Fortinet has released an update to the operating system dedicated to FortiGate, designated version 6.0.11. In this latest software version the vendor added a built-in certificate named "Fortinet_Factory" for FortiGate and FortiWiFi devices of the D series and newer. The SSL VPN requirements for macOS were also changed: when using SSL VPN on Mac OS X 10.8, SSLv3 must be enabled in FortiOS. The update also resolved issues such as: on the FG-100D, traffic traversing ports 1-16 now uses all CPU cores, and SSL VPN log entries now correctly display users and no longer show clients from other VDOMs.
Resolved issues:
Firewall
| Bug ID | Description |
|---|---|
| 610557 | FortiGate VIP object offers weak elliptic curves since VS implementation in WAD for FortiOS 6.0 and above. |
| 644225 | Challenge ACK is being dropped. |
Log & Report
| Bug ID | Description |
|---|---|
| 593557 | Logs to syslog server configured with FQDN address fail on FortiGate when FQDN address DNS entry gets updated. |
| 612779 | Reliable syslogd session goes into bad state due to traffic shaper. |
Proxy
| Bug ID | Description |
|---|---|
| 568905 | WAD crashes due to RCX value being null. |
SSL VPN
| Bug ID | Description |
|---|---|
| 564871 | SSL VPN users create multiple connections. |
| 620508 | CLI command get vpn ssl monitor displays users from other VDOM. |
| 624899 | Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark. |
| 637018 | After the upgrade to 6.2.4/6.4.0 SSL VPN portal mapping/remote authentication is matching user into the incorrect group. |
| 649130 | SSL VPN log entries display users from other VDOMs. |
System
| Bug ID | Description |
|---|---|
| 503125 | FG-100D traffic traversing port1-port16 only saturates CPU0. |
| 541527 | Changing the order of VDOM in system admin when connected with TACACS+ wildcard administrator is not propagated to other blades. |
| 563956 | Kernel panic and reboot on FG-2500E. |
| 632635 | Frame size option in sniffer does not work. |
| 647159 | Kernel panic on FG-600D. |
| 665000 | HA LED off issue on FG-1100E/1101E models running FOS 6.0. |
User & Device
| Bug ID | Description |
|---|---|
| 591170 | Sessions are removed from the session table when FSSO group order is changed. |
Common Vulnerabilities and Exposures
| Bug ID | CVE references |
|---|---|
| 634975 | FortiOS 6.0.11 is no longer vulnerable to the following CVE Reference: |
| 634978 | FortiOS 6.0.11 is no longer vulnerable to the following CVE Reference: |
Known issues still to be resolved:
Antivirus
| Bug ID | Description |
|---|---|
| 582368 | URL threat detection version shows a large negative number after FortiGate reboots. |
| 590092 | Cannot clear scanunit vdom-stats to reset the statistics on ATP widget. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 564582 | Explicit proxy policy treats domain.tld in FQDN firewall address object as wildcard. |
Firewall
| Bug ID | Description |
|---|---|
| 508015 | Editing a policy in the GUI changes the FSSO setting to disable. |
| 520558 | Should not do passive port NAT for FTP session helper. |
| 591731 | Cannot reorder shaping policy via GUI or CLI (FG-100F). |
FortiView
| Bug ID | Description |
|---|---|
| 527540 | On multiple pages, the Quarantine Host option is not clickable on a registered device. |
GUI
| Bug ID | Description |
|---|---|
| 545900 | GUI shows Failed to save changes when trying to reorder a policy in the list. |
| 587673 | On Proxy Policy page, the default view method (Interface Pair View) is not clickable. |
HA
| Bug ID | Description |
|---|---|
| 584551 | hatalk keeps exchanging heartbeat packet incorrectly with FortiManager. |
| 601550 | Application hasync crashes several times. |
| 643958 | Inconsistent data from FFDB caused several confsyncd crashes. |
Log & Report
| Bug ID | Description |
|---|---|
| 551031 | FortiGate lost logs to FortiAnalyzer when route was changed and without physical interface being down. |
| 592766 | Log device defaults to empty and cannot be switched on in the GUI after enabling FortiAnalyzer Cloud. |
| 634947 | rlogd signal 11 crashes. |
| 643099 | logid=0000000020 is generated even with set logtraffic disable in the policy. |
Proxy
| Bug ID | Description |
|---|---|
| 501299 | WAD sometimes does not spawn any workers when configuring FG-101E after a factory reset. |
| 584719 | WAD reads ftp over-limit multi-line response incorrectly. |
| 617099 | WAD crashes every few minutes. |
| 653099 | URL filter wildcard in proxy mode. |
Routing
| Bug ID | Description |
|---|---|
| 576930 | Time stamps missing in routing debugs. |
SSL VPN
| Bug ID | Description |
|---|---|
| 596273 | sslvpnd worker process crashes, causing a zombie tunnel session. |
| 599960 | RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed. |
| 633114 | Cannot access internal website pl***.fr using SSL VPN web mode. |
| 633684 | Host check causing macOS users to fail to connect to SSL VPN. |
| 644506 | Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password. |
| 648433 | Internal website loading issue in SSL VPN web portal. |
System
| Bug ID | Description |
|---|---|
| 571720 | Using DHCP to acquire addresses for mode-config with certificates fails to send DHCP request. |
| 585053 | NP6 VLAN LACP-based interface RX/TX counters not increasing. |
| 587521 | VIP server load-balancing persistence HTTP cookie not refreshed after the timer. |
| 598464 | Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side. |
| 605723 | FG-600E stops sending out packets on its SPF and copper port on NP6. |
| 607565 | Interface emac-vlan feature does not work on SoC4 platform. |
| 611512 | When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE. |
| 615460 | GRE keep-alive reply dropped. |
| 628642 | Issue when packets from same session are forwarded to each LACP member when NPx offloading is enabled. |
| 633827 | Errors during fuzzy tests on FG-1500D. |
User & Device
| Bug ID | Description |
|---|---|
| 567831 | Local FSSO poller is regularly missing logon events. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 579908 | Tunnel mode SSID packet loss seen from FAP-U24JEV and 800 connected APs. |
| 608717 | Packet loss over CAPWAP tunneled SSID. |
| 618456 | High cw_acd usage upon polling a large number of wireless clients with REST API. |
| 641042 | FG-200D drops TX packet on the SSID tunnel interface. |
