Fortinet has released an update to the FortiOS 5.6 family. The new version, FortiOS 5.6.11, brings a number of bug fixes, among them in application control and in the cooperation of devices configured in an HA cluster. It also eliminates a problem with the miglogd process, which, after losing its connection to FortiAnalyzer, buffered logs and drastically increased its RAM usage, causing the device to enter conserve mode.

Resolved issues:
- Unable to add email wildcard to black/white list GUI in Anti-Spam profile.
- CIFS AV flow mode allows malware which has been blocked by HTTP.
- Application Control with SSL does not check SNI against server certificate.
- Application Control does not detect application with webproxy-forward-server.
- Application Control does not scan the traffic forwarded to an upstream proxy.
- Application Control HTTP.BROWSER_Firefox is not blocking Facebook and some other sites.
- No need to resolve safe search FQDN if not used.
- WAD crash with signal 6.
- WAD re-signs valid web sites with untrusted CA certificate.
- SSL deep inspection not performed on certain sites.
- Cannot filter policy by multiple IDs.
- Policy ID filter not working for single policy ID.
- In FortiView GUI > All Sessions page, the filter is not working.
- GUI fails to read correct Last Used time for firewall policy.
- HTTPSD uses high CPU when accessing GUI network interfaces.
- Routing monitor network filter does not filter subnets after upgrade.
- MTU of session-sync-dev does not come into effect.
- Slowness when adding or removing member from address group via SSH.
- FGT-HA does not fail over when pingserver is down the second time.
- GTP tunnel states are not synced on subordinate unit after a reboot.
- Old master keeps forwarding traffic after failover.
- Network loop over virtual-wire-pair in HA mode if running diagnose sys ha reset-uptime.
- SCTP sessions affected after upgrade and failover.
- NP6 sessions dropped after any change in GUI.
- In HA setup, with uninterrupted upgrade option enabled, some signature DBs might be damaged if upgrading from 5.6.9 and earlier to 5.6.10.
- IPS/AV not forwarding return traffic back to clients.
- TCP connections through IPsec (bound to loopback) do not work when IPS offload is enabled to NTurbo.
- Enabling IPS on IPv4 policy impacting HTTPS traffic over the site-to-site VPN using PPPoE for internal servers.
- IPsec gateway not matching for PKI user when there is a DC field in the client certificate.
- Dialup IPsec hardware acceleration drops.
- Policy-based site-to-site VPN with DDNS destination fails to connect.
- iked crashes frequently with signal 11.
- ESP packets are sent to the wrong MAC after a routing change when IPsec SA is offloaded.
Log & Report
- VPN usage duration days in local report is not correct.
- Memory of miglogd increases and the device enters conserve mode.
- Active SSH sessions to remote servers are dropped exactly when the session-ttl expires.
- Page for removed default ssl-exempt entries shows empty.
- WAD process crashing and affecting HTTP/HTTPS traffic.
- FortiManager sends requests to FortiGate to collect proxy policy hit_count/bytes, and the response from FortiGate misses the uuid attribute.
- FortiGate cannot accept passwords starting with 0x in certain situations (interpreted as HEX).
- Application PDMD crashes.
- When using policy route for IPv6, NAT64 does not work.
- GRE tunnel does not come up.
- IPv6 routing failed to choose lower priority route when output interface is specified.
- BGP/BFD packets marked as CS0.
- NSM crashes during dev and QA test.
- Multicast fails after failover from another interface.
- Although the routing table was changed in IPv6 network, the offloaded communication stopped.
- FortiGate not sending Framed-IP-Address attribute for SSL VPN tunnel in RADIUS accounting packet.
- Dropdown list cannot get expanded through bookmarks (SSL VPN).
- HTML PABX Admin Console not working correctly in SSL VPN mode.
- Update from web mode fails for SharePoint page using MS NLB.
- SSL VPN crashes when it receives HTTP request with header "X-Forwarded-For" because of the wrong use of sslvpn_ap_pstrcat.
- SSL VPN web mode RDP connection not working when security set to NLA.
- Abnormal behaviour of mac-addr-check in SSL VPN.
- SSL web mode is not modifying links on certain web pages.
- Unable to receive SSL tunnel IP address.
- TX packet drops on ssl.root interface.
- SSL VPN login auth times out if primary RADIUS server becomes unavailable.
- HTTP 302 redirection is not parsed by SSL VPN proxy (web mode / bookmark).
- Internal website not working through SSL VPN web mode.
- SSL VPN tunnel mode can only add split tunneling of user's policy with groups and its users in different SSL VPN policies.
- Email Service > UserName is not enough for longer UserID. It gets truncated and causes authentication failure.
- DNSproxy does not seem to update link-monitor module.
- bcm.user always takes nearly 70% CPU after running NTurbo over IPsec script.
- SNMPD's debug messages reveal source code function names.
- Intermittent failure of DHCP address assignment.
- System reboots due to a kernel panic.
- SLBC FortiOS should prevent change of default management VDOM.
- Primary DNS server is not queried even after 30 seconds.
- Kernel panic after upgrade from 5.6.7 to 5.6.8.
- DHCP option doesn't include all NTP servers.
- Changing the order of VDOM in system admin when connected with TACACS+ wildcard admin is not propagated to other blades.
- SNMP monitoring of the implicit deny policy not possible.
- Setting alias or changing allowed access to aggregate link moves the state from down to up for a few seconds.
- USB modem Huawei E173u-2 not working on FortiGate 60E device.
- DHCPD is using more memory on the slave unit than the active unit.
- DHCP not working properly with macOS when proxy ARP is enabled/configured.
- Increase firewall.address tablesize for 80-90 series.
- FortiGate does not support DH 1024 bits as SSH server.
- FGT-5001D/B1672: /tmp/fcp_rt_dump file lost some IPsec VPN router info after modifying the IPsec VPN static route setting.
- Kernel panic on 3700D running 5.6.8.
- Can't poll SNMP v3 statistics for BGP when ha-direct is enabled under SNMP user.
- High memory utilization caused by authd and wad process.
- 4x10G split-port does not work on FG3700D rev 2.
- config-error-log shows after upgrade from v5.6.6 to v5.6.7.
User and Device
- FSSO failover is not graceful.
- Unable to log in to FortiGate GUI with YubiKey. CLI works as expected.
- When all groups are included in a registry string that contains 16384 characters or more, the groups cannot be synchronized.
- Recurring conflicts between TS-Agent type FSSO sessions and regular FSSO sessions.
- FOS VM serial number changes during firmware upgrade.
- FortiGate VoIP handling.
- Signal 11 crash on b0161.
- FGT D series number of web filter profiles decreased globally.
- VDOM is replying with TCP ACK 0.
- Invalid hostname returned on GUI when static URL is defined.
- Web filter blocks connection.
- Add support to update Fortinet_Wifi certificate through FGD.
- CAPWAP traffic dropped when offloaded if packets are fragmented.
- wifi-certificate settings become empty and eap_proxy is killed after deleting ca_bundle package and rebooting FortiGate.
Known issues to be resolved:
- Traffic keeps going through the DENY NGFW policy configured with URL category.
- Traffic-shaper in shaping policy does not work for specific application categories such as P2P.
- Software switch span doesn't work on this platform.
- FG-3815D does not support 1GE SFP transceivers.
- Using HA with FortiLink can encounter traffic loss during failover.
- DHCP snooping may not work on IPv6.
- FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
- FortiLink goes down when connecting to FortiSwitch 3.4.2 b192.
- Physical Topology: physical connection of stacked FortiSwitch may be incorrect.
- FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
- Log fields are not aligned with columns after drill down on FortiView and Log details.
- FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
- IPv6 address should be shown when IPv6 mode is set to PPPoE/DHCP on GUI > Network > Interfaces.
- Link cannot show different colors based on link usage legend in logical topology real time view.
- IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
- Admin GUI has limit of 10 characters for OTP.
- Green checkmarks indicating HA sync status on GUI only appear beside virtual cluster 1.
Log & Report
- In NGFW policy mode, FortiGate does not create webfilter logs.
- In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
- In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
- URL rewritten incorrectly for a specific page in application server.
- If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
- NP6 counter shows packet drops on FG-1500D with a pure firewall policy without UTM.
- Monitor NP6 IPsec engine status.
- FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
- RADIUS CoA Disconnect-ACK message ignores RADIUS server source-ip setting.
We encourage you to read the notes published by the vendor: Release Notes – FortiOS 5.6.11
Regards, the B&B Team
Security in Business