Producent Fortinet, opublikował najnowszą aktualizację dla oprogramowania FortiOS o oznaczeniu 7.0.4. Dzięki nowej aktualizacji, zostały poprawione działania procesów WAD, które odpowiadają za filtrowanie sieci i procesy proxy. Ponadto technologia SLL VPN, została skorygowana pod względem wielu problemów, lecz między innymi połączenia VNC będą działać bezproblemowo. Od wersji 7.0.4, usprawniono procesy związane z interfejsem graficznym, gdzie błędy dotyczyły przekierowań adresów, lecz również logowań użytkowników FSSO. Nowe oprogramowanie udoskonaliło integrację z urządzeniami FortiSwtich jak i również z środowiskiem ZTNA. Po więcej szczegółowych informacji, zapraszam do dalszej części artykułu.
Aktualnie wspierane modele:
|FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-5001E, FG‑5001E1
|FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
|FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
|FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN
|Crash logs are sometimes truncated/incomplete.
|The partial fetch handling in the IMAP proxy only detects and scans the first fetched section, which allows threats in subsequent fetched sections to go through the firewall undetected.
|Per IP shaper under application list does not work as expected for some applications.
|If a filter configured with
set archive enable matches a HTTP post, the file is not submitted for archiving (unless
full-archive proto is enabled).
|DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.
|DNS filter breaks DNS zone transfer because the client socket might close prematurely (in which there is still some data in the user space) if the server side closed the connection.
|EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.
|Some tagged endpoints’ registration is lost on the FortiGate.
|When configuring explicit proxy with forward server, if
ssl-ssh-profile is enabled in
proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.
|When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.
|When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.
ssl-exempt result conflicts with CN
ssl-exempt result when SNI is an IP.
|TCP zero window advertisements not occurring in proxy mode and causing premature server disconnects.
|In HA vcluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics.
|Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.
auto-asic-offload is enabled in policy, IP-in-IP sessions show as expired while tunnel traffic goes through the FortiGate.
|Kernel panic occurs and device reboots due to
|Multicast packet is forwarded from non-VWP port to a VWP port.
|After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.
|When a policy denies traffic for a VIP and
send-deny-packet is enabled, the
mappedip is used for the RST packet’s source IP instead of the external IP.
|Application filter does not work when the source is ISDB or unscanned.
|Newly created deny policy incorrectly has logging disabled and can not be enabled when the CSF is enabled.
|Policy page should show new name/content for firewall objects after editing them from the tooltip.
|Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.
|The Edit Virtual IP page should not display Conflicts with the External IP of another VIP when changing the source filter setting.
|CLI shows EMS tag object in the address select list, but it is not available in the GUI omni select list.
|Managed FortiAPs and Managed FortiSwitches pages keep loading when VDOM administrator has
wifi read/write permissions.
|The search does not work on the Policy & Objects > Addresses page if there is a non-EMS address group with an EMS tag (invalid configuration).
|On the Policy & Objects > Firewall Policy page, an unclear error message appears when a user creates a new SSL VPN policy with a web mode portal and a VIP or VIP group is used as the destination address.
|On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.
|The Device Inventory widget shows no results when there are two user_info parameters.
|The VDOM dropdown list in the banner should be scrollable.
|Unable to create new VIP when there is another VIP with same external IP and mapped IP ranges and different services.
|On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.
|A gateway of 0.0.0.0 is not accepted in a policy route.
|On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of
diagnose sys sdwan intf-sla-log exceed 232-1.
|Firewall policy changes made in the GUI remove the replacement message group in that policy.
|Last Login in SSL-VPN widget is shown as NaN on macOS Safari.
|cmbdsvr signal 11 crash occurs when a wildcard FQDN is created with a duplicate ID.
|Sandbox status is shown as disabled on FortiGate Cloud widget when it is connected.
|Guest group that expires after first logon displays the duration variable as the Expires value. The value is correct if the administrator logs in and goes to Guest User Management.
|Interface migration wizard does not migrate all references.
|httpsd crashes after NGFW policy is deleted.
|On the Policy & Objects > Addresses page, filters applied on the Details column do not work.
|VIP with External IP configured to 0.0.0.0 is not showing in the GUI.
|Application control profile cannot be renamed from the GUI.
|Sometimes when changing the language from English to another language, the subcategories under the Dashboard menu do not change.
|On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.
Workaround: check the status in the CLI using
|After upgrading, the new ACME certificates configured in the GUI are using the staging environment.
|Path already in use error appears when adding new HTTPS ZTNA API gateway entry (the CLI allows this configuration).
|Failed to retrieve info error appears when viewing the Users & Devices dashboard.
|Unable to restore encrypted backup configuration to TFTP server in the GUI.
|PPPoE interface is not selectable if interface type is SSL-VPN Tunnel.
|Unable to see details of Apache.Struts.MPV.Input.Validation.Bypass log.
|Failed to retrieve information warning appears on secondary node faceplate.
|FSSO user login is not sorted correctly by duration on Firewall Users widget.
|The feature to send an email under User & Authentication > Guest Management is grayed out.
|On the Network > Explicit Proxy page, the GUI does not support configuring multiple outgoing IP addresses.
Workaround: use the CLI.
|When using NGFW policy-based mode, the VPN > Overlay Controller VPN option is removed.
|On the LDAP server page, when clicking Browse beside Distinguished Name and then clicking OK after viewing the query results, the LDAP server page is missing fields containing the server settings.
|In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.
|When HA failover happens, there is a time difference between the old secondary becoming the new primary and the new primary’s HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session’s traffic needs to be handled by the new secondary.
ha-direct, some invalid configurations should be reset and hidden.
|After a hasync crash, the FGFM process stops sending keepalives.
|VDOMs added and deleted on the FGCP secondary device with the REST API are not synchronized between the FGCP cluster.
|VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.
|No GARP is being sent out on the VWP interface upon HA failover, causing a long failover time.
|HA goes out of synchronization when uploading a local certificate.
|When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.
|The secondary FortiGate shows a DHCP IP was removed due to conflict, but it is not removed on the primary FortiGate.
|PPPoE connection gets disconnected during HA failover.
ha-mgmt-interface for certificate related DNS queries when
ha-direct is enabled.
|Configuration pushed from FortiManager does not respect
standalone-config-sync and is pushed to all cluster members.
|SCTP sessions are not fully synchronized between nodes in FGSP.
|Unable to add a member to an aggregate interface that is down in a HA cluster.
|hasync crashes when the size of hasync statistics packets is invalid.
Tunnel to Fortimanager is down log message is generated on the secondary FortiGate unit (without HA management interface).
|Long wait and timeout when upgrading FG- 3000D HA cluster due to vluster2 being enabled.
|Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with
fail-open disabled. Block pages appear with the replacement message, IPS Sensor Triggered!.
|FortiGate can only collect up to 128 packets when detected by a signature.
|Traffic is failing on dialup VPN IKEv2 with EAP authentication.
|IPsec server with NP offloading drops packets with an invalid SPI during rekey.
|Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.
|FortiOS 7.0 has new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse over the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server replies on the static route over the dynamic tunnel interface to route the traffic back to the client.
|If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.
|Tunnel interface MTU settings do not work when
net-device is enabled in phase 1.
|OCVPN is unable to retain
set save-password enable option.
|The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.
|iked crashes due to responder child_sa creation failing in some cases.
|When the primary unit synchronizes the dialup
mode-cfg assigned IP to the secondary unit, the
mode-cfg IP is not marked as used in the IP pool. After a HA failover to the secondary unit, the new primary will assign the used IP to a new client. This caused a route clash, and the connection keeps getting flushed and re-established.
|In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).
|Spoke cannot register to OCVPN when FortiGate is in policy-based NGFW mode.
