Now available with full Release Notes.
3.11 Enhancements provided by MR6
3.11.1 AV/NIDS Updates
• Fortinet Protection System server connection reliability
Description: To improve reliability of the scheduled AV/NIDS update during busy network periods (e.g. after a Push
Update Notification is received by the FortiGate unit), the ' minute' field of the scheduled update is assigned a random
value. The ' minute' field can still be configured through the CLI. Any ' minute' value (0-59) is now allowed and a
value of 60 means to choose a random value.
• Improved update logs
Description: Modified the AV/NIDS update log message to include the version of the updates.
e.g.: Fortigate updated <AV database version> <IDS database version> <AV Engine version> <IDS Engine version>
<FortiShield Database status>
3.11.2 WebUI Enhancements
• Persistent log columns GUI
Description: When customizing the columns of the log message display, the order is stored in a browser “cookie†so
that when returning to the log display webpage the column arrangement is retained for the current WebUI session.
• FortiShield Anti-Spam
Description: FortiShield Anti-Spam is the new name for the Fortinet DNSBL subscription service available in late
Q4-2004. (DNS-BL is also commonly know as “RBL†or real-time black list.)
• Policy ID in session monitor
Description: The session monitor page in the WebUI now shows the corresponding firewall policy ID number.
4 MR6 Release Issues
4.1 Resolved Issues
AntiVirus
4.1.1 Large POP3 message may not download
Description: With AV scanning enabled, when a POP3 mail message reaches the oversize file limit with the action
set to “pass”, the FortiGate firewall will send a NOOP command to the POP3 mail server while transferring the
partial message to the client. The FortiGate attempts to resume the message download from the server, but the server
has timed out and closed the connection.
Models Affected: All.
Bug ID: 11298
Status: Fixed in MR6.
4.1.2 AV sessions do not use session ttl timeout
Description: In transparent mode, AV scanned HTTP sessions time out in 40 seconds even though the session_ttl
timeout has been configured through the CLI to a longer time period.
Models Affected: All.
Bug ID: 16632
Status: Fixed in MR6.
4.1.3 Secure sites or login pages load slowly
Description: When AV scanning is enabled for HTTP, access is very slow to certain secure (HTTPS) sites or to login
pages using scripting.
Models Affected: All.
Bug ID: 17309
Status: Fixed in MR6.
4.1.4 Quarantine name display missing or incorrect
Description: The file names for quarantined virus files may be missing or be displayed incorrectly after capturing
multiple instances of the same virus file.
Models Affected: All.
Bug ID: 14870, 17133
Status: Fixed in MR6.
Firewall
4.1.5 H.323 UDP traffic sometimes dropped
Description: UDP (video) traffic sometimes gets dropped when carried over the H.323 protocol when end points switch
from the standard ports to high ports for the UDP streams.
Models Affected: All.
Bug ID: 15121
Status: Fixed in MR6
4.1.6 Authenticated policy timeout during active traffic
Description: A firewall policy with authentication enabled will time out after the global authentication idle period
(System -> Config -> Options -> Timeout Settings – Auth timeout) even when there is active policy traffic.
Models Affected: All.
Bug ID: 16231
Status: Fixed in MR6
November 18, 2004
Fortinet Inc. Release Notes: FortiOS™ v2.80-MR6
4.1.7 NetBIOS forwarding fails when broadcast flag set
Description: NetBIOS/WINS forwarding does not work when the broadcast flag is set in the packet. Unicast or hybrid
mode NetBIOS traffic is unaffected and is forwarded correctly.
Models Affected: All.
Bug ID: 16490
Status: Fixed in MR6
4.1.8 WINS Server IP address change requires reboot
Description: When NetBIOS/WINS forwarding is enabled, a WINS server IP address change requires a reboot to
take effect.
Models Affected: All.
Bug ID: 16826
Status: Fixed in MR6.
4.1.9 Active FTP sessions and VIP
Description: When using VIP port-forwarding to an internal FTP server, some FTP clients cannot establish the
connection to the server when using active FTP. In active mode FTP the client connects from a random unprivileged
port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the
FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port
from its local data port, which is port 20.
Models Affected: All.
Bug ID: 18020
Status: Fixed in MR6.
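The active-mode exchange described in 4.1.9, as an added example (not Fortinet code): it parses the RFC 959 PORT argument the client sends and derives the data connection a firewall in front of a port-forwarded FTP server should then expect from the server. The addresses, the helper names and the same-host check are assumptions for illustration, and the client is assumed not to sit behind its own NAT.

```python
import ipaddress
from typing import NamedTuple

class DataSession(NamedTuple):
    src_ip: str    # address the client knows the server by (the VIP)
    src_port: int  # server's local data port, 20
    dst_ip: str    # client address announced in PORT
    dst_port: int  # client data port announced in PORT (N+1 in the text)

def parse_port_command(line: str) -> tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    verb, _, arg = line.strip().partition(" ")
    fields = arg.split(",")
    if verb.upper() != "PORT" or len(fields) != 6:
        raise ValueError("not a well-formed PORT command")
    if not all(f.isascii() and f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError("PORT fields must be integers 0-255")
    nums = [int(f) for f in fields]
    # The port is sent as two bytes: high byte p1, low byte p2.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def expected_data_session(port_line: str, control_src_ip: str,
                          vip_ip: str) -> DataSession:
    """Return the server-to-client data connection to allow (hypothetical helper)."""
    ip, port = parse_port_command(port_line)
    # Added check: only accept a data address equal to the control-connection
    # peer, so the server is never pointed at a third host.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_src_ip):
        raise ValueError("PORT address differs from control-connection peer")
    if port < 1024:
        raise ValueError("PORT names a privileged port")
    # The client expects the connection to come from the VIP, port 20,
    # not from the server's internal address.
    return DataSession(vip_ip, 20, ip, port)

# Constructed sample: the client listens on 50001 (195 * 256 + 81).
SAMPLE_PORT = "PORT 203,0,113,10,195,81"

if __name__ == "__main__":
    print(expected_data_session(SAMPLE_PORT, "203.0.113.10", "198.51.100.5"))
```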
IPS
4.1.10 MSN Messenger not blocked
Description: For a NAT outgoing policy with AV and IPS enabled in the protection profile, clients still can log in to
MSN Messenger and initiate a chat session through the FortiGate firewall.
Models Affected: All.
Bug ID: 16141
Status: Fixed in MR5.
High Availability
4.1.11 Grayware settings not synchronized
Description: Selecting or deselecting grayware items on the Master from the HA cluster WebUI is not synchronized:
checking the configuration of a slave from the CLI shows the items are deselected. Workaround was to reboot the
slave unit to force a full synchronization of configuration settings.
Models Affected: All.
Bug ID: 16452
Status: Fixed in MR6.
4.1.12 HA Master status change does not generate an alert email
Description: HA Master unit status changes (slave becomes master or dead master detected) do not generate an alert
email message.
Models Affected: All.
Bug ID: 17010
Status: Fixed in MR6. Alert email now sent from new Master unit. (Note: Alert mails for Slave events are not
generated. See Bug ID #10259)
4.1.13 Slave failed to clear some settings after reset to factory defaults
Description: After clearing the slave's configuration settings with the CLI command "exec factorydefaults" and
rebooting, the slave is still in the HA cluster and reports "slave is not sync with master".
Models Affected: All.
Bug ID: 16277, 16196
Status: Fixed in MR6.
4.1.14 AV/NIDS signature synchronization on slave unit
Description: Update error in slave unit's event log: “FortiGate update failed”; yet synchronization of signatures
appears to be working properly (AV packages are up-to-date on slave).
Models Affected: All.
Bug ID: 16455
Status: Fixed in MR6.
Content Filtering
4.1.15 Spam filter lists Disable/Enable All from WebUI does not take effect
Description: From the WebUI, “uncheck all” or “check all” does not take effect. Workaround is to disable/enable
list entries individually, or after a reboot the “disable/enable all” will take effect.
Models Affected: All.
Bug ID: 16781, 15913
Status: Fixed in MR6.
4.1.16 Email address filter case sensitive
Description: Email address filter entries are case sensitive when they should be case insensitive. For example,
Abc@nowhere.com should be equivalent to any combination of upper and lower-case letters: aBC@Nowhere.com,
aBc@nOWHERe.Com, etc.
Models Affected: All.
Bug ID: 3499
Status: Fixed in MR6.
4.1.17 Return email address domain check
Description: Some e-mail messages failed the return e-mail DNS check and yet “FROM:” e-mail domain passes
DNS check using a different DNS server.
Models Affected: All.
Bug ID: 17737
Status: Fixed in MR6.
VPN
4.1.18 FortiClient VPN software connecting to FortiGate hub cannot connect
Description: The dial-up tunnel from a FortiClient endpoint in a concentrator configuration does not come up.
Models Affected: All.
Bug ID: 16903
Status: Fixed in MR6. Must use “wildcard selector” in Phase 2 setting.
4.1.19 Similarly named Dial-up IPSec tunnels do not establish
Description: Dialup IPSec policies cannot match the correct Phase2 configuration when multiple Phase2 names
share the same base name string and only differ by a numeric suffix: e.g. “p2” and “p22” are not distinguished.
Models Affected: All.
Bug ID: 15265
Status: Fixed in MR6.
4.1.20 PPTP authentication fails after adding new user
Description: PPTP authentication will fail for all users after a new user is added to an existing User Group.
Workaround requires a system reboot after the new user is added.
Models Affected: All.
Bug ID: 17736
Status: Fixed in MR6.
4.1.21 Encrypt policies for Dialup IPsec tunnels do not work with address groups
Description: When an address group is used in an encrypt policy for an IPSec dialup server only the first subnet
belonging to this address group can be accessed from peer subnet.
Models Affected: All.
Bug ID: 16762, 15265
Status: Fixed in MR6.
Log and Report
4.1.22 Traffic log messages do not show interface information
Description: All 'source interface' and 'destination interface' fields in traffic log messages became 'n/a'.
Models Affected: All.
Bug ID: 16547
Status: Fixed in MR6.
4.1.23 Traffic log in v2.80 is not consistent with v2.50
Description: In FortiOS v2.50 the protocol is a number and the service is the port/protocol.
Models Affected: All.
Bug ID: 16870
Status: Fixed in MR6.
System
4.1.24 Update Center settings cannot be changed from WebUI
Description: The Update Center WebUI does not accept any changes. Clicking “Apply” or “Update Now” displays
the error message “CFG_CLI_INTERNAL_ERR”. Workaround is to use the CLI commands to modify the Update
Center settings:
config system autoupdate <pushupdate/schedule>
Models Affected: All.
Bug ID: 16454
Status: Fixed in MR6.
4.1.25 IPS anomaly page in Web slow to display
Description: When accessing the IPS anomaly screen through the WebUI, the page display is very slow and could
take 2-3 minutes to fully render. Repeated clicking on the Anomaly menu link increases the delay since each click is
a new request to redraw the page.
Models Affected: All.
Bug ID: 16809
Status: Fixed in MR6.
4.1.26 FortiGate DHCP client renewal stops
Description: After a few (less than 3) successful DHCP IP address renewals, the FortiGate DHCP client will
stop sending a DHCP renew message. Workaround is to change the interface mode to static and then change back to
DHCP mode again.
Models Affected: All.
Bug ID: 15725, 16554
Status: Fixed in MR6.
4.1.27 Modem interface does not back-up WAN2 interface.
Description: The Modem interface can be set as a back-up should another interface fail. When WAN2 interface goes
down the Modem interface does not automatically connect as the back-up connection.
Models Affected: FortiWiFi-60.
Bug ID: 16872
Status: Fixed in MR6.
4.1.28 Certain SNMP traps functional
Description: Several SNMP traps are not working: portscan, syn_flood, virus detection, cpu overusage, low
memory, warm start, cold start, link up, link down.
The only 5 types of traps that are successfully generated are: interface ip change, management ip change, vpn tunnel up,
vpn tunnel down, ha status change.
Models Affected: All.
Bug ID: 16624
Status: Fixed in MR6.
4.1.29 Setting for “web pattern block” not cleared
Description: Executing a reset factory defaults does not clear the web pattern block settings of the previous
configuration.
Models Affected: All.
Bug ID: 16275
Status: Fixed in MR6.
4.1.30 Secondary IP subnet cannot overlap Primary IP address
Description: Cannot assign secondary IP & primary IP addresses that belong to the same subnet on an interface.
Models Affected: All.
Bug ID: 15933
Status: Fixed in MR6.
4.1.31 Alert Email address changes through WebUI
Description: Any change to the email address settings in the Alert Email screen causes an error message pop-up
and the change is not applied. Workaround is to use the CLI.
Models Affected: All models running 2.80-MR4 or MR5.
Bug ID: 16179
Status: Fixed in MR6.
4.1.32 Ping server requires a static route
Description: In cases where an interface automatically acquires an IP address (e.g. DHCP or PPPoE) and ping server
is on a connected network (same subnet), the ping server function does not work since a static route (e.g. Default
route) to the target server is required.
Models Affected: All.
Bug ID: 16470
Status: Fixed in MR6.
4.1.33 RIP advertisements incorrect when secondary IP addresses defined
Description: The secondary IP address is being used in RIP v2 packets of the primary IP address even though the
network for secondary IP address has not been added into RIP network configuration.
Models Affected: All.
Bug ID: 16515
Status: Fixed in MR6.
4.1.34 Alert email messages sometimes rejected by SMTP mail servers
Description: Certain SMTP mail servers require a non-empty “Reply-to” email header. Current Alert email
messages leave this header empty, causing a rejection of the email message.
Models Affected: All models.
Bug ID: 17561
Status: Fixed in MR6. Added “reply-to” header.
4.1.35 Ping server with PPPoE interfaces and policy routing
Description: The ping server does not support policy routing with PPPoE interfaces as outgoing interface.
Models Affected: All models.
Bug ID: 17892
Status: Fixed in MR6.
4.1.36 Multiple DHCP relay or servers on the same port
Description: If multiple DHCP relays or servers were all accessed through the same interface of the FortiGate
unit, only the first relay or server would work.
Models Affected: All models.
Bug ID: 16409, 17195
Status: Fixed in MR6.
4.1.37 DHCP relay ARP with external IP
Description: DHCP relay would ARP the DHCP server with the address of the DHCP relay interface instead of the
FortiGate interface closest to the DHCP server. This could cause problems for hosts which do not honour ARP
requests from outside the local link.
Models Affected: All models.
Bug ID: 16783
Status: Fixed in MR6.
4.1.38 SNMP responses
Description: SNMP interface GET requests are not completed.
Models Affected: FortiWiFi-60.
Bug ID: 16473
Status: Fixed in MR6.
Description: FortiManager specific SNMP trap is not sent for PPPoE and DHCP address changes.
Models Affected: All models.
Bug ID: 16892, 16873, 16833, 16330
Status: Fixed in MR6.
Description: Some SNMP agents cannot perform snmp-walk due to dependency on successive indexes being larger
than the previous. Sort routing table first and then return the requested entry thus ensuring the order expected by
snmpwalk.
Models Affected: All models.
Bug ID: E91
Status: Fixed in MR6.
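Why the ordering fix in the snmpwalk entry above matters, as an added example (not Fortinet code): a walk is a chain of GETNEXT requests, and the manager stops as soon as a returned OID is not greater than the one it asked about. The route list, the two agent functions and the use of the RFC 1213 ipRouteDest column are assumptions for illustration.

```python
from bisect import bisect_right

# RFC 1213 ipRouteDest column; each row is indexed by the destination address.
IP_ROUTE_DEST = (1, 3, 6, 1, 2, 1, 4, 21, 1, 1)

def route_oid(dest: str) -> tuple:
    return IP_ROUTE_DEST + tuple(int(octet) for octet in dest.split("."))

def getnext_storage_order(routes, oid):
    """Agent that answers GETNEXT with the row stored after the requested one."""
    oids = [route_oid(r) for r in routes]
    if oid in oids:
        i = oids.index(oid) + 1
        return oids[i] if i < len(oids) else None
    return oids[0] if oids else None

def getnext_sorted(routes, oid):
    """Agent that sorts the table first, then returns the lexicographic successor."""
    oids = sorted(route_oid(r) for r in routes)
    i = bisect_right(oids, oid)
    return oids[i] if i < len(oids) else None

def walk(getnext, routes, root=IP_ROUTE_DEST):
    """Walk one column the way a manager does; return (destinations, error)."""
    seen, cur = [], root
    while True:
        nxt = getnext(routes, cur)
        if nxt is None or nxt[:len(root)] != root:
            return seen, None                  # end of column
        if nxt <= cur:                         # manager's sanity check
            return seen, "OID not increasing"
        seen.append(".".join(map(str, nxt[len(root):])))
        cur = nxt

# Constructed routing table, in the order the routes were added.
ROUTES = ["192.168.1.0", "10.0.0.0", "172.16.0.0", "0.0.0.0"]

if __name__ == "__main__":
    print(walk(getnext_storage_order, ROUTES))
    print(walk(getnext_sorted, ROUTES))
```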
4.1.39 WebUI Fixes
Description: Display of the IPS anomaly page is very slow.
Models Affected: All models running v2.80-MR5.
Bug ID: 16809
Status: Fixed in MR6.