Network security vendor Fortinet has released FortiOS 7.4.10, focusing on improved stability and on eliminating significant bugs that affect device security and performance. These include excessive memory consumption by the IKE process that caused devices to enter conserve mode, IPsec traffic interruptions on SoC4 platforms, and incorrect behaviour of two-factor authentication in SSL-VPN. The update also includes a number of additional fixes in the firewall, HA, SD-WAN and IPS areas, increasing the overall stability of production environments.
Resolved issues:
AntiVirus
| Bug ID | Description |
|---|---|
| 1153880 | File upload of a large file fails on an HTTP2 connection when FortiGate AntiVirus is enabled in proxy mode with deep inspection. |
| 1181573 | SSL inspection does not correctly add the Authority Key Identifier (AKID) when operating in Flow mode with DPI enabled. |
DNS Filter
| Bug ID | Description |
|---|---|
| 1151824 | DNS query failure when DNS requests received from different VRF with the same transaction ID, source, and destination addresses are treated as retransmissions and discarded. |
Endpoint Control
| Bug ID | Description |
|---|---|
| 1086668 | FortiGate does not connect to EMS cloud when EMS cloud license is expired on the global FortiCare account, even when the access keys are valid in other VDOMs. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 1074353 | IPv4 DNS address is used to connect to the server when set up as IPv6-only under fast fallback. |
| 1094870 | FTPS data connections fail to establish when using flow mode firewall policies configured for FTP service. |
| 1116834 | Authentication pop-up does not appear when accessing https websites via FortiGate with Explicit Proxy when authentication Rules, webproxy-forward-server, and certificate-inspection are configured in proxy-policy. |
| 1202441 | Captive portal is unavailable when accessing the Internet after firmware upgrade. |
| 1209746 | Intermittent connectivity issues occur when using FTP Proxy through npu vdom link. |
Firewall
| Bug ID | Description |
|---|---|
| 1093616 | Bytes counter issue occurs when existing sessions are revalidated on a new firewall policy. |
| 1099748 | HPE incorrectly identifies TCP RST ACK packets as TCP type when receiving RST ACK packets. |
| 1134809 | Security policy hit counter resets when learning mode is enabled in NGFW policy mode. |
| 1152839 | Packet loss occurs when asymmetric routing is used with IPv6 traffic. |
| 1154805 | Firewall deny policy mismatch occurs when local user traffic is specified. |
| 1171392 | No response occurs when FortiGate receives a packet with low TTL and a deny-all policy is set. |
| 1176942 | Auth-ike-saml-port responds on VIP/IPpool IP address when configured on a FortiGate with mismatched interface IP addresses. |
| 1187335 | Video playback issues occur when SNAT is applied and RTSP session helper does not rewrite the destination field. |
| 1188867 | An error condition occurs in firewall policies when referencing FSSO usernames with special characters in NGFW policy mode. |
| 1189618 | Packet drop when auto-asic-offload and IPS are enabled. |
| 1200717 | Traffic is allowed by local-in policy 4294967295 when VIP is configured with port-forwarding. |
| 1204648 | Secondary SCTP session failure occurs when an existing SCTP session has a different source port number than the EXP session. |
| 1212608 | FTP does not work in passive mode via the helper session. |
| 1216936 | NetBIOS broadcast packets are forwarded when netbios-forward is disabled on the same interface. |
| 1218523 | ICMP packet drops occur when hardware offloading is enabled. |
FortiGate 6000/7000 Platform
| Bug ID | Description |
|---|---|
| 1161584 | An error condition occurs in the APACER NVME controller during hardware testing on FortiGate-201G. |
| 1198697 | Link/Activity LEDs remain on when executing shutdown on FortiGate 120G/121G. |
| 1211372 | An error condition in confsyncd occurs when file sizes change between scans. |
| 1214688 | Fragmented UDP-ESP packets are not forwarded when received on FortiGate. |
| 1219115 | In 6K/7K platforms, SSL VPN load balancing does not work correctly when split-port is set to 1-M1 and 1-M2. |
| 1222830 | Management access loss when FIM02 on standby chassis is primary Worker. |
FortiView
| Bug ID | Description |
|---|---|
| 1146317 | Incorrect offload status when NPU Accelerated sessions have an offload value of 9. |
| 1192055 | Data retrieval issues occur when using FortiCloud as the source with custom accprofile. |
| 1199964 | Improper display of columns that use the user device source. |
GUI
| Bug ID | Description |
|---|---|
| 1000476 | Unresolved FQDN addresses are not highlighted when filtering the type column by FQDN on the Addresses list page. |
| 1033972 | An error condition occurs in the GUI when changing the LDAP server IP. |
| 1055740 | CPU usage issues observed during GUI login with a USB drive containing many files. |
| 1056214 | Hyperscale firewall license warning appears when no license is present. |
| 1063643 | GUI interface panel mismatch when FortiGate 121G Gen2 faceplate is changed. |
| 1098643 | Unexpected behavior observed in the WebSocket caused by stale connections, resulting in persistent memory allocation errors or Node.js restarts. |
| 1107513 | An error condition in Node.js occurs when handling stale websocket connections. |
| 1138545 | An error condition in Node.js occurs when writing to a closed client socket. |
| 1154487 | GUI page times out when never timeout option is enabled for the admin profile. |
| 1172647 | Filtering services become unavailable when Anycast is enabled. |
| 1180629 | GUI displays username sensitivity warning when username-sensitivity is disabled. |
| 1191076 | Interface bandwidth data is not displayed when LAG is upgraded from 2x40G to 2x100G ports. |
| 1191960 | Incorrect certificate HASH algorithm name is displayed in FortiGate GUI when viewing certificate information. |
| 1193884 | Vlan interface bandwidth displays incorrectly in GUI dashboard widget when LAG members are removed and re-added. |
| 1194972 | Devices are not visible on Asset & Identities > OT view when API response from /api/v2/monitor/user/device/query retrieves devices without sufficient information. |
| 1199029 | DHCP Server conflicts occur when changing from DHCP Server to Relay mode on an interface. |
| 1228733 | LDAP password is removed when OK is pressed. |
HA
| Bug ID | Description |
|---|---|
| 1033784 | Traffic disruption occurs when changing aggregate interface member in FGCP a-a mode. |
| 1042297 | Out-of-sync status occurs when upgrading from 7.4.3 due to ips.sensor attribute value change without recalculating the cached checksum. |
| 1084212 | HA out of sync occurs when creating custom SaaS application. |
| 1096472 | Traffic disruption occurs when moving VDOMs between VClusters. |
| 1121141 | IP address is not released by DHCP client when MAC changes during HA enablement. |
| 1141528 | High CPU usage occurs when FortiGate secondary unit is started in Azure vWAN SD-WAN NGFW with Dynamic rerouting. |
| 1160292 | FFDB version sync issue occurs when updating on-demand ffdb in HA environment. |
| 1191136 | HA ports cannot be added to an aggregate interface when running FortiOS 7.2.11 build 1740. |
| 1212718 | FGFM tunnel remains down after HA failover event when undestroyed fgfm session prevents new fgfm sessions from being created. |
| 1225710 | Mobile Token assignment fails on old models that don't support vSN when HA fail-over occurs. |
HyperScale
| Bug ID | Description |
|---|---|
| 1085722 | Value set for icmpv6-error-rate under sys npu doesn't work. |
| 1219541 | Traffic disruption occurs when changing an interface's VDOM. |
| 1223847 | Excessive hyperscale logs occur when log-mode is set to per-mapping. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 1064078 | Egress shaper fails to enforce bandwidth limits on VPN ID with IPIP encapsulation IPsec interfaces due to incorrect handling of traffic forwarding across multiple network processing units. |
| 1068626 | SOC4 platform IPSec traffic may stop in specific corner cases due to the IPSec outbound process becoming unresponsive. |
| 1075112 | IKED is consuming more memory leading to the device to go into conserve mode. |
| 1090200 | Transport-mode IPsec phase2 cannot set a non-zero protocol successfully. |
| 1127782 | Traffic is dropped by anti-spoof check when passing traffic through phase2 transport mode with GRE encap. |
| 1146975 | IPsec tunnel issues occur when NPU offload is enabled on SOC4 platforms. |
