Network security appliance vendor Fortinet has released the latest FortiOS update, version 7.0.14, which contains many fixes and improvements, including a patch for the vulnerability CVE-2023-38545, which could allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. In addition, SSL VPN bugs that prevented iOS and Android mobile devices from connecting to the SSL VPN tunnel were fixed, along with system problems related to ISP traffic on LAG interfaces, and much more. Further details can be found in the article below.
|FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-400F, FG-401F, FG-401E, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG-5001E1
|FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
|FFW-3980E, FFW-VM64, FFW-VM64-KVM
|FortiGate virtual machine
|FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
|Pay-as-you-go images
|FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN
|For firewall policies using inspection-mode proxy, some HTTP/2 sessions may be invalidly detected as unknown application.
|DNS proxy caches DNS responses with only one CNAME record.
|Explicit proxy and SD-WAN issue occurs.
|Web proxy forward server does not convert HTTP version to the original version when sending them back to the client.
|Explicit proxy policy function issues when matching external-threat feed categories.
|NAT64 does not recover when the interface changes.
|Virtual wire pair interface drops all packets if the prp-port-out setting is configured under system npu-setting prp on FG-101F.
|In transparent mode, multicast packets are not forwarded through the bridge and are dropped.
|Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.
|GUI always displays Access denied error after logging in.
|A prompt to Login as ReadOnly/ReadWrite is not displayed when post-login-banner is enabled on a FortiGate managed by FortiManager.
|Managed FortiAP-s page is not loading for non super-admin users.
|HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.
|When walking through the session list to change the ha_id, some dead sessions could be freed one more time.
|There is no response on ha-mgmt-interfaces after a reboot when using a VLAN interface based on hd-sw as the ha-mgmt interface.
|An error condition occurred while forwarding over a VRRP address, caused by the creation of a new VLAN.
|The user.radius checksum is the same in both HA units, but the GUI shows a different checksum on the secondary and the HA status is out of sync.
|In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty on secondary units.
|service-negate does not work as expected in a hyperscale deny policy.
|In some cases, carrier-grade NAT is dropping traffic.
|The HA/AUX ports are not enabled on boot up when using the NPU path option.
|IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.
|IPsec VPN between two FortiGates (100F and 60F) experiences slow throughput compared to the available underlay bandwidth.
|diagnose traffictest issues with dynamic IP addresses and loopback interfaces.
|File transfer stops after a while when offloading is enabled.
|In FGSP, IKE routes are not removed from the kernel when secondary-add-ipsec-routes is disabled.
|Incorrect traffic order in IPsec aggregate redundant member list after upgrade.
|mode-cfg between phase 1 assigned IP address and destination selector addition.
|IPsec tunnels stuck on NP6XLite spoke drop the ESP packet.
|After a third-party router failover, traffic traversing the IPsec tunnel is lost.
|FortiGate is sending ESP packets with source MAC address of port1 HA virtual MAC address.
|When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.
Log & Report
|Administrators without read permissions for the threat weight feature cannot see the event log menu.
|Although there is enough disk space for logging, IPS archive full message is shown.
|FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.
|The received traffic counter is not increasing when the traffic is HTTPS with webfilter.
|In the webfilter content block UTM log in proxy inspection mode, rcvdbyte are zero.
|An error case occurs in WAD while redirecting the web filter HTTPS sessions.
|Unexpected behavior in WAD when the ALPN is set to http2 in the
|Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.
|When a client opens two files and sends a compounded request to read and close file A, this causes file B to be closed twice and WAD to crash.
|Inadvertent traffic disruption caused by WAD when it receives an HTTP2 data frame payload on a dead stream.
|Too many redirects on TWPP after the second KRB keytab is configured.
|An error case occurs in WAD when WAD gets the external authenticated users from other daemons.
|Incorrect BGP Originator_ID from route reflector seen on receiving spokes.
|The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.
|Issue with SD-WAN rule for FortiGuard.
|FortiGate 40F-3G4G not adding LTE dynamic route to route table.
|Routing information changed log is being generated from secondary in an HA cluster.
|Locally originated type 5 and 7 LSAs’ forward address value is incorrect.
|Packet loss status in SD-WAN health check occurs after an HA failover.
|Threat feeds are showing that the connection status has not started when it should be connected.
|Cisco APIC SDN update times out on large datasets.
|In HA, the primary unit may sometimes show a blank GUI screen.
|FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel.
|The internal website does not load completely with SSL VPN web mode.
|Update SSL VPN host check logic for unsupported OS.
|OS checklist for SSL VPN in FortiOS does not include macOS Sonoma 14.
|Console printed DSL related error messages when disconnecting the managed FortiSwitch and connecting to the FortiGate again.
|Redirected traffic should not hit the firewall policy when allow-traffic-redirect is enabled.
|Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.
|An exported FortiSwitch port is not correctly showing up/down status.
|diagnose sys logdisk smart does not work for NVMe disk models.
|FG-100F HA secondary's unused ports flap from down to up, then to down.
|On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.
|SNMP OID 126.96.36.199.188.8.131.52 ipAddressPrefixTable is not available.
|FortiGate enters conserve mode in a few hours after enabling UTM on the policies.
|FortiGate queries system DNS for A <Root> and AAAA <Root> servers.
|Sensor information widget is continuously loading.
|ISP traffic is failing with the LAG interfaces on upstream switches.
|Ports are flapping and down on the FortiGate 3980E.
|FortiGate does not send ARP probe for UDP NP-offloaded sessions.
|Fail detection function does not work properly on X1 and X2 10G ports.
|For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.
|Review the temperature sensor for the SoC4 system.
|When L3 or L4 hashing algorithm is used, traffic is not forwarded over the same aggregate member after being offloaded by NP7.
|High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.
|ARP issue with VXLAN over IPsec and Soft Switch.
|The virtual server http-host algorithm is redirecting requests to an unexpected server.
|FortiGate as L2TP client is not working with Cisco ASR as L2TP server.
|Temperature sensor value missing for FG-180xF, FG-420xF, and FG-440xF platforms.
|FortiGate is not able to resolve ARPs of a few hosts because their ARP replies do not reach the primary FPM.
|MSS clamping is not working on VXLAN over IPsec after upgrading.
|Egress shaping does not work on NP when applied on the WAN interface.
|A port that uses a copper-transceiver does not update the link status in real-time.
|SolarWinds unable to negotiate encryption, no matching host key type found.
|SNMP OID 184.108.40.206.220.127.116.11.1.5 ipAddressPrefix is not fully implemented.
|Session expiration does not get updated for offloaded traffic between a specific host range.
|An error condition occurred in fgfm caused by an out-of-band management configuration.
User & Authentication
|Automatic certificate name generation is the same for global and VDOM remote certificates, which can cause certificates to exist with the same name.
|ACME client fails to work with some CA servers.
|FortiGate receives FSSO user in the format of HOSTNAME$.
|OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.
|Unexpected behavior in awsd caused by tags with an empty value on AWS instances while adding a new AWS Fabric connector.
|In WANOpt transparent mode, WAN optimization does not keep the original source address of the packets.
|Custom Images are not seen on Web Filter block replacement page for HTTP traffic in flow mode.
|The URL local/user category rating result has only one best match category (longest URL pattern match), and other matched local/user categories cannot be chosen even if the category is configured in the profile.
|Fetching the registration status does not always work.
Common Vulnerabilities and Exposures
|FortiOS 7.0.14 is no longer vulnerable to the following CVE Reference:
Vendor release notes: FortiOS 7.0.14