Najnowsze wydanie oprogramowania FortiOS w wersji 7.2.7 głównie dotyczy łatania podatności CVE-2023-38545 klasyfikowanej jako krytyczna. Wykorzystanie luki w zabezpieczeniach kontrolowanego zewnętrznie ciągu formatu [CWE-134] w demonie fgfmd FortiOS może pozwolić zdalnemu nieuwierzytelnionemu atakującemu na wykonanie dowolnego kodu lub poleceń za pośrednictwem specjalnie spreparowanych żądań. Aktualizacja niezwykle ważna dla urządzeń opartych na OS od 7.2.0 do 7.2.6. Więcej informacji w artykule poniżej.
Wspierane modele:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG-400F, FG-401F, FG‑500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG‑900D, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG‑3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG‑5001E1, FG-6000F, FG-7000E, FG-7000F |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G |
| FortiFirewall | FFW-3980E, FFW-VM64, FFW-VM64-KVM |
| FortiGate VM | FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Rozwiązane problemy:
| Bug ID | CVE references |
|---|---|
| 959918 | FortiOS 7.2.7 is no longer vulnerable to the following CVE Reference:
|
Znane problemy:
Explicit Proxy
| Bug ID | Description |
|---|---|
| 865828 | The internet-service6-custom and internet-service6-custom-group options do not work with custom IPv6 addresses. |
| 894557 | In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving the proxy statistics. This issue does not impact explicit proxy functionality.
Workaround: restart the WAD process, or update the number of WAD processors. config system global
set wad-worker-count <integer>
end
|
| 942612 | Web proxy forward server does not convert HTTP version to the original version when sending them back to the client. |
Firewall
| Bug ID | Description |
|---|---|
| 958311 | Firewall address list may show incorrect error for an unresolved FQDN address. This is purely a GUI display issue; the FQDN address can be resolved by the FortiGate and traffic can be matched.
Workaround: run the following command to check if an FQDN address is being resolved properly. # diagnose test application dnsproxy 7 |
FortiGate 6000 and 7000 platforms
| Bug ID | Description |
|---|---|
| 781163 | FortiView Sources page is unable to display historical data from FortiAnalyzer due to Fail to retrieve FortiView data error. |
| 790464 | Existing ARP entries are removed from all slots when an ARP query of a single slot does not respond. |
| 885205 | IPv6 ECMP is not supported for the FG-6000F and FG-7000E platforms. IPv6 ECMP is supported for the FG-7000F platform. |
| 887946 | UTM traffic is blocked by an FGSP configuration with asymmetric routing. |
| 906481 | The GUI becomes unresponsive, and sometimes may work after rebooting. |
| 907695 | The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface. |
| 910883 | The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM. |
| 937879 | FortiGate 7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate 7000F chassis with FIM-7921Fs. |
| 941944 | CPU usage data displayed on the FortiGate 6000 GUI is actually CPU usage data for the management board. CPU usage data displayed on the FortiGate 7000 GUI is actually the CPU usage for the primary FIM.
Use the global This command also displays global performance information including: Dataplane CPU states: 1% Dataplane memory states: 21% Dataplane average sessions: 8720 sessions in 1 minute Dataplane average session setup rate: 4632 sessions per second in last 1 minute |
| 946943 | On 6K and 7K platforms, the management VDOM GUI should not show the WiFi & Switch Controller menu. |
| 948388 | On the FortiGate 6000s, missing image update command in the CLI: execute load-balance update image. |
| 948750 | When EMAC VLAN interfaces are removed spontaneously from the configuration, TCP traffic through their underlying VLAN interface fails. |
| 949175 | On the FortiGate 7121F, with FIM2 as the primary FIM, making FIM1 the primary causes NP7 PLE invalidation. |
| 949240 | SLBC special ports will not match local-in policy in the management path. |
| 951135 | Graceful upgrade of a FortiGate 6000 or 7000 FGCP HA cluster is not supported when upgrading from FortiOS 7.0.12 to 7.2.6.
Upgrading the firmware of a FortiGate 6000 or 7000 FGCP HA cluster from 7.0.12 to 7.2.6 should be done during a maintenance window, since the firmware upgrade process will disrupt traffic for up to 30 minutes. Before upgrading the firmware, disable |
| 951193 | SLBC for FortiOS 7.0 and 7.2 uses different FGCP HA heartbeat formats. Because of the different heartbeat formats, you cannot create an FGCP HA cluster of two FortiGate 6000s or 7000s when one chassis is running FortiOS 7.0.x and the other is running FortiOS 7.2.x. Instead, to form an FGCP HA cluster, both chassis must be running FortiOS 7.0.x or 7.2.x.
If two chassis are running different patch releases of FortiOS 7.0 or 7.2 (for example, one chassis is running 7.2.5 and the other 7.2.6), they can form a cluster. When the cluster is formed, FGCP elects one chassis to be the primary chassis. The primary chassis synchronizes its firmware to the secondary chassis. As a result, both chassis will be running the same firmware version. You can also form a cluster if one chassis is running FortiOS 7.2.x and the other is running 7.4.x. For best results, both chassis should be running the same firmware version, although as described above, this is not a requirement. |
| 954881 | Image synchronization failure happened after a factory reset on FortiGate 7000E/F . |
| 973407 | FIM installed NPU session causes the SSE to get stuck. |
| 978241 | FortiGate does not honor worker port partition when SNATing connections using a fixed port range IP pool. |
FortiView
| Bug ID | Description |
|---|---|
| 941521 | On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI. |
GUI
| Bug ID | Description |
|---|---|
| 848660 | Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.
Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators. |
| 853352 | On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries. |
| 934644 | When the FortiGate is in conserve mode, node process (GUI management) may not release memory properly causing entry-level devices to stay in conserve mode. |
| 971790 | FortiGate models with 2 GB RAM may experience memory usage issues when users access the web GUI, due to a sudden increase in memory consumption in httpsd.
Workaround: avoid navigating to memory-intensive pages under Dashboard with multiple widgets that can cause a spike in memory consumption. Users can create custom dashboards with a single widget to reduce the concurrent load. |
| 974988 | FortiGate GUI should display a license expired notification due to an expired FortiManager Cloud license if it still has a valid account level FortiManager Cloud license (function is not affected). |
Hyperscale
| Bug ID | Description |
|---|---|
| 802182 | After successfully changing the VLAN ID of an interface from the CLI, an error message similar to cmdb_txn_cache_data(query=log.npu-server,leve=1) failed may appear. |
| 817562 | NPD/LPMD cannot differentiate the different VRF’s, considers as VRF 0 for all. |
| 843197 | Output of diagnose sys npu-session list/list-full does not mention policy route information. |
| 853258 | Packets drop, and different behavior occurs between devices in an HA pair with ECMP next hop. |
| 872146 | The diagnose sys npu-session list command shows an incorrect policy ID when traffic is using an intra-zone policy. |
| 920228 | NAT46 NPU sessions are lost and traffic drops when a HA failover occurs. |
| 949188 | With NAT64 HS policy, ICMP reply packets are dropped by FortiOS. |
| 950582 | Traffic not passing across the VDOM link. |
| 958066 | Observed TCP sessions timing out with a single hyperscale VDOM configuration after loading image from BIOS. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 852051 | IPsec is not fully offloaded, and IPsec VPN throughput is poor. |
| 916260 | The IPsec VPN tunnel list can take more than 10 seconds to load if the FortiGate has large number of tunnels, interfaces, policies, and addresses. This is a GUI display issue and does not impact tunnel operation. |
Log & Report
| Bug ID | Description |
|---|---|
| 932537 | If Security Rating is enabled to run on schedule (every four hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.
Workaround: disable on-schedule Security Rating run. config system global
set security-rating-run-on-schedule disable
end
|
| 960661 | FortiAnalyzer report is not available to view for the secondary unit in the HA cluster.
Workaround: view the report directly in FortiAnalyzer. |
| 965247 | FortiGate syslog format in reliable transport mode is not compliant with RFC 6587. |
Proxy
| Bug ID | Description |
|---|---|
| 790426 | An error case occurs in WAD while redirecting the web filter HTTPS sessions. |
| 828917 | Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate. |
| 954104 | An error case occurs in WAD when WAD gets the external authenticated users from other daemons. |
Routing
| Bug ID | Description |
|---|---|
| 903444 | The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel. |
Security Fabric
| Bug ID | Description |
|---|---|
| 902344 | When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate’s GUI may experience slowness when loading the Fabric Management page and prevents the user from upgrading firmware in the GUI.
Workaround: perform the firmware upgrade in the CLI. To perform the firmware upgrade via the GUI, temporarily disable the Security Fabric on the root FortiGate. |
SSL VPN
| Bug ID | Description |
|---|---|
| 795381 | FortiClient Windows cannot be launched with SSL VPN web portal. |
| 879329 | Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled. |
| 947210 | Application sslvpnd *** code requested backtrace *** was observed during graceful upgrade. |
System
| Bug ID | Description |
|---|---|
| 861962 | When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port’s LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE. |
| 882187 | Optimize memory usage caused by the high volume of disk traffic logs. |
| 887940 | Status light is not showing on the FortiGate 60F or 100F after a cold and warm reboot. |
| 901621 | Setting the interface configuration inbandwidth or outbandwidth commands stops traffic flow. |
| 931299 | When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records. |
| 931299 | When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records. |
| 937982 | High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory. |
| 947240 | FortiGate is not able to resolve ARPs of few hosts due to their ARP replies not reaching the primary FPM. |
| 963600 | SolarWinds is unable to negotiate encryption. A Negotiation failed: no matching host key type found error message appears in the log. |
| 967171 | The speed 1000auto setting on ports X1 to X4 disappears after upgrading from 7.2.5 to 7.2.6. Affected platforms: FG-40xF and FG-60xF. |
Upgrade
| Bug ID | Description |
|---|---|
| 939011 | On the FortiGate 6000F, the ALL TP VDOM cannot synchronize because of switch-controller.auto-config.policy. |
Web Filter
| Bug ID | Description |
|---|---|
| 885222 | HTTP session is logged as HTTPS in web filter when VIP is used. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 869106 | The layer 3 roaming feature may not work when the wireless controller is running multiple cw_acd processes (when the value of acd-process-count is not zero). |
| 869978 | CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled. |
| 873273 | The Automatically connect to nearest saved network option does not work as expected when FWF-60E client-mode local radio loses connection. |
| 903922 | Physical and logical topology is slow to load when there are a lot of managed FortiAP (over 50). This issue does not impact FortiAP management and operation. |
ZTNA
| Bug ID | Description |
|---|---|
| 819987 | SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting. |
Notatki producenta: FortiOS 7.2.7
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie