FortiOS - Release Notes

VERSION 5.4.4
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com 

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

March 13, 2017

FortiOS 5.4.4 Release Notes

01-543-405841-20170313
TABLE OF CONTENTS

Change Log
Introduction
    Supported models
    Special branch supported models
    What’s new in FortiOS 5.4.4
Special Notices
    Built-In Certificate
    Default log setting change
    FortiAnalyzer Support
    Removed SSL/HTTPS/SMTPS/IMAPS/POP3S
    FortiGate and FortiWiFi-92D Hardware Limitation
    FG-900D and FG-1000D
    FG-3700DX
    FortiGate units managed by FortiManager 5.0 or 5.2
    FortiClient Support
    FortiClient (Mac OS X) SSL VPN Requirements
    FortiGate-VM 5.4 for VMware ESXi
    FortiClient Profile Changes
    FortiPresence
    Log Disk Usage
    SSL VPN setting page
    FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade
Upgrade Information
    Upgrading to FortiOS 5.4.4
    Cooperative Security Fabric Upgrade
    FortiGate-VM 5.4 for VMware ESXi
    Downgrading to previous firmware versions
    Amazon AWS Enhanced Networking Compatibility Issue
    FortiGate VM firmware
    Firmware image checksums
Product Integration and Support
    FortiOS 5.4.4 support
    Language support
    SSL VPN support
        SSL VPN standalone client
        SSL VPN web mode
        SSL VPN host compatibility list
Resolved Issues
Known Issues
Limitations
    Citrix XenServer limitations
    Open Source XenServer limitations

Change Log

Date        Change Description

2017-02-10  Initial release of FortiOS 5.4.4.

2017-02-16  Added FortiOS NP4Lite supported models.
            Updated bug 382657 to indicate that it refers to NP4Lite models only.
            Updated bug 387014 to indicate that it refers to FG-1500D only.

2017-02-21  Removed bug 393267 from the Resolved Issues section since this bug was resolved
            in a previous release.

2017-02-21  Added bug 408366 to the Known Issues section.

2017-03-02  Updated command in the Special Notices section to config system global.

2017-03-13  Updated bug 299490 to clarify that MC is multicast.

5 Release Notes
Fortinet, Inc.
Introduction

This document provides the following information for FortiOS 5.4.4 build 1117:

• Special Notices
• Upgrade Information
• Product Integration and Support
• Resolved Issues
• Known Issues
• Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.4 supports the following models.

FortiGate
    FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C,
    FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D,
    FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D,
    FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,
    FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D,
    FG-3700DX, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi
    FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM,
    FWF-81CM, FWF-90D, FWF-90D-POE

FortiGate Rugged
    FGR-60D, FGR-90D

FortiGate VM
    FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX,
    FG-VM64-XEN

    FortiOS 5.4.4 supports the additional CPU cores through a license update on the
    following VM models:
    • VMware 16, 32, unlimited
    • KVM 16
    • Hyper-V 16, 32, unlimited

Pay-as-you-go images
    FOS-VM64, FOS-VM64-KVM

FortiOS NP4Lite
    FG-30D, FG-60D, FG-70D, FG-90D, FG-90D-POE, FG-94D, FG-98D, FG-200D, FG-200D-POE,
    FG-240D, FG-240D-POE, FG-280D-POE
    FWF-30D, FWF-60D, FWF-90D, FWF-90D-POE

FortiOS Carrier
    FortiOS Carrier 5.4.4 images are delivered upon request and are not available on the
    customer support firmware download page.

Special branch supported models


The following models are released on a special branch based off of FortiOS 5.4.4. To confirm that you are
running the proper build, the output from the get system status CLI command has a branch point field
that should read 1117.

FGR-30D is released on build 7603.

FGR-35D is released on build 7603.

FGR-30D-A is released on build 7603.

FGT-30E-MI is released on build 5971.

FGT-30E-MN is released on build 5971.

FWF-30E-MI is released on build 5971.

FWF-30E-MN is released on build 5971.

FWF-50E-2R is released on build 7607.

FGT-52E is released on build 6011.

FGT-60E is released on build 6003.

FWF-60E is released on build 6003.

FGT-61E is released on build 6003.

FWF-61E is released on build 6003.

FGT-80E is released on build 6003.

FGT-81E is released on build 6003.

FGT-81E-POE is released on build 6003.

FGT-90E is released on build 6019.

FGT-91E is released on build 6019.

FWF-92D is released on build 7602.

FGT-100E is released on build 6003.

FGT-100EF is released on build 6003.

FGT-101E is released on build 6003.

FGT-200E is released on build 5968.

FGT-201E is released on build 5968.

FGT-2000E is released on build 6020.

FGT-2500E is released on build 6020.

FGT-3800D is released on build 6013.

FGT-VM64 is released on build 7605.

FGT-VM64-KVM is released on build 7605.

FGT-VM64-HV is released on build 7605.
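
One way to automate the check described in this section, as an added example that is not part of the release notes or Fortinet's tooling: it parses captured `get system status` output and compares the build and branch point with the values listed above. The sample output is constructed, and its field layout, serial number, hostname and build date are assumptions.

```python
import re

# Field layout is an assumption based on typical `get system status` output.
VERSION_RE = re.compile(
    r"^Version:\s*(?P<model>\S+)\s+v(?P<version>[\d.]+),build(?P<build>\d+)",
    re.MULTILINE,
)
BRANCH_RE = re.compile(
    r"^Branch point:\s*(?P<branch>\d+)", re.MULTILINE | re.IGNORECASE
)


def check_firmware(status_output, expected_build,
                   expected_version="5.4.4", expected_branch_point=1117):
    """Return a list of mismatches; an empty list means the unit matches."""
    problems = []

    ver = VERSION_RE.search(status_output)
    if ver is None:
        problems.append("Version line not found")
    else:
        if ver["version"] != expected_version:
            problems.append(f"version {ver['version']} != {expected_version}")
        if int(ver["build"]) != expected_build:
            problems.append(f"build {int(ver['build'])} != {expected_build}")

    branch = BRANCH_RE.search(status_output)
    if branch is None:
        problems.append("Branch point field not found")
    elif int(branch["branch"]) != expected_branch_point:
        problems.append(
            f"branch point {int(branch['branch'])} != {expected_branch_point}"
        )
    return problems


# Constructed sample for a special-branch unit (build 6003, branch point 1117).
SAMPLE_STATUS = """\
Version: FortiGate-60E v5.4.4,build6003,170101 (GA)
Serial-Number: FGT60E0000000000
Hostname: FGT-LAB
Branch point: 1117
Release Version Information: GA
"""

if __name__ == "__main__":
    # Expected build taken from the list above for this model.
    print(check_firmware(SAMPLE_STATUS, expected_build=6003))
    # Checking against the mainline build number flags the difference.
    print(check_firmware(SAMPLE_STATUS, expected_build=1117))
```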

What’s new in FortiOS 5.4.4

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.4, see the What’s
New for FortiOS 5.4.4 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit
certificate with DH group 14.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models
(FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that
support SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec
option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as
needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below
FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in
Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14,
include:

• PPPoE failing, HA failing to form
• IPv6 packets being dropped
• FortiSwitch devices failing to be discovered
• Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some
side effects from the introduction of a new command, which is enabled by default:

    config system global
        set hw-switch-ether-filter <enable | disable>
    end

When the command is enabled:

• ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed
• BPDUs are dropped and therefore no STP loop results
• PPPoE packets are dropped
• IPv6 packets are dropped
• FortiSwitch devices are not discovered
• HA may fail to form depending on the network topology

When the command is disabled:

• All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload
if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created
VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1
or later before upgrading FortiGate to 5.4.1 or later.

Note that the FortiClient license should be considered before upgrading. Full featured
FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending
on the environment needs, FortiClient EMS license may need to be purchased for
endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on
the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will
not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for
either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with
5.4.1 and later, the SKU should begin with FC-10-C010.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.4, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the
VMXNET2 vNIC driver.

FortiClient Profile Changes

With the introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on
FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient
Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the
FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,
Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to
Block or Warn, you can also use FortiClient EMS to provision endpoints if they require additional features,
such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security
Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability
will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used
for endpoint compliance and Cooperative Security Fabric integration, and FortiClient
Enterprise Management Server (EMS) should be used for creating custom FortiClient
installers as well as deploying and provisioning FortiClient on endpoints. For more
information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections
on all versions of TLS. Use the following CLI command.

    config system global
        set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    end
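
The command above enables TLS 1.0 and 1.1 on the administrative GUI alongside TLS 1.2. This added example (not from the release notes or Fortinet) parses a configuration backup and reports which legacy TLS versions are set for admin HTTPS and which interfaces allow HTTPS administration; the sample configuration, hostname and interface names are constructed.

```python
import shlex

# Tokens as written in the CLI line above; TLS 1.0 and 1.1 are the
# deprecated versions to look for on a management interface.
LEGACY_TOKENS = ("tlsv1-0", "tlsv1-1")


def parse_fortios_config(text):
    """Parse 'config / edit / set / next / end' text.

    Returns {path_tuple: {key: [values]}}, where path_tuple is for example
    ("system global",) or ("system interface", "port1").
    """
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or backup header line
            continue
        try:
            words = shlex.split(line)
        except ValueError:                     # unbalanced quote in a value
            words = line.split()
        verb, args = words[0], words[1:]
        if verb == "config":
            stack.append(" ".join(args))
        elif verb == "edit":
            stack.append(args[0] if args else "")
        elif verb in ("end", "next"):
            if stack:
                stack.pop()
        elif verb == "set" and args:
            tree.setdefault(tuple(stack), {})[args[0]] = args[1:]
    return tree


def audit_admin_https(text):
    """Report admin HTTPS TLS versions and where HTTPS admin is reachable."""
    tree = parse_fortios_config(text)
    versions = tree.get(("system global",), {}).get("admin-https-ssl-versions")
    https_ifaces = sorted(
        path[1]
        for path, settings in tree.items()
        if len(path) == 2
        and path[0] == "system interface"
        and "https" in settings.get("allowaccess", [])
    )
    return {
        # False means the backup does not set it and the firmware default applies.
        "explicit": versions is not None,
        "versions": versions or [],
        "legacy": [v for v in (versions or []) if v in LEGACY_TOKENS],
        "https_interfaces": https_ifaces,
    }


# Constructed backup fragment using the FortiPresence setting from this notice.
FORTIPRESENCE_CONFIG = '''\
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set hostname "FGT-LAB"
end
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
    edit "port2"
        set allowaccess ping
    next
end
'''

# Same fragment restricted to TLS 1.2, for comparison.
RESTRICTED_CONFIG = FORTIPRESENCE_CONFIG.replace(
    "tlsv1-0 tlsv1-1 tlsv1-2", "tlsv1-2"
)

if __name__ == "__main__":
    for name, cfg in (("fortipresence", FORTIPRESENCE_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)):
        print(name, audit_admin_https(cfg))
```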

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGate-
VMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the
How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade
instructions and the MODEM firmware have been uploaded to the Fortinet Customer Service & Support site.
Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab.
The upgrade instructions are in the following directory:

.../FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Upgrade Information

Upgrading to FortiOS 5.4.4

FortiOS version 5.4.4 officially supports upgrading from version 5.4.2 and later and 5.2.9 and later.

When upgrading from a firmware version beyond those mentioned in the Release
Notes, a recommended guide for navigating the upgrade path can be found on the
Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest
patch of each of the supported versions of the firmware. To upgrade to this build, go to
FortiOS 5.4 Supported Upgrade Paths.

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

• FortiClient 5.4.1 and later
• FortiClient EMS 1.0.1 and later
• FortiAP 5.4.1 and later
• FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is
maintained without the need of manual steps. Customers must read the following two documents prior to
upgrading any product in their network:

• Cooperative Security Fabric - Upgrade Guide
• FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices
  This document is available in the Customer Support Firmware Images download directory for FortiSwitch
  3.4.2.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.4, FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the
VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings
are retained:

• operation mode
• interface IP/management IP
• static route table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue


Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a
5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access,
you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced NIC driver is not allowed. The following
AWS instances are affected:

• C3
• C4
• R3
• I2
• M4
• D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package
  contains the QCOW2 file for Open Source XenServer.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package
  contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
  QCOW2 that can be used by qemu.

Microsoft Hyper-V

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package
  contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file
  fortios.vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
  Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by
  the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service &
Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums,
enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.4 support

The following table lists 5.4.4 product integration and support information:

Web Browsers
    • Microsoft Edge 25
    • Microsoft Internet Explorer 11
    • Mozilla Firefox version 46
    • Google Chrome version 50
    • Apple Safari version 9.1 (For Mac OS X)
    Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
    • Microsoft Edge 25
    • Microsoft Internet Explorer 11
    • Mozilla Firefox version 45
    • Apple Safari version 9.1 (For Mac OS X)
    • Google Chrome version 51
    Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager
    For the latest information, see the FortiManager and FortiOS Compatibility.
    You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer
    For the latest information, see the FortiAnalyzer and FortiOS Compatibility.
    You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X
    • 5.4.1
    If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before
    upgrading the FortiGate.

FortiClient iOS
    • 5.4.1

FortiClient Android and FortiClient VPN Android
    • 5.4.0

FortiAP
    • 5.4.1 and later
    • 5.2.5 and later
    You should verify what the new FortiAP version is for your FortiAP prior to upgrading the
    FortiAP units. You can do this by going to the WiFi Controller > Managed Access Points >
    Managed FortiAP page in the GUI. Under the OS Version column you will see a message reading
    A recommended update is available for any FortiAP that is running an earlier version than
    what is recommended.

FortiAP-S
    • 5.4.1 and later

FortiSwitch OS (FortiLink support)
    • 3.5.0 and later

FortiController
    • 5.2.0 and later
      Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C
    • 5.0.3 and later
      Supported model: FCTL-5103B

FortiSandbox
    • 2.1.0 and later
    • 1.4.0 and later

Fortinet Single Sign-On (FSSO)
    • 5.0 build 0254 and later (needed for FSSO agent support OU in group filters)
        • Windows Server 2016 Standard
        • Windows Server 2008 (32-bit and 64-bit)
        • Windows Server 2008 R2 64-bit
        • Windows Server 2012 Standard
        • Windows Server 2012 R2 Standard
        • Novell eDirectory 8.8
    • 4.3 build 0164 (contact Support for download)
        • Windows Server 2003 R2 (32-bit and 64-bit)
        • Windows Server 2008 (32-bit and 64-bit)
        • Windows Server 2008 R2 64-bit
        • Windows Server 2012 Standard Edition
        • Windows Server 2012 R2
        • Novell eDirectory 8.8
    FSSO does not currently support IPv6.

FortiExplorer
    • 2.6 build 1083 and later.
    Some FortiGate models may be supported on specific FortiExplorer versions.

FortiExplorer iOS
    • 1.0.6 build 0130 and later
    Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender
    • 3.0.0
    • 2.0.2 build 0011 and later

AV Engine
    • 5.239

IPS Engine
    • 3.305

Virtualization Environments

Citrix
    • XenServer version 5.6 Service Pack 2
    • XenServer version 6.0 and later

Linux KVM
    • RHEL 7.1/Ubuntu 12.04 and later
    • CentOS 6.4 (qemu 0.12.1) and later

Microsoft
    • Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016

Open Source
    • XenServer version 3.4.3
    • XenServer version 4.1 and later

VMware
    • ESX versions 4.0 and 4.1
    • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series - SR-IOV
    The following NIC chipset cards are supported:
    • Intel 82599
    • Intel X540
    • Intel X710/XL710

FortiGate-VM v5.4 for VMware ESXi (all models) no longer supports the VMXNET2
vNIC driver.

Language support

The following table lists language support information.

Language support

Language GUI

English ✔

Chinese (Simplified) ✔

Chinese (Traditional) ✔

French ✔

Japanese ✔

Korean ✔

Portuguese (Brazil) ✔

Spanish (Spain) ✔

SSL VPN support

SSL VPN standalone client


The following table lists the SSL VPN tunnel client standalone installer for each supported operating system.

Operating system and installers

Operating System                                        Installer

Microsoft Windows XP SP3 (32-bit)                       2332
Microsoft Windows 7 (32-bit & 64-bit)
Microsoft Windows 8 (32-bit & 64-bit)
Microsoft Windows 8.1 (32-bit & 64-bit)

Microsoft Windows 10 (32-bit & 64-bit)                  2332

Linux CentOS 6.5 (32-bit & 64-bit)                      2332
Linux Ubuntu 12.0.4 (32-bit & 64-bit)

Virtual Desktop for Microsoft Windows 7 SP1 (32-bit)    2332

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode


The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System                           Web Browser

Microsoft Windows 7 SP1 (32-bit/64-bit)    Microsoft Internet Explorer version 11
                                           Mozilla Firefox version 46

Microsoft Windows 8/8.1 (32-bit/64-bit)    Microsoft Internet Explorer version 11
                                           Mozilla Firefox version 46

Mac OS 10.9                                Safari 7

Linux CentOS version 6.5                   Mozilla Firefox version 46

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list


The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall

Symantec Endpoint Protection 11 ✔ ✔

Kaspersky Antivirus 2009 ✔

McAfee Security Center 8.1 ✔ ✔

Trend Micro Internet Security Pro ✔ ✔

F-Secure Internet Security 2009 ✔ ✔

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall

CA Internet Security Suite Plus Software ✔ ✔

AVG Internet Security 2011

F-Secure Internet Security 2011 ✔ ✔

Kaspersky Internet Security 2011 ✔ ✔

McAfee Internet Security 2011 ✔ ✔

Norton 360™ Version 4.0 ✔ ✔

Norton™ Internet Security 2011 ✔ ✔

Panda Internet Security 2011 ✔ ✔

Sophos Security Suite ✔ ✔

Trend Micro Titanium Internet Security ✔ ✔

ZoneAlarm Security Suite ✔ ✔

Symantec Endpoint Protection Small Business Edition 12.0 ✔ ✔

Resolved Issues

The following issues have been fixed in version 5.4.4. For inquiries about a particular bug, please contact
Customer Service & Support.

AV

Bug ID Description

370074 HTTP evader tool - AV evasion through manipulating HTTP content-encoding.

DLP

Bug ID Description

379911 DLP filter order is not applied to encrypted files.

367514 Executable files may not be blocked by DLP built-in .exe file-type filter.

FortiView

Bug ID Description

289376 Applying the filter All by using the right-click method may not work in the All Sessions page.

GUI

Bug ID Description

374221 SSL VPN setting portal mapping realm field misses the / option.

374162 GUI may show the modem status as Active in the Monitor page after setting the
modem to disable.

378421 Committing any change on SSL VPN Settings over web page returns error:500.

356998 urlfilter list re-order on GUI does not work.

396783 Disable GUI support for Domain/IP reputation feature.

HA

Bug ID Description

401745 Master can't sync with slave after updating OS from b1099.

Log & Report

Bug ID Description

397132 Log rate is only 30k without any log lost on 3700D.

369778 The FWF_90D daemon report takes 99% of CPU time.

387014 EXT2 and EXT3 Errors from Console on 1500D.

400871 Changes to support Log Message Reference.

Switch-Controller

Bug ID Description

395711 pyfcgid takes 100% of CPU when managed switch page displayed.

400700 FortiLink is unstable - 1 min. disconnect/reconnect.

SSL VPN

Bug ID Description

366291 High CPU usage by SSL VPN.

397654 Intranet website opens in separate tabs in web-mode SSLVPN.

Firewall

Bug ID Description

396527 Policy does not work as intended when there are two IPv6 VIPs which have the same
mappedip and different extip.

IPS

Bug ID Description

396658 IPS signature count decreases from ~10k to ~5k after FGT reboot.

IPsecVPN

Bug ID Description

384334 unregister_netdevice: showing up on console after ha failover if flushing ipv6 advpn spoke.

385658 DPD interoperability issue with Huawei eNodeB.

396041 Tunnel interface loses its config after reboot on 50E.

Users

Bug ID Description

397642 FGT5HD a-p cluster, LDAP authentication fails for users who are members of a huge number of LDAP
groups.

400065 The FSSO users were not able to be picked up by the firewall policy.

System

Bug ID Description

401241 SSL handshake fails when WAD needs to update the session ticket.

401886 Update geoip database to version 1.060(20170106).

398511 Sometimes the FG-5001D model selects a link-down port as an active slave of the
redundant interface which causes system instability.

391516 Add Franklin USB700 Modem support.

289738 FortiGate now supports Verizon 4G LTE USB Modem U620L.

386859 Netgear/Sierra AC340U wireless modem cards do not attach to USB serial properly on
FG30E/50E.

384831 CDC Ethernet USB modem not working on Kernel 3.2 devices.

396472 Checksum control is not working when upgrading firmware.

370586 Add CLI commands to configure limited IPsec engine on NP6.

Router

Bug ID Description

397628 Internet-service based routing not working.

402019 Policy Route member based is not updated until config change or lnkmtd is restarted.

WebProxy

Bug ID Description

398297 WAD does not forward HTTP POST with data but resets the connection when action is allow.

398267 WAD crashes with signal 11 when App ctrl is used in webproxy policy.

400556 WAD dispatcher incorrectly counts active file-descriptors.

Known Issues

The following issues have been identified in version 5.4.4. For inquiries about a particular bug or to report a bug,
please contact Customer Service & Support.

AntiVirus

Bug ID Description

374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).

392200 Encrypted archive log is generated even though the function archive-log in antivirus profile is
unset.

Endpoint Control

Bug ID Description

375149 FGT does not auto update AV signature version while Endpoint Control is enabled.

374855 Third party compliance may not be reported if FortiClient has no AV feature.

Firewall

Bug ID Description

364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description

385860 FortiGate-3815D does not support 1GE SFP transceivers.

FortiGate-92D

Bug ID Description

267347 FortiGate-92D does not support Hardware switch.

FortiRugged-60D

Bug ID Description

375246 invalid hbdev dmz may be received if the default hbdev is used.

FortiSwitch-Controller/FortiLink

Bug ID Description

357360 DHCP snooping may not work on IPv6.

374346 Adding or reducing stacking connections may block traffic for 20 seconds.

369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.

304199 Using HA with FortiLink can encounter traffic loss during failover.

FortiView

Bug ID Description

303940 Web Site > Security Action filter may not work.

373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on
the first level.

366627 FortiView Cloud Application may display the incorrect drilldown File and Session list in the
Applications View.

374947 FortiView may show empty country in the IPv6 traffic because country info is missing in log.

372350 Threat view: Threat Type and Event information is missing in the last level of the threat
view.

375187 Using realtime auto update may increase chrome browser memory usage.

368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.

375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.

372897 Invalid -4 and invalid 254 is shown as the submitted file status.

GUI

Bug ID Description

289297 Threat map may not be fully displayed when screen resolution is not big enough.

374166 Using Edge cannot select the firewall address when configuring a static route.

374081 wan-load-balance interface may be shown in the address associated interface list.

374521 Unable to Revert revisions on GUI.

375369 May not be able to change IPsec manualkey config in GUI.

374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.

303928 After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or
selectable in the Firewall policy page in the GUI.

365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect
upstream.

373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are
triggered.

375383 Policy list page may receive a js error when clicking the search box if the policy includes
wan-load-balance interface.

355388 The Select window for remote server in remote user group may not work as expected.

373363 Multicast policy interface may list the wan-load-balance interface.

372943 Explicit proxy policy may show a blank for default authentication method.

375346 You may not be able to download the application control packet capture from the forward
traffic log.

374224 The Omniselect widget and Tooltip keep loading when clicking a newly created object in
the Firewall Policy page.

374322 Interfaces page may display the wrong MAC Address for the hardware switch.

374247 GUI list may list another VDOM interface when editing a redundant interface.

374320 Editing a user from the Policy list page may redirect to an empty user edit page.

375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.

374397 Should only list any as destination interface when creating an explicit proxy in the TP
VDOM.

372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in
another VDOM.

375227 You may be able to open the dropdown box and add new profiles even though errors occur
when editing a Firewall Policy page.

375259 Addrgrp editing page receives a js error if addrgrp contains another group object.

374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.

374343 After enabling inspect-all in ssl-ssh-profile, the user may not be able to modify
allow-invalid-server-cert from the GUI.

372825 If the selected SSID has reached the maximum entry, the GUI will reset the previously
selected SSID.

374191 The Interface may be hidden from the Physical list if its VLAN interface is a ZONE member
in the GUI.

374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created
through the VPN wizard.

374371 The IPS Predefined Signature information popup window may not be displayed because it is
hidden behind the Add Signature window.

374183 The Security page does not have details for the Forward Traffic log for an IPS attack when
displaying a FortiAnalyzer log.

374538 Unable to enable Upload logs to FortiAnalyzer after disabling it.

374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.

365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as
another port from the GUI.

374237 You may not be able to set a custom NTP server in the GUI if you did not configure it in
the CLI first.

393927 Policy List > FQDN Object tooltip should show resolved IP addresses.

297832 Administrator with read-write permission for Firewall Configuration is not able to read or
write firewall policies.

283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.

365317 Unable to add new AD group in second FSSO local polling agent.

369155 There is no Archived Data tab for email attachment in the DLP log detail page.

356998 urlfilter list re-order on GUI does not work.

387640 Duplicate entry found when auto-generating a guest user.

379050 User Definition intermittently not showing assigned token.

368069 Cannot select wan-load-balance or members for incoming interface of IPSec tunnel.

378802 Clicking Archived File button in Archive Data tab brings a webpage with "null".

HA

Bug ID Description

369437 HA Sync status icon is missing for Slave's GUI.

397171 FIB of VDOMs in vcluster2 is not synced to the slave.

399115 ID for the new policy (when using edit 0) is different on master and on slave unit.

396938 Reboot of FGT HA cluster member with redundant HA management interface deletes HA
configuration.

IPSec

Bug ID Description

393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace
and an attacker uses rsa_3des_sha.

375020 IPsec tunnel Fortinet bar may not display properly.

374326 Accept type: Any peer ID may be unavailable when creating an IPsec dialup tunnel with a
pre-shared key and ikev1 in main mode.

386802 Unable to establish phase 2 when using address group/group object as quick mode
selectors.

397386 Slave worker blades attempt to establish site to site IPsec VPN tunnel.

356330 Cross NP6-Chip IPSec traffic does not work in SLBC environment.

Logging & Report

Bug ID Description

300637 MUDB logs may display Unknown in the Attack Name field under UTM logs.

374103 Botnet detection events are not listed in the Learning Report.

367247 FortiSwitch log may not show the details in the GUI, while in CLI the details are displayed.

374411 Local and Learning report web usage may only report data for outgoing traffic.

377733 Results/Deny All filter does not return all required/expected data.

377255 Can't read UTM details on the log panel when the location is set to FortiAnalyzer.

386742 Missing deny traffic log when user traffic is blocked by NAC quarantine.

Router

Bug ID Description

393623 Policy routing change is not reflected.

385264 AS-override has not been applied in multihop AS path condition.

374306 Number of concurrent sessions affect the convergence time after HA failover.

299490 During and after failover, some multicast groups take up to 480 seconds to recover.

373892 ECMP(BGP) routing failover time.

397087 VRIP cannot be reached on 51E when it is acting as VRRP master.

SSL VPN

Bug ID Description

304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.

303661 The Start Tunnel feature may have been removed.

375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web
mode.

374644 SSL VPN tunnel mode Fortinet bar may not be displayed.

395497 https-redirect for SSL VPN does not support realms.

382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error
“Invalid HTTP request”.

394272 SSL VPN proxy mode can't proxy some web server URLs normally.

System

Bug ID Description

304199 FortiLink traffic is lost in HA mode.

295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the
FortiGate may not prompt the user to enter the key.

290708 nturbo may not support CAPWAP traffic.

372717 Unable to access FortiGate GUI via https using low ciphers.

364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.

371320 show system interface may not show the Port list in sequential order.

372717 admin-https-banned-cipher in sys global may not work as expected.

371986 NP6 may have issue handling fragment packets.

287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.

355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC
addresses until after a reboot.

393395 The role of new VAP interface should be set as LAN.

393343 Remove botnet filter option if interface role is set to LAN.

392960 FOS support for V4 BIOS.

377192 DHCP request after lease expires is sent with former unicast IP instead of 0.0.0.0 as source.

381363 Empty username with Radius 802.1x WSSO auth.

354490 False positive sensor alarms in Event log.

383126 50E/51E TP mode - STP BPDU forwarding destined to 01:80:c2:00:00:00 has stopped after
warm/cold reboot.

310665 SNMP Interfaces dropdown is obsolete on some platforms.

382657 On models running NP4Lite, ICMP packets bigger than 1418 bytes are dropped when
offloading for IPSec tunnel is enabled.

394067 Improve displaying the warning: File System Check Recommended.

Upgrade

Bug ID Description

269799 Sniffer config may be lost after upgrade.

289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair
name exceeds 12 characters.

408366 FGT_VM platforms cannot do uninterruptible upgrade in HA mode.

Workaround: Upgrade each cluster member separately.

Visibility

Bug ID Description

374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an
address change.

VM

Bug ID Description

364280 ssh-dss may not work on FGT-VM-LENC.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.
• FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
• The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual
  NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, importing issues may
arise when using the QCOW2 format and existing HDA issues.

Copyright© 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
