Producent oprogramowania Fortinet opublikował właśnie najnowszą aktualizację oprogramowania FortiOS o numerze wersji 7.0.5. W najnowszej aktualizacji naprawiono krytyczne błędy inspekcji w trybie proxy, które były spowodowane błędnym otwarciem sesji ipsapp z informacją „all providers are busy”. Rozwiązano także problem blokowania ruchu podczas włączonej inspekcji AV w trybie proxy w przypadku połączeń IPsec z włączonym offloadingiem NPU. Po więcej ciekawych informacji zachęcamy do zapoznania się z dalszą częścią artykułu.
Aktualnie wspierane modele:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-5001E, FG‑5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
| FortiGate VM | FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Rozwiązane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 778298 | Traffic is blocked when an AV profiled is enabled in proxy inspection mode in an IPsec scenario with NPU offloading enabled. |
Proxy
| Bug ID | Description |
|---|---|
| 772041 | WAD crash at signal 11. |
| 778659 | Proxy inspection fails due to ipsapp session open failed: all providers busy. |
System
| Bug ID | Description |
|---|---|
| 778474 | dhcpd is not processing discover messages if they contain a 0 length option, such as 80 (rapid commit). The warning, length 0 overflows input buffer, is displayed. |
Znane problemy:
Endpoint Control
| Bug ID | Description |
|---|---|
| 708545 | The WAD daemon is triggered to fetch the FortiClient information based on a ZTNA EMS tag enabled for checking in a proxy policy. It is then possible to get a ZTNA EMS tag in the firewall dynamic address and get the expected traffic control. |
| 730767 | The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.
Workaround: delete the EMS Cloud entry then add it back. |
Firewall
| Bug ID | Description |
|---|---|
| 719311 | FortiGate shows partial view of policies after upgrading. |
GUI
| Bug ID | Description |
|---|---|
| 440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
| 677806 | On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status. |
| 685431 | On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.
Workaround: use the CLI to configure policies. |
| 707589 | System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed. |
| 708005 | When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.
Workaround: use Chrome, Edge, or Safari as the browser. |
| 713529 | When FortiAnalyzer is configured, the HTTPS daemon may crash while processing some FortiAnalyzer log requests. There is no apparent impact on the GUI operation. |
| 755177 | When upgrade firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path. |
HA
| Bug ID | Description |
|---|---|
| 662978 | Long lasting sessions are expired on HA secondary device with a 10G interface. |
| 771389 | SNMP community name with one extra character at the end stills matches when HA is enabled. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 699973 | IPsec aggregate shows down status on Interfaces, Firewall Policy, and Static Routes configuration pages. |
Proxy
| Bug ID | Description |
|---|---|
| 692444 | WAD memory leak is caused by missing a close event. The WAD receives a close event from TCP when the SSL port is blocked by the up application layer. If the SSL port input buffer does not have any data, then the close event will get ignored even if the application layer turns off blocking and the SSL port will leak. |
Routing
| Bug ID | Description |
|---|---|
| 745856 | The default SD-WAN route for the LTE wwan interface is not created.
Workaround: add a random gateway to the wwan member. config system sdwan
config members
edit 2
set interface "wwan"
set gateway 10.198.58.58
set priority 100
next
end
end
|
Security Fabric
| Bug ID | Description |
|---|---|
| 614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
SSL VPN
| Bug ID | Description |
|---|---|
| 757450 | SNAT is not working in SSL VPN web mode when accessing an SFTP server. |
System
| Bug ID | Description |
|---|---|
| 644782 | A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode. |
| 681322 | TCP 8008 permitted by authd, even though the service in the policy does not include that port. |
| 699152 | QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E. |
| 764252 | On FG-100F, no event is raised for PSU failure and the diagnostic command is not available. |
VM
| Bug ID | Description |
|---|---|
| 689047 | ARM64-KVM has kernel panic. |
WAN Optimization
| Bug ID | Description |
|---|---|
| 728861 | HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used.
Workaround: set |
WiFi Controller
| Bug ID | Description |
|---|---|
| 630085 | A cw_acd crash is observed on the FortiGate when the FortiAP is deleted from the managed AP list. |
| 750425 | In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address. |
| 757189 | A batch of APs in cluster are exhibiting control messages that the maximal retransmission limit reached, and the APs disconnect from the FortiGate. |
| 775157 | A packet with the wrong IP header could not be processed by the CAPWAP driver, which randomly causes the FortiGate to reboot. |
Notatki producenta: FortiOS 7.0.5
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie