Fortinet has published an update of the operating system for FortiGate, numbered version 6.0.6. The vendor recommends updating the software as soon as possible because of a vulnerability discovered in firmware 6.0.5, which the vendor itself has rated as critical! The issue is improper checking of certificates for validity. Upgrading FortiOS from version 6.0.x to version 6.0.6 as soon as possible is recommended.
The problem affects devices running the following firmware:
- FortiOS 6.2.0
- FortiOS 6.0.5 and lower
- FortiOS 5.6.9 and lower
- FortiOS 5.4.11 and lower
- FortiOS 5.2.13 and lower
- FortiManager 6.2.0
- FortiManager 6.0.5 and lower
- FortiManager 5.6.8 and lower
- FortiManager 5.4.6 and lower
- FortiAnalyzer 6.2.0
- FortiAnalyzer 6.0.5 and lower
- FortiAnalyzer 5.6.8 and lower
- FortiAnalyzer 5.4.6 and lower
 
Resolved issues:
VM
| Bug ID | Description | 
|---|---|
| 548366 | Azure SDN fabric connector is showing status down. | 
Common Vulnerabilities and Exposures
| Vulnerability | 
|---|
| FortiOS 6.0.6 is no longer vulnerable to the issue described in the following link – https://fortiguard.com/psirt/FG-IR-19-144. | 
Known issues:
Application Control
| Bug ID | Description | 
|---|---|
| 435951 | Traffic keeps going through the DENY NGFW policy configured with URL category. | 
| 488369 | DSCP/ToS is not implemented in shaping-policy yet. | 
FortiView
| Bug ID | Description | 
|---|---|
| 403229 | In FortiView, display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic. | 
| 411368 | In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field. | 
| 525702 | FortiView does not support auto update in real-time view and shows unscanned application. | 
| 526956 | FortiView widgets get deleted on upgrading to B222. | 
| 527540 | In many FortiView pages, the Quarantine Host option is not clickable on a registered device. | 
| 528483 | FortiView > Destination page filter destination owner cannot filter out correct destination in real time view. | 
| 554791 | Policy direct hyperlink from historical FortiView sessions does not highlight policy. | 
| 528767 | In FortiView > multiple charts, Previous Time Periods in custom period is missing. | 
GUI
| Bug ID | Description | 
|---|---|
| 442231 | Link cannot show different colors based on link usage legend in logical topology real time view. | 
| 451776 | Admin GUI has limit of 10 characters for OTP. | 
| 508015 | Edit Policy from GUI changes fsso setting to disabled. | 
| 516415 | Edit Disclaimer Message button is missing on Proxy Policy page. | 
HA
| Bug ID | Description | 
|---|---|
| 479987 | FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works). | 
| 539155 | HA master does not send SNMP trap when plugging cable into interface that is set as ha-mgmt-interfaces. | 
Intrusion Prevention
| Bug ID | Description | 
|---|---|
| 445113 | IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect. | 
IPsec VPN
| Bug ID | Description | 
|---|---|
| 469798 | The interface shaping with egress shaping profile doesn’t work for offloaded traffic. | 
| 481201 | The OCVPN feature is delayed about one day after registering on FortiCare. | 
Log & Report
| Bug ID | Description | 
|---|---|
| 412649 | In NGFW Policy mode, FortiGate does not create web filter logs. | 
SSL VPN
| Bug ID | Description | 
|---|---|
| 405239 | URL rewritten incorrectly for a specific page in application server. | 
Switch Controller
| Bug ID | Description | 
|---|---|
| 357360 | DHCP snooping may not work on IPv6. | 
| 528983 | When IGMP snooping is enabled on a VLAN, reserved multicast packets are forwarded twice on the 124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448DPOE, 448D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE models. | 
System
| Bug ID | Description | 
|---|---|
| 295292 | If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key. | 
| 472843 | When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes. | 
| 474132 | FG-51E hang under stress test since build 0050. | 
Upgrade
| Bug ID | Description | 
|---|---|
| 470575 | After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter. | 
| 473075 | When upgrading, multicast policies are lost when there is a zone member as interface. | 
| 481408 | When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface. | 
| 494217 | Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name. | 
FortiOS 6.0.6 – Release Notes
Best regards,
The B&B Team
 Bezpieczeństwo w biznesie
