This document provides the following information for FortiOS 5.4.2 build 1100:
See the FortinetDocumentLibrary for FortiOS documentation.
Supported models
FortiOS 5.4.2 supports the following models.
What’s new in FortiOS 5.4.2
For a detailed list of new features and enhancements that have been made in FortiOS 5.4.2, see the What’s New for FortiOS 5.4.2 document available in the FortinetDocumentLibrary.
Built-In Certificate
FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.
Default log setting change
For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.
FortiAnalyzer Support
In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.
Removed SSL/HTTPS/SMTPS/IMAPS/POP3S
SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.
FortiGate and FortiWiFi-92D Hardware Limitation
FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:
FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:
config global set hw-switch-ether-filter <enable | disable>
When the command is enabled:
When the command is disabled:
FG-900D and FG-1000D
CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.
FG-3700DX
CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.
FortiGate units running 5.4.2 and managed by FortiManager 5.0 or 5.2
FortiGate units running 5.4.2 and managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.
FortiClient Support
Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.
Note that the FortiClient license should be considered before upgrading.
Full featured FortiClient 5.2, and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on the environment needs, FortiClient EMS license may need to be purchased for endpoint provisioning. Please consult Fortinet Sales or your reseller for guidance on the appropriate licensing for your organization.
The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. A new license will need to be procured for either FortiClient EMS or FortiGate. To verify if a license purchase is compatible with 5.4.1 and later, the SKU should begin with FC-10-C010
FortiClient (Mac OS X) SSL VPN Requirements
When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.
FortiGate-VM 5.4 for VMware ESXi
Upon upgrading to FortiOS 5.4.2, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.
FortiClient Profile Changes
With introduction of the Cooperative Security Fabric in FortiOS v5.4.1, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.
In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus, Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.
When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.
FortiPresence
FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.
config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end
Log Disk Usage
Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.
To view a list of supported FortiGate models, refer to the FortiOS5.4.0FeaturePlatformMatrix.
SSL VPN setting page
The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the HowtopurchaseandimportasignedSSLcertificate document.
Upgrading to FortiOS 5.4.2
FortiOS version 5.4.2 officially supports upgrading from version 5.4.0 and 5.2.7.
When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.
There is separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS5.4SupportedUpgradePaths
Cooperative Security Fabric Upgrade
FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:
The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:
This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.
Model-60D Boot Issue
The following 60D models have an issue upon upgrading to FortiOS 5.4.1. The second disk (flash) is unformatted and results in the /var/log/ directory being mounted to an incorrect partition used exclusively for storing the firmware image and booting.
To fix the problem:
If your FortiGate device is currently running FortiOS 5.2.7:
If your FortiGate device is currently running FortiOS 5.4.0 or 5.4.1:
FortiClient Profiles
After upgrading from FortiOS 5.4.0 to 5.4.1, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading you should review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.
The following FortiClient Profile features are no longer supported by FortiOS 5.4.1:
Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths l Client-side web filtering when on-net
It is recommended that FortiClient Enterprise Management Server (EMS) should used for detailed Endpoint deployment and provisioning.
Unified Disk Usage
FortiOS 5.4.2 changes the disk usage behavior upon upgrading from FortiOS 5.2. The table below describes the new logging and WAN Optimization disk usage for single and two disk FortiGate devices running FortiOS 5.4.2.
FortiGate-VM 5.4 for VMware ESXi
Upon upgrading to FortiOS 5.4.2, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.
Downgrading to previous firmware versions
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
When downgrading from 5.4 to 5.2, users will need to reformat the log disk.
Amazon AWS Enhanced Networking Compatibility Issue
Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.
Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix XenServer and Open Source XenServer
Linux KVM
Microsoft Hyper-V
VMware ESX and ESXi
Firmware image checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
FortiOS 5.4.2 support
The following table lists 5.4.2 product integration and support information:
FortiOS 5.4.2 support
Language support
The following table lists language support information.
SSL VPN support
Language support
SSL VPN supportSSL VPN standalone client
The following table lists SSL VPN tunnel client standalone installer for the following operating systems.
Operating system and installers
Other operating systems may function correctly, but are not supported by Fortinet.
Product Integration and Support SSL VPN support
SSL VPN web mode
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Supported operating systems and web browsers
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
SSL VPN host compatibility list
The following table lists the antivirus and firewall client software packages that are supported.
Supported Microsoft Windows XP antivirus and firewall software
Supported Microsoft Windows 7 32-bit antivirus and firewall software
SSL VPN support
The following issues have been fixed in version 5.4.2. For inquires about a particular bug, please contact CustomerService&Support.
FortiGate-60D
FortiGate-80D
Forticlient Windows Xp 32 Bit Windows 10
FortiGate-500D
FortiGate-800D
FortiGate-1500D
FortiGate-3600D
FortiGate-3810D
FortiLink
FortiView
FOC
GUI
FortiSwitch Controller
System
Tablesize
Router
WiFi
AV
DLP
IPS
Web Filter
DNS Filter
IPsecVPN
Web Application Firewall
Certification
WebProxy
Visibility
VM
Log
WANOPT
HA
FSSO
Firewall
FIPS-CC
FortiCloud
VOIP
Common Vulnerabilities and Exposures
The following issues have been identified in version 5.4.2. For inquires about a particular bug or to report a bug, please contact CustomerService&Support.
AntiVirus
DLP
Endpoint Control
FIPS-CC
Firewall
FortiGate-3815D
FortiRugged-60D
FortiSwitch
FortiSwitch-Controller/FortiLink
FortiView
GUI
HA
IPS
IPSec
Logging & Report
Router
SSL VPN
System
Upgrade
Visibility
VM
Citrix XenServer limitations
The following limitations apply to Citrix XenServer installations:
Open Source XenServer limitations
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU! Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU
FortiClient leverages FortiClient's Antivirus technology, developed in-house by Fortinet. The Antivirus has achieved more than twenty VB100 awards and is capable of detecting threats on both a reactive and proactive basis. Proactive detection is based on detecting zero-day malware that has never been seen before in the wild. The tool is an enterprise class suite designed for the world's largest enterprise environments including Fortune 1000 companies, federal and state agencies, and customers that require the ultimate in a fully modular protection suite capable of power beyond Antivirus. Forti Client is fully integrated with FortiGate, FortiManager and 32 Bit Windows Xp DownloadFortiAnalyzer for management, deployment and central logging/reporting.Features and Highlights
Also Available: Download FortiClient for Mac
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |