Fortinet publikuję aktualizację dla FortiOS o oznaczeniu 6.4.4. W nowej wersji pojawi się udogodnienie dla urządzeń Cisco, gdzie skonfigurowanie wielu adresów IP będzie możliwe, lecz tylko jeden będzie aktywny, a pozostałe adresy będą służyć jako zapasowe. Po aktualizacji został naprawiony problem z długim czasem autoryzacji użytkowników, gdzie problem dotyczył połączeń z serwerem FSSO. Wersja 6.4.4 skorygowała błędy dotyczące urządzenia FortiGate 101F, problemy dotyczyły głównie informacji o statusie wentylatora i BGP. Dzięki aktualizacji rozwiązało się wiele błędów dotyczących wirtualizacji, między innymi problem z serwerami HTTP został poprawiony błąd z komunikacją. Po więcej informacji o aktualizacji zapraszam do dalszej części artykułu.
Aktualnie wspierane modele:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-101E, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG‑300D, FG-300E, FG-301E, FG‑400D, FG‑400E, FG‑401E, FG‑500D, FG‑500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG‑3810D, FG-3815D, FG-5001D, FG-3960E, FG‑3980E, FG-5001E, FG‑5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F |
| FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG‑VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-IBM, FG‑VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Rozwiązane problemy:
DNS Filter
| Bug ID | Description |
|---|---|
| 653581 | Cannot pass DNS traffic through FortiGate or DNS traffic originated from FortiGate when external blocklist (threat feed) is updated. |
Endpoint Control
| Bug ID | Description |
|---|---|
| 664654 | EMS host tags are not synced with the FortiGate when the user connects to a tunnel mode SSID. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 662931 | Browsers change default SameSite cookie settings to Lax, and Kerberos authentication does not work in transparent proxy. |
| 664548 | When the FortiGate is configured as an explicit proxy and AV is enabled on the proxy policy, users cannot access certain FTP sites. |
File Filter
| Bug ID | Description |
|---|---|
| 676485 | File filter rule set with the msc file type was removed after upgrading. |
Firewall
| Bug ID | Description |
|---|---|
| 651321 | sflowd is crashing due to invalid custom application category. |
| 653828 | When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds. |
| 661777 | Source NAT port reuses ports too quickly, and GCP/API fails to establish due to endpoint independence conflict. |
| 665739 | HTTP host virtual server does not work well when real server has the same IP but a different port. |
| 666612 | Get internet service name configuration error on version 7.01011 when FortiGate reboots or upgrades. |
| 667696 | Reputation settings in policies not working as expected. |
| 669665 | All ISDB groups are lost when upgrading from 6.2.5 to 6.4.2. |
GUI
| Bug ID | Description |
|---|---|
| 490396 | System administrator account profile overwrite does not work in the GUI if the remote administrator has 2FA enabled (CLI is OK). |
| 567996 | Slow load times for the Managed FortiSwitch and FortiSwitch Ports pages when there is a large number of FortiSwitches. |
| 650708 | When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry. |
| 652394 | GUI cannot change action for the web-based email category in DNS filter profile. |
| 662873 | Editing the LDAP server in the GUI removes the line set server-identity-check disable from the configuration. |
| 663351 | Connectivity test for RADIUS server using CHAP authentication always returns failure. |
| 665444 | Columns for log details do not resize, and they cover existing columns. |
| 666500 | The Confirm version downgrade option is not displayed after uploading a previous version’s firmware file. |
| 668020 | Support displaying disclaimer users in the Firewall Users widget. |
| 672906 | GUI does not prompt system reboot progress page after successfully restoring configuration. |
| 675170 | In the WiFi Clients drilldown, applications and destinations are same for two different stations. |
| 680541 | The logtype_mask filter in the IoC drilldown is not support on the FortiAnalyzer side. |
HA
| Bug ID | Description |
|---|---|
| 615001 | LAG does not come up after link failed signal is triggered. |
| 650624 | HA GARP sending was delayed due to lots of transceiver reading |
| 653095 | Inband management IP connection breaks when failover occurs (only in virtual cluster setup). |
| 677246 | Unable to contact TACACS+ server when using HA dedicated management interface in 6.4.3. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 671322 | IPS engine reloads, or FortiGate reboots and displays CMDB __bsearch_index() duplicate value insertion errors. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 566076 | IKED process signal 11 crash in an ADVPN and BGP scenario. |
| 655895 | Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6). |
| 663126 | Packets for the existing session are still forwarded via the old tunnel after the routing changed on the ADVPN hub. |
| 663648 | BGP over dynamic IPsec VPN tunnel with net-device enable not passing through traffic after rebooting. |
| 667129 | In ADVPN with SLA mode, traffic does not switch back to the lowest cost link after its recovery. |
| 673258 | FortiGate to Cisco IKEv2 tunnel randomly disconnects after rekey. |
Log & Report
| Bug ID | Description |
|---|---|
| 587916 | Logs for local-out DNS query timeout should not be in the DNS filter UTM log category. |
| 670741 | Unable to configure syslog filter data size more then 512 characters. |
Proxy
| Bug ID | Description |
|---|---|
| 657905 | Firewall policy with UTM in proxy mode breaks SSL connections in active-active cluster. |
| 661063 | If a client sends an RST to a WAD proxy, the proxy can close the connection to the server. In this case, the relatively long session expiration (which is usually 120 seconds by default) could lead to session number spikes in some tests. |
Routing
| Bug ID | Description |
|---|---|
| 537354 | BFD/BGP dropping when outbandwidth is set on interface. |
| 628896 | DHCP relay should follow SD-WAN rules. |
| 654032 | SD-WAN IPv6 route tag command is not available in the SD-WAN services. |
| 659409 | FortiGate blocks IPv6 but allows IPv4 for traffic that looks asymmetric with asymroute is disabled. |
| 663396 | SD-WAN route changes and packet drops during HTTP communication, even though preserve-session-route is enabled. |
| 667469 | SD-WAN members and OIFs keep reordering despite the health check status being stable. |
| 668982 | Possible memory leak when BGP table version increases. |
| 670017 | FortiGate as first hop router sometimes does not send register messages to the RP. |
| 673603 | Only the interface IP in the management VDOM can be specified as the health check source IP. |
| 675442 | Weight-based load-balance algorithm causes local-in reply traffic egress from wrong interface. |
| 676685 | VRRP does not consider VRF when looking up destination in routing table. |
Security Fabric
| Bug ID | Description |
|---|---|
| 660624 | FortiAnalyzer Cloud should be taken into consideration when doing CLI check for CSF setting. |
| 666242 | Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported. |
| 669436 | Filter lookup for Azure connector in subnet and virtual network does not show all results. |
SSL VPN
| Bug ID | Description |
|---|---|
| 586035 | The policy script-src 'self' will block the SSL VPN proxy URL. |
| 615453 | WebSocket using Socket.IO could not be established through SSL VPN web mode. |
| 646339 | SSL-SSH inspection profile changes to no-inspection after device reboots. |
| 653349 | SSL VPN web mode not working for Ec***re website. |
| 661290 | https://mo***.be site is non-accessible in SSL VPN web mode. |
| 662871 | SSL VPN web mode has problem accessing some pages on FortiAnalyzer 6.2. |
| 664276 | SSL VPN host check validation not working for SAML user. |
| 665330 | SDT application can no longer load secondary menu elements in SSL VPN web mode. |
| 665408 | Occasionally, 2FA SSL VPN users are unable to log in when two remote authentication servers with the same IP are used. |
| 666855 | FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients. |
| 667780 | Policy check cache should include user or group information. |
| 667828 | SSL VPN web mode authentication problem when accessing li***.com. |
| 668574 | Unable to load a video in SSL VPN web mode |
| 669144 | HTTPS access to ERP Sage X3 through web mode fails. |
| 669497 | Cannot view TIFF files in SSL VPN web mode. |
| 669685 | Split tunneling is not adding FQDN addresses to the routes. |
| 669707 | The jstor.org webpage is not loading via SSL VPN bookmark. |
| 670042 | Internal website, http://si***.ar, does not load a report over SSL VPN web portal. |
| 670803 | Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode. |
| 675878 | When matching multiple SSL VPN firewall policies, SSL VPN checks the group list from bottom to top, and the user is mapped to the incorrect portal. |
| 676345 | SSL VPN web mode is unable to open some webpages on the internal site, https://vi***.se, portal. |
| 677167 | SSL VPN web mode has problem accessing Sapepronto server. |
Switch Controller
| Bug ID | Description |
|---|---|
| 671135 | flcfg crashes while configuring FortiSwitches through FortiLink. |
System
| Bug ID | Description |
|---|---|
| 521213 | Read-only administrators should be able to run diagnose sniffer packet command. |
| 606360 | HQIP loopback test failed with configured software switch. |
| 627236 | TCP traffic disruption when traffic shaper takes effect with NP offloading enabled. |
| 630861 | Support FortiManager when private-data-encryption is enabled in FortiOS. |
| 634202 | STP does not work in transparent mode. |
| 644782 | A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode. |
| 651420 | Add support for interface-shaping-offload under system npu on SoC3 and SoC4 models. |
| 657629 | FG-101F cannot retrieve power fan status and BGP status via SNMP. |
| 660709 | The sflowd process has high CPU usage when application control is enabled. |
| 662681 | Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes. |
| 662687 | Asynchronous SDK call may take a long time and cause HA A-P to have Kernel panic - not syncing error. |
| 663083 | Offloaded traffic from IPsec crossing the NPU VDOM link is dropped. |
| 664268 | No filename setting on BOOTP response when option 67 is set on the DHCP server. |
| 664478 | Kernel crash caused race condition on vlif accessing. |
| 666030 | Empty firewall objects after pushing several policy deletes. |
| 666205 | High CPU on L2TP process caused by loop. |
| 666852 | FortiGate local-out system DNS traffic for host names lookup continuously generates timeout DNS log if the primary server cannot resolve them. |
| 668410 | NP6lite SoC3 adapter drops packets after handed from kernel. |
| 670838 | It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%. |
| 673263 | High memory issue is caused by heavy traffic on the VDOM link. |
| 673918 | Read-only administrator with packet capture read-write permission cannot run diagnose sniffer command. |
| 675418 | FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email. |
User & Authentication
| Bug ID | Description |
|---|---|
| 643583 | radius-vdom-override and accprofile-override do not work when administrator has 2FA enabled. |
| 658794 | FortiGate sent CSR certificate instead of signed certificate to FortiManager when retrieve is performed. |
| 663685 | The authd process truncates user names to a length of 35 characters (this breaks RADIUS accounting and logging for very long user names). |
| 665391 | The authd process gets stuck with high CPU due to slow route lookup when the routing table is big. FSSO stops processing new authentication events. |
| 666268 | The authd process may crash if the FSSO server connection is disconnected. |
VM
| Bug ID | Description |
|---|---|
| 641038 | SSL VPN performance problem on OCI due to driver. |
| 656701 | FG-VMX service manager enters conserve mode; cmdbsvr has high memory utilization. |
| 659333 | Slow route change for HA failover in GCP cloud. |
| 669822 | Hot adding multiple CPUs at once to Xen-flavored VMs can result in a kernel panic crash. |
| 671279 | FG-VM64-AZURE-PAYG license/serial number get lost after downgrading to 6.2.6 from 6.4.3. |
| 672312 | Azure SDN connector does not offer all service tags. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 643854 | Client traffic was dropped by CAPWAP offloading when it connected from a mesh leaf Forti-AP managed by a FWF-61F local radio. |
| 672920 | CAPWAP tunnel traffic is dropped when offloading is enabled (with FAP managed by a VLAN interface). |
| 673211 | CAPWAP traffic drops on FG-300E when FortiAP is managed by VLAN interface. |
| 674342 | The cw_acd crashes after upgrading to 6.4.3 at cwAcLocal. |
| 680503 | The current Fortinet_Wifi certificate will expire on 2021-02-11. |
Znane problemy:
Explicit Proxy
| Bug ID | Description |
|---|---|
| 664380 | When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error. |
Firewall
| Bug ID | Description |
|---|---|
| 667772 | When NGFW mode is set to policy mode and a security policy is configured, the Quard daemon should start when either an anti-virus, web filter, application, IPS, or DLP profile is enabled. |
FortiView
| Bug ID | Description |
|---|---|
| 628225 | Compromised Hosts has error 500 when FQDN is set in config log fortianalyzer setting. |
| 683413 | Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled.
Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats – WAN, and Top Vulnerable Endpoint Devices. |
GUI
| Bug ID | Description |
|---|---|
| 602397 | FortiSwitch port page is noticeably slow for large topology. |
| 665111 | Unable use break function or other add a line break when editing replacement messages in the GUI. |
| 673496 | Red highlight appears when attempting to save phase 2 configurations using the Complete Section button. |
| 676165 | Script pushed from FortiManager 6.4.2 to FortiOS 6.4.2 to add address objects and address group succeeds. FortiOS GUI shows the new address group as empty. |
HA
| Bug ID | Description |
|---|---|
| 540600 | The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration. |
| 653642 | FortiGate HA failover from FortiManager is not successful. |
| 675781 | HA cluster goes out of sync with new custom DDNS entry, and changes with respect to the ddns-key value. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 654307 | Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 642543 | IPsec did not rekey when keylife expired after back-to-back HA failover. |
| 644780 | Rectify the consequences if we cancel password renewal is canceled on FortiClient. |
| 652774 | OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two. |
| 670025 | IKEv2 fragmentation-mtu option is not respected when EAP is used for authentication. |
| 673049 | FortiGate not sending its external interface IP in the IKE negotiation (Google Cloud Platform). |
Log & Report
| Bug ID | Description |
|---|---|
| 661040 | Cyrillic characters not displayed properly in local reports. |
| 667274 | FortiGate does not have log disk auto scan failure status log. |
| 675347 | In local log search, results returned immediately when there are checked logs. |
Proxy
| Bug ID | Description |
|---|---|
| 658257 | StartTLS-SMTP traffic gets blocked by the firewall when certificate inspection (proxy mode) and the IPS sensor are enabled in a policy. |
Routing
| Bug ID | Description |
|---|---|
| 672061 | In IPsec topology with hub and ~1000 spokes, hundreds of spoke tunnels are flapping, causing BGP instability for other spokes. |
| 677928 | SD-WAN with sit-tunnel as a member creates an unwanted default route. |
SSL VPN
| Bug ID | Description |
|---|---|
| 550819 | guacd is consuming too much memory and CPU resources during operation. |
| 610995 | SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/. |
System
| Bug ID | Description |
|---|---|
| 464340 | EHP drops for units with no NP service module. |
| 555616 | When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from. |
| 607565 | Interface emac-vlan feature does not work on SoC4 platform. |
| 647309 | HA kernel crash at filter4 module and subsequent loop of failure at mm/vmalloc.c:1341/__get_vm_area_node()!. |
| 649937 | The diagnose geoip geoip-query command fails when fortiguard-anycast is disabled. |
| 651103 | FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN. |
| 668856 | Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped. |
| 669951 | confsyncd may crash when there is an error parsing through the internet service database, but no error is returned. |
| 672183 | UDP 4500 inter-VDOM traffic not offloaded, causing BFD/IPsec to drop. |
| 675508 | When provisioning FortiGate and FortiSwitch with enforced 6.4.2 firmware in FortiManager, the physical port for FortiLink is down and cannot connect to the FortiSwitch. |
User & Authentication
| Bug ID | Description |
|---|---|
| 580391 | Unable to create MAC address-based policies in NGFW. |
VM
| Bug ID | Description |
|---|---|
| 596742 | Azure SDN connector replicates configuration from primary device to secondary device during configuration restore. |
| 617046 | FG-VMX manager not showing all the nodes deployed. |
| 639258 | Autoscale GCP health check is not successful (port 8443 HTTPS). |
| 646161 | FG-VM8 does not recognize all memory allocated in Hyper-V. |
| 668625 | During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available. |
| 682420 | Dialup IPsec tunnel from Azure may not be re-established after HA failover. |
Web Filter
| Bug ID | Description |
|---|---|
| 675436 | YouTube channel home page on blocklist is not blocked when directed from a YouTube search result. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 625630 | FWF-60E hangs with looping kernel panic at WiFi driver. |
| 662714 | The security-redirect-url setting is missing when the portal-type is auth-mac. |
| 672136 | Log severity for wireless events in FortiWiFi and FortiAP should be reconsidered for CAPWAP teardown. |
| 677994 | Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band. |
Notatki producenta-FortiOS 6.4.4
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
