Fortinet udostępnił aktualizację dla produktu FortiOS z rodziny 6.4! Najnowsza wersja 6.4.12 rozwiązuje wiele problemów z SSL VPN – między innymi z RDP przez VPN SSL web, problem z dostępem do serwera NAS Synology również za pomocą SSL web. Rozwiązano problem z metryką dla tras routingu IPv6 – w niektórych przypadkach nie przynosiły oczekiwanego efektu. Więcej w artykule poniżej!
Aktualnie wspierane modele:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG‑300D, FG-300E, FG-301E, FG‑400D, FG‑400E, FG-400E-BP, FG‑401E, FG‑500D, FG‑500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG‑3810D, FG-3815D, FG-5001D, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG‑5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
| FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG‑VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-IBM, FG‑VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN |
| FortiFirewall | FFW-3980E, FFW-4200F, FFW-4400F, FFW-VM64, FFW-VM64-KVM |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Rozwiązane problemy:
Explicit Proxy
| Bug ID | Description |
|---|---|
| 763796 | FTP proxy refuses a connection on a freshly configured FortiGate. |
| 774442 | WAD is NATting to the wrong IP pool address for the interface. |
GUI
| Bug ID | Description |
|---|---|
| 794757 | Inbound traffic on the interface bandwidth widget shows 0 bps on the VLAN interface. |
HA
| Bug ID | Description |
|---|---|
| 662978 | Long lasting sessions are expired on HA secondary device with a 10G interface. |
| 750978 | Interface link status of HA members go down when cfg-revert tries to reboot post cfg-revert-timeout. |
| 785514 | In some cases, the fgfmd daemon is blocked by a query to the HA secondary checksum, and it will cause the tunnel between FortiManager and the FortiGate to go down. |
| 838541 | HA is out-of-sync due to certificate local in FGSP standalone cluster. |
Hyperscale
| Bug ID | Description |
|---|---|
| 805846 | In the FortiOS MIB files, the trap fields fgFwIppStatsGroupName and fgFwIppStatsInusePBAs have the same OID. As a result, the fgFwIppStatsInusePBAs field always returns a value of 0. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 675838 | iked ignores phase 1 configuration changes due to frequent FortiExtender CMDB changes. |
| 855772 | FortiGate IPsec tunnel role could be incorrect after rebooting or upgrading, and causes negotiation to be stuck when it comes up. |
| 858715 | IPsec phase 2 fails when both HA cluster members reboot at the same time. |
Log & Report
| Bug ID | Description |
|---|---|
| 838357 | A deny policy with log traffic disabled is generating logs. |
Proxy
| Bug ID | Description |
|---|---|
| 650348 | FortiGate refuses incoming TCP connection to FTP proxy port after explicit proxy related configurations are changed. |
| 799381 | WAD crash occurs when TLS 1.2 receives the client certificate and that server-facing SSL port has been closed due to the SSL bypass. |
Routing
| Bug ID | Description |
|---|---|
| 817670 | IPv6 route redistribution metric value is not taking effect. |
Security Fabric
| Bug ID | Description |
|---|---|
| 837347 | Upgrading from 6.4.8 to 7.0.5 causes SDN firewall address configurations to be lost. |
| 843043 | Only the first ACI SDN connector can be kept after upgrading from 6.4.8 if multiple ACI SDN connectors are configured. |
| 857441 | Azure Fabric connector process (azd) has high memory consumption during updates, which leads to low-end FortiGate models entering conserve mode. |
SSL VPN
| Bug ID | Description |
|---|---|
| 705880 | Updated empty group with SAML user does not trigger an SSL VPN firewall policy refresh, which causes the SAML user detection to not be successful in later usage. |
| 742332 | SSL VPN web portal redirect fails in http://qu***.jj***.bu***. |
| 746230 | SSL VPN web mode cannot display certain websites that are internal bookmarks. |
| 748085 | Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms. |
| 784522 | When trying to create a support ticket in Jira with SSL VPN proxy web mode, the dropdown field does not contain any values. |
| 822432 | SSL VPN crashes after copying a string to the remote server using the clipboard in RDP web mode when using RDP security. |
| 825810 | SSL VPN web mode is unable to access EMS server. |
| 834713 | Getting re-authentication pop-up window for VNC quick connection over SSL VPN web proxy. |
| 848067 | RDP over VPN SSL web mode stops work after upgrading to 6.4.10. |
| 852566 | User peer feature for one group to match to multiple user peers in the authentication rules is broken. |
| 854143 | Unable to access Synology NAS server through SSL VPN web mode. |
| 856316 | Browser displays an Error, Feature is not available message if a file larger than 1 MB is uploaded from FTP or SMB using a web bookmark, even though the file is uploaded successfully. There are no issues with downloading files. |
Switch Controller
| Bug ID | Description |
|---|---|
| 845667 | Enabling allowed-vlans-all on FortiSwitch ports will push VLANs from both owner and tenant VDOMs. |
| 859690 | The flcfgd daemon crashes frequently on the HA passive unit. |
System
| Bug ID | Description |
|---|---|
| 649729 | HA synchronization packets are hashed to a single queue when sync-packet-balance is enabled. |
| 713951 | Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E. |
| 724085 | Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected. |
| 733096 | FG-100F HA secondary’s unused ports flaps from down to up, then to down. |
| 776052 | Add SNMP MIB support for PBA pools. |
| 783939 | IPv4 session is flushed after creating a new VDOM. |
| 784169 | When a virtual switch member port is set to be an alternate by STP, it should not reply with ARP; otherwise, the connected device will learn the MAC address from the alternate port and send subsequent packets to the alternate port. |
| 787929 | Deleting a VDOM that contains EMAC interfaces might affect the interface bandwidth widget of the parent VLAN. |
| 807334 | DDNS is not working when cleartext is enabled. |
| 810466 | EHP and HRX drop on NP6 FortiGate, causing low throughput. |
| 811367 | Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-2600F and FG-2601F. |
| 813607 | LACP interfaces are flapping after upgrading to 6.4.9. |
| 815692 | Slow upload speeds when connected to FIOS connection. Affected platforms: NP6Lite and NP6xLite. |
| 821000 | QSFP and QSFP+ Fortinet transceivers are not operational on FG-3401E. |
| 824543 | The reply-to option in the email server settings is no longer visible in a default server configuration. |
| 827240 | FortiGate in HA may freeze and reboot. Before the reboot, softIRQ may be seen as high. This leads to a kernel panic. |
| 827736 | As the size of the internet service database expands, ffdb_err_msg_print: ret=-4, Error: kernel error is observed frequently on 32-bit CPU platforms, such as the FG-100E. |
| 834850 | GUI CLI console displays a Connection lost message when logging in as an API administrator. |
| 847077 | Can't find xitem. Drop the response. error appears for DHCPOFFER packets in the DHCP relay debug. |
| 850774 | Session synchronization packets may be dropped when using HA1/HA2. Affected platforms: FGT-420xF and FGT-440xF. |
Upgrade
| Bug ID | Description |
|---|---|
| 848926 | After upgrading, the AV filter feature set is changed from proxy mode to flow mode. |
User & Authentication
| Bug ID | Description |
|---|---|
| 751763 | When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device. |
| 824999 | Subject Alternative Name (SAN) is missing from the certificate upon automatic certificate renewal made by the FortiGate. |
| 845198 | Local-in policies for authentication disappear and the authentication page returns a ERR_CONNECTION_TIMED_OUT error. The authentication page is not displayed because it is not rebuilt when firewall local-in-policy is added, edited, or deleted. |
| 853793 | FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 761836 | FWF-8xF platforms should allow the DHCP server configuration of an aggregate interface (aplink) to be edited in the GUI. |
| 807713 | FortiGate is not sending RADIUS accounting message consistently to RADIUS server for wireless SSO. |
Znane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 752420 | If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 805703 | FortiGate does not load balance requests evenly when the ldb-method is set to least-session. |
| 849794 | Random websites are not accessible with proxy policy after upgrading to 6.4.10. |
Firewall
| Bug ID | Description |
|---|---|
| 727809 | Disabled deny firewall policy with virtual server objects cannot be enabled after a firewall reboot. |
| 739949 | In HA virtual cluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics. |
| 856187 | Explicit FTPS stops working with IP pool after upgrading from 6.4.8 to 6.4.9. |
FortiView
| Bug ID | Description |
|---|---|
| 683654 | FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view. |
GUI
| Bug ID | Description |
|---|---|
| 440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
| 602397 | Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. |
| 653952 | The web page cannot be found is displayed when a dashboard ID no longer exists.
Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again. |
| 688016 | GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy. |
| 695163 | When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.
Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs. |
| 722358 | When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode. |
| 743477 | On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work. |
| 748530 | A gateway of 0.0.0.0 is not accepted in a policy route. |
| 792045 | FortiGate failed to view matched endpoints after viewing it successfully several times. |
| 829665 | User randomly lost GUI access, and the httpsd process is in a D state. |
| 843554 | The ALL service object is changed when a new object is created. |
HA
| Bug ID | Description |
|---|---|
| 771999 | Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup. |
| 776355 | Packet loss occurs on the software switch interface when a passive device goes down. |
| 779180 | FGSP does not synchronize the helper-pmap expectation session. |
| 816883 | High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so. |
| 830879 | Running execute ha manage 0 <remote_admin> fails and displays a Permission denied, please try again. error if the 169.254.0.0/16 local subnet is not in the trusted host list. |
| 832634 | HA failovers occur due to the kernel hanging on FG-100F. |
| 838571 | After an HA split-brain event, the PPPoE interfaces are not recovered. |
| 856643 | FG-500E interface stops sending IPv6 RAs after upgrading. |
Hyperscale
| Bug ID | Description |
|---|---|
| 734305 | In the GUI, an FQDN or ISDB can be selected for a DoS policy, which is not supported (an error message appears). The CLI shows the correct options. |
| 760560 | The timestamp on the hyperscale SPU of a deny policy (policy id 0) is incorrect. |
| 796368 | Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale. |
| 802369 | Large client IP range makes fixed allocation usage relatively limited. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 654307 | Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode. |
| 763736 | IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7. |
| 873975 | Source MAC changes and the packet drops due to both sides of the session using the same source MAC address. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 787590 | ADVPN is not negotiated after gateway re-validation. |
| 805301 | Enabling NPU offloading in the phase 1 settings causes a complete traffic outage after a couple of ping packets pass through. |
| 840153 | Unexpected dynamic selectors block traffic when set mesh-selector-type subnet is configured. |
Proxy
| Bug ID | Description |
|---|---|
| 604681 | WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.
Workaround: disable SoC SSL acceleration under the firewall SSL settings. |
| 800125 | Even if the policy is set to deny FTP_PUT, file uploads are permitted when the UTM feature is enabled. |
REST API
| Bug ID | Description |
|---|---|
| 759675 | Connection failed error occurs on FortiGate when an interface is created and updated using the API in quick succession. |
Routing
| Bug ID | Description |
|---|---|
| 618684 | When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is present in the routing table. |
| 797590 | GRE tunnel configured using a loopback interface is not working after changing the interface back and forth. |
| 823293 | Disabling BFD causes an OSPF flap/bounce. |
| 860075 | Traffic session is processed by a different SD-WAN rule and randomly times out. |
| 862418 | Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage. |
| 865914 | When BSM carries multiple CRPs, PIM might use the incorrect prefix to update the mroute’s RP information. |
Security Fabric
| Bug ID | Description |
|---|---|
| 614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
| 870527 | FortiGate cannot display more than 500 VMs in a GCP dynamic address. |
SSL VPN
| Bug ID | Description |
|---|---|
| 730416 | Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode. |
| 781581 | Customer internal website is not shown correctly in SSL VPN web mode. |
| 802379 | SSL VPN has memory leaks and crashes |
| 803576 | Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode. |
| 803622 | High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server. |
| 818196 | SSL VPN does not work properly after reconnecting without authentication and a TX drop is found. |
| 819296 | GUI should not use <server_ip> as a sender to send the SSL VPN configuration (it should use value set in reply-to). |
| 825750 | VMware vCenter bookmark in not working in SSL VPN web mode after logging in. |
| 831069 | A blank page displayed after logging in to the back-end server in SSL VPN web mode. |
| 847501 | Internal website http://oc***.di***.com dropdown menu on an SSL VPN web mode bookmark in always stays on and does not close. |
| 850898 | OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13). |
| 867182 | RDP/VNC host name is not encrypted when URL obscuration is enabled. |
Switch Controller
| Bug ID | Description |
|---|---|
| 798724 | FortiSwitch exported ports in tenant VDOM are gone after rebooting the FortiGate. |
System
| Bug ID | Description |
|---|---|
| 555616 | When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from. |
| 602141 | The extender daemon crashes on Low Encryption (LENC) FortiGates. |
| 648085 | Link status on peer device is not down when the admin port is down on the FortiGate. |
| 664856 | A VWP named .. can be created in the GUI, but it cannot be edited or deleted. |
| 666664 | Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface. |
| 669645 | VXLAN VNI interface cannot be used with a hardware switch. |
| 685674 | FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager. |
| 688009 | Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly. |
| 705878 | Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched. |
| 709679 | Get can not set mac address(16) error message when setting a MAC address on an interface in HA that is already set. |
| 729912 | DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses. |
| 751715 | Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed. |
| 753421 | Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected. |
| 755268 | When changing a per-ip-shaper, if there is ongoing traffic offloaded by NPU and it attaches that shaper, the new shaper’s quota will not get updated. |
| 766834 | forticron allocates over 700 MB of memory, causes the FortiGate to go into conserve mode, and causes kernel panic due to 100 MB of configured CRL. |
| 782392 | ICMP traceroute with more than one probe is not working, and drops are seen on NP6 platforms. |
| 782962 | PSU alarm log and SNMP trap are added for FG-10xF and FG-8xF models. |
| 789153 | A profile with higher privileges than the user’s own profile can be set. |
| 796094 | Egress traffic on EMAC VLAN is using base MAC address instead. |
| 800295 | NTP server has intermittent unresolvable logs after upgrading to 6.4. |
| 818795 | Kernel panic observed on FG-3700D. |
| 838933 | DoS anomaly has incorrect threshold after loading a modified configuration file. |
| 844937 | FG-3700D unexpectedly reboots after the COMLog reported a kernel panic due to an IPv6 failure to set up the master session for the expectation session under some conditions. |
| 850430 | DHCP relay does not work properly with two DHCP relay servers configured. |
| 850683 | Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF. |
| 850688 | FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs. |
| 855151 | There may be a race condition between the CMDB initializing and the customer language file loading, which causes the customer language file to be removed after upgrading.
Workaround: re-upload the customer language file after the FortiGate boots up. |
| 872739 | The fgfmsd process crashes since updating to 6.4.11. |
Upgrade
| Bug ID | Description |
|---|---|
| 743389 | The dnsfilter-profile setting was purged from all DNS server entries upon upgrading from before 6.4.4. |
| 767808 | The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite. |
| 840921 | When upgrading from 6.0.15 to 6.4.11, an existing explicit flow-based web filter profile changes to proxy-based. |
User & Authentication
| Bug ID | Description |
|---|---|
| 739350 | RADIUS response is sent even when the rsso-radius-response attribute is set to disable. |
| 778521 | SCEP fails to renew if the local certificate name length is between 31 and 35 characters. |
| 839801 | FortiToken purge in a VDOM clears all FortiToken statuses in the system. |
VM
| Bug ID | Description |
|---|---|
| 596742 | Azure SDN connector replicates configuration from primary device to secondary device during configuration restore. |
| 617046 | FG-VMX manager not showing all the nodes deployed. |
| 639258 | Autoscale GCP health check is not successful (port 8443 HTTPS). |
| 668625 | During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available. |
Web Filter
| Bug ID | Description |
|---|---|
| 779278 | FortiGate is responding on TLS 1.0, TLS 1.1, and SSLv3 on TCP port 8015. |
| 789804 | Web filter configured to restrict YouTube access does not work. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 662714 | The security-redirect-url setting is missing when the portal-type is auth-mac. |
| 708449 | CAPWAP traffic without VLAN tag was dropped by NP6XLite FortiGate when the FortiAP is connected through an aggregate interface (no FortiLink). |
| 811953 | Configuration installation from FortiManager breaks the quarantine setting, and the VAP becomes undeletable. |
Notatki producenta: FortiOS 6.4.12
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
