This document provides the following information for FortiOS 6.0.2 build 0163:
Supported models
FortiOS 6.0.2 supports the following models.
FortiGate | FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D |
FortiGate Rugged | FGR-30D, FGR-35D, FGR-60D, FGR-90D |
FortiGate VM | FG-SVM, FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN, FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND |
Pay-as-you-go images | FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN |
FortiOS Carrier | FortiOS Carrier 6.0.2 images are available on request; they are not posted on the Customer Service & Support firmware download page. |
WAN optimization and web caching features
WAN optimization and web caching were removed from the 60D and 90D series platforms, starting with 6.0.0, because of their limited disk size. Affected platforms:
- FGT-60D
- FGT-60D-POE
- FWF-60D
- FWF-60D-POE
- FGT-90D
- FGT-90D-POE
- FWF-90D
- FWF-90D-POE
- FGT-94D-POE
After upgrading from a 5.6 patch release to 6.0.0, diagnose debug config-error-log read shows command parsing errors for the wanopt and webcache settings that were dropped.
FortiGuard Security Rating Service
Not all FortiGate models can run the FortiGuard Security Rating Service as the Security Fabric "root" device. The following FortiGate platforms can run the service only when they are added to an existing Security Fabric whose root is a supported FortiGate model:
- FGR-30D-A, FGR-30D, FGR-35D, FGR-60D, FGR-90D
- FGT-200D, FGT-200D-POE, FGT-240D, FGT-240D-POE, FGT-280D-POE
- FGT-30D, FGT-30D-POE, FGT-30E, FGT-30E-MI, FGT-30E-MN, FGT-50E, FGT-51E, FGT-52E, FGT-60D, FGT-60D-POE, FGT-70D, FGT-70D-POE, FGT-90D, FGT-90D-POE, FGT-94D-POE, FGT-98D-POE
- FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E-2R, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D
Built-in certificate
FortiGate and FortiWiFi D-series and later models ship with a built-in Fortinet_Factory certificate that uses a 2048-bit key and DH group 14.
FortiGate and FortiWiFi-92D hardware limitations
The FortiOS 5.4.0 release notes reported issues with the FG-92D model under Special Notices > FG-92D High Availability in Interface Mode. These issues, which affect ports 1 through 14, include:
- PPPoE fails and HA cannot be formed.
- IPv6 packets are dropped.
- FortiSwitch units are not discovered.
- Depending on the network topology, spanning-tree loops can occur.
The FG-92D and FWF-92D do not support STP. These issues were improved in FortiOS 5.4.1, which introduced a new global setting, enabled by default, that has side effects of its own:
config system global
    set hw-switch-ether-filter {enable | disable}
end
When the setting is enabled:
- Only ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
- BPDUs are dropped, so no STP loop occurs.
- PPPoE packets are dropped.
- IPv6 packets are dropped.
- FortiSwitch units are not discovered.
- Depending on the network topology, HA may not form.
When the setting is disabled:
- All packet types are allowed, which, depending on the network topology, may cause an STP loop.
FG-900D and FG-1000D
CAPWAP traffic will not be offloaded if the ingress and egress traffic ports are on different NP6 chips. It will only be offloaded if both ingress and egress ports belong to the same NP6 chip.
FortiClient (Mac OS X) SSL VPN requirements
To use SSL VPN from Mac OS X 10.8, you must enable SSLv3 in FortiOS. SSLv3 is an obsolete protocol with known weaknesses, so enable it only for as long as you must support 10.8 clients and disable it again afterwards.
FortiClient configuration file changes
With the introduction of the Fortinet Security Fabric, FortiClient configuration files are updated on the FortiGate. FortiClient profiles on the FortiGate are now used mainly for endpoint compliance, while FortiClient Enterprise Management Server (EMS) is used for FortiClient deployment and configuration.
FortiClient profiles on the FortiGate are used for compliance-related FortiClient features such as antivirus, web filter, vulnerability scan, and application firewall. You can set the action for non-compliant endpoints to block or warn.
FortiClient users can change the client's features locally to meet the FortiGate compliance requirements. You can also configure endpoints centrally with FortiClient EMS, which additionally supports features such as VPN tunnels and other advanced options. For more information, see the Security Profiles chapter of the FortiOS Handbook.
Using the dedicated management interfaces (mgmt1 and mgmt2)
For best stability, use the management ports (mgmt1 and mgmt2) for management traffic only. Do not use them for general user traffic.
Upgrading to FortiOS 6.0.2
Supported upgrade path information can be found on the Fortinet Customer Service & Support site.
To view the supported upgrade paths:
- Go to https://support.fortinet.com.
- From the Download menu, select Firmware Images.
- Check that Select Product is set to FortiGate.
- Click the Upgrade Path tab and select the following: Current Product, Current FortiOS Version, Upgrade To FortiOS Version.
- Click Go.
Before upgrading, make sure that port 4433 is not used for HTTP or HTTPS administrative access (admin-port or admin-sport in config system global) or for SSL VPN (port in config vpn ssl settings). If you are using port 4433, change admin-port, admin-sport, or the SSL VPN port to a different port number before upgrading. This warning does not apply if you are upgrading from version 5.6.2 or 5.6.3.
Zones that contain a physical interface
When upgrading from 5.6.3 or later, all members of a zone are removed if the zone contains a physical interface and that interface has VLAN sub-interfaces. For example:
Before upgrade:
config system zone
    edit "Trust"
        set interface "port1" "Vlan01" "Vlan02" "Vlan03"
    next
end
After upgrade:
config system zone
    edit "Trust"
    next
end
If "port1" is removed from the member list before upgrading, the VLAN members are preserved.
Conditions under which a physical interface member is removed:
- The physical interface has one or more VLAN sub-interfaces (whether they are in the same zone, another zone, or no zone at all).
Conditions under which a VLAN interface member is removed:
- The parent physical interface is itself a member of a zone.
You can prepare for the upgrade in either of the following ways:
- Use only physical interfaces that have no VLAN sub-interfaces as zone members, or
- Create a new VLAN to take the place of each physical zone member, remove all physical members from the zone, and leave only the new VLAN entries.
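The two pre-upgrade checks above (port 4433 in use, and zone members that the upgrade would drop) can be run offline against a configuration backup instead of by eye. The script below is an added example, not Fortinet code: it parses the config/edit/set/next/end syntax of a backup, applies the two removal conditions exactly as stated above, and emits the release note's workaround (remove the physical parent from the zone). The sample backup embedded in it is constructed for the example; the table and setting names follow the FortiOS 6.0 CLI.

```python
"""Offline pre-upgrade checks for two FortiOS 6.0.2 caveats above: port 4433
already in use, and zone members the upgrade would drop. Added example, not
Fortinet code; it parses a configuration backup and never touches a device."""
import shlex
from collections import defaultdict

# Constructed sample backup. Table and setting names follow the FortiOS 6.0
# CLI; the interface and zone layout is invented to exercise both checks.
SAMPLE_CONFIG = """
config system global
    set admin-sport 4433
end
config vpn ssl settings
    set port 10443
end
config system interface
    edit "port1"
    next
    edit "port2"
    next
    edit "Vlan01"
        set interface "port1"
        set vlanid 10
    next
end
config system zone
    edit "Trust"
        set interface "port1" "Vlan01"
    next
    edit "Untrust"
        set interface "port2"
    next
end
"""

def parse_config(text):
    """Parse FortiOS config/edit/set/next/end syntax into
    {table: {entry: {setting: [values]}}}. Tables without 'edit' entries
    (system global, vpn ssl settings) keep their settings under entry ''."""
    tables, stack, entry = defaultdict(dict), [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))
            entry.append("")
            tables[stack[-1]].setdefault("", {})
        elif cmd == "edit":
            entry[-1] = args[0]
            tables[stack[-1]].setdefault(args[0], {})
        elif cmd == "set":
            tables[stack[-1]][entry[-1]][args[0]] = args[1:]
        elif cmd == "next":
            entry[-1] = ""
        elif cmd == "end":
            stack.pop()
            entry.pop()
    return tables

def port_4433_conflicts(tables):
    """Settings that must not be 4433 before upgrading: admin-port and
    admin-sport (config system global) and the SSL VPN port."""
    watched = [("system global", "admin-port"), ("system global", "admin-sport"),
               ("vpn ssl settings", "port")]
    return [f"{table} {key}" for table, key in watched
            if tables.get(table, {}).get("", {}).get(key) == ["4433"]]

def vlan_parents(tables):
    """VLAN sub-interface name -> parent physical interface name."""
    return {name: s["interface"][0]
            for name, s in tables.get("system interface", {}).items()
            if "vlanid" in s and "interface" in s}

def zone_members_at_risk(tables):
    """The two removal conditions from the release note: a physical member
    that has VLAN sub-interfaces (in any zone or none), and a VLAN member
    whose parent physical interface is itself a member of any zone."""
    parent = vlan_parents(tables)
    zones = tables.get("system zone", {})
    zoned = {m for s in zones.values() for m in s.get("interface", [])}
    at_risk = defaultdict(list)
    for zone, s in zones.items():
        for member in s.get("interface", []):
            if member in parent.values() or parent.get(member) in zoned:
                at_risk[zone].append(member)
    return dict(at_risk)

def zone_fix_commands(tables):
    """The workaround the note gives: take the physical parent out of the zone
    before upgrading so the VLAN members survive. Untagged traffic on that port
    then no longer matches the zone's policies; add a replacement VLAN if needed."""
    parents = set(vlan_parents(tables).values())
    lines = ["config system zone"]
    for zone, s in tables.get("system zone", {}).items():
        members = s.get("interface", [])
        keep = [m for m in members if m not in parents]
        if keep != members:
            body = ("set interface " + " ".join(f'"{m}"' for m in keep)) if keep else "unset interface"
            lines += [f'    edit "{zone}"', "        " + body, "    next"]
    return "\n".join(lines + ["end"])
```

Run it against a real backup by reading the file into parse_config instead of SAMPLE_CONFIG. For the sample, port_4433_conflicts reports admin-sport, zone_members_at_risk reports port1 and Vlan01 in Trust (port1 has a VLAN child; Vlan01's parent is in a zone), and zone_fix_commands rewrites Trust to contain only Vlan01, after which neither condition matches any more. The generated commands change what the zone's policies apply to, so review them before pasting them into the CLI.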
Fortinet Security Fabric upgrade
FortiOS 6.0.2 greatly increases interoperability with other Fortinet products. This includes:
- FortiAnalyzer 6.0.0
- FortiClient 6.0.0
- FortiClient EMS 6.0.0
- FortiAP 5.4.4 and later
- FortiSwitch 3.6.4 and later
Upgrade the firmware of each product in the correct order. This keeps the network connected without the need for manual steps.
Before upgrading any product, read the FortiOS Security Fabric Upgrade Guide.
The minimum TLS version of services changes automatically
To improve security, FortiOS 6.0.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL/TLS protocol version used for communication between the FortiGate and third-party SSL and TLS services.
When you upgrade to FortiOS 6.0.2 or later, the default ssl-min-proto-version is TLSv1.2. The following SSL and TLS services inherit the global setting and therefore use TLS 1.2 by default. You can override the setting per service:
- Email server (config system email-server)
- Certificates (config vpn certificate setting)
- FortiSandbox (config system fortisandbox)
- FortiGuard (config log fortiguard setting)
- FortiAnalyzer (config log fortianalyzer setting)
- LDAP server (config user ldap)
- POP3 server (config user pop3)
If a peer such as an older LDAP server does not support TLS 1.2, the connection fails after the upgrade until you update the peer or, as a fallback, lower the per-service setting.
Downgrading to a previous firmware version
Downgrading to a previous firmware version results in configuration loss on all models. Only the following settings are retained:
- Operation mode
- Interface IP/management IP
- Static routing table
- DNS settings
- VDOM parameters/settings
- Admin user account
- Session helpers
- System access profiles
If you have long VDOM names, shorten them (maximum 11 characters) before downgrading:
- Back up your configuration.
- In the backup, replace every long VDOM name with its corresponding short name; that is, change the edit line of each long VDOM name to use the short name instead.
- Restore the configuration.
- Perform the downgrade.
Amazon AWS enhanced networking compatibility issue
With the enhanced networking support in 6.0.2, there are compatibility issues with older AWS VM versions. After downgrading a 6.0.2 image to an older version, network connectivity is lost, and because AWS does not provide console access, the downgraded image cannot be recovered.
When downgrading from 6.0.2 to an older version, the enhanced NIC driver is not available. The following AWS instance types are affected:
- C3
- C4
- R3
- I2
- M4
- D2
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix XenServer and Open Source Xen
- .out: Download the 64-bit firmware image to upgrade an existing FortiGate VM installation.
- .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for open source Xen.
- .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.
Linux KVM
- .out: Download the 64-bit firmware image to upgrade an existing FortiGate VM installation.
- .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains a QCOW2 file that can be used by qemu.
Microsoft Hyper-V
- .out: Download the 64-bit firmware image to upgrade an existing FortiGate VM installation.
- .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains a .vhd file in the Virtual Hard Disks folder, which can be added to Hyper-V Manager manually.
VMware ESX and ESXi
- .out: Download the 64-bit firmware image to upgrade an existing FortiGate VM installation.
- .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains a VMware Open Virtualization Format (OVF) file and two Virtual Machine Disk (VMDK) files that the OVF file uses during deployment.
Firmware image checksums
MD5 checksums for all Fortinet software and firmware releases are available on the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksum, enter the image file name including its extension, and select Get Checksum Code. Compare the published value with the digest of the file you actually downloaded before uploading it to a device.
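A small verifier for that comparison, as an added example rather than Fortinet code. It streams the image through the digest in chunks (images are hundreds of megabytes), picks MD5 or SHA-256 from the length of the pasted value, and compares in constant time. The input format it accepts (a pasted "MD5: <hex>" line or a bare hex string) is an assumption about how you copy the value from the portal. Note what this does and does not prove: MD5 is not collision-resistant, so the check detects corruption and casual substitution, and the guarantee is only as good as the HTTPS session over which you read the expected value.

```python
"""Verify a downloaded FortiOS image against the digest published on the
support portal. Added example, not Fortinet code: the input format it accepts
(a pasted 'MD5: <hex>' line or a bare hex string) is an assumption."""
import hashlib
import hmac
import io
import re

# Digest length in hex characters -> algorithm. The portal publishes MD5;
# SHA-256 is accepted as well so the same check works with a stronger digest.
ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}

def parse_expected(text):
    """Extract the hex digest from a pasted checksum line and pick the
    algorithm by its length. Returns (algorithm, lowercase hex)."""
    match = re.search(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\b", text)
    if not match:
        raise ValueError("no 32- or 64-character hex digest found")
    digest = match.group(1).lower()
    return ALGO_BY_HEXLEN[len(digest)], digest

def digest_stream(fileobj, algo, chunk_size=1 << 20):
    """Hash a binary file object in 1 MiB chunks so a multi-hundred-MB image
    is never read into memory at once."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_image(fileobj, expected_text):
    """True when the image digest matches the published value. The comparison
    is constant-time out of habit; the real guarantee here is only as strong
    as the channel the expected value came from (HTTPS to the portal)."""
    algo, expected = parse_expected(expected_text)
    return hmac.compare_digest(digest_stream(fileobj, algo), expected)

def verify_bytes(data, expected_text):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return verify_image(io.BytesIO(data), expected_text)

if __name__ == "__main__":
    import sys
    # usage: verify.py FGT_VM64-v6-build0163-FORTINET.out "MD5: <hex from portal>"
    with open(sys.argv[1], "rb") as image:
        print("OK" if verify_image(image, sys.argv[2]) else "MISMATCH")
```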
FortiGuard update-server-location setting
The default FortiGuard update-server-location setting differs between hardware platforms and VMs. On hardware platforms the default is any; on VMs the default is usa.
On VMs, update-server-location is set to usa after an upgrade from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later).
If necessary, set update-server-location so that the closest or lowest-latency FDS server is used.
To set the FortiGuard update-server-location:
config system fortiguard
    set update-server-location {usa | any}
end
FortiOS 6.0.2 support
The following table lists 6.0.2 product integration and support information:
Web browsers | Microsoft Edge 41; Mozilla Firefox 59; Google Chrome 65; Apple Safari 9.1 (for Mac OS X). Other web browsers may work but are not supported by Fortinet. |
Explicit web proxy browsers | Microsoft Edge 41; Microsoft Internet Explorer 11; Mozilla Firefox 59; Google Chrome 65; Apple Safari 9.1 (for Mac OS X). Other web browsers may work but are not supported by Fortinet. |
FortiManager | See the compatibility information under Fortinet Security Fabric upgrade above. For the latest information, see FortiManager Compatibility with FortiOS in the Fortinet Documentation Library. Upgrade FortiManager before upgrading FortiGate. |
FortiAnalyzer | See the compatibility information under Fortinet Security Fabric upgrade above. For the latest information, see FortiAnalyzer Compatibility with FortiOS in the Fortinet Documentation Library. Upgrade FortiAnalyzer before upgrading FortiGate. |
FortiClient (Microsoft Windows, Mac OS X, Linux) | 6.0.0. See the compatibility information under Fortinet Security Fabric upgrade above. If FortiClient is managed by FortiGate, upgrade FortiClient before upgrading FortiGate. FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later. If you use FortiClient only for IPsec VPN or SSL VPN, FortiClient 5.6.0 and later are supported. |
FortiClient iOS | 5.6.0 and later |
FortiClient Android and FortiClient VPN Android | 5.4.2 and later |
FortiAP | 5.4.2 and later; 5.6.0 and later |
FortiAP-S | 5.4.3 and later; 5.6.0 and later |
FortiSwitch OS (FortiLink support) | 3.6.4 and later |
FortiController | 5.2.5 and later. Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C |
FortiSandbox | 2.3.3 and later |
Fortinet Single Sign-On (FSSO) | 5.0 build 0268 and later (needed for OU support in FSSO agent group filters); Windows Server 2016 Datacenter; Windows Server 2016 Standard; Windows Server 2008 (32-bit and 64-bit); Windows Server 2008 R2 64-bit; Windows Server 2012 Standard; Windows Server 2012 R2 Standard; Novell eDirectory 8.8 |
FortiExtender | 3.2.1 |
AV Engine | 6.00012 |
IPS Engine | 4.00021 |
Virtualization environments | |
Citrix | XenServer 5.6 Service Pack 2; XenServer 6.0 and later |
Linux KVM | RHEL 7.1/Ubuntu 12.04 and later; CentOS 6.4 (qemu 0.12.1) and later |
Microsoft | Hyper-V Server 2008 R2, 2012, 2012 R2 |
Open source | Xen 3.4.3; Xen 4.1 and later |
VMware | ESX 4.0 and 4.1; ESXi 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5 |
VM Series - SR-IOV | The following NIC chipsets are supported: Intel 82599; Intel X540; Intel X710/XL710 |
Language support
The following table lists language support information.
Language | GUI |
English | ✔ |
Chinese (Simplified) | ✔ |
Chinese (Traditional) | ✔ |
French | ✔ |
Japanese | ✔ |
Korean | ✔ |
Portuguese (Brazil) | ✔ |
Spanish | ✔ |
SSL VPN support
SSL VPN standalone client
The following table lists the SSL VPN tunnel client standalone installers for the following operating systems.
Operating system | Installer |
Linux CentOS 6.5 / 7 (32-bit and 64-bit); Linux Ubuntu 16.04 | 2336. Download from the Fortinet Developer Network, https://fndn.fortinet.net. |
Other operating systems may work but are not supported by Fortinet.
SSL VPN web mode
The following table lists the supported operating systems and web browsers for SSL VPN web mode.
Operating system | Browser |
Microsoft Windows 7 SP1 (32-bit and 64-bit); Microsoft Windows 8 / 8.1 (32-bit and 64-bit) | Microsoft Internet Explorer 11; Mozilla Firefox 54; Google Chrome 59 |
Microsoft Windows 10 (64-bit) | Microsoft Edge; Microsoft Internet Explorer 11; Mozilla Firefox 54; Google Chrome 59 |
Linux CentOS 6.5 / 7 (32-bit and 64-bit) | Mozilla Firefox 54 |
OS X El Capitan 10.11.1 | Apple Safari 9; Mozilla Firefox 54; Google Chrome 59 |
iOS | Apple Safari; Mozilla Firefox; Google Chrome |
Android | Mozilla Firefox; Google Chrome |
Other operating systems and web browsers may work but are not supported by Fortinet.
SSL VPN host compatibility list
The following tables list the supported antivirus and firewall client software packages.
Supported Microsoft Windows XP antivirus and firewall software
Product | Antivirus | Firewall |
Symantec Endpoint Protection 11 | ✔ | ✔ |
Kaspersky Antivirus 2009 | ✔ | |
McAfee Security Center 8.1 | ✔ | ✔ |
Trend Micro Internet Security Pro | ✔ | ✔ |
F-Secure Internet Security 2009 | ✔ | ✔ |
Supported Microsoft Windows 7 32-bit antivirus and firewall software
Product | Antivirus | Firewall |
CA Internet Security Suite Plus Software | ✔ | ✔ |
AVG Internet Security 2011 | | |
F-Secure Internet Security 2011 | ✔ | ✔ |
Kaspersky Internet Security 2011 | ✔ | ✔ |
McAfee Internet Security 2011 | ✔ | ✔ |
Norton 360™ version 4.0 | ✔ | ✔ |
Norton™ Internet Security 2011 | ✔ | ✔ |
Panda Internet Security 2011 | ✔ | ✔ |
Sophos Security Suite | ✔ | ✔ |
Trend Micro Titanium Internet Security | ✔ | ✔ |
ZoneAlarm Security Suite | ✔ | ✔ |
Symantec Endpoint Protection Small Business Edition 12.0 | ✔ | ✔ |
Resolved issues
The following issues have been fixed in version 6.0.2. For inquiries about a specific bug, contact Customer Service & Support.
Antivirus
Bug ID | Description |
487946 | The MSS value increases when AV or web filter is used, resulting in Packet Too Large messages. |
489308 | The scanunit process crashes frequently. |
497371 | Flow-based AV blocks Windows updates (.cab files). |
Application Control
Bug ID | Description |
423140 | After adding a new custom signature, all IPS sessions are lost. |
User and Authentication
Bug ID | Description |
477392 | HA slave units cannot be logged into with a FortiAuthenticator (FAC) username/password plus FortiToken two-factor authentication. |
481469 | Unable to resolve the hostname of a CRL URL configured on a non-management VDOM. |
488566 | Renaming a guest user group is not reflected under the guest administrator account assigned to it. |
491175 | diag test application fnbamd 1 causes fnbamd to stop responding and authentication to fail. |
491235 | New diag command diag test app wad 13. |
491241 | Enhanced diag command diag test app fnbamd 1. |
493470 | Authenticated users receive an "Oops, authentication required" page from a proxy policy that has no authentication. |
493930 | Admins using the dedicated HA management interface are not visible in the CLI. |
495210 | Guest user accounts do not show an expiration time, only an expiration date. |
496524 | After wired captive portal authentication succeeds, the wired PC still receives many HTTP redirects and cannot access the Internet. |
Connectivity
Bug ID | Description |
463982 | FortiManager IP is not set in the FortiGate central management configuration. |
479607 | The scheduled auto-update ran twice within 10 seconds, but no log entry was recorded for the first attempt. |
481058 | Unable to retrieve the configuration revision control list from FortiCloud. |
DLP
Bug ID | Description |
478524 | Diskless models lack the full-archive protocol options when configuring DLP sensors with only FortiCloud logging enabled. |
486958 | scanunit signal 14 (alarm clock) caused by DLP scanning of bz2 files. |
492624 | DLP blocks websites in FortiOS 6.0 GA. |
496255 | Some XML-based MS Office files are recognized as ZIP files. |
Firewall
Bug ID | Description |
474612 | SNAT uses low source ports below 1023. |
475539 | Inaccurate NetFlow export: flow measurements do not match SNMP readings. |
478681 | It should be possible to disable SNAT when a VIP is present and central NAT is enabled. |
492961 | Setting utm-status disable does not hide the profile group; unsetting profile-group leaves profile-protocol-options empty. |
498188 | dirty_session_check drops all established VIP64 sessions. |
502579 | After upgrading from 5.6 to 6.0.1, local-in policies with FQDN addresses do not work. |
FortiView
Bug ID | Description |
414172 | httpsd/dnsproxy high CPU and memory usage with high-rate 1-byte spoofed UDP traffic. |
GUI
Bug ID | Description |
402457 | Suggestions for improving the IPsec VPN monitor page: Proxy ID Source and Proxy ID Destination fields. |
413881 | VDOM link tooltip displays Failed to get information. |
444104 | Accept/Decline buttons are not visible in the GUI with long login disclaimers at some screen resolutions. |
449598 | The Remote LDAP User Definition wizard does not pull users. |
457627 | Request to be able to change the date/time format displayed in the FortiGate GUI. |
457721 | FortiLink switch controller GUI: allow users to edit FortiLink/ISL port descriptions. |
457966 | Virtual wire pair: add a VLAN range filter in the GUI. |
460617 | The GUI FortiGuard Check Again button does not work as expected because of a FortiGuard service 8888/53 routing error. |
462011 | The GUI is blank when accessed with a RADIUS user that has a read-only access profile while the FortiGate is managed by FortiManager. |
462072 | The GUI should display the full FQDN in reputation search results. |
468465 | Some filters do not return logs when the log source is FortiCloud. |
468797 | It is not possible to filter by date or timestamp when viewing logs from FortiCloud. |
469082 | Administrators with the prof_admin profile cannot view IPv4 source addresses in the GUI. |
470241 | Raw logs are downloaded from the default location even if another log device is selected in the GUI. |
472023 | Outbreak prevention detections are counted under 'clean' in the Advanced Threat Protection Statistics widget. |
472558 | DHCP server GUI: the page is populated with wrong information when switching from DHCP relay to DHCP server. |
473808 | Column filters are not persistent and are removed after a page refresh. |
474807 | There is no way to restore the default page in the replacement message Mail group. |
475036 | Duplicate entries found for virtual servers in the GUI. |
477393 | Negative values in the Load Balance monitor logs. |
477870 | The alias of the modem interface appears in the GUI but not in the CLI. |
479468 | Link status is lost after the SD-WAN GUI changes to the list editor. |
479937 | The GUI should hide options that do not apply to certificate checking. |
481902 | When visiting the FortiView > Websites page, the error Failed to fetch FortiView data appears and httpsd keeps crashing. |
482628 | The CPU.Speculative.Execution.Timing.Information.Disclosure signature cannot be filtered if Application is selected. |
489674 | When scrolling to the end of a muTable, the GUI should display 100% of the entries. |
489675 | The Firefox web browser sometimes fails to delete performance SLA rules. |
489715 | Destination address should not be mandatory in GUI SD-WAN rules. |
492898 | FSSO AD group entries can no longer be deleted in the GUI. |
493351 | Object tooltips from the previous page should not remain displayed on the current page. |
493773 | SD-WAN rules in the GUI fail to select the address group grp_citrixfarm as source or destination. |
494724 | When creating a trunk interface on a managed FortiSwitch, the FortiSwitch ports in the right-hand list show as down even though some ports are up. |
496613 | Editing a web filter profile in the GUI deletes the web proxy profile and URL filter entries. |
497667 | The FortiSwitch Ports page loads very slowly. |
502785 | Remove '# interface' from the device list. |
HA
Bug ID | Description |
408886 | Non-stop upgrade from B718 to label 9702 fails with 1.5M BGP routes and a 6M session load. |
461915 | When standalone configuration synchronization is enabled in FGSP, the IPv6 settings of the interfaces are synchronized. |
473806 | Management interface IP address is copied to the slave when using a standalone management VDOM. |
474622 | IPsec itn=0 after a unit joins the FGSP cluster. |
482548 | Conserve mode caused by hasync consuming most of the memory. |
485340 | Cluster uptime shows -141 days -20:-31:-50. |
486552 | vcluster HA failover fails on the 3800D with a large site-to-site IPsec VPN configuration. |
487444 | After HA failover on the 80E/81E, the FortiGate stops accepting traffic from any interface in the hardware switch. |
491311 | When creating a new NAT VDOM, the management port is synchronized. |
493759 | After removing vcluster2 from the HA configuration, all active sessions are terminated once the session TTL is reached. |
494029 | After a failover, it is sometimes not possible to connect to the backup device's management IP. |
501147 | Moving a VDOM to a virtual cluster from the GUI causes the cluster to go out of sync. |
IPS
Bug ID | Description |
478185 | Improve detection of fragmented intrusion attacks. |
489557 | Odd traceroute behaviour when IPS is enabled. |
IPsec VPN
Bug ID | Description |
486756 | IPsec VPN traffic is not fragmented when proxy-based UTM is enabled. |
489990 | Make PKI verification of the IDi against the certificate identity optional. |
490066 | FortiClient IPsec with proxy/web filter requires fragmentation. |
491305 | Packets from FortiClient cannot pass through VXLAN over IPsec, depending on the packet size. |
492046 | FortiGate does not respond to the informational exchange messages required by the RFC. |
493918 | iked memory leak. |
Log and Report
Bug ID | Description |
459306 | Request to reduce the threat level for very large files. |
493140 | Need to see the application signature name instead of the LDS under Log & Report > System Events. |
494040 | Creating or modifying a security profile generates multiple misleading action logs. |
497357 | When DNS filter is used and a DNS query times out, FortiGate logs show the action as blocked. |
498519 | Web filter authentication fails to set the status field in event log messages. |
Proxy
Bug ID | Description |
479678 | IP pool does not work properly in explicit proxy policies. |
482916 | WAD crashes with signal 6. |
486821 | Web application symphony fails when an AV profile is enabled in the policy. |
487096 | SSL handshake fails when activating the ESET application. |
491417 | FortiGate drops Server Hello packets when URL filter is enabled. |
491424 | Adjust the proxy-auth-timeout default value and units. |
491630 | When UTM is enabled, the client cannot get a response from the server and receives a 500 Internal Server Error. |
494081 | After upgrading the firmware to 5.6.4, the WAD process crashes with signal 11. |
Routing
Bug ID | Description |
443948 | High memory usage by zebos_launcher and isisd. |
482631 | OSPF adjacency lost and fgfmd high CPU while FortiManager pushes a policy. |
491423 | BGP shutdown neighbor: the capability-default-originate parameter is always in use. |
491679 | FortiGate chooses the higher-metric OSPF E2 route for traffic in some cases. |
492063 | Route maps cannot use BGP conditional advertisement to set attributes. |
493454 | Kernel 3.2 does not forward large PIM-SM bootstrap packets. |
494393 | Router access lists should not default to the 'any' prefix with exact match disabled. |
500673 | SD-WAN rules for applications do not work after an HA switchover. |
SSL VPN
Bug ID | Description |
466438 | High CPU usage by sslvpnd. |
483712 | sslvpnd consumes a lot of memory, causing the FortiGate to enter conserve mode. |
486918 | SSL VPN web mode does not load pages correctly. |
489827 | In SSL VPN web mode, the Visteon.service-now.com/vss URL does not load. |
491895 | Web mode SSL VPN HTTP bookmarks do not work. |
494948 | Confluence does not render correctly in web mode. |
494960 | SSL VPN web mode fails to load internal web applications. |
494978 | After upgrading to 5.6.4, authd registers SSL VPN users with wrong user/group information and breaks SSL VPN. |
498249 | SCEP needs to be updated with SSL hostname/certificate checking. |
501769 | SSL VPN: internal website bookmarks do not load correctly (JavaScript error). |
Switch Controller
Bug ID | Description |
493685 | The hardware switch floods traffic. |
System
Bug ID | Description |
370953 | The SLBC worker blade cannot resync with the config master blade because of a frozen confsync daemon. |
394509 | There are no log entries for failed admin PKI authentications. |
414081 | SMB1 support is disabled by default on some models. |
441483 | Confusing: set enable-shaper disable is required to enable HPE protection. |
459273 | Slave worker blade loses the local administrator account. |
462178 | Front panel SPEED LED blinks green when sending and receiving data. |
466317 | [api] is in Z (zombie) state. |
468938 | Kernel panic on 3700D slave. |
472267 | DNS filter performance improvements. |
472270 | SNMP support for DNS filter counters. |
473354 | Request to enable per-session-accounting by default on NP6Lite. |
477886 | PRP support. |
479142 | SLBC 5001D slave blade out of sync. |
481783 | DHCP address assignment sometimes fails; dhcpd crashes multiple times. |
485781 | Deleting an EMAC VLAN interface in a different VDOM causes loss of connectivity to the EMAC VLAN for 5-7 pings. |
493219 | softirq and nice consume a lot of CPU when sending and receiving packets through virtual wire pairs. |
494603 | Once a trusted host is configured, a FortiGate in transparent mode cannot be accessed via HTTPS/SSH (management access). |
494707 | FortiGate trusted host settings are not respected. |
499332 | No error message when configuring address .067 with address translation to .55. |
499435 | Allow the packet sniffer to use the RAM disk. |
499793 | FortiGate sets the wrong time zone for Paraguay. |
Upgrade
Bug ID | Description |
495994 | After upgrading to 5.4.9, many IPS syntax errors are observed on the console. |
VM
Bug ID | Description |
493225 | FGT-VM01 is missing the diag sys mpstat command option. |
499154 | FortiGate Azure rejects static route configuration pushed from FortiManager. |
501911 | FOS-AWS: the initial user password is the instance ID; force the user to change it on first login. |
Bug ID | Description |
471638 | FortiGate disconnects all clients when they roam from AP to AP. |
479415 | Incorrect Authentication Success Page replacement message. |
VoIP
Bug ID | Description |
478634 | Debug commands do not apply SIP filters. |
Web Filter
Bug ID | Description |
454634 | Per-domain web filter warning prompts are shown per category rather than per domain. |
476806 | FortiOS incorrectly sends ICMP Destination Unreachable with web filter/certificate checking. |
486171 | The Web Rating Override option is not available in flow mode. |
490377 | The Web Rating Override option does not work properly in proxy-based mode. |
498231 | Sites such as fedex are misclassified as malicious. |
Web Proxy
Bug ID | Description |
500182 | UDP via SOCKS proxy. |
WiFi
Bug ID | Description |
491248 | VAP RADIUS-based MAC authentication should support CoA. |
491769 | Support third-party external portals with RADIUS MAC authentication. |
495995 | Custom class overrides do not work. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
450553 | FortiOS 6.0.2 is no longer vulnerable to the following CVE references: CVE-2017-12150, CVE-2017-12151, CVE-2017-12163 |
487421 | FortiOS 6.0.2 is no longer vulnerable to the following CVE reference: CVE-2018-13365 |
495090 | FortiOS 6.0.2 is no longer vulnerable to the following CVE reference: CVE-2018-13366 |
496431 | FortiOS 6.0.2 is no longer vulnerable to the following CVE reference: CVE-2018-9192 |
499552 | FortiOS 6.0.2 is no longer vulnerable to the following CVE reference: CVE-2016-7431 |
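As an added example (not part of these release notes and not a Fortinet tool), the following Python turns the CVE table above into a check a vulnerability-management script can run against the output of `get system status`. It assumes the `Version:` line of that output follows the pattern `v<major>.<minor>.<patch>,build<NNNN>`; the sample status lines in the block are constructed, not captured from real devices. A device on an older release train (5.6.x, 5.4.x) is reported as unknown rather than vulnerable, because the table only states what 6.0.2 fixes, not whether earlier trains received the same patches; those must be checked against the PSIRT advisory.

```python
import re
from typing import Dict, Optional, Tuple

# CVEs that the FortiOS 6.0.2 release notes list as closed, keyed by the
# bug ID the notes attach to each entry.
FIXED_IN_6_0_2: Dict[str, Tuple[str, ...]] = {
    "450553": ("CVE-2017-12150", "CVE-2017-12151", "CVE-2017-12163"),
    "487421": ("CVE-2018-13365",),
    "495090": ("CVE-2018-13366",),
    "496431": ("CVE-2018-9192",),
    "499552": ("CVE-2016-7431",),
}
FIXED_TRAIN = (6, 0)   # release train these notes cover
FIXED_PATCH = 2        # first patch level in that train carrying the fixes

# Assumed layout of the "Version:" line from `get system status`, e.g.
#   Version: FortiGate-100E v6.0.2,build0163,180802 (GA)
# The regex captures major, minor, patch and build.
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+),build(\d+)")

# Constructed sample status lines (not captured from real devices).
SAMPLE_602 = "Version: FortiGate-100E v6.0.2,build0163,180802 (GA)"
SAMPLE_601 = "Version: FortiGate-100E v6.0.1,build0131,180404 (GA)"
SAMPLE_565 = "Version: FortiGate-60E v5.6.5,build1600,180227 (GA)"


def parse_version(status_output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, build) parsed from status output, or None."""
    m = _VERSION_RE.search(status_output)
    if m is None:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return major, minor, patch, build


def cve_status(status_output: str) -> Dict[str, str]:
    """Map every CVE in the table to 'fixed', 'vulnerable' or 'unknown'.

    'unknown' is returned for any release train other than 6.0: the notes
    say what 6.0.2 fixes, not whether 5.6.x or 5.4.x builds received the
    same patches, so those must be checked against the PSIRT advisory.
    """
    parsed = parse_version(status_output)
    if parsed is None:
        raise ValueError("no FortiOS version string found in status output")
    major, minor, patch, _build = parsed
    if (major, minor) == FIXED_TRAIN:
        verdict = "fixed" if patch >= FIXED_PATCH else "vulnerable"
    else:
        verdict = "unknown"
    return {cve: verdict for cves in FIXED_IN_6_0_2.values() for cve in cves}


def report(status_output: str) -> str:
    """One line per CVE, sorted, for a human-readable summary."""
    statuses = cve_status(status_output)
    return "\n".join(f"{cve}: {state}" for cve, state in sorted(statuses.items()))


if __name__ == "__main__":
    for sample in (SAMPLE_602, SAMPLE_601, SAMPLE_565):
        print(sample)
        print(report(sample))
        print()
```

Feed it the captured `get system status` text from each device; the build number is parsed but deliberately not used for the verdict, since the fix boundary in these notes is the patch level, not a particular build.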
The following issues have been identified in version 6.0.2. To inquire about a particular bug or to report a bug, please contact Customer Service & Support.
Application Control
Bug ID | Description |
435951 | Traffic continues to pass through a DENY NGFW policy configured with a URL category. |
FortiGate 3815D
Bug ID | Description |
385860 | FG-3815D does not support 1GE SFP transceivers. |
Bug ID | Description |
256264 | The live session list cannot display IPv6 sessions and related issues. |
FortiSwitch Controller/FortiLink
Bug ID | Description |
304199 | Using HA with FortiLink may cause traffic loss during failover. |
357360 | DHCP snooping might not work with IPv6. |
FortiView
Bug ID | Description |
375172 | A FortiGate under a FortiSwitch may appear to be directly connected to an upstream FortiGate. |
453610 | FortiView > Policies (or Sources) > Now shows nothing when filtered by a physical interface in PPPoE mode. |
460016 | In FortiView > Threats, after drilling down one level, clicking Back clears the chart. |
482045 | FortiView shows no data for Traffic from WAN. |
494731 | Bug reporting in FortiView. |
GUI
Bug ID | Description |
439185 | Unable to view and download AV Quarantine from the details panel when the source is FortiAnalyzer. |
442231 | Links could not be displayed in different colors according to the link legend in the logical topology live view. |
451776 | The OTP for the management GUI is limited to 10 characters. |
470589 | The Security tab of the Forward Traffic log details pane does not show security log details when multiple log facilities are enabled. |
487350 | FortiGuard Filtering Service Availability shows Unavailable in the GUI when no valid antispam license exists. |
493839 | Cannot change quota type (time-based, traffic-based). |
HA
Bug ID | Description |
451470 | Unexpected performance degradation in case of inter-chassis HA failback with HA override enabled. |
479987 | FG MGMT1 does not authenticate Admin RADIUS users through the primary unit (secondary unit works). |
503433 | The hassync daemon crashes when the management session times out, and the cluster may become out of sync for a short period of time. |
IPS
Bug ID | Description |
445113 | IPS engine 3.428 on FortiGate sometimes fails to detect Psiphon packets that iscan does detect. |
IPsec VPN
Bug ID | Description |
469798 | Interface shaping with an egress shaping profile does not apply to offload traffic. |
481201 | After registering with FortiCare, there is a delay of about one day in OCVPN functionality. |
Log & Report
Bug ID | Description |
412649 | In NGFW Policy mode, FortiGate does not create webfilter logs. |
Security Fabric
Bug ID | Description |
403229 | In the FortiAnalyzer FortiView display, the upstream FortiGate cannot drill down to the final level of downstream traffic. |
411368 | In FortiView with FortiAnalyzer, the combined MAC address is shown in the Device field. |
SSL VPN
Bug ID | Description |
405239 | Incorrect URL rewriting for specific pages in the application server. |
System
Bug ID | Description |
295292 | If private data encryption is enabled, FortiGate may not prompt the user for the key when restoring the configuration to FortiGate. |
364280 | Users cannot log into FortiGate via SSH using the ssh-dss algorithm. |
436746 | NP6 counters show packet loss on FG-1500D with a pure firewall policy (no UTM). |
440411 | Monitor NP6 IPsec engine status. |
466048 | Unable to detect Huawei USB LTE E3276. |
468684 | EHP drop improvements for units using NP_SERVICE_MODULE. |
472843 | FortiGate does not always save script changes when FortiManager is set to DM = set verify-install disable. |
474132 | FG-51E hangs under stress test since build 0050. |
482497 | Running diagnose npu np6lite session on FGT-201E results in high CPU and system instability. |
494042 | If we create a VLAN in VDOM A, then we cannot create a ZONE name with the same VLAN name in VDOM B. |
Upgrade
Bug ID | Description |
470575 | After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and webfilter. |
473075 | When upgrading, multicast policies are lost when there are zone members as interfaces. |
481408 | When upgrading from 5.6.3 to 6.0.0, IPv6 policies will be lost if there are SD-WAN members as interfaces. |
494217 | Per-user SSL VPN personal bookmarks do not display after upgrading to 6.0.1. Workaround: rename a user bookmark to a new name using the CLI. |
Web Filter
Bug ID | Description |
480003 | FortiGuard categories do not work in NGFW mode policies. |
Citrix XenServer Limitations
The following limitations apply to Citrix XenServer installations:
- XenTools installation is not supported.
- FortiGate-VM can only be imported or deployed in the following three formats:
- XVA (recommended)
- VHD
- OVF
- The XVA format comes pre-configured with default settings for VM name, virtual CPU, memory, and virtual NIC. Other formats require manual configuration before the first power-on.
Open Source XenServer Limitations
When using Ubuntu Linux 11.10, XenServer 4.1.0, and libvirt 0.9.2, there may be import issues when using the QCOW2 format, as well as existing HDA issues.