Aktualizacja FortiOS z rodziny 5.6.X została właśnie opublikowana. Nowa wersja, FortiOS 5.6.6 wnosi wiele poprawek i eliminuje błędy wykryte w poprzedniej wersji oprogramowania. Zachęcamy do zapoznania się z listą poprawek jak i do aktualizacji swoich urządzeń.
Wprowadzone poprawki:
Authentication
Bug ID Description
433700 Support non-blocking LDAP authentication.
461580 Getting authentication portal by FQDN:1000/login? and /logout? does not work if using authredirect fqdn in policy.
474615 Not possible to allow expired certificates while blocking is revoked.
477437 authd crashes.
477856 FortiGate does not send RADIUS accounting interim updates to the configured accounting server.
AV
Bug ID Description
459986 Repeated scanunit signal 11 crash scan_for_base64_objects.
488492 Mobile Malware Subscription missing expire date.
Connectivity
Bug ID Description
463982 FortiManager IP is unset in FortiGate CM.
479607 Scheduled auto-update happens twice in 10 seconds but a log entry for the first try is not logged.
DLP
Bug ID Description
496255 Some XML-based MS Office files are recognized as ZIP file.
Endpoint Control
Bug ID Description
479672 FortiTelemetry not blocking VIP.
FIPS-CC
Bug ID Description
481535 Device suddenly goes down with FIPS error .
Firewall
Bug ID Description
478360 IPv6 VIP does not translate IP address.
497954 Netflow gives wrong reports for long lived sessions.
498188 Dirty_session_check in FortiGate drops all established VIP64 sessions.
FortiSwitch-Controller
Bug ID Description
497980 All managed FortiSwitches capwap tunnel down due to application cu_acd crashed.
498211 Connectivity fault during upgrade of FortiLink connected FSW.
FortiView
Bug ID Description
437272 FortiView bytes Sent/Received not matching the total data of the source when drilled down to details.
477994 Realtime FortiVIew > All Sessions, filtering entries by Application is not working.
GUI
Bug ID Description
438183 The exemption list of a cloned AV profile with Sandbox-inspection enabled affects the list of original AV profile.
449598 Remote LDAP User Definition wizard does not pull users.
450919 IPS sensor with >= 8192 signature entries should not be created from GUI.
457378 Show Matching Logs of IPv4 Policy does not work when Implicit Firewall Policies of Feature Visibility is disabled.
462757 VPN map fails to load when using a custom management VDOM.
463539 Addresses page keep loading if nested addrgrp6 exists.
467175 Interface Bandwidth widget in NOC type dashboard disappears due to javascript after being added and then refreshed.
471578 Should not display cached/failed log status when FortiAnalyzer is store-and-upload and test connectivity succeed.
474645 After modifying system settings in GUI, gets wrong message and FGFM status is changed.
482628 CPU.Speculative.Execution.Timing.Information.Disclosure signature can’t be filtered if Application is selected.
485386 Adding a signature to existing IPS sensor profile gives internal server error -500 error message on web GUI.
488563 Purging expired account or deleting account through guest admin for user group name with spaces lead to blank page.
490409 FSSO configuration not displaying if the name contains spaces.
493140 Need to see application signature names instead of LDS under Logs & Report > System event logs.
493230 SNMP GUI page Apply button doesn’t work after the first time.
HA
Bug ID Description
408886 Uninterrupted upgrade from B718 to tag 9702 failed with 1.5M BGP routes and 6M sessions load.
459252 Hasync, Hatalk, and a few other processes go to D state when creating firewall policy or editing interface.
465849 Wrong diagnose sys ha dump-by vcluster display when cluster is on the same LAN.
471816 Policy route setting is synced in standalone-config-sync mode.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
480195 cmdbsvr process crashes with signal 6 and signal 11 while adding devices to a large device group.
482548 Conserve mode caused by hasync consuming most of memory.
488729 Box doesn not boot up when standalone-mgmt-vdom option is enabled in HA setting and rebooted.
491311 Management port has sync’ed when creating a new NAT VDOM.
493759 When vcluster2 is removed from HA config, all active sessions are killed once session-ttl is reached.
503118 Slave unit sends several false alert emails everyday after upgrade to 5.6
IPS
Bug ID Description
423140 All IPS sessions lost when new custom signature added.
492193 DoS policies consume 20% more CPU than in FortiOS 5.2.
503895 Traffic drops for 15 seconds when UTM is enabled.
506234 Cannot configure IPS sensor severity or threat-weight category.
IPsec VPN
Bug ID Description
476461 IKE does not release the mode-cfg framed-IP assigned from RADIUS.
486756 Traffic is not fragmented for IPsec VPN when Proxy-based UTM is enabled.
487946 MSS value increases when AV or WEB filter in use resulting in Packet too big message.
490066 FortiClient with IPsec with Proxy / Webfilter – Fragmentation is needed.
492046 FortiGate does not respond to INFORMATIONAL exchange message as requested by RFC.
492366 100% system CPU usage when re-keying idle IPsec tunnels.
Log & Report
Bug ID Description
459163 QUAD File Dropped Reason = Unknown.
462471 Found miglogd crash on FG-240D.
496058 FortiAnalyzer is not able to show logs from some VDOMs.
497357 FortiGate logs show the action as block when we use DNS filter and if a DNS query timeout happens.
Proxy and WebProxy
Bug ID Description
487096 SSL handshake fails when activate ESET application.
491417 FortiGate is dropping server hello packets when URLFILTER is enabled.
500182 UDP over SOCKS proxy.
500965 In FG-200E kernel conserve mode, WAD process consuming high memory.
503633 Some traffic forwarded to different gateway when proxy based UTM profiles are used.
507155 System went into conserve mode due to WAD after upgrade to 5.6.5.
Router
Bug ID Description
443948 High memory usage for zebos_launcher and isisd.
460959 WAN link monitor (HTTP) log issue.
465957 Backup VPN static route remains after failback when explicit proxy and NAT are configured.
490312 When we set keepalive-interval > 0 in GRE tunnel, static route to remote site becomes inactive.
491423 BGP shutdown neighbor capability-default-originate parameter always in use.
491679 FortiGate chooses higher metric OSPF E2 route for traffic under some circumstance.
505189 Kernel is missing routes.
506219 Worker blade doesn’t update the FT routing cache when phase1 is bound to a loopback interface.
SSL VPN
Bug ID Description
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.
456027 SMB bookmark in SSL VPN portal doesn’t work with dynamic user-mapping and gets Invalid HTTP request error.
466438 High CPU usage by sslvpnd.
483253 FQDN doesn’t work well through SSL VPN web mode.
486918 SSL VPN web mode unable to load the page correctly.
491733 SSL VPN process taking 99% of CPU utilization {tunnel mode only).
491895 Web mode SSL VPN HTTP bookmark not working.
492066 High memory usage in SSL VPN even when there is only one connection.
492654 SSLVPND process crashes and users are disconnected from SSL VPN.
494960 SSL VPN web mode has trouble loading internal web application.
496584 SSL VPN bad password attempt causes excessive bindRequests against LDAP and lockout of accounts.
507251 SSLVPND is continuously crashing.
Switch
Bug ID Description
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA failover in 80/81E.
493685 Hardware switch flooding traffic.
System
Bug ID Description
414081 SMB1 support has been by default disabled under part models.
435388 The parent physical interface cannot be in zone list when VLAN interface is added to zone.
436399 snmpd crashes with signal 11 in get_fgHaStatsEntry.
463409 FG-3700D/DX issue with FQDN.
467060 Virtual Wire Pair wrongly tag the VLAN when passing from Native VLAN to Tagged VLAN.
475745 Backup password for administrator account is not working when interface is down.
478264 VPN traffic across VLAN NPU VDOM link fails after being offloaded.
484281 Asymmetric traffic issue.
491441 FWF-60D-POE: Null pointer KP happened a few times.
493052 Sometimes 5001D slave blade loses kernel static route after down/up traffic interface in 5001D/5913C SLBC system.
493747 High CPU was observed when changing the policy when large number of policies were configured.
494040 Creating or modifying security profiles generate multiple logs with misleading action.
494707 FortiGate trusthost settings not respected.
495994 Observes lots of IPS syntax errors on the console screen.
496590 FQDN address object does not accept numbers at the end.
498032 Sometimes 5001E blade crashes during traffic testing with UTM enabled in firewall policy.
499332 No error message when configuring address .067 and address converted with .55.
501098 A specific SFP shared port’s LED (port15 to 18 on FG-800C) is not lit properly.
503638 config system ipip-tunnel is lost after reboot when using pppoe interface.
505930 FG-3700D freezes when deleting VDOM.
507060 Packet loss on startup when interfaces are in bypass mode.
507061 Longer time to put interfaces in bypass mode during shutdown.
VM
Bug ID Description
464979 Encounter cannot set MAC address(6) after enabling HA on FGT_VM64_XEN.
476617 FortiGate VM on AWS using C5 instance can’t upgrade or downgrade image.
496951 Cannot create 802.3ad Aggregate with more than one member in KVM FGT-VM.
498653 FortiOS VM stops passing traffic after failover.
501886 Azure SDN connector does not work for some regions.
506221 azd keep crashing with signal 11.
VoIP
Bug ID Description
478634 Debug commands for SIP filter are not applied.
508277 Non-SIP packet send to SIP ALG gets dropped with no log.
Web Filter
Bug ID Description
470650 DNS filter getting purged by FortiManager when not used in a policy because FortiGate DNS filter does not contain static entry.
476806 FortiOS incorrectly sends ICMP „Destination Unreachable” with WF/certificate inspection.
485685 Proceeding from a web filter warning page intermittently results in the BLOCK page shown instead of the expected web site.
486466 HTTPS web page is blocked after clicking Proceed button.
489286 Renaming web filter profile does not take effect.
504238 Incorrect log action blocked even user is „passthrough” in web filter log with warning-prompt per domain.
WiFi
Bug ID Description
471638 FortiGate disconnects all clients when they roam from AP to AP.
Znane problemy:
Application Control
Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
448247 Traffic-shaper in shaping policy does not work for specific application category like as P2P.
FortiGate-90E/91E
Bug ID Description
393139 Software switch span doesn’t work on this platform.
FortiGate 3815D
Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
FortiSwitch-Controller/FortiLink
Bug ID Description
304199 HA with FortiLink traffic loss – no virtual MAC.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
FortiView
Bug ID Description
366627 FortiView Cloud Application may display incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
GUI
Bug ID Description
356174 FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
374844 Should show ipv6 address when set ipv6 mode to pppoe/dhcp on GUI > Network > Interfaces.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
422413 Use API monitor to get data for FortiToken list page.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
445113 IPS engine 3.428 on Fortigate sometimes cannot detect Psiphon packets that iscan can detect.
451776 Admin GUI has limit of 10 characters for OTP.
HA
Bug ID Description
481943 Green checkmarks indicating HA sync status on GUI only appear beside virtual cluster 1.
Log & Report
Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
Proxy
Bug ID Description
454185 Specific application does not work when deep inspection is enabled.
Security Fabric
Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
SSL VPN
Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
477231 Unable to login to VMware vSphere Client 6.5 through SSL VPN web portal.
System
Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
457096 FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
464873 RADIUS COA Disconnect-ACK message ignore RADIUS server source-ip setting.
VM
Bug ID Description
441129 Certify FortiGate-VMX v5.6 with NSX v6.3 and vSphere v6.5.
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
