Fortinet wypuścił nową wersję FortiOS 7.2.9, która wprowadza kilka kluczowych ulepszeń poprawiających działanie i bezpieczeństwo systemu. Dzięki zmniejszeniu częstotliwości aktualizacji bazy danych w SSL VPN, konfiguracja webowa działa teraz znacznie płynniej. Ponadto, usprawniono synchronizację w środowiskach HA, co eliminuje problemy z utratą synchronizacji jednostek zapasowych i błędami w działaniu klastra. Dodatkowo, nowa wersja usuwa podatność CVE-2024-26015, co znacząco podnosi poziom bezpieczeństwa systemu. Poniżej znajdują się szczegółowe informacje na ten temat.
Wspierane urządzenia:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-90G, FG-91E, FG-91G, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-120G, FG-121G, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG-400F, FG-401F, FG‑500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG‑900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG‑3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG‑5001E1, FG-7000E |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G |
| FortiFirewall | FFW-1801F, FFW-2600F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM |
| FortiGate VM | FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Rozwiązane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 911872 | When connecting to FortiGate Cloud Sandbox, the connection status takes a long time to update and shows as unreachable. |
| 948371 | Scanunit should no longer submit known infected files to FortiSandbox. |
| 962261 | When the IPS engine specifies a secure protocol for the AV query, the per protocol fortisandbox setting is not checked correctly. |
| 977905 | An issue in the WAD process prevents access to SMB when an AV proxy based profile is included in a policy. |
Application Control
| Bug ID | Description |
|---|---|
| 951150 | The Zoom meeting remote control feature cannot not be blocked during meetings. |
Data Loss Prevention
| Bug ID | Description |
|---|---|
| 977334 | Users cannot download files more than 5MB in size using FPX when SSL deep inspection and DLP profiles are enabled. |
| 1012922 | When a DLP policy is set to block the upload or download of test PDF documents, the policy does not function as expected. |
DNS Filter
| Bug ID | Description |
|---|---|
| 1010464 | When the DNS filter is enabled with external-ip-blocklist, the IPS Engine remains in D status for an extended period of time and the DNS session ends. |
| 1026058 | When IP is not resolved or does not exist, the DNS alters the response for the domain and results in a performance issue on the client device. |
Endpoint Control
| Bug ID | Description |
|---|---|
| 937642 | A WAD processing issue displays VPN endpoint entries on the Assets – FortiClient Monitor widget even when the VPN tunnel is down. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 775882 | The WAD process does not function as expected due to a memory allocation issue. |
| 882867 | Proxy policy match resolves IP to multiple internet service application IDs. |
| 890776 | The GUI-explicit-proxy setting on the System > Feature Visibility page is not retained after a FortiGate reboot or upgrade. |
| 990643 | FortiGate blocks pages when browsing websites though a transparent proxy-redirect policy on SD-WAN. |
| 1001700 | If explicit webproxy uses SAML authentication and the PAC file is enabled at the same time, the browser will report a too many redirects error when trying to visit any websites. |
| 1011209 | The proxy policy does not work as expected when the session-ttl value is greater than the global session-ttl value. |
| 1014477 | Files do not get uploaded on webmail applications with antivirus, app control, or IPS enabled on an explicit proxy policy. |
| 1042125 | FortiGate generates a replacement error message when the message-upon-server-error option is disabled. |
Firewall
| Bug ID | Description |
|---|---|
| 807191 | On FortiGate, the diagnose netlink interface list command shows no traffic running through the policy, even with NP offload enabled or disabled. |
| 837866 | On the NP7 platform, traffic is blocked when egress-shaping-profile and outbandwidth are enabled on a VLAN parent interface. |
| 876034 | Traffic may continue to flow when only deny security policies are in effect until the Policy Match Engine (PME) determines the correct policy to enforce. |
| 932151 | When connecting to realserver through an access proxy, if making multiple requests to the same realserver with svr-pool-multiplex enabled, the old connection will be re-used but the session context dstaddr is not updated. |
| 935034 | The clock skew tolerance is not reflected. |
| 942605 | FortiGate accepts the ha-mgmt-intf-only local-in policy from FortiManager, even though the ha-mgmt-status is not enabled. |
| 951984 | The best output route may not be found for local out DNAT traffic. |
| 966466 | On an FG-3001F NP7 device, packet loss occurs even on local-in traffic. |
| 980766 | FortiGate drops traffic on unrelated firewall policies when tcp-without-syn is enabled. |
| 1010824 | FortiGate creates dummy destination IP logs when pinging a FortiGate VIP. |
| 1014584 | On the Policy & Objects > Firewall Policy page, firewall policies with FQDN show as unresolved in the table. |
| 1016547 | When FortiGate forwards M/C packets to an interface with egress-shaping-profile enabled, an interruption occurs in the kernel. |
FortiGate 6000 and 7000 platforms
| Bug ID | Description |
|---|---|
| 638799 | The DHCPv6 client does not work with vcluster2. |
| 694958 | On FortiGate 7000 models, the Power Supply status displays as Normal in the GUI when there is a logged power failure. |
| 885205 | IPv6 ECMP is not supported for the FG-6000F and FG-7000E platforms. IPv6 ECMP is supported for the FG-7000F platform. |
| 940541 | A permanent MAC address is used instead of an HA virtual MAC address during automation. |
| 967479 | FortiGate encounters a CPU usage issue on all blades of the secondary chassis after a firmware upgrade due to a filtering issue in the cmdbsvr. |
| 969860 | The Security Fabric > Physical Topology and Security Fabric > Logical Topology pages do not load properly in the GUI due to misread serial numbers in the REST API proxy request. |
| 983236 | Under normal conditions, a FortiGate 6000 or 7000 may generate event log messages due to a known issue with a feature added to FortiOS 7.2 and 7.4. The feature is designed to create event log messages for certain DP channel traffic issues but also generates event log messages when the DP processor detects traffic anomalies that are part of normal traffic processing. This causes the event log messages to detect false positives that don’t affect normal operation.
For example, DP channel 15 RX drop detected! messages can be created when a routine problem is detected with a packet that would normally cause the DP processor to drop the packet. Similar discard message may also appear if the DP buffer is full. |
| 995866 | When the outbandwidth of an interface is set to a high or max value, pinging out of the interface does not work as expected. |
| 997161 | On FortiGate 6000 FPCs and FortiGate 7000 FPMs the node process may consume large amounts of CPU resources, possibly affecting FPC or FPM performance. (You can run the diagnose sys top command from an FPC or FPM CLI to view CPU usage.)
This problem may be caused by security rating result submission. You can work around the problem by using the following commands to disable automatic security rating results submission and to disable running scheduled security ratings checks: config system global
set security-rating-result-submission disable
set security-rating-run-on-schedule disable
end
Once you have entered these commands, use the following command to restart the node process:
|
| 1003879 | Incorrect SLBC traffic-related statistics may be displayed on the FortiGate 6000 or FortiGate 7000 GUI (for example, in a dashboard widgets). This can occur if an FPC or FPM is not correctly registered for statistic collection during startup. |
| 1013046 | On FortiGate 6000 and 7000 models, interested traffic cannot trigger the IPsec tunnel. |
| 1022499 | IPv6 routes are not fully synchronized between HA primary and secondary units. |
| 1025652 | On the FortiGate 7000E platform, after upgrading firmware from 7.2.8 to 7.4.x, the CLI of the secondary FIM and the FPMs in the secondary chassis of an FGCP cluster may display This firmware failed signature validation. The firmware is valid and the FortiGate 7000E cluster will operate normally. |
| 1028313 | On FortiGate 7000E and 7000F models in an HA cluster, FortiGate experiences a split brain scenario between the primary and secondary units when the primary unit is rebooted. |
| 1029415 | On FortiGate 6000 models in an HA cluster, the secondary unit does not send out logs when an interface is configured. |
| 1030917 | FortiGate displays an erroneous error for high/low warning alarms. SFP data transfer functions as expected. |
| 1032573 | In an HA configuration, FortiGate does not respond to SNMP queries causing the device to display as being DOWN. |
| 1033050 | On FortiGate 6000 models in an HA cluster, the secondary unit does not send out automated stitch emails for certain events. |
| 1037965 | When applying a script to a configuration, the updated configuration is applied to the FIM but is not fully synchronized on the FPCs. |
FortiView
| Bug ID | Description |
|---|---|
| 1009287 | On the Dashboard > FortiView Sessions page, closing a large number of FortiView sessions (+100) can take longer than expected and result in a CPU usage issue. |
GUI
| Bug ID | Description |
|---|---|
| 1001919 | The Automatic patch upgrades enabled notification displays on the System > Firmware & Registration page even if FortiManager is set up on FortiGate. |
| 1006079 | When changing administrator account settings, the trusthost10 setting is duplicated. |
| 1013866 | The category action change is not saved if the category number is the same as the existing entry ID. |
| 1018887 | Editing a policy route from the Routing Monitor widget redirects to a blank page. |
| 1050865 | When updating an administrator password in the GUI, the password expiration date does not update when the new password is created. |
HA
| Bug ID | Description |
|---|---|
| 825380 | When workspace configuration save mode is set to manual in the System > Settings, configuration changes made on the primary unit and then saved do not synchronize with the secondary unit when one of the cluster units are rebooted or shutdown after the change. |
| 858683 | FortiGate in A-P HA mode with admin-restrict-local enabled allows the local administrator to log in to the passive host, even if LDAP is available. |
| 929486 | When Configuration save mode is set to Manual, any firewall policy change will make the cluster out-of-sync. |
| 940400 | SCTP traffic is not forwarded back to the session owner (FGSP asymmetric traffic with IPS , NAT mode, and SCTP). |
| 956473 | After a reboot on the secondary unit, FortiGate encounters a HA split brain condition if ha failover-hold-time is used and one ha monitor interface disabled. |
| 962525 | In HA mode, FortiGate uses ha-mgmt-interface as the portal for the DNS resolver, even if this port may not be able to reach the DNS server. |
| 970334 | The vcluster2 on a Secondary HA unit does not use session-sync-dev to synchronize sessions to FGSP peer unit. |
| 976024 | VXLAN traffic does not pass through after HA cluster failover. |
| 1000001 | A secondary HA unit may go into conserve mode when joining an HA cluster if the FortiGate’s configuration is large. |
| 1002682 | The VMware SDN connector does not respect the ha-direct setting and uses the management interface, causing traffic to be dropped. |
| 1007395 | When downgrading to a 7.2.x firmware version, an error message regarding cluster history displays on the CLI of the primary HA device during every bootup. |
| 1011674 | Upgrading from 7.0.14 or 7.2.8 on the HA secondary device will fail with BIOS security level 2. The image is marked un-certified and the upgrade process is aborted. The HA cluster is not affected. |
| 1015950 | When upgrading a FortiGate VM Analyzer, a CPU usage issue causes the auto scale cluster to go out of synchronization. |
| 1017177 | A WAD processing issue causes the SNMP to not respond in an HA cluster. |
