B&B Bezpieczeństwo w biznesie
  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Cyberbezpieczny Samorząd
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • Kontakt

Fortinet w najnowszej aktualizacji swojego oprogramowania FortiOS 6.4.13 wprowadził wiele znaczących zmian. Wśród nich możemy wyróżnić np.: zmiany w wykrywaniu urządzeń i licencjonowaniu FortiClient Endpoint Telemetry. W celu zwiększenia bezpieczeństwa system FortiOS 6.4.13 używa opcji, która pozwala na kontrolowanie minimalnej wersji protokołu SSL używanej w komunikacji między FortiGate a usługami SSL i TLS innych firm. Po więcej o najnowszym wydaniu w artykule poniżej.

FortiOS 6.4.13 rozwiązuje kilka istotnych problemów i wyzwań dotyczących oprogramowania. Jedne z najważniejszych problemów, które zostały rozwiązane w tej aktualizacji:

1.Problem z Explict Proxy, który uniemożliwiał dostęp do witryn HTTPS, jeśli w polityce proxy była ustawiona inspekcja certyfikatów,

2.Problem z Firewall, gdzie wyłączona polityka blokująca z obiektami serwera wirtualnego nie mogła zostać włączona po restarcie urządzenia.

3.Gdy lokalnemu administratorowi FortiGate przypisane były więcej niż dwa VDOM-y i próbował się zalogować do konsoli GUI, otrzymał błąd analizy poleceń przy wejściu w tryb konfiguracji VDOM.

Rozwiązane problemy:

Explicit Proxy

Bug ID Description
794124 HTTPS websites are not accessible if certificate-inspection is set in a proxy policy.
849794 Random websites are not accessible after upgrading when using a proxy policy.

Firewall

Bug ID Description
727809 Disabled deny firewall policy with virtual server objects cannot be enabled after a firewall reboot.
739949 In HA virtual cluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics.
808264 Stress test shows packet loss when testing with flow inspection mode and application control.
856187 Explicit FTPS stops working with IP pool after upgrading from 6.4.8 to 6.4.9.
865661 Standard and full ISDB sizes are not configurable on FG-101F.

GUI

Bug ID Description
722358 When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode.
748530 A gateway of 0.0.0.0 is not accepted in a policy route.
870675 CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs assigned.

Workaround: use SSH directly or reduce the number of VDOMs.

HA

Bug ID Description
776355 Packet loss occurs on the software switch interface when a passive device goes down.
816883 High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so.
830879 Running execute ha manage 0 <remote_admin> fails and displays a Permission denied, please try again. error if the 169.254.0.0/16 local subnet is not in the trusted host list.
832634 HA failovers occur due to the kernel hanging on FG-100F.
853900 The administrator password-expire calculation on the primary and secondary returns a one-second diff, and causes HA to be out-of-sync.
856643 FG-500E interface stops sending IPv6 RAs after upgrading.
874823 FGSP session-sync-dev ports do not use L2 Ethernet frames but always use UDP, which reduces the performance.

Intrusion Prevention

Bug ID Description
715360 Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.
775696 Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions affected by that blade.
839170 IPS engine may crash (SIGALRM)) when the system is busy because it might not receive enough run time.

IPsec VPN

Bug ID Description
765174, 775279 Certain packets are causing IPsec tunnel drops on NP6XLite platforms after HA failover because the packet is not checked properly.
788751 IPsec VPN Interface shows incorrect TX/RX counter.
805301 Enabling NPU offloading in the phase 1 settings causes a complete traffic outage after a couple of ping packets pass through.
822651 NP dropping packet in the incoming direction for SoC4 models.
840153 Unexpected dynamic selectors block traffic when set mesh-selector-type subnet is configured.
842528 Improper IKEv1 quick mode fragmentation from third-party client can cause an IKE crash.
877161 IPsec traffic failing from FortiGate with Failed to find IPsec Common error when dialup IPsec VPN tunnel has remote IP configured on the IPsec VPN interface.
892699 In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down.

Log & Report

Bug ID Description
823183 FortiGates are showing Logs Queued in the GUI after a FortiAnalyzer reboot, even tough the queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection restores.
873987 High memory usage from miglogd processes even without traffic.
874026 Caching a large number of service port entries causes high log daemon memory usage.

Proxy

Bug ID Description
867614 Multiple and recurrent WAD crashes are causing platform instability and conserve mode after upgrading to 6.4.11 because the Unix stream might be null in some scenarios.

REST API

Bug ID Description
745926 Using multiple logical AND symbols (&) on monitor API filtering causes a 502 Bad Gateway error.

Routing

Bug ID Description
618684 When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is present in the routing table.
769100 Policy routes order is changed after updating the source/destination of SD-WAN rules.
797590 GRE tunnel configured using a loopback interface is not working after changing the interface back and forth.
846107 IPv6 VRRP backup is sending RA, which causes routing issues.
860075 Traffic session is processed by a different SD-WAN rule and randomly times out.
862418 Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage.
864626 FortiGate local traffic does not follow SD-WAN rules.
890379 After upgrading, SD-WAN is unable to fail over the traffic when one interface is down.

Security Fabric

Bug ID Description
885810 The gcpd daemon constantly crashes (signal 11 segmentation fault).

SSL VPN

Bug ID Description
781581 Customer internal website is not shown correctly in SSL VPN web mode.
803576 Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode.
803622 High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server.
818196 SSL VPN does not work properly after reconnecting without authentication and a TX drop is found.
873995 Problem with the internal website using SSL VPN web mode.
850898 OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13).
884860 SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by limit-user-logins.

Switch Controller

Bug ID Description
798724 FortiSwitch exported ports in tenant VDOM are gone after rebooting the FortiGate.

System

Bug ID Description
688009 Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.
709679 Get can not set mac address(16) error message when setting a MAC address on an interface in HA that is already set.
721119 The forticron process uses high CPU.
729912 DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.
753421 Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected.
754681 The auto-script is not restarted when it is changed from HA synchronization.
766834 forticron allocates over 700 MB of memory, causes the FortiGate to go into conserve mode, and causes kernel panic due to 100 MB of configured CRL.
782962 PSU alarm log and SNMP trap are added for FG-10xF and FG-8xF models.
790656 DNS fails to correctly resolve hosts using the DNS database.
796094 Egress traffic on EMAC VLAN is using base MAC address instead.
800295 NTP server has intermittent unresolvable logs after upgrading to 6.4.
815937 FCLF8522P2BTLFTN transceiver is not working after upgrade.
828070 CLI displays pipe() failed error messages when sending the sensor value to SMC.
840960 When kernel debug level is set to >=KERN_INFO on NP6xLite platforms, some tuples missing debug messages may get flooded and cause the system to get stuck.
844937 FG-3700D unexpectedly reboots after the COMLog reported a kernel panic due to an IPv6 failure to set up the master session for the expectation session under some conditions.
850430 DHCP relay does not work properly with two DHCP relay servers configured.
850683 Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.
850688 FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.
855151 There may be a race condition between the CMDB initializing and the customer language file loading, which causes the customer language file to be removed after upgrading.
859795 High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP.
868002 FortiGate is unable to resolve DNS from the DNS database for local out traffic (ICMP and access to RADIUS server).

Upgrade

Bug ID Description
743389 The dnsfilter-profile setting was purged from all DNS server entries upon upgrading from before 6.4.4.

User & Authentication

Bug ID Description
679016, 749694 A fnbamd crash is caused when the LDAP server is unreachable.
688065 When using the group-override-attr-type class option in a RADIUS configuration, two extra characters are added at the end of the group name.
839801 FortiToken purge in a VDOM clears all FortiToken statuses in the system.
851233 FortiToken activation emails should include HTTPS links to documentation instead of HTTP.

VM

Bug ID Description
785929 AWS FortiGate fails to bootstrap in new region of Cape Town, South Africa (af-south-1).

VoIP

Bug ID Description
757477 PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Common Vulnerabilities and Exposures

Bug ID CVE references
843324 FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-42472
858793 FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-43947
866013 FortiOS 6.4.13 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-22641

 

Znane problemy:

FortiOS 6.4.13 wprowadza rozwiązania dla problemów dotyczących np.: Opcja „Reject” może być wybrana jako działanie na liście blokującej/zezwalań w Anti-Spam w interfejsie graficznym. Strony FortiView z źródłem FortiAnalyzer nieprawidłowo wyświetlają błąd ” Failed to retrieve data error” na wszystkich widokach VDOM, gdy istnieje nowo utworzony niezarejestrowany VDOM. To tylko przykładowe problemy, więcej można przeczytać w tabeli poniżej

Anti Spam

Bug ID Description
877613 Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI.

Anti Virus

Bug ID Description
752420 If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Firewall

Bug ID Description
719311 On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

770541 Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.

Workaround: set the DNS server to the FortiGuard DNS server.

843554 If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

FortiView

Bug ID Description
683654 FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

GUI

Bug ID Description
440197 On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.
602397 Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.
653952 The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016 GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.
695163 When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

743477 On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

HA

Bug ID Description
771999 Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup.
779180 FGSP does not synchronize the helper-pmap expectation session.

Hyperscale

Bug ID Description
734305 In the GUI, an FQDN or ISDB can be selected for a DoS policy, which is not supported (an error message appears). The CLI shows the correct options.
760560 The timestamp on the hyperscale SPU of a deny policy (policy id 0) is incorrect.
796368 Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale.
802369 Large client IP range makes fixed allocation usage relatively limited.

Intrusion Prevention

Bug ID Description
654307 Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.
763736 IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

Log & Report

Bug ID Description
860822 When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

Workaround: use a double backslash (domain\\username) while filtering or searching by username only without the domain.

Proxy

Bug ID Description
604681 WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

REST API

Bug ID Description
759675 Connection failed error occurs on FortiGate when an interface is created and updated using the API in quick succession.

Security Fabric

Bug ID Description
614691 Slow GUI performance in large Fabric topology with over 50 downstream devices.

SSL VPN

Bug ID Description
730416 Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

System

Bug ID Description
555616 When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.
602141 The extender daemon crashes on Low Encryption (LENC) FortiGates.
648085 Link status on peer device is not down when the admin port is down on the FortiGate.
664856 A VWP named .. can be created in the GUI, but it cannot be edited or deleted.
666664 Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.
669645 VXLAN VNI interface cannot be used with a hardware switch.
685674 FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.
751715 Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

Upgrade

Bug ID Description
767808 The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite.
840921 When upgrading from 6.0.15 to 6.4.11, an existing explicit flow-based web filter profile changes to proxy-based.

User & Authentication

Bug ID Description
778521 SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID Description
596742 Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.
617046 FG-VMX manager not showing all the nodes deployed.
639258 Autoscale GCP health check is not successful (port 8443 HTTPS).
668625 During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.
764392 Incorrect VMDK file size in the OVF file for hw13 and hw15.

Workaround: manually correct the hw13 and hw15 OVF file’s ovf:size value.

WiFi Controller

Bug ID Description
662714 The security-redirect-url setting is missing when the portal-type is auth-mac.

Należy pamiętać, że producent stale pracuje nad rozwiązywaniem tych problemów i udostępnia łatki oraz poprawki w kolejnych wersjach oprogramowania. Zaleca się skonsultowanie się z dokumentacją producenta lub wsparciem technicznym Fortinet w celu uzyskania najbardziej aktualnych informacji i rozwiązań dla znanych problemów w FortiOS 6.4.13

Notatki producenta: FortiOS 6.4.13

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

Post Views: 1 330

6.4.13 FortiGate Fortinet FortiOS

Poprzedni artykułFortiOS 6.2.15Następny artykuł FortiOS 7.0.12

Najnowsze

FortiAnalyzer 7.6.38 maja 2025
FortiManager 7.6.330 kwietnia 2025
FortiMail 7.6.322 kwietnia 2025

Kategorie

  • Acronis
  • Aktualności
  • Bez kategorii
  • ESET
  • F-Secure
  • FortiAnalyzer
  • FortiAP
  • FortiAuthenticator
  • FortiClient
  • FortiDeceptor
  • FORTIGATE
  • FORTIMAIL
  • FortiManager
  • FortiNAC
  • FortiSIEM
  • FORTISWITCH
  • FortiWeb
  • NAKIVO
  • Proget
  • Qnap
  • Stormshield
  • Szkolenia
  • Veeam
  • VMware
  • WithSecure

Tagi

6.0.6 6.2.2 6.2.7 6.4.0 6.4.4 6.4.5 6.4.8 7.0.0 7.0.2 7.0.5 7.2.0 7.2.2 ems Eset eset endpoint antivirus eset endpoint security ESET Inspect ESET Protect ESET Protect Cloud F-Secure FMG FortiAnalyzer forti analyzer FortiAP fortiap-w2 FortiAuthenticator FortiClient FortiClientEMS forticlient ems FortiGate FortiMail FortiManager FortiNAC Fortinet FortiOS FortiSIEM FortiSwitch FortiWeb vCenter vCenter Server VMware VMware ESXi vmware esxi 8.0 vmware vcenter VMware vCenter Server

MENU

  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Cyberbezpieczny Samorząd
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • Kontakt

BLOG TECHNICZNY

FortiAnalyzer 7.6.38 maja 2025
FortiManager 7.6.330 kwietnia 2025
FortiMail 7.6.322 kwietnia 2025

KONTAKT

biuro@b-and-b.plhttps://www.b-and-b.pl
8:00-16:00
RODO | POLITYKA PRYWATNOŚCI
OGÓLNE WARUNKI REKLAMACJI

BEZPIECZEŃSTWO W BIZNESIE 2025 - wszystkie prawa zastrzeżone

MENU

  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Cyberbezpieczny Samorząd
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • Kontakt

BLOG TECHNICZNY

FortiAnalyzer 7.6.38 maja 2025
FortiManager 7.6.330 kwietnia 2025
FortiMail 7.6.322 kwietnia 2025

Kontakt

+48 500-413-313
biuro@b-and-b.pl
8:00-16:00
Add new entry logo

Korzystamy z plików cookies lub podobnych technologii, by lepiej dopasować treści na stronie do Twoich potrzeb. W każdej chwili możesz zmienić ustawienia cookies. Polityka prywatności

Akceptuję Odmów
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
  • Always Active
    Necessary
    Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

  • Marketing
    Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

  • Analytics
    Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

  • Preferences
    Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

  • Unclassified
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.