| 1170094 | An error condition in IKE occurs when using TCP transport. |
| 1180324 | Auth-ike-saml-port setting is lost when set to 10443 during FortiGate update or reboot. |
| 1181552 | An error condition in IKE occurs when using TCP. |
| 1182043 | IPsec VPN connectivity issues occur when 'local-gw' is set to 0.0.0.0 under the dial-up IPsec VPN interface. |
| 1184605 | Firewall policy issues occur when a new policy is created for a connected VPN user without explicit mention in the policy. |
| 1186237 | CPU utilization increases when a remote access VPN user connects or disconnects. |
| 1199265 | Intermittent traffic disruption occurs when IPsec tunnels are stuck and the engine hangs on the SOC4 platform. |
| 1199815 | Intermittent IPsec traffic disruption occurs when IKE tunnel status is out of sync with kernel. |
| 1200709 | Intermittent BGP disruption caused by DPDK enablement. |
| 1204679 | Radius authentication issues occur when packet fragmentation happens over IPsec tunnels. |
| 1206506 | Traffic disruption occurs when IPsec tunnel manager write sequence issue happens. |
| 1218538 | Traffic drop occurs when tunnel ID changes from random 10.0.0.x to remote gateway public IP. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 1077638 | Traffic drop occurs in some cases when FortiGate operates in NGFW Policy Mode. |
| 1091118 | Oversized packets exceeding the MTU cause delayed ACKs, leading to unintended behavior. |
| 1140846 | Unexpected behavior observed in the IPSEngine when handling HTTPS traffic using HTTP/2 in certain configurations. |
| 1144684 | High CPU usage occurs when processing multiple RTSP streams due to inefficient resource management by the RTSP decoder. |
| 1162794 | Unintended behavior occurs in the IPS Engine caused by the SCADA dissector. |
| 1197659 | An error condition in IPS engine occurs when processing HTTP traffic. |
| 1218520 | BFD flaps occur due to an error condition in the IPS engine. |
Log and Report
| Bug ID | Description |
|---|---|
| 941146 | Traffic log msg field shows Connection failed message when certificate-inspection is enabled and traffic passes successfully. |
| 1119074 | An error condition in Syslog occurs when processing misaligned incoming cmdb messages. |
| 1129247 | Certificate verification fails when using OFTP custom certificate with non-Fortinet organization name. |
| 1162518 | FortiGate loses connectivity with FortiAnalyzer when changing interface-select-method to SD-WAN and DNS fails to resolve the address. |
| 1171020 | Authentication logs are missing when 2FA timeout occurs during SSLVPN authentication. |
| 1180182 | Alert email fails when device is rebooted under HA mode. |
Proxy
| Bug ID | Description |
|---|---|
| 1124557 | An error condition occurs in WAD when wad-restart-mode is set to time and wad-restart-start-time / wad-restart-end-time are configured. |
| 1178184 | SSL errors occur when accessing a specific website due to an unexpected record type when Web Filtering and DPI are enabled in Flow mode. |
| 1197212 | WAD incorrectly prioritizes the default FortiGuard CA bundle over user-installed CAs when building certificate chains for cross-signed server certificates. |
| 1228854 | HTTP status code 302 is not forwarded to the client when ssl-http-location-conversion is enabled. |
Routing
| Bug ID | Description |
|---|---|
| 1113929 | Incorrect SD-WAN rule is matched when fib-best-match is configured under zone. |
| 1196770 | BGP default route installation issue occurs when capability-default-originate is enabled. |
| 1197960 | BGP peer flaps when stressful traffic is present on the interface with Quality of Service enabled and top priority. |
SD-WAN
| Bug ID | Description |
|---|---|
| 982365 | Egress shaping profile application issue occurs when using static tunnels on IPsec spoke. |
| 1094449 | Traffic routing issues occur when service-sla-tie-break is set to fib-best-match. |
| 1167276 | All participants of SLA name become unavailable when the check interval is set to 15 seconds. |
| 1176538 | Traffic between spokes occurs when shortcut is out of SLA or dead with load balancing enabled and fib-best-match tie-break. |
| 1187007 | GUI issues occur when accessing SDWAN rules and Performance SLA menus. |
| 1199707 | SIP traffic issue occurs when TCP syn-ack packets use a different egress interface than the syn packets. |
SSL-VPN
| Bug ID | Description |
|---|---|
| 893190 | When using two-factor authentication for SSL VPN users, the FortiGate does not respect the two-factor token timeout configured in config system global. This causes the token to expire prematurely for different two-factor authentication types including email, SMS, FortiToken. |
| 983513 | The two-factor-fac-expiry command is not working as expected for remote RADIUS users with a remote token set in FortiAuthenticator. |
| 1180110 | An error condition occurs during SSLVPN WebMode password renewal. |
Security Fabric
| Bug ID | Description |
|---|---|
| 995772 | Missing devices observed when loading into OT view with insufficient device information. |
| 1191902 | Automation stitch sync issue occurs when HA secondary unit is used in Security Fabric. |
| 1224923 | IP collection fails when Azure returns a SubscriptionNotFound 404 error. |
| 1225433 | Automation Stitch variable truncation occurs when using json-c version 0.18 with webhook actions. |
Switch Controller
| Bug ID | Description |
|---|---|
| 1149978 | CPU usage issues observed during flcfgd iteration over WAD user-device-store entries in Fortilink setup. |
| 1164685 | Local MAC addresses are filtered out from being added to the user device list when mab-entry-as dynamic mode is enabled on FortiSwitch. |
| 1170323 | Interfaces cannot be enabled as FortiLink interfaces on FortiGate with hardware revision 2. |
| 1198110 | FortiSwitch disconnection observed when adding managed-switch. |
| 1199780 | Config status remains 'Wait' when FortiGate configuration changes are not reflected on FortiSwitches. |
System
| Bug ID | Description |
|---|---|
| 945871 | D-NAT functionality fails when using a Software Switch in explicit mode due to incorrect session matching during packet forwarding. |
| 1037480 | DHCP server configuration issues occur when setting role LAN under IPAM mode. |
| 1046484 | After shutting down FortiGate using the "execute shutdown" command, the system automatically boots up again. |
| 1057314 | Unnecessary configuration saves occur when the daemon check command is triggered. |
| 1075340 | Aggregate link down occurs when speed is set to 10000auto after upgrade to v7.4.5. |
| 1076579 | An error condition in newcli occurs during command processing due to invalid context. |
| 1083626 | FortiGate 90G/91G auto-negotiate support for shared SFP ports. |
| 1137156 | CPU usage issues caused by unnecessary cmdbsvr_cfgsave triggers. |
| 1142805 | Cannot set source IP for FortiGuard when a non-root vdom is set. |
| 1154920 | Intermittent 10G SFP+ link establishment issues occur when FortiGate-200F reboots and connects to a Ciena 3924 switch. |
| 1165059 | Unexpected behavior in system occurs when executing factory reset on FortiGate-70F. |
| 1170716 | Failed attachment to tower occurs when using custom APN with FortiGate 50G-5G modem. |
| 1184180 | Unexpected behavior occurs when restoring an invalid configuration with a system.interface defined as type aggregate and a system.virtual-switch with the same name. |
| 1188905 | Unresponsiveness occurs when MTU calculation is incorrect in function np_fragment. |
| 1191813 | Connectivity issues occur when auto negotiation is enabled on the Cisco switch end. |
| 1197255 | Error condition in sflowd occurs when removing entries from the netflow cache under high load. |
| 1197885 | Memory usage issues caused by ASLR when upgrading from 7.4.7GA to 7.4.8GA. |
| 1198758 | Intermittent traffic disruption occurs when using KPN SIM card with default APN settings. |
| 1198985 | SoC4 platforms with basic threat prevention config may enter extreme low memory mode. |
| 1199132 | An error condition occurs in the lan-extension-controller when changing the controller address. |
| 1199169 | IPv6 address acquisition issues occur during upgrade to v7.6.4. |
| 1199322 | VDSL2 sync issue occurs when ITU G.993.5 is enabled on 50G-DSL. |
| 1200320 | VPN goes down when dhcpc tries to renew IP lease and receives a DHCPNAK response. |
| 1205316 | Recurrent disconnections occur when IMS APN attachment attempts are made. |
| 1211645 | Authentication error when using HEX based keys with SHA1 or SHA256 in NTPv4. |
| 1211647 | Authentication error when using SHA256 as key-type in NTPv4. |
| 1211704 | Time synchronization issues occur when NTP server authentication is enabled. |
| 1221994 | CPU usage issues observed during TX direction port mirroring. |
| 1228304 | Unexpected behavior occurs when FortiGate receives Forward Relocation Request without PDN IE message. |
User and Authentication
| Bug ID | Description |
|---|---|
| 1121503 | Source-ip setting issue occurs when configuring scep enroll settings per VDOM in non-management VDOM. |
| 1158484 | When user logs into the FortiGate via FortiManager’s CLI console, users are not forced to change password even if password has expired. |
| 1165116 | Event log is not generated for expired authentication attempts, such as when authentication fails due to a 2FA timeout. |
| 1170894 | IKEv2 local user authentication issues occur when using two-factor email authentication with extended timeout values. |
| 1182725 | EAP-proxy fails to match group when the group length exceeds 128 characters. |
| 1189693 | LDAP authentication fails on OpenLDAP due to the type of ldap_result used. |
| 1196434 | SAML authentication issues occur when LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE is set and the SAML response is not signed. |
| 1205671 | Authentication failure occurs when all-usergroup is enabled under radius. |
| 1207282 | Authentication failure occurs when using multiple wildcard entries for admin access with TACACS server. |
| 1217617 | Login failure occurs when a trusted host is set for the admin after upgrading FortiGate to version 7.4.9. |
VM
| Bug ID | Description |
|---|---|
| 1074600 | Newcli process crashes on FortiGate-VM64 causing cmdb lock deadlock. |
| 1159433 | DPDK error when traffic reaches more than 4GBps. |
| 1172881 | IPS engine crash with DPDK enabled, stress traffic over an IPsec tunnel with fragmentation, and "system affinity-packet-redistribution". |
| 1198515 | Memory usage issues caused by IPsec tunnel rekey when DPDK is enabled. |
| 1215317 | Public IP disassociation occurs when SDN connector uses wrong Azure Management API endpoint. |
| 1217942 | FQDN synchronization issues occur when the primary’s timeout value on the secondary is not refreshed in a timely manner. |
| 1219012 | Dynamic object updates fail when an SDN connector is not functioning. |
| 1221924 | Inconsistency in IPS-socket size occurs when using a subscription license. |
| 1224484 | An error condition occurs in the diag daemon during image upgrade matrix operations. |
| 1228324 | Azure SDN connector fails to update new subscriptions until restarted. |
VoIP
| Bug ID | Description |
|---|---|
| 1201825 | Packet drop occurs when SIP ALG and Hyperscale are enabled. |
Web Application Firewall
| Bug ID | Description |
|---|---|
| 1208919 | Credit card information detection issues occur when WAF credit card signature requires PCRE_MULTILINE. |
Web Filter
| Bug ID | Description |
|---|---|
| 1096297 | Timeout occurs when web filter is enabled and fragments occur. |
| 1230414 | Improvements to resolve memory usage issues when logical-sn is enabled. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 1035098 | Clients could not get an IP address from a bridge-mode captive-portal SSID when the external portal server is configured on another FortiGate unit. |
| 1127637 | wpad requests are sent exclusively to IPv6 addresses and do not attempt fallback to IPv4 in environments supporting dual-stack configurations. |
| 1158774 | Wireless and wired devices cannot communicate across a software switch on FortiGate-G models when capwap-offload is enabled. This issue affects deployments attempting to create a flat Layer 2 network between wired and wireless segments. |
| 1192914 | There is no wifi SSID signal after power off / power on FWF40F. |
| 1207256 | Inconsistent client signal-to-noise ratio values occur on some FortiGate models. |
| 1214109 | After upgrading FortiGate to v7.4.9, FortiAPs show "Not Registered". |
| 1217268 | FortiGate does not sync the 11be5 and 11be6 syntax data to FortiManager correctly for v7.4. |
ZTNA
| Bug ID | Description |
|---|---|
| 1185076 | EMS rejects the wrong FQDN format when configuring virtual-host in ZTNA server->tcp-forwarding entry. |
Vendor notes: FortiOS 7.4.10
Regards,
The B&B Team
Security in Business