| 1018937 | In a FortiGate HA configuration, the tunnel connection to FortiManager is disrupted due to a mismatched serial number and local certificate issue. |
| 1024535 | In an FGSP cluster configuration running in TP mode, reply traffic in asymmetric flow is not offloaded to NP. |
| 1027149 | When creating a new VDOM in an HA configuration, FortiGate may not operate as expected due to an hasync issue. |
| 1034326 | In a HA cluster using FGSP mode, the primary and secondary units cannot synchronize the lease agreements due to a synchronization issue with the DHCP server. |
Hyperscale
| Bug ID | Description |
|---|---|
| 936747 | Connections per second (CPS) performance of SIP sessions accepted by hyperscale firewall policies with EIM and EIF disabled that include overload with port block allocation (PBA) GCN IP pools is lower than expected. |
| 961684 | When DoS policies are used and the system is under stress conditions, BGP might go down. |
| 976972 | New primary can get stuck on failover with HTTP CC sessions. |
| 986501 | When switching from a hyperscale to regular interface, the FortiGate encounters a kernel interruption during configuration. |
| 994019 | Harpin traffic may not work due to a rare situation caused by a race condition. |
| 1024902 | After FTP traffic passes, the npu-session stat does not display the accurate amount of actual sessions on FortiGate. |
| 1034100 | The NPD process is interrupted in a Hyperscale VDOM configuration after an upgrade and sessions are not setup on hardware. |
ICAP
| Bug ID | Description |
|---|---|
| 1022247 | In an ICAP profile, the set request-failure bypass option does not work as expected resulting in traffic being blocked. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 916175 | In rare cases, the IPS engine may not handle buffer overflow. |
| 979586 | When applying an IPS profile with offloading enabled, WLAN authentication does not function as expected caused by EAP transaction timeouts. |
| 1000223 | HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall, displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach the internal VIP address. |
| 1008064 | The IPS DB is not preserved when upgrading to 7.2.5 or later. |
| 1009871 | The IPS encounters a memory usage issue with HTTP3 sessions and enters into conserve mode. |
| 1011702 | FortiGate experiences a CPU usage issue which may lead to an interruption in the kernel when dos-policy is enabled. |
| 1026354 | On FortiGate, the softirq experiences a CPU usage issue with the IPS engine when traffic hits a firewall policy without an IPS profile. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 745607 | Traffic cannot pass through policy-based routing when an S2S IPsec tunnel is established. |
| 949086 | Policy route is not matching ESP traffic. |
| 950445 | After a third-party router failover, traffic traversing the IPsec tunnel is lost. |
| 954614 | IPsec phase 2 negotiation fails with failed to create dialup instance, error 22 error message. |
| 998229 | Traffic loss is experienced on inter-region ADVPN tunnels after phase 2 rekey. |
| 999619 | A peername conflict error occurs when users configure static tunnels and then dynamic tunnels. There is no conflict when done in the reverse order. |
| 1001602 | Using IPSec over back to back EMAC VLAN interfaces does not work as expected with NPU offload enabled. |
| 1001996 | The iked does not function as expected due to a misplaced object being created in the secondary HA during failover. |
| 1003830 | IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform. |
| 1004272 | On NP7 platforms that are used a hub in a hub and spoke configuration, traffic packets are dropped on IPsec tunnel spokes due to an anti-replay error. |
| 1006110 | When an ipip tunnel over IPsec is configured, the configuration may cause running traffic to access the deleted SA. |
| 1009732 | If there are more than 2000 dialup IPsec tunnel interfaces used in multiple FGT firewall polices, and IKE policy update may not able to complete before IKE watchdog timeout. |
| 1010337 | FortiGate sends two verification codes for IKEv2 with RADIUS user and two-factor authentication enabled. |
| 1020250 | A second IPsec tunnel cannot be added on different IP versions that use the same peerid. |
| 1024558 | IPsec interfaces created on 802.1ad + 802.3ad interfaces with NP offloading enabled do not work as expected after a firmware upgrade. |
| 1029262 | IPsec VPN traffic does not pass over the tunnel when the HA heartbeat cable is reconnected. |
| 1031963 | The firewall hit and bytes counts display values of 0 in a policy-based VPN. |
Log & Report
| Bug ID | Description |
|---|---|
| 839934 | Destination interface in traffic log does not match the SD-WAN quality description in the log details. |
| 850642 | Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes. |
| 868853 | The cli-cmd-audit option in the config log.tacacs+accounting.filter command does not display in the CLI. |
| 872493 | FortiGate encounters a memory usage issue when the disk log has rolled or when searching logs in the GUI or CLI. |
| 908596,
998490 |
In the Local Logs tab on the Log & Report > Log Settings page, the Disk Usage displays free and used space incorrectly due to an issue with the daemon after a reboot. |
| 925649 | An interruption may occur in the daemon locallogd when the system is in memory conserve mode. |
| 938396 | The following intrusion was observed: in the alert mail refers to another field in the anomaly log. |
| 957130 | On the Log & Report > Forward Traffic page, when running version 7.2.3 of FortiGate, log retrieval speed from FortiAnalyzer is slow. |
| 978526 | The configuration attribute cfgattr="password[*]" does not appear in the log when password-policy is enabled. |
| 993476 | FortiGate encounters a CPU usage issue after rebooting with multiple VDOMs configured. |
| 1005171 | After upgrading to version 7.0.14, the system event log generates false positives for individual ports that are not used in any configuration. |
| 1006611 | FortiOS may not function as expected when the miglogd application attempts to process logs. |
| 1010244 | When uploading the log file to the FTP server or FAZ, parts of the log files are not included in the upload when two segments are sent in the same second. |
| 1010428 | On the Log & Report > System Events page, the log displays an FortiGate has experienced an unexpected power off error message when an interruption occurs in the kernel. |
| 1011172 | The miglogd does not forward log packages to FortiAnalyzer due to a memory usage issue. |
| 1012862 | User equipment IP addresses are not visible in traffic logs. |
| 1018392 | A memory usage issue in the fgtlogd daemon causes FortiGate to enter into conserve mode. |
| 1028309 | On FortiGate, a CPU usage issue occurs in the locallogd. |
| 1040158 | FortiGate 90G and 120G models display the incorrect log disk types. |
| 1040678 | The first character User-Agent information is not included in the web filter log. |
| 1055142 | When filtering logs by actions, the Add, Edit, Delete, and Move options are set to lower case by right-clicking logs. |
Proxy
| Bug ID | Description |
|---|---|
| 723764 | Replacement page is not provided to client when blocking traffic from an application control profile. |
| 871273 | When the kernel API tries to access the command buffer, the device enters D state due to a kernel interruption. |
| 900546 | DNS proxy may resolve with an IPv4 address, even when pref-dns-result is set to IPv6, if the IPv4 response comes first and there is no DNS cache. |
| 922093 | CPU usage issue in WAD caused by source port exhaustion when using WAN optimization. |
| 933502 | When a forward server with proxy authorization is configured with certain traffic, a memory usage issue in the WAD process interrupts the operation of FortiGate. |
| 949464 | On FortiGate, a memory usage issue in the WAD may cause the unit to enter into conserve mode. |
| 956481 | On FortiGate 6000 models, when an explicit proxy is configured, the TCP 3-way handshake does complete as expected. |
| 979361 | After an upgrade, FortiOS encounters an error condition in the application daemon wad caused by an SSL cache error. |
| 982553 | After upgrading from version 6.4.13 to version 7.0.12 or 7.0.13, FortiGate experiences a memory usage issue. |
| 984777 | FortiGate encounters a CPU usage issue after configuration updates due to an issue in the WAD process. |
| 987483 | On FortiGate, the WAD daemon does not work as expected due to a NULL pointer issue. |
| 994101 | SSL Logs show certificate-probe-failed error when web profile is enabled. |
| 998938 | Changes in the proxy-address for firewall proxy-policy can not be applied correctly. |
| 999118 | TCP connections are not distributed properly when src-affinity-exempt is enabled. |
| 1003481 | FortiGate may not work as expected due to an error condition in the daemon WAD. |
| 1014778 | When downgrading to a previous firmware version, the restoration of IoT device information results in an out of bound access interruption due to newly added iot attributes. |
| 1020828 | An HTTP2 stream issue causes an error condition in the WAD. |
| 1048983 | The X-Forwarded-For request header does not work as expected for long IPv6 addresses due to a buffering issue. |
REST API
| Bug ID | Description |
|---|---|
| 859680 | In an HA setup with vCluster, a CMDB API request to the primary cluster does not synchronize the configuration to the secondary cluster. |
| 920260 | SD-WAN interfaces should be denoted in the interface statistics API. |
Routing
| Bug ID | Description |
|---|---|
| 889544 | The default route is not displayed correctly using BGP when configured using route-map and default-originate-routemap. |
| 906896 | Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated. |
| 910071 | FortiOS is limited to 31 interfaces for Multicast Routing using PIM-SM. |
| 910656 | Router information in the BGP summary still shows removed BGP neighbor/peer configuration. |
| 953658 | On FortiGate 40F-3G4G models, the LTE dynamic route not being added to route table when the IP address is changed. |
| 977751 | BGP advertisement and Route-Reflector advertisement do not advertise additional routes after first table is announced and encoded. |
| 978683 | The link-down-failover command does not bring the BGP peering down when the IPsec tunnel is brought down on the peer FortiGate. |
| 989012 | The ICMP_TIME_EXCEEDED packet does not follow the original ICMP path displays the incorrect traceroute from the user. |
| 991995 | FortiGate does not remove the BGP community list when using regex. |
| 993843 | On FortiGate 1800F models, the VXLAN tunnel on a Loopback interface does not match SD-WAN rules. |
| 1001556 | VXLAN does not match SD-WAN rule when a service is specified. |
| 1002851 | BGP Stale routes do not function as expected in an HA configuration. |
| 1003756 | When creating a rule on the Network > Routing Objects page, the Prefix-list is set to 0.0.0.0 0.0.0.0 when an incorrect format is entered in the Prefix field. |
| 1004249 | FortiGate routes traffic to an interface with a physical status of DOWN. |
| 1006703 | OSPF logs for neighbor status are not generated when using multiple VRFs. |
| 1009907 | The OSPF daemon does not function as expected causing routing to stop working after an HA cluster failover. |
| 1011263 | FortiGate does not advertise default route to its EBGP neighbor when capability-default-originate is enabled. |
| 1017761 | The gateway attribute is skipped in the configuration when in load-balance mode after an upgrade. |
| 1020474 | In a hub and spoke configuration, the IPsec SA MTU calculation does not match with the vpn-id-ipip encapsulation resulting in a fragmentation issue. |
| 1023878 | SD-WAN SLA shows intermittent disruptions of packet loss on all links simultaneously, even though there is no actual packet loss. |
| 1029460 | Creating a BGP IPv4 network prefix or neighbor in the GUI unintentionally creates an empty IPv6 network prefix. |
| 1034038 | After enabling route-reflector-client-vpnv4 under a BGP neighbor-group, the BGP connection is flapping on the spoke and generates an error. |
| 1042909 | When creating a new static route on the Network > Static Routes page, the Priority field still displays when the Destination is switched from Subnet to Internet Service. |
Security Fabric
| Bug ID | Description |
|---|---|
| 958429 | On the Security Fabric > Automation page, the webhook request header does not contain Content-type: application/json when using the JSON format. This causes Microsoft Teams to reject the request. |
| 990703 | An Azure SDN connector API failure may cause a dynamic object to be purged and re-added, leading to potentia network interruptions. |
| 991462,
993279 |
When automation stitch is configured with the once schedule, the stitch is not synchronized to the downstream FortiGates. |
| 1019244 | The System > Fabric Management page may not load properly after an unsuccessful federated upgrade. |
| 1042972 | Cannot test an automation stitch that uses the Schedule trigger from the GUI. |
| 1058589 | Webhook requests use the same Content-Type: application/json in HTTP headers for all requests, even if it has a custom header. |
SSL VPN
| Bug ID | Description |
|---|---|
| 883903 | FortiGate does not identify users on SSL VPN as 2FA users if the user and token are put together in the same field (concatenated). |
| 893190 | FortiGate does not utilize timeout timers correctly for 2FA when SSL VPN is used as a server. |
| 904465 | The SSL VPN schedule is incorrect by 1 hour when a daylight savings timezone is enabled. |
| 905050 | Intermittent behavior in samld due to an absent crucial parameter in the SP login response may lead to SSL VPN users experiencing disconnections. |
| 943971 | On the VPN > SSL-VPN Settings page, when renaming a selected Restrict Access Host object, the object is deselected. |
| 947210 | Application sslvpnd *** code requested backtrace *** was observed during graceful upgrade. |
| 954892,
1059534 |
SSL VPN web setup rate performance is reduced due to a high frequency of database updates. |
| 955866 | During an upgrade, function traces caused by sslvpn watchdog timeout are observed in system logs. |
| 979000 | FortiGate does not execute the radius disconnect request from FortiAuthenticator. |
| 983513 | The two-factor-fac-expiry command is not working as expected for remote RADIUS users with a remote token set in FortiAuthenticator. |
| 999378 | When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an email, it tries to write it in a read-only folder. |
| 999661 | When changing SSL VPN access in the Restrict Access field to Allow access from any host and enabling the Negate Source option on the VPN > SSL VPN page, the changes made in the GUI are not reflected in the CLI. |
| 1003672 | When RDP is accessed through SSL VPN web mode, keyboard strokes on-screen lag behind what is being typed by users. |
| 1004633 | FortiGate does not respond to ARP packets related to SSL VPN client IP addresses. |
| 1022439 | SAMLD encounters a memory usage issue, preventing successful login attempts on SSL VPN. |
| 1024584 | The SSL VPN IP pool may get exhausted when tunnel-connect-without-reauth is enabled. |
| 1024837 | OneLogin SAML does not work with SSL VPN after upgrading to 7.0.15 or 7.4.3. |
| 1042457 | Duplicate log entries are created for SSL VPN sessions when the tunnel goes up or down. |
| 1048915 | The SSL VPN web mode flag is determined incorrectly causing the authenticated POST request to be dropped. |
Switch Controller
| Bug ID | Description |
|---|---|
| 688724 | A non-default LLDP profile with a configured med-network-policy cannot be applied on a switch port. |
| 957669 | On the WiFi & Switch Controller > FortiSwitch Ports page, dynamic/NAC checks are missing from the Dynamic VLAN column. |
| 991855 | The access-mode and storm control policy commands are not visible in FortiGate clusters causing them to go out of synchronization and does not send updated configurations to the FortiSwitch. |
| 1000663 | The switch-controller managed-switch ports’ configurations are getting removed after each reboot. |
| 1033874 | FortiGate does not work as expected due an issue with a null variable in the cu_acd. |
| 1058289 | FortiGate 90G and 91G models only supports up to 8 FortiSwitches and not 24 due to table size issue. |
System
| Bug ID | Description |
|---|---|
| 811367 | Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-2600F and FG-2601F. |
| 820268 | VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform. |
| 827575 | FortiGate cannot build a 3-way handshake in TP mode using an IPv6 route. |
| 861144 | execute ping-option interface cannot specific an interface name of a. |
| 863542 | FortiGate devices configured behind a proxy may not connect to the FortiToken Mobile server, leading to errors when provisioning tokens. |
| 871785 | When a FortiGate snmp community has VDOM settings and it receives an SNMP query for OID belonging to other VDOMs, the snmpd watchdog timeout may not work as expected. |
| 874449 | On the NP7 platform, some applications do not work as expected when nTurbo is enabled. |
| 880611 | FortiGate enters into conserve mode due to a memory usage issue. |
| 884388 | FortiGate encounters a CPU usage issue caused by the IPv6 FQDN check. |
| 885189 | On FortiGate, support is only provided for a single host-key ssh-ed25519 when ssh-rsa is disabled. |
| 886030 | The diag traffictest command does work as expected due to a UDP connection issue. |
| 887940 | Status light is not showing on the FortiGate 60F or 100F after a cold and warm reboot. |
| 896194 | GRE traffic through npu_vlink is not offloaded even with npu_offload enabled. |
| 901721 | In a certain edge case, traffic directed towards a VLAN interface could cause a kernel interruption. |
| 903251 | On FortiGate, kernel 4.19 does not adjust packets when it receives fragments needed while in proxy mode and pmtu-discovery disabled. |
| 906074 | On FortiGate, the WWAN connection is not always stable due to a source IP issue with the VZW. |
| 907450 | SSH users cannot access FortiGate in FIPS mode due to missing algorithms. |
| 908790 | Some LTE modems are not activated automatically and need to be rebooted manually using the CLI in order to be activated. |
| 916172 | GRE traffic is still allowed to flow through when the GRE interface is disabled. |
| 918278 | A Signal 7 interruption occurs in the cmdbsvr daemon, causing FortiGate to enter conserve mode. |
| 918574 | When cloud-communication under the global setting and include-default-servers under the central-management setting are disabled in the CLI, FortiGate still directs traffic to the public server. |
| 925554 | On the Network > Interfaces page, hardware and software switches show VLAN interfaces as down instead of up. The actual status of the VLAN interface can be verified using the command line. |
| 929750 | FortiWiFi-81F-2R-POE stp state is not correct after bootup with self loop topology. |
| 932002 | Possible infinite loop can cause FortiOS to become unresponsive until the FortiGate goes through a power cycle. |
| 934708 | The cmdbsvr could not secure the var_zone lock due to another process holding it indefinitely. |
| 938475 | A memory usage issue occurs when multiple threads try to access VLAN group. |
| 939013 | SNMP walk of the entire MIB fails when the configuration has split-port and a large number of interfaces. |
| 940717 | On FortiGate, Forticron does not work as expected due to a null pointer access issue. |
| 947398 | When an EMAC VLAN interface is set up on top of a redundant interface, the kernel may encounter an error when rebooting. |
| 954439 | SNMP does not respond if a VRF is set on the interface. |
| 957135 | EMAC VLAN interface uses two MAC addresses when it should only use an internally generated MAC address. |
| 964820 | Traffic forwarding on Dialup VPN IPsec does not work as expected when npu-offload is enabled. |
| 966384 | On FortiGate 401F and 601F models, the CR mediatype option on x5-x8 ports is not available. |
| 967436 | DAC cable between FortiGate and FortiSwitch stops working after upgrading from 7.2.6 to 7.2.7. |
| 970053 | When a different transceiver type is added to FortiGate, the new transceiver information does not update in the GUI or CLI. |
| 974449 | Memory configuration checks do not work as expected when using the diag hardware test system command due to a memory threshold issue. |
| 974740 | FortiGate 2600F does not set 10G ports to 100G. |
| 976314 | After upgrading FortiGate and not changing any configuration details, the output of s_duplex in get hardware nic port command displays Half instead of Full. This is purely a display issue and does not affect system operation. |
| 978122 | FortiGate experiences packet drop when egress-shaping-profile is applied to a LAG interface. |
| 979957 | When a FortiGate is added to FortiManager in backup mode, the ability to enable or disable auto-firmware-update on FortiGuard does not function as expected. This generates an error indicating the FortiGate is managed by FortiManager, despite backup mode suggesting otherwise. |
| 984148 | The SNMP OID session count for NP6 and NP7 is not displayed. |
| 987513 | A CPU usage issue occurs and a CpuHigh SNMP trap is sent when adding a firewall policy on systems with numerous existing policies, causing issues with performance. |
| 989629 | FortiGate does not show additional speed options outside of auto on a WAN interface. |
| 990409 | After an upgrade on FortiOS, the kernel operation is interrupted and reboots due to a switch command issue. |
| 991264 | The locallogd process may cause a CPU usage issue on FortiGate. |
| 991925 | The EMAC VLAN, with a vlanid over a physical interface and a VIP configuration, has the incorrect mac address once traffic is offloaded. |
| 995442 | FortiGate may generate a Power Redundancy Alarm error when there is no power loss. The error also does not show up in the system log. |
| 995801 | SNMP OID .1.3.6.1.4.1.12356.101.21.2.1.1.2.4 does not return the correct value due to the device status being removed during refactoring. |
| 995967 | When FortiGate firmware is upgraded, the interface speed changes from auto to 1000 full. |
| 997563 | SNMP ifSpeed OID show values as zero on VLAN interfaces in hardware switches. |
| 999819 | FortiGate 100 models may become unresponsive and prevent access to the GUI, requiring a reboot to regain access due to an issue with the SOC3. |
| 1000194 | FortiGate does not show QoS statistics in the diagnose netlink interface list command when offloading is disabled in a firewall policy and IPsec phase 1 tunnel on NP7 platforms. |
| 1000884 | SCM tools prevent users from logging into FortiGate using SSH after an upgrade. |
| 1001133 | After an upgrade, FortiGate receives a PSU RPS LOST traps error despite not having any RPS connected. |
| 1001601 | A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific configuration. |
| 1001722 | VLAN/EMAC VLAN traffic is unexpectedly blocked under certain conditions. |
| 1001938 | Support Kazakhstan time zone change to a single time zone, UTC+5. |
| 1002323 | After restoring a configuration on FortiGate with the interface changed from aggregate to physical, the interface switches back to aggregate and cannot be changed back to physical. |
| 1004804 | FortiGate running firmware 7.2.7, the device encounters an error condition in the application daemon. |
| 1005573 | FortiGate incorrectly sends set csr instead of set certificate to FortiManager after auto enrolling a certificate using SCEP. |
| 1006024 | Administrator accounts using an admin profile with only FortiGuard Updates read-write permissions cannot open the FortiGuard page. |
| 1006324 | When a different transceiver type is added to FortiGate, the new transceiver information does not update in the GUI or CLI. |
| 1006979 | FortiGate may encounter a memory usage issue on the flpold process, causing the primary and secondary units to go out of synchronization. |
| 1008049 | The I2C bus become stuck during an upgrade due to an error in the switch-config-init command. |
| 1009278 | Traffic does not hit a new policy created in the GUI or CLI due to an auto-script command issue. |
| 1009282 | In the PSU section of the diagnose hardware test system firmware command, some information is missing. |
| 1009853 | Outgoing traffic from EMAC-VLAN uses default cos tag when traffic is not offloaded. |
| 1010328 | Fgfmsd does not function as expected when the type is set as fortimanager in system-central management but has no route to FortiManager. |
| 1011229 | On FortiGate, a slab memory usage issue causes the device to enter into conserve mode. |
| 1012518 | Some FortiGate models on NP6/NP6Lite/NP6xLite platforms experience unexpected behavior due to certain traffic conditions after upgrading to 7.2.8. Traffic may be interrupted momentarily. |
| 1014624 | On the FortiGate 1800F, the 40G interface’s status is DOWN after upgrading to 7.2.8. |
| 1019749 | On a VDOM, running sudo global show does not return any system interfaces information. |
| 1021355 | FortiGate encounters a CPU usage issue when there are a high volume of traffic and scripts running on the device which could lead to an issue with performance. |
| 1021542 | FortiGate reboots twice after a factory reset when gtp-enchanced-mode is enabled. |
| 1021632 | FortiGate may experience intermittent traffic loss on an LACP interface in a virtual wire pair with l2forward enabled. |
| 1022935 | FortiGate experiences a CPU usage issue when dedicated-management-cpu is enabled. |
| 1023458 | On FortiGate, the 100G fiber cap does not include a CR4 option. |
| 1029351 | The OPC VM does not boot up when in native mode. |
| 1032018 | The SFP+ port LED does not illuminate and displays a speed 10Mbps even though the link status up and speed is set to 1000Mbps. |
| 1034286 | FortiGate does not auto negotiate to Full duplex when connecting to FortiSwitch due to a duplication error. |
| 1037075 | On FortiGate, an interruption occurs in the kernel when running WAD process monitoring scripts. |
| 1037393 | FortiGate reboots due to the maximum buffer length difference between nTurbo and NPU HW. |
| 1041457 | On FortiGate, kernel 4.19 does not work as expected when concurrently reassembling fragmented packets that have more than 64 destination IPv4 addresses. |
| 1043593 | On the Network > Diagnostics > Packet Capture page, the timeline graph is removed from the packet viewer. |
| 1045866 | The node daemon causes a CPU usage and memory usage issue when many interfaces are being edited or created at once. |
| 1046726 | The csfd and node daemons cause a CPU usage issue on large network topologies with many FortiAPs and/or FortiSwitches configured. |
| 1049119 | FortiGate encounters an interruption in the kernel due to a NULL pointer issue. |
| 1052004 | FortiGate encounters a memory usage issue when there is no traffic running and the configuration is not fully loaded. |
| 1058397 | On FortiGate 900 models, when the baudrate is configured, the changes are not applied and is set to 9600. |
Upgrade
| Bug ID | Description |
|---|---|
| 925567 | When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path. |
| 955810 | Upgrading FortiOS is unsuccessful due to unmount shared data partition failed error. |
| 955835 | When auto-upgrade is disabled, scheduled upgrades on FortiGate are not automatically canceled. To cancel any scheduled upgrades, exec federated-upgrade cancel must be done manually. |
| 977281 | After the FortiGate in an HA environment is upgraded using the Fabric upgrade feature, the GUI might incorrectly show the status Downgrade to 7.2.X shortly, even though the upgrade has completed. |
| 1013821 | On FortiGate, an interruption occurs in the kernel in both HA FortiGates when an HA cluster’s firmware is upgraded. |
| 1017519 | Auto firmware-upgrade may run when a FortiGate is added to a FortiManager that is added behind a NAT. |
User & Authentication
| Bug ID | Description |
|---|---|
| 825561 | 2FA push for FAC token and FTC will not start the push notification process without user input on the browser. |
| 865952 | FortiGate does not generate any request to the CMP server if it uses HTTPS. |
| 933622 | The FortiGate does not send the user’s IP address to the TACACS+ server during an authorization request. |
| 947299 | Global DH parameter does not modify the SSH connection key exchange. |
| 960230 | After the authentication timeout setting value is reached, the Time Left value on the Firewall User Monitor > Firewall Users > Time Left page increases to thousands of days. |
| 974298 | When using the local-in firewall authentication with SAML method, SAML users cannot get access using the authentication portal. |
| 988958 | When rsso user groups are updated, the session table is not cleared of old sessions and traffic still hits the old policy. |
| 1001026 | Users are unable to use passwords that contain the ñ character for authentication. |
| 1003405 | When there are over 5000 firewall users, the minimized Firewall Users widget on the Dashboard does not display the donut chart or the number of users. Expanding the widget to full screen displays all users. |
| 1012337 | Client IP addresses are sent in an invalid format which some servers cannot accept. |
| 1021157 | Users are unable to use passwords that contain Polish characters ńżźćłśąó for RADIUS authentication. |
| 1039004 | The username-case-sensitive disable setting is not respected for RSSO when a username has a capital letter. |
VM
| Bug ID | Description |
|---|---|
| 909368 | If Azure accelerated networking is enabled, IPsec traffic cannot be redistributed using round-robin. This results in a CPU usage issue. |
| 915528 | FortiGate-VM does not send LACP frames on the FortiLink interface toward FortiSwitch. |
| 923061 | IPsec tunnels on AWS have TX errors incremented every 30 seconds. |
| 988036 | The VMware SDN Connector does not resolve the hostname when retrieving tags and generates an error. |
| 1006570 | VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM. |
| 1016327 | After rebooting, DPDK mode is disabled on a VLAN interface and traffic stops. |
| 1036917 | When a intended policy is configured for interesting traffic subnets, traffic flow hits the implicit deny rule instead of the configured policy. |
| 1040088 | In an HA configuration, the secondary unit heartbeat port is accessible even though access to the interface is not allowed on that unit. |
| 1046696 | A FortiGate VM HA in Azure Cloud may intermittently go out of synchronization due to an issue in the daemon process. |
VoIP
| Bug ID | Description |
|---|---|
| 1004894 | VOIPD experiences high memory usage and enters into conserve mode. |
Web Filter
| Bug ID | Description |
|---|---|
| 925801 | Custom images do not display on the Web Filter block replacement page for HTTP traffic in flow mode. |
| 1002266 | Web filtering does not update rating servers if there is a FortiGuard DNS change. |
| 1004985 | The webfilter cookie override trigger process had no issue observed and an override entry was created in the FortiGate, but client access was kept blocked by the old profile and the client received a replacement message with an override link just like the initial access to trigger the override. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 899553 | 802.11r (FT) roaming does not work in an HA setup. |
| 907104 | In an HA setup, after disconnecting a client from an AP, the client is removed from the primary AC but remains listed on the secondary AC. |
| 938840 | Excessive MEM POOLuse_up_cnt observed on secondary unit in an HA environment. |
| 943016 | After upgrading from version 7.2.5, the wpad_ac does not operate as expected. |
| 949682 | Intermittent traffic disruption observed in cw_acd caused by a rare error condition. |
| 989929 | A kernel interruption occurs on FWF-40F/60F models when WiFi stations connect to SSID on the local radio. |
| 994752 | A memory usage on the secondary firewall causes FortiGate to enter conserve mode. |
| 995456 | FortiGate cannot access FAP-U devices using an SSH connection. |
| 998804 | On the Clients By FortiAP widget on the Dashboard > WiFi page, the SSID column does not display the proper name of the downstream device. |
| 1001672 | FortiWiFi reboots or becomes unresponsive when connecting to SSID after upgrading to 7.0.14. |
| 1003070 | On FortiGate, the sta count is not accurate when some wireless clients connect to APs managed by FortiGate. |
| 1018107 | Unable to manage FortiAP from FortiGate. |
| 1019680 | FortiWiFi cannot access internal FAP consoles due to a login prompt issue in diagnose sys modem com. |
ZTNA
| Bug ID | Description |
|---|---|
| 918279 | Traffic does not match a simple ZTNA firewall policy when the external interface configured on a ZTNA server is a member of a SD-WAN zone being used in the same ZTNA firewall policy. |
| 944772 | FortiGate does not use data from FortiClient to send the VPN snapshot to EMS. |
| 998172 | When first connecting to the ZTNA server, the EMS websocket can become stuck and an error displays ZTNA Access Denied – Policy restriction!. |
| 1006214 | When ZTNA is enabled, the WAD process might encounter a memory usage issue in a rare condition. |
| 1008632 | When visiting SaaS application web pages using ZTNA, web pages can stall or return an ERR_CERT_COMMON_NAME_INVALID error. |
Common Vulnerabilities and Exposures
| Bug ID | CVE references |
|---|---|
| 980300 | FortiOS 7.2.9 is no longer vulnerable to the following CVE Reference:
|
Notatki producenta: FortiOS 7.2.9 Release Notes
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie