Forticlient 5.4.5 Windows Release Notes
Forticlient 5.4.5 Windows Release Notes
Forticlient 5.4.5 Windows Release Notes
VERSION 5.4.5
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
FEEDBACK
Email: techdocs@fortinet.com
January 8, 2018
04-545-467440-20180108
TABLE OF CONTENTS
Change Log 4
Introduction 5
Licensing 5
Standalone mode 5
Managed mode 5
Special Notices 7
Microsoft Windows updates related to CPU security flaw (Meltdown) 7
Change in SSL VPN default 7
SSL VPN cannot connect after upgrade to FortiOS to 5.4.x 7
Cooperative Security Fabric upgrade 7
Installing FortiClient on Windows 7 8
SSL VPN on Windows 10 8
Using FortiClient VPN with other third-party VPN clients 8
Conflicts with Cisco Systems VPN client 9
Change in FortiClient Endpoint Control default registration port 9
Installation Information 10
Firmware images and tools 10
Upgrading from previous FortiClient versions 10
Downgrading to previous versions 11
Firmware image checksums 11
Product Integration and Support 12
FortiClient 5.4.5 support 12
Language support 13
Conflicts with third party antivirus products 14
Conflicts with Cisco Systems VPN client 14
Resolved Issues 16
Known Issues 17
Change Log
Release Notes 4
Fortinet, Inc.
Introduction
This document provides a summary of enhancements, support information, and installation instructions for
FortiClient (Windows) 5.4.5 build 0891.
l Introduction
l Special Notices
l Installation Information
l Product Integration and Support
l Resolved Issues
l Known Issues
Review all sections prior to installing FortiClient.
Licensing
l Standalone mode
l Managed mode
Standalone mode
In standalone mode, FortiClient is not connected to a FortiGate or Enterprise Management Server (EMS). In this
mode, FortiClient is free for private individuals and commercial businesses to use. No license is required.
Managed mode
Companies with large installations of FortiClient usually need a means to manage their endpoints. EMS can be
used to provision and centrally manage FortiClient endpoints, and FortiGate can be used with FortiClient
endpoints for network security. Each FortiClient endpoint can connect to a FortiGate or an EMS. In this mode,
FortiClient licensing is applied to the FortiGate or EMS. No separate license is required on FortiClient itself.
When using the ten (10) free licenses for FortiClient in managed mode, support is
provided on the Fortinet Forums (forum.fortinet.com). Phone support is not provided
when using the free licenses. Phone support is provided for paid licenses.
5 Release Notes
Fortinet, Inc.
Licensing Introduction
Release Notes 6
Fortinet, Inc.
Special Notices
Microsoft Windows updates may not occur due to a CPU security flaw (Meltdown) with anti-virus products
installed. Please read the customer service bulletin CSB-180105-1 at
https://support.fortinet.com/Information/Bulletin.aspx . A PDF of the bulletin can be downloaded from the
firmware download directory of the Fortinet support site at https://support.fortinet.com.
Starting with FortiClient 5.4.4, TLS is the default used for SSL VPN when establishing a tunnel connection with
FortiGate. Previously with FortiClient 5.4.0 to 5.4.3, DTLS was the default. After you upgrade to FortiClient
5.4.4, you can configure DTLS to be the default by setting the following XML element in the FortiClient
configuration file: <prefer_dtls_tunnel>1<prefer_dtls_tunnel>
When <prefer_dtls_tunnel> is set to 1, FortiClient uses DTLS, if it is enabled on the FortiGate and tunnel
establishment is successful. If dtls-tunnel is disabled on FortiGate, or tunnel establishment is not
successful, TLS is used.
After upgrading FortiOS to 5.4.x from 5.2 or earlier, problems might occur with FortiClient (Windows) when
connecting with SSL VPN to FortiGate. Connection in FortiClient can become stuck at 40%, and display the
following error message:
Unable to establish the VPN connection. The VPN server may be unreachable. (-5)
The error can be caused by changed default settings for encryption on FortiOS 5.4.
Workaround:
FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:
7 Release Notes
Fortinet, Inc.
Installing FortiClient on Windows 7 Special Notices
Files and drivers for FortiClient 5.4.0 and later are digitally signed using SHA2 certificates. Microsoft Windows 7
is known to have issues with the verification of SHA2 certificates. Ensure you have installed the update described
in the Affected Software section of the Advisory for your operating system from the following link:
Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
During the installation process, FortiClient 5.4.1 checks whether the update for the operating system is installed
on the endpoint. If the update is not installed, a dialog box is displayed that instructs you to install the required
update. FortiClient 5.4.1 installation will not complete until the required update for the operating system is
installed.
When a custom DNS server is configured for SSL VPN, sometimes Windows 10 DNS resolution is not correct
after the SSL VPN is connected.
The following FortiClient XML configuration is recommended, so that FortiClient restarts Windows dnscache
service when SSL is connected.
<sslvpn>
<options>
<dnscache_service_control>2</dnscache_service_control>
</options>
</sslvpn>
It is not supported to run more than one VPN connection simultanously. If using any third-party VPN software
(other than FortiClient), please disconnect FortiClient VPN before establishing connection with the other VPN
Release Notes 8
Fortinet, Inc.
Special Notices Conflicts with Cisco Systems VPN client
software. To reconnect VPN using FortiClient, ensure that you first disconnect any established VPN connection
from a third-party VPN software.
FortiClient VPN feature conflicts with Cisco Systems VPN Client 5.0.07.
When both Cisco VPN Client 5.0.07 and FortiClient VPN are installed on the same Windows computer, a BSoD is
likely to occur if an IPsec VPN connection is established using FortiClient.
Cisco VPN Client 5.0.07 has reached end of support. It is suggested to use Cisco AnyConnect 3.1 or newer
instead. This is actively maintained by Cisco Systems. With Cisco Anyconnect installed, a BSoD does not occur
when using FortiClient to establish an IPsec VPN connection.
Please note that it is unknown what may occur if VPN connections are attempted using both Cisco Anyconnect
and FortiClient VPN at the same time. This is not recommended. Consider disconnecting one VPN connection,
before establishing a second one.
FortiClient registers to the FortiGate using Endpoint Control (EC). In FortiClient 5.0 and 5.2, the default
registration port is TCP port 8010. FortiOS 5.0 and 5.2 both listen on TCP port 8010.
Starting with FortiClient 5.4, EC registration will use port 8013 by default. To register to FortiOS 5.0 or 5.2, the
user must specify port 8010 with the IP address, separated by a colon. For example, <ip_address>:8010.
FortiOS 5.4 and later will listen on port 8013. If registering from FortiClient 5.4 and later to FortiOS 5.4 and later,
the default ports will match. Specifying the port number with then IP address is then optional.
9 Release Notes
Fortinet, Inc.
Installation Information
When installing FortiClient version 5.4.5, you can choose the setup type that best suits your needs. You can
select one of the following options:
l FortiClientSetup_5.4.5.0891.exe
Standard installer for Microsoft Windows (32-bit).
l FortiClientSetup_5.4.5.0891.zip
A zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some
properties of the MSI package can be customized with FortiClient Configurator tool.
l FortiClientSetup_5.4.5.0891_x64.exe
Standard installer for Microsoft Windows (64-bit).
l FortiClientSetup_5.4.5.0891_x64.zip
A zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some
properties of the MSI package can be customized with FortiClient Configurator tool.
l FortiClientTools_5.4.5.0891.zip
A zip package containing miscellaneous tools, including the FortiClient Configurator tool and VPN Automation
files.
When creating a custom FortiClient 5.4.5 installer using the FortiClient Configurator tool,
you can choose which features to install. You can enable or disable software updates, con-
figure SSO, and rebrand FortiClient .
When FortiClient endpoints are registered to FortiGate, you must upgrade endpoints to FortiClient 5.4.1 or later
before you upgrade FortiGate to 5.4.1. See Cooperative Security Fabric upgrade on page 7.
Please review the following sections prior to installing FortiClient version 5.4.5: Introduction
on page 5, Special Notices on page 7, and Product Integration and Support on page 12.
Release Notes 10
Fortinet, Inc.
Installation Information Downgrading to previous versions
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service &
Support portal located at https://support.fortinet.com. After logging in, click on Download > Firmware Image
Checksums, enter the image file name, including the extension, and select Get Checksum Code.
