ Compression Format .... 17
    3.5.9 File Uncompression Maximum for AV Scanning .... 17
    3.5.10 Windows Control Panel Extensions Support .... 17
    3.5.11 FortiGuard – Antivirus and FortiGuard – Intrusion Protection .... 17

  3.6 VPN .... 18
    3.6.1 IPSec Tunnel Support in Transparent Mode .... 18
    3.6.2 DHCP Support Over IPSec .... 18
    3.6.3 User Authentication via RSA SecurID™ .... 18
    3.6.4 IP Address Range Support in IPSec Firewall Policies .... 18
    3.6.5 Overlapping Address Support .... 18
    3.6.6 Central Site Internet Access .... 18
    3.6.7 IPSec Dynamic DNS support .... 19
    3.6.8 Policy Selector in IPSec Phase2 .... 19
    3.6.9 Site-to-Site/Dialup Tunnels .... 19

  3.7 Spam Filter .... 19
    3.7.1 Content Filtering .... 19
    3.7.2 FortiGuard – AntiSpam Service .... 20

  3.8 IPS Functionality .... 20
    3.8.1 Dynamic Threat Prevention System .... 20
    3.8.2 IPS signature Autoupdate .... 20

  3.9 Web Content Filtering .... 21
  3.10 Log & Reporting .... 21

4 MR12 Release Issues .... 23
  4.1 Resolved Issues in FortiOS v2.80 MR12 .... 23
    4.1.1 HA .... 23
    4.1.2 VPN .... 23
    4.1.3 System .... 23

  4.2 Resolved Issues in FortiOS v2.80 MR11 and Earlier .... 24
    4.2.1 System .... 24
    4.2.2 WebUI .... 25
    4.2.3 HA .... 26
    4.2.4 Router .... 26
    4.2.5 Firewall .... 27
    4.2.6 FortiGuard .... 28
    4.2.7 VPN .... 28
    4.2.8 IPS .... 29
    4.2.9 Logging & Reporting .... 29
    4.2.10 FortiGuard – AntiSpam .... 30
    4.2.11 Antivirus .... 30

5 Known Issues in FortiOS v2.80 MR12 .... 31
  5.1 HA .... 31
  5.2 IPS .... 31
  5.3 VPN .... 32
  5.4 System .... 32


  5.5 Router .... 32
  5.6 Antivirus .... 32

6 Image MD5 Checksums .... 34

Change Log
Rev. 1.0 - Initial Release.

© Copyright 2006 Fortinet Inc. All rights reserved.
Release Notes FortiOS™ v2.80 MR12

Fortinet Customer Support Contacts:
Please refer to http://support.fortinet.com


1 FortiOS v2.80 Maintenance Release 12

This document outlines the features of the FortiOS v2.80 Maintenance Release 12 (B514) firmware for the FortiGate Multi-Threat Security System. MR12 is a bug fix only release.


2 Upgrade Information

2.1 General

FortiOS v2.80 MR12 supports all FortiGate models except the FortiGate-50. For the high-end models, FortiGate-3000 and higher, there are specific images to support different Virtual Domain (VDom) maximums.

Save a copy of your FortiGate unit configuration (including replacement messages and content filtering lists) prior to upgrading.

Note: The TFTP upgrade erases all current firewall configuration and replaces it with the Factory Default settings.

IMPORTANT! After any version upgrade:

• [WebUI display] If you are using the GUI, clear the browser cache prior to login to the FortiGate unit to ensure proper display of the GUI screens.

• [Update the AV/NIDS definitions] The AV/NIDS signature included with an image upgrade may be older than currently available from FortiGuard. Fortinet recommends performing an "Update Now" as soon as possible after upgrading. (Consult the FortiGate User Guide for detailed procedures.)

2.2 AV Signature Changes

The following default actions have been changed in NIDS signatures newer than version 2.214:

• icmp_flood (clear_session => disable)
• ping_death (drop => disable)
• large_icmp (none => disable)
• udp_flood (drop_session => disable)

2.3 Special Notices

• Fortinet Subscription Based Services Name Change
Fortinet has changed the names of all its subscription based services. The new names are as follows:

• FortiGuard - Antivirus
• FortiGuard - Intrusion Protection
• FortiGuard - AntiSpam
• FortiGuard - Web Filtering

• Clock Configuration
The system daylight savings mode must be configured before the timezone and current time are set. This is required because the correct time, as set by the user, is influenced by both the timezone and the daylight savings mode.

• Daylight Savings Time
Prior to FortiOS v2.80 MR9 B393, when the firewall adjusted its clock for daylight savings, the update daemon would restart continually, which prevented the firewall from receiving antivirus and IPS updates. The workaround is to disable the daylight savings time option (System > Config > Time). To compensate for the one hour difference, either adjust the clock manually or, if you are using NTP, select a time zone one hour ahead of yours. For example, if your time zone is GMT-8:00, select GMT-7:00. FortiOS v2.80 MR9 B393 and all future MRs resolve this problem.


• H.323 Support
FastStart/H.245 Tunneling and Microsoft NetMeeting are supported in FortiOS v2.80 MR12.

• SMTP Splice
Starting in FortiOS v2.80 MR10, the ability to disable SMTP splice is supported when AV scanning is enabled. SMTP splice is enabled by default when AV scanning is enabled in the firewall policy, but can be turned off through the CLI. Administrators can choose between AV scanning or spam filter tagging of SMTP traffic, since the AV splice operation now precludes the use of tagging an email message with a spam subject-line tag. (Splice means that the FortiGate Antivirus Firewall sends part of the message or file to the destination address while it performs AV scanning.)

• FTP Splice
FTP splice now can be disabled or enabled.

• Configuration Reset Message During Upgrade in WebUI
When upgrading from a FortiOS v2.50 image to a FortiOS v2.80 pre-MR5 release to MR11 from the WebUI, a message is displayed "The system configuration will be set to default. All the original configuraiton will be lost...". This message is incorrect and clicking "OK" will NOT erase the current configuration. Previous versions of FortiOS do not handle the embedded RSA signature in the MR9 image and cause the display of this message.

• "File too big" Error During Upgrade
When upgrading from v2.80 MR3, if a "File too big" error message is displayed, reboot the FortiGate firewall and attempt the upgrade again. The reboot will clear the internal RAM disk of the temporary files that may be blocking the upgrade procedure. If the condition persists, then backup all configuration files and use the flash memory reformat function from the console boot-up menu.

• Compressed Configuration Back-up File
The entire FortiGate configuration settings in MR5 and later are stored in a compressed format (zip file) when clicking on the "Maintenance > Backup & Restore > All Configuration Files" from the WebUI.

• Content Log Access
Access to the Content Log messages (HTTP, FTP, SMTP, POP3, IMAP content) is now configured through the Firewall > Protection Profile settings, and the messages are only available through the FortiLog System settings. The IP address of a FortiLog System unit or a syslog unit can be configured to receive the Content Log messages. Content Log messages are also no longer available from the WebUI Log&Report > Log Access screen.

• Virtual Domains with Zones in Transparent Mode
Contact Fortinet Customer Support for assistance before upgrading to FortiOS v2.80 if your FortiGate configuration uses more than 10 Virtual Domains with Zones in Transparent mode operation, otherwise loss of configuration settings will result.

• Cerberian Web Filter Users
Cerberian Web Filter functionality was removed in FortiOS v2.80 MR3 and no longer is supported. This functionality is now provided by the FortiGuard – Web Filtering Service. Current Cerberian license holders are eligible for a free upgrade to the FortiGuard Web Filtering Service and should contact their local Fortinet Sales representative.

• AV Oversize File/Email Handling
Antivirus scanning of oversize files or email messages (>10 MB or greater than 10% of system memory) requires temporary buffering to the internal hard disk (on supported models). This function has been disabled and will no longer be supported. Any files larger than the allowable AV scan memory limit will be handled as indicated by the Protection Profile "Oversize file" setting. Ensure that all Protection Profiles have the AV Buffer-to-Disk option disabled prior to upgrading from pre-MR4 versions. Failure to do so will result in all AV scanning options disabled in all Protection Profiles after the upgrade.

• Static Route Priority
Each static route entered in the firewall has an index when entered either through the GUI or through the CLI. The index is used as the priority of the static route – a lower index value has a higher preference. Changes to affect the priority of identical static routes are made through the CLI.

• Restoring System configurations via the "System Configuration" backup file
The "System configuration" file created via "Maintenance > Backup & Restore > System Configuration" does not store "CA Certificates", "SpamFilter" and "Webfilter" settings. Users that wish to backup and restore FortiGate firewall configuration settings using this file are asked to first backup the "CA Certificates", "SpamFilter" and "WebFilter" configuration settings before upgrading to a newer version of FortiOS. After upgrading, please restore each configuration file before restoring the "System configuration" file.

• Log Policies
The Log policy "Local" and "Console" setting found in FortiOS v2.50 is not supported in FortiOS v2.80.

• FortiGate FortiBoost Blade Naming Change
FortiGate firewall blades previously known as "FortiBoost" are known now as "FG5002FB2". All CLI and GUI elements now reflect the name change.

Note:
• Image names that begin with "FGT_BOOST" are for the "FG5002FB2" blades.
• Image names that begin with "FGT_5000" are for the "FG5001" blades.

• File Blocking
File blocking is not supported for file names encoded in the following character sets:

• X-SJIF for Japanese characters
• GB231 for Simplified Chinese characters
• BIG5 for Traditional Chinese characters
• EUC-KR for Korean characters

• Replacement Messages
Filenames that contain the following character sets are renamed to question marks in the replacement message:

• X-SJIF for Japanese characters
• GB231 for Simplified Chinese characters
• BIG5 for Traditional Chinese characters
• EUC-KR for Korean characters

• Valid User Defined Banned Word Characters
Only the following characters are allowed when specifying banned words with wildcard type:
a-z A-Z 0-9 \ ^ $ . [ ] | ( ) { } + ? *

If you want to use other characters to specify a banned word, please use regular expression type instead.

• Replacement Message Size Changes
Replacement message sizes have been changed from 1024 bytes to 4096 bytes in FortiOS v2.80 MR11.

2.4 Upgrading from FortiOS v2.50

For FortiGate units currently on FortiOS v2.50, upgrade to at least v2.50 MR10 prior to upgrading to v2.80 MR11.

The following are additional caveats when upgrading from FortiOS v2.50.


• Configuration File
FortiOS v2.50 CLI commands are incompatible with the FortiOS v2.80 CLI commands. Attempts to restore a configuration file from FortiOS v2.50 will fail. The existing configuration on a unit running v2.50 will be upgraded to the new v2.80 syntax automatically during the upgrade process.

• Admin Password
The "admin" password and passwords for other administrator users are now preserved when upgrading from v2.50.

• Secondary IP Addresses
The secondary IP address settings assigned to interfaces are now retained upon upgrade to v2.80 MR5. Previous v2.80 MR releases did not keep the secondary IP addresses. (Bug ID 16211 now resolved.)

• HDD Reformat
If your model has a hard disk, back-up the log files then run "exec formatlogdisk" from the CLI or accept the pop-up window prompt in the WebUI after the first login. Note that this operation will erase any existing log files on the hard disk, requires several minutes to complete, and involves a system reboot. Backup the log files before executing this command and choose a low traffic period since there is a brief interruption while the unit reboots.

• Firewall Custom Services
In FortiOS v2.80, the Custom Service definition can only be a single contiguous range of source or destination ports. Multiple individual ports or ranges are no longer supported. Any such Custom Service definitions must be converted to individual ranges and then combined into a Service Group. When upgrading to v2.80 MR6 or later, Custom Service definitions that use multiple port ranges will be converted to new Custom Service definitions of discrete ranges. The administrator must then manually create a new Service Group comprised of the converted Custom Service definitions.

• IPSec Phase1 Local ID Format
An FQDN or email address used as the "Local ID" for a dialup VPN is now accepted when upgrading to v2.80 MR5 or later. (It was removed during the upgrade to v2.80 MR4 and earlier, while the rest of the Phase1 configuration was retained, so this value had to be re-entered manually through the WebUI or CLI.) (Bug ID 16212 is now resolved.)

• Transparent Mode Virtual Domains
Only 10 Virtual Domains in Transparent mode are allowed in the standard FortiOS v2.80 images. Any additional VDoms configured after the first ten in the configuration file are deleted when upgrading to v2.80. Only FortiGate-3000 and higher models can support more than 10 VDoms, and this is a licensed feature.

• Web and Email Content Block List Files
The formats of the web and email content block list files (e.g. banword.dat) have changed in v2.80 and therefore, a v2.50 list file cannot be uploaded into v2.80. Existing block list entries in the FortiGate unit at the time of upgrade will be converted. Contact Fortinet Customer Support for help with upgrading web and email content block list files.

• HA Cluster Upgrade
To upgrade a High Availability cluster from a FortiOS v2.50 version, each cluster member must be upgraded while the unit is off-line and disconnected from the HA Cluster. While disconnected from the HA cluster, the HA-monitored interfaces of the unit must be connected to a hub or switch to prevent a "linkfail" state which will prevent login to the unit.

• CLI command hierarchy
In FortiOS v2.80 the CLI commands are now hierarchical. In general, a configuration area must be specified first (e.g. config system interface), then an item (e.g. edit port1) before a set or unset command can be issued.

A CLI prompt or a command followed by <TAB> cycles through the possible options; '? <ENTER>' displays a list of all possible options.


• CLI "set" command behaviour
The CLI "set" behaviour has changed in FortiOS v2.80. In v2.80, for a given "set" command, all of the parameters to be modified or enabled must be entered on the same line. This differs from FortiOS v2.50, which allowed separate "set" lines to be additive in constructing the command parameters. For example in v2.80, in the interface configuration, "set allowaccess http" followed by "set allowaccess telnet" results only in TELNET being enabled on the interface.
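The following Python interpreter is an added example, not FortiOS code: it models the hierarchical v2.80 CLI described in these notes (config / edit / set / unset / next / end) with "set" replacing a parameter's whole value, and runs the two-line "set allowaccess" script from the paragraph above beside the one-line form that enables both protocols. The nested-dict config tree and the allowaccess() helper are this example's own; the command grammar follows the release notes.

```python
"""Model of the v2.80 hierarchical CLI semantics (added example, not FortiOS code).

Walks a v2.80-style script line by line and stores the result in nested
dicts. The point demonstrated: "set" replaces the whole value of a
parameter, so two "set allowaccess" lines are not additive.
"""
import shlex
from typing import List, Tuple


def apply_script(script: str) -> dict:
    """Interpret a config script and return the resulting config tree."""
    tree: dict = {}
    cursor = tree
    # Each entry remembers the parent node and which keyword opened the scope.
    stack: List[Tuple[dict, str]] = []

    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]

        if cmd == "config":             # enter a configuration area
            stack.append((cursor, "config"))
            cursor = cursor.setdefault(" ".join(args), {})
        elif cmd == "edit":             # enter (or create) an item
            if not stack or stack[-1][1] != "config":
                raise ValueError(f"line {lineno}: edit outside config")
            stack.append((cursor, "edit"))
            cursor = cursor.setdefault(args[0], {})
        elif cmd == "set":              # replace the value, never append
            if not args:
                raise ValueError(f"line {lineno}: set needs a parameter")
            cursor[args[0]] = list(args[1:])
        elif cmd == "unset":
            cursor.pop(args[0], None)
        elif cmd == "next":             # close the current edit
            if not stack or stack[-1][1] != "edit":
                raise ValueError(f"line {lineno}: next without edit")
            cursor, _ = stack.pop()
        elif cmd == "end":              # close the config (and an open edit)
            if stack and stack[-1][1] == "edit":
                cursor, _ = stack.pop()
            if not stack or stack[-1][1] != "config":
                raise ValueError(f"line {lineno}: end without config")
            cursor, _ = stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown command {cmd!r}")

    if stack:
        raise ValueError("script ended inside an open block")
    return tree


def allowaccess(tree: dict, iface: str) -> List[str]:
    """Return the allowaccess list for an interface (empty if unset)."""
    return tree.get("system interface", {}).get(iface, {}).get("allowaccess", [])


# The pitfall from the release notes: the second "set" discards the first.
SEPARATE_LINES = """
config system interface
    edit port1
        set allowaccess http
        set allowaccess telnet
    next
end
"""

# The v2.80 way: every value for the parameter on one line.
ONE_LINE = """
config system interface
    edit port1
        set allowaccess http telnet
    next
end
"""

if __name__ == "__main__":
    print("separate lines ->", allowaccess(apply_script(SEPARATE_LINES), "port1"))
    print("one line       ->", allowaccess(apply_script(ONE_LINE), "port1"))
```

The first script leaves only telnet enabled on port1, which is exactly the behaviour the note warns about; the second leaves both http and telnet. The interpreter also rejects a script that ends inside an open block, which is a useful sanity check before pasting a migrated v2.50 configuration into a v2.80 unit.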

• VLAN Configurations
VLAN configurations are not retained when upgrading from FortiOS v2.50. Please manually update each value as per settings in FortiOS v2.50 after the upgrade.

• Custom Firewall Service Protocol Configurations
Custom Firewall Service Protocol Configurations are not retained when upgrading from FortiOS v2.50. Please manually update each value as per settings in FortiOS v2.50 after the upgrade.

• EmailFilter Subject Tags
Custom EmailFilter subject tags are not retained when upgrading from FortiOS v2.50. Please manually update each value as per settings in FortiOS v2.50 after the upgrade.

• Custom Interface DHCP Server Settings
Custom Interface DHCP server "dhcp-server mode" settings are not retained when upgrading from FortiOS v2.50 MR11 to FortiOS v2.80 MR11. Please manually update each value as per settings in FortiOS v2.50 MR11 after the upgrade.

2.5 Upgrading from FortiOS v2.80

For FortiGate units already on FortiOS v2.80, upgrade to at least v2.80 MR5 prior to upgrading to v2.80 MR11.

The following are additional caveats when upgrading from a previous FortiOS v2.80 build.

• Protection Profiles and AV Buffer-to-Disk
Ensure that all Protection Profiles have the AV Buffer-to-Disk option disabled prior to upgrading from a pre-MR4 version. Failure to do so will result in all AV scanning options disabled in all Protection Profiles after the upgrade.

• Spam Filter Lists
The Spam Filter List format was changed in v2.80 MR3 and restoring any old format lists will fail. Contact Customer Support for assistance in converting pre-MR4 lists. Existing lists in the FortiGate configuration are converted as part of the firmware upgrade process.

• User Domain and Firewall Policies
The User Domain function (MR2 and earlier) has been removed from MR3 and later releases. Any firewall policies that use User Domain will be deleted from the configuration when upgrading to v2.80 MR3. The User Domain function has been replaced by an expanded User Group function that allows a User Group to be associated with a Protection Profile. See the Enhancements Section for further details.

• HA Cluster Upgrade
To upgrade a High Availability Cluster from a previous FortiOS v2.80 version, only the Master unit needs to be upgraded if the current version is FortiOS v2.80. The Slave units will be automatically upgraded by the Master unit.


• IPSec Phase1 Peer ID Configuration Reset
When upgrading from MR7, the IPSec Phase1 Peer ID configuration is reset to "accept any peer ID". This is a problem with MR7 with the Peer ID setting saved incorrectly in the configuration in the non-volatile memory. MR9 correctly saves the Peer ID settings.

• Web Pattern Block Entries with Special Character
When upgrading from MR6 or earlier, web pattern block entries that use certain special characters are removed from the configuration. This issue has been fixed. The special characters are < > ( ) # " '

• Static NAT VIPs
In MR9, newly added static NAT VIPs do not work unless the configuration is rewritten prior to using it. For example,

1. configure static NAT VIP
2. add to firewall policy
3. re-apply any existing setting in the current configuration, such as a firewall address

However, if step 3 is skipped, the static NAT VIP will not work. Existing VIPs prior to upgrade are not affected.

2.6 Downgrade Notice

In order to downgrade to v2.50 or an earlier version of v2.80, it is necessary to first reformat the hard drive for FortiGate models 200 and above. The special hard drive formatting image must be loaded using the Boot ROM TFTP reload procedure. Contact Customer Support for obtaining reformatting images and instructions.

NOTE: All configuration settings are lost and set to factory defaults when a downgrade is performed (TFTP reload or WebUI downgrade).

2.7 FortiManager System Support

FortiOS v2.80 MR11 will be supported in FortiManager v3.00 GA. Attempts to use earlier FortiManager versions to control and configure FortiGate units running FortiOS v2.80 MR11 may result in unpredictable behaviour or configuration errors.


3 FortiOS v2.80 Features

A short summary of the features in FortiOS v2.80 appears below. Refer to the FortiOS v2.80 User and Reference Guides for further information.

3.1 System

3.1.1 Role Based Administration

Description: Prior to the FortiOS v2.80 release, multiple system administrators could be created per FortiGate unit, with each assigned different access rights from read only to read/write. More granularity has been added in FortiOS v2.80 to expand the access rights from the system level to the object level. With FortiOS v2.80, the following objects within a FortiGate unit can be configured for each system administrator as "Not Accessible", "Read Only", and "Read/write":

• Device status
• Log and report
• Device configuration
• Users
• Security Policy
• Administrator

This permits definition of multiple administrator users with varying read and write capabilities based on administrator profiles. For example, a Cryptographic officer may be assigned an administration user profile with only read-write capabilities for the VPN area of the firewall. Administrators have access to all of the virtual domains on the FortiGate unit. Administrators logging into the CLI or web-based manager always log into the root domain and then must enter the virtual domain that they want to administer.

3.1.2 Configuration File Backup Improvements

Description: FortiOS v2.80 provides a consolidated backup function, enabling backup for system configuration, content filtering URL list, content filtering key words, content filtering exempt list, email filtering black and white list as well as key words, and NIDS/IDP settings, in a single place on the WebUI.

Description: DHCP server leases will now be backed up whenever the system restarts (e.g. reboot, shutdown, reload, mode change, or upgrade). This preserves the dynamic IP assignments when the FortiGate unit is acting as a DHCP server.

3.1.3 Redesigned WebUI

Description: The WebUI has been redesigned extensively for improved usability and convenience.

• Improved status and session monitoring
• Improved workflow through rearranging some functional tasks (e.g. Maintenance page for download of all configuration and settings)
• Improved usability of complex WebUI pages (optional "advanced" sections to configure complicated functions)
• Access the CLI from the WebUI pop-up window
• Improved security (support for TLS)
• Context-sensitive online help
• Improved support for Netscape™ and Mozilla™ browsers
• Browser window title shows FortiGate hostname
• New Log-in screen that hides the sidebar menu prior to log-in to the FortiGate Antivirus Firewall
• Pop-up window for formatting of hard disk after upgrade if required (post-MR4 releases)
• Formatted Log display to view the log messages from the WebUI in "raw" format or a parsed column format. To preserve a custom column setting and order for the current login session, cookie support must be enabled in your HTML browser.

• Service Availability Icons


Description: Coloured status icons are now used to indicate Update Center and FortiGuard availability.

• Content Summary

Description: Content Summary section in System Status screen shows recent HTTP, FTP, and email activity.

• Policy ID in Session Monitor

Description: The session monitor page in the WebUI now shows the corresponding firewall policy ID number.

3.1.4 Redesigned CLI

Description: Version 2.80 of the FortiOS introduces major changes to the Command Line Interface (CLI). The method of entering commands, as well as the structure, navigation, command types, and command branches have all changed. Type "tree" to view the entire CLI command tree of commands and options (this is a long list). For a comparison of FortiOS versions 2.50 and 2.80 command branches, see the following table.

CLI enhancements
The FortiGate CLI functionality has been enhanced with the following changes:

• Basic HA information is added to the output of "get system status"
• DHCP and PPPoE information is now displayed in CLI "get system interface"

Comparison of FortiOS versions v2.50 and v2.80 command branches

v2.50      v2.80          Description of change
set        config, set    The config command branch replaces the set command branch. The config branch uses configuration shells. The set command is still used for setting functional parameters.
unset      unset          The unset function has been moved under the config branch.
get        get            The get command branch has some changes to how it functions.
execute    execute        The execute command branch has been updated.
(none)     show           The show command branch is new.
diagnose   diagnose       The diagnose command branch has been updated.

See the FortiOS v2.80 CLI Reference Guide for a complete description of how to use the v2.80 CLI structure.

Note: FortiOS v2.50 CLI commands are incompatible with the FortiOS v2.80 CLI commands. Attempts to restore a configuration file from FortiOS v2.50 will fail. An existing FortiOS v2.50 configuration can be upgraded, or a new configuration must be entered via the FortiOS v2.80 CLI or WebUI.

3.1.5 Dynamic DNS Support

Description: FortiOS v2.80 adds Dynamic DNS (DDNS) support to the interface configuration to map a dynamic IP address to a static hostname. Newly supported DDNS servers include: dhs.org, dyndns.org, dyns.net, ods.org, tzo.com, dnsalias.com, dnsart.com, vavic.com, dipdns.com, now.net.cn

3.1.6 Multiple Secondary IP Addresses Per Interface

Description: An interface can now be assigned multiple secondary IP addresses. In FortiOS v2.50 only a single secondary IP address was allowed; FortiOS v2.80 allows up to 32 secondary IP addresses. This is a CLI-only command.

3.1.7 IPv6 Traffic Forwarding

Description: FortiOS v2.80 provides forwarding of IPv6 traffic and is configured through the CLI. (Other FortiGate functions such as firewall policies, content filtering, AV scanning, etc. are currently not available for IPv6 traffic.)


3.1.8 ADSL (PPPoE) Connection Idle Timeout Support

Description: To better support ADSL environments using PPPoE, where service providers bill based on connection time, an idle timeout option can be configured to automatically disconnect the connection after a period of inactivity.

In PPPoE mode there are now two additional options on "system interface": lcp-echo-interval and lcp-max-echo-failures. lcp-echo-interval controls the interval in seconds between LCP echo requests, and the max failures value sets the number of missed requests before the PPP link is considered dead and reconnected.
CLI commands:

config system <interface>
    set mode pppoe
    set lcp-echo-interval <seconds>
    set lcp-max-echo-fails <# of attempts>
end

3.1.9 PPPoE and DHCP Relay Support

Description: Dynamic addressing using PPPoE on an interface can now support DHCP relay to allow client DHCP requests to be forwarded to a pre-configured DHCP server accessible from another FortiGate interface.

3.1.10 Virtual Domain Support in NAT and Transparent Modes

Description: Virtual Domain (VDom) is used in conjunction with VLAN technology to allow customers to create multiple, independently managed security domains, either to secure discrete departments within an enterprise or as the basis for a service provider’s managed security service.

FortiOS v2.36 and v2.50 releases support 802.1q VLAN processing, a pre-requisite of VDom functionality. VDom functionality extends these capabilities to provide more complete and granular virtualization, with the following key features:

• Multi-tier security domain design concept: One FortiGate unit can have multiple VDoms, and within each VDom, multiple security zones plus interfaces can be defined – each zone further made of physical interfaces as well as sub-interfaces mapped to VLAN tags; no traffic is allowed between VDoms
• Firewall policies and addresses configurable on a per VDom basis
• Logging and reporting on a per VDom basis
• 802.1Q VLAN trunking
• 802.1Q VLAN tagged packet processing
• AV profiles, firewall services, system times, etc. are shared across all VDoms
• Virtual router support on a per VDom basis in NAT/Route mode, so that overlapping IP addresses defined in different VDoms are supported
• 2 VDoms are supported for NAT/router mode and 10 VDoms in Transparent mode in all FortiGate models with the standard FortiOS v2.80 firmware. (In pre-MR4 releases, only 2 VDoms were supported in NAT and Transparent mode operation.)
• Greater than 2 VDom support requires a special version of FortiOS available as an extra-cost option on the FortiGate-3000 and higher models, and is dependent on the number of VDoms supported.

3.1.11 Improved "out-of-the-box" Usability for SOHO Models

Description: For FortiGate-100 models and lower, the following features make set-up easier and quicker:

• HTTP is enabled by default on the Internal interface
• DNS Forwarding – The client PC sets its DNS server address to the local FortiGate interface, and all DNS requests sent to the FortiGate unit are relayed to the DNS server configured in the FortiGate unit (GUI: System > Network > DNS).


3.1.12 Support Extended and Non-Latin1 (ISO 8859-1) Characters

Description: Non-alphanumeric characters such as underscore ("_") and "@" are now supported in the Username and Password fields. Non-Latin1 (ISO 8859-1) characters can also be used in the configuration for object names such as usernames, groups, IPSec tunnels, etc.

3.1.13 User Field Improvements

Description: The allowable user field parameters have been improved to provide:

• Increased maximum length of 20 single-byte characters for the LDAP CN ID field
• Permitted whitespace character in user names

3.1.14 One-Button Transmission of FortiGate System Info For Troubleshooting

Description: FortiOS v2.80 provides a handy button on the WebUI for system administrators to send troubleshooting information to Fortinet and partner support personnel, including the current version of the FortiOS system, the version of the AV and NIDS definition files, system configuration, etc. Prior to use of this feature, you should first contact Customer Support to obtain a FortiCare Ticket number to include in your submission. Fortinet does not guarantee any response to any query unless a FortiCare Ticket has been assigned. (GUI: System > Maintenance > Support > Report a Bug)

3.1.15 IEEE 802.11 WLAN Client Mode Supported

Description: On the FortiWiFi-60, IEEE 802.11b/g client mode is now supported. Previous FortiOS versions only supportedaccess point mode. This is configured from the WLAN GUI or CLI commands.

3.1.16 Alert Email Address Length

Description: The maximum length for an alert email address has been increased to 63 single-byte characters. The previousmaximum was 34 characters in the WebUI.

3.1.17 Console Paging Mode

Description: The console can be configured to output in a paged "more" mode or a standard mode. The CLI session must be restarted for the new mode to take effect.
CLI commands:

config system console
    set output more
end

config system console
    set output standard
end

3.1.18 LCD

Description: Changes entered on the LCD panel can be aborted by pressing the "ESC" key. Previously, the data entry hadto be completed.

Description: The HA status is now displayed on the LCD display of models supporting HA and LCD displays. The LCD will show one of "Standalone, Primary, or Slave #", along with the mode "A-A or A-P."


3.1.19 Compressed Configuration Back-up Files

Description: When backing up "all configuration files" from the WebUI (System > Maintenance), a compressed zip file is now used to save space. This new compressed version is created after the first configuration change made after upgrading to MR5.

3.1.20 AV/NIDS Updates

Fortinet Protection System Server Connection Reliability
Description: To improve reliability of the scheduled AV/NIDS update during busy network periods (e.g. after a Push Update Notification is received by the FortiGate unit), the 'minute' field of the scheduled update is assigned a random value. The 'minute' field can still be configured through the CLI. Any 'minute' value (0-59) is now allowed, and a value of 60 means the FortiGate unit chooses a random value.

3.1.21 Internal Modem Support for FortiGate-60M

Description: The FortiGate-60M model is supported in MR8 and later. The 60M combines a built-in "56K" modem with the popular FortiGate-60 platform to provide a convenient solution for installations requiring a dial-up backup or for secured Point-of-Sale configurations.

3.1.22 Bug Reporting

Description: New simplified format for the bug reporting page in the WebUI (System > Maintenance > Support > Report Bug). The bug report is sent in an encrypted attachment to Fortinet Customer Support. Responses to submissions require a separate request to your regional Customer Support contact.


3.1.23 Alert Message Console

Description: A new display section in the GUI has been added to inform firewall administrators of certain critical events that have occurred. It is called the Alert Message Console and is accessed in the System > Status page. The events that are displayed are:

• system reboots
• firmware upgrades
• connection limit reached

3.1.24 Forwarding Domains

Description: A new feature has been added to the FortiGate firewall that can be used as a filter to control how broadcast traffic is forwarded to each interface.

Administrators can now assign "forwarding domain" memberships to each FortiGate firewall interface. When a broadcast arrives on an interface that belongs to one forwarding domain 'X', only interfaces that belong to that forwarding domain are forwarded the broadcast traffic.

Note: This feature is only available when the FortiGate firewall is in transparent mode.

3.2 High Availability

3.2.1 Non-dedicated HA Port

Description: HA cluster communication can now be configured for one or more interfaces. Enabling cluster communication for more interfaces increases reliability. If an interface fails, cluster communication can be diverted to other interfaces. By default, HA cluster communication is enabled for two interfaces: the DMZ or HA interface and the normal external interface.

3.2.2 Link Fail-over

Description: If a monitored cluster member interface detects a link failure, the cluster member reports the status of its links to the primary unit. The primary unit attempts to re-balance traffic according to the link failure status of all cluster members. If an interface on the primary unit detects a link failure, the cluster member with the next highest HA score becomes the primary unit. Note that AV scanned sessions do not fail-over when a cluster member fails.

3.2.3 Firmware Upgrade and Configuration Upload

Description: To improve ease of maintenance, HA in v2.80 supports firmware upgrade and configuration upload while in operation. Once the master unit has been updated, the slave cluster members will be automatically updated.

3.2.4 HA Link Security

Description: HA data is now encrypted between members of an HA cluster. This reduces the effectiveness of a malicious attack through re-play or spoofed data using the HA interfaces.

3.2.5 Support for FortiGate-60/100/200 and FortiWiFi-60 Models

Description: HA is now supported on FortiGate-60, FortiGate-100, FortiGate-200 and FortiWiFi-60 models. For the FortiWiFi-60, the WLAN interface is not a supported HA interface.


3.2.6 HA Active-Active Mode Now Can Load Balance Non-AV Traffic

Description: HA Active-Active mode can now load-balance all TCP sessions. Previously, only AV scanned traffic (e.g. HTTP, SMTP, POP3, etc.) would have the sessions distributed among the HA cluster members. Load-balancing is disabled by default. Note that AV scanned sessions do not fail-over when a cluster member fails.

3.2.7 HA Synchronization Status

A new CLI command has been added to show if slave and primary units have synchronized.
CLI command:

diag sys ha checksync

3.3 Router

3.3.1 Policy Route WebUI

Description: Previously only available through the CLI, FortiOS v2.80 MR3 allows configuration of static policy routes through the WebUI (Router > Policy). Policy routing will route packets based on:

• Source address
• Protocol, service type, or port range
• Incoming or source interface

3.3.2 Routing Monitor

Description: The FortiGate routing table can now be viewed from the WebUI (Router > Monitor) or CLI ("get router info routing_table"). This allows the administrator to view all the static and dynamic routes that influence traffic routing.

3.3.3 Enhanced RIP Routing Protocol Support

Description: RIP routing protocol support has been enhanced to include:

• Classful and Classless subnet support
• Keychain security
• Offset, distribution, and redistribution lists
• Access, prefix, and router map lists
• Split horizon
• Database and status viewing

3.3.4 OSPF Routing Protocol Support

Description: OSPF routing protocol support has been added in FortiOS v2.80 with the following features:

• OSPF Version 2 Support
• OSPF Area Support (50 maximum)
• Route Redistribution with Type
• Multiple Instances Support (OSPF per virtual domain)
• Opaque LSA Support
• Database Overflow Support
• Simple Password Authentication
• MD5 authentication
• OSPF Hello Parameter Configuration
• OSPF Interface Configuration (100 maximum)
• OSPF NSSA
• Type 1 and Type 2 External
• Virtual Links Support


3.4 Firewall

3.4.1 Protection Profile

• Menus

Description: FortiOS v2.80’s Protection Profile renames the "Content Profile" menu option in v2.50, adds new functionality, and provides improved information consolidation for improved usability. Protection Profile provides the following profile categories under v2.80:

• Anti-Virus
• Web Filtering
• Web Category Filtering
• Spam Filtering
• IPS
• Content Archive

• User Groups
Description: An expanded User Group function allows a User Group to be associated with a Protection Profile. This replaces the User Domain function in earlier v2.80 releases.

The new simplified method for configuring authentication groups is:
1. Configure local user
2. Configure local user group, selecting the protection profile associated with this group
3. In policy configuration, when authentication is enabled, select one or more groups as the allowed authentication groups

• HTTP Resume Block

Description: An option for the Protection Profiles is "HTTP resume block" to prevent partial downloads of files that may be used to evade the FortiGate AV scanner. This is a similar feature to blocking fragmented mail (SMTP, POP3, IMAP) messages.

3.4.2 Improved Custom TCP/IP Support and Pre-defined Services

Description: Custom TCP/IP services can now be defined for ICMP in addition to TCP and UDP. There are new pre-defined services for traffic types such as AOL and MSN Messenger.

3.4.3 Increased Maximum Number of Policy Routes on High-end Models

Description: In MR8 and later, the maximum number of policy routes on FortiGate-800 models and above has beenincreased to 250 from 100.

3.4.4 IP Address Ranges

Description: The IP addresses for firewall policies may now be specified as a range as well as the typical subnet groupings. The range is limited to span 256 addresses. As of v2.80 MR4, this includes Encrypt (IPSec) firewall policies.

3.4.5 Multiple IP Pools

Description: Multiple IP pools per interface are now supported and for NAT-enabled policies the assigned NAT-source address is randomly selected from the IP pool rather than being limited to the IP address of the destination interface. The IP pools can also contain IP addresses belonging to subnets that are different from the subnet of the interface on which the IP pools are defined.

• Increased Number of IP Pools
In MR7 and later, all models now support up to a maximum of 512 IP pools for NAT firewall policies. IP pools are created with Address Groups defined in the Firewall configuration area. The previous maximum was 50 IP pools.


3.4.6 DiffServ Settings

Description: The DiffServ bits (DSCP – differentiated services code/control point) of incoming and outgoing packets can be overwritten to specific values to support the QoS policies of a network. The default behaviour is to pass the DiffServ bits from source to destination packets unchanged.

3.4.7 Static NAT (SNAT) Port Floating

Description: Static NAT port assignment for outbound-NAT will now always override the source port and assign the source port into the upper range, and thus prevent any collision-related problems for self-originated traffic.

3.4.8 SIP Support

Description: Support for Session Initiation Protocol (SIP) has been added for MR10. The following scenarios are supported:

A and B: SIP terminals
P: proxy

• A ---- FGT ---- B, A calls B. This works in both transparent and routed modes with or without NAT enabled.

• A ---- FGT ---- P ---- B, A registers with P, A calls B or B calls A. This works in both transparent and routed modes with or without NAT enabled. Note that P and B must be behind the same FortiGate interface.

• A, B ---- FGT ---- P, A and B register with P, A calls B. This works in transparent mode only. NAT mode is not supported. Note that A and B must be behind the same FortiGate interface.

Note that VIPs are not supported, so A and B in the above scenarios can not be a VIP mapped destination.

3.5 FortiGuard – Antivirus

3.5.1 Heuristic Virus Detection

Description: The FortiOS v2.80 release includes heuristic detection of viruses, worms, and Trojan attacks, which complements existing signature-based detection and is especially effective at detecting new, or so-called "Zero Day", attacks. In this first phase, binary executable files are scanned for the common techniques used by malicious code to take control of program flow execution.

3.5.2 Grayware Protection

Description: FortiOS v2.80 provides a new category of antivirus protection called Grayware. Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious means – such as gathering personal information or surfing patterns. This feature is configurable through the Protection Profiles.

3.5.3 Submit Quarantined Virus Sample to Fortinet

Description: FortiOS v2.80 allows system administrators to submit files that have been quarantined by their FortiGate units to Fortinet’s Threat Response Team through a simple, one-button click from the FortiGate WebUI. (Antivirus > Quarantine > Config > Enable Autosubmit, and Antivirus > Quarantine > AutoSubmit for file pattern specification.)

3.5.4 HTML Link for Scanned Virus Detection

Description: In the event that log records are generated for virus and worm detection, an HTML link will be provided that points to the Fortinet virus encyclopedia definition available on the Fortinet website.


3.5.5 Append Customized Text to Email Messages

Description: The FortiOS v2.80 release allows the system administrator to define a message that will be appended to email messages destined for addresses outside of the network protected by a FortiGate unit. For example, for a law firm, this user-definable message could be a disclaimer for the firm; for another firm, the message can state that this particular mail is virus free as inspected by a FortiGate Antivirus Firewall. This feature gives the system administrator more flexibility in managing their corporate messaging policy.

3.5.6 PPTP and L2TP AV scanning

Description: When the FortiGate is a terminating end-point of a PPTP or L2TP tunnel, the tunnel contents can now be AV scanned. This complements the ability to scan IPSec tunnel traffic supported by previous FortiOS releases.

3.5.7 High-end Models AV Optimize Command

Description: On high-end models (FortiGate-3000 and higher) optimisation for AV or throughput is available to achieve the best AV scanning performance. The CLI commands "config system global" > "set optimize antivirus" will optimize FortiGate operation for AV and is the system default. Note that this command will reboot the FortiGate unit.

3.5.8 Antivirus Scan Support for ARJ Compression Format

Description: The ARJ compression format is now supported for antivirus scanning.

3.5.9 File Uncompression Maximum for AV Scanning

Description: The FortiGate Antivirus Firewall has the ability to scan compressed files by first performing a decompression to get to the target file. A new CLI option for the maximum uncompressed size to scan has been added to allow the administrator to specify any value, in megabytes, within the available memory range, as well as 0 for no limit. The default is 10 MB.
CLI commands:

conf antivirus service <http, ftp, pop3, imap, smtp>
    set uncompsizelimit 10
end

3.5.10 Windows Control Panel Extensions Support

Description: To better deal with specific situations where Windows Control Panel Extensions are used to spread viruses or malicious code, *.cpl has been added to the default list of fileblock patterns. However, the *.cpl pattern will not appear after an upgrade to MR9 is performed because the upgrade routines do not add new items into the list to prevent overwriting the current list, which may or may not be customised. In order to have *.cpl appear in the list in MR9, you must explicitly add *.cpl for fileblock prior to upgrading through the WebUI. When TFTP upgrading, the entry is added to the list by default.

3.5.11 FortiGuard – Antivirus and FortiGuard – Intrusion Protection

Description: Currently, if an update to the AV Engine, AV Signature Database, or NIDS Signature Database is required, theentire AV Enginecode and the complete databases for AV and NIDS Signatures are sent, even if only a few signatures havechanged or if one line of code in the AV Engine has changed. This method consumes a lot of bandwidth on networkconnections. MR10 introduces incremental updates. Updates are accomplished by sending only the changes betweenversions of the AVEngine, AV Signature Database, or NIDS Signature Database. Here is an example of how it works for aFortiGate running FortiOS v2.80 with AV Signature Database v4.639:

1 The FortiGate sends versioning information to the FDS.
2 The FDS sends the required incremental updates to the FortiGate:
   • The FDS has AV Signature Database v4.642.
   • Since the FortiGate has v4.639, it needs to be updated.
   • The FDS sends 3 incremental updates (v4.640, v4.641, and v4.642).
   • The FortiGate applies the incremental updates to its current version and now has AV Signature Database v4.642.


Note: If the required incremental updates are not available on the FDS, the full update is sent instead.
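The exchange above, worked through as an added example (example code written for these notes, not Fortinet code): the FortiGate's version is compared with the latest on the FDS, the chain of deltas is selected one version at a time, each delta is applied only if it was built against the database version currently installed, and a missing step falls back to the full database. The version numbers, signature names and patterns are constructed.

```python
# Added example for these notes (not Fortinet code): how an FDS-style
# incremental update chain is selected and applied, including the
# fall-back to a full update when a step is missing. Version numbers,
# signature names and patterns are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]


def parse_version(text: str) -> Version:
    """'v4.639' -> (4, 639)."""
    major, minor = text.lstrip("v").split(".")
    return int(major), int(minor)


def fmt(v: Version) -> str:
    return f"v{v[0]}.{v[1]}"


@dataclass
class Delta:
    """One incremental update: valid only on base 'src', produces 'dst'."""
    src: Version
    dst: Version
    added: Dict[str, str] = field(default_factory=dict)  # name -> pattern
    removed: List[str] = field(default_factory=list)


@dataclass
class SignatureDB:
    version: Version
    signatures: Dict[str, str]

    def apply(self, d: Delta) -> None:
        # A delta built against another base would silently corrupt the
        # database if applied, so the base version is checked first.
        if d.src != self.version:
            raise ValueError(f"{fmt(d.src)}->{fmt(d.dst)} does not apply to {fmt(self.version)}")
        for name in d.removed:
            self.signatures.pop(name, None)
        self.signatures.update(d.added)
        self.version = d.dst


def plan_update(current: Version, latest: Version,
                deltas: Dict[Version, Delta]) -> Optional[List[Delta]]:
    """Return the ordered chain of deltas from current to latest, an empty
    list if already current, or None if any step is unavailable (the FDS
    then sends the full database instead)."""
    chain: List[Delta] = []
    v = current
    while v < latest:
        d = deltas.get((v[0], v[1] + 1))  # deltas are keyed by destination version
        if d is None or d.src != v:
            return None
        chain.append(d)
        v = d.dst
    return chain


def update(db: SignatureDB, latest: Version, deltas: Dict[Version, Delta],
           full_db: Dict[str, str]) -> str:
    """Bring db to 'latest' and report how: incremental, full or up-to-date."""
    chain = plan_update(db.version, latest, deltas)
    if chain is None:
        db.signatures = dict(full_db)
        db.version = latest
        return "full"
    if not chain:
        return "up-to-date"
    for d in chain:
        db.apply(d)
    return "incremental"


# Constructed FDS state: latest database v4.642 and deltas for 640..642.
FDS_LATEST = parse_version("v4.642")
FDS_DELTAS: Dict[Version, Delta] = {
    (4, 640): Delta((4, 639), (4, 640), added={"W32/Sample.A": "deadbeef"}),
    (4, 641): Delta((4, 640), (4, 641), added={"W32/Sample.B": "cafebabe"}, removed=["Old/Stale"]),
    (4, 642): Delta((4, 641), (4, 642), added={"W32/Sample.C": "feedface"}),
}
FDS_FULL_DB = {"W32/Sample.A": "deadbeef", "W32/Sample.B": "cafebabe", "W32/Sample.C": "feedface"}


def demo_incremental() -> Tuple[str, str, int]:
    """FortiGate at v4.639 with every step available: three deltas applied."""
    db = SignatureDB(parse_version("v4.639"), {"Old/Stale": "00"})
    how = update(db, FDS_LATEST, FDS_DELTAS, FDS_FULL_DB)
    return how, fmt(db.version), len(db.signatures)


def demo_fallback() -> Tuple[str, str]:
    """Same FortiGate, but the v4.641 delta is missing: full update instead."""
    db = SignatureDB(parse_version("v4.639"), {"Old/Stale": "00"})
    partial = {k: d for k, d in FDS_DELTAS.items() if k != (4, 641)}
    how = update(db, FDS_LATEST, partial, FDS_FULL_DB)
    return how, fmt(db.version)


if __name__ == "__main__":
    print(demo_incremental())
    print(demo_fallback())
```

The base-version check in apply() is the part worth keeping in any real implementation: a delta is only meaningful relative to the exact database it was generated from, and applying it to anything else produces a database that reports the new version while carrying the wrong contents.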

3.6 VPN

3.6.1 IPSec Tunnel Support in Transparent Mode

Description: FortiOS v2.80 supports IPSec VPNs constructed in Transparent mode as well as in NAT/Route mode. All IPSec VPN features that are available in NAT/Route mode, except for Concentrator (hub and spoke), are available in Transparent mode.

3.6.2 DHCP Support Over IPSec

Description: In FortiOS v2.80, DHCP over IPSec is supported by DHCP relay to an external DHCP server. In many remote access scenarios, a mechanism for making the remote host appear to be present on the local corporate network is useful. This may be accomplished by assigning the host a "virtual" address from the corporate network, and then tunnelling traffic via IPSec from the host's ISP-assigned address to the corporate security gateway. (Note: If the target DHCP server is on a different subnet from a FortiGate interface, a static route to the DHCP server's subnet must be manually entered into the FortiGate routing table.)

3.6.3 User Authentication via RSA SecurID™

Description: FortiOS v2.80 supports user authentication for IPSec tunnels using RSA SecurID™. The user must be configured in a RADIUS server to require SecurID™ authentication.

3.6.4 IP Address Range Support in IPSec Firewall Policies

Description: Prior to MR4, firewall ENCRYPT policies for IPSec traffic had to use standard IP subnet ranges to specify the source and destination addresses. With MR4, arbitrary IP ranges are supported in the Firewall Address definition (WebUI: Firewall > Address).

3.6.5 Overlapping Address Support

Description: FortiOS v2.80 supports site-to-site VPN configurations in which the subnet addresses overlap between the two sides of the tunnel.

Method 1: Outbound NAT
Configure outbound NAT for the two subnets on the two sides that have the same addressing scheme to support the address overlap on the two sides.

Method 2: VIP over IPSec
Use VIP addresses set to the FortiGate external IP address to map the hosts on either side of the tunnel. For example, to allow host1 to access host2 in the following scenario:

    host1 -------- FG1 --------- FG2 --- host2
    10.0.0.1                             10.0.0.2

Set a VIP on FG1 that resolves to the host2 address, and a VIP on FG2 that points at host1. Phase 2 wildcard selectors must be selected.

3.6.6 Central Site Internet Access

Description: For IPSec tunnels, all traffic, including Internet-bound traffic, can be sent through the tunnel to the central site VPN Gateway. This allows consistent application of traffic filtering policies to be extended to the remote sites.


3.6.7 IPSec Dynamic DNS support

Description: Using DynDNS, IPSec VPN tunnels can be constructed even when dynamic IP addresses are used on the termination points of the tunnel. FortiOS v2.80 provides full support for Dynamic DNS, enabling the FortiGate unit to automatically register itself with a number of available Dynamic DNS services whenever the external interface IP address changes, either through a user-initiated change or through the dynamic addressing schemes implemented by IP service providers.

3.6.8 Policy Selector in IPSec Phase2

Description: To better support multiple dial-up clients, IPSec Phase2 now supports a means to specify a firewall policy. To specify the firewall encryption policy source and destination IP addresses, select Specify a selector and then select the names of the source and destination addresses from the Source address and Destination address lists. You may also optionally specify source and destination port numbers and/or a protocol number. If this option is set, clients cannot propose a subnet/range selector. CLI commands:

config vpn ipsec phase2
    edit <phase2 name>
        set single-source enable
end

3.6.9 Site-to-Site/Dialup Tunnels

Description: Internet browsing is now supported through site-to-site VPN tunnels (static tunnels) as well as dialup VPN tunnels.

3.7 Spam Filter

3.7.1 Content Filtering

Description: Email content filtering features first provided in FortiOS v2.50 have been significantly enhanced to provide a much more powerful anti-spam function that includes the following features:

• Email content filtering support for SMTP, IMAP, and POP3 protocols
• Verification against DNSBL (DNS-based Black Lists) or ORDB (Open Relay Database)
• DNS lookup
• Action for spam email: options to Reject / Delete
• Support for content-based lists
• MIME Header Checking
• Reporting capabilities

DNSBL and ORDB lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through. The FortiGate unit compares the IP address or domain name of the sender to any database lists you configure, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter. (Note: The term "RBL" (Real-time Black List) is a type of DNSBL and is a registered trademark of MAPS LLC.)

Reverse DNS look-up helps to counter email address spoofing by resolving the domain the SMTP mail server declares in its HELO and comparing the result with the IP address the server is actually connecting from. The return email address can also be checked for a valid domain with Reverse DNS look-up.

Keyword and phrase lists have been improved to allow wildcards and Perl regular expressions, as well as the ability to specify which part of the email message to scan (header, body, or all).

A MIME headers list can be used to block or clear email from certain programs or with certain types of content. The Spam Filter compares the MIME header key-value pairs of the sender to the list pairs in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter. The firewall protection profiles provide a means for applying specific anti-spam functions on a policy-by-policy basis.
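The sequential evaluation described in the paragraphs above, worked through as an added example (example code written for these notes, not Fortinet code): DNSBL servers, the MIME header list and the banned-word list are consulted in that order, the first match decides the action, and a message that matches nothing passes. DNS is replaced by a constructed lookup table so the example runs offline; the list zones, header patterns, banned phrases and sample messages are all constructed, and the "clear" action is modelled as "deliver and stop checking".

```python
# Added example for these notes (not Fortinet code): the sequential list
# evaluation described above. DNSBL servers, a MIME header list and a
# banned-word list are consulted in order; the first match decides the
# action, otherwise the message passes to the next list. DNS is replaced
# by a constructed lookup table so the example runs offline; the list
# zones, headers, patterns and sample messages are all constructed.
import re
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List, Optional, Tuple

PASS, REJECT, DELETE, CLEAR = "pass", "reject", "delete", "clear"

# Configured lists, evaluated in this order. CLEAR means "deliver and stop
# checking", the whitelisting use of the MIME header list.
DNSBL_SERVERS: List[Tuple[str, str]] = [("bl.example", REJECT), ("relays.example", DELETE)]
MIME_HEADERS: List[Tuple[str, str, str]] = [
    ("Precedence", r"^bulk$", CLEAR),          # our own newsletter system
    ("X-Mailer", r"^BulkBlaster\b", DELETE),   # a known spam tool
]
# Perl-style regular expressions; \b keeps "free money" from matching inside a longer word.
BANNED_WORDS: List[Tuple[str, str]] = [(r"\bfree money\b", REJECT), (r"\bv[i1]agra\b", DELETE)]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets and append the list zone,
    e.g. 192.0.2.10 under bl.example becomes 10.2.0.192.bl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed stand-in for DNS: a name that is present is "listed"; a real
# DNSBL answers with an A record (typically in 127.0.0.0/8) for listed
# addresses and NXDOMAIN for everything else.
FAKE_DNS: Dict[str, str] = {
    dnsbl_query_name("192.0.2.10", "bl.example"): "127.0.0.2",
    dnsbl_query_name("198.51.100.7", "relays.example"): "127.0.0.3",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def message_text(msg: Message) -> str:
    """Subject plus every text/plain part, the region the word list scans."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def filter_message(raw: str, sender_ip: str,
                   resolve: Callable[[str], Optional[str]] = fake_resolve) -> Tuple[str, str]:
    """Run the lists in sequence and return (action, reason)."""
    msg = message_from_string(raw)

    # 1. DNSBL / ORDB lookups on the connecting server's address.
    for zone, action in DNSBL_SERVERS:
        if resolve(dnsbl_query_name(sender_ip, zone)) is not None:
            return action, f"{sender_ip} listed in {zone}"

    # 2. MIME header list: key/value pairs compared in sequence.
    for header, pattern, action in MIME_HEADERS:
        value = msg.get(header)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            return action, f"{header}: {value}"

    # 3. Banned words and phrases over subject and body.
    text = message_text(msg)
    for pattern, action in BANNED_WORDS:
        m = re.search(pattern, text, re.IGNORECASE)
        if m:
            return action, f"banned word {m.group(0)!r}"

    return PASS, "no list matched"


# Constructed sample messages.
SAMPLE_CLEAN = "From: a@example.net\r\nTo: b@example.org\r\nSubject: meeting\r\n\r\nSee you at 10.\r\n"
SAMPLE_TOOL = "From: x@example.net\r\nX-Mailer: BulkBlaster 2.0\r\nSubject: news\r\n\r\nHello\r\n"
SAMPLE_WORDS = "From: y@example.net\r\nSubject: FREE MONEY inside\r\n\r\nClaim your free money now.\r\n"
SAMPLE_NEWSLETTER = "From: news@example.org\r\nPrecedence: bulk\r\nSubject: free money tips\r\n\r\nBudgeting.\r\n"

if __name__ == "__main__":
    print(filter_message(SAMPLE_CLEAN, "192.0.2.10"))        # DNSBL hit
    print(filter_message(SAMPLE_TOOL, "203.0.113.5"))        # MIME header hit
    print(filter_message(SAMPLE_WORDS, "203.0.113.5"))       # banned phrase
    print(filter_message(SAMPLE_NEWSLETTER, "203.0.113.5"))  # cleared before the word list runs
    print(filter_message(SAMPLE_CLEAN, "203.0.113.5"))       # passes
```

The newsletter case shows why list order matters: its subject contains a banned phrase, but the MIME header list runs first and clears it, so the word list never sees it. Word-list patterns are anchored with \b on purpose; an unanchored pattern matches inside unrelated longer tokens and produces false positives.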

3.7.2 FortiGuard – AntiSpam Service

Description: Prior to MR10, this subscription-based service was labeled FortiSpamshield in the GUI; the name has been updated for MR10. Please see the Special Notices section for a description of all of the subscription-based services. FortiGuard – AntiSpam is a subscription-based service providing antispam definition updates (initially DNSBL, or DNS-based black lists) through the FortiGuard - AntiSpam servers and is supported from MR4 and later. This service is available as of 2004 - Q4. (Note: Port UDP/8889 is used by the FortiGate unit to communicate with the FortiGuard - AntiSpam servers and may require further configuration of upstream firewalls.)

In MR7 and later, there are new options in the firewall protection profile and a new FortiGuard - AntiSpam configuration screen in the Spam Filter menu to enable the service and set the cache timeout.

Administrators can check if a domain is on the black-list through the website http://www.nospammer.net. Submissions of spam email samples can be sent to "[email protected]".

Description: FortiGuard - AntiSpam adds URL look-up to the existing IP address look-up to check for known spam sources and spam emails. The firewall protection profiles now have an option to enable FortiGuard - AntiSpam URL checking. The WebUI has a new check-box option, while the CLI adds a new command:

config firewall profile
    edit <profile-entry>
        set <smtp/pop3/imap> spamfsurl
end

3.8 IPS Functionality

3.8.1 Dynamic Threat Prevention System

Description: In FortiOS v2.80, the existing Intrusion Detection and Prevention functions have been merged and expanded to provide a new Dynamic Threat Prevention System. IPS can be applied on a per-firewall-policy basis through the Protection Profiles. All current NIDS signatures include the option for an action to be taken to prevent the attack being detected. Signatures are arranged into groups based on the type of attack. Some signature groups also include additional configuration parameters in addition to the actions to take in response to a positive signature match: pass, drop, reset or clear packets or sessions. The detection signatures and prevention actions are updated automatically in real time via the FortiProtect Network.

New in FortiOS v2.80 are "anomalies" to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols. Each anomaly comes with a recommended configuration that can be modified as required. Note that new anomaly lists are only provided in new firmware releases.

3.8.2 IPS signature Autoupdate

Description: When a new IPS signature database is pushed to FortiGates by the FDS, IPS settings that have been altered from their default values are overridden. MR10 introduces a new command that controls this. If the option is disabled, existing settings are not overridden on updates received from the FDS. If the option is enabled, which is the default setting, the new IPS signature database is pushed with Fortinet recommended settings, replacing any locally changed actions. The following is the new command syntax:

config system autoupdate ips
    set accept-recommended-settings <disable|enable>
end

3.9 Web Content Filtering

Description: In FortiOS v2.80, category based filtering is supported with the FortiGuard – Web Filtering Service, Fortinet's high performance, server-based categorized URL filtering system. With the appropriate FortiGuard license, the administrator now has the ability to define and choose the categories of URLs that can be blocked per firewall policy. (This is a separately licensed product. Contact your local Fortinet Sales Representative for information.) FortiGuard capabilities include:

• 56 content categories.
• Granular policy enforcement.
• URL rating cache for high performance.
• Ability to monitor or deny users access to specific categories.
• Comprehensive historical statistics for all categories by profile.
• Log of all requests for websites in monitored or denied categories.

Description: A new FortiGuard – Web Category Filtering configuration option has been added that allows the user to specify whether or not image rating/blanking should be used. This feature adds the ability to rate images based on their URL and replace them with blank images if the image is to be denied. The supported image types are: image/gif, image/jpeg, image/tiff, image/png, image/bmp.

This configuration is available in both the WebUI and CLI. CLI command:

config firewall profile
    edit "img-scan"
        set cat_options rate_image_urls
end

The source of the replacement blanking image can also be specified as a location remote to the FortiGate unit (CLI only):

conf webfilter catblock
    set img_sink_ip xxx.xxx.xxx.xxx
end

3.10 Log & Reporting

Description: The FortiGate Log and Reporting functionality has been enhanced with the following changes:

• Per user log/report for Web Filtering
• Traffic Log reports group and user for firewall policy authenticated traffic
• SNMP support for dial-up VPN tunnel monitoring (requires updated 2.80-MR3 or later version MIB)
• Alert Email now contains the FortiGate serial number for identifying the FortiGate unit
• Integration with the FortiLog System (secure tunnel, Content Log access, enhanced reporting)

• Improved Update Logs
Description: The AV/NIDS update log message has been modified to include the version of the updates, e.g.:
Fortigate updated <AV database version> <IDS database version> <AV Engine version> <IDS Engine version> <FortiGuard - AntiSpam database status>

• Persistent Log Columns GUI
Description: When customizing the columns of the log message display, the order is stored in a browser "cookie" so that when returning to the log display webpage the column arrangement is retained for the current WebUI session.


Description: The IDs of locally defined users are now logged when the user surfs to a web site while FortiGuard – Web Filtering is enabled. The firewall already logs user IDs when FortiGuard – Web Filtering is not enabled.

• Configuration Change Logs

Description: The logging of configuration changes has been increased. Now when a firewall policy is altered, the change is logged.


4 MR12 Release Issues

4.1 Resolved Issues in FortiOS v2.80 MR12

4.1.1 HA

Description: When an active link fails on the "master" FortiGate firewall of an Active-Active (A-A) cluster, all routes on the new slave are lost and not relearned once the "route-ttl" timer expires. This issue only affects networks where dynamic routing is used.
Models Affected: All.
Bug ID: 33421    Status: Fixed in MR12.

Description: A master unit running in Transparent (TP) mode does not pick up sessions taken over by the slaves once the master returns from a reboot.
Models Affected: All.
Bug ID: 33242    Status: Fixed in MR12.

Description: When a multicast firewall policy is defined to use a VLAN interface, and this interface is then deleted, the slave units synchronise properly, but upon a manual reboot the slaves become unsynchronised and continue to reboot.
Models Affected: All.
Bug ID: 34217    Status: Fixed in MR12.

4.1.2 VPN

Description: When a dialup IPSec tunnel consists of a phase2 tunnel whose name contains an underscore character, the tunnel is dropped whenever a firewall policy setting is changed.
Models Affected: All.
Bug ID: 31658    Status: Fixed in MR12.

Description: The IPSec Phase 1 or Phase 2 keylife does not expire when using a byte count value.
Models Affected: All.
Bug ID: 9830    Status: Fixed in MR12.

Description: DNS forwarding fails to forward DNS queries through interfaces that are members of a zone.
Models Affected: All.
Bug ID: 37114    Status: Fixed in MR12.

Description: A hub and spoke VPN topology with the hub connected to a FortiManager would fail to allow traffic between the hub FortiGates.
Models Affected: All.
Bug ID: 39173    Status: Fixed in MR12.

4.1.3 System

Description: The System GUI erroneously displays the "Chassis" option. This feature is not supported on the FGT5002 blade.
Models Affected: FGT_5002
Bug ID: 33544    Status: Fixed in MR12.

Description: Microsoft NetMeeting fails to set up the connection when messages are received at the FortiGate on a VIP.
Models Affected: All.
Bug ID: 35478    Status: Fixed in MR12.


4.2 Resolved Issues in FortiOS v2.80 MR11 and Earlier

4.2.1 System

Description: If a DHCP relay agent is configured on the HA interface, DHCP DISCOVER messages are not forwarded to the DHCP server.
Models Affected: All.
Bug ID: 28443    Status: Fixed in MR11.

Description: FortiOS v2.80 introduced the Access Profile feature. Since FortiOS v2.50 does not support this feature, some administrator accounts are lost upon upgrading. For every admin user in FortiOS v2.50, the upgrade procedure creates a new Access Profile, and since only a certain number of Access Profiles are configurable per FortiGate (8, 16, or 64 depending on the model), admin users beyond these limits are not retained in the upgrade.
Models Affected: All.
Bug ID: 25201    Status: Fixed in MR11.

Description: When DST ends, the system time alternates between the time with DST enabled and the time with DST disabled.
Models Affected: All.
Bug ID: 22463    Status: Fixed in MR11.

Description: The FortiGate firewall does not send updates to the DDNS server when it acquires an IP address from a DHCP server.
Models Affected: All.
Bug ID: 30713    Status: Fixed in MR11.

Description: When the l2forwarding feature is disabled on the FortiGate firewall, non-IPv4 multicast, broadcast and 'unknown destination' frames are forwarded to all operational interfaces.
Models Affected: All.
Bug ID: 29101    Status: Fixed in MR11.

Description: H.323 traffic that uses UDP port 1719 causes the FortiGate firewall to reboot.
Models Affected: All.
Bug ID: 30962    Status: Fixed in MR11.

Description: FortiGate firewalls with serial numbers FG30002801030xxx are not able to detect "downed" fiber ports.
Models Affected: FGT3000 (s/n FG30002801030xxx)
Bug ID: 32122    Status: Fixed in MR11.

Description: Image filenames for the FG1000A and FG1000AFA2 do not conform to the standard filename naming conventions; the device model numbers are abbreviated.
Models Affected: FG1000A/FG1000AFA2
Bug ID: 34589    Status: Fixed in MR11.

Description: FortiAccel ports on the FG1000A and FG1000AFA2 are named Port11/Port12 instead of "PortA1/PortA2".
Models Affected: FG1000A/FG1000AFA2
Bug ID: 34552    Status: Fixed in MR11.

Description: SNMPv1 and SNMPv2 get-next requests failed on requests to the fnIp (fortinet.4) and fnVpn (fortinet.9) OIDs.
Models Affected: All.
Bug ID: 24725    Status: Fixed in MR10.

Description: If the system time was changed from NTP to manual time, administrative access to the firewall using HTTP, HTTPS, TELNET, SSH, PING, and SNMP would fail.
Models Affected: All.
Bug ID: 22672    Status: Fixed in MR10.

Description: Using the GUI to delete an SNMP host in a community deletes the hosts below it.
Models Affected: All.
Bug ID: 23767    Status: Fixed in MR10.

Description: In an HA cluster configuration, certain MIB OID locations (memory, cpu, and sessions) sometimes do not respond to SNMP GET queries. Workaround: view the information via the WebUI or CLI.
Models Affected: FortiGate-3600.
Bug ID: 22766    Status: Fixed in MR10.

Description: To prevent XSS (cross site scripting) vulnerabilities, certain characters are disallowed in most CLI and WebUI fields. The Web Pattern Block field currently does not allow the following characters: < > ( ) # " '
Models Affected: All running v2.80-MR7 and MR8.
Bug ID: 23374    Status: Fixed in MR10.

Description: A Nessus DoS attack would cause the CPU to spike and remain high even after the attack had stopped.
Models Affected: All.
Bug ID: 27249    Status: Fixed in MR10.

Description: An interface sent an IPChange trap when the interface was brought up and down, even if the IP address did not change.
Models Affected: All.
Bug ID: 18280    Status: Fixed in MR9.

Description: The LCD misformats the information: when the firewall's operational mode is changed through the LCD, the confirmation message is misformatted.
Models Affected: All models with an LCD.
Bug ID: 19138    Status: Fixed in MR9.

Description: The daylight savings time option causes the update daemon to restart if the option is enabled while in the daylight savings time period.
Models Affected: All.
Bug ID: 24339    Status: Fixed in MR9.

4.2.2 WebUI

Description: When the FortiGate firewall is in HA mode, users are not able to access the quarantine page from either Mozilla or Internet Explorer.
Models Affected: All.
Bug ID: 33362    Status: Fixed in MR11.

Description: If a log file from a slave unit in an HA cluster was downloaded, the file name was "fetch". It has been changed to reflect the type of log being downloaded, such as "tlog", "elog", etc.
Models Affected: All.
Bug ID: 24181    Status: Fixed in MR10.

Description: When more than 20 static VPN tunnels were configured, any connected dialup VPN tunnel would not appear in the VPN > IPSec > Monitor page.
Models Affected: All.
Bug ID: 23140    Status: Fixed in MR10.

Description:
21497 – Fields related to FortiLog encryption were not being displayed correctly when the encryption option was being enabled and disabled.
21953 – The firewall would not allow an Xauth server to be set up on a dialup VPN Phase1 gateway if the user group included a RADIUS and LDAP server.
21254 – The GUI inadvertently displayed the DHCP-IPSec option in the IPSec VPN Phase2 configuration when Dynamic DNS is chosen for the remote gateway.
Models Affected: All.
Bug ID: 21497, 21953, 21254    Status: Fixed in MR9.

4.2.3 HA

Description: When in HA mode, 10.0.0.0/24 routes can not be added to the routing table.
Models Affected: All.
Bug ID: 31276    Status: Fixed in MR11.

Description: When a new NIDS signature is installed on the FortiGate Firewall master, the slave firewall(s) will reboot once.
Models Affected: All.
Bug ID: 33489    Status: Fixed in MR11.

Description: FortiGate 60 firewalls running in HA mode erroneously permit users to enable the internal port as a monitored port. The internal interface is a switch port, so it is restricted by design from being a monitored port.
Models Affected: All.
Bug ID: 30162    Status: Fixed in MR11.

Description: High availability is not supported on the FG1000A and FG1000AFA2 firewalls.
Models Affected: FG1000A/FG1000AFA2
Bug ID: 34553    Status: Fixed in MR11.

Description: Slave units in an HA A-A cluster of three or more units using weighted round robin would stop receiving sessions from the master unit.
Models Affected: All.
Bug ID: 23086    Status: Fixed in MR10.

Description: In Transparent mode, HA Active-Active mode, the firewall cluster forwards multicast and broadcast packets. The cluster can receive these packet types at the same time and both the master and slave can forward them at the same time. This confuses the switch because of the identical source MAC address on the packets.
Models Affected: All.
Bug ID: 23873    Status: Fixed in MR9.

Description: When adding a new member to an HA cluster, the normal operation involves synchronizing the unit configuration followed by a system reboot of the new member. However, if the synchronization fails the slave will continuously reboot as it repeatedly attempts to synchronize the configuration. This can occur if a configuration change is made on the master when the HA link to the slave is down.
Models Affected: All.
Bug ID: 20530    Status: Fixed in MR9.

4.2.4 Router

Description: The policy routing feature does not automatically forward traffic through alternative routes when an associated route is removed.
Models Affected: All.
Bug ID: 32302    Status: Fixed in MR11.

Description: When a gateway address is not configured, policy routes for OSPF discovered routes do not work.
Models Affected: All.
Bug ID: 29938    Status: Fixed in MR11.


Description: Static routes with administrative distances of 128 or more would disappear from the routing table and would not be visible in GUI > Router > Monitor.
Models Affected: All.
Bug ID: 24263    Status: Fixed in MR10.

Description: Some FTP clients running in FTP Active mode would hang when being routed through the firewall using a policy route.
Models Affected: All.
Bug ID: 21451    Status: Fixed in MR9.

Description: Once RIP Split Horizon was enabled it could not be disabled. Both Split Horizon and Poison Reverse work if they are enabled together.
Models Affected: All.
Bug ID: 20625    Status: Fixed in MR9.

4.2.5 Firewall

Description: Using a blank Common Name Identifier field allows all users defined in a Windows Active Directory to be authenticated, regardless of their position within the AD structure. If the Common Name Identifier field in an LDAP user is left blank, upon upgrading from FortiOS v2.80 MR9 to FortiOS v2.80 MR10 the field is filled in with "cn", which causes authentication attempts to fail if the above method is used.
Models Affected: All.
Bug ID: 29104    Status: Fixed in MR11.

Description: In Route mode, for non peer-to-peer H.323 VoIP communication, the control session expiration time for a non-NAT policy decreases even if RTP traffic linked with this session is passing through the device.
Models Affected: All.
Bug ID: 27939    Status: Fixed in MR11.

Description: H.323 sessions use the odd port numbers for RTP traffic.
Models Affected: All.
Bug ID: 31714    Status: Fixed in MR11.

Description: Non-NAT policy expiration time decreases even if there is RTP traffic passing through the device linked with the control session.
Models Affected: All.
Bug ID: 27939    Status: Fixed in MR11.

Description: When an H.323 session is created, the H.323 session-helper modifies the source port of H.323 traffic.
Models Affected: All.
Bug ID: 32644    Status: Fixed in MR11.

Description: When a user attempts to establish a SIP session through the FortiGate firewall, the SIP session-helper modifies the source port in the INVITE message header.
Models Affected: All.
Bug ID: 31814    Status: Fixed in MR11.

Description: Microsoft NetMeeting call setup was not handled properly, resulting in failed calls.
Models Affected: All.
Bug ID: 20746    Status: Fixed in MR10.

Description: In previous builds of FortiOS, the required session-helpers for SIP/H.323 were set up automatically when the image was upgraded (as opposed to TFTP upgraded). However, changes to the CLI in later builds required users to add the session-helpers manually if the image was upgraded this way. TFTP upgrades are unaffected.
Models Affected: All.
Bug ID: 26627    Status: Fixed in MR10.


Description: When a firewall policy had authentication enabled and IM blocking enabled, IM would not be blocked.
Models Affected: All.
Bug ID: 25669    Status: Fixed in MR10.

Description: Static NAT VIPs added after upgrading to FortiOS v2.80 MR9 do not work until the configuration is re-written. For example:

1. Configure a static NAT VIP.
2. Add the static NAT VIP to a firewall policy.
3. Re-apply any other existing setting in the current configuration, such as a firewall address.

VIPs that exist prior to the upgrade are not affected.
Models Affected: FortiGate-300 and above.
Bug ID: 24225    Status: Fixed in MR10.

Description: HTTP authentication through the firewall fails if the user name contains special characters. FTP and TELNET did not show the same behaviour.
Models Affected: All.
Bug ID: 20118    Status: Fixed in MR9.

Description: The firewall inadvertently switched any UDP Port Forwarding VIP to a TCP Port Forwarding VIP.
Models Affected: All.
Bug ID: 21386    Status: Fixed in MR9.

4.2.6 FortiGuard

Description: Duplicate emails are received when DATAZ extensions are used by email servers.
Models Affected: All.
Bug ID: 29773    Status: Fixed in MR11.

4.2.7 VPN

Description: When users make non-IPSec related configuration changes, established IPSec tunnels are dropped.
Models Affected: All.
Bug ID: 32795    Status: Fixed in MR11.

Description: When an interface is configured with a secondary IP address, VPN tunnel traffic for the primary IP address is neither sent nor received.
Models Affected: All.
Bug ID: 30472    Status: Fixed in MR11.

Description: On a FortiGate 200A firewall, users are not able to create PPTP sessions over unnumbered PPPoE interfaces.
Models Affected: 200A
Bug ID: 29881    Status: Fixed in MR11.

Description: When the FortiGate 300 firewall is used as a VPN hub, tunnels between each of its spokes go down unexpectedly.
Models Affected: 300
Bug ID: 31628    Status: Fixed in MR11.

Description: An IPSec tunnel between two FortiGate units would be brought down if a PPTP connection was attempted from a PC to one of the FortiGate units.
Models Affected: All.
Bug ID: 21384    Status: Fixed in MR9.


4.2.8 IPS

Description: When a "SYN/FIN" packet is received on the FortiGate firewall, the firewall forwards one packet before dropping the next ones.
Models Affected: All.
Bug ID: 26628    Status: Fixed in MR11.

Description: The IPS engine is not able to block traffic sent by Skype versions 1.3.066 and 1.4 beta.
Models Affected: All.
Bug ID: 32767    Status: Fixed in MR11.

Description: The P2P > skype IPS signature found in the GUI under IPS > Signature > Predefined > p2p > skype does not block Skype IM sessions when the action is set to "drop session" or "clear session".
Models Affected: All.
Bug ID: 23125    Status: Fixed in MR11.

Description: Changes made to IPS signatures are not saved upon a restore of the configuration file or an upgrade. For example, if you change the action on the "AskSam.as_web.Access" signature in the iss group from Pass to Drop Session, back up the configuration, upgrade the firewall, and then restore the configuration, the changes are not saved.
Models Affected: All.
Bug ID: 25636    Status: Fixed in MR10.

Description: The IPS Engine would stop running when the firewall reached a high memory usage scenario.
Models Affected: All.
Bug ID: 29712    Status: Fixed in MR10.

4.2.9 Logging & Reporting

Description: Content logging may drop the first character of the From, To, and Subject header fields (RFC 2822 Internet Message Format) if they contain no space after the colon (:) delimiter.
Models Affected: All.
Bug ID: 28194    Status: Fixed in MR11.

Description: Log files greater than 300 MB can not be searched on the slave FortiGate firewall.
Models Affected: All.
Bug ID: 28897    Status: Fixed in MR11.

Description: The FortiGate firewall is unable to upload log files via FTP if the FTP server the FortiGate firewall contacts goes down and comes back up at a later time.
Models Affected: All.
Bug ID: 29471    Status: Fixed in MR11.

Description: When an interface goes down, the FortiGate firewall logs the event as belonging to the "informational" category instead of the "warning" category.
Models Affected: All.
Bug ID: 20599    Status: Fixed in MR11.

Description: The firewall alert mail function may fail to authenticate with some mail servers.
Models Affected: All.
Bug ID: 21168    Status: Fixed in MR9.

Description: In the log file upload settings, the firewall uploads the log file with an incorrect file name. The uploaded log file has yyyymmdd as part of the file name, and the firewall was using the incorrect month.
Models Affected: All.
Bug ID: 21354    Status: Fixed in MR9.


4.2.10 FortiGuard – AntiSpam

Description: When a word partially matches a regular expression that contains the "." pattern, the FortiGate Firewall erroneously identifies the email as containing a banned word and marks it as SPAM.
Models Affected: All.
Bug ID: 28658    Status: Fixed in MR11.

Description: An entry in the Event Log appeared stating the FortiGuard – AntiSpam license had expired even if the service was not enabled.
Models Affected: All.
Bug ID: 24347    Status: Fixed in MR10.

Description: If the Return e-mail DNS check was enabled and antispam RBL was enabled or the FortiGuard – AntiSpam RBL was enabled, the FortiGate would not perform a return e-mail DNS check.
Models Affected: All.
Bug ID: 25081    Status: Fixed in MR10.

4.2.11 Antivirus

Description: In previous builds of FortiOS, splice for SMTP would be enabled when antivirus scanning was enabled. Thishas changed for MR10. SMTP splice can be disabled when antivirus scanning is enabled. Please see the Special Notessection for more information FTP and SMTP Splice.Models Affected: All.Bug ID: 21480 Status: Fixed in MR10.

Description: The "Web Resume Download Block" feature was not working. The download would resume from where itstopped rather than from the start of the file again.Models Affected: All.Bug ID: 23821 Status: Fixed in MR10.

Description: When the FortiGate reaches a low memory condition, the "system global av_failopen" antivirus feature determines how sessions are handled. There are three options for this feature:

• off – connections are received and handled regardless of the free memory
• one-shot – connections bypass the AV engine and the administrator must manually change the setting to off or pass in order to resume AV scanning
• pass – connections bypass the AV engine and AV scanning resumes when the low memory condition is resolved

The default option for this feature is pass. In previous builds it was set to off.
Models Affected: All.
Bug ID: no bug
Status: Fixed in MR10.

Description: The firewall did not block oversized files through FTP when AV was enabled. If the downloaded file was larger than the threshold, the firewall would not block the file.
Models Affected: All.
Bug ID: 18431
Status: Fixed in MR9.

Description: The details of the Content Archive (System > Status) displayed misformatted IP addresses.
Models Affected: All.
Bug ID: 21415
Status: Fixed in MR9.


5 Known Issues in FortiOS v2.80 MR12

5.1 HA

Description: All sessions are dropped when a unit with master override reboots and then rejoins the HA cluster. This behaviour is shown only when the master is rebooted (reboot, or power up), not when an interface is disconnected and reconnected.
Models Affected: All.
Bug ID: 16058
Status: Fix in a future release.

5.2 IPS

Description: The default settings of some IPS signatures were changed in IPS database version 2.211. The following is a list of the signatures that changed. If your firewall is using an IPS database version that is older than 2.211 and you upgrade to MR10, which has an IPS database version of 2.216, then the following signatures will change. You must manually change them if you wish to enable them. Please see the IPS sub-section of the Enhancements Provided by FortiOS v2.80 MR10 section for a command to prevent the settings from being overwritten by future IPS signature updates.

Signatures which have been disabled by default

CyberKit.2.2
SMB.DCERPC.SamrEnumerateAliasesInDomain.139
Private.Access.UDP
ip_decoder:ipv4_bad_checksum
dns_decoder:invalid_pointer
dns_decoder:invalid_opcode
dns_decoder:invalid_param
http_decoder:double_encoding
tcp_decoder:tcp_bad_checksum
im:aim
im:msn
im:yahoo
im:qq
pop_decoder:nested_request
pop_decoder:unknown_cmd
pop_decoder:unknown_reply
smtp_decoder:nested_request
smtp_decoder:unknown_cmd
smtp_decoder:unknown_reply
imap_decoder:unknown_cmd
imap_decoder:unknown_reply
udp_decoder:udp_bad_checksum

Anomalies whose thresholds have been changed

icmp_src_session (100 => 200)
tcp_src_session (2000 => 5000)
udp_src_session (1000 => 5000)

Models Affected: All.
Bug ID: None.
Status: None.

5.3 VPN

Description: When an IPSec dial-up client is using an address group for the source address, the FortiGate VPN Gateway firewall policy applies only to the last entry in the dial-up client address group.

e.g. On the FortiGate dial-up server, the encrypt policy source-to-destination is: 192.168.2.0->all. On the dial-up client: 192.168.4.0+192.168.22.0 (address group)->192.168.2.0. Then, the resulting dial-up encrypt firewall policy is: 192.168.2.0->192.168.22.0
Models Affected: All.
Bug ID: 13786
Status: Fix in a future release.

Workaround: Create a dedicated tunnel on the VPN Gateway just for this client (with a matching policy), or make the client initiate separate tunnels for each address subnet.

Description: When a dialup VPN connection is made to a FortiGate firewall, the phase 2 SA's timer is not reset automatically when there is still an active session.
Models Affected: All.
Bug ID: 33295
Status: Fix in a future release.

Workaround: Enable phase 2 keepalive on the VPN dialup client.

5.4 System

Description: FortiOS v2.80 introduced the Access Profile feature. Since FortiOS v2.50 does not support this feature, upon upgrading some administrator accounts are lost. For every admin user in FortiOS v2.50, the upgrade procedure creates a new Access Profile and since only a certain number of Access Profiles are configurable per FortiGate (8, 16, or 64 depending on the model), admin users beyond these limits are not retained in the upgrade.
Models Affected: All.
Bug ID: 25201
Status: Fix in a future release.

Description: When the FortiGate firewall non-reserved IP pool is used up, the FortiGate firewall will assign reserved IP addresses to requesting DHCP clients.
Models Affected: All.
Bug ID: 31376
Status: Fix in a future release.

5.5 Router

Description: When a FortiGate running RIPv2 has a passive interface, authentication enabled, and a neighbour configured, no authentication information is contained in any of the RIPv2 packets.
Models Affected: All.
Bug ID:
Status: Fix in a future release.

5.6 Antivirus

Description: Files that have Japanese characters in the filename are not blocked by the FortiGate firewall.
Models Affected: All.
Bug ID: 32369
Status: Fix in a future release.

Description: When an infected file has Japanese characters in the filename, the FortiGate firewall will send a replacement message and replace the name of the file with a series of "?".
Models Affected: All.
Bug ID: 32419
Status: Fix in a future release.


6 Image MD5 Checksums

dd3617e94f2562c6dce0086b427f7f4a *FGT_1000AFA2-v280-build514-FORTINET.out
9ab3b78c562cfd8cb06e6e9798bcdefc *FGT_1000A-v280-build514-FORTINET.out
a37152d9406f551e104f0749a33950e0 *FGT_100A-v280-build514-FORTINET.out
a67ce8941acf8d84c84badc5cd631df7 *FGT_100-v280-build514-FORTINET.out
cd4781428dfd42487b4758ca3641d1a0 *FGT_1K-v280-build514-FORTINET.out
3410114bbc3632697c531f087222c930 *FGT_200A-v280-build514-FORTINET.out
8b7e101df1c3aa79560e4b5d87e82b6d *FGT_200-v280-build514-FORTINET.out
2049a4dfddbb61a49587c7fdbf3e0475 *FGT_3000-v280-build514-FORTINET.out
a61e496ac353b2e721567e0e15de3a25 *FGT_300A-v280-build514-FORTINET.out
4055d93eaa22ee79d4e223bcff804167 *FGT_300-v280-build514-FORTINET.out
5667a528d69dcd5e2fed5c328909b4c3 *FGT_3600-v280-build514-FORTINET.out
2bb2adc299b7a307038ce8fa3dea9a4b *FGT_400A-v280-build514-FORTINET.out
f1b2a6642bfb17f06df0d2bc7710270c *FGT_400-v280-build514-FORTINET.out
035836de175150c3f482b625b97e2163 *FGT_5001-v280-build514-FORTINET.out
148ef9b82d652ccc94c61c8ad9dcbbfa *FGT_5002FB2-v280-build514-FORTINET.out
b403841acdcb6eaeca938ae7dd6cd6ae *FGT_500A-v280-build514-FORTINET.out
1680d1addcb618c028d1df38ab1d15a9 *FGT_500-v280-build514-FORTINET.out
01012a8832c21e6f118d56675769221c *FGT_50AM-v280-build514-FORTINET.out
ef185634ba06125b4e004d7fe1c5b346 *FGT_50A-v280-build514-FORTINET.out
f324296912ecb9e4c6981f75fe969e0f *FGT_60M-v280-build514-FORTINET.out
4cf951284cf574b1d2f73ee30be89f4b *FGT_60-v280-build514-FORTINET.out
89a35fa8fbdf5b49f8e717bfc974a37f *FGT_800F-v280-build514-FORTINET.out
d120b2a1d18b8b0f1fbdc61a2a2f50f3 *FGT_800-v280-build514-FORTINET.out
8ad0f7c989311171cb7079633722cbf8 *FWF_60-v280-build514-FORTINET.out
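The checksum lines above are in the layout that coreutils md5sum emits in binary mode ("<md5> *<file name>"), so they can be saved to a file and used as a manifest. As an added example (not part of these release notes and not a Fortinet tool), the following POSIX shell script looks up a downloaded image in such a manifest, recomputes its MD5 and refuses a mismatch or an unlisted file. The manifest and the image files it creates for the demonstration are constructed, with names that only mimic the entries above; to check a real download, save the published lines to checksums.txt and call verify_image on the image. An MD5 match detects a corrupted or truncated download; it is not a signature, so it says nothing about who produced the file.

```shell
#!/bin/sh
# Added example, not part of the Fortinet release notes: check a downloaded
# FortiOS image against the "Image MD5 Checksums" list before installing it.
# The manifest and image files built below are constructed for this demo.

# md5_of FILE: print the hex MD5 of FILE (coreutils md5sum, or openssl
# where md5sum is not available).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 -r "$1" | awk '{ print $1 }'
    fi
}

# verify_image MANIFEST IMAGE
# Looks up IMAGE's file name in MANIFEST, recomputes its MD5 and compares.
# Exit status: 0 = match, 1 = mismatch (do not install), 2 = not listed.
verify_image() {
    manifest=$1
    image=$2
    name=$(basename "$image")
    # Accept "*name" (binary mode, as published) as well as a bare "name".
    expected=$(awk -v f="$name" 'BEGIN { k = "*" f }
        ($2 == k || $2 == f) { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $manifest" >&2
        return 2
    fi
    actual=$(md5_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# build_samples DIR: create a good image, a corrupted one and an unlisted
# one, plus a manifest in the published layout. File names only mimic the
# release notes; the contents and hashes are constructed.
build_samples() {
    dir=$1
    mkdir -p "$dir"
    printf 'constructed FortiOS image\n' > "$dir/FGT_60-v280-build514-FORTINET.out"
    printf 'constructed FortiOS image, one byte off\n' > "$dir/FGT_100-v280-build514-FORTINET.out"
    printf 'not in the manifest\n' > "$dir/FGT_200-v280-build514-FORTINET.out"
    good=$(md5_of "$dir/FGT_60-v280-build514-FORTINET.out")
    # The second entry deliberately carries the first file's hash, so the
    # corrupted download fails verification.
    {
        printf '%s *FGT_60-v280-build514-FORTINET.out\n' "$good"
        printf '%s *FGT_100-v280-build514-FORTINET.out\n' "$good"
    } > "$dir/checksums.txt"
}

SAMPLE_DIR=${TMPDIR:-/tmp}/fortios-md5-demo.$$
build_samples "$SAMPLE_DIR"
for f in FGT_60 FGT_100 FGT_200; do
    verify_image "$SAMPLE_DIR/checksums.txt" "$SAMPLE_DIR/$f-v280-build514-FORTINET.out" \
        || echo "  -> refusing to install the $f image (status $?)"
done
```

With coreutils available, `md5sum -c checksums.txt` performs the same comparison for every file present in the current directory; the function form above is what to call from an upgrade script so that a non-zero status stops the upgrade instead of merely printing a warning.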

(End of Release Notes)