|Mixed traffic and UTM logs are in the event log file because the current
category in the log packet header is not big enough.
|Unknown interface is shown in flow-based UTM logs.
|PDF report generation fails due to an HPDF API error when it is drawing a circle and there is only one entry in the SQL result.
|IPS malicious URL database (idsurldb, MUDB) update entry in
FortiGate update succeeded log is delayed from the actual update timing.
|The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.
|Unable to set source IP for FortiCloud unless FortiCloud is already activated.
|The reportd process consumes a high amount of CPU.
dstreputation fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.
|Report suddenly cannot be generated due to no response from reportd.
|WAD crashes due to RCX having a null value.
|WAD memory leak causes device to go into conserve mode.
|Replacement page is not provided to client when blocking traffic from an application control profile.
|CLI should block or warn users if an API gateway with the same service (protocol) and path are declared on the same ZTNA server.
|Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.
|Browser has ERR_SSL_KEY_USAGE_INCOMPATIBLE error when both ZTNA and web proxy are enabled.
diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.
|WAD encounters signal 11 crash when adding user information.
|Stream-based scanning has high CPU cost and a long wait time on GZIP and BZIP2 files.
|When a timeout happens while forticron is downloading a file, the original downloaded file is not be deleted, so the next successful download has extra data in front.
|Load balancer based on HTTP host is DNATing traffic to the wrong real server when the correct real server is disabled.
|Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.
|WAD crashes when adding user information.
|Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.
SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when ECDSA CA is configured for deep inspection.
|Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 188.8.131.52.
|WAD memory spike when downloading files larger than 4 GB.
|High CPU usage in proxy-based policy with deep inspection and IPS sensor.
|WAD crashes if the certificate authentication request context is not closed in the following scenarios: when fnbamd returns a failure certificate authentication result or no response; and when the CA certificate is updated and the certificate cache is flushed.
|WAD crash in half-mode virtual server case and HTTP real server ZTNA case.
|WAD memory usage may spike and cause the FortiGate to enter conserve mode when downloading a large file fails.
|WAD crash for LDAP group looping.
|WAD memory usage may spike and cause the FortiGate to enter conserve mode.
|The three-way handshake packet that was marked as
TCP port number reused cannot pass through the FortiGate, and the FortiGate relies with a
FIN, ACK to the client.
|Once AV is enabled in proxy mode, traffic will be blocked in proxy mode.
|Failure to access certain AWS pages with proxy SSL deep inspection.
|Update various REST API endpoints to prevent information in other VDOMs from being leaked.
|HTTPS daemon is not responsive when successive API calls are made to create an interface.
|OSPF issues with spokes randomly showing
Process is not up and losing some routes.
Disconnected from FortiAnalyzer events reported when the
interface-select-method is set to
specify, and the
interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.
|Routing issue occurs when one of the SD-WAN interfaces goes down.
|Remote IP route shows
incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.
|When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.
|Traffic sometimes does not match SD-WAN rules on some IPsec interfaces.
|OSPF E2 routes learned by Cisco routers are randomly removed from the routing table when the OSPF/OSPFv3 neighbor flaps.
|FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.
|Security Fabric automation email action trigger shows multiple emails as one email with no separation between the addresses.
|Recommendation information for Failed Login Attempts security rating rule should display Lockout duration should be at least 30 minutes, instead of 1800 minutes.
|The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action.
|SDN connector on FG-Azure stays stuck if it is alphabetically the first subscription that is not in the permission scope.
|The deleted auto-scripts are not sent to FortiManager through the auto-update and cause devices go out of sync.
|Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.
|SSL VPN firewall policy creation via CLI does not require setting user identity.
|Internal page, https://vpn.ea***.***.**.us:10443, is not working in SSL VPN web mode.
|JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) using SSL VPN web portal.
|After SSL VPN proxy rewrite, some Nuage JS files have problems running.
|If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.
|Unable to authenticate to outlook.com/owa/vw***.com website in SSL VPN web mode.
|Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.
|Unable to access Apache Guacamole web application using SSL VPN web mode.
|SSL VPN login authentication times out if primary RADIUS server becomes unavailable.
|Unable to access webmail server (https://9**.1**.9**.2**/) using SSL VPN web mode.
|SSL VPN proxy error in web mode for https://et***.ga***.gov.***/ due to requests to the loopback IP.
|JS error in SSL VPN web mode when trying to retrieve a PDF from https://vpn.ca***.com/.
|Jira server (cb***.com.au) cannot be displayed correctly using SSL VPN web mode.
|SSO login for SSL VPN bookmarks (https://za***.jo.za***.com) is not working.
|SAML user configured in groups in the IdP server might match to the wrong group in SSL VPN user authentication if an external browser is used.
|VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.
|DTLS does not work for SSL VPN and switches to TLS.
|Brickstream web interface is not loading properly when accessed using SSL VPN webmode.
|SSL VPN web mode has issues accessing https://e***.or***.kr.
|FQDN in firewall policy is treated case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.
|Users can modify the URL in SSL VPN portal to show connection launcher even when the Show Connection Launcher option is disabled.
|Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.
|WebSocket using Pronto Xi could not be established through SSL VPN web mode.
|SSL VPN with RADIUS authentication does not work with an interface subnet address object.
|Empty webpage loads when accessing internal website, https://ba***.ba**.com:2222, in SSL VPN web mode.
|Unable to authenticate outlook.office.com using corporate domain email account.
|SAP Fiori webpage using JSON is not loading in SSL VPN web mode.
|SCADA portal will not fully load with SSL VPN web bookmark.
|SSL VPN crashed when closing web mode RDP after upgrading.
|SSL VPN web mode access problem occurs for web service security camera.
|SSL VPN web mode access is causing issues with MiniCAU.
|FortiGate loses FortiSwitch management access due to excessive configuration pushes.
|A bin/cu_acd crash is generated when
cfg-revert is enabled and involves FortiSwitch.
|The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.
|SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands.
|Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E.
|System halts after running
execute update-now in FIPS-CC mode.
|A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.
|Lack of null pointer check in NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.
|SFP port with 1G copper SFP always is up.
|NP6 drops, and bandwidth is limited to under 10 Gbps in
|Port group members have different speeds after the port speed is changed using a CLI script.
|Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.
|Kernel panic on FG-101F due to lack of null pointer check on NP6XLite driver.
|Remote access management from FortiCloud login fails if trusted hosts are configured for the administrator account.
|SFP28 ports on FG-340xE/FG-360xE cannot receive or transmit packets when the speed is set to 1000full. This issue is triggered by warm rebooting the FortiGate/Cisco switch or disconnecting the fiber cable.
|SFP28 port flapping when the speed is set to 10G.
|Verizon LTE connection is not stable, and the connection may drop after a few hours.
|On FG-20xF, the RJ45 ports connected to Dell N1548 switch do not automatically have an up link for energy detect mode.
|After upgrading to 7.0.0, FG-60E hangs due to various CLI configuration errors starting with
cli 102 die in an exception in line 4318: KV?.
|There is no I2C reading/writing handler in drivers for FGR-60F and FGR-60F-3G4G.
|As per IEEE 802.3, NP frames under 64 octets should be discarded on the RX.
|The forticron process has a memory leak if there are duplicated entries in the external IP range file.
|DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.
|Firewall does not use its ARP cache and is ARPing for client MAC addresses every 20 to 30 seconds.
|Unable to save configuration changes and get
failed: No space left on device error.
|Traffic logs report ICMP destination as unreachable for received traffic.
|FG-100F/101F sensor list shows the following deficiencies: missing PSU reading, degree sign is not readable in some CLI windows, and spelling mistakes.
|Legitimate traffic is unable to go through with NP6
|USB unmounts after configuration backup.
|The GA image becomes uncertified after backing it up on a flash disk.
|DNS server obtained via DHCPv6 prefix delegation is not used by DNS proxy.
|When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.
|Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected.
|FG-40F has a newcli signal 11 crash.
|DHCPc seconds not incrementing in DHCP DISCOVER, REQUEST, and INFORM packets.
Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.
|Static ARP entry was removed while using DHCP relay.
|When a software switch has an intra-switch-policy set to implicit (the default setting), layer 2 traffic, such as LLDP or STP, is being forwarded when it should be denied by default.
|Direct CLI script from FortiManager fails due to additional
end at the end of
diagnose debug crashlog read.
|Unable to configure firewall access control lists on FG-20xF.
|Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if
asic-offload is enabled.
|Packet Loss on the LAG interface (eight ports) in static mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.
|When creating a new interface with MTU override enabled, PPPoE mode, and a set MTU value, the MTU value is overridden by the default value.
|CP9 or SoC3/SoC4 kernel driver may crash while doing AES-GCM decryption.
|WAD memory leak could cause system to halt and print
fork() failed on the console.
|Memory leak cause by leaked JSON object.
|Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.
|Outbound bandwidth in bandwidth widget does not adhere to the outbandwidth setting.
|Include an entry in SNMP OID that lists the number of octets for the IP type.
dnsfilter-profile setting was purged from all DNS server entries upon upgrading from below 6.4.4.
|IPv6 delegated configuration is lost after upgrading from 7.0.1.
|Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.
|SCEP client does not work with virtual service.
|RADIUS response is sent even when the
rsso-radius-response attribute is set to
|Unable to receive token via email on configured local email server with authentication when the incoming SMTP response is incomplete.
|There is no LDAP-based authentication possible during the time WAD updates/reads group information from the AD LDAP server.
|DST_Root_CA_X3 certificate is expired.
execute vpn certificate local generate does not conform to HTTP 1.1 RFC 2616.
|The fnbamd process spikes to 99% or crashes during RADIUS authentication.
|In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.
|FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.
|Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.
|When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a
gcp-project-list configuration will be lost.
|Tags under VNET are not detected by SDN connector under Azure. The following issues have been fixed:
|DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.
|In AWS, if the HA connection between active and passive nodes breaks for a few seconds and reconnects, sometimes the EIP will remain in the passive node.
|gcpd has signal 11 crash at
|Inconsistent TXQ selection degrades mlx5 vfNIC. Azure FortiGate interface has high latency when the IPsec tunnel is up.
|Azure SDN connector is unable to pull service tag from China and Germany regions.
|PRACK will cause voipd crashes when the following conditions are met:
block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).
|When an AV profile is enabled in a WANOpt proxy policy on a server side FortiGate, EICAR sent over HTTPS will not get blocked.
|WAD crashed with signal 6 when using WIPS for web filtering with Websense.
|Wireless controller sends ARP request packets that are destined to the FortiGate back to all tunnel interfaces.
|FG-1000D and FG-1500D go in to conserve mode when wpad and cw_acd have a memory spike, which affects wireless user tunnel traffic.
|FWF-60F local radio shows WPA3 is not supported.
|MAC authentication bypass is not working for some clients
|Client should match the new NAC policy if it is reordered to the top one.
|Optimize memory usage of wpad daemon in WiFi controller for large-scale 802.11r fast BSS transition deployment.
|cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.
|On FAP-U432F, the Radio 3 spectrum analysis should be disabled in the FortiGate GUI.
concurrent-client-limit-type is set to
unlimited it is limited by the
max-clients value in the VAP profile.
|FortiAP firmware status is inconsistent on System > Fabric Management page and upgrade slide.
|ZTNA access is systematically denied for ZTNA rule using SD-WAN zone as an incoming interface.
Visit https://fortiguard.com/psirt for more information.
|FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:
|FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:
Notatki producenta: FortiOS 7.0.4
Bezpieczeństwo w biznesie