11 Release Notes
Fortinet, Inc.
Product Integration and Support
The following table lists version 5.4.5 product integration and support information.
FortiAuthenticator l 4.2.0
l 4.1.0 and later
l 3.3.0 and later
l 3.2.0 and later
l 3.1.0 and later
l 3.0.0 and later
Release Notes 12
Fortinet, Inc.
Product Integration and Support Language support
Only IPsec VPN and SSL VPN are supported with the following FortiOS
versions:
l FortiOS 5.6.0 and later
l FortiOS 5.4.0
l FortiOS 5.2.0 and later
Language support
English ✔ ✔ ✔
Chinese (Simplified) ✔
Chinese (Traditional) ✔
French (France) ✔
German ✔
Japanese ✔
Korean ✔
Portuguese (Brazil) ✔
Russian ✔
Spanish (Spain) ✔
13 Release Notes
Fortinet, Inc.
Conflicts with third party antivirus products Product Integration and Support
The FortiClient language setting defaults to the regional language setting configured on the client workstation,
unless configured in the XML configuration file.
If the client workstation is configured to a regional language setting that is not supported by
FortiClient, it defaults to English.
The antivirus feature in FortiClient is known to conflict with other similar products in the market. Consider
removing other antivirus programs before installing FortiClient.
During a new installation of FortiClient, the installer will search for other registered third party software and, if any
is found, warn users to uninstall them before proceeding with the installation. There is also an option to disable
FortiClient Real Time Protection (RTP).
FortiClient VPN feature conflicts with Cisco Systems VPN Client 5.0.07. This Cisco Client has reached end of
support. It is suggested to use Cisco AnyConnect 3.1 or newer instead. This is actively maintained by Cisco
Release Notes 14
Fortinet, Inc.
Product Integration and Support Conflicts with Cisco Systems VPN client
Systems, and it does not have any conflicts with the FortiClient VPN feature.
15 Release Notes
Fortinet, Inc.
Resolved Issues
The following issues have been fixed in version 5.4.5. For inquiries about a particular bug, please contact
Customer Service & Support.
Bug ID Description
467324 Windows updates may not occur due to a CPU security flaw (Meltdown) with anti-virus
products installed. Please read the customer service bulletin CSB-180105-1 at
https://support.fortinet.com/Information/Bulletin.aspx . A PDF of the bulletin can be
downloaded from the firmware download directory of the Fortinet support site at
https://support.fortinet.com.
Release Notes 16
Fortinet, Inc.
Known Issues
The following issues have been identified in FortiClient (Windows) 5.4.5. For inquires about a particular bug or to
report a bug, please contact Customer Service & Support.
Bug ID Description
0399256 IPsec tunnel before Windows logon - certificate read from Smartcard with PIN
0403544 VPN IPsec auto-connect does not work on FortiClient 5.4.2 and Windows 7 (32-bit)
0405196 When users log in to their PC, the endpoint shows out of sync for a few minutes
0409656 FortiClient removed default route of LTE card after connecting to IPsec VPN
0410841 Only legacy VPN before logon works on Windows 8.1 and Windows Server 2012R2
0437697 [Profiles][Sandbox] Sandbox setting issues between EMS 1.2.0 and FortiClient 5.4.3
0438876 User could still copy and upload downloaded network files when RTP was using
FortiSandbox signature contained the file
0440034 FortiClient firewall detail page failed to show all firewall rules
0440185 b0870: FortiClient loses saved VPN password with weak connection
0440589 Cannot go back to FortiClient dashboard from setting by clicking dashboard in menu
0441409 FortiClient Sandbox Scan USB and Scan mapped network drive stayed disabled
when EMS profile enabled them
Workaround: In the EMS (1.2.0 or newer), open the assigned endpoint profile for edit-
ing, and select the Advanced XML configuration tab. Click Edit; click Test, and then
save the configuration. No need to change anything in the advanced configuration
before saving it.
17 Release Notes
Fortinet, Inc.
Known Issues
Bug ID Description
0441447 FortiClient Application Firewall blocking network service caused no profile update from
EMS
Release Notes 18
Fortinet, Inc.
Copyright© 